#modules
said no one ever
he has a cerberus teddy in his room
how did you know

Who can help me with the 2nd question of this module: https://academy.hackthebox.com/module/216/section/2300 ?
but doesn't seem to get the information what I need 😁
Hello every one, i need some help : ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://94.237.53.115:40888/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded'
when i run this command i get no answer, here's what i found : :: Progress: [2588/2588] :: Job [1/1] :: 1708 req/sec :: Duration: [0:00:05] :: Errors: 0 ::
would someone please help ?
yo guys i reviewed my memory watched some youtube video and i read the module about networking in the academy and this still not making sense for me
they are on the same network even tho chat gpt say so
im feeling dumb like for real
wht its /24 when the subnet mask in 255.255.0.0
yes
maybe if this helps: both 172.16.6.0/24 and 172.16.5.0/24 is in 172.16.0.0/16, and sometimes it makes sense to add only a part of the subnet to route through a pivot host.
same network different subnets
i added a route to 172.16.0.0/16
i can only access 172.16.0.0/16 i can only access 172.16.5.0
i cannot access 172.16.6.0
I don't remember that module very well, and my notes only consist of some proxychains stuff
maybe try to add multiple pivot routes
whats your ip a of your starting host?
yes these 2 ip addresses belong to the same subnetwork
i'd try resetting the machine
@orchid pine maybe try with multiple, smaller leaps / pivots, that's how I solved this module. I used proxychains, but maybe you can do it with the pivot module in meterpreter
i solved it
it just it didnt make sense somehow
that i have a route to 172.16.0.0
but i cannot reach 172.16.6.25/16
hi @here , require help for Attacking Common Services - DNS
I am stuck on "Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer. "
Can I DM someone? I have tried using subbrute with the nameserver got from nslookup
@rapid kiln sure, glad to help if I can
Thanks @harsh patrol , Can I DM you? I will send you details of what I have tried
yeah
Hi @harsh patrol DM you
Module Name : Password Attacks
section name : Pass the hash
question : Connect via RDP and use Mimikatz located in c:\tools to extract the hashes presented in the current session. What is the NTLM/RC4 hash of David's account?
can someone help me the section dont talk about dumping hashes so i dont know the one for david and dont know how i can find it
Connect via RDP and use Mimikatz located in c:\tools to extract the hashes presented in the current session
The previous sections do. You gotta learn to apply knowledge from earlier material
yeah i know but the sections doesn't talk about dumping other users hashes i'm currently on administrator
it is telling you how to do it
Introduction to Active Directory Enumeration & Attacks on this module they will talk again about pass the hash and pass the ticket ?
do not forget about the "exit"
pass the hash and pass the ticket i didn't do AD
mimikatz.exe privilege::debug "sekurlsa::pth /user:Administrator /rc4:30B3783CE2ABF1AF70F77D0660CF3453 /domain:inlanefreight.htb /run:cmd.exe" exit i did this but dont know what to do next
for anyone who did this
cuz i kinda forget XDD
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" >> c:\tmp\mimikatz_output.txt
its asking you for the current session
and im about to start AD
and i want to know if they talk about it on this module or i need to go and review opassword attacks
i dont understand.....just want to give up on this f question
dont give up
broo i dint write notes about this and im on my place
i wish i can help
yeah i'll try later it's been a day on this question i'm so mad ahah
u can type the question on google
no worries i'll find a way to answer i hope
and u can visit the forum
website
u will find a lot of people helping there
check it out
??? anyone
i'm checking right now thx
if it is asking you to do it in RDP probably you have to dump the memory
Yes
but idk u can do it from PS also
You can literally look at what the course sections are when you click on it
can anyone help on the attack common services dns section
sure just ask
i found 4 servers but cant axfr with any of them
wasnt finding anything with subbrute so i went with dnsenum and found ns helpdesk and control.inlanefreight.htb
tried to axfr all of those with the machine IP
give me like 5 min and ill be with ya
maybe axfr is disabled
There is another
how would you enable it
Also what is your resolvers.txt file. It should just have the spawned ip in it
You can't.

^
Ya idk
you have the server name or not btw
i did not find any of those
yeah then you use the name server in the resolver.txt
you just bruteforce the subdomains
same XD'
the only resolver you have is the actual ip
you cannot find more resolvers with the information provided
python3 subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt
the command is on the module
thats what i have
you will find one human subdomain
i tried regular as well
What does your resolvers.txt file look like
Because that's where the issue is with subbrute
You don't need the ns line
Also if you added the site to your /etc/hosts sometimes it acts dumb
It doesn't know how to resolve ns.inlanefreight.htb
i did that and it worked adding the name server on the file
As htb isn't a valid tld
i added bouth and it worked
I think they mean to /etc/hosts and to resolvers.txt
ahh
makes sense
but in resolvers is weird if u add random top level domain as marcie said
im looking at the python code
¯_(ツ)_/¯
This works, but requires additional, unnecessary DNS requests.
Better specify the IP directly
I just did it (used usb tethering to get a connection going) and only put the ip in resolvers.txt, after a minute I got the right answer
I found Helpdesk
Nope
But stuck from there
You should be able to do it with the default names.txt file
Hmmm
in resolver
just specify the address id right
i will try that
Yes, specify the IP address directly.
Otherwise your PC must resolve the IP via hosts file.
^
Like I said its completely possible with the default names list and ip in resolvers.txt
As stated I JUST did it and it's working just fine.
Was able to axfr to the proper subdomain
Hi! i have a question regarding,SOCKS5 Tunneling with Chisel module
i copied chisel over to the target machine
I swear if you say GLIBC
:DDDD
learn to statically compile
....
very funny
guess since its a go binary
its not gcc
i mean other than gcc i never used anything else before
can you tell how can i lran it
learn it
└─$ CGO_ENABLED=0 go build -o agentcompile -ldflags '-extldflags "-static"' ./cmd/agent/main.go and i used this to compile it statically
huh, the windows attack host for LLMNR/NBT-NS Poisoning has no desire to spawn properly today
took a few resets
i did this
sudo go build -o chisel1-ldflags '-w -s -extldflags "-static"' main.go
had no errors
copied over
still the same error
the module says that if you're getting an error, try an older version
well, different version which would mean older in this case
Thats not the correct way to build statically
Can you teach us plzz or recommend a resources
how i can do it properly? or where i can read about it since fuckin chatgpt fucked me over with this syntax
why they didnt put compiling into the modules?
