#modules
it might
Just use curl. Without the o
can you visit http://94.237.54.27:58867
no it times out
I'm doing it on my host, not on their pwnbox, not sure if that matters
you might need to buy some cubes for pwnbox to have full internet access then
or use your own vm/other device
Or get a Linux VM or wsl
Can you curl on windows?
i think curl is a thing on windows
ok I'll just do my own VM instead. I should be doing that anyway
will my vpn profile for labs work?
no
a vpn isn't needed for this
you'll be prompted to download the vpn profile for academy whenever it's needed
(you don't need to download every time)
oh ok
reason: it's a public IP: hence why ALL of us could do it
and tell you that it's you not giving htb money is why your pwnbox isn't connecting to internet
it's hyper limited to free users
yeah that makes sense
well it makes sense because the ip schema is public not private LOL
here's my result from powershell
that's from the page and not the /download.php yeah?
that's not the answer btw ¯_(ツ)_/¯
he cut it out
oh it wasn't obvious
I don't understand
the answer will be an HTB flag HTB{..}
I misunderstood
windows curl won't work
the webserver responds with "please use cURL"
i got it from my kali vm 🙂
worked perfectly
I didn't realize the IP they were giving for the target was public
sorry to prod on this again, but dnsenum looks like it doesn't go beyond the SOA you specify. that means the best workflow would be to use dig to find any possible zone transfers and then use the dnsenum tool to bruteforce hosts in each subdomain. Thought I'd comment, idk lol
Marcie, did you do the CPTS path? just a bit curious what you got going on/working on
not finished yet
been busy with life the universe and the theory of everything
haha fair, but that's what you're working on right? I see you help some people with offensive modules
shame there isn't a MarcieLee for CDSA haha, maybe payloadbunny
I haven't taken a crack at those modules yet
footprinting is quite a beefed up module. but i would imagine knowing the stuff on it could save your life ;c
thought about it but i wanna finish a before i start b
it's very much a teaching of the basics
good idea
attacking common services goes over ways to attack them and common paths to escalate
mssql was the one that fought my brain in one of the assessments LOL
it wasn't until i went back and looked at all the things from the section did I get it
does knowing mysql help for that module?

different methods and such
much like IMAP(s) and POP3(s)
¯_(ツ)_/¯
once i learned how to navigate via terminal it made the GUI version feel slow
Same, no reply yet
same
Hello, I need help with the same section but now with privilege escalation
|| I noticed that "www-data" can execute "php" with sudo but I don't know what to do ||
IDK what's wrong. I've used different VMs, different VPN keys, but I seem to always have issues with RDP shutting down for no reason
check what that means in the website https://gtfobins.github.io/gtfobins/
404 
you know what i mean
‘php’
But how do I execute these snippets with php in the CLI?
copy and paste 
Yeah, but how do I execute it? Some combination?
I copy and paste it, press enter and it Just jumps to another line without doing anything
Also I can't create files
strange
whoami
i already gave you a hint
It doesnt give a response
then you must have missed a closing quote
paste what you copied into a text editor to see if you missed it
do ctrl-c to cancel it
you'll likely have to drop back into the shell again
if you wanna be sure you can do the PHP stuff one line at a time, just don't forget the quotes
though if you wanna be sure a command is going
you can do python3 -c 'import pty;pty.spawn("/bin/bash")'
that is what I copy
So if anyone has trouble with using XSS-ing on this module, check to see if your personal/home router is blocking XSS. My router does block this. Pwnbox was used as a work around.
use this one https://gtfobins.github.io/gtfobins/php/#sudo
it worked, but why?
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
That's why!
no, what i mean is why php didnt respond before
Well I don't know what your prior shell was
Likely something got lost in translation when you attempted to upload your php webshell before
they were using this one
it's from the meterpreter shell on getting started knowledge check
||I wasn't meant to copy it after executing php?||
once you execute the php command once you're elevated
you can check if it works by well... doing whoami
the meterpreter isn't manipulating the webpage afaik
it's the RCE one
¯_(ツ)_/¯
I know, but it's RCE via PHP
Yeh
There's a lot of boxes and practice stuff around that involves PHP revshells
Or webshells, where you execute commands via the page itself or by the URL parameters
Rather than just getting a shell callback
but theoretically you could just have it run arbitrary code without a shell
Bingo dingo, which is why I mentioned webshells
(but you would do a test upload first, then do the callback)
test being the standard whoami stuff
once you're in the shell then you just work your way up
or around
technically speaking you could throw a second shell through meterpreter and netcat (which is silly)
The worst thing is that I was stuck there for 3 hours and I already knew what I had to do but it didn't work
thx people
yep, i guess so
@wooden igloo They would be out of their minds if they don't think that a community designed around getting around certain rules and gaming things wouldn't think about how to game a system so they can get the best price.
Depends on whether or not that is a detriment to them. On the counter, you are still gladly handing over money for a service that is expensive to operate and maintain, which means you are still overpaying on the service. I am positive they can do some math on an excel spreadsheet
Well, I'm sure that they've calculated that they're still making money on platinum subscriptions, so I'm not really disputing anything here. I'm simply letting the audience know that it would almost always be better for them to not get the annual plans, and thus HTB will not be making as much money.
Though maybe it's intentional and HTB wants users to stay on a monthly subscription over a yearly subscription, because lol cashflow
On the books, the monthly subscriptions will cause less fluctuations on a quarterly earnings reports. Likely they saw that annual subscriptions are more costly to have. I can't deny that as an user, we should stick with monthly subscriptions. The annual ones are less flexible and as you said slightly higher cost.
It's not clear to me why annual subscriptions would cost more - maybe the support provided is having some sort of effect.
It can be completely within their intentions to have multiple offerings for the illusion of choice, and that they know that it's a bad offering. But if they don't, then they should really rework their annual subscription plans.
Just so we are clear here, which htb site are we talking about? the labs or academy
Academy.
I don't compare academy, but most places try to incentivize annual plans. They advertise if you get the annual how much it is per month compared to the monthly plan.
I did the math here: #modules message
If it's not their intention to offer something so bad, the subscription plans do not make sense at all.
I remember some textbooks in the college/university where it is more expensive to buy the two semester access instead of buying the one semester twice.
At least they have an excuse when they have hundreds of different items on sale to keep track of.
Sometimes two of a smaller item can be cheaper than one of a larger item when the total size is the same or larger than the one larger item. Somehow. There's a reason for that too.
reason smidgon, the world is silly and most of it has no logic applied to it. chaos theory and all that
I'm sure there is, but it has to do with marketing and statistics, and having just finished that course it can be mind numbing to figure out
Well, like @wooden igloo said, you're assuming that everyone knows what they are doing.
so what you are saying is that getting gold annual is cheapest option out there
Only if you're getting the early bird price.
Early bird discount: Senior Web Penetration Tester path & cert!
The early bird discount is just them giving the cert and training for free though.
The early bird discount is 25% off gold annual.
You may not realize that the annual includes paying for the
- Direct access to the entire Bug Bounty Hunter job role path
- Direct access to the entire Penetration Tester job role path
- Direct access to the entire SOC Analyst job role path
The monthly plans don't include this, or at least don't mention including this in their cost
Have you used academy?
why are you even asking that? why would I be here for? to troll?
I mean we are online, lol
Yes, because you don't seem to understand that those job roles are made up of modules that you can purchase with the monthly plans.
The gold annual includes an exam voucher. am I wrong?
Yes, and you can purchase an exam voucher. I've factored that into the cost.
What does this mean in their benefits section then?
✅ Lab exercise guidance via Discord
✅ No waiting to unlock modules
✅ Pay less than buying through cubes
✅ Exam voucher switching (applies to unused exam vouchers)
Its not in the monthly?
