#modules

Between the 2 node the write is "GenericWrite"

try using the powershell command

it'll take a few minutes

But I tried with this command :

Just to know I used the SID of the group 'GPO Management" or Forend

forend

The Object Ace is tied to the user SID over the object it has rights over

Ahh Thanks

Not on the goroup.

group ?

I tried to understand (search on internet) but "GenericWrite" is ACE ?

or ACL ? Thanks

it's the AceType

yes

I got this :

that's on another user

that's the rights over Dagmar Payne

this query takes a while to do/finish

Oh thanks

🙂

see: ObjectDN

Yes I saw (it's the user "Dagmar Pay,e" ) ?

well it's the User who's given name is Dagmar Payne

as you've seen in this module the usernames follow {firstinitial}{lastname}

I not see because I think it's was filter on the SID but normally the SID is unic to specific user no ?

so; with the Object Ace Queries - the Ace right is tied to the SID of the user that has the rights

It's how it's tracked in the ACL

yes but I think the powershell query is lock

it's not

hit enter; sometimes it can seem like it's frozen

but i can assure you it's doing things

as said previously: the query can take a WHILE

Yes Thanks

But ACE/ACL is not easy to understand

it's not inherently intuitive unless you mess with it a bit

by default, the GetDomainObjectACL finds all domain objects that our user(forend) has rights over. You can replace the * with the group name.

Thanks

that also speed things up

Identity just uses the Common Name of the object yeah? like username/groupname

yup

I did it by default for the first time and it took me like ~40/50 mins

yeah

but it's definitely a good way to better understand how they work at least

and that each right is a separate object

Thanks for the feedback In one another prompt I used this command with the group in parameter but no result

not just a group of rights under an object

sirg

I said nothing

i'll give you a second to realize

(hint, SID)

Yes sorry in my country it's the morning :p

def, agree

Thanks It's worked 🙂

The best way to understand how it's work It's try to use query as CN or GroupName ?

Really thanks for the help

i just mean looking at different users ACEs and what the GUID resolves to

but in general: The Ace query shows what right the SID has over the "Identity"

Ok But when you talk about ACE query are you talking about the the Raw Query present in bloodhound ?

or Powershell ?

ACE privileges are different from ObjectAceType
what BH showed you was the ACEprivileges eg: GenericWrite
that's why we used PowerView

Hence, we used Get-DomainObjectACL function to enumerate the ACL rights, and by adding ResolveGUIDs flag, it showed the human-readable format of the ObjectAceType

^

otherwise (as also shown in the module/section) you get a string that you'd then have to query in powershell again

tbh I will suggest you go over the the section again

Hi guys! After cpts and cbbh I would like to dive into tier 3 modules 🙂
Since it's a bit costly to me I wanted to hear your opinion which were your top 10 tier 3 modules?
I would be happy to take them all but don't think can afford it as a student, will be happy hearing your opinion!

I hear good things regarding the Kerberos Module and ADCS module if that's something that strikes ya

I really enjoyed cpts both web and infra side, so will start with those 2 modules you got me xD
Will be glad hearing any more recommendation!

#modules message these were recommended last time

Thanks a lot
Also looking for several web modules that are recommended

For web you can look into the whole new senor web path I guess

don't unnecessarily overcomplicate things

yea I will take a look at the ratings and reviews, all 15 modules cost too much for me even with the platinum...

Hello, I am working on the Linux privesc course > Information Gathering > Environment enumeration (full link : https://academy.hackthebox.com/module/51/section/1592)
The question at the end of this section is asking me to enumerate the machine and discover a flag. I used a little trick to discover the file looking for it's content instead of its name or location but this is rather unintended.

What would be the correct way / enumeration steps and commands to discover the expected flag location ?
Even linpeas didn't get it 😦

INTRO TO NETWORK TRAFFIC ANALYSIS - Guided Lab: Traffic Analysis Workflow :
Apparently the lab asks us to capture traffic from within the provided machine and analyze an incident related to host 172.16.10.90 for bob. But after going through the walkthrough provided in the lab it seems to be a completely different incident with different hosts too ....

Hello !

How to connect to do this exercice ! with user Kira but ssh ? rdp ? it is not okay

You need to create a mutated password list, and brute force your way through. There should be a step for creating a mutated password list and using hydra in the module

WINDOWS ATTACKS & DEFENSE
PKI - ESC1

did anyone have issue when run certify

Which service should you connect to??

ssh

Module Linux Privilege Escalation
Section Skill Assessment
Anyone tried optional way to gain shell on the system using web ?

like this ?

help me it's super long ^^"

For those using a virtual box instead of one of the lab instances on HTB academy, what virtual box are you using? I am using the virtualbox on Kali linux(Linux kali 5.9.0-kali1-amd64 #1 SMP Debian 5.9.1-1kali2 (2020-10-29) x86_64 GNU/Linux) and I have been having trouble installing the crackmapexec tool on there...as well as instal;ing the suggestions to alternatives with the same syntax(nxc, netexec)

Hey everyone, I'm exploring options for SMB brute-force attacks and noticed that Hydra only supports SMBv1. Does anyone know of alternative tools or methods that work with SMBv2 or SMB3? Any suggestions would be greatly appreciated!

hydra does support smb2/3, just need to compile it yourself, go to the HOW TO COMPILE section
https://github.com/vanhauser-thc/thc-hydra

thx bro! i did it with crackmapexec, but i will try the hydra solution too !

also take a look at netexec, it's cme but better

I doubt it's a vm or distro problem, sounds like a python problem more than anything

Bruteforce Kira’s user password not will.

I find finally thanks

yo

i need a little help with windows privilege escalation module - 3rd section, situational awareness. either im extremely stupid or the question is disastrously inappropriately asked.

nobody even talks about it in the htb forum

#Session Security
XSS & CSRF Chaining

Both of the scripts in this section don't work properly. They only effect the profile that the payload is stored in and not the profile with the new session

Anyone please free for DM?

Hello, i am doing footprinting medium challenge - when i xfreerdp i get: Failed to open display: :1
[Please check that the $DISPLAY environment variable is properly set. , did not find any helpful solution for this issue, how do i fix this? Kind regard!

