#modules
It was my mistake indeed. In another session of this module, it teaches how to enumerate users and create my own list, but I had forgotten about it. I managed to figure it out here, thanks anyway for trying.
trying to find my next answer in the ip config but it doesn't show help or manual
htb-student@nixfund:~$ man ipconfig
No manual entry for ipconfig
ipconfig is windows
because it's ifconfig in linux
ifconfig is deprecated
if standing for interface
its now just ip for modern distros
yep
I'm trying to find how to answer this: What is the name of the network interface that MTU is set to 1500?
ip a
I guess it's not really a direct question about a particular module, but I'm starting to notice a bit of a trend in these password modules: it shows a bunch of steps for how to get a particular bit of data by RDP, then passing it back to an SMB share on the attack box and then using some program to parse it. I have learnt some things from that as well as the actual info extracted.
But then it goes on to say you can skip all of that and use crackmapexec to get the data instead. I'm starting to wonder, is there a reason why I would go through the steps manually rather than crackmapexec 🤔
multiple ways to crack an egg
sometimes crackmap might not give you the answer or work in the way you want
if you have machine access, wouldn't it be better to not mete out an "attack" through the network?
Correct me if I'm being silly pls
mete?
many things you can do with machine access
sometimes there's plaintext creds in an easily accessible file
I found the answer with chat gpt help, it gave me this command: ip link | awk '$5 == "1500" {print $2}'
Was I really supposed to come up with that answer alone from the module?
launch out an attack through the network
there's a much simpler way without that
ip a
look for where it says MTU 1500
it just depends tbh
but it didn't talk about MTU and then that question
that's true. depends on the attack too, and whether there is creds or not and all
how could I know it's ip a?
ip a lists all interfaces and info
and ip a sure does have MTU in it
since you have the answer; look at that interface with that command and you'll find it
Unless you have hundreds of interfaces (e.g. if the machine is running Docker), running either ip a or ifconfig and then looking at the output should show the MTU values for the different interfaces.
As you get more used to using the Linux command line you will be able to filter the output of those, e.g. ip a | grep 'mtu 1500'
(grep is very useful to be able to use not just for this)
@fathom pendant What do I gotta do to earn DM rights lmao.
Can I DM once I get answer for the CDSA exam?
Or do I gotta wait until I'm on a module and you're the only one available and there's no other option other than sending a screenshot?
Anyone done the skills assessment for WINDOWS EVENT LOGS & FINDING EVIL? I have found the answer, but not the intended way. What I've tried: issuing an XML query to search for different .dlls through sysmon, while having the exclude option enabled. Any pointers?
I just wanted to say hi 😭 Didn't know I had to work for it lmao.
Actually, I already sent hi, but it was never answered cuz I didn't properly ask
if you've found it, and used the tools taught, that wasn't unintended. Good job
what's the question asking?
"By examining the logs located in the "C:\Logs\DLLHijack" directory, determine the process responsible for executing a DLL hijacking attack. Enter the process name as your answer. Answer format: _.exe"
Well, I'm dreading for cdsa, want to make sure I got my bases covered
more like a lucky shot that i found the right answer tbh
Not sure, try seeing if anything shows on id 8 (I'm assuming you looked over id 7)
Can I send you a hi message? I couldn't get a foothold on initial target lmao /j
Feel free to dm me more details on what I did. And I can tell you my thoughts
What is the index number of the "sudoers" file in the "/etc" directory?
htb-student@nixfund:/etc$ cd /etc/sudoers
-bash: cd: /etc/sudoers: Not a directory
how can I know the index number? and why can't I go there
to the file
how do I find its index number?
ls -i /path/to/file works
thanks, I just typed man ls and saw it
thank you very much for your help it really helps to get hint or explanation instead of just being stuck.
Just asking ahead if I max out HTB (all modules eventually) will I be a ‘good’ pen tester
Assuming I truly absorb, understand, and relate all concepts
I'm going in blind with a software engineer background
i mean in theory, yes
We’re on the same boat (still studying though)
That’s good enough for me! Thanks
Thanks
I started studying in high school and just graduated with my bachelors
I have been promised many jobs and all of them have vanished 😅 I’m ditching this field in favor of security… which has been my game plan all along I guess
If I had a dollar for every job app…
😮
Dang, I’m still on the learning path, so yea, trying to get the hand also on this field
congrats, keep it up
Hello.
If you have any questions or homework help lmk lol
ok thanks
sorry but I haven't started that lesson
but look at this video for help https://www.youtube.com/watch?v=YfZqz7o6BXU
someone probably can but they're not going to want to unless you actually ask your question
what do you need help with?
Some tutorials
well you're asking the modules channel
so the answer is going to be: do the sqli modules
:0, thx also, and nice to meet you
Yes
@supple gorge sorry if I did not reply but I was trying to resolve the problem... and in the end I did it... if you are interested, everything was fine, the only thing that the module doesn't tell you is that for the LOGON tasks Windows has policies that block normal users from running tasks, by default only Administrator can run them! Once you add a user (in Local Group Policy Editor->Windows Settings->Security Settings->Local Policies->User Right Assignment->Log on as a batch job) it works!
oh, so you need to give the user you created the task from the permission to Log on as a batch job, to allow it to create tasks with scripts to be run? very cool.
I did not know that, thanks for sharing
Good job on keeping at it
Yes! sorry again if I did not send you a screen... but I was working hard to do it and I completely lost Discord! but I'm happy to share what I achieved with others 😉
Keep it up
I am doing user enum using kerbrute but it is not storing the user list in a file
Yeah, the output doesn't work properly
so any idea what to do to store the usernames ?
I forget what I did
just use some regex to parse the output, and kerbrute isn't the only tool you can use
the task said kerbrute so I was giving it a try
Is Kali Linux or another Linux distribution like my workstation in HackTheBox, but just the real thing?
I mean the pwnbox is also the real thing
The pwnbox is just an in-browser solution
if I understood correctly, the terminal after I use "interact" is the pwnbox which simulates the real Linux?
It's not simulating anything
can I work with the pwnbox to hack some computer for example? or will I need Kali Linux
You can, however doing things outside of HTB with the pwnbox may violate HTB's terms of service
so what's the difference between my terminal in HackTheBox and a Linux distribution like Kali Linux?
