#modules
No, the Attacker Host accesses port 8000 of the target via port 8080.
So from the Attacker Host to the Target and not from the Target to the Attacker Host
sure
Stuck on ATTACKING COMMON SERVICES: Attacking Common Services - Easy
Question:
You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer.
Got access to mysql server
Upload the backdoor
When running the cmd=___ from the site in firefox, I am only able to run 'whoami' and 'dir' and 'more' doesn't work.
Further stuck... Can anyone help?
-R command asks the Ubuntu server to listen on <targetIPaddress>:8080 and forward all incoming connections on port 8080 to our msfconsole listener on 0.0.0.0:8000 of our attack host. acxe@htb[/htb]$ ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN . Doesn't this statement mean that the Attacker Host accesses port 8080 of the target via port 8000?
@short hare you can read the flag with type. the path is quite obvious
I got that error too at first. I think I was able to fix it by running impacket as root, since root has an installation of impacket which is more updated than the user one. Btw if you are still working on the module feel free to DM
I am still stuck on Q3 of the NTLM Relay Skills Assessment. I am even starting to suspect that there is something wrong with the lab.
Hello guys, need a hint for the Lab Easy for the module "Attack Common".
Ports : 21 ftp, 25 smtp, 80 http, 443 https, 587 smtp, 3306 mysql, 3389 rdp
Enumeration user : I used the git https://github.com/cytopia/smtp-user-enum with the command: || smtp-user-enum -m RCPT -U USER_LIST_IN_RESSOURCES.txt -d 'inlanefreight.htb' TARGET_IP 25 || and i found :
user : ||fiona|| / account disabled ||jason and marlin||
So? So I tried brute force on ftp:
- hydra -l f_user -P password_in_ressources.txt ftp://target -t 32
- same but with user : f_user@inlanefreight.htb
- same again with capital F (--> hydra -l F_user -P password_in_ressources.txt ftp://target -t 32 && same with domain)
I tried this for : ftp, rdp, smtp, mysql (do not try this or you ll get blacklisted and must restart the target to refresh it).
0 valid password. anonymous isn't enabled for ftp.
Question: Where to start... I'm kinda stuck.. I tried to enumerate the web site but nothing interesting too
I think the top left arrow is just the attack host establishing a ssh connection with the „listen on 8080 and send it to my 8000“ directive. The actual sending of data is the other red arrow
That’s the wrong way around. If the attack host accesses port 8080 on the target then that means there is a service running that you can now access (that maybe was hidden before). But -R doesn’t reveal any existing services on the target, it tells the target to open a new port and send everything it receives there to your 8000
one question about the module "Shells & Payloads": for the live engagement to get the credentials for the initial vector (as exposed on the first Hint), is there a way to get to those credentials without looking at any hint? The password is not present on any list and I would like to understand if possible how can one get there without looking into the hint. Thanks!
I think there's credentials on the foothold machine
Clearly labeled :)
Hey Guys I'm in "Password Attacks " : "Password Attacks Lab - Hard"
got the credentials of user J & d cracked the Logins.kdbx
but I can't use this credentials 4 anything ,
I've tried 2 connect with evil-winrm as david (didn't work out), tried to do xfreerdp as david (didn't work out), tried 2 access the folder of administrator & david (didn't work out)...
can some1 give me a hint please, not sure what else 2 do ...
Yes but when going to Host 1 I’ve enumerated, then explored the shares, then the service that is the first vector..tried to bruteforce with no hit..then I went to the hint and there was the suggestion of username and password Host1 vulnerable vector I was trying to bruteforce with the service known lists. My question is more around if there was any way to get these creds without looking at the hint (btw thanks a lot for replying)
It's on the desktop of the foothold system
Omg…I was going crazy with the smb enumeration -.-‘
Thanks
Hi, since yesterday my proxychains seems down and I dont know why. I was doing a module yesterday and I use dynamic port forwarding properly but today wasnt working. I have been trying a lot of things but my proxychains doesnt work... Anybody know why?
And the host is there
Ping does not work with chisel
hi guys im in the password module and im trying to use lasagnia.exe to look for passwords. i get the exe to the target i open cmd and run start lasagnia.exe it runs but the cmd with the results closes as soon as the script finishes i dont have time to actually read results
Open cmd.exe and run lazagne.exe inside cmd.exe
hey y'all ,I am new to HTB academy. I completed the intro to academy and half of the Linux fundamentals modules by using free pwn box instance until it hit the time limit. My laptop runs on Ubuntu OS. Is it possible for me to complete the remaining module using ubuntu terminal ? If so, how?
im doing that
and it all runs as planned i can see output but as soon as its done its thing the window with the output closes and i dont have time to actually read it
i tried start lasagne.exe all > output.txt too so it prints it and i dont have to worry bout it
but it makes an empty file
thank you my good sir i now have a populated text file
Did some1 encounter in Kali's safe mode?!
hello guys how i can detect 3 way TCP handshake from pcap file by tcpdump
anyone end this module

Look for the flags S S. . which is the 3 way handshake like this
You can use the filter 'tcp[13] & 2 != 0' to get all packets with SYN flag set
Hi, im currently doing attacking common service module - "Find all available DNS records for the "inlanefreight.htb".
Keep getting this error when using subbrute.py - "get_ns_blocking - Resolver list is empty.". From my understanding, I already set all the correct details in resolvers file.
Also i heard only subbrute.py able to get the h... subdomain but not other tools like dnsenum.
I'm also on the same as you @main meadow, mind if we brainstorm a bit?
From my research, dig and dnsenum somehow will not work and cant get that final correct sub domain.
only subbrute.py will get the final sub domain answer which somehow is not working for me.
Imma just get up to speed, but I got subbrute to work once, lemme try again
dam son, finally got it working... your resolvers file need append newline after each entry
lol...
Yes that helps, instead of wiping you need to add
I saw you ran against .htb you sure it's not .com domain we are targeting?
the task/question ask you to target .htb domain
You're right, I didn't get a response earlier so thats why I started wondering :/
Hi! Currently working on WINDOWS PRIVILEGE ESCALATION - Windows Privilege Escalation Skills Assessment - Part I
I already have a meterpreter shell with limited privileges and think I am on a juicy track to priv escalation, but there are some things that don't work as expected. Can somebody maybe support me here? I don't want to spoil too much by asking the question directly.
Go to the potato exploit page and read about CLSID, they have a link to list of CLSIDs Organized by OS, try them it will work
Quick question about getting started module and gobuster, there is a way to improve the speed 🤔 ?
hi there stuck on Password Attacks : Linux Local Password Attacks | Credentials Hunting on linux
what i have tried so far :
1 Obtain kira password
2 login as kira through ssh
3 Found a Notes.zip file did zip2john and tested it againt a wordlist. No hit
stuck from here
I'm working on the knowledge check for the getting started module. I crafted the cookie but when I pass it to the IP with curl I can't find it in dev tools. I don't know what I'm doing wrong.
Additionally, I don't really know what to do to upload the file after the session cookie is present on the webserver.
For future references; If you're stuck on Attacking common service module - DNS, check your resolve.conf, VPN can be issue here. Or just keep it simple and use the pwnbox....
I'm using the pwnbox
I passed the cookie with
'''curl --cookie "NAME=VALUE" IP
'''curl --cookie "NAME=VALUE IP'''
@brazen saffron -t flag to set # threads
Ah.
code output test
Alright thanks.
Can someone plz point me in the right direction with using the session cookie for the getting started module knowledge check?
Did you try a mutated wordlist?
What do you mean you can’t see it in the dev tools? Do you mean the browser dev tools? Curl can not set cookies there
So I passed the cookie as
curl --cookie "NAME=VALUE" 10.x.x.x
I'm not sure which url to pass it to, though. And I'm not sure how to upload my php one-liner to get the reverse shell.
