#modules
it said succeeded
OK are you following the steps exactly as shown from the section?
The pivoting module walks you through EVERY step
yes.. I already followed the steps
yes
let me try to reset the target again
Then connected to the first hop
yap
It worked!
Thank you 🙂
yes, but i cant run it
When you launched rdp, did you get the message shown in the module?
rdp to victor? yes..
Question on Session Security - Skills Assessment.
So after all I got it working, but I am just curious.
If I access other minilab directories (e.g. api/userinfo) using the vulnerability, shouldn't I still be able to collect the cookies? || Why does it have to be that specific profile page? ||
the socksoverrdp plugin is enabled ? yes i got it
and then i turn on the "Local Resources" so i can transfer the file from htb-student to victor
Also the images are weirdly out of sequence with the text sometimes
anyway, i can run the exe after i reset the target
thank you for your help ! 🥰
¯\_(ツ)_/¯
what xd
the vulnerability is just a open redirect + xss
to steal a cookie
there is not even CSRF involved
http://minilab.htb.net/submit-solution?url=http://minilab.htb.net/profile?email=julie.rogers@example.com this is the open redirect and then the Country field of the profile is vulnerable to XSS where you insert a payload to get the cookie because it has no HttpOnly flag enabled
you dont need any php
and no because the XSS is in the profile page
You're kinda going overboard my guy
then you make the admin visit your profile with the submit-solution open redirect
trying to explain
This sort of explanation is basically spoiling it
meh
And you should probably be taking it to dms
Instead of basically spoiling a SKILL assessment
anyways the solution is spoiled through the module
Even if it is trivial
in this specific case
Plenty of modules do that
It's up to the reader to discern that
Noted. Thanks for the help!
@hallow kiln 
You don't need | before 2>/dev/null
Do it 
seriously the first question is to brute force a WinRM that is taking ages? HAHAHA
Does winrm take long? I legit don't remember
From what I see you're already verified
an amazing mod fixed it for me
Thought you were already verified earlier
Just set threads and go
It's not that bad tbh
do you know how to brute force winrm?
Wait until you start using the mutated password list
Yes by using one of the tools mentioned
netexec (aka cme) does not support threads
Crackmap does support threads wdym
yea true i was looking into winrm protocol
specifically
Why are you using netexec?
Hello everyone,
I'm diving into the "Documentation & Reporting Practice Lab" and find myself in need of a bit of direction on the first question.
So far, I've discovered some credentials on the NETLOGON smbshare using the command:
||proxychains smbclient "//172.16.5.5/NETLOGON" -U INLANEFREIGHT.LOCAL/asmith%Welcome1||
Given what I've found, I'm uncertain about whether I'm on the right track or if there's another piece of the puzzle I'm overlooking. Can someone provide a gentle nudge or confirm if I'm looking in the right direction without giving away too much?
Thanks for your time and assistance!
its the same
i increased the threads but i see no difference
It obviously still takes a minute
also python threading is buggy
You might also need to add -local-auth or something
sorry for disturbing again
I tried to remote to the targeted host but got the error (I already searched and saw many people facing the same error)
I already tried to run "Set-MpPreference -DisableRealtimeMonitoring $true" and made sure that real-time protection is off, but I still get the same error
did i miss something here ?
yea it wasnt that bad in the end
threads appear to help
docker run -v "$(pwd)":/opt:ro,Z vanhauser/hydra -L /opt/username.list -P /opt/password.list ssh://10.129.126.235 -t 64 am i chad enough?
why is connection to module labs so unstable? I have machine activated, I can ping and work with it for a few moments and after few minutes e.g pwnbox can't ping the target
like I'm slowly bruteforcing stuff and randomly the target is unreachable, my internet is really solid
Are you running pwnbox and your own vm at the same time?
with -t 64 i probably missed the correct combination?
+4k tries
pwnbox and connected with VPN
xD this is unreal for an academy module
this is the problem
mm
you have 2 vpn instances for the same user
Don't, lol that causes network collisions
well, I activated pwnbox cuz the connection was shit to begin with
If you're gonna troubleshoot using pwnbox; turn off the vpn
mkay
Don't bruteforce ssh
wdym dude
Lol if you're on the pass attacks module: enumerate first
bruhh, learning hacking through modules is messed up mann
i tried enumerating nfs
am exactly here
nothing more to enumerate
You can narrow your user list after logging in with winrm btw
oh lel, it succeeded 🤦♂️
yea but for winrm
you have to use the full list
C:\users
i narrowed it still took 15 minutes
there's also ssb ¯\_(ツ)_/¯
im gonna test it
but you can't specify a user list, I'm probably doing a bash script
A better tool for bruteforcing ssh
why is it forced to complete 100% of the modules to get the cert?
its fun
it's really not lol
because
I love doing regular boxes where vulns are unknown. Here you just read the text and copy paste commands
I honestly think a lot more people would get humbled by cpts if they were allowed to do it without the course but I say hey let em get humbled
the skill assessments dont usually follow that
nah why this ssb tool is so cool
Because someone said fuck you to ssh
When I issue the command sudo -l , it provides a user with a list of commands they are allowed to run as root right?
I got ssb from a friend when he did the module
sometimes
whats the question
What command can the htb-student user run as root?
so I type sudo -l
I tried inputting it different with, with full path also
it's gonna be the /usr/bin/** or whatever the real tool name is
probably had a space or something
thx for it
gonna take a rest
for the password attacks 
isn't it fun 
awesome
ssb is definitely much faster for ssh, but to be fair, it's very unlikely you'd be bruteforcing ssh out in the wild
It's because of how it handles its threading
Especially if ssh is only rsa auth
yea nowadays ...
which it should be, but ya never know
know what is fun now? hydra from docker comes without rdp

I don't have it installed, wait a moment
I stick to installing my tools lol
yeah shit is annoying.
