#modules
Not related to htb academy so no
I was gonna help in your post in community help but it looks like it got locked
Now I'm def not helping
fking lol
locked for what
try to behave next time @obsidian sundial
hi do I need to tell the version of Samba running on NIX host?
Probably by connecting to it
scanning udp is not the right proto to find smb
But that looks like the hard lab on nmap
Which iirc is a bit more on the evasion side
how do you even recognize the module based on the output
NIX-NMAP-HARD gives it away
oh right 
I'm one of the few literate gamers out there
indeed true
ok
dude revisit the DNS Proxying part from the section Firewall and IDS/IPS Evasion
I have 50 free cubes, and have not taken a tier i module yet. What would you guys say is the best tier i module to represent the platform?
Whichever one interests you
I dont normally pay attention to the tiers ill have to double check
I know my easy answer for Tier 2 though
Eww the list of Tier 1 modules is kinda gross tbh
shells and payloads/nmap are alright
I'm asking this because I have not been impressed with the tier 0 modules, even if academy does beat most of the sites out there.
So I think its a toss up between Shells and Payloads vs Password Attacks. Shells and Payloads is really beginner information and Password Attacks has some problem aspects we were just bitching about in the CPTS section
If you wanna be impressed save up for tier 2
and do Active Directory Enumeration and Attacks
Tier 1 Best module got to be Password Attacks
do tell, ad?
yes
I think I'll be stuck with password attacks, considering it took me ~20 minutes to crack the password on one of the boxes for the current season.
I think some of lab design for password attacks is kinda bad, but its extremely comprehensive in the stuff it covers
But I hated doing the module
So if you wanna see what HTBA really can offer I still strongly recommend saving up for tier 2
15 minutes for a password gang
AD Enum and Attacks is a module I genuinely recommend people do even if they have no other interest in HTBA at all. Its genuinely the best Zero to Beginner course for AD
Even my red teamer friend liked it even though he had a couple comments here and there
So dig up student email and get student subscription for $8/month. Gotcha, lol.
yeah
guy does htb planning to bring a any new subscription for 500 modules cuz man they are expensive
Cheap compared to other platforms.
There is actually a really cheap and hacky way to get all of the content for the various tier iii and iv modules, but I'm pretty sure it breaks some sort of ToS agreement.
40$ for a lab is very expensive, you can have two other platform subscriptions with that price
barring frustrations, I really liked that password attacks teaches harvesting Kerberos tickets in Linux
where does the $40 for a lab price come from?
isnt gold 40$?
tier 3 modules, 500 cubes I'm guessing
you do get 100 cubes back though
I don't disagree here, but if you compare it to the cost of live training, it's pretty cheap. Live training can easily cost at a minimum $2000+. Meanwhile, you can get all of academy for ~$1000, and it probably beats most of the competition out there, even if I do really hate some of the tier 0 modules lol.
but again i dont find any other platforms with HTB like quality content
no need to compare it to live training even, you can get all of academy plus all three certs for the same price you can get OSCP lmao
If you dont count the labs, hacktricks probably has every page stolen copy paste 
but the labs are what really brings the value imo
hacktricks has labs?
Continuing that discussion from #cpts about why I don't like the other platform, I like how academy at least forces you to use knowledge that you have already acquired.
It's amazing how you can tell someone how to look through a config file, how to change permissions on files, look for web proxies etc, and still not know how to get their web server back up and running.
If you can get that kind of training for $50, then it's probably worth it.
hi I'm getting closer to the answer I think. I am trying to connect to Samba. Is this on the right track:
```
┌─[us-academy-1]─[10.10.15.228]─[htb-ac-605555@htb-4cxzwormnp]─[~]
└──╼ [★]$ sudo smbclient 10.129.214.148 --W WORKGROUP --no-pass --command=sudo smbstatus
```
this is for the nmap enumeration module
why are you doing the command stuff
if you got a samba share just check it out regularly
because I don't have the password for the samba share
You don't always need one
ok
You also don't need to run it with sudo
Try listing the shares first
Do yourself a favor and do smbclient -h
tbf smbclients -h is terribad
True
read the docs on it instead
with zero explanation lol
smbclient.py is better than smbclient, fight me
```
┌─[us-academy-1]─[10.10.15.228]─[htb-ac-605555@htb-4cxzwormnp]─[~]
└──╼ [★]$ smbclient 10.129.214.148
Password for [WORKGROUP\htb-ac-605555]:
```
I think my default actually is the .py version, idr
Same
thats not how you list shares
ok
iirc I had issues with filenames a while back with impacket's smbclient
literally google "smbclient list shares without password"
you couldn't use \ for spaces in filenames
Gotta love it
in the end I had to use smbclient instead. I asked the sysadmin discord about this, and of course the most they could say was "have you tried using \", after telling them I did just that.
A security guy was there, and he more or less went "yeah, impacket does that... it's sort of broken" lol
```
┌─[us-academy-1]─[10.10.15.228]─[htb-ac-605555@htb-4cxzwormnp]─[~]
└──╼ [★]$ sudo smbstatus --shares
Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
```
Its not showing me anything
"Yeah. That's Dave, he's just like that"
What
thats not how you do it either
What module are you even doing
smbstatus is for your own hosted samba share
And did you read it
Do this
I dont think so
I severely doubt it as well
I think they said something about just tackling the lab
Working out great
But if this is the module I think it is, not necessary
They never did clarify what module and section they're working on
I'm working on Enumeration with Nmap
I did smbclient --help and its not telling me how to list shares for a remote server
so I guess I have to research it
The hard lab yea?
Ive told you twice exactly what you should google
And ^
at least have the decency to tell me to fuck off 😂
People are bad at using google, and google's results are awful now
It's still explained in that module I believe
The top two results for what I said exactly to google provides the answer
Try Hack Me learning path(academy) or HTB academy? what is better?
If you search for "smb search for shares", one of the top results is https://superuser.com/questions/1492010/finding-all-samba-shares-in-local-network, and another one is https://askubuntu.com/questions/102924/list-samba-shares-and-current-users. Sort of conflicting answers. I dunno, I would use smbmap to list things instead of smbclient.
seems like HTB academy is expensive
THM is garbage.
It's overall better quality
htb academy is expensive but well worth it
He doesnt need to search for shares
if you are a student its only 8$
he already found a samba service, he just needs to lookup how to list shares from one
Which is a command thrown at you early on
Sure, but this is also a language thing. It sort of shows you just how annoying google is for this type of stuff now.
oh really
But really the module probably covers the programs you need to know, so you just type -h
ya if you have a student email address
I mean maybe but you provided a bad search string and I provided a good one. He didnt bother to google at all and ignored my recommendation twice lol
lol yeah
Maybe i can use my old student email address it's still available i think
My college closed mine out
but my job pays for htb anyways so it didnt matter
got my job to pay for pro labs too 
I can see there are 2 paths CPTS and CBBH
You can pay for .edu emails.
Get a student subscription and then do the modules you want to do. Think of certs later.
CPTS is more for system and CBBH is more for web
Oh just do whatever module i like to
There's some overlap of fundamentals
Not go to a directly path
Need to be careful
^
Oh so the paths are important...
Or assumes you already know some of the info
jumping around and going out of order will sometimes have pre-reqs it expects you to know and it wont tell you about em.
i finished the cpts modules over the weekend and am studying for the exam, can 100% say they are worth it
take a long ass time to do them all but are really a lot of good material
The Paths are if you want a specific structure to learning
if you are serious about learning pen testing
it isnt, throways advice is just only good for very specific kinds of people lol
Guys i need help. I've been stuck on:
Module: USING WEB PROXIES
Section: ZAP Scanner
I attempted to run the ZAP active scan but after an hour I only detected two vulnerabilities: path traversal and SQL injection. Both in the 'wp-comments-post.php' directory. However, it appears that these vulnerabilities are not the ones i need lol, ive been stuck here like 2 days, dont know what else to do. All help is greatly appreciated 🙂
one weekend? are you a machine?