That's my point. With the monthly plan, you aren't purchasing certs.
We know the exact cost of a cert for a consumer, and that is why I've deducted the price from my calculations.
how about the rest, aside from the exam voucher
People already get help when they post in this room, and many have said that there's no point in getting the additional help.
Thanks for clarifying, makes it a lot clearer now.
the third point is already covered by the fact that I'm using the monthly subscriptions as a comparison. It's baked into the idea.
#4 is only true in a very strict sense (it is indeed cheaper, but it's not worth it. Spending $1260 to save $53? Really?), or if you compare it to the base unsubscribed price of $5=50 cubes.
And the fifth point from my understanding is already the default when you purchase a cert. It's not really a selling point even if it wasn't.
well still saving some cash on the cubes
I would not be surprised if someone thought it was a great idea to not do the calculations and force the purchase of a cert (and calling it a bundle) when you get an annual subscription. "You know, I think giving our customers a 5-8% discount is too much. Let's give them a 4-5% discount instead." is what you get as a result.
So what you are saying is that the monthly subscription should offer less cubes.
Wait, If this is true:
- Direct access to the entire Bug Bounty Hunter job role path
- Direct access to the entire Penetration Tester job role path
- Direct access to the entire SOC Analyst job role path
Then they are offering the entire path pro bono, So in reality there are less modules to spend your cubes on
Why are you talking about this in modules? Move it to general etc?
idk, it's where @prisma spruce wanted to talk about it.
This is about the cost of academy subscription plans. The previous discussion was here and the mods seemed to be fine with it in the past.
But it's not module based, this is the room for discussing module related questions etc.
it’s related to academy modules is it not?
if you want to get pedantic then yes
No. I'm saying that they would need to offer an even better deal because they've already given customers the price of monthly plans long before the first annual plan was released. The basis of comparison is platinum monthly subscriptions, and the annual plans are simply not competitive.
@prisma spruce In your calculations, you take all modules into account in the cost of cubes. This annual plan offers all these modules without you spending cubes on them. So in reality there are less cubes needed to spend
Yes, and it's really funny because the early bird cost of gold annual is cheaper than the cost of every module on academy. You get back a bit over 3000 cubes, so you can get a platinum subscription to unlock all the tier iv modules.
That is factored into the calculations.
If you're starting out from scratch and you have done tier 0, you're spending $516 with the discount price instead of $884. Go get it if you can't get a student subscription. You can use your remaining cubes on three of the four tier iv courses (to make things perfectly clear, the cubes you get back are baked into the price you paid. That's the $219/$234 above). This is a great price.
hey guys, just wanna check if its possible to troubleshoot the laggy connection from the openvpn connection (on local kali vm) to the htb-academy labs
reach out to support
Need to speak to a person? Learn how to reach our support via HTB Labs.
yep i have reached out, and I was wondering if it was because the only available vpn server is EU and US, but I am based in SG
you're gonna have high ping, that's just how it is
i guess there is no way around this issue?
nope, you're connecting to servers halfway across the globe
Maybe a pwnbox will work better?
Your connection to the pwnbox will be slow but the pwnbox's connection to the htb servers will be minimal
can you explain why you did this calculation:
It's an infinite sum, (20% rebate = 1 cube is really worth 1.25 cubes), so divide the amount by 1.25.
where is the 20% rebate coming from and why is it 1.25 instead of 1.2
Plus this is inaccurate as you will get back cubes, after completing them.
```
12 tier I   - 600 cubes
35 tier II  - 3500 cubes
24 tier III - 12000 cubes
4 tier IV   - 4000 cubes
Total cost up to tier II/III/IV = 4100/16100/20100 cubes
```
It should be instead:
```
22 tier 0 modules - 220 cubes   + 220 cubes
12 tier I         - 600 cubes   + 120 cubes
35 tier II        - 3500 cubes  + 700 cubes
24 tier III       - 12000 cubes + 2400 cubes
4 tier IV         - 4000 cubes  + 800 cubes
Total cost up to tier II/III/IV = 3280/12880/16080 cubes
```
oh so that is where you got the adjusted sum from
my bad
I see it now
Yeah, The HTB team should really take your advice and reduce the 1260 price to a more reasonable one or offer something that the monthly do not have.
Cuz at the moment, you can keep the cubes from doing the platinum monthly and spend them on the modules whenever you are comfortable. It's just a better deal than the annual, where to save money you have to literally do all the tier 0-3 modules in one year's time.
It's actually pretty funny because it takes 13 months to have all the tier iii and below modules unlocked, which is a bit over a year
if you see that it's slightly over 12, you can tell yourself "wait, the numbers are that close and I don't have to stress myself out, and I'm only losing out on $53?"
can someone check I am not losing my mind please? https://academy.hackthebox.com/module/33/section/217 spin up one of the instances here, it's super quick and just see if any of the provided examples work on the page?
I cannot seem to get anything union based to work
I'm not sure if it's me or there is an actual issue
order by clauses work but union don't....
Plus once you unlock all the modules with cubes, you can cancel the monthly sub and keep all the open modules without worry!
okay so this interesting, works via pwnbox but not my vm, so strange, just continually spins as if the request is pending
so that's the mystery solved of that
not proxying my traffic and vpn seems fine
I seem to always have strange problems with the openvpn connection. Sometimes I am connected to the vpn but any connection outside of the htb network(like to the internet) is not working. Other times the vpn says connected but I cant ping the htb machine, but have internet working
i think i broke it
i used to save a temp string that was in fact that string that was "accepted"
Strange, it's always really stable for me. However this is the first instance where I have encountered a problem and it's via a simple web request.
Like you would expect there to be errors in complex pivoting scenarios etc but here we are with a simple post & get request and it's shitting the bed
I've never had problems with the vpn, probably reset the connection and the target and try again
also this target is a docker container in a public ip, the traffic is not even routed though the vpn, it's not a vpn issue for sure
I didn't even realise, I just do everything in a vm and start the vpn on launch
thanks, the troubleshooting continues
might be my implemented ovpn install or linux machine doing odd stuff. I do have this all on a parrot VM
Okay, so the plot thickens. I now run this from my base OS and have the same issue however not in the pwnbox
yep resetting the network connection and vpn connection(as they are separate) to get it to work.
so it's not the vpn connection
its something that is happening locally on my machine
I can live with this using the pwnbox for the moment but have to figure this out before the exam
maybe, internet is a trust that everything from physical connection to software to work
htb is a course at your college?

hello can someone help me with my mistake
```
dig ANY inlanefreight.htb @10.129.78.249
ParserError:
Line |
   1 | dig ANY inlanefreight.htb @10.129.78.249
     |                           ~
     | Missing property name after reference operator.
```
whenever I put @IP_address I got this error ^
Hello, i have an issue with module/112/section/1245 this is the IPMI section, I got the password hash for the user, but my hashcat could not find the password based on the settings in the module: hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u The hash I had put in my ipmi file is 53159....:df3...Or is there a specific wordlist we should use ?
Ask yourself do you actually need to execute this type of password cracking attack
hello it's normal upload don't work ? https://academy.hackthebox.com/module/77/section/859
what do you mean
hi guys. I'm at the cracking passwords with hashcat module. I installed hashcat in my VM but whenever I do any kind of cracking, I get errors. I think I'm missing some settings. Please help. Thanks 😊
First two screenshots actually look ok
Third shows a crash on illegal instructions
This is a runtime issue
i want to upload my payload but his click is not
How should i address the issue ?
Run hashcat anywhere else
Not in a VM hopefully
forgot to mention, i tried in pwnbox, it worked.