It’s kind of hard to tell where you are stuck, in the knowledge check they want you to identify what is running on the Webserver and find a public exploit for it to get a reverse shell. Have you found what is running on the Webserver and what exploit is available?
I'm not going that route. I found the exploit and researched it. I created a cookie based on the vulnerability found in /admin/theme-edit.php
the cookie should be sha1(getsimple_cookie_3315{apikey}={username}{apikey}
i mistyped that, both name and value are hashed with sha1 in this case
I don’t remember the exploit, but you have the apikey to craft the cookie?
yeah i have crafted the cookie. I just don't know what to do with it lol
Sounds like you can just set that in the dev tools then and manually browse the admin page?
that's what i was thinking too. To set a cookie in the browser do I click the + in the storage tab? When I do that it doesn't request input.
The + should add a entry in the list that you can change with doubleclick
yes i tried the one i got from mutating the kira password LoveYou1
@tranquil axle I added the cookie to the /admin/index.php url. I refreshed the page but it's still requesting login.
Try setting it not for admin but the normal url maybe
I thought mutated should do it, maybe someone else can chime in. Don't have notes on this one
you haven't done the module yet ?
@tranquil axle Tried that too, both pages
ye I have, but long time ago, no notes written down
😭 guess i will just hope someone hops in to help then
thanks btw
The metasploit module sets two cookies, did you do that too?
no i missed that. What other cookie?
GS_ADMIN_USERNAME={username}
I just tried it and with both set it worked for me to bypass the login
i logged in with admin:admin and no cookie. geez.
Oh you mean those were the default credentials?
Nah you can edit themed once you are admin, the cookie was just to bypass the login
password attack hard lab is smb server supposed to give this error?
That being said you can take a look at what cookies are set now and how they are different from yours
got a reverse shell
oh damn i did a find for *.sh and crashed the pwnbox
my browser keeps trying to go to a secure http URL. I turned HTTPS Everywhere off thinking that would make a difference. Why is firefox continuously adding the https scheme?
i set the network.stricttransportsecurity.preloadlist variable to false in about:config. That didn't help.
i also set the browser.fixup.fallback-to-https variable to false. It's not defaulting to https any longer, but still wont load the uri. So 🤷
try appending a newline in the resolvers file after each ip, everything will be fixed after that
websites that set their own hsts response headers will still enforce https in your browser regardless of your settings
My target IP address has Hello World, not the getsimple cms. What's going on?
I've tried resetting the target several times
logged out and back in fixed it
I am working on NTLM Relay Attacks - Authentication Coercion and I have a question. I was able to get the answer correct but looking at questions #2 I am not getting ' [+] (ERROR_BAD_NETPATH)' when i use the command: Coercer coerce -t 172.16.117.60 -l 172.16.117.30 -u 'plaintext$' -p 'o6@ekK5#rlw2rAe' -d inlanefreight.local -v --always-continue I get: [!] (NO_AUTH_RECEIVED) for everyone of them.
DM me. And please do not include answer spoilers 🙂
Guys I am in the Active Directory Enumeration & Attacks LLMNR/NBT-NS Poisoning - from Windows and when I try to rdp using xfreerdp I end up getting a black screen with nothing else. Is this a tech issue with HTB right now?
try pressing enter
this stupid thing is telling me to run command cd and I dont kno how to do that 💀
thanks mate -__-
what were you asked to do?
run command cd
which module is this and what section
literally the first
im the definition of a noob rn
dude give me the section name and module
idfk
it's the first "lesson"
of the entire hack the box course
send me the link here
dude that is the HTB main site... this discord channel is for academy
bruh
wtf am I supposed to do
look it says what does acronym vm stand for
and I do not know
so I go to the walkthrough
and it says run command cd
well maybe you should first join the HTB academy before going on solving problems in the main site
what
https://academy.hackthebox.com go here ... learn the basics, then learn some more then one day go to main site to solve prob

Good night!
Detecting Windows Attacks with Splunk.
Detecting ransomware.
Modify the action-related part of the Splunk search of this section that detects excessive file overwrites so that it detects ransomware that delete the original files instead of overwriting them. Run this search against the "ransomware_excessive_delete_aleta" index and the "bro:smb_files:json" sourcetype. Enter the value of the "count" field as your answer.
The answer is not correct, I can’t understand what I’m doing wrong.
Anyone able to assist me break this AES-256 Encryption with hashcat ?
Read #welcome and post in #starting-point
Is it for an academy module?
You mean on https://app.hackthebox.com ?
This channel is for https://academy.hackthebox.com please read #welcome on how to access more of the server
u know how to take someones password
i dont remember my discord password ngl
But also just do password reset since youre logged in
how do i do that
Google is a free to use search engine my guy
the thing is i lost the gmail too
OK? You generally don't need the email to reset the password if logged in
Either way if you're really up the creek, just message actual discord support via email. (Yes you'll need to set up a new email too)
Type firefox in terminal
Terminal refers to the command line window
it still doesnt work
Are you trying to access the internet in the in-browser vm?
what
im trying to do the next step in the academy, and I have to use firefox
I guess I'm confused on what you meant by "can't access firefox"
meaning it wont connect, it keeps saying connection timed out
the first one
That's vague af
segment 5
the first module
At the top of the screen, what is the name of it
interactive section with target
Did you spawn the target from the "spawn target" interactive text line?
.....
english please
I am using English
It should work
like it said
What do you mean it didn't work?
I mean that when I clicked on it nothing happened
I just clicked it myself and after "spawning target" it shows a public ip with a port [ip:port]
bro how
Send a screenshot after you clicked the "Click here to spawn target!"
i think that’s the target
I see a public ip and port on your screenshot my guy
ok but when I put the url into firefox it doesnt work
No
I need to use
no
It's not
wtf do I do then
The reason it wasn't working for you initially is because you were clicking the text block explanation
Keeeeeeeep going
Bingo
how do I answer that
...
if I didnt research a target url
You're also lacking reading comprehension
k did it
I just thought i needed to do other things first chill
Now just visit http://ip:port
done
9 times out of 10 (unless specified) the example IP will not be your actual target ip
ok thank god
As you just experienced. Reading the whole page is crucial to moving forward
I was having an awesome time working on "Windows Event Logs & Finding Evil" yesterday. However, about 24 hours ago the Target Machines started kicking me out after 1 minute into my RDP session. Is this a temporary issue - do you have any suggestions except for to keep trying to reset the target?
Try from Pwnbox. This has happened to me and it turned out to be a VPN issue
Also try switching VPN servers or switching protocol
Thanks for the quick response - I also have been trying the pwnbox and I get an error that there are no available instances
Tried the following
'cd .. && dir'
cd .. && dir
cd%20..%20&&%20dir
'cd .. && type flag.txt'
cd%20..%20&&%20type%20flag.txt
But nothing worked white screen -_-
What I am missing?
try "reset" button near the pwnbox screen.
My notes don't have anything about mysql for the easy assessment, i used ||ftp bounce attack||
with anonymous?
i found a user using another port, then brute forced a password for that user on the ftp
I found the user fXXXXX but brute forced ftp on 21 but it seems going on n on
Used password list from resource or rockyou.txt?
I found it just using rockyou
ok let try once more
i just checked and its within the first 100 lines
hydra -l fXXXX -P rockyou.txt IP ftp -t 64
I think thats correct right?
yeah, i think i had to use medusa
ran but nothing it says no passwords found
Can i dm you?
sure can
I changed my VPN session to TCP and that worked for me
There is an issue with the parrot machine
Please check that issue
Nice! UDP connections can be inconsistent so that may have been the issue.
I'm trying to get root.txt for the getting started knowledge check. I'm having trouble. I've uploaded LinEnum.sh and ran it. It says I can read the shadow file, but it's permission is restricted to root, so I'm thinking that's the wrong way to go. I think I need mrb3n user password to escalate privileges. I'm kinda stuck. Can I get a hint?
