#modules
save it in a file idk
you are just being little dumb here @warped oasis
your hash is wrong btw
copy it from the output
from 7z2john
These both returned nothing:
||┌─[us-academy-1]─[10.10.15.249]─[htb-ac-657630@htb-ruckg6ubhl]─[~]
└──╼ [★]$ snmpwalk -v2c -c public 10.129.223.58
Timeout: No Response from 10.129.223.58
┌─[us-academy-1]─[10.10.15.249]─[htb-ac-657630@htb-ruckg6ubhl]─[~]
└──╼ [★]$ braa public@10.129.223.58:.1.3.6.*||
probably public is not the correct community string
go to the snmp section
read it again
Now that was way more useful than telling me how dumb I'm being, feeling dumb enough over here. It looks like a $ got dropped inside the hash.
you should not be copy pasting the hash in the hashcat command
get used to copy them to files
tell me if you can crack it
yeah solved
I'm pretty sure I've found Tom's credentials FINALLY
I'm taking a break after this lab 😭😭
I just wanted to show you that your advice helped
Oh
thanks, that's motivating
dont have to rush the labs
you've rekindled the fire my good sir
take your time
you tried one thing it didnt work you came over here
you did that like 5 times today
keep trying and understanding what is happening
why something works? why doesn’t? ask that type of questions
to yourself
and quality hours >>> quantity
just stop
After this lab I'm going to start from the beginning and really engrain the information that's been given
hopefully HTB servers are gonna be in the same place tomorrow
kk if u want
because I want this lab done so I can go back without having that itch of not having it complete
I won't be able to focus on the past material knowing that this one isn't complete
It is late
you're probably right
Imma go at this for a little longer and then probably call it a night after 1000 failed attempts
I didn't even watch the world series I wanted this done so bad 😭😭
I think Imma swallow my pride on this one and just go back and relearn the material, thanks for the help @sly dome and thanks for the helpful tips
Hi All, currently on Pivoting, Tunneling And Port forwarding ---> SOCKS5 Tunneling with Chisel, I have created a Chisel binary and transferred it to the target pivot machine, when I try to start a Chisel server on the pivot host I receive the error that says some libraries are missing on the machine as follows
ubuntu@WEB01:~$ ./chisel
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./chisel)
@slate creek Its been a while since i did that but from memory i had to use an older version of chisel
Hello
you can use an already compiled binary as well
How can I have access to such binary? xd
search on google for chisel, then on "jpillora" repository there should be the binaries
thank you.
hi im stuck in AD skill assessment 1, question 6 Submit this user's cleartext password.
- got hash but can't crack it
- try to create lsass
- try copy/move lsass to my linux but always fail
any hint ?
In my case, I cracked the ticket
with rockyou ?
yes
nvm i just dump
read and follow #welcome
also you just pinged a random person
on Module: Web Proxies, Session: Zap Scanner
I've started zap from History tab I start Attack > Spider, and from the built in browser nothing happens when I try to click spider (add the ip) and start.
Get the following result. Feeling like I'm missing the alert to be looking for.
Am I doing something wrong with Zap?
Web Proxies. Hello Guys, How to setup FoxyProxy to only route traffic for a specific website. I added the IP on /etc/hosts with url proxy.htb so i want that BURP intercept traffic only for http://proxy.htb and not other websites like https://youtube.com
you can paste the domain URL in "Proxy Settings -> Project -> Scope" in Burp and filter only for in scope request, otherwise in "foxyproxy" go over "patterns" once you have whitelisted what you need, select "use enable proxies by patterns ...". I'm sure a quick google search will show you how to do it too
https://academy.hackthebox.com/achievement/652912/232 finally, loved this module
The NTLM authentication protocol is commonly used within Windows-based networks to facilitate authentication between clients and servers. However, NTLM's inherent weaknesses make it susceptible to Adversary-in-the-Middle attacks, providing a significant attack vector. This module focuses on the various NTLM relay attacks that attackers use to co...
Thanks @fiery berry
If you still need help, send me a DM
Can I dm you?
And try to help u
sure
Module: HACKING WORDPRESS
Topic: Remote Code Execution (RCE) via the Theme Editor
Use the credentials for the admin user [admin:sunshine1] and upload a webshell to your target. Once you have access to the target, obtain the contents of the "flag.txt" file in the home directory for the "wp-user" directory.
Hi guys. I did not understand the part obtain the contents of the "flag.txt" file in the home directory for the "wp-user" directory. WordPress doesn't have wp-user folder elsewhere.
Maybe not on the website itself. But that's what the webshell is for
static compilations 💪🏻
I found this post. Maybe I must do it by writing commands?
E.g. curl -X GET "http://<target>/wp-content/themes/twentyseventeen/404.php?cmd=cat /home/admin/wp-user/flag.txt"
Just a wild guess 😢
That's generally what you do with rce
found the flag, thank you so much 🙂
no i pinged moderators
Check again, you did not and in a server this large, pinging roles will be disabled
okay
no offence but how did you become a moderator?
lmfao
sure...👍
you good?
👍
should not the DC under the sections of AD enum & attacks have LDAP open?
agreed
If i did the module, i would be able to answer
Module: HACKING WORDPRESS
Topic: Skills Assessment - WordPress
Hi again. I spawned and got an internal IP address. I am connected to edge-eu-academy-2.hackthebox.eu VPN. I am using a Kali VM on Virtualbox, managed to connect it to the VPN and tried to ping the target IP address. It's up according to ping.
I'm using WPScan for this assessment. Unfortunately, WPScan did not detect the IP address running WordPress. Why is that?
i will try later resetting it, weird it has LDAP closed
being a domain controller
the wordpress is not there !
if you did the ffuf module you have to know how to find it
It should be. The Skills Assessment is WordPress though haha
Hmm..It's quite weird. The questions are asking for WordPress details
find the wordpress under the domain
😭
Check the SourceCode from the Site
why are you ignoring what i said
🤣
its not there
domains can have directories and/or subdomains (virtual hosts in this case)
tried traceroute but no luck. do i need to assign the IP a local domain name?
like editing the /etc/hosts file?
No, read the SourceCode from the Page. Follow the Links
You could test your logic by trying it
From what I can see there are enough hints given that can help you
on the final question of the bloodhound module "Find the percentage of users with a path to GLOBAL ADMINISTRATOR. Submit the number as your answer (to two decimal points, i.e., 11.78). "
The query is killing me though
||MATCH (totalUsers:User {domain:'INLANEFREIGHT.HTB'})
MATCH p=shortestPath((UsersWithPath:User {domain:'INLANEFREIGHT.HTB'})-[r*1..]->(g:Group {name:'GLOBAL ADMINISTRATORS'}))
WITH COUNT(DISTINCT(totalUsers)) as totalUsers, COUNT(DISTINCT(UsersWithPath)) as UsersWithPath
RETURN ROUND(100.0 * UsersWithPath / totalUsers * 100) / 100 AS percentUsersToGlobalAdmins||
oh, i see. i found the local hostname. thank you so much
I'm using the hausec link
You need to rebuild the statement from this page for Azure
I'm an idiot, forgot...thanks
is HTB academy down?
no
"Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory. "
I don't see the file that they use in the module example for crontab that you would use when searching for 'svc_workstations' . So would I use the available script thats in the output of the command 'crontab -l'?
