#modules
uhhhh is this server even for hacking or real?
Guys idk why i cant download my prolab vpn anymore, it say to turn off active machine before, but i dont have any ON machine
Read the #rules then you know what this is all about
any way to fix my problem ?
Please reach out support
issue resolved thx 
Slowly users will now be able to spawn the academy targets and pwnbox.
If anyone gets stuck at the imap part in the footprinting module, https://www.atmail.com/blog/imap-commands/ helped me a lot
Saw some people that did it with gui, but I managed to do it in terminal
did you read my mind?
You're doing it now?
On the hard challenge
and have been beating my head against the wall
this might be it
Ah alright, good luck!
I've been recommending this to people too. If it's not already in the section, maybe write an erratum suggesting to add it
is the academy working already?
it should be
Hi everyone, just to know, is there a module specially dedicated to python programming?
go to the modules
and search python
or literally just google python htb
Hi guys, I've just joined this server. I'm stuck with something while doing Oopsie in Starting Point. Can I ask the question here?
Thanks
yea
i think the doubts for that is #starting-point
#starting-point would be the appropriate channel
Thank you guys
u also have the write-ups to check it
ok so for attacking domain trusts, extrasids attack
i need to have DCSync ACL enabled ?
or i did not understand it good
it says compromising child domain, what do they mean by compromising? having local admin or?
just wanna make sure i understand it
Anyone able to help me out with password mutations exercise for "sam" user ? tried ftp instead of ssh with hydra, also filtered my list down to 8 character + passwords - still this mutated list is not coming back with anything after 30 mins..
Module Using CrackMapExec
Section Command Execution
Q. Copy the file named julio_keys from the target Administrator's desktop and authenticate using the file with SSH. Submit the flag in Julio's desktop.
im using this command to download the file
crackmapexec smb 10.129.204.178 -u administrator -p 'AnotherC0mpl3xP4$$' --local-auth --get-file "c:\Users\administrator\Desktop\julio_keys" /tmp/julio_keys
getting error
[-] Error reading file C$: SMB SessionError: STATUS_OBJECT_NAME_INVALID(The object name is invalid.)
Why it didnt work?
Also which ip im going to ssh into?
I have looked into the content of the key and made a id_rsa but cant login via ssh
You need to escape the slash, e.g. double slashes will work
that didnt work
removal of the c: is necessary as well
I can look into the file like this
it will drop you in the C: directory, from there you can navigate to the key without specifying (C:)
ok it worked thanks
I almost press send to this
now for the stupid question.. how do I login via ssh :skull:
Almost xD
can anyone give me a hint please 🥲
someone could help me with Documentation & Reporting Practice Lab ?

Which module/section is that?
yeah domain compromise usually means having Domain Admin rights or something similar
Under Password Attacks -> Remote Password Attacks -> Password Mutations
don't have notes on it but from what I remember it does indeed take a bit. so increasing threads may be helpful and choosing the fastest service
Tried it & targeted FTP so it was quicker, threads set to 64 - given the resources I mutated the original password list where strings were 8 characters or above - mutated with the rules provided - ran for 5 hours and no hits..
ugh it should be doable within 20min for sure. Feel free to dm me, I can run through it later and try to help with debugging
Are you using RSA Encryption
No
What is FTP?
What is it? What is this software? What are you doing?
this is a NSA level tool. used for various things. you can brute force , type in other peoples computer and get peoples password
Hey dudes, I am interested in doing the Academy content, any suggestions on how to get started? I have some background knowledge on many topics. Would you recommend Penetration Tester path on Academy?
How this "brute force" works?
Both Penetration testing path and bug bounty path is good.
I have some knowledge about a lot of the topics hackthebox covered. But the moment I started studying the modules I understood how little I know. HTB goes in depth in everything they teach. @tepid hemlock
Can save a message here?
Have you by any chance done THM content? How would you compare the two?
I am currently doing it and I dunno, I feel like it has a bit too much hand holding which gives a bit of a false sense of success
@foggy light Why do you using this NSA? Are coding for something? What were that software?
I did a lot of THM, last december i was around rank 9000.
Both of them have different flavor. While THM helps you a lot , HTB wants you to try hard. You can use discord to discuss if you have issues but mods here still will motivate you to solve it by yourself by giving you hint first. So again different flavor.
IMO if you want in-depth knowledge htb is the way to go
yea, a little bit of sweating is what I believe promotes learning and makes it interesting
You say both paths are good, have you done from both or maybe completed both?
and as a last question. If I want to the Pentest path, which pricing model should I go with? I do wish HTB Academy had similar pricing to THM (one price, access to all) but maybe this way it is easier to be dedicated to one path
IMO bug bounty path is relatively easier than Pentest path.
But both focus on different things. I have both of the certification , if you like web app pentesting start with bug bounty path
I was thinking bug bounty was "easier" to use on Freelancer type gigs, like Hacker1 where as pentester seems more suited if you want a fulltime job
I mean, easier to practice in real life with bug bounty programs
HTB is different. Again htb wants you to try your best, if you cant solve something try again and again.
after you complete module you get cubes back. This forces you to finish modules and not module hopping if you cant solve something.
I dont agree. they are related. Like if you 100% complete Bug bounty path you will complete around 50% of pentester path.
The skills you gain from bug bounty path can be used in other sectors. Its not limited to bug bounty.
Although the name is bug bounty its more like web app pentesting path.
Both paths look very interesting
Spider hat when???
Will i learn how to encrypt too?