@short hare the absolute path. For instance, type C:\Users\Godzilla\Desktop\flag.txt
Hi, were you able to crack the hash? I used ||-m 18200|| but it hasn't been working for me.
hello
Anyone know how to crack a ||$krb5asrep$18$|| hash? I am on the Kerberos Attacks - Skills Assessment
Have you tried using john?
I have...I was using ||john --format=krb5asrep|| but it was taking a while...I just started it up again after you reminded me
fine , just keep it in bg , and in other terminal tap use it as raw " john hash.txt"
Hydra -L username.txt -P password.txt ssh:// ip -t 8
I tried that too...no dice so far
I didn’t use a hash
Just got it! With ||Kerbrute|| Make sure to use the ||--downgrade|| flag
bro what is the difference between normal virtual vm and docker
Anyone else having trouble with Starting Instances?
Same here
Log out from academy , wait for sometime
It will work again
Evenif I logout and reconnect. Still not working
After work just now sat to do it
Can I DM you if I get again stuck?
yes
Ok...
Yea... Saw just now...
-_-
Yea I cannot start a pwnbox also, I have cleared browser cache and logged out/in but still getting this error.
neither can I
I did try support but the GPT ai was directing me to openvpn troubleshooting not pwnbox.
now started the module with VPN file 
I'll prob use my kali vm with vpn too if it persists or just read and take notes and try the exercises later.
That's a good idea
running into the same issue
WINDOWS ATTACKS & DEFENSE - DCSync . After performing the DCSync attack, connect to DC1 as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the Task Category of the events generated by the attack?
I don't list answers what to fill in, can someone help me?
same
Hey guys, has anyone else being issue trouble in starting Pwnbox instances. Since the whole day.
i came here to ask this question, i see many have this issue
Yes many have this issue
exactly
Got a strange one, I can't seem to SSH into the linux machine with the provided creds for the privileged access section of active directory enumeration & attacks. Keeps telling me the password is wrong.
Before anyone asks I am copying and pasting as well as verifying it is right
Unsure if they have changed the password and not updated the module?
I keep getting a permission denied error
ssh htb-student@172.16.5.225
That looks normal right I am not losing my tiny mind
I don't need to pivot, i'm RDP'd on a computer with two nics
I can ping the host
So it's up. And I am using the credentials provided
Is SSH available at all?
Is the port correct?
Doesn't actually provide a port
"For the portion of this section that requires interaction from a Linux host (mssqlclient.py and evil-winrm) you can open a PowerShell console on MS01 and SSH to 172.16.5.225 with the credentials htb-student:HTB_@cademy_stdnt!."
then it should work....
And this is why I am here....
Try restarting the instance.
Otherwise contact the support
Tried that, I have been having this issue with this section. I will contact support.
Thanks
Is anyone else getting this message when trying to spawn their PwnBoxes??
I also encountered the same problem, now I use openvpn to connect
+1
Hey guys i have a question:
I'm currently working on the Footprinting medium lab.
I found the nfs share, mounted it, and got permission denied. I googled around a little and found that you can just "sudo su". I just dont understand how permissions work in this scenario. Why can i access the share with those permission, but not just like that. I seem to not get something here. Any tips how i can read up on this specifically?
As far as I recall
It's just like if you want to delete some system file from Linux directory, it says permission denied. But if you switch from current user to root you have the permission to delete that file even though you're in the same system.
In certain cases, you won't even be able to do sudo su. In those cases switching users from a current account to other is denied.
In the above you have the permission to switch to other users from the same OS or whatever
Ok if it's just like that thats fine with me. I was just confused, because usually when i mounted an NFS share i could just cd in right off the start.
Yes
This is just one case
There are plenty of other cases where it become confusing to connect the links
Im doing the Identifying Hashes section on Cracking passwords with hashcat module
The one question at bottom on Identifying hashes section asks to identify the hash
The hash is very clearly a || Drupal7 || hash, all tools i use say it but when i enter it, etc its wrong.
Have i misunderstood the task or something ?
Fixed ^^
Solution: Submit the full output from the command you are running.
Can you use any other hash identifier tool
It asks you to use hashid, but i prefer to use tools such as Name That Hash and Search That Hash.
I just find it easier to look at and navigate through, it gives you pretty much the same answer but less work, automatically outputs hashcat modes, etc.
Search That Hash basically uses name that hash but then check if its been cracked before, etc, so it can give you an easy answer.
I just used search that hash and got the answer for most my questions on the module but i also did it the normal way
Let me check my notes
Use HashID tool and same the output that you including the >< symbols
Hello Guys,
Hope you enjoyed your weekend!
I'm reaching you for a hints looking for - Attacking Common Services - Lab Hard
Intro : I found user ||fiona|| through the ||smbclient|| (with the user ||john and simon||). I Bruteforced the password of them on RDP. I got Fiona.
Now I'm on RDP with her. I saw there is a MSSQL. So I'm trying to connect on it with the password of Fiona but without success..
I tried :
- sqsh -S TARGET -U ||fiona|| -P Password (I tried with quote also)
- mssqlclient.py (from impacket) : /usr/share/doc/python3-impacket/examples/mssqlclient.py -p 1433 ||Fiona||@TARGET
- On the windows machine via cmd : sqlcmd -S localhost -U ||fiona|| -P PASSWORD
- Via GUI on sql server profiler
Nothing of them worked.
I'm kinda stuck.
Thanks in advance 🙂
use .\\<username>
thanks, i now want to die 🥳
prob one hour lost for this
Hi. I'm trying to follow the instructions found here: blob:https://app.hackthebox.com/8baa230d-a251-495c-a659-a992314ca1fc
But there is no downloads folder for me to select.
Could I get some help with this module? Stuck on the 1st round of questions.
I dont think the password has . at the end
try without .
read #welcome and #rules after that use /verify at #bot-commands and ask that at in the appropriate channels
Oh are you attempting to help me? I already solved it as i wrote above, i thought you were wondering what hash identifier tools im using
hey guys i need help for install -r requirements.txt for python in ubuntu
It is ok
can you share more details
Hey I need help on Active Directory Enumeration & Attacks Privileged Access
hello guys im on this question Find the user for the SMB service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer. i have read permission on the users shares but no flag inside the share any help plzz im stuck here for hours
Check the User dir. Normally it is in the Desktop or Documents Folder
Hey I need help on Active Directory Enumeration & Attacks Privileged Access for the question "Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt."
what exactly is not working? What have you tried?
ahhh hello... i want to learn... can any one guide me with this?
If you manage Python packages (libraries) with pip, you can use the configuration file called requirements.txt to install the specified packages with their specified versions. User Guide - Requirements Files - pip documentation v23.2 Install packages with pip: -r requirements.txt How to write configu...
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Is htb academy content restricted content ? As in not to be streamed ?
Tier 0 is not restricted
Everything above yes
Hey I need help on Active Directory Enumeration & Attacks Privileged Access for the question "Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt." (I think something didn't work well)
what exactly is not working? What have you tried?
Not sure where to start from? We'll have you take your first steps in no time 👣
📝 Check out @darkstar7471's video on how to kick off your learning journey on #HTBAcademy in this step-by-step, guided series. Watch now: https://t.co/0jSjEPx61N
#HTB #CyberSecurity #Hacking
Has anyone completed the last question on the Attacking Kerberos - Skills Assessment module? I used Rubeus to find the TGT of a new user, but that user and my current user are not Domain Admins.
