#modules
I also can't message you
The module explains every single step to you.
What was the reason for the Citrix box in Windows Privesc being Windows 7?
The complete module is a walkthrough of the tasks. It shows you every step you need to take.
It is structured so that you can solve everything yourself after the path, but gives you more cool tips.
Hello all.
I'm stuck on
Skill Assessment - Broken Authentication
Assess the web application and use various techniques to escalate to a privileged user and find a flag in the admin panel. Submit the contents of the flag as your answer.
Could I get some help?
See if you can find a way to find a username. The website gives hints on what the name should look like.
thanks, but I found it already, and this gives me nothing 🙂
|| Once you have found a valid username, you can bruteforce the access.
Remember the password policy ||
Did that too, but the password does not exist in rockyou.txt with the filtered password policy 😦
I know there are time limits which I solved as well
Yes it is. Then you have probably selected the wrong user 🙂
Look at the hints on the page. They tell you what the username must look like.
Hello, I have a problem with this exercise: I listed the TCP and UDP ports, I understood that I had to use SNMP, but I cannot find a working command in the cheat sheet. I did this: onesixtyone -c public 10.129.202.20, braa public@10.129.202.20:.1.* and snmpwalk -v2c -c public 10.129.202.20, but that doesn't lead to anything.
I'm using the ||support|| user for it and found a way to tamper with the ||htp_sessid||, but I see the message ||User support cannot have requested role||
The username is incorrect.
On the website you will find hints || Something about codes||
It could be that the "public" community string doesn't exist. So you need to find a way to uncover others.
I must admit that I don't know how to do that; do you have any suggestions for me to read up on? I searched in the course and I don't see where it talks about retrieving the community strings.
Please
Sure, a quick search on Google can help
thank you
Which section?
Footprinting - Hard Skill Assessment
Oh yeah, the SNMP section shows you how to find a public string with onesixtyone
I just looked
I think I'm on the right track
Module:File Inclusion
Section:Basic bypasses
I have tried every combination of bypasses, also tried fuzzing it with the jhaddix and other LFI wordlists (Burp and ffuf), and always get an illegal path. I have completed the whole module except this section; could anyone help please?
./languages is a good start
Bro, I did this one too, with encoding, changing the number of slashes and dots, with null bytes also, but always an illegal path. Maybe I'm dumb lol
you have to encode the ../
it works
Tried this, also tried double URL encoding but it didn't work for me. Do you see any mistakes?
Don't encode everything
Nvm, I found a payload, thank you
Hi! Can someone help me with the MSSQL part of the Footprinting module?
Sure, just ask, don't ask to ask
Oh ok, I didn't want to spoil, so I was thinking of doing a DM 😄
I'm on the MSSQL part, the last question is : 'Connect to the MSSQL instance running on the target using the account (backdoor:Password1), then list the non-default database present on the server.'
I'm connected to MSSQL and I found one non-standard DB and one table in this DB, and I selected everything in this table, but I don't find any flag...
reread it 🤣
Sir, read the question very carefully
I have a question
I know nothing about coding and hacking but I'm here to get started
Is there a free course which is useful?
Or do I have to pay to actually acquire some meaningful skill?
There are some free modules on HTB Academy, they are nice! Also it depends on what interests you have...
I think the free modules are very nice for discovering different things, and after that you choose a path, and maybe pay for more
Is it good to start here with no knowledge about coding whatsoever?
Starting Points on HTB is a great start to PenTesting in my opinion
I tried to learn some Python but I'm not very skilled
If you're more interested in coding, this isn't really the place to learn; there are but a few modules on the basics
I would say yes, you have a lot of free modules which are nice to begin with, for example the module "Intro to Networking" or "Intro to Linux" etc.
I agree, before HTB I was a potato when it comes to Linux, but now I'm getting the hang of it. Still a potato, but learning more by the hour
there's a Linux Fundamentals module
Not on your PC unless you want to switch; you can run it in a VM
You can go to the Microsoft Store and search Linux
I recommend Kali Linux, but Ubuntu is more user-friendly
Yeah, WSL is pretty nice
WSL? I wouldn't recommend that to a beginner
Fair point
So I can run Linux as an application instead of an OS, right?
The lack of a UI would be rough
you can run it as a virtual machine in VMWare or VirtualBox
ohh
So do y'all work on projects or something?
I did come across a book that’s angled at being a starting point for folks who don’t know anything about anything. Working through it might be a good start?
i see
I don't, but I'm sure these pros do
Don't have the skills to work with others when it comes to pentesting
Have you used anything you learned for something actually useful?
I'm still working on the Starting Points, so no
Nice reading! 👍
This was beginner friendly in that it doesn’t assume you know anything
yeah that’s perfect
It walks you through the basics of Linux and programming and setting up a vm
How long have you been studying?
And then builds on that
what are the builds like?
Oh I mean like, it works from there towards the concepts of basic pentesting
Yes! What I've learned with Hack The Box made me win things in CTFs, and helped me get a job 😄
oh
That's cool, how long have you been studying?
About 2 days, and I'm starting to understand things like nmap, MySQL and John the Ripper
I'm 16, is it a good age to start?
I've done 4 years of studying to get a master's degree (one year of cybersecurity studies, the others were sysadmin/netadmin). And I began HTB like 2 years ago
You can start at any age 🙂
That's cool
I started coding at 12 and I'm starting HTB now at 15
Will I be able to use anything I learn for working on a project for myself, sort of?
Do I only have two hours of Pwnbox in a lifetime or per day?
how you apply the knowledge you gain is up to you
Lifetime, BUT, and it's a big but
You can run OpenVPN on your own machine to bypass that "2 hour limit"
I just wanna be able to make something cool and actually use it
Yeah, the Pwnbox is just nice because it's a custom-built environment so you don't have to fiddle with it
But is it still useful for completing the questions?
Yup, Pwnbox opens a new window in your browser that acts as a machine running Linux, and OpenVPN is hosted from your own machine
Like a 'window' to see what that virtual machine sees, and use it as your own machine to complete the questions
Thank you. Does a guide exist for running or installing it (OpenVPN) or similar, if necessary? (Sorry, I am just a beginner)
You can go to the HTB site, Starting Points
Tier 0, and to the Meow machine
You should see the option to use Pwnbox or OpenVPN; Pwnbox is click to start, but OpenVPN needs to be run on your machine
thank you
If you need any more help, feel free to DM me
😉
Anybody got any idea why I can't access unika.htb?
It just says the IP took too long to respond
Have you entered the domain in your hosts file?
Hey guys, has someone done "Attacking Common Applications - Skills Assessment II" who can help me??
What is the problem?
I'm stuck a long time on the "What is the admin password to access this application? " question
I looked in the ||gitlab|| but didn't find anything, tried the ||basic password as well|| and nothing ...