But yea, just start googling/reading for the topics you are interested in
Maybe check Academy for modules related to your learning needs
But it has things a lot. I don't know how can i begin.
Check the link Lieke sent
Is try hack me free?
no idea. I paid 14 dollars try go to their website and see what you get for free and what is paid
And how about Hack the Box?
I think Active machines are free to hack
retired content and academy is paid I believe
has a bunch of free stuff too but getting premium there is certainly helpful
hii, I am doing the WINDOWS PRIVILEGE ESCALATION module.
Whenever I add my user to the admin group, I can see I added it successfully but I can't read the flags. Then I redo all and get a shell back to read it.
So just out of curiosity is this normal?
Give me some example of free stuff.
I have no idea what's free there. just sign up and look around a bit
the fundamental stuff is free pretty sure
Which module and question?
What have you tried so far?
You may also DM me so you don't spoil anything.
@snow lion I know u are surely a kid, but this is not the right server to troll. (just for ur safety and ur family)
I dm'd you.
u have to enumerate subdomains of subdomains
ok guys idk why this is not working. im on AD enum and attacks, Attacking domain trusts cross forest abuse from linux
i got user and password of domain admin
but can not connect to it
yea same to me
u doing the same thing?
its the last question
"Log in to the ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL Domain Controller using the Domain Admin account password submitted for question #2 and submit the contents of the flag.txt file on the Administrator desktop. "
i was finna leave the office after this
but got stuck on this for the last 30mins xd
myb even less but...
did you text the support or?
i found out rn
did u find the ip of the dc03?
cuz we have to
but idk how to lol
ah no im stuck here
it doesnt let me ssh to 172.16.5.225 with that creds
u got this? @naive field
its not 225
check /etc/hosts
its ||172.16.5.238||
but still not working for me
did u get it?
yea lol
are u sshing from the powershell/cmd?
wait what module are u
aka windows host
yea
what does it say
permission denied
cross forest trust abuse from linux
badd pass
u need to type in the password
pasting wont work
oh u are 3 sections above me
i was dsync 2 days ago
but yeah idk why this is not workingg
got it, was supposed to use user without the INLANEFREIGHT.LOCAL domain
someone help me with documentation and reporting practice lab :{
.
Active Directory Enumeration & Attacks
AD Enumeration & Attacks - Skills Assessment Part I
https://academy.hackthebox.com/module/143/section/1278
Have been stuck at question 4 all day.
Submit the contents of the flag.txt file on the Administrator desktop on MS01
So:
- || I've tried to use the gathered credentials everywhere. I know this svc_sql user has SQLAdmin rights over SQL01, but I couldn't seem to get anything out of it. ||
- || I believe this domain is also vulnerable to PetitPotam, but with the port forwarding, I wasn't able to get a connection back to my relay. ||
Those are my main 2 ways of thinking right now. I seem to have exhausted all the rest I had in mind. Any help is greatly appreciated!
I'm in AD Enumeration & Attacks - Skills Assessment Part I
I got a Windows reverse shell , but I'm having issues while running mimikatz can anyone help?
linpeas u mean?
Could you help me out with my question? #modules message
we all doing the same module lol
you're ahead of me. im on question 3
did you use mimikatz for question 3?
Oh, let me help you then! I didn't use mimikatz
i need to do privilege escalation for "cat flag.txt"
and also in root directory i need do that
there are alot of services and im confused
Dm if you'd like
i mean AD enumeration & attacks
hm
wdym
u can use linpeas or just enumerate what u learnt in the section manually
i cant install it into ssh
transfer it
i know basics already
before start looking for privesc modules
u dont know transfer files
hm
It's called a path for a reason lol
hm
in the school they teach hacking now?
that is good
oh im spanish
here they still dont even know what is hacking -.-
Ahh that looks more along the Cbbh path
Active Directory Enumeration & Attacks
AD Enumeration & Attacks - Skills Assessment Part I
https://academy.hackthebox.com/module/143/section/1278
Submit the contents of the flag.txt file on the Administrator desktop on MS01
Does anyone know why BloodHound does not show this access? It seems like something that should totally be shown...
I missed this, but not sure what to add to my methodology not to miss this in the future...
Not sure if it helps but i did a zip file with sharphound
and uploaded it to bloodhound
Did it show the access of that user over that computer?
but i didnt check if ms01 was there
Because for me it doesn't
i havent done the skill assessment yet
but i used sharphound with bloodhound to complete 2 sections
what tool did you use to extract the ticket for kerberoasting?
Rubeus
@blazing crypt try .\sharphound.exe -c all --zipfilename whatever
and check if it appears
It's not getting the data in BloodHound that's the problem. That all worked fine.
It's that a specific edge is not in there that should be there and I don't know why. Seems to be the case for everyone
But thanks for trying to help! Feel free to DM me once you did the SA
np then i dont know how to help
i think i can arrive to the skill assessment by tomorrow
is harder i think
cpts
the cpts include exploits and misconfigurations
the oscp had just exploits
but they updated the exam and i dont know if now they have included misconfigurations as well
I used to work with CryptoCat and he told me that if you can pass CPTS, then you can just take the OSCP with ease
Yet so little at the same time!
never stop learning
In the footprinting medium lab, I'm in the server management studio as admin, but where do I find the HTB user and pass? I've checked security-users in every database but i can't seem to find it
Is that the HTB one?