3
Hey all, I was working on the Footprinting easy lab ( https://academy.hackthebox.com/module/112/section/1078)
I found the solution eventually, but I dont understand it.
||I nmapped the server and found there was a 21, and 2121 - I understand that 21 is the FTP server, and 2121 is an FTP proxy - but I really don't understand what that means in general and in regards to this lab - I tried researching it on google, but I couldn't really make sense of it. I found the solution on a forum online saying to download all the files from port 2121 instead of 21, but I do not understand why this works - any help?||
It's just an alternate port my guy. A lot of systems are set up in a way that the default port is a blank trap for attackers, and the alt port is the correct one
And vice versa
Oh, is it not a proxy?
I tried using the ftp command with that port and it didn’t net any results so I thought it didn’t exist, but wget worked
services can run on ANY port. The common shit like port 21 is just the default
Oh maybe I mistyped
And didn't do ls -la
Oh yeah probably
But how come there is also another ftp server on 21? Are you able to have two on one server
I see
So both 21 and 2121 had an ftp server but 21 was blank and 2121 was the real one
Much like you can have multiple http servers on multiple ports
Basically yes. And previously this exercise was harder. Requiring you to either use the hint or brute force the password
:p
I see - I read a post saying there was only 1 FTP server, so I think that confused me
You probably misread that someone's enumeration only showed 1 ftp server running
Ah yeah probably
When there is in fact 2 services running
Well thank you! I understand now haha
¯_(ツ)_/¯
Just don't get caught up on things that [in the end] aren't all important
Haha alright, thank you
Did you ever get past this? i am unsure if my payloads are all just wrong or if the lab is having issues 😄 probably the former but worth an ask
if i pivot from an user1 to an user2, can i get the password to "sudo" commands as user2?
depends on how you pivoted
if what youre really asking is how to find the password of a user you have access to but dont have the password then generally you cant unless you find a clue somewhere in the system or the user has elevated permissions to read /etc/shadow or the likes
i tried reading /etc/shadow with the user i pivoted into, but didnt have permission, so yeah, no good so far
Can I Hack Roblox?
There is a couple modules tho : https://academy.hackthebox.com/module/details/182
Lol

The slideshow like performance when trying to navigate around the RDP connection for the Documentation and Reporting lab is making me want to throw my keyboard out the window 
Anyone finish the Attacking Kerberos module who can help me with the last question?
thats just standard RDP stuff
Hello
Any one know a machine which replicate Account Take Over attack
Man, just finished Pass the Ticket (PtT) from Linux but it absolutely kicked my ass and exposed a fair bit of knowledge gaps in that area for me. Will definitely be something to further revise.
If you still need help, send me a DM.
Hey I need help on Active Directory Enumeration & Attacks Privileged Access for the question "Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt." (I think something didn't work well I got a timed out)
ho it's for me I think it's for shadowexe13
Well we need to connect to ip 172.16.5.150 and get a shell with SQL (xp_cmdshell) to read a FLAG but the service is really slow I've tried with mssqlclient.py and MSFConsole... with PowerUpSQL from the Windows host i can execute SQL command
If i try to execute command i don't have the command return
and if I read the hint it say "Use mssqlclient.py"
Is xp_cmdshell active?
Sometimes it must be activated first. This is also shown in the modules
it is activated but it's not the problem I can't access the service with mssqlclient from my host (what the hint says) if xp_cmdshell is or not activated I shouldn't have a Timed out error
Have you tried it from the pwnbox?
well nop I have my own setup
I have solved it with PSSession but just wanted to know if I'm doing something wrong
Try it from the PwnBox.
If it works there, it is an error of your VM. If it doesn't work there either, it is either an error of the tool/lab or a faulty application of the tool.
Ugh, last question on Attacking Kerberos is killing me
Why?
I have tried renewing the ticket on the new user I found through Rubeus, and I still can't read the DC01 share
I even used Metasploit to priv esc to nt authority\system, and that didn't help
||
You need to find a ticket.
You can then use it to query another ticket.
Then you have to renew this new ticket
After that you should be able to read the flag.
||
Metasploit will probably not help you in this case
||Yes, I found the ticket for jake, and then I queried the new ticket (.\Rubeus.exe asktgs /ticket:..." just like in the module instructions), used Rubeus again to renew the ticket, then tried to use dir to find the share, but I get an error. ||
May I DM you?
sure
Is anyone able to help me with the PTT module, stuck trying to use the ticket to get into the DC
Have copied the ticket from the target host to my attack host, set up chisel, but upon trying to use the ticket I keep getting access denied
feel free to dm
hi im on
module: Pivoting Tunneling
section: Remote/Reverse Port Forwarding with SSH
I want to try to gain a reverse shell in msfconsole, but it doesn't seem to work.
have you set reverse port forwarding
in /etc/proxychains.conf ?
||ssh -R||
yes, it seems successful
Is anyone else free to help with this?
gimme a sec
i think this was for you #modules message
but what module and section are you on? also which question?
It was but I think he is busy
I am on PTT, last question
Got the ticket, set it as my KRB5CCNAME variable, tried to pass the ticket
but alas, no luck
from linux right?
yes indeed
did you convert the kirbi to ccache?
it depends on what you use to dump the ticket, if mimikatz then it's a kirbi file (nvm same format for Rubeus)
Can I DM you so I don't spoil it for ppl
sure
Why is the machine not being created?
@quick magnet can you dm me ur commands
looks like ur listening on the wrong ip address
||ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN||
InternalIPofPivotHost is tun0 right ?
you need the internal IP of the pivot host
since the payload connects to the pivot host, and you want to listen on the internal ip of pivot host then redirect it back to your attack host
check the diagram in the session
so the InternalIPofPivotHost is attack host ?
nah
pivot host is the host you have access to in the internal network
in this case its the ubuntu server you ssh into
ah i see, let me change it
👍
```
● openvpn@new.service - OpenVPN connection to new
Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since Mon 2023-09-11 09:28:58 UTC; 2s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 4643 ExecStart=/usr/sbin/openvpn --daemon ovpn-new --status /run/openvpn/new.status 10 --cd /etc/openvpn --script-security 2 --config /etc/ope>
Main PID: 4643 (code=exited, status=1/FAILURE)
CPU: 20ms
Sep 11 09:28:58 ahmadiarian981 systemd[1]: openvpn@new.service: Main process exited, code=exited, status=1/FAILURE
Sep 11 09:28:58 ahmadiarian981 systemd[1]: openvpn@new.service: Failed with result 'exit-code'.
Sep 11 09:28:58 ahmadiarian981 systemd[1]: Failed to start OpenVPN connection to new.
```
hey guys i cant connect to .ovpn
use openvpn <vpnfile.ovpn> to connect
```
2023-09-11 09:38:09 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-09-11 09:38:09 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2023-09-11 09:38:09 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-09-11 09:38:09 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-09-11 09:38:09 TCP/UDP: Preserving recently used remote address: [AF_INET]23.19.60.155:1337
2023-09-11 09:38:09 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-09-11 09:38:09 UDP link local: (not bound)
2023-09-11 09:38:09 UDP link remote: [AF_INET]23.19.60.155:1337
```
it got stuck at the line UDP link remote: [AF_INET]23.19.60.155:1337?
might wanna try another server
SQLMAP ESSENTIALS --> Running SQLMap on an HTTP Request -->What's the contents of table flag2? (Case #2)
How to start? I've intercepted with browser dev utility but i dont see anything to start with, same for burp suite interception. Any nudges?
Access the given IP:PORT in browser -> click on case 2.
