#modules
weird yeah I'm pretty sure that's what I did as well and didn't run into that error
are there any other options related to the vulnerable version of bash you can try?
or maybe try bringing that session back to the foreground and trying again
Not that I can see.
not sure what you mean.
gonna try it on the browser box
that's where I was successful with it, lmk if it works on there
will do thanks
why is it 186k lines
ya it worked from the browser box. No idea whats going on with my VM
that's what's produced when using the custom.rule against the password.list file in the resources to create the mutated list with hashcat
Weird!
you gotta mutate the given password.list file with the custom.rule file, you will get presented with the mutated password list.
Then u gotta sort the new password list for unique entries.
and if ur using a windows machine in order to use hashcat and then transfer the files into the vm or the box. make sure to specify the encoding to UTF-8
maybe I missed the sort I'll try again in a second gotta tend to something real quick
oke oke, good luck with that.
and for once ur back, try dissecting the mutated password list into parts, so it isn't a rly big pile of passwords, you could also try sorting them based on length.
Each for their own use case ofc.
FYI, removed Metasploit altogether from my VM and redownloaded it. Works just fine on my VM now.
Oh nice! I came back and it had found it, I'm gonna play around with your recommendations and see how much faster I can find it! Thanks for the tips!
Hey have question in the HTB SOC job role path is it enough to get into Cyber Security
Anyone able to nudge me on the document and reporting lab? I thought it was supposed to be a simple initial access but I can't seem to get RDP / winrm to work with any of the hashes / passwords
Which passwords are you using?
Tried ADMIN, abouldercon, asmith, clusteragent (hash, couldn't crack), and dhawkins
Are you trying to connect to the DC with those creds?
Yeah I was
So try using those creds in another manner, you need to do some work still to find other accounts to use on the DC.
Is this path training enough to get a job in IT or Cyber Security
I see says the blindman.
As he picked up his hammer and saw
guys how can i factory reset kali linux?
Reinstall ?
only that ?
I mean it's probably the quickest
hmm
any other method?
i'm doing attacking common services module and i'm on mysql. I kept getting this error
i ran an nmap scan and the port is open
Don't put the password on the command line, or put quotes around the password
! gets treated differently by bash/zsh, you'll have to escape it
^
still not working
Did you enter the password?
There is no mysql on the target
I don't think
Try running an nmap scan, you should see different things
this helped me out
there's an issue with that module
i'm able to switch btw certain databases but i can't use the command show
think i gotta contact support this is weird

Call me crazy
But it seems u are in mssql
^
Important to apply some critical thinking here. You've been given a list of commands, some work for MySQL, others work for MSSQL. Everything you need is in the module, so what do you think you need to try?
This isn't mysql
Hey everyone! Having some trouble on the question 3 for "Skills Assessment - Using Web Proxies"
"Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)"
In my payloads options I have the correct wordlist from above, have the correct payload processing (adding cookie prefix, encoded both base64 + HEX) but when I begin the fuzzing, I keep getting 404 errors. I believe my error is the "payload positions" as I'm unsure what to put there. Open to DMs + any guidance!
MySQL and MSSQL are two very distinct databases that both share SQL (structured query language) in common. The general approach of querying the databases remains the same, but the underlying structures are fundamentally different. You need to identify what "flavor" of sql database you're working with so you can appropriately issue commands and work with it.
You don't understand what it is you're hating here 🙃
i agree with you @trail leaf just understanding it
Good morning/evening everyone. How quickly do you usually finish a module? Average
i got the hash but hashcat isn't spitting it out let me try john
i copied this hash from responder, used hashcat -m 1000 hash.txt password.list and it's not cracking the password. john is still trying, been going on 10 mins now
the hash is an NTLM hash so the -m 1000 should be correct to use in this instance
am i thinking wrong or doing something wrong ?
used both password.list and pws.list
my output
Can anyone help me in Password Attack: Passwd, Shadow & Opasswd
Examine the target using the credentials from the user Will and find out the password of the "root" user. Then, submit the password as the answer.
Logged in with ssh with will's credentials
Copied xxxxx.bak and xxxxx.bak from .backups
Unshadowed the hashes
Then
Mutated the password.list from the resource section
Then
Tried to crack the unshadowed hashes using mutated password list
But still hashes not cracked. It says EXHAUSTED
What wrong I am doing don't know
You can DM me.
when am I ready for Hack the Box Main Platform?
currently I am doing the Introduction to Nmap module
I am in process of CPTS
I don't want to forget information from module
could I start Dante right away or is that unrealistic?
what about doing HTB boxes?
I really want to practice what I learn in CPTS while I learn it preferably
Whenever you want to take a stab at it tbh
well but can someone who only is learning nmap really do well in main platform?
You're not gonna be able to really search active boxes for relevant content
Nmap is an entry point. Google can help fill gaps
Starting point and guided mode boxes help get you in the mindset of moving forward
Retired boxes have writeups or based ippsec vids
would it be better to do Dante while doing CPTS path or after?
how do I find boxes I can do during CPTS?
could I ask for recommendations as I go?
I mean Dante requires a prolab subscription but there is also an intro to Dante track in main htb
ok
Look for the academyxhtb in the drop-down from the academy site
Hi all, I'm stuck in the File Inclusion Prevention second question
https://academy.hackthebox.com/module/23/section/622
Got the file and moved it in /var/www/html/.
I have added a webshell in the file, however when I curl the file to execute and read the error.log file, it doesn't behave the way it is meant to.
Could anyone direct me to the right path? Thanks
The reason Nmap has so many is because Nmap is a basic and core module
ok I see
You're gonna get hits because Nmap is just a basic enumeration tool
so I don't want to overthink it. which nmap module do I start with if I am just learning basics?
Because alongside the boxes it shows you, it also gives you its difficulty
I know it does
ok thanks
But honestly if you're doing the cpts path, follow that
The Nmap module is included in it
You're just overthinking things
but I want to get additional practice because I'm worried about forgetting material
Then just do boxes
Ippsec.rocks has a search feature for topics
And a relevant (retired) box regarding that topic [in part or whole]
ok thanks
but how can a beginner do boxes? do I just do it along with CPTS? I don't know prerequisite material
do I just google it as I go?
thanks btw
Yep
ok cool
so is VIP+ better subscription or pro labs?
I am thinking VIP+ probably and then as I get better at it I can add in pro labs?
because pro labs are expensive
they are separate subscriptions and offering different services
ok but what's the point in pro labs? I am thinking a guided lab could help like it would make sense to do Dante or something but why not have both in one subscription?
why do one vs other?
which is better for my case? my long term goal for the next couple years is to be able to do more advanced HTB boxes and I am willing to put in a lot of time
prolabs do not offer guidance
ok
I am getting these terms confused
so pro labs just get extra practice?
how do pro labs work and what is better for someone who is ultimately aiming to get good
I want to be a good hacker
and/or pentester
Prolabs simulate a more realistic experience with pivoting and proxying
While boxes, generally, are single instances
ok
I don't have unlimited money to do both currently
which should I do on top of academy
prolabs or boxes
long term I want to do both
Active boxes are free
They require vip
I mean I'm looking to go from beginner through advanced over the course of maybe a couple of years
in terms of HTB boxes
I completed InfoSec Foundations on Academy
now doing CPTS and need to supplement it for practice
Then slow yourself down. You're overcomplicating things for the most part
ok
A lot of things early on continue to be reinforced throughout the modules
ok thanks
so is there no point in doing boxes or other stuff now?
at least currently?