Working on the footprinting module and am stuck on mssql: https://academy.hackthebox.com/module/112/section/1246; connected to the database with the password provided using mssqlclient.py and tried running this: SQL (ILF-SQL-01\backdoor dbo@master)> select name from sys.databases [%] select name from sys.databases SQL (ILF-SQL-01\backdoor dbo@master)>

Is there something wrong with the box or is it me? Also tried ```SQL (ILF-SQL-01\backdoor dbo@master)> SELECT name FROM master.dbo.sysdatabases
[%] SELECT name FROM master.dbo.sysdatabases

#Linux privilege escalation
Python library hijacking

Give a hint please.
I cant find the directory with write permissions or something else.
User doesn't have permission to setenv and permission to write in python directories

go through the section again

||arp -a||

||Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections||

After modifying the script with import os, then ...... in vim

you have to mention the full path of mem_status.py in order to execute properly

or you can use ~/mem_status.py

Rest puzzle I think you can solve

Thanks imma try

Hey. Try this:

su root
xdpyinfo
find the string behind "name of display" e.g., name of display：127.0.0.1：1.0 (which is "1.0")
export DISPLAY=:1.0

This is what your command should look like:

xfreerdp /u:htb-student /p:"HTB_@cademy_stdnt!" /v:10.129.224.186

I'm using that script and the list of usernames the same for the other questions but the thing is that there's not much a difference on response timings

@short hare @lusty thicket thnx, solved

Hmm.. Where i am suppose to find the /etc/host file? If i try cat it it just says "multi on"

/etc/hosts

https://en.wikipedia.org/wiki/Hosts_(file)

Oh my.. Sorry, my bad missed the last "s" :3

Hi guys, I was just doing an academy question on DLL Hijacking and had to find the process responsible for it. I really didn't know what to be looking for and any extra research I did said look for unusual looking executables, I eventually got it but don't understand how I'd have done it in a real scenario.
Any tips on what to be looking for when using the event viewer?

Module - Password Attacks
Section - Password Mutations

can anyone who did this part tell me how long should i wait before knowing that the password list is not right?

I do not have 17hr+

On web requests, POST, the website given to find the flag isn't functioning correctly for me. First picture is my side, second is the explanation.

Any idea how I can solve this ? While using TCP I can't connect to RDP , with UDP I can connect but it is laggy.

bruteforce a different service to ssh, it is quicker

you can also up the thread count

are you talking about the dev tools at the bottom?

thanks but it is not really answer to my question. and as you can see on the screeenshot the VM is not really powerful and suggests to rather decrease the number of concurrent threads

that's why I said bruteforce a different service

|| ftp ||

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

anyone here that could give me a hand. I want to download SAM,Security and System files off the machine im on, but my shell is really bad. How do i download things off a machine instead of uploading to it?

i would need some kind of http webserver no?

i have a metasploit shell but the download command doest seem to work

What do you mean by the download button not working?

the command in msfconsole

when i have a shell i can use the download option but it doesnt work. The output is like

download c:\windows\system32\config\SAM

Are you getting any error?

Usage: download [src] [dst]

i have tried to set the dst but still issues

Just try download [file] and see if it works?

It should save in your current working dir.

PS C:\users\public> download c:\windows\system32\config\SAM

Usage: download [src] [dst]

Downloads remote files to the local machine.
Only files are supported.

the SAM file should be locked while the OS is running, isn't it?

anyone have the issue with running Rubes on module : Windows Attack and defense , PKI-ESC1 :

Is that the meterpreter shell?

nah its just a basic shell

if you have meterpreter you could try with hashdump

some ways: https://juggernaut-sec.com/dumping-credentials-sam-file-hashes/

Try

download \\server\share\file.txt C:\local\path\file.txt

This is from ChatGPT.

Essentially i am stuck on getting this question.

Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.

On Active Directory Enumeration And Attacks - Skills assesment 2

I didn't do that module yet, usually most of what you need is covered in the modules..I remember there is even a module specifically for learning how to download stuff, I didn't start the path yet, cuz I'm doing cbbh. Anyway SAM is a special file, it can't be copied like any other file, you need to use some other ways

i am system user tho so

it should be fine

Hi, I am stuck on the Password-Attacks module question where it asks me to use sam's credentials to find the credentials for MySQL and after doing some OSINT, I found that it is in the my.cnf file. However, when I attempted to open the file it did not have the credentials for mysql. I tried root root as the login and it also was not accepted by HTB. Can anyone help me find the login credentials for mysql?

Use the default cred cheatsheet

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

did the support is on maintance

I did use it and it gave me the default credentials root and root for the username and password

😦

I am stuck on Attacking Common Application Modules, Attacking thick client application , I got monta.ps1 , but could not run it run getting error to open powershell tried resetting the target but failed to start powershell any help?

Nope

There's more to look for on the provided cheatsheet from this section

Are you recommending I use a different default credentials sheet?

It's not gonna be in a file on the system

There's literally a "default credential cheatsheet" provided by the section

That you can look for MySQL in and find a handful of username/password combos

No, the search function doesnt work on my client, when I try to send the packet through cUrl the same way the explanation does it, I get no results either.

I also do not get the same packet in the network tab as the explanation shows

when i try to search a city

that's weird, I would try just resetting the machine, but if you've done that already you might wanna contact support about it, I haven't done that module so I really can't help you any further

Alright, I already tried resetting the machine but I'll contact support

thanks anyway

np dude, hope you find a solution

Anyone who completed the Skills Assessment on Kerberus Attacks that can help me figure out the last task?
What's the content of the file: \\DC01\Secret Share\flag.txt?

Has anyone made light mode?

xp_cmdshell, i think it was

I did solve the Attacking thick client application section.
What I got from the section, that application runs a process -> it writes some files as its flow ( we change temp permission to keep files even after process ends) . The flow is such that it delete the files, we modify bat to not delete files, run ps script to get the exe, use x64dbg to check assembly level code, than see that at memory level something is loaded .
Is the original exe script being loaded here?
And after dumping from memory we decompile using dnspy?

Can someone elaborate on this?

yeah i am past that part

i have system shell

Hi! I'm currently debugging in GDB and would like "print $rax" to be executed and displayed when a breakpoint is reached. But unfortunately I don't get the output when I append the commands to the breakpoint using "commands". Example:

$commands 1

print $rax
end
$

I don't get any output after I continue with "continue". What could be the reason? Thanks in advance!

anyone that can give me a hand here? been stuck for a couple of days now...

dm

In the assembly module each time I try to compile my assembly and run it I get this error anyone know why ? Even with the base program they gave me I still have this error

A segmentation fault usually occurs when writing a protected memory area. If I understood that correctly. But some challenges only have to run in the GDB (debugger). Then the complete execution is not as important as what is happening in the memory!

Ok thanks !

I knew it worked with gdb but I was asking myself why I was never able to run it like that

😉

Can you delete items from a table using a PUT request?

shouldn't curl -X PATCH http://94.237.56.248:35386/api.php/city/Evans_City -d '{"city_name":"flag"}' | jq this work

hello I'm doing the AD enumeration and attacks module and I'm getting different results from the same command, I've also noticed that in Wireshark:

I wasn't able to find these hosts with tcpdump or wireshark

is this a known issue?

