#modules

Thank you!! somehow there were 5 openvpns running. I killed them, it's worth noting that when I start openvpn again with sudo openvpn academy-regular.ovpn and then ps aux | grep openvpn it shows two processes. I imagine this is standard for sudo and not an issue but I am not sure.

My scans now receive all filtered (no response), except 166 filtered (host-unreach), which is a positive, at least recieving packets now. Is this now in the scope of the module and me just needing to mess with scan types or am I still having a network issue?

The number of processes looks good. But, it looks like there is still an issue. Did you try changing your vpn from/to udp/tcp?

I tried that last night but I will try again now

Make sure you are downloading new vpn files and removing old ones.

Well that was a far quicker task once I didnt try to rush through things and just enumerate it first.... for future reference is there a general rule for which ports are quickest for brute forcing?

So the default filepath for the vpn file download in my VM looks VERY similar to filepath I actually run openvpn from in a shared drive... I had been deleting and replacing a vpn I wasn't even using, and only realised now when I rm'd it and saw it still in the file browser whilst downloading a new one. I feel like SUCH an idiot... thanks so much for your help, so many hours wasted. it's all working now

Sweet! Happy that I could help.

anything that's not ssh :)

I need help!

https://tenor.com/view/do-you-have-any-idea-how-little-that-narrows-it-down-that-narrows-it-down-clear-now-its-clear-now-i-understand-now-gif-21256627

Lool, my account is saying it needs compliance verification

ok and?

I'm not sure what that means I was just trying to sign up

is it a student account?

Regular

i.e. student email

nope, used my gmail

then check your email

or message support

on the website

us random assholes in the discord can't really help you

You ever finish the assessment? I could use a nudge in the right direction if you have

Contact customer support vis green chat portal

Thank you guys!!

Hi everyone !
I really need help with tcpdump!
We can see according to module command "sudo tcpdump -i eth0 dest net 172.16.146.0/24" should capture everything related that network
I tried to test it
My network (after ip addr command) IP is 192.168.0.107/24
however when I tried to use command "sudo tcpdump -i wlan1 dest net 192.168.0.107/24" I got this error
tcpdump: can't parse filter expression: syntax error

I searched a lot from google I found this command:
"sudo tcpdump -i wlan1 src net 192.168.0.0/24"

and that command captured everything I tested it, but why?

My ip is 192.168.0.107/24 however tcpdump capturing if i set it 192.168.0.0./24?

dest net command which is showed in that module is not working instead src net command worked

TY for the Australian pwnbox. 10/10 improvement.

on the resued passwords machine as sam

cant seem to externally crack mysql with hydra or get through with the top mysql passwords

nvm, solved it

Heli

My hachke ar pels solob my cons4n anad ils

Looks like you're on the right track, just checking my notes I dont see anything that stands out as wrong from your options... I used a different LPORT but I can't recall if I did that for some specific reason or just because I wanted to try a different port..

is there a section for questions for sherlocks?

thats what i got done trying. Everything Ive found points to this but I cannot get it connect. it'll successfully login, say uploading shell, and then crash. I've tried every relevant payload in the list! lol

thats my last question, on the whole dang section. smh

You're not wrong about the exploit you were using, although I'm sure there might be multiple attack vectors but that .rb file is definitely what the question was pointing too. I'm not an expert but the options looked like the ones I used so I'm not too sure why it's not working. Maybe something to do with the moving of the .rb file into your metasploit module directory? Maybe try deleting it, and moving it into your metasploit directory again. I'm just spitballing here though

thanks, that made the 4th time i tried that. I'll see another post of another way to do it, and then try it. To no avail.

Sorry I couldn't be of more help bro, that question took me way too long too because I overlooked the vhost name for like 3 hours before I realized what I was doing lol

Thanks. it's something super simple i'm sure. I'll get it eventually thanks for the input.

Im curious though if you ever figure out what exactly the problem was with using that exploit, it should work. What was that error again? some sort of json error right?

Unexpected json response. looking at the exploit down at the bottom is where it does this. I'm thinking its something to do with the exchange of the CSRF token. maybe?

That's my initial thought as well. which is a bit outside my already limited knoweldge field lol.. you using the pwnbox or connecting through VPN?

VPN

i think i'm about to give the pawnbox a shot.

I don't ever use it, do u?

yeah honestly sometimes I have to try switching from UDP to TCP on the VPN to make something work its pretty frustrating.

Only very rarely, the pwnbox annoys me the latency can be a bit much sometimes and just adds more frustration to situations where you might already be pulling your hair out trying to figure something out

I'm guessing you've already tried resetting the target?

maybe the rdp'ing into a vhost through a vpn might be having a hard time.

lol

yep

Maybe but I cant imagine how annoying thats gonna be on the pwnbox lol

right, thats same reason I dont mess with it.

well I'm stumped, give the pwnbox a go see if that helps. Based on the ruby script it looks like the script is expecting some sort of json content from the HTTP response and if its missing that or missing the key path it fails with that error. I have no idea how to remedy that issue though

thats whts up. thanks. when i figure it out ill let u know

It'll be frustrating if it works on pwnbox, cause now I really want to know why its not working for you lol

#sherlocks read #welcome on how to access more of the server

If you have completed the Malware Analysis module I could use some hints on the 4th question of the skills assessment section. That is all I have left to complete the module.

Never

Mind I solved it

I try to settle my ZAP for 1 hours and i failed. Can you, if you have time, send me like a video which show how to settle a ZAP.

hey guys, I have a Q regards a LD_PRELOAD Privilege Escalation

when I did it from the ||/home/htb-student ||it gave me|| mrb3n user||, but when I did it from the ||/tmp ||it gave me ||root ||
meaning the only difference is the location of the root.so

didn't managed to understand Y, someone knows??

yes, I have finished. you need to look for the redirect get csrf

<@&861185840277487616>

Could someone help for IntroductionTo windows COMMAND line: I am at Skill assement question 4 and I hard stuck and clueless what to do: I can screenshot for more context but only can send in dm since i am trash at hacking

I am unable to acces it: (acces dined)

@wild iron Haven't done the module, so I might be wrong.
Access denied might be intentional. Read the question carefully and try targeting a particular directory.