I mean that's purely up to you
But with how you're overthinking things at this time: yes
what would you recommend to get good? I want to get CPTS and CBBH certs then move into CREST pathways to get to the more advanced paths
so would doing advanced academy modules in a couple years be a better goal?
and just focus on academy?
The more advanced modules start being more niche
ok
Just take it slow. Take on active easy boxes first
Once you're comfortable with those move up
Even supplementing learning on thm isn't necessarily bad
Ok. But since you said do academy first, should I get CPTS and CBBH and then transition into main platform?
Ok I personally don't like THM
I never really said do academy first.
I just said whatever you feel comfortable with
ok
A good majority of people on the main platform don't do academy
They just Google and learn
They just don't want to. Or know about it
It's because they Fundamentally serve different purposes as well
Main platform is to test your skills
ok
Academy is skill growth
Ok. So that's why I assume to do Academy before the main platform. So its a misconception?
I mean isn't doing both better for learning?
Where did most people who do Main Platform learn beforehand?
Probably thm or Google or the millions of resources out there
Or the classic "fuck around find out"
so academy is self-reinforcing? and but what's the difference between doing THM and academy?
in terms of prerequisites to main platform?
Different styles of teaching and learning
idk dude I haven't touched thm ¯_(ツ)_/¯
ok but if I had CPTS and CBBH I could transition into main platform's intermediate boxes more easily?
some people do do both
ok I see
so do people who do both tend to do one for a while before the other or do they just start both at same time?
They usually start around the same time
But as I said you're overthinking and mind-flooding yourself
Just fucking do it and find out
ok got it thanks
I believe the CPTS modules give you the knowledge of the trade then the boxes will help you practice this knowledge and apply it to a more realistic environment
Ok thanks
will try it out
will try main platform soon even while working on CPTS possibly
but ya thank you
I am following the CPTS path and will do a box until I have finished my path, not because I don't believe given time I wouldn't be able to do the box but because I want to focus on this objective and get it done, then move onto the fun in hacking the boxes
It's all relative to the person
Say you spend 5/7 days on academy and 2/7 on main [arbitrary bullshit numbers]
Managing your own time is also a valuable skill
ok thanks
If anyone can help would be really appreciated 👀
Yeah sorry your question got drowned out
Hello guys sorry for interrupting you guys im a cybersecurity student my last year and new to ctf challenge i did some of htb academy tryhack me but when i started like 2 weeks ago with easy machine i feel like they are hard for me a bit i was doing a lot of theory without practice sometimes i can get the flag but i need hints to do that i want some advices from u guys to help me with this i liked ctf so much and i like doing it lately but most of the time i feel so stupid and i cant do anything about it any advices guys
no worries, someone else needed help 🙂
Infosec foundations path on academy is a good start. Bear in mind, easy boxes for htb are medium/hard on other platforms usually
hey friends. i am at last step at Skills Assessment - File Upload Attacks, i uploaded the file and think the name of it should be ||2023823_test.phar.png|| but i get 404, any help please
YYMMDD_<whatevercomesnext>
thanks a lot, i got it, but the payload is not working, i get empty page
what are you using, webshell?
yeah a webshell then
did you figure out which php ext is parsed by the web browser?
I'll dm you so we avoid spoilers
ok thanks 😊
SQL INJECTION FUNDAMENTALS --> Intro to MySQL --> Connect to the database using the MySQL client from the command line. Use the 'show databases;' command to list databases in the DBMS. What is the name of the first database?
mysql -u root -h [redacted] -P 43129 -p[redacted]
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 6
Server version: 10.7.3-MariaDB-1:10.7.3+maria~focal mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| employees |
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
The answer "employees" is not correct. What am i doing wrong?
Check for space i guess?
Even worse...had the answer already answered on another page i had opened. Didnt read the error message properly
Did anyone complete the cpts path and try to solve the normal htb boxes, how much did the content help?
hello world, how you doing ? ^-^
hello i need help on module Attack Common Service: Attacking DNS
https://academy.hackthebox.com/module/116/section/1512
i am done finding name server using Subbrute but i am stuck at dig axfr, it always failed idk why
Not every zone allows a zonetransfer
can you give me more hint?
If a zone does not allow zone transfer, you must query the zone manually or with automated tools
query manually right?
Or with automated tools
is it automated tools to query? or you mean automated tools for subdomain enum
Because you're probably querying incorrectly tbh
🥹
I tried everything i can, idk what should i do next right now
ahhh i got it thanks you two @acoustic owl @fathom pendant
Hello companions, you are my last bullet, I am having problems in the Privilege Escalation module in Linux, specifically the Logrotate section, I have tried everything, I have followed all the advice from the HTB forum, searching google for help, and still I have not achieved anything. Could someone help me a little? I did the rest of the modules, only that one remains but I can’t get the flag… Thank you very much.
dm you
Guys, I seriously need help.
I changed the email of my HTB Academy account to a wrong email. Now it force me to confirm email before login, but I don't have access to that email. Where can I find support for this? Thanks a lot!!
Click the support bubble on the logon page
it only show articles and stuffs, I can't find where to send a help ticket.
Select an arbitrary article, scroll down, click sadface
Ah I see. Thanks alot
need help on module Attacking Common Services: Attacking Email Services
https://academy.hackthebox.com/module/116/section/1173
on last question can anyone give me hint how to access the email account? i got user credentials already
SQL INJECTION FUNDAMENTALS --> Using Comments --> Login as the user with the id 5 to get the flag.
used commands: || SELECT * FROM logins where (username='admin')-- ' AND id >1) AND password = '5f4dcc3b5aa765d61d8327deb882cf99';
SELECT * FROM logins where (username='admin')-- ' AND id >4) AND password = 'something';
SELECT * FROM logins where (username='tom')-- -' AND id >1) AND password = 'something';
SELECT * FROM logins where (username='admin')
admin' or '1'='1
||
Anyone a hint about my what i'm doing wrong?
the section is called using comments and u not using comments
and the question tells u id 5 and u not looking for the user with the id 5
Hello all,
I need help in Web Attacks - Skills Assessment
I ||manage to change the admin password and get to the calendar|| I am doing a ||simple XXE but it doesn't work|| (i also tried the others one).
Update: I did the exact same thing after a nap and it worked
Thx for the help
why with smbmap it shows the directories
and with smbclient I cannot list them manually?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
again this isn't mysql
one question, for a joomla application, what is the web root location /var/www/html?
k i found it, thanks 🙂
isn't roms and emulators illegal if so why are there so many like dolphin emulator other ones too
hi i have a problem when i want to download the Cheatsheet for introduction to mysql module windows detect a virus
oof
A few of the cheat sheets will be detected, but they're fine.
yea i know just found that weird
some command in the cheat sheet is flagged but it's false positive
reach out to support
I didn't remember the SQL cheatsheet triggering it, but some of the cheat sheets with powershell reverse shells also trigger it.
||telnet||
I would just set a folder with AV exclusion, to download all the cheat sheets.
I've just done it and downloaded it thanks
one question, usually when making a simple rev shell, we use system($_REQUEST..) command but in the attacking joomla room, we use the system($_GET..) command, why is that? why was GET used in the joomla attack section instead of REQUEST?
use credential to login on ||telnet?||am i understand correct?
oh ok thanks. one more question, the module obtains the flag using curl i tried to use burpsuite to get the flag as well. when i send the request via repeater, i am not getting any response. we should be able to get the response via burp as well , right?
not on telnet but using telnet
yes, I don't see any problem
more hint please 🥹
I am really stuck here all day
hmm ok, i dont know why. i put in the correct url but not getting any response when i use burp instead of curl
dm you
oh i got the flag THANKS!! @vital adder
hey guys, so I wanna do ethical hacking and i want to go in depth in it, at the same time, coz I'm from Pakistan and the situation of Pakistan is not really well, someone told me that HTB offers some free courses. I wanna earn money by doing bug bounty and any job or CTF (if it's true that we can earn from CTF's). Anybody can suggest me which course or courses I should have to do?