Sometimes you won't get the same results as the example

ah... it's literally right there x) i didn't read it

you delete items using the DELETE method

Exercise: Try to delete any of the cities you added earlier through POST requests, and then read all entries to confirm that they were successfully deleted.

maybe they meant DELETE is a post request 🤔

Delete is a type of request

@thorn urchin Sorry for the ping. Got time for a question on the Kerberos Attacks skills assessment?

do request names like POST or GET have to be all caps

yes they do

I got a huge problem.

First, try to update any city's name to be 'flag'. Then, delete any city. Once done, search for a city named 'flag' to get the flag.
when I run curl http://94.237.56.248:35386/api.php/city/flag
i get []

you updated a city to flag and deleted another city? the response is JSON so you need to pipe to jq

there is no responce

[] is the responce

iirc you need to delete the city you added earlier

it returns all cities though

maybe, whats the question

let me try what you said

didn't work

what if I accidently deleted the flag

you can simply reset

idk

thats why we practice in labs with snapshots and not on real targets 😛

now it won't connect to my target

it pings just fine though

its probably because it wants me to use the built in terminal. thats dumb. and it worked on previous ip which makes 0 sense to me

@thorn urchin
C:\Tools>Rubeus.exe monitor /interval:5 /nowrap

C:\Tools>Rubeus.exe renew /ptt /ticket:<TICKET>
[+] Ticket successfully imported!

C:\Tools\klist
#4> Client: j***.k*** @ INLANEFREIGHT.LOCAL
Server: krbtgt/dc01.inlanefreight.local @ INLANEFREIGHT.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a50000 -> forwardable forwarded renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 2/21/2024 12:53:47 (local)
End Time: 2/21/2024 22:51:34 (local)
Renew Time: 2/28/2024 12:49:13 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DC01.INLANEFREIGHT.LOCAL

C:\Tools>more \dc01.inlanefreight.local\c$
Access Denied

So as the a*.j* user has administrative rights we've compromised server01 and are able to intercept the TGT ticket passed by j*.k*. However I cannot seem to figure out to use this to perform priviilege escalation to acess the "Secret Share" on the Domain Controller

Well youre trying to access the C$ not the secret share there for starters

@autumn palm

Access Denied```

Edit. 

Just figured it out. The shared drive is obviously not found under C$...

thats still access the wrong share

Thanks anyway. 🙂

ye lol

can someone give example of using PATCH

Hopefully never

its always been a .txt

whats Ffluf

Ffuf is a web fuzzer

is fuzzing like a spider?

Not exactly a spider will just crawl a web application usually, but fuzzing can help you find hidden directories for example among other things

Check out the github page it has a lot of good documentation and examples

https://github.com/ffuf/ffuf

Hello I do the indeed the course but it is not okay why?

chmod +x @dreamy solar

yo

im new to hacking can someone help me out

just tell me where to get started

just read on hack the box

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

ping uses ICMP. most pivoting tools can only transport tcp and fewer can transport tcp/udp. Ones that can transport ICMP are even rarer

sshuttle creates a simulated VPN but it is not in fact a real VPN

How about ligolo-ng? I'm trying to remember if I even tried Pinging any internal hosts on the network

Module: Abusing HTTP Misconfigurations
Section: Advanced Cache Poisoning Techniques

I'm having issues submitting a payload to fatget.wcp.htb webapp because the unkeyed parameters are getting URL encoded on the view, so there is no reflected XSS. The only parameter that actually yields XSS is the language, which is the keyed parameter so it's of no use. Tried working with both ref and content, but no success.

ligolo-ng does in fact support icmp 🙂

Nice ligolo-ng is hands down the best tool I've been recommended on here can't imagine not using it at this point

there are some situations where its not ideal

but its my goto for sure

hi skill assesment brute force login :

||hydra -l user -P /usr/share/wordlists/rockyou.txt -f 94.237.62.195 -s 55399 http-post-form “/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'” -I -v||

i get this error :

[ERROR] optional parameter must start with a '/' slash!

any idea why ?

https://academy.hackthebox.com/module/57/section/515

try this: hydra -l user -P /usr/share/wordlists/rockyou.txt -f 94.237.62.195 -s 55399 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=/form name='log-in'" -I -v

now i get false positives 😄

i h8 hydra for this

works fine on my machine

done

zap solved it

Hello everyone - I am looking for little help with Command Injection Skills Assessment. I am able to find the vulnerable method but I am unable to exploit it. Your help is greatly appreciated. The command I am using /index.php?to=tmp&from=2380029473.txt&finish=1&move=1%7c%7cbash<<<$(base64%09-d<<<bXYgJHtQQVRIOjA6MX1mbGFnLnR4dCAke1BBVEg6MDoxfXZhciR7UEFUSDowOjF9d3d3JHtQQVRI%09OjA6MX1odG1sJHtQQVRIOjA6MX1maWxlcyR7UEFUSDowOjF9dG1w)

hey

anyone no why nikto is giving me 0 hosts scanned when running it

Anyone please help me

@polar wagon injection skill assesment in wich module?

Anyone willing to give a nudge in the right direction for the last module in footprinting?

You mean the hard lab?

Start walking.

For Bleeding Edge Vulnerabilities in the AD enum and attack course is there a easier way to practice these attacks? ATtack01 machine doesn't have any of tools installed on it, cant install via git hub becuase DNS cant resolve on it, and even if you transfer them over from main box the dependencies arent installed. Best case just to deal wit setting up a pivot every time and just using my machine?

you can set up a pivot but getting relay to work over a pivot would be tricky

if you want to play with relaying more there's the ntlm relay module

I see what you mean, thanks. Not having much luck with it trying to figure out what im doing wrong.

Well you might need to find what's in the community before you walk

haha, thank you.

👍

Don't forget, you can always refer back to sections if you need to make sure your notes aren't missing something important

👍

I got the walk done found a nice community and also tried some sshing (to no avail) still not making much progress. I have the info from such walk but not sure what to do with it. Also the id_rsa keys not workig even after chmod ....

Did you copy the whole key? The ----START and ----END lines are actually crucial

Yea

So thats why im confused

Make sure you're also using the right user (same username of how you got the rsa key)

Yea im using the right one

I think..

I didnt have to use a name to get the key... Maybe thats where im wrong

Well the walk should have revealed a name and a password if I'm recalling

The steps and services involved are mostly outlined in the engagement brief for the lab

Alright thank you!

On to Windows Privilege Escalation Skills Assessment - Part I

Question: Which two KBs are installed on the target system? (Answer format: 3210000&3210060)

After nmap and visiting this and pinging provide nothing of interest
It's been a while at this point -_-
Any clue how to move forward from here..!!

Why is the ZAP HUD so inconsistent?

Just this, no HUD

I would assume you're gonna need to either first get a shell or do some web shenanigans

Module shows I should be getting something like this:

It looks potentially vulnerable to injection

And then at one point i got a message saying "cannot /GET ping" or something to that effect.

