#modules
@modern epoch sorry for the ping. Do you mind if I DM you? I'm doing the NTLM relay Skill Assessment, when pwned BACKUP01, tried to abuse file sharing ...
I did try to reset, terminate, start again. I'm user bob, I did do it 4 times now and none work. Error is KDC_ERR_PADATA_TYPE_NOSUPP
Sure, no worries. Please DM and we can see
DM me, but these days I'm quite busy with family and friends. I've got to redo the lab because I didn't take notes, but no problem
will pentester path modules prepare me to tackle easy htb boxes?
mostly: thing to note the boxes generally don't require AD
but other basic knowledge may help
the pentester path is more to get you on the path to well a Pentesting Job (or at least the mindset for it) you mostly need to be able to adapt to a given situation. Most boxes themselves have a gimmick or two to exploit.
@next bronze feel free to DM me. i have done NTLM relay module.
Take another look at the sections in the module. You have to combine several things to get to the flag.
Guys, why are video and audio not playing in my Linux VM?
/rank
Can anyone nudge me forward on footprinting lab - Hard. I found out theres a pop3s I can connect to, but can't figure out how to login, is it any of the credentials found in earlier labs (easy/medium) or am I completely out of track ?
Hey guys,
I'm currently doing "Password Attacks - Medium Lab". I found the zip file in the SMB share and used zip2john, but when I want to crack it with either rockyou or the provided wordlists, john just ends the session after 1 second with "session completed". Anyone know why?
you’re completely out of track
enumerate more😉
same here
i'll try to enumerate more 
Not sure if I saved the Kerberos hash correctly:
||hashcat -m 13100 --hash-type=19700 rc4_to_crack /usr/share/wordlists/rockyou.txt||
I tried removing potential whitespace but that didn't fix my issue and it seems like from what I read that wouldn't be an issue anyway.
https://academy.hackthebox.com/module/143/section/1423
that's not how you use hashcat, -m and --hash-type are the same thing, only use one, and idk what hash you have but that's not a kerberoast hash
It's not a kerberoast? I thought the string 'krb5tgs$23$' would be associated with a kerberoast hash based on what I researched.
you cut off the first part, include the full hash
and the whole hash needs to be a single line,
To save your time, add one more piped command | Export-Csv .\hashes.csv -NoTypeInformation after your command, so that you don't have to deal with manually removing newlines.
@lusty thicket can u give another tip? Where i'm supposed to enumerate more?
i can't find any new information

scan both tcp & udp
Hi guys. I'm on footprinting module skill assessment, medium lab. I got creds via nfs, then i log in via rdp, i got sa:xxxxxxx cred, but i can't log into sql with sa:xxxxxxx creds, is there anything i'm missing? I tried reusing ps, flipping usernames, none work. i've completed hard lab, done the medium lab two week ago, just gave up and come back, still i faced the same problem. please help 🙏
try running the sql as admin
Your Windows user has no rights to access the database. But sometimes users are lazy and use the same password for several accounts. Maybe there is a Windows user who is similar to sa.
Hi, in the vulnerability assessment module they use CVSS 3.1 and even Nessus uses 3.0
Yet 4.0 was out this November so I wanted to know if we are still using 3.X or we should start using 4.0 now
Nobody any idea?
I am on Active Directory SKills assessment part 1 and I cannot seem to find a way to log into the domain. Anyone can give me a little hint?
ive got hashes but I cant log in with them
pth, if you can't then crack them
Simply state in the report which version you have used.
eyo okay I must be doing something wrong. Ive been trying every pth technique
lemme go back
So like there is no specific version that should be used ? Like we are free to use the one we like ?
Always declare the version. This way, your customer can understand the calculation method
Ok ok I see thanks
Hi guys, anyone can help me in Skills Assessment - File Inclusion ? I know I tried to exploit it as well but still doesnt work 😦
I feel like Ive tried every pth technique, none work
and I cannt crack the hash
lemme try invoke the hash
it's just a general suggestion, I don't know what you have, it might not even be right way
is it a ntlm hash?
yessir
yes
do you know the user that the hash belongs to
Any nudge forward for footprinting hard, not getting the community string (tbh dont really understand the concept of it to begin with), been trying with braa, snmpwalk etc. only getting the generic reply, which does not seem to help me anyway, any help appreciated: onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt 10.129.12.128
Scanning 1 hosts, 3220 communities
10.129.12.128 [backup] Linux NIXHARD 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64
All the hints are pointing towards this, but what do I do with it ?
I tried all the other wordlists, but this is the only reply I'm getting, and it does not tell me anything
WEB-WIN01$
I can enumerate pass-pol I can enumerate shares
but pth wont work
but wait gimme a sec
Ill get back to you in a minute
you generally cannot login locally with a machine account, if that's what you're trying to do. try other ways you can abuse it
oh my days
I completely ignored something
I am an idiot
I assumed something.
and I was badly wrong. Its okay, I am on the right path again
@ohyeah229
the snmp section covered that
though one thing is weird. I kerberoasted one service, cracked the hash, submitted the password to the question and it was correct. However when I type the user name to the previous question it says incorrect
its literally written in the cracked hash, wont accept the answer tho
yea it isnt correct but now Im confused again
but ill survive
i think you’re in the right section
go through the section again and connect the dots .
what question
nah its okay. I selected the wrong service but the password happened to be the same for both
which is why I saw the wrong samaccountname
I just keep stumbling
thanks a lot. I got into the SQL server, found the accounts table, queried it and got the flag. One thing I don't understand: why did opening as administrator get me into SQL server but not filling in the creds like normal?
I'm doing the easy lab for Common Service Attacks and found a username from SMTP enum. I tried to brute force all other services and got nothing, and now I am trying to brute the basic HTTP auth on https://machineip:443. I am having some trouble with hydra to do this, as it is giving me a "SSL routines:ssl3_get_record:wrong version number" error when I use this cmd: hydra -l [user] -P pws.list -f [IP] http-get / -I -v
Or sorry I meant this command: hydra -l [user] -P pws.list -f [IP] https-get / -I -v
Does anyone know how to address this error? I always seem to have difficulty dealing with these weird http basic auth pages with hydra, and now HTTPS isn't helping that
the module didn’t mention 1 thing about that
Hey guys, I'm having trouble on the Procedures portion of Intro to Assembly, I feel like it should be super easy but I've been stuck on it for days now. I copied the code into Vim and saved it, ran it with ./assembler.sh -g, and then I assumed that the next step would to be to set the break point to Exit+0 (*0x401046) since it just loops otherwise but no matter where I look in the stack I'm not finding this 6 digit 0x with no 0s. Any pointers in the right direction would be much appreciated
Ok I got it, I was doing too much and just didn't do the most obvious thing
😉
you almost have it, which register points to the top of the stack?
also n in gdb to skip over the loops, then si to step over each instructions, but your break point should be right so there's no need for that
help me find an official moderator or administrator, anyone here?
I'm an unofficial mod
it will work
consider actually being specific with your requests for help
help me verify my identity in #bot-commands
oh just DM a mod/admin then (I'm not actually a mod/admin) you can see who is a mod/admin on the righthand side
it literally is right there in the message "please contact a mod or admin"
Thanks, the right hand has many!!
i never knew it was on my right hand 🙂
:D
If you still need help, you can send me a DM
i desperately need help
send payload a DM so he can help resolve the issue :D
he is mod :)
we need the undertaker meme with Payload LMAO
hello, i need help. from Linux Fundamentals module, section: Filter Contents. (https://academy.hackthebox.com/module/18/section/80) what does this question mean?
basically all unique links in that domain :) you're gonna have to filter for it considering cURL pulls the page source
does that include the javascript src? it must be in the domain www.inlanefreight.com right?
any calls to a different src won't be included
curl does the same thing that "view-source" does (essentially)
For windows attack (CDSA), on credential for object properties Q3, cannot generate the bonni 4771 ID on security logs. How can this be triggered even after following the example?
