#modules
Usually the question will tell you if you need previously gained creds
You don't need to do any exploits. Just brute force, mostly following the techniques in the section
ok, thanks, I got trapped by the fact that the OpenSSH service is at v7.7. Have any of you managed to run a user enum exploit against it?
for SSH ?
yes
It's easy to overcomplicate things: general rule of thumb, if it's not covered by the module - it's generally a rabbit hole
Have you figured it out yet?
Yes, I have. I had the answer all along just did not enter it correctly
Can anyone help me with the double pivoting in the Pivoting, Tunneling, and Port Forwarding Skills Assessment? I have successfully pivoted from 10.129.201.127 to ||172.16.5.35||. I have found ||vfrank||'s credentials and I'm trying to find and enumerate the next machine.
wow, cme is incredibly faster ...
Hi! I'm trying to enumerate Firewall and IDS/IPS Evasion - Medium Lab, I'm using the command:
sudo nmap 10.129.113.199 -sA -sV -Pn -F --packet-trace --version-trace -n --disable-arp-ping -T 2 -D RND:5 --source-port 53
And the question is:
After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer.
Could someone point me in the right direction? I'm quite lost.
yeah it was actually good even tho it was hard
Don't use the -T
Awesome! same happened to me haha.
Has anyone finished "Skills Assessment - Hard" of the HTTP Misconfigurations Module? I'm stuck on a section and it's driving me crazy. Payload works, but don't understand why admin isn't hitting the page
Nothing crazy needed for this. If you're struggling in a few hours I'll be able to check
for this module, now, I have used cme for all protocols and it worked nicely, but crackmapexec didn't work on RDP (it just returns with no output at all) while Hydra succeeded. Have any of you faced the same behaviour, please?
I think I already tried without the T, let me try again.
The first lab was easy and I don't get banned on this one but the issue is that all the ports appear as filtered
I got SOMETHING, but no versions of the services, let me try the version script.
you can take a look at the requests that are being made between crackmapexec and hydra so you can compare them and see why
versions script didn't help
The best way is contacting the support ? And saying that I can’t create account
Is anyone willing to help me figure out what I am doing wrong trying to run bloodhound-python through a pivot from outside the internal network?
Do you have any suggestions as to how I can get the service versions?
Ok.
Yes, in this case only the support can help you
no idea at the moment
This I have found on the site Common Pitfalls:
_Working on Two Devices
The HTB VPN cannot be connected to more than one device simultaneously. If we are connected on one device and try to connect from another device, the second connection attempt will fail.
For example, this can happen when our VPN connection is connected in our PwnBox, and then we try to connect to it from our Parrot VM at the same time. Alternatively, perhaps we are connected on our Parrot VM, and then we want to switch to a Windows VM to test something._
Normally, I was with one device logged in on the HTB-Website in two windows, because in one I have the language German, in the other English. There I make the Academy Path Cracking into HTB. At the other device I'm logged into the target via a Parrot VM, when I want to do the exercises.
If I understand the text correctly, is there only a problem when I'm logged into the target with two devices or are there already problems when it's like I described above?
Only if you have two devices using the VPN. Like the pwnbox (interactive VM in the browser) AND your VM
If you are logged into the site twice I don't believe there are many issues
Hello everyone, I ask for some help if you can, could someone show me how to edit the user.java file correctly? I'm stuck on module Attacking Common Applications section Exploiting Web Vulnerabilities in Thick-Client Applications please help me !! 🙂
hope you don't mind, I've sent you a dm
2 obama fried chicken
Need help in File Upload Attacks > Type Filters. I have modified the magic bytes for the jpg + php code and the file uploads successfully. But when I visit the URL it says "cannot be displayed because it contains errors". Using phar.jpg as the extension. Any help greatly appreciated.
You are close, don't forget what the app is expecting to be uploaded
also, start by running a simple php echo command to verify if php is getting executed
Ok. Thanks.
Hello all, need some help on the File Upload Attacks Skills Assessment. I know the first step is reading the source code and I know how to do it (considering I have…”limited” 😉 options) but for some reason the damn ||.svg|| file won’t upload no matter how I manipulate burp suite…any guidance?
Hello! Stuck on the last question of the Skills Assessment for the Login Brute Forcing module. I'm on the box, I have the correct user. I'm running hydra on the machine using the provided wordlist. I'm 95% sure I have the right command syntax. But it's been running for quite a while. The box has about 60 minutes left. Am I being impatient, or does it really take this long, compared to the previous similar exercise?
OK, that's cool then.
I'd really like to get this done, and move on to the next module. I don't have a lot of time today.
Thank you!
When you rush you can make mistakes
True. I spent about an hour on it last night. I circled back this afternoon and double checked, and I think it's right.
ok done
Simple syntax issue?
Nvm…resolved
echo xx.xx.xx.xxx server.fatty.htb >> C:\Windows\System32\drivers\etc\hosts
don't work well.. edit via notepad
Ah yeah
3 days man 🙂
Just had to let it sit for awhile.
Which is weird, because I used the same syntax last night, and got 0 results.
All's well that ends well.
Any idea as to why I’m getting this?
do cat key_rsa
and send the output in the chat
You didn't copy the full key
first line should be "-----BEGIN RSA PRIVATE KEY-----"
and also the last line respectively
END RSA.....
Well that would be it
@drowsy yacht I did the same mistake 2 days ago 😅
Hello, working on Password Attacks Lab - Hard I cannot mount vhd. I've tried guestmount and it doesn't work
#modules message @golden vortex
Im sure there is a better way... I ended up just using Windows to mount it.
There's a useful link someone sent earlier
I just googled around how to mount in Linux until I got it working
anyone complete the ATTACKING ENTERPRISE NETWORKS module yet? I just completed the Active Directory Compromise section and I have a few questions to see if we did things that same.
-Mainly how you authenticated to the DC.
-If you used the Admin account or were able to do it with the user that was found.
-How did you get $group = = Convert-NameToSid "Server Admins" to work (I got it to take, but not sure if it was the most elegant way)
Feel free to DM me
I cannot find the bitlocker partition
Then you may need to use a x2john to decrypt
Sometimes it can be awkward with the gui
You need to click a partition then it gives you the option to mount a vhd
I used evil-winrm and the admin account. I couldn't get other methods to work...
I was getting permission denied with evil and psexec with the share. So I enabled RDP and RDPd into the DC. Do you know if there was a way to enable the gui for .20?
I just used proxychains with the admin's hash.. I didn't try enabling the GUI, I like your method! I also didn't try on .20.. I pretty much just followed the module examples.
Yea I did proxy chains with impacket and evil might have been the box, going to reset it and try a few other things. How many hashes did you crack at the very end?
When you did the DCSync how did you enable AD into PowerShell? I installed it with program features, but I thought there was a ps1 that enabled AD features in PowerShell but couldn’t remember
I have no idea what I'm talking about when I offer if you mean Import-Modules ActiveDirectory? I've been working on the WinAD Enum&ATT Module l8ly. I'm just a little over halfway thru :u ; but wanted to suggest if that was it
Also once again, RIP kirbi2john.py. I ended up manually formatting the crack_me file so it would work with Hashcat. That, and ParrotOS has the .py file to use instead of the one hyperlinked within "this"...
Only cost me four hours. Lesson learned: Manually do it for now. Learn Python asap later.
May I ask a question about nmap here? I've met a problem. When I scan a machine on HTB with nmap, why do I get a different result when I spawn a new machine?
Trying to complete the password module. On protected file and protected archive it asks to use the cracked kira passwords. There is no cracked password, though
A bit out of nowhere and old asf but W advice king 👑
It didn’t allow you to import it without installing it on the module. Wasn’t sure if there is a ps1 script that can do what you need instead of installing it
does anyone have any input on this? I've tried running it first but i'm getting the same error as well. Can't add the breakpoint.
