#modules
thank you
idk I didn't use metasploit
which methods did you try
tried EXPN & VRFY
sounds like out of three different options you've tried two that haven't worked
this may be the wrong place to ask but do the cubes roll over?
**** Originally posted in pwnbox channel since it's related to pwnbox but, it's also very specific to HTB Academy so, I'm posting it here for help. ****
Hi everyone! Does anyone know how to copy something from the HTB module and paste it into a module instance of pwnbox?
I'm doing a Ffuf module and am trying to copy/paste the wordlist path but, can't figure out how to do it.
I would use the copy/paste feature for more than just this. This is just 1 example.
I know about the small clipboard button in the individual instances of pwnbox.
This same button doesn't seem to exist in the per-module instances of pwnbox.
where can we share ideas for modules?
i would like them to add more advanced scripting 🙂
Has anyone done Data Extraction under the module Blind SQL Injection -- MANUALLY? I used sqlmap to solve this one, but at a loss on how to do it manually...
Just add verbosity and look at the payload it’s sending with -v=3
You can also inspect the entire request with wireshark
or you can increase verbosity level, check the manual
Thx. Did that... And doing things very diff than what module is describing. I'm bad enough at SQL and this is way beyond my knowledge... Have you done this module?
The module should serve as a gentle introduction to the topic, not something rigid you should follow. And it’s okay if it seems to be completely beyond your knowledge right now 👍 you will come to find that HTTP requests and SQL injections aren’t so complicated after some practice
So just to confirm you did this part manually (no sqlmap)?
yes doing sqlmap manually is a good practice to understand what it’s doing
Can I get some help with working on dante? I cant get the ball rolling unfortunately. Not sure what I can say without spoilers
Cool -- kudos and hats off to you for completing it, I'll get there soon enough, thx
can anyone help me with the meterpreter question in the Metasploit module please?
What's the question?
Retrieve the NTLM password hash for the "htb-student" user. Submit the hash as the answer.
I'm in the SQLMap Essentials module and I keep having issues with the connection timing out to the target URL. Anyone else seen that or know what I might be able to do to fix it? I can't get past the first question because of this issue.
Have you tried doing an lsa dump?
i need to be more thorough, tried the hashdump and the other one but not lsa dump. Thank you!
Glad I could help.
Can anyone help with the Attacking Common Services module? Specifically Attacking SQL Databases and the question "Enumerate the "flagDB" database and submit a flag as your answer."
Have you tried signing in with the username and password you've already found?
Can I ask someone for help on Attacking Applications Connecting to Services please? Part of Attacking Common Applications
Sorry, I haven't made it to that module yet.
Does anyone have any hints or tops for the 3rd question in Running SQLMap on an HTTP Request of the SQLMap Essentials module?
I've tried using the mssqlsvc creds with mssql, rdp and pop3. I also tried that password with the sa user I found in the sql database. I must be missing something...
I’ll fix it in a bit
Try mssqlclient.py if you're using sqsh, sqsh doesn't work
Try sqlsh. That should get you in.
sqsh doesn't work for some reason
Sqsh is broken on pwnbox /parrot
Hello I'm having issues with the Nmap network enumeration service enumeration module
Ah, I see. I was using my own Kali box. In that case, mssqlclient.py should work.
Didn't work in my vm either lol
Just ask your question
is there a way to hide my commands? I don't want to accidentally reveal anything
yolo
I think i found the flag on the webserver, but its spitting out that its not the correct flag. I found it in the robots.txt directory
Is it a long string of alpha numeric characters?
It's probably a different flag
Ahh okay, ill keep enumerating
Does anyone have any hints or tips for the 3rd question in Running SQLMap on an HTTP Request of the SQLMap Essentials module?
I've copied the request header and pasted it into a txt doc. I then ran sqlmap against it with the -r switch and I get nothing. Even when I add --craw=2 to it, I get nothing.
If there's something I'm supposed to add to the txt file, I can't find where to add it or what needs to be added. Does anyone have any hints?
Did you copy the entire request or just the header?
The request. That's what the section says to do.
Yea, you should include the post data. then just sqlmap -r req.txt
So put the request and post in the same txt file and run it?
Yea, copy the whole request in the the file
Got it. I'll give that a shot. Thank you!
you can right-click on burp > copy to file
I've just been copying from the browser using the dev tools. I'll try and use Burp instead.
thanks mate, impacket with the -windows-auth option worked
That's still not working. It gets to a point and then just stops.
hi everyone! has anyone done the game hacking module? I was wondering if it covered game client/server data transfers, or if all the game hacking was local
I just ran it and it works, sqlmap skips header fields by default when testing parameters. Add * next to the id parameter to specify that's the one you want to test
Okay, so in the txt file I should put {"id":*1} , right?
Cookie: id=1*
Got it. I'll try that now.
Wait, this is for the 3rd question, right?
Yes, i believe that's the one you asked about
Yep, just making sure because this request doesn't have "cookie" in it.
Ah shit, mb, I was matching Case3 with question 3
No problem. I'm still getting to a point where it just quits.
I just did case 4, dm me if you'd like to not spoil
Okay, will do. Thank you!
need help in password attacks module "credential hunting in linux". download all resources. mutated password list. used the new mutated password list to hydra FTP. hydra -l Kira -P mut_password.list ftp://10.129.232.48 -t 64. 2 hour scan later and still no hit. I got a "hint" from someone saying to use the mutated password list but that didnt work. Could use some help.
Is there a fix with web enumeration in the pwnbox? Everytime I try to run it with the generated target, I get an error that it is unable to connect
HTB Staff any help with this?
Can someone help me with Information Gathering - Web Edition - Active Subdomain Enumeration. "Find and submit the contents of the TXT record". I have no idea what's going on
Try mutating kira's password you found earlier and testing it against the available services on the box
ok, will give it a go. thanks
I've done a zone transfer (nslookup -type=any -query=AXFR inlanefreight.htb ns.inlanefreight.htb) and was able to get a list of subdomains. no idea how to move forward from here
Sweet. Found it
you're welcome 🫠
are you talking about Kira's password that's given in the hint? I did not come across Kira the user prior to reading the hint.
Oh i guess it was the hint 😅 my notes just said "password gained previously"... must've been talking about our "colleagues from the hint
no worries, thanks again
meh. so i bruteforce using crackmapexec. Get successful creds. Still cannot access the SMB share with those creds. Tried using those creds to SSH and FTP in and still no luck. Rabbit hole?
@fringe shell
I will dm
👍
has anyone completed pop3/imap on footprinting?
yeah, whats up
im starting new need help with netcat on first module
forward host lookup failed: unknown host
because its domain joined and you have to tell it that with..\\
its not broken
I actually find it more efficient lol
👍 Good to know, i'll try it out next time i need to connect to mssql
alrighty
Its easier to execute batch queries with it or at least for me
can I dm?
Sure
alrighty thank you
Hey!!
hello 😄
Hi all, Did someone come across any mind map made just for CPTS track?
Or any idea how to revise all the studies again? Its a huge course to learn in one go. Just my thoughts
im interested in this as well .. iv been highlighting modules/lessons in my notes that i need to retake but still much deeper understand is gonna be required for the exam
Hello I would like to learn attack of active directory and I would like to have a certification for confirm my formation? Can you help me plz?
there are a few modules covering AD in Academy
yes I see but a certifcation? Is there ?
well, if you want a certification you can go for CPTS
Thanks !
If you want to specifically learn about attacking AD etc do CRTP / RTO etc.
CPTS if you want a more rounded approach, some of the labs are fun, some are fucking awful.
I am currently doing the the skill assessment for LFI, I'm trying to get LFI and read /etc/hosts.
||So far, I've read the source code and found <?php if(!isset($_GET['page'])) { include "main.php"; } else { $page = $_GET['page']; if (strpos($page, "..") !== false) { include "error.php"; } else { include $page . ".php"; } } ?>
I can see that any string with ".." is sanitized so i use payloads without it or I double URL encode my string. Whenever I try to read the /etc/passwd file I receive a blank output, I assume that its because ".php" is appended to the end of the string, however I can't seem to be able to bypass it, I've tried using filter wrappers, path truncation, null byte injection but nothing seems to work. I've also tried all of these with various different prompts but can't seem to get LFI. Is there something I am missing or doing completely wrong?||
any help will be much appreciated
Ok, I was checking source code and found:
||ilf_admin/index.php||
Success
I'm going out on a limb and saying you got errors saying some agents couldn't connect. That's because you're using too many threads I've found between 32-48 threads gives the answer
Remove the password from this as it's a spoiler
Yep. Figured it out. Thanks
Done
While it wasn't their actual password don't want people falling down incidental rabbit holes
If you're still working on pw attacks. I recommend keeping all the passwords you come across
can anyone tell me if cubes roll over into the next month if you don't use them all? I'm assuming they do, but I can't find anything that states it
hey for password attacks lab medium, i have found a zip file, got the hash, cracked the hash but getting errors when i open the file. any ideas?