Footprinting - Hard
need a nudge, i tried all 4 wordlists inside SecLists/SNMP/ for SNMP to enum community string, without success, which file should i use?
the same wordlist used in the section
oh god damn, ive overseen the result, didnt notice it has found it alrdy xD
I've tried every possible answer but it is incorrect. I even downloaded the page source (https://www.inlanefreight.com) and inspected it manually, extracting everything with the domain www.inlanefreight.com and running sort/uniq on it, excluding other domains, emails, etcetera. Still an incorrect answer. I've submitted many answers but they're all incorrect. Does it have a submission limit or something?
No submission limit

From google:
The route or also known as “path,” is the part of the URL that comes straight after your domain (i.e., yourdomain.com/PATH) Destination Type: what kind of document do you want to share. Destination Document: the hyperlink of the original document URL.
I'm not really sure what's happening. I'm wrapping up "basic tools" module and trying the optional exercise. I spawn the target and the in-browser Pwnbox. I tried nc'ing to the target host and port, ssh'ing to it, using a browser, but I'm not getting any kind of banner or anything other than TIMEOUTs. I'm on the third target reset. Any thoughts?
Are you running the vpn on your system at all?
No, I thought with the in-browser pwnbox that wasn't needed? I can ping the IP.
I'm just trying to narrow things down
If you run the vpn on your system AND pwnbox it causes issues
ah, yeah, definitely not doing that. :)
What is the question explicitly asking
"Apply what you learned in this section to grab the banner of the above server and submit it as the answer."
Then do what was explained
I've tried:
nc <ip> <port>
ssh <ip> -p <port>
browser
Note: using netcat will take a moment for it to give you a banner
Usually up to a minute
Timeouts
reset the machine and try again
They've done that a few times already
strange
maybe the lag is just too much. >200ms for most
What's the module name?
please help advise me.
curl -s https://www.inlanefreight.com | grep -oE 'href=["'\'']https://www.inlanefreight.com[^"'\''"]+' | sed -E 's/href=["'\'']https:\/\/www.inlanefreight.com([^"'\''"]+)["'\'']/\1/' | sed -E 's/href=["'\'']//' | sort -u | wc -l
Finally
Basic Tools haha
Is that the actual name of the module?
Once I added -Pn it came back as filtered/unknown. Without it - "host seems down"
Getting Started -> Pentesting Basics -> Basic Tools
Oh yeah forgot about this module
Section?
Ssh is the answer
I think I'm going to chalk it up to lag and try later. I hit my pwnbox spawn limit. :-\
If you can: set up your own vm
It's a public ip for this exercise, so vpn not needed
netcat ip port should work
damn. from the VM it came back immediately. Thanks - lesson learned.
Suggest me the course for cyber security
I am fresher in this field. So suggest like that only.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
can someone help me with this
To get the flag, start the above exercise, then use cURL to download the file returned by '/download.php' in the server shown above.
the file im getting doesnt have a flag
Information Security Fundamentals in academy
Well you likely have to do stuff to make it readable
help.. I even used hakrawler to extract paths from the url and counted every unique endpoint url, but the submitted answer is incorrect. actually this question is easy but i don't understand what it actually wants. i've submitted many numbers but they're incorrect.
The answer is less than 50
is what i'm doing that correct or i missed something?
I believe so
I dont recall all of what I did
But 24 is too low
So there's something being lost in your filtering
can anyone DM me for some help with the skills asessment on the Injection attacks module? thank you!
do you mind pointing to me what am im missed?
No
As I said, I forgot what I did to get the answer
@ocean minnow i think there is something with the server at the moment, my machine didn't download anything for like 5 min, on my VM i curled google and redirected it for 5 secs ...... i found the answer but i am not sure, do you want the answer or want to discover it yourself ....
WEB ATTACKS
Advanced File Disclosure
Question:
Use either method from this section to read the flag at '/flag.php'. (You may use the CDATA method at '/index.php', or the error-based method at '/error').
- I used the CDATA method and it is working BLIND. Thus I can't read the flag file.
- I tried to use the error method but there are no errors showing in the response code.
Any help would be greatly appreciated.
Thanks
@hallow remnant I'm testing the tool with the skill assessment, just for the sake of testing it. Although it found the injection type, it seems that the payloads it found are not working, it didn't find the working payload I found manually. So my question is is the tool really working as expected, did you indeed use one of the payloads it found, or did you just get the injection type from it but found your own payload manually ?
Don't cheat or "hack" your way to the answer in the future
Also if you did it in an automated way that's very likely against the ToS
yep apologies
They can see deleted messages btw
Any hints for this @fathom pendant
Hi guys ! I have a question concerning the module "Getting Started", in "Privilege Escalation", "SSH Keys".
Unless I am misunderstanding something, i do not think that what is written here is accurate.
If we are able to get read access to the .ssh folder of a user or root and have read access to the ssh keys, we can use it to potentially connect to other servers if they have the id_rsa.pub in their authorized_keys.
But it should be very unlikely to be able to connect to the server itself using this key unless the admin generated the key on the server itself and didn't bother removing it.
Am I missing something ?
You're missing the one most important ingredient to pumpkin soup
to be able to use ssh keys, it must be stored somewhere
this is accurate info: the id_rsa key is generally stored in the hidden .ssh folder, and the public key as well - (which is added to authorized keys) - they are used to match each other. If the matching keys fit for other devices it doesn't matter who generated the keys
it's like having one key for multiple locks
in some instances a user's rsa key ends up being the root key as well
that's pure madness honestly 😄
it happens more often than you think
convenience over security
though you can generate keys with a password ¯_(ツ)_/¯
literally requiring a password to use them
(this is touched on in the password attacks module)
But it still seems crazy to me that a server admin would generate the ssh keys on the server and then add it to the authorized_keys instead of doing it locally and then using ssh-copy
that isn't the point
when i say added i'm not generally meaning manually
it's via whatever method works
that's what I have difficulty to understand..
I do not have a lot of experience in pentest and this is the first time that I had to use the id_rsa of the root user in order to connect to it on the same machine
because the root user is a default usertype on linux distros, like Administrator on Windows Machines. When you run sudo x then you run the command as root. In a properly set up environment: regular users are limited on what they can sudo
root is what's known as super user
and at this point in learning you have no access to shadow files or a user that has a sudo bin they can escape from
so you take advantage of whatever user2 has access to
from the perspective of an outsider: you don't know root's password
so you can't just su to root
I mean, you are absolutely right,
my mind was just focused on the fact that the private key is meant to be kept confidential and should only reside on the client machine from which you connect to the server.
And to be fair, this exercise was a learning experience because I wouldn't even have crossed my mind to try this key to login to the root with it.
I would, however have tried it against other servers on the network if there was any.
I spent way too much time on this one 😅
it makes sense still to keep the key on the target itself
because to a non-technical user they wouldn't think about .ssh
as it's a hidden file so a normal ls -l won't find it
¯_(ツ)_/¯
I've used keys I compromised on real red team engagements to further compromise the machine I found the key on. Tons of people don't understand how to properly do ssh proxy jumps, don't understand the importance of read-only deploy keys for applications, don't understand the dangers of agent forwarding, etc. So they do dumb things like copy their ssh private keys onto remote servers.
I'm trying to do the Active Directory Skills Assessment 1, and for question 3, I can not seem to get the hash of the ***_sql user. I am 99% certain that I need to use power view, but I can't find it on the system, nor can I figure out a way to upload it. I've already established a reverse shell with nc on my attack machine and made an http server on my attack box to use to transfer the files over the shell. But no luck
you can upload with the webshell given, or using smbserver, or through a web server
I'm not there yet but if you can't get access to the tools you may have to "live off the land" with builtin tools
Did you manage to figure it out? I am also wondering...
I've tried, but have found nothing 😦
will keep trying. I'm probably overlooking something easy
break at start, then use si to step over each instructions
yes that part is pretty clear, I also managed to actually read rax with display $rax but nevertheless he doesn't accept the hex? maybe I am missing something
ah, got it, I entered the hex in reverse instead of just c/p ... suppose I got a little confused with the little-endian formatting.. tks for your help
they asked for the hex value in the register, so just give that, and you don't need to do display $rax, it's shown right at the top in gdb
jesus, yes you are correct, I can see it now 🙂 thank you
Can you help me @next bronze
?