In general, using a VM for hashcat is a bad idea, but it can work
You just need to ensure you have a good runtime installed for whatever hardware is exposed, which in a VM will only be your cpu
POCL can be hit or miss, the Intel OneAPI OpenCL runtime has been more consistent for us
But running on your host is always preferable because it gives hashcat access to your GPU
Which will usually make a big difference
pwnbox also only has 4 vcores allocated, you're not gonna get much speed out of them
hey there guys,
eth.addr == XX:XX:XX:XX:XX:XX && arp.opcode ==1
this should be giving me ARP request count for specified MAC Addr on wireshark yes? Am I doing smth wrong here?
You rock 😉 thanks
Easy question: on Nessus Skill Assessment, the text says "Navigate to the web interface at the end of this section and log in with the provided credentials." but I cannot find the web interface at the end of the section. If it refers to the generated target IP address, when I use it, it does not seem to have a running HTTP service. Furthermore, for "web interface", it means the web interface of Nessus?
so i searched for a little bit, i think using a vm is not effective, is it? i've been using it since i started learning hacking.
VMs cause problems for hashcat because they don’t usually allow proper communication with certain devices like GPUs
Well, really ANY communication with those devices
And we need low level access to the GPU runtime/driver since we invoke runtime specific compilers to JIT compile our kernels
INTERMEDIATE NETWORK TRAFFIC ANALYSIS
ARP Spoofing & Abnormality Detection
can't get the right answer for how many ARP requests the reference MAC address makes.
my filtering on wireshark is correct I think:
eth.addr == XX:XX:XX:XX:XX:XX && arp.opcode ==1
any insights?
then should I just abandon using a VM and install it on my host? I'm on the CPTS path, using a VM has been very comfy for me, but I'm willing to make the transition. Thanks for your patience.
you don't need to abandon vm entirely, just run hashcat on your host
^^
thank you.
Just run hashcat on your host, everything else is fine in a vm
can someone explain to me why I've got this error?
so this is interesting. It's happening at the network level. Tried another instance on another computer and same issue. However order by clauses work just not union clauses. So my firewall is doing something weird. Both computers have different OS's too, & also tried on a 3rd party VPN
you're in a meterpreter shell, not a standard shell, you can open one by just typing shell
can't say I've seen anything like this, are you able to send standard sql queries?
shiit omg thx
ok, installed hashcat and run it. I got this. missing some configuration i guess.
nvidia gpu?
yes, msi pulse
install cuda toolkit
Yeah, the toolkit will clear that warning, though it should still be working with the primary driver
Do we agree that I must create a reverse shell with an extension php and not in sh?
Yeah, I am, that's the funny thing. I am going to check firewall rules etc. I haven't configured anything crazy and I run debian for one computer & arch for another and have very simple UFW rules so it's really strange that these requests are dropping.
If that fails to shed some light it's packet capture time
gtfobins php
let's go, it's good, I flagged it
guys could you plz spare some time? n00b alert here..
haven't done that module mate, sorry
❤️
guyyys i need help with a hashcat task for school could someone help me out a lil bit?
just ask your question and say what you have tried already etc, provide as much info as possible
oh okay okay then. the task is to do a rule based attack on a sha2-256 hash. password is in the rockyou.txt. User writes the word EITHER with a small OR capital initial letter (initial letter = letter at position 0 of the word. For other characters this should be ignored)
User replaces in the word EITHER every e with a 3 OR every i with a 1 (note: only small e or i!)
User replaces every t in the word with a / OR s with a $ (note: only small t or s!)
User appends a digit between 0 and 9 to the end of the word (even if the word already ends with a digit).
first hash the teacher gave us was this: f894f194cec07991acc7a39b22527618dc21f0a903b7fd958cba6016c1d4fea7
so just to double check, if the password is in rockyou then the rest can be ignored?
or are they saying it is in rockyou but with these variations then applied?
i mean the cracked password is in rockyou and you are just brute forcing the hash for it
what?
idk man thats how the task is 😭
hashcat -a 0 -m 1400 f894f194cec07991acc7a39b22527618dc21f0a903b7fd958cba6016c1d4fea7 Desktop/Exploits_PasswordCracking/rockyou.txt -r Desktop/regelnPass.rule
the command seems to be right but i am struggling with creating the rule itself!
I can't really tell what the question is my dude, sorry. If they are saying it's in rockyou then you can just run the hash against rockyou. But if the password is a variation of a password in rockyou that contains the keyword EITHER it's a different thing entirely.
i am sorry man i dont know either sadly tho 😭
write a custom rule for it
it just says that the original word is in rockyou
yess I did! but I am doing something wrong
if it's sha256 and you have a decent gpu, I'd first just try onerule and see if I get lucky
my rules so far are:
c
l
se3 si1 st/ ss$
then for the number at the end idk if u can just say $0-9 or something like that
so i just did it like this: $0
$1
...
i suppose the task is to modify the rockyou word with the rules and try and crack it with the rule based attack
cuz the rockyou.txt is all with lowercase letters
mm I'm not too familiar with writing rules either, but yes if the rule is right that should be all you need
status is exhausted
everything worked but like theres no password 😔
i mean the command is for sure right
basically task is to just write the command down. cracking the hash is just for u to see if u did the rules right
hey there guys anyone with wireshark filtering knowledge? need some help with it plz PM
What assignment is this?
I ask because you are the second person I’ve helped with exactly this problem haha
it is to try things out with exploits and stuff
on the schools virtual system
he gives us an insight of how a hacker gets their way in
Is it for a university class?
yes yes
so far it went well with trying out the brute force attack and the straight one
Ahh, where at? I’m used to getting questions every year from a few classes/professors’ students
the command and stuff i know too and did research to how to do a rule based one
germany
LMAO
exactly
Well, easy enough to fix
ACTUALLY?
Yeah, you have the same issue someone else had who asked me this already
you're lucky that an actual hashcat dev is here to help lmao
i suppose i am doing something wrong with the rules urrghh
WHAT
Yes
THATS COOL
It’s the rules
AHAH
Same exact issue as the other guy, it’s actually really interesting
I think it’s a problem with the way your assignment is worded vs how the rule engine works
okay okay i mean the EITHER OR is confusing
Right
cuz for me I would have just listed all the rules down
Exactly
So here’s the issue, rules are formed from discrete “rule operations”
You’ve defined the different rule operations you think you will need
But you’ve not formed them into rules
Rules are read left to right, one rule per line
So a rule that needs to toggle the case of the first character AND swap e to 3 AND swap s to $ would look like “T0 se3 ss$”
3 operations, one line, one complete rule
okay okkay okay
For your case, you have several operations to do, and you know that some can be one operation OR the other
So you need to define all the possible rules that can make
so it's more than just 5 rules
okay i gotta try out then
T0 se3 ss$ $1 would be one rule, then T0 se3 ss$ $2 would be the next one, and so on
another question is by what factor the number of guess attempts in hashcat increases compared to the standard variant. that's why I wanted to crack the hash, to see the differences
Not exactly sure what you mean there honestly
T0 se3 $1 could be another rule
right? and also do I need to add the T0 in the rules orrr
well a task before that
First character is toggled, 2 replacements, and a number append
was to brute force a hash with a wordlist
Ah ok
nothing more nothing less
that was a task i did well i am just struggling with the rules rn
Yeah someone else in your class got to the same part and asked the same question
and the rockyou.txt its all lower letters no particular rules right so the amount of guesses would increase by a lot
RLY?
LMFAOOOO
Yeah I already helped someone on this exact problem which is why I was curious what school
Rules increase the amount of work as you might expect
(Words in wordlist) * (rules)
But that doesn’t mean it will take longer or be slower just because there’s more to do
It will usually be much faster actually
Having issues copy/pasting from HTB to pwnbox, running Firefox, any knowledge of what stops that from going through?