i love trial and error learning no doubt
but...
because when it was written it wasnt an issue
just like 30 seconds of googling
why google when you can use chatgpt and get 5 year old outdated answers
it's assumed people know how to google, especially someone looking for cybersec education
i will never support chatgpt, like im smarter than chatgpt
i was joking but yes im with you
Ive liked chatgpt when Im exploring a concept out a bit. But it I need something specific its always better to just hunt down an actually accurate resource
it can be helpful for some things, but yeah, google is the first stop the majority of the time
i have found some weird answers on chatgpt but probably was my fault
my google-fu is stronger 🤣
ive seen courses about learning chatgpt btw
oh yeah, there's one from ec council 💀
allright i get the point no need to kick me when i am laying on the floor
i managed to do it, another question
everytime i do this i always should manually edit the proxychains.conf or is there a better way to change between socks4 and 5?
technically we were roasting shadowexe too, you were only getting half of the kicks
manually edit or write a little bash script to do it for you
I like having little bash scripts for pivoting. I have one for autostarting my ligolo setup
ayyay men
dont go too harsh XD
yoo sweet
this is like my lightest form
just like three lines, and dumbly takes an argument in for the subnet for creating the route
i thought so
you don’t
why
Hi everyone, Im stuck on 'Service Authentication Brute Forcing' from the module 'Login Brute forcing'. When I try to SSH to use b.gates with the password I get the following question: Are you sure you want to continue connecting (yes/no/[fingerprint]
When I press, yes
I get this: Warning: Permanently added '94.237.53.115' (ECDSA) to the list of known hosts.
b.gates@94.237.53.115: Permission denied (publickey).
What can I do?
in Skills Assessment - Web Fuzzing
One of the pages you will identify should say 'You don't have access!'. What is the full page URL?
i found this http://faculty.academy.htb:54824/courses/linux-security.php7 but not accept the answer
check the hint
i mean
the hint or the question itself?
iirc you have to write PORT instead of the number
As a data scientist or software engineer you may have encountered the Permission denied publickey error when trying to access an Amazon Elastic Compute Cloud EC2 instance via Secure Shell SSH This error occurs when the SSH client fails to authenticate the users public key with the servers authorizedkeys file This blog post will explain the commo...
sure - but not accept the answer - i found the page
I will take a look at this article
i send an article because that error can be caused by several factors
double check everything
what we know is that from the server side everything is ok (academy provides a well configured environment in the ~99% of the cases) 🤷🏻♂️
"https://academy.hackthebox.com/" is it working on your machine?
nope
am i the only one that can't access the academy?
No
just for me the web doesnt works ?
it seems academy is down probably affecting modules
probably i can't even move back and forth
yap
the new box visual is crashing the system
Yeah servers down
all down
I am confident that there are no spaces or incorrect characters in the answers provided, as I have meticulously reviewed them. I have successfully completed seven modules thus far, encountering issues exclusively with this particular task
nice man
how can i help you?
that is the correct answer
any help with my section ?
This is incorrect
as stated before. the answer wants PORT not the literal generated port number
i min
Bad gateway Error code 502
Visit cloudflare.com for more information.
2023-09-30 23:35:51 UTC
gotta wait, htb infrastructure is a little wonky right now
I realize now that there was a misunderstanding on my part; I appreciate your assistance in clarifying it for me. The answer has been accepted. Thank you.
lets go mannn
F academy ?
ok i go to mimir 😴
rip academy
I was having the same issue. I had to use wget to download the latest version of chisel and run chisel from that folder.
Anyone here complete the first question on the Crackmapexec Skills Assessment who can help me out?
in the last module SOCKSRDP
i copy over the binaries but when i try to execute regsvr32.exe SocksOverRDP-Plugin.dll
it gives this error
this is the very first step setting up so idk what i "did" wrong?
are you in the correct directory?
yes and i am running it as administrator as said
in the module they just copy it to the desktop
check defender also
it is turned off
then it has to be real time protection
has anyone done Windows Fundamentals?
I'm mainly stuck on the skills assessment, I have been able to get the SID of the user i created but it keeps saying that it is the wrong answer
same thing with the group SID, I have gotten it but still prompts it as a wrong answer
Hey stop being fake shaow
?
also weird update, it seems to accept the user SID as the answer for the group SID but still doesnt accept either for the question about the user SID
so in short, have zero clue what im doing wrong
who can help me for this https://academy.hackthebox.com/module/67/section/630 , I can't find the share folder
Turn off the real time protection. I just got done with that module and bumped into the same issue
got it?
You should be able to in academy
Man 25 sections through AD enum/attack, 11 more to go.... so good but so big! Brain's starting to melt...
I have a question on Pivoting, Tunneling, and Port Forwarding -- Web Server Pivoting with Rpivot Section. I setup the rpivot on my Kali box and the ubuntu pivot host. I can curl the webpage in question (last question) and see the flag, using proxychains, but when I try to run proxychains firefox, it will never connect to the page with firefox. Has anyone experienced this? or have ideas ? Thank you!
Might need to comment out one of the proxy lines if there's multiple sometimes its a weird issue
Hi...
When a module says it takes 2 days. Is it an actual 2 days or 16hrs(cause i have noticed the time length is either equal or less than 8hrs) ?
The timing is bs and arbitrary
It's mostly there for companies to have an idea for employees to get through content. (Enterprise stuff)
But the actual time varies from person to person
yeah...this makes sense
And sometimes you'll struggle on a module and take 3x the time
Can anyone help me in
ACTIVE DIRECTORY ENUMERATION & ATTACKS: Living off the land
Question:
Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer.
I used this:
net group "Domain Admins" /domain
And got this users
administrator backupagent bross
clusteragent dclick freightlogisticsuser
jhermann lab_adm ldap.agent
mmorgan mrb3n nagiosagent
proxyagent solarwindsmonitor sp-admin
sqldev svc_qualys svc_sccm
To find disable accounts used this: Get-ADUser -Filter {Enabled -eq "False"} | select name
name
Guest
krbtgt
Betty Ross
Jessica Ramsey
But none of the users have the flag
What command are you using to find the description fields of the disabled accounts?
hey can someone help me, im trying to download a program called "process hacker" and i want to make sure its safe before i download it. can someone please help me and let me know?
has anyone heard of the program?