This is confusing to me because it's pretty poor of me to assume that people know basic tech.
But if you are learning for the sake of it- it's not bad
no i finished them on the weekend i started back in march lol
maybe but the course is designed that way
I did a lot of htb boxes in parallel tho I couldve finished it all in 3-4 months I think if I didnt do boxes
it builds on itself
oh lol i thought you finished it all in a weekend!
its 1032 hours of material ._.
holy fucking shit
Mate just yesterday you were convinced of the path you should do lol why are you here asking for paths again
Just go study.
I'm asking because if i didn't ask i wouldn't know it's 8$ as a student rather than 500$, I definitely can get student voucher. Just got 492$ refund 🙂
$8/month
I edited thx
For some of the tier 0 modules, I literally did a bunch of the questions/modules at once, and then later went back to read them.
Important clarification
Difference is, you had some skill and knowledge
and the 500$ is for a month too?
no 500 is for a year
For silver annual,?
No. HTB academy's pricing model is a complete mess.
i can link the plans 1 second
I'll let you read that again but slowly
k
Learn about the different Academy subscriptions.
Silver annual is paid... annually
I think you can do 2 months of platinum and buy the exam voucher and save money too if you dont have a student email but i just got my job to pay for silver annual
i dont need the exam actually, just looking for knowledge
So you are debating between $8/mo or $500/year?
the 500 option is the better option because it comes with tutoring afaik but i'm on the $8 plan so idk how good it is
It's not direct tutoring
^ this guy is the tutor
It's a request help feature
he's the goat
That pops up after you fuck up the answer enough
Ok, so there are modules in various tiers, 0 to 4. Tier 0 modules cost 10 cubes and also gives back the same number of cubes. The other tiers cost 50/100/500/1000 cubes and give back 20% of the cubes spent. Cubes cost $5 for 50 cubes, but you can subscribe to a monthly subscription (and cancel immediately after) to get 200/500/1000 cubes for $18/$38/$68.
Additionally, there is a student subscription for $8/month that also gives you back cubes as mentioned above. You can also take certification exams for $210. The exams include a retake if you fail.
There is also silver annual, which is an annual subscription, and it is not worth it.
Oh you failed this question 3x? Would you like to ask for assistance?
that would be so nice i keep failing one question
That's just because skill issue
yeah
i got the second question
HTB's help pages are all over the page and are not helpful at all.
You're probably overlooking the answer
my hot take is I dont think people that need the forced paid tutor help has what it takes to pass the exam
```
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///root/flag.txt"> ]>
<svg>&xxe;</svg>
```
and when i did that the upload button disappears and there is no text within the html source
i also tried without the .txt extension and got the same thing
Youre reading the wrong file
read the question again
there is no /root/flag.txt
Now i got you by the cubes 🙂 i got 70, And seems like i've done some modules in the past with the free subscription of "cubes" model
thank you everyone... this chat is amazing 😄
why does the upload button disappear when you read the wrong file? is there an easy way of "fixing" the problem by making the button without using burp to send requests to upload a new file that's not breaking the site or resetting the vm?
when the button disappears you can't upload a new file that's why
it persists on reload
Dont get fooled by front facing client appearances
theyre meaningless
Youre a hacker so interact with systems like a hacker does
seems like the CPTS CBBHCDSA are just exams, They are not paths, How can i get the "paths" that lead into one of the CPTS CBBH CDSA? through the Paths?
job role paths
What about the Skill Paths?
those group different modules by skill
like local PE is the linux and windows PE courses
But they all eventually the same? Skill paths contain whole of the Job Role Paths for example?
Or it's bit different (maybe one has more than the other)
no skill paths are what they sound like
paths covering a particular skill
job role paths cover a cert
Check the number of modules to compare.
Unless youre focusing on something specific just ignore skill paths
You meant to ignore job role path and take skill path instead i think?
No
No I mean what I said
Reading comprehension is hard
But that's why we're hackers, don't need to read to hack
Click Job Role Paths, you get three options
Bug Bounty for CBBH, Penetration Tester for CPTS, and SOC Analyst for CDSA
imagine getting lost in that part of the academy
you have a long way ahead with sone modules
some*
You can also click on Exams the. read what it says for the exam youre interested in
read

Yes. Unfortunately it's a bit crazy because there's an incentive for you to create a new account just so you can subscribe and do the tier 0 modules again for the free cubes.
Enumerating the course is the first step to being eligible for the course
it’s easier to come here and ask (ive done it)
HTB Academy's structure is a hot mess. You literally will not be able to find out anything about it unless you actually sign up for it.
What a great way to attract potential customers.
wat
Or you can just read
you didn’t use ine platform
i think it is very well documented and structured
but maybe im 200 iq
Without logging on, try to tell me how much each module costs and the pricing structure for the various subscriptions.
Just got it...
There are lets say 500modules
they permutate each module for each certification, Some of them will overlap with other certification and some will be unique to the dedicated cert.
But the modules are just decorated by those certs.
People should do cert/skill paths because they arrange and sort the modules in a way that 1 module is coverage the other module like "prerequires module".
Learn about the different Academy subscriptions.
Eh close enough
This shows the issue.
I've used INE platform, It's a bit of a mess too until you get the point of the Skill Path and courses and etc...
The percent discount is wrong.
?
And why is this on help.hackthebox.com, and not on academy.hackthebox.com?
https://academy.hackthebox.com/faq What is even the point of this page when it shows nothing useful?
I actually had a discussion about this with @languid fjord lol.
whole of my questions just in this FAQ lol
The discount is relative to each other
its gone on the site
I still see 11%, 27%, 36% on that faq page
what you pointed out was the monthly vs annual difference
Can someone dm me or so to give me a hand with firewall IDS/IPS evasion Hard lab? I have the port ||50000||, but cannot get the flag....using this is pawnbox either: ||connect to filtered port
ncat -nv --source-port 53 10.129.2.28 50000||
200 cubes = $20, $18/month is an 11% decrease
Its talking about the cost of cubes, vs cost of subscription
Sure, but then those numbers do not work for gold and platinum.
As said earlier; patience
500 = $50, 38 is ~25% off
24%. Not 27%.
ill poke them to update that - math is hard lol
32%. Not 36%.
It probably used to be slightly different
But recently I believe there was a wide price increase
And again, why is that page on help.hackthebox.com and not academy.hackthebox.com?
not that im aware of
because this is a helpdesk article?
^
And eventually the best way is to do some machines/CTFs and explore from google, Although it's the best when someone chew the hard part of the enumeration such as the HTB academy
same info on the site, and i will get those #'s updated as well
Like it's a valid place to look for help regarding any of the site
Why is the help for a hackthebox platform found in the hackthebox help repository????
Uncle Google and Auntie GPT really help a fair bit
But it's really nice when you have all settle down in a written path for details and after that you have a hands on machine to learn from and questions
You mean high-school lied to me?
@prisma spruce the help article is now updated
I mean you can in some fields. Just not this one
That's not really my point here.
If you're trying to attract customers, you are literally losing them by forcing them to search for stuff like this.
https://academy.hackthebox.com/billing/monthly-billing It'll need to be updated here too.
Getting people to sign up for stuff is a tall task.
Personally I wish the whole cube system was just gone and you just buy your shit
"Oh hey we have a platform. We won't tell you what's on it or how much it costs, but we'll definitely need you to create an account with us before you can find out anything about us."
did you time travel from the 1970s? just curious
?