Intercept the correct request and identify which parameter is vulnerable to SQL injection, then save the request in a file and try with sqlmap -r flag
In module "Server-side Attacks" in section "SSRF Exploitation Example"
Please change or review the code for injection is JS
```
function rce() {
function> while true; do
function while> echo -n "# "; read cmd
function while> ecmd=$(echo -n $cmd | jq -sRr @uri | jq -sRr @uri | jq -sRr @uri)
function while> curl -s -o - "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=${ecmd}"
function while> echo ""
function while> done
function> }
```
to
```
function rce() {
    while true; do
        echo -n "# "; read -r cmd
        # URL-encode the command three times
        ecmd=$(echo -n "$cmd" | jq -sRr @uri | jq -sRr @uri | jq -sRr @uri)
        curl -s -o - "http://<target ip>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=${ecmd}"
        echo ""
    done
}
```
Due to the problem of a parsing error if you are trying to make the function that is in the academy atm
Best Regards Angry 🙂
PS just so you can copy and paste the code easier
Hi guys, I am doing AD enumeration and attacks skill assessment. I am stuck on the second question on kerberoasting. I cannot find any account that can be authenticated against the DC for it to work. I was able to get the administrator hash from the jump host but it did not further me in any way. I have also tried kerbrute but it did not work. I got a reverse meterpreter shell and hooked up proxychains so I can get into the network. I have discovered the MS01 and DC ips.
every thing i do i cant ping or do anything with this domains
Make sure they're in your hosts file
/etc/hosts
I always put them in the same line
try
10.129.229.49 inlanefreight.local app.inlanefreight.local dev.inlanefreight.local
all on the same line
worked
thanks
sorry i know this is offtopic but i've tried reaching out to staff and mods. but the hackster bot is giving me an error whilst trying to identify myself
Has anyone done the skills assessment in: “Introduction to threat hunting & hunting with elastic”? I managed to find the answer on question 1 and 3, but stuck on the 2nd. I know d*.exe sets a registry but neither the one B or svc makes seems to be right. Am I missing something or just doing it wrong entirely?
@acoustic owl perhaps you have done it?
It’s in the soc path
Did anyone finish the attacking enterprise networks: web enumeration & exploitation section? I am getting a proxy error trying to do the WordPress login... not sure whats going on?
No, 5 modules are still missing
Any idea? Or could I perhaps dm you?
Hello, I am stuck. I am doing the Introduction to Malware Analysis, the last question of the skill assessment is this. After which function in x64dbg should a breakpoint be placed to unveil the decrypted content of the .tmp file? Answer format: C__________t. I even followed the hint but i could not find the function. Please, can someone help me?
What have you tried?
Sure, send me a dm
Module: PHP Web Shell
Each time I run Burp I get yelled at with a security warning. I've reset multiple times using the pwnbox and tried it multiple times in my own VM - I can't escape the message. My google searches aren't helpful.
I understand the lesson perfectly, I just don't know how to get around this certificate message so I can run Burp and answer the second question. Any tips (or better things to google) would be appreciated.
@languid galleon Not sure what message you get, try a screenshot or writing down the error message?
I'm learning the nmap enumeration in academy. I got this question to scan a hostname of the target. But I do not find any scanning command for the hostname? Can anyone help me with this?
yoo
i just fired up meow and i cannot ping the machine whilst being in the same vpn , am i doing anything wrong here ?
you can find the host name with ||nse scripts||
There is something wrong with the ACTIVE DIRECTORY ENUMERATION & ATTACKS module lab?? I can't connect to any labs, it gets stuck and then shuts down.
I used the nmap -A command. It works. Thank you.
Shuts down?
I mean, the screen got off, the remote desktop app
Press enter.
hello guys
let's try again
if you've done the password attack module then there should be something about this in that module but this works best for me https://www.thehacker.recipes/ad/movement/credentials/dumping/ntds
but the walkthrough said it can be pinged
which module and section are you on?
i didnt mention how to dump the file after extracting the file
they *
then i need to extract the system as well
read #welcome and #rules after that use /verify at #bot-commands and ask that at #starting-point
in the NTDS section of that module they show you 2 methods of doing this the first one is Shadow Copy and the second is cme
which the last one is kinda ass but for dumping the hash from that ntds file you can just use impacket-secretsdump (a quick google away)
ive no idea what i did , it workeddddd !!! thank you so much !
is there a place to ask general questions
Can anybody give me a dumbed down version for the Server-Side Attacks: Nginx Reverse Proxy & AJP what the heck is actually happening there? Like I got the flag by just replicating but I had no clue what to do? Very bad explanation when compared to other modules
Read #welcome
I'm doing the RDP and SOCKS Tunneling with SocksOverRDP
i've configured the proxifier
but when i run mstsc.exe its not pivoting to 172.16.6.155
Follow the section to a T and it will work
hi, when using cme for password spraying with both a user.list and password.list, i thought there was a parameter to tell cme to first try the first password in the list with all users, then the second password, etc. I can't find this parameter again... can someone tell me if this parameter exists please ?
when i run mstsc.exe for the second time should it be done on 172.16.5 or 10.129.x.x
From the foothold
because when i do it on 10.129.x.x it prompts me for username and password and i put jason since i want to connect to that host but i get nothing
the foothold would be 10.129
You start mstsc.exe on foothold, put in the ip for the target you're looking for, enter username and password
Did you also start the socksoverrdp.dll as shown?
did the exact same steps
i got the rdp session to let me in but having three rdp sessions open can't load for nothing
hey guys! i have some problems in the footprinting section
Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer.
with this question
i managed to connect to the database but cant find the answer
hey everyone, can someone help me change this regex \/documents.*?.pdf to match any extension and not just pdf
i am horrible at regex and this is getting in my way
can anyone help?
Been awhile since i have done that one. Are you enumerating the dbs and tables?
can i dm? @ashen umbra
yep
sent
Having issues with credential hunting in linux on the password cracking module.
I cant gain initial access even after using the hint and trying regular lists/mutated lists with hydra. Anyone have an idea of what I am missing?
The hint doesn't seem to help as the password given for the user does not work on ssh and I attempted a mutated list with that password with the custom rule.
I know hydra has the -u switch... I don't think CME has one unfortunately. You could do it with for loop and pass in a singular password each loop.
thanks for the answer, I ended up that way 😐
Something like below... but i haven't tried this myself
```
#!/bin/bash
target="192.168.0.1"
# Run one pass over users.list per password, reading passwords line by line
while IFS= read -r password; do
    crackmapexec smb "$target" -u users.list -p "$password"
done < passwords.txt
```
ah nice. be nice if they added that feature tho for sure
documents.*
Hey folks, I am having a difficult time with (linux fundamentals) Task scheduling with the question (what is the type of the service of the "syslog.service"?)
systemctl ||show --property=Type syslog.service||
I've tried that, it keeps telling me incorrect answer. Not sure what else to put in?
try this ||cat /etc/systemd/system/syslog.service||
Thank you!!!
Thanks
Did you get an answer to this? I am at the same point - won't accept??
hello y'all, any hint for Lab Medium from Attacking common services?
I tried BF on non-standard ftp ports with no success..!!!
No need to BF
Just anonymous login
Then just move around, you will find more hints
let me try again cuz I guess I tried already, but ty btw
./subbrute.py given_domain_name -s ./names.txt -r ./resolvers.txt
From there you will find some other subdomains
Then
dig @IP axfr one_of_the_found_sub-domain
Just hit and try you will get something
you have to look on and inside the directory present there
just 1 thing, how do you realize anonymous login, if the -sC -sV scripts don't disclose it?
This is a general idea in pentest that if we have ftp open, we must try anonymous at least once.
So with that intuition i tried and found that
hmm ok., make sense
Also this intuition came after spending a lot of hours stuck on some stupid idea.
These are certain things that click after spending hours on these things figuring out what to do when there is no one 😆
hey guys quick question if I'm running a nmap scan on a target in the modules do I need to include the port number that is being displayed also ie 94.237.56.76:43256 or can I run it like a normal nmap scan?
you can run it like a normal nmap scan
If you want to find more info about that port add some more flags and mention the port and hit enter
@lusty thicket thanks, only asked because I was getting a weird print out that I never got before 'RTTVAR has grown to over 2.3 seconds, decreasing to 2.0' never had that show up before
I've been on THM and just started academy so I'm making that switch
yea I tried to get version info but it just showed filtered and no info
some ports may be protected by firewalls
Anyone want to start a study group with me on the new NTLM Relay Attacks module?