Little to none
oh
so I don't need Kali Linux or something like that for now right?
only after I learned some
The reason it's recommended to download and install your own vm is because it'll give you more control over the environment, like tools
yea I'm trying to learn things one by one and not download and get new subjects before I learned the previous subject well
It doesn't take much to set up any virtual machine
Marcie, correct me if I'm wrong, but there's a module that walks you through setting it up right
Kali and Parrot both have .ova files for easy import into virtualbox
Correct. Bonus points if you can guess what it's called lol
@gray shoal
Ye, been watching that after trying to do something on the pwnbox one, like the VIM tutorial on linux fundamentals, had some things.....
thank you
The other bonus to your own vm: you're not on a timer
Need to reinstall ParrotOS there cause I don't remember the password there to log in

If you used the .ova, it's parrot
If not: skill issue

@thorn urchin can you tell me about your exam experience? Have you seen anything come from the obtaining the cert?
I wrote a blog post
O yes I see thank you
tldr: I loved it, and it made crushing OSCP easy and I'd consider that 'anything come from obtaining the cert'
if you're asking about a job, I'm searching atm
Really??! It made OSCP easy? That's cool
Have you found employers to recognize the cert? Are they responsive?
Searching atm
Likewise! ^^
Hey guys, I have an issue with question 3 of the web fuzzing skills assessment. I believe that I am inputting the right answer, but the site tells me it's wrong.
it asks for the full URL of a specific page, and I have supplied that url.
Are there broken questions in some of the modules?
NVM, search function solved it.
sorry
this question's wording sucks
hello there, sorry for the silly question, but are HTB Pwned machines experiencing any trouble? I'm trying to spawn the Lab Windows Built-in Groups and it's taking so long.....
thanks buddy....
np, seems to be a platform wide issue, not much new info
targets have been spawning for me but just taking like 5-10 minutes to do so
Footprinting DNS, I performed both of these commands using multiple different wordlists to bruteforce but none of them are giving me the FQDN I need. Am I on the right track or am I looking in the wrong place?
subdomains of subdomains
a.b.inlanefreight.htb will be the answer
so I need to replace the inlanefreight.htb with one of the subdomains?
replace the b part of my statement so a.subdomain.inlanefreight.htb; if you want an accurate list of subdomains from the target use a zone transfer
I don't think I'm understanding what you're saying. I'm trying the dnsenum command but with different variations of subdomains for inlanefreight.htb
that's not the correct subdomain but that's the right format; the answer you'll get will be answer.subdomain.inlanefreight.htb
so you only need to do a first order subdomain, like www, internal, etc
So Im on the right track. Just need to keep looking
gotcha
you already have access to internal via zone transfer so cross that off the list
now we're cooking with fire (making progress)
Anyone know why my antivirus is telling me HTB is using a Cobalt Trojan Malware?
Trojan.PowerShell.Cobalt.a
hi
sup
alright so, every time I try to use smbclient on a Windows box I get a timeout error. I have made inbound rules for file sharing on the target machine. anyone know what's going on?
Try putting // or \\\\ before the ip
Not just you. It's an ongoing issue
I mean it could, be you
the known issue is with spawning, not with interacting with boxes after spawn
So... Attention to detail is important "Perform a DCSync attack and submit the NTLM hash for the khartsfield user as your answer." I got his NTLM hash 3 hours ago and have spent 3 hours trying to crack it lol... I'm not happy with myself right now lol
happens to the best of us
Reading is hard ik
Hello!
I'd like to know if someone can give me a feedback or some hint to the exercise related to get simple cms.
Is in the getting started module
I need some help troubleshooting
been stuck for a while
doing Linux Fundamentals and it's asking me to upload a php script to the website, but I keep getting an error. kinda confused
The error may be expected
yes I understand the first one is supposed to receive an error, but the second one as well?
i uploaded the listening port one
Yes
Because you aren't uploading an image, but it still gets uploaded
yes i see
I did that, reverse shell doesn't seem to be working though
Are you running the listener?
You need to have nc -lvnp 9443 before calling the php
Better than spending over an hour troubleshooting why nothing is working when you had misspelt a vhost entry in /etc/hosts
inlanefreight.local turned inlanefrieght.local
It's also important to change the default ip that the example gives to your tun0 ip
yes, i replaced the ip with the target machine of my own
This section is also very much a step by step guide
In either the browser or using curl you'll need to visit the url that has the php
Note; the page will be hanging because it's connecting to your machine
Anyone working on advanced xss and csrf module for a quick chat?
it is, I understand; some of the code may have been copied wrong
Perhaps
weird. listener doesn't respond
Then you may have copied the wrong thing
do I include the whole php script including the <?php ?> brackets?
Yes
What ip did you put in the copy/pasted script
That needs to be YOUR tun0 ip
ip a
not the machines ip?
No
How is it gonna call back to you if you don't tell it where to call
I believe the section even says to change it to yours
inet 10.10.15.42/23 scope global tun0
Now what part of that would be your ip
10.10.15.42
Yup
is the 23 the port?
No
i assumed not. thanks
woop woop got it
nope, wouldn't let me
i got the flag already
😛
so did this basically let me browse around the server?
That's only one of them, there's still root
and thats how i got the flag?
You're moving around the server as the web user
Unless you breezed through the privilege escalation portion
Have fun
(This part can be touchy. But it works)
So do everything as shown. I suggest copy/pasting the other revshell into a text editor before pasting it into the existing shell for the command
explain? confused why can't I just look at the files in the content directory then?
You can only access what that user can access
Upgrading a shell gives you a fully interactive shell where you can tab complete
so i was essentially accessing the server as an admin without having to be on their computer
having issues with the module php web shells, I hope someone can help, I know it's kinda late
As a service user
It helps if you actually describe your issues
I'm following everything exactly, however when I upload the php the site gives me no confirmation that the php uploaded ("added new vendor netven to database")
after trying to get a handle on some RL issues, I am finally back to tackling these modules
Service accounts are created by installation packages when they are installed. These accounts are used by services to run processes and execute functions. These accounts are not intended for, and should not be used for, routine work.
?
Then you may have missed something. You're using burpsuite to intercept the traffic?
Correct
yes 127.0.0.1 8080
config on browser as suggested with burp open
I see the php upload in Burp and change the content type too
Afterwards are you forwarding the request?
so it's like an automated user? used by the computer itself?
correct, I fwd the request
Basically
You may need to fwd a few times
I actually fwd until I don't have any requests left in Burp
oh that makes much more sense, I basically hijacked that service?