Stuck on the File Inclusion module, the File Inclusion Prevention part. Not gonna lie, I don't understand it at all or what I'm supposed to be doing; can someone explain?
Also I didn't do the first Q, but not sure if that has anything to do with it...
Try to read it another time; if still stuck, the hint for the first Q is in the ||PHP Wrappers section||
"Connect to the target machine using RDP and the provided creds. Export all tickets present on the computer. How many users TGT did you collect? "
At this point I just want to connect to the target machine. So does the certificate mismatch have anything to do with why I am unable to connect??
Have you created your own user as explained in the module?
- Cert mismatch means nothing
- single quotes around the password as "$$" is a variable
You mean in ||gitlab||?
No, I don't have creds...
Read the section again. 😉
I found only the ||root|| user and I can't get their password...
Use all the functions on the page.
Oh how did you determine that it was a variable?
Well, I know I need to edit the php file so that disable_functions= system, but how can I find disable_functions in this massive file 😂
For the first Q, find the version ...
Anytime special characters are involved, just wrap it in quotes
You mean the ||12.9., 11.4. and so on||??
No, the section in the module where it's about Gitlab.
Done it, not so hard when you understand the question
put the password between single quotes
bash uses $ as variable declaration
Module:Attacking Enterprise Networks
Section:Web Enumeration & Exploitation
Error when logging in on the WordPress site (http://ir.inlanefreight.local). I found a valid username and password and there is an error; can somebody tell me what is wrong?
For some reason ||find / -name flag.*|| doesn't work. Am I supposed to do privilege esc..??
No
Check all functions on the GitLab page
ohh I got the password
I'm trying to find the flag...
???
But meterpreter doesn't have a find command...
You don't have to find a user, crack a password, just use the functions of Gitlab.
Not sure we understand each other...
can I DM?
sure
What designation do we typically give a report when it is first delivered to a client for a chance to review and comment? (One word)
Does anyone have one word answer for this question
It's in the section, read again
Without knowing which module and which section you are talking about, it is almost impossible to give you an answer.
I tried using all possible designations but couldn't get the final answer
module 1 Post-Engagement
Like I said the answer is most likely in the section the question is in
Module 1, that's not a module name
Module 1 PENETRATION TESTING PROCESS
Post engagement section
I can only see "client" being mentioned everywhere
Not able to find the exact designation
Yes but that's not what it's asking
It's asking about the report
In fact partial wording of the question is in the text
Learn2read :^)
Can I get a hint for the skills assessment in Introduction to Threat Hunting & Hunting With Elastic? I am looking for || event.code: "13" || but I am not sure what else to add or how. I have tried a bunch of different ways of looking for registry changes/modifications, the startup folder being run.. I know it's right in front of my face. Most likely just overthinking this. Thanks
draft
Read the Question again
Create a KQL query to hunt for Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Hi, is there anyone that could help me? I'm doing the HTTPS/TLS Attacks assessment. I have got a token by changing the cookie value to admin, but I'm stuck at redeeming the token.
Hey guys, I'm going crazy here (in "Attacking Common Applications - Skills Assessment II")
I did all the Qs but the first one: "What is the URL of the WordPress instance? "
I don't see it anywhere, nor its connection to all the rest of the assessment ...
can someone please help
You need to ffuf or gobuster vhost to find a WordPress site. Add to /etc/hosts the IP with inlanefreight.local and gitlab.inlanefreight.local; after ffuf is done, add the other subdomains too and curl them with grep "wordpress" to find which subdomain is the WordPress site
Not sure I got it
You say do ffuf for inlanefreight.local, but in the assessment they say to do vhost for gitlab.inlanefreight.local already...
And after I get the subdomains, do ||curl -s * | grep WordPress||??
Yeah, the assessment tells you that, but gitlab is already a different subdomain. Just do ffuf or gobuster for inlanefreight and you will find other subdomains; the gitlab subdomain is for the next questions
I know, I got it a few Qs ahead, but it doesn't give me the WP
Yeah, curl -s http://subdomain.inlanefreight.local | grep "wordpress"
Or ||| grep -i wordpress||
Any ideas? Cracking the NT hash with rockyou and hashcat was no problem. For fun I wanted to also crack the SHA1 hash, but hashcat gets quickly exhausted with the same wordlist. I used hashcat -m 100 (raw SHA1) and ignored the potfile. Shouldn't that be the same password, just a different algorithm? Or is Microsoft using another SHA1-based algorithm here? In the module it states both NT and SHA1 are hashes of the password. Can't find anything about that in the MSV1_0 official doc. Ty!
Ntlmv2
But it's also entirely possible that this password is intentionally not in the lists
I also don't think it's raw SHA1; there are like 80 different SHA1-related algos in hashcat
Didn't read your first part
Hmm, weird, NTLMv2 looks different. So I also guess this is some other variation of SHA1. But as long as I get the NT hash it's fine for now
no worries 😉
But tbh if you have the NT hash you don't need to crack the SHA1
Yes, true, sometimes I just like to play around with the other information I can find hehe
I think hashcat has an option to help properly identify the hash and the mode needed
Just be careful because on an exam that just leads to a time wasting rabbit hole
Yeah, that's true, better not in the exam 😄
I would say if you were presented two different sets of data from different tools I'd cross-check. But since it's the same tool, then meh
yea
Also, if you're meant to crack that user as part of the module, delete the image 😉
As it's still a spoiler
The general consensus with spoiler imagery is: if you're asking for help delete it after you receive the help
Especially if there was literally no other way to express your issue
But I'm quite sure now this "SHA1" is not raw or is something different; I just took the password and converted it to SHA1 and it's a different string
Yeah, it's probably one of the 75 SHA1-related algos
However, let's go on with learning ;D
GL HF
./ptunnel-ng: error while loading shared libraries: libcrypto.so.3: cannot open shared object file: No such file or directory
Guys, how do I fix it?
Try to install the dependencies; if that doesn't work, use a Python virtual environment, install the dependencies there and then launch
The target does not allow using apt
You don't need apt
Google "python virtual environment"
Also, I'm just troubleshooting this one error you have; having context would help a lot
okay
Module: Pivoting, Tunneling, and Port Forwarding; Section: ICMP Tunneling with SOCKS
Connect to the target and establish an ICMP tunnel. Pivot to the DC using ptunnel-ng
I have a question; I wrote in the community help, but I will try here too. I'm on a starting module where I should download a VM, but the VM software that is offered is for Windows and Linux; the problem is that I'm on a Mac. What is the best program to use if I can't use the pre-chosen one? 🙂
do you mean the software that is used to run the virtual machines?
yes that is right
Depends on the chipset used in the Mac; if it's M1/M2 then you want UTM. Also IIRC VirtualBox or VMware do have Mac versions of their software
But I didn't see it; I was looking for VMware but only found Windows or Linux
Is there anybody who's ready to help me real quick?
any idea what am I doing wrong?
thank you @fathom pendant
Module: Windows Privilege Escalation
Section: Server Operators
I was able to obtain the NTLM hash for the Administrator password and crack it offline, but I can't RDP to the target using those credentials. I can still RDP in using the server_adm creds, but not the Administrator creds. Not sure how to get the flag from the Administrator desktop without being able to RDP to the target.