Yes. Because cubes arent some sort of nebulous thing. And the fact that you can buy them outright would be pointless if they didn't
How are you trying to open it?
Thanks - i was hoping that was the case
nvm think i got it XD
XD
Rip
Copy the password into a text editor and make sure there's no weird spaces or anything at the start or end
Or just copy/paste lol
yea im just typing it
what i need to write to hide the hint?
|| before and after
2 of ea
ty
~~Hey, I am at the last skill assessment of the AD enum module and when I try to LLMNR poison I get this:
Why does it says that it captured the hash but does not print it. (I used sudo responder -I ens224 -wF)~~
Solved it with -v
need help
i got the flag of this question : Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.
but it's still saying incorrect ans ??
check for spaces
Hey guys i just started the linux fundamentals module and i wanna ask
I wanna answer
nah mate no bad spaces
regarding the VPN connection file and SSH connection, can i do it on windows too? or exclusively on linux?
There's no reason to do it on Windows. It's best to use it on Linux. The only reason to use windows is if you're trying to attack with windows.
or just kali-undercover? 😛
No idea what that is
if u have kali linux try that command
don't care enough to ¯\_(ツ)_/¯
DM me the flag you have
Greetings to you 👋🏽
I'm trying to get RCE on the LFI skill assessment:
||Im using burp suite to log poison, but the logs dont seem to show up? I'm getting 0 matches||
For the past few days I've had major problems with the targets in htb academy. The targets keep freezing. I usually get to do a few minutes of work on the target, and then I have to restart it. Is it just me? Even when using the pwnbox I keep having this problem. Yesterday whenever RDP kicked me out, I just kept swapping between my VM and the Pwnbox since I couldn't connect back with the same machine for the next few minutes.
If I just try to wait out the problem, it takes 3-5 minutes for the target to start responding once again...
Please can I discuss with someone in PV for my research?
you need to use single quotes to poison log file - if it's broken then you need to reload the target and try again
reach out to support
Hi, I have a problem with the first question of the section "Attacking SQL Databases" of the module Attacking Common Services, can you help me?
what is the problem
me too please
take a look at the plugins
I am working on Password Attacks, Credential Hunting in Linux. I am unable to get lazagne running on linux(I don't have python2.7). What is the recommended method of setting it up on my VM?
Hey everyone
I have a problem with the footprinting hard lab
I got the key from toms mail box and then I tried to login over ssh.
But it show me an error. “Load key “id_rsa”: invalid format
tom@10.129.202.20: Permission denied (publickey).”
I change permission with 600
change RSA perms
The rsa key needs the begin and end lines
Thanks for the follow up, I got it already, thanks a lot for the hint!
I could use some help on the broken authentication module. section predictable reset token question 1 so far. I can get the epoch time and they give the username for the token we need to find. but i dont know what script they want us to make. i tried modifying the php script and get parsing errors. im not sure how the username and time are connected to render it a md5sum because ive tried the "username . time" as shown but they keep ending up incorrect. im unable to recreate the original token hash because i dont know how its supposed to be formatted prior to the hashing
im doing pivoting module and socksoverrdp section and when i try using mstsc i get this
is there any kind of guide on how the VPN thing should work on Linux?
not sure what you're asking here.
going to go out on a limb and think you're asking how to connect using the provided openvpn file? sudo openvpn ~/path/to/your/vpn/file.ovpn
Hi all, need a little help with restic. the password I found seems to be incorrect, i can't chack the repository... (module windows privilege escalation)
*check
Make sure there are no spaces or something at the beginning or at the end.
can i send you a private message please ?
sure
This is common, happened to me and a few other fellas, I can help out though. Dm me.
I could use some help if anyone has gone through this module
using web proxies skills assessment 3rd question i know i need to find a result with a different result, i cannot, here's what i have done so far:
||i sent the request captured from http://[target ip]/admin.php i set the payload to alphanum-case.txt i set the payload processors to the decoded cookie, base 64 and ascii hex.
then i tried to run it, mostly 200s some had different lengths but there was no one different from the others.
i tried to include admin.php in these: §§ but it was giving me a different original cookie so i deleted them off admin.php|| may i please have some help?
I have a solution but it doesn't involve Burpsuite, my solution is through a tiny python script, let me know if you would want that.
sure, may i dm u?
Sure.
Going through the CREST CRT path modules prepares a person to take the exam. I heard that you need other pre-requisites to be eligible for the exam? Is that the case?
hey guys, I need help with the AD enum and attacks module.
I am currently doing the DCSync exercises and I need to use both the Linux and Windows attacker machines. In the module it says to ssh from the Windows machine to the Linux one and the IP and creds are given. However, when I try to do it, it says permission is denied (it doesn't accept the password). Any help?
that is correct but shouldn't it work also by just opening it from downloads?
no. the file you download is just the config file for openvpn follow. you still have to use the "sudo openvpn" command to start the connection
Ah so CPSA first and only then CRT. Got it, Thanks!
*sudo
Anybody around that could answer a question on the IDS/IPS Evasion Medium lab?
I got the flag, but had to use the spawned instance of pwnbox rather than from my kali machine. Used the same commands both times. Is there a reason why it worked on one and not the other? Would I be better just installing parrot in my virtual environment to work through the course that way?
are you using the tcp or udp connection when using your vm?
udp
what Marcie said. if you're using the TCP vpn connection, for some reason it doesn't work correctly. but the UDP one does
youre sure? because thats the issue i had when going through that. switching to a new config file for UDP fixed it
nevermind.. just opened my vpn connection. The website showed udp selected but my file is tcp
/doh
happens ¯\_(ツ)_/¯
what exactly have you tried and what is not working?
Creating a xor Cypher, I am stuck at where to begin tbh
I'm also utilizing Google to research it on my own as well but I figured I'd ask you just in case somebody has like a hint of what I can do I don't want the answer
So I guess the answer would be I have only tried researching, I have not put in effort yet with what I've gathered so I'll come back when I've exhausted if I haven't gotten it on my own
Thank u
This question?
Create the XOR ciphertext of the password 'opens3same' using the key 'academy'. (Answer format: \x00\x00\x00....)
Hi there! I am new to the academy 🙂
@terse igloo
If yes, have a look at this chapter again
https://academy.hackthebox.com/module/20/section/116 > Symmetric Encryption
Can anyone help me with the question im on?
someone who completed the module siem fundamentals
am trying to find the logon type but it does not show it
i see thank you
I've yet to see this section, maybe I should do this one first so I can have a better understanding about it. Thanks 👯
Yes absolutely. Always read through due modules first. Then try to answer the questions.
Hi, i am doing the module, Active Directory and windows Security. But i can't access the VMs in RPD since a couple of days. You guys have the same issue ?
hey how do i make win32bof.exe accept data in the Stack-Based Buffer Overflows on Windows x86 skill assessment ive just been trying with a basic python script at port 21449 but nothing seems to happen
Oh I always do 😂 its just I'm a freshling
No problem. Everyone here started from 0
hello everyone, I am new to this website and is going to try out the Penetration Tester on hack the box, excited to see how much i learn from this.
good luck!
So basically openvpn and the file, correct?
correct command should be 'sudo openvpn /path/to/file.ovpn'
thank you good sir
np
is the System Information by Linux Fundamentals supposed to be done from the VM or a private laptop?
its recommended using a VM. probably kali or parrot OS
i meant the instance that HTB provides or something from our side
Either or. the instance is going to be parrot OS. but you can use a VM too. either way works
ye just the parrotOS really hangs hard on the console for me currently idk why
VM is de wey
Is anyone going to help me with the question im on. i just need someone to explain what i need to do Broken Authentication. Predictable reset token question 1. ive already got question 2 but im not sure what script they want me to make and the script provided gives me traceback errors
I'm stuck on the File Upload Attacks Skills Assessment. I found the ||upload.php|| location. Tried to POST a ||SVG file|| for ||XXE|| and I get an error: ||only images are allowed||. Can anyone assist?
did you modify the magic numbers in the hexeditor? whats the extension on your file?
I'm confused
"The Oracle Transparent Network Substrate (TNS) server is a communication protocol that facilitates communication between Oracle databases and applications over networks."
how is it a server and a protocol?
