#modules
narrow down the exploit to the one that will help you gain what you want, a flag or a reverse shell etc
just add reverse shell to keywords in the search
Think about file reading exploits
the only exploit for the plugin that specified reading files doesn't work, check returns target is not exploitable. plus I have 7 mins left on pwn for the day so I'm probably going to have to come back later
You can extend the lifetime of the workstation if i'm not mistaken
module: ABUSING HTTP MISCONFIGURATIONS
content: Advanced Cache Poisoning Techniques
any hint?
I couldn't extend the lifetime, I'm a free user so that's it for the day
Has anybody done the Pivot, Tunneling etc Skills Assessment using ligolo-ng? I've used it many times before (did the whole of Zephyr with it), but it isn't working on this box and I'm a bit confused. Not sure if it is because I have a new VM or I'm just stupid today
I have not, although the tools inside the module I would assume work best for it
what issues are you facing?
I can’t get a connection from 172.16.5 back to kali
You can DM.
In Zephyr all machines could connect to your attack machine directly; here this may not be the case and you may have to create a listener on the first machine you compromised to forward the traffic to your attack machine, and have the other machines connect to the internal, compromised machine if you need to double pivot
Solved
Pls guys who would help me with this ? I can sort myself but my pwnbox time has exhausted How many partitions exist in our Pwnbox ? That’s page 22 of Linux fundamentals 🙏🏻
try fdisk -l
can i dm someone?
Hey guys, can someone explain to me in short: when do u use gobuster dir and when do u use FFUF? Like.. they both search for directories, so?
They both do the same stuff just in a different way, look at what options they have and which output you like more and pick one
I personally use ffuf for everything, others swear on gobuster
i use dirsearch
its kinda chaotic but it gets most pages
Ty a lot 🙇♂️
When I dump something like "Administrator:500:aad3b435b51404eeaad3b435b51404ee:e53d4d912d96874e83429886c7bf22a1:::" Which part of this is the crackable hash? Is it the second hash after the colon or the entire thing after "500:"?
whole thing is crackable, hashcat can parse it
but the format is username:group:LM:NT
Ahh okay. LMNT hashes are slightly more legible than the ones I get from /etc/shadow
different hash types, shadow hashes are usually salted
And they're, what, SHA512Crypt?
depends on the distro, could be bcrypt, yescrypt, sha256/512
is there a reason why I can upload a php file with the reverse ssh script in it to the server, try and load it with the url that the instructions told me to load it with and be met with "the requested URL was not found on this server"? I don't know what would cause it at all but after following the guide included in the section it keeps saying that the file was not found on the server
<p>The requested URL /nibbleblog/content/private/plugins/my_image/image.php was not found on this server.</p>
You're sure it actually uploaded and wasn't rejected because of the file type?
Module using crackmap exec: Use --screenshot to take a picture using Julio / Password1 creds, then submit DONE as the answer when finished. Any idea why I get this? crackmapexec rdp 10.129.146.226 -u julio -p Password1 --screenshot --screentime 10 --res 1280x720 Nmap shows that rdp is open and I get pings back. Error: socket.gaierror: [Errno -2] Name or service not known
add the ip and hostname to your /etc/hosts
go to the my_image directory, do you see your file in there?
Already is: 10.129.146.226 inlanefreight.htb dc01.inlanefreight.htb
also add the hostname
Thanks, that worked
The instructions say I am supposed to see an image.php and a d something but it was empty for me
Ill figure it out later
if it's empty then your file wasn't uploaded, but you should ss the title index of /nibbleblog/... and db.xml
After three days I finally finished the password attacks module. That was the most frustrating one so far lol
it's the direction of the traffic, when you use wmiexec, you're initiating the connection to the target, but what if you need a reverse shell? in the case where the target initiate the connection, you'll need remote/reverse port forward
I have a shell with wmiexec
yeah?
Hello, in module ACTIVE DIRECTORY ENUMERATION & ATTACKS, I've to connect to BloodHound but the credential for neo4j doesn't work ? Do you have an idea of the id:pass ? I've found neo4j:HTB_@cademy_stndnt! but it doesn't work
EDIT : It's neo4j:neo4j
is that your own vm or provided vm?
pwnbox
Oh, I see my error now...
BloodHound was on MS01 but I didn't notice that... My bad :/
me too, if you solved it, can I dm you
Hii
hello
I am a beginner, I want to learn about networking, anybody help me
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Why do most of the people I ask prefer NXC to CME? Aside from the CME installation difficulties, I haven't seen a huge difference between the two
CME is discontinued
I have to run it via poetry but it seems to still work just fine, though I'm only using it because the modules use it
Did you find a better method to answer number 2 ?