<@&861185840277487616>
Read the #rules
nothing wrong with the question
which one did i break
im very confused, which rule did i break?
which rule did i break???
Get-ADUser bross
For example
If I recall correctly, Process Hacker was part of the sysinternalssuite
dude, you do realize im using process hacker in a legal way
im using this so i can remove viruses from my computer
So, not in a way related to HTB courses?
yes it is related to HTB courses
can you tell me what rule i broke?
you didn’t break any rule buddy
Relax. He didn't say that you are using it for illegal thing.
then why is this other guy freaking out saying to me i broke a rule
He got a bit confused.
ahh yeah i see how this is, the assumptions
My bad, you didn't break a rule...but it still sounds like you are asking people on here to help fix your computer rather than help you through HTB material
im not asking for anyone to fix my computer, i was just asking if anyone is aware of the program so i can install it
it’s safe as long as you’re downloading from a trusted source
have you heard of Process hacker?
He literally was only asking about a tool, if you don't know what the tool is you could have Googled and saved yourself some confusion
no
I still feel like he should have Googled it himself instead of asking in here. Is this really the place to ask about any random tool? I get that it is a pentesting/hacking related tool, but is it within the context of one of the modules?
It could be related to one of the blueteam modules
¯_(ツ)_/¯
¯_(ツ)_/¯
It is used in Malware Analysis module
Hey man, i dont wanna be that guy But PLEASE Before you come at me getting all mad and stuff, Start some Simple research. Theres a search engine called "Google", Obviously theres other ones but you get the point. GHEEZ
And tbh I'd trust htb not to provide a malicious link to a tool
And you could also have Googled, but the point is moot
Just download the tool from the official website source and you should be good
And also, With you not being too knowledgeable enough You PINGED THE STAFF!
Well, like he said...he wasn't asking because it was in a module, he was asking to help remove viruses from his personal computer. It is like asking about tcpdump to help with your personal home router issues in this chat room.
Let us have a relevant discussion on the channel. A mistake can happen.
Either way
@radiant verge Is your question answered?
Nope still not answered
Firstly, Have you heard of "Process hacker"?
I have
go on their official website
Should i be good with installing it?, I scanned the EXE with virustotal but its coming up as Riskware and unsafe, I've seen others install this application so i dont know if its safe or not
I haven't looked at the cdsa path is that in there? If so: I might consider it after cpts
you never know until you try
It is safe until you are downloading from a trusted source. (This is already answered).
Short answer: anything that gets process info and accesses info like that is gonna be classified as riskware
Even if not malicious
Can i send the Link of the place im installing it from? i think its the Official website
Yep
Be careful with the link
🤦🏽♂️
Source forge?
I cant find the Credentials (Attacking Common Applications - osTicket)
The fact you're also treating me like im a bad person is just insane man
employee got hacked? 🙃
same
Not a bad person, just a suspicious one
I have tried all the credentials provided
Yes, it redirects me on that website when i want to install it
Is source forge not trusted?
I found this - https://processhacker.sourceforge.io/ in the module.
Process Hacker, A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware.
And I believe it is safe
Yeah source forge has a bunch of adlinks
I guess - I haven't checked myself yet.
Ok im gonna install it, i think i should be good
is this for process hacker? cause for me this didnt show up
I'm on mobile so it might be slightly different
oh
Yeah well for me when i go try to install process hacker on the official site, it redirects me to Source Forge and then the download just loads
Ah
That link is for 2.39
I think mine is the older version on the site
Ah the Google link I had was an archive link
rip us lmao
That is indeed the module getting-started
I search this plugin, but I don't find
Now I cant try any other passwords, i read online and it just told me to use the default password, but it didnt work, so i tried to brute force it, didnt work, so now I am just stuck
What plug-in? You're just showing us the module question
Reset lab and try again?
I did
Rip
Idk haven't done that module
Indeed when I go to "memory aid" there is "Search for plugin exploits"' and I searched but I can't find anything that gives me a result
@dreamy solar hint 1: identify if this is public or private ip
Because it sounds like you tried to do an Nmap scan on the ip which is not what you want to do
public address
Yes I looked but why in the memory aid did I look for a plugin? I don't understand and I go around in circles
Why are you looking at memory aid?
I can't resolve the question even after several hours of plug-in research.
Think about what my second hint could mean

Perhaps there's a reason you're given the port alongside the ip
Ugh cloudflare being dumb rn
maybe try browsing the target url a bit more
then you might get the hint
The hint is referring to if you've already looked at the ip:port
Not as a "before you even do anything"
Wdym
So either I'm completely stupid or there's something I'm missing
Try resetting the target
The yellow arrows next to the ip
But also STOP USING NMAP
who can help me,in this module "WINDOWS PRIVILEGE ESCALATION-Pillaging" last question "Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer." how can I do
Nmap will get you nowhere fast with this exercise
so I use what tools?
Scroll up to where I gave you hint 2
I'm not repeating myself
(I don't know in another way
firefox
This section is intentionally done this way to get you away from Nmap as your only enumeration tool
@fathom pendant can you help me
Things you're given:
Public ip
Port
yes but I don't use this for enumerates all ports with Firefox sorry
Haven't done this module I'd suggest reading the section carefully
Why are you enumerating all ports?
You're given a specific port
yes... indeed
sorry
after resetting the machine it works
I finally have a glimpse
Technically speaking all websites have you access them via 80 (http) or 443 (https) but sometimes there exists alternate ports, which you would need to specify it in your request
yes okay thanks
The alternatives are usually for websites hosted on public servers but not registered
In which case navigation is done via http(s)://ip:port
If you really want to use Nmap to verify the type you can also do -p {port} to specify the given port
Perhaps after this module you should go through the Information Security Fundamentals path to get a better grasp of the basics
I don't see the connection with the plugin indicated in "hint'^^" Now that I'm finally unlocked I'm going to watch this
Metasploit will be where to go once you figure it out
I will do
Iirc it is pretty blatant with the plug in it wants you to search
yess I figure it out
ohh plugin is Metasploit ?
No
Metasploit is a tool that can be used to exploit vulnerable services
The way that's intended for this exercise is via a plug in that you should be able to search using Metasploit
Okay okay I see now
thanks you
who can help me
Mate if you ask a question, make sure you say what you’ve already tried
yeah,I try it but I can't find
can I dm you
Why
give you picture
Verify your acc here and you can also send a picture
hello excuse me it's me again, do you help me please, I think I found the exploit to perform but I don't understand how to use it, I enter the target and once I launch the tool I have this
Did you specify the target port, 47193?
finally I managed to have access to the files which refer to all the users (GID / UID) (bug of my box again)
yes
Can anyone help me in this?