WEB ATTACKS
Advanced File Disclosure
Question:
Use either method from this section to read the flag at '/flag.php'. (You may use the CDATA method at '/index.php', or the error-based method at '/error').
- I used the CDATA method and it is working BLIND. Thus I can't read the flag file.
- I tried to use the error method but there are no errors showing in the response code.
Any help would be greatly appreciated.
both works, use similar code as the section, remember to modify the email tag
Sir I did all of that. And the curl to get the xxe.dtd works but it doesn't display the response
why are you curling your own dtd
That's how they did it in the module. What alternative do you suggest?
in the module they told you to curl your own dtd? you're supposed to get the target to retrieve the file
I mean, I can see exactly what you're supposed to do in one of the screenshots in the section
do you get a request on your webserver?
Yes I do
make sure your dtd file is correct for the type of attack you're using
This is the dtd file:
<!ENTITY joined "%begin;%file;%end;">
should work, restart the target
I have restarted and tried it 3-4 times
why are there 3 dots in your request
I removed that but nothing changed
Another thing. I can't do the error method because the error code doesn't show in the response code no matter what I do like deleting letters or referencing non-existing entities...
This whole thing exercise is rigged
I can get the answer with the first part of your xml, so make sure the rest of your request is correct
But I didn't change the rest of my request. The only thing I changed is the email section to the &joined; entity...
DONE! That took way too long but I now fully understand everything. Quite happy.
onto the last one
sorry that was not as a reply to this but what I said earlier. The AD skills assessment
This exercise is so stupid
then you're missing something, check everything again
I showed you everything and you said you got the answer using an identical request
I don't have the rest of the request and like I said, I only used the first part
add a tel number
If you need to, take a break, relax and come back. The best thing you can do while learning is be relaxed. This field is difficult and will challenge you.
Sure but the problem was that I didn't add a phone number to the submission form even though it is not a requirement. This caused me to be stuck for the entire day. Is that a take the break moment or a HTB needs to fix their exercise moment
if you think what you did should have worked, then the answer lies somewhere else, being able to test and troubleshoot is part of developing a methodology. in the real world, you don't always know what happens when you change something, so it's important to be thorough. for now, take a break
On the digital forensics course, on the question “Visit the URL "https://127.0.0.1:8889/app/index.html#/search/all" and log in using the credentials: admin/password. After logging in, click on the circular symbol adjacent to "Client ID". Subsequently, select the displayed "Client ID" and click on "Collected". Initiate a new collection and gather artifacts labeled as "Windows.KapeFiles.Targets" using the _SANS_Triage configuration. Lastly, examine the collected artifacts and enter the name of the scheduled task that begins with 'A' and concludes with 'g' as your answer.” Target: 10.129.228.172
Life Left: 92 minute(s)
The link it says to go to has nothing on it and won’t load or establish a connection
It would be so cool if academy had videos too, reading so many pages gets quite exhausting sometimes
So true
did you rdp in
I’m using Microsoft Remote Desktop to try to rdp and I’m doing that to the target address but also not working. Have a feeling I’m rdp’ing wrong lol(I’m new to this)
the target address is 10.129.228.172?
That’s correct
are you able to rdp in then
Not with Microsoft Remote Desktop
can't say I've used that for the modules but it should work, what's the error
you should do it in pwnbox if you don't have a linux vm
I’ll try that. Spawning one now.
do you know the command to use rdp on that?
Pretty sure. Just gonna use remmina
Just ran sudo apt-get install rdesktop
Then ran rdesktop then the target address, said yes to the certificate trust, then got a Failed to Initialize NLA and a Failed to Connect, CredSSP
Just gonna go back to remmina
xfreerdp /v:10.129.228.172 /u:'Administrator' /p:'password' /size:1400x1000 +clipboard /dynamic-resolution /cert-ignore &
did it work?
send it
Help menu’s like 100 lines, the usage says xfreerdp [file] [options] [/v:<server>[:port]]
And the error says [ERROR] [com.winpr.commandline] - Failed at index 1 [/v:10.129.228.172]: Invalid sigil
try respawning the target and using a new IP, give it like 5 minutes to fully spawn
Ok. It’s the same target no matter what pretty sure. But respawning now
Nvm. The new target is 10.129.27.37
Don't post the target IP publicly cause I'm pretty sure u can get hacked that way
eh; they'd have to be on the same vpn server first off
second off if a user is found to be attacking another: then their account gets banned

I am having issues with the last question of this module:
"What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word) "
https://academy.hackthebox.com/module/143/section/1485
This is what I have tried so far:
||Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}||
||$gpogroupsid = Convert-NameToSid "GPO Management"||
||Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $gpogroupsid} -Verbose||
||Get-DomainGroup -Identity "Dagmar Payne" | select memberof||
You need to wait longer for get-DomainObjectACL
It looks frozen but its still doing the search, it can take up to like 10 minutes iirc
There is a faster way to do it that they dont teach that takes just a few seconds if you go research it
bloodhound ?
no
just a better way to write the command for this specific task
still using get-DomainObjectACL
Oh okay .
Rerun the command for the forendsid
And just wait
I literally watched YouTube while I waited lol
Not the command with the group variable I created(||Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $gpogroupsid} -Verbose||), but instead just forends id?
||$sid = Convert-NameToSid forend
Get-DomainObjectACL -Identity "GPO Management" -ResolveGUIDs | ? {$_.SecurityIdentifier -eq $sid}||
That works too
So the first command I used . Okay
you waited 10 minutes
The reason is because the search is looking for the rights that the sid has over the identity you're looking up
Could take 30
If you look at the results: you get the object, what rights the user has over the object, etc.
@cedar void I'd take a moment before moving on to try and understand the output, it is explained in the section - but it's not quite obvious until you perform some tasks
I.e. using rights to assign an spn to do password cracking
Not going to lie I'll be taking another pass through the ACL stuff, we completely new for me
^ I spent a solid few minutes trying to understand the output and the example from the module before it clicked
Once I did everything else I did made more sense
gonna have to study bloodhound more too. I got really lost with all of the options in there.
I didn't care for needing bloodhound for some tasks, as a note: you'd want to use a docker bloodhound for parrot, as the latest in their repo is 4.0.6 and the bloodhound on the windows targets is 4.1.0
So the collection data gets borked

Like I really want to learn bloodhound in and out. Seems so good. Same for burp
It's good
considering buying the bloodhound module but probably overkill for now
fair enough. I should spend more time on lol because my end goal is red team
Like bloodhound is good if your challenge is just "see if our EDR even works lmao"
how long does nessus scan take usually?
The skill assessments for that module have pre-populated scans
The scans themselves can take easily an hour
meaning I don't actually have to launch it?
hello, can anyone help me with the module: attacking common services, section: attacking email services. i already found the m**** user for the server, i am only not able to find the password for it. can anyone help me with the wordlist to use, because i already have tried with pws.list provided in resources and also the fasttrack.txt wordlist
Nope, just sign into it via the https://target_ip:nessus_port
The module should give you creds
hey @fathom pendant can you help me with this one #modules message
Where can I report outdated info on modules?
Try without the @domain
Gracias
i already tried
I forget what exactly I did, I just remember it didn't take long
if you can be more specific that would be great help.
I dont recall so I can't be more specific 
was not funny at all
Listen if I don't remember it usually means I didn't fight the struggle bus with it. Or at least didn't fight long with it
Hey hackers , I just pwned popcorn without metasploit 🤗🎇🍿. What a start to the new year 🎊🎇 . Thank you to the community for sharing knowledge🪔🧁
no not even interested to know .. nothing valuable to learn so i'll pass
Congrats but this isn't the channel to share progress on starting-point machines
Read #welcome to find out how to access more of the channel
And yes this channel is regarding academy modules
Awesome! Thank you!
Thank you MarcieLee.