Because we can better take advantage of the parallel capabilities of the GPU with rules than we can without them
true true, but the question is by what amount does it increase
It’s multiplied
so the factor is in this case multiplied by the rules
For each word in the wordlist, it will try it with each rule
Yeah
You will, unfortunately, have to write out all 40 rules
Since se3 and si1 are OR rules, they can’t be in the same rule
You would need to make rules like “T0 se3 ss$ $1” and “T0 si1 ss$ $1”
okay okay
Your problem says OR when defining the rules
Right, you will ALSO need to have rules like “T0 se3 st/ $1” and so on
Right, each line in the file contains 1 complete rule
when getting into pwnbox do you get a browser popup about allowing cp ?
So because you have [toggle case][se3 OR si1][ss$ OR st/][append number] you need to define all the possible rules that that can create
T0 is a rule operation
It means toggle the case of the character in spot 0
aaaaaaaaaahh
OKAY
i will try then but sadly later since i have to go to work before
Ok
but I can just write down the rules at work and then copy them at home
hey I appreciate the help a lot man
thank u so much :D
Yup 🙂
wasnt there a rule
The user writes the word EITHER with a small OR capital initial letter (initial letter = letter at position 0 of the word. For other characters this should be ignored)
Right, that’s what T0 is for
ohhhh okay
It toggles the case of the initial char
ahhhhh
so TO is in every line
if it matches then boom
if not then ignored i seeeee
The wording of the problem is to give you exact rule operations to use
Also it’s T0 not TO
0 being an index number
Yup
🙂
No luck, just checked the clock and it’s far into what should have been “tomorrow” will get back to you in 3-4 hours
Hm, ok let's check on the process.
You are on the main module page,
You initiate the pwnbox
then hit on the Target Machine IP Address (below the pwnbox window)
AFTER you click and get the target IP address, if you then try to work on the pwnbox
the browser should be popping you up giving a
"Allow copy paste " dialog box.
If you click OK on this you're good to go
hi need some help in password attacks-medium module
[ERROR] does not support SMBv1
I am encountering this error when I try to brute force smb here. I tried to attack ssh but it was a waste of time. only 2 of them were running when I scanned. need some help please
smb version is 4.6.2 I tried finding some metasploit script but no results
Not sure if I'll get an answer, but module says getaddrinfo (performs resolution from node name to IP) return zero indicating success...
Then it goes on to say if successful, display sandbox detected, if not continue... does successful mean the function returned 0? and why would that indicate there's a sandbox?
i got it thanks 🥳. is there anything more configuration i should do?
Hmmm you’ve got the Microsoft runtime extension which can be problematic
May not be a bad idea to run with -d1 added
Also CUDA toolkit seems not to be registered properly but that’s not a huge deal
Hi guys I need some help with module Broken Authentication, section Predictable Reset Token Q1. I have no idea what's the problem, here's the code:
||
```python
from hashlib import md5
from time import time

now = int(time() * 1000)   # current time in milliseconds
start_time = now - 120     # window start: 120 units earlier (note: now is in ms)
file_path = "md5_tokens.txt"
with open(file_path, "w") as file:
    for x in range(start_time, now + 1):
        # Get token md5: md5("htbadmin" + timestamp)
        total_str = "htbadmin" + str(x)
        md5_token = md5(total_str.encode()).hexdigest()
        file.write(md5_token + "\n")
print(f"MD5 tokens written to {file_path}")
```
||
Any idea why there are still instructions in some course modules to install python2.7 when it will not install in current versions of Parrot OS?
https://academy.hackthebox.com/module/147/section/1639
For the initial access via rdp using the credentials provided
xfreerdp /v:10.129.201.180 /u:Administrator /p:AnotherC0mpl3xP4$$
The credentials don't seem to be working
[13:18:47:213] [2569:2570] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
Put them in single quotes
ok, noted. Thanks a lot for your help. 🫡🫡🫡
How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
linux fundamentals
can anyone give me a hint
no :) look at the commands provided by the section
it's a section on filtering contents, I don't know where to look for the services
i read it all lol
click the cheatsheet
and browse those commands
note: those commands were all given to you earlier in the module
if you need help understanding the command: there's the man [command] that will usually give you a help manual (if the creator made one) or sometimes [command] -h or [command] --help
my terminal keeps freezing
one second
im so confused
nothing in the cheat sheet mentions services or listening
and the network ones dont look right
Did you try them?
It’s a tool mentioned in the sections
It’s very simple
cross-post for the SQLMAP module https://discordapp.com/channels/473760315293696010/958071178713514045/1186326496999133245
Hey guys, still stuck on the last question of the "Pass the Ticket (PtT) from Linux". I have a root shell and found the keytab file, but i keep getting the error "kinit: Keytab contains no suitable keys for LINUX01INLANEFREIGHT.HTB@INLANEFREIGHT.HTB while getting initial credentials".
I'm running the command: kinit LINUX01$@INLANEFREIGHT.HTB -k -t /etc/krb5.keytab
What am I missing?
there's a ccache file that would be better (and it's not in /etc/)
hint: check the section again - there might be a tool as well to help you find it
(i found it by manually looking around, spent about 15 more minutes than needed)
if you want to find it manually: look for the daemon that runs the realm
OK thanks for the hints, i will try that later 🙂
Hi, I just did the lab on the Passwd, Shadow & Opasswd of the Password Attacks Module. In the last step we needed to crack the root password and I got stuck in that. I've read on HTB forums that using the provided password and rule file from the module will crack it, but why does it help?
I assume that usually, when cracking passwords in HTB boxes/ the CPTS exam I'll use the rockyou wordlist, and not a custom crafted password list and rule.
hi. I tried hashcat on my host machine, also installed cuda toolkit and simple cracking worked fine. But when I do mask attack, I get this. I tried -d 3, returning status:aborted. but sometimes returned status:exhausted. Others like -d 1 and -d 2 returned status:exhausted. The command I used was .\hashcat -a 7 -m 100 .\hash.txt -1 01 '?d?s' "D:\Softwares\wordlists\rockyou.txt" -d 3 How should I solve this? Thanks.
what module does this relate to?
in the password attacks module you will generally use the mutated_wordlist you created early on for any password cracking
and sometimes in engagements you will need to craft a password list: and since most everything from the path is on the exam i wouldn't rule it out
Okay, thanks! but I guess that on the exam I'd have to perform enumeration and maybe use OSINT to craft such a pass/user list.
there's no real OSINT for the exam everything you find will be internal
about what?
I would try resetting the machine
the rules i wrote
tried 3 times
your attack is working how you wrote it, which is the problem
basically i separated all single ones first like T0 se3 $num
I will try once again resetting the pwnbox and victim
T0 si1 $num
t0 ss$ $num
t0 st/ $num
be aware, the rules per your assignment is for [toggle case][replace OR replace][replace OR replace]{append number], so as far as i know only 4 op rules make sense, not 3 op rules
and then 2 like
t0 se3 ss$ $num
t0 se3 st/ $num
t0 si1 ss$ $num
t0 si1 st/ $num
I have not even started
yes yes but i included the separate ones too
cuz it can happen that for example e or i isnt in the password but only like a 't'
for those cases
you dont need to
ohhhhhh okay i see
rules will no-op safely
but it looks perhaps better ykyk
so if you specify se3 and there's no e, nothing happens
you should have 40 total rules when you are done, FYI
that is also very true but does it just skip it?
rules are operated on left to right, and rules that no-op just continue the loop
so T0 se3 st/ $4 will work even if the first character isnt toggleable, there's no e, and there's no t
it will simply append 4
Which module is this? I had a similar situation and it was related to firewall blocking my connection. Firewall from the box itself. It was part of an exercise.
Password attacks Lab - Hard, module password attacks
yes!