We aren't in the '90s anymore. People don't want to enter their email address to sign up for every new service.
https://help.hackthebox.com/en/articles/5272936-introduction-to-htb-academy btw for tier costs
New to Academy? Looking for more information? Learn about HTB Academy, the Cubes system, and the platform structure here.
guys can i get the format of the flag in web attack module idor mass enum cuz i have the file but its not accepted idk if im stupid but yeah
never mind
im stupid
It does not show the price of cubes.
If you click "B&S: Academy Subscriptions", you get about:blank#blocked. I don't have an adblocker running in incognito mode, so I don't know what's up with that.
In a different browser, the button does not work at all.
Probably just a dead link they forgot to update
pinged them to update this - not working for me either
ill take some time tomorrow and go through these pages to make sure they're all accurate
It's mildly user-unfriendly to actually have to do that at all.
I know, but changing how things work on the website takes more time, and ive noted your feedback for those who are responsible for that
in the meantime, we can make sure these are up-to-date and accurate, and with time see how we can better show this information to users on the main academy site
It would probably help to not have to log in to see the free rooms, similar to what THM does. A lot of THM's user experience is much better, even though the user interface for the rooms is absolute garbage.
As it is, without actually signing up for academy, I can't really figure out what academy is selling me on.
?
"Start for Free"
yeah, but you can look at all the paths, and module overviews/sections without signing up
Compare it to THM, where I can see the actual content. I'm only restricted from answering any questions.
Fair, i see your point
That sounds like needing to rework the site to basically treat tier 0 as a whole separate entity
https://academy.hackthebox.com/course/preview/network-enumeration-with-nmap For example, saving the results. What do you think I'll get out of that without looking at the actual content of the page? Oh, you can write to files with >?
It absolutely should be.
Right now students and silver annual subscribers get 220 cubes for free from tier 0 alone.
Which involves an immense amount of work to not break other backend systems
This is something we are aware of though
things take time to change, but nonetheless we are aware of them
That Nmap has different output methods
Is this what you would think if you have no experience with nmap/have not done the module?
Yes
"OK what ways can I save results" is what I gather from it
If we're assuming basic linux knowledge of redirects. Then there has to be a purpose
Can we assume that? It's funny because you would not even know it's a tier i module.
Just that it's an "easy" module.
Anything to do with a tool I'd assume you'd have some minor knowledge beforehand of opening the terminal
At least academy isn't lazy and you won't (if you've signed up to see the other content) get stuff like "oh you can -use -o csv/json/xml"
but there's no real way of knowing that without signing up first
Directly from the link you posted
So it can be assumed it builds off Fundamentals
Yes, and there are tons of sites that try to reiterate how you can use > over and over again, even after they've covered it.
And basic knowledge
You're just mad because it doesn't work the way that you'd design the website. While some of your criticism seems valid, a good portion has been you malding about it
I don't know why you think I'm mad. Sounds like you're projecting.
All you've done is just bitch about it
@fathom pendant please be nice about it
Instead of bringing up your valid points and not being like "well why is it on the help desk article and not on the site" when I was proving a point about just basic research of info
I Google your question and you keep trying to move the goalposts
And my entire point is how this is absolutely awful for user retention.
If someone has to spend any time at all searching for any of these answers outside of a platform itself, then congrats, you've probably lost a customer.
I agree some of the layout sucks but you keep minutely nitpicking details when i prove you wrong
I mean you are in the server since 2019...
I am not talking about myself lol.
And that's your opinion
Why email registration is dead. How removing it improved retention by a solid 4.5%
Congrats
This isn't some obscure field of marketing. You lose customers when you ask them to do anything more than the minimum.
The other major reasoning for email sign up is for uni students, and businesses. It makes it easier to validate info if you're already in the system
And this is a niche field. Anyone with more than a passing interest can sign up, if you don't want to - cool. It's not like there's any pressure or need for htb to cater to even more people
Many users advocate for bringing back the invite challenge lmao
Before regular sign-ups you literally had to hack your way into htb to get an invite code
And that is how a site dies lol.
its what gave HTB its initial popularity actually
^
makes sense they removed it though
The invite code thing was funny too, because there's nothing like it in any of the boxes.
Also email verification prevents abuse of the system
This isn't really about email verification as much as it is about removing friction from the onboarding process.
Most online services require email sign up
I personally didn't have many issues with the onboarding
Some of the content wording sucks
Right now, the main academy page basically tells you "oh we're a tech platform focused on learning cybersecurity. We cost money, but you'll have to go out of your way to search for how much anything costs. Do you want to sign up?"
Oh no needing to do research in a field that's built on research
oh no leaving money on the table
The people that are willing to spend money are generally or already have researched the platform before signing up. And even the ones that don't, it's relatively cheap
"We already know our customers and are not looking to expand."
That's what I'm getting out of it.
¯_(ツ)_/¯
As far as I know they don't have a relative need to expand
Their servers already eat shit often enough
Totally! HTB Academy is designed to introduce users to the cybersecurity world and impart the knowledge needed to start their journey. All Fundamental and Easy modules are perfect for beginners, combining guided theoretical learning with interactive, hands-on practice on live targets.
I guess it fits the modus operandi of the industry, lol.
Yeah kinda
From my point of view, customers tend to go "I have no particular interest in your site over the other. I'm interested in the product." Having customers to go out of their way to find out how to enumerate smb makes sense. Having them go out of their way to learn about the platform itself is pointless. They would rather use a competitor instead.
Maybe but also like what competitor
All of HTBs competition either sucks or also requires signing up for important info
The only ones that dont are hyper focused smaller courses
If your business isn't growing, it's dying. You can't rest on your laurels.
And HTB isnt, CPTS has been a massive win for them and its only a year old
We have plenty of things in the works 😉
Academy socks instead of regular htb socks?
That would be a breakthrough product i think
Programmer socks?
HTB next day shipping when?
htb underwear?
We do have lots of proper technical content in the works though
idk what we're doing for swag 😂

@fathom pendant just fyi...i got the flag for it.
Was it patience?
@fathom pendant lol...i mean i needed them lol...but it was the need for ||sudo||
Oh yeah that too
thanks for quick replies though
It's because you're binding to a low port
In case you wanted to know
I just completely missed you weren't doing sudo ncat
Iirc anything less than 1023 is a "reserved port" which requires sudo to bind to
yeah 1024+ is any user
for this module: https://academy.hackthebox.com/module/136/section/1291
what would be a good way to know what the directory tree looks like without reading the question to locate the flag?
Can u tell us the module name and the section 🙃
hi guys, wanna ask the experienced people here, is crackmapexec or hydra faster for cracking password?
I use crackmap for common services
But i switched to netexec
For hydra use it for web brute force login pages ..
for just password bruteforcing? hydra easily, cme is not used for that it can do password sprays, but it's definitely not fast
Im not a noob tho
yea like using a wordlist ?
and we use netexec now, cme is not being maintained
hydra
netexec? that's the first time i heard of it.
i am gonna go find out more about it
it's just better, updated cme
When i do like mssql smb ftp i use netexec tho
idk it just feel better XD
pipx, read the docs at their github
I don't use cme anymore, it's still there as backup nxc has yet to fail me
hydra john or hashcat?
different uses, hydra is for password bruteforce, hashcat/john is for hash cracking
I use hashcat for hash cracking, faster with a decent gpu
word.
looking for help in Documentation and reporting....
i ran sudo bloodhound-python -u <REDACTED> -p <REDACTED> -d inlanefreight.local -ns 172.16.5.5 -dc ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL -c All --zip
im given the bloodhound output files of users, groups, computers, and domains in that zip.
so far only tried using hashcat for the mutated password list. 
all these files HAVE the names and whatnot, but when I import this data to my local bloodhound gui, I'm not seeing users names, only Object IDs, and no workstations.. only two of the cyphers run... "All Domain Admins" and "Shortest paths to Domain Admins"
what am I doing wrong?
is it importing properly?
it ingests and succeeds through the gui if thats what you mean... How can i check to see if the data has been corrupted or imported improperly?