You don't necessarily need to log in via RDP; you can for instance use impacket-psexec and do PtH
any help?
I am getting an incorrect answer error
What is this?
For the Linux basics module
I was told to use the find command; I provided the filename with extension, the full file path and only the filename in the answer, but I get an error
You need to SSH into the target
Thank you!
oh
Hello bro, appreciate your help
I've found valid usernames and passwords, exactly 4 extra logins ||support.it, support.gr, support.cn and support.us||, but there are no flags there when I log in.
Also I've figured out how the session cookie is built and wrote a script to bruteforce all possible roles like ||support.gr:admin||
Also tried strings like ||administrator:administrator|| and all possible variations of it, but no luck
Could I ask one more tip? 🙂
Now that you know what the cookie must look like, ||you need a user with more privileges||
Just use Ligolo-ng
Which then has nothing to do with the task 🤷🏻♂️
But it will work, just like any other pivoting technique.
hi ,where is the help chat in this server?
can you elaborate
I am stuck at Automating Payloads & Delivery with Metasploit in the Payloads and Shells module. Here is what I have done so far. I have run an nmap scan to discover the running services. The most exploitable service seems to be SMB. I have run the exploit and I keep getting "... STATUS_ACCESS_DENIED: {Access Denied..." after running it. What could be wrong or what am I missing; am I even exploiting the correct service? Please help.
I can't log in via SSH with an IP; I'm new, I'm in Linux Fundamentals and I can't log in with SSH. When I try to log in, it freezes without response. Help please
Can you give us more details? Are you using the Pwnbox or your own VM?
When I try to log in with ssh htb-student@<ip>, the terminal doesn't show anything else
with connection timed out
<ip> is a placeholder for the IP of the target that you must specify
I'm in a virtual machine, Kali Linux
Yeah, I know, I have the IP, I'm in Linux Fundamentals but the terminal doesn't show anything else
Are you connected to the vpn?
Yes, this was explained in the Introduction to Academy module
Bruh, didn't read it, ty a lot
Hi, why, when I try to do one of the modules, are the questions sometimes unrelated at all?
Some exercises would require you to use your analytical thinking
You mean googling the new thing?
Idk, such as netstat; I don't know about it and how it's related to IPv4
Hi. In the last question in "Intro to Assembly Language" ("The above server simulates a vulnerable server that we can run our shellcodes on. Optimize 'flag.s' for shellcoding and get it under 50 bytes, then send the shellcode to get the flag. (Feel free to find/create a custom shellcode)"). I've optimized the shellcode, got it under 50 bytes, tested that it runs on my local system, but can't quite figure out how to get it to run in that terminal shell. I simply connect, paste the code and press "Enter"... and nothing happens. Is there something specific that needs to be done in this exercise?
I'm having an issue with answering the third question:
"Use john's TGT to perform a Pass the Ticket attack and connect to the DC01 using PowerShell Remoting. Read the flag from C:\john\john.txt "
https://academy.hackthebox.com/module/147/section/1639
Nm...fixed it.
Following the advice of dpgg, the path is in the question: "C:\john\john.txt"
Yeah, apparently there are two john folders
well that didn't work. I will read that error
Now I am. I saw that there were two john folders and I had accessed the wrong one
yes
So you got it now?
Hi guys, I am stuck on the Markup box. I have managed to get Daniel's RSA key and inserted it into a file, set permissions on the file, but when I try to use this with SSH it always seems to default to asking for a password for daniel. I also sometimes get an error indicating something is wrong with "libcrypto". I have tried converting the file format with PuTTY but that still doesn't seem to do much. I think I am doing something silly no doubt, but I've kind of hit a wall; if anyone can point me in the right direction it would be much appreciated
can't seem to upload a screenshot of the error
Read and follow #welcome to gain access to the rest of the server, this is not the channel for this
Cheers mate
I referred 2 people and did not get any cubes
Hello, I am stuck on Linux Local Privilege Escalation - Skills Assessment - flag2. I see flag2.txt in the b**** directory, but I cannot find the credentials for that user so that I can log in later and cat the flag
So do the module in order
Smh lol
Ok nvm, I found it
yes ask your question
I think I've found a working double-extension bypass for the uploaded file name, but I think I need magic bytes manipulation. I've tried adding PHP hello world code after it but it still fails or I get some weird base64 page
I didn't get any base64 page
So I don't know
If you uploaded it successfully you probably got the magic bytes
hint: GIF magic bytes do not work
I used jpg; I didn't see .gif in a JS script I found while searching the site
Then you probably also found the path where it gets uploaded and the naming scheme
you have everything!
no
keep enumerating in that case
Module: Windows Privilege Escalation
Section: Vulnerable Services
I'm able to catch a reverse shell, but I don't have permission to access the Administrator desktop, even though I changed the execution policy in Powershell to unrestricted.
I feel like I've seen all the pages and my problem is just with the magic bytes to make my PHP payload print hello world so I know it works
Nah, the magic bytes only have the purpose of bypassing the filter
How come you didn't find the naming scheme and the upload path but you are executing it? o.O
you can reach me on DM to avoid spoilers
ok
Hint: first try to fuzz all the allowed file extensions
Anyone else having issues with the game crashing when running the script in the Scripting AoB section of the Game Reversing & Modding module?
They did onboarding
Stuck on the "Intro to Assembly Language" skill assessment Q1.
"Disassemble 'loaded_shellcode' and modify its assembly code to decode the shellcode, by adding a loop to 'xor' each 8-bytes on the stack with the key in 'rbx'. "
So far I've been able to decode the shellcode, so the one I have now starts and ends with "4831...0f05", but I can't get it to run, and checking it with GDB shows a bad line but I can't figure out how to fix it.
Has anybody done the "Kerberos Attacks" skills assessment? I could use some help on that
How do I get more cubes without paying?
one way is referrals
Oh, that's unfortunate
Need help with AD Enumeration & Attacks - Skills Assessment Part II
Question #3
FPS < 0.1 with RDP, what to do :<
Oh my! I’m still in the intro and about to give up soon 😭😂. Nah, I love it here but omg, I really need to utilise these brain cells of mine in a whole new way 😂😂.
That seems annoying, is your connection bad? If not, have you tried through Pwnbox?