Then it's not related. I'm in the prerequisite modules.
Is there someone with sufficient javascript knowledge that i can ping for a quick question?
okay so u say T0 se3 $4 would be useless?
shoot
so u rly just need those for operators each 9 times since u wanna get the numbers
so basically 36 rules
10 times
0 - 9 is 10 different numbers 🙂
Have you tried changing the server you’re connected to? Maybe use TCP connection or UDP…
MODULE: AD Enumeration & Attacks - Skills Assessment Part II
QUESTION: (7) Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
ISSUE: I get this error message. What is wrong with this? Can someone help?
anyone help with why i am getting this error? i tried running powerview and sharpview but nothing on having the command run through ok...
PS C:\> Get-NetUser -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"
The term 'Get-NetUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Get-NetUser -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Manageme ...
+ CategoryInfo : ObjectNotFound: (Get-NetUser:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
This is for AD enumeration and privilege access section
can anyone assist on why nothing in PS is working for this section? i did importing commands, too
sure
Hi, I need some direction here .. I'm on the Skill Assessment - Website of Login Brute Forcing (2nd Question: Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?)
This is the command I've been using (with the wordlists of the cheatsheet also)
|| hydra -l user -P /opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt -f 94.237.60.78 -s 30908 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='log-in'" ||
The rockyou file just times out (the pwnbox) due to not finding anything. What am I doing wrong here?
Some questions from me: Just to confirm some things:
- || form name has to be log-in right? With the dash in between? ||
- || the URI should be /admin_login.php right? ||
Feel free to reply here or in a DM if it would contain too many spoilers
EDIT: Found it 😛 || I messed up the parameters of the form ||
The Hint is: || You may reuse the username you found earlier. || and in the first question || the found username is user ||
All good, I just found it! ... I knew when I was gonna post the question, I would jinx it 😄
Ok got it, linikatz is powerful, thanks for the hint 🙂
Can someone give me a hand with the privilege access section for ad enumeration module? I am wondering why powershell is not working at all...using this Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users" for example - it says Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"
Get-NetLocalGroupMember : The term 'Get-NetLocalGroupMember' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again.
At line:1 char:1
+ Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Rem ...
+ CategoryInfo : ObjectNotFound: (Get-NetLocalGroupMember:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Footprinting hard assessment found the ||snmpv3 that's open|| but I'm having a hard time enumerating it.. the module doesn't mention anything about that version... Do I have to install another tool?
it's not actually v3
nmap is wrong
use the regular tools
Module: Introduction to NoSQL Injection
Section: Skills Assessment II
I'm a little muddled on next steps, and I'm wondering if it's perhaps due to my payload formatting.
- I've enumerated a valid username.
- I've identified a password reset functionality requiring a token I don't know the value to.
- URL-encoded payloads (e.g. param[$regex]) are throwing 500 error codes about missing parameters.
Could anyone help with a nudge?
is that intentional?
just nmap things
ah ok gotcha thanks, that gave me what I needed
although I do have what is probably a dumb question... in this case I felt as though I had tried everything so I looked at the forum and found that I had to enumerate ||snmp|| which I hadn't thought to do... if there's ever ||imap or pop3|| is it common to enumerate ||snmp|| or is that a case-by-case basis
just got into HTB wondering if someone can help me with a box
tried to google but it just gave me walkthroughs
the hint is given in the info brief
oh sorry
Can someone give me a hand with the privilege access module of ad enumeration - i keep getting this - and not sure why it won't work -
you need to import it instead of just calling it
hello y'all, anyone who is willing to give me a hand with IIS-ShortName-Scanner 'cause I'm having this issue:
$ java -jar /opt/IIS-ShortName-Scanner/release/iis_shortname_scanner.jar 0 5 http://10.129.82.253/ Error: config file was not found: config.xml An error has occurred: null
any hint to listing a whole emails contents for imaps? I tried ||1 fetch 1 (BODY[HEADER.FIELDS (Subject)]) and variations of this|| but it didn't give me what I needed
well that's because it's only reading the subject field... just do body[]
it'll grab it all
thanks 'ppreciate it
fetch 1 uid(body[])
try
don't need uid
since it's only 1 email anyway
yes, that is the question
INTRODUCTION TO C# --> Declare a byte variable aByte and assign it the maximum value that a byte can hold.
My code ||
#include <iostream>
#include <limits>

int main() {
    // largest value an unsigned 8-bit byte can hold (255)
    unsigned char aByte = std::numeric_limits<unsigned char>::max();
    // cast to int so the value prints as a number, not as a character
    std::cout << "The maximum value of a byte is: " << static_cast<int>(aByte) << std::endl;
    return 0;
}
||
Output is 255 but that is not the correct answer. What am I doing wrong?
for privilege access all i am finding for remote users is|| forend|| - any advice or how to tweak the PS query to find other users maybe?
Try use python -m http.server to send files from VM to Citrix….
yeah, get isn't a command, wget is
huh... good to know
for some protocols like ftp and file transfer stuff get is a command
any idea what i should do here?
Do dir to make sure it's titled Backup and not backup
hey guys. In this module it states the following...
"For example, the above script showed us the Linux version to be 3.9.0-73-generic. If we Google exploits for this version or use searchsploit, we would find a CVE-2016-5195, otherwise known as DirtyCow."
When I google things like "3.9.0-73-generic exploit" or "linux kernel 3.9 cve" or any other variation like this, I cannot get any site which states CVE-2016-5195 to come up. What's the trick to find good exploits when googling, or even a full list?
could try using exploitdb
Marcie, I gained access to the ssh, and I have done literally everything... am I missing something? I've ||checked /etc/passwd for the user, nothing, went through both the available users that I was allowed to access, and nothing...|| I couldn't gain access to root. Do I have to have root priv's to find the answer?
it comes up in exploitdb but only because it matches a keyword in the range
"Linux Kernel 2.6.22 < 3.9"
I used 3.9 in my keywords.
But what if I was looking for an exploit for version 3.8. It won't return this cve because the keyword doesn't match. (Even though it's in the range)
Is there another way you can transfer the file?
its smb and i only have the creds to the account
Can you rdp to it?
And yes I can see it’s smb..
I can rdp to another user I will try mounting it there
Sounds good
Hi guys anyone have any hints for the Working with Web Services module, specifically the question regarding a web server using a php command, thought I had it with php -S localhost:8080
can someone help me figure out how to or the command to use to find what user has access to the host ||ACADEMY-EA-DC01|| for the section privilege access / ad enumeration module? I have tried a few methods but nothing works. Like - $hostname = ||"ACADEMY-EA-DC01||"; Get-WmiObject -Class Win32_ComputerSystem -ComputerName $hostname | ForEach-Object { Get-WmiObject -Class Win32_ComputerSystem -ComputerName $_.Name -Credential (Get-Credential) | Select-Object UserName
I hate life... go looking through every damn ssh directory of 3 users to think ||why don't I try just logging in as root without a pass|| only for that to work
If you know the flag's format you can try running grep -rnw . -e firstfewchars
so I copied the file to the rdp user desktop folder. Can I create a smb drive for this so I copy it?
If you're using xfreerdp you can add /drive:linux,/tmp/ to mount the tmp directory to it
You can mount with xfreerdp
There's links to resources on how to mount the vhd once you crack it
Can you please share the link. I could not find it.
Do I need to create a smb drive or I can connect to the desktop folder directly through xfreerdp
It would have been in the sql database then.
Still stuck at same problem without feedback; would welcome assistance on the NoSQL problem if anyone has any help to provide.
Granted I haven't done the module, but I would be looking for either a way to bypass the token check, or trying to leak a generated token
and then use that to issue a password reset to log in
also you said url params, are you able to issue the requests as a post request? I find NoSQL stuff easier to mess with as post requests for some reason. Could just be a personal psychological reason though, not sure if there's a technical reason behind it.