I heard that if you can do medium boxes without the biggest hassle then you should be able to pass OSCP too
Yeah and one time I was on a CTF team with Pink, so I trust everything he says

There is a table you can enumerate. Take a look at databases and draw conclusions from that
Anyone able to give some hints on Advanced SQL Injection Skill Assessment? I've got the ||email|| but its not working ||to reset the password||.
I must be absolutely stupid because I've been clicking +'s for 2 hours now to no avail
Start with databases.
Read the names of them. There's one that will certainly help you
I assume it must be in the master db, at least that's what the most logical would be if I read the descriptions from the mssql part of the course
So starting at the top. There's some standard DBs but I believe one of them sticks out a bit more
Yeah ||dbo.accounts|| stands out more to me
Wrong give me a sec
Well in the tables that is
I only see master model msdb and tempdb
It is accounts
Sorry
I was thinking of a different module
But yes you're close.
SQL GUI is just trash
And I wish they taught you basic enumeration with CLI in footprinting
It sure is, I have no clue how to get it lol
In accounts the only thing left to open is columns
You haven't checked tables?
Dbo.accounts is in tables
Yeah, master seems most logical to me
Literally found it in 3 seconds (knowing where to look in GUI)
🥲
Are you doing GUI or cli?
GUI
Ok
Those + and - are gonna make me cry
DM me a screenshot because you seem wildly lost
Lol
Because it sounds like you're digging down a rabbit hole
When the answer is right in front of you
Active Directory Enumeration & Attacks AD Enumeration & Attacks - Skills Assessment Part I on question 4 Submit the contents of the flag.txt file on the Administrator desktop on MS01. Im using chisel to tunnel and then rdp. im not sure what im doing wrong. I think im doing something wrong in proxychains.conf
module: ACTIVE DIRECTORY ENUMERATION & ATTACKS section:Kerberoasting - from Linux
when trying to run the attack it requests a password .... am confused what password do i need to enter
appreciate any help
Tip, do not filter your databases on accident
Hello, i need support about buying cubes in htb academy...
Contact support on the site using the green bubble on the bottom corner of the screen
someone more in the AD enumeration and attacks with problems with the xfreerdp?
i always need to retry multiple times to be able to use it
Hi, i need help please... In the module "File Transfers" --> Windows File Transfer Methods --> Second question. I have submit the content of the file and give me an error
So i have submit the md5 hash of the file as well
And error
what error
Footprinting module finished! Had a much better time on the hard lab compared to the medium lab
Now I can sleep in peace
Yeah I found the medium lab much harder than hard. heh
@naive field the flag is incorrect
check for spaces
at the beginning or at the end
of the flag
If you're using UDP VPN switch to TCP
Have you used the Footprinting-Wordlist provided in the resources ?
it still stays in black screen
i need to try it multiple times all time
Anyone here able to give some help with the WordPress - Discovery & Enumeration section in Attacking Common Applications? I can't seem to find any of the answers at all for this section.
Try remmina
Can I DM you for some hints on the skill assessment?
Sure!
@modern epoch sent you a friend request so I can dm.
Im kinda confused on the next steps for the Active Directory Enumeration and Attacks module, section "Privileged Access". We can't use a linux host to run mssqlclient.py since we are rdp'ed in and there seems to be an issue changing the settings using PowerUpSQL. Any recommendations around this?
am doing that exercises rn
would you want to dm me?
the rdp is too slow idk why
i havent could even log in with rdp yet
ah gotcha, i kept getting disconnected errors with powerupsql
Okay, still stuck on WordPress Discovery & Enumeration, but I have the last two answers and just need to find out how to get the flag for the first answer. I can't find it anywhere. Does anyone have a hint?
just make a tunnel to the target maybe?
to run mssqlclient.py
send the link
like with chisel?
Thank you.
what to do when target machine is going down?
Try with ||gobuster||, and one of the ||directory-lists from the word lists||.
Not really much you can do.
restart it
Report it in the help section if it keeps happening.
gotcha ill try it ty
just enumerate the directories
and one of them has the flag
I've looked through them, but I'll try again.
Try multiple locations
Okay, will do. Thank you both!
annoying it takes me 20 minute to be able to rdp
and am still getting black screen with rdp
- Have you used the wordlist in the resources page?
Okay, I'm stumped. Is the flag encrypted? I've tried decrypting the different cyphers that I've found but so far, nothing has the flag.
surely
have u done the first 2 questions with bloodhound?
no i did them manually
- There is a command shown in smtp module that allows you verify users. please look through module to find this. Once you have these two hints it is just a matter of enumerating through the usernames on the wordlist until find a name that matches.
they give u a linux machine
with mssqlclient and evil-winrm
i used different tools within the rdp session to find the other user
powershell, aduc, etc
did i look over that section?
it is at the beginning of the section
send the link
damn, that was hard
Is there some special tool that I should be using to get the flag for the WordPress Discovery & Enumeration section, or just the ones it shows you how to use?
have dmed you
is the ssh this really slow for everyone else?
for active directory enumeration and attacks - privilege access
lol
ive tried resetting the machine
i might end up doing that if this doesnt load in a few minutes
i reseted it
and worked fine
it was slow as well like 1h ago
when you ran the ssh command, did you have to use "-tt" at the end?
and im already us 2
no
hm
u mean for 172.16.5.225?
u have to write the password manually
htb-student:HTB_@cademy_stdnt!
and dont use clear in the ssh lol
i dont even get a prompt for a password
it just dies immediately
im just doing ssh htb-student@172.16.5.225
yes
no worries, thank you for the help tho
they are too slow since the kids finished the school
well gn is 4am here
For Attacking Common Services Hard, is the ||Home share supposed to be empty||?