Does the instance that is running the bloodhound gui NEEEEEED to be on the victim domain?
have you tried sharphound/rusthound? I've seen bloodhound python not getting the data sometimes
im running bloodhound via docker-compose on my local VM. NOT pwnbox.
this was my next move, I guess it wouldnt matter if i used a script or toolkit that wasnt exactly mentioned in the "previous pentester's " notes.
and the data IS there i can see the workstation names in the .json files
the other objects are 0?
Has any solved Trace challenge
the object IDs that are visible go something like S-1-5-21-382938547-23487235953-2342348blahblahbalh
i can see their relationships with groups...
you should try using legacy, CE is not very good atm
ill look into that after running sharphound
i seem to recall having this same issue when following the AD enumeration module
Just pulled the "previous pentester's" bloodhound output down to my vm and that shows EVERYTHING. I'd like to just use this as PoC for screenshots and whatnot.. but I'd like even more to know why im not collecting the same data. maybe im not using the correct ip for name resolution? i tried to dig for the ns from par01 using dig ns inlanefreight.local but it just hangs...
bloodhound-python is giving warnings of Skipping enumeration for HOSTNAME.INLANEFREIGHT.LOCAL since it could not be resolved. on more than half of the hosts. I'm currently trying the other collection methods to see if i can produce the gpos.json file, ous.json file and a few others that seem to be missing.
I don't think you need to specify -dc
im using the -d flag for --domain
talking about -dc ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Ah yeah i see mybad i already stopped doing that
looking at the provided sample report i can see that they ran sudo bloodhound-python -u 'bsmith' -p '<REDACTED>' -d inlanefreight.local -ns 192.168.195.204 -c All
our scope is 172.16.5.0/24 so were going to replace the -ns with the ip for our NS at 172.16.5.5
but to no avail. we only output 4 files.
im using a user account i found with responder, grabbed a hash for and cracked with hashcat
hi i'm stuck on module using crackmapexec skill assesment question 1
- already got 3k user list
- set FQDN to /etc/hosts with internal network 172.16.15.x
- using proxychains crackmapexec ldap to A********t attack
- its been 20 min i got nothing and still process
- am i on right track
thanks
nvm got 1 account for 30 min
what's wrong?
Using the correct VPN connection file?
Yep
Btw leave it, I got it
was problem of pwnbox running simultaneously
ah
Hello everyone. Where can I ask questions related to boxes?
Best ask in #boxes
If you have no access, read and follow #welcome
Started Attacking Common Services Easy Skill Assessment. Can't seem to get a foothold. Enumerated all of the services that were found with an nmap scan. I am trying to bruteforce RDP right now using the wordlists provided in the module. Am I on the right track?
No RDP password found, it just finished.
I looked at the website
Brute force isn't working on any of the common services.
I tried default credentials and anonymous access as well.
Okay, looks like it was the wrong users.list. I didn't realize the Skill Assessment list was different than the modules. I'll re-download the password one too and keep working on it tomorrow.
Thanks
how you got the hash should tell you a lot about it
In the Documentation & Reporting Module...
Possible spoilers ahead
Is the ||Kerberos 5, etype 23, TGS-REP|| hash for the user || sq**ev|| supposed to be crackable?
Or is this to prove that, in the time since the last test, the sqldev admin has moved to using a stronger password?
|| I've already found the other Domain Admin and Administrator and possibly their cleartext password through bloodhound gui ||
anyone knows whether both LSA and SAM store credentials? or only SAM store credentials?
SAM stores LSA secrets
wel...
SAM stores SAM secrets, and you also take SECURITY and SYSTEM which store LSA secrets
these are what are referred to as Registry Hives.
ah thank you. i was kind of confused about the difference
service credential is stored within LSA secrets while SAM is for user credential?
i don't wanna wrongly assume things
oh wait, LSA stores the domain cached credentials too
Guys i do need help ;D. Split the network 10.200.20.0/27 into 4 subnets and submit the broadcast address of the 2nd subnet as the answer.
Am doing networking, finished all tasks, just cant finish this one
LSA secret contain cached credential, Reversibly encrypted plaintext, Kerberos tickets (TGTs, service tickets), NT hash, LM hash and LSA secret can be found at hklm\security. While SAM stores credential for local account! LOL thank you!!!!!!!!!!
yes
hehe
Remember, you start counting at 0. 24->256, 25->128, 26->64, 27->32
Split it in four, remind yourself which address is the broadcast address, and submit it.
im glad someone understood the question XD i was like idunno 21? what is this technique called? subnetting? subnet splitting?
Yea i still cant figure it out tbh
/26?
😦
broadcast is the last address in the subnet
I know, but i have problems with counting it. I split 32 into 4, but answer is still not correct :V
Are you counting from 0?
This is your last question, right?
yes
How were you able to answer Split the network 10.200.20.0/27 into 4 subnets and submit the network address of the 3rd subnet as the answer. and not this one?
Idk it was ez to count when it was subnet, but it kinda works different when its broadcast and not network address?
Ok, so you understand that the broadcast address is the last address in the subnet, right?
Ok, and the second subnet is followed by the third, yes?
just wondering... 10.200.20.0/26 has 64 hosts on 4 subnets right???
62 hosts on one subnet
Wikipedia may be wrong but the end of that first subnet (the broadcast address) would be 10.200.20.63 ? no?
In Subnet host count
https://en.wikipedia.org/wiki/Subnet
No, wikipedia isn't wrong. You just don't know how to phrase your question.
For instance, the 192.168.5.0/24 network may be subdivided into the following four /26 subnets.
i follow
that is what wikipedia is showing in the section on subnet host count
hey guys I'm currently stuck on
Exploiting Web Vulnerabilities in Thick-Client Applications
on the compiling Invoker.java
I get the message :
"javac: file not found: fatty-client-new.jar.src\htb\fatty\client\methods\Invoker.java"
but the file is there...
someone can help please?
Hi guyz ! Trying to do the following section
Using Web Proxies
Proxying Tools
But it seems that I'm doing something wrong
I started burp. Turned the interceptor on, checked that it will listen 127.0.0.1:8080
But when doing proxychains curl something i do not see anything on burp
is it 10.200.20.19?
my proxychains.conf have the following
http 127.0.0.1 8080
And not other Proxy in the proxylist
mmmmh can't understand why but it worked for msf with proxy option, with curl as proxychains but it killed my laptop on the nmap --proxy option (I guess cause of the dns resolver)
-Pn
This option for nmap is to treat all the hosts as online, skipping the host discovery nothing to do with proxychains
Well if I use proxychains NMAP keep saying me that it can't resolve dns and crash my term
If I use the proxy options, it's working but I do not see anything in burp
which one is the proxy option?
There is some confusion here, I advise you to do a search on google on how to set up Burp Suite since I don't remember if the academy modules cover that
nmap --proxies http://127.0.0.1:8080 SERVER_IP -pPORT -Pn -sC
That kind of proxy option
O cash
I see what you are trying to achieve I did not understand at the beginning, what is the module anyway you are having problem with?
Using Web Proxies
Proxying Tools
I succeeded to the questions
But can't understand why nmap is not working with the proxies option or with proxychains launch
Did you forget to change SERVER_IP to the IP you are trying to scan?
Damn
Anyone , can u tell me what is the exact road map of devops. Is there anything relevant with hacking and cyber security stuff?
Hi there everyone,
I'm running the WINDOWS EVENT LOGS & FINDING EVIL minimodule.
Doing the practical exercise there:
- sysmon is installed, *.xml file changed, saved AND updated
- cmd (admin) starting silketw just as described on page (parameters/options)
- PS running seatbelt tokenprivileges
- cmd (admin) terminating silketw.