Bingo
Interesting. Try it again and look at each response as you forward it
I just terminated my pwnbox and am restarting, I think I noticed something interesting
You may need to reset the target too if you want a fresh start
gotcha, okay let me do that too before I get in too deep
okay so I got myself a fresh start, I haven't done anything except get to the vendors page and NetVen already exists
I terminated both the previous target and pwnbox and got new ones
the module makes it seem as if NetVen shouldn't exist until after I successfully uploaded the php web shell
yeah I can delete that entry which is what I tried before reaching out
this time let me try as-is
I don't recall it taking much effort ¯\_(ツ)_/¯
I think I figured it out
when you add a vendor there's a field above "browse" asking you to name the vendor. if you don't name it, it doesn't successfully add the "vendor"
is there somewhere we can suggest edits to the module? seems like they missed that step
#858470491676737536, it's likely an assumed obvious step
Or it is stated and we're blind
Both are plausible
lol all good, thanks for the help
Also they do monitor that channel, sometimes you'll get a 👍 if staff sees it and fixes
Or staff will call you out for being blind
Which is equally funny
Regarding Dnscat2: What is the point of DNS tunneling if you are already connected to the victim machine in question? Is the goal to tunnel traffic through the victim?
because in order to make it work you'd need access to the victim as it is.
Yes it allows you to tunnel traffic and gain access to more systems
Remember it's not always/usually just one device
Fwiw ligolo-ng trumps like all the tools in the tunneling module
it works like a charm, I suppose the thing is it's quite laggy, def wouldn't be my first choice in tooling
Dnscat?
yeah
Yeah a lot of tools are suboptimal
For skills assessment part 2 I have admin hash for MS01 but I cannot use evil-winrm? Is this intentional? I get the error:
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
what does netexec (old crackmapexec) say if you check for winrm? Have you tried another access method? You have the hash, you can use pth with other tools over different services
Yeah I will either try different tools or go for privilege escalation. WinRM is available on the machine but I have the hash for SQL01 it seems and not MS01.
can you show me the first two and the last two chars/digits of the hash you have? (e.g. h5..8a)
13..64
I got the hash using mimikatz on the SQL01 machine which is likely the issue. The hash is not valid for MS01. May try and run mimikatz on that machine but I don't believe I have a user with high enough privilege.
mmm... I don't recognise this hash, maybe they have changed something in the labs since I did it some time ago
The order that ntlmv2 prints is lm:nt
That's what I am thinking. From what I can gather the previous solution was a PTH using the hash from SQL01 but things have changed.
Sounds like I may have to use the user found previously in the chapter.
Well the hash may change but the way you use it remains the same
Seems the hash is not used at all anymore from what I can tell. Will report back unless someone who has completed it recently can confirm.
Hash gives access to admin on SQL01 which is worthless as that access was gained previously.
You can probably dump creds using it
did you dump the creds on SQL01?
I can try but lsadump returns the admin hash which is effectively creds.
what about the sam and system?
They return the same hashes from lsa
can I dm you?
Sure feel free.
look for dm
did someone do: Analyzing Evil With Sysmon & Event Logs
I have a question about the pwnbox, it doesn't let me move calc.exe, what should I do?
Introduction To Splunk & SPL
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all 4624 events the count of distinct computers accessed by the account name SYSTEM. Enter it as your answer.
has anyone done this? I still cannot find it
is this normal for a htb machine?
I'm on the file transfer section. it's optional but I was tryna just see how everything worked
the target machines do not have internet connection
ah okay, then it's not working for a different reason, I'll try to puzzle it out
thanks
Read the hint
wait, if this is the case then trying to do file transfers from a raw GitHub thing isn't gonna work, right?
I'll just skip it
Going to bed but looks like they changed the lab. If anyone has any tips and has completed it recently feel free to DM or reply. Will check in the morning.
is that the local admin's hash?
Yes that was the issue. I have the mssqlsvc hash which looks to have access to MS01. I am thinking that's the new route to take.
the "Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host." question?
Yuh
how'd you get the local admin hash but can't get the flag
ah, local admin usually have different passwords, since you know, it's a local account for that machine only
dump everything on sql01
except for real world environments that don't use LAPS 💀
I did and just found that mssqlsvc hash can be used to access MS01.
Guess it's just privesc from there or something
true
you can manually set the same passwords for all of them
browse r/sysadmin, shit's common
yeah I've seen a few myself
check what privs that user has on ms01
Hopefully that password is the first name and birthday of their firstborn child.
it's usually something dumber than that
Yeah back to square 1 but have a foothold on MS01 so I may quit here for the night. Have a meeting in 3 hours 🥲
Sadly, speaking from real breaches I've seen LOL
hello, this question is not so related to htbox but i hope someone could help,
in our home, me, my mom and my brother have computers, we are all on the same LAN. I'm trying to strengthen my internet settings (close ports etc.), so I'm going to my IP address in the browser and it asks me for a username and password. I don't wanna go take it from the router, how can I get this info? I tried using one of those but it doesn't work: netsh wlan show profiles
(netsh wlan show profile name="name" key=clear)
anyone else having issues with really laggy rdp connections to module machines?
it's actually got to the point where I can't even do the modules because of it
if you want to hack somebody's wifi, gtfo
yeah sure thing man, off topic, ask elsewhere
nice, now even the whole rdp connection dies
What
I am using the one that it's giving me for the academy in the modules. Doesn't seem to let me choose
nvr mind
lol, was using udp
yeah that can crash rdp if you have some packet loss
@gray shoal Please read the #rules . Also this channel is specifically for HTB Academy.
ok, I thought if it's my home it's ok
nope, tcp is still terrible
like not even. Horrible is more the correct word
file explorer even crashes. And it takes 5 sec per click for anything to happen
stop being bad boys for strangers on discord
yeah, might need to get myself a VIP subscription to get more private labs
all academy labs are private
the vpn server, either us or eu
yeah I have EU, but maybe I can pick a different one that's closer
I think the US ones would be us-east if you pick that, don't quote me on that though
Not sure what SERVER_IP I am supposed to use for this module section since no server_IP is listed https://academy.hackthebox.com/module/110/section/1053
if there's not a server that's closer then you just gotta deal with it
but in the end as long as it's not a 2000ms ping anything should be fine
I have ~200 ping to the closest server, it sucks but it is what it is
hey it'll feel like real life
played cs source with 125ms for years, you can do it I believe
real, dial up internet simulator
someone that did the following question:
Utilize the Get-WinEvent cmdlet to traverse all event logs located within the "C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement" directory and determine when the \*\PRINT share was added. Enter the time of the identified event in the format HH:MM:SS as your answer.