Ask your question
please**
Well I'm pretty sure I already have the answer
But it won't let me submit it
lmao
Do you want me to put it in here? Or is that considered a spoiler, its the first question
I've done everything successfully but I don't know how to submit it as the right answer
I'm pretty sure I have the answer for 1, and 2
Do you want me to post them in here ? And see if theyre right?
If the answer is not accepted and there are no spaces in front or behind, your answer is probably wrong
^
Okay let me try harder, and let me try smarter and I'll be back
Also the outputs for some have a trailing.
Okay thank you, Imma try again
So if the answer to both my questions was no: then you're wrong :D
FILE UPLOAD ATTACKS
Skills Assessment - File Upload Attacks
Try to exploit the upload form to read the flag found at the root directory "/".
I have used burp repeater to try and submit a payload within a .svg image file.
Can anyone help please?
What exactly is not working?
The svg files are getting blocked on the front end. When I try to use burp to get around it, the .svg file is not getting submitted properly.
I don‘t think so…
Well did you confirm .svg files are even accepted?
Thanks guys I'm trying harder atm
Hi, anyone who has completed the Skills Assessment II of NoSQL Injections?
how much time does it take to brute force the FTP under the mutation section? jesus christ HAHA
5k tries already
[STATUS] 774.29 tries/min, 5420 tries in 00:07h, 88642 to do in 01:55h, 45 active 💀
one thing im not sure why but ssb could not get the correct one. and i used the mutated with the custom.rule they provide under Resources
myeah, that's the one that takes forever
if it reaches 20k tries im just reversing the order of the list xD
imagine it is on the 25k 💀
probably a bad idea, based on what the pass is
is it the password attack module? yea that's the most frustrating one to do for me
but if I remember right, if it's taking hours, you're probably doing something wrong
im at 12k tries in 14 minutes
yeah, I checked, don't reverse it lol
used 64 threads but only 45 survived
thx
great
target died
gonna just cut the list
who the hell designed this module
this section at least
yeah, the large wordlist is not needed to teach the concept imo
could have kept the list to 20k for example
or something customised based on the password policy
w.e.
just w8
lets see some ippsec
kay not that bad at the end
18 minutes
~17k tries (?)
yup
Dont use 64 threads use between 30 to 48
its ok to use 64
Just saying, 64 Never worked for me in that section
it worked for me in all the questions i answered till now
Yeah for me as well except for that section
@thorn urchin did this happen to you? if the list is too long it just give false negative
internet diff
Usually what really happens for me is that its murdered the target ssh server and thats why it got a false negative
ah for real?
the defaults are honestly too aggressive for a lab imo lol
i even used 300 threads
its a con that its too fast. Not a perfect tool even though I like it
yea
Id try like...100 or 50 even
but it found it
with a smaller list containing the password (a.k.a narrowing the original list with some OSINT )
gonna keep using this
anyone has done the crackmapexec module? need some help with the skills assessment question 1, I had gotten a list and pretty sure I found all of them, I filtered out all the non users and did password sprays but didn't find anything
hey, can anyone let me know if, to grab the AMProductVersion, you used the command Get-MpComputerStatus?
yep
hmm ok, weird because the number grabbed is not accepted as a valid answer
strange, what number are you getting? DM me
.
hey did you get to figure this one out? i've been looking into the same and could not find the information following what's in the module.
hint after getting a user list it's a type of attack not spraying
also you may want to remove how you got the user list due to spoiler
ah gotcha, thanks!
https://academy.hackthebox.com/achievement/1009496/23
Took me longer than I care to admit, all because of a syntax / character issue
hi guys, for the command injection skill assessment, is the module asking for a clean result of command injection? because I can read the flag, but the output is messy since it is combined with errors. Here's an example of what I mean with another command. ||Error while moving: mv: cannot stat '/var/www/html/files/uid=33(www-data)': No such file or directory||
With a command injection it is often the case that you get various other messages in addition to the result.
The main thing is that your commands are executed.
😋
Web Attacks: Bypassing Basic Authentication, the web app doesn't accept HEAD request, can someone please fix it.
nvm got the flag but not the way intended
for some reason on the hard machine in password attacks the samdump2 tool does not work
strange
but you could use other tools
yea i used secretsdump
Hello, i found the flag in Footprinting SMB but not accepted .
that’s a great tool!
did you check for spaces at the beginning & at the end?
yes
lol ok i found
hey ppl. greets to all!
I 've been setting up a listener to pivot through Nibbles (1st box @ GettingStarted Path) .
I was doing all other related tasks having the listener running on the shell and then an IP came up.
The IP was unrelated to the tasks at hand. (nope sorry, haven't kept the IP, just killed the terminal window)
Someone else poking around? Thoughts?
pivoting at GettingStarted?
such an advanced topic to get started
<@&861185840277487616>
rule 4
Keep it legal.
Do not request, suggest, perform, promote or in other way or shape discuss illegal activities. We respect and follow the Discord ToS as well as the HackTheBox ToS, and do not hesitate escalating matters appropriately, if we deem it necessary. If in doubt, ask a Community Administrator before posting or don’t post it at all.
also the topic of the channel is totally unrelated to your message
i dont even know what modules are
i told my friend about my website errors then he invited me to this server
he probably trolled you
@simple siren
Read the channel description
Discuss all modules here, from the fundamentals to the really mentals.
Modules refers to the modules of the HTB Academy
Hello, kind people. I am stuck on the Footprinting medium lab. I logged in as admin and I am into the SQL database. I gotta find the HTB profile + submit the password as an answer.
I found columns: id, name, password.
How can I change the entries?
SELECT TOP 200 id,name,password
FROM <table>
ORDER BY <column> DESC;
(I modified the query cmd, but it gave no results)
Am I on the right path?
Hello, I am a beginner , I wanna learn cybersecurity stuffs to fight hackers
Then take a look at the SOC Path
Is there unethical hacking here?
no
No, everything is done within a controlled environment.
Good
Read #rules
So , I am 15 and what should I do in this website?
Well, there's a lot to cover.
Sigh... call it authorized intrusion within a computer system.