I used the magic bytes from the website mentioned in the Type Filters section. I kept the magic bytes the same as the content-type header and the extension, so file.jpg, content-type: image/jpeg, and that "yuyo" weird looking magic byte for jpeg for example
did you bruteforce the acceptable extensions?
Question: If I buy the student subscription (it says unlimited pwnbox access) would I also be able to use the pwnbox when I’m not doing a module on academy HTB? (for example to use for an active machine on the main HTB platform)
Yes and I get only images are allowed or extension not allowed so I have an idea of the extensions being allowed
ok. so using the known good extensions. do you know of any of those that will work with the XXE inside a SVG file? i know in the module they gave a few lists and in one of them it should have a file extension that allows for it. then after that just need to work on the magic number
man its frustrating when a module gives you a specific password list in the resources, the password isn't in the list and it sends you down a rabbit hole for an hour until you just try rockyou and get the creds 🫠
Just saying but the AD enum and attack module was insane. Like the Skill assessment took me overall probably 8h. But coming from "I don't know anything about AD" to "I actually can solve the skill assessment" is awesome now 😄
Got a question on the first question in the SQLMap Essentials module. The Attack Tuning section's first question says "What's the contents of table flag5? (Case #5)" and the hint says to use the -T flag5 option and the --no-cast option as well. I have run this multiple times and I still get to the end of the run with no flag found. Any ideas what I might be doing wrong?
me or other people
aa
this is questions xd
Just to anyone who has made it through this module.
speak in spanish please
hello
I don't speak very much Spanish. Sorry about that.
try, I try to speak in English
Is anyone else available to assist with the SQLMap Essentials module?
hit me
The Attack Tuning section's first question says "What's the contents of table flag5? (Case #5)" and the hint says to use the -T flag5 option and the --no-cast option as well. I have run this multiple times and I still get to the end of the run with no flag found. Any ideas what I might be doing wrong?
have you added risk, level and the database?
I've even added --dbms=mysql and set the --level and --risk as high as possible. Still no result.
-T?
Yeah, -T flag5.
It runs for about 5 to 10 minutes and then ends with nothing found.
are you dumping ur finding?
I'm dumping.
Wait a minute. Never mind. I'm not sure what happened, but it suddenly coughed up the flag. Thanks for the help, though!
nice 😄
Uh, it says it's wrong.
didnt wanna say it... but yeh i had to run it 4-5 times
Recommend save flags each time and compare
Okay, will do. I'll keep at it.
I can't seem to complete the File Transfers - Detection module
It just keeps giving the same flag. Is there something I'm missing? I'm even changing the level and risk. Still getting the same flag each time.
u added commands from the hint?
Yes, the -T flag5 and the --no-cast.
nonononno, I SPEAK SPANISH AND ENGLISH, EVERYONE SPEAK IN SPANISH, ONLY WHEN THEY ARE GOING TO TALK TO ME
speak English please
if it's public, it has to be multi-Hispanic
srry
In the Login Brute Forcing Module, on the first question in the "Service Login" skill assessment, I need some help. I have used username anarchy to create a username list which is 15 line long, because i dont know what "usernameGenerator" is. Also i used cupp -i to create a wordlist multiple times, first i used <firstname> and <lastname>. and then i used that with the birthdate. I got fully through the first list and most of the way through the second list, but even in 90 minutes the second list didn't fully finish, because the machine shut down. I have been brute forcing for hours and gotten nothing. Can i get a hint?
Have you tried using Username Anarchy?
@red current yes and it is 15 lines long
That username shouldn't be that long.
How can I identify group membership of a specific AD user from a linux attack box?
@red current the username list is 15 lines long, not 15 characters name. is that still too long?
rpcclient or ldapsearch or bloodhound.py
Appreciate it thanks
Oh, i misunderstood you. That should be fine.
@red current yeah that is what i've been using though and unless it is meant to take this long, something must be going wrong
idk what it is though
It shouldn't really take very long. Do you want to DM me? I took really good notes on this assessment.
yeah sure
Just did the easy assessment for "Attacking Common Services" and the flag mentioned there were 2 ways to get it. I'm interested to know if anyone else has done it and if they did it differently
how do i transfer a file using xfreerdp? in the command line
im trynna figure out for hour lol
i cant find anything good online
/drive:/home
just in the command?
add ur path to end of the xfreerdp command
xfreerdp /drive:/home /v:ip /u: usr like this?
xfreerdp /v:IP /u:username /p:password /drive:/home
okee thanks!
works!!!!
😄
okay im kinda stuck on pivoting skills assessment, im onto the first pivot user mlefay and im stuck there the whole day
i am stuck many hours on command injection bypass black listed commands trying to cat file from users home
i just used mimikatz for lsass since thats what it says in the hint, but am i supposed to crack the passwords or what?
oh shit i think ik that one
i did a ctf that they said at the end was made by that module lab
ughh im trynna remember give me a min xd
if u dumped the lsass then have a good read of the output
||pass null?!||
ohh wow
i didnt expect that i had to exploit this lab
i thought its just gonna be pivoting n portforwarding lol
should be called pivoting/portfwding and file transfers XD
any advice on the command injection
Anyone notice that the powerview cmdlets in powershell provided in the examples (WinAD A&E)--some yield no ldap results and also STDERR out silently (2 arg; .ctor)?
The exact query is Get-DomainObjectAcl -Identity * |?{$_.SecurityIdentifier -eq $namesid}. This command example should technically work. When appended with -Verbose, no output is provided UNLESS is in Get-DomainObjectAcl -Identity * -Verbose which then you can see the LDAP query service.
The task was to find the specific ActiveDirectoryRights/ExtendedRights to a particular group over a user. Anything helps. I've tried different queries, with one yielding the answer I feel like inefficiently
are you putting the verbose after the $namesid}
uhm, so the example states after {} -Verbose in the comment above
I dont think that would work, since your telling Where-Object to run verbose and I dont think it has that option
It would only make sense to me, to put it after the -Identity * since that would tell Get-DomainObjectAcl to fun Verbose
Although I havent made it to that section yet so I don't know what exactly its telling you to do
(See comment about task)
It doesn't. The beginning of OP states that some of the powerview powershell cmdlets that some yield no ldap results and also STDERR out silently (2 arg; .ctor)
Can someone provide a nudge finding Will's password in the Linux Credential Hunting module? I have run a few tools and attempted to run others, but no luck on finding it.
need some help, password attacks/credential hunting in linux. able to ssh in as k*** but cannot find any credentials for Will. i transferred over firefox_decrypt.py. chmod +x, then tried running it and get this error. ./firefox_decrypt.py
Traceback (most recent call last):
File "./firefox_decrypt.py", line 46, in <module>
PWStore = list[dict[str, str]]
TypeError: 'type' object is not subscriptable
Am i even going down the right track?
Right but you said this command Get-DomainObjectAcl -Identity * -Verbose yielded results? Just not the ones you were looking for?
try using a tool named after a tasty dish @rotund urchin
so i did that a few min ago and got the same traceback error
are you using it on the target machine as the k user?
transferring "tasty dish" to k user. chmod +x. try to run it and get the traceback error
you think i should run this in pwnbox?
did you transfer the whole folder?
'tasty dish' in python needs the whole linux folder
just zip the whole folder and transfer that over
read above if you're still stuck
I tried using that. I tried copying the repo and the compiled version over to the target, but neither version would run
says it was missing dependencies
dm'd ya
anyone know why my module sections aren't being marked as complete?
There is a button "Mark complete & Next".
You have to click on it. Only then the section will be marked as complete
lol
I understand that much. It's just not marking as complete when I click "Mark Complete & Next". I've tried logging out/in, deleting cookies and multiple browsers
Have you answered all the questions on the page?
Yup 🙂
just going to move on for now, but leaving that module incomplete is really bothering me
Open a Support ticket (Green Bubble)
i did
Can someone give me a nudge on Blind SQL Injection module; Assessment Q1. I have tried manual injection and sqlmap on login.php and index.php. Tried injecting user agent, referer and cookie fields but no luck. Also reset target a couple times
anyone able to give me a pointer on initial enumeration for the Attacking Common Services - Medium Assessment. I've pulled out a few domain names, but apart from straight brute forcing pop3 and ssh, i'm lost
if you are not seeing a specific high port, then you will have to reset the target until it comes up
is anyone available to assist with the Web Attacks module, just looking for a nudge using burp
which section, or what is the exact question that you have
Is that in response to my request on Blind SQL Injection module?
nope to Skillet37
haven't done the blind sql injection module, therefore I won't be able to help you much
ahhh cheers, i'll give it a couple resets
the magical port has appeared 
After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer.
hey I am kinda stuck here
i got the nc connection but its not responding
module :NETWORK ENUMERATION WITH NMAP
contents :Firewall and IDS/IPS Evasion - Medium Lab
@everyone
sorry, i dont have notes on this one, but i assume you can just use nmap and do a service/script scan on the port?