Sir this is a Wendy's
I found ways to do it, just DM me, but I’m curious if mine was the intended way or if it’s the hard way. I tend to just beat my head against things until they work
nvm got it.
What did you do? Like I said just trying to add to my notes
Can someone infiltrate the website database
Im beginning to feel this
Someone can help me for: (AD Enumeration & Attacks - Skills Assessment Part II) - Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
enumerate smarter
Hi guys, I'm stuck on "Attacking Common Services - Easy" lab for days now... I can't figure out what I am doing wrong.
I found the f*** username and I'm trying to brute the password on FTP like so:
hydra -l <username> -P <pws.list> -s 21 -v -V -t 1 -u <HOST_IP> ftp
and it finds nothing... I also tried it on SMTP but again - nothing. How do I go on from here? Please help!!!
Thank you ❤️
maybe ftp is not the path
Can i maybe have a little hint? I tried brute forcing SMTP as well but that didn't help either,,,
perhaps you can use a different more common wordlist
like r***? hydra says its gonna take 48 hours to complete 😦
especially when i can only use 1 thread for the attack
nvm, looks like smtp can process a lot more threads than I thought...
careful with spoilers
Good morning, in Module "Active Directory Enumeration & Attacks" Privileged Access part there's question: "What host can this user access via WinRM? (just the computer name)". I have found user, how can I find his possibilities to access computers without BloodHound?
edited the part that might be a spoiler. sorry.
don't worry it was something not related to your question
Even within bloodhound I see only 1 computer with RDP Privileges and answer is still wrong
Ok, I found it. using query 🙂
Ok, Thanks
knew that paste wasn't lasting long
Don't. Also string comparators should be double =
Also your tail command is missing var
Test with insert space between 450" and ]
That could also be an issue
Script doesn't give error anymore
Also syntax could be interpreting 113,450 as the literal string
Which is a whole other issue
Read what I typed above :)
i removed quotation marks, still the same
ohhhh, ok
But doing man wc would be more helpful
Also
You're not going to get an answer
Just an fyi
i want to learn not get the answer
It's probably explained in the module
But you need to find a way to look for the $value inside of $var as well
Unless that does work @proud pine
What is the name of the security standard for credit card payments that a company must adhere to? (Answer Format: acronym)
Payment card Industry security standard
Please why do i still get incorrect answers
i try PCI still incorrect, can someone please help
Payment Card Industry didn't work also
You are being asked for the standard that applies to the industry not the name of the industry
ok thank you, think i misunderstood the question
some of the questions are worded very strangely so I understand, I have the same issue sometimes.

hey I am starting the bug bounty hunter path, anyone wants to do it in sync? would be good to have people to discuss and a little bit competition never hurt anyone.
It's gonna be hard to get people that are on the same page as you tbh
Attacking Common Services, Attacking Thick Client Applications: When I try and compile after changing the ClientGuiTest.java file with: C:\> javac -cp fatty-client-new.jar fatty-client-new.jar.src/htb/fatty/client/gui/ClientGuiTest.java I get the error: Error: Could not find or load main class fatty-client-new.jar.src.htb.fatty.client.gui.ClientGuiTest.java Any ideas? I'm executing the command from the parent directory of fatty-client-new.jar.src, and I've tried going into that directory and executing too.
To use username-anarchy are we supposed to place anything before ./username-anarchy and the name we want to use to get the username for? I keep trying to figure out username-anarchy but there don't seem to be clear instructions on how to use it to get the username file. Thank you for any assistance someone can provide
There's examples at the github page.
I didnt see it but I will look again. thank you
I think I am typing the examples but i get ./username-anarchy: command not found so I think I am missing something that I am not seeing in the examples
You have to be in the directory where the program is.
The ./ tells the computer to look in the current directory.
Ok I think I got it thank you
Linux Fundamentals - File System Management:
Question: What is the size in GiB of the "/dev/sda" disk in our Pwnbox? (Format: 000)
I have found the /dev/sda, its /dev/sda1 and /dev/sda2. SDA1 shows || 75.8 GB || and SDA2 || 3.7GB || . How do I put these in the format it wants(000)? Also do I add them together or do I just take SDA1?
It's asking for the total size of sda, I think. But I don't think it's asking for the two to be added together.
What was your command and what was the output?
|| sudo fdisk -l
Disk /dev/sda: 160 GiB, 171798691840 bytes, 335544320 sectors
Disk model: QEMU HARDDISK
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x5224b35f
Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 158974027 158971980 75.8G 83 Linux
/dev/sda2 158974028 166796875 7822848 3.7G 82 Linux swap / Solaris ||
Thinking it's sda1, since the bottom is swap. But either way, entering the ||75.8 || I get wrong answer and same for when I add. So I think it's a formatting error. I just don't get what it means by 000 as format. Cause I've also entered this to try bytes || 75800000000 ||
Read the output carefully and see if there's a number in the format requested. ###
/dev/sda is the drive /dev/sda1 and /dev/sda2 are what's called partitions on the drive.
I finally got it after using lsblk, but I now see I would've found it in the output I sent had I looked a little closer. Thank you for the help and information ❤️
It's a little clearer with lsblk, yeah.
hi guys, im doing the windows pe module, and im in the pillaging section, the question is : Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer.
i got all of the hashes tried to submit only the nt part and the whole ntlm hashes but it wont accept it, someone can help?
@celest light You can dm me it and I can compare it to the answer I have to see if you got the right one.
Modified the script for bashscripting module. Still doesn't give the answer
hey, If i buy student pack monthly for 5 pounds, than it says free tier 0 to tier 2 but do this reward cubes for module completion?
are you sure? if I buy that pack and access CPTS - and when ever I need to unlock above tier 2 start other skill paths to collect and unlock for CPTS?
Hi i have a quick question. I have this string “be?ikta?”(Utf-8) and i have to convert it to besiktas.
for that section I found a vuln that doesn't require being logged in via RDP so I didn't, but you can try something like powershell -ep bypass or powershell -ExecutionPolicy bypass before you import a ps1 script
if you still need help shoot me a dm with exactly what you run because if you just import a script there will be no error or output the script will just be imported
prompt injection module when
I am doing the shells and payloads live engagement and I have been struggling for while and keep getting an error when trying to upload my shell but I am not sure why. Anyone around to give me a nudge?
Not sure if I am not supposed to be able to upload a war file and need to go with the other shell?
Msg me what you've tried etc.
Can the exams be done without doing their relative paths rn?
You must have completed the path 100%, otherwise you will not be admitted to the exam
Does anyone know why this script doesn't work?
you're testing if two strings are the same when the prompt is only asking for a portion to be the same
so it should be something like this: "$var == $*value"
?
or should i try to play with tools like "uniq"
If you're going to throw a wildcard in you need to do it like this *$value
i surrender for now 😵💫 , i will try to do something else
hi yall
The lab is broken over vpn. Just use the HTB attack box, and it will take 2 mins. You can also eliminate 90% of those flags you have. This kind of stuff irks me with HTB academy.
worked for me over VPN. As mentioned above, I didn't use half the arguments you used here. But you are missing one critical one.
I just did the lab and it would not work
When I do it I get NLnet Lab not the flag, same command I get the flag using the HTB attack host
That's odd... DM please, I'd like to understand what the difference is here
Sometimes when it comes to that regenerating a new VPN works
Could you guide me a little bit please?
dm
This one was broken for me over VPN too. I was looking in the right place for the answer for a while, but it just was not reporting the right thing. Once I did it over the WebBox it gave me the right answer.
It can be gotten over VPN it can just be tricky
I think it's broken over the tcp vpn
I resumed a lab after a year, but seems like the machine is broken
Can't find any option to contact support to revert the lab, any idea how to do it?