In the setting up module, it's described how to set up a windows VM and a VPS.
I set up a parrot VM so I don't have to use the pwnbox.
Can I skip it or are these steps of value?
Hi! Got a bit stuck with this question on active subdomain enumeration in information gathering web edition
should i count all the records?
yes
thank you for your help
😄
figured out
Yes all A records
print("Hello World")
hint give the lab like 5 min to fully booted up and make sure you use the wley user
if you have the hint try ||pop3||
the step of setting up a VPS? you can just skip it
the service
Perhaps you can change something in the options
thank you!
try looking up imap/pop3 cheat sheets online
However it's described to connect
the module/section taught you how to connect didn’t it?
Ok I’ll try thanks
hint you can use the command under Users With Specific Attributes Set but change the value according to the UAC Values image and filter for the description
OK let me try
the annoying one is the one where you have to use imaps ¯_(ツ)_/¯
Because the command they give doesn't give you the thing properly
Thanks got the flag but have used -attr * 😆
What you have used for the displaying the name and description?
-attr description lol
Ahh...!!
Need to oil my brain
Try connecting with telnet at 110 using the password you found from brute forcing
Then use LIST command to list the mails
Yeah..! POP3 kinda weird..!
Hi! i am doing the SocksOverRDP module. i am doing and following everything to the T, i want to login as jason to 172.16.6.155 and i get this error. I did switch to modem connection as explained in the module.
Nevermind i solved it! For others in the future: Only switch to Modem connection in Experience with the 172.16.5.19 RDP
Hey, I am doing the "Using Web Proxies" module and the question is "The string found in the attached file has been encoded several times with various encoders. Try to use the decoding tools we discussed to decode it and get the flag."
The string is ||VTJ4U1VrNUZjRlZXVkVKTFZrWkdOVk5zVW10aFZYQlZWRmh3UzFaR2NITlRiRkphWld0d1ZWUllaRXRXUm10M1UyeFNUbVZGY0ZWWGJYaExWa1V3ZVZOc1VsZGlWWEJWVjIxNFMxWkZNVFJUYkZKaFlrVndWVmR0YUV0V1JUQjNVMnhTYTJGM1BUMD0=||
The hint says try "base64 and url-decoding". Am i just supposed to n-times base64 decode and then m-times url-decode?
It just seems brute-forcey, and it seems i'm missing on something.
Any help?
The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
hey can someone help me out with a question. In linux essentials there is something asking me to find xxd binary. What does it refer to ?
like I found 2 paths for xxd but what does binary actually mean
Got it, Clicked magic decode 5 times and voila
👍🏽
Other than getting the answer, is there an insight to be able to do this manually?
be able to detect which encoding is being used
you decode it with base64 once and it is obviously again a base64
repeat until it does not look like base64
what is the question
Makes sense, so in a nutshell just general familiarity with how each encoding looks like
yes
Got it, Thank you so much
dm
no
Submit the full path of the "xxd" binary.
Hey, what you do in general if you have a user on the "*Print Operators" group which has the SeLoadDrivers privilege, however if you do a "whoami /priv" you cannot see the privilege, and if you do it from an elevated prompt you do ?, i was able to do that from an RDP connection but most of the time we dont have that privilege, i've tried to bypass the UAC by hijacking the "srrstr.dll" with SystemPropertiesAdvanced.exe trick but no luck also i've tried the elevate.exe, in this case what any do ?
im doing the windows priv module
I'm working on the WordPress enumeration section of the Attacking Common Applications module. I'm stuck on the first question (find flag.txt) but was able to answer the final two questions. I have been navigating the site, viewing source code for as many pages as I can. I also fuzzed for subdirectories and found wp-includes, which itself has lots of subdirectories. I've been manually looking through all of those in my browser trying to find flag.txt but can't find it anywhere.
For the second question in https://academy.hackthebox.com/module/24/section/160 Am I going to be strictly using the pawnbox or my own machine?
"Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, RDP to the box, unzip the archive, and run "hasher upload_win.txt" from the command line. Submit the generated hash as your answer. "
Could I RDP into the windows machine from my Pwnbox? I am kind of confused
you can use either, it's your choice
So I can use the Pwnbox?
yes, you can
Hello everyone, I'm just beginning to learn to hack. What do you think is a good path to start with?
Module name Password attacks
Section name : Protected archives
Problem : i cant crack the password for the archive Notes.zip
i did transfer my file to my machine using base64 encode and decode and then this command
zip2john Notes.zip > zip.hash and then i did john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash but i cant crack the password
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
use the mutated password list
thanks i cracked it
Solved the question I was stuck on but had to upload a webshell
ls
I have a reverse-shell on a "windows server 2016 ." How do I get a meterpreter shell??
Do the same thing you did to upload the rev shell, but instead use a meterpreter payload using msfvenom.

The section should go over it
ok I was just asking because I was hoping I could easily convert the rev shell
Any specific reason why?
There's a shell to meterpreter module
i think metasploit comes with an exploit I need
Do you mean you didn't get the shell with Metasploit?
right
Then no, it can't be done
ah ok, thx for answering me guys
¯_(ツ)_/¯
If the module/section didn't talk about Metasploit its probably not the place to look
I'm actually at the skill assessment part of the windows priv esc module
I need to elevate to SYSTEM level
You can do that without Metasploit
Just look around and see what you can use
Also usually with academy the windows targets have some stuff in C:/tools
ok, ill give it a shot, I heard that you can elevate with juicy potato but wanted to do it another way
Honestly doing it without Metasploit is the better way, as you'll actually learn more
Currently stuck on the PtT from Linux section I cant seem to find an answer to "Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_)." - Anyone have any tips? Found a .keytab file in /tmp, tried to crack the hash but not succeeded, tried kinit... not working with the format. really need some help with this, took me too long. thanks in advance
Best app for pracitce part Html/Css is a ATOM and POPW C0DE gys
/tmp is not where the machine account ticket is
go back to the part on finding keytab files
is this correct? i think it isn't but maybe you can correct me
How often do you guys face problems with VPN? I've had it in the nmap module (some scan didn't give me the right output) and now I'm doing shells and payloads and sth didn't work and when I changed VPN the issue was gone
I've never had an issue, but I know people do occasionally, switching to a different server and regenerating generally takes care of things
Yo I have a question
I often have a greyscreen trouble in pwnbox and port22 trouble on my VM.