please send me a dm, I'm stuck on it
it's weird, since I haven't had any connection issues before. but now it's excruciating
might just be that particular server or module
any website, just a put request, you can use htb's website ig
maybe it's a route issue, maybe it's just a question of regenerating the vpn pack
I think so maybe, but this is a long module and a lot of RDP
it can be a couple little things that amount to it being very slow and annoying
what module is that? windows attack & defense?
windows privesc
sorry, you'll have to just take your time and be patient imo
nah, but it crashes
yea, it is what it is
that's the worst part
maybe you can have it be a little bit more responsive with WMI instead of RDP if that's available
it shouldn't crash on tcp, never seen it happen
like I can't navigate it at all. It just crashes. Goes black, then I have to reconnect. Takes 30 sec for the screen to go from black to just loading the Windows desktop
it's probably a windows vm with 4gb and 1 core, it's gonna have some kinks
general question, do I need any previous knowledge when I learn tier 0 modules? is all the information needed for the answers in the module, or do I need to look for info somewhere else sometimes?
yeah I reckon
I'm sorry but after years of using windows you're just describing RDP on windows most of the time 😄
jokes aside, I don't think you can improve it much more, just take your time and see what works
pretty sure she meant the target lol
i know
the target windows server has that much power?
that's what it has
I'm surprised
ok well, like what was said, try to use another region for academy (so a new server) and maybe the new vpn pack will help
hey Eleana, do you know why I might be having this issue with setting up a share on the Windows target VM
oh you're not on windows yourself? having a windows vm can really help in those scenarios imo
well it's mostly preference so don't sweat it
do you think this is a firewall issue? I put inbound rules for file transfer on the target's firewall
you're doing it with a name that doesn't resolve?
wrong workgroup for the user?
should i specify workgroup?
just tried it in one of the sections, it's not crashing but the ping is very high today
probably, I don't remember smbclient args by heart, but on windows it should help, especially if the target is domain joined
because iirc by default it will try to resolve the username against the AD, so if it's a local user it won't work
you need slashes for this //ip
ah yeah (also probably \\\\ rather than //)
both work iirc
don't remember honestly
I think there's something wrong with my outbound routing
I can ping my machine from the target but I cannot ping the target from my machine
ip route add MACHINE_IP dev tun0 metric 100 will do the trick on your host
might want to remember to delete it afterwards
that is a quick and dirty fix, obviously your resolver should be checked so that it first uses the vpn
no, tier 0 is for beginners, all the info needed to finish the modules is in there, same goes for other modules, but if you want to learn more, do your research
a general knowledge of IT and computers would be a good thing to have, but honestly just knowing how to use google will suffice
might be a combo for me being far away and even more high ping
thank you
89% done and I still feel like idk shiet lol
that's a lie, it's just a lot of Windows stuff that I need further learning on
since I only have AD and Windows privesc and attacking enterprise networks left for the CPTS
I have 100 less ping on eu1 for some reason, maybe you can try that
in the Linux Fundamentals module, in "navigation" it shows that after typing ls it shows: Desktop Documents Downloads Music Pictures Public Templates Videos
but when I type ls I only see: └──╼ [★]$ ls
Desktop Templates
any insight ?
someone that did this mini module:
WINDOWS EVENT LOGS & FINDING EVIL Mini-Module
this part:
Analyzing Windows Event Logs En Masse
I can't seem to do it, can someone please help me?
the question is:
Utilize the Get-WinEvent cmdlet to traverse all event logs located within the "C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement" directory and determine when the \*\PRINT share was added. Enter the time of the identified event in the format HH:MM:SS as your answer.
it's just different files/folders, just like how your computer might have different files than a standard new computer, don't worry about it
thank you
Module: Login Brute Forcing
We could do this bruteforcing using OWASP ZAP (Burp) too, is there any added advantage to using hydra?
speed and number of protocols supported, hydra can do smb/rdp/ssh etc etc on top of http, burp free is limited to 1 req/s, zap is faster but hydra can do thousands of req/s over http
Hi, can someone please help me find out why I can't see the /etc/passwd file.
read the section again, you missed something in the lfi request
read the section again
faster speed
any bug bounty hunter
in the Linux Fundamentals module, in section "working with files and directories" the question is "What is the name of the last modified file in the "/var/backups" directory?"
I'm pretty sure the answer to this question does not appear in the module
like how am I supposed to come up with the answer?
I used chat gpt to help me, I got the command ls -lt /var/backups
it's not even in the cheat sheet so how?
so not all the info is in the modules?
it's not gonna give you every single command ever, learn and apply
when I follow the current module, the instruction is: "Below we see two lines with short descriptions. The caret (^) stands for our "[CTRL]" key. For example, if we press [CTRL + W]"
but when I do ctrl+w it closes the window, it's a shortcut like alt+f4, how can I change/cancel the hotkey?
you're using pwnbox yeah? ctrl w is a browser shortcut which closes the current tab. in a proper terminal ctrl w will work. one reason why a vm is better
Has the machines problem been solved?
Hello everyone, has anyone completed the skill assessment in the modern Web exploitation techniques? I needed 1 - 2 tips on how to get the passwords for the users admin and htb-stdnt.
should be
yeah
Great, thanks!
hello everyone, I have trouble completing the "Attacking Common Services" module - "WordPress - Discovery & Enumeration" second question: "Perform manual enumeration to discover another installed plugin. Submit the plugin name as the answer (3 words)." I tried to use wpscan and also ffuf (list of plugins for WP) but the 2 plugins that were found are incorrect answers, anyone has any clue?
dm
Howdy folks,
I am struggling a little bit with the Footprinting hard assessment. I looked briefly in forums, and I see a lot of talk about SNMP. All nmap picks up for me are ssh, pop3 and imap services. What am I missing here? Should I assume SNMP by default?
2 things: udp, and reading the engagement
The engagement contains keywords that would indicate snmp would be running
basically when you run nmap, you only scan TCP unless you use the -sU flag
since SNMP uses UDP, you will not find it
Thanks! That gives me something to bold in my notes!