Read the section

I might just stick to burp. Any feedback on ZAP?

Apparently zap just sucks idk

Hello Sir, How can I solve this question? Determine the registry key used for persistence and enter it as your answer.
this question on "Introduction to Digital Forensics" module.

For Attacking Enterprise Networks, there is a certain machine that wil allow one to get a shell two ways. Both shells are service accounts and both have SeImpersonatePrivilege enabled. However, only one will allow you to priv esc via PrintSpoofer or JuicyPotatoNG. The one that fails to priv esc, will run the exploit and show a success message, but the account isn't elevated to nt authority/system. Is there a good explanation for this? Something I can read? Not knowing why one worked and the other didn't is bothering me.

I did solve the Attacking thick client application section.
What I got from the section, that application runs a process -> it writes some files as its flow ( we change temp permission to keep files even after process ends) . The flow is such that it delete the files, we modify bat to not delete files, run ps script to get the exe, use x64dbg to check assembly level code, than see that at memory level something is loaded .
Is the original exe script being loaded here?
And after dumping from memory we decompile using dnspy?

Can someone elaborate on this?

Read the section and follow the steps outlined in it and you should be able to determine it

First question : Yes you just modify the script not to delete the file after execution. Here you get those before execution. These tools simulates the entire process and shows you output for debugging/other stuffs

Second Question: After dumping memory file, we de4dot.exe to to make it readable for dnSpy.exe. Then opening this cleaned memeory dump in dnSpy.exe reveals the application running behind this. As it stored the password locally and fetching, we just used dnSpy.exe to reveal those and hence the password

Got in the ssh, Apperciate all the help....

Np

DONE
Understood

Is the original exe script being loaded here?
This was the question regarding files loaded in memory that we see using x64dbg, like we run restart-oracle.exe (the one created by monta.ps1) , so what script is loaded in memory when running this was my question.

┌─[sam@parrot]─[~]
└──╼ $smbclient -L 10.129.44.223
Password for [WORKGROUP\sam]:

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
Home            Disk      
IPC$            IPC       Remote IPC

Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.44.223 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available

can sum1 help

When you do -L btw it quits out after listing

Looks like it's a connection issue

¯_(ツ)_/¯

i reset like a billion t imes

dis is cray cray

Try changing vpn region, also waiting a few minutes after spawning

Can someone please help me

With?

We can't help with a problem you don't ask

Someone keeps harassing my girlfriend

Gonna stop you right there

Go to the police/platform they are being harassed on

ok danke

There's nothing we can do for you

Read #rules

What do I do then they blocked me

I’m so lost

wdym

Original Script : restart_oracle_service.exe and restart-service.exe both loaded in the memory actually

Explaination:
restart_oracle_service.exe runs to create monta.ps1, oracle.txt and restart-service.exe. Also during execution of restart_oracle_service.exe it spawns a powershell to run restart-service.exe hence the rest process goes.

that's how you run the restart_oracle_service.exe and restart_oracle_service.exe runs the restart-service.exe.
As far I know any program runs in windows at least for once it is loaded in the memory

For Proof:
look at the text 5435.bat generated by restart_oracle_service.exe

I think now it will be clear

It's indeed a tough one 😅

My girlfriend is being harassed

Contact with police

Does htb do maintenance everyday at this time? My target ip never loads around this around

I don’t want to do that I just want to get his account banned

Or hacked

why dont u go beat him up

He lives somewhere else

Cyber bullying

Try to load it in another browser mate

This happens daily, I tried everything usually around 9:30 it goes back up

What do I do I thought y’all could hack him

bro stop asking

u already got ur answer.....

Sorry

My bad

Yeah, also noticed it...

I didn’t mean any harm

Thanks. Indeed it's a tough one.

this section https://academy.hackthebox.com/module/67/section/2502 , make me feel like I am livin in 90s

Just wondering why there is no public writeups for pro labs in the google?

Read #rules my dude

cuz they are pro labs htb want to keep it clean since they provide certs if you finish one of them , writeups only available for retired machines

Your only recourse is going to the authorities and platforms involved. We cannot help you as any action like that, justified or not, is illegal

They don't really provide certs

ohhh okay. thats the reason. thanks!

It's More that it's paid, active content

And having a writeup bypasses any actual skill

really , I thought they do

They aren't traditional certs

Just "congrats you pwned it"

Which, in the grand scheme of things, doesn't really mean much as they aren't a timed activity

You can pwn it after a year, or after a few weeks

It's moreso just additional content to practice on

And it follows the overarching content policy that active content is barred from having writeups

The only writeups that exist for them are on Enterprise platforms available only to the lab admin

@fathom pendant thanks for the clarification

If you follow instructions in #welcome you can gain access to prolab channels where you can ask for nudges

CPTS path would probably be beneficial too.

great content

Yes it is. Just wrapped up AD enumeration and attacks. That second scenario had me tripped up for about a week and a half. But, everything needed to solve it, was in the material. Just had to go back and read my notes a lot.

yeah the web shell in the first Skill assessment great scenario

\└──╼ $hydra -l simon -P random.txt mssql://10.129.85.162 -t1
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-21 19:55:33
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 7 login tries (l:1/p:7), ~7 tries per task
[DATA] attacking mssql://10.129.85.162:1433/
[ERROR] Child with pid 2672 terminating, can not connect
[ERROR] Child with pid 2674 terminating, can not connect
[ERROR] Child with pid 2677 terminating, can not connect
[ERROR] all children were disabled due too many connection errors
0 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-21 19:56:11

can sum1 tell me why it dont work with hdyra?

why are you burting mssql, it has different authentication modes, try other services

^

Read: Error... "can not connect"

It failed bc it couldn't connect to the service

Ha was trying to do a search and typed in chat, every time I upload a basic photo shell it’s a blank page and my &cmd=xxx doesn’t work on Blacklist Filters portion of File Upload Attacks. Still fighting through it

don't overcomplicate , simple easy payload will work xD

anyone have a .txt of tier 0 notes to send 2 me?

could u all suggest best hacking book ??

there is no such thing, every book has its benefits and drawbacks

https://book.hacktricks.xyz/welcome/readme if this can be considered book ..

Did you know hacktricks has stolen htb content

Do a Google dork: inlanefreight site:hacktricks.xyz

(Inlanefreight is a fictitious company that htb uses in its academy content)

No, but had my doubts content looks similar.