- etw.json file timestamps match event viewer timestamps on imageload events BUT I don't get any method names in the file.
Checked once, twice for potential misconfig on my side...
So here I stand, baffled, requesting assistance 😛
Module: Web Attacks
Skill Assessment
Need a little hint. I've been able to locate the admin user and its uid. but when I try to update the password I get no luck. with a POST request I get 'Access Denied' even tried GET, but then I get invalid token
Any one give me 2000 coin
nvm, must have mixed up the tokens
Module : modern web exploitation ,, second order LFI ,, changed the names multiple time using different bypassing techniques but didn't work anyone might help
Hey everyone. Could somebody give me hint on:
https://academy.hackthebox.com/module/112/section/1078
I got the SSH, set chmod to 600, but still can't connect to FTP using:
ssh ceil@10.129.131.161 -p 21 -i id_rsa
neither port 2121
my bad, I think I got it
using sftp solved the problem, might help somebody someday 🙂
The issue I've encountered was forgetting to replace "include" with "exclude" in the sysmon config file 😅
Hello everyone,
I've just finished the "AD Enumeration & Attacks - Skills Assessment Part 1" lab.
However, I'd like to discuss another way of doing it.
I used CME via proxychains for the last question:
proxychains crackmapexec smb 172.16.6.3 -u 'Administrator' -H XXXXXXXX -X "more C:\Users\Administrator\Desktop\flag.txt"
So I already dumped the Hash via secretdump :
proxychains impacket-secretsdump inlanefreight/XXXXX@172.16.6.3
My question will be: Is that possible to get the flag on the Admin's Desktop on the DC01 without using CME? Like I wanted to do it with a golden ticket but I didn't succeed.. Could someone tell me if that was possible?
(I had the SID of the MS01, the SID of DC01, the krbtgt hash of DC01, and the Domains admin SID of DC01... All was good to make a golden ticket.. but without success...)
you can use impacket-psexec for instance
Well, I created first the ticket via rubeus (Rubeus.exe golden /rc4:YYYYYY /domain:inlanefreight.local /sid:S-1-5-21-2270287766-1317258649-2146029398 /sids:S-1-5-21-2270287766-1317258649-2146029398-519 /user:hacker /ptt) and made a "ls \DC01.inlanefreight.local\c$" and that wasn't working. Do you know why?
DM me
Can you help me with this one?
You should be using the mutated list, but also are you sure that service is running
hey guys, did someone else have a problem in : "Exploiting Web Vulnerabilities in Thick-Client Applications"
compiling :
fatty-client-new.jar.src/htb/fatty/client/methods/Invoker.java
?
Can someone help me with the skills assessment of the NTLM relays module. I am stuck on Submit the password of the SQL user 'sqlftp'.
proxychains rdate -n 172.16.6.3
rdate: Not enough valid responses received in time
rdate: Unable to get a reasonable time estimate
proxychains ntpdate 172.16.6.3
ntpdig: no eligible servers
Any hints? Necessary for kerberos
the xsltproc tool is truly amazing
just discovered it while doing Nmap enumeration module in HTB academy
Hi everyone, any help regarding https://forum.hackthebox.com/t/whitebox-attacks-prototype-pollution/302688 is appreciated. Thanks in advance 
You cannot read the cookie.
But maybe you can find a way to get the admin to do what you want it to do
Ah okay, will try that. Thank you, much appreciated.
Hi all, trying to complete https://academy.hackthebox.com/module/211/section/2276 but my answer is not correct (Date expected in the format 20XX-0X-0X). I also checked that no whitespaces were sent in the answer, to exclude this possibility. Can someone help please? Edit: Now I found the solution but don't understand why this is correct.
I'm working on it too. This is really the worst part of the entire CPTS path. Such a shame until I came here, I thought everything was great. In short: It takes a lot of time, you don't learn anything from it, and you will never use it again
Can someone DM or assist me with the last question of DNS footprinting module? I have these from the zone transfer and dnsenum, but not sure where to go from here...I tried different sizes for the dnsenum command, but no go. Using this ||dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb|| Found things like|| vpn/ws1/wsus internal and mail1/app and ns.dev||, but kind of lost after this....can someone give a nudge please
Why do you want to bruteforce the inlanefreight.htb zone? It gives you all the data voluntarily via zone transfer
You only have to bruteforce zones that do not give you the data voluntarily, i.e. if no zone transfer is possible
That was indeed a hard one, i completed it using the modules bash script, not dnsenum. But, I think you're on the right track, try using this subdomains you've found in your command ||"xxx.inlanefreight.htb". (From the "things you found", I dont see the **exact** correct subdomain though)||
@acoustic owl ok
@pale wraith ...maybe i missed something, but let me try again...I have more found but didn't want to post all the findings in a screenshot here
I can DM what i found or post - I guess
feel free to 
Im dumb though, just finished this module
Does anyone have any hints for intro to assembly language skill assessment task 2? Here is my code
global _start
section .text
_start:
; push './flg.txt\x00'
xor sil,sil
push si
mov dil, 't'
push di ; push NULL string terminator
mov rdi, '/flag.tx'
push rdi
; open('rsp', 'O_RDONLY')
mov al, 2 ; open syscall number
mov rdi, rsp ; move pointer to filename
syscall
; read file
lea rsi, [rdi] ; pointer to opened file
mov rdi, rax ; set fd to rax from open syscall
xor al, al ; read syscall number
mov dl, 24 ; size to read
syscall
; write output
mov al, 1 ; write syscall
mov dil, 1 ; set fd to stdout
mov dl, 24 ; size to read
syscall
the file is called flg.txt without "a" so you can write it in one mov
you can also save the first xor sil sil by using a register that starts as 0 like r8
hello everyone , so im going for cpts and now im the Pivoting, Tunneling, and Port Forwarding module and im really stuck in the skill assessment . i already checked out the HTB forum but did not find anything so if anyone has completed that module and can give me a little hint , i would appreciate it . thanks
i dont know specifically where you are stuck, maybe providing more info would help, anyway i would recommend giving a chance to the ligolo-ng tool which does really help make pivoting easier
well the part that im stuck is , i already got the vfrank user and im already in his machine and there i see a range 172.16.10.0/23 and i find a host which is 172.16.10.5 but i can not rdp into it from frank even tho we are on the same network . i tried to double pivot and rdp into it using the user mlefays machine but can not do that too
but nobody seems to be talking about that ip address or that range at all in the htb forum . makes me feel like im in a rabbit hole .
I could use a nudge / rubber-duck on Password Attacks Lab - Hard
I've gotten to the point where I have two windows files in which I can dump with secretsdump.py. After doing so I'm given some hashes and trying to feed into hashcat using multiple password lists. Unfortunately the only hit I've gotten so far is Johanna, which I already have a password for.
hashcat -m 1000 users_to_crack.hash pw.list
So, am I just looking to find the right password list to use here, or am I off base with my thinking. Happy to jump in a DM, didn't want to post too many details to not spoil.
Ive tried:
password.list & mut_password.list (resources in module)
rockyou.txt
fasttrack.txt
10-million-password-list-top-1000000.txt
100k-most-used-passwords.txt
finished the MF
all I can say is GD...
I think there R million way 2 explain it and they did it in the top 100 of the hardest ...
I did that module a long ago so don't remember it very well but i dont think it's a rabbit hole. Did you try also winrm? I dont remember if RDP was the right way to get in or not
Take my words very carefully because i dont' remember it well. You can try an nmap scan to be sure of which service is open
the last question says : Submit the contents of C:\Flag.txt located on the Domain Controller.
the only thing open is rdp
Ok ok so rdp is the way in. Where are you trying to RDP? From the windows machine or from your attacking machine?
i have already done rdp into the use mlefay
Wait i've had a shard of memory
Maybe RDP isn't the way in
Look carefully around the file system
and also done rdp into the user vfrank
the last thing i have to do is rdp into the ip address 172.16.10.5 which i assume is the domain controller
ive been on it . i did not find anything . and if rdp is not the way , what do you think is ?