I could be wrong, but the lab machine will start over new every time you get a new IP
Module=AD Enumeration & Attacks, Section=Skills Assessment Part II. I'm on the mssql server. I looked into using JuicyPotato but noticed that I should be using RoguePotato. I tried to Google on how to use RoguePotato but am unable to get through. Any recommendations on which source to review on how to use RoguePotato or other suggestions beside using RoguePotato/JuicyPotato? Thanks!
You're attacking the mssql server? Did you try hitting the mssql on it?
Hi! I did a reverse shell on SQL01 from mssqlclient. I upload several files on it, looking to do privilege escalation via RoguePotato. [EDIT] I'm going to try printspoofer now that I noticed it in the module.
dm
This was me today. Did you get the right backup ;)?
hello guys, I am on shells & payloads the live engagement. I need someone to dm
hi
no idea
try to mention them idk
no idea
Someone can help me for “Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host” question?
If you tell us which module and section you are in, I am sure someone will be able to help you.
may I dm you, hi
No idea what it's about, but yes, get in touch via DM
Sorry Module=AD Enumeration & Attacks, Section=Skills Assessment Part II.
And what exactly is the problem?
Someone can help me for “Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host” question?
Yes, I read that, but what is the problem? What have you tried? What did not work?
I have not permission to read this file. I try with user A* and B* from MS01 host
No idea what you mean by User B. The user || mssqlsvc || has the necessary rights. || Mimikatz is your friend ||
I need a slight hint for "attacking common services" module easy lab, got the user and their pass and can access the sql database and ftp server and reading the forums I see I'm supposed to gain a shell, however whenever I try anything it downloads the payload rather than running it, a little stuck probably me being dense
I don’t find credential for this user
If you have access to the database, you can || upload a file (WebShell) ||
I told you how to find the creds. Read my post above again
Try it with a mail client like Thunderbird/Evolution
Tnx I try to do this
sure
hello, can i dm for help with the Using CrackMapExec Skills Assessment? Thanks
I tried python code, it download all the 20 files, but there is no any flag
hello, anybody with some help for the following, please?
Module: Attacking common apps
Section: Web vulns in Thick Client apps
I've got to the SQL injection part, I have modified the User.java file by ||modifying the first public User definition with the code that was given in the lecture, as well as deleting all the SHA encoding blocks and replacing it with the public void setPassword definition. ||, and rebuilt the JAR file as it was done earlier in the lecture. The JAR file runs properly, however I am getting a login failed error when I try to login with the SQL injection. (logging in with a valid user works however, but no elevated privileges of course)
nevermind, I figured it out 🙂
Hey guys, I’m at attacking common services - SQL part, stuck at logging in the user, somehow my network getting bugged when I’m trying, any help?
Looks like I need to install SQLcmd , is it available on kali?
mssql or sqsh should work iirc both are talked about
If I'm recalling correctly*
Hello
Module: Using the Metasploit Framework
Section: Sessions and Jobs
Priv esc question
I have gotten the user shell.
Tried using the post exploitation tools however kept getting "Exploit completed, but no session was created." with every variation I tried
Moved on to uploading linpeas, and while I got linpeas uploaded, I cannot get a TTY shell, and when attempting to exe from the meterpreter shell it doesn't escalate the user.
Need some help please
You need to follow the post exploit section exactly. Your 'session' is going to be the Session # that you got the user shell in.
To do the post-exploit
You also do need to ctrl-z/background not fully exit/close session
I was able to get that far, found the 3 post exploitation modules
-seems vulnerable but could not verify
-is vulnerable
and -service is running but could not verify
tried running all 3
Iirc it's the one that is shown
In the module
But make sure you set the post exploit exactly the same
There is no post exploit mentioned in the module - it makes quick reference to that it is possible to use sessioned exploited machines in a post exploit way.
But no actual examples - I'll keep digging i guess
Hello everyone
Please help with the possibility of ROTATION, TUNNELING AND PORT FORWARDING.
I'm stuck on one of the tasks and can't go any further.
I will be very grateful if someone can help me in private messages.
If it's the one where you have to run a DLL: make sure real time protection is off
I probably haven't gotten to that yet)))
Also just ask your question
What section is it?
#modules message bumping this for ptunnel issues
I have a one-step question: What two IP addresses can be discovered when attempting a ping sweep from the Ubuntu pivot host? (Format: x.x.x.x,x.x.x.x)
This refers to the topic of Meterpreter Tunneling & Port Forwarding.
I use the communication verification methods that were specified in this thread and get two hosts: 172.16.5.19 and 172.16.5.129, but they are not suitable for the answer
And you provided it in the same format?
Provide it in the same format it tells you
With a comma between the IP
Oh, I was wrong
Yes, I provide the answer in the same form as required, but it doesn't help
@fathom pendant I appreciate your help but wanted to let you know what happened.
So running the "post/multi/recon/local_exploit_suggester" gave different results the 3 times I ran it - on my most recent run it made reference to the box's sudo version (which was obviously hinted at in the question)
However that was still not the end because that post exploitation payload does not execute a shell - I then had to search for similar shells to that suggested payload and there was another with a similar name which was able to provide a shell as root.
Thought I'd let you know in case you get this question again 🙂
Help please 😦
Idk then I'm not at my computer to help
Just wait and someone else may be able to assist
Ahhh right
BC one is the system's ip
The answer format implies 2
Unless they copied wrong
I don't understand)
Do I need to find out 2 addresses on the question, or am I confusing something?
Just one
the answer is one IP
One of those IPs is the Ubuntu host that you're sweeping from
The other is the answer
Sure!
That's why I decided that these 2 addresses should be suitable 🙂
please delete the spoiler
So this is the wrong decision (
I don't understand what to do(
I have a question. Before you guys do the modules did yall do the academy first or go back & forth?
The modules are academy
Hello! Is this the place to report issues with content on htb academy?
Linux Privilege Escalation - Special Permissions
I ran the command to find files with the setuid bit set and got /tmp/r*. I put that in as the answer but it tells me it's incorrect. Can I get help on this?
Edit: So there were 2 files that were not shown in the example output. I got the answer!
So close #858470491676737536
Ok, will move it 🙂 thank you
No problem: this channel is for assistance with said modules that's spoiler free.
Makes sense! I guess I should expand my vocabulary - wasn't sure what erratum meant 😅
My god i have 380 ping on Xfreerdp sessions
Does anybody know how to uhhh make it more stable?
I'm not able to see the A record for the host
What is this server about?
this discord server?
which module
Do a zone transfer instead
Which nameserver did you request?
The spawned target
I did the zone transfer, But I don't see the DC1 host
@fathom pendant
Maybe there's another zone you can transfer into as well. Take a close look at your results
Noted, let me check.
Is there somewhere where htb points are explained? why do I get 5 pts for a 50 pts box for example
Check at help.hackthebox.com
If i got the student plan and completed the modules, will i still have access to them after i cancel the student plan?
And what about the cubes i get for completing each module, do i still get/keep them?
I'm pretty sure you keep access to modules you complete even if you don't have an active subscription.
Same for the cubes you earn.
under the student plan, there's a disclaimer saying you'd have to pay again to continue having access, hence my need for clarification.
I suppose you should take this to support then.
Aight
It's only for modules you have not completed
Ah ok, ty
There's still the cubes question, but i'd assume you get to keep the cubes?
I keep timing out from the rdp session to the foothold machine on Shells and Payloads - The Live Engagement. Is this intended?
subdomains-top1million-110000.txt from seclists is sufficient for the last question in Footprinting-DNS?
That's the question regarding x.x.x.203 yes?
Yup!
Need a more fierce hostlist. Your answer will be a.b.inlanefreight.htb
Ah, so that's what the hint was about huh?
