#modules
The .htb domain is local, it has to be associated with a target IP address in the /etc/hosts
The .com domain is public
Each subdomain can be configured as a separate zone.
You can work according to the exclusion principle.
Is www a zone or a host? Presumably it is a web server and therefore a host.
No, you can also have an authoritative server that does the name resolution.
In this lesson you have an authoritative server, you do not need the hosts file
wha
Oh ok, I am not sure what module they are on, maybe "Info Gathering - Web Edition"? If that's the one, I have not done that yet.. but from all the other modules where I have dealt with .htb domain it was local, there was no authoritative server
I am so confused right now
Yes
Its like that
I have to have it in the /etc/hosts file
no, just ask the Target Server
dig example.com @targetip
What is the name of the module you are doing right now?
dig not nslookup 😉
Yeah, as I thought
Active subdomain enumeration
I haven't completed that one yet
So basically by just looking at it I can only take an educated guess as to it being a subdomain or a zone? Also does subdomain equal host? I'd assume it can be more complicated than that
There are no TXT records lmao
If you have found a subdomain which could be a zone, check if there is a NameServer for it.
dig NS zone.example.com
Each zone has an SOA entry and a NameServer, which is responsible for the zone.
Aaaaaaa
Omah
Omah the course said it too
Are different DNS records like different DNS zones?
I'm doing it right now, maybe I caught you from behind, I think I am at the same question as you
Alright, thanks. That's what I had already picked up but was wondering if there was clear distinction by just looking at it
Click on the Hint button, it helps you.. or if you prefer I can tell you what the hint is: "One of the existing zones contains a TXT record."
Which means it's not that specific domain, you have to dig for the zones you have found in the previous answer
I'm speedrunning this module
Aaaaa
I found it
Thanks
I am proud of the one liner script i made
Yet i feel it was very simple lol
Good luck man, I feel I understand domains way better after this question xd
Just completed it
I haven't read through all the things though, just done the flags so I will have to revisit it later on to see if I've missed something I didn't knew
ah, nice 
I'm stuck in the Linux Privilege Escalation module: section sudo, "Escalate the privileges and submit the contents of flag.txt as the answer." Can someone plz help?
I tried using the command ||sudo -u#-1 /bin/ncdu|| but it only launches the ncdu program. It doesn't give me any root shell
type ? for help in this Software
You are on the right track
I feel so incredibly stupid!😅 THanks! man
please I'm stuck at footprinting oracle tns the odat tool didn't give any usernames how do I login to target server?
See sqlplus section
I’m running out of ideas at the Hard Footprinting Lab in the Footprinting module. Does anyone here have a pointer? Feel free to DM and/or bash my notes.
Free to dm me
sqlplus needs password for the dbsnmp user how do i get password
the user and the password are mentioned as far as I remember in the section material
I'm a dumbass for not taking note of the default creds of dbsnmp lol but now I've run into a new problem, I can't login cuz of error "ERROR:
ORA-12162: TNS:net service name is incorrectly specified"
did you try a ping sweep?
dm you
Proper documentation is paramount during any engagement. The end goal of a technical assessment is the report deliverable which will often be presented to a broad audience within the target organization. We must take detailed notes and be very organized in our documentation, which will help us in the event of an incident during the assessment. T...
Most modules will not have a walk through as it's against tos for anything above tier0 to have a writeup
I'm doing the Login Brute Forcing section "Service Authentication Brute Forcing" and I am trying to crack SSH, it's been 10 minutes and still nothing
i used the command from the section
||hydra -l b.gates -P william.txt -u -f ssh://134.209.191.190:31542||
🤷♂️
is it supposed to be like that or?
Are you using the ip and port the section is giving you?
Ssh is a super slow service but since that looks like a docker container, that's the only service available probably
yeah that was the problem
sorry for bothering for no reason...
Eh it's just how it is
You shouldn't ever be brute forcing ssh unless you absolutely have no other thing to brute
https://academy.hackthebox.com/module/158/section/1441
I found the creds for the next host but i cant SSH using these credentials?
Also its in the enumeration
You need to use the first host to jump to the second. But also remove the password from your message as 1) its a spoiler and 2) its an answer to one of the questions
How am i supposed to find the fully qualified domain name of the host if it is down?
What Windows executable will allow us to create, query, and modify services on a host? (I need help please)
powershell?
Hi can I dm anyone in BloodHound for BlueTeams (ACTIVE DIRECTORY BLOODHOUND module)?
Stuck on first question
nope
any answers to this?
what module and section?
INTRODUCTION TO WINDOWS COMMAND LINE - Managing Services
sorry I havent completed that module
It's okay
Try using other tools to enumerate like Nmap or maybe dig or who is or since you're told fqdn
Also it seems like you're meant to use the initial axfr to get the info
aaa so it might not be avaliable on my network
Axfr to the initial target and/or subdomains and you should find the answer
Btw, why do i get different results if i change the position of type and query?
Read the section it should be in there
-query first gives less output
Oke, thanks
Tried everything. I think I'm missing something
Because nslookup is silly
Hahahha ok
hi, search ctf team
I think I know what module you're on, they're having you use nslookup instead of dig
#starting-point this is for learning modules on https://academy.hackthebox.com
Is it a normal behavior not to be able to hit public webservers that are spun up during WebApp portions. I have hit reset about 10 times and was only able to hit a server one time.
As soon as I started fuzzing w/ ffuf ( per module ) it goes down
Can you try limiting the ffuf threads?
How do I stop it, and I cant find any new IP's
Ctrl-c
Ahhh. I see what the issue is, my ATT Armour Security solution on egress IP is blocking public activity haha
Like I said axfr to the domain and see if the answer is there
Nice
The hostd public IPs are flagged as malicious. Hehe
Kek it's because the firewall dns can't resolve it probably
At least it can't resolve it to a domain
Most likely
with the pro labs subscription I have access to any pro lab right?