I wouldn't rely on what the module is showing since when answering the "Questions" you need to use what you have been taught and your brain. Did you check the content of that script by the way?
Well I only follow that module because until the 4th question , word for word its been following what is exactly in the module. And I have not. I probably would use a cat command for that
then go ahead
Now I see it
who can help me with this module's last question? I wrote an xml language but it's not right. https://academy.hackthebox.com/module/216/section/2300
i think they should add ldapdomaindump to the AD module, it parses the info in a nice HTML format
this is 2 cool
Yeah, it's pretty neat
but the module itself is long enough xD
True, and they can't possibly cover every tool
but they covered enum4linux which imho is meh
i think this is about own methodology after all
but cool !
this is nice
btw how do i remove bloodhound data 😆
clear database
i can also switch it
if you have pro version
otherwise you can only have 1 db
i have the zip files so is ok
Can I pm you my query, it's driving me insane?
sure
thanks
please.
Ask better in #challenges
hello guys
I have one problem with the hashcat module
the question: Identify the following hash: $S$D34783772bRXEx1aCsvY.bqgaaSu75XmVlKrW9Du8IQlvxHlmzLc
I use the hashid and says that is wrong, i look at the hashcat ref and got the same...
I tried many different variations of answers and it didn't work either.
I have no idea how to complete this box. I have done the scans and searched for exploits but that is where I get stuck https://academy.hackthebox.com/module/77/section/843
I have also determined SSH is open
Read the Hint
can anyone give me a hint for password attacks medium
i looked around for files but couldnt find anything interesting
i got the ssh but dont know how to proceed
anyone?
im still stuck
Has anyone completed a Citrix Breakout Section in Module Windows Priv Esc?
ok i got something
Windows Event Logs & Finding Evil - Skills Assessment, someone is stuck on it too ?
DLLHijack seems like a complete fucked challenge
PowershellExec was easy
is there any hint for INTRO TO ASSEMBLY LANGUAGE Skills Assessment task 1
Module: PIVOTING, TUNNELING, AND PORT FORWARDING
Section: Skills Assessment
Question: In previous pentests against Inlanefreight, we have seen that they have a bad habit of utilizing accounts with services in a way that exposes the users credentials and the network as a whole. What user is vulnerable?
I was attempting to transfer files to/from || 172.16.5.35 || and my attack host but I had not been successful. Went back and (with the help of some hints from the channel here) tried a number of things. Finally figured out a way to get the files back to my attackbox.
||However, in the middle of that process, one of the potential fix actions I tried was getting a reverse http callback with an exploit and it's been failing. While my direct issue is addressed, I've created an itch and I don't know how to scratch here. So steps taken: generated an exploit for the target host, transferred the exploit to the target host via the pivot host, started a msf listener on my attack box, opened a ssh reverse tunnel on the pivot host; and, ran the exploit on the target host. No call back. I triple checked the IPs and ports on the exploit, handler, and tunnel. Not sure what I'm missing here.|| Any insight would be welcomed.
make sure you use the type that starts with 7. If you're cracking a single hash, don't forget to put it in apostrophes or make a dedicated file. 😉
It's first asking to id the hash
Ahh I see.. my bad
Which if you look up hashcat example hashes, there's only one
on the getting started module with web enumeration, i was able to get the test credentials needed, but im confused on how to use them to login/get to flag from terminal
Just go to the webpage in Firefox
Technically yes, however, that's not the point. There's a login form you can enter and boom you're in. You can't 100% rely on terminal for everything
ahh gotcha, fair point
hey guys I'm stuck with the last question from Attacking Domain Trusts - Child -> Parent Trusts - from Windows any hint would be appreciated....
who completed this Bad grades challenge ? somebody can help me to get flag on this challenge.
#challenges is the appropriate place read #welcome on how to gain access to more of the server
Don't dm me. Read #welcome it gives you step by step how to access the rest of the server
Hi there.
Is there any room/machine/lab I can use in order to demonstrate the first 3 Pentest phases?
Recon
Scanning
Gaining Access
Thanks in advance.
Most boxes do 2/3 there really isn't much recon on htb labs
Role doing the surface, splendid tractorizes in a glance of technique.
Do you actually contribute anything meaningful in your replies?
well, it's honesty
Its a bunch of nonsense, I don't even know what you're saying
All you've said is some cryptic half AI generated nonsense that doesn't make any sense at all to anyone
Hello Everyone!
**Module: Linux Priv Esc
Section: Sudo**
I tried everything in this section, doesn't work at all, searched for sudo version exploit, but there isn't even a gcc or make command on the box, checked sudo -l, and there's just ncdu that is not on GTFOBins (also searched in google), could anyone help please??? (completed everything on this module except this section)
Sorry 😔
Just ask your question here
Ok
anyone know why the DCSync attacks with Mimikatz in the attacking domain trust windows section do not work?
Hello mate, can i DM u please?
ACTIVE DIRECTORY ENUMERATION & ATTACKS
Privileged Access
What other user in the domain has CanPSRemote rights to a host?
Used given cypher query:
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
Only gets forend user but it wants a different one. What am I doing wrong?
Their question was on an active box
into the output try to move up or decrease the zoom
tried playing around with the zoom can only see forend
try this one : MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
and lemme know if works...
Remote and insightful. The test of doubling hash tags and stuff is just worryings for an eternally quest for solution.
does not work 😦
Hello friends, I am in the Password Attacks Lab - Hard module and I have chosen david's password but when I enter the smbclient I get the following message
╼ [★]$ smbclient -U david%Q****y7! \\10.129.202.222\david
session setup failed: NT_STATUS_LOGON_FAILURE
try with smbmap, crackmapexec, smbclient even try to mutate the password and nothing
are you wrapping the password in quotes
! is a special bash character that will get interpreted before it gets passed to the application
did you copy & paste my raw query?
which means the password smbclient sees and what you wrote arent the same
yes
and not worked?
nah
weird
@thorn urchin can i DM u?
about
maybe ill try resetting the machine
ok.
about a linux priv esc
just ask the question here
i asked too many times, no ones know i guess...
Module: Linux Priv Esc
Section: Sudo
I tried everything in this section, doesn't work at all, searched for sudo version exploit, but there isn't even a gcc or make command on the box, checked sudo -l, and there's just ncdu that is not on GTFOBins (also searched in google). (completed everything on this module except this section)
They added that section after I did it
anyone, know what could be the error?
but it's extreme unlikely that they added ncdu to sudoers for no reason
so its very likely the path, I would suggest digging through the man pages for ncdu to see if theres any functionality that could be leveraged or dangerous if you had elevated perms
yeah i know it, i can examine a /root with sudo ncdu, but i cannot open a file, move, or spawn a shell with this binary
also did citrix breakout section in win priv esc added after u did pass the exam?
yup
thats very funny bcs i did 99% of course and cannot finish this things just bcs there is a way that i see, like rabbit hole, and asked too much time in discord and nobody know this fking sh1t
comedy...