Subdomains of subdomains woooo
oh well, gotta do what you gotta do lol. Thanks for clarification
Np
A
I keep timing out from the rdp session to the foothold machine on Shells and Payloads - The Live Engagement. Is this intended?
I get it now lol. Got it, Thanks xD
ATTACKING COMMON APPLICATIONS - Attacking Thick Client Applications
Hi,
I'm trying to solve the exercise but I don't understand which memory address I need to dump. I did uncheck all options except Exit Breakpoint. Each time I launch the program, it stops at this address : 00007FFD994E250D | EB 00 | jmp ntdll.7FFD994E250F
Then, when I follow it in Memory Map, I don't have anything like the example in the course (USER, MAP -RW)
I'm pretty sure that I need to analyze the restart-service .exe in the c:\programdata folder but it isn't there.
I know that I need to run that program to generate it. It crashed all the time. I changed all the permissions as mentioned.
.\Restart-OracleService.exe
Windows PowerShell terminated with the following error:
The type initializer for 'System.Management.Automation.Runspaces.InitialSessionState' threw an exception.
'c:\programdata\restart-service.exe' is not recognized as an internal or external command,
operable program or batch file.
Could Not Find c:\programdata\restart-service.exe
Can someone give me a clue on this one please?
Nevermind I got it. Dump mistake. I was skipping an important step. All details matter.
can anyone ping me, I need small clue/help regarding Snoopy? Sorry if this is against the rules Im really stuck for long time 🙂
Thanks, just read it 🙂
I see I should not ask in private, so I asked here if someone can hint me in private 🙂
#1104466576926838946 is a box and has its own dedicated channel for verified htb users
question: Where can I find the list of valid academic domains from hack the box? I am a student from the Netherlands but I'm not sure if my school is on the hack the box list. (I want to buy a student subscription in HTB academy:))
Contact support
Net+ Guy here. Are you talking to the DNS intranet/Lan server or ARIN/Google DNS services?
One will talk to the DNS/DHCP or DC server, the other over the WAN I believe
Okay thank you;)
is it worth it to do CBBH and pentesterlab at the same time?
to get really good at web app pentesting?
Module=AD Enumeration & Attacks , Section=Skills Assessment Part II. I am able to get the pw to CT***. My thinking is to do a dcsync attack based on the BH result. I port forwarded and logged via RDP into MS01 but obviously running into limited privileges. I did consider using secretsdump.py but getting errors. Can someone offer a suggestion on what I may not be considering?
Think about what else you can do with those rights.
😄 wow. that helped! i wonder why I didn't ask myself this.
Hey all
Would like some nudge on priv escalation
If anybody could have a chat about it? cheers
quick question. at what point doing HTB Academy should I start HTB Main Platform if I'm a beginner?
would you say when I complete CBBH/CPTS? earlier?
what's your take?
or later when I have CBBH, CPTS, CREST CRT, and CREST APP?
You can get on there and do the starting point anytime. They come with walkthroughs to show you through it. After that, if you buy the VIP, you can use community walkthroughs to do some retired boxes just for reps and exposure.
Figuring out an active box on your own is pretty tough though usually
Ok. What if my long term goal is to be able to do advanced boxes on my own and my medium term goal is to be able to do easy and intermediate boxes on my own?
is that doable if I go through Academy and get all certs?
and practice?
and do advanced boxes also have web component?
practicing boxes on the main platform will get you there faster than the certs imo
Ok. No I really meant what about practicing on Academy?
not so much about taking certs
at what point should I add in HTB Main Platform if I already am doing Academy?
I am on last module of Information Security Foundations Path on Academy
I want to do CBBH next
and maybe do HTB boxes that go with CBBH?
so ya
then once I am good with web I want to do boxes that go with CPTS stuff and OSCP
so you're saying Academy won't get me there?
Hello, i am currently stuck on this question.
Use the Metasploit-framework to exploit the target with EternalRomance. Find the flag.txt file on Administrator’s Desktop and submit the contents as an answer.
I was able to access the desktop and i opened flag.txt and copied the answer but it says its the incorrect answer
The answer i got is || MSF-W1nD0w5-3xPL01t4t10n ||
Sorry i am new to hack the box
Make sure there's no extra space at the end
Please avoid posting what you assume is the flag as it can be a spoiler
Currently doing the password attacks module. idk if it's just me but should the pass the hash section really be included there instead of at the pivoting module? It is explained pretty well already but i feel that specific section has a fair share of parts that ask you to read a module that comes after the current one in the current track for more info
I found that the entire CBBH path on Academy maps to a fortress. If I wanted to do Akerva fortress on HTB Main Platform, would that best be done while I'm doing CBBH or after? Is Akerva material more advanced than all of CBBH?
or is it same difficulty level?
Eh it's because Pass the Hash isn't about cracking a password
does anyone have difficulties with academy ? I mean it doesnt work at all
seems smbdy is having fun
Hello, I’ve been using hackthebox for about 2 days and for some reason the workstation is quite laggy
Is that normal?
nope but also what kind of difficulties are you having? like with module or the pwnbox?
if you mean the pwnbox then yep
with website
it loads barely, sometimes it logs me out
the log out thing i sometimes get, and the loading issue may be because of an adblock extension or your internet speed, or most likely the HTB academy servers are having a stroke
i did not have such problem
but yeah, maybe u will be ensured in it later
i haven't done the Akerva fortress but from what info i can get about that fortress online i would say it isn't that hard and it only has 8 flags so it isn't going to be a big lab either
Hi
am new to HTB academy
i just started in File Transfers
can any one help me on it
hi all
Module : Windows Attack & Defense
Section : Credential in Object Properties
i am stuck in the last question of the section. i got the cred for bonni and try to connect to the DC
Then I go to check the log as htb-student, but I only have event 4625, no event ID 4771 as the hint says to check.
I don't know what to do for this question. The targetUserSid on event 4625 is not the correct answer. (I checked with the UI and PS)
Has anyone had the same problem?
got it 🙂
Module: Web Attacks - IDOR Prevention
https://academy.hackthebox.com/module/134/section/1202
The last php code fragment shows how it should be, but is using bad practices. Next to that it is using uid instead of UUID that is in the text.
for "Running SQLMap on an HTTP Request" in sqlMap essentials module. I run this command
Now i have to use sql injection based on the results ?
So i have to learn SQL first 🤔
Is never a Bad idea, but why not try --os-shell or --os-pwn as sqlmap params
in "hint" it says to use --data and --batch parameters
anyone recently finish the Password Attacks module? I am currently on Credential Hunting Linux and could use an assist as far as what wordlist to use for a shadow file. Tried rockyou but it exhausted
FOOTPRINTING - SMTP (Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.) what am I supposed to do?
I am stuck in File Transfers: Windows File Transfer Methods, question no. 1. How can I get flag.txt?
You need to perform user enumeration against the SMTP service to find a valid user.
Also, the module provides you a username wordlist under "Resources"
You can make use of that
i didn't have a proper guide to do on my first question Download the file flag.txt from the web root using wget from the Pwnbox. Submit the contents of the file as your answer.
can anyone give me a hint
I am stuck for 1 week on this
@edgy trellis
i managed to solve the password attack medium lab but i'm unsure how the privilege escalation even works. Could someone explain it to me?
Send me a DM
Hey I am new to cybersecurity, Can anyone help me to grow?