Only doesn’t happen if I’m working only on one of them and with with my personal VPN disabled.
Anyone?
Shoot
How can I ha*k discord accounts using login links?
This is not the place for that sort of question
Not really sure that is ethical that question here
That's not a big problem when doing modules. I'm more worried about having the issue during exam and possibly not realizing that this is the problem. For example if i run sth and won't get the output that I should get
But I want to learn it
What is your point? This is a HTB server, so discussions should be related to HTB.
Ok my bad
What kind of issue are u exprrimenting
Experimenting*
I currently working on password attacks module Passwd, Shadow & Opasswd i used unshadow technique downloaded the password list and used hashcat to find the root password. But it isn't working. Does anyone have a suggestion what i'm doing wrong?
I have a question for all of you: I just started my journey on cybersecurity.
Is it better begin with htb-academy or with try hack me? Pros and cons? I find HTB very complete but sometimes I feel that to resolve pwnbox modules I need to look for external help, forums, etc
In the medium assesment in the nmap module I was running one command and it wasn't working. Then I've read somewhere that this might be caused by VPN so I used pwnbox and the thing worked. Now I was trying to navigate to the shell and I had runtime error. I've changed VPN and it worked
Considering it's illegal, no one here will teach that, so get out before you get banned
HELLO
In which way didn’t the command work?
Definity
I started with THM, as a full beginner it holds your hand a lot more, certainly good to get the hang of the basics, academy is definitely more complete but it does require some amount of independence, initiative, external resources and research
dont feel bad about googling a lot of stuff, you are lowkey supposed to do it
I don't exactly remember but I had less output. So that I couldn't answer the question. I'm going to re-do the assessment next week to test sth.
Maybe Academy is worthy to acquire those attitudes from the beginning?
just use both imho
Yeah, I've started with the thm too. But I only did the beginner modules. I'm studying cybersec at uni so that helped a bit
Don’t know in the states, but in Spain most THM paths requires premium account. If I have to pay I prefer focus on one of them
On one module I realized that I get different output using zsh, dnw
Yeah, you can start straight from academy, the information security foundations path will provide a good foundation for example
But I'm connected to the work VPN so maybe that's causing some issues. I'll test it
I’m following that path actually
I always experiment connection troubles when my personal VPN is on.
Thank you to everyone for the answers btw
Then it's a good start, you can still use THM too and only do free rooms, about 60+% of the rooms are free
The thing that made me more comfortable was learning networking. So I really recommend you getting the basics of that. That's also often coming handy in my job. I'm currently working in SOC. So deff don't skip that
Indeed, networking is essential
I’m starting a network management degree
Linux and networking makes everything 10x easier
Yeah, I’ve been studying for months and actually didn’t start pentesting. Still on the network/linux state.
Stage*
xD jumping straight into pentesting would be messy xDd
hey could you help me for Oracle TNS?
i logged in with the scott/tiger but i can not find the password hash for the DBSNMP user. any help?
select password from all_users where username = 'DBSNMP';
will not return password hash
the command for that is right in the section
Indeed, even following the right path may be messy sometimes 😄
Yeah I checked that, I can only get curl to work when using the socks4, I also tried socks5 and firefox never connects, I can see that after the 4th line here it just drops trying and goes back to my terminal prompt. I did try on the pwnbox and it works, so most likely something to do with Kali, I am going to move on for now but if anyone else has ideas I would love suggestions. For easy reference this was my question. "I have a question on Pivoting, Tunneling, and Port Forwarding -- Web Server Pivoting with Rpivot Section. I setup the rpivot on my Kali box and the ubuntu pivot host. I can curl the webpage in question (last question) and see the flag, using proxychains, but when I try to run proxychains firefox, it will never connect to the page with firefox. Has anyone experienced this? or have ideas ? " Thanks!
Ok I got juicypotato working, but how do i access the cmd.exe with higher privs that was created?
The reason I cannot get to it is because I am in a reverse shell.
Hi all, for Game Hacking Fundamentals, the section of Identify and Dissect Data Structure, I found two addresses that seem to be related with score value but when I modify it and continue playing the value changes to original or less than original, if anyone could help, I don't see how the theory is related with the challenge.
Anyone for help on Windows Privilege Escalation - Citrix Breakout? || I have access to the Desktop and a powershell sessions, but cannot escalate privileges.. the smbshare says it's up but copy says the path doesn't exist.. net use works but when i try visiting the drive it says it doesn't exists.. ||
There's still a pwnbox for the exam
dm 🙂
trying using another parameter when running the command, spoiler if needed: || look into -a ||
did you get it?
Yes! @rustic sage was huge help!!
Excellent! My issue with that section was not paying attention to the start and missing the fact that I was not in the Citrix session, glad you got it!
Boy, the Kerberos Attacks module sure is fire! IMHO it's very well done and I highly recommend it.
ill do it after CPTS path, actually is the only Tier 3 im willing to do
maybe CME one but idk if it is worth it
I personally don't think I'd bother with a CME module, the help menu is enough
I'm thinking Kerberos Attacks, maybe DACL attacks at some point, though it's a mini-module
but Kerberos Attacks is at the top, I definitely need to learn more about constrained delegation and RBCD
for sure ill eventually do a lot of Tier 3 modules, after exam
there's something to be said about overpreparing for the exam, people have gotten stuck because they were trying things outside the scope of the modules
reread my message 🤣 i probably misled you
yeah, it said preparing for the exam
The CME module is another that is very well done IMHO, but everything is relative I guess. I can say I am now fluent with the tool and after completing the course I walked away comfortable making PR's to the repo and even crafting my own modules. I might have gotten to that point eventually on my own, but the course definitely fast-tracked my progress. It was worth it to me, personally. I'm interested to see if and how the academy updates the CME module with all the changes going on with the tool.