I got a few minutes at work, let me poke the section real quick
thank you sir ❤️
I did it
that was quick
you need to read the in application help closer
do u mean man ncdu? didnt understand u well
nah just looking at the help from running ncdu
the 'hard' part is actually getting sudo to run it as root. Getting shell is the ez part
well first was done, i will check that thing
thank you a lot
np
imagine the skill issue when he completed it in 2 minutes
yeah, he is goat, im just noobie
reading is OP is all
I actually couldnt find that option in the regular man pages lol
but built in help is OP
with the ? key probably
yup
after sitting at the pc for 8 hours, and constantly what to do, it greatly affects this skill, but yeah i re-read it and found an option
@thorn urchin thanks again sir
np
reset the machine, did the same exact thing, and NOW it works. sometimes these machines just dont work properly. thanks for the help
why are you not taking resta
rests
well im trying to take rests, but trying to complete everything fast(CPTS,OSCP,etc.) and find a job until december, so yeah a little bit hard
… 🤦
yeah sounds stupid, but without uni degree thats all i can do to find a job
Rushing through things is really not recommended
You'll end up dropping info
Everyone progresses differently
but I know that as much as I desperately want a job switch, Id have a lot harder of time being stressed out if I NEEDED a job by X date
I think if it's a matter of NEED, you take whatever you can get, not try to break into pentesting
^
The job market is trash rn
You're better off going into tech support or low level and transitioning to cybersec
100%, it will improve eventually, but for now it is what is
CPTS is not something that can be rushed I feel, personally at least
I’m kind of in no hurry, I started at the end of the summer, all this time I was taking a course and playing machines at HTB, and then I wanted to start the exam, but then it turns out that I have to finish everything with 100%, and it feels very different when you do a real case or you pass an exam (there you get 100 percent perfect, but here the modules are already boring and monotonous)
Ask anyone, you really don't want to try the exam without completing it 100%, there's a good reason they don't allow it
sure
guys here already helped me with my question, thank you anyway sir
have questions on the module **ATTACKING WEB APPLICATIONS WITH FFUF** filtering responses on size says "Filter HTTP response size. Comma separated list of sizes and ranges" Doesn't that mean for example that "ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://83.136.253.102:52466/ -H 'Host: FUZZ.academy.htb' -fs 0-900" would get me responses in the size between 0-900?
so if I would like to filter for > 900 , what should I use?
Well if you're filtering out 0-900 then all other results will be greater than 900
<@&861185840277487616>
<@&861185840277487616> wouldn't be surprised if other channels
Woulda been sooner but discord kept jumping around and making me tap on the wrong tag
ah got it, thanks!
hi guys!
i have some troubles with aquatone in the Attacking Common applications module
i followed the module very strictly
i tried researching this error but no luck so far
has anyone encountered this problem?
Which directory are you in? Do you have write access?
i have /opt
A user normally has no write permissions in /opt
Try it with sudo
Copy web_discovery.xml into your home directory
Then run
cat web_discovery.xml | sudo /opt/aquatone -nmap
Aquatone is also no longer being updated or maintained I thought
uhh
thats bad
yeah i see last release from 2019
2nd question form this module needs the aquatone
...
Last updates were in 2019, I don't recall though having issues with it
Error's different this time, haven't done the module, but are you sure whatever's supposed to be in the web discovery file is there?
^
And your Nmap output was created using -oX?
sudo nmap -p 80,443,8000,8080,8180,8888,10000 --open -oA web_discovery -iL scope_list
Is there a way for my flipper zero to make fake networks that find data? (this is for LEARNING)
Module:Active Directory Section:Enumerating & Retrieving Password Policies Question:What is the default Minimum password length when a new domain is created? (One number) Done so far: rpcclient getdompwinfo, crackmapexec but everywhere 8 chars long
You should probably read up on flipperZero docs if you wanna figure it out
i would jump to pwnbox but since aquatone need chrome right? on pwnbox there is none if i am correct
locate chrome
configure pwnbox?
there is none
i guess i have to install it
i installed it on Pwnbox
like this it works
...
This helped me greatly!
hello, can someone help me with this error?
Active Directory module, Attacking Domain Trusts - Child -> Parent Trusts - from Linux
Attacking smb. Can’t download id_rsa to log in as ssh does anyone know what I am missing to get the file
So when I log in as ssh without idrsa it gives permission denied but does not get to password entry
I meant when you try and download the id_rsa
When try to download via smb only read permission
When it tells you no, it usually gives a reason and auth types allowed. Most likely one being (publickey) if it's not configured for password: you won't get password prompt
I don’t think it was letting me open it either
Is there a command to open a file to read it in smb
I’ve been looking online
Ok thanks I’m assuming so I’ll try it
I thought I had to find a way to download it but if I can read it then yea for sure copy
I dont know what module you're working so can't be more specific
thanks
You are saving the ticket in the / directory, in which your current user doesn't have permissions. Try navigating to the home folder and try again.
Hint: ||payloadallthethings||
So once I find the 'kinit' command in the script output I found with 'crontab -l' Am I suppose to run the 'kinit' command in that terminal?
oracle TNS
Were you able to figure any good resources to help with this module? I guess I'm dumber than I thought, but so far the material feels like " 1 +1 = 2, now go ahead and resolve this college level algebra problem" lol...
Maybe we can help each other. I was able to figure out everything else but second PowershellExec challenge. You game? For dll, I ran a getwinevent on unsigned loaded dll.
So I resolved that issue. For julios question I am having trouble copying this file to root. the file is in /tmp
"Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio. "
Doing linux fundamentals & have question "How many total packages are installed on the target system?"
Tried 'apt list --installed | wc -l' and I feel like that's it but the box disagrees..Any suggestions?
Nevermind. I resolved that
maybe installed through snap or other package manager other than apt?
Anyone doing the Advanced XSS & CSRF? On the CORS Misconfigurations -- can't tell if the site is massively glitched, gotta really baby it, or just hit it lucky -- while I've gotten some test responses from the server, (a) not consistent, (b) every time I then try to go to the actual payload of course nothing. EDIT: Solved. Swear sometimes just gotta put out there that lost, then your mind can figure it out. Anyhow, (a) I def had an error I realized, and (b) still remain skeptical on if gotta baby the site, strike at the PRECISE moment in time, or what...
The password attacks password mutation module is taking forever to crack. Is there a more focused simplified way to do this?
I can't speak specifically for this module, but remember many of the pw modules being... frustrating. Are you using a GPU on bare-metal with hashcat? If not... ugh
its not the one about cracking
No, VM.
any hashcat process i've done for the academy took me less than 1 second
I have another laptop with a GPU, I might have to use that.