Not as far as I know. Not that much. Basics will be covered.
Wait, what can we do against hackers?
What do you mean by "what can we do against hackers?"?
Like yk, I was hacked a lot of times before and I wanna do something against the guy who hacked me
Report it to the police, use strong passwords, don't click or download anything suspicious
This went back in the chat, so I will put it here.
just find the table right click and select 200
no need for commands
I was hacked in discord
Oh..thank You a lot. I thought I had to make a new query.
any time
the right table is kind of visible but let me know if u cant find
right click on the table
Can we take it to DMs?
I was hacked on discord once and I found the guy who hacked me, what should I do
^
report it to the police
Notes.zip
Like the best ethical hacker here?
there is no ranking
Hi on https://academy.hackthebox.com/module/113/section/1211 Attacking Common Applications > Attacking Tomcat > Perform a login bruteforcing attack against Tomcat manager : am I supposed to use some specific wordlist ? because I don't get any positive results using default metasploit wordlists (nor am I using msf user list + rockyou (yet))
Hello, stuck on the Footprinting module Medium Lab.
What I did so far:
I ran a normal nmap scan in which I found ports 111, 135, 139, 445, 2049, 3389 open. I quickly recognized the nfs system running on port 2049 and I proceeded to connect to it. I got many IT_tickets, all of them empty except one which I opened.
It turned out to be a conversation giving the full configuration for a smtp server, plus domain names and a username and a password. I tried connecting to this smtp server using telnet, port 25 and 465, I also tried using openssl, no luck. I also tried connecting via smb with no luck.
I know there is supposed to be a sql database because the hint mentions it and it's been mentioned in many questions on this channel before, but from my nmap scan nothing makes me think of a sql server.
I would appreciate any help or hints !
Nfs
Hello there, Module: Password Attacks, Section: Network Services. I have brute-forced everything, but on smb when connecting to the share there is nothing, and it prints NT_STATUS_NO_SUCH_FILE listing *
could anyone help pls?
What do you mean ?
Go back to the nfs section
@swift tendon
is that the last question?
yeah
DM me so we don't spoil things
enumerate nfs
Hi guys, I need a VM to hack on locally, for an exam at my university. I need a simple one, not one extremely difficult. Can anyone say how to find them?
you did not try RDP
he already did lol read the message
you should not try something on closed ports, people tend to reuse passwords
thanks for all the answers, I did go back to the nfs lesson and I am now trying to authenticate using rpcclient and the credentials I found
maybe the smtp password is reused for his personal computer account
Oh if you found the creds, check 445
there is no need, just connect to the computer and enumerate from there 🤷🏻♂️
I did it differently🤷🏼♂️
Enumerated nfs, enumerated smb, then rdp as admin
Also possible
I use it too
im running it smoothly
Sometimes it errors out for no reason lol
Attacking Common Applications > Application Discovery & Enumeration:
The report.html header isn't being accepted as the answer?
it's seem like you are missing the first bit of that file name
LOOOL, wrong program
im a mong
apes together strong
Module: Pivoting, Tunneling, and Port Forwarding
Section: RDP and SOCKS Tunneling with SocksOverRDP
I'm trying to solve this exercise using ligolo. I've used ligolo for pretty much every other exercise so far in this module. I have successfully set up my pivot on the Windows pivot host provided in the exercise (internal IP: 172.16.5.150/16). Now I'm trying to RDP into the target at 172.16.6.155. I ran the command "sudo ip route add 172.16.0.0/16 dev ligolo" from my Kali VM, but whenever I try to RDP into the target, I can't connect. On all the other exercises I was able to RDP in no problem.
have you tried doing it the way it asks you to 😉
Isn't it .15 not .150?
Yep! I'm sure that would work and allow me to move on, but I'm just curious why ligolo isn't working in this case. I'd like to solve it using both tools.
Granted been a minute
When I type ifconfig within the ligolo session it shows .150
can you ping the host?
Are you sure its 172.16.0.0/16 and not /23?
That could definitely be my problem. Let me try.
Not yet. I'm going to try adding the route suggested by MarcieLee and then try again.
there are 2 networks, 172.16.5.0/24 and 172.16.6.0/2, so why did you use the 172.16.0.0/16 network lol?
make sure you have layer 3 connectivity before trying other things
Haha I think I just don't understand the notation for subnets well enough. This exercise is showing me I need to study up on how they're notated.
try this super quick
sudo ip route add 172.16.5.0/24 dev ligolo
sudo ip route add 172.16.6.0/24 dev ligolo
No dice. Still can't ping the target.
@vital adder Can you please create a module that explains about ligolo I have had time using the tool
i did lol
Ok let me hope that the module will come out soon
That didn't work either. Having a lot of trouble finding the correct path to add to my routing table
¯\_(ツ)_/¯
No worries, I'll just go with SocksOverRDP for now. Thanks for the help!
Yeah it might just be an issue with your first host session
sorry for the wait but it's ligolo-ng worked just fine for me on that section
because the second target can't reach your attack machine you have to use the first target as a jump box but beside that everything should work fine
also with double you can't send ICMP
with double?
as with all of the stuff I "created" for the academy, I'm not in the academy content creation loop (yet) so everything is unofficial and probably none of it will be released publicly as long as I'm not an "academy content creator"
Oh nice, thanks! Yeah you've definitely done something in the right-hand screenshot I didn't do. I didn't add any listeners anywhere. I'll play around with that and see if I can get it working. Thanks again.