Is there anyone that I could discuss about Broken Authentication module Predictable Reset Token section?
Are you sure nothing is hidden
stuck on it too
I was taking a look at the source code they provide on the section (not the python one) and it seems the app does not concatenate ||user+time||
but the Apache OpenMeeting: was about it
Yeah, that make sense, but I really tried hundreds of hundreds of tokens all being user+time and/or time+user.
i think we should use the snippet of php code provided in the section
but it doesn't work for me
it give me errors on $time
Worked on that yesterday. Pretty easy/simple to run it locally php -a. Define the vars and echo them
Came to the conclusion that it's possible to achieve the same md5 token with python. So now I'm working with python.
What I tried so far:
user+timestamp
user+timestamp_in_miliseconds
timestamp+user
timestamp_in_miliseconds+user
I've implemented the for loop in the timestamp, as HTB showed on their script.
At the beginning I thought that I had to find a way to recreate the token, we generate on the app, locally. But after reading all questions regarding this section, it seems that we just have to guess (brute force) the admin one. One of the reasons is because the exercise says that after +-1 second the admin token is generated. It doesn't say that it is gonna be invalidated after N seconds, so it seems we have to guess it.
eeem that's interesting I am gonna give it a try later
Sure! Lemme know if you get any news
Predictable Reset Token?
You have to calculate the tokens based on the displayed time. Each token you have to check against the website
Yep!
Alright! Done that. Countless times, but I'm still trying. Making some changes to my script.
user+displaytime ?
|| md5(Username+timestamp) ||
timestamp has 13 digits right?
||user+timestamp_in_miliseconds||
still can't get any answer 🥲
flag5 is easier than you think, don't over complicate things and you will get it
you are on the right path
¯\_(ツ)_/¯
poke around and find out
Morning Guys
i need a little bit of help here.. i've been stuck on this for weeks
ATTACKING COMMON APPLICATIONS ==> Exploiting Web Vulnerabilities in Thick-Client Applications
Yeah, got it. Had to upgrade the shell using a different python version.
Could I please DM you for some guidance on the Advanced SQL Injection module?
still can get the flag
|| user_name + str(timestamp_millisecond) ||
I tried a lot of time lol
For the time you have to take the time that the website displays
Then your script is not correct
i am not able to unlock any model, can someone help me
if i click unlock it just changes. the size
Do you have enough cubes?
sure, ask me
i have 60 cubes and its for 10
help me plz
Which module do you want to unlock?
any module unlock or not yet?
nope
linux
in the dashboard go modules -> all modules -> then click unlock button
ya
nothing is happing
Is target spawn down again?
any error message?
nope
Been trying in openvas skills assessment but it's been going for 5-10 mins now
try to logout and login again
done
also created different acc too
still
try to unlock "learning process" module
too strange
tried different browser too
mmm i'm sorry, but i don't know what is the problem
Try contacting support if issues are persistent
easiest way to find out if shit is borked is contact support ¯\_(ツ)_/¯
finally , one of the weirdest question in academy lol
modify the script to bruteforce on the range of 2 seconds , then generate time based on GMT epoch time in milliseconds
tbh I use chatgpt cuz I'm awful at py
no, believe me. There are other questions in the Academy... This question was logical. Not easy, but logical
I am really bad at scripting
Python is a lifesaver. It will help you a lot if you learn this language a little bit.
yeah , I started automated the boring stuff with python
ig I must go finish it
That actually wasn't that bad. But GPT certainly is a useful tool to get your barebones laid out
I feel bad , when I use AI for hacking
Why?
I don't see why. Its just another tool
Do you feel bad for using dirbuster, or wfuzz?
hi, I really could use an explanation as I'm banging my head against a wall here.
The last question in the Active Directory Enumeration is baffling to me: "Find the name of an account with a ServicePrincipalName set that is also a member of the Protected Users group".
have tried several times using:
Get-ADUser -Filter "adminCount -eq '1'" -Properties * | where servicePrincipalName -ne $null | select SamAccountName,MemberOf,ServicePrincipalName | fl
and it provides me w/ two accounts which definitely can't be those
the only search I was able to ask ChatGPT to come up with was:
Get-ADGroupMember -Identity "Protected Users"
I thought I needed to see ServicePrincipalName also, so I modified it to:
Get-ADGroupMember -Identity "Protected Users" | select SamAccountName,SID,ServicePrincipalName
but ServicePrincipalName is empty
can someone pls enlighten me? Thanks!
Yeah, i was able to get flag by 2:30 in the morning.
Hello please some one can tell me how to clear command line history
Yup, pretty much, works without sudo also
Footprinting -IMAP/POP3. I am stuck at getting (1).what is the customized version of the POP3 server (2).what is the admin email address (3).Try to access the emails on the IMAP server and submit the flag as the answer. I need the commands to get answers to this questions. I have been stuck for days on these.
- connect to the POP3 server
2/3) you can get both by reading the email. This section contains some useful commands but I googled and found more: #modules message
The other email option is using a client like evolution
The commands to connect are found on the page
history -c
I am doing the WINDOWS PRIVILEGE ESCALATION module.
Whenever I add my user to the admin group, I can see that I have added my self successfully but I can't read the flags.
So just out of curiosity is this normal?