Ik it ask for desktop but i still get the same acces dined

arf

unsure if thats even progress

can you navigate to the Desktop directory or is that access denied too?

I don't think * wildcard does recursion in this case

Give Desktop directory fullpath and try?

I have question related to Firewall Evasion hard lab. As I could able to solve the lab using HTB in browser vm, but when I was trying to solve it using my VM my netcat couldn't accept --source-port option ....I try to update the version of netcat available in my VM but still it not working ,,, does any one know any solution about it.

what was your command?

Use Nmap Ncat instead of gnu/netcat: https://nmap.org/ncat/

👍

?

Changing the path of the library does not make any difference in obtaining a root shell.

no spoilers please

it asks you for the byte that was missing

but it did...

can you share a screenshot

Oh thanks @autumn pilot , apologies for the spoiler, i sincerely thought that the content order was wrong even tho it was triggering. It would be best if the question was stated more clearly

i'm going to drop a suggestion on erratum, but awesome module so far. learned tons. Thanks again

yea

its diened

not sure how to send pics here...

send U in DM?

It is very easy 😉
Read and follow #welcome

I am having trouble with the Pillaging Windows Priv Esc. I am having trouble with the 4 question can't figure out the credentials for the jeff. I restore the Jeff's Documents via restic but I only see his email and M. So I can not login and finish the 4 question. Can somebody point me to the right direction. Please

didn't get it 😅

You have to verify your user, then you can upload pictures

You restored a Wrong Folder

I also restored the windows one, but it is empty

It wont be empty then again if its empty its a wrong folder or you are doing something wrong

Not in the section it is being backuped and because of an error Access denied it is empty

I am restoriring snapshots in restic2 or?

try just restic

I need a pass for restic like the 4 questions says

no, you will get it when you restore a correct snapshot from ||E:\restic||

I can't restore it E:\restic it is asking me for the pass

I can't even see the snapshots without the pass for E:/restic

the way of asking this whole question is wrong

i thought you were doing the last question when you said restoring

so, which user access do you have now?

Last question is easy with the SAM files

Grace

refer to the slack part of the section

Invoke-Sharp Chromium section or earlier

firefox part

i mean start from here
Abusing Cookies to Get Access to IM Clients

I went through that and got the flag for the third question

did you happen to read whats underneath the flag

Well clearly no

I need to go through it again

has anyone completed [Shells & Payloads] [Live engagement] host 3 exploitation using the server upload capabilities? am i wrong or aspx reverse shell mechanism only grants inetsrv privileges

you dont need restart at the end.
and i dont understand why you are getting a different user shell
strange!

Why do you need aspx shell for host 3?

i don't. i already solved it using msfconsole but i was trying to do it the manual way

Can you explain how are you doing it in manual way?

Guess I am pretty blind. Finished the whole thing thanks for help

on the web server there's a page called 'upload.aspx' where you can upload stuff and it'll be placed in the /upload folder. I simply uploaded antek reverse shell and got a powershell-like prompt but i couldn't navigate the fs because privileges were too low

👍

right, but that is host 1 not host 3 and for the task you dont need high privileges but if you want to further exploit ill suggest tomcat path, there maybe high chances of getting SYSTEM privs with that one. To finish the task just the folder name inside the C:\Shares is enough

yep didn't get it also...

did some manage to do the "Library Path" in "Linux Privilege Escalation" ==>> "Python Library Hijacking" ???

AD enumeration & attacks - skills assessment part 2 question 1. Someone is available to help me?

do anybody understand how to use the /bin/ncdu ?

read the documentation

@umbral fulcrum write it same the but change it /bin/ncdu cd /root

Hello, about the Introduction to Assembly Language module.

I finished the last section but using a shellcode from msfvenom because I couldn't optimize my code enough to reach 50 bytes (I got stuck at 63) I removed all the null bytes but that was not not enough.

Can anyone give me advice in PM to successfully optimize the code given by the exercise?

You can send me what you have and I can compare it to what I did

I don't get it
the /bin/ncdu is insted of id right?

@umbral fulcrum yes

so how come I'm not getting a root?

Let me see

AD enumeration & attacks - skills assessment part 2 question 1. How do i get hash? Responder gives nothing

ahhh BS I needed the|| "b"||....

thanx

@umbral fulcrum no worries

im a little confused on the advance file disclosure section for the web attacks module my xxe payload is working because i can read /etc/hosts however i try to read /flag.php and it says not found so i assume its not the right directory question is how do i find the right directory im going to check source code in a second that idea popped into my head typing this lol

still working on this?

Yes

can I ask for help in here?

are you getting any message like skipping if yes look at the log folder for the hash

||https://academy.hackthebox.com/module/77/section/847. I am stuck on this problem where I have to use netcat to grab the target's banner. But it always times out, am I doing something wrong?||

No, should I hack one of the machine and run responder from there?

wait, where are you running it now?

From the attack machine (parrot)

not the regular attack box right, it should be run on the attackbox that is part of the internal network

Yes, run from there

then it will work make sure you are setting the right interface

responder -I ens224 -A and tried also the other interface and nothing

Yup, wait for sometime or restart the lab

Thanks a lot, just wasted few hours 😄

hello there, some one can help me understand the RDP and SOCKS Tunneling with SocksOverRDP assetsment in the Pivoting module, for what i understand to use SocksOverRDP how is show in the module you need 2 windows machines, 1 for the dll and this will be the machine where we will send the rdp request to the rest and a second machine to run the SocksOverRDP-Server.exe and this machine should have access to the final target network, the question only gives me the ip for the first machine and now im using ping sweep and other techniques to find the second one, at this point i found a couple windows machines that are visible but when i try to rdp with the provided credentials it fails, i just want to know if im on the rigth track or just getting out of the scope of this exercise.

Follow the section exactly

You go a->b->c

3 sets of creds, initial-middle-final

the question only provides 2 so i imagine the extra one you mention is the one in the module explanation

Yep it's in the section

thanks, i was about to start credential dumping on windows

I mean you probably could do that via ntds.dit

got it, thanks i will take a look to simulate the full situation 👍

Does anyone know how to do this? ---> Configure SELinux to prevent a user from accessing a specific file.