@acoustic owl tq for it
Tq so much
You're supposed to connect to the service and verify each user
There is a smtp-user-enum script that can be run
ACTIVE DIRECTORY ENUMERATION & ATTACKS : ACL Abuse Tactics
module I'm trying to run this command, but I'm getting back this error what can be a reason
It looks like within the script it didn't load properly
Is $Cred2 a set variable?
powerview is imported , and variable is set
Can someone help me with the footprinting lab - hard? I got the account data for SSH but I need the public key, so I log in to IMAP and try to fetch with "1 UID FETCH <ID> RFC822", but the message is "Fetch is complete" and I don't get any message. So what can I do to get the key to log in?
its showing like INLANEFREIGHT does not exist
I am working on the shells and payloads assessment and i can figure out how to gain access to host 2. I found the exploit, but im not sure how to use it.
i would love to chat about it with someone
bro
why earning cubes is hard
i only got 30
i need to buy something easy for the grind
but which stuff is easy (modules etc.)
Fundamentals
Also you won't earn more cubes than you spend
Fundamentals will refund the 10 cube cost; each tier up only refunds some, not all
there is no earning of cubes, for the tier 0 modules, you get back what you spend, for higher, you just get some cubes back. No additional cubes are given.
specify the domain + IP associated to that domain
Module: Session Security
https://academy.hackthebox.com/module/153/section/1452
the example about referrer, misses a closing character
i know
oo
okay
Hey guys, I'm trying to solve the File Upload Attacks Whitelist Filters section. I used the bash script and added ||php5, php7, phtm|| to the ||for ext in|| line. After generating that list, I pasted it into Intruder and made sure to uncheck url encode these characters. Whenever I navigate to ||SITE:PORT/profile-images/PAYLOAD|| I get a ||Not Found|| error. Is anyone able to help?
did you change "PAYLOAD" to your file
you must upload something to see your file in "PAYLOAD"
are you here
I put || <?php system($_REQUEST['cmd']); ?>|| in the body of the POST
that's a php code
you know probably
you should upload a "php" file extension but probably it only accepts "png" etc. photo extensions
did you try uploading your php file extension?
when running intruder like in the example, the length of 190 is upload failed and 193 is successfully uploaded (your case could be different), and of course you can only access the files that are successfully uploaded. Note that if the file name has a symbol that can be url encoded then you can't use a browser, because it will url encode your request
also ||one of|| the extensions you added to your script should work
Hi guys I'm currently on the "AD Enumeration & Attacks - Skills Assessment Part II" and I'm stuck on the question 6 : Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?
Does someone have an idea please ?
I'm going to re-try using intruder again. I can upload a test PNG file and find it in the browser without issues. I'm seeing 190 and 193 lengths as well. My pwnbox seems to have some freezing issues, so I could've just missed something simple
*little misread but first this should be question 6 right? and did you answer questions 4+5? if you didn't, do those questions first and after that for question 6 do some enum based on the answers of the 2 previous questions for
Yes I'm on question 6 sorry
Can someone chat about Shells and Payloads skills assessment? I cannot figure out this one and I have been stuck for a while:
because your target machine is on a public ip, so in cases like that i would recommend using your own vm because it's less laggy, and if you are doing something like an AD module where your target is in the same network as the pwnbox it would make more sense to use the pwnbox because the speed is going to be so much faster + more stable than a vpn
which question is that?
It is the 5th one on the Live Engagement part
I'm on the last question of the SMB footprinting section & I have done all the work, found the flag etc & I am currently looking at the path and it still won't accept my answer, unsure of what syntactically I am doing wrong? Question is "What is the full system path of that specific share?"
and what is the issue?
did you answer it in linux format?
I found the creds and exploit on the blog, but its not in metasploit and I cant add the exploit db metasploit file without root perms
so idk what I am missing
the given user on the foothold box should have root. also after importing an exploit to metasploit you need to run reload_all before you can use that exploit
I did
without a / at the end?
oh that's weird shoot me a dm with your answer
will do
hint take a step back and enum ||other service||
thanks
I figured it out! I manually went through each 193 length using curl. There were a lot of 193s, so is there an easier way I could've figured out which one provided code execution?
The exploit appears to be working, but I am not finding anything on the error I am getting for NilClass. Do I have to edit the script or anything?
nope and got 0 idea about that error
and did you use the .rb exploit in the exploitdb directory on the foothold machine?
you still on question 6?
Yes
The hint for this question is : "Remember that not all users can read all files in an AD environment."
So I think I need to find a file on ms01
hint wrong machine also ||wrong service||
On the /billing page it says the following:
" Access to Academy modules requires an active student subscription."
Does that mean that if I buy a student subscription and I complete several modules. I won't be able to access those completed modules after my subscription is ended?
After you complete a module you retain access
If you lose your subscription while in the middle you either need to buy a new sub or just buy cubes
That's good to hear! Thank you for your quick reaction:)
just asking
I'm informing you :) there are other channels to ask in if you read #welcome it explains it
I got curious and looked it up and found a few Reddit posts discussing it, you may take a look there.
This channel is explicitly for the learning modules found at http://academy.hackthebox.com
hm
alr
i do already
thanks i will try it
Does anyone know why this happens:
Like to be specific: Why is my ticket removed from the cache ?
(I am on the active directory enumeration module)
nvm I used the wrong domain
Hey everyone is anyone able to help with the Web attacks/API module, I'm somewhat stuck on the Information disclosure through SQL injection question. I've tried all the basic payloads from the SQL module and can't get a positive response.
Anyone could help me in Footprinting - SMTP? (Enumerate the SMTP service even further and find the username that exists on the system.) , i was trying using the command: ||smtp-user-enum -M VRFY -U footprinting-wordlist.txt -D inlanefreight.htb -t 10.129.198.120 -w 7||, playing with|| -M and -w parameters||, but i can't find the username, what am I doing wrong?
try to launch ps as administrator and repeat same steps
hello, for some reason whenever i open a workstation my internet keeps cutting off. It is always when i open the workstation because my internet is working just fine before opening it. Everytime my internet turns off and it says wifi is disabled. i am using arco linux
it was working completely fine yesterday
but yesterday i was using a different internet network
-w 25
All sorted - thanks
do you have pwnbox + vpn connected at the same time
Hey Everyone, I'm at 95% completion on the CBBH path and have run into three recurring issues that I'm stuck on.
PHP file inclusion filters on the LFI and upload attacks modules. I seem to be missing something across both. I've been fuzzing extensions, adding magic bytes, etc. and I don't know what is causing my issues.
Time Code generation for the cookie brute forcing and login brute forcing. Need to discuss this a bit.
SQLi - Where it is used in the web attacks/API module.
If anyone is able to help/discuss these I would greatly appreciate it.
sure shoot me a dm if you still need help
Support says this:
Make sure to renew your plan monthly to not lose access to the learning material you've acquired so far.
So that means you have to renew your plan in order to have access to the material you have acquired so far, even if you have completed it right? (I'm strictly talking about the student subscription, I don't know about other subscriptions)
Just message support chat
I'm not an all knowing wizard, I just know what others have said
And iirc I've seen staff say it as well
Ah okey thank you
Need a bit of clarification on something related to Web Attacks - Mass IDOR Enumeration:
If I am unsure of the format of the files in the folder then how do I go about using curl to get the links?
I tried: ||curl -s -X POST http://178.62.74.235:31244/documents.php -d uid=15 | grep -oP "\/documents.*?"|| but this does not work ... FYI the files in question are pdf and txt files
grep -oE "/documents/[^']+\.(pdf|txt)" this?
or this grep -oP "\/documents/.*?.(pdf|txt)"
hey guys and gals, can anyone help me with the shells & payloads Live engagement assessment please? I've been stuck on the second question since yesterday 🥺
oh my god!
Has anyone completed this module? Exploiting Web Vulnerabilities in Thick-Client Applications
i tried but i kept getting error messages
if you continue to be naughty you will get the boot, keep up with the topic of the channel and its intended purpose
he has a roman pfp those were racist christian nationalists who persecuted africans and arabs purely for their appearance and religion
maybe you need to check your white privilege
what?
you heard me
black lives matter it may not be 2020 anymore but its a movement not a trend
Wtf did I walk into
2nd question of the Skills assessment or in one of the topics?