(i was finding article about double pivoting but it giving football for some reason 🤣 )
https://blog.raw.pm/en/state-of-the-art-of-network-pivoting-in-2019/
is this something specific to this scenario?
i have set up several home labs with up to 6 pivots
and i could ping through the 6 tunnels
you can't call back from the second target to your attacker machine so you have to use the first target as a "jump box" as in creating a port forwarding from that to your machine and call back using that tunnel
could be but duno 🤷♂️
don't see why you wouldn't be able to ping if you have connection
nvm ping work
yea xD
nmap just being weird
is it due to the proxy happening at level 5 an ICMP at level 3?
it is
and Gvisor network is the same layer as icmp, like a VPN
this is why ligolo-ng is such a super tool
you'll have to use some kind of layer 5+ host discovery tool that pings a protocol
for host discovery when pivoting/tunneling through socks i usually do echo '' > /dev/tcp/IP/port
using most common ports
based on the exit code of the echo you can use afterwards a && operator and print HOST X active or something like that
Can you describe what you did to get "Agent joined . . . victor@DC01" to pop up in ligolo? Did you RDP to the target to start that connection?
Here's what I have so far:
hey guys, is it better to run an htb vm locally for learning instead of from the cloud? As it has kind of better performance?
Depends on your threat model as you should generally be treating htb as a hostile network (even though you'll almost, practically never, get attacked via another user). But if you only need boosted performance then yea: locally
It also allows you to access things offline if needed
alright, so I can still go through the modules and test em out on the same vm? Instead of creating one each time.
well yeah, you have to upload the agent on the target and then connect back
wait, did you start the session?
yes
alright cool. Then Ill make a vm
I don't see that in your screenshot
Yeah sorry I had started it a while before I took that screenshot
Seems like I need to upload a ligolo agent file to the final target (jason's machine) and run the agent file from there. . . but that means I would already need a shell as Jason? In which case I could just read the flag? Feeling pretty confused.
No
You have to have it on htb-student -> Victor
Start at point a then go to point b
In past exercises, once I start a ligolo session with a pivot host, I can open a new terminal and connect to the final target right away. No need to start a listener or anything. This exercise seems different.
Then c
With this exercise the final target is not connected to the first jump host
Oh!!! Got it. I was confusing Victor and Jason.
Lol in my head they were the same person.
it goes htb-student -> victor -> jason, yeah
It's a skill I've learned
Yeah thanks a ton, I appreciate the breakdown
Np
It's the same way I take notes
I cut as much of the fluff out of it as possible and break it down to what the core solution is
Hello, still stuck on the footprinting medium lab, I have used rdp to connect to the target using alex's credentials, and looking around the files in the machine I found the important.txt document containing the credentials for sa. I tried it on the mssql login window with no luck.
From the many comments I read on this issue it seems that you should use username spraying, so using the password with many different usernames and it's what I've been doing, I've been trying sa, admin, Administrator, root, alex, and I also tried all of them with WINMEDIUM\ as a prefix but nothing worked. Another comment suggested to change the credentials by writing "a" or "." instead of @ but it didn't work either.
Any help would be much appreciated !
- you can't access the mssql service from outside the box
- one of those usernames works
right click on the ssms application on the desktop and click ||run as administrator||
use the credentials you found for that
hello i am a newcomer i need guidance
I'm having a tough time copying the ligolo agent file from either my Kali box or htb-student over to victor.
Had no problems getting it from Kali to htb-student
can i get help, i am 13
i was jk
what should i rlly do
i need help
i got some things called machines
i am using pwnbox
Thank you, indeed I could open mssql as administrator but I am not sure whether to use the Windows Authentication or SQL Server Authentication now. It seems I can only connect through Windows Authentication and I'm trying to find the correct database to get usernames and passwords
stop spamming you'll will get the 👢
i need help
Before you were 15
when using xfreerdp use the /drive tag to mount one of the directory on your machine as a mounted share drive on the target machine, something like this: /drive:home,"/home/(your user)/share-tools" and on the target you can access it from the normal file explorer or in \\tsclient\home\ with cmd
Note that you can actually run the agent straight from the mounted share drive: \\tsclient\home\agent.exe -ignore-cert -connect ip:11601
i use this method in my original screenshot and sorry missed your last ping, but after you create a tunnel you basically have to use it 🤣
on the victor machine call back to the first (htb-student) target instead of your machine
They figured out their issue was mixing up Victor and Jason user
Hi community, I'm stuck in the Windows Event Logs & Finding Evil module in the Tapping Into ETW section, I am replicating the example 2 to solve the question, I can not find the requested: "ManagedInteropMethodName that starts with "G" and ends with "ion".
My sequence of the attack is to run the Seatbelt script, and then run SilkETW to capture the records and finally filter into the etw.json, but it is non-existent, I don't know what I'm doing wrong
oh yeah i know, just adding some life quality with the /drive thing
Yeah /drive is super useful
I almost never worry about it since I have my tools linked to my nginx web-server on my vm
I eventually wanna revamp it and make it look cool with links, been a minute since I dabbled in css and html
So fun side project
starting today some practice with AD on the main platform, hope it is going to help me practice my skills with AD
The only real way to practice ad on main platform is prolabs
the Active Directory track is not going to help?
not as good as some of the prolab will
but that's a good place to start
beware that some of the later boxes in that track will have some (let's say) non-AD stuff like phishing
Flag acquired! That was a lot of fun. Felt like I learned a lot. I really appreciate everyone's help. What a great community.
Also, I'm naming my firstborn child Victor.
Allahu akbar
Mashallah

Well it looks like you're canceling something [the ^C denoting the sig-int]
no, this line [] completed: 100.00% (1/1) after I press enter. But if you do nothing, this line will simply appear "SMB dc01.inlanefreight.local 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False) " for some time and nothing will happen, the command will end on timeout
thank you man, I want to try some of the pro labs but someone says you need to be so good with Windows privilege escalation
It's probably an issue regarding proxychains if I had to guess
yes but not quite
hint: you are trying the right thing, hence the shit ton of spoiler in that message
what xd
If it were a proxy chain issue, I wouldn't be able to run the --rid-brute command to get the list of users. I also wouldn't be able to simply receive data from the domain controller. would just complete its work immediately without output
i did that skill assessment with cme 6.0.1 so if you are using an super old cme that could be the issue (there was some issue with ldap stuff) but you can shoot me a dm and i'll help you troubleshoot
Hello! Is there anyone who has solved the skill assessment II of the nosql injection module? I only need to know how to get a ||time delay in server side javascript injection for mongodb||. Thanks.
pls remove all mentioned with spoiler like this one 🤣
ok, ok, but if everything had gone smoothly and I had figured out how to move on, I wouldn’t have come asking for help. I've been trying to move from this point for a whole week, and I saw the hint
sure and i can help you troubleshoot, i'm just asking you to delete the spoilers
5.40
*in dms
you’re on the right track
Module: Attacking Common Services, Section: Attacking FTP. I need to get into the FTP server but the target keeps disconnecting and I have reset it over 15 times. What can I do?