Hi, I'm in the Windows Privilege Escalation module in the Citrix Breakout section. I spawn the target machine and get a Linux machine instead of Windows:
htb-student@ubuntu:~$ uname -a
Linux ubuntu 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
follow the instructions
Oh sorry, missed it. Thanks!
How do I switch to root on the linux machine? It doesn't work for me with htb-student's password
And I need to be root in order to start the smb server
it does, just type in the password
You don't need to be root to start the smb server
Sudo works just fine
any bug bounty hunter
they are all red
Are you running any VPN software?
If so, try it without.
Guys what module should i take after introduction if i have no idea of anything?
Can someone give me a hint for CPTS - Attacking Common Services - Easy ? I've tried every command in the cheat sheet. I've only gotten a user, none of the supplied lists are giving anything
use the files that come with the module
I have
Try with rockyou
Are you using user@domain?
no need, he just needs to run it against the right service
yep, did that as well
I've done it against every service the node is showing
Are you using the local-auth flag?
No, i'm not aware of a password spraying tool (outside of nxc or cme) that would let me specify --local-auth
Hydra I believe has a flag like that
Maybe i'm ignorant - but I just looked through the man pages and the -help for hydra; neither mentioned it
I believe it's -local-auth
no
No, there's no SMB
then what are you spraying?
iirc there's no smb, you got user so no spraying
yes you need to bruteforce on one of them
Yep, I'm certain
I've bruteforced them all lol
weird
you can specify the domain with hydra btw, don't think it's documented, found it by looking through the source code
smb2://<target>/workgroup:{<domain>}
https://github.com/vanhauser-thc/thc-hydra/blob/8c4165a83bc3126dd727244e0b5466c1a18aa67c/hydra-smb2.c#L214
Have you used rockyou?
no smb
maybe this
yeah ik
I've only used rockyou against one of the services, killed it after 5 min
I've spent an hour and a half against an easy module, this is ridiculous, lol.
Can you log in anonymously to ftp?
No, that was the first thing I tried lol
iirc the password is super easy
^
check that the lab is running correctly
It should be if they got the user
I remember brute forcing for 30 mins, then finding out that the lab was down
But if they crashed the lab, yeah
How many threads did you specify before you killed it?
Restarting is the first thing to do when you think something should be working
the reason rockyou works, vs the list they provide
is because the list they provide is missing a 0.
The workflow should always be - list you find on the machine, list they provide or specify in the module, list they instruct you to make (if applicable), rockyou
Been doing the AD Module for a few days now and I'm just amazed at how well and clearly everything is written. Big thanks to @blissful verge
Thanks for the help either way
Did the service hang for you after you connected to it? it is for me, even restarted the machine.
Not sure if he wrote the CrackMapExec module as well but I can’t recommend that one enough. Really enjoyed those two
CME skills challenge is also super fun
Haven't done it yet, but will take a look, thanks for the tip
I have done 60+ modules and it's the single hardest skills assessment
first time I had to ask for help
I had no issues when I did that module, it was months ago though
I assume this is happening for a lot of people but is spawning targets down? Can’t seem to spawn any targets in the Kerberos Attacks module no matter what I do
Been a couple hours
Had the issue yesterday, they also pinned a message about the issue. Today everything worked for me however
Finally completed the advanced XSS and CSRF skill assessment and labs. Phew!
Hello, has anyone passed the Modern Web Exploitation Techniques skill assessment?
Hello,
can someone give me a tip for the Skill Assessment - Broken Authentication
I am connected as one of the users
found the elevated users
but i am having this issue User cannot have requested role
got it
hi
in the Web Attacks module, IDOR in Insecure APIs section, I was able to get user 5's alphanumeric data, but couldn't get the uuid; looking at the script.js file I see that the uuid of user 1 is hard coded, any nudges?
I'm stuck on the SQL portion now, sigh
nvm writing this sorted my thinking XD
think more about leaking uuid
or maybe it was setting
cant remember which one it was more focus on
Can I DM someone about CPTS - Attacking Common Services - Easy
yeah i got it it was just that burp was burping too fast
thank you - DM'd
https://github.com/scr1ptie/VHostWPort
Made this auto-conf bash script that saves you from having to specify the port every time for vhosts when the spun-up target is an external IP with a port.
Some of the modules in the CWEE path spin up these kinds of targets and so far this configuration has been working great.
Guys can I learn hacking on phone?
is it just me or the labs are really slow?
not just you
cool, was driving me crazy
can't even nmap an ip right now
Hello everybody! In Introduction to Windows Command Line, in the section about Cmdlets and Modules, we see an example of downloading the PowerSploit module! I tried to do this on my system, but the antivirus always blocks me! What can I do? I tried to add the folder to the antivirus exclusions, but I always receive a message about a Trojan!
maybe I just need to turn off antivirus, do the job and after I finished restart it?
powersploit is used for offensive purposes, so defender detects it as malware
Ok, but is it useful to have it on the system?
keep it in your pentesting distro, not your windows host
in general don't keep tools in your host
Thank you! So in the module of htb they use PowerSploit only as an example..
you'll use it when you're actually pentesting a target, not against your own computer
OK I just tried to download it to add modules to PowerShell, that is the task that was asked.... but I had problems with the antivirus.
use the target provided at the bottom, not your own machine
Thank you!
I think I am missing something major. For Attacking Common Applications, the second sections, where do I get the IPs for the vhosts that are listed?
Hi, I'm in the lab of pillaging section in windows privilege escalation, in the last question. ||I used the restore option to restore the system32/config snapshot, and got the system,sam and security hives. The problem is I get the following error when I run the following: Run: sudo python3 secretsdump.py -system system.save -security security.save -sam sam.save local and get [-] read length must be non-negative or -1||.
PS. they have data in them
Check hashes, happened to me too
anyone here that has a toolset for windows privesc?
i lost my github repo with it and now i am depressed
dont want to make it again when i made it two days ago
like a folder that has all the tools from the htb module windows privesc
Wdym
Oh thanks, I'll check it out
Did you connect with sudo
Yes
Also what errors do you get?
Packet HMAC authentication failed
Is your system/openvpn up-to-date?