From the Linux fundamentals module -----> Network configuration

Probably explained in the section

They tell you about what seLinux is, but I didn't see any explanations of those exercises, they are alternatives to do

Optional exercises?

Yes

Put it in the section

You're better off Googling

I was just wondering if anyone had done it, since I've tried several things but they didn't work.

Optional exercises are not gonna be entirely intuitive and can often lead to more headache for something you're likely not gonna need

The truth is that it is complicated and long, since they ask you to configure several things with seLinux and AppArmor.

Module: Active Directory Section:Attacking Domain Trusts - Child -> Parent Trusts - from Linux -----> still stuck on the question how to get bross ntlm hash... Anyone can push me in the right direction

should be setting an ACL, you can look that up

I tend to skip the optional stuff

Someone's probably done it

I did some optional stuff but some of them just seemed too tedious to me

I like the optional stuff thats like "get into this extra lab machine" or "dont use provided creds and get a shell a different way"

To get bross hash do i have to get a windows system shell or can i do it all from linux box --- confused

Tried dumping ntlm hashes with mimkatz but with no success --> cant acess lsa process

Maybe any hint wich tool to use?

all the tools you need are explained in the section, since the section is about performing the attack from linux, that's what you should do

actuall dont think so that all tools explained in this section - got system shell but now what

I mean youve said mimikatz but what else have you tried

theres like a half dozen tools you can use

don't approach exercises with the copy-paste mentality

build your thought process while going through them

or if you do at least be thorough about it lol

tools from impacket you mean?

If you havnt tried them thatd be a good place to start

Im a big fan of impacket and theyre usually my first go to when appropriate

Having some sort of problem with the Protected Archives section of the Password Attacks module. So I used || zip2john Notes.zip > zip.hash and john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash, but john just doesn't do anything, it just tells me "session complete"||

stuck on Web enumeration question on the path to pentester path the hint says everything is on the module, ||however, after reaching the admin login page, the module shows that the password is in the source file of the page, but it's not on the target provided page|| im missing something? should i go back on modules for possible solutions?

im dumb

whats the exact output. Could be the hash is already in the pot file.

My laptop died, but I'm getting the exact error in this pic

Your password wasnt in the list

I used rockyou, unlike the pic

Did it really go that fast through rockyou?

Because it happened almost instantly

zip hashes arent very strong

usually

and rockyou is actually a pretty small wordlist when it comes to offline cracking

I guess I'll try the mutated password list I made from the provided password list

Thank you!

generally for the module you should be using in the following order: discovered password lists on the host -> mutated list -> rockyou

idr if that section had a pass list on the host somewhere but some sections do so make sure you didnt skip out on enuming the system too

That makes sense

Thanks a bunch!

np gl

Hey guys I'm stuck on "Linux Local Privilege Escalation - Skills Assessment"
flag5, I can't make an interactive shell || stty raw -echo;fg || it keep getting stuck...

someone have any tips please

NM solved...

I've downloaded the Hack the Box Parrot linux image from Parrot website but it doesn't contain some of the tools/files that are supposedly in the Pwnboxes... for example the ffuf tool is supposedly installed (according to the instructions here https://academy.hackthebox.com/module/54/section/485 ) but in the linux image downloaded from Parrot it isnt. same for the SecList repo, it doesnt exists in /opt/useful ... (that folder doesnt exists actually).
I was under the impression that the htb image from parrot contains everything like the Pwnbox.

Anyway just something I thought to point out, maybe it wasnt the intention (that the Parrot htb image is the same as the Pwnbox) ?

Good day, Are there any good HTB modules on AV evasion?

Terimakasih

is there anyone here who can help?

@next bronze can i dm?

hi!! Can anyone access the machine for 'Windows Server' from the Windows PrivEsc Module? Cant connect to the machine...

Because they aren't 1:1 maintained my guy, it's more of a htb edition

There are currently no modules for this

Theres been rumors of one coming, but nothing yet

i really recommend to update the citrix breakout module

it is the worse for me yet

I am having trouble with the Attacking email services section and I am having trouble determining the password. I got the usernname , but not the password.

"https://academy.hackthebox.com/module/116/section/1173"

"Access the email account using the user credentials that you discovered and submit the flag in the email as your answer. "

I am trying to use the evolution tool now (since hydra and the other tools suggested in the module didn't work) and I am not sure how to use the evolution tool to brute force the password.

I google 'evolution brute force password' and couldn't find anything.

You don't need a gui client

That's all evolution is

You can connect via any of the methods mentioned in the section

https://i.imgur.com/b0s4gAP.png

i ma in citrix breakout module

why this is doesnt work?

https://i.imgur.com/98LhO3r.png tried with own msfvenom payload too

well for setup.msi at least you need to reference the path

.\

Not sure why your powerup doesnt find that command, could be a no good version of Powerup

the setup.msi i typod

buit when i access it from paint

https://i.imgur.com/BPeVB61.png

the PowerUp is from the attack box

so idk

what should i do know?

Every method? When I tried the 365 method .. it said I was using the wrong domain ...which was 'inlanefreight.htb'

@thorn urchini sent a dm

I havnt done the section, added after I finished the course.

I can only speculate based on what I saw you post

i am starting to feel like an idiot

first the attack box had a changed keyboard didnt had "_" for example

did not expect copy paste

than smb fucked up

than this

i cant continue without PowerUp

Don't do the 365 method, there's telnet and openssl

If that's what you're referring to when connecting

All that section is having you do is literally authenticate using known credentials

So trying hydra to find the password is unnecessary? I thought you needed the password for telnet

I believe the section gives it to you? What module is it?

Or you should have it from a previous section

Yeah it says "user credentials you found" so should already have it

I found the username but not the password. I tried using the hydra tool with all three email services but it returned no password. https://academy.hackthebox.com/module/116/section/1173

I'm currently on the on the MSSQL learning and the command sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 (IP) is currently giving me an ERROR that the script execution failed for all of the ms-sql-*, am I missing something obvious any hints would help!