Kerberos and maybe CME
and after exam, more
I don't recommend OSINT and LDAP 😦 , you can pass it
thanks for the review
my point does stand, the Kerberos Attacks module goes into attacks that are way out of scope for the exam
okk
you'd be better off doing a pro lab for hands-on practice, but that's personal opinion
now who have free time
I have a problem in "Windows Privilege Escalation Skills Assessment - Part I"
the intro academy module wont let me see what the target says in firefox
you can just add your issue on to your question here
which section? and send screenshot of the issue if you can
that one is just an example of what your target will look like
this is your target and what happens if you go to this site?
nothing, says it cant load
yea i mean screenshot of that lol
when i watched someone else do it they had text on the website
did you use http? also with the port
yep
try restart your target
yep did 3 times
I appreciate if anyone help me with this. Password Attacks > Windows lateral movement > Pass the Ticket From Linux > Q 8 : Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_). I have tried anything I know, found a kerberos ticket at used find / -name "*keytab*" 2>/dev/null and found the file /etc/krb5.keytab. however I can't go further than this, tried kinit and it does not work with, tried hashcat to crack the NTLM but still does not work 😦
it should be something like this
just shows this, no padlock
hint when using kinit you need to use LINUX01$ without the domain at the end
try it on your browser instead of the pwnbox
nice👍
also this is because of free pwnbox doesn't have full access to the internet and this target is docker with public ip but still the pwnbox should be able to access those target but HTB been having some issue lately
Regardless of whether I use PrintSpoofer, CVE-2021-1675, or JuicyPotatoNG, I cannot perform privilege escalation. There will always be errors or prompts for some operation timeout.
@vital adderso can I dm you
this time sure but next time ask question in details like this here first instead of who can help me with ...
ok
That was a challenging but enjoyable module!
I'm currently working on the CME module...the Skills Assessment has been a challenge so far! I am only on Question 2 since starting yesterday.
wow it works, could you please explain why the domain should not be added? no way I could have figured this out without help
i'm doing that module right now lol and just wish that they would cover more about attacks without protocol transition 🙏
that user isn't a logoed domain user like the others user in this section for example if you ls the home dir you can see all of the other users (with the domain) also i think this is a computer account and you are auth to the DC01 with this computer account
ahhh got ya, thanks MRtom! it really needed some critical thinking 😄
Hey all, struggling a bit with the first module of Understanding Log Sources & Investigating with Splunk, Introduction to Splunk & SPL. I'm an actual SOC Analyst and use Splunk every day, and I really feel like I am providing the correct answers to questions 2 and 3 as phrased, but for some reason, I'm missing something. Any guidance would be appreciated 🙏
huh, I checked my notes, I did use the domain at the end, but put the whole thing in single quotes otherwise you need to do character escaping
also relevant to @slate creek
i guess this would make sense but for me if an attack involve a AD machine like DC01 i would most likely used DC01$ not with the domain at the end like with an AD user
I think the system recognises it cause it's both local to the machine and valid for the domain
good to know there's two ways to do things though
but yeah, a $ can break the whole thing, single quotes all the way

You should change your environment variable to match the value provided in the linikatz.sh example's output for Linux01$
nc: bind failed: Address already in use
any fixes?
use a different port
Thank you
the module be like : attacking common services and then brute force .
i don't know if that's a good idea xD
hey Guys, I just solved "File Inclusion" : "Automated Scanning", but in a different way then it was intended (I think), I just have 1 thing that I didn't get:
at the end I got 2 the "example" file but when I tried 2 do ls it didn't worked (but when I entered cat flag it revealed the flag), does some 1 know y?
Hi ppl,
Total noob here
I was wondering if someone can spare a minute to help me out if possible
Just ask your question
Most likely the vulnerability was lfi not rce
❤️
I m running the JavaDeonfuscation Module in the academy,
I m done with all the steps except the last one.
I get a key by deobf curl output (HEX) -> De-HEX -> make a post request as required :
curl -s https://server:port/keys.php -X POST "key=De_HEXED_KEY"
(output is the HEX key again)
I'm sure there's something stupid I'm doing but this got me in a loop between the HEX/de-HEX key
ok but if there was no Q then I wouldn't know about the flag in the folder...
idk haven't done it so I can't be certain : but short answer is, if you got the correct answer then it was probably an intended method ¯_(ツ)_/¯
sorry ppl, found my way there,
I've missed the "-d" flag, each of the five times I got to try..
everything fine> thnx
Don't apologize
Sometimes writing your question out can make you rethink how you're doing it
¯_(ツ)_/¯
true indeed!
hey, help needed; for the Python3, there should be a simple question, right? In "Code block 2" the blank should be filled with what, to output all numbers in a terminal?
I've tried using print(f'{num})
and it works in IDLE
however, the answer is incorrect
and the hint is "Each underscore represents a letter or symbol"
why would print(f'{num}) be incorrect
and instead just ask me to use
print(num)
that is my question 🙂
Because sometimes it's dumb
lol 😄
But also your print(f' command has an open quote
oh sry, I closed it in the code
You would need to print(f'{num}')

Well it's specifically talking about code block 2, python is indent based context
yeah
used tab instead of four spaces
but the answer specifically asks print (num)
¯_(ツ)_/¯
not print(f'{num}') // although it would work 😉
If you want more practical experience with python3 I suggest looking into a (free) ebook: automate the boring stuff
Anyone can explain me what I am doing wrong or forgetting? [DATA] attacking ssh://94.237.53.115:22/
[ERROR] target ssh://94.237.53.115:22/ does not support password authentication (method reply 4).
Brute force - assessment 1
Well since it's a public server I'm assuming that you're meant to use an http brute force method, and you're also most likely supplied a port to use
Ah, i understand. Thanks.
generally for academy content public ip:port = web ¯_(ツ)_/¯
You are right, missed it 🙂
Hi! Can anyone give me a hint about Intro to Assembly module? I am stuck on that procedures section.
Hello, could I get some help with the "attaching thick clients" portion of the module "Attacking Common Applications"
Honestly cant find the the MAP section which is Read/Write.
Here is what I have already done:
Restarted x64dbg with only the Entry breakpoint
Tried importing Ghidra and analyzing the exe (no strings found apparently)
I have tried searching in x64dbg for the Ascii (4D5A - MZ) and its apparently only in two places as a file header (the restart service block with its .text,.data, .bss sections) and (the dll section which is irrelevant)
Dumping these gives me the error file isnt a .NET PE which is frustrating.
Any help would be appreciated.
Did you complete ELF executable examination part ?