Idk what latest is but you can do sudo apt update && sudo apt upgrade
Yeah, @manic onyx's suggestion helped me. I don't know why, but the files I had locally didn't have the same checksum as the ones on the box. I restarted the box and moved them again and now it worked
wpe
You're in the log poisoning?
Oh, I didn't notice, sorry. There's a blog post of someone who exploits it on a regular htb box, have you seen it?
I've used it, but nonetheless it was tricky and didn't work more times than it did
Do you want me to dm the link?
Hi guys.
In CDSA, the exercise "Use the "cobaltstrike_beacon" index and the "bro:http:json" sourcetype. What is the most straightforward Splunk command to pinpoint beaconing from the 10.0.10.20 source to the 192.168.151.181 destination? Answer format: One word" ,
First I tried with the typical commands about intervals and times, then I tried with the commands in the reference query, then I searched here I tried with all of them (https://docs.splunk.com/Documentation/Splunk/9.1.0/SearchReference/ListOfSearchCommands) as it is said
Even I tried another way with all commands:
I caught the POST request to HTB Academy with Burp Suite, then I created req.txt from it; I saw the answer was sent in base64,
so I transformed all commands to base64
#!/bin/sh
# start from a fresh output file
rm -rf ./todos_comandos_splunk_b64.txt
# read the plain-text command list line by line and append each line base64-encoded
while IFS= read -r line; do
echo "Text read from file: $line"
echo "$line" | base64 >> ./todos_comandos_splunk_b64.txt
done < ./todos_comandos_splunk.txt
And finally I launched the request for all Splunk commands in base64:
ffuf -request req.txt -request-proto https -w ./todos_comandos_splunk_b64.txt
But not successful
If it were an interesting problem, I would struggle with it, but after spending 2 hours with this exercise, I think it's too much for it.
Even the exercise in the skills assessment for detecting beaconing malware only takes 1 minute to solve
"
Use the "empire" index and the "bro:http:json" sourcetype. Identify beaconing activity by modifying the Splunk search of the "Detecting Beaconing Malware" section and enter the value of the "TimeInterval" field as your answer.
"
Could you please send me a DM about how to solve it?
Thank you in advance
hey guys, I am going through the Linux Fundamentals module, in the Regular Expressions sections there is a practice task stating "Search for all lines that contain a word that starts with Permit." I find the wording a little bit confusing (English is not my first language though). Are they asking for the lines that start with the word "Permit" OR the lines that contain and start with "Permit"?
it's the words that start with Permit
(because there are no lines that start with Permit)
so not "whatever Permit asdasdas" but "whatever Permitasdasdasd"
^
well the first might be included too
oh okay thanks I understand better now
it's not
"is Permit a word starting with Permit" ? yes, it is .
the exercise is looking through a conf file
btw, just stick a wildcard in the end 😄
the proper way would be [^|\s]Permit.*\s
aaaaaaah regex :° always a bloodbath
yes regex
literally what he stated at the start of his question LMAO
Okay I was a little bit confused because I did find 2 lines starting with "Permit" and a few other lines that contained "Permit" in them
it was a 'vocative|nostalgic' aaaaaah 😛 not a surprised one
But I think I get it now
Regex is (not) fun
in the pivoting tunneling and port forwarding module I am trying to follow the example of port forwarding via meterpreter, however when I attempt to set up my socks proxy it starts up and stops right after. How do I fix this?
Hi, I'm having a problem with the exercise in the Web Requests module, section GET, the one which asks to make a cURL request using basic authentication,
I've followed all instructions and the answer I'm getting from the request is "Please use cURL%", well I'm, in fact, using cURL but it keeps giving the same response, I've even tried to put that ("Please use cURL%") as the answer to the question to solve the problem and pass the module, but it fails.
it's better to ask using module and section name
Fixed, thanks @fathom pendant
"Please use cURL%" <== the same response I mentioned some words before
Any way to send a screen capture?
I dont get it
yes take a screenshot and put it in the chat
if you're using curl http://ip:port but i've never heard of curl% unless it's something talked about in the section
I sent you a DM @fathom pendant didnt find a way to send the ss here
@harsh swan i meant send it in this chat
cannot send pictures in here
you should be able to
you should be able to send it in the chat, your account is verified/linked
well, I tried but cant
your account is verified which is the only req for academy chat
unless a mod fucked up the settings
oh sorry, now I can lol
Damn you ruined my next joke
xD
I was gunna say, "quick marcie, youre not an idiot, send a test image"
thats a response from the webserver
guess is they dont want you faking the user agent
yes, well in the exercise it asks you to use cURL to get the "flag", then when I do that the only thing I get is **Please use cURL% **
curl has its own user-agent
mmm
which youre overriding
but you shouldn't need to fake/spoof the user-agent
so like dont do that and see what happens
use curl, why copy the whole req
oh, fuk... Im such a noob, thanks guys I'll fix that right now
guys can you spawn target on Remote/Reverse Port Forwarding with SSH?
because it's the third day that I have problems with this module
I already contacted supports
why are you sending the whole request with headers btw
oops, well I followed instructions so...
why not just curl http://ip:port/search.php?search=flag
which would a better way? only headers?
eh full headers can be good practice for replicating clients
I was asked to send with auth params
well it depends tbh
if the section says to do it i'm not gonna tell you you're wrong
This comment is more of a slap my own face one. The XSS module, oof, man, attention to details. Pay attention to the actual cookie name when looking for the flag. Been banging my head for like an hour wondering why in the F is this not working 😂 .
maybe its just for practice and learning purposes, dunno Im very fresh at this
Hello, I used the "grep" command with grep -r for this question but I don't find HTB{}! Can you help me plz?
who said that was the format
follow the instructions instead of trying to cheese it
your clue here is Linux environment if it's what I'm thinking of
I followed them all, it didn't work
Why, I don't have this "request help" button?
silver annual perk
Aaah okay
Read the env carefully
It's actually been done for a while, I was going in circles a bit, hence the fact that I tried a grep command
is there a normal chat?
im trying to install centos 9 on oracle virtual box, im having many troubles, because instead of running it says "aborted" and doesnt open the command line, anyone know?
modules channel isnt tech support
I’m a lil special
ok so I looked under HTB: OFF-TOPIC and just saw the bot commands channel
???
there is "general" and "magical-tunes" in there for me
mehhh it’s good dw I’ll just find out later
maybe you could try reading
Yes because you haven't tried reading yet
maybe your turn to try reading
Not well apparently because youre still an unverified account
HTB: OFF-TOPIC
you need a verified account to access general
I did: #welcome provides the instructions
yeah but when I asked all u had to say was that
I did: read #welcome
This channel is for module discussion only, stay on topic
Do you read? Stay on topic. Youre spamming the channel at this point
I did answer your question. Its not my fault if you cant read.