Ok, i just did it again, you should know DNS works on TCP and UDP... that should get you there
sudo nmap -sSU -p 53 --script dns-nsid 10.129.2.48
this was the command for the scan
i've spent hours but it was worth it lol
mine was similar, but i just did -sV instead of the exact script
this one looks hard : Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
got it
Anyone there who can give me some advice on htb academy?
for someone who's just starting should there be any pre requisites before doing any of the modules?
or are the modules already fundamental enough?
some bts would be great ig and also some knowledge of networking and also some basic knowledge of Linux
thank you
im currently enrolled in the bug bounty hunter programme but I plan to do both paths
Im doing some tryhackme and when I feel ready Ill hop on htb academy
everyone tells me htb is quite hard
u should go slow u should make ur basic strong first
it'll only puzzle u by hoping one thing to another
go for the basic and make sure u have a good grip of burp networking and linux
when should you know youre ready for ctfs?
i mean u can go for it anytime but what would u do if u don't know non ?
u will google it and then get the ans that is non but wasting ur time
but what is the basic knowledge required to attempt them
learn tools like burp ghidra hydra etc ..
there are a lot it all depends on what kind of ctf ur playing it could be web crypto pwn
those are just tools
there are tons of em
okay thank you
ayo am stuck again
Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
module: NETWORK ENUMERATION WITH NMAP
content: Firewall and IDS/IPS Evasion - Hard Lab
nvm got it (sudo nc -nvv -p 53 10.129.57.209 50000)
Hello everyone i want to buy cpts job path can someone help me to explain me which plan should I buy
Are you just going to do CPTS?
If you also want to do modules from the CBBH path, the silver annual subscription is probably the cheapest option.
Or you are a student. Then check out the student subscription
No i want only cpts
If i'm student in HTB Academy?
No, student in an official university
Then register with your university email address and you can sign up for the student subscription.
So i have account yet with different email now i should create new with my university email?
I'm sorry for the dumb questions but i don't want to make mistakes
No, you can simply change the mail address in your HTB Academy Account
I see only one plan for students that's for 7 euro on month
That's what I'm talking about. You can do all modules up to Tier II with it
Nice
Once you have completed the path, you can buy a voucher for the exam.
So the voucher is bought separately
yes
Thank you so much
If i buy that plan for 7 euro it will unlock me all sections in the cpts job role path right?
Yes, you can complete all modules in the CPTS and CBBH path
Thank you so much for the answers
Do I have to transfer the money every month to unlock the modules or does it automatically take the money from my card
As long as the subscription is running, your credit card will be charged every month
Is anyone else having issues spawning an AttackBox instance?
hello, i am new, you can call me pika or colress
Yup, pwnbox instance is not spawning
contact support
cant spawn pwnbox at all
Message support on the website
Hello all. US ACADEMY 3 VPN is going down for maintenance. Please switch to different VPN servers for the time being.
Thank you 
is also pwnbox down?
Nope
Please allow a few minutes.
okay
apparently
yeah its not working
support not answering either 😄
just got an answer saying that they are aware of the issue and working on fixing it
The VPN server is back online.
question on password cracking section Passwd, Shadow & Opasswd. i found the .bak files and unshadowed them. i then deleted everything but root and then ran hashcat. hashcat is showing a 3+hour estimated time to crack with the rockyou list. Am i going down the correct path and just need to be patient?
what about the mutated password list?
guys who can help me with DANTE?
snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0
Can someone explain the command and the flags to me? Because explainshell.com doesn't have an answer.
snmpwalk is an SNMP application that uses SNMP GETNEXT requests to query a network entity for a tree of information.
A typical query with "snmpget" might look like this (in this, requesting the OID for the BalanceNG version):
thank you. Normally Linux has man-pages but for snmpwalk one doesn't exist.
hey guys im doing pivoting module skill assessment
i got creds for vfrank but i can not access it
i try to connect via mstsc.exe and it says creds are incorrect
even tho they should be fine
do i maybe need to input a domain also or no? thanks
i alr checked with someone else and they say the creds are fine, what can the error be?
just checked my notes. don't have anything special regarding that step. maybe mistyped or something broke when copying?
anyone around that has completed the Documentation & Reporting Practice Lab final lab?
I also set the resolution to dynamic but it doesn't look like I can change it. Am i stuck with this crappy resolution? I was trying xrandr but nothing was working
I'm not 100% sure, but I think the resolution is given. You can not change it
yeah i just decided to ssh into it for terminal access. from my understanding I just run everything over again?
If I remember correctly, you need the graphical interface
Can the language of the website be changed to Spanish?
no
with this module, they do a password spray to get asmith's username, when i ran enum4linux to pull all the users that list was much smaller than theirs. Am i missing something or should I just assume that asmith is a user and trust their results?
well, go over the notes, and make some assumptions
based on them try to think what would be the next step
ok i was trying to conduct the test blind and was trying to figure out where they found this user
i have 1 question about defensive security
when should i Consult with IT Operations or Escalate to a Tier 2/3 analyst?
Pwnbox still down ;//////
asking again, question on password cracking section Passwd, Shadow & Opasswd. i found the .bak files and unshadowed them. i then deleted everything but root and then ran hashcat. hashcat is showing a 3+hour estimated time to crack with the rockyou list. Am i going down the correct path and just need to be patient?
Iirc you should be using the given password, mutated password list. But it's been a minute
i dont think that's right. if you have notes could you take a look?
i already did the mutated password stuff for "will" and got in, now it wants me to find password for root. section is all about /etc/passwd /etc/shadow. so i dont think it has anything to do with mutations
It's still cracking passwords
It's entirely possible it's in rockyou
Also a lot of this module regards patience
if ur cracking it try online first (most of the times it works with htb labs)
if not make sure u use good wordlists
u have a lot of crackers online 🤷♂️
will do, thanks guys
when i use gobuster the percentages interrupt the results
how do i fix that
it's a bit hard to explain without an image
You need to verify. Then you can upload images
#welcome
hi all, im stuck on the question "Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What is this user's account name?" on the AD Enumeration & Attacks - Skills Assessment Part II section, does anyone have a tip?
Ah okay
SSH was definitely the way to do it for the documentation and reporting. It made it very simple and I didn't have to worry about proxychains. But it is still bugging me why i can not enumerate and find asmith without using the obsidian notes. I wanted to do this 100% blind to practice and that is the only part that I wasn't able to figure out.
running
enum4linux -U 172.16.5.5 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
Gets me a solid list but asmith is missing from it.
nm I just found asmith running this
crackmapexec smb 172.16.5.5 --users
how did u? 😄
My brother in Christ that was from a year ago lol
gotta do what you gotta do
^
🤦♀️
Instead just ask your question here
Like including " I tried doing x thing for this but I didn't get answers" or
"I'm stuck trying to do thing"
for anyone that wants to test password spraying on the documentation module this will create you a user list.
||```
crackmapexec smb 172.16.5.5 --users | awk -F' ' '{print $5}' | awk -F'\\' '{print $2}' > users.txt
```||
Asking someone from something greater than a week ago is less likely to get you an answer
It's probably something simple that was overlooked
Is usually the case
Or a simple command switch missing
I'm on Linux Fundamentals Module in the Containerization section, and I'm attempting to "Configure the network settings for your LXC container.", I'm using the command "sudo lxc network create lixcon1" but I get this result:
Any ideas? I've tried to go through the options of lxc itself and google but I haven't found anything to lead me in the right direction
https://discuss.linuxcontainers.org/t/unix-socket-connect-no-such-file-or-directory/15093
https://github.com/lxc/lxd/issues/5423
Lxc is down and I can not see the list. I get this error lxc list Error: Get “http://unix.socket/1.0”: dial unix /var/snap/lxd/common/lxd/unix.socket: connect: no such file or directory
Two articles I found within 5 seconds of googling the error
Weird, when I looked it up it led to only three results that didn't help at all, but thank you! Looks like I didn't have lxd installed (didn't know that lxc/lxd are different)
can someone help me with this question, i dont know what to do: Search for "WordPress xmlrpc attacks" and find out how to use it to execute all method calls. Enter the number of possible method calls of your target as the answer.
hacking wordpress login section
this is the hint: ||Look at the "system.listMethods" method. You can filter and count the number of results with the help of "grep" and "wc".||
Probably grep for method and piping it to wc just counts for you
i am trying this: ||curl -X POST -d "<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>" http://178.62.74.235:32534/xmlrpc.php | grep -i '<value><string>' | wc||
grp
anyone having issues spawning their pwnbox instance?