Lol
I got the answer but it is not accepting as correct
So I am stuck for few hours and need to confirm that
I think I am not using the correct answer format
Could I get a nudge on Linux Priv Esc - Environment Enumeration
you can dm this was one a little annoying
what module is this for? i might be able to verify whether or not you have the right flag
attacking common services : medium assessment
anyone has the flag for help?
Attacking common applications
Hi, which discussion thread can I go to to ask questions about a Box? Referencing the box Naught
Can anyone help me with smbexec? I get the error: "You can't CD under SMBEXEC. Use full paths." I have tried cd C:\Windows and even \server\share\path\to\file_or_directory.
dm me the section and what flag you found
escape the backslashes
and its saying you cannot CD 🤣
hi!
we can help you if you let us know what your issue is and what you've done, but giving you the flag defeats the purpose of an "assessment"
i meant someone solved the assessment not the actual flag, so i can dm my progress
nevermind
If you give context of your issue and what you tried it's more helpful.
||i found an ftp server running on a non-default port and extracted a file with some creds , tried to brute force ssh with it but nothing worked . ||
did you try brute forcing ftp
Bumping this in case it was missed overnight
"At the Web Attacks - Skills Assessment, can anybody please help me? I am trying to perform a POST request with <!ENTITY name SYSTEM "php://filter/convert.base64-encode/resource=flag.php"> as an admin, but I am unable to retrieve the flag. I have also attempted using GET requests and other entities such as details and date, but I still have not succeeded."
if you want to dm we can try to diagnose this 🙂
I am facing error with whatweb each time I try it I am getting ERROR Opening: /{machine_url}/ - exectuion expired
any help
send it
Hello 👋
I am on the "Active subdomain enumeration" module on the question section. I don't have any information about "inlanefreight.htb" domain with nslookup, dnsdumpster or shodan. Any problem ? Someone can have some informations, its just me ?
OK, was found. I need to specify domain name and ip of the target that i just started
Thank you all
Anyone having any issues in the Module: Using Web Proxies for ZAP Replacer? Im not able to get ZAP to replace anything...
@rustic sage you said you have the NTLM hash, how did you get it?
python3 /opt/keytabextract.py /etc/krb5.keytab
i tried that but get this error kinit: Keytab contains no suitable keys for LINUX01INLANEFREIGHT.HTB@INLANEFREIGHT.HTB while getting initial credentials
one minute, let me check notes to see exactly what I did
yeah, it doesn't work because of $ in the name, it breaks the whole thing, put it in single quotes 'LINUX01$@INLANEFREIGHT.HTB', or you can do character escaping but it's easier with the quotes
yep that worked silly mistake on my part nearly had it, i appreciate your help
you're welcome
For this module(https://academy.hackthebox.com/module/24/section/1574) i am playing around wih the urlretrieve python method since its a 'playground' section
Why isn't this command 'python3 -c 'import urllib.request; urllib.request.urlretrieve("https://raw.githubusercontent.com/Automedon/Codewars/master/8-kyu/5 without numbers !!.js", "test_js_too.js")
'
Downloading the actual javascript file to my local machine rather than taking me to what I think is the python command line?
Good Afternoon I having issues with local File inclusion skill assessment stuck whole day... can anyone lend some assistance
Module name Password attacks
Section name :Pass the Ticket (PtT) from Linux
Question : Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.
I'm having issue with using the kerberos ticket in my local machine, i transferred the TGT of julio and put it in my env variable but the command proxychains impacket-wmiexec dc01 -k -no-pass does not work
how did you use kinit?
just ask your question you're going to wait longer if you don't - https://dontasktoask.com/
? i dont know about kinit the section doesn't talk about it
the TGT is already on the machine i just transfered it
ohh... did you set the environment variable properly then
two things, i would check the md5sum and verify the file you have on your attack box and the one you took from the target server are the same
i also didn't use the -no-pass flag
or forgot to write it down
i already looked at it and it's the same hash it's so weird
i think i'll just try on the pwnbox maybe it'll work
verify /etc/hosts because it doesn't know what dc01 is
if that doesn't work i'll go back to the module and redo it for you
i just got an other error with proxychains it says dc01 does not exist so yeah i think you're right but i just copy and pasted the ip in my etc/hosts file
hang on i'll redo it
thanks
i can give you the svc_workstations pass to ssh if you want
Hi there people,
General question:
Is an estimated ~2hrs a normal time for 'nmap <IP> -p- ' completion?
nope
hm, then I should probably flag this differently, thnx @mossy hatch
no problems my guy
my ticket expired... but it's working for me
/etc/hosts
172.16.1.10 inlanefreight.htb inlanefreight dc01.inlanefreight.htb dc01
172.16.1.5 ms01.inlanefreight.htb ms01
let me go back and get a valid ticket
did you remember to install krb5-user
yes i did install it and make the changes
just i'm not sure which ticket to grab it may be that because there are 2 tickets
i would restart the lab
- transfer one of the tickets from julio || in /tmp || over. I just base64 encoded and decoded
- the file name needs to be the same as it was on the lab machine.
2a) example: mine was named "krb5cc_647401106_r0zCZX" on the target so for me I had to export KRB5CCNAME=krb5cc_647401106_r0zCZX
- edit the /etc/hosts file on your attack box with the same IP and domains as it gives you in the module
- execute proxychains impacket-wmiexec dc01 -k as shown. if it says the ticket is invalid.. go back and get another one
also word of advice, once you get to the point you're prepping for the exam and helping others, don't take handouts 🙂 redo the lab yourself and test your knowledge
i'll try again thank you for the help
i didnt downloaded krb5-user actually on this machine...
looking back at the section it appears you only need it for evil-winrm, but i installed it anyways🤷♂️
Can someone help me with Logrotate in Linux Priv Esc? I've done the section as stated and have referred to the Github, but I get nothing returned.. Also confused as to why there is no config file...
You do not need a config file.
Find the logfile with write permissions and test what happens when you write things there
But how are you supposed to know which exploit to run... there are two for logrotten and it depends on what option is set within the /etc/logrotate.conf file
who can give me a hand with this question:
In the 'titles' table, what is the number of records WHERE the employee number is greater than 10000 OR their title does NOT contain 'engineer'?
from SQL Injection Fundamentals Module and SQL Operators section
I really would like to check if my query is right, that all
@acoustic owl Can I DM?