To take over the rights, you must log out and then log in again
Use a different tool to connect to the POP3 server to banner grab (nc)
Thank you
im doing ad enum and attacks assement part 1 and i have the web shell, when trying to kerberos for single user i get this
kerberoast*
but in the above command you can see i added the .Net framework class to powershell session
is it maybe because i need to get a more stable shell than webshell?
i cant even get a more stable sheeelll
:(
im always getting errors, i tried like 10 diff payloads
lol i see this is not gonna be very fun :D
have you got
Windows Privilege Escalation
SeDebugPrivilege
Leverage SeDebugPrivilege rights and obtain the NTLM password hash for the sccm_svc account.
Eeuhm, the user we get given doesn't have that privilege? What kind of a weird lab is this? Is that intentional!
correct .NET framework
idk, how can i know that?
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse |
Get-ItemProperty -name Version -EA 0 |
Where-Object { $_.PSChildName -match '^(?!S)\p{L}'} |
Select-Object -Property PSChildName, Version
on powershell
unless you are on MacOS lol
no, its a powershell web shell xd
one moment
System.IdentityModel is in .NET Framework versions 3.0 and above.... soooo since you have the required versions installed its not that
try run this
on powershell now
this confirms that the System.IdentityModel assembly is available in GAC
@naive field
this will see if the assembly is successfully loaded and therefore you should be able to use the New-Object cmdlet for instances of types from the System.IdentityModel namespace, such as KerberosRequestorSecurityToken etc etc
i get no output from it
i've done it here too
maybe create an instance
to check
run some token
umm
lemme try create one
its been a while
? try this perhaps
lol
Sure dm me
Replace MSSQLSvc/SQLO1.inlanefreight.local:1433 with SPN for your SQL Server instance. Make sure the SPN is correctly formatted with the correct host and port information of what you have
does it work?
@naive field
sorry for ping lol
nono
still no luck?
i will try to get a more stable shell
oh okay lol
this is a webshell and i've been told by my friend that every command run in webshell is executed in its own process
so when i loaded the .net framework above it did run but not in my session...
oof
yeah probably just a shell issue
no worries. dm me if you still need help
cya
will do. thanks appreciate it
hey friends, at RDP and SOCKS Tunneling with SocksOverRDP, at the last step when i want to connect to jason at 172.16.6.155 it tells me at the login screen that domain isnt available
and proxifier give me this error (Microsoft.SharePoint.exe (8688) *64 - 127.8.0.1:443 error: Cannot connect to placeholder (fake) IP address. It's recommended to restart the client application.)
- Proxy server cannot establish a connection with the target - general SOCKS server failure
it was a local account
ohhhh, thanks
why hacking is too mixed
"9328/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
9999/tcp open abyss? syn-ack ttl 63"
i know how do connect ftp but how do we can connect to "unknown" service's and also like "abyss?" something's
[20:17:10:226] [1119287:1119288] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[20:17:10:227] [1119287:1119288] [ERROR][com.freerdp.core] - failed to connect to 10.129.91.118
Have a problem connecting with xfreerdp from my VMware fusion kali VM. I must state that i run kali on an M1 (ARM64 but little_endian) machine. Could be the problem, but could also be something trivial ... Ideas?
Module: Windows Fundamentals
Try enclosing your password in single quotes
Did all that - enclosing /u:'' and /p'' in single quotes. Must state that there seems to be a problem with the certificate. First time connecting I used quotes on all, and i got asked if I want to trust the Server certificate -> Answer Y . Now its like this
Try Remmina?
Ill try get a different IP Address maybe?
yeah ill check out the other client options, too. Gotta be on my way. Back later. Tnx 4 now
i feel like I am stupid lol
It's smart to use the right tools at the right moment.
Can i get a nudge in the right direction on password attacks medium? I am on the target with the first user and I found the service I am looking for but am now stuck. I don't want to say anything else and spoil, can I dm someone to see if I am in the right direction?
sure, dm me
Hey guys, I'm at the phishing part in the XSS module and I got the flag but not the way I was supposed to get it. (In fact I did, but I skipped a step because it didn't work) Can I DM someone to see what I did wrong? (the URL is +- the answer to this question so I want to do it in DM)
It helps if you ask your question
The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what is the request it is sending when we search, and use cURL to search for 'flag' and obtain the flag.
this is my question
i mean exercise
in üeb requests
get method
web requests
Provide module and chapter name, and which question
Please help with the command. I have been struggling on this.
Cracking into Hack the Box
HTTP Methods
GET
The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what is the request it is sending when we search, and use cURL to search for 'flag' and obtain the flag.
is there a general chat
Cracking into Hack the Box isn't a module....
where do i start hacking and stuff im into the basics first
learn basic's first
Knowledge of coding in relevant programming languages.
An understanding of computer networks, both wired and wireless.
Basic hardware knowledge.
Creative and analytical thinking abilities.
Database proficiency.
A solid foundation in information security principles.
hello alll
module ACTIVE DIRECTORY ENUMERATION & ATTACKS
section Kerberoasting - from Linux
when running GetUserSPNs.py it asks me for a password
which password do i have to use ...
1234
just tried it .... saying invalid credentials
because thats not the credentials..
don't bait people
hahah no worries, seriously though what credentials am i supposed to give it
you can fuck me up badly im scared of hackers

bro you sure as hell can't be scared of me ... am asking about the credentials of a basic tool in the industry
and ?
there is a server full of hackers 
Don't be a dick period
who what?