Hello mate : ) That problem is magically gone with 2023 😂 I did nothing with my tool nor pc but problem is gone very interesting and I am happy😅
I think I'm a little confused. I'm working on the Pentester job path and they have us attacking boxes and all that, but does a client always provide the machine's IP, or are there scenarios like a Blackbox scenario where we aren't given any IP to work with, and we have to rely on osint?
If so, then how would one even go about trying to find IP addresses for the machines?
There's still a scope to work with
And that's also something that's discussed in the meetings leading up to the pentest
What sort of external recon is allowed and such
Well I mean in the real world a hacker's not just going to know the machine IP, how do they do it if we don't practice the same techniques?
Would that not be a crucial step in the attacking process if you were treating it as a real attack?
I guess what I'm trying to ask is why we aren't required to go through that step if hackers are.
Is it just like super easy to get the machine IP, and it's not worth the effort?
This might be a dumb question because I guess you could just get the companies website IP, but in scenarios where that doesnt lead you anywhere, what would a hacker do to figure out that info?
which module is this about?
The Pentesting jobpath
Theres modules that teach about OSINT
So then it'd just be an OSINT thing?
weird
If I was trying to protect a system, I would think that the machine IP would be like holy information not to share with anyone outside the company.
I need a little help
Can anybody recommend me a fast and good VNC for android, using which I can get access to a device sharing local network with me?
[educational purposes only]
Probably somewhere in HTB: Serious Discussions
Can u recommend a VNC then?
Hello has anyone completed Protein Cookies 2 challenge??
Behind every website you visit is a machine ip that you could pentest and there is no hiding those
Fair enough
And if you get paid to pentest then you are provided with what a company wants pentested. This may be one or more websites but it can also be that they give you access to their internal network directly as a low privilege account to see how far you can get once you are in
hyy guys
if you need help for this,you can dm me
Nice little tip I found, if you are restricted and can't get PowerView running on your box and you need to lookup a domain SID to perform a /ptt attack. You can use sid::lookup /domain:INLANEFREIGHT.LOCAL within mimikatz to get the domain SID.
It's kind of wild how easy it is to accidentally break the law with hacking, whether it be malicious or not.
Read and follow #welcome to see more channels
Better ask in #challenges
Figured it out, you can just use whatweb to get the server IP address a website is running on.
Reminder: this channel is for assistance with academy modules.
IS there like a general chat channel?

hey new here learning ethical hacking unethical hacking is a plus too
@next bronze Wow, it really seems to have clicked. Skills assessment 2 has been really fun. Been going through it, very methodically. SLowly but surely. Its amazing how these skills assessments drive home techniques we've learned (thats the point I know).
lol, Im guessing that doesn't have to be done for a module. So you best not ask that in this forum. The admins will tell you the same thing
well, the reason won't be valid. They won't I can guarantee it
want me to show you 5 instances where they told people that asked unrelated stuff to not ask it here
its against the rules
Does anyone have advice or hints? This question seems to not be in any of the forums which makes me think it's an easy question, which is doubly frustrating
there are tools like rubeus used for that in the module
I can't figure out how to get them on the machine though, and they're not there already
the file transfers module showed a few methods for that
awesome
?
that’s good
alr?
really great
In this room, when visiting the website with the port specified it works fine when browsing the website but I get a timeout when I visit wp-content or wp-includes, website shows a 404 nginx page when a directory doesn't exist or a page has a firewall but it seems to be glitching out for the directory needed
hello can any one help me with this
Enumerate the Linux environment and look for interesting files that might contain sensitive data
the / signifies a directory
Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer. https://academy.hackthebox.com/module/51/section/1592
Yes I know, its common sense to put a /
did you end it with a / ?
what have you tried?
Worked, Thanks.
I tried everything but it didn't work. I've been stuck for two days
i remember being stuck there too
i eventually grepped for the flag
Can you help me please I'm so stuck here and I'm tired of trying
I have tried everything that comes to my mind and I have not found the flag
you could always use the grep command 😉
i use but i can't find flag
i recursively search within files with grep and then list the filenames that match your search query to find the flag. grep -r -l 'search-query-here' /path/to/search
but i can't find
These two commands are both basically equivalent right:
"Get-ADGroup -Identity "Help Desk Level 1" -Properties * | Select -ExpandProperty Members"
"Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred2 -Verbose"
Hi, in the shells and payloads module, live engagement section, 3rd host, the host is vulnerable to X vulnerability, I used msfvenom check function for that X vulnerability and it is sure vulnerable, but when I try to use the exploit it says that exploitation completed but no session, I am sure that I set all the required options for that exploit
I would appreciate any help I was stuck on this for 4 days
glad to hear that, good work 
So I am on the linux fundamentals and doing one question asking how many total packages are on the system. How would I use the find command to find "Packages" I know how to find it if its a certain file extension but idk what they consider a package
AD Enumeration Module on the Kerberoasting from linux section. I've got the SAPService creds, but how do I check what groups does he belong to?
I've tried with almost all the tools mentioned in the Credentialed Enumeration from linux section but with no success
check the output of GetUserSPNs.py
make sure the options are configured right in msf
if you have to do apt install then it's a package, google how you can use apt to list installed packages
Yeah I found the dpkg
Yeah I am pretty sure
also use the right variant, the hostname gives you a hint on the vulnerability type
I went through the whole module for a second time. I've tried encoding, http, https, smb shares, ftp, and still nothing
Hi guys, I'm having an issue on the Footprinting module, Hard lab, and I'm not sure if it's a local one or I'm missing something. I found an SSH key, but when I try to connect with it, it just times out. I've changed the permissions, but still no luck. I've got a verbose mode log, but unfortunately, it doesn't help me much either. Has anybody else encountered this?
you can use that, but there are a few extra things listed in the output
are there any errors?
hi
how can print the value of a function?
def list(data):
    finall_list=[]
    for i in data:
        finall_list.append(i)
print(list(data))
output : None
because the function isn't returning anything
I sure did
I tried the manual exploitation but it crashed the system 
you sure about that? that exploit has variants for different OS versions
msf should work, use the one with the last word starting with p
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
What does it mean by submit the number?
So, sometimes the upload works when I use the webshell, and I can see the files. But they come in with a size of 0 bytes, and when I use them in the reverse shell I get no output
check if there are no extra lines
i really encourage u using vim to check and remove any extra blank line at the end
I did
Exploitation completed, but no session was created
My lhost and lport are correct
Target lhost&lport are correct
And yes I made sure it is lhosts
restart the lab, and try again, if it still doesn't work, dm me screenshots of your msf options and ifconfig of the attack host
I did this more than 10 times
I will dm you
can someone give me some advice on misc techniques for linux priv esc module...i am trying to run the cp command but i get this error after the mounting :
||[root@htb-zilqzxubew]─[/home/htb-ac-814020]
└──╼ #sudo mount -t nfs 10.129.2.210:/tmp /mnt
┌─[root@htb-zilqzxubew]─[/home/htb-ac-814020]
└──╼ #cp shell /mnt
cp: cannot stat 'shell': No such file or directory||
Idk how I didn't notice it, thanks
holy moly file transfers is such a wordy module.
Thanks, but it doesn't seem to be the case, I tried connecting with a password instead but I'm not getting any response either, its like the ssh service is completely unresponsive
nvm
I got it. It turns out my downloads on my host machine were corrupt and at 0 bytes for some reason. I also refreshed the VMs a few times and then used the native Antak upload option and it finally worked
Thank you!
Anyone available to sanity check "Information Gathering - Web Edition" .. Vhosts section, just want confirmation on a flag is all 🙂 TIA
what’s the question
I have 2 vhosts giving the same flag, just want to confirm it isn't an issue with the module is all
And that I've maybe just not uncovered the correct vhost yet
the flags are all different
This was my assumption, ill retrace what I've done to see what the deal is 😅
Nevermind, using a different wordlist uncovered the final vhost
8 hour days
But also the time is absolutely bullshit, some take you longer, some take you shorter than the time estimated
the estimate doesn't matter, go at your own pace
@tiny reef How, 😂I am trying but unable to do
Me waiting for my exam result 😂
Totally not what I was actually typing, dang language settings.