Wow, a beginning! Good luck!!
I am suffering from slow internet speed right now so this becomes a pain :p
yeah! thanks for reminding that PwnBox exists! will try
Thanks! Total beginning in fact! 🤷♀️🫣 but I love a good challenge so.. 🤞
Anyone able to give a hint on my question from earlier? Still stuck on this damn assembly question lol
🔥
just published 🙂
sick
why mention,
no one replied
nvm
So I am new to the whole hacking and coding thing
I want knowledge
best get reading then
reading what
everything
from where
annoying.
I'm just asking, dude
I have some basic questions: do I have to know coding for ethical hacking? If yes, what language, how much should I know as a starter, what things to download, all of these things
lolol
🤣
Python 3 is a good start
....
like, read this and you will have your answers - https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
okay
thanks
Then once you have read that, if you have more questions or they weren't answered, come back, but don't post in here. Post in #general
this shows no access
ok
hey
In the website interests I'm getting a lot of options
Idk a single thing
Welcome to the club
Thank you
Someone solved "Linux Privilege Escalation" - "Environment Enumeration"? I can't submit the flag.. it says it's invalid?
Then you answered the question wrong :p
Or have extra spaces
Or a dozen other things
Well the task is
Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer.
And I found the flag, but it says it's invalid, so
meh, I already got root access to the system
Nvm. LMAO.
This one was a bait flag
Man lol, I've been stuck on this assembly question for going on 4 days now lolol, I think my brain imploded at this point 🤯
it's just for a different exercise
Currently on AD > Skills Assessment Part 1.
Q5 " Find cleartext credentials for another domain user. Submit the username as your answer.". Trying the following: ||upload secretsdump.exe|| but get a Server Runtime error each time.
Any hints?
Module: Attacking Common Services
Section: Attacking Email Services
I have found a user and am trying to bruteforce with the given pws.list, but hydra can't find any creds; could anyone help please?
Yeah for sure DM me
I forget if you need to use the full email for the password bruteforce
for sure you do
Ah yeah, that tripped me up when I first did it, probably why I wasn't sure
Woohoooo, vautia has answered my wishes. 🤩
As soon as I have finished CDSA, I will continue with web pentesting.
Just moved on to the Assembly Language Skill Assessment Question 2 and knocked that out quickly but still can't get question 1... last thing before I can move onto buffer overflow attacks...
I am stuck on:
Enumerate the server carefully and find the flag.txt file. Submit the contents of this file as the answer.
Under the "Footprinting" module, Easy lab.
I've run the nmap scan and found 2 open FTP ports but was denied access to both of them.
I tried connecting via SSH and was denied access because I need the valid 'public' key. Does anyone know if I am even on the right track, or should I be looking somewhere else or taking a different kind of route?
I've also tried connecting via other remote protocols but the credentials they've provided resulted in connection errors for all of them
Idr this lab exactly, but two FTP servers with denied access on both would be pretty strange. You sure you've accessed anonymously properly?
Yes, I just ran out of time on my Pwnbox, so let me start a new instance and try again; I'll show you the output
Am I on the right track? I went over the lab intro and have tried tackling it from the beginning, but I still feel like I am running in circles
Are we supposed to know the domain name? Am I supposed to be utilizing inlanefreight.htb like the past exercises? Or is that irrelevant for this lab
You're missing something extremely important in the introduction
finally got it after over 3 days 😄
That needs to be applied to the services you've discovered
One of the services even has a clue telling you to use the hint in the introduction
I was def thinking too hard lol
Module: Linux Priv Esc
Section: Sudo
I can't compile the exploit given in the section because there is no make or gcc on the box; also sudo -l gives ncdu as root, I can run it but it just shows directories. Could anyone help please?
Module: Web requests
Section: GET
I am having an issue with solving the riddle. My target website is not loading properly and is not sending any requests when I hit enter. I can also see that it's failing to load the favicon upon loading the website; what do I do? This is how it looks https://prnt.sc/4qu7uyGo5-UF and this is how it should look https://prnt.sc/elcllVzrObHp
I'm not picking up what you're putting down in terms of the 'hint' you're referring to in the intro. As far as I can see, the only actionable information provided is the valid credentials and the note about three servers running, with an emphasis on focusing on the DNS server first.
Yup, so there are valid credentials, time to use them
But in order to enumerate DNS wouldn't I need the FQDN to utilize dns commands?
I understand what you're saying, but I've already tried connecting via SSH and other remote protocols. The issue is that even with valid credentials, I'm still encountering a 'public key required' message during the SSH handshake.
ftp?
I've tried that, but all the commands I run inside the server just result in the same 3 output messages no matter what command I run
which server, which commands, which output
ftp 10.129.209.235 21
Connected to 10.129.209.235.
220 ProFTPD Server (ftp.int.inlanefreight.htb) [10.129.209.235]
Name (10.129.209.235:root): ceil
331 Password required for ceil
Password:
230 User ceil logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp> cd
(remote-directory) cd..
550 cd..: No such file or directory
ftp> cd ..
250 CWD command successful
ftp> put find.txt
local: find.txt remote: find.txt
local: find.txt: No such file or directory
ftp> quit
221 Goodbye.
Is this a spoiler?
Just an attempt to write
always enumerate hidden files
Amusingly, your FTP there does reveal the FQDN you're looking for (but still ignore DNS)
But rafa is right, always check hidden files
^^^
and port 21 is a rabbit hole
and if you find nothing on that server, try the other one
Hi, on Linux Privilege Escalation > Linux Local Privilege Escalation - Skills Assessment: is there another solution to get flag4.txt (and flag5) without running an exploit that will directly lead me to root privileges? (No spoilers please, only a "yes, keep searching" or "no, you need an exploit" would be great) 🙂
FTP is one of the quickest protocols to enumerate
If you find nothing with a dir -a there is nothing
go next
?
How would I be able to check hidden files if the server is refusing my commands?
I'm gonna go off what you guys said
It's not refusing your commands
It's just that your dir command didn't find any files to list
okay
my boy
that makes sense
if on 21 there is nothing
on 53 there is nothing
SSH needs a key
its white and in a bottle
I didn't want to spoil that there's nothing on 21; they should go through normal enumeration
I know, my point is that enumerating an FTP server is a matter of seconds
Yeah, but they're def new and Footprinting is an early module, so a little patience with them is warranted
I'll still go through the grunt work, but your advice is still useful for future purposes
so I appreciate it
It's not like they're acting dumb or being a jerk to those helping; these are normal learning steps
You have 4 services to interact with, 2 of them are FTP and you have credentials
see the pattern?
and never forget hidden files
I've def tripped over hidden files before 😭
it hurts
wdym?