Yes
Yay. It works. Nvm. @fathom pendant you saying threads made me look at my solution
Just keep looking around I can't recall the full solution but iirc you're close
ok
That is because you are only looking for that domain
It's just using nslookup is a pain because the subdomain and ip are on separate lines
Use dig
Just look at the whole thing and then there's a fairly obvious subdomain iirc that you dig to get it
ok
Close the tab and just start a new one
¯\_(ツ)_/¯
It works, but you are doing a script that runs n commands.. you can't expect to close all of them with only 1 ctrl+c
Ctrl-c only stops the current running command and goes to the next
Aaaaaaaaaa
I still cant find it
I tried looking at each zone
but I just got one IP from each zone
Don't do any loop or grepping
Just dig first because it's possible you missed a zone
Means that it's having an issue with encryption
Most likely on your end, not the machine
Does the rsa key you have have any extra spaces or lines?
Does it have the ---Begin and ---End lines?
Are you sure it was copied properly?
I have all of these in my list
And it didn't paste weirdly
That tells me nothing. Its entirely possible it messed up when copying. Try recopying it from what you have found
Iirc I had a similar issue
Try a dig to just internal
Autocorrect
.
Moo
Ah I thought the key didnt work
You might have some phantom spaces or whatever and if the problem is that you can convert it to base64 then decrypt it into a file
Its easier to copy paste base64
Compared to a big file
Why do you do the grep command? Don't do it if you don't have a good reason, otherwise you lose valuable information
Btw, I can confirm you that one of those zones is the correct one, on which you have to perform dig command, in order to get its subdomains
Converting to base64 and decrypting makes sure it copies properly
wha :I
Does curl -u user:pass https://example.com work for all website logins
No
which type it works for
Execute the same command you have done in that image without the grep
It depends. If the website uses a php or other login form you need to find how it grabs info to pass to backend to verify
It works for basic websites
ok thanks
I did, but I can't find it, the purpose of grep is to find out if the IP is in the file
I am telling you the grep is not needed, also no.. you are not grepping for the ip, as I can see from your image you are doing a grep on "inlanefreight.htb".. which again, is wrong
Big "I'm hearing you but not listening" energy
I have grepped both?
But I cant find it so I am just confuzed lol
I want to hack
Do. Not. Grep
everyone does
Some of the things dont have ips, huh
Now to escalate
How it feels
I forget what the objectives of that module are
If you can escalate, why not
But also sending the link does nothing, I'm mostly answering on my phone and haven't bothered with logging in using my phone
lol
Can subdomains have the same ip?
like admin.inlanefreight.htb and ftp.admin.inlanefreight.htb
I restarted the box and my pc so I am doing something wrong
yes
You are doing the correct commands now, not executing grep anymore, but you are doing it on the wrong subdomain.. it's not admin, try with the other ones you have found
I am looping through all of them
But I cannot find it
Like Ive looked
Some of them dont have an IP address at all
idk if thats normal xd
Cluster just lists other domains
Ahhh you need to do a ping sweep
Like what are these numbers at the end
There is one you've potentially overlooked
You're getting hung up on the wrong things
Hmm
Ok
hi, i'm on "https://academy.hackthebox.com/module/144/section/1311" and am stuck on question: Perform active infrastructure identification against the host https://i.imgur.com. What server name is returned for the host?
Use the commands shown in the section
I've used theHarvester and it responded with 3 host names servicing the target IP. But none of them seem to be the answer.
Don't need harvester
i've tried whois and nslookup also.
rg. will give that a try. tnx
I did it manually, didnt find anything :I
Now ill go and eat dinner, idk if it exists anymore lol
Module name?
You make this look so complicated when it's only 2 commands:
- do a dig zone transfer (using axfr) on the main target (inlanefreight.htb) and save all the subdomains in a text file
- do the same dig command but the target now is every single subdomain you have saved in the text file and only then grep for the required ip (the one which is written in the flag question)
Information gathering -web edition Active Subdomain Enumeration
I have tried
But it dosent owkr
work*
It does work, what commands have you executed?
This doesn't exist either
Copy paste them here
Yes it does, you're just doing it wrong
@fathom pendant hi, if module name was for me, it's Information Gathering - Web Edition, skills assessment
nslookup -type=a -query=axfr inlanefreight.htb IP
Then
I look at all the IPs and none match
So
I try to dig into the subdomains
WIth a loop
And I dont get the IP
The question refers to what section you can look at
These are all the domains I get
Yep the subdomain is definitely in there
Huh
Let me try after dinner then
xd
thanks for letting me know its there
hehe
Like I said you're just doing it wrong
I tried dig a inlaneblabla ipzoneserver
on all of them
But ill try something else later
What are the fortresses in hackthebox for?
Yeah just did it doing nslookup too, and you're 100% doing something wrong
It's funny because these answers are related to another answer... so if you have the txt answer...
I do
...
Don't tell me anything more
I thought about it and i think i know idk, but after dinner heeeh
Just do whatever you did for that answer and tweak it slightly
That's all I can do at this point
Maybe he understood
Virustotal
need to get a better crypter boyo
ty
i tried to scan the network using nmap with proxychains over a dynamically forwarded port but it says that all hosts are up. do you know why? it also takes a very long time
Should probably do a different sweep method
Are you doing a SYN scan?
Especially if you're adding -Pn
my command is nmap -sn 172.16.5.0-255 -T5 --unprivileged
--unprivileged does not make a difference
-T5 does not make one too
for i in {1..254}; do (ping -c 1 172.16.5.$i \| grep "bytes from" &); done does not yield results too
Why are you escaping the |
oooohhhhhhhhhhh
yeahh
saw it too
but still no result
i cant figure out what the active host is
Are you sure the 172.16.5.x is correct? Haven’t done the module in a minute so this is just a legit question
can you check the interfaces?
mind if I dm re: Thick application?