Didn't really try to refine it after. Just browsed around and tried some things that made sense
Ok thank you
What are y'all using to write your pentest reports for the exam?
Every single reporting software I'm testing out is full of issues.
All I need is an automated workflow to store my findings and quickly generate reports.
There's a template I think?
But for generating the report.. don't over think it, you'll spend all the time perfecting a report generator instead of writing the report yourself 😉
(I made this mistake when taking OSCP, and just ended up writing it myself using my notes and findings)
I've heard sysraptor is good
I couldn't get sysraptor to work because for some reason I can't get docker installation to work
Is it just built for pentesting reports?
Writing a custom report is way easier it seems, than relying on generators.
I just wanted to know what you all think.
Maybe I'm overthinking
Hi! Yes! You can DM and i'll help ya
I figured it out, thanks though!
hey did you manage to get this ?
Which was this?
how to generate the CSRF appended to the end of the cookie at the end, I think it's a SHA1 hash
Yeah for sure, it seems like a good idea, but by the time you've sorted the layout and generator, you would've already completed the report
Which Module/Chapter/Question? 🙂
Intro Deserialization Attacks - Skill assessment 2
Ah yes. It was awhile back but I did it.
can i dm you ?
Yup
Does anyone have any idea what I'm doing wrong in the Sysmon & Event logs section? I'm on the Replicate the Unmanaged PowerShell attack described in this section and provide the SHA256 hash of clrjit.dll that spoolsv.exe will load as your answer. question.
I changed the sysmon config, set it, ran the commands and when I search by event ID 7 nothing comes up
I was able to get the answer by using get-filehash {path} but I'm curious why it's not showing up in sysmon
Hey Wolfiej, long time no see. Hope you're well?
What module/section
If nothing shows up if you filter for event ID 7, then either your query is wrong or your sysmon config isn't capturing event ID 7
Ello o/ I am doing ok. New job (even got consulting in the title). I'm nearly always in channel, just not really focussed on looking to help people unless I get a ping 😄
How goes with you?
Oh, cool. Congratulations on your new job
Are you also making the new modules for CWEE? I keep stumbling, but I'll get there
Making? Noooo. Doing... not currently, although I want to go back to it. New job + handover from old job is keeping me busy (- -)
Oh yes, mistranslation lol
But you have understood what I mean. That's the most important thing
I think I've got 9 modules to do now, booo 🙂
I have unlocked the first module of cwee but been postponing it lol
Too scared of it
gonna become half a web monkey
I currently have 8 modules open. But I am currently concentrating on the CWEE path. I'll only do the other modules once I've successfully completed CWEE
@acoustic owl
same here
I did 80% of CPTS
but currently concentrating on the CWEE
Hi, anyone may help me understand this?
The module: Network Enumeration with nmap.
Section: Firewall and IDS/IPS evasion - Medium lab.
I tried to solve this lab in many ways, but I can't do it, so I searched this channel for hints or help and I saw someone mention "pwnbox", so I tried using the pwnbox with the same command that I use in my Kali; it didn't work there, but it works in the pwnbox.
I don't understand, why?
Sorry for my English, I'm improving this skill
That lab isn't an easy one. Lots of people have problems with it. And your English is fine. 😉
Sadly I dont have notes for that one (- -)
Don't worry, my English isn't perfect either.
The PwnBox is directly in the same network. I suspect that the problem is caused by the VPN.
maybe were you blocked by the firewall? and on the pwnbox when you tried the firewall blocking was removed already?
Aaah ok, it's strange because when I use the VPN I can see the versions of the ports
Mmmm maybe, I'll try after I finish the module, probably the IDS can block me, and the pwnbox got it on the first attempt
did you check it via the browser status.php?
Yes, I did. The file said we have 17/75 alerts
Right! I mean it could have been that on your machine you already got to 75 and then it reset and let you in with pwnbox, or maybe it was a VPN issue
Okk, it could be. Thanks a lot @acoustic owl and @fringe urchin for explaining this to me, I'm grateful :3
Hi, can someone please give me some hint on the skill assessment of the file upload attacks?