Hi
Hi community, I'm stuck on this question: Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Dashboard". Either create a new visualization or edit the "Failed logon attempts [Disabled user]" visualization, if it is available, so that it includes failed logon attempt data related to disabled users including the logon type. What is the logon type in the returned document?
For Splunk module ?
What exactly is not working?
This is for Kibana, I don't understand what is required with the "logon type in the returned document". My query is the same as listed in the instructions
My logic was that by logon type, this means either the eventcode or the action
what have you tried?
@dull thistle once you have configured Elastic search as per the lab navigate to the table and specify the "logon type"
0xC0000072 – "User logon to account disabled by administrator".
for your filter that error code is for disabled accounts
if you get the answer for the next one please DM me i've tried every combination need to go for a walk now to clear my mind
guys, the machines on htb, are they about achieving domain compromise or being root?
Are you referring to academy or app.hackthebox.com
Each machine has 2 flags, root and user: you perform them mostly Blackbox aside from ip
i know
but thers is
a difference between achieving domain control and being system
Yes
in the machine
But this isn't the appropriate place for discussing this
sorry guys, then it's just that most of the time I'm doing academy, that's why, sorry
Still learn the appropriate place to ask, especially since you have access to most of the rest of the server
Like #general
any hints for this please ?seems so easy, I must miss something simple
Sometimes Nmap doesn't give you all the answers
You saw in the vuln result a specific thing, just look at it manually
Ok I hear it, I will try to find this
Ok I did find ! I don't think find this thanks
very odd... the same command worked almost instantly from my kali while it did not from the pwnbox... has anyone already seen this behaviour?
Version diffs
FILE UPLOAD ATTACKS
Skills Assessment - File Upload Attacks
Try to exploit the upload form to read the flag found at the root directory "/".
I have used burp repeater to try and submit a payload within a .svg image file. But as you can see below, it doesn't get executed.
Can anyone help please? @sly dome are you available sir
Has anyone solved Skill Assessment 2 for NoSQL injections?
Just make your questions
remove the magic bytes, you don't need them for XXE
also you are using the wrong magic bytes for an svg body
its the same thing that happened to you the other day
I removed them but now it's telling me only images are allowed. @undone narwhal @sly dome
I've been trying for 2 days. Can u give me any nudge?
has anyone done the Attacking Kerberos module? Is it worth doing if I have already done the Attacking AD module?
not the right request to intercept
or maybe i dont remember it correctly
but xxe is the right track
right now i dont have my notes
later we can see it
Thank you very much, day has been saved!
Hi All
I got a problem with a second quest in Windows Privilege Escalation Skills Assessment - Part 1
I used Windows-Exploit-Suggester but there is no CVE exploit in the response which works. I know that CVE-2021-1675 works in that case but I don't know why Suggester does not show me that one CVE
Does someone maybe know how I can find this CVE-2021-1675 by myself?
I also used winPEAS..
Okay when u get your notes plz let me know. I think I will skip or else I will waste the rest of the day
So close to completing. But skills assessment is too hard. I repeated everything that I did in the module. But it doesn't work
remove line 22 and see if it works
Okay one sec
Nothing happens
It doesn't reject it but it also doesnt load it
is your machine up?
Try it for urself
94.237.48.48:52201
Did it work for you @undone narwhal
it did
But I did exactly the same thing and it doesn't work?
After I send intercepted request it rejects the file
Exact same request but different response @undone narwhal
@undone narwhal that is the exact same payload that I had. And I still copied and pasted it and it didn't work. It just sends back a blank thing
dm me
Haven't done it but based on the topics it covers, Kerberos attacks is probably the best module you can do to supplement your knowledge, it's first on my list after the CPTS path
From my point of view it is worth it
They just started getting expensive after level 2, don't they... gotta work out which one I fancy
It describes the attacks better than the AD Enum & Attack module.
This has always been the case
Tier IV = 1000 Cubes
Tier III = 500 Cubes
Yep, I know. I've just always stuck with level 1+2 on my student subscription
With the student subscription you cannot do modules above Tier II
But also the modules Tier 0 - II are great
Wtf does this have to do with modules
2 days to finish the skills assessment for this
ty guys for not reporting cuz i didn't mean it, i was trying to share it on another server
wtf im doing
im so sorry
👍🏼
Hello guys,
I'm dealing with the module "Password attack" task "Password mutations".
The task asks us to brute force the password of "sam" using the mutated password list.
I'm brute forcing with hydra, but it shows that it will take 10 h to enumerate all the passwords in the list.
Does anyone have some hints on this task?
Hint: don't brute-force SSH, too slow
Yeah, see what else is running
Hi, has anyone solved Skill Assessment 2 of NoSQL Injection who could DM me to help me? I got the way to extract information but I can't do any more. Thanks!
I didn't want to provide details that could be considered spoilers, but in summary, I've found the 'point' in the responses from which I can infer data extraction. I can extract information related to the username, but not the password. For the password I can only get that 'this.password' exists, but nothing for the length or characters.