@fair sable sorry for the ping tho but I really need the answer
you can take the cert CBBH ( certified bug bounty hunter) on HTB academy and then do boxes on HTB to practice and go to hackerone to earn bounty
is it free?
you need a subscription for modules personally i'm student so i pay 7euros per month so i can do all of them and the voucher for the exam is 180$ i think
if you're not a student i recommend the silver subscription
You can also purchase cubes outright
You didn't ask a question
You just said you need help but didn't actually ask your question
because ur question was answered already
Didn't realize they asked way earlier
I dont get it, I follow along and understand the whole module but when I get to the skills assessment its like I cant do anything right!
of course its malicious..lol
well. i have 0$ to pay 🥲
The modules questions often are little more than copy/paste. If you're doing that without taking the time to fully understand what the module is saying, and how it works, you're going to struggle. The assessments are making sure that you understand.
I understand but I am the very first part and I cant get any kind of momentum going
like I get no errors from the search bar, I dont even get any results. ITS BROKEN
So, you commonly seem to rush to discord to complain about these modules, and rage. It might be better to redo the modules, and ensure that you fully understand what you're doing.
why do people always look back at the user's replies
I don't have to - it's easy to remember because you seem to do it every day. =X
this advanced search bar is not populating any results even though there is a file clearly there
I am supposed to find an injection operator right?
I dont just rush in here, you are assuming. I am at my wits end when I come here.
I reported and am blocking you for toxicity.
hello all, i need help on module Attack Common Service: Attacking Common Services - Easy
https://academy.hackthebox.com/module/116/section/1466
I have tried brute forcing smtp using smtp-user-enum with wordlists from resources and many more. but i got nothing can you guys tell me which wordlist is the correct one? (I also tried with -w 15 and -D ||inlanefreight.htb||)
its not broken and who said the search bar was even the path
yeah I found its not but the whole module is based off one
so? if you understand the content you can apply it to unfamiliar situations, thats what the skill assessment is for.
cmd injections dont exist just in search fields
the search field was just one example they showed you in for simplicity's sake
learning this information can be hard for some people to think outside the box. relax and research, if you don't understand and get it wrong think, google search, search the HTB forum. and reread module to get a deeper understanding
you have to be brief about it
what issue are you facing?
Eu vpn issues today + reach out to support on the website
Change vpn region
To us
Then reach out to support on the website
Not much we can really do as random af users on discord
Are you referring to the pwnbox instance (the in-browser vm) or spawn target button
Then reach out to support
They'll be able to walk you through Troubleshooting better
So I have two laptops, one has a fried gpu but has a working intel one, sometimes the labs dont open there
I just see a black screen, but it always works on my other laptop
so maybe your workstation doesnt have sufficient resources to run it
make sure youve closed every other unnecessary application
though I doubt thats the case because it shouldnt really take that much resources to begin with but thats the best guess I have
Hi everyone!
Who can help me with the "Windows Privilege Escalation - Vulnerable Services"?
I can't get a reverse shell on my netcat listener.
You shouldn't need to make a new account lol. Just reach out to support
tom answered u
Don't bother
In this section - https://academy.hackthebox.com/module/147/section/1639 I'm a little confused - can you use the base64 encoded Rubeus key instead of the one from Mimikatz in this command under Rubeus - Pass the Key or OverPass the Hash c:\tools> Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /aes256:b21c99fc068e3ab2ca789bccbef67de43791fd911c6e15ead25641a8fda3fe60 /nowrap ? if not wouldn't Rubeus rely on Mimikatz?
or, this command in the paragraph for example Rubeus - Pass the Ticket for Lateral Movement Rubeus.exe asktgt /user:john /domain:inlanefreight.htb /aes256:9279bcbd40db957a0ed0d3856b2e67f9bb58e6dc7fc07207d0763ce2713f11dc /ptt the aes256:... is depending on the key from Mimikatz here as well. Can you use the base64 encoded version from Rubeus?
the below key is the equivalent aes256 base64 key from Rubeus. Can you use it in the above command instead of the Mimikatz aes256 key?
Base64(key) : 5VdAaevnpxx/f9rXsDDLfK6tH+4qQ3f1GlOB1ClBWh0=
hi fellow hackers, i'm doing the attacking common services module i'm on rdp logged in as htb-rdp
in order to successfully run the exploit i need the users session id
when i run query user only one user shows up but there is an lab_adm and an Admin on machine
whether i run the command in PS or cmd.exe same result
The way it reads, is it "seems" like you need the aes256 key from Mimikatz to be able to do the Over Pass the Hash and Pass the ticket attacks in Rubeus I think. I'm only curious because It would be great to only use Rubeus and not have to use both tools for the same attack. One not depending on the other.
I hope my question made sense?
yep
so both Rubeus commands are trying to forge a ticket using the asktgt module (here is some more info on how that module works https://github.com/GhostPack/Rubeus#asktgt) the aes256 key from Mimikatz is Kerberos Keys, if you can find a way to dump those keys using Rubeus then you can use 1 single Rubeus tool for this but note that as far as i can tell Rubeus can only Export Tickets (not Kerberos Keys) but i may be wrong though
Oh gotcha. I use it mostly for kerberosting. But this is a cool method I never learned in another course. Thanks for responding!
also this is as much info as i can find about this on Rubeus github
I'll research it, You gave me a start though. I appreciate it!.
hlo
Stuck on Pass the Hash Linux section, can I get some help with the SVC_workstation .kt file
anything ?
Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory. is where i am stuck
hint find a file with a similar name
?
if you want to learn cyber security then #bot-commands message but if you want to learn bs like dos or hack facebook then nope
The section tells you how to handle keytab files
can i message you @vital adder? and yeah i have read the entire module like 5 times now, but missing it I guess. i can get the .kt file and can even impersonate but I can't find the hash
sure
thankss
are you trying to do the RDP Session Hijacking in the Attacking RDP section?? not all example show in a section is applicable to the target machine
This question revolves around the Footprinting-Hard lab. I should be working but I can't stop thinking about it lol.
So, I got my foothold as a user. Enumeration uncovered another possible key. After some google, I think I found a possible way. What I found says I could possibly use it to login "somewhere else" if I add the password in a specific file.
I'm attempting to be vague as possible so I don't ruin the lab for someone else but if anyone was able to follow, is my line of thinking in the right direction or am I down a rabbit hole? I appreciate any thoughts in advance.
your thinking is both right and wrong 🤣 if you found a ||ssh key|| just check if it is "password protected" and if it is then crack it and use it, if not just use it
yea
lol ... i figured i was both right and wrong ... thank you
now i can go back to work with a peace of mind lol
hey all I'm a bit stuck with this question Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain. I've tried using dig and nslookup in all the ways I know but I can't find the FQDN
You are looking for the FQDN of the NameServer
omfg
am I the only one who finds the question misleading then? may I suggest a rephrasing in #858470491676737536 ?
am i the only one that thinks this isn't very clear as to what its asking?
lol
it wouldn't be as hard but it says one word
i dont really get what they mean about one word
The command is a one word command
for kerberos modules, how do i get the hash for callum account , if i cannot remote in to DC?
i have a question for the Writing files section in SQL Injections module i found the flag but i dont have the feeling i did it the intended way, ||after writing my webshell i went to see ww-data user location and more or less guessed the name of the file to find the flag|| is it the correct way to find the flag ?
doing enumeration with nmap and im stuck on the medium ids evasion lab, i believe I have the right command and script but im not getting any output
Hello everyone, I need help for the "password mutation" module.