To be specific they site htb academy as the reference

But its like, barely altered

Ok thank u

Hacktricks is more of a reference guide than a "read this" book

You find a thing, and look it up

Like LoLBAS and gtfobins

Hacktrics is just like a public notes

shut uppp pls

Footprinting - DNS. Last question of the task : What is the FQDN of the host where the last octet ends with "x.x.x.203"?
I've tried 4 different wordlists but no results that end with 203. Anybody suggestion what i did do wrong?
||dnsenum --dnsserver 10.129.239.38 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb||
Found subdomains: ||app.inlanefreight.htb: 10.129.18.15
dev.inlanefreight.htb: 10.12.0.1
internal.inlanefreight.htb: 10.129.1.6
mail1.inlanefreight.htb: 10.129.18.201
ns.inlanefreight.htb: 127.0.0.1||

Your List is much tooo big
Take the smallest

idk man

Footprinting --> IMAP --> Try to access the emails on the IMAP server and submit the flag as the answer. (Format: HTB{...})

I try to connect, get some info but dont know what todo next to get the answer(s). Still looking for the admin emailaddress too. Anyone a nudge?

Hi,
Look here -> https://www.atmail.com/blog/imap-commands/

If you stil feel stuck DM me

Hi guys

can someone help me with one question from the Broken Authentication module?

Log in to the target application and tamper the rememberme token to give yourself super user privileges. After escalating privileges, submit the flag as your answer.

I got the PHP cookie and try to decode it but nothing happen

I see that when I logout I got one HTBPERSISTENT cookie but

again, nothing

the cookie is also in plain text so I don't know what to do exactly...

printf("Please Help!\n")

navigating is ok but how to fetch the email? I cant get it done with 1 FETCH <id> or ALL

when doing hackthebox academy modules....are you guys more likely to use the lab instance or your own VirtualBox lab?

I prefer pwnbox, did use my own VM before but the pwnbox is comfy, few scripts so i get all my tools in an instant ready and personalized.

Can I DM someone for AD Enumeration & Attacks - Skills Assessment Part II ? Im stuck at Q11

You are really close, read documentation of how to use FETCH command from link that I sent you

Re doing Attacking enterprise networks and I get errors with this command proxychains enum4linux -U -P 172.16.8.3

ERROR: nmblookup is not in your path.  Check that samba package is installed
ERROR: net is not in your path.  Check that samba package is installed
ERROR: rpcclient is not in your path.  Check that samba package is installed
ERROR: smbclient is not in your path.  Check that samba package is installed
WARNING: polenum is not in your path.  Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
For Gentoo, you need to install the "samba" package
For Debian, you need to install the "smbclient" package

I already checked and all of those tools are installed and located in $PATH variable. Any ideas? I don't remember having any issues when I first did this module

!! Found fix by using -q flag with proxychains

Found the other mailbox an got the info i needed. Thanks!

i realllllllly hope the exam isnt as slow as these modules man

Found fix by using -q flag with proxychains

What is any different from the time you took the CBBH exam?

cbbh was smooth

but the modules where also smooth so

not really comparable when handling websites and ad

Hi guys, I'm on Remote/Reverse Port Forwarding with SSH. I think I'm doing the right thing but am not sure if it's me or the machine

I have everything set up to the point that I can port scan the target through the pivot

I presume it's a job for RDP from here but it won't connect

I need access to the Windows target to download the payload

Could someone please let me know if it's me stupid or machine stupid

Nevermind 🙄

It was me stupid

Hey can anyone points out why certuitl is giving this error. Neither certutil or curl is working

Trying to upload juicypotato.exe to tragert for priv esc

I mad really getting mad with this..!

Just for this little thing stuck for hours

Even if I want to create a text file it doesn't show but the command get executed
Look..

save to another dir other than c root, it needs elevated privileges

Hi, I'm currently here -> https://academy.hackthebox.com/module/details/85 trying to complete the competency assessment. Unfortunately I haven't been able to get anywhere for 5 days. Has anyone already completed this and could you please help me? Thank you very much!

which question and give details on where you're at so people can help you

here #modules message

Gladly, just a moment

Oh, I see you answered that once. I had already searched here, but unfortunately I missed this answer. Unfortunately, after copying from rax to xor, the shellcode is always unusable. And that's why I wonder if I'm missing something. Here is my current code:

prepair:
mov rbx,0x2144d2144d2144d2 ; In RBX ist der Schlüssel gespeichert
mov rcx, 14 ; 14 Durchläufe im Loop
mov rdx, [rsp] ; [inhalt] ohne [] die Adresse

decodeLoop:
mov rax, rdx
xor rax, rbx
add rdx, 8 ; Zeiger um 8 Bit Byte verschieben/erhöhen
loop decodeLoop

end:
mov rax, 60
mov rdi, 0
syscall

If I then do a break on “loop decodeLoop” and see what $rax is. And then putting them all together one after the other always results in unusable shell code.

Hmm, should I delete the code here?

mov rdx, [rsp] copies the value in the pointer to rdx, and not the pointer itself, so +8 would just simply add the value instead of moving the pointer

also why mov rax, rdx, this instruction is unnecessary

you should modify the given code and don't over complicate things

Did they actually go over your exam again, or did they ignore your email?

Now I have to mentally process your information! Hmm, the mov thing makes me think. So then something like XOR [rdx], rbx?

correct

Thanks, I'll go ahead and change it and try it out...

oh my bad there's no template given, but you're on the right track

Hi everyone, y

Hello why I don't do my scp request ? help me plz

use scp -r for copying directory

^

If you ls -la chisel I have a sneaking suspicion that it'll have d at the front of its perms

Wow, it finally worked. And all because of one small mistake. Thanks for your help! 🔝

Anyone else not able to spawn targets?

"Target is spawning..." for 5 mins

just bought academy student monthly plan, the grind is on 🔥

Anyone available for a hint on the Whitebox Attacks Race Condition section....can't seem to be able to get anywhere with it at the moment...

May the force be with you

Try Switching vpn servers

I am having issues with the targets the last 3 days. They are spawning but everything, e.g. ssh to them, is extremely slow (and I mean extremely extremely slow). I have tried switching udp/tcp files, eu 1 to eu 2, etc. but it still the same.

I've had my soul taken so many times today because RDP won't connect or rev shells

You are not alone

Just jumped back on the Pwnbox and it works first time. No doubt it's my fault

no it was not

its been like this the last week or so i want to say

and it becomes worse as you get near peak hours

its basically impossible to do anything around EU peak hours now, its really really sad

I'm about 40% through CPTS and I've found that it really depends what you're doing and your connection too. I had days where RDP was making me wait ages for each keystroke

I thought it was in my head! But the night and mornings did seem smoother in EU

nah its blatantly obvious that HTB's infrastructure cant handle the load

It's annoying because the lessons are already vague enough without having to guess if it's your connection.