I'm pointing out that you haven't told what module this even is 😂
there's dozens of 'Skill Assessment 2'
Oh bro jajajaja sorry, i talked about NoSQL injection. Thank you for telling me
check close punctuation in the responses
@woven copper I found the point some time ago and i can use it to enumerate usernames, but i can only get one, the same that is in the placeholder in the login form
can i DM you?
oh i remember, did you enumerate all functionalities on the application? because i think there was a login, some password reset maybe? mm what could you do with that
i'm trying forgot password at the moment, but for now i can only extract information in login
really interesting, so the injection is on login, but you have a forgot password functionality, also you have usernames, I have to ask, how do you think that a reset password functionality works? how could it be implemented?
it only says that a token will be sent to the email address
and when the user presents that token, how does the application know it's a valid token? come on man you got it, I'm not going to give you the answer.
there is a form where i can send the token, but i don't have it
I will take a look at the token form.
go try harder and if you still stuck feel free to DM me.
thanks bro, i'll try
took me 18 minutes !
but use the hint our friend provided
weird that latest FreeRDP version has a bug for PassTheHash
version 2.3 that comes with default Parrot/Kali mirrors works like a charm
but 3.0.0 is bugged, props to the developers
guys is this cmd wrong or what cuz it's taking too long and not giving anything back
hi, i'm stuck on the linux privilege section Logrotate
i try logrotten ./logrotten -p ./payload b*/a*.log
message Waiting for rotating b*/a*.log..
can't get a reverse shell
I know when I did that one, the shell lasts for a very short period of time, are you sure it is not kicking back and just closing? I found this write up helpful as well
I think if you have writedacl over a user that can do DCSync then you could add those privileges to a user you control.
Removed. Thanks
yes i have it over the whole domain
i want to add those to my user
but the cmd is taking like 20 min wtf
Xd
Evil-WinRM PS C:\Users\svc-alfresco\Documents> Add-DomainObjectAcl -TargetIdentity "svc-alfresco.local" -Rights DCSync
it's not closing, just always waiting for rotating
Guys
I want to try
GOAD-Light
Is it a good practice for Active Directory
Or is it too hard like
For a beginner like me who's trying to practice the ad module
i googled this and it gave me some type of lamp, wtf are you trying to do lol?
oh that thing
to be honest if you are a beginner just do the Dante prolabs
yea i know about this and if you have 100GB+ lying around for VMs then you can set up those labs
you need a base ubuntu host
i'll just do the Dante
i mean if you look at the writeup, some if not most of them are covered in the academy and ProLabs will 100% cover the rest
go for Zephyr ma boi
i read and ig i need to configure a lot of things
yep Zephyr is super fun and kinda for beginner
but you guys need to know that i'm a noob
you'll learn on the job lol
i just finished the module active directory and the box forest and got too excited
i'm just asking like is it a good idea to go for it
to do zephyr and dante
u know i want to practice something like what i learned so i don't forget about it
do w.e. u like man
just make good notes lol, don't remember everything
Dante has very little AD, but if you subscribe to prolabs you unlock them all for the month so you can try both, Dante and Zephyr
80% of zephyr is covered by CPTS (Allegedly)
In DACL Abuse I Password Abuse Section the final question " Abuse Marcos access rights to gain access to the gMSA account htb-svc$. Using the gMSA account credentials, read the contents of the flag at \DC01\GMSA\flag.txt and submit it as the answer. "
I have the hashes via ||gmsadumper & gmsapasswordreader|| but neither work? I have tried ||cracking|| & ||overpassing|| but it's not working
any pointers?
"Whitebox Attacks - Prototype Pollution PrivEsc": I am following the chapter 1:1 but I don't seem to get a pollution, a hint in the right direction would be really appreciated
Before you can dump the hashes, you need the appropriate user.
The question helps you to find the right user. Then you can dump the hash with ||gMSADumper||
I have the user as listed in the question but the hashes don't work?
I know it's a skill issue with something I am missing
Also, thanks
Send me the command you used via dm.
thanks
vuatia's modules are usually structured in such a way that you cannot follow the module 1:1.
You need to adjust your payload for sure
I just got it 1 sec ago, indeed I had to dabble a bit with the payload 😄 Thanks though
I'm learning digital illustration, and with that I want to learn how to make indie games. In your opinion, which is the best, Unity or Unreal?
This isn't really the discord for that lol
Hello, I am new here and I am a student, what should I start with?
are there any tricks to get xfreerdp to utilize the screen resolution?
I am new here so I have no idea what to do and what to start with
read the man page for /dynamic-resolution
still get it like this from the pwnbox
I have already told you yesterday where you can start
then you can try with "width" and "height"
What?
Is there anyone I can ask about kerberos attack module skill assessment last question?
he doesn't want to learn
How to hack the first machine
It seems so
No I am just confused on what to do
I ain't trolling or annoying anyone here
I just need guidance
I am being serious
I am confused
The Academy is structured in such a way that you teach yourself everything
Are you doing a specific module? What does destroy even mean?
You will never destroy a machine
Like yk random machines
Like practice machines
To test out hacking skills
VPN and stuff
Test out what when you haven't started learning?
do you have a link?
Let’s stay on topic please.
a link to?
At the Starting Point there are corresponding walkthroughs
Go to #starting-point
It says no access
First, you're in the wrong channel for starting point questions, read and follow #welcome. Second, there are walkthroughs and write-ups you can read.
still need help with this one. Would it be possible for me to send a dm to someone for assistance?
Just ask your question here
I've already obtained the user, but I'm unsure about the next steps. The hint mentions, 'If a user logs in, we can steal their identity.' Do I need to use Rubeus to monitor user login? But I RDP in and it uses a Parrot terminal, do I need to swap to use Windows or something? I don't know what to do next
Wait until you learn about /drive
Yeah, use Rubeus
How can I use Rubeus in a Linux env?
There is a Windows Machine, right?
Check out C:\Tools
But I RDP in and it is a Linux machine
This is the Question, right?
What's the content of the file: \DC01\Secret Share\flag.txt
Yess
I have no idea where you logged in. The machine I used at that time was a Windows machine
what? but I use xfreerdp with the IP that the module generated for me
You have creds from ||annette.xxxx|| right?
If so, use xfreerdp from this machine to connect to the machine ||x.x.8.35||
it works, but I have one question: I have the credentials, but how did you know that we need to connect to machine ||x.x.8.35||?