Could try uploading static nmap and then using that https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap
but... isn't on the right machine
hi, i've tried whatweb i.imgur.com and dig i.imgur.com - i would have thought it was the cname. but, that's not working. whatweb, says it's moved to imgur.com. ha, but that didn't work either. i feel like i'm overthinking this...
what do you mean? i am ssh connected to the foothold host and ran the ssh command
Whatweb -a3 (url) -v
Literally from the section it refers to
just didn't see the webadmin@whatever
I need help with the broken auth skill assessment, it's literally the last thing I need to finish my CBBH. I've tried all the same stuff everyone else who posted here has, obviously none of that worked. I know there are two other methods I could try but I can't remember how I did them since I lost my notes. One method I'm not even sure works since they never gave us an example of proper output, they just hand you some code and say understand it. It wasn't one of the two other methods I had in mind. AND I don't understand how the backend is evaluating my request and deciding I don't have the proper role assigned. I've gone as far as registering a new user, intercepting the request and changing the role before it's fulfilled and that didn't work either.
can you do the same ping sweep but this time showing also the webadmin@?
you were on the wrong machine
Most likely with the faulty line
So the interfaces you listed were on this machine?
^
yeh. i ran that and just did again. i'm either not putting the server name into the field properly or i'm not picking the right one out. do you see the answer when you do it?
Httpserver
getting TypeError: setLDAPOptions() missing 1 required positional argument: 'sid' when using impacket-ntlmrelayx
is this another case of using an old version of python?
Maybe
I only have 100 cubes, if anyone has done both, which one you recommend?
right one
Thank you
ugg..thanks! i was overthinking it.
Does anyone know the answer in Setting up module?
Can anyone give me hint on this question
What does the acronym Linux PAM stand for?
I wont get any of the internal ones
Like
These IP's
I can easily find the other flag
but I cannot find the IP (like if I search for A addresses)
Perhaps in a different path? I’m not too familiar with it
Didn’t get to that module yet
Like I said using nslookup -type=any -query=axfr $subdomain.inlanefreight.htb $IP I got the answer
Tweak the command you used for this one
Since it looks like that query was specifically for txt
Modify the command you used to get the txt record. Think how you can get other records instead/as well
It works
I used nslookup
and now it works
I tried with dig
and it doesn't work
Meaning you were doing it incorrectly previously
I dont see the difference in what I did
Why does the any scan from dig fail
but from nslookup work?
aaaaaaaaaaaa
I looked for another zone
Did you remember with dig to do @$IP
with the nslookup one
Because I did dig axfr and it worked
AAAAAAAAAA
I am stupid
Yes
Axfr
Not any
I did with any
for this whole time
omah
Yep
I was not kidding though with some of the remaining answers
it makes sense
I am looking for other zones
To find new ips
so therefore its axfr
any would just look for inlanefreight.htb subdomain ip
Inlanefreight.htb is the domain
Have you understood why it's wrong and what both any and axfr do? Otherwise you simply got the flag but in a real life scenario you won't be able to apply these things
Any x.inlanefreight.htb is a subdomain
yes but I was looking for the subdomains IP, instead of the subdomains list of ips
the way i understood it
@zinc marsh this is the answer
broken auth, has anyone done it
tons of people have
oh i did it
forgot to delete the message
better odds of getting help if you just ask your question
I need help with the broken auth skill assessment, it's literally the last thing I need to finish my CBBH. I've tried all the same stuff everyone else who posted here has, obviously none of that worked. I know there are two other methods I could try but I can't remember how I did them since I lost my notes. One method I'm not even sure works since they never gave us an example of proper output, they just hand you some code and say understand it. It wasn't one of the two other methods I had in mind. AND I don't understand how the backend is evaluating my request and deciding I don't have the proper role assigned. I've gone as far as registering a new user, intercepting the request and changing the role before it's fulfilled and that didn't work either.
I posted that earlier AND i posted yesterday
Refer to what i said, without those we can only guess what ur doing wrong
not actually see it
There was a time some guy was going through so much trouble only for a single screenshot to make us realize he had a single typo.
So please, screenshots.
Also you lost your notes? where did you build up your notes in the first place? The section content typically has all you need to do to pass the assessments
This is incorrect, any gets you a full set of DNS records like: A, AAAA, MX, CNAME, NS, SOA
The fact that any gave you just the subdomain ip doesn't mean that is what it's actually used for. It means only that record was retrieved successfully, which is common because many DNS servers won't even bother responding to "any" or they just reply with a link to RFC8482, where it very clearly states that ANY requests are being abolished
I lost my notes saved on another VM but i re-tested that method and it didn't work for the skill assessment. I can send anyone screenshots but i you'll have to specify do you want to see login requests, registration requests?, error messages?
True, I didnt just learn that though, I didnt know what AXFR was neither or what zones were so I guess I am happy with what I learned xd
The rest of the questions were very easy after I learned that lmao, I am already done with that section xd
Just a suggestion for next sections, read the text before jumping into questions. Even though you might think not reading all and just glancing might be faster, it would have saved you loads of time reading carefully all the text
Indeed, thanks for the advice hehe
I fuzzed this subdomain and I added the target to /etc/hosts (www.inlainfreight.htb) then I intercept the packets with burp and edit the domain to access the vhost websites, is this allowed?
there's many ways to do something but it's best to just not make ur life harder on purpose
unless you're trying to learn
remember in the real world you rarely need to edit /etc/hosts so much
its mostly just a convention for lab environment limitations
and if its vhost enumeration youre doing then there are significantly better options then just guess adding to hosts or messing with repeater lul
xd
Welp
I guess I just wanted to cuz i learned it in the previous module
lmao
Now I know not to do that irl
baby steps before you run
and experimenting with what youve learned so far is NEVER wrong, I recommend it always
Nice
its the people that dont and say, 'well the material didnt tell me to do it so I didn't try' that I have concerns about
O.o, and I love skill assessments aswell ohhhhhhhhh
good
I don't really understand what are the named pipes
what about them?