Vague in a good way

Ah well. I'm sure it'll work itself out 😄

yeah, the content is soooo good, and up untill fairly recently, the infrastructure was good too

but its infuriating recently. Having to RDP back into your target every 10 seconds because connection drops etc etc

and yes, ive tried every single VPN, every single pwnbox location etc etc

Well, I am sure that everything will be back to normal soon!

I could do with some explanation for a Getting Started: Privilege Escalation

I got stuck going in circles trying to get a reverse shell or run a script and ended up watching a kinda tutorial that nudged me in the right direction:

Although I was running sudo -l I didn't really understand or could research what I was meant to to with the output but I got through the task in the end.

Here's my notes output if anyone could explain / breakdown what the sudo -l output meant and what ||/bin/bash|| was doing?

So the last line of the sudo -l output, let's you know that you can run a shell (/bin/bash) as user2 without a password prompt.

has anyone done this room

my objective

i dont see a home dir

and when i do home i dont see a flag.txt

So if Im uderstanding this right

'Sudo -u user2' = Run this as user2

'/bin/bash' = ran without argument because me/user1 was allowed to because id did not require a password (NOPASSWD)

the result was a shell as user2?

because you would be in /var/html/www
try ls /home to see the home dirs

Here you just trying to type home as a command, you are not listing the directory as @stark vortex mentioned. ls /home would be worth trying.

i get invalid here

try a + or url encode the space character so that the entire string is together and highlighted in burp

So remember what you are trying to do: bypass blacklisted characters. In this case you are trying to inject the command ls /home, but (as far as I remember) both spaces and / are blacklisted. So you need to use what you learnt from the previous sections and replace those somehow.

Im using the new line character

Which in this module is the bypass that works in every section

There was a section for just bypassing space and all 3 ways mentioned there work. But then you have to bypass /, which was exactly the section after the space one, which also works.

Take your time to understand what you are doing, don't just rush to complete the exercise.

guys

anyone familiar with nand to tetris ?

This doesn't seem relevant to an academy module

dude

where is the channel for such topics then

Read and follow #welcome

@high reef let me know if you need more help, I spawned the target myself to remember the exercise

how to include rdp password or username to smb upload?https://academy.hackthebox.com/module/24/section/160

check your dm

Hey All, can anyone help me with lab setup on Advanced XSS and CSRF Exploitation Module from the Senior Web Academy. I cannot access the URLs and am trying to see if I missed a step. 🙏

howdy folks on the server side attacks module theyre using tplmap unfortunatly kali comes preinstalled with python3 when tplmap requires python2 cant install with venv getting a bunch of errors anyone know if theres an alternative to tplmap that utilises python3

I love your icon

Have you entered the domains in your hosts file?

I did. I had to reach out to HTB....it was a dns issue on there end. All resolved.

Hello man can you help me plz on the skills assessment exercice PASSWORD ATTACKS Password Attacks Lab - Hard, I do a brute force but nothing...

https://academy.hackthebox.com/module/147/section/1356

Footprinting: SNMP -> enumerate the custom script. What part of the module does explain how to do this?

Walking

Literally perform the walk and you'll see what it's talking about

You're not executing the script

I did the three things they learn, but i couldnt find what they are looking for. Could also be me not understanding correctly what they look for

In the output: first look for something.sh

Until you reach the final output line of that bit: that's all under that OID

I must to do bruteforce or not ? I don't find others solutions for moment

Because it's actually addressed as 172.16.5.0/24 and 172.16.6.0/24

Kinda/sorta. The addressing for those subnets is different

They both fall under the main network as 172.16.0.0/16 however they were subnetted to be separated

So hosts on 172.16.5.0/24 can't communicate on 172.16.6.0/24

(Unless they share an interface)

If you have access to a purely segregated 172.16.5.x system and a 172.16.6.x system, try pinging them from each other

The /16 is purely to indicate the overarching class B network is /16

It's just one of those sorts of networking things you learn

Excuse me can you help me ? I just need an information for my exercice ^^"

It's also funny bc recently in my class I just did some networking where one of the labs was configuring a static class C IP on a windows vm lol

Fun fact as well: the networking on htb/vpn is Class A

grep the output with "HTB" and the flag was there. Thanks

I recommend just reading the raw output as well to understand it, the braa command they give is also far simpler and less noise

Will do, thanks.

As there's times you won't just be able to grep for a flag format

I.e. one of the skill labs

I've tried to do it manually first

but failed several times. Thats why i asked what did i miss.

Nah you're good. The snmpwalk gives a LOT of visual noise

So if you don't know specifically what to look for then it's just like "woah dude, I just sat down"

I'm attempting to log in to MS-SQL in the "ATTACKING COMMON SERVICES" module, but I'm not getting any response. Even with the -v option, there's no output. The service is pingable.

ah finally got a 115 (Cant connect to server)

what could i do here?

no, absolutely not

Hello man can you help me plz on the skills assessment exercice PASSWORD ATTACKS Password Attacks Lab - Hard, I do a brute force but nothing...

CME, try --local-auth or whatever the flag is

better try hydra, crackmapexec is slow

What are you brute forcing?

with the list mut_password.list ?

This is still vague

Maybe

I do not trying to bruteforce. I got credentials, but still no connection can be established.

using mysql and sqsh

Well you can't connect to mssql with mysql

Impacket has their own mssqlclient tool

^ plus it would just be easier to help you out if you shared a snippet of your code or the error

holy shit, thanks. XD

Simple mistakes lol we've all been there

i feel like an idiot, but failing makes us smarter hahaha!

failing mistakes

Failing implies the lack of success at the end

pinging doesn't really tell you anything, tbh

Some hosts can be configured to not respond to icmp requests

no one uses classful networking anymore. The most likely reason, if this is some sort of lab scenario, is that someone forgot to change the /16 to a /24 when typing it all up

Classful networking has been dead for twice as long as it has been around by this point. I don't understand why people still teach it.

Well, I do know why they still teach it.

It'll still show up in the ifconfig no?

because it is not okay rockyou?

AFAIK my home network isn't classfull but still uses /16

My home network is a /24, because it's a default configuration for my router.

I was also just referring to the general ip as a/b/c because that's (in general) how most people learn it

Sure, but even then it's not useful to call them as classes because a 128.0.0.0/8 address is not a class a address

if you're bruteforcing a service then I think mut password list is the way to go unless you are targetting the wrong service.

Classes are determined by the first few octets, are they not?

Not quite.

Oh wait, yes, if I'm following you.

Ye

Like it follows the address schema of private class not so much that it is (though usually its interchangeable

I test smb, winrm and rpc with the list mut

I forget something?

is that all the services?

It's just that it's not useful to call something a class a address when what someone probably means is a /8 address. Saying that htb uses a class a address doesn't really mean too much. You can configure your own private network and give it any address. It's only when you have public + private stuff that you have to take into account addresses that you can't use. But by default, if you're going to host a server in the cloud, I'm pretty sure you're always going to have a 10.0.0.0/8 block of addresses that you can work with.