can't RDP into my password attacks module target after multiple restarts. any idea why?
Single quotes around the password
try ' password '
Also if you're curious what's going on, echo $$
can anyone help
with?
.
Haven't done this section been busy with life, sorry
Why does lazagne.exe close right after running on a windows target? I dont have any time to look at the results.
where you at in the path at the moment
You gotta put the password of the domain user which you have compromised.
noooo you helped me alot i don't want to get past you
¯\_(ツ)_/¯
am sshed into a user
I really can't make progress in the weekdays either lol
is it the password of that user
First question to ask yourself is
is that user a domain user?
How do you find out if a user is a domain user?
i think i break the lab
validate if your user is a domain user and then proceed.
that is some great questions
if you did get past then perhaps youd be able to return the favor down the line
i hope so
still no luck with ssh in the privileged access section on active directory enumeration and attacks
u still there?
the .5.225 from MS01
with powershell/cmd?
why u use tt
i get this error without it:
Pseudo-terminal will not be allocated because stdin is not a terminal.
and then just hangs
weird
i just spawn the target
connect with xfreerdp and i open powershell and i ssh to 172.16.5.225
no issue?
no
us 3
im gonna reset the vpn and reset the machine again
please help am stuck at this section
New machine came?
u should have his password
no luck again :/
Has a module ever changed tiers?
I'm looking at a few old tweets, and I'm under the impression that they have.
i rdp as htb-student, i then psremote onto ms01 as forend, then i try ssh as htb-student on .5.225
ssh htb-student@172.16.5.225
https://academy.hackthebox.com/module/143/section/1484 someone could help me with the 2nd question?
i dont get what i have to do
why are u connected as forend
RDP to with user "htb-student" and password "Academy_student_AD!"
right thats for initial access
once im on the machine, i psremote into ms01 as forend
ill just come back to it i guess, kinda frustrating but whatever
?
just xfreerdp and then ssh
ty for the help, i should read the notes much more carefully
i got it
Just to help others who's going or will go through Predictable Reset Tokens. Question 1 is not the kinda thing you get one shot one hit. I've been running the same script the whole day, the script that I first use to get the flag and is not working. Conclusion: you gotta keep running until you get it.
Well, that's at least what I've been experiencing.
sick question lol
Can't seem to get the correct brute-force on Skills Assessment - Website - Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside? - Brute-forcing module
If someone could sanity check here or dm, would be lovely
send the link please
I'm sorry?
what command did u try
Um, || hydra -L harry_username.txt -P harry.txt -u -f 144.126.230.162 -s 31679 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<title>Admin Panel - Login" -t 4 -I
||
Idek if this is right I was trying for like an hour or so and then just got back and trying again and read forums
are u stuck in the first or second question
second
I think the F=.....
is wrong
I had it different earlier and wasn't working, I can give that a change. I mean the whole point is it shouldn't show up on the actual page so
hello ppl, I'm struggling with the Password Attacks Lab - Medium. I've cracked the docx, got j**** creds for (i guess?) mysql service but it doesn't work and I'm not sure what to do next. Can somebody guide me a bit, please?
||:F=<form name='log-in'" ||
that is the right one
Yeah I haha I dunno
Maybe the history shows how the user logs in, perhaps the same login
I'll give this like 10min and see what happens
not too much sense to bruteforce the title lol
It's not bruteforcing the title, it's seeing if the title changes based on the next page that loads
which I figured it should
Also the sql service may only be interacted with internally
that's it , make you sure you use the right wordlist
oh true i didnt remember
if you mean dennis' bash history then I have no permission to access it and jason doesn't have history at all
I made one, it doesn't give one. I used cupp -I first,last,leet,special
i did it with rockyou.txt
oh word?
you have all the info needed to get to the next step ¯\_(ツ)_/¯
on the password mutation section of password attacks im only getting ~1500 words and other people are getting 60k plus
Why would you need another users bash history???
is there any reason for this?
Password.list and custom.rule from the resources button
yeah i did that
yea u not running the right command
^
or ur wordlists are wrong
The wordlist should be like 90k+ iirc
Also don't use the arbitrary custom.rule they give you as an example on the page
yeah i think ive got it now
thanks for the help @fathom pendant @zinc marsh
just use rockyou
I'm confused. you've mentioned looking up history but jason doesn't seem to have one. which history you mean then?
where are u stuck
Password Attacks lab medium
u have the creds for mysql u saying
you just have to access it from your foothold user
I'm sorry I'm not very fast, been a tiring day. I tried to ssh to jason and then run mysql but it doesn't allow me to. Was there another foothold user i missed?
i did that anyways
Okay, back to the web server brute force login, maybe I'm misunderstanding -- || Created username list using Harry and Potter. Created password list using cupp -i using First, Last, l33t, Numbers, and Special, then grepped out any missing those. Ran hydra -L harry_username.txt -P harry.txt -u -f 134.209.176.83 -s 32461 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='log-in'" -t 4 ---- From attack box and no luck. What am I missing here?||
don't use custom wordlist
Currently using rockyou, I tried rockyou when you suggested and no hits after 20min
use rockyou with what u found earlier "read hint"
restart everything and trying again
Okay, just to clarify this is on the Brute Forcing Logins - Skills Assessment - Website, I've been running rockyou and the cupp -i didn't work either, if someone could dm to clarify I would give you +1 Respect
?
but which module is dedicated to cryptography ?
there's no module with this name
eeem maybe they will release it later
which username did you use ?