named pipes are another inter-process communication tool that windows has
kinda like a socks file in linux
think like a localhost tcp port except it doesnt use tcp at all
hmm okay
am I supposed to use accesschk.exe here? I get this error:
operable program or batch file.
accesschk.exe is a binary from the SysInternals toolkit. Normally you'd have to upload it yourself if it's not on the system, but they put it in C:\Tools for you
reading the module helps here 🙃
ah okay ty
I thought it was just a binary from the system
I'm having trouble accessing a Hack The Box machine through OpenVPN, despite following the necessary steps. I have performed the following actions:
- Successfully connected to the Hack The Box VPN using OpenVPN.
- Added the machine's domain name (searcher.htb) to my hosts file with the correct IP address.
- Verified that I can ping the machine successfully using the domain name.
However, I am unable to access the machine through my web browser using the domain name
can anyone help me
Broken Auth assessment: Ive gone as far as brute forcing the stupid support account, decoding the cookie for it to learn how it works, enumerated the account with higher privileges, created a cookie for that account and STILL get user cannot have requested role. I've gone as far as literally having to look at a walk through to figure why this isn't working and i've followed the walk through to the letter and still get the error. Even though they clearly show it working.
id message support is thats the case
am gonna run mimikatz in my own machine
there was any way to get it from the rdp?
hello all
@deep owl Hello
I got it in both
i think i know the command to solve this question
but am wondering how can i get rubeus on the machine that i just gained shell on
module:ACTIVE DIRECTORY ENUMERATION & ATTACKS
section: Attacking Domain Trusts - Child -> Parent Trusts - from Linux
wdym
Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer.
just transfer the file
how
There are a lot of ways
hello there, appreciate any help regarding moving a mimikatz file from a linux machine to a windows machine. I tried the following but faced an error: scp /home/htb-student/mimikatz.exe system@172.16.5.5:"C:\Windows\Temp"
ssh: connect to host 172.16.5.5 port 22: Connection refused
lost connection
@deep owl Hello
scp only works if theres a ssh server hosted on the target
any other method to move the file to the windows machine'
theres a million
have you done the file transfers module?
it depends largely on what kind of access you have, how much opsec/evasion matters in your scenario, and personal preference
like if I have rdp to windows and opsec is not a concern I prefer just hosting a share via xfreerdp's /drive option
if I have winrm I use evil-winrm's built in upload download
for some windows boxes I prefer having a meterpreter shell so I'll use thats built in upload/download
just generic powershell shell/cmd injection? ill use invoke-webrequest or certutil
and a lot more methods ive not named
i sent u the module
anyway with rdp u can just drag n drop
hello everyone, I'm stuck within the question Where is the Laudanum aspx web shell located on Pwnbox? Submit the full path. (Format: /path/to/laudanum/aspx) | Shells & Payloads module, webshells section
@tight mesa Hello
hello @compact musk
@tight mesa Hello
any hint?
a little bit of context, I'm not attacking the website from the Pwnbox instead I'm attacking directly from my host and I'm pasting as an answer the absolute path located on the target
but it's not accepted as a valid path
I really don't understand what I'm missing here
what youre missing is its asking specifically about on the pwnbox
fire up an instance and answer the question
ok. ty
Anyone help me with file upload skill assessment?
I cannot get my test files to load. I have the correct URL, and I've read the naming algorithm, and used that as well
Dm me where your at / what you've tried
sent
Hi guys
I need a sanity check
been way to long
dm me if u need help
What is a root flag?
It is a flag designed to be found as the root user of a system
In footprinting NFS I am using the command "sudo mount -t nfs 10.129.14.128:/ ./target-NFS/ -o nolock" and getting an error "mount.nfs: an incorrect mount option was specified"
I made a folder in my home directory for ./target-NFS
Hi, I'm fairly new to Hack The Box. How would you simply go about gaining access to an SSH server?
use "ssh <username>@<IP>"
for example "ssh TheFxrsakenOne@10.0.13.12"
then it will prompt you for passwd
Ik that command. I’m asking in a hacking sense.
Like how would one go about exploiting it?
Gotcha
Well, in my experience more enumeration, such as plaintext passwords
or other interesting files that help you get further along
I tried <ip>:/mnt/nfsshare as well, but it didn't work
this is the footprinting nfs lesson
still getting "mount.nfs: an incorrect mount option was specified"
I've used NFS in one of the boxes on the main HTB platform and it worked fine
Try -o rw
where should I put that, at the end?
Instead of -o noclock
what is noclock and what is rw?
those weren't explained in the lesson, so I just went with what they said
Hi.. can anybody tell me what is the right way to install nginx and the ajp module? I am stuck in the server side attacks module. I have tried a lot, configured nginx with an ajp proxy, still it throws some error
I'm not sure on the specifics, I know that they are mounting options. rw stands for read-write, sometimes if noclock doesn't work, rw will
rw worked
Thank you!
I'm surprised that hasn't been asked before, I looked it up on google, HTB forums, and in the history here.
I did verbatim what they had in the lesson
Okay, I figured it out, I'm dumb and typed in noclock instead of nolock
I swore I had copied/pasted
lol
Nice catch!
Is there any done server side attack
you cant ping scan through a socks proxy
I need help with the https://academy.hackthebox.com/achievement/298184/211 model, in Example 2: Failed Logon Attempts (Disabled Users), What should you specify after user.name: in the KQL query? Please help.
after completing SQLMap Essentials - Bypassing Web Application Protections, I was wondering if anybody could enlighten me, particularly with --random-agent and --tamper=between or for any other script: are there any hints in the reqs and responses that could hint at what type of protection you need to bypass, or is it just a matter of guessing and trial and error?