Guys, I need help here, please. SOC Analyst Introduction To The Elastic Stack: second question. Now, execute the KQL query that is mentioned in the "Wildcards and Regular Expressions" part of this section and enter the number of returned results (hits) as your answer.

I have found the username for question one but when I put in what I am seeing as the answer I keep getting that the answer is wrong.

Ok yeah, I just think there's a break in what I'm trying to convey. I appreciate the added nuance to my statement though

Because I think we're saying similar things just in a slightly different way

If you connect to one of htb's vpn, you'll see that you aren't on a /8 address

10.10.0.0/16

And academy I believe also adds 10.129.0.0/16 I'd have to spin up the pwnbox to see

is htb academy site down ?

Works for me here.

its just keeps loading for me

Uh, nvm. The homepage is up, but I can't connect to any of the other pages.

Works for me other than the question I am currently stuck on.

So it's up, but there's probably something happening with their web server.

Yeah I was gonna say it looks like it just died at least isn't loading new requests

It's active as I can at least ping it

I managed to visit another page. It's probably just high traffic.

yeah probably , i just got in

You can try https://status.hackthebox.com/, but I have never found it useful.

Sometimes it's a bit slow to keep up with issues

A few weeks back there was an issue with the vpns for close to half a day. I never saw anything about it on that page.

It's probably not meant for it, but if it doesn't tell that sort of information, it's effectively useless for me.

It's kinda hit-or-miss if it lands on status.

I think it needs to be a hyper prolonged issue. And it needs to be in-part at least verified/hookable to the api

It's likely that since the api could make valid callbacks it was like "all good, nothing to see here"

hi

anything wrong with that ?

mysql 94.237.55.163 -u root -p -P ||30809||
Enter password:
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/run/mysqld/mysqld.sock' (2)

https://academy.hackthebox.com/module/33/section/183

Is -P the port flag for mysql?

yes

try -H before the ip

^

na, its the same, after password ( which i copied ) error comes up

Any hint for Injection Attacks module -> skill asessment ?

Greetings im on the "mini module" UNDERSTANDING LOG SOURCES & INVESTIGATING WITH SPLUNK and the section Introduction To Splunk & SPL I am having a hard time understanding what I need to do with the last question in this sectioon Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes. Enter it as your answer. I know I can get the answer the unintended way but would love to do it the right way! I have a SPL query that I think solves the question even though its wrong any help will be appreciated.

its "-h" <---

now it works

I can never remember the options.

me neither lol

I hope you don't run into issues where you need to specify -h localhost or -h 127.0.0.1

Wasn't there one tool where it used to be one thing then switched to the other flag

i use my instinct to guess the right commands and syntax for the options lol

and the kali linux history as well

i use joplin 😉

whats that?

is it like ancient spell or smth like that?

it's like cherrytree

for commands?

thats cool

brotha im doing the learning way or whatever its called module

im literally being taught wisdom

that module is hot garbage

Huh... just looked on pwnbox and it's

10.10.10.0/23
10.10.14.0/23
10.129.0.0/16

wdym by that

its great to hear some kind words

I don't like some of the other tier 0 modules, but that is the only module I will call hot garbage.

ancient wisdom

It actively teaches pseudoscientific nonsense as well as absolute falsehoods.

if you had to pick best module from Tier 1 or 2, which one will it be

tbh....ngl....i prefer to live in perfect but fake world than sad but real world

Well, I instantly laughed at the part where it spouts the bs "Einstein was bad at math"

Maybe he was, compared to Hilbert, lol.

he was bad

but he was very creative

and he slowly became good at it

It's moreso the framing of the statement

#858470491676737536 message

ehhh

alr, im not Einstein soo

which will you put on first place @prisma spruce

I dunno. Go and do them to see what you like.

It's all subjective

I mean just open a module and read no need for all this Philo shiit

What one person may say is different from another regarding a topic

i like to hear others' options especially when they arent hostile

The main issue for me is that the learning process module is similar to one of those garbage "motivational" speakers, except it's even worse because it spouts absolute bullshit.

but its good to have different point of view

tbh i needed that motivational boost ngl

Some forms of bullshit are fine I guess, like Gladwell's 10000 hour thing, but I would not want to see it in any sort of serious publication.

Unless they're writing about how it doesn't really work that way, lol.

thats 416 days

a little more than a year

Gladwell's 10000 hour rule is pretty similar to the "walk 10000 steps a day" rule

it just depends on how you view it ¯_(ツ)_/¯

whats the 10k step rule?

10,000 hours can also mean spending dedicated time on it

being passionate

and obsessed as well lol

10k steps a day for a healthy heart or sth along those lines

bullshit, i got such genetics that they drain all fats from my body, i look so skinny

Yeah, and it was picked because the character for ten thousand just happened to look like a guy walking lol.

This would not have happened if the Japanese did not decide to officially simplify their script after WWII.

almost 180cm and 54kg, am i cooked?

Everyone is different

i wished there was someone like me

isnt this what all people are tryna find? soulmate?

never saying she/he should be the same

but like? close interests etc

Yes, but we are more similar than not. Which makes it hilarious when researchers talk about how the "everyone learns in a different way" thing is again, mostly nonsense.

I am only trying to find a way to finish all modules in one day lol

get neuralink chip and try

heard these things make u smarter, basically tony start from wish

HTB has taught me so much about how slow I learn

Do three questions a week so you can keep your streak up. /s

It's just how people absorb it. Thus people get a crutch on only learning via video.

https://poorvucenter.yale.edu/LearningStylesMyth

Yes I'm aware lol

I actually hate videos and will ragequit if I'm presented with one.

I'm moreso stating people that were told "you're a visual learner, so reading is gonna be difficult" internalize it

It's even worse with the non-educational stuff, where they try to talk as quickly as possible without saying anything useful at all.

Oh you mean salespeak

Nah, not even that.

Imagine someone talking about the canon of some random creative universe.

Throwing in buzzwords that add 0 value

Ohhh

Do i need to add the domain (which isnt mentioned) to etc/hosts for the skill assesment in Footprinting?

Or they can slow down, but still say nothing useful: https://www.youtube.com/watch?v=0eLEqdrWSsc

It'll probably help.