I am getting no instances available
"Error
There are no available instances. Please try again later."
contact support on the site
thanks
You can complete the Penetration Tester path within 100$ right?
Between $100-200
The raw cubes is $200 I didn't do the math for refund cost
For the easy/medium modules that refund a portion of cubes on completion
But, a Gold+Platinum would give 1500 cubes which is around 110$
that should be enough to complete the path right?
Click on the path: it will tell you (an estimated) cube cost
It does say 1500, so the Reward cubes are the little cubes you collect overall from completing the modules right?
Yes
Thanks guys
You've already done a few modules. Therefore you need less cubes now
Ah yeah, when I started I made the calculation that I'd need to get Gold for the first month and platinum for the second.
hello all, i need some help please .... password attacks module ... credential hunting in linux section ..... i cannot connect to ssh using the username and password declared in the quiz hint
kira?
yes
You need to mutate the password given
Tried to read through all this and then some and it left me confused without a solution 
I'll keep looking
check for the hint
yeah, isn't working for me - first time I've ever had trouble getting pwnbox going.
^ Still can't figure this out. I'm gonna take a break and come back to it because it's draining me mentally lol
Yeah, I tried web support but still no answer
DM me pls
I finally got one, just when I was about to give up and go to bed. Hope it works again for you as well!
erm question
if i had lets say a blocked Chromebook (totally not school) and they blocked extensions and being able to enable developer mode is there another way to download extensions ?
like a script
that will download them 4 u
or what
password attacks module, ......... section: Passwd, Shadow & Opasswd............ quiz: how can i find the root password hash if the user will is not in the sudoers file to access etc shadow
someone who completed hacking wordpress, skill assessment section for sanity check please
am not sure if im doing what i have to do
No, that errored with "~2 arg..... .ctor--".
Basically, I modified the cmdlet query and achieved the results in what felt like an inefficient way when the example provided should have been the intended. Get-DomainObjectACL -ResolveGUIDs -Identity * | ?{$_.SecurityIdentifier -eq $groupnamesid} -Verbose resulted in a silent loop error that becomes apparent when you instead place -Verbose after Identity *. I tried something similar that I included in my notes (but I'm not logged in to view them).
What uniquely identifies a Service instance?
I recommend learning your standard port numbers and try understanding simple protocol misconfigurations (e.g. the "beginner boxes"). Things like SMB, FTP, etc were all good but I highly recommend learning your port numbers and the services involved. That way, misconfigurations pique your interest and allow you to understand how one may leverage that misconfiguration.
What happens if you run this without the verbose at the very end? Get-DomainObjectACL -ResolveGUIDs -Identity * | ?{$_.SecurityIdentifier -eq $groupnamesid} -Verbose
Sounds like you need to enumerate AD a little more. Depending where you are, PowerView, bloodhound, and LLMNR/NBT-NS Poisoning are your friend
The sound of Silence my friend
Hmm well the verbose at the very end shouldn't work, because Where-Object shouldn't have a verbose option I would think. So it makes sense that putting it after identity would work, but if thats what the example shows, I would think that would be wrong.
I've just been taking it as a way of "this is a problem, gotta solve it". Which is awesome, but also RIP because I've spent hours between connectivity and troubleshooting. Mainly browser issues
Still, if I can solve it, I can proceed.
Thank you shockp
Yeah I would say you should be good. The verbose in the first command makes sense to me, you could post the error in erratum. I believe thats the place to post errors in the text or commands given in the modules
Awesome, I'll note down the cmdlet queries I've had true issues with and provide alts if I find any.
someone for sanity check in wordpress - skill assessment
What's the issue?
Submit the contents of the flag file in the directory with directory listing enabled.
||the flag is in the plugins directories?||
because i have enumerated all and couldnt find it
i already finished pwning the box by the way but still missing 1 question lol
- Submit the contents of the flag file in the directory with directory listing enabled.
if it is 500k im down lol
I'm in the SQLMap Essentials and running into an issue with the Attack Tuning section. I found how to do the second question, but it repeatedly times out before completely giving up the flag. Is there something I'm missing?
It's not a hidden file, yeah?
And do you have perms when searching?
I don't know why, but I just decided on a whim to look for any past replies in the HTB DCs (discord server) and some have noted a 20-35min wait time. oof
u didnt complete the module i think
I am on this section now, make sure to check the home directory of the user
I am on this side: https://academy.hackthebox.com/module/77/section/728
Under the title Install SecLists stand: Next, add a DNS Server such as 1.1.1.1 to the /etc/resolv.conf file. We will target the domain inlanefreight.com, the website for a fictional freight and logistics company.
I don't understand what I have to do with the file resolv.conf, because in the page we don't make anything with this file. Or?
no, just enumerate the directory
When I spawn a target, is it normal for 20 minutes to pass in real life and according to the target it's already been 50 minutes?
but there is no flag lol i even got root to check the plugins where i needed admin
but nothing
Thats time left not, time on the machine
I mean that 20 minutes should be subtracted, not 50 minutes.
||nvm just got it with root||
it wasnt the intended way but well i was creative lol
Are you able to navigate to inlanefreight.com in a browser?
When I write inlanefreight.com in my browser I am on the website. But navigate I don't know how. I have tried it.
Thats what I meant with "navigate" to it. So you should be good. Adding the 1.1.1.1 to /etc/resolv.conf is just adding a DNS Server for your machine to reach out to, but I dont know why its telling you to do that. 1.1.1.1 is cloudflares DNS and that shouldn't be required
Well, I can change the file, but I don't know for what I need this. Because the next command is
gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt
But we don't use the file resolv.conf. I think so.
Okay, then I'll go on first. Thank you.
Can anyone PM me. I'm stuck on the final assessment for OS command injection and I feel like I've tried hundreds of payloads
AD Enumeration
Setting a Fake SPN.
Cmdlet input leads to a Constraint error?
English McTavish
@glacial hazel this is an English Only Server especially in these channels regarding academy
ik I said "we don't speak Chinese", and "Do you speak English?"
So committing changes is the issue. Just need to navigate around that I suppose
Just finished the Hard assessment for Attacking Common Services module and just got the flag through a file read. Just wondering if anyone else did it and got a full admin login?
would you say it's logical to ask someone that might not speak english, to speak it... in english?
It's logical that someone joining a discord server would read the #rules as well
But we know that doesn't happen
i guess you could have the same expectation that people would read the terms and conditions for any service they use... 0.
agree to disagree 
I’m having difficulty with the System Information section of Linux Fundamentals where I’m instructed to connect to a server via VPN, to then “SSH to with user ‘htb-student’ and password ‘HTB_@cademy_stdnt!’” but am not given an IP address, and when I try either localhost or the IP address of the VPN, the password is rejected
'spawn target'
I’ve already spawned the server and connected to it via VPN
That's... That's not how the VPN works my guy
The VPN connects you to the HTB academy network
I’m not provided with an IP address for ssh
The 'spawn target' button on the page should spawn it
It's under the launch pwnbox instance
Above the questions
That would be the IP you ssh to
Syntax: ssh username@ip
I’m currently connected. It shows “Connected to htb-kofngovuni.htb-cloud.com:1 (htb-ac-721223)”
That's your pwnbox instance
Not the target
Look at the page for Linux Fundamentals you're on. Above where the question is that contains credentials should be green text
That is unclear. I see now.
That is either an IP, or says 'spawn target'
How is it unclear? Please explain what is unclear?
Your explanation is clear
I meant getting to the point we're at now without assistance
The HTB explanation neglects a few key points
It... It really doesn't
Spawn interactive instance and spawn target seem very different of a thing to me
I would suggest the Getting Started Module
To get you familiar with the platform if it was really that unclear
hello i need a hint for the last nmap skill assessment 🙂
@distant turret
I also simply did a file read but I'm pretty sure you could dump a reverse shell payload into it as well
dm me if you still need help
Module: Windows Privilege Escalation
Section: Interacting with users
Question: Using the techniques in this section obtain the cleartext credentials for the SCCM_SVC user.
I've set up responder with the scf file placed in the open smb share but I am only able to get hashes from htb-student. I am not getting any hashes from SCCM_SVC
Yeah, I figured there was a way to write the payload, but couldn't think how to execute it
Hi!