Skills assessment
sure, DM if you would like
just did, thanks!
Anyone else got this error while doing "RDP and SOCKS tunneling with SocksOverRDP" section in "Pivoting, tunneling and port forwarding" module?
Disable defender before uploading the dll
Thanks my friend, that worked.
hey did you solve it ? i got the same problem
i forgot lmao
Hi, can someone give me some hints for Windows Priv Esc - Miscellaneous Techniques?
think where an admin could potentially store sensitive information
||the Deleted Items folder in Outlook||
How long should I expect to wait for the password attacks module exercises to complete? Like in terms of hydra brute forcing things, is it a very long time that I should let it run or did I do something wrong if it is running forever?
unfortunately its long enough that often by the time you can reasonably say something was wrong, you have to reset the lab
I just tried it, but it shows me that all the emails in the list are valid. I am trying with the VRFY mode, the EXPN does not return anything, and the RCPT mode also returns that all the emails are valid.
Should I expect like 20+ minutes? Im at 15 right now.
sometimes yeah
And you're using the username list from the resource?
yes i am using it and the domain ||inlanefreight.htb with the argument -D||
No worries, I only had it in mind since I just did that one on like Friday
Lol fair
Great! that was, the domain was not necessary, thanks!
It's the same password list for 99% of the module the one from resources. Iirc though after it has you create a mutated list you need that as well
If I'm recalling correctly
Otherwise there's an open port you can pull the list from
Iirc there's only one that may require that
i think i'm having issues reading/parsing again. working on the skills assessment for the module "information gathering - web edition" and am confused about what this question is looking for: Perform active infrastructure identification against the host <snip>. What server name is returned for the host? it feels like "server name" can mean a million different things, and i'm not sure what it's looking for
Server Name is like hostname iirc from that section
the hostname of the server the site is running on? or the value of the Host header?
Hostname as in when you log into the server via ssh you get user@system
Iirc
Again it's been a hot minute
Just do the active enum and usually the answer is fairly obvious
Overthinking tends to lead to wrong answers
yeah and the obvious answer isn't being accepted, so now i'm not sure what i'm supposed to do
oh. it works now. weird. must have had some extra spaces or NPCs
module complete, thanks 🙂
Ye
Is it rockyou?
There's a resources button on the page
I was working on skills assessment of pivoting and port forwarding, from what I see here, it seems like this lab doesn't involve any password cracking. (it doesn't have resources)
Iirc rockyou is correct for password cracking in that module but I believe most passwords are plaintext somewhere. I need to sweep up older modules and clean up my notes
I am on the part where you dump ||lsass||, I tried previous tactics and failed so will work on it later.
Ah
^
okay so I am doing pivoting module, web server pivoting with rpivot section and i've got ssh and attack host connected, but when i run proxychains with firefox its not working
it just fires up mozilla and loads foreveerr
someone who completed macos fundamentals?
not sure if is bugged
i have this question Find the numeric version running on your machine and submit it as the answer.
but there is no machine to connect and the machine i spawn is a parrot
it was firefox error, had to curl it at the end
even with that if i create a virtualbox with macos i cannot respond that answer no?
well if u have vb macos
u could then
u just need something with macos on :D
but i mean if i create a vb and i check the version in that macos
It will ask for the version of your machine. So you could just google the official version numbers on the internet and try them out.
u can do that
how is it possible that i get this answer correct
unless i can answer with any version
just google for that part if the versions are not
the same
🤷‍♂️
not even having taken that module before and Ive had several complaints with it lol
The module is cool. But it requires a Mac. But that's what it says in the description.
thanks

Same issue like I had!
Just finished Pivoting, tunneling and port forwarding module, if anyone needs assistance, DM me.
wow that ping kinda geinous
i will if i do need, im on it rn thanks!
Sure, looking forward to it.
This module provides a concise yet comprehensive overview of Security Information and Event Management (SIEM) and the Elastic Stack. It demystifies the essential workings of a Security Operation Center (SOC), explores the application of the MITRE ATT&CK framework within SOCs, and introduces SIEM (KQL) query development. With a focus on practical...
Folks
Congrats 🎉
Thanks, one step closer to the big bad AD module 😄
I need help with Shells and Payloads - The live engagement - Exploit the target and gain a shell session. Submit the name of the folder located in C:\Shares\ (Format: all lower case)
someone who finished macos fundamentals am just missing 1 question but i cannot finish it because i havent mac
i know how to solve it but i cannot do it because i havent mac if someone could help me
can anyone tell how can I find cms info
Search 'homebrew' for 'tmux', and one of the results ends in 'nator'. What is the full name of this package?
Hi i have a slightly different topic. is there anyone who could give me tips on how to properly make a test report using the CVSS calculator? Thanks in advance!
wdym
cvss is to know the risk of the vulnerability
following the CIA triangle
confidentiality integrity and availability if im right
what is cms info
content management systems (CMS)
what module
recon (information gathering)
I'm really struggling with the Intro to SQL Injections module. Is anyone able to provide clarification on how this all works? I just can't seem to wrap my head around it.
what section
Active Infrastructure Identification
Has anyone done the password mutation module? I did the walkthrough from the course to write a password list, but nothing is cracking when attacking SSH.
and which is the doubt
Quick question on Session Security - Exploiting Weak CSRF tokens: The text says
When assessing how robust a CSRF token generation mechanism is, make sure you spend a small amount of time trying to come up with the CSRF token generation mechanism. It can be as easy as md5(username), sha1(username), md5(current date + username) etc. Please note that you should not spend much time on this, but it is worth a shot.
I know that these are suggestions, but if you were to use current date + username, would it be more common to have an actual date (e.g. 05152023) or use something similar to a Unix timestamp rounded up or something or something else entirely?
did u add the vhosts?
Basically just asking what the most common ways to do it would be, because I can think of many 🙃
dont need mac: https://formulae.brew.sh/formula/s-search
yes
then just check what cms is running
read the section
i checked that
often just using your eyes and looking for the cms version number works
but cant find the answer lol
really? I found the answer immediately
lol
i must be just too tired then
completed 3 modules today
its the same backend as using the cmdline so if you couldnt spot it with the website you wouldnt spot it from the terminal either 😛
might have fat fingered spelling tmux
not able to get?
xd
yea was easier than i thought lol thanks
wdym
there are different tools to enumerate the infrastructure of a website
that I am not able find the cms
what command did u try
add it to /etc/hosts
same thing I did
i just tried it it works
how?
You can also just look at the web page and read it
gn
Would someone be able to at least give me a nudge of what letter the password starts with for the mutations module? I have been bruteforcing SSH/FTP for over 2 hours now.
I understand the concepts and mutations, I feel like this is just dragging out for no reason lol
You should be using the mutated wordlist using the password.list and custom.rules > use against ftp
Those are given in the resources tab
If it's dragging out then you're probably just using the wrong lists
i am, i ran the same command as in the module against the resources provided. I first tried SSH but was too slow. Switched to FTP, it’s still slow and haven’t got anything yet
Try using -t 32
^
Also, if you can get the password policy you can reduce the list size
Pw policy isn't needed if it's the pw attacks module
From the sounds it's just the pw attack module being sloooow
Oh also lowercase 'kira' for the user
If that's the module I'm thinking
Pretty sure there's an open SMB port in that module where you can get the password policies from
nah it’s the one for ‘sam’
It's not pw policies its just a straight up list but it's only one section
yeah i was thinking about trying to cut down the list, it’s huge. I know it probably hits toward the beginning or middle, but just not having luck
32/48 seems to work on average
well i thought SSH had a cap on threads due to the nature of the service but i could be wrong
if you didnt notice a big jump you did something wrong
plaintext protocol vs encrypted protocol designed to be slow to brute
If it’s the question I think it is, ||cut the first 17,000 lines||
thanks for the tip 😄
Crackmapexec - Skills Assessment - Question 3 - I've pwned the SQL server and have ||stolen the james hash and cracked it.|| I have no idea where to go from here. Any nudges?