1523 hours is a lot
nothing related to GPU here
Cracking would be hashcat (or john) -- brute forcing would be hydra.
1st. Do no brute force SSH with hydra
There is FTP open
maybe FTP password is reused on SSH
you wont start on difficult stuff like bruteforcing SSH
That's what the last module taught me how to do it.
So this is NOT cracking pw hash then? If the case, then yeah -- GPU, baremetal vs. VM, not gonna make a diff
start on easier things like brute forcing FTP
I'm on the academy module for password mutations
I've done like 75+ academy modules -- I don't remember the specifics of each and every one -- admittedly in re-reading, maybe you're using "crack" not in the context of cracking a hash, but rather crack as in solve, my bad.
yea he missed that, he was referring to brute force
yeah, I misspoke
go for FTP with maximum threads
but it did tell me to use hydra for ssh
-t 64
hmmmm
I'll try that then
Read the question again it's asking you to find their password, then log in with ssh
Not brute force ssh
This module gives you step z and expects you to take logical steps between a and there
there is a tool called ssb to BF ssh but it doesn't like long passwords lists
anyways, FTP is open here for a reason
good luck buddy
Thanks
Just to make sure I'm on the right track, I'm using the password list and the rules list from the resources file?
It is saying 94044 login tries and around 5 hours
Am I supposed to use the custom.rule file in the ZIP like the lesson instructed or should I just go with best64.rule?
custom.rule
did you sort -u?
Yep that's right
cool then, just let it be 🙂
yes, sort -u was part of the command
nice nice
You can use more threads
i didnt remember the amount of passwords
yeah, I need to split it up and use more threads
It is indeed 94k passwords
Don't need to split the list just more threads is fine
This module is all about patience
I appreciate the help, I was trying to be patient, I just wanted to make sure my commands were correct so that I didn't waste a bunch of time.
its around the 17k
After* if you wanna be technical about it
As most suggestions have been to use a sed command to eliminate the first 17k passwords
I ballparked it and deleted everything before 12k ish and did -t 64, it popped almost immediately!
Thanks again!
For the password reuse/ default passwords I figured out the answer, but it was by guessing with the resources given in the lesson. How was I supposed to use the credentials from the previous section?
Ssh?
Probably you should've brute forced the mysql service with default credentials which was local
You weren't, this is about default creds
you can do a simple thing to verify by ssh as user and attempting the logins manually
I just used a couple of default creds manually while I was ssh'ed in as sam and one worked.
🤷♂️
And that was the point lol
hey i am on Pass the hash module and i cant rdp to given machine
Module : **Web Fuzzing ** - Skills assessment - Q: Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?
Found two extension, am I missing something?
||Only .php and .php7 give 200 reply ||
can anyone test if they can access the machine by rdp or not
Authenticate to 10.129.195.220 with user "Administrator" and password "30B3783CE2ABF1AF70F77D0660CF3453"
i can't either. i'm connected to edge-eu-academy-2.hackthebox.eu VPN
I guess you may freely reset the target
its 3rd time i have reset it
did you reset it? make sure you can ping the ip
If you read carefully it doesn't say authenticate via RDP
can I see your command to RDP into the target?
can I see xfreerdp?
xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:10.129.204.23 /u:Administrator /p:'30B3783CE2ABF1AF70F77D0660CF3453'
try: /pth:<hash>
ok
One it's giving "403 - Forbidden", that's a valid ext
aha, thought only the 200 was the valid ones. maybe I misinterpreted the text in previous session... "We do get a couple of hits, but only .php gives us a response with code 200. Great! We now know that this website runs on PHP to start fuzzing for PHP files."
not the clearest
If you read the following question you'll understand why isn't working. Being said, now you should have understood how to login without using RDP
Hiii
hehe boii
for a beginner would people recommend using the pwn thing on the site or to download my own stuff like parrot to the mac?
its my mistake , i always ssh, rdp to machine before reading module 😅
both
Hmm why's that
I'm totally down for both tho I'm just wondering. Plus ik it'd help with the one a day pwn access
Hey guys, has anyone done the Dante Pro Lab? I have a very simple question about it. Please hit me up if you have done it. Or if I need to ask in some other channel.
Ask in #prolabs-dante
i dont have access to that channel
Did my post get removed? If so then why?
Hey Guyz, I'm doing the active directory attack module, I'm at the first skill assessment and I don't get how to Upload tools in the Machine.
Tried to copy \MyIP\share\MyFile
Tried to powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile
Tried to Upload from the antak webshells
But nothing seems to work
A bit of time passed since I did it, but doesn't have this web-shell a build-in file upload? What about making it simple by uploading a nc.exe binary and go from there
Hi, I am trying to figure out if you get cubes monthly with the Silver Annual plan. Does anyone know? 
You do not, you get cubes from the modules you complete
The silver annual subscription unlocks all modules up to Tier II directly, without cubes.
What did you post then?
Hi ! Thanks for your reply, It has a builtin file upload, but when you upload the file doesn't appear in the directory where the shell's pointing or in the directory where the shell was installed...
are you sure? What if you try to get a reverse connection back after uploading the file?
If you find yourself in a folder with many files filter the results with dir |findstr /i nc, anyway that file must be somewhere
Thanks !
Get-ChildItem -Path C:\ -Filter PowerView.ps1 -Recurse -ErrorAction SilentlyContinue -Force helped me find my way
Hi, i am on the module related to Windows Event Logs and there is a question i couldnt answer for myself.
See this command:
I understand the first 2 Lines.
The 3rd line wants to inject something in the Process with ID X. But was is the PoshCode in that Case? I think the PoshCode is something i wanna inject, but i am not sure how to get the PoshCode.
Okay nvm. In this case the poshcode is just base64 encoded PowerShell Code.
I DM'ed you since the post was removed again
It probably contains spoilers is why
oh that may be it
Did you edit the webshell properly?
yes this ?
There's another one that you need to edit, the ip section
The section even tells you :)
Hi, I'm looking for an appropriate place to discuss old HTB challenge (Crypto / Rookie Mistake).
Heyo! Anyone here used the w3m terminal browser with burpsuite proxy?
#challenges
If you have no access, read and follow #welcome
I've followed steps and still got "No Access" to link you have provided :(
Probably I'm missing something obvious.
try ++verify
Got it! Thanks!
ACTIVE DIRECTORY ENUMERATION & ATTACKS // Attacking Domain Trusts - Child -> Parent Trusts - from Linux. I got the hash but when i enter it in the answer box it does not say it is okay. can someone tell me the format for the answer
NTLM hash only (the second half)
Great question
Linux Privilege Escalation > Python Library Hijacking: None of the directories in the PYTHONPATH containing psutil appear to be writable to htb-student user and it seems that htb-student doesn't have permissions to modify path. Am I missing something here?
nvm--figured it out
Are there any HTB Academy servers/boxes down atm?