I am going back and forth between the BBH and the SOC. Has anyone else here done the SOC? I cannot even get 50% done because everything keeps crashing.
Also, for the BBH, are there many folks that did anything with the hackerone?
hey so i run into an error when i wanted to clone the XSStrike
it says: fatal: unable to access 'https://github.com/s0md3v/XSStrike.git/': Failed to connect to github.com port 443 after 129614 ms: Couldn't connect to server
and am in a htb instance
can someone help?
can it even connect to the internet?
1: if you're connected to the 10.129.x.x target, they have no internet access
2: unless you pay money, pwnbox is limited as well
yea its connnected to 10.129.x.x
so i have to make a new target?
Then point 1
The targets don't have internet access
You have to download on your system and transfer over
hey have you done the tier 4 AD modules? the LDAP and powerview modules, any thoughts on those?
xsstrike might already be installed, check in the usual directories
^
i mean it loads on the website
?
sorry if my english is a bit bad mann am from greece
afaik none of the spawned targets can connect to the internet
Or are you ssh/rdp to the 10.129.x.x target
Pwnbox is the in-browser vm
The little window
the pwnbox says: uk 67 ms
i am connected through the htb vm and when i try to clone the Xsstrike it says the message i sent earlier
[This is also why it's suggested to make your own vm]
not bought
@fathom pendant have you tried using WSL instead of a different VM?
my teachers friend works at htb so he gave me cubes
OK your messaging is confusing. Please link your main htb account following #welcome so you can post screenshots
Nope, I prefer the abstraction layer of a vm hypervisor
Less likely to incidentally brick My computer
Oh, okay. I have gone back and forth between Hyper-V and VMs. I think that wsl seems to use fewer resources. Plus, it boots up faster. Well, in my mind anyway. lol.
My point being is wsl is more closely linked to the main OS
hyper-v is still a vm, and wsl uses hyperv to virtualise a linux os
i will try to make it more clear. when i am in the module and go at the end of the page there is a button that says start instance or spawn i don't remember, i press that and it spawns a vm.
I understand. You want that barrier. I have different boxes for different activities, so I guess I never think of that. I have been thinking of just using my PI4, or save up for the 5, lol.
Start instance is the pwnbox
yea thats what i did
It is not the target
sorry i got confused
And using that, it gives you the error
it doesnt give me the error when i do the xss discovery
the error shows up when i try to clone the xsstrike
As it appears to be a pwnbox issue or something
ok thanks for helping
Yes, I have done both. I thought they were very good.
can someone give me a tip as to maybe what i may be missing on commands or steps? i am on python hijacking section under priv esc linux...this is my error:
||htb-student@ubuntu:~$ ls
mem_status.py mem_status2.py status.py status1.py util.py
htb-student@ubuntu:~$ sudo /usr/bin/python3 /home/htb-student/mem_status2.py
[sudo] password for htb-student:
Sorry, user htb-student is not allowed to execute '/usr/bin/python3 /home/htb-student/mem_status2.py' as root on ubuntu.
htb-student@ubuntu:~$||
What do you have more difficulties with?
hmm I don't think I have difficulties with those atm, just want to learn more
this is what is in the py script
||#### Hijacking
import os
os.system('cat root/flag.txt')
global _TOTAL_PHYMEM
ret = _psplatform.virtual_memory()
# cached for later use in Process.memory_percent()
_TOTAL_PHYMEM = ret.total
return ret||
follow the steps shown in the section
@lusty thicket are we to edit the mem_status.py script?
ok
@lusty thicket so i cannot run this command sudo /usr/bin/python3 ./mem_status.py...i need to run this sudo /usr/bin/python3 /home/htb-student/mem_status.py...but i only get available memory output and that's it
go through the section again your task is very clear
@lusty thicket went back and got this result
||htb-student@ubuntu:~$ sudo /usr/bin/python3 /home/htb-student/mem_status.py
uid=0(root) gid=0(root) groups=0(root)
Traceback (most recent call last):
File "/home/htb-student/mem_status.py", line 4, in <module>
available_memory = psutil.virtual_memory().available * 100 / psutil.virtual_memory().total
AttributeError: 'NoneType' object has no attribute 'available'||
so got the flag...i get where i went wrong and needed to do...ty
Am I wrong, or have the cheat sheets been a little bit broken lately?
About CSRF, in the input when we give a file, when we pass a .js file, will it be executed when we send it?
does anyone know how to fix the target system in the cross site scripting module on the phishing session?
because it says that the target doesnt have internet
it says the connection has timed out
strange
anyone around for a quick dm about modern web exploitation skills assessment (dns-rebinding)?
can somebody help me with one of the Linux Q's? Ive been trying to find the answer for awhile now but i get 0 results when looking for it in the terminal
would really appreciate it, its making me insane ;-;
Are you ssh to the target?
It also helps to give more context, module and section name
tyty, no its just on the local machine
im working on Task Scheduling and the Q is to find what is the type of service of "syslog.service"
Ah
I already tried systemctl -p Type
and it returns nothing
and when im the show and search for type, still nothing ;-;
it might just be my local machine or something, but just wanted to ask first to see if im doing something wrong
Hint: ssh to the target
in this one i cant ssh to the target
damn
and trying to start an instance doesnt work either for me :PPP
Don't put type? See what happens
systemctl: option requires an argument -- 'p'
haha its okay
It's weird that if you run 'show' it gives you nothing
ikr ?!
oo rlly :o
Yeah
well it does exists.... i just dont know how it doesnt have a type
and htb is asking for it
should i reboot??
¯_(ツ)_/¯
lets find out
Probably
welp that was expected.. still nothing
okiokki
It really doesn't
figured :P
Htb-edition is mostly marketing stuff, since pwnbox is based off parrot
0.0 this is the output ||LoadError=org.freedesktop.systemd1.NoSuchUnit "Unit syslog.service not found.||
Ye add r in front of syslog.service (rsyslog.service)
And you'll get the answer
👍 found it out by fuckin around with locate and find
Like I said, fucked around a bit. Because there has to be a system logging service running
god... tysm, srry that you spoonfed me
ill take this as a lesson to fuck around and find out
Nah it's more of a pain in the ass
Some of the modules do genuinely have those "lmao you thought" moments
smh my head.. cant wait =.=
Helping you helps me be more accurate with others in the future
ahh yeah ofc :P,, tyty for the help !
when I did it, I did it on the pwnbox. Which is likely why it gave me the answer without having to fuck around ¯_(ツ)_/¯
You had the right steps so it's not like I directly spoonfed it to you
It's just on parrot OS it's slightly different enough to be a pain
yeah it was likely to give it to you on there
ill know for next time some shit like that happens just gotta dig for it 🕳️
About CSRF, in the input when we give a file, when we pass a .js file, will it be executed when we send it?
hi guys for the lab hydra im on login form attack and + 1 Using what you learned in this section, try attacking the '/login.php' page to identify the password for the 'admin' user. Once you login, you should find a flag. Submit the flag as the answer.
i got the password and i am logged into admin but the flag doesn't work
hey I am a beginner should i take the Nmap Network Enumeration with Nmap
I am unable to spawn my lab in the firefox browser. I am operating from another laptop.
The tool both correctly identified the type of vulnerability and gave a working payload.
For transparency's sake: I passed it a captured burp request (vs. messing with the tool's other functionality).
also guys I cant connect to hacktheboxtarget on brute force I used to be able to but not anymore
Hello everyone.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-01 20:59:12
[DATA] max 4 tasks per 1 server, overall 4 tasks, 200354 login tries (l:14/p:14311), ~50089 tries per task
[DATA] attacking ssh://92/
[ERROR] target ssh://94.22/ does not support password authentication (method reply 4).