You can do it with xfreerdp literally just add the /drive: part I mentioned in your command
oh also usually with NoSQL if you've gotten an error 500 that means you've successfully messed with the backend, your syntax/formatting for your payload is just bad
with me now having the footprinting module done, is there any retired machines that would be similar to module lab content without being too extraordinarily difficult?
Footprinting covers a wide range
Honestly? I'd just wait till after you've done the course minus the final module before doing any boxes
Most boxes cover 1-2 protocols
most boxes that are doable are gunna tap into a wide variety of possible subjects that will be spread throughout the course
Ok, cool thanks! I didn't know if there were any retired boxes, that would allow me to keep refining what I've learned through footprinting, but I'll keep going for a little bit before attempting any
Attacking common services taps more into how to effectively attack a service
Ok, cool thanks
there technically is, I just dont actually recommend it
Noted
cause you'll likely just end up doing the little bit you know and then get hard stuck on the box making little progress
assuming you don't have prior experience before CPTS
<@&861185840277487616>
Need help for introduction to Malware Analysis, skills assessment:
After which function in x64dbg should a breakpoint be placed to unveil the decrypted content of the .tmp file? Answer format: C__________t
I got the right answer, I'm just struggling for the past few minutes to make the decryption actually work and find out what the decrypted text is
I'm giving up for now, but if anyone ever got this to work, please let me know
ty
Skills Assessment - Using Web Proxies . Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload).I think I did well but it says it's not correct, I'm stuck. Can anyone help without spoiling too much? Or DM me (if it's allowed)
Yeah, I ended up sorting it out.
What you said was what I was intuiting/trying; the trouble I was having was finding an appropriate vector that I could work with. That particular assessment is pretty tricky in obfuscating the vulnerability. I ended up relying on a third-party tool to help ID the vulnerable injection point (and class of NoSQL vulnerability, which ended up being the part of my problem).
Thanks.
np glad you sorted it out
Hey y'all! A question. I would like to give my report for a review (as part of the Documentation and Reporting module). To whom I can be a burden 😁 ?
solved by myself. I was doing the cookie part well with intruder, I made a silly mistake in the request body. Well, I take it as a lesson
Hello, at windows command line - Skills Assessment the second question the password don't work for the ssh
previous flag cannot be a password i think because of the space
I will try again
You dont necessarily need it
these things go here https://discord.com/channels/473760315293696010/858470491676737536
Hello
Is this the support page?
I've been fucked around HTB twice now to the point Ive authenticated my account yet I still cannot login due to Unauthenticated user
I've already had to create a new account I do not want to create it again
Please fix this bullshit
Can't even come back and tackle a box perhaps without fixing my account
this is not support
You can contact support via
Need to speak to a person? Learn how to reach our support via HTB Labs.
Still unsolved for me... but it's insane how different and shocking they make you go from challenging Malware analysis to jokingly easy obfuscation... still important to cover, but it's funny how different both modules are
Anyone able to help steer me in the right direction with this question please? Not entirely sure what to input as the answer.
Working with IDS/IPS > Skills Assessment - Snort
There is a file named wannamine.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to the Overpass-the-hash technique which involves Kerberos encryption type downgrading. Replace XX with the appropriate value in the last content keyword of the rule with sid XXXXXXX within the local.rules file so that an alert is triggered as your answer.
[19:35:25:950] [11583:11584] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[19:35:25:950] [11583:11584] [WARN][com.freerdp.crypto] - CN = WS001.eagle.local
[19:35:25:232] [11583:11584] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
[19:35:25:232] [11583:11584] [ERROR][com.freerdp.core.nla] - SPNEGO failed with NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D]
[19:35:25:232] [11583:11584] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_AUTHENTICATION_FAILED [0x00020009]
[19:35:25:232] [11583:11584] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[19:35:25:232] [11583:11584] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
try resetting machine
second time
check the rules file... in one of the content key word, there are 2 big XX so you gotta figure out what goes in that
I've already poked around there and tried a few things, also poked around the output of the alerts but just not sure what to put in the answer box.
have you poked around wireshark?
Im trying to figure out how to upload a file to a windows machine. wget wont work. I use the drive feature in rdp and it just keeps disconnecting for no reason on me
try to go into the packet, identify what it's looking for, try to understand it, then figure out what's supposed to go on those XX
for what module?
what I do, create a share folder on windows, then use smbclient to put file there
can you post the full rule?
oh, you got the alert to work?
I removed the XX to broaden the scope and allow the alert to work so I could work backwards however when I use either of the above no alert is generated.
yeah... can you post the full rule, I don't wanna go dig through my notes
┌──(ruderaph㉿kali)-[~/academy/windows_attacks_and_defense]
└─$ xfreerdp /v:10.129.125.40 /u:bob /p:Slavi123 /drive:home,"/home/ruderaph/sharedrive"
[19:40:18:496] [14022:14023] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[19:40:18:496] [14022:14023] [WARN][com.freerdp.crypto] - CN = WS001.eagle.local
[19:40:19:143] [14022:14023] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[19:40:19:143] [14022:14023] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[19:40:19:156] [14022:14023] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[19:40:19:156] [14022:14057] [INFO][com.freerdp.channels.rdpdr.client] - Loading device service drive [home] (static)
[19:40:19:156] [14022:14023] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[19:40:21:014] [14022:14057] [INFO][com.freerdp.channels.rdpdr.client] - registered device #1: home (type=8 id=1)
[19:42:08:571] [14022:14023] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 110: Connection timed out
[19:42:08:571] [14022:14023] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[19:42:08:571] [14022:14023] [INFO][com.freerdp.client.common] - Network disconnect!
OK so it was running good, but whenever I search for powershell using explorer, it's like it freezes and disconnects
i've never used it that way so I can't help... but i'd guess, does bob have access to the share... also do you need to transfer files to windows? i don't remember really needing it...
If anything there's probably a shares folder already setup for you to use smbclient
think of the offset 12 and depth 10... also each is a byte, a byte is a group of 2 hex
what does offset, depth, within and distance means. You're almost there
If you replicate the module, yes.... At least I couldn't find the script on the system... I've used this method many times, this just started a week or two ago. I was able to transfer the file, but I get about 25 seconds before it disconnects now.
I wouldn't be able to help with that method as I haven't used it, maybe someone else
Awesome, thank you!
I got it with this 
This is not the channel for this. Please keep the channel on topic. You will need to wait for a response from the support team. Thank you.
K
Thanks my bad, cracked with -a 6.
Question, do you guys utilise a VM or use your NATIVE OS? I've got a Mac but haven't tried HTB on it yet
Moved from windows
It's safer and better to use a vm, in the event an update fucks up your tools you can roll back a snapshot
hey guys im thinking of maybe getting an academy subscription. Can anyone here who took a sub tell me how worth it was?
The optimal price point for you as a consumer is the student price plan with a valid *.edu email address (assuming you have one). This currently gets you access to all the trainings for all of the currently available certifications.
Absent that, the monthly plans that afford the most discounted cubes are the most economical.
technically won't be true
considering CWEE is comin
Currently is doing the technical heavy lifting in that sentence
Since the CWEE isn't released
But I figured since they're just getting started with the platform, that wasn't an imminent target for them
What's cwee
advanced web cert from HTB
they haven't released it yet
the path for it though contains tier3 modules
student sub only goes up through tier2
I'm not just starting I have some htb experience, like I can do easy boxes. I wanted to know if by doing the academy stuff I can do medium and hard stuff
I do have edu email
then student sub is your best bet tbh
How advanced is stuff below t3
it assumes basic levels of experience
nothing crazy
like attacking services and basic enumeration stuff
there's the Job Role paths which are the cert paths that are more structured
Hmm I think I'll try for t3 stuff instead then if thats all t2 is
or you can just search for a topic and do the module that has it in it
there's a bunch, and you might learn something you didn't know before
it's not ALL that t2 is
there's a fair bit of tier2 that is hard to sum up briefly
some of tier 2 includes active directory attacks, XSS, Web attacks in general, Command injections
some of the tier0 stuff includes stack based buffer overflow
Get a student sub, see if you like it.