Exploiting Web Vulnerabilities in Thick-Client Applications 💀 🔫
Its not as bad as you think it is. Its basically two parts. Part 1 is pretty much following along with the first section down to foothold. Part 2 is similar with following the SQL injection section.
It's cost me a significant amount of hours wasted 😪
That'll happen with a lot of the tier 2 and above modules. Some problems you will bash your head against.
Can confirm I have bashed my head a few times
Worst modules for me were: Active Directory Enumeration, Advanced SQL Injection, Secure Coding, and Whitebox Pentesting 101. Certainly there's been a few other modules that have been challenging, but most times people have already asked similar questions so I can figure out my own answer.
Why would u think that
U are asking what u wrote wrong
and u didn't send the code
A lot of WAFs will block you based on default user agents of tools like ffuf and SQLmap, you can also use a tool like https://github.com/m4ll0k/Atlas to suggest tamper scripts to use before running SQLmap
I think I wrote just import FileOutputStream
Starting the windows fundamental module, is it recommended to use w11 on a virtualbox as a host machine?
```java
// Needs these imports at the top of Invoker.java:
// import java.io.FileOutputStream; import java.io.IOException;
<SNIP>
public String open(String foldername, String filename) throws MessageParseException, MessageBuildException, IOException {
    String methodName = (new Object() {}).getClass().getEnclosingMethod().getName();
    logger.logInfo("[+] Method '" + methodName + "' was called by user '" + this.user.getUsername() + "'.");
    if (AccessCheck.checkAccess(methodName, this.user)) {
        return "Error: Method '" + methodName + "' is not allowed for this user account";
    }
    // Ask the server to open the requested file and wait for the reply.
    this.action = new ActionMessage(this.sessionID, "open");
    this.action.addArgument(foldername);
    this.action.addArgument(filename);
    sendAndRecv();
    if (this.response.hasError()) {
        return "Error: Your action caused an error on the application server!";
    }
    // Write the returned bytes to the Desktop instead of showing them in the GUI.
    // try-with-resources closes the stream even if write() throws.
    String desktopPath = System.getProperty("user.home") + "\\Desktop\\fatty-server.jar";
    try (FileOutputStream fos = new FileOutputStream(desktopPath)) {
        byte[] content = this.response.getContent();
        fos.write(content);
    }
    return "Successfully saved the file to " + desktopPath;
}
<SNIP>
```
Thx for pointing that out 👍
Smashes head on desk..
they give u the box i think
Did u just c/p what's between in the SNIPs into the invoker.java over the top of the existing section
U have to change the function for the one in the section
Hi in Attacking Common services - Easy lab I wrote this query in DB To get webshell MariaDB [(none)]> SELECT "<?php echo shell_exec($_GET['c']); ?>" INTO OUTFILE 'C:\webshell.php'; Query OK, 1 row affected (0.076 sec)
I need to get access it on URL ... when use http://10.129.203.7/webshell.php?c=dir I get 404 and when try http://10.129.203.7/dashboard/webshell.php?c=dir also get 404 ?
what I missed?
Done .. but how can I learn what happened 😅
I mean how can I know to use your query?
chatGPT but also the correct file path is to upload to is most important
Great thanks
that is not the path to website
u are supposed to have read this already "WebServersInfo.txt"
True I missed that
I need some help with this module
I already followed the instructions, but the SeLoadDriverPrivilege does not exist when I type whoami /priv
I figured it out, I need to open a cmd as admin using the username and password that were already provided.
Follow the steps in this section to escalate privileges to SYSTEM, and submit the contents of the flag.txt file on administrator's Desktop. Necessary tools for both methods can be found in the C:\Tools directory, or you can practice compiling and uploading them on your own.
Has anyone done Whitebox Pentesting 101: Command Injection Skill Assessment? Having some issues getting the injection, which I know is mostly a syntax issue. Would like to pick someone's brain. 🙂
Hey, did you complete the skill assessment for Whitebox pentesting? 🙂
Hello! I'm trying to find the local internal resource in the Injection Attacks module Skills Assessment. I already identified the ||PDF injection|| and now I'm stuck on it. Any hints?
hey folks, i need a help, I'm trying to play Pilgrimage, I start the Machine and when I try to access the Web Based Attackbox, I get an error saying "You're not assigned to this VPN Server", how can I solve the problem?
Screenshot: https://imgur.com/a/cgKAPqz
can someone help me make a malware for password cracking??
what languages do u know
hungary and english
I still dont get it
i think u need to read this first
thx
@coarse meadow are you also a beginner just like me??
@royal spire yes and I would like to learn to hack roctar account
rokstar
sorry
why cant I spell
let's talk separately
anyone please?
Have u done any other machine before?
no, this is my first machine
has anyone done the kerberos attacks module? I'm a bit confused with the unconstrained delegation - users section
Read #welcome and verify your account. Then you can also upload pictures and ask your question in the right channel.
What does the acronym Linux PAM stand for? I know the answer is pluggable authentication modules but I keep getting the wrong answers. Is there a problem with my answers?
Search for it with Google, then you will find the answer very quickly
Enumerate the target using the concepts taught in this section. List the hostname of MSSQL server. Having trouble with this, can someone give me a nudge please? I was pretty sure I was using the right command
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248
can you please tell me where can I ask the question? I verified my account
here #1122224519793365054
thank you
In which module and section are you currently working?
footprinting mssql
the output for that asks me to debug and even then not getting the desired output
if u haven't done any machine u can do the starting point
and retired machines
This should actually work.