That's a docker container, I wouldn't recommend using Nmap on it
You'll have better luck doing web enumeration on it. (Visiting the webpage, using whatweb) usually the module tells you what it's expecting
okay cool thanks I'll see if I can get further not running the nmap.
You will. The ip you're given is a public ip. (Which is why you're also given a port) generally speaking: that indicates [in htb academy] that they want you to do web enumeration techniques
okay cool I feel like I'm relearning everything hahah completely different from THM
The module section tells you explicitly that it's going to have you do other techniques, if I'm assuming you're on one of the startup modules
yeah I am in the beginning stages of the Pentest pathway
the thing is the public exploits section mentions using nmap to enum the ports and then look up the services
It's a big bag of it depends
If you're given a public ip and port (not 10.129.x.x) then assume web
alright thanks I'll keep that in mind moving forward
Also since youre still early on: take notes
Thanks I've been taking them as I go making my own little cheat sheet
is it normal to have this extra cube ?
¯_(ツ)_/¯
You generally earn a few cubes back as you go through modules
you get cubes while doing the mods
ik but all modules give you back 10,10,20.... depends on the tier
but 401 ? it's weird lol
You get them as you do the modules
can i pm someone for a hint in FIle Inclusion module? LFI and File Uploads section
Not directly when you complete them
okaaay , I didn't know that
just ask here , where are you stuck and people will help you
I think it's better to pm someone... maybe if i ask i can give extra information
Hey all! I'm currently going through the "Active Directory Enumeration & Attacks" Module. In the "Windows Defender" section it says and I quote "Windows Defender has improved over the years to block tools such as PowerView. There are ways to bypass these protections. These ways will be covered in other modules." Which other modules is it referring to? I'm interested in reading about them.
The AV bypass is not properly addressed in any of the modules as far as I know.
For the modules here, it is enough to disable Defender or Real Time Protection.
what am i going to do when tampering protection is activated 😦
try disable it from settings
thats what tampering protection is against
Not saying i need it, im not doing the module
mb
I'm trying to do starting point and I'm getting this error:
"Stop your Active machine before starting a new one"
I don't know how to solve it
refresh the page, you might have a active machine running
or go to the next session, active another target then come back and try again
All right, thank you so much
trying to progress with the passwords medium lab but the ssh session keeps freezing augh
Feeling a little lighter! 
gj! how’d you find it?
what?
the module, what did you think of it
It's good
Got to explore some areas where I never jumped into
And few sections were MY GOD, I really found them difficult (Maybe I am kind of a noob)
connect to the web server on the internal network
May I know if I renew Silver Annual, is the one exam ticket I acquired from the previous membership period applicable for the new year period (old + new exam voucher= totally 2 vouchers remaining), or would be permanently expired?
As far as I know, an exam voucher is only valid for one year. That means it would expire.
But to be sure, ask the support.
Have you solved this issue? I'm having the same issue
You need to go like this:
Get access to SMB with user Jason and his password.
You will find a file, you need to crack this file as it is protected by password and look into it
Look at the files contents and then you will find more clues to move forward
should i learn networking and linux before getting into hacking?
we need modules to cover those techniques
Someone knows why Meow machine doesn't work?
Im trying to do the "Starting point" but when I click "SPAWN MACHINE" I'm getting this error:
"Error!
Machine failed to deploy."
read #welcome and #rules after that use /verify at #bot-commands and ask that at #starting-point
🔥
@mortal basin Do you actually wait until I have finished a module to publish a new module a few minutes later? 🤣
at what stage should i learn programming?
tysm!
it's a possibility 😁
When will your module be released?
https://youtu.be/zxoGBT6eitA?feature=shared&t=23
When I have completed the next module?
i appreciate the reply but i decided to just skip it and will work on it this weekend. if i get stuck again i'll make sure to post a screen shot for clarity, thanks tho
Hi. Could anyone help me with FILE UPLOAD ATTACKS - Type Filters.
tried .pht .phar .pgif .phtml with image/gif image/jpeg image/png and GIF89a and GIF87a.
If I remember correctly, GIF-8 will work
You are using "image/jpg" as content type
It should be "image/gif"
Medium Level Modules are enough to bang head on wall
How much hard, hard modules are gonna be...
quite hard, and getting harder 😅 but we always keep a steady increase in difficulty, so if you follow a path it should gradually build your skills, such that you never feel it's way above your level, but only slightly above your current level so that your skills would improve..
that's how a path takes you from beginner to intermediate, and then from intermediate to advanced 😎
it's the next one in the pipeline 🔥
Cool, will there be any red teaming path / certs?
vautia makes great assessments in the end of each section
Yeah...
Getting this feeling by moving forward in CPTS path
But still HARD aaaaaaa........... 😆
no pain no gain, right 🙂
Hard does not always equal hard.
There are modules that are marked as hard, which are relatively easy and then there are modules that are marked as hard, but the author meant insane...
Gotcha
The more I work on the path, the easier it becomes for me
waiting for ADCS modules, av/edr evasion, cloud security modules 🙂
........
this always depends on each individual's skills, so we try to use the average to rank them.. same with main htb platforms.. but yeah sometimes the rank may not be accurate and we change it later on..
Thanks! Will try it as soon as i'M @ PC again
Wooo.....

nothing official yet but i'm working on one of those topic
🥳 😍 waiting for it
As an example take the module OSINT
It is marked as hard.
Really hard was only to find out that I have to switch the browser to english to find what I am looking for.
Then put a module from vautia against it..... I mean, there are worlds between them
I am not mad about that. But I had to learn that these labels are very often, at least from my point of view, not correct.
thanks for the feedback.. we'll look into this if it needs a difficulty change. we will also ensure that modules in a single path have accurate difficulties in comparison to each other, as this is important to gradually increase difficulty, as i mentioned earlier 🙂
this one will be actually hard though 
Also your JavaScript modules were hard
They really challenged me.
In the attached image it says “here we can see…” and I don’t really understand how we can tell that the 10.129.0.0/16 network is accessible via tun0 via 10.10.14.0/24 network. Would anyone be able to clear it up for me?
you have to verify your account at #welcome
Read and follow #welcome
Thanks. I am following the steps.
You have marked the line. What exactly do you not understand?
Academy and app.htb accounts are different? I mean same credentials don't work.
yes, these are different accounts
okay, thanks.
But you can simply create an account
this just means that you can reach any network in the 10.129.0.0/16 range by first sending your traffic to the machine at 10.10.14.1
I have created one just now. I need help to get my identifier code.
Found it.
@acoustic owl I tried the appropriate curl command options but the server can't connect.
The task is to download specific file from specific target.
U miss the protocol part
For ex curl http://.......
ohk
I am accustomed to using address without http:// 🙂
My mistake.
Thanks buddy.
@limber river
you are wlc
does anyone know how to terminate a machine after i finished?
can anyone hack a discord server?
Well I’d often wondered how to get a quick ban from discord lol
i mean they are a toxic people
What a strange young man lol
hey friends, i am at Attacking Common Applications Exploiting Web Vulnerabilities in Thick-Client Applications, i am having this error after editing the open function to download the file and it doesn't download it to the desktop, tons of other people having this issue at forums and no clear answer, any help please
underneath this is a chain useful link for this that section #modules message
Can someone help with what extension to use on the black list filters exercise in the file upload attacks section?
Try to fuzz on it, using burp(intruder)
I have done that, found the ones that allow me to upload, but nothing is still executing the script
so trying to figure out what else I am doing wrong. I just keep repeating with different extensions but same result.