Take out the @inlanefreight in your hydra command

If it fails it means that it's not able to use blank logins

ohh ok

that makes sense then, I thought we were supposed to use the basic creds that was inthe commadn thank you!

I have subscriptions in lab platform can I join with this VIP+ subscriotion to htb academey or they are different?

They are different

You can probably search in:modules VIP+ and you can find a bunch of people ask the same thing

can't login wiht david creds in smb

Passwords attacks lab hard

Are you sure you're copying the password correctly?

aha

That was it, wasn't it

nah

still getting error

either passoword cracked is wrong

Hello. I am having problems with the Footprinting NFS module. I am following the instructions and I try and mount my target-NFS folder, but I get the following error 'bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.'. Where do I find the helper program ?

On googling this, I think I need the nfs-utils package (or equivalent). What command do I need to run on parrot to get this ? Apologies for asking such a basic question, but I am a little bit new to this

Is there a more reasonable way to do the "Attacking Common Services" FTP module?

I'm using the command: medusa -U users.list -P pws.list -h <ip> -M ftp -n 2121 -t 128

It's taking a long time and I'm using the resources from the module.

Also, it seems like medusa ran the first username with every possible password in serial, and then after that was complete is running every username with each password in parallel. Is that normal behavior? I hope the serial/parallel analogy makes sense.

hydra? Anyway should not make any difference it took me 5 minutes to find the right username and password

Currently doing Module: Web Attacks , Section : Mass IDOR Enumeration.
are you suppose to follow a long with the manual fuzzing of the exercice? Cause when I go to target the uid is not shown (at all) as in in the material

it doesn't show either in burp when i capture the traffic either..

read the HTML source code and make sure the inspect every function, then once you have an interesting endpoint go from there. For me didn't matter if I had to follow the module or not, once I understood what it teaches then you got to use your brain this was my approach for every module I did

How is digital forensics a proactive tool? Isn't it a reactive measure? Module: Introduction to digital forensics

I guess by using digital forensics on your own incidents (but also incidents of other companies) you can define new rules for your SOC to detect the same kind of threat actors in the future proactively?

you are not only figuring out what happened but also define how it can be detected faster in the future

Anyone complete module footprinting

#modules

I am moving on to the 3 assessment labs today

Hi, on Documentation & Reporting > How to Write Up a Finding > **Optional Exercices : I am trying to write to gather additional evidence for findings but I cannot find any host up within the scope network.
Is this normal ?

Hey @obtuse quest , I am having same issue here. Were you able to find a solution to this?

Too many threads you get false negatives

https://academy.hackthebox.com/module/112/section/2117
Footprinting - Oracle TNS

I have logged into the db and I am unable to find a hash for DBSNMP

Can someone please assist. I have been at it since last night.

sys.user$ does not exist

Nevermind, for anyone in the future make sure you logged in as sysdba

https://academy.hackthebox.com/achievement/badge/83dff39d-8565-11ee-b5a6-bea50ffe6cb4

https://academy.hackthebox.com/module/54/section/511
In question
One of the pages you will identify should say 'You don't have access!'. What is the full page URL?

I literally open the page in a webbrowser and i see You don't have access!. I copy the address, paste it in the textbox and I get Incorrect Answer... whats the trick (bug)? (the hint doesn't help it suggests doing what i did)

Hi, not sure I'm in the right place to ask this questions, but I have interest to learn a wireless/network testing/cracking, need your recommendations what module should I start first?

I think there's a Wireshark module

There's not too many wireless courses in htb

As these are focused on in-network/physical

Yeah, it's intro to traffic analysis. It's really good

Thank you ! will have a look on it. Appreciated it

"Try to access the emails on the IMAP server and submit the flag as the answer. (Format: HTB{...})"

|| I have gained access to the IMAP server however, the only inbox that I found that contained anything was DEV.DEPARTMENT.INT which contained the admin email, but no flag. Am I missing something||

Did you try getting the file list with [ls -l -a] in terminal to also show hidden files?

No, the module didn't talk about that really... If I'm connected to imaps, how would one go about doing that? Do I need to use ||p143 instead of 993?||

The different port? I'd have to check... maybe someone else here remembers. 🙂

Maybe it added a space after the url you pasted into the answer box... an error like that is easy to overlook.

no general in this server?

thanks for the reply.
but nope i checked no extra space...
this is the url i got, opening it in the browser it prints You dont have access....putting it in the textbox says it's incorrect...

what do i do wrong? (maybe there's another url that has this message? but then the question is written wrong i dont know what else could it be)

look at the hint

i did its the first thing i do before asking here
the url i got is wrong? i mean it does show the message in the question...if there are multiple pages with this message that i need to find then the question is written in a confusing manner

the url is correct, you did you replace the port?

yes the url i pasted here is exactly what i put in the answer
and its the url that i open in the browser to see the message

that's why it's wrong, like I said, look at the hint

ohhhhh ok lets see if use the word PORT instead of the number

yep, should remove the url now since it's the answer

how hard can it be to add a regex that will accept just any number after the : when it checks the answer

anyway thank you very much @next bronze

the hint confused me cause it shows an example with the word PORT and in the hint it tells you to "use" PORT and my brain took it for REPLACE PORT

🔥

That makes 14/15 🌚🔥

Use commands to fetch the file

Read #welcome

Haha yes... the old "insert your own info for any word written in CAPS"

14/15 towards to?

I'm assuming one thing and I'm really excited about my assumption lol.

That smells damn strong of a new path... 🔥🤩

if i get this right, with the monthly subscription we dont get access to the modules, just a monthly supply of cubes and unlimited pwnbox time, correct? we get access to the modules only with yearly subscription?