Question :Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.
Problem: with the custom rule and the password list I have 93500 passwords to try for the user SAM. Using crackmapexec or hydra, estimated time: 43days... Can someone give me a hint please?
how do yall connect with your pwn box with xfreerdp?
try remmina otherwise
i have but the module i'm working on requires pth
i can't do pth with remmina
Is that the module password attack?
attacking common service
i'm on the rdp section
let me check
RDP doesnt work to domain in kerberos attack module unconstrained delegation. i need the password hash of the service account to be able to decrypt the tgs and get the TGT. get the flag for the last question from Unconstrained delegation -Computer also doesnt work even if i imported the tgt for computer account DC01 a. any help?
I read will see PtT in password attack module
That first file just autocompletes xfreerdp commands, the second does something related to the desktop
Neither is the actual xfreerdp executable
This looks like your own box; sudo apt install freerdp-x11?
Hello fam, When I try to install Xfreerdp on my Parrot machine i got this error message: ┌─[user@parrot]─[~] └──╼ $sudo apt-get install freerdp2-x11 Reading package lists… Done Building dependency tree… Done Reading state information… Done Some packages could not be installed. This may mean that you have requested an impossible situation...
i used this to install xfreerdp
i did sudo aptitude install freerdp-x11
And you still don't have the executable there?
nope
You could always try to search for it with the find command, locate might not be up-to-date since it's pulling from a database of where all your files are at
so find / -name xfreerdp -type f 2>/dev/null
that's so weird
yea i'm gonna have to use another machine
yea pwnbox not it just gonna use a different distro for this lab
Are you saying pwnbox as in the in-browser vm or parrot the actual vm
the parrot
Ah because there's a heavy distinction between the two tbh
hello y'all, anyone has a good link as a how to mount .vhd file to follow?
www.google.com or www.youtube.com whichever you prefer
LoL ok., gotcha
lab instruction says to authenticate against xxx.xx.xx.x with the creds. from linux machine i believe it is ssh, correct? i am on kerberos attack constrained delegation linux
hello all, i need help on module Attack Common Service: Attacking Common Services - Easy
https://academy.hackthebox.com/module/116/section/1466
I have tried brute forcing smtp using smtp-user-enum with wordlists from resources and many more. but i got nothing can you guys tell me which wordlist is the correct one? (I also tried with -w 15 and -D ||inlanefreight.htb||)
Sounds like you're on the right track. Did you try different modes?
if i recall this may be one of those you have to reset machine thing
hey guys, I'm getting an error when try to mount the .vhd files
looks like the password that I'm using is not the correct
anyone (DM) who can confirm if the password that I'm using is the correct..!!!
If you're working on the password attacks labs, I had to mount it in Windows, but I know others have done it in linux
yes, I am
well anyone who has made it in linux, please let me know..!!!
can DM to validate the user password extracted from the hash?
Morning all, I am stuck yet again and struggling with the module content. From what I can see online, this is becoming common and other people are becoming increasingly frustrated with the lack of direction in the content.
I am working on the section ZAP Fuzzer within the USING WEB PROXIES module.
I am trying to answer the question at the end of the section. Specifically, this part of the question “then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag” is a massive challenge for me. In OWASP ZAP, I can see the cookie in Response, but when I right click the cookie and then click Fuzz, I cannot see the cookie field under Fuzz locations therefore I cannot add a payload position to fuzz the cookie.
I have been messing with this for a couple of days now, googled it over and over but cannot seem to figure it out and I do not know why.
Any help would be appreciated.
Thanks
smtp or ftp? I do not see smtp in my notes. if you are trying to get the un/pw, i used ncrack with 200 most used. But maybe another one will work for you.
can you share screen shot? you should be able to double click on the cookie, right click and choose fuzz
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
Hello can someone please help me in https://academy.hackthebox.com/module/147/section/1326
i have the hklm.system and the NTDS.dit
and i dump the hashes with impacket
but i am not able to crack them
or PtH
help please v,:
If you have the NTDS.dit you should be able to crack the password for the user mentioned in the question
broo how r u ?
can i dm you ?
sure
Can you check the md5sum of the files?
Are they equal?
does droopescan application for drupal enumeration even work ? i ran the application but even after 1/2 hour no output from the application. did anyone else face the same issue?
INFORMATION GATHERING - WEB EDITION --> Active Subdomain Enumeration --> Submit the number of all "A" records from all zones as the answer.
I know there are 2 zones but for some reason I dont get any further on this question. Anyone a hint what to do?
dnsrecon: || dnsrecon -d inlanefreight.htb -t axfr
[] Testing NS Servers for Zone Transfer
[] Checking for Zone Transfer for inlanefreight.htb name servers
[] Resolving SOA Record
['SOA', 'a.root-servers.net', '198.41.0.4']
[+] SOA a.root-servers.net 198.41.0.4
[] Resolving NS Records
[-] Could not Resolve NS Records: None of DNS query names exist: inlanefreight.htb., inlanefreight.htb.
[] Removing any duplicate NS server IP Addresses...
[]
[*] Trying NS server 198.41.0.4
[+] [] Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] Zone transfer error: REFUSED
Traceback (most recent call last):
File "/usr/share/dnsrecon/lib/dnshelper.py", line 435, in zone_transfer
zone = self.from_wire(dns.query.xfr(ns_srv, self._domain))
File "/usr/share/dnsrecon/lib/dnshelper.py", line 363, in from_wire
for r in xfr:
File "/usr/lib/python3/dist-packages/dns/query.py", line 964, in xfr
raise TransferError(rcode)
dns.query.TransferError: Zone transfer error: REFUSED
┌─[eu-academy-2]─[10.10.14.191]─[htb-ac-750268@htb-9rs0lwgzc2]─[~/Desktop]
└──╼ [★]$ dig @10.129.66.136 axfr ||
dig: ||
; <<>> DiG 9.18.12-1~bpo11+1-Debian <<>> @10.129.66.136 axfr
; (1 server found)
;; global options: +cmd
;; Query time: 6 msec
;; SERVER: 10.129.66.136#53(10.129.66.136) (UDP)
;; WHEN: Fri Aug 25 08:33:30 BST 2023
;; MSG SIZE rcvd: 56
||
did you find the two zones? if you did then the answer is already there. If not then "dig" all subdomains and their results
hello guys, need help on Attacking Common Services - Hard
https://academy.hackthebox.com/module/116/section/1468
last question, i have got credentials from tb_users using mssqlclient.py and i don't know what should i do next, give me some hint please 
did you check for linked server?
yes i did i also tried to enable xp_cmdshell but no permission
I am also impersonating ||simon||, can anyone give me some hint to login on SSMS
there are three users simon is one
Found the two zones (as this is an assignment few questions earlier). but in previous i've tried it and added them up but that didnt answer the question properly.
i need to go back and check the question but as far as i remember all answers were there once you discover the two zones ... make sure you don't have duplicates
Hello team, I'm doing windows priv escalation module. I'm trying to get a shell with elevated privileges using juicy potato and print spoofer. But I'm facing issues, while using printspoof it is giving time out error. while using juicy I'm getting other error. could you please let me know how can I do this
which module?
I guess you are working on "SeImpersonate and SeAssignPrimaryToken"
Anyone free for a DM on the Advanced SQL Injection module skills assessment? Hit a brick wall with it now...