Can i DM you?
yes sure
Getting Start - Nibbles - Privilege Escalation, the python server wont kick on to be able to actually transfer linenum.sh file to target machine
just stuck
It appears to be on in the screenshot you sent.
You are using the wrong IP address. Check your address on pwnbox and update your command to match.
All good!
Sounds like you should check where that file is in relation to where you are running your web server.
can anyone give me a quick hint on the IDS/IPS evasion lab -Hard
i can't even find the service the client is talking about
bump ❤️
Correct.
trying to download snmpwalk, sudo apt install snmpwalk - unable to locate package snmpwalk
is there a different installation that I have to do? I tried looking it up, but couldn't find one for parrot
idk, I went to run || snmpwalk -v2c -c <ip> || as the module (Footprinting - SNMP) suggested, and it said snmpwalk not found
ah, I think that would be the problem thanks, I didn't know I had to install an snmp package as a whole
thanks
sure thing
nvm i got it
Sorry for the repost, this keeps getting buried:
I could use a nudge / rubber-duck on Password Attacks Lab - Hard
I've gotten to the point where I have two windows files in which I can dump with secretsdump.py. After doing so I'm given some hashes and trying to feed into hashcat using multiple password lists. Unfortunately the only hit I've gotten so far is Johanna, which I already have a password for.
hashcat -m 1000 users_to_crack.hash pw.list
So, am I just looking to find the right password list to use here, or am I off base with my thinking. Happy to jump in a DM, didn't want to post too many details to not spoil.
Ive tried:
password.list & mut_password.list (resources in module)
rockyou.txt
fasttrack.txt
10-million-password-list-top-1000000.txt
100k-most-used-passwords.txt
It should be in one of those you've tried
Really? I'll try to dump and re-crack, possibly copy pasted wrong multiple times I guess :\ Thanks!
I dont recall if there's a list you can find on that lab
So don't wanna send you down a rabbit hole
My notes dont mention it unfortunately, but there are definitely some of those labs where you need to track a password list ON the host itself.
Hello, I'm working on Network enumeration with NMAP on the Service Enumeration section.
The question asks me to enumerate all ports and their services. Which I do with:
sudo nmap -p- -sV [target ip]
Then it asks me to submit one of the service's flag as the answer. But I do not see any flags of the services. Can anyone give me a hint to move on?
It talks about using tcpdump but Im not sure how I would use it from my given result so far.
nc -nv ip port
I'm a dunce... I was expecting them to all show in the output and forgot about the --show flag 😦
"This has already been cracked"
is that output somewhere? Or in verbose mode maybe? There definitely wasn't any output like that in my logs
Usually if you run it again, but if you're running a whole list idk
Got it, this is something I'll remember for sure, first big blocker so far. Thanks again! ❤️
So this establishes a connection with Ncat, I would assume that I would see intercepted traffic but I do not. Will I have to run another nmap scan?
Literally just connect and wait
okay
Once I installed ncat it overrode netcat aliases
fair
Hello
I’m using ffuf and HTB say that I have to make the command -u http://admin.academy.htb:PORT
But what represent PORT
It’s the PORT Of the flag?
Whatever port the http service is running on if not 80
Ok Thx
And in sudo also?
Sudo sh -c ‘echo « Server_IP…..
I put the server ip of the flag
what
Can someone tell me how to connect to a shared smb drive on windows for the question
Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt.
I have david's hash
For PasstheHash section of password attacks
I am currently using Invoke-SMBExec on the windows machine
.\Invoke-SMBExec -Target 172.16.1.15 -Domain inlanefreight.htb -Username david -Hash c39f2beb3d2ec06a62cb887fb391dee0 -Command "cat david.txt"
Should I use impacket smbexec on my attack box to access the folder instead of the victim box tools?
smbexec is for using smb to gain a shell on the target, its not for accessing shares
you want smbclient
or if youre on windows you can just access the share with the UNC path
though I dont think you can pth that way
Quick question for those who already have access to the Academy... I want to have a few modules in SOC Analyst Path... I need to unlock by purchasing cubes, or if I subscribe (monthly) I already have access on it?
Monthly subs give you cubes to purchase content with, the only subs that unlock content without cubes are Student Monthly and Silver Annual
Tks 🙂
then any advice on what should I do to get the flag?
I prefer smbclient via linux personally
When do you recommend buying the vip to do recommended boxes?
I just finished nmap module
Should i wait until i finish the shells and payload module? Or what
tbh Id wait till you have more modules under your belt at least
The jump from early cpts basics to real ctf boxes can be quite large
Yea i agree, i will just try to finish all modules then or at least till i start AD module
I think i would’ve covered pretty much what needed for the boxes?
difficult to say cause most boxes are typically gunna pull a little bit from a wide array of topics that CPTS covers
if youve got no prior experience id wait as long as finishing thr priv esc modules first
I do not think I can access the DS01 machine from my attackbox I found a Invoke-SMBClient in the tools dir I guess I need to use that
you could always pivot 😉
but Invoke-smbclient sounds viable if it supports pth
I dunno how to pivot yet
fair
revisit the mimikatz part of that section
will look into that
I got some basic experience since i have pjpt under my belt but i’ll just take your advice and wait till finishing the privesc modules
still need help?
it is possibile that every 4minutes rdp service crash?
i am trying to finish some ad modules
So i am still stuck. I tried using mimikatz to access the DS01 machine
.\mimikatz.exe privilege::debug "sekurlsa::pth /user:david /NTLM:~c39f2beb3d2ec06a62cb887fb391dee0~ -Command 'cmd.exe' /Domain:DS01"
It still opens a terminal in MS01/david
even tho it shows Domain DS01
Yeah sometimes the whoami is dumb, but just try and get the answer from that point
You're literally that one step closer
Also if that's actually the NTLM of David: please edit it out
I dont feel like looking it up to check
I tried using dir \\DS01\david it returns cannot connect
I tried to use an rdp session and use the explorer gui but sadly I could not find it in the network drive
I tried using \\DS01\david in explorer and it was of no use. I thought to check the AD dashboard but it too only had MS01
I have low iq I had to use DC01 not DS01
question: any suggestions on what I should try next? Looking for tips as to potential avenues I might try for this lab.
Im currently doing the "Firewall and IDS/IPS Evasion - Hard Lab" and I'm not quite sure how to proceed. The objective is "Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer. "
Ive tried running
sudo nmap -sV -T 2 -p- <target>
That just turned up an open ssh port and an apache web server. While a vulnerability scan on port 23 showed it was vulnerable it also seems somewhat outside of the scope of the lesson to try brute forcing or exploiting it since the module is on nmap.
I figured maybe since the hint referenced a data intensive application maybe it might be a UDP application but
sudo nmap -sU -T 2 <target>
didnt turn up anything promising as far as I could tell
short of taking the time to run
sudo nmap -sU -T 2 -p- <target>
in the case there are some weird services on other ports, what should I try?
Reread DNS proxy section
roger that
ahh I see now thanks! giving that a try
Can someone help me on "Introduction To The Elastic Stack"? Im having some issues on solving the first question
I followed the instructions but didnt work
Module: Documentation & Reporting
I was not able to gather the same data as the "previous pentester" when using bloodhound-python.
I imported their data into my docker-compose instance of bloodhound gui
Am I supposed to be following along with the Sample report?