Heck yes

plus your two JavaScript modules (Secure Coding 101: JavaScript and Whitebox Pentesting 101: Command Injection) are then modules 16 and 17... 🔥🤩

21y4d has all of the paths 😄

yes, use the student plan if you can, and 2 months of platinum + exam voucher is generally better value than silver annual if you just want to do a single path

because it gives all the needed amount of cubes like silver annual does? but have to wait for 2 months? 😦

I got all the Whitebox Pentesting related modules early today. I'd be damned if a subscription model to minimize the pricing for Tier3+ is later introduced lmao.

yep, 2 months of platinum is enough to complete a path, and I mean, it's not likely you'll finish everything in a month

A kind of Gold Annual Subscription. I'm almost certain that something like that will come

That'd be really cool fr.

new path + advanced cert coming 👀

i am considering the academy paths/modules vs the htb vip subscription (machines)
i understand it's technically better to start with the academy as things are (probably?) arent thought as deeply in HTB but maybe they are?

https://tenor.com/view/both-agree-yes-good-gif-4591420

sounds logical, gold annual, eventually platinum annual

wonder how much that would cost 😳

if you don't have experience, best to start on academy

Would be Reasonable for sure

you can access a number of htb boxes for free while you get started on academy

15 x 400 = 6000 Cubes = 6x Platinum Sub a €58, roundabout € 350.— plus Exam Voucher

less than OSCP, that's for sure

Some of the Whitebox Pentesting modules are dependent on the Secure Coding 101 module tho.
So there might be a possible mix of Tier 3 and 4 modules to be thrown in the path

AD enumeration & attacks - skills assessment part 2 question 7. I have administrator access to sq01, run mimikatz, lazagne and the administrator hash what I get is not good to ms01. What I am missing? How should I get access to ms01?

What other hashes did you possibly get

If the two modules are also included in the path, there would be 17 modules.

sql user related hashes

Nah from your mimikatz/lazagne stuff

administrator, guest, defaultaccount, mssqlsvc

We will know exactly when the path has been published

I fear the year 2024 will not be boring

Seems like it won't be

The administrator hash is belong to local administrator

I fetched the only file there was, ||gave me and email, but not a flag||

Hi everyone,
I am working on the ''Introduction To C#'' module and have been stuck on a particular exercise for a few days now. It's the following one: ''Import the Library-Question library appropriate for your OS and dotNet version, using the HTBLibrary namespace. What is the output of the Flag.GetFlag() method from the library?''
I am working with Visual Studio on my system, so not using any VM. Just VS 2022 on my Windows PC. Reason I find this exercise hard is that I have no idea how to properly handle the .dll file that comes with the exercise. I have tried a bunch of things but none seem tow work. I believe I do know what it is that I have to do (roughly) but I lack the understanding/know-how to actually make any progress. I'd appreciate it a lot of anyone could help me out. Thanks in advance:)

You need to use the right fetch thing

1 fetch 1 body[] should work

I linked an article a while back about imap commands

Alright, lemme give that a try I used || 1 FETCH 1 BODY.PEEK[HEADER.FIELDS (FROM EXISTS)] || but maybe I used something wrong there

Don't do .peek

Also you're only grabbing the header not the full email

yeah that'll do it, user error, got that thanks
and probably stupid question, but the last question I have is finding FQDN... I assume I'm overlooking it, but I don't see it anywhere... any hints?

edit: machine restart fixed that problem

Omg finally, we’ll have what will beat the OSWE. I got goosebumps

Yeah right there

I like the way you keep tracks of modules and price 😂

The hardest web certification ever in the world

We should better get used to ctf and web challenges to start getting familiar reading source code to spot vulnerabilities

It will be 30 days exam 😂

Those who fail will go to jail

Well it made me more excited than my engagement 😂😄😂

Hi all, I am having some difficulty with the HTB Academy Hard Footprinting Lab. I saw SNmP protocol in the UDP scan, but cant use the tools that the module presents... Am i doing something wrong?

Can you ping the machine to see if it is alive ?

you also found a valid result and then tried to query with a wrong community string

Oh yes, it will be penned by 21y4d, bmdyy and vautia. So it's almost unsolvable 🙈

maybe we can buy the exam vouchers as a subscription

But hey, challenge accepted 😁

AD enumeration & attacks - skills assessment part 2 question 7. I have administrator access to sq01, run mimikatz, lazagne. The administrator hash what I get is not good to ms01. What I am missing? How should I get access to ms01?

Already responded

Look over the other results you get from those dumps

Thank you!

Hey !
i'm doing the sqli assessment and and i only get white pages..
i'm pretty sure my shell.php is good but nothing happens..

If your shell is calling back to your ip you'll need to have a listener on the attack host, otherwise you need to do the ?c=insert_command_here

i'm using the second method and nothing happens,
the website gives me a 200 code and nothing else just a big white screen burning my eyes

Hello guys. Anyone doing the "litter" Sherlock challenge?

I found already the communication happening between the compromised host and the C&C. My problem is trying to decode the contact (trying not to give spoilers here). I can see part of the commands but not all

Best to ask in #sherlocks

ok, thanks, first time here

No problem 🙂
If you have no access, read and follow #welcome

||Cyberchef|| can help 😉

Yes, already using it

ok found my mistake into my SQL query because of spaces..

i got it thank you!

i got it thank you!

np

Tried evey hash, but none of them is worked. Can we discuss in private? Don't want to spoiler anything.

DM me your full mimikatz output

<@&861185840277487616>

Module: SQL injection fundamentals, section: Using Comments. I got the 'Login successful as user:admin" message, but not flag. Why?

I am still stuck at the same thing: skill assesment from: introduction to windows command. Here my issue I am unable to answer the question I have tried countless different command It always get acces dined or nothing

is it mssing on purpose the password ?

also ls / tree doesnt work

am i supposed to do in a different way maybe ? root escalation ?

Im having trouble on the linux fundementals.
The question is: What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?
My answer is sudo find / -type f -name *.conf -newermt 2020-03-03 -size +25k -size -28k -exec ls -al {} ; giving the result of:

why cant i upload a photo?

either way these are the only 2 results

-rw-r--r-- 1 root root 27381 Apr 3 2021 /etc/dnsmasq.conf
find: ‘/home/htb-ac-1012663/.cache/doc’: Permission denied

so i put dnsmasq.conf as the answer as that is the only one that shows

but it shows up as wrong?

idk what im doing wrong

which content is that

ik its linux fundementals

but which section

@eager loom

@eager loom https://www.youtube.com/watch?v=iGPI1OwakCY

It can help, he does explain nicely

Thank you i will have a look its 3am for me though so i will do tommorow i give up for now.

no dramas

@real delta

I know this is basic stuff, but I'm so proud of me for getting through that last tcpdump section 😅 It was stinky as hell for my brain! I def need more practice!