Youre still unverified
follow the instructions in #welcome if you want to access other channels
<@&861185840277487616> some peeps that are being off topic.
Alr guys, Delete ur messages here including you @rustic sage and @thorn urchin delete them.
Hi, can someone help me in the wpe first lab? I'm stuck on privesc ||I can't get the correct CLSID for juicy potato even though I ran their script, it found nothing||
didn't realize reading was such a skill issue
yeah I’m a little slow but as I said we’re new to this so we don’t really know how to verify yet
if only there was a channel that explained it
mad r u really going to drag this on
Whats going on?
people not reading
ok guys he posted giga chad he wins
people crying about verification instead of discussing modules
i think he’s trying to say you can access other channels once you verify your account
Lets keep this channel for module discussions please
👍
yes serrrr🫡
but arguing about who can read or not was so much more interesting
word custard
for the shell and payloads, live engagement module, is there a built in browser on the foothold? cant seem to find one other than tor which fails to install or update
or am i supposed to install one
firefox
you can't install one because the jump host/foothold doesn't have internet access
i was digging for a browser, couldnt find one but using the command "firefox" starts it up, thanks
anyone else having connection issues to targets atm 😦 i remember having issues when i first started but then its been fine but today im having issues again and its making it very tricky to know if im doing something wrong or just an intermittent issue 😦
yeah I am to
@rotund sphinx @delicate kernel #modules message
you linked us to a channel we’re in???
click the link
christ
and it'll show a message that's explaining the issues
ok i guess not just me then at least
mb it’s not working rn it’s slow for me
hopefully its sorted soon
yeah hopefully
almost like I link things because they provide useful information addressing the situation at hand 💀
sometimes
some of us are new to the app, We don’t all have knowledge you do so calm down.
which is why I provide the information lmao
Since we’re not in general or smth I’m not arguing with you here.
But thank you for the information.
np
Hope we good now.
Yo, if there's someone who solved the WPE first lab the intended way, pls dm me.
I solved it by first getting system and after that got the ldapadmin creds
Job fair tomorrow ;c but I have no cert apart from my CCNA lol
should be interesting
what does this have to do with modules?
your MOM @thorn urchin that's what it has to do with modules, your mom! 
i hate you
<@&861185840277487616> off topic
@thorn urchin ik this is “off topic” but next time you should say “good luck out there, but please refrain from talking about other things besides modules in this channel.”
no
Then it’s on you if they hate you.
👍
good luck
thx
Hello, im stuck on the Server-Side Attacks, Nginx Reverse Proxy & AJP
When trying to setup the proxy/nginx on the Pwnbox, I keep getting the error
nginx: [emerg] "location" directive is not allowed here in /etc/nginx/conf/nginx.conf:57
I searched for similar doubts here on Discord, but I couldn’t fix this error
can someone help me?
im not up to that module but the error message sounds like you got your nginx config file wrong
iirc location blocks need to be direct children of server blocks
here's my config file, idk what im doing wrong
looks like your server directive isnt inside the http directive
did you comment out the other server block or was that just there as an example?
sorry that no one cares ab ur job fair :3
I never asked anyone to?
can always chat about it in general after verifying your account with the instructions in #welcome
^
there was no reason to bring it back up though either, esp after mod already addressed it
Ah thought I could reply since it wasn’t deleted :3
that's the first helpful thing you've ever said to me madf0x ty, 
Could I get some help with Footprinting? I'm in section "Oracle TNS"
I need to download || sudo apt install oracle-instantclient-basic oracle-instantclient-devel oracle-instantclient-sqlplus -y ||
But the issue is there is when I run that command I cant get || sqlplus ||
I can provide screen shots if need be
To be more precise it says || Unable to locate package oracle-instantclient-sqlplus ||
now working, thanks for the help! i forgot to comment "}" ahhh
are you using parrot? those packages aren't in the parrot apt repo iirc
there's another tool you can use, forgot the name but search this channel
It is in the parrot OS, im using the VM supplied by HTB
So what tool would that be?
search the channel
are we having any connection issues today? I can't keep a connection between pwnbox and a remote machine through xfreerdp or remmina on Introduction to Digital Forensics
each minute I spend like 30 seconds reconnecting
Hey guys, im working on Attacking Common services Attacking Tomcat section and I have the reverse shell, but I am unable to find the flag for tomcat_flag.txt. I have a root shell, can I get a push towards which directory to look?
Cant get a reverse shell on the auto repair website. Just says timed out
you can search for it
Yeah im using ||find / -name "tomcat_flag.txt" 2>/dev/null|| but It doesnt give anything
Yes we're aware
our team is still working on the problem unfortunately
Its mostly around spawning, though
try locate
ok Thanks.. So, I will try it later.. Thank you for the answer
||locate tomcat_flag.txt|| gives me an internal server error
internal server? are you still using a webshell
mind if I dm?
how come https://status.hackthebox.com reports everything fine when its clearly not.
🤷 not sure
Ill mention it to them again in the AM
a status info page should probably reflect the status of the core offered services of the platform lul
this command will find it, use a revshell
are you guys getting labs? for 3 days I can't spawn any lab
refreshed the page and everything
has been working in the past day for me
weird pwnbox works just not the lab. trying to do AD skills I
I can spawn Labs, just can't keep connectivity to it. But @languid fjord just answered above that they are aware of the issue
sounds good thanks
np
I uploaded a revshell with msfvenom and I still cant locate it
look in the tomcat dir in opt
Thank you so much I got it
heyy i dont understand why it doesn't work https://academy.hackthebox.com/module/144/section/1256 for the third question
i keep getting the error even in the eu vpns
Same for me when I tried with Pwnbox - UK region.
guess we should move forward
Yep, I just skipped it and will come back to it at the end. Hopefully the environments and connections are more stable then
Hi all, can I have a nudge for advanced xss and csrf exploitation - xss bypass please? I managed to inject a xss payload and it worked with exfiltration for my local account. However I never got interactions from “admin” user using it. Any hints would be appreciated.