What have I missed?
It returns the following:
```
(gdb) b *0x5555555551b0
Note: breakpoint 22 also set at pc 0x5555555551b0.
Breakpoint 23 at 0x5555555551b0
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/htb-student/octopus_checker
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program had started..
Attempting Connection
Breakpoint 22, 0x00005555555551b0 in SQLDriverConnect@plt ()
```
hi to everyone
can someone help me with a htb machine?
im so stuck on the scanning
i found some vulnerabilities but i cant do anything because i didnt find an exploit for them
thanks
(Sorry for my english level)
@nocturne geyser hello Gabriel, this is the thread for HTB academy, you might want to try the #boxes one for help with machines
Hello at https://academy.hackthebox.com/module/147/section/1639, I can't connect with RDP to the target machine. I get:
[13:27:11:307] [2170:2171] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[13:27:11:307] [2170:2171] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[13:27:11:307] [2170:2171] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
I have a question about Active directory enum and attacks - Privileged access
The first 2 questions ask about another user who has the CanPSRemote right. However, the Cypher queries only show the user forend. The PS command Get-NetLocalGroupMember also only returns this user. I am sure there is something here that I am not getting. Maybe some default account who can PSRemote but I cant find it in the module itself. Can someone pls point me in the right direction?
@flat minnow did u put the password in single quotes?
oh that was the case, many thanks
Hi, unfortunately not. It's just a very, very basic overview of GameHacking. Actually, it just talks a little bit about memory scanning / corruption with Cheat Engine. Thats it. I really hope they plan to improve this...
I have a question about the module "WHITEBOX PENTESTING 101: COMMAND INJECTION" (https://academy.hackthebox.com/module/48/section/434). I completed all the exercises and they went very smoothly, but the penultimate exercise did not progress because I passed something wrong in the body of the request, which must be the issue. The application in Node has two endpoints that receive JSON. Here are a few ways I've tried to pass code injection:
curl http://localhost:21440/ifconfig -X POST -d '{"iface":"eth0\;ls"}' -H 'Content-Type: application/json'
curl http://localhost:21440/ifconfig -X POST -d '{"iface":"eth0%3Bls"}' -H 'Content-Type: application/json'
Hello, if I subscribe to the Platinum offer for 1 month, do I receive 1000 cubes from the first day of the subscription? Thank you.
Yes
Hello, anyone who finished the Attacking Thick Client Applications from Attacking Common Applications module could help me please. I followed every step. When i run strings64.exe on the dumped file the output is very different from the exercise:
||```
PS C:\TOOLS\Strings> .\strings.exe C:\restart-service_00007FFBA2EE0000.bin
Strings v2.54 - Search for ANSI and Unicode strings in binary images.
Copyright (C) 1999-2021 Mark Russinovich
Sysinternals - www.sysinternals.com
wzW
L/Z
$I)B9
oleaut32.dll
advapi32.dll
ole32.dll
```||
And running de4dot.exe:
||```
PS C:> TOOLS\de4dot\de4dot.exe .\restart-service_00007FFBA2EE0000.bin
de4dot v3.1.41592.3405
WARNING: The file isn't a .NET PE file: C:\restart-service_00007FFBA2EE0000.bin
```||
PS: I have no idea what i am doing in this exercise, just following the steps. Open to DM!
Ok thanks, these subscriptions only give cubes right? No free access to any module?
Yes exactly
Remote Code Execution (RCE) via the Theme Editor
Attacking the WordPress Backend
while adding php code its getting error
You can then buy modules with the cubes.
You have to overwrite everything completely
Thank you for your answers 😉
dm
hello all, password attacks module, ......... section: Passwd, Shadow & Opasswd............ when trying to find the root password hash in /etc/shadow i get "will is not in the sudoers file"
check wills directory more
what is the difference between the blue and green color in ls -la?
@placid scaffold
help please 😦
Module: Windows Privilege Escalation
Section: Interacting with users
Question: Using the techniques in this section obtain the cleartext credentials for the SCCM_SVC user.
I've set up responder with the scf file placed in the open smb share but I am only able to get hashes from htb-student. I am not getting any hashes from SCCM_SVC
If someone have any doubt about any module dm me 🙂
hey, I just did the Web Service & API Attacks - Skills Assessment and I managed to get a shell and then get the flag inside the shell but without using sqli, can someone pls help me understand what is the intended way to do this skills assessment?
Did you complete all of them?
Please how do i solve this?
################################################################################
# EyeWitness #
################################################################################
# FortyNorth Security - https://www.fortynorthsecurity.com #
################################################################################
Starting Web Requests (7 Hosts)
Message: Can not connect to the Service geckodriver
Message: Can not connect to the Service geckodriver
blue are folders, green are executables?
Guys, I am working on the AD Enumeration and Attacks module on the Academy. The task is to do a Kerberoasting attack and find the hash of SAPService, crack it, then find what group in AD this user belongs to.
I confirmed the cracked creds are valid with psexec. So, for the second part, I tried using rpcclient with anonymous login, and cannot find a way to see which group (and there's like 100 of them) contains user SAPService or his RID. I have used querygroup hex_id, querygroupmem hex_id and a few groups pop up but they are not valid flags. Can anyone give me a nudge on this?
EDIT: Found it, || tool you use to request all tickets will show MemberOf column for each user. ||
no i have 27/75 completed
I'm not able to get the answer, can anyone share what's wrong here
I did not get an error
Not getting the answer as well
is all the information to complete the question in the Oracle section contained within that module or do I have to look further afield?
Are you asking me?
Are you running it through proxychains?
Nah
not through proxychains
Ahh, im not sure then. Maybe try re-installing? Or use an alternative tool.
eyewitness is hit or miss for me
I'm asking anyone
Hi all, can you give me a little hint on this flag please... Find left behind cleartext credentials for the iamtheadministrator domain admin account (windows privilege escalation first flag)
it doesn't matter i found it
did anyone complete the command injection module from HTB-Academy
hi noobs
@solemn slate hey can you check dm from me?
I can't figure out the oracle TNS section in footprinting, I am running the commands outlined with the tools but getting very little back. The other information online is pretty slim too, that I can find.
Does anyone have a hint?
Okay so worked now
odat is temperamental it seems
Well done, thanks for offering your assistance.
Hey guys
If you're running the commands shown you should get a username/password combination as shown
Nvm didn't see you got it. Discord split your messages
Could anyone help with HTTP Attacks Module?
Try to use what you learned in this section to steal the admin user's cookie via XSS. CRLF Section Http Response Splitting
Trying to document.location to the /?admin page to read log with cookie
hi, so with the Student monthly subscription plan I can access all modules up to tier 2 for 7$ if I'm a student so all the 28 modules for CPTS path will be accessible right?
Yes
so normally I'd have to pay 116$ for 1000 cubes to be able to unlock all the 28 modules which in total cost 1970 cubes for the pentester job role path?
The cost is estimated and doesn't calculate the cube refunds of completing modules
Yes
but still it's estimated to be 13x cheaper for students to purchase modules compared to non-students LOL
doing module 54 fuzzing with ffuf, and it requires you to fuzz the public htb site for the store, but twice now it has blacklisted my connection very early in the scan.
oic. Thanks for your response! I bought the module anyways hehe
probably because youre supposed to be fuzzing for the subdomain and not anything else
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.hackthebox.eu <<< thats not the command i was supposed to use?
yeah that looks reasonable (though should be https), not sure why you'd be blacklisted then
try it from the pwnbox if you haven't, might be more trusted
yeah strangely it just did the exact same thing for the skills assessment box, connected via vpn it runs ffuf fine for enumerating directories and php params but when i try to check for subdomains it crashed the scan 40 words in.
that suggests it may be a different issue
tried again, got back into the VPN and refreshed the assessment box to a new one. basic command ffuf -w wordlist:FUZZ -u FUZZ.academy.htb:PORT , and it gets exactly 40 words in before it starts counting the errors, gets to around 700 words and it drops down to a crawl. Try to open the machine's webpage: no route, and no outside access till i disconnect from vpn.
exact same command works fine via pwnbox, which is very annoying since i dont have vip so limited uses and i prefer to use my VM.
Can I dm someone about the Password Attacks, Reuse/Default Passwords section? I have all the potential users and the passwords that were possible, and it is still not working? I am at the point where I am wondering if something is wrong with my browser.