I've been there, that module is actually fun tho

I did a couple guided projects on tcpdump and wireshark on coursera so it wasn't that bad but I def felt I needed to think outside of what I was taught for that last part of tcpdump

If you want hands on practice with wireshark, go check the labs for sherlock

It is so much fun to be a detective 😄

Uses the same principale tho

after that you feel like a real hacker

ahhh I'll make sure to check it out! Thanks bobby!

🫡

I'm just so happy rn 😂 this is wonderful

Happy for you, me atm I am having a aneurism

we're gonna make it! I'm sure you'll get it soon!

Yeayea maybe in few more days

@rustic sage

Hi guys 👋

I have a problem kinda

Spill it

yea ive done that mistake 100 times already

but tried with the correct one and doesnt work

Guys can you give me some advice?

Module: Windows Privilege Escalation
Section: Skill Assessment 1
Problem: Find the password for ldapadmin account somewhere on the system.

My Question:
I used all the credential hunting techniques and plugged ldap admin into find.
Can someone give me a nudge?

@wild iron why arent you using backslashes?

Just ask your question

https://dontasktoask.com/

doesnt change much

then try to specify the full path ... youre starting with '/' which is the beginning to a linux path.... you should probably start by using C:\

tried it already

I got tricked I knew one girl then we chatted and we had meetings and she was trustworthy and she had one task riddle and if someone would guess that was the winner and we were getting the price and she texted me that I needed confirmation letter for the company from insta and I thought it was something new so I said I didn't know that so she said add my mail in insta and give me access with it I'll do it and I said okay then I got hacked

bruh XD

So I didn't know my bank account number and I gave her my ID what a dumb me and ://///

I'm gonna call the police

Now there's a thing

@mild flower - Unless you can somehow tie this in with the HTB modules. This is not the right place.

He tried to hack my fb but I had 2 steps on it so I brought back my fb

havent you got is IP ?

was he using a vpn / dns /proxy ?

And I know where he came in my acc and he was using iphone 6

The Password Attacks module is not 8 hours. smh

xD

It feels like it takes for years...

Eight hours plus 🤪

dont worry i am at introducing windows command line its says 4 days, i feel like a good 2 weeks

dang it.

I'm only working about my personal ID

And I remembered I have this girl in the fb list and I texted her on FB and she told me her IG was hacked and she didn't write a post about it

Module: Windows Privilege Escalation
Section: Skill Assessment 1
Problem: Find the password for ldapadmin account somewhere on the system.

My Question:
I used all the credential hunting techniques and plugged ldap admin into find.
Can someone give me a nudge?

She removed my mail from my account

Is this possible to know the current Mail?

Bro, this is the wrong channel

Sorry://

i love being completely ignored

Sorry

XD

okaaayyeeee

not currently accepting friend requests from accounts i dont share a server with. thanks

Check your rights on the System

couldnt get juicypotato to work. i was looking at SeImpersonate, is that at least in the right direction?

Try it again

would this be an issue?
JuicyPotato.exe: PE32+ executable (console) x86-64, for MS Windows

Guys do you know someone who can help me ?

The police.

`# systeminfo

<SNIP>
System Type: x64-based PC `

I would hav e helped you if I done it tho, im fairly new, im doing all the module fundamentals/ easy , I come from far away and I havent reached your lvl yet

#rules

im literally three modules away from getting my CPTS voucher... not here to play games with you

this account just tried to friend me XD

I'll try but I don't think it will work

guys in cmnd injection modeule normally we can output a / using the ${HOME:0:1} or pwd or path but on the exercices the **${HOME:0:1} ** wasnt outputing annything just the ping is it because the home varaible wasnt set

huh ? is that a threat of some sort ?

Nothing we can do for you here

nope not at all. im simply stating my intention here.

whats your's?

Okay thanks a lot ✨ I'm going to call the police then

bro I am stuck too I am looking for the asnwer, same as you so far no one help me tho, so "I am not here to play game with you" Is simply a rtar.. statement

Sucks to be you, can't help you

He was just saying that he would have helped you if he could have. Same here. I am not to that section and can't help.

well i gave you the only logical next steps, given the provided information.. i cant help you any further... i dont even know what section of what module you're working on. simply provided a possible fix

Yea I told you that it doesnt work buddy, where you getting at ?

btw if you verify your acc, you could post snapshot/screenshot to help your situation

Or i think add your student id or smt to the discord*

from the htb website

Go onto Hackthebox --> create an account on academy --> do fundamentals modules / easy module

and aslo creat an account on labs

and do starting point

it helps a lot

to get your fundamentals

and you will be able to chose the path youu want

if you friend me just for asking dumb shit like hack fb then kindly Grab a dick and eat it whole

sorry about that

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

rip

I downloaded my fb history and can I see his IP address?

I know the IP but I'm not sure if it's right

Stop. No one here will help you. Call the police.

Ask fb support and call the police

Okay thanks

Trusting some rando on the internet and getting burned, and then asking other randos for help. 🤯

😂

@acoustic owl Thanks for the nudge I wasnt aware of the -c flag !

Attacking common services lab I'm getting an error on the last question:

Login as the user "jason" via SSH and find the flag.txt file. Submit the contents as your answer.

It gives a "permission denied publickey" error

Permission denied (publickey).

The password is correct from the previous question, so I know that's not the issue.

deobufiscation ?

it's not an error per-se

you need to enumerate to get the rsa_id

that is telling you the accepted auth methods for this service

which in this case is the pub_key/id_rsa

btw as you are here @fathom pendant have you done the module introduction to windows command line?

i don't think so

fuck

¯_(ツ)_/¯

im so stuck idk what to do

just ask your question my guy

I downloaded the publickey earlier. What do I do with that? I already have the password to login.

you use it to log in

stuck question 4

so each user's password is the user from the previous question's answer

naaah

really ?

and all you gotta do is do dir /a iirc

How do I log in with a publickey? I know I can use a private key to login, I didn't think a publickey would work.

it's the same thing

omfg i tried everything and still getting access denied

it just means it uses a pub/priv key pair @heavy marsh

@wild iron are you logged in as that user?

if that work you will become my god

Okay, so I have a public key, no private key, but I have the password. How do I log in?