I have read the source code and uploaded a ||.jpg|| payload, but I cannot get the code executed
Heya, anyone able to give me pointers on the logrotate privesc module assessment? I can't seem to get the ||reverse shell to start. I've found the access logs that get rotated and I can run logrotten to monitor them and it does pick up when it rotates. But my payload doesn't seem to get executed at all. I tried putting a payload of touch /tmp/hello and that doesn't work. Am I missing something?||
Oh I figured it out
just to check, the way i'm forcing a rotation is by ||editing the access.log file and that means logrotate when ran by cron will see it needs to rotate|| is that in the right area for how to do that?
MODULE: HTTP ATTACKS
SECTION: HTTP Response Splitting
Hey, so as to avoid getting spammed with DM requests in the future, is it possible to ask whatever questions you have here in the open channel? This way others with similar questions who use the search function can benefit from witnessing the correspondence.
hmmm ok, similar mechanism as i'm adding to the file. Still no luck, but i'll keep at it
I don't believe so, what's up?
'Something went wrong
Error Code: 502
Our engineers have been notified and are working to resolve the issue.'
^^same issue over here as well
after working on my modules I couldn't get my flags submitted, now I'm getting this on linux and windows machines
What's the URL you're trying to access?
oof ok, checking
ill just wait it out 
i'm having the same issue
We're working on it, give us a sec, apologies for the inconvenience.
no worries just wanted to confirm
I'm having problems spawning machines, worked 2 hours ago but it expired and I can't spawn it anymore
@snow ridge there appears to be issues going on right now with the servers
he just said they're working on it lol and you replied to it...
no time to read guys
Guess its movie time then
oof
It'll be back up shortly
I am just going to stare at the 502 error until something happens
You should be able to get back in now 🙂 It's recovering
Works ty 
done
i assume its gonna take a bit for it to fully recover?
Anyone else still having issues with the integrated terminal? or is that a part of the recovery process?
We're still working on it, please stick with us.
Got it! Thanks. 🙂
real quick question. doing ELK and it says to Navigate to http://[Target IP]:5601. would that mean i take this IP and put into mozilla with :5601 after?
[IP]─[htb-ac-1206217@
I’m stuck on the footprinting medium lab. I’ve mounted the nfs share but cannot see in it and cannot traverse it. I get permission denied. Am I going the wrong direction here?
Sudo su
And go in
Ok
Thank you very much, don't know why I was stuck on that, I kept trying sudo cd which doesn't work. Yes, ty
Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Discover". with this question what is my target IP exactly
scroll down to the bottom of the section and click on "Click here to spawn the target"
is htb having trouble rn loading these
i'm not sure. i'm working on something else rn
if you scroll a bit up, yea they had issues #modules message
but it should be better now
Hi team! I'm sitting on the ZAP Scanner exercise for ages already and can't get through it. I've read through all the related messages in disc and on the forum - there is still no solution. First of all I was never able to get a high level alert on any version/type of scan/infra (aka Parrot web instance or my own remote Kali) on ZAP. Multiple attempts, resetting the target - nothing. I wonder how it works on the side of those who see directly the URL and vuln description in the High alert section straight in ZAP scanner. wpscan also gives nothing. This is also a question to HTB, asking why this exercise is operating so unstably. I was able to find the base URL manually, but checking the related vuln description on exploit-db.com does not progress so far. Whatever options I'm trying to construct into the url I'm getting a blank page back from the server, so no RCE at this moment. I'd appreciate it if anybody could DM me to give a nudge.
I haven't done the module yet but I've used ZAP pretty extensively so lemme see what happens when I try it
Hi I need help with the Module DACL ATTACKS I
https://academy.hackthebox.com/module/219/section/2332
Follow along the section and use Pedro's account to connect to DC01 using the Administrator's account hash. Submit the contents of the flag located at C:\Users\Administrator\Desktop\flag.txt as the answer.
I have added the user to the Backup Operators group but i cannot login with the admin hash.
thx mate
Am i the only one facing spawning issues rn?🥲
what's the error
This scan is definitely taking awhile lol
The user is part of the Backup Operators group but i still don't have the permissions
permissions to read the flag?
The get the NTDS.dit and
Ahm HTB student version is worth it?
you're giving me conflicting information, first you said you can't login, now you said there's no permission. which is it? and what's the error
+100000
I'm not clicking that link, sorry
Ahm yeah But I can access only upto tier 2 nah!?
You mean the student version of HTB Academy? Absolutely. It's what I use and it's great for the price.
Which is pretty good tbh
When does tier 2 end?