No I'm working on skills assessment -I . the question is to find lab_adm password.
I'm not there yet
Thanks for the response.
np
https://dontasktoask.com/ saying you try 2 exploit and get error while using both exploit exactly easy for other to help you
but either way hint one of the exploit you try is the right path for the first assessment
for this section don't use tools for live host all of the subdomain is dead so use something like dig (your dig command is wrong)
if you haven't already solve this hint first try to find all of the ||unique subdomain||
which module and section are you on? also just Fing say 30 min 🤣
attacking common applications, Drupal-Discovery and enumeration section
could you please let me know which one you used??
printspoofer?
my bad the first one
work fine for me
if you google search that question you'll see a discussion in HTBB forum with a step by step guide on how to mount it
Does the parrot os in htb have droopescan installed by default ? Or did you have to install separately? I performed this action in my kali instance and it didn’t give any output . The htb parrot instance didn’t have droopescan installed . I tried installing it via pip and got an error. Then via Git clone but got an error while installing cement. So couldn’t proceed further
the pwnbox? nope it doesn't have this tool pre-installed also why tf do you use pip not pip3 🤣 also the Joomla section clearly shows you a more in-depth use of the tool
that's why this section only glance over the tool also this only took me like 2 command 1 for install and 1 for running the tool
welp the repository dated back 8-9 year so it's old af and that's why the previous section have more / updated info on how to install and use the tool
ah ok. thanks for the response. i will use pip3 and will get back to you.
Nobody is just going to give you the flag lmao
man ffuf or ffuf -h
Can someone help please? I'm having an issue with HTB Academy. I'm doing the BASH fundamentals course and one of the exercises asks the following:
Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable.
I did the for loop and it iterates correctly but when it reaches 28, instead of giving me the $flag it returns this:
Counter = 28 - Assigning value to Salt
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
140676000277824:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:615:
my loop is correct, but seems like the decrypt method is deprecated?
yeah got it to work with pip3 in HTB parrotOS. couldn't get it to work in my kali instance even with pip3, getting some error when i execute the application
Hey dudes and dudettes, I am doing the Password attacks module and smb is dead on my kali, smbclient is out of question as I can't establish a connection to the smb service. Anyone knows what else I can do?
I get this error
Failed to open /var/lib/samba/private/secrets.tdb
_samba_cmd_set_machine_account_s3: failed to open secrets.tdb to obtain our trust credentials for WORKGROUP
Failed to set machine account: NT_STATUS_INTERNAL_ERROR
but with crackmapexec I KNOW I HAVE THE RIGHT CREDS:
$ crackmapexec smb ip-here -u 'username' -p 'password' --shares
SMB 10.129.209.234 445 WINSRV [*] Windows 10.0 Build 17763 x64 (name:WINSRV) (domain:WINSRV) (signing:False) (SMBv1:False)
SMB 10.129.209.234 445 WINSRV [+] WINSRV\cassie:12345678910
SMB 10.129.209.234 445 WINSRV [+] Enumerated shares
SMB 10.129.209.234 445 WINSRV Share Permissions Remark
SMB 10.129.209.234 445 WINSRV ----- ----------- ------
SMB 10.129.209.234 445 WINSRV ADMIN$ Remote Admin
SMB 10.129.209.234 445 WINSRV C$ Default share
SMB 10.129.209.234 445 WINSRV username READ,WRITE
SMB 10.129.209.234 445 WINSRV IPC$ READ Remote IPC
try smbclient \\\\IP\\share -U(username)
ok I feel like a silly sock
was this all it was needed?
I am questioning my life rn
pretty much
if a squirrel can do you can do it
see, I am right at questioning my life, I thought that was a cat
ctrl+c
HTB will do that to you
Hi guys, what module do i need to study to complete the lab in documentation and reporting
i've done the cbbh path and want to go over it for the exam but the attacks in that skills assessment are way over my head
Some of the stuff in documentation and reporting is covered in the CPTS path
yeah i wont be starting that path for approx "4D 20H 49M" 
I mean the time is arbitrary
what does the TTPs bit mean in each AD section? I have never seen this acronym before
If anyone else is as stupid as me: TTPs: Tactics, Techniques, and Procedures
entirely dependent on context though.
I mean eh
Usually in context of Cyber it's Tools, Techniques, Procedures
But that's less common
Tactics is usually more common
But yeah in context of cyber I don't think the acronym ever changes?
Yep, haven't heard TTP be used for anything else in cybersecurity
Hey i don't understand the following sentence : it is preferable to pollute objects lower down in the prototype chain so that not all JavaScript objects are affected by the pollution.
anyone could give me a tip ?
basically if youre going to mess with something, you want to mess with something as specifically as you can so you dont cause accidental problems
Thanks ! tbh i have tried everything possible i'm crazy or just bad idk xD
I'm stuck on module Information Gathering - Web Edition on the Active Infrastructure Identification section question 2:
Which CMS is used on app.inlanefreight.local? (Format: word)
I've run the whatweb cmd and utilized the Wappalyzer and still nothing!?
- Is inlanefreight.local in your /etc/hosts
- CMS stands for Content Management System.
If you're stuck look around and see what sticks
attacking common service i'm on the DNS section
Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer. i'm running subbrute and it looks like it stalled out. on the right i'm trying dig AXFR against the sub domains i found but i get timed out connection. I've added the target ip address to my /etc/hosts
how would I fix my Top Level Domain ?
The task asks for htb, not com
oh
that's what i get for copying and pasting
i'm getting this error after i change my TLD
hello am new what do i do?
run around in a circle and scream i'm new lol! just joking welcome to HTB there is a free section called starting point on website start there
What is in the resolvers.txt file?
echo "ns1.inlanefreight.com" > ./resolvers.txt
The nameserver of the domain inlanefreight.com does not know the TLD htb.
You should always use an IP address as resolver. Never a domain.
A domain must first be translated into an IP address.
I'm not sure I follow??
noted for next time, i was following along what's in module. didn't know i could use an IP address
The module shows examples, not commands that you can copy 1:1.
If you understand DNS, you know what exactly happens when.
At the latest then you understand why it is a stupid idea to specify a domain as a resolver.
thanks for calling me stupid!!!
What? I never called you stupid.
I said that if you know how DNS works, you understand why it is a stupid idea to enter a domain instead of an IP as a resolver.
^ htb uses domains in their examples when often you're better off using the ip
I just started today and dont understand what they mean by this question " What is the proof text displayed in the Target website you browsed? "
We are all here to learn and sometimes make stupid mistakes.
THX
Especially when performing internal network testing
Well if you used a proof of concept exploit, when you load the page: it should show on the page
Sorry I dont understand I just started today im still on the introduction type page
What is a proof of concept exploit?
Without seeing or knowing your output my first question is: did you add the given vhosts to your /etc/hosts file
Just follow along with what the section is telling you to do
Alright Ill go back and re-read it again thanks for your help
Hi can you help me a bit?
I'm in the sqlmap essential module. On the 2nd question with cookies.
enters the command
sqlmap -u (IP:PORT) --cookie="id=1*" --batch. However, I don't get the flag. Do you have an idea where I am making a mistake?
Edit: Solved: Remember --dump 🙂
@fathom pendant Got it! I figured it out now. I didn't realize that I had to add those vhosts in the first place!
Hi guys, if anyone who is familiar with the question below could help me out, I would appreciate it!
its part of this module, and the only question i have left
I've been stuck on the [Logrotate] section of Linux Privilege Escalation for a while, I just can't make the exploit work, could anyone give me a hand?