Oh well thats not it

log as user1

You need to be that user to see their desktop

my guy

I cant acces any other user apart from user 1 & user 0

user3 password is the answer to user2 question and so on

At best I can do is cd user3 on powershell, but cant get anyfurther

you can definitely log in as other users

im just bad relax

I've never needed a public key to log in. I tried "-i" like I do with the captured private keys, did not work.

ok i just got into user 2

wtf

you just became my god

but seriously ive tried that and it didnt work the first time, i just tried now didnt work, and just redone it and now it works ?

nice and i am happy rn

I have the password, why isn't SSH working?

It doesn't even prompt me for a password!

Just checked, the machine is still up. Nmap scan shows SSH is up.

https://academy.hackthebox.com/achievement/1009496/237

Not a fun one

does anyone knows how to use gci -recurse and look for only length

Anyone else having issues with posts disappearing in erratum?

Same problem (
Any trick/solution?

"reset target" and waiting about 10 min - timeout =/

Still getting the same error on SMB Attacking Common Services lab

I had to reset the machine.

I've already restarted it many times =/

HTB is trying to teach patience apparently

That's what I've been told numerous times

honestly i believe you

sometime i write the answer

10 times before it works

anyone able to help me with this pls ?

What module @wild iron ?

there is 10 times more of them

introducing to windows command line

at ssection skill-assesment

all good

😄

When it doubt restart the machine. I just wasted over an hour on a bad ip.

outch!

I'm cry
this is wasting my time

nice to meet you I am crying

try to think outside the box maybe

tried chatgpt

Where can I talk about the Sherlock labs?

under the sherlock

#sherlocks

Where? I can't see any channel

No access🥲

verify your account

What module is this?

Attacking Common Services : Attacking SMB

what you looking for ?

Target always down, like after 5-10 sec after respawn

maybe you are ddosing them, can you delay each try ?

Nope, target/port just down, before I start bruteforce

you reckon is a mistake that you do or thats from their part, you can still contact support if thats on their end tho "if you think so"

I haven't done that module yet, cant be of anyhelp

sorry brother

Check if you only have 1 vpn running

Over pwnbox

respawn target, change vpn region

I don't use vpn, only pwnbox and restart/respawn target many times =/

then change vpn regions and try again

about 20 times

reboot ?

Host/target just down after 5-10 sec

on the question:
Send a GET request to the above server, and read the response headers to find the version of Apache running on the server, then submit it as the answer. (answer format: X.Y.ZZ
ive tried the commands... however i keep saying connection time out.... i have tried rebooting panbox and also target but same result came T^T

Hey all, anyone able to give me a hand with INTRODUCTION TO THREAT HUNTING & HUNTING WITH ELASTIC hunt2? I'm fairly sure I got the right answer but seems to not like it when I submit. Would like to know if my understanding is completely off

try to refresh the page sometime it works

No luck.. perhaps im completely wrong with my finding.. thanks for the suggestion

specify http

ah i see. thanks ><

hey, anyone knows what to do if responder.py isn't listening anything?

what are you trying to listen to ?

SMB requests

port ?

is it in a module form academy ?

80

Mmm.. idk

The script (responser.py) might not be designed to intercept SMB traffic specifically. If it's a script for intercepting HTTP traffic, it might not work as expected for SMB.

Port 80 is typically associated with HTTP traffic, not SMB (Server Message Block). SMB usually operates on ports 445 (for newer versions) and 139 (for older versions). If you are trying to intercept SMB traffic, you should check the correct port.

Mmm.. I'm just following the walkthrough guide.

on starting point ?

Yep

tier 0 or tier 1 ?

i mean what machine

whats the name of the starting point

Tier 1
Responder

Learn the basics of Penetration Testing

what step are you stuck on ?

i mean what task

Are you running it with sudo?

I'm suposed to get this, but my terminal is blank after listening

true that can help tho

yeps

have you added the thingy in /etc/hosts/ ?

Yes

are you trying to hash crack ?

Hash , yes

ik the file rockyou.txt must be unzip or smt

this is not true, responder listens on smb port, among many others depending on how it's configured, the second part is correct though, port 80 is not smb

i just ask chatpgt xD

dont blame me

😦

go into your file /usr/share/wordlists/

look for rockyou

you will see it is in a folder

you must get the txt out of the folder

Nah... I unzipped it already

oh

so whats the step are you stuck on ?

my terminal is stuck at this step

the target isn't gonna send requests to your listener on its own, use RFI to force the server to request a file to your IP

Fetching the NetNTLMv

Are you running this on your machine or did you ssh into the provided machine first?

My machine

I’m not sure what module you are on, but is there maybe a machine you need to ssh into first?

The walkthough showed this thing and same in my browser

also, this is the wrong channel for this, please check #welcome and verify, then move to #starting-point, we'll help you there @latent harness

oops! okay

His is different to mine they must have updated it. Im doing the find files and directories bit.

oh yea

are you listening on the tun0 interface?

you think responder works in wsl? never tried it

it's probably buggy as all hell

because WSL

I need help pls

thats the command i run

but I tried evey name none work

Im still stuck on same questions as yesterday :((

Can someone help in "File Upload Attack"'s skills assessment?

what was your question ?

Ill show 2 seconds

I dont have the skill required

Tbis is what im running and read the forums and tried alot of varients of commands similar

Do you know someone who has?

Ususally the support or admin they usually do

Its either it shows nothing or 1 thing that isnt giving me correct answet

Have you watch the link i sent you last time ?

Yes i said it wasnt in there

Which section is that in linux fendamentals ?

Umm

I can check ive done it

It is "find files and directories" first question

Other 2 ive done

alright lemme check

Ty 🙏

Ok whats the command your running again ?