Hello everyone
For this question, under footprinting SMTP these are the results I came up with but none of these are the correct answer. Looking for a hint in the right direction please
currently having issues with the skills assessment for pivoting module under pentesting, looks like it's lagging out been waiting 45 min so far for the target to spawn
Check the hint section, it mentions something about a wordlist
the footprinting wordlist that was provided but I dont see any wordlist provided by the module
You will find it below cheatsheet button
should I make a report that I can't spawn anything? or is that not needed as its a global thing?
Thank you
i am having trouble connecting via ssh. got logged but the password is wrong and denied access. Can someone please help out?
Is this a result of the connection issue or am I still doing something wrong here?
Increase the timing
I got a flag all by myself with no help !!!
Now to escalate to root privileges
Is anyone familiar with OpenVpn?
can someone help me with the Linux Fundamentals module?
Just ask your question, read the link I posted above
as above, just ask your question
I just finished it, go ahead
I ssh to spawned machine, it asks for the password and the given password is denied?
Alright so, I am having an issue with Openvpn and connecting it to HTB this is the 1st time this error is showing up since using it:
Error Code: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
So, does anyone know how to fix this I have already tried a clean install and ran it with sudo commands.
sudo openvpn <path to vpn file>
or if youre already in the directory containing the file then its just sudo openvpn <file name>
Still shows the same error
Everything I find regarding that error code says to use sudo to fix the issue
Right. That is all i could find as well and for some reason this is not fixing the issue. So, I don't know if i need to do something else or what lol
Run as sudo should do it
In the SQL module, we can use LIKE name = "NA%" where % matches any letters beyond NA. Is there any similar functionality using operators? For example in the name field I want to check for engineers and engineering. So is it possible to do something like SELECT * FROM table_name WHERE id >100 || name ="engineer"
tried that still got the same error bud
maybe switch to root?
I could try that
Sql uses literal words, idk if bitwise || will work as OR
are you specifying the user? from memory it'll be htb-student or something similar
You're using your own vm, yeah? Not the in-browser one?
Hi Marcie
yeah I am using my own VM, until i get back from my trip to use my designated computer
But yeah, sudo should work for running openvpn as root. Unless something got messed up in your installation
You sure you dont already have the VPN on?
If you already have the vpn running it'll just create another tun interface
I don't think the installation is messed up it was working this morning. I don't think i have it on.....
Try turning it off, and turning it back on again
I did just try using Root and i don't have an error this time it just froze
It's thinking
no I got the exit policy in the last line
last few
Try with sudo first
Understood
You should almost never be root unless absolutely necessary
In the event you run a dangerous command by accident and delete something you shouldn't
Right! So, i did try to run openvpn again using sudo but, it did nothing again. I would show the image but, discord is denying me access to do so
Yeah, its connected dude
4th line from bottom
On academy?
There's a known issue with spawning atm
On the main lab platform: it's also a known issue. It can take a few minutes to recognize you're connected
Okay well I am gonna try to spawn one and see if i can even connect to it
Click the spawn button then read through the module. by the time youre done reading it should be up and running
Read the section*
yes section*
Module is the word for the whole thing, section is for.. well the section you're working on
I really appreciate the help i was just being stupid.
everything is working perfectly 
It's not stupid. We all started somewhere (I make worse mistakes)
lol thanks
can we use our own VM in academy to do modules?
yes
Yes
Download the VPN, copy it to your VM if you havent already, open it in your VM
ok thanks
Check the Setting Up module, it's not in the path but it helps.
ifconfig and check if you got a tun0
Hello, i am doing the first skills assessment for AD Enumeration & Attacks. Is PowerView supposed to be blocked bc it does not run at all when i try to import it? There is no error, it imports successfully, but when i try to use a PowerView command it says it's not a command
Hi i am stuck on question 3 on the Network Services in the academy. I tried hydra and did all other questions but cant login via rdp. (Used the credentials)
Give us more context, like what kind of shell are you trying to import the PowerView on?
Is anyone else having trouble joining RDP sessions due to bad password or black session errors?
if you see a black screen hit enter
Thank you very much! It works! What is this due to?
the display going to sleep 
dw you're not the first, also if you have login problems, wrap the password in single quotes
Yes, I had already tried single quotes. But since RDP isn't very stable and often gives me errors, I assumed it was some connection problem. That's my fault
hi, i need help with tapping with etp. can pm me thank you
can i get some help in the pivoting module, rpivot section?
i kinda dont understand why to use rpivot exactly, and its commands are kinda obscure and don't really go into detail about what they do
The chance of getting an answer is higher if you ask your question here
is there some source or smth i can see where it explains this in more detail guys? 😅
i am already there 🥲, like the main thing is why the attack host is running server, and pivot host runs, client, i want kinda a bit more "networking" details of what happens
wdym? why not? it's a reverse proxy
i figured out already
what tier 3 module do you recommend after HTB Pentester role path ?(with the cashback cubes:),or should i stack more for the osint one?
depends on whether you want to do web or ad
if it's ad I can recommend kerberos attacks and adcs
and if web?
haven't done them, check with someone who has
ok thanks!
i gotta ask, is every link you find via htb okay to snoop around in? i mean i'm doing the last box in the Getting Started module. im running nmap, and see that there's a webservice running. i check the web via curl, and see some links to other pages from the target ip. well i look at those links and find a dev named chris. He has his own page, so i think to myself, maybe there's a way for me to get a foothold via the developer. looking at his stuff using curl and gobuster, it seems like a legit developer visiting card page and im like, should i be here? is this a part of the box?
if someone did the osint one i hope they can provide feedback, 1000 cubes make me feel like it is an S tier module that after you are done with u can know if you osint any company u would know if the employees are in the bathroom or not
... I don't think that's what osint is about
if the links go to non-htb domains, youve probably gone outside the bounds of the box lol
remember boxes will use real software which sometimes means real links
it can sometimes be difficult to tell what a box's boundaries are.
well i stopped what i was doing and started over
it shouldnt be difficult at all
pay attention to the domains
if its not .htb or .local or such STOP
unless a module specifically tells you to do something on the real internet, a box wont have anything relevant with the real internet
Well the webpage looked htb-like. simple page, one image and some links. quite boring so i thought it was a part of the game. but i didnt break anything, just snooped around.
yah you're right. one of the links ended with .htb tho
then that was part of the challenge 🙂