Enumeration 🙂
Knowledge is everything! In this world so hard and volatile
🏈 🏀 ⚽
"Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer. "
https://academy.hackthebox.com/module/147/section/1391
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
Did I do anything wrong here?
Ok I gonna find a way to do it , thank you so much!
currently on the AD / Initial Enumeration of the Domain section trying to follow along and capture the network traffic. Feel like I must be doing something wrong, cause neither wireshark nor tcpdump gives me any output that suggests the ip range mentioned in the section... any ideas?
Ping Sweep is your friend 😉
Do a wc on it to see how long the list is
I think your command is correct
If it's > 90k then it's correct
It is over 90k. So what should I do next?
jesus
Did you use the custom.rule from the zip? And did you copy the syntax of the given command from this section?
brute force user “sam”
its told to you
Well you're given a thing to do
I did use the custom.rule and password.list from the resource folder
so use nmap?
Sometimes the sections are vague and don't show everything
They give you enough information
They shouldn't be needing to tell you to use Nmap at this stage tbh
It should be your first instinct. Even if you're given a service name
Pretty much all the modules up to this point have been centered around enumerating a given target
I'm on a learning journey and I am not going to know everything as I attempt to find solutions to my problems. Everyone doesn't reach their path the same way. That's all I'll say about that.
I used nmap and the relevant port shows me an RSA certificate and info about the OS.
Step 1) enumerate
You got some info, figure out how to use it if possible
The modules roughly build off of each other to build your skills
If you're asking if you should do something, just do it
That's how you're gonna pass the exam, by trying different things
I do honestly believe you can do it. 99% of the people that are doing the path to completion can pass it.
The 1% are the people just infodump learning
you’re on the right track
Also, I know I come off as harsh at times, but it's because I genuinely want people to succeed
Like some answers seem snarky (because they are) or even just obvious answers
But I don't like just hand feeding the answer, especially if you just didn't try
Socrates: "I cannot teach anybody anything. I can only make them think"
My intent wasn't to get the answer and I want to do better and become a hacker. Sometimes I can be stuck on a problem and not know what direction to go in. I started this yesterday and I don't just ask you guys, I use ChatGPT and Google too
Unironically this book my school is having us read is all about Critical Thinking in Everyday Life, by Ridel
It really helps
That's why I also show the screenshots of what I did... to show that I made the effort to do the problem before asking the question. I screenshot all of my solutions to a problem for reference material
Must be Asian la
I was more speaking generally, your screenshots didn't show you attempting the question only mutating password
2 + 2 * 3
Failure
You forgot the PEMDAS
The answer is 8 la, you do the 2*3 first la
Hi Team, there is any channel for Dante Pro Lab? I'm starting work on it
#prolabs-dante read #welcome on how to access it since it'll say "no access"
Anyone experiencing any issues with pwnbox and rdp into targets at the moment? Mine just keeps disconnecting every 2-3 minutes
Hello Guys !
i'm in Footprinting Lab - Hard, i found the credentials of tom but i cannot connect with SSH, i need keys..
any advice or help? thank you
can someone help me on https://academy.hackthebox.com/module/23/section/1494 ??
regardless of what i send through ffuf, all results return a status 200, which seems to not be the result i'm looking for ^^"
double check whether or not you have both your vpn and the pwnbox on at the same time, if you do then that's the issue
hint: there are only 1 or 2 other services running on that box, maybe give that a try
hint: filter for the size, not the code, because if you are fuzzing a parameter on an existing page, since that page exists the code will always be 200
thanks for the advice! i suppose that's the -fs option then?
i kinda don't really understand what you mean by "on an existing page"
but shouldn't i be getting 4xx codes when fuzzing a language value that's not resulting in an output? or if i fuzz a parameter name that's not getting handled by the server?
i mean a page that exists like the index.html page, if you fuzz any parameter on there the code will always be 200 but the size will change if you hit something right or different, so yes the -fs tag
Hi! I'm going through the Active Directory LDAP module. I'm on the last page "Skills Assessment", and I can't get a stable connection to the target machine.
I tried:
- connecting from my Kali VM using the VPN (I see nothing specific in my VPN connection logs)
- connecting using the Pwnbox (I have unlimited hours)
- resetting the target machine
Connection issues look like this:
┌─[eu-academy-1]─[10.10.15.158]─[htb-ac-739180@htb-oyatrr7p1d]─[/opt/ldapsearch-ad]
└──╼ [★]$ xfreerdp /v:10.129.64.205 /u:htb-student /p:<the-password> /size:1024x768 /kbd:"Belgian French" /cert:ignore
[14:41:17:969] [4129:4130] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[14:41:17:969] [4129:4130] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[14:41:17:992] [4129:4130] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[14:41:17:992] [4129:4130] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[14:42:31:689] [4129:4130] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 110: Connection timed out
[14:42:31:689] [4129:4130] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[14:42:31:689] [4129:4130] [INFO][com.freerdp.client.common] - Network disconnect!
What's the proper way to report that kind of issue? I've tried to find a proper "contact customer support" page on the HTB website, but didn't find it.