Like lets say at least u can get the 3 certs full path
I didn't even realize there were tiers
Yeah some advanced modules are not covered in the students plan
Like the new Certs
And advanced AD stuff
Gives me something to save my cubes for I guess
Yeah so that only I'm thinking like double minded buy , no no don't buy.. so I'm here to discuss
last time I saw something like this was when this happened 💀
With the student edition you probably have 6 months worth of modules depending on how fast you go through them
I'm working on the Thick Client Apps part of Attacking Common Applications, i successfully obtained restart-service.exe, but when opening it in x64dbg and using memory map i can't find the read/write mapped location to dump the bin. can someone tell me what i'm doing wrong?
Still no VPN is working for me, can i study please 🥲💔💔💔
LOL
The user Pedro has been added to the backup group; from Windows the user is not showing as part of the group and there is a no permissions error.
From Linux I can get the SAM, SECURITY and SYSTEM but the hash doesn't log the admin user in.
Yeahhh for me too
i'm not seeing any MAP RW privs here from the user
Is this clearer ?
Haven't done the module but I think I have an idea why this isn't working - user tokens define their privileges as well as group delegated privs; those tokens are only assigned when you log in, so you're currently still with a token that doesn't have the Backup Operators privileges. You would need to log out and log back in - or perform the attack from Linux like you have.
skill
SAM hash probably wouldn't work because you need the ntds.dit one; I recently came across a scenario where the ntds.dit admin hash worked and the SAM admin hash didn't. Use the ntds.dit admin hash instead - it's a domain joined object.
Hi Rami3l, yeh I tried that, no luck, a bit confused why
if it's not showing then it probably wasn't added properly, have you tried doing it again? the admin creds you got from the reg hives are for the local account, which is probably disabled, but you can dcsync with the machine account hash
ehm, in the AD attacks module, I'm in the user enumeration section
I spawned the attacking host, but nothing is there, no other machine is there to attack ._.
am i missing smth?
Thanks That's helpful.
the Permissions are showing pedro is added to the group.
didn't you say "user is not showing as part of the group"?
No I didn't I said running the command to get a copy of the sam and NTDS. no permissions error shows.
is this real?
like does this happen?
nvm worked after resetting >_<
unless I can't read that's exactly what you said, I'm having a hard time understanding what's the error here. but since you have dumped the reg hives of DC, you can dcsync with the machine account hash
That's a Typo Xre0uS, The user is part of the Backup Operations group.
okay so there's no error, then just dump ntds and get the admin hash?
I figured it out.
got question
how the hell do i do the service login on login brute force
its all fucked
even the question doesnt make sense at all
I sent you a dm with screenshots, can you check please
don't remember, you can check the hint
I don't want to upload hashes
hints dont help
im desperate
this is fucked, never doing brute forcing again
your diskshadow command is not correct, there's an extra command at the back
and again, you can dcsync with the machine account hash
Please don't post information for modules over Tier 0.. take it to DM. This is covered in our Terms of Service.
hiiiii g0blin :).
👋
there's nothing sensitive being shown there, just commands and output. not being able to post anything makes it very difficult to help others
With respect, I disagree. I've nothing against people helping each other, but posting information pertaining to modules over T0 is not permitted.
and for me to be able to help, I'll need some information
Then again, take it to DM 🙂 Appreciate you offering your assistance
when I reply to DMs, people just use me as their personal tutor and DM whenever they want, so I don't do that anymore
My bad, just saw your post.
Long week
Just like a speeding driver saw my finger as he almost plowed in to me, but didn't see the 40 MPH sign 100ft down the road as he drove over 60 MPH
Speeding drivers 
Sorry 😄
btw question, when submitting a walkthrough, how long does it usually take to get accepted/rejected?
Sorry, I had searched and someone posted more than I did 11 days ago 🤷🏾♀️
Keep on keeping on, just be kind.
been giving me some trouble too :c
after some suffering they work :P.
are some of the target machines not working either?
it's that or I could be dumb
Strong possibility
I can't even ping the target host :c
been fine all day but just had one working, respawned it as time was almost out and it wouldn't work, had to grab a new vpn pack to resolve
even if im using the built in vm?
it hasn't been an issue before this
unless something looks very wrong here im not sure what im doing differently
currently doing the public exploits part
ping it without the port :
Can't connect with RDP to the lab in Living off the lands
I've tried with :
rdesktop -u htb-student -p 'Academy_student_AD!' 10.129.22.65
rdesktop -d . -u htb-student -p 'Academy_student_AD!' 10.129.22.65
rdesktop -d INLANEFREIGHT.LOCAL -u htb-student -p 'Academy_student_AD!' 10.129.22.65
xfreerdp /v:10.129.22.65 /u:htb-student /p:'Academy_student_AD!'
all of those ssh and rdp sessions are an absolute nightmare with responding and lagginess but double check the password provided, a few labs switch up the user/password combo for some reason
Hello!