Eeem, I remember now, what I did is fuzzing on the path/to/the/files/uploaded then looking for the one with different response
not sure what you mean sorry
Yeah, Ik is tricky
I know the section says "not all extensions will work with all web server configurations" but this is just a huge waste of time. I am on my 10th extension and there is no way it should be this trivial. That is why I feel like I am missing something but I dont know what.
I have my list of what is blacklisted and I get the successful file upload, so idk
You can automate this process using intruder, instead of manually navigate to each extension, use intruder with the same word list to navigate to all the extensions in the same time, then read the responses
Show me the request body please
This is one of the more recent ones I did, but same concept for all other extensions/payloads
Okay what's the path of your file?
/profile_images/shell.php6?cmd=id
Go to intruder and fuzz on /profile_images/shell.$php6$?cmd=id
Use the same word list
I found .phps with a different response
Try it
I know, but I cant get my script to upload to view the flag lol
Did you do that?
yes and it gave me phps
Could you show me in burp?
The request?
Okay, try to find something in the one with 200 status
so I'm trying to find the flag that one of these services contain and submit it as the answer. This is for NSE section of Nmap module. I did a scan and found port 31337 is open. I went into web browser and found it was an apache server. Am I on the right track? Is there anything I can research to help find the answer without being given answer directly?
I did a vulnerabilities scan now doing a version scan
Aggressive scan said version is 3.13 so no point
but so do I just look up apache 3.13 vulnerabilities
I mean Linux version 3.13
not apache version but is using apache web server
apache version 2
or will gobuster be useful?
yes
Can someone help me with the password attack hard lab. I've downloaded the .V** file and used John to crack. The instructions say to use -i , which when done shows some hashes. I've tried using PTH, but it doesn't work.

What exactly is not working?
Can anyone help me with the password attack module, i'm doing the password attack lab -HARD
What exactly is not working?
guys, who knows what the problem is with the machine not starting?
i found the password for the user ||david||
but i don't know what i do now
hello guys
can someone explain this question
i didnt get it
Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
i need to perform a pass the hash attack on my attack box
then set up a nc listener the target to get the reverse shell is that right
Hi can someone give me a hint for the sql injection question " Identify the username of the user that has a position of 736373 through SQLi. Submit it as your answer." in web service & api attacks, i tried all the injections and i url encoded but none work everytime i get 'Enter a valid param for HackTheB0X API'
You're basically just doing the same thing as the example to get a reverse shell with Invoke-TheHash from my understanding. I'm working on it now, but I'm having an issue with the Tool.
can anyone help me?
Nevermind i just used SQLMap
Hey guys! I'm trying to spawn machines but cannot. Additionally I cannot submit tickets for support. This is a paid account
I tried on multiple devices
i got it
do you need any help
check dms
That equation has infinite number of solutions since its the equation of a straight line
how can i mount .vhd file in kali??
You can Google it. But also you can just mount it in a windows machine
i tried
but doesn't work
i'm in the password attack lab hard
i downloaded the .vhd file
I know, I've done it on a windows machine ¯_(ツ)_/¯
You need to crack the password to be able to do anything with it
how can i crack?
1 figure out how it's encrypted
2 use the associated 2john python file
3 use john to Crack it

😭
Maybe run apt-get update, or try with --fix-missing
why do columns vs rows still confuse me in Sqli sometimes... If someone were to show you a union statement without context. You really wouldn't know if it was a database name, table_name or column name without enumerating right? Since we're essentially injecting commands into columns the database names, table names or column names show up in the columns usually starting at column 2 depending on the type of SQLi. That concept took me forever to understand until I understood how the data was showing up vs how it looks inside a database.
Is your vm connecting to the internet? Looks like a bunch of failed GET requests.
sudo apt update then sudo apt install?
it looks like the library might not be available in kali’s repository
so you can try downloading from a third party repository idk tho
Did you end up figuring this out? I’m stuck on the skills assessment as well, don’t really feel prepared for it from the modules either
hello y'all, could anyone let me know what is wrong with command : smbclient -U WIN-HARD/simon --password=lxxxxxxxl //10.129.203.10
Lets see if I can word this question correctly... Doing a PTT attack (I am reviewing the password attacks module, on pass the ticket section), is there anyway to complete a full PTT with just Rubeus? It seems like to get the ekey I need to use for the PTT I can only do that with mimikatz. Is that correct? Or is there a way to use any of the base64 output I get from running Rubeus dump /nowrap for the PTT or another method with Rubeus only? Thanks!
After your command, you will get a base64 output, thereafter, you can do this to pass the ticket
Rubeus.exe ptt /ticket:<base64>
Thank you, I was just reading and typing that command when you sent it, many thanks! That helps clarify, so I don't need the username because its included in the base64, correct?
Yup
got it, thanks again!
Can anyone help me with the password attack module, i'm doing the password attack lab -HARD
?
what part do you need help on?
i downloaded the .vhd file, but i can't mount
yeah... I had a hard time with that, I used windows, I think I have a command that works, let me check
I thought people were treated with respect here.
Hi @tawdry vapor I'm leaving for today, but if tomorrow (depending on where you are) you're still struggling, feel free to DM, I can share some helpful hints with you....
I keep getting a permission denied error
ssh htb-student@172.16.5.225
Solution:
1. Don't copy paste the password just type it
2. Copy the password and when password prompt shows just right click at that moment it would paste that password and then press enter it would work
Why are you jumping straight to the second host? Unless you're already on the first?
You can copy/paste it. You're probably not adding the [shift] key in the paste
In terminal you need to add [shift] to the [ctrl] - [v] combo
shift also not work
if i copy password and just right click on password prompt it works
¯_(ツ)_/¯
Probably a thing with pwnbox sometimes the browser doesn't let you copy/paste
i got it the password, but how can i mount???
i'm stuck for a few hours
do you know if there are any plans to including videos on the modules
zero plans
😭 😭 😭
There have been several resources posted here about mounting in Linux, and as most users have stated you can also mount in a windows environment.
Literally searching up the encryption type in discord search nets me multiple results
lol no
And my other question is: were you intending on just getting the answer here and not even trying to do the research yourself?
Baws
this place is just as poopy covered as any of the others places in infosec
Check your walls for a tasty surprise
but i don't understand
thats why i came here and ask
i'm trying this for a few hours
Question for you Gigloti
it also doesn't help when you don't provide your errors
Why are you not pestering ChatGPT with your questions?
Unless you're referring to the kali 404 errors: in which case I'd suggest updating your kali
i'm in the chatgpt right now

I do hope you will use it, all your questions this far can be easily answered by LLM's
It's probably gonna register as empty or near empty bc there's like 1 file in it
i got it this password
is right?
now i'm trying this
but it's not working cause I have the "!"
Why are you supplying the password to the user argument first off
Second off, single quotes
i ask for chatgpt and he gave me this command
Switch -u to -c
Oh wait it is -u
Anyway since you seem incapable of actually using available resources: this is what most people have used
Can someone help me with the password attack hard lab. I've downloaded the .V** file and used John to crack. The instructions say to use -i , which when done shows some hashes. I've tried using PTH, but it doesn't work.
i'm not alone with this module kakaka
Read the above linked article
I was able to access the vhd
i'm asking here cause my mind is so confused
i'm trying harder and now i got it
I seem to be stuck with the Login Brute Forcing Skills Assessment - Website 2nd part. What I have is (hydra -l admin -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-50.txt -t 4 -f xx.xx.xx.xx -s xxxx http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='submit'"). Is there something I'm missing? My guess is the form name submit, but that's the only thing I can't find the name for and can only find the type of.
Maybe
plz stop spamming on all of the module channels if you don't have questions related to the academy
who plus?
random guy, no idea
hint try 'log-in' instead of form name
attempting it atm, so far over 60 sec in, also using user, WAIT
got it like right when you sent that. thanks for the help anyway
Hey
The password attack hard lab.