Hey guys! I'm getting a very weird problem with Pivoting (on the Attacking Enterprise module) and I was wondering if there's anyone here that can help? Please PM me if possible, I'm fairly certain I have set up everything right
Anyone know privilege escalation for Grandpa Machine?
Or are there any Admins/mods that could check the status of one? I can't connect to the web server of one that is pingable; it's stopping me from cleaning up unfinished mods
Cheers, Ill go to #welcome and see how to get in 🙂
I have HTB Enterprise so I cant see my identifier?
idk
How can I get the identifier and get access to the no access one?
Maybe the support can help you (green bubble)
can anyone help me with an issue in metasploit? Im trying to solve a module, but this exploit that is required has two variables (RHOST and RHOSTS), but when I set one it also sets the other, but I need the two variables to be different IPs:
msf6 exploit(linux/http/50064) > set RHOST 172.16.1.5
RHOST => 172.16.1.5
msf6 exploit(linux/http/50064) > set RHOSTS 172.16.1.12
RHOSTS => 172.16.1.12
msf6 exploit(linux/http/50064) > options
Module options (exploit/linux/http/50064):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD demo yes Blog password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 172.16.1.12 yes The target host(s), range CIDR identifier, or hosts file with syntax 'fil
e:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The URI of the arkei gate
USERNAME demo yes Blog username
VHOST no HTTP server virtual host
Payload options (php/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST 172.16.1.12 no The target address
Exploit target:
Id Name
-- ----
0 PHP payload
msf6 exploit(linux/http/50064) >
If it's needed, I'm working on module https://academy.hackthebox.com/module/115/section/1139, questions 4 & 5. I am trying to run the 50064 exploit to gain access to the Inlanefreight Gabber website on host 2
Edit: I solved it by ||using a different payload (specifically php/reverse_php)||, however, for the future, how do I fix this issue with RHOST and RHOSTS?
Hey guyz, I'm trying to do the first skill assesment in ActiveDirectory attack
But after uploading a mimikatz using antak I can't make it work (it seems the reverse shell, or the antak shell can't work in its embed format)
So I tried to Kerberoast it from my Linux Machine, but it seems I'm doing something wrong ( I'm currently using the administrator hash extracted from sam/system/security ) to try to use the GetuserSPN.py which isn't working
Any nudge ?
Hello, where can I ask for help about academy modules ? It is currently for Intro to Forensics
This is the correct channel, feel free to ask here!
Okay, so I'm currently stuck for the first question of the Rapid Triage & analysis section where I have to find the new name of the renamed uninstall.exe. I searched in many ways with the Zone.Identifier but I could not find the information
I have a problem with living off the land and question “Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer”
I used a net and qsquery with filters commands
I found users: jessica, krbtgt. Guest but i dont see any flag.
module : ACTIVE DIRECTORY ENUMERATION & ATTACKS session : Living Off the Land
Well there's a user with admin privs, so start with that portion of the question and note it's disabled
Found, 2 hours for a question 😭
i figured it out . feels great!
Hey, I'm trying to use getuserspn to kerberoast the machine in first skill assessment of Active Directory Attack Module
GetUserSPNs.py -dc-ip 10.129.156.4 INLANEFREIGHT.LOCAL/Administrator -hashes LM;NT hash of the admin found using sam secret system key
But can't make it work
This module covers techniques for footprinting the most commonly used services in almost all enterprise and business IT infrastructures. Footprinting is an essential phase of any penetration test or security audit to identify and prevent information disclosure. Using this process, we examine the individual services and attempt to obtain as much ...
Having trouble with the IMAP/POP3 part of the fingerprinting module. I selected the inbox which has the flag mail, but if I use fetch with the "all" flag I don't see the flag
Use 1 fetch 1 body[]
Thank you, will try
I never found that syntax anywhere I researched
I'm gonna have to take good notes on this, wouldn't wanna waste time during the cpts exam looking up IMAP syntax lol
I found it in 5 seconds on Google a long long time ago
Really? I tried hacktricks then looked at atmail, asked an AI search engine which also retrieved information from atmail
Seems like I should have paid more attention to atmail, my fault for just skimming the page
the luck i have, kali failed to install, now pypykatz won't install on parrot.. making a win10 iso to install mimikatz...
Not the place to ask, this is for module discussion only
ftr I dont know of any challenges that can be beaten with only hydra. Itd have to be a super lame challenge
Any tips on the last question on the Skill Assessment of Understanding Log Sources and Investigating with Splunk?
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the process that started the infection. Answer format: _.exe
Tried a variety of process names, tried various techniques shown in the module but for some reason all of them are wrong.
Edit: Answer was right in my face the entire time. Tip from me would be to try to establish a timeline, and re-create the steps taken by the attacker. The answer is discussed previously in the module.
Hi, I have a question about Dante prolab, kindly any one completed this lab, DM me
Could someone tell me the difference between 'http::////127.0.0.1' and 'http://127.0.0.1' what are the extra colon and double slash??
hello there @lethal shard
did you find a solution, can I dm you ?
Am I supposed to find the kerberos ticket for linux01 in the temp directory ?
Nope
the linKatz tool can list all of the Kerberos tickets on the machine...just as long as you run as root?
You just need to run it and see
Hey there what commands other than curl can let you download something from a web server
my mind is drawing a blank atm
Wget
That's weird considering curl and wget are default on linux
its freebsd
Ah can't help ya there
yeah gotta change my strategy
You might be able to install it
not a bad idea actually
thank you currently im just sending request to the root account
Good luck on whatever academy module you're working on
sense lab
This channel is for academy modules on htb

could the kerberos key I need be found in this 'var/lib' directory?
Poke around and find out
I don't have access to the server or channel you shared
Read #welcome on how to gain access to more of the server
anyone had any luck with "Attacking Common Applications - Skills Assessment I", I've located the bat file using ffuf and have listed the flag using the 'dir' command (using burp to url encode) however the 'type' command doesn't work? any ideas/hints? 
How do I get access to HTB: Serious Discussions Channels, any idea?
Thanks for your help!
Hello,
I was working on Footprinting Lab - Easy and while I was able to find the flag easily using the ||ftp server with the non-default port|| I was wondering if there was a point in the prompt pointing out that the DNS server was open. Is there another way to solve this challenge simply by enumerating the DNS server, or does that eventually lead back to the original solution? If anyone would be open for discussion within DM I would love to learn more about it.
Thanks @sly dome for believing in me, I finished the rest without any help. You were the last person I asked for help, and I appreciate the advice you gave me brotha
Noob totally lost on Nibbles. Read everything available still can't get to root.
There's not a lot of instruction on setting up the smbserver.py script in the "Attacking SAM" module.
Where do I put the share?
Inside the path?
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/
is CompData a folder in Documents?
I am confused. The github doesn't have instructions either.
sudo impacket-smbserver Sharename -smb2support \SaveDir
is the "Sharename" a folder in \SaveDir?