- 1 Using what you learned in this section, try to brute force the SSH login of the user "b.gates" in the target server shown above. Then try to SSH into the server. You should find a flag in the home dir. What is the content of the flag?
anyone know how to fix
did you put the right ip in your command?
does not support password authentication
means you can't brute it, also module and section would be helpful
For those who struggle with the module "INTRODUCTION TO WINDOWS COMMAND LINE", question # 5 (user4) - use Get-Childitem cmdlet
Service Authentication Brute Forcing
hydra
and yes i used the target ip but I cant visit the website
or ssh the prev sections I could use the target
I tried spawning my IP machine on three different browsers with no luck. Again, I am using a new laptop because the power unexpectedly went out on my old laptop
Login Brute Forcing
you're meant to make wordlist and password and then brute force ssh with the ip
hydra -L //Desktop/bill.txt -P /william.txt ssh://94.22 -u -f -t 4
ssh://ip:22
please send your messages in one coherent paragraph
the port is not 22, use the port specified in the target ip
hydra -L //bill.txt -P /william.txt ssh://94.ip:36504 -u -f -t 4
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-01 21:10:40
[DATA] max 4 tasks per 1 server, overall 4 tasks, 200354 login tries (l:14/p:14311), ~50089 tries per task
[DATA] attacking ssh://94.237.56.188:41986/
[ERROR] could not connect to ssh://94.237.56.188:41986 - Connection refused
reset the target
thank u
disable adblocks, and contact support if still doesn't work
Do adblocks turn on by default when downloading a new browswer?
*browser
depends on how new you are, you'll need basic networking knowledge, do Introduction to Networking if you aren't familiar with it, then after that, sure, nmap is a great tool
depends on the browser, brave yes
I don't think it's the adblocker since I can watch youtube ads
it worked for hydra but when i try to ssh into it it says └─$ ssh b.gates@83.136.250.104:39697
ssh: Could not resolve hostname 83.136.250.104:39697: Name or service not known
oh wait maybe it is
google how to specify a port with ssh
danke
Oh wait yes it is. Not all videos have ads
Support isn't available
I wonder if I have to set up the pwnbox whenever I get a new laptop
Is it possible that antivirus software blocks my target IP spawning? I got a notification from mcafee that it blocked some risky connections
your mistake is having mcafee installed in the first place 
bruh... it came with my PC -_-
but really, first time having a premium antivirus, I got hit by Redline.. they were no help (called 5 times), I had to self troubleshoot and find the script that was running every time I ran my pc... tough times... This was a few months ago... I would have found that shit in minutes now but back then it took 2-3 days
Off topic... sorry.
To answer wandacalverton, you don't need to set pwnbox, it's web based.
antivirus won't block target from spawning, it's done by htb...
It will always tell you it blocked risky connections... it would be a problem if you got a page not found
PS: now I'm on windows defender
as someone who works in an AV company, I can tell you that they don't give a f about regular consumers if they get hit by a virus, support won't be much help unless you paid for their incident response or similar, if they even have that service for b2c
So what do you think could be the issue since I don't have any adblockers or scriptblockers turned on. I can't think of anything other than the fact that I last had my web based pwnbox open on my old laptop before my laptop went black because of a power cable failure
yo i have flag for HTB but it dont accept it what to do?
Oh that's good insight...
they had 3-5 technicians get remote access to my computer... they knew even less than I did (with 1 exception)
I had sec+ (among others) level knowledge.
Most went, oh if mcafee scan didn't find anything then you're safe. And I'm like no... I'm not... it still screams every once in a while.
One guy actually pulled out Autoruns which was pretty decent on his part. He also looked over the file system, he just didn't spot the thing that didn't belong...
Which btw, it was named ./Steam
I missed that shit too until I found the script hanging.
(again sorry for offtopic)
wrong flag
it not
check formatting
what's the issue, target is not spawning? Sometimes it's finicky.
try a few times, change servers tcp/udp all that stuff.
If you wanna try to troubleshoot, use a different device and see if that solves it (to see if the issue is device related)
I tried targeting the IP for any lab ...and everytime I try to do that , it reverts back to the 'Click here to spawn the target system!' text after attempting to spawn the target IP address each time.
I tried on Edge, chrome, firefox and brave and I am having the same issue
lol that's a funny story, I'm surprised they even offer remote to consumers, hope you didn't have to pay extras. b2c supports are (usually) outsourced and the quality varies wildly because they don't care much about consumers after they have sold you the product (I'm in b2b so I can talk as much crap about b2c as I want)
"Click here to spawn the target system!' "
Are you spawning the module's target or pwnbox, are you having the same issue for both?
Maybe click and give it some time, the browser shouldn't matter
The pwnbox opens fine. It's the target IP address that I am having issue with
hahah, I got a 1 year mcafee sub w/ pc, so ig that was included.
Yeah, they didn't really care much, interesting to see from someone who works in it
It was a stressful day...
But I think I remember them talking and checking whether my subscription included that and talking about upgrading or something, don't quite remember it, but eventually they got the (higher tiered support guy that spun autoruns)
at this point I'd ask for screenshots... how long are you waiting when you press spawn instance?
Everytime I try to spawn the target IP , it never gives me any IP address
give it a second.
Is anyone else having a similar issue?
It shouldn't be because of your device bud.
You could try it on a phone if you wanna check lol
ah you got hit by the classic upselling "pay more so we can fix it for you"
and I don't work for mcafee, but their consumer AV is well known for being crap. no idea about their enterprise products though.
try another section?
I tried this several times all night. Nothing has changed so far.
I tried another section as well
welp, this sounds like an email support situation.
unless someone else got more ideas
I'm stumped on this one now too, anyone able to provide a nudge in the right direction please?
Maybe it is. I already emailed them
Is grabbing someone’s IP but not sharing it legal
Here in my hands, I hold 10.0.0.10
What is that?
feel free to dm, I'd want a picture of the yara and the seatbelt.exe
mind I'm in the middle of the cdsa exam.
But generally, you check the packets, maybe make a super broad rule to then specify the answer... just gotta find the right string/command
.
I read it
yes, buy cubes or subscription
What is that
my ip, and yours, and everyone else's
hmmm @next bronze , you got his ip?
yeah just ping it
Why😭
Hi i just joined hack the box and wanting to learn the fundamentals any tips on what modules to start with for the basic!
ping Krox_ ain't working lmao /j
alright before this gets out of hand, that is a private ip, if you want to get started, hackthebox has some free tier 0 modules, check those out
there is a security fundamentals path
thank you
Where do I find them?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
I think there is a "getting started" module and some initial tier0 modules that you can use if you're a complete beginner
i found it thank you for the help
Thx
to answer all the people asking to learn to hack.
You gotta start from the basics, learn basics of networking, learn the basics of OS, software among others. After getting the foundationals down, you can move forward and learn bit by bit
Biggest tip is stay curious and poke around, go little by little, don't try to jump the horse
maybe, maybe not... but bud, this channel is for #modules related questions... I think there's a better general channel for that
please check #welcome , get verified, this isn't the channel for this
knowing how to use google is an important foundation skill to be a hecker
I don't perhaps need to spawn a new cloud address after attempting my htb academy lab exercises on a new computer?
Anyone have any issues with the CPT- Attacking common services Hard lab final question?
I've got the flag, directly copying, wrote it down manually, still having issues
Also where does the discord request help button post to?
nope, that cloud address is accessible from any machine
Done verifying
Likely wasn't actually sending a POST request, Hard to say without seeing it first hand
That's exactly what its like! Don't forget the being asked to hack insta
And I don't understand Why the 'Adblock Detection' Screen comes on when I can go to youtube and watch videos with ads
This is hackthebox labs
probably cause post and get requests are structured differently
BUMP , This is driving me insane
Wait reloaded the page and it had accepted, even though it said it was wrong -.-
in brute force login for hydra when you brute force into SSH why do they then bruteforce the 2nd acc in FTP
instead of just brute forcing again from ssh?
because SSH is very slow
:)
I got stuck on this part for more than 3 hours.
"Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_)."
in Pass the Ticket (PtT) from Linux of Password Attacks module.
By now I have gained all the accesses available, like root, julio, david etc.
I have found ccache files along with outputs of "find / -name "keytab" 2>/dev/null".
But I am failing to impersonate to read the flag in \DC01\linux01.
The command I am using is: kinit LINUX01$.INLANEFREIGHT.HTB -k -t /var/redacted/ccache_INLANEFREIGHT.HTB
Is the ccache expired?