If you do, you have until the end of the year to decide if you want to go for gold annual.
yes
Hello. Guys I just solved a question from the footprinting module ftp htb machine: I just want to know why I couldn't do it on my own vm. Thanks in advance!
the auth key that you get from a windows hash is rc4_hmac (some pth techniques will use rc4 as their argument instead of pth)
thank you
skill issue; i didn't have issue in my own vm
but reality; sometimes it's dumb
you can get it to work sometimes
again it's just dumb
So you have no idea?
it's hard to narrow down the exact reason why it's not consistent on a vm versus the pwnbox
I see
too many variables to consider ¯\_(ツ)_/¯
the auth key u are saying refers to?
the hash
Oo. the password hash
yes
technically speaking the hash you get from responder is an auth challenge key with the LM and NT hash parts for NTLMv2
there's only one actual part of that response which is the NT/LM hash for authentication purposes
i believe that section diagrams the parts of the hash
yes
i haven't reached the lateral movement module LOL. but thanks though
One of the modules I know talks about it
and diagrams all parts of the response token
@fickle thicket Checkout the preview of https://academy.hackthebox.com/course/preview/ntlm-relay-attacks, it expands on the topic.
ah. i am on student subscription. don't have access to tier 3 module
The preview is free to access
of any first section within a module
Use incognito to prevent redirects
ok thanks. i'll take a look
Mimikatz - does Pass the Key or OverPass the Hash
uses the same command as Pass The Hash? which is sekurlsa::pth
i see. so i guess is the same. since both uses pth
any chance to have a relaying across a pivot section added in that module? think that would be really useful
Yeah absolutely. I remember I researched how to do that with meterpreter and it was something definitely worth knowing about. I will discuss it with @mild mango and see how it goes.
pass the key is not pass the hash, the former uses a kerberos ticket, the latter uses a NTLM hash
awesome, looking forward to seeing that added ❤️
holyshit. plaintext is the guy in the Pass the Ticket (PtT) from Windows example LOL
@next bronze I am working on updating the section about Coercer, going to beef it up by also adding techniques to coerce authentication with LOLBAS
and julio 
almost like they're the author or something
ah nice, I'll check back the module when that's added 
"Sidenote: pass-the-hash != over-pass-the-hash. The traditional pass-the-hash technique involves reusing a hash through the NTLMv1/NTLMv2 protocol, which doesn't touch Kerberos at all. " you are right. i just read this. but i just find it weird that the command is the same LOL
the command is the same for simplicity sake
so the only difference is the pass the key uses kerberos and pass the key uses NTLM authentication protocol.
ah i have alot more to learn
also try not to ask questions BEFORE you finish reading something that's likely gonna explain it more
ok. noted. sorry about that
Hi guys, i'm currently doing the Windows privilege escalation of HTB Academy. So i have to connect through RDP to the machine to do a privilege escalation but i have this error message
you have to do some win-rm stuff to enable it
i forget the syntax
but it's definitely covered in one of the earlier modules
they did have you do it for one of the sections in an earlier module
for sure
and if the section says "RDP to IP with CREDS" then yeah
Alright, thank you
might be off topic - is there a way to connect academy to roles/details on this server or just htb?
You can only link your academy account if you have an annual subscription for an "academy user" role, but it doesn't give you anything special
so even if i choose annual, it'll just say "academy user" and no rank? I'll always be a n00b?
Yup, there are no ranks in academy, that's a main platform thing, the only roles you can technically gain from academy are the cert roles after passing their exams
hey guys need a bit help in "Windows Privilege Escalation" ==>> "User Account Control"
I didn't get where to look for in the "UAC bypasses" link: https://github.com/hfiref0x/UACME
if I want to find "technique number 54" ...
If someone can please help me get it clarified
there's a list of methods you can expain in the repo
Hello, kind people of HTB. I need assistance with the following thingy:
Password Attacks - Linux -> Passwd,Shadow,Opasswd
I found the root hash, and now I am using the custom.list that I made by modifying the regular password.list with the custom rule.
Am I on the right path?
Hey guys
Just joined here wanted some assistance on ESCAPE machine
Is anybody free ?
Solved it.
I didn't find anything that say "technique 54"
so I'm not sure where to look ...
Its right there staring.😅
oppss 😅
I guess I underrated breaks ...
thanx ...
Hello all, I'm stuck connecting to the kali vm in WINDOWS ATTACKS & DEFENSE module, kerberoast worked, via vpn to WS001, but don't know how to find the ip address for the kali vm, anyone have any ideas? tried rdp and ssh from my parrot to 172.16.8.25 and tried the same from WS001
yeah, I ended up just using the pwn box
Anybody got any advice? I need to connect to DC1. no port 22 on the system so i can't port forward. When i try to connect on the computer i get this.
try to ping it
oh, you already have a console session? rdp to DC1 from WS001
I know there's a specific part where you're supposed to connect using powershell, but I'm not sure this is the one
have you done this module? Windows attacks and defense
Do you have notes on Credentials in Object Properties
probably, but you gotta ask a specific question
DM?
ok, thx! if it is doable from the pwn box, I'll do the same
sure
you can use rockyou.txt, just gotta find it
awesome, thx, was wondering about what password file to use
Anyone familiar with the DNS page of the Footprinting module? I'm stuck on the first question and don't really know what I'm looking for/how to proceed
Module: Network Enum Nmap Medium-Assessment --- redoing assessment but I'm not sure if the answer changed over time --- does it still start with HTB{...}
Can someone help me with this skill assessment WINDOWS LOGS AND FINDING EVIL stuck for a long time any hints??
Or is it now starting with: NL......
Do you retain access to modules you've completed?
Even if subscription expires?
Yes, anything you complete is yours forever no matter what sub you have
Awesome,thought it was something like that.
Module: Network Enum Nmap Medium-Assessment -- can anyone tell me if this is the right version for the answer:
Actually think this is the right answer, but i can't submit it to check it, because i have already given a correct answer once --- guessing that the answer changed over time which is quite annoying
@supple gorge
Module Windows Event Logs & Finding Evil
Tapping Into ETW
https://academy.hackthebox.com/module/216/section/2325
Thanks with powershell it work
Ssup guys
check the module and re do their steps. check the logs and look for different sysmon ids that may relate to it
Why isn't anybody responding to my simple question -- is it because the answer is obvious -- maybe it is -- nevertheless I'm too inexperienced and uncertain to be totally sure it is correct
not everyone did that module, and this is community driven. I haven't done that module so I can't help
ok
it would be easier to help if there were more specific details rather than just checking for answer
hey guys, there's literally no other export func that starts with attach in kernel32.dll. Module is intro to malware analysis
@supple gorge don't know how I could give more specific details to my question because there isn't much more to do than finding out the DNS version with an nmap scan -- fairly simple process
I'm 99.999% sure it's correct, but I don't understand why they have to change the answer
Might be a formatting thing
Maybe extra space
I have already submitted the answer once
Or maybe the question changed how they expect the answer, can you put the question here, or at least the part where it asks the question and says how it wants it?
huh, what section is it?