Am I supposed to be able to crack the sqldev user krb5tgs23 ticket?
or is this proof that the old findings have been somewhat remediated?
so now I do not get it ,I rechecked the hash .\mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /NTLM:hash /run:'cmd.exe' /Domain:DC01" exit I get this error ERROR kuhl_m_sekurlsa_pth ; CreateProcessWithLogonW (0x00000002)
Honestly my takeaway was the previous tester was a complete knob. You can get DA in sub 5 minutes of the lab with something the previous tester missed.
literally thats what im thinking
ive started to just rewrite the whole report.
fr
I dont think its intended way but personally id just scrap all the former testers notes and just redo everything from scratch
Module: Introduction To The Elastic Stack
I wasn't able to perform the Elastic search according to the question guidance
Any help is welcome
Was going to do this in hopes that it makes me look a little more organized and reasonable
Hi, I'm on the Network Enumeration with nmap module on the nmap scripting engine section. The question wants me to use NSE and its scripts to find the flag that one of the services contain and submit it as an answer.
I tried:
sudo nmap [ip target] -p- -sV --script vuln -A
Im not seeing the flag for the service. Can someone give me a hint at what I'm doing wrong? I have a feeling it may be because I'm searching all ports and got lost in the big output.
so that worked and I found the service but now im a little lost on getting the version. I tried running a version scan on that specific port, I tried connecting with ncat with port 53 as the source port, and I tried a banner grab. I was able to get what the service is but not what version it might be. Any suggestions?
nvm got the flag
hello i need help i am on footprinting module on skill assessment medium am logging in via rdp cant find the password mysql
don't forget to run as sudo so ncat can bind to 53
Can somebody givme me a hint regarding the Linux Buffer Overflow module? I am at the "find bad character section" and i'm pretty sure i found the correct 4 ones, but can't get the answer accepted 😦
that is precisely what I had forgotten
never mind... i missed an x and didn't see it xD
I was doing the 8th question in AD Enumeration & Attacks - Skills Assessment Part II and I found the flag.txt on the desktop but it says its incorrect, is it me or htb?
Make sure you have no spaces at the beginning and end. You may also need to reload the page once for the flag to be accepted
did all of that, not sure what it is
yo help me
where
try harder :))
am on the footprinting module skill ases medium
foot printing module was a pain yeh
u guys have done the module
oh my friends
So?
pliss
What will that accomplish for you?
give some answers just one
Then what?
then i can have good night sleep
Why?
You wouldn’t have accomplished anything yourself, nor would you have the knowledge
5 hour on one task can u believe
Then go back in the module, because clearly you don’t have the knowledge yet
You can ask here later
And ask a proper question, tell people what module and section, what you’re stuck on, what you’ve tried
👍🏼
I'm stuck at Hunting Evil with YARA (Linux Edition) on the YARA & SIGMA FOR SOC ANALYSTS module.
Study the following resource https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html to learn how WannaCry performs shadow volume deletion. Then, use yarascan when analyzing "/home/htb-student/MemoryDumps/compromised_system.raw" to identify the process responsible for deleting shadows. Enter the name of the process as your answer.
I don't know if the question is poorly written or i'm being dense but the technique used by the WannaCry ransomware for shadow deletion is the usage of both vssadmin and wmic to delete shadow copies. Yet the answer is not one of them. Strange thing is question asks for a single process.
Hi everyone, I'm working on the Pivoting, Tunneling, and Port Forwarding module. I have a question on Web Server Pivoting with Rpivot. I was able to connect to the Apache2 Ubuntu Default Page, but I can not find the flag. Any hint would be much appreciated!
is it normal my instance isn't connected to the internet?
Yes, most/all spawnable machines won't have internet connection
so that means I can't do most of the modules no? Or at least follow them
The pwnbox has internet connection. It's the one who has the Parrot OS.
The spawnable machines are the targets that you connect to, these don't have internet connections.
So, which one do you mean by instance?
this. the one where you can spawn to use the terminal and stuff
This is the pwnbox. How did you notice that it doesn't have an internet connection?
If it didn't you wouldn't be able to connect to it
when I use mozilla, it says "The connection has timed out"
What are you trying to access?
just google ig, to test the internet connection
but even when I run some commands on the terminal, some commands need internet connection, therefore they don't work
Check if any proxies are enabled, if this doesn't work try terminating the instance and starting it again
try accessing google directly
how do I do that if you don't mind me asking?
I can ping it, but I can't access it on mozilla?
Click on the foxy proxy icon on mozilla, and check if it's enabled
if you can ping google you have internet connection
terminate the instance and boot another one
i only have 1/1 instances tho, after booting this off I don't think I can get another one going
try contacting the academy support
i'll try restarting it
this fixed it, ahahah thanks
Hi guys, I think there’s a problem with one specific question in hack the box module MacOs fundamentals. The first question in the module say “what is the version of your Mac” but there is not instance or up that you can connect to.
iirc I had the same problem and there are only a few guesses possible if you take a look at the hint
from what I can remember there's almost nothing really unique to the module vs the linux module.
But there is nothing in the module that you can connect to a Mac like the windows module that u connect to a windows pc from Linux but in the Mac is different
Yeah. You're supposed to use your own mac for that module.
I got it 🤣🤣🤣🤣🤣 I jus look up for the version on Mac available and then start typing 😂🤣🤣🤣
You don't need it though. There's nothing really unique about macs (in the context of that module)
Thanks brother
That module is trash anyways
Recommends maccleaner which is at best invasive shovel ware that doesnt do anything. People pay me to get rid of it.
The module creator argued with me over it lul
Was going back and doing some Academy training. The Nibbles Foothold module with lab actually.
I was doing this earlier and using my normal lab VPN and it was working fine. But when I attempted to enter the user.txt flag from the actual app.hackthebox labs Nibbles the answer was wrong both with and without the HTB{} - so I am thinking maybe the user.txt is different in the actual academy module machine for Nibbles. Which I attempted to spawn and ping but I cannot seem to get any response now.
Are we supposed to be able to use our normal labs ovpn with academy modules or no? And if not, I could use some tips on why I seem to be unable to connect to the academy box. I made sure to sudo killall opvpn in between my VPN sessions.
https://academy.hackthebox.com/module/77/section/852
theyre different platforms and thus need different vpns
the box is cloned for the module but it is not the same as the original box.
Ok. Well I downloaded the academy VPN file and am using that now but still not getting any ping response
the same methods should work but the original box is gunna be integrated with the flag system
yes because you can only use academy with academy
right. I am using academy and spawning academy
weird... now its working 🤷♂️ all of a sudden
I liked it more than the intro to linux module, lol
It covers the basic unix stuff in a much better way than the intro to linux module.
Maybe. but telling a mac user to download and run maccleaner is like telling a windows user they should totally run Norton. Im not gunna be able to take them seriously after that.
is there any way to copy something from personal computer to the htb one in academy when popping out to fullscreen?
nvm figured out the clipboard
I'm new to this, I followed the instructions in the title, but I can't access the website indicated by target through my workstation, is there something wrong with what I'm doing or is it something else? I'm not sure if this is the right place to ask this question, but I haven't found anywhere else at the moment.
Problem Illustration
I’m not as familiar with HackTheBox as other platforms, but typically things like the Pwnbox environment won’t have external networking support, only local networking (same network you’d connect via the OpenVPN option).
You should be able to connect to this external IP on your local machine, it’s typically the 10.10.x.x style IPs you’ll need to OpenVPN or use Pwnbox to connect to
I think you make a very good point! So I tried accessing the destination address directly from my computer and it still failed. Did some troubleshooting (switching lines) and realized it was my "airport" that couldn't access the HTB instance address. Had a few crashes. Thank you very much for your help!
No problem at all!
http, not https
How do I read messages from SMTP?
I am trying to complete the Attacking Common Services Easy lab.