How it keeps repeating the 200, 150, and 226 messages, or is that normal? Because initially I thought it wasn't taking my commands, since all it was doing was repeating those same three messages every time, but in reality that is just the normal interaction experience with an FTP server?
I found the keys btw thanks
@sly dome @thorn urchin
That's normal FTP stuff
gotcha
FTP server return codes always have three digits, and each digit has a special meaning. The first digit denotes whether the response is good, bad or incomplete:
The second digit is a grouping digit and encodes the following information:
Below is a list of all known return codes that may be issued by an FTP server.
oh, absolutely
This is one of the situations where you have to Google what you don't understand
You would have found that Wikipedia article in that case, but don't misunderstand me, asking here is also valid
No, it's not that I didn't understand them; it's just that I was expecting the command line interface to behave differently
Like when I ran the put command or any other command, it was weird that it was just returning those FTP codes and nothing else
Found the flag 😅😅
Hi guys, I've finally completed the Footprinting module (😭). I just wanted some clarification on the hard lab. We do a ||UDP scan|| because the question hints the server in question is a ||DNS server|| and ||UDP|| is often used for that, yes? Or no?
Just want to make sure it's not a right answer, wrong formula situation
You're more meant to do a SYN scan using source port 53 due to DNS
So when we're looking at a DNS server it's best practice to do a SYN scan?
If you read the IDS/IPS evasion section under the DNS proxy section it explains it more
I see thanks 🫡
You can't
You mean clear answered questions?
That's too bad bc you can't
Because I personally haven't seen a button to reset progress, and every time I've seen it asked - the answer has been no
You can always just go back through a module, spawn the target, and attempt without looking at the questions too much
¯\_(ツ)_/¯
HTTP Attacks completed! If anyone needs help with this, just dm me
Hi, I'm trying to run BloodHound and it won't login, I've started neo4j then run BloodHound but it won't connect? Tried opening localhost:<port> for neo4j and changed user/pass to just admin, but it just won't allow me to connect to BloodHound?
have you waited a few minutes for neo4j to initialize properly
ummm not really lol. altho waiting now.
neo4j warns you when it starts that it may take a couple minutes before applications can connect to it
on bloodhound the port is 7687 but logging into neo4j is port 7474. is this normal?
and databases being bolt and neo4j, am I meant to leave all that as default?
yeah admin port being different is normal. Idr the default ports off the top of my head though
but presumably those two are correct
bloodhound does a green tick to show it's valid etc, but yeah. just won't login
if it green ticks then it should be valid so the creds you're using must be messed up
did you click login
lol yeap
its something I have to ask with the kind of people that show up time to time
ohh don't get me wrong, I'm a total nub
did you change the neo4j password? I'd be trying to login as that
yeah when logging into neo4j on the browser it said click auth type user/pass then said change defaults (altho I tried logging in before changing) then changed to admin:admin
and still in neo4j browser atm
I'm getting an error trying to run the iis exploit on the meterpreter module
Using a kali vm, tried pwnbox instance and got the same thing
I'm using (windows/iis/iis_webdav_upload_asp)
Maybe it doesn't work on the target?
Like it's not vulnerable
Yeah, it ended up being a different module.
👍
Currently on module AD Enumeration and Attacks > skill assessment. Stuck on Q5 "Find cleartext credentials for another domain user. Submit the username as your answer."
Any hints?
hi I'm stuck in AD Enumeration & Attacks - Skills Assessment Part I question 2,
I tried a reverse shell and doing a file share from Linux to the shell.
Tried to download PowerView.ps1, can't Import-Module.
Tried to download mimikatz and rubeus but can't use them because it's not a folder.
I believe I need to use mimikatz or rubeus but how can I get this folder from my Linux?
I can't download directly
find a directory to which you have write access
?
thanks
If you have been able to answer the previous question, then you should be able to leverage a "password reuse" somewhere where you can take the necessary steps to answer Q5
hey there!
I'm going through the
"Windows Event Logs
Windows Event Logging Basics" module.
Trying to use Remmina to rdp to the target.
Although the initial connection is made and I'm landing on the desktop (logged in), after a couple of seconds it goes black screen and reconnection attempt # of 20.
Tried to ping the target while this was happening and got no ping.
Terminated the instance, waited some, then rerun it.
Same result.
Maybe wait some more or am I doing smth wrong here?
(creds & domain are ok, checked like 5 times)
Hello, I successfully found the passwords from ||4 support.{code} accounts.||
I have found the way to build cookies, ||support.us:support so {user}:{role} and I've tried all possible combinations for roles like admin:admin|| and so on, but nothing helps.
Could you give one more advice please?
This is the hardest step in the path for me 🙂
Hmm
Do you have multiple openvpn instances running (ps aux | grep openvpn)
hello guys
I need a little help with an exercise of the ffuf module
the Fuzzing GET parameters
I tried but I don't get any parameter after fuzzing
😥
you followed along with the example?
yup
that's weird, I just tried and I don't get a hit either
humrum..
and a look at very different ways of doing this
did you add the admin.academy.htb to /etc/hosts?
That was my problem
solved
yup
thx for the help anyway!
Module: PIVOTING, TUNNELING, AND PORT FORWARDING Section: RDP and SOCKS Tunneling with SocksOverRDP
Can't login as jason:WellConnected123!
It redirects me to 172.16.5.19
Any hint?
A -> B -> C is the order, make sure you get the one in the middle
footprinting module is heavy... 🥵
@fathom pendant A:htb-student B:victor C:jason
Did you follow the steps properly
You need a user with more rights, not just a role.
Bro I didn't get my cubes when I referred 2 ppl and they did onboarding
H
Am I too dumb for struggling every time with the answers format on academy?
hi
I need help with the ffuf module exercises (the last)
I found the extensions
the subdomains
but this question: "One of the pages you will identify should say 'You don't have access!'. What is the full page URL? "
I'm not able to solve
I also found 2 folders in the subdomains
but I'm not receiving any pages...
please help
tell me if need help still
with the extensions found in the previous question, try to recursively brute-force the endpoint
I already did that bro
in all subdomains
that's why i'm stuck
bro you did it in the wrong way apparently
that's why I'm telling you to try again, please post the command used between spoiler tags
hey guy I'm in "Windows Privilege Escalation" ==>> "SeTakeOwnershipPrivilege"
and I didn't get the explanation there, they say if a user has "SeTakeOwnershipPrivilege" then I can use it and change it
but the user on the Q doesn't have it so how am I supposed to do the Q???
anyone have any tips??
Don't forget to open an administrative prompt in case you didn't
I'm going through the network enumeration with nmap module and I'm supposed to scan and list the number of open tcp ports for one of the questions and I'm only finding 4 open ports, but apparently that's incorrect. Any idea on where I could have gone wrong?
-p-
I tried that as well and I get the same four ports
-sU
I just need the TCP ports
are you sure?