Gotcha, I don't wanna submit it without doing the course (I tried with my meager knowledge of nmap and the simple scan didn't work), you're probably in the right, you could reach out to support for a more sure answer
In a browser that doesn't block pop ups or ads and stuff, there should be a button in the bottom right corner where you can reach out to support, I've done it before
to report this situation with the course, you could say so in #858470491676737536
Sorry for not being much help
actually it's not the first answer which has changed -- I know you could argue it doesn't matter, because the process is the same -- nevertheless if you're new to this stuff and therefore have a certain uncertainty, I think it matters
@supple gorge thx for your effort
if you got through the lab and found a service version for DNS you are more than likely right, but I understand the wish to get confirmation
What command are you running for this output? There is a Nmap script you are supposed to run to get this version, the standard Nmap version flag is not enough
Hi, I'm stuck on the last question in the Password Attacks Module -> PtT in linux lab. I tried using PtH with the NTLM hash of the LINUX01$ (discovered from /etc/krb5.keytab), and tried generating a ticket using rubeus but it doesn't work for me. Any suggestions?
How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
I tried ||netstat -l | wc -l|| and the result is incorrect, what am I doing wrong
Is there someone that has finished the Advanced XSS and CSRF Exploitation module?
Hi, I am trying to answer the question here - but the URL fails https://academy.hackthebox.com/module/54/section/505 - I can get to http://academy.htb:PORT but http://admin.academy.htb:PORT/admin/admin.php doesn't work
This doesn't work - ||ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:51718/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs 768||
No response at all
bruh
||curl https://www.inlanefreight.com/ | tr '"' "\n" | tr "'" "\n" | tr "=" "\n" | grep https://www.inlanefreight.com/ | sort | uniq -u | wc -l ||
I am currently doing the footprinting medium lab and I am having an issue with accessing the NFS (if that's even what we should do). The rest of the open ports are WinRM and RDP. Not much to do until you have creds.
I did a "showmount -e 10.129.228.163" and I get that there's a share with (everyone) appended to it. I mount it but then I get that only the nobody user can access it. I tried changing the nobody user when mounting to my own user. It shows up as me but I still can't access it.
Any ways to troubleshoot this?
why isn't this giving me the correct answer
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
that's the question
I have no idea what to do to enumerate the user from the SMTP on the footprinting module. Can someone assist?
Testing
smtp-user-enum
So every time I've tried this command I get an error, every resource I look up on how to input it isn't getting me anything
I downloaded the footprinting-wordlist file but cannot get it to find it
Got the scan to work now, helps to be in the correct directory
So it went through that file and it couldn't find any results
Don't use the default time
Do -W 15
Also why don't you use idk man smtp-user-enum or smtp-user-enum --help
So based on smtp-user-enum --help, I believe my issue is the file of usernames. How do I find that?
Magic, it works all of a sudden
So I've run that previously and it turns up no results. Command I ran was smtp-user-enum -M VRFY -U footprinting-wordlist.txt -t (IP) -W 15
Getting 0 results with that
Increase timing then
So I made 2 changes at the same time, and one of them worked: moved the -W in front of the IP address and changed -W > -w
I realized the timing wasn't actually increasing and the --help always showed the ip last as well as having case specific options
Hi, I was stuck on the last question in the Password Attacks Module -> PtT in linux lab. I solved it finally, but I think I did it an unintended way because of the hint they provided (didn't use it at all). Can someone DM/guide me in the intended way?
Use linikatz to find it iirc that's the linux01$ yeah?
I tried with linikatz but when I tried to export it and connect via evil-winrm I got an error and couldn't connect
Just as in the previous question I found julio's Kerberos ticket, exported it from the ssh session as root and used evil-winrm from there. Tried to do the same with the LINUX01$ ticket that linikatz found but with no success
You're referring to the ccache file?
yeah
Ah OK so you're using export to mean transfer
Or am I misunderstanding
I know there are 2 cache files; one is old/expired, the other is current
For julio? yes. LINUX01$ had one file I'm pretty sure
Navigate to the directory its found in and see
Going to check it out, Thanks!
Maybe I'll have to double check
Fun fact: this section was a late addition
It'll be very helpful if you could
Not fun. It's 2023, soon 2024, no one cares about Java
I don't recall having many issues with doing the krb5_ccname thing to put it in there, it just worked
Look up the writeup for the machine Fatty, you're welcome
Tried it many times... Ended up using mimikatz from the powershell of evil-winrm to dump tickets on the dc and performed ptt from there
Yeah, I wondered why it didn't censor it
Hi again. No matter which vpn file I use and no matter which connection (home/mobile) -- can't reach any target within any section anymore! What's going on......
@rare swan maybe you know about it, but there is a help page for connection issues: https://help.hackthebox.com/en/articles/5185536-connection-troubleshooting
VPN issues? Slow connections? Can't reach machines? Start here!
Maybe this can solve your issue
@obtuse falcon thx for your advice --- tried to connect to boxes from HTB Lab and there aren't any connection issues --- actually only on HTB Academy and suddenly from one moment to another
Maybe i should reach out to support?
Have you tried switching servers ?
@molten prawn thx -- actually worked
You’re welcome man
Exploitation of PDF Generation Vulnerabilities
Injection attacks
I am trying to find this blasted internal port to complete the SSRF. I have found the internal ip, just cannot retrieve information through the PDF
can you scan multiple hosts at once with ffuf like this (I know this isn't the correct syntax): `fuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://faculty.academy.htb/FUZZ, http://test.academy.htb/FUZZ, http://archive.academy.htb/FUZZ, http://academy.htb/FUZZ -recursion -recursion-depth 1 -e .php, .php7, .phps -v`
Just a fyi: You have never needed the use of :FUZZ for ffuf.
really?
Really.
I barely use it. I use wfuzz, gobuster or feroxbuster. It's throwing me off.
How do you scan multiple hosts like my example?
As far as I know, you can't.
You can use any word other than FUZZ right? You need some kind of placeholder though?
Yeah. The default is FUZZ.
automate it with a simple shell script
@mortal basin Going to ping you here. For your Value Fuzzing section in the ffuf module, you might want to tell users about one of ffuf's poorly documented features: -
good idea, getting use to the syntax - It's working lol -
documentation not so great?
It's a feature that isn't documented unless you read the changelogs lol.
Now I want to learn Golang to contribute
ffuf is right now the best fuzzer
you should get used to it
use the '-ic' flag to get rid of the comments
Yeah it's not so bad
of the dictionary
ty
wasn't that the one to read from stdout?
v0.10: 0295abb Wordlist standard input mode (#36)
Instead of running for i in $(seq 1 1000); do echo $i >> ids.txt; done; ffuf -u http://admin.academy.htb/FUZZ -w ids.txt..., you can simply run seq 1 1000 | ffuf -u http://admin.academy.htb/FUZZ -w -
yea xD
i use it along with cook for custom wordlists
I'm not sure how people would find out about the feature otherwise. The default is to not tell you about standard input mode (I guess it's really standard output mode)
i think its a common functionality on shell programs
I tried it without even knowing about it in the changelog or docs
and it worked xD
I use it a lot with python scripts from git/exploitdb, curl <url for raw python code here> | python3 -
Hello, I have been trying to ssh but this password "previous flag" doesn't work, other to do it.
use the actual previous flag
It wouldn't work before version 0.10, and they removed mentioning it starting from v1.0
I was not saying that.
Oh, I know.
what I mean is that maybe it doesn't need to be documented
not like a special ffuf feature
I don't really like that, because you would be surprised at how people forget about the most obvious things.
I don't think you can do echo http://sitename | ffuf -w wordlist -u - either.
My YouTube channel, anyone care to subscribe to it?
nah
No.
Nice so you don't actually give an F### about my channel
didn't try
only used it for the wordlist
Yes. You get it.
but for that just automate with shell 😄
Yep
@heady surge keep the channel on topic