Ive tried a few 2 second leg me get it up

sudo find / -type f -name *.conf -newermt 2020-03-03 -size +25k -size -28k -exec ls -al {} ; 2>/dev/null

try that

sudo find / -type f -name *.conf -newermt 2020-03-03 -size +25k -size -28k -exec ls -al {} ;

Ive tried it

With and without the end bit

2 sec then

sudo find / -name "*.conf" -size +25k -size -28k -newermt 2020-03-03 2>/dev/null

sudo find / -iname "*.conf" -size +25k -size -28k -newermt 2020-03-03 2>/dev/null

either

@eager loom

ill try

ty

worked ?

it returns a file but it not saying it right

whats the file ?

make sure you're running the command on DC

dnsmasq

I just found that out

not the right one

thats wierd only thing that shows up

have you tried with the variant -iname

yes

idk why its not working

i just tried the -iname again still doesnt change anything

same result

sudo find / -type f -name *.conf -size +25k -size -28k -newermt 2020-03-03 -exec ls -al {} ; 2>/dev/null

try that one

ill try 2 sec

i get an error

i can copy and paste from the vm

so im having to type it all out

im using the one on their site

missing arguement -exec or something like that

maybe you added an extra space

forgot the closing argument {};\

yea

that fixed it but it just returns nothing now

huh ok interesting

😭

find / -type f -name *.config -newermt 2020-03-03 -size +25k -size -28k -exec ls -al {} ; 2>/dev/null

try it like that

find / -type f -name *.conf -size +25k -size -28k -newermt 2020-03-03 2>/dev/null

another variant if not I am not sure

i tried first one same thing

does nothing and that second one ive already tried

idk i think something is wrong is there like an admin or something

i can somehow talk too

i dont think there is a config file with all these parameters on this vm

must be

find / -type f -name "*.conf" -size +25k -size -28k -newermt 2020-03-03 -exec ls -la {} \; 2>/dev/null

if it doesn't work, restart the target

oh yea that ;

ill try ty

( ;)

ffs

cant backslash here

@next bronze how do you do that commadn line thingy

backticks ` single for in line, triple for code blocks

frite

oh yea thats cool thanks

yea still returns nothing

restart it then

alright will do

still nothing

you sure you entered the command correctly? I'm able to get the answer using that command

im 100% sure

did you try with sudo ?

or without ?

just did with it

and still nothing

wait

did you ssh into the target

im vip im using 1 on the site

pwnbox?

i think so idk what its called

the instance u can start on the site

you need to ssh into the ip given

even when im directly connected

oh or u mean

i have to do it different?

i think i understand

have you done the command ssh iptarget

this, whatever the ip there for you

omg

ill explain

so i thought this was for people using there own vm to connect to like this machine i guess

i thought if i was directly on here i dont need to do it

oh well in that case ssh htb-student@iptarget

happens, now you know

ty lol

omg its done 🥳

Well done boy !

how to upload files vial curl

windows or linux?

linux

curl -X POST http://<ip> -F 'files=@<name>'

the server needs to accept uploads

chisel error :( how to fix this

the host doesn't have the c library needed for chisel

but it was demonstrated in the module

the shoul have chisel installed, if nottry an older/newer version

is there a way i can include all dependencies on build

(i dont know golang btw)

you built it from source?

yes

grab the precompiled version from releases

that was also demonstrated in the module

Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer.

got root flag instead, now I'm confused xD

this worked

Someone can help me in dm to settle my ZAP ?

Hey alll where is the Sherlock section here

read #welcome and #rules after that use /verify at #bot-commands and go to #sherlocks

Pleae need help with Server side attacks module set up NGINX AJP reverse proxy i keep getting this error when i try start up nginx:

nginx: [emerg] "upstream" directive is not allowed here in /etc/nginx/conf/nginx.conf:36

thanks

@hxriazaka looks like an error at line 36 of your nginx.conf file

What is at line 36?

How we give way to a request in ZAP ?

Server IP and port

Hello everyone, I want to ask Does anyone have finished Windows privilege Escalation SeDebugPrivilege [RCE]?

I put my HUD but when I click on Break button nothing happen

995 people have completed this module.

Hello @PayloadBunny, I have already answered the question and finished it ,
but the question doesn't need to gain an RCE

Guys i need help, i stuck

Hi I am having trouble to copy files from victim to local using scp
scp will@10.129.140.240:/home/will/root.txt /loot
my loot directory is in my pwnbox home directory with path /home/htb-ac-399878/loot
I am getting /loot: Permission denied my directory permissions are 755

I stuck in linux fundamentals with task: Use cURL from your Pwnbox (not the target machine) to obtain the source code of the “https://www.inlanefreight.com” website and filter all unique paths of that domain. Submit the number of these paths as the answer

I fight with this task for very long and just cant finish it :v

Hi, (not sure to be in the right place to ask this, please let me know if there is a better place). I would like to ask question to some HTB Academy team member (about report writing).
Is there a specific way ? or should I just try to DM some peopls in this chan that have the HTB Staff role ?

/ isn't your home directory, it's the system's root directory - so /loot is not in your homedir. You want to use the full path in the scp command

hi, what's is the module URLplease ?

when I try to use this scp will@10.129.140.240:/home/will/root.txt /home/htb-ac-399878/loot
I get /home/htb-ac-399878/loot: No such file or directory

https://academy.hackthebox.com/module/18/section/80

You're 100% sure the directory exists, at that path? If so, I'm a bit rusty on what scp expects precisely, but maybe it needs a complete filename - try /home/htb-ac-399878/loot/root.txt.

you can DM if you want or talk about it here : have you manage to get the page source code using curl ?

i think scp only works from client to server?

scp can be used to copy from client to server or from server to client. But the initial connection (the box where you run your scp command) is always the clicnt

so he has to run the command from target machine right

@sterile epoch - I managed to somehow not make this a reply to you, sorry

yes I just created the directory

and assigned 755 permissions to it

Can someone hack someone's IP with their discord username, they have been bullying me and I'm not mentally okay for it

I'll give their discord username

does this place look like a hitlist where you give in name to hit?

try

scp will@10.129.140.240:/home/will/root.txt /home/htb-ac-399878/loot/root.txt