Not sure. But I am getting such error:
kinit: Client 'LINUX01$.INLANEFREIGHT.HTB@INLANEFREIGHT.HTB' not found in Kerberos database while getting initial credentials
then try the method of export KRB5CCNAME=/path/to/ccache
also it's likely that the .INLANEFREIGHT.HTB is what's fucking up your kinit, try just the LINUX01$@INLANEFREIGHT.HTB
also it's yeeting it because it sees codeblock as spam if your account isn't linked
Hmmm... I exported KRB5CCNAME and it is showing the right file. But still I am getting the same issue.
I am seeing only ccache file, is that in the same directory?
||Ticket cache: FILE:/var/lib/sss/db/ccache_INLANEFREIGHT.HTB
Default principal: LINUX01$@INLANEFREIGHT.HTB||
When I check klist, I can see I have already impersonated a few service principals. Like:
-krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
-ldap/dc01.inlanefreight.htb@
-ldap/dc01.inlanefreight.htb@INLANEFREIGHT.HTB
Maybe I already have the right to accomplish the task. Is it just to use smbclient //dc01/linux01$ -k -c ls -no-pass?
try
Sigh. Not working.
root@linux01:~# smbclient //dc01/LINUX01$ -k -c ls -no-pass
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
kerberos needs fqdn, use the full name
Thanks !
You mean for my smbclient command?
yeah, dc01.inlanefreight.htb
I want to end this task with an unintended way. I am so tired lol
root@linux01:~# smbclient //dc01.inlanefreight.htb/LINUX01$ -k -c ls -no-pass
session setup failed: NT_STATUS_CONNECTION_RESET
Finally found the way from the HTB forum. There were guys like me who struggled, some of them even skipped the module. There is a need to add a little more hint to this task. The existing hint is confusing and even misguiding.
Currently stuck at Windows File Transfer Methods module. Is this question limited to only using powershell?
Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, RDP to the box, unzip the archive, and run "hasher upload_win.txt" from the command line. Submit the generated hash as your answer.
there's a few ways to transfer: SMB, Mounting with the Remote Desktop Program, Hosting a Web Server
Can somebody help me with PHP Web Shells in Shells & payload section , I cant find credentials to login to rConfig web page
I stored the queries in a variable so instead of typing everything out it was just a variable. If you want you can dm me.
hi, I am new to hack the box and is having troubles with Ninetail, can anyone guide me on what i need to do
been stuck on the linux priv esc module for a while now, the sudo section. i've completed the skill assessment and everything else. i identified what i can run as root with sudo -l, i've checked gtfo bins, tried to find exploits online, asked chatgpt, but cannot figure out what to do. am i on the wrong track or something
got it
Wrong channel, I guess this is the one you're looking for #starting-point
read #welcome
if my htb account is enterprise can i still do it
read #welcome and find it out since I don't have access to that info
Does someone knows what is "special rewards" for Weekly Streaks
Check your Badges
Badges is the only one rewards?
idk
Lol, got it
But you're sure to get badges.
another platform has a similar system. But you have to be active there every day.
When you reach a goal, you get a badge
I wonder what's the highest streak week that's going on. I'm on 6 week streak but I wonder if I started late and missed some week.
I have no idea. As you can see, I don't even have the first week streak
As soon as I find some time again, I'll finish the CWEE path
Do u mods have all paths/modules?
I buy the modules like everyone else here
Ah, I just noticed. Thought you'd be keeping up the streak. I guess you chose to chill for now lol
Can anyone DM me or can I DM anyone about Client-Side Prototype Pollution in Whitebox Attacks?
Before the CDSA exam, I prepared for the exam with various things and therefore didn't do any new modules.
I hadn't actually done any modules since the CDSA exam. But more due to a lack of time.
What exactly do you want to know? Just ask your question here
I can't get my payload to execute on the client side, even if it works on my end.
I'm trying a simple GET request to see if it works and I get nothing.
When sending the link to the admin, I don't get any request to my http server.
Nothing is ever sent to your HTTP server. You have to find another way
And read the Hint from the Task
Yeah, but what option do I have with the payloads? Can't extract cookies, can't extract content of the admin page...
My idea was to fetch the content of the admin page and send it to my HTTP server.
Ah, okay, maybe I did find something. Let me check again.
As the hint says, let the admin do something for you
I didn't know I could see what I needed, but I solved it now. Thank you, much appreciated!
Any tips on the last question on the Skill Assessment of Understanding Log Sources and Investigating with Splunk?
Splunk - find through SPL searches against all data the process that started the infection.
As far as I've found out, the .exe file that "created remote threads in rundll32.exe" was simply downloaded thru msedge and executed manually thru explorer. I don't understand the question
WEB ATTACKS
Web Attacks - Skills Assessment
Try to escalate your privileges and exploit different vulnerabilities to read the flag at '/flag.php'.
- I found the reset page.
- I fuzzed for parameters
- I cannot find any parameters.
Any help would be appreciated
What exactly is unclear? You seem to have answered the question
Try to list the users
Ok, I've found the answers, I thought the task was to investigate the origins of the .exe that was the answer to the previous question (which eventually led to compromise). My bad
How do I list users if I dont have initial access. All I have is the reset.php and the index.php which is an auth page. I also have profile.php and api.php but can't do anything with those...
You can't do anything with it? Really not? Take a closer look at these things.
Hard to keep the streak when the exam is 7 days long haha
This feature did not exist before.
it's been 5 weeks, it was out when you took the exam, I'm just speaking for myself that it gets hard to keep streak while you're doing the exam
Yes, it came out before I took the exam. But I didn't do any modules before the exam, or work through the modules I had already solved again. At least partially. But of course that didn't give me any points.
But don't worry, I'll get those badges lol
Has anyone encountered this error with evil-winrm? I've been setting up a new attack VM (parrot Linux VM hosted on M1 Mac), and I haven't been able to get evil-winrm working.
In https://academy.hackthebox.com/module/67/section/627 Windows Privilege Escalation, Kernel Exploits, Does CVE-2020-0688 actually work with windows/x64/meterpreter/reverse_https , or do you need to use a different msfvenom reverse shell?
the payload shouldn’t matter but just stick to reverse tcp
Hi guys, I need help with this. The HTB Academy objectives are not loading for me, I have the student plan, can someone give me a hand?
"Target: Click here to spawn the target system!"

Is there a way in command line to read all of the files recursively throughout a directory tree?
I'm in intro to windows command line and they want me to find a file that contains a flag, but the exercise is not using the standard flag format that HTB is using
There are over 100 child directories and tons of the same flag.txt file with nothing in it
not sure what exercise that is, but if there are decoy flags with nothing in them, find a way to filter empty files out of your results
Yes that is what I'm looking to do, I just don't know how to do it
with python or powershell probably. When you google "recursive search tree" + powershell/python you should get results
It's the entire morning that I'm firing sqlmap in SQLMap Essential module, I'm stuck against Attack Tuning -> Case #6. Any suggestion beside Use the prefix '`)'?
all of them but the one are 0 bits 🙂
Yeah I haven't been able to find that
find by > 0 bits
Should be able to do it with a one liner in powershell. This is a task that I would personally use chat gpt for since I am not the best at powershell but I am sure you can research some other forums to see examples of filtering searches as well
Get-ChildItem -Path "C:\Your\Path\Here" -Recurse | Where-Object { $_.Length -gt 0 }
Can someone explain the following, please?
I was doing: Utilize the Get-WinEvent cmdlet to traverse all event logs located within the "C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement" directory and determine when the \\*\PRINT share was added. Enter the time of the identified event in the format HH:MM:SS as your answer. in the Windows Event Logs & Finding Evil module in the Get-WinEvent subsection.
But somehow neither 19:30:30 nor 20:30:30 was correct.
I did get the correct answer eventually, but had to adjust to my own time-zone...?
So you got the answer?
I do
Hello, I would like, for the module "linux fundamentals", to create a bash script which connects me directly with openvpn and opens a new terminal connected via ssh to htb-student and lets me interact with that new terminal to do the module.