" Find all TCP ports on your target. Submit the total number of found TCP ports as the answer."
Yeah
This is what I'm getting
```
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-31 14:53 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.062s latency).
Other addresses for localhost (not scanned): ::1 127.0.0.1
Not shown: 65531 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
5901/tcp open  vnc-1
```
change the -sT flag
it's full tcp but maybe "something" is blocking a full three-way handshake
Hey lads, I'm currently here at this step
https://academy.hackthebox.com/module/143/section/1274
But the previously bruteforced / sprayed passwords don't seem to work. What password am I supposed to use in the prompt then?
Thanks
In fact, even copying the command from the previous module, password spraying, the same password that previously did get a hit no longer does
wtf?
Do I want to use -sS?
solved.
U did this one?
Why are you scanning localhost?
There's a button to spawn a target to scan
because I didn't get it ...
made me question the whole process (good thing they say it's a long shot)
yes I did
Everything is well explained in the module, if it is not enough I may have considered to go and do a bit of research on google
Hi! I'm stuck (
"What is the customized version of the SNMP server?" Any hints?
Footprint module I guess?
yep
Working on the AD module, section ACL abuse tactics
This part is confusing me. In creating a PSCredential object, the line that says Password here: are we putting in the wley password, or the password we intend to change for damundson?
I did the Q
but first I enter as jordan
got the SeTakeOwnershipPrivilege enabled but when I tried to do the takeown it gave me an error message
so if all was the same and only the takeown didn't work how was I supposed to know that?? that's what I don't get
Try to read the output of snmpwalk
Thx, caught it
wley
Thanks
Hello
😂
😂😂😂, bro's scanning localhost
Don't laugh at other people
I'm so sorry
We were all noobs at one point
That's true
Support, I'm having issues with the 'Windows Attacks & Defense Module', in the PKI - ESC1 Lab, when I execute Rubeus with the generated PFX file I receive this error -> KDC_ERR_PADATA_TYPE_NOSUPP
Does anyone know if I am supposed to be utilizing ceil's account for the second lab in 'footprinting'? The medium one?
This is the question: Enumerate the server carefully and find the username "HTB" and its password. Then, submit this user's password as the answer.
Usually the skill labs are independent of each other.
Ok thank you, well in that case am I on the right track, I've tried enumerating the smb, nfs and ftp of the target IP and am having no luck
I've also tried the rpcclient but it's asking for a password which I don't have
Look closer at nfs
I found alex's credentials but his login isn't working for anything
Think outside the box
Rpc isn't quite the answer
Think about the open ports, and what they actually correspond to
Well I know we have rpc which you said isn't quite the answer, msrpc, netbios-ssn, microsoft-ds, nfs, and ms-wbt-server open
I already enumerated the nfs and came up with alex's credentials
let me try rdp
Think about port numbers
As they correspond to specific services 99% of the time
Congrats now keep digging
hi all .. I've started the ACTIVE DIRECTORY ENUMERATION & ATTACKS module and on the first question I'm stuck:
While looking at inlanefreight's public records, a flag can be seen. Find the flag and submit it. ( format == HTB{**} )
I can't find this flag at all looking at the public DNS records for inlanefreights.com. Any tips ?
Are you sure it's not meant to be inlanefreight.htb?
I've just completed the Documenting and Reporting module and from what I see they always use "The tester" when referring to themselves.
Is this sorta like a resume where you want to avoid using "I"? Or does it not matter
The modules in general are written 3rd person
But for CPTS report and for reporting in general should I avoid using "I" and use "The tester" when referring to myself? Or does it not matter
Use First person
I still don't see it
You're reporting on issues not writing a novel
If you're performing a test with a team, or writing on behalf of a team I would say using "the tester(s)"
Okay thanks!
can you tell me how you do it?
I haven't done this module
no you should definitely be using 'the tester' and third person
Interesting
that's because you are not reproducing all techniques taught
literally the first thing the section does gives you the flag
I found a website and there is a flag on it, but I can't submit it as the answer.
I got it. Thank you
Footprinting Module : Lab Hard
Question : accessing tom via ssh using the private key found in imap/pop3 services. Do I have the right key or not?
Error Message while accessing via ssh : Permission denied (publickey).
Thinking of maybe the key I found is not tom's priv key lol.
Web Proxies Module : Encode / Decode
||To decode: 4x base64 -> URL||
Had to look up how to decode the string. How should I get to the conclusion that this is how to decode it? Am I missing something in the material?
did you apply the correct permissions to the file
yes chmod 600 id_rsa
check you copied it correctly
cyberchef would detect it automagically
Did you copy the ----Begin and ----End lines?
yeah, copied it correctly as well. I'll double check might be empty spaces
can i dm you
can i dm with someone about Web-attacks skills assesment?
okay lmao, troubleshot it.
nano id_rsa gives error
vim id_rsa is the correct one
lololol
maybe lmao
xD
weird tho maybe i go with vim now instead of nano
shouldn't affect
yes sir :< now tried with nano as well, now it works, weird, skill issue for sure
yea, thanks thanks! 🙏
Check openssh private key format to ensure you are copying the correct content of the found key.
yes sir, done with the hard lab now tyty
Congrats, what was the issue?
😂 I was sure!
I've been enumerating alex's windows machine for a while now and can't find anything useful
I found the conversation between him and the 'operator' on his machine but it's only a notepad .txt so it doesn't identify the operator either
And I can't get into the MySQL application that's on the desktop either
attacking common services?
it is MSSQL
sometimes passwords are reused
oh
I think I know what you mean
Nvm no I don't lmao
Am I on the right track at least?
Run as a more privileged user
I tried that, it's denying me access
You're not being specific enough: also make sure the logon mode is windows auth
To add on: sql service is only accessible via the lab, not external
I've tried those too
and wdym it's only accessible via the lab? Like from the pwnbox linux machine? not including the xfreerdp machine?
from the rdp session
Ok I'm still being denied access
right click > run as administrator
but you should be trying this stuff alone
in order to learn
I know i've done that already
it works
wrong password then
I'm using the one associated with alex's account that I found on the ticket.txt file I found earlier
Wrong then
Like I said earlier: start digging around
Sometimes passwords are in plaintext somewhere on the system, browse the files that he has access to
literally enumerate a little his personal folder
AD - Privileged access
Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt.
So I RDP with the given creds, and I'm supposed to use mssql with a specific command but it almost seems like I need to do some kind of pivot or something? anyone have a nudge?
You should be able to specify a db with sqlcmd
mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth
You'd still need a host with access to that internal network (if the initial target isn't linux)
So can you break it down for me?
I RDP into the host which is a 10…..