CompData or Sharename is the Name you want to give your share. So on the machine you want to connect you call fe 10.10.10.46\CompData
you can name it whatever you want
But do I have to make a folder or does the script make it?
it will save it in the place at the end of the script fe. \tmp
Thanks I'll try it
Same, "system cannot find the file specified"
Nevermind, the windows side was in the wrong directory
Just to clarify for anyone else that runs into the same problem. The Sharename is essentially an alias for the \SaveDir
It does not create a folder with that name inside of \SaveDir with the name of whatever you call your sharename
stuck on one of the modules and it advised that i click request help, so i did, was a channel/ticket made that im supposed to be able to see or is a mod going to dm me or how does that work
It takes a while to get help for the "request help" option. I finished up at 10:00 p.m. last night and didn't get a response until after 2:00 a.m.
what module?
Linux Buffer Overflow section of the Binary Exploitation module.
And okay thank you.
What am I looking for when they help though? Is it a DM?
Yeah, DM.
I haven't made it to BOFs yet. I did them in TryHackMe, but not yet in academy.
Heyo! Anyone know how to reset bloodhounds neo4j db
Hello everyone. Not sure if there's a proper process for reporting typos in the modules, but I found a very minor one under /9/section/48:
(Please see attached). It should read something to the effect of ..."handle different, sometimes adverse, situations where something does not work as expected"
@spring compass f'in newb
for any erratum there is a separate channel: #858470491676737536
community edition or legacy?
community edition the one for linux GUI
the docker version yea?
no im running it locally on Kali
so legacy. are you accessing it through a browser?
This guy here:
nope just a bloodhound&
how does the CE compare to legacy? do you know?
i tried CE but icons were not loading and pre-populated analysis queries neither
Damn sorry I cant post a screenshot on this channel
I feel stupid, Thanks a lot!
Read and follow #welcome and you'll be able to
a lot of features are missing at the moment, though the pre built queries works for me. but I like it more since I can access it directly from my host (through port forwarding) so it's a lot more responsive in general
i dont understand the part about accessing it directly from your host as a comparison between CE and legacy
a
talking about the rendering part, since it's essentially a web application, viewing it in a VM with a lot of nodes drawn are quite laggy without gpu acceleration, accessing CE directly from my host's browser makes it much better
I agree
Im trying to verify but i cant
I have a question do I not have an account in htb app if i have an account in htb academy or am i misunderstanding something?
that's correct, the two accounts are not linked
ooooh
Hey how come I cant upload new artifacts now? It just keeps getting stuck at 0%
Sorry this is in relation to the bloodhound db wipe post above
thats why my "forgot password" was not working thanks for the help!
make an account on htb and use the token there to verify
are you using the right collector?
the new sharphound collectors are for bloodhound CE and won't be accepted by bloodhound legacy
Ohh! So what collectors are?
try 2.0.0
okay! Also do you recommend I use CE instead of legacy? is it easier + better in any way?
no, I use CE more but a lot of stuff is missing there, unless you know how to write your own queries, stick with legacy for now
Okay sounds like sound advice! Thank you!
ON Module Login Brute forcing, Skill assessment - Website. 2nd flag:
Been running hydra forever. is rockyou.txt the wordlist to go for?
So Im using Legacy v4.3.1 and SharpHound Collector v2.0.0 and it still gives me this weird error. You think it has anything to do with wiping the DB? maybe I should reinstall neo4j?
there should be a message when you run the collector that tells you which version its compatible with, check if that lines up
Yup, says: 2023-11-03T01:17:24.4819880-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
try restarting both neo4j and bloodhound
did that, also reinstalled neo4j. Same issue. Thats weird tho
try rusthound maybe? though I've never had a problem with it ingesting data from sharphound
okay lemme try that. Is it possible to use the bloodhound-python collector with proxychains? Thats worked the best for me always
Hey just tried rusthound and end up with the same issue, any tips?
If the collector is a higher version, you won’t be able to ingest the data into bh
A higher version meaning? Ive used both SharpHound 2.0.1 and 2.0.0?
Also Just tried Bloodhound CE and It has no problem injecting the data
2.0.0 should be compatible, but try an even older version
if not then there's something wrong with your bloodhound installation
okay, for now im just gonna run with bloodhound CE. Learn some custom queries
Hello for this exercise there isn't a browser?
type firefox in the terminal
yo
Can i ask a question about vmware and stuff
i get its not the right place but im stuckk and i think im close to figuring it out
just ask
aight
ive been trying to setup vmware and parrot the last 4 hours
that didnt work at all
so im trying to setup kali now
problem is its a torrent not an iso
and i dont know what to do about that
im 100% new to this
this one was quite good to practice pivoting for me. But there will be a dedicated module anyways
and just trying to setup a vm because im low on money and cant afford to pay for hbox rn
did you download the torrent?
mhm
im using vmware fusion on mac btw
im wondering if its just impossible at this point
some dude on another discord tried to help for 30 mins but nothing
if you downloaded the vmware prebuilt vm, you'll get vmdk files, which are virtual disks, the OS is already installed for you, there should be an option in vmware to scan for VMs, try that
mind if i dm you?
i understand if not i just wanna get this over with so i can start learning linux basics again tomorrow
sure go ahead
And here again I sit. With the Password Attacks module wasting my time. 
While you wait for the password to be cracked, you can read another section or drink coffee, or even better, do both
please does anyone have any good tips for enumerating php version that a site runs on I'm on File Inclusions module so I'm trying to read the .ini config
keep getting undefined variable error
You could use the file inclusion to try and read the php.ini, but sounds like you gotta fly blind for now. I haven't done the module yet, but have done a couple file inclusions with php on boxes. You can DM me if you want. 🙂
that's what I'm trying to do and gives errors
I don't know if it's the right PHP version or not that I'm specifying directory of
Then you should probably enumerate it. Here's two official lists of versions: https://www.php.net/eol.php and newer: https://www.php.net/supported-versions.php
The list isn't very long. Either try them manually or write a script that automates it for you. 🙂
The module probably tells you where to look. From the top of my head I think it should be something like /etc/php/<version>/<service>/php.ini Where <version> is something like 7.0, 7.4, .... (see version list) and <service> is something like apache2, cgi, fpm or some such. Depends on the configuration of the server.
(as you can see, I'm not good at using the reply-feature, sorry 😄 )
so I can use burp intruder to run through a list of numbers ?
Im having trouble getting vimtutor working
Honestly, I don't use burp much, so can't really tell you. Personally, I'd write a quick python script with the requests package. But there probably is some burp module you could use.
unlike you I'm no programmer lol
But again, might not even be worth automating. You probably know the webserver. If it's apache, try apache2 for version, if its nginx try fpm. And for versions, you will likely succeed with a version between 7.0 and 8.0. Thats only 6 versions in total. So trying manually is likely quicker than automating it. 🙂
thanks man
You're welcome. 🙂
*apache2 and fpm goes in <service> of course, not version. Had that wrong in my last message.
I keep getting errors on using mimikatz. ERROR kuhl_m_sekurlsa_acquireLSA ; Memory opening. googled it but cannot find a solution. any ideas how to solve it?