Sure
select * from titles where number > 10000 or title not like '%engineer%'
number and title are just tags i used, but in your case they can differ
can anyone give me a hand on the file upload whitelisting task please
tell us
I cant get any filters to respond
explain your context please
made the various extension bypasses and I am fuzzing a post request with them, and no matter what I am getting
Only images are allowed
Have probably sent 2k requests and got nothing back
this?
yeah
let me check notes
what can i do if in my server (pwnbox) I try to connect to a port but it says "The connection has timed out" In any page i try to enter ( Its lesson "Interactive Section with Target")
you did not try everything
because its a common bypass
or you tried it in a wrong way
im basically running the shown script with more file types and nothing is returning
Hello. I'm trying to do the Attacking Common Services - Medium assessment
Since yesterday I can't do my nmap scan as usual. It founds 4 opened ports then starts to slow down. displaying several messages like "Increasing send delay for 10.X.Y.Z from 20 to 40 due to 11 out of 12 dropped probes since last increase."
Is something broken or is it intended ?
1st try to bypass blacklist
try to pass from "Extension not allowed" (which means blacklisted) to "Only images allowed" (which means whitelist behind)
i was going too complicated on the list
xD
anytime
hey guys i know this isnt academy related but uhm does anyone know how to unlock icloud?
off-topic convos aren't allowed here and this community is for ethical hacking only.
Enter the correct credentials i guess
yeah my sister has forgot them lol
yes thats right
good thing websites have that beautiful "forgot password" button
Here's how to reset your Apple ID password and regain access to your account.
For the Module: "Using Web Proxies", Section: "Proxying Tools", has anyone had any success with intercepting any traffic through ZAP? I've only been able to get Burp Suite to work.
Can someone help me on ntlm relay attacks question "Submit the password of the SQL user 'sqlftp'."? (solved)
Anyone available for Linux Privilege Escalation Sudo (0-Day)? Neither of the exploits shown work...
a
a
Module: Attacking Common Services
Section: Medium Lab
can anyone give me the other port i found ||ssh,dns, and pop3/s|| after tons of resetting i got ||2121|| but i was never be able to get that other port and yes I AM WAITING for the services to start before port scanning
hint: there’s 1 last port
Yes IK that is what im asking
I couldnt get it even after resetting so many times
can you pls do that again😅
Anyone? This is getting annoying... I've tried 4 different POCs and even tried other exploits outside of the section and nothing is working


Can I DM?
If im not wrong the exploit given in the section will work, compile it transfer it and give perms, give id and run
It doesn't
can you send a Screenshot
I've statically compiled it, but it always returns ||“Sorry, user htb-student is not allowed to execute ‘sudoedit AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA’ as root on ubuntu."||
I even used ||sudo -l to switch to another user and try it, but same results ||
you dont need to compile it on the same machine you know, sometimes compiling it on your machine and transferring it will also work
I did compile it on my own machine
That is why the file is called hax and not sudo-hax-me-a-sandwich
give me a minute ill spin the machine and ill let you know
|| I even used /bin/ncdu to switch to lab_adm and try but got nothing ||
in the mean time can you try /bin/bash and then try running the exploit
That doesn't work either
nope compiled it on my attack box and then moved the entire folder
That was soo annoying
Tbh it still didn't technically work with the Makefile
I still had to use my -static compiled one
but next time I'll bring the lib file over..
hello all I am seeking help using NC to send shellcode i am on the "intro to assembly code-shellcoding tools" section and its telling me to connect to a compromised server using netcat but i have no idea how to use nc to send the code that i already generated to cat the flag.txt. just have no idea how to send the code via nc
Module Name : Password Attacks
Section Name : Pass the Ticket (PtT) from Linux
Question : Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
can someone help me i'm almost sure i have found the keytab and i used kinit but it does not work
my command : kinit 'LINUX01$INLANEFREIGHT.HTB' -k -t /etc/krb5.keytab
what user are you running the kinit as ? I am not sure you need the INLANEFREIGHT.HTB or the single quotes in the command.
Hi all, I was having some difficulty with the HTB Academy Hard Footprinting Lab (https://academy.hackthebox.com/module/112/section/1080)
||I was able to find Tom's credentials through the SNMP server, then use those credentials to access POP and retrieve an SSH key, however I am trying to use this SSH key to log in to the 'tom' user but it is not working (permission denied error) - I also tried the 'tech' and 'bob' users, as I saw those mentioned, but to no avail -- any pointers?||
what are the permissions set to for the ssh key?
I believe they are set so just I can see them - I think if the permissions are off SSH will outright state that instead of just saying 'permission denied'?
i'm root
-rwx------ 1 jeremy jeremy 3381 Oct 2 16:45 id_rsa
let me know if anyone has an idea here im pretty stuck 🥲
try chmod 600 on the key
did you try dropping the single quotes and INLANEFREIGHT.HTB ?
i'm dumb thanks it worked
Hi guys! I'm stuck in the Command injection - Detection module. It says when adding any of the injection operators I should see an error. But...I don't
Could you nudge me in the right direction?
Things I tried:
||Took all the injection characters, and submitted in from the html form in both chrome and firefox with a payload like ip=127.0.0.1<FUZZ>
Fuzzed the form using burp suite with all the injection characters, both plain and encoded.
Read the index.php source code||
is the burp screen shot from your machine?
from the pwnbox, but yeah
it appears to work?
yeah, but the question says I should get an error when using an injection char, which i don't get D:
it says it should start with "Please"
ah ok I understand
feels weird that I can get command injection. But can't trigger the error hahaha
dont url encode them?
Because it looks like you're doing url encoding
yup, on the last screenshot i used a encoded semicolon ;
Try not url encoding
oh thanks will try that 🏃
When you're url encoding you're no longer "injecting"
Ok I have a question as well... on Pivoting, Tunneling, and Port Forwarding the ICMP Tunneling with SOCKS section, it wants us to use ptunnel-ng I cannot get the tool to compile on my box or on pwnbox. Has anyone done this module recently and have any suggestions?
Just use discord search feature
Took me less than 5 seconds to find it
I almost cried when it took longer using a new line , but still I couldn't trigger the error
Reread the section and try one of the things again
¯_(ツ)_/¯
will do, thanks for the help!!!
This is probably a case where you're thinking ahead
I am discord impaired lol, also right when I posted this I tried to run the ./autogen.sh and it looks like it is working on pwnbox... trying again, and thank you for the tip!
You're also mentally impaired (but that's par for the course in this field)
❤️
types ls
why do files look familiar
fml I'm enumerating my own system not the shell