That seemed to work @pine dagger , much appreciated
Anyone done the Attacking FTP section in Attacking Common Services module? I've restarted and waited a few minutes and the FTP still isn't coming up. I can read the proftpd.conf and read what port it should be on to answer the question, but I can't hydra the robin login without the service up 🫠
also side note: seems like ncrack is much better to use, at least for me
Does anyone ever finish the modules in the time it states? For Example, File Transfers show an estimated time of 3 hours to complete and it has a lot of material. Is anyone getting through the modules at the time listed?
Note: I am not racing against the clock, I am taking my time... I just wanted to know I'm not the only one.
Definitely not the only one. It took me 5 months to go through the entirety of the Pentester path.
It's just an estimate depending on how well you absorb knowledge. The times you can mostly just ignore
Some people only spend at most an hour on some modules that take others 4+
Also when a module states 'days' it is considering 8 hours as a day
Thank you both for the quick responses, that really helps. I can tell "Active Directory Enumeration & Attacks" will take at least 2 weeks for me even though it states 7 Days. I'm going through the Pentester path as well, so it's good to set my expectations early in the game.
No worries. The Active Directory module is epic. In fact, I might redo it just to cement some concepts and enumeration tactics. The crackmapexec module is also good for A.D. stuff.
I think the A.D. module took me 3 weeks or so.
Thank you for the insight. I will make sure to take detailed notes during that module.
I think so far I've spent maybe ~8-9 hours on it but I've been busy and not been touching it a few days at a time
I can definitely see myself going through the module again after missing days. Some skill assessments are rough if some days have passed in reviewing the material.
Later mates.
I have been working on the password attacks/password reuse and default creds section for about an hour now. I have the list that was linked in the module, and I have been trying all the password/user combinations over and over again both in the lab and in the answer box and nothing is working... I feel like I am going crazy, is there something I am missing here?
How early on is it in the module. If it's like the first one there's an open file share that has a pw list
And user list
Hello, I am having issues with the Attacking Common Services - Attacking SMB questions. I am using the password list provided but all passwords fail when using crackmap. Am I missing something?
its the one where you ssh into the target with creds from the previous section and then need to find the creds for mysql
nevermind, found the answer when the question was asked previously. Need to use the --local-auth option which isn't mentioned in the module
in the ftp one, did the FTP show up on port 2121 for you?
Also don't just spam every channel you have access to
Makes you look like a jackass
No worries. Limit cross posting. Know that youll get quicker responses in the relevant channels 😁
And people more willing to give a response
inb4 I get a warning

Module - Game Hacking Fundamentals
Section - Skill Assessment
Question - What flag is displayed when you successfully modify the HiddenScore counter to a value greater than 200'000'000?
I found 2 values 1 float and 1 double , tried matching the value.. not working. Anyone solved it yet?
If you still need help, send me a dm
Given the increasing number of defensive-based modules being released, I believe it would be fantastic if HTB Academy expanded on the Introduction to Networking Module. It would be great to have an advanced networking module that delves into setting up networks with VLANs and other components, while building upon the theoretical knowledge. Acquiring these skills would be incredibly valuable.
Yandex translator.
Can you help with the introduction to the academy? I do not know the answer in the Interactive section, I have already tried everything I knew. Thanks for the help
Thank you, this is the answer I was looking for. I didn't find it in the text, most likely not attentive
I have been struggling with Shells and Payloads - The live engagement question 2 for hours now if someone can point me in the right direction it would be very helpful
Even went and did shells and payloads a second time just to see if I missed something
never mind it was so simple haha pm me if anyone needs a hint with this
That's the one to do with the msf exploit yeah?
I hope not lmao im trying to upload a war payload rn
Ohhh the tomcat one
yep
Yeah that one was fun I didn't take good notes on it so it'll be fun to revisit lol
haha im taking very detailed notes this one hurts my brain
I never wanna revisit again
I remember Google being a good friend xD
How do I get cubes for the modules without paying i got the 200 cubes a month but it aint enough
You can't. You get some refunded whenever you complete a module but it's not going to be a net positive
Or just purchase the cubes outright

Reminder that some things can only be accessed internally
Don't speak in emoji
You could access via proxychain or just by signing into the foothold
¯_(ツ)_/¯
Pw attacks labs are lot about back and forth with files
Iirc
You shouldn't need to specify -h
But yes
hi
Or you know just do it from your foothold machine
Not at my computer to assist
But just a reminder: if you're trying to overcomplicate it, then you're probably doing it wrong
The module can be completed without proxychain
Iirc
IP may be a red herring if I'm remembering
Like I said I'm not at my computer and I've got work in a few hours so if after work you're still stuck. Lmk. Iirc it's fairly straightforward for the most part
Someone is probably gonna come by and reveal like the obvious answer xD
hello
Stuck on Password Attacks Lab - Medium initial foothold, I tried Hydra but get "target smb://10.129.202.221:445/ does not support SMBv1" and recompiled Hydra to no help. I defaulted to the Metasploit module and it gives me all false positives
what about crackmapexec?
well, can you reproduce the same issue using the workstation in academy
hi, i have issues with the file inclusion module. The problem is in the very first LFI exercise. As seen in the explanation of the module something like "...language=/etc/passwd" should at least (depending on if the Basic inclusion is possible) give me an error code in the "history" box. However, i end up with something like this:
nvm i can't post pictures
But the history box is completely empty
I'm using firefox, tried chrome too, tried reseting the target, tried a few bypasses but it just won't show me anything
just tried and same issues using workstation, I must be doing something wrong but can't work it out
--local-auth iirc
ok will try ty
😂 fml
can any one help me to solve the Active Subdomain Enumeration part
I am stuck there
I really don't wanna be annoying, but could anybody look real quick if this is a server-side issue or if it comes from the client
I completed it yesterday thanks
@snow coyote dm me
Skills Assessment - File Upload Attacks: I did everything right, bypassed the extension & I found the path
But when I try to access the file it doesn't exist
Hey GUYS, I'm on Shells & Payloads Laudanum and the module don't accept my answer. the absolute path with or without the filename of the shell don't work.... It's the same path on my Kali and in the PWNBOX... any advice? ||Even if I put the path of the symlink...||
have you checked the hint?
yes, it gives me the same path I answered
and you have specified the filename as well in the path?
I can't understand.... I've tried each path multiple time... This time it works! Thanks for the help 
Guys whats the best amount of tasks and timeout for ssh bruteforce with hydra
Hi, I'm stuck at the same point, depending on the way I launch sqlmap I get a HTB non valid flag or a blank table, any help? thanks
Hi same for me... any help?
Blind SQL methods have some error margin (which is worse with poor connectivity). Run it multiple times, and compare every output, to determine which is likely the 'correct' output. You can also likely just use context with this one, to guess what the answer is.
Alternatively, you could use a longer manual delay.
Command Injection Skills Assessment need hint?
Just found your message, after doing the same.
i am doing the Login Brute Forcing website assessment i got a few passwords for the second 'admin' login php page from a hydra run. None of them seem to work. I always get a 404 return when i try to log in. what might i be doing wrong? i find it weird that i have found multiple username/password combos...
i think i had a bad failure string
I need some help with the Active Subdomain Enumeration
Hey folks! I’m stuck on the Htb academy hacking wordpress “submit the contents of the flag file in the directory with directory listing enabled” trouble is I can’t actually get in to the website when trying to run wpscan it doesn’t work and I’ve tried so much stuff I just can’t make any breakthroughs. Any help or tips would be greatly appreciated. Thanks. Should have said I’m on the skills assessment - final part.