Section and Module please
AD Enumeration & Attacks - Skills Assessment Part I
I managed to get a lsass dump through the web application, cannot open it now though.
do you have privileges to dump lsass process?
apparently, I dumped it through rundll32
You should do that in an elevated session, only then it will work
and for this assessment you dont need to dump lsass process
ah wait im wrong, about this
which user do you have access to?
yes and no, get a shell first and then follow the questions asked in the assessment
kk will try other routes 😄 thx
dedserver
working on the Intro to Assembly Language skill assessment not sure how to input as the answer. I guessed I was supposed to insert the shell code in as a hex string. however, it does not fit in the length available. The code looks to push 14 things on stack that is 224 character of 'data' if you convert it to a hex string. the input box given to answer the question does not allow a string that long... I tried to just jam in whatever fit after a xor'd it and it hated my answer. What type of data am I supposed to be putting in the box?
its a flag like HTB{...}, when you decode the shellcode you have to execute it
Hello,I have a question
The file upload modules says MIME type is Magic bytes
but according the wiki , I think MIME type is equal content type not Magic bytes.
How to get clear usernames list from crackmapexec output?
use --users to get a clean output, save the output to a file, then
cat users.txt | python -c "import sys, re; [print(username) for username in re.findall(r'\\\\([\\w.]+)\\s+', sys.stdin.read())]"
Insane! Thank you)
Hello guys someone can help me out with the module NTLM Relay attacks?
Hi ! Anyone know how to modify that payload to receive /flax.txt ? I was trying few different ways and its not working 😄
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>
Little stuck on the file upload attacks module i have sent the request back with repeater and had no errors so the file should be uploaded i get a http ok message. But when i try to visit the file it says not found and im sure im in the correct directory because i checked the source code and forums
Thats the wrong payload
Theres two in the section for xxe use the other one
This is for the skill assesment btw
Sure
Hi guys How are you Hope you are doing well. I finished my ejpt certification and i'm confused what is the next step, I have fairly good knowledge of the basics (networking, os, etc..) except scripting I have only the ability to read code, I can't write, So what do you think guys do i have to improve my self be OS and scripting and stick to the basics, or I can jump toward PNPT.
I have sent you PM
ffs bro im so stupid hahah, ty for the help 😄
Just try it. You'll notice for yourself if you're still missing something.
Take courage, you have nothing to lose
Guys, is anyone else having trouble connecting to the windows attack host in the "AD enumeration and attack" module (section: ACL Enumeration)? When I use xfreerdp it just gives me a black screen. Ive reset the target and the terminal 3 times but I just cant get it to work...
Press any button, after login
Hello everyone,
Since yesterday I'm stuck on the module 'ACTIVE DIRECTORY ENUMERATION & ATTACKS' and more precisely on "DCSync" and "Privileged Access".
In the instructions it says:
"""
In this section, we will move back and forth between a Windows and Linux attack host as we work through the various examples. You can spawn the hosts for this section at the end of this section and RDP into the MS01 Windows attack host. For the portion of this section that requires interaction from a Linux host (mssqlclient.py and evil-winrm) you can open a PowerShell console on MS01 and SSH to 172.16.5.225 with the credentials htb-student:HTB_@cademy_stdnt!. We recommend that you try all methods shown in this section (i.e., Enter-PSSession and PowerUpSQL from the Windows attack host and evil-winrm and mssqlclient.py from the Linux attack host).
"""
However, when I try to connect via my Windows machine "MS01", the credentials indicated don't work.
Is there anything I haven't understood?
The credentials htb-student:HTB_@cademy_stdnt don't work when I run htb-student@172.16.5.225 on the RDP machine (Windows).
So I can't finish the module questions
what exactly is the issue? a black screen?
htb-student@172.16.5.225: Permission denied (publickey,password).
Yes, it asks for a password "HTB_@cademy_stdnt"
there's a ! at the end of the password
you're sure it's pasting correctly?
We agree that I simply need to connect via RDP to my Windows machine and from this machine I'm supposed to connect via SSH to the IP: 172.16.5.225 (which should be a Linux?).
ssh htb-student@172.16.5.225 password HTB_@cademy_stdnt!
screenshots would be helpful, you should verify your account so you can post them, read and follow #welcome
It's just a simple ssh connection 🙂 but it doesn't work 😦
if you paste the password in the terminal, does it paste correctly?
cause this really seems like a wrong password error
yes, several times. I've been stuck since yesterday evening and I've repeated the operation several times.
I'll have to do some pivoting ? 😦
my notes are very bare on how I solved this section, I did do pivoting though
hi im new at hack the box. I already sign me in and downloaded the starting point data for Open VPN but don't know what to do now. Can anybody help?
Guys someone did the Module NTLM Relay Attacks?
I'm a bit stuck in the Skill Assessment
Can i get any help with the web attack skill assessment?
What section is this?
These modules are htb academy not hack the box
hey guys, i have some questions about the Silver Annual for hack the box academy, with who can i talk to, to get some responses ?
Must be because i just launched the machine again and ran into no errors
Never mind me. I made a big dummy move and forgot that sending data is different per request type
Ive been doing linux course on htb but ive been stuck now for a while trying to get vimtutor running. The error i get is: Error detected while processing command line:
E484: Cannot open file /usr/share/nvim/runtime/tutor/tutor.vim
(whoops)
Ping the rule break role not just an admin numbnuts
why are you being rude
Because dude is asking about doing something highly illegal, after admitting he grabbed their IP
rude to dvsii
Oh that's just because he should know better lol
It's literally in the rules

Unless he was just in here cleaning some other mess up
They're right, it was my mistake. A skosh passive-aggro, but easily fixed. I know Marcie means well; we cross paths enough along the channels
can anyone help me with this issue?
We're good!
Did you try googling the issue first considering this isn't the first time you posted it?
well what do u think
like ofc i have
ive read multiple forums
Vim help pages, always up-to-date
You'd be surprised how many people don't
looks like you're using nvim, it should be at /usr/share/nvim/runtime/tutor/tutor.tutor but imo there are better ways of learning vim than that, like watching a video on it or something
i am using nvim
i tried following a tutorial from scratch installing and running vimtutor but for some reason it still doesnt work ill try again later
I meant watching tutorials on using vim, does the same thing as using vim tutor
Run :Tutor from within nvim
tried it but i get a different error
And that is?
let me check
please help on file inclusions Log poisoning section question 1 i have shell but when I use pwd command it doesn't print out any output I have found flag which is question 2 but i can't answer question 1 which is pwd command
okay i think its case sensitive
that can be the only thing
as its working now and hasnt been all week
but im sure ive tried both
Most linux things are case sensitive...
why u soo mad all time :((
im new i know i do stupid stuff sometime but im pretty sure i had tried both
I'm not mad lol just low expectations
.