I’m having some trouble on SOCKS5 Tunneling with Chisel module/158/section/1437
When I tried to upload chisel it couldn’t execute binary as it was sent from my machine that runs aarch64 while ubuntu @web01 is x86_64
So I then transferred an x86_64 binary of chisel to the pivot host which runs and connects to my attack host. All good.
The problem is when I then try to xfreerdp I get the following error:
$ proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/aarch64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:9050 ... timeout
[17:51:46:831] [329929:329931] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[17:51:46:831] [329929:329931] [ERROR][com.freerdp.core] - failed to connect to 172.16.5.19
I would really appreciate some help, is it still something to do with aarch64 into x86_64 ? HELP! I have also edited and confirmed the proxy chains like the module says to do.
Module: "Linux Fundamentals", can't connect with ssh to htb-student@94.237.45.59, wrong password or ip, I don't know
chapter "System information"
I got ip address using ifconfig in parrot Vmachine
I don't see it being specified in the task
help pls
ohhh
my bad
thanks
You also need to use the specified port if there is one
Generally, in most circumstances it's as simple as adding -p
I'm stuck trying to enumerate the ftp server to find the flag. I've so far tried to login anonymously but that requires a password still of course, is there another method for logging in I'm missing or do I need to find the credentials somehow maybe with nse?
Password: anonymous
Footpriting?
u: anonymous
p: just press enter?
I'll try that out and add to my notes
Well if it's not generally quickly: you're doing something wrong
Reminder as i said earlier: if it's a public ip: you'll need to also use the port
ssh htb-student@10.129.150.169
ssh: connect to host 10.129.150.169 port 22: Connection timed out
2 things:
- I'm assuming you're connected to the vpn
- can you ping the box
can someone help me with the linux privilege escalation module? I'm stuck at the introduction where i need to "enumerate the linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer"
MODULE: HTTP ATTACKS
SECTION: Software Vulnerabilities
Question:
I've gone ahead and solved this section's exercises, but I came across a behavior that I don't quite understand. In the section, they give an example of ordering the requests as the root page "/", then the 404 page "/404", and then root "/" again. The module explains that the desynchronization results in the /404 page response being returned to the 2nd root "/" request. To me, this suggested that the third request could go to an arbitrary page (e.g. "/doesntmatter"), so long as the Host header was the same.
In practice however, I found that the third request does matter, and I don't know why. More to-the-point: if I request "/", then "/admin", and then "/admin" again, the exploit does not work. But if I do "/", "/admin", and then "/" it does. Why the discrepancy?
hey I'm tryna replicate what's shown in the creds enum in linux in the AD module using bloodhound
i launch bloodhound from my attack host but i have no idea what to put on the neo4j URL
its says database not found
have you started it?
the sudo neo4j start from the ssh connection?
ssh? where are you running it?
bloodhound needs a gui, you won't be able to run it in ssh
ok my bad
do it in pwnbox or vm
its worked using xfreerdp
anyone else having issues with labs crashing? they are spawning fine but stop responding after about 3-5 min
Going through the Attacking Common Applications module, I'm at the Thick Client & Web Vulnerabilities section. I've built the new fatty-client-new-2.jar which works fine. i'm able to connect to the server without issue, however when i go to compile the traversal.jar it doesn't launch after building. Double clicking on it does nothing.
Still stuck? I solved it the other day. Happy to help. Feel free to Ping me
im stuck in your eyes
I meant i'm stuck at environment enumeration, not the introduction
y?
who said you couldnt put ascii inside png files :)?
as for whether or not a file gets executed as code, that depends on the server settings
but typically it works based on the file extension
review the section notes about bypasses
well its a .png so its not gunna be interpreted as anything else
the whole idea behind this kind of attack is to go after the ambiguous parsing between them
you want to convince the upload form its a png and convince the server its php
examine the bypasses for it. review the section notes
What I try to do if my initial guesses don't work is to script generating the different combinations and then use ffuf to brute 'em
if trying some doesn't work then try ALL of them 😛
¯\_(ツ)_/¯
unless a function is changing the file name it really shouldnt be
and even then its usually a pattern
which module are you doing
anyone complete the attacking common applications module that can help?