Thanks!
how can i start in hacking / infosec, idk if it's the same area
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
i will take a look, thanks
@ornate vapor read the #rules, don't dm anyone here without asking first, and nope, learn what you want, don't ask me about it
ok
first make sure you don't have both your vpn and the pwnbox on at the same time, if you do that's the issue. also this command seems to be working for me:
xfreerdp /v:10.129.202.128 /u:htb-student /p:'Acad_ad_enum_skillz!' /dynamic-resolution /cert:ignore
HTB did have some connection issues lately, so if the issue persists maybe reach out to support
Thanks for double-checking. I'm able to connect, but the connection keeps dropping. At the beginning I only had the Pwnbox running, but now I have both (I started my VM to see if it worked better). I'm gonna terminate the Pwnbox and try again. HTB currently doesn't report any connection issue on https://status.hackthebox.com/. I'll keep trying and contact support if that doesn't work.
that site is for the main platform, not the academy. also after killing the pwnbox wait a few min if things are still buggy
are they trying to teach us to be patient when brute forcing with the password attacks Labs? 🤣
hum i'm getting nothing from imap and pop3, i need that key to log tom into the server :3
hi i'm stuck in linux priv flag5
- already created a reverse shell like in the Attacking Tomcat section
- sudo -l, /usr/bin/busctl
- tried to upgrade the shell with python pty
python -c 'import pty; pty.spawn("/bin/bash")'
not working, any hint? thanks
imap is the right track
double check your commands
I was doubting, i'm just struggling with the command line in IMAP to log in as tom
Hello everyone, stuck in the Web Attacks module, Section: Mass IDOR Enumeration. the exercise is to enumerate all files and find a txt, there is a script also, but nothing returns me a txt file, i've also done a manual enum with burp, there are just pdf's, could anyone give a hint or help me pls?
over complicating
that is more a skill issue
but imaps is indeed your goal
yes i have access now to imap, gotta search for that key, thx for the advice
using metasploit multi/http/tomcat_mgr_upload, not working also
i got something similar to this in my notes, try changing out the grep command for this one: -oP "(?<=\/documents\/)[^'<>]+\.txt"
just curl all uid's and grep for .txt
doing that part manually is so much easier but automation is fun lol
*semi
?
if you have the creds that should work. also for a pty shell i think there should be python or python3 on that box which you can use for a pty shell
whoa thanks
i use wrong python
Hi everyone. I've a silly question. Can someone help?
oh it worked, thanks sir
this look better maybe give it a try #modules message
if it's academy related
I'm in the Web proxies module on the Bug Bounty path, and I'm stuck on the 'Burp Intruder' session. Basically, it asks, in these words: 'Use Burp Intruder to fuzz for '.html' files under the /admin directory, to find a file containing the flag.' Here's my payload marker: GET /admin//§FILE§ HTTP/1.1, and this is the payload I used: Index.html, flag.html, htb.html, etc... (don't laugh at my poor and simplistic payload). The configurations are correct, but even so, when I start it, it only finds one page with a 200 OK response, which is the index.html (but every web page has that, so I think it might be a false positive). Here's a screenshot with the payload results:
use a better list
better? it is in usr/share/dirb/wordlists?
use the wordlist in the example
look at file size, 200 means the request has been processed correctly, not that it's a legitimate request
i think common.txt
should work
the payload should be BURPPAYLOAD.html
basically follow the section steps
Don't suppose you have done the Attacking common application module, have you?
i have not
Attacking splunk is not returning me any splunk lol
Oh ok. I`ll try.
i have 🙋♂️
and there's no mention of vhosts
oh i thought it would the thick client again lol
But the marker is right? "GET /admin//§FILE§ HTTP/1.1"
it's https lol
sigh
that's 30 minutes i won't get back
the amount of times i've done that with HTB, there'll be one random page that is HTTPS haha
thanks
From: [Admin] tech@inlanefreight.htb
To: tom@inlanefreight.htb
Date: Wed, 10 Nov 2010 14:21:26 +0200
Subject: KEY
)
tag6 OK Fetch completed (0.001 + 0.000 secs).
shit, no key found lol
idk bro
curl -k 'imaps://<IP>/INBOX;MAILINDEX=1' --user tom:<tom's password>
spoiler
delete
i got it but it's not enough because to access SSH you need a key bra
please use this command 🙂
Ok
But the marker is right: "GET /admin//§FILE§ HTTP/1.1"?
ok i'll use it like u said
thank you, i got the private key, gonna try something
I hate furries
guys can you tell me something because i'm new in hackthebox, does every module have a certification after you finish it????
for example i have my first module SOC Analyst, if i finish it can i get a certification or nahh
the job role paths have certifications, not the modules. you will have to pay and complete an exam, w pfp btw
are there any free certifications
because i have seen 3 professional certifications
but are there any others?
Htb doesn't have any free certs
And relatively speaking the HTB certs are cheaper than their relative equivalent ones from other companies
Can someone who's done the Using Web Proxies module explain how the response intercept in Burp is supposed to work? First of all, the screenshots in the module don't match recent Burp versions, second, even when I found the correct settings, I'm not getting any editable HTML response the way it's shown
stuck on the DCSync section in the ad module. trying to run powershell as adunn then use privilege::debug in mimikatz but i get this error (ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061). anyone know why? i'm pretty sure it's the runas command because i type whoami in the newly spawned powershell terminal and it says htb-student
you need to forward the intercepted request you captured and the html should be editable
I'm doing just that, but I only see requests, never any responses
I have enabled response intercepting
nvm, hadn't enabled a rule for intercepting responses after request modifications
You edit the requests
To get a desired response
I know, but the point here was to modify the returned HTML, not the request itself
i could complete the module with the latest version of Burp
just by following it step by step
yeah, I got it working now, it's just that the settings have moved, so the screenshots don't match what's in the program
I forgot to say, i say free where you have to buy vip monthly
Vip is on the main platform, the academy uses a different subscription model
for the academy u need to buy cubes
And you don't even need to subscribe
no but a subscription is cheaper
Oh yeah just finished footprinting let's goooo
well done, wait till u get to the AD module, it's a living hell 💀
i'm doing the path of Penetration Tester
same
thank you anyway
and stay strong buddy
no problem, i say it cuz u need encouragement on this course, it gets tough
u sound like my girlfriend ☠️
I sorta drifted away from labs rn, i'm focused on certs. i've been doing this for like 3 years so i did a lot of TryHackMe rooms
I'm doing the pentester and bug bounty cert then OSCP
Htb labs are far more challenging
Niiiice
Oh fr
Htb easy = thm hard
Thx
That sounded like a question
I have completed some penetration tester and ethical hacking courses
Was not a question i agree they are 🤣🤣
So i have searched for some new challenges
i'll go for CEHv12 next year so i'm warming up in HTB
Nice
Anyway