I have the password and username, but I can't find a way to read anything, even with telnet.
Do you mean POP3 and IMAP?
SMTP sends mails. There is no mailbox
Yeah, I realized that as I was enumerating further. I was able to get into mysql, but there's nothing interesting there at the moment.
I'll have to check back later.
does hack the box prepare u fr the cissp?
Hi guys, i'm stuck in the DNS Footprinting module at this question: What is the FQDN of the host where the last octet ends with "x.x.x.203"? Now I understand that if zone transfer are disable on the sub-domain you have to brute-force it to find more. I tried pretty much all wordlists from SecList but no luck this far (it's very long as well). Also I tried dnsenum on the sub-domains I already found, still nothing. I'm out of ideas at this point.
unfortunately i cant help you figure out why this is the wordlist to use. because i just did trial and error and also dumb luck. i also dont know if any other wordlist would work, maybe. but for me it starts with || fierce||
Ok cool i'll continue to try different wordlists beginning with yours
there should only be one. i just dont remember the full name
No worries, i was just wondering at this point if i was on the right path
Hey all, I have a question regarding the Documentation and Reporting module. Is it ok to paste a python3 script created during an engagement to help compromise the client organization in the penetration test report? Or should it be included separately like an attachment? what's the correct way to proceed here
Just my opinion here i never actually wrote any pen test report before but I think it's ok as long as you include it in a section that's for the more technical people (like sys admin, engineer). But again i could be wrong
Don't include it in the section for the high level people in the organization. For them keep it simple
for the report you submit, if it's a custom script, it should be in there as you can't submit any attachments as far as I know, just a pdf, can be in the full attack chain walkthrough, or if it's like super long and breaks the flow, as a separate Appendix with a more high-level overview of what it does otherwise
thanks guys @sick shale @hallow kiln
https://academy.hackthebox.com/module/176/section/1783 in this module's third question I can't get the right answer. I used IDs 4771, 4776 and 4625 and none of them have a result
should i put .html google console verification to my github repo??
Not related to an academy module, read #welcome on how to access more of the server and ask in a more appropriate place
can you help me my question
Haven't done this module so I couldn't tell ya
ok,thanks
For future reference if you include context to your question and not just a module link you're more likely to get a helpful answer
this is question "Connect to DC1 as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the TargetSid of the bonni user?"
yeah,you are right
but I used the question hint, and ID 4771 does not have anything about this question
It's probably telling you to look at that Event ID
You probably have to view more details
ok thanks my dear bro
4771 is kerberos failed auth
So yeah it'll have user info
It's similar to 4625 which is a failed logon attempt
4771 is specific to domain joined hosts and RDP
yeah I use a powershell script to find a password for bonni in this user description, then I use this to login dc, after that I use htb-student to login dc and view this log, but it's not there
I use this but this does not have TargetSID
You should have a username
This is from my limited knowledge of AD stuff
thanks
I literally just googled some stuff ¯_(ツ)_/¯
hi, are labs from skills assessment interconnected, meaning usernames, password, or other settings are viable between easy/medium/hard labs?
nice, I solved it haha, once again thanks my dear bro
I solved this
No
thank you
Unless specified. Each lab is its own independent Grey Box attack surface
Can someone help me with the Advanced Xss and CSRF exploitation module - skill assessment?
Through xss, csrf and enumeration, i find an api endpoint but it seems to require a parameter. In the vulnerability site, i cant find any info about this api (like how this api is called) so i have no idea about the valid param.
I tried fuzzing the params in the context of victim but not getting any interesting result. Does anyone know if i overlooked sth? Thanks in advance.
DM me
Finally got it thanks again 🙏
Can someone please help me I am stuck on the skills assessment of NTLM relays "Submit the password of the SQL user 'sqlftp'. " Can someone give me hints for this one
It helps if you tell us what you tried so it's not like we suggest something you already tried
I'd also suggest rereading the section
I tried a lot of the relay stuff and I got a password from FTP sql user on responder, but unfortunately it doesn't lead me anywhere
But the password is not the password they are asking for
Did you repeat the process with the new user and password? Are you sure there's no weird spaces at the end of your copy/paste
Read the first part of my statement
No worries :)
in the Documentation & Reporting module:
is the File Directory Listing finding ... still actually findable??
Quick Question I am currently trying to do Security Monitoring & Siem Fundamentals, and the first question asks me to navigate to the target ip, do I chuck the target into the internet navigator or do I need to do something else ?
do i need to install kibana
?
has anyone else had issues installing crackmapexec in parrot-htb 5.3? it can not find Python 3 lsassy neo4j or pypsrp
As far as I remember, all the required tools are in the C:\Tools directory on the respective machine in the module.
You can simply enter the specified URL and port in your browser.
not in the assessment 1 ...
BTW got that now going for the MS01 credentials...
But on the machines in the module itself. Are you a hacker? Then "steal" this software 😉
Just download it to your VM. That way you'll always have it ready when you need it.
all set, it just took the server 30min before being able to reach it tho, I was slightly impatient even tho i was warned about it
can someone pls give a hint to that sherlock meerkat lab question 4
what??
my problem was to transfer it to the target machine (got it now), now my new problem is the MS01 credentials...
BTW thanx
I must say I didn't find the logic there ....
did it but I don't C the logic ....
Hi there! I am really stuck at broken authentication on reset token section ! I will much appreciate help...
If you log in via xfreerdp, you can simply mount a drive as well
Hi! Im struggling in the Windows Privilege Escalation module, Pillage section. In the exercise 4 I dont find the password and it must be something really stupid. Any nudge?
@acoustic owl anything in your notes mate? hahah
nvm I am stupid
I'm stuck at Hunting Evil with YARA (Linux Edition) on the YARA & SIGMA FOR SOC ANALYSTS module.
Study the following resource https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html to learn how WannaCry performs shadow volume deletion. Then, use yarascan when analyzing "/home/htb-student/MemoryDumps/compromised_system.raw" to identify the process responsible for deleting shadows. Enter the name of the process as your answer.
I don't know if the question is poorly written or i'm being dense but the technique used by the WannaCry ransomware for shadow deletion is the usage of both vssadmin and wmic to delete shadow copies. Yet the answer is not one of them. Strange thing is question asks for a single process.
Any tips?
It's law, you find it when you ask
Hi, anyone knows if "service is hosted by a process", does it mean the service comes in the form of DLL and is loaded by the process. for example if i type "tasklist /svc | findstr "lsass.exe" it shows the lsass.exe and the associated service. are these services the DLL file loaded by lsass.exe?
not really a DLL, I dont recall the full explanation but basically when you launch a program, everything that's going on is a process - hence you get a PID [process ID] this shows any background services that use it
All the things after the PID are what that service is using in the background to run
I mean like svchost will load services from DLL file ? i am not sure my understanding is correct
A DLL is a dynamic Link Library file
You can call a service from a DLL
Think of services as a daemon like linux
just a background process with no user interface right?
They are individually usable, but can be used in conjunction with other things
Yep
windows service seems to be much more complex than the linux daemons though
Eh not as complex as you think
If you start trying to say they're specifically one thing and are wrong, you get confused
for footprinting Oracle TNS, odat install , someone has already had this error:
┌──(kali㉿kali)-[~]
└─$ sudo apt install oracle-instantclient-basic oracle-instantclient-devel oracle-instantclient-sqlplus -y
[sudo] password for kali:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package oracle-instantclient-basic
E: Unable to locate package oracle-instantclient-devel
E: Unable to locate package oracle-instantclient-sqlplus
what do you mean by specifcally one thing?
specifically *
You can just install odat
It's by itself its own package in kali
I meant you were trying to say it's a DLL when it's not
A DLL can point to it
But at the end of the day it's just another exe
If you have a windows host, go to task manager and click on the services tab