I have noticed that when it comes to DNS stuff, the pwnbox will work when a VPN connection just fails or gives the wrong results
That's the one with the SQL service yes? Look at the suggested default repo. Also not the updated one
But the one directly in the repo
ahh I was looking at the updated one I think... I was losing my mind lol
I did the same
how do I find the not updated version, all I see is the "update default creds cheat sheet.csv"
meh i got excited over nothing, the pwnbox doesnt get disconnected during the scan like my VM, but it still only gets 40 words into DNS/Vhost Fuzzing before it starts catching errors on all words. looks like i wont be able to finish this module.
Sec
It's in the DefaultCreds-Cheat-Sheet.csv that's there, yep it's still there
Remember it's just MySQL creds you're looking for
So there's only like 4
I had the wrong usernames the whole time
:)
Some of this module is fun, and then other parts... meh
Hey guys, I'm at this question right now in PasswordAttacks:
Examine the target and find out the password of the user Will. Then, submit the password as the answer.
And I can't get further... Tried using a mutated list of passwords from the one in the tip (both custom_rule from the zip and best64), normal password list, both users,... tried SSH, FTP, SMB,... Anyone that can help?
hi, I have a question about hackthebox academy subscriptions, once I buy the subscription plan does it expire 30 days after the purchase or does it work differently?
It should be the one from the resources including the password.list from the same list
It's a recurring subscription until you cancel it
contact support. But a little hint: its supremely guessable without fuzzing lol
its a bummer to not be able to complete it the proper way cause of infra changes but you can still finish the module anyways
you clearly understand the concept and what to do, just being cockblocked by htb site
Then after how many days does it recur
That was my exact question
can I DM you, don't want to give away too many spoilers
Iirc it's roughly 4 weeks or 30 days (looking at you February for fucking shit up)
Idk if this would matter but I used https
Sure DM me the screenshot of what you're trying
This isn't the place for starting point boxes. Please read #rules and #welcome. Modules specifically refer to the learning pages at https://academy.hackthebox.com
Once you read and follow instructions #starting-point should be available to you
"Next, add a DNS Server such as 1.1.1.1 to the /etc/resolv.conf file. We will target the domain inlanefreight.com, the website for a fictional freight and logistics company."
How would an example of this look in the resolv file?
resolv.conf is legit just your dns file. 1.1.1.1 is CloudFlare DNS
but in order to fuzz the subdomain i have to add it somewhere? like in the etc/hosts?
Inlanefreight.com is an external website
ohhh
It doesn't need to go in your etc hosts file
The hosts file is just for resolving internal domains
but then how do i run a subdomain fuzz for an IP
adding it in the etc/hosts file, right?
No
for this exercise you are not required to do subdomain fuzz
^
oh
just visit the IP address, and go from there
i reviewed the source code, fuzzed dirs, whatwebbed, robots.txt but can't find the flag
well, you are on a good track, however, read carefully
the hint is to read carefully
what am i missing? 🙂 i read everything twice but i tried everything
ohh
...
but the head was empty? doesn't the robots.txt have to be in there?
ty
have a question on password attacks/PTH section. I solved the final question where it was asking us to reverse shell with julio. I started to wonder if I could use David's hash to do the same reverse shell but it didn't work. So I'm thinking that David doesn't have access to DC01. My question is, how do I quickly determine which accounts do or don't have access to DC01. Is there something in the mimikatz hash dump that would have clued me into knowing that Julio has access but David doesn't? Thanks.
Iirc something with mimikatz should tell you, can't recall what though
I've just completed the Footprinting Labs, and I feel that the Hard and Medium should swap places. Medium kicked my butt
but I did learn a bunch.
Working on using ffuf for parameter fuzzing and am getting only errors from ffuf. I added the Ip address without port to /etc/hosts but ffuf just tells me there's errors for every scan.
Any and all help appreciated.
That tends to be the case for a lot of the labs
is there a specific place i should go with help or questions for the labs?
Ok, so no errors this time but absolutely no results or output.
Right here if you're meaning the labs on https://academy.hackthebox.com if you're referring to the prolabs, refer to #rules and #welcome
You're filtering for a response size of 50, you're sure that's correct?
I actually don't know what size to filter for. I was using numbers from 0-1000 there and getting the same results.
I just noticed that apparently I shouldn't have the admin/admin.php at the end of the ip address, which is EXTREMELY confusing since the first thing that particular page says is "we discover an admin/admin.php page" and I logically assume that needs to be part of what I'm fuzzing for.
either way, I got the scan to work, but the size for everything is 986
I'm doing the documentation and reporting practice lab for the pentesting path, it is asking me to get the contents of flag.txt on the DC01 desktop. I was able to connect to an administrator desktop at 172.16.5.130 and another user at 172.16.5.200 but am not finding what I need. I've also tried to run the Get-ADUser command and it just won't work. Am I going in the right direction?
I've also had problems attempting to crack the hashes supplied in the obsidian notes. Every time I attempt to crack it with hashcat, it tells me that my separator is unmatched. It is a NTLMv2 hash so my command looks as follows: hashcat -m 5600 /home/htb-student/plaintext.txt /usr/share/wordlists/rockyou.txt
so in the previous example, I had to use the ip address..
In THIS one, I have to use admin.academy.htb.
I feel like what I'm supposed to be doing in these modules is never ever clear.
like, what am I missing that indicates whether I should be using an IP or URL in these. Also, shouldn't the results be the same???
@lunar wing Sometimes a webserver can be hosting multiple websites on the same IP address but utilizing different domain names for each website. This is why sometimes you must use different domain names (admin.academy.htb is a sub domain) to reach different target websites. I recommend you continue studying DNS basics and DNS enumeration.
Thanks for the reply. I am on HTB Academy to try and learn these, but I constantly feel like I'm lacking something I can't get from these modules: background information on networks, protocol, etc. I'm in the basic toolset path, which I thought was the place to start, but I guess I'm in the wrong one?
I've done codecademy modules about networks, hacking, and network essentials, but I still don't have the knowledge I need. Any and all resources to go and learn (I already have HTB Academy, HTB Labs, and Codecademy) would really be appreciated.
No worries this is a process. The challenges you run into in the modules are most certainly going to help you spot areas for growth. None of us know everything and we all have room to learn. If you consider yourself an absolute beginner I recommend you start with the Information Security Foundations path on HTB Academy but keep doing what you are doing by reaching out here in the Discord. https://academy.hackthebox.com/path/preview/information-security-foundations
What module are you stuck on now?
it's sort of a whole different skillset doing things practically and learning the theory of it
also is there a fix for this or do I reset lol
C:\tools>Rubeus.exe ptt /ticket:julio.kirbi
[*] Action: Import Ticket
[X] Error 1398 running LsaLookupAuthenticationPackage (ProtocalStatus): There is a time and/or date difference between the client and server
Reset maybe
I made it to the next part of ffuf, but I'm going to do that foundations skills path first. Come back to basic skills later on.
I'll also do the other "easy" path I found: Cracking into HTB.
Thanks so much for the help and guidance.
Anytime! Feel free to reach out anytime you get stuck but always try to do as much as you can think of in that moment.
Takes time, I remember my first boxes I did, I would follow walkthroughs and think how do people remember all of this. After a while things become muscle memory.
My problem now is on harder boxes I instantly think it has to be something complicated and don't keep it simple.
Me too. I remember back when I was first starting to learn hacking I could barely complete a box with a writeup lol. Back then I didn't understand reverse shells well so those one-liners looked like gibberish to me.
Anyone have any tips or suggestions for the last question in the Attack Tuning section of SQLMap Essentials? I've been stuck on this for a couple of days and none of my attempts result in the flag.
Hi!! I'm having problems connecting to a Hack The Box machine, in 'LLMNR/NBT-NS Poisoning - from Windows' from the Active Directory Enumeration & Attacks. Either xfreerdp (xfreerdp /v:IP /u:htb-student /p:Academy_student_AD!) or rdesktop (rdesktop -u 'htb-student' IP -p 'Academy_student_AD!') is not working (I'm connected to the VPN)... Can someone help me?
I'm trying to figure out the foothold for the File Upload Attacks Skills Assessment. I'm completely lost. Anyone available for a DM?
hey team, I'm currently on the pivoting and tunneling skills assessment and trying to ping sweep on the pivot host with msf and I'm getting spammed out with this error, does anyone know a way round this?
Can I get some help on AD Enumeration & Attacks - Skills Assessment Part II?
Question 6: Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file? - can't seem to locate it. I've enumerated M*** and S**** and even the DC, but no love...
Have you tried running ifconfig on the web server?
yeah, my situation improved after updating metasploit and i was able to find the next host, thanks
Have you tried using Find-DomainShare?