I haven't done it but since it gives you the initial letters I would assume if you take a look at what Tier IV Modules are available in HTB Academy there should be one there that talks about just that popular hacking tool
thanks for the tip!
Hello, I am currently studying through HTB academy and in the first instance it says to find the bash terminal. Is this the MATE terminal...I was able to answer the question, but want to make sure I got the concept right.
craft your payload, start logrotten , write something in the "file". That's all what I've had to do
The payload didn't get executed, that's my problem
do a quick one liner to keep writing something, 3 times should be enough
ok i will try
just remove the picture, I'm not sure it is a spoiler or something
You used it on your system not the target
banging my head on the enumerate SMB section module questions
how is that not the full system path for that share makes no sense
Hint: this doesn't resemble a windows path hmmm
Also remove the photo as it's a spoiler
well it is used for interoperability between windows and linux/unix
so I guess yes lol
I’m super struggling today. I’m on linux fundamentals and the section im on is system information and its asking me whats the path to the htb-students mail? And which shell is specified? But i feel like i know the shell but definitely don’t know how to find the mail.
i tried to give a hint hahah
i know for some people its obvious
its just you have to know it right
Some sort of variable about mail
my question is why you changing it into the same value hahahaha
why would you want to deactivate the errors?
what module is this ?
I wanted to deactivate the trigger
use john
Did you do the > file.hash after the unshadow command
Also you should be using the full mutated password list [96k words]
The custom.rule should be applied to the password.list [both found in the resources download]
To get in the box, start outside the box
Hi guys. Trying to find the kernel version, from the best of my understanding the version here is 6.1.15, I also tried the -r which gave me 6.1.0, both of which are coming back wrong. Any advice for a new strategy?
The answer has to be in the format 1.22.3
@west canopy has the answer to this question been updated?
It's possible the answer hasn't been updated
-r is the right flag
Try this answer 4.15.0
tried this as well
hey which module / section is this for?
https://academy.hackthebox.com/module/18/section/70 linux fundamentals, system information
4.15.0 was correct.. forgive me, I have NO idea how you got that
I did this when the version was that
ohhh we need to SSH into the target 😉
oh shit.
you were running the commands on the Pwnbox, which is our attack host
I forgot about that
sorrryyyyyyy!
Lol
My brain lapsed on it, it's been a minute xD
Nah they just weren't connected to the target
ewwwwww XD
time to plan up
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-123-generic x86_64)
got it - thanks for the help! sorry about that.
Or just buy some coobs
You can always connect via your own VM too 🙂
I've tried 3 learning sites so far and although I feel like this one does occasionally leap, it has without a doubt been the smoothest learning experience I've had so far. I'm happy to subscribe!
Thank you 
In the file transfers "Catching Files over HTTP/S" module, which side is the attacking machine and which side is the target machine?
Is the intent that you can go both ways?
In the file transfers "Detection" module, who is the "client" and who is the "server" in the examples at the bottom?
Is the "server" a form of SIEM intercepting the traffic?
This isn't explained very well in the module...
I wish the modules used notation such as http://<attackerip> and http://<targetip> instead of arbitrary ip addresses. It makes it unclear at times who is who and what the intent of the commands are.
Introduction to Threat Hunting & Hunting With Elastic
Found my answer, classic syntax error 😭
Do you have the rockyou.txt in that directory?
Ye it was, but syntax at end was wrong apparently. Hadnt used hydra in a while. Fixed now 😄
You could have kept it up tbh it didn't spoil anything (unless a mod deleted it, then rip)
nah i deleted it didn't want to give unnecessary work 🤣
Helps people in future
The brute forcing wait time is where i got stuck last time, brute forcing takes time but apparently it's supposed to find it after like 5 minutes if you do it correctly. Which hasn't happened yet, or last time when i tried
True, mb i suppose
Eh it's alright lol
At least you have the knowledge to help the next person figure it out
marcia you done the brute forcing before? Did it take long time, or should the hydra command be done within 5 minutes of starting it ?
ok
I haven't done it. Just general advice. Unless directly told to do so, rockyou is a shot in the dark
Given its size
Well i know rockyou has worked previously on the module from what i've heard, just since it's so large it wasn't really tempting to sit through the entire list
@fathom pendant know you haven't done it yourself but i checked a walkthrough and i did the exact same as numerous walkthroughs (but switched out specifics to my specifics obviously), but it's been on rockyou.txt (which is supposed to work) for 50 minutes now. This is where i was stuck last time too
Any idea of stuff that might be wrong ?
Not a clue in mind
which module and section are you on?
Academy Login Brute Forcing module. Area of Skills assessment - Website
Last question where you gotta brute force the login page
Heres my command im using hydra -l user -P Desktop/rockyou.txt -f 83.136.252.24 -s 33414 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'>:S=302"
yea this part is where most people get stuck mostly because of the fail strings but yours looks about right
but try with user instead of ^USER^ because you aren't brute forcing the username also try without ||>:S=302|| and ||<form name=||
If i do it without it then how will it know if its successfull if it doesn see check the form ?
@vital adder Because to me i dont get why i would need to remove the form name because the standard command that is usually used is "hydra -l admin -P wordlist.txt -f SERVER_IP -s PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"" no ?
no idea that's just what i have in my note also it could be that this part doesn't matter at all 🤣
😭
i also have noted burp is way better for this but longer wordlists like rockyou will be a pain to load and run
just give it a try and yep it's doesn't matter
also just try your command and its work by removing one thing that i had listed
Tried it without S=302 and also changing ^USER^ to user
@vital adder Have you tried it yourself ? because i'm trying all your methods but either they don't get a result or i get "Child with PID terminating, cannot connect" then it starts terminating processes
This looks pretty good just glancing at it, "hydra -l admin -P wordlist.txt -f SERVER_IP -s PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"" I think you may have too many " in there, or its how it was pasted in. Also you can try a shorter version of rock you. hydra -l admin -P wordlist.txt -f SERVER_IP -s PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"
This is basically what i've been trying, also been reading walkthroughs / writeups of the skill assessment and they do the same as me but mine just doesn't work
Top right hand side click on your "avatar" --> Billing and you should be able to unsubscribe from there
Hey is there any free course for wireshark?
hello guys, I'm currently taking the active directory powerview module and I have some troubles. anytime I do something in the remote machine, I lost the connection and I have to wait 5min to reconnect and start again
plus I'm not sure if I have to move powerview.exe on the remote machine or what
seems stable now 🤞
make sure that you don't have both your pwnbox and your vpn on at the same time
yeah probably that was the error
and later I found the folder "Tools" with all I needed
on most sections in that module if a tool is required it's most likely the tool is already on the target machine
nice also WTF is powerview.exe 🤣
First I downloaded the tools from my pc to the remote box with certutil, then I saw that folder
really?
i'm just confused that a powershell tool now have an exe binary 🤣
oh you right! powerview.ps1 and sharpview.exe 🤦♂️
aaaand I lost the connection, again
anyone that passed the CPTS can tell me what would you say the difficulty of the exam is? and like they say does it cover every single module from the pentester path or not? how helpful do you think the modules were during the exam?
hey guys do you have any problem of vpn connection to htb too ?
the box is still down, start to think that this academy is not worth the money
I have problem with rdp machines, vpn works fine for me
plus, I paid for a platinum subscription and I should have 1000 cubes but I now have only 161, wtf
this is the academy channel, I think you should ask in HTB:PLATFORM
ok thank you
that's an academy module 🤣
sure what's the issue?