Try it in the PwnBox
okay, I got that, but should I first complete the Starting Point before trying to Pwn any other machines? I couldn't play the retired machines as I'm a free user
https://academy.hackthebox.com/module/67/section/603 Windows Privilege Escalation -- DnsAdmin -- Using Mimilib.dll -- This dll is part of windows or I need to upload it myself? https://github.com/gentilkiwi/mimikatz/tree/master/mimilib
I am doing it on pwnbox mr payload bunny . I'll try restarting the instance then
I need a little bit help.. Can I Dm you?
why can I not open the Administrator desktop if I created a user and added it to Domain Admins?
you might run a Get-ACL on that folder; Domain Admins can add themselves to everything but may not immediately have access to everything
Because C:\Users\Administrator belongs to the local administrator and probably only he has access to it.
You would have to change the user rights of the directory.
No, you're Getting the Access Control List
I just used secretsdump because I was too lazy to look up the Get-ACL syntax when I was running into that
can someone pls tell me how to use a brute force?

if u wanna hack a rockstar account just check a video
where?
oh
@zinc marsh 419 PAGE EXPIRED
can someone other than @zinc marsh teach me how to use brute force?
Bro, what you are trying to do is illegal.
If you want to stay here, read the #rules
not sure if I did it right
I tried to set read rights and full rights over C:\users\administrator
and I get access denied
k
any nudges for the Documentation and Reporting skills assessment?
I tried to crack ||clusteragent|| hash as managed to enumerate the user as domain admin but to no avail.
Also managed to crack the IPMI hash for ||admin|| but to no success (cannot connect remotely)
@rustic sage and hacking into other computers is not illegal?
Hi, I've been noticing my speed of reading through the hackthebox CPTS modules is quite slow.
Can anyone tell me about good ways to learn effectively and go faster through it?
I've been doing the course quite some time now. Now I don't sit everyday for it, and just go through it the entire day. I Take peeks when I feel motivated enough to learn more, and create the time to read it.
Would love some great advice! Thank you in advance
Ps: I take tons of notes
I think your proxychains is not configured right yet
But how do you take notes when you don't have in control how fast it reads? And easily being able to pause it?
I tried that with some extension, and didn't feel that effective
I'll give it a try. I got ADD, so fast distracted 😛
that's why we don't do it.
OK, since you seem to be denser than a cube of lead: what we are doing on Academy, and what would be done for a job, is legal, as we are given the permission to access and hack into those boxes
ping sweep is not nmap ping scan
Nmap can perform one
But it's not the only way
A ping sweep is just pinging a list of ips and seeing if something comes back
It's not necessarily scanning any info
Don't.
istfg whats with all the goofy ahh posts lately
I'm willing to be a mentor at this point for $100 a session for the goofy ahhh ppl
i didnt know u were a mod marcie
keep the friendly vibe, people come from different backgrounds and have different knowledge/skill
Not a mod
i got muted 1 min
Just community helper
Probably by dpgg
bro if he pays me then i can buy more cubes on htb everyone wins
to teach first u need to learn
not you, there were two people spamming goofy questions in a couple channels/threads
^
what makes u think i was gonna teach him anything 
how he wants to hack people
Any nudges haha been stuck here for awhile
Hi all! Trying the nmap room at the moment, trying to find the hostname, but my scans keep getting stuck at 85.71% and become unrecoverable, any ideas?
This
Try resetting the target and trying again or reduce the flags you're using
Seems to be -A and -sV that make the scan stall there, probably because of the non-standard service on a later port.
Yes
You want to run a blank scan first and be more aggressive using -p {list,of,ports}
Ah cool
Got to say that the modules in the academy have been very useful/humbling. I work in infosec at the moment, and these modules still teach me new stuff every time I try them 😄
yes, i found them 🙂
nmap -p- -T4 --min-rate 5000 <IP>
then,
nmap -p 22,80 -A -sC -T4 --min-rate 5000 <IP>
is what i usually use, this assumes port 22 and 80 are open.
htb boxes can handle --min-rate 10000
They elaborate a lot and go very in-depth.
Reads like a research paper at some points too.
That's just the level of professionalism put into htb modules.
Way different vibe than THM rooms, but definitely more on the expensive side.
yes, I agree. These modules teach me how to just be more professional and do better in skills I already had a basic understanding of, really well put together
Running through CPTS, work in embedded at the moment, but trying something new seems cool
I got it just doing shutdown /l
and log in again
Cool, found the solution, cheers for the nudge with my flags 🙂
Hi guys!
How is today?
I'm stuck with
FOOTPRINTING SNMP
Enumerate the custom script that is running on the system and submit its output as the answer.
How to get this?
Btw, regarding my question.
I take notes like the attachment.
Is this the most effective way to take notes? Or do you guys only create cheatsheets?
The best way to take notes is however it works for you
But doing it like this can take a long time to get everything written down. Would love to get to know other methods 😄
Follow the snmp commands given
So I can compare, improve or proceed
time to write things down isn't a bad thing ¯\_(ツ)_/¯
well your method consists of typing everything down so obvs it'll take ages.
The only faster way is to screenshot everything.
or i'm ngl, you could probs find notes or cheatsheets online.
PayloadsAllTheThings and HackTricks are examples.
Not taking notes at all is a huge fallback for me for sure
I did. What does this custom script look like?
I like to use my notes as a secondary brain. Just to keep getting reminders of how things work when I get stuck.
Googling isn't always the best, I'd rather go into my notes written in my own language.
I do use hacktricks etc for cheatsheets and stuff
Hint: you're told it's a script, what are some common script file extensions
Your notes are fine: you're overthinking it
Alright man. Thanks
The other thing taking time is parsing the info and rewriting it (which isn't a bad thing)
I do like the microsoft edge text to voice. its nice
Sure thing, but I am kinda slow because of it.
But ill try it a while with the voice reader. That would be a great asset to it
Who are you racing against?