This is the Skills Assessment of Login Brute Forcing, there is no resources.
I have a username of like 15 users generated from username anarchy
I followed like these exact steps as well as trying rockyou,
Sorry for ping friend
It's a completely separate module
There's not.
It's self-generated ones
Not exactly what this one's about it's different
Yup
Hello everyone. I have a question about STACK-BASED BUFFER OVERFLOWS ON WINDOWS X86. The fuzzing Parameters to be specific. I have a payload of length x , and I get the desired 41414141 at the eip
and when i generate payload x-1, I get 0D414141 in eip. I can't seem to find the right format for the answer. Any help will be appreciated. Thank you.
need a bit of a nudge in the File Upload Attacks (module/136/section/1290). In the Type Filters question I managed to successfully upload a web shell file with the following extension: ||testshell.phtml.gif%20 || with the following content:
||GIF8
<?php system($_REQUEST['cmd']); ?>||
but when I try to curl it or send a request through repeater I get nothing ... any suggestion/tips as to why?
i have problems RDPing to the remote machine 10.129.x.x for the AD enumeration and attacks module-specifically for the box at Internal Password Spraying -from Windows.
tried xfreerdp,remmina,rdesktop, evil-winrm, downloading the different vpn etc. and nothing works. i suspect it might be something that is at the end of HTB side. anyone faced this problem and have a solution please?
edit: I have also tried single quotes for password. When using evil-winrm as the last resort but failed, i have also include the -N flag in that attempt
any staff that could look into my module reset?
Can you tell me box name?
RDPing from the pwnbox seem to be working fine for me so maybe give that a try also the password don't have quote
your payload look good but for the extension i didn't use any % thing so that could be the issue, try with a different extension and if you still need help shoot me a dm
the answer format for that section is a number in the thousands so like 1000, 2000, etc...
Hi thanks and appreciate the quick reply; I had been working on my own distro so will try using the pwnbox when I returned from work later. also if you don't mind may i know which vpn you have tried successfully to login?(us academy 1,2,...,europe academy...)
hi, it is the box at the htbxacademy-AD Enumeration and Attacks Module-Internal Password Spraying from Windows section.
i haven't change my vpn for a while but i has been use eu 2
thanks so much! i give it a try later!
Attacking Common Applications - Exploiting Web Vulnerabilities in Thick-Client Applications
Performed the path traversal, and I see the .jar files which I need to download to the system and in the module, it says to use thick-client's open button to download the .jar file, but I don't think it's downloading and just viewing the jar in its console.
Was anybody able to download this?
Could any one help me how to find flag in the accessible directory in module Attacking Common Application's
Enumerate the host and find a flag.txt flag in an accessible directory.
run a directory a bruteforcing and see what directories you can move around in.
Hmm. How you can do that? I have found /wp-content, /wp-includes,
But check for all plugins i can not find anything
use tools like gobuster, ffuf
Can any one help with login brute force website assessment I've gotten four diff passwords
N none work
Could you reply message in DM ?
i got 240 positive hits with intruder and all had the %20 ... mind you I didn't complete the session to see all other combination but let me try around till I get frustrated ... in which case I will DM you. thanks
have you got any hint for my i log in with ssh but i couldn't find the password for mysql
obsidian has made learning a lot easier I suggest obsidian or something similar to everyone
I tried One Note but its very overwhelming to have a bunch of notes on one page
Yes! I also like it a lot, but coming from Cherry Tree I had to change the way I take/organize notes.
I wish I would have knew about it earlier though haha I have to go back to everything before password attacks and take notes
Saaaaame. Guess it will be a good review
i told u to read the hint
I obviously read the hint what do you mean
then why are u using a wordlist for the users
Which part of this says "Don't use a wordlist"
I'm stuck once again in the Password Attack Module at https://academy.hackthebox.com/module/147/section/1657 . I found the keytab file for the svc_workstations user and extracted the hash using keytabextract.py . But I can't seem to crack it. Neither by using rockyou.txt and hashcat or crackstation.net. Any idea how i could get the password out of this hash?
Was there a way to expert it?
export it* to like a file and use that is a input for SSH
or just try to su
i tried 😦 but it wants the password which i have to crack from the hash
What question did you stuck with ?
"Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory."
please remove the aes-256 hash
why? i did put it around as spoiler
It's still existing as anyone can look at it
oh alright, sorry
Schrodinger's Hash
A spoiler tag really doesn't do anything
thanks
It generally makes it stick out more for people looking to do the least work
and a hint, there is a hash that can be cracked using one of the two things you mentioned
Why you used AES-256 for cracking ?
you should find NTLM hash
the keytabextract tool only gave me a AES-256 hash
check the file(s) you are giving to the tool
With the AES256 or AES128 hash, we can forge our tickets using Rubeus or attempt to crack the hashes to obtain the plaintext password.
i gave it the svc_workstations.kt file
whats the point of giving him a tool that mostly works on windows for a linux pass the hash?
there are more
ill look for more files
It should give you NTLM hash not AES-256
Look for more files
found it thanks guys
Hello everyone, I'm working on the "limited file uploads" lab for the file upload attack module. I have a question: When I attempt to retrieve the SVG file that contains the XML at /images/xxe.svg , I receive an error message stating, "This XML file does not seem to contain any style information." Could someone provide me with a hint? Have a great day!
https://academy.hackthebox.com/module/147/section/1657 I'm stuck at the proxychains part. I tried going along the guide multiple times now but it still doesn't work. I always get "no valid proxy". What am I doing wrong?
no clue why the shell wont connect
like its a simple XML lab
have you execute chisel on your server ?
and in the victim's host ?