This is the script I wrote :
launchhackthebox.ssh:
#!/bin/bash
openvpn hackthebox/vpn/eu-academy-1-DE.ovpn &
gnome-terminal -- ./launchssh.sh $1
#!/bin/bash
sshpass -p "HTB_@cademy_stdnt!" ssh -o StrictHostKeyChecking=no htb-student@$1
But it doesn't work because I can't use the new terminal it opens.
Hey, guys. I'm trying to get a Windows VM set up on VMware so I can actually begin doing some real learning on HTB Academy. 😑
Got almost everything installed (as per the instructions on https://academy.hackthebox.com/module/87/section/885), but WSL will not work.
Tried accessing the VM Bios, as well as disabling Hyper-V & Windows Subsystems for Linux (WSL) on my host machine, as suggested on the VMware forums by someone w/ a similar problem (https://communities.vmware.com/t5/VMware-Workstation-Pro/VMware-Workstation-16-1-2-on-Windows-10-21H1-Host-unable-to-run/td-p/2869908).
Clearly most people here have gotten past the first freakin' module... so I'm hoping any Windows users can tell me how they set up a Windows 10 VM, on a Windows 10 PC, while using WSL2 in the VM.
look for an option on VMWare that says enable nested virtualization
Hey guys. Newb here. I'm reaching out bc I am regretfully stuck on the very first question on the Password Attacks Module - Network services questions (Yes, i've downloaded the password and user name list from the top of the page). I started with crackmapexec, utilizing the user.list and password.list and all I ever see with any of the services I'm trying, is either status_logon_failure, or Authentication failed. I know i'm missing something really stupid and basic here - i haven't done a module since october so i'm a bit out of practice.
not sure, try another tool that's mentioned?
i dont think thats doable because openvpn needs elevated rights
Thanks for responding to this message. Using sudo ./launchhackthebox.sh, it launches openvpn, and I think that if I only write the first two lines, it connects me with openvpn. I created a post about that here: https://discordapp.com/channels/473760315293696010/1191786935056879636
Yeah, I tried that too.
that's not it i don't think, could be wrong. Try to find another option

you need to enable hyperv in the vm
idk i just use zsh autocompletion xd
Thanks, is there any reason that CVE-2020-0668.exe shouldn't work if the maintenanceservice.exe is in C:\Tools and not C:\Users/htb-student\Desktop ? Assuming of course I use the correct path for the second argument?
I tried and the app reports success, however only if I placed the malware in C:\Users\htb-student\Desktop do I see htb-student:(F) from
icacls 'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe'
Need help with the Module Web Proxies, specifically the Proxying Tools options. i know how to get into msfconsole and set the rhost, rport, etc, but routing the traffic through burp i am a bit confused on. also don't know what website to go with, i was using 8.8.8.8 or google.com basically but i am a bit lost
go through the modules options by entering the command options
okay, i see the proxies options, enable that and set it to localhost?
ohhhhh or need to turn on that proxychain thing
as you can see proxytype:host:port
but do i need to do anything with linux proxychain? or am i headed in the wrong direction?
@lusty thicket does this look right?
you can also modify proxychains to route your traffic through burpsuite
yes
so technically i can set it here in proxies, as well as via proxychains
should be http:lo:port
yes
gotcha, set the proxies to 127.0.0.1:8080
going to do the run command and see what burp picks up
it wouldnt appear under the intercept tab tho in burp, but the http history i guess?
is there anyway to hone in on which item to focus on?
@lusty thicket 😅
the question says ‘what is the last line in the request?’
its apparently suppose to begin with msf but im not see that going through these requests in the http history
i think i setup the proxy wrong, not seeing it on burp suite even with rerun
it looks right but then after hitting run, i dont see anything in burp
might be a problem with your rhost and rport
what should i change them to? that's the target, the instructions said any website lol so i just used google, maybe that's the problem
google.com doesn’t use the port 8080
it should get something tho in the http history tho, no?
ran a couple of times with varying options but nothing appearing in the http history which makes me think there is more to the burp proxy setup
maybe set the proxies with this format
that did it!
lol now i am seeing it route through burp
that was it lol having to specify the http:IP:PORT
guess it's like a parameter thing specifying what to use to communicate?
mmmh any hint regarding File Inclusion skill assessment?
||- Found the admin page ( hinted )
- Found various logs
- Tried poisoning UA with "issues" [ " gets translated to x22 ]
< Uncaught Error: Undefined constant 'x22cmd\x22'>
||
Imho, i'm missing something stupid regarding the last point :°)
awesome
strange
During initial installation of the Windows ISO, I had trouble installing some versions other than Home.
Chat GPT:
[ Enable Hyper-V on Windows 10 VM:
Inside the VM, open Control Panel.
Go to Programs and Features > Turn Windows features on or off.
Enable "Hyper-V" (if available). If Hyper-V is not listed, it might be due to the VM's Windows 10 edition (some editions like Home do not support Hyper-V). ]
Turns out Home is the only version that doesn't support Hyper-V. Have to create a new Windows Pro or Edu. machine.
Guess no one uses VMs at home according to Microsoft.
yeah pretty much
yep, i do agree. In the end using ||<?php system($_GET['cmd']); ?>|| via burp worked it out, using ||<?php system($_GET["cmd"]); ?>|| via ||curl -A|| and modifications, broke the things
Home is meant for regular avg joe users. Anyone running a VM by def is not a regular avg joe user
Learning is pain of mind, like exercise is pain of body.
How do you make text in your messages be blacked out like a redacted document? That's awesome.
double pipes ||
double pipe on start and end, or well "select" with the mouse and "eye" icon
and end with ||
and yeah, is pretty useful to avoid unwanted spoilers to third parties
I am a ||mysterious|| man. ||Iron Man song plays in background||
I'm not sure baby's first php web shell counts as spoilers but yeah lol
😄
😆 Does that work in any server, or is that an HTB server thing?
should be discordwide
might still be an unwanted hint to someone 😛
the double quotes are breaking the log
Is anyone able to help me out with this one
it means what it says.
count the unique paths and submit the number
I meant is anyone able to give a hint of what tool to use? I tried the ones stated within the pages
My brain forgot how I got the answer
Start with curl
Alrighty
If you do man curl you can see all the flags/options for it
Is it normal for environments on the academy to take extremely long to respond ?
Anyone do Web Proxies Module, section Burp Intruder? I can't figure out how to set this up right even with the hint
just add .html to the payload
that thing with the strange symbol in the intruder tab
literally straightforward
what am i doing wrong then lol im clearly missing something @sly dome
Is netsh.exe able to be run without administrator privileges?
Doing the tunneling and pivoting module and the exercise wants me to set it up on a windows machine that I only have standard user access on. I can try to elevate but I don'
don't think that is intended for the exercise
Did you even try to run as admin, and try password?
Yes, I have tried the HTB student password
under the admin directory
@lusty thicket im just lost on this one, been trying to set the correct get command and payload options/payload processing.
yeah nvm im stupid
@lusty thicket im trying here lol
Hey everybody! I am currently working on the "ATTACKING WEB APPLICATIONS WITH FFUF" module and I'm kind of stuck in the sub-domain fuzzing section. The question asks about a customer sub-domain portal on 'inlanefreight.com', but when I fuzz for the subdomains of inlanefreight.com, I only receive the ones already shown in the running text, not any additional ones. Did someone perhaps get stuck in the same place and might be willing to help out?
are you
go through the section again
@lusty thicket okay im stupid idk. i get that its going to iterate within a specific directory being IP:PORT/admin
for any file with .html
so id need some wildcard thing for *.html
intercept a request to the /admin directory and then ctrl+i send to intruder
the wildcard is the payload symbol
Ok, then my command must be wrong:
ffuf -w ~/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/
Could you maybe give me a hint, where my problem could be?
and after that you add .html
then you select a wordlist
and run the attack
then filter by 200 or 301 maybe xd
idk if the FUZZ keyword is case-sensitive
@sly dome where do i get this wordlist from?
use the same wordlist used in the section