No one, I just like to see big progress
¯\_(ツ)_/¯
Think of your notes as the large gear in a mechanism: yes it moves slower than the smaller gears, but it doesn't actually slow the process
Sure thing. Get everything to stick a bit more
What is going wrong here with my connection for the socksoverrdp section of pivoting tunneling and port forwarding?
I am up to the point where I need to connect the final machine
I believe proxifier is set up correctly as well
If it's not set up properly: you may need to reset the box
I did that once already and I am getting the same error
I am supposed to connect to 172.16.6.155 from the initial rdp connection?
nothing is showing up here, but I am not sure if that is supposed to happen before or after the connection takes place
Did you configure proxifier via the instructions in the example?
yes
Nothing there until connection occurs
Also rdp using your vm
Proxychains
Iirc it's mostly following the section
Ah then yeah it's through the windows Machine
Just make sure you read the section carefully
I am seeing a bunch of connections in the example but mine is blank right now
Password Attacks > Credential Hunting in Linux > Question:
Examine the target and find out the password of the user Will. Then, submit the password as the answer.
I'm stuck in this section. Can someone help me?
||I already have the password of kira, the password decrypted from the id_rsa key and I found 2 .back files from passwd and shadow. But I can't continue. I tried all commands in the section and I can find something interesting.||
I.e. start from the very top
Transfer them to your system and try the commands
Do you talk about .bak?
Yes
Thanks, I will try
Btw, how can I transfer if I don't have permissions?
Wdym don't have permissions: you can start an http server yes?
Of course
Then you can transfer files
I'm gonna try, thanks!
@fathom pendant is the initial rdp connection through proxychains?
I am starting from a reset lab and vm
I'd suggest doing the file transfers module
No
It's done, thanks
Not sure how to proceed with the nmap room, section 'service enumeration'? I think I've found all open ports and services, but not sure how/where to find the flag 🙂
If the non standard port is where I need to be looking, my scans are having a hell of a time doing anything with it, but given the number, it looks more like a meme
Select yes here?
And I am noticing there are two proxies listed in the example but we only wind up with one if the steps are followed in the section
Yes
And from there I just go and start up mstsc.exe?
I have followed everything as it is shown and I am still getting the same error
Could someone point me in the right direction...
(Footprinting Hard lab) Once you get OID's utilizing ||braa backup@ip|| What the heck do you do with the results? I see some interesting locations...
Am I missing something here to connect to the final host (172.16.6.155)? I have all the connections set up correctly, and proxifier is configured just like the explanation. Am I missing something in the process to connect to the other machine as jason?
I'm really at a loss now... I have restarted things 4 times and still no luck
You are definitely doing something wrong, I've completed that module and haven't had any issue with it
Proxifier and stuff should be on the second machine
Iirc
Hi,
Did anyone have luck finding the user for "Find another valid user on the target GitLab instance." at
Attacking Common Applications
Attacking GitLab
The scripts are fine but the user can't be found 😊 and been waiting much time here
@fathom pendant can you help with that, Im stuck at enumerating Users in "attacking Gitlab" - what userlist should i use for it?
Haven't done that one
no worries thanks!!
hint: you can use one of the ||default|| lists from SecLists, or you can just use a combination of all of the username lists from SecLists and it won't even take that long
also another hint is for the next part you don't need a valid password like the section said
It's because you're not understanding it
hello everyone
It's not that difficult
Is there something I'm missing on the dns portion of the footprinting module. Trying to figure out the last one and I'm not getting any hits when using dnsenum
Subdomains of subdomains
I need a little hint, I'm doing the shell & payload skill assessment but, I'm not finding a web browser under the RDP foothold machine
firefox
hmm ty but, can I ask you why the browser is hidden?
Just no icon doesn't necessarily mean hidden
ok
Should be able to run the basic command in like powershell
and why can't I call it from the menu search bar?
I'm dumb
Idk that's an htb thing
ok, makes sense
Just try different things brother
Come back when you've actually exhausted all options
I'm referring to running the sweep from the system itself
Not from a proxy
Just follow the section step by step
It's been a minute since I did it and the only one I had any issues with was the ptunnel one
All I did was follow the sections step by step
Section explains what you need to do
How do you know where to jump to if you don't know the ip
Also it's not a port scan
A ping sweep is not a port scan
Just on that system
Cheatsheet also gives commands to pingsweep if I remember correctly
How do you know where the next system in the chain is if, for instance, it's a grey/Blackbox test
Ping sweeps through proxy are dodgy at best
Just read the section carefully
Honestly, the amount of time the answer is just "read carefully" is insane
It's a method, but not the only method
Thanks! Already solved the second part but the first isn't working for me; tried almost all of the SecLists usernames section 🙂
Either the server dies or no luck
As someone with adhd, you need to learn how to cater your personal learning to how your attention works
I understand everything completely, I think I just needed to step away, I was pretty bleary eyed earlier lol. I am hoping for a facepalm moment tonight.
Inb4 it's an l and not an I
Again it's learning to learn that's the hard part, even if it's taking extra time: take apart each part of the section, ask yourself: what makes sense and what doesn't
If you need to Google for additional info or it's explained slightly later in that section then that reinforces it
for what? Sorry I am confused
It's a joke about simple overlooking
oh lol
Chatgpt can be useful about concepts
I'm running into an issue with the Vulnerable Services section in Windows Priv Esc. I can't seem to find the correct place in the PoC script to add the IP address and port number to run the exploit. The lesson is kind of vague. It says to "append the following at the bottom of the script file (changing the IP to match our address and listening port as well)" but I can't find where this needs to go. Is anyone able to provide this info?
Google what the word "append" means
So just at the very end of the script? Okay, I'll try that. Thank you.