What ppl actually do with these streaks

Nope

@languid fjord ngl, I find it funny that you have to explain the difference between blackbox and whitebox pentesting for a senior level cert

It's marketing

guys

i need help

when i spawn a target and try to connect via ssh htb-student@ the ip adresss it keeps saying connection close by ip addess port 22

what am i doing wrong

Is port 22 open?

im stuck in Password Reuse / Default Passwords module in password attacks i loged as sam got a note.zip file from kira but don't know how to crack it ... also where do i find the default creds that i should try i found the defaultcreds on github tried to download it to the attackbox but got some python error and the port for sql in the machine isn't even open ... any hints pls ?

ill check my ports

You should check the ones that are open on the box that you're trying to connect to.

try to download a differant vpn or you may have to fix something in the config file for ssh not really sure what you'll have to fix tbh

its 30 minutes of cardio exercise above 120 bpm

Solved?

not yet

DM? Did that part last week, maybe i can help you

Any help with #cpts message ? ❤️

The notes.zip is irrelevant for this section

Has anyone else done the SOC Analyst training in here?

Read the question: use the default cred cheatsheet

I need help here, please. SOC Analyst Introduction To The Elastic Stack: second question. "Now, execute the KQL query that is mentioned in the "Wildcards and Regular Expressions" part of this section and enter the number of returned results (hits) as your answer."

I have found the username for question one but when I put in what I am seeing as the answer I keep getting that the answer is wrong.

The question here is asking how many hits

Not for a specific name

Hit's being the number of times I am finding said name?

I got the name for question 1.

Perhaps. I mean it depends on what the query is for the subsection/whatever you're doing

event.code:4625 AND user.name: admin*

with admin replaced with the answer from the first question.

But yes: hits is how many times you get results

Also it doesn't indicate that you should modify the query

how do you read a docx file in linux

i asked chatgpt , gave me a few tools but doesnt work

Use office libre

wont install

It will if you download the office Libre suite from the website

And follow their install

okay thank you i will instal it now

:) the install works just fine

yes i followed chatgpt command to install it that why it didnt work probably

i will go to their official website and follow their instructions

Yeah it's best to follow official documentation

if it's not an important file there are websites where you can upload the .docx

I'm sure there's a cli tool somewhere that converts docx to pdf directly too

yes not an important file i think

its related to a lab im working on

trying to read a docx file

Thanks, had to re-read the question again. This helped.

Hey guys, im trying to dump cached credentials with mimikatz, after executing "sekurlsa::logonpasswords" it returns (null) on the user i'm targeting, any idea why is that?

Search for "online docx viewer" with google then. You'll eventually find one that works the way you want it to.

wdym?

Oh on the blog?

Yes.

hello there, any hint about WinPrivEsc onto WPE Assessment II would be good appreciate it....

cuz I guess the admin password found is a hanging fruit or big distraction...

cuz I tried to use that creds with Runas also with RDP unsuccessfully

im stuck in the medium lab in Password attacks module, i got a user creds , did ssh and stuck cuz can't get to root

i tried multiple techniques in linux creds hunting section but nothing seems to work

a hint would be appreciated :3

thank you , but i just installed libreoffice instead, maybe for future personal usage

nvm i think i figured it out

You might have to try a few of them because they don't always give the right output.

I know there are .xlsx viewers that crop out a lot of the content.

I also believe Google docs can read docx

bam

Well, it usually works, but there are probably some cases out there where the output is horrendous.

Yeah. There's an extension I believe for better support

Hi guys, i have a quick question.. once i buy the cubes, will there be any expiration date for them?

afaik no

Im planning tk use them after an year😅

Why?

Because company buying me some cubes and i bought silver already. So

lol ouch

i see, i will keep that in mind thank you !

after completing modules , you get some cubes back

Making my way down the Pen Tester pathway, learning so much

yes 🙂

great path

Much better way of learning

where are you at ?

I used to just do CTFs but I noticed I wasn't really understanding why I was doing things

I only switched to HTB academy yesterday, so I'm only on the 2nd module "getting started"

i am @ 60% now, this will be fun 🙂

60% overall?

yes

How long did that take? I'd imagine it takes a good amount of time

there is no time line here but i think less then 1 month

i do not know tbh

I mean for you

it was for me 🙂

im 30% in and it did take me 2 months or so

its actually related to how many hours you dedicate to htb academy in a day

because i had final exams to do and stuff

yes i take every weekend and 3-4 hrs after work

btw does the academy count for rank in htb too ?

No

no

ok

Separate platforms

i wonder i get higher and higher lol

I'm just going to focus on Academy for now, until I got a big chunk of it done

good idea its worth it

I like how its a lot harder than some other sites I have tried

it doesn't help you as much

HTB academy is really rich, as you go deep in the course you will then see why everyone who tried it has nothing but thanks for it

that's good to hear

I'm just finishing off a cyber security degree and have learnt nothing so far

if you like frustration and pain you are 100% right on track 😄

I do I do. I'm not new to CTFs, I just switched from another site

I just want to get a better foundation to my skills

Well academy is still a good place to realize how many gaps you may have

there are many gaps that's for sure

having trouble connecting to some rdp sessions all of a sudden, was connecting fine about 20 minutes ago

Reach out to support who can assist 🙂

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

thm?

thanks, was hoping for easy fix since support closed for day, i'll reach out there tho and just chill tonight 🙂

Exactly that

I thought a meme was coming

I think it would be funny if htb created pointless modules like "how to use vim/tmux"

How to escape vim

google it 🙂

top 5 questions about vim i think

It's fun to see that in an exam, because there are more ways than :q

If it's a sticky-bit then there's a ton you can do

with vim?

priv esc for example

Yea. Priv-esc with vim is neat

has anyone in here taken the cpts exam yet?

No one has. You would be the very first

Oh, I see what you mean.

I thought you were talking about exiting the file still lol.

Yeah, expanding on the "how to use vim"

vimtutor

There's probably someone out there who doesn't know how to exit vim because they have a f-122 keyboard and they had long ago bound their f24 key to esc+:wq!

no one knows about

Ye it's neat

There's a thm room on how to use tmux, and you can pretend that you're learning when it's one of those things that you set up and never touch its configuration again.

tmux is great

It is.

And there's a room on classful networking. It never ceases to make me rage because we still talk about it.

and netexec is too 😄

Well it's good to know defaults and private ranges

Private ranges don't really have anything to do with classful networking.

Well yes, I'm more referring to the private ranges within the classes

Other than that

Everything is CIDR

except that only works for 10.0.0.0/8

I mean 172.16.0.0 -> 172.31.255.255 is a relatively small range comparatively

And it makes it sound like it's some sort of static thing, when sane people would be dividing their 10.0.0.0/8 block

Yup or use vlans to further subdivide

I'm right in thinking you can manually assign a range (on router/switch) to assign via dhcp yeah?

Yeah.

A classful description of this is a mouthful.

Mhm

I'm in the early modules for linux fundamentals! there's several questions I can't answer without using sudo, yet I don't know the htb-student's sudo password. Is there somehwere I might find that?

Wikipedia states that they divided class A networks into smaller subnets. I don't know how they did it back then, because if they could have done that, they could have gone with vlsm

It'll just be their password