Have you uploaded SVG file and intercept the request ?
your shell has been collected by the IP ?
are you saying i need to add the address to the etc/hosts?
You just go the your http:<IP>:<PORT>/home/shell.php?cmd=? ?
No I meant if you have uploaded you shell into the victim's host. You just run by http://<IP>:<PORT>/home/shell.php?cmd=id
i mean the command you put looks like what i put, am i missing something?
like ik im obvi missing something very simple i just dont know what
do you mean like this? I still get same result :(
Nooo
i dumbbbb i sorrrry
Your command is right. But you need to go to the your browser and try http://<IP_Victim>:<PORT>/shell.php?cmd=id
ah
Try this
You hit the button "Send" and see the result
in the request in Burp Suite
no dice
Hmm. Your shell has been uploaded into the victim's host ?
dont think so
You need to upload again
the module is on a contact page, its supposed to be via altering the xml it seems
and now it works ?
you could be try with evil-winrm
same error
check your proxychains file
socks5 127.0.0.1 1080
and where did you initiate the port forwarding?
on the attack machine
can you show me what you did
have u executed chisel on both servers ?
yes
on the compromised RDP machine i ran c:\tools\chisel.exe client <myip>:8080 R:socks
If this SVG has been uploaded into server, you can check it in photo ))) and you'll see the flag
could it maybe be because the text in burp isnt green so its not technicaly doing what i want
The thing is, I don't see you explicitly initiating/mentioning the traffic for which port socks needs to use
Maybe this method doesn't always work properly. But i think you don't need to upload shell to solve this problem
can you send me the module link @rustic sage
yeah, i get the same result if i try using just filtering like it recommends in the hint tho, so im just like stuck
currently trying the things ive tried again
im at this point
"Setting the KRB5CCNAME Environment Variable"
Have you set the KRB5CCNAME ?
i tried. i have to set the variable in my root@linux01 machine right?
I think in your machine or not in root@linux01
now the server froze up again.........
good luck to u ))
you have to set variable on the machine where you're going to run impacket
ok
But, regardless, there's an issue with your proxychains not finding valid proxies in your config
yeah
you are stuck on question 8 right?
yes
"Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_)."
also no idea why tf there is a windows machine involved when the name of this section clearly say from linux but what is your main issue? (there isn't a third to pivot so you won't need chisel ) forgot about the Optional Exercises but still you don't need chisel for this
you can do 100% of this section on the given target machine
oh
well in that case im on root on the target machine
but i can't seem to find a kerberos ticket which should be used to connect to DC01\linux
I've not used chisel before tbh, I see in the module that they're integrating both chisel and proxychains for your attack host to reach ms01. I'm just wondering, how they both work with each other hmm
there is a part on this section that show you how to use find to find .keytab file and hint there is a .keytab file for that
to be honest im quite confused about the different tools
Active Directory Enumeration & Attacks
AD Enumeration & Attacks - Skills Assessment Part II
Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.
I feel like I've tried every common method I know. Any hint here?
ill look forward to it when this machine would start :/
when saying "weak credentials" does it remind you of any section showed on that module? hint go back to those section and try stuff from there
oh yeah the section seem to missing about the chisel tag
no idea if this is an issue for an old default chisel thing
Wow, thanks. I got it now. Don't like that one bit
"Guess the password"
same 🤣
even for ctf that suck ass
nvm for me
when you get the chance @rustic sage can you try giving
on attack machine chisel server --socks5 --reverse
on victim machine: chisel client <snip> R:1080:socks
then try proxychains
let me try it out
yes
yep and maybe too much spoiler even with the spoiler tag (for mod)
try it
deleted
you can just remove the spoiler part but that work i guess 🤣
the machines keytab is usually present in that location. They mention it in the module itself
let me know if it works. I'm curious
nope still the same error as above :/
🤧
Has anyone successfully solved Remote Code Execution from the Blind SQL Injection module?
I know most of the payload works because I get callbacks to download nc.exe
Not sure why my reverse shell is doing nothing though
try ||kinit||
yeah the question clearly say LINUX01$ not with that domain like the reset of the user (on that linux machine)
oh
anyone can help in the footprinting module?
how do i go on?
i do have the right keytab file right?
ohhh wait
think i got it
look at the example and just read the goddam flag will y'all
sure and http://dontasktoask.com/
haha ok
im really confused with the system , i entered sqlplus using scott and tiger
and this is the question : Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer.
still stuck on the Web Attacks module Local File Disclosure section?
i just cant find my way to the right table
im really confused
i know its simple but its stuck
funny enough this section is the only section that i loss my note for that whole module so a bit later if i can re-do that from scratch i'll send you a dm?
naw i got it for that one
i dont see the flag in the example 😦
i sent a message to staff about another thing im stuck on and im just gonna wait to hear back for that one
the section is for what to do next you have to find the flag
which section is this?
oracle Tns @vital adder
Sure thing
but where
if u could hint me or give me the steps i would really appreciate it @vital adder
sure sorry for the wait i was double checking some stuff but hint if you have login check the example show under ||Oracle RDBMS - Extract Password Hashes|| and following something like that
give me the link to this exe
did you access the smb share?
yes
and there is no flag?
thanks guys forreal much appreciate what ur doing
also just to make sure you access \\DC01\linux01 like in the question said right?
try without -no-pass