"Append the following " I would assume means copy/paste the code and add it to the script
Yeah, I tried that as well. It's not working. I still get no connection on my netcat listener.
try rereading the section maybe it tells you more ¯\_(ツ)_/¯
Also remember change their code to be your ip and listener port
Yeah, not sure what the issue is. I made the necessary changes to both files. My server shows that it was able to send the appended file, but when I use .\Druva.ps1 to run it, I get no response on my listener.
@fathom pendant just wanted to ask, do you have access to all modules to help in this channel
No
ah was js curious
no idea then ¯\_(ツ)_/¯
Thanks anyway. I'm going to restart the lesson and try again.
you can try sending screenshots
I can't seem to get screenshots to upload here for some reason.
it sometimes gets things totally wrong tho. but its great for eli5 explanations
Any recommendations for tier 3 (or tier 4 modules) that are "must do"? I have ~500 cubes from doing modules and could probably grind for the full 1000, but I have no clue what to look at. I'm sure the quality of the material is all good, but what are some of the best ones?
How is cloudflare a proxy
Because it sits in the middle to manage traffic
Instead of all traffic being handled locally
ok i see, i thought a proxy was just using another ip to route your traffic through
How does normal proxy differ from cloudflare
It doesn't much
cloudflare is for blocking bot traffic no?
It's just cloudflare is a hosting site, and detects for potentially malicious traffic
Don't get this
What does it mean by sending any client that connects to the port back to the attacker
It means the infected endpoint is acting as a proxy for the internal network, sending data from clients that is sent to infected machines to the attacker.
ok thanks got it
Intro to networking
hello! I'm having trouble on the "Bug Bounty Hunting Process" module, the question is (CVSS)
Which base metric value of the base score considers that attackers can only exploit a vulnerability if they reside in the same physical or logical network as the target host/application?
Is it not Attack Vector? I tried writing it in many different ways but it doesn't seem to work.
congrats
Heeeelp when I am doing ACTIVE DIRECTORY ENUMERATION & ATTACKS and whenever I try to rdp into my Windows htb-student box the session is just a black screen. I could ping it and I have tried to reset it with no luck.
have you tried pressing any buttons
here i am still going mad over this question
got dammit
i am going mad over this question
Hacking wordpress module: Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
i know the plugin, i've used LFI. i have a shell. I have all the flags, but i can't find the flag they are referring to here
when I get frustrated at these multi flag boxes I usually just start grepping the filesystem for the flag
maybe its stored in a DB then
yeah this module is taking a hit on me mentally
everything was easy, then this
and been stuck for way longer; too deep to go to bed before i have it completed
hi, asking about Windows priv assessment 1. Starting with nmap to enumerate. Did you have a connection to the target? I used pwnbox from my browser and also a local kali box with pwn. The target IP is not reachable with ping. Already reset the target multiple times. Any clue?
most windows boxes dont respond to ping
For the "Kerberoasting from Linux" module, what creds do we use to complete the questions? The creds used to connect to the box do not work, and I dont see anything about using a set of certain creds?
ty
if u found the correct plugin, theres an exploitdb page for it and u can just copy the poc (Note: Question is asking for "unauthenticated file download")
guys how to fix "no instance to start"
usually that'd only happen in seasons boxes. (personal instance)
Can you screenshot the error message?
and which module + section is it
Hi guys, Hope you are well... Im stuck a bit on module - Password Attacks, Credential hunting in linux.... Is anyone available that has completed it? I was able to ssh as the user
"chase the fox"
Sorry I didnt understand
the exercises are based on the information in the sections
whatever you have learned in the section, you will most probably need to apply it in the exercise
I did try everything in the section, I did find something in the bash_history I think but I'm not very experienced at enumerating it
well, if you subtly go over the hint that autom4il gave you, then you will see that you missed something
the hint refers to something showcased in the section
billing issues are not solved and can't be solved via discord
Password Attacks > Credential Hunting in Linux > Question:
Examine the target and find out the password of the user Will. Then, submit the password as the answer.
I'm trying to download these 2 files to my attacker host but I can't. I tried some methods from the File Transfer module but every time the same problem, it doesn't let me download. Where am I wrong?
Is it possible to download that file?
I don't want to be in rabbit hole for long time
Okay, I got you
I tried that but I didn't get any good information. I will try again, thanks!
The kira user doesn't have read permission because the shadow.bak file has user will and group will, and the file doesn't have permissions for other users.
Yes, I know that, thanks. But I was following an old tip and I wanted to be sure... Thanks!
hello all
please help
module: AD enumeration and attacks
section:Attacking Domain Trusts - Child -> Parent Trusts - from Linux
i performed the attack successfully, i now have a powershell spawned
but am not able to transfer mimikatz to the machine to be able to get the ntlm hash
any help please
why would you need mimikatz
to dump the hash of the user bross
meterpreter has a command to dump ntlm hashes. In addition, it also has a mimikatz module called kiwi, you just need to load it. I am not on that module, so I am not aware of the setting.
the section showcases a different tool, that you should use
am on a powershell
ohh.. ok, anyway, as I said I am not on that module so I don't know about the setting, but could you post the command you are entering in PowerShell and the error you are getting?
thank you much appreciated
you don't need PowerShell, nor mimikatz, to solve the question
from linux we compromise a windows host which is the domain controller (system) i want to use the domain controller session to get the hash
i think i can attack the sam file will try it out
so, if the attack is being done from linux, and not using Metasploit, then have you tried 'AS-REP Roasting (impacket-GetNPUsers -dc-ip) for this. Not sure if that would help, but maybe.
any update?
whats the context?
no, which module
?
I am doing the AD Skill Assessment Part 2, where I have to utilize the Juicy* exploit. I am using the CLSID list provided on their GitHub, which seemed to work for others. But no bueno, would love a sanity check
Is there a reason why putting "Content-Type" could be advantageous?
usually to attempt filter bypass
aaa by specifying it as a different type than it is to get it through the firewall?
not necessarily a firewall, it rlly depends on context