When I mount the .vhd and extract the am and sys** files, and use samdump2, the NTLM is empty when I crack using crackstation. Any help?
try to use impacket-secretsdump and see how it goes
hey need a nudge with linux privesc section: Logrotate, so far transferred logrotten then ran it with logs going to access.log and it just hangs....
How do I get the try hack me badge you got please
please I'm trying to connect to SQL labs, I keep getting an error, am I doing anything wrong?:
mysql -u root -h 94.237.48.48 -P 32638 -p
Enter password:
ERROR 2013 (HY000): Lost connection to server at 'handshake: reading initial communication packet', system error: 11
How is this related to an academy module?
Then why are you asking here?
didn't know where exactly to ask
take a good look at the names of the channels
where should I ask that question then
More than likely best bet is just to ask in #1024429874246590575
¯_(ツ)_/¯
Better ask in the TryHackMe channel.
When it comes to the 365 days strike, you have to solve at least one task during 365 days.
boy that took some time! onto the exam I guess 
oh that makes a lot of sense thank you

SQL INJECTION FUNDAMENTALS --> skills assessment --> i get everything i want but i can't get it to list the dir of the victim machine or access system files.
Can anyone help me with how to read the system files via sqli?
How do I install WDK?
Hey,
I'm having the same issue after authenticating to WordPress.
In the same section, the GitLab instance is not available either. gitlab.inlanefreight.local redirects to http://gitlab.inlanefreight.local:8081 and the port is closed.
The section is attacking enterprise networks - Web Enumeration & Exploitation: https://academy.hackthebox.com/module/163/section/1544
Congratulations 🎉🥳
Regarding the GitLab issue, it should be up if you wait for a few minutes (~5 mins) after spawning the target.
Regarding the WordPress section, after login & getting the proxy error, can you please verify if you are still able to visit this URL (http://ir.inlanefreight.local/wp-admin/theme-editor.php) and perform the attack as usual?
Attacking Common Applications - Skill assessment II
I have all questions but the first one... What is the URL of the WordPress instance?
Would anyone be able to point me in the right direction? Tried fuzzing the path using all DNS subdomain lists from seclist but nothing.
Tried this list subdomains-top1million-5000.txt?
tried the 5000, 20000 and 110000
Did you enumerate the site? I believe it’s referred to somewhere
It’s a well known subdomain
Yes enumerated few times.
ok thanks, will keep looking into it.
Yeah just opened the site, found it within 10 secs
I see, I'll review all my notes. Thank you
5000 is enough 🙂
Thanks for pointing this out, will keep working around my commands 😅
I also managed to find it with ffuf
I'm trying ffuf and only getting gitlab ...
What command are you running?
ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.local/
Not sure how to make it a spoiler... can delete once reviewed
Yeah that won’t find it
need to add the host and IP
Within -u you put the target ip, so http://ip , and then you need to look into -H HOST
The way you did it only shows gitlab, because I assume you added gitlab to your etc hosts file
I see thanks, yes only added gitlab to the /etc/hosts file
I’ve made that mistake a couple times as well. Till I added it to my notes 😄
once I get it working will definitely put it into my notes hahaha
If you put the target ip in -u, and what you initially tried to fuzz in -H 'HOST:<put initial fuzz here>' it should work
So fuzz.inlanefreight.local
Then as sentinal’s resource showed, you -fs the size that errors
Thank you for the replies @thorny pelican and @tribal plinth
So the problem with GitLab was my browser's cache 😬 Another module also used gitlab.inlanefreight.local and served a permanent redirect to port 8081 and this module didn't require a redirect
For WordPress I managed to access it after refreshing the theme-editor.php page multiple times, still not sure what was the cause
used a -h instead of -H 😑 need to pay more attention ...
got it thanks
You’re welcome
added to my notes also 😅
💪🏼
1 down many more to go
No luck :/
I am on the brute-force module and when I try to ssh with ssh b.gates@94.237.56.76 -p 22
I am getting the error b.gates@94.237.56.76: Permission denied (publickey).
Also when I try bruteforcing password using hydra I get [ERROR] target ssh://94.237.56.76:22/ does not support password authentication
How to proceed?
.phar.jpg should do the trick.
DM me if you figure out the type filter task. struggling
### Skills Assessment - Service Login
Currently stuck on the last part of skills assessment. Found the valid credential but got the error of Permission denied ( publickey ).
Tried to restart the lab few times but no luck. Anyone available for a nudge maybe I'm doing it wrong?~~~ Working now.
I’m doing the updated content, but can't follow the exercise because the fatty-server.jar doesn’t download to the desktop. Does someone have an idea why? Here is the Invoker.java, this is when I try to download it. I think I followed every step and tried other things like String desktopPath = System.getProperty("user.home") + "/Desktop/fatty-server...
i was just reading it, thanks a lot, i will try it
it was because we forgot about moving /methods/*.class to the raw file 😅 😂 thank you so much for your demonstration
No problem, importantly was just cause I found it useful since other people made a contribution to the post
guys im stuck on the pass the ticket module im trying to gather the tickets but mimikatz is giving me an error any idea ?
and all i am trying to do is gather the tickets but this seems like a memory issue
For anyone else i fixed it with privilege::debug
Hello, what are the advantages of using a VPS as a pentester? I ask regarding “Setting Up” module
mimikatz # privilege::debug
The output will show whether you have the appropriate permissions to continue.
Then launch the logging functions to query your work.
mimikatz # log nameoflog.log
And finally, output all clear text passwords stored on the computer.
mimikatz # sekurlsa::logonpasswords
I tried adding the protocol as well. It gives the same error.
Need a slight nudge on a DNS question.
trying to answer Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer.
I'm trying : ||dig axfr inlanefreight.htb @10.129.15.89 | awk '$4 ~ /^\A/' | wc -l||
I also tried : ||nslookup -type=any -query=AXFR inlanefreight.htb ns.inlanefreight.htb | grep Name | wc -l||
This command: ||`gobuster dns -q -r "ns.inlanefreight.htb" -d "inlanefreight.htb" -w /usr/share/seclists/Discovery/DNS/combined_subdomains.txt`||
is still running because I wasn't given a specific word list or "numbers.txt" file as described in the section, so I'm a tad confused there as well. but that's a different question entirely
both of the things I tried gave me the same answer (clearly the wrong one).
@acoustic owl You there?
don't use -O
hello, i'm struggling with tls assessment, have some issues with decrypting token
Ok. let me try it too.
It gives the same error. I think it's more of a technical error from simulation files.
is the Target up?
then use ||curl http://ip:port/download.php||
I did but didn't work.
need a lil hint ngl
It says 2768 minutes left. 🤔
When you start the target, it will run for 60, 90 or even 120 minutes.
Restart the lab, trust me
Sure. let me just do it and revert back to you.
@acoustic owl It's working. Thanks a lot...
hey payloadbunny, if i sent u my payload in tls assessment, would u tell me whats wrong?
i can try
sent u dm
The 172.16.8.20 machine in ATTACKING ENTERPRISE NETWORKS is very unstable and crashes often. It crashes when I interact through the website, it crashes when I am downloading a file through powershell, it crashes when I have an xfreerdp session and surf the website at the same time
Kerberos Attacks: Unconstrained Delegation - Users
I cannot get the tgt if someone can help me please
What have you tried?
Can I get some help on the Limited File Uploads part in the File Upload Attacks Module? I am stuck on how to display the SVG images.
Hey! i couldn't figure out the ans for the Web Requests module GET section can you please help??
I want to transfer laZagne.exe to a server in which I have ssh access. What is the easiest way to do it? in credential hunting linux
scp /source/lazagne.exe user@1.2.3.4:/destination/lazagne.exe
guys im on the password attacks easy lab
and like the brute forcing, it's taking forever, more than 2h
48 thread
a lot of these labs take awhile. did you try a mutated pass list