What's the error you're getting
What module are you doing?
Beginner question: when I am trying to setup a reverse shell, is the IP address that I'm entering in the bash commands my IP or the target IP?
Hello, stuck on Attacking Common Services - hard lab
on the final question, I'm logged into MSSQL as Fiona, impersonating John and trying to send commands to the linked server but unable to make much progress from here, any tips?
figured it out, I'm dumb
Executing the revshell in bash, it will be your IP
So I'm confused trying to figure out how to set up the shell, I create the netcat listener, then I type in the bash command but I'm getting a connection refused?
Step 1: set up a listener on your system nc -lvnp $port where $port can be any port number >1024
Step 2: execute the callback on the target somehow
What module are you doing?
I'm on the Privilege Escalation lesson of Getting Started. I think I just realized the problem, I'm trying to send the reverse shell from myself to myself, I need to use an exploit to gain control of the target first right?
And what does your revshell command look like {put the command between backticks `}
Yes
any Turks here?
Hi everyone, I'm on the "AD Enumeration & Attacks - Skills Assessment Part I" and trying to use BloodHound, without success. I have tried using the sharphound.exe ingestor from the Parrot box, occasionally the .ps1, tried using the latest sharphound.exe from github, tried using the version installed on my machine, still getting "bloodhound file created from incompatible collector". What am I doing wrong?
Also tried using the v4.0.3 as suggested here in a few channels, no success either.
I didn't have any issues with BH with my own vm. Maybe try running bloodhound.py from your attack host?
I did try, I'm probably doing something wrong but I didn't have any issue during the course itself with the provided BH and SH
Alright, if that can help anyone else, turns out the zip archive was the webshell and not the file, submitting just the filename and clicking the download button downloads the HTML page instead, so it needs the full path.
Ty. It’s been a while since I finished setting things up, but I’m finding helpful posts here that answer my questions. Things have been going smoother since I started SSHing directly from my computer (while on HTB’s VPN) instead of from the virtual instance
VM is de wey
a
Sometimes the wording of the submitted questions throws me for a loop.
There was one about finding "listening services" but the wording of the task included the confusing phrase "Not on localhost and IPv4 only." Is "not" modifying the phrase "on localhost and IPv4"? Or should it be read as "include IPv4 and exclude localhost"? If the latter, why not just phrase the task as "How many services are listening on the target system on all interfaces? (only IPv4)"? This implies that all non-IPv4 are excluded (including localhost and IPv6)
I just spent a semester symbolizing English sentences into first and second order predicate calculus, so I’m fairly rigorous in my parsing of the logical structure of sentences
I'm working on the SQLMap Essentials module and running into an issue with the Advanced Database Enumeration section. The first question regarding getting the column containing "style". I've run every possible iteration of the --schema switch in the command and it either times out due to the 89 minutes running out, or it just gives an error that nothing injectable was found. Anyone have any hints on this one?
My current command looks like this sqlmap -u "http://IP_Address:PORT/?id=1" --schema --dbms=mysql --level=5 --risk=3 --random-agent
are you SQL querying? What does the tool you're using do?
(g2g, but read your stderr, if any, or use --verbose or equivalent)
I ran into a Constraint violation due to a \ instead of a / in WinAD Enum
What I'm trying to do is get the schema of the db so that I can answer the question.
I dunno, I'm just a guy. Try modifying your command w/ args. or man sqlmap if avail
Command 💉 defeated ✅️
Quite the adventure..
Could spend days finding the right command string to use
when I am trying to save my nano file I am getting an error
[ Error writing /etc/hosts: Permission denied ]
I have seen that I have different accounts for academy and app. Would it be better if I had only one account?
No, that time I was not root; after that I tried with sudo
I’m facing a problem with the burp intruder question in “using web proxies” module
I've found the flag in /admin/*.html but it's somehow wrong
nvm it was just a stupid space at the beginning of the answer
yep, found them all, just can't find the file with the connection string. --update i found it, THANKS!
I'm at the final section of the getting started module for the red teaming. But I can't figure out the privilege escalation. I don't want the solution, just a slight hint. I've used the scripts but they don't rly help me, I found the sudo -l thing but that points to a symlink which I can't seem to modify in any way
hi, is anyone able to give a hint for Footprinting Lab - Hard
there are a couple of services that I can't get any response out of but then all the main ones that I can interact with seem to require credentials which I don't have
should I be trying to bruteforce one of the known services? digging deeper into the mystery UDP ports, or have I just missed something 😦
been banging my head against this for hours
||hey wsp yall||
Hello! How can I do privilege escalation if the user is in the sudo group but I don't have the password? Any tip?
NVM I GOT IT MYSELF
Thank you!
enumerate a username from a service,
pm me if u need more
I'm currently stuck at linux privilege escalation skill assessment, if someone has done it recently and can give me a hint it will be appreciated. I'm on the fourth flag,
hi, I'm currently learning the Containerization module on Linux Fundamentals, and I'm trying to run this script but why did I get this result?
Because you're not meant to use "bash" to run the dockerfile
You use docker run to use a dockerfile
helolo
yea use docker run if u wanna use a docker file
Yeah I was replying to peepsqueak
fr totally non-suspicious link.
Ah! I forgot what to ask ..
lemme THINK
yeah found it ..
what are some basic things for me to get into hacking?
I already know coding in some languages.
Anyone? ||UwU||
Thank you, a Helping Angel!
should i build the image first?
Hi, when using hashcat I get driver errors for opencl (I don't have it installed) but when I use the opencl-mesa I get a warning it's unstable, and when I --force, well, computer kinda hangs. I got a 7700 with 16g ddr5 if that helps. any ideas?
scrap that
I used the pocl package and it works flawlessly
open source ftw
Using the docker file would build the image.
When doing the "Try to access the emails on the IMAP server and submit the flag", without using ||an email client like evolution|| what would the appropriate command be using ||openssl||? I listed out the directory contents, but unsure how I would have connected to the folder ||dev.department.int||. I got the flag but only by utilizing a ||gui mail client||
So I'm doing the hashcat part in the IPMI footprinting module. It says it will take 1 day to go over everything... I am willing to wait, but I doubt that was the intention. Did I miss something?
Skills Assessment - WordPress Obtain a shell on the system and submit the contents of the flag in the /home/erika directory.
I found the etc/passwd file through LFI
but not able to make other cmd
afaik you must do all the modules in order to do the test
it's written with the sub
check for yourself I don't fully remember
any suggestions to my question?
Most of the password-cracking in the academy has the password near the beginning of rockyou.txt. If it takes longer than 5 minutes, you probably have something wrong. This is only really not true in the password mutation section of the password attacks module.
hi, can I connect to the hackthebox academy VPN and pwn the boxes through a VM or do I have to use the browser instance in module Getting Started and section Public exploits? there's no vpn file to download.
You can use a VPN. Check your account settings (top right).
Yes. I'm not sure what OS / VM you're using. But as @proud pine stated, most HTB crackable content can be done with the rockyou.txt list.
If you're using a distro like Parrot or Kali, you can probably find rockyou.txt with locate rockyou.txt.
If not, it's in this repo https://github.com/danielmiessler/SecLists
Specifically here (you'll have to unzip it): https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz
So the hashcat mention is purely... academic?
I tried downloading the vpn again and restarting the machine but ping scan still shows that the host is down but I can open the website
Public exploit is like that on purpose
I tried with tcp vpn connection file too
You're meant to enumerate it a different way than nmap
I couldn't connect to web enumeration section too
Is the target given to you given in IP:port?
y
Then visit the webpage using http://ip:port/
And using other web enum techniques, your format would include the port
I just started academy, and I'm working on the kerberos module... what is up with all of the disconnects from the web terminal to the rdp session? I continually lose connections to it for the constrained delegation module, and it feels like something htb is aware of because there's a note of "If you lose connection to the machine, try again in 2 or 3 minutes." I keep a connection for around 45 seconds and then it disconnects...
Quick question regarding the Public Exploit lesson on Getting Started: I'm practicing the process and am trying to connect to the page of the target to identify the plug-in, but every way that I can think of viewing the page I get a connection time out. Any thoughts on what I may be doing wrong?
Try switching from UDP to TCP vpn download
http://IP:port
It should give you a (public) ip along with a port
Switching to the TCP and typing IP:port instead of IP/port did the trick, thank you
ye
Thanks! it appears to be more stable using my vpn instead of pwnbox
Yes and you WILL encounter errors if you have both pwnbox and VM connected to VPN
That's exactly what I'm talking about