That host has access but not sure what to do. I tried copying mssqlclient to RDP but PowerShell wouldn't run it
There's a windows version sqlcmd which is native to systems that have sql installed
what do you mean
I am in the MSSQL application but can't find any leads
any leads?
Like any further clues
Are you referring to the master, model, msdb, and tempdb ?
those are standard
There's more
automod gotcha ass
If there's a link use a backtick before and after
why I can not post anything?
like this
Because what you're trying to post is getting flagged by automod
It's hitting a false positive for spamming probably
You can get around this by linking your main htb account to discord following the instructions in #welcome
yes, got it, when I tried to paste a multiline message it recognized it as spam
there are 5 valid user:password combinations
any of them let you tamper the cookie to get admin
haha, this is disaster module for me 🙂
these what I found give me nothing, just regular pages, no flags inside
yes
just tamper the cookie 🙂
I did 🙂
do it correctly
||support.gr:support - NjhjOTI2MDA5MDYyMGU1ZjQ3MWVhYWVlY2IwYmNlNTk6NDM0OTkwYzhhMjVkMmJlOTQ4NjM1NjFhZTk4YmQ2ODI%3D||
tried already
to ||admin, administrator|| and many other similar like ||root, superuser||
```php
<?php
// usage: php cookie.php <user> <role>
[$user, $role] = [$argv[1], $argv[2]];
$login_md5 = md5($user);
$role_md5 = md5($role);
$ooo = $login_md5 . ':' . $role_md5;      // md5(user):md5(role)
$sessid = urlencode(base64_encode($ooo)); // base64, then URL-encode
echo $sessid, PHP_EOL;
```
this is the php script I've created
it allows me to pass the cookie and I have the authenticated response
but no flags inside 😦
come DM
I'll try again
I have the credentials for the admin but they're not working. What am I missing? https://academy.hackthebox.com/module/77/section/728
works for me
ensure you are writing it correctly
I copied and pasted and also entered manually neither work
those creds?
That worked but how did you know that?
read the section
what do you think
any time
Does this come with experience or how did you know to search in that one specifically
accounts?
The module tells you about looking in non-standard databases
I'm not sure which file it was in so I should go look again
go ahead and find it !
But also you should just be looking at EVERYTHING anyway
treasure hunting = CTF
yeah, but there are like a million files for the folders inside the accounts tab
you guys knew because the one that had the ctf was in plain sight?
Database
Nope
I fumbled around each db until I found it
¯\_(ツ)_/¯
Okay I'm just making sure it was a process for you guys as well not just for me
Attacking Common Services goes through the actual command line queries you can do
lol its a database go for tables
Cuz u guys make it seem ez
It's all about your methodology
for this exercise going for the command line is hitting yourself
Mine is "gain access, look at all things relevant/that stick out"
Wait what
you open the Databases folder, you see the accounts database, you look at the tables, you open the table
You can do it via the create query option in the GUI or the command line and powershell/cmd terminal
why would someone do it more difficult xD
I did it via the create query
good job but overkill !
How did you do it?
You can just click through in the lefthand browser
I thought that was easier
clicking with the mouse
wow 😂😂
methodology -> click a lot of stuff
I did over kill it
its like fkn treasure hunting
the worst part of enumerating is looking through stuff, but it has to be done
doesn't hurt to know ¯\_(ツ)_/¯
You still got the right answer
yea Transact-SQL is super useful
but GUIs are designed for standard employees using MSSQL xD they don't like command line at all
And truthfully there's only a handful of ways to get it, right click > view, query button, sqlcmd, create a dynamic port forward tunnel
the port forward is a sexy one
Wholly unnecessary but funny af
Imma act like I know what it is and then hopefully I'll run into it later down the road😂😂
Good news, there's a whole ass module on it
(It's mostly different techniques)
Okay nice thats reassuring I'm just not there yet
Nice
I'm starting to realize how ambitious I was when I said I wanted to get the CPTS in a month😂😂
a little TOO ambitious actually
You just need to beef up your methodology tbh
But that comes with practice
And even just taking notes properly can help
Don't just copy/paste a new command that's given to you
Break down what the individual components do
Such as, ssh user@ip [-i id_rsa]
And knowing how to use the flags to connect to nonstandard ports as well
:p
Yea you've mentioned it before a while back and that's what I've been doing, and I can admit that approaching the material from that viewpoint has definitely increased my overall productivity and efficiency as a whole
Imma try and knock out the hard lab tonight so that I can finally move onto the next module tomorrow, wish me luck hombres
Any pointers would be greatly appreciated too haha
And again each lab stands separate from the previous labs right? So the credentials I found for HTB are irrelevant?
Yep
anyone remember this part?
where did we identify that? i have been following the module thoroughly and didnt see
idr, it might've been something you coulda spotted with bloodhound but weren't required to. I don't remember
BH has not been used at this point
so I'm wondering why they write that
rpcclient maybe?
hmm maybe
hey, anyone know this error?
recommend those slides to me plz. I'm losing my mind
I'm already stuck on the Hard lab for the footprinting module
I've tried enumerating pop3 and IMAPS as well as ssh, and haven't gotten any luck
anyone who can give me a hand, is this command ||lsadump::dcsync /user:ACADEMY-EA-DC01\kbrtgt|| the right command to get the KRBTGT hash for the child domain?
I finally found it! It says <!-- TODO: remove test credentials admin:password123 -->. Thank you so much!
Read the engagement part carefully and think what that could mean
I know its referring to mail exchange, so I should be focusing on pop3 and imaps
And I know those are the ports that are open too
Read even more carefully
It's noted as also being used for something else
A backup server?
stuck on Intro to C# Skills Assessment, when trying to access the GetWordList() method I get this error
Unhandled exception. System.TypeLoadException: Could not load type 'Assessment.Words' from assembly 'assessment, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'.
I've tried making sure the build architecture and dll architecture match, I'm pretty sure I have the dll linked appropriately. Not sure what else to check
Are you asking or telling
I'm telling you lmao, but I'm trying to figure out how that's a clue
Well what section talks about that and a highly specific port
In fact there's an enumeration tool named after that port
Okay let me try again
I see what you mean that the server has the function of a backup server, but I don't get how that's a clue when I'm getting denied access to begin with
Does this have anything to do with it?
anybody got BH community edition working ?
it works but the GUI is totally not user friendly unlike the classic bloodhound
sadly it is getting deprecated !
Think you could help a brotha out decoding what Marcie said earlier? ^^
Please my good sir
The third server is an MX and management server for the internal network. Subsequently, this server has the function of a backup server for the internal accounts in the domain. Accordingly, a user named HTB was also created here, whose credentials we need to access.