What does your shell command look like, are you doing ?cmd=
&cmd=pwd in burp repeater
And your shell is set up to take commands?
let me rephrase there's page output of all the logs but there doesn't seem to be pwd command output
yes ive answered question 2
Interesting
probably is lost in all the log junk
resend the payload of the header
and try again and you will see it much probably
Hello guys, in the Silver Annual, they say "Exam voucher switching (applies to unused exam vouchers)" what does that mean exactly?
And other question is the "Lab exercise guidance via Discord" what does it look like, is it like a coach, explains the exercise, gives you hints ? i would like to know, if anybody here has any reviews let me know !
or send the header with some specific string like your name or something and then grep for that in the output
It means you can switch the voucher it gives you for either one of the other exams.
And discord guidance is a staff member helping you after you fail the question multiple times
So, 1 voucher and i need to choose which exam im going to do ?
Yep but you can swap that voucher out any time, provided you don't use it
Currently CBBH,CPTS,CDSA are the only certs on the platform
I already did 60% of the CPTS and sometimes i dont even fail the question because i dont know what to do , in these cases can i call for help anyways ?
It's not really a call, it's a chat
You only get the option for guidance after failing the question multiple times
yh i know, just an expression
And if, hypothetically speaking, I don't know what to do and I make a mistake 3 times with a random answer, and then I explain what I've already done and what my line of reasoning was, is that ok?
ok, but you already help so thanks
tried it 3 times the line's just kinda empty whats there is "<IP> - - [03/Nov/2023:19:42:40 +0000] "GET / HTTP/1.1" 200 3001 "-" "-""
If it matters at all, I will say that accompanying training material generally doesn't make the labs prohibitively challenging. For those areas you might find friction in, you can always return back to this channel to ask specific questions for aid, regardless of whether you have a subscription.
The community is pretty supportive of folks who are earnest and humble.
you ping?
no problem. i was afk
The matter appears to have been resolved
Hi sir. Did you translate the ipv6 to the ipv4 back to ipv6 to work on the tcp stack
.
Thank you 
And the support is given to all htb academy modules yh ?
And does they have this help in the htb app ?
As far as I know
^
this chat >> guidance of annual
What is the answer of the module "Introduction To The Elastic Stack" question 2? What is the hit number?
Why don't you try to find out for yourself?
I have been trying for a long time
anyone done the crest preparation on HTB and does it fully cover everything for the security analyst test by crest?
ive heard different things
What exactly have you tried? Read through the module again.
Ok, if you know the question I am asking, I don't understand it said "execute the KQL query that is mentioned in the "Wildcards and Regular Expressions" part of this section". which KQL query it mentioned? I tried the user name, with *, with 5601, with 0xC00000072, etc.. none of these answer is right
to me, the question is not that clear, if you know the answer, please help me
The query is explained in the module. How many hits do you get when you execute this query?
908
??
No, i think this is not correct
do you know which query I should put
The one mentioned in the module
Just a heads up the response times are wildly varied. Sometime someone will get back to me in 5 mins, however sometimes like today its been over 4 hours since I made a request so....
ls -h
Module: Attacking Common Applications
Section: ColdFusion - Enumeration and Discovery
Question: I can't use my browser to navigate to IP:5500 as detailed in the module. I see the note in the module that says the VM may take up to 90s to load, but it's been way longer than 90s and I still get a timeout message whenever I try to access the target. I can ping the target just fine.
Any guidance?
cd sudoers
Changed to root…still getting the same result
Not sure why I am getting this error. I tried the solution chat gpt suggested when I posted my problem , but I cant alter the ssh2john tool apparently.
"Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer"
So sick of these bs unsolvable sections…
use python2 or find the problem on Google and use the first solution
git gud
Lol this one is literally unsolvable though…can’t get to <IP>:5500 to save my life
do you have a shell on the machine?
Can i talk to someone about the broken authentication skills assesment. I will let you kniw how far i am in a dm
go ahead
Nope. Didn’t even know I needed one…tried the first exploit I found in MSFconsole out of curiosity but no dice
I can't change the code . and apparently python2 is no longer in use.
you cant change the code?
how is that
in pwnbox there is python2
python2 ssh2john id_rsa
also in pwnbox you can edit the code
then there is apt
i remember using python2 on pwnbox
install it or edit ssh2john
or use your own VM
so many solutions for a fairly simple problem
I can't edit ssh2john and I don't want to download a VM
you can
Just install python2
you have sudo rights on pwnbox
and you can install stuff
and you should install your own VM
sed 's/decodestring/decodebytes/' /usr/share/john/ssh2john.py | python - id_rsa
with that oneliner you only need read permission
Oh okay
Oh okay you are right. I should have added sudo at the beginning. But I got python2 installed so I will use that
It's just better to use python2 tbh because needing to change every 2john to py3 would be a pain
Managed to get a shell…5500 isn’t even listening on this machine…wtf HTB Academy 😂😂😂
I tried typing locate 'john' to find the john keyword I need in the following quote: "john --wordlist=rockyou.txt ssh.hash" . ? and I also tried to go directly to the directory to look for it. No luck
Hi everyone, I'm confused with something in the binary exploitation module. I'm writing my own shellcode but it doesn't work.
this is my code :
global _start
section .text
_start:
mov al, 59 ; execve syscall number
push 0
mov rdi,'cat'
push rdi
mov rdi, rsp ; the pointer to the command cat
push 0
mov rsi, 'file.txt'
push rsi
mov rsi,rsp ; the pointer to the filename file.txt
mov rdx,0
syscall
mov rax, 60
mov rdi, 0
syscall
yea… reset it until you get that listening
what error are you getting now
Thanks bruv, working it now
any time
I tried ssh2john.py ... that didn't want. Then I tried locating the john they used in the example module and I am having a hard time finding that 'john'
ssh2john parses the private key and extract from there a hash
once you have it
run john
john is not a python ASCII file
its a PE executable
iirc it’s written in C
nevermind. I think I found it. in the bin folder I believe
you can run it from anywhere
the route in the path
john --wordlist=path/to/wordlist hash
I tried using just john and it said no command found
oh I forgot word list
is the rockyou.txt okay. It didn't seem to find anything
Yep, it’s official….this is an L on HTB Academy
I tried mutated list, rockyou list , adding the flags list...nothing seems to be working for me
Yeah this sucks. I shouldn't have to jump through all these hoops just to find out why 'john' isn't working at this level of the lab
when its not in the module
It'll be in mutated list
And John is talked about in the module
Literally the section you linked talks about it
Worst part about it is I was able to find the answer to the next section while I had a shell in the current machine 😂😂😂 even looked up possible protocols that could be running on 5500….and still no dice.
Apparently others had the same issue and it doesn’t seem to be resolved…
I see john in the module ...but it doesn't say what to do when john isn't working as expected
python2 [filetype]2john > [filetype].hash
john --wordlist=/path/to/list [filename].hash
Anyone have any tips on how to make copy and pasting in tmux easier?
I've added the mouse option but when i hold shift and move the mouse up to select more, it stops at the top of the pane and won't go any higher