Hello Would you mind sharing more hints, I am stuck in this lab, I tried Hydra with username.list + password.list / mut_password list for ssh, smbv2, cme and metasploit and nothing, not able to get a valid username or password. Thanks in advance for the help. CME shows a shared folder /john, metasploit smb plugin shows false positives ; (
Im stuck on the Skills Assessment - File Upload Attacks
I got everything except when I try to access the file
also I got the endpoint for uploads file
Hello!
I'm stuck on Introduction to deserialization attacks skills assessment II. I know how to recreate the cookie object value, but i can not forge the sign value. I think that i found the right salt in the web page source code, but don't know how to use it and where i need put it. Any hint like $salt.$value how to recreate the sign value please?
Im doing the SMTP footprinting section and have used the supplied wordlist with smtp-user-enum but either get a bunch of false positives or 0 results command is as follows ||smtp-user-enum -M VRFY -U footprinting-wordlist.txt -D inlanefreight.htb -t 10.129.66.126 -m 20 -w 3|| note the -w flag option varies hence the false positives etc
looking for a nudge
is anyone here....
no
good
how are you today
I'm good, just smashing my head against a wall due to false positives, you?
Hi everyone, anyone have a hint or tip for me please? I can't find the flag4.txt on Linux Local Privilege Escalation:Skills Assessment. I found some credentials but I can't use it in any place... I already use LinEnum and LinPeas but I can't see the path. Moreover, I already check the services but I can't as well.
I can't help as haven't done it, but have you taken a break and looked at it with fresh eyes?
tom and jerry is the hint
I should do some pentest today and learned the basics of ai but I didn't do anything because of overthinking
I will go to play tennis, and try later. Thanks.
Thanks! I know, here it's the solution and where I can use the credentials I have found. Thanks!
hey im trynna transfer chisel with scp and i get this
and i get not a regular file everytime?
you are trying to transfer a directory
yeah
instead of a file
oh okay
yup got it now, thanks
If you want to transfer directories, you should check the manual, there is a specific switch you can use
yeah i just did when u said that :D
@autumn pilot please sir, can I have a hint......
well, there is a metasploit module which you can use
hey so when im using chisel, in the module they get this in output when connecting with server:
```
2022/05/05 14:21:18 client: Connecting to ws://10.129.202.64:1234
2022/05/05 14:21:18 client: tun: proxy#127.0.0.1:1080=>socks: Listening
```
this last line
but i dont get that
how can i know what ip and port for proxychains to config?
🤷‍♂️
check your proxychains config file
i did not even think to use it as it's not been introduced in the module/curriculum yet
wdym, aren't i supposed to set it up regarding what it says above
"2022/05/05 14:21:18 client: tun: proxy#127.0.0.1:1080=>socks: Listening"
but i dont have that so idk what to set in config
what ip and port
Hello all, someone can help me, i'm stuck on DNS footprinting
just finished that so let me know what you're stuck on?
I'm stuck on the last question, "What is the FQDN of the host where the last octet ends with "x.x.x.203"? "...
yeah this one got to me too.
don't forget special characters when using cupp
What the hell is that... 😂
I found 2 transferable zone, but no one gave me the good FQDN
so you may have to do some recursive DNS bruteforcing with a better wordlist
Not every zone allows a zone transfer from everyone
I try one by one 😂
Just figured it out. Everything was correct, however with the -u option it takes 2 minutes, without it, it would take hours... That should've been a hint from HTB 😅
guys if i buy one of the monthly plans for cubes do i get the cubes immediately
like 200 today then 200 in a month
yup
alr
weird, for me it took like 20-30 seconds by both specifying a username list and a password one
yea
I enrolled the penetration tester path, should i complete it in order from top to bottom as it shows the modules or does it not show by order?
Or should i complete all easy modules then move up to the medium ones?
Unsure if my box is borked as that module still does not give a result & I am using the supplied list. It's connecting to the server as it's getting the correct header etc. Just not showing any matched users.
Have reset box to ensure it's not the box
Think I may just be dense in this one
still not working
with a box reboot
FIXED! Dodgy VPN connection
still cannot get an answer with the supplied wordlist and recommended module in metasploit
there are no other switches that can be used so have no idea
Password Attacks hard - I am trying to crack the ||vhd|| hash but have tried the mut_password list to no avail, i'm trying the other well known list but that seems like it will take forever
theres methods other than VRFY
if you extract the hash with one of the john tool then you should get multiple hash and hint you are using the right word list so try with a different maybe (from the top down)
Ok thanks mate will keep trying
if the example from the section shows that you need sudo then you need sudo
feel free to shoot me a dm if you need
i had it installed in other vb
but in the new one is asking me to pay the license all time
yeah it is the example like that
but was just wondering since i needed to use sudo on ssh too
and if i dont have sudo priv on real engagement i couldnt use it
right?
my method for that is just ignore it
to test this you can just run the example command without sudo if it gives you an error then you got your answer but if it still runs just fine then you also have your answer
i will try installing it again
i need the license unless i cannot use it lol
oh wait which version of sublime text are you using? the main one is free the licence pop up is just a bit annoying
sublime3
if you are on linux follow this and install the Stable version and you should get sublime text 4 with i think the latest build and it's free with the license pop up thing https://www.sublimetext.com/docs/linux_repositories.html
edit: nope this isn't the case for sublime text 4 not sure how tf i can still use it in my kali
am uninstalling and installing it again
@vital adder now i can use it without license ty
i mean i can in my kali vm
module 147, section 120. If someone could help. I have used the usernames and passwords list in the resources tab to try to bruteforce ssh and ftp creds with hydra. I have used Will as user and the passwords list and no luck. I have used Kira and the passwords list, no luck. I have used Kira and LoveYou1 and still cant get any access via ftp, ssh, or smb. What am i missing?
you can just say the module and section name not the number in the url
Password Attacks - Credential Hunting in Linux
@vital adder can i ask u when i finish the script if it can be optimized?
yes but i'm 100% way too dumb to answer that question
hint ||Password Mutations||
thanks, will try again
Thanks a lot my friend, it worked like a charm 😉
can someone help me on the AD module Living Off the Land the last question " Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer. "
using Kira as user and the mutated passwords list that you hinted at, looking at a 2hr estimated time to crack. Is it okay to ask if i'm going down the right path?
someone can explain me why it tells Syntax error: "(" unexpected in this code:
```python
import requests
import re
from bs4 import BeautifoulSoup

PAGE_URL = 'http://143.110.162.231:31880'

def get_html_of(url):
    resp = requests.get(url)
    if resp.status_code != 200:
        print(f'HTTP status code of {resp.status_code}, but 200 was expected.')
        exit(1)
    return resp.content.decode()

html = get_html_of(PAGE_URL)
soup = BeautifoulSoup(html, 'html.parser')
raw_text = soup.get_text()
all_words = re.findall(r'\w+', raw_text)

word_count = {}
for word in all_words:
    if word not in word_count:
        word_count[word] = 1
    else:
        current_count = word_count.get(word)
        word_count[word] = current_count + 1

top_words = sorted(word_count.items(), key=lambda item: item[1], reverse=True)
for i in range(10):
    print(top_words[i][0])
```
line 7 syntax error
Not sure if helpful but the library is beautifulsoup, not beautifoulsoup
true nvm
and i was missing the #!/usr/bin/env python3
now it worked lol
nice
hello im really struggling with this question on Preignition, When using gobuster to dir bust, what switch do we add to make sure it finds PHP pages? for the love of god i have tried everything that comes to mind help me please
tier 0 starting page
You cannot select the method in metasploit?