I know I've read it a million times, I don't get how that's a clue when everything I've tried to enumerate it is being denied
And I see that you're emphasizing the backup part
Then take a break, and come back with another approach. Pentesting isn't easy, not everything works flawlessly. What you're doing in this module, in real life would take weeks. Take your time, this isn't a race. If we give you the way to stuff then you won't learn nothing, cliche as it may seem.
Hey I have a quick question, when using nmap why would you want to include --disable-arp-ping, -n, and -Pn? Why is it important to disable arp pinging and ICMP echo requests?
Am I missing the big picture?
Or is this skill based 😂😂
Hopefully someone can tell me what I'm doing wrong here.. To preface, I'm working through the cracking passwords with hashcat module.
Whenever I attempt to echo the 7zip hash into a file, the hash gets changed and ends up starting with something like zbash9bash<...>. Trying to work around it, I save the text manually using notepad++, cat the hash and the command input ends up at the end of my hash on the same line and I feel like this is affecting my ability to run hashcat on the hash.
did you get the credentials?
scanned udp in a correct way?
ssh is usually a hole without creds, SMTP ports also need credentials since they are mail services
You would use --disable-arp-ping if the network you're in has, for example, a router that answers every ARP request; otherwise the scans would be useless because they would always result in IP addresses showing as up when they're not. The -Pn option skips the host online check that nmap does; when breaking into a Windows machine it's advisable to use it because Windows doesn't answer ICMP pings.
The other reason is performance: imagine you're running a scan on a /16 network; without -Pn nmap would check whether the 65k IP addresses are online before scanning the ports.
and since there are no more TCP ports
the meat has to be in the UDP protocol
nmap -sU -v --min-rate 2000 <ip> --open | grep -v filtered
my rdp says [Loaded fake backend for rdpsnd] Black screen on rdp server
how to fix it
for RDP i recommend doing it from your Windows host if u have one
what is the command you're using to connect to the host?
xfreerdp /v:10.129.201.234 /u:htb-student /p:Academy_student_AD!
ohhh ok thank you, it briefly went over it. Also when using --min-rate #, is there a min-rate that nmap runs if you don't use the command, if so what is it?
session : passwordspray from windows
module : ACTIVE DIRECTORY ENUMERATION & ATTACKS
working for me, same command same module
but i have xfreerdp installed manually
latest version
🤷
Try enclosing the password in single quotes or double quotes like
xfreerdp /v:10.129.201.234 /u:htb-student /p:'Academy_student_AD!'
or
xfreerdp /v:10.129.201.234 /u:htb-student /p:"academy_student_AD!"
Or try updating xfreerdp as @sly dome said
okay
should not be a problem here, '!' is not a reserved bash character but just try xD
but as i said
use your Windows host to RDP
better compatibility overall
yes cracking passwords with hashcat module.
Which section you're stuck on?
I got it [xfreerdp /v:10.129.201.234 /u:htb-student /p:"academy_student_AD!"]
thanks
remove the double quotes
you should also get it
also the password is Academy_student_AD!
Cracking Miscellaneous Files & Hashes
I've extracted the hash from the 7z file but whenever I attempt to echo the 7zip hash into a file, the hash gets changed and ends up starting with something like "zbash9bash<...>" instead of "$7z$0$19$0$$<...>". Trying to work around it, I save the text manually using notepad++, cat the hash and the command input ends up at the end of my hash on the same line and I feel like this is affecting my ability to run hashcat on the hash. Running hashcat on the notepad++ saved hash it gives me a Token unmatched error.
yes
just copy paste the output
and you have to change it a little
john format usually differs from hashcat
-m 11600 $7z$0$19$0$salt$8$f6196259a7326e3f0000000000000000$185065650$112$98$f3bc2a88062c419a25acd40c0c2d75421cf23263f69c51b13f9b1aada41a8a09f9adeae45d67c60b56aad338f20c0dcc5eb811c7a61128ee0746f922cdb9c59096869f341c7a9cb1ac7bb7d771f546b82cf4e6f11a5ecd4b61751e4d8de66dd6e2dfb5b7d1022d2211e2d66ea1703f96
example hash
the problem are the '$' signs
but you should just copy paste the output
7z2john <7z file>, that will output the hash you select it -> ctrl + shift + c if under linux terminal
or redirect it to a file
7z2john <7z file> | tee 7z.hash
I'm still in the same spot, I've tried enumerating the open UDP port with no luck @sly dome
if you still want to echo it, enclose it in single quotes @warped oasis
one is open
use a correct nmap command, nmap -sU -v --min-rate 2000 <ip> --open | grep -v filtered
IDK, maybe it's a problem using wsl Ubuntu or something but my command:
hashcat -m 11600 $7z$0$19$0$$$9c7684c204c437fa0000000000000000$1098215690$112$106$7395978cad9ad8b18aef51ba2f9dcf909a1bff70d240b1c8e98dffabd352d69a1f37978e5df0179860d0fe4754721ae3cbbee1b558d93cd27e0b2959efe44a00305f982527d19584d62bcf8c23cf89e24fd19db844108e452a26d4a8343d504fc3063744d081db1492ea1cdef7a9b983 /usr/share/wordlists/SecLists/Passwords/Leaked-Databases/rockyou.txt
produces the error:
Hash 'zbash9bash3948c7684c204c437fa00000000000000000982156901206395978cad9ad8b18aef51ba2f9dcf909a1bff70d240b1c8e98dffabd352d69a1f37978e5df0179860d0fe4754721ae3cbbee1b558d93cd27e0b2959efe44a00305f982527d19584d62bcf8c23cf89e24fd19db844108e452a26d4a8343d504fc3063744d081db1492ea1cdef7a9b983': Separator unmatched
enclose it in single quotes or save it in a file
I tried that already, and I got the same thing as before ||161||
I know its ||snmp||
hashcat -m 11600 '$7z$0$19$0$$$9c7684c204c437fa0000000000000000$1098215690$112$106$7395978cad9ad8b18aef51ba2f9dcf909a1bff70d240b1c8e98dffabd352d69a1f37978e5df0179860d0fe4754721ae3cbbee1b558d93cd27e0b2959efe44a00305f982527d19584d62bcf8c23cf89e24fd19db844108e452a26d4a8343d504fc3063744d081db1492ea1cdef7a9b983' /usr/share/wordlists/SecLists/Passwords/Leaked-Databases/rockyou.txt @warped oasis
Hash '$7z$0$19$0$$$9c7684c204c437fa0000000000000000$1098215690$112$106$7395978cad9ad8b18aef51ba2f9dcf909a1bff70d240b1c8e98dffabd352d69a1f37978e5df0179860d0fe4754721ae3cbbee1b558d93cd27e0b2959efe44a00305f982527d19584d62bcf8c23cf89e24fd19db844108e452a26d4a8343d504fc3063744d081db1492ea1cdef7a9b983': Token length exception
you did not @hot heart
I swear