How to use ffuf tool for live server
Time to think out of box
Does anyone know ffuf tool flag for live server
Anybody having idea to give me
can someone tell me how much cost Active Directory PowerView module please?
its 1000 points, so thats 1 month of platinum premiumship as cheapest price. That makes it 52€ + VAT
thank you
anyone who has finished Cybermonday and could give me a hint? Got stuck and I feel the answer is soo close...
wrong channel, go to #welcome and follow the instructions there
it's ok bro. I can finish it now.
Did anyone complete the cpts path and try to solve the active htb boxes, how much did the content help ?
Skills Assessment: Web Proxies
Been smashing this send button for 50 times. Reset the machine, changed everything to enabled a million times. Still no flag. Can anyone please save me from wasting the rest of the day learning nothing and being useless.
just finished the powerview module, I was expecting more. Is essentially a big cheatsheet
can't remember if i was able to get it to work in burp repeater or not but in the response filter for flag or HTB{ just in case you missed the flag
but for this i just change some stuff in browser, click the thing and as able to get the flag in a couple of try
it 100% depends on what box you do, for the more real, AD focused or just non CTF like in general boxes then you should be good but there are also boxes that are just too CTF bs like cred in an image via steghide
Ah okay thank you sir
I pressed the button 130 times now and still no flag. Is it my fault?
so if it's originally a get request and you change it to post by hand then the request could be wrong because it will miss 1-2 lines of stuff so that may or may not affect your request
and of course if it does then you have been wasting your time sending invalid requests
i'll double check but both screenshot have spoiler
I didn't change it, I intercepted the POST request that is made when you press the button
Also I deleted both images.
Thanks for taking the time to help me
np 👍 also forgot i got a curl bash loop in my notes for this that will get the flag in like 2 sec
also just give it a try and on my like 10 try i got the flag
huhu anyone here who's already finished the password attack module (pass the hash section)
Which method did u use to get the flag? Should I revert the machine?
try going into the Logger tab and all of the request you send that didn't get you the flag should be the same length so try to look for a request that have the length stand out
was trying burp this time
I just did it in the browser about 5-10 times and then it worked this time and I got the flag
Gonna write an erratum about it real quick
it may be because your request in burp is invalid
if you are doing it right look for something like this in the Logger tab
the other was thinking of sharpview.exe when he was typing powerview.ps1 🤣
lol
the stuff you linked in #resources-tools ? i used that guy tool before that isn't from sharp or blood hound 🤣 but that guy have some sweet as AV bypassing tool
yea
there are a lot of tools
Thanks didn't know about the logger tab
Yes I found many flags now
last time i used this was on the thm Red Team Capstone Challenge and was able to bypass some updated AV hopefully no dump dump uploaded this onto virustotal
that's the nice part
the nice part is that today is saturday
and new machine 🥵
@vital adder If a simple question like this is making this angry idk how I will survive in this field. I genuinely get really angry when I'm doing the right thing but getting the wrong results
why u getting angry
I recommend u doing thick applications section from attacking common applications
that will get u mad 
Angry ++ not just angry and maybe it will make you question your life decisions especially about career
i'm sorry what?? i feel like the Fing hell hole Cybermonday box just came out yesterday

idk how that box wasn't insane
it's updated frequently so hopefully shouldn't be a problem
welp nowadays medium box can F you in the ass hopefully we don't get another miss label insane box
download 
@vital adder do u have any repository with .ps1 tools?
i think i did at one point but got 0 idea where the hell i save it
guys when i want to connect to a pwnbox with openvpn and i choose any location , it says that there is 1000000 ms delay
any clues why? or is it just a bug
yea don't open the pwnbox and your vpn at the same time
"Skills Assessment - Using Web Proxies"
Question 3
Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
So I intercepted a refresh on the login page, set payloads options I have the correct wordlist from above, have the correct payload processing (adding cookie prefix, encoded both base64 + HEX).
However, I did not get any special response at all. How do I know which encoded last character is the correct one? Thank you for any help
Hey @zinc marsh I believe you did this one recently. Were you able to get it?
I haven't notes for that module
just use burpsuite with the intruder I guess
or wfuzz
and check the length or the response
someone can tell me what is wrong here :/
Do you lose access to modules through monthly sub even though you finish it?
The completed modules should be available
perfect
if you have the student subscription then all unlocked module will be for life, same as all of the module you buy
this one is too much spoiler shoot me a dm with your burp Payload Processing
I got it but thank you
I will get stuck again soon though anyways
doubt it, you have 1 question left and this is the easy one
i’ve been stuck on the network enumeration with nmap module
can any one give me a hint on the last flag🙏
you have to use the pwnbox for the last flag, it for some reason doesnt work from your own vm
thanks you🙏
Now I can go to the gym without anger 
WEB ATTACKS --> Bypassing Security Filters
To get the flag, try to bypass the command injection filter through HTTP Verb Tampering, while using the following filename: file; cp /flag.txt ./
I got the flag but When I sent it says "Incorrect answer!"
In the Windows Privilege Escalation Module section SeTakeOwnershipPrivilege the instructions say to leverage SeTakeOwnershipPrivilege to get the flag, however the htb_student account does not have the SeTakeOwnershipPrivilege in either the enabled or disabled state. The account only has the default privileges SeChangeNotifyPrivilege and SeIncreaseWorkingSetPrivilege.
The section suggests that if your account doesn't have SeTakeOwnershipPrivilege you could get it by running SharpGPOAbuse, however the htb_student account is not part of an Active Directory Domain so it can't interact with GPOs and can't use any Active Directory attacks. The section also lists some directories that can be checked for credentials however the htb_student account doesn't have access to those directories.
What other methods can I use to acquire SeTakeOwnershipPrivilege for this subsection?
have you tried to open the cmd prompt as "administrator" and list the current user privileges? Then you should be able to see the "SeTakeOwnershipPrivilege" in a disabled state
Hi all, I got stuck in “Kernel Adventures: part 1” in pwn challenges. I have no idea about kernel stuff. Would any of you recommend resources to go through in order to solve it.
Thanks! I think that might be it when you run cmd as administrator SeTakeOwnershipPrivilege is there!!!. I didn't know you could run an app as admin if your account wasn't part of the admin group.
I'm working on Detecting windows attacks with splunk , need some nudge on detection of silver tickets section, if someone has done it, please DM me. Thanks
I guess this is a temporary way to elevate your user account privileges (as shown in the section pictures) and may be the reason why you can't see yourself part of the administrator group. If I'm wrong someone else will correct me
Guys, can anyone help me with this. I am so struggling please. Split the network 10.200.20.0/27 into 4 subnets and submit the broadcast address of the 2nd subnet as the answer.
has anyone been able to do this one and can help me out?
count how many ip addresses you need in each subnet
Thanks, I got it. I am new to Networking so it is difficult for me for now. Any good resources except HTB where can I read about it?
try out cisco academy it’s free
Thanks a lot, appreciate it
Anyone
stuck on the same kekkk 
i did everything else
DM what have you been trying though
it's so annoying
once I complete the Nmap module in Academy will future modules for CPTS utilize my Nmap skills?
or will they get lost?
Nmap is used for 99% of things
even in most of CPTS learning path? ok so I don't have to worry about forgetting basic skills as I progress?
I want to do CPTS and CBBH and I don't want to forget my knowledge
Yes
ok thanks
Take notes 🙂
so if I went through the CREST skill paths after I finished CBBH and CPTS would everything from CBBH and CPTS be utilized in the more advanced CREST modules?
you know about CREST learning paths right?
Idk what they cover
ok
if you look under skills paths there's the CREST certification paths that were added a few months ago
I know
There's definitely a good deal of crossover
I don't think CREST is well recognized in US but I want to do the paths for the skills
I'm stating I didn't look at them
Nothing you learn is one and done, if it's in the path it's knowledge worth retaining
ok thanks
I know its worth retaining but I am hoping I will continue to use basic knowledge as I get through more advanced knowledge
Again, take notes 😉
I am taking notes
Building your own reference book is pretty important, can't hold everything to muscle memory
but I'm just super interested in CREST paths because they appear to teach more advanced pentesting skills. ya ok good idea
Yes, basic knowledge is always useful, as even the most advanced engagement has to start at the basics
I know CPTS is beyond OSCP level so CREST path is probably super advanced. So if I take notes, who do I ask if I want to know if CREST path will reinforce the fundamentals as I go?
is there anyone on here who might know?
The CREST path I believe is more tailored to their methodology, so it's not necessarily more advanced, just structured differently
ok
I can't say that for fact, as I've not reviewed or taken it personally
You're overthinking it too much dude
But that's my gut feeling
Overthinking better than overlooking, just don't get stuck in a rabbit hole of thought 😉
Learn, repeat, reinforce
ok thanks
what I might do is get CPTS and CBBH and start bug hunting and doing HTB boxes then maybe after a while progress into rest of CREST paths to gain other skills, then from there once I master those I can go into Pentester Academy for other areas of hacking. Maybe I will try to get CREST certified long term if I can.
Is there any way to get CREST certified in the US?
just to know material well?
if not I will just do the paths to learn material
and then graduate into doing HTB boxes and bug bounties
and maybe start next area of hacking
It may be good to talk to a career counselor. It seems like that is the main question?
I don't have to get CREST certified to take paths tho. I think if I took the paths and got the certification that would really make me believe I know a lot.
and that would be more advanced at that point.
but I don't have to have CREST certification to live with myself
but it would be a healthy way to make sure I know my shit really well and it would make me feel great about myself
What is your goal?
Career wise..
I want to do network engineering, ethical hacking, or other cybersecurity. However, in short run may get tech support job but...
I really am passionate about being an advanced hacker
advanced ethical hacker but I really want to be a good hacker
even if I do network engineering for a while
yes. but I know I want to be a super skilled hacker regardless of career area
and I know it helps IT security skills to be good at hacking
so I picked HTB Academy and main platform because it seems like a good place to learn the core ethical hacking/pentesting skills
then from there I will either graduate to pentesteracademy or pentester lab once I am doing advanced HTB boxes on my own or medium skilled boxes on my own with some advanced
at least that's my idea
want to get good legally tho
Pentesterlab isn't that difficult
ok what about pentesteracademy
I haven't tried it
right now I am thinking I could do HTB and PentesterAcademy and the material for all the minimal requirements to be a hacker, like everything I need would be included
Honestly, best thing to do is to focus on the here and now. It's good to have a goal, but the more you learn the more you might find a particular part of the field interests you more, and that could lead to a target role to aim for
Always good to have long term plans, but learning is learning, however you achieve it 🙂
right. I want to be really good at two or three types of hacking and know the basics of other areas
and HTB seems like its a good focus on core areas
thank you for the feedback
and pentesteracademy seems to cover other areas well the basics
We do our best 😄
It seems like you’re looking for a roadmap? Or, want to create one?
yes.
I'm doing CPTS first
Cool
because core penetration testing skills
from there next step is to do main platform boxes OR CBBH
Can figure that out after
anyone has a good website for pop3 commands ?
No one knows every area of hacking but its good to know the fundamental areas plus maybe two or three advanced areas
there are a few areas of hacking that are "core skills" to learn to be a basic literate hacker:
windows privilege escalation
linux privilege escalation
network/wireless/wired hacking
social engineering
Python hacking
basic JavaScript/SQL/PHP/HTML/ other web dev skills
other optional advanced areas that are good to have (I am torn between learning two or three of these) include:
macOS privilege escalation
mobile device (iPhone and Android) hacking
mobile application hacking
C programming language hacking/reverse engineering/exploit development
OSINT
hardware hacking/electronics/electrical and/or computer engineering
OSINT
AWS/Google Cloud/Azure Hacking/Cloud hacking
the core areas are required to know basics to be literate hacker but not need to be super advanced
usually one or two super advanced areas
POP3 commands? https://www.ietf.org/rfc/rfc1939.txt
RFC documents are a god send 😄
so ya I want to know core areas but specialize in Hack the Box stuff and be decent in two or three advanced areas
for me I am fine leaving out hardware hacking/electronics/etc if its not realistic
or other areas
👍 if you start working through the paths like CPTS, you'll quickly find what holds your interest the most
ok thanks
Hacking is a mindset, not a checklist
I know
🙂 
but I have long term goal of knowing just basics of 6 or 7 areas but being good at 2 or 3 maybe?
I definitely want to be really good at:
web
OSINT
social engineering
python hacking
knowledge of web dev
if I could be really good at privilege escalation on various operating systems that's great too
then to be literate and know basics of network/wired/wireless, mobile device hacking, and cloud hacking, and maybe C programming related hacking (exploit development) and mobile app hacking would be good
even without hardware hacking
or I could leave out C programming hacking
but the idea is I have a million things I want to be good at and so I'm trying to figure out what I only want basics of and what I want to be really good at
but I'm thinking something like that
IoT hacking is the last area I really want to know basics of
and beyond that I'm good. I don't think I need browser hacking or advanced reverse engineering, hardware hacking, or video game hacking
It would be good to write your thoughts in your notes. This is just a modules channel
ok sure
i'm doing common service attacks on this question above
ok I will discuss elsewhere
they say to do a password spray attack but what password would i even start off with ?
they don't actually say do a password spray attack, just that most likely hydra is blocked
i got the user name
i tried hydra password attack, but no luck with that
Perhaps it's not the attack, but the wordlist you're using?
There are some very common wordlists out there, and I believe they are referenced in the material
Sometimes people reuse things for their passwords too
yea i'm using the wordlist provided in the section, as a bruteforce attack and no hits, i suspect it's not a bruteforce that needs to be done
Hitting you up in DM 🙂
Still stuck on the Linux PTT last question LINUX01$ and can't figure it out. I found the .keytab and tried kinit with it but no luck
Can someone help me please 😦
its my last question
Is this on a module, or an exam?
Pay attention to the example, it's not in /tmp/. It's there, just not where you think
Nevermind, Marcie got there first 😄
yeah i think i found it in /etc/
Ptt in password attack module
There's a folder for the service that's running the realm
@fathom pendant i'm just going to dm you. you have been totally helpful
I am not accepting dms at this time
where is realm run in? i ran it and it is just david and julio
Read the section again
I forget the syntax but there's a command shown that gives you the info
Verify if it's valid or expired before you move further
Basically you need to read the module section and see the example and customize it according to your scenario
I'm still so lost. Just read that section and nothing. Outside of doing something like Chisel
Brother, you are not following the order of the process
@sly kelp can i dm?
So I found the Ticket cache for LINUX01 with linikatz
I FOUND IT!!!!
Do you even have to use linikatz for that? Thought all of the tickets were in /tmp like the module says.
could be wrong, just speaking from memory
Yeah I had to use it to find the ccache location
The linux01$ ticket is in a different location
can anyone help me? I'm in the Password Attacks Lab - Easy in the password attack module, I'm trying to brute any username and password for ftp, I'm using the username.list and password.list (mut.password.list too), and it isn't working, any hint?
i'm using hydra and ncrack
Feel free to DM the commands you're trying. Will guide if I can
does anyone know which password list I should use?