i did ask
Going through the Attacking Common Applications module, I'm at the Thick Client & Web Vulnerabilities section. I've built the new fatty-client-new-2.jar which works fine. i'm able to connect to the server without issue, however when i go to compile the traversal.jar it doesn't launch after building. Double clicking on it does nothing. -- i asked that earlier
never got a response so i asked if anyone's done it
Then shoulda referenced it lol
Id recommend watching ippsecs video on the box Fatty, this section is straight ripped from that box and you can follow it along to understand it better
i rebuilt this all again following the steps correctly again (step has a mistake in it) but it still doesn't work
alright i'll check it out
he's using software that's not included in the virtual machine
ah yeah you need to do some code reading for that one 🙂
shouldnt matter. try to follow along with the concepts
this is the hardest section in the module
i understand the concept. recompiling it works fine, up until i recompile it again for the traversal.jar
and one of the worst sections in the whole course
hence why i'm reaching out for help
Right, and my help is to follow along with that video
Youve definitely made an error with the second jar so you need to pay attention and see if you can discover what that error is
there's only 1 step
honestly decent chance you just have a typo in your code
I'm able to see the php script I uploaded in the nibble section of getting started but visiting the url to run it is just displaying half the command and not establishing a reverse shell
Ping me and I can help ya out
ping you where
I must have a bad remote shell script because none of the ones in the cheat sheet or in the instructions are working, I know for a fact the netcat listener is on the right port because I copied and pasted the commands to try and make it work
did you change the IP to your own tun0's IP?
i tried both setting the ip in the command to tun0 like the guide says and using the one listed under tun0 in ifconfig
both? those mean the same thing, there should only be one correct tun0 ip
i tried "tun0" and the actual address neither work
screenshot the reverse shell you're using and the output of ifconfig
ok you aint gonna believe this but every time i copied the address from ifconfig the copy selection left out the first 1 in the address
On the footprinting lab hard I’m getting this. I thought v3 of snmp didn’t let you enumerate because of requiring authorization (snmpwalk)
is it smb? I thought it was the NFS version that can't be. I don't have mine open so take it with a grain of salt
now im on the http server file transfer for the linEnum script but i keep getting 404d
Well there’s no username they gave to authenticate
I tried logging in guessing some default usernames and passwords in imap and pop3s with no luck
So looking back into the snmp lesson they didn't go through v3; I tried using the engine ID but it still wants a username
yea nwm dont listen to me. i read it as smb and not snmp... im too tired to stay awake
I’ll come back to this later pm me if you have a clue of what I may be doing wrong. So far nmap and tried all scripts snmp* . Tried snmpwalk but authentication issues. Maybe guessing can use braa haven’t done that yet
running the file with my reverse shell as root for privilege escalation is starting then immediately stopping
the community strings aren't properly encrypted on the server, I think, so you can literally get a dump while enumerating it.
whats your rev shell, and also sounds like youre doing a local priv esc? if so why use a rev shell
1, im not sure im still learning the basics and 2, the guide tells me to
idk if the guide and the machine are different versions cause I know nibbler exists separate of 'getting started'
the reverse shell as root is working, it's just immediately stopping after, and copying commands into the virtual machine has been messed up for me today
though the easy way in this scenario would be to not use a revshell even if it tells you to because thats silly, you already have a shell to work with.
Yeah still can be a typo killing the process too quickly
can i put something like sudo su - at the end of the file and just root myself then and there
since you already have a shell and just need to escalate I would instead use a simpler payload like /bin/sh -p
basically yeah though idr if su works for this kind of scenario
doesnt hurt to try and learn
i am going to try the sudo su then the one you said
go for it
experimentation is king
using a revshell when you already have a shell is more useful for cases where the priv esc is like an automated service or is spawning a sep process you cant interact with
👍
after taking about 4 hours to set up the VMs i think i can finally finish malware analysis
- 1 What is the IPv4 address of the hostname DC1? tips for footprinting dns
nslookup
└──╼ $nslookup DC1 10.129.63.18
Server: 10.129.63.18
Address: 10.129.63.18#53
** server can't find DC1.lan: REFUSED
are you logged into the dc itself?
ok so i'm confused on this
Intro to Malware Analysis -> Debugging
what exactly does it mean by "our VM/machine", because i've seen HTB refer to my own personal VM as "our VM", but i'm not entirely sure in this case
i don't know about that module, but i believe in practice you detonate the malware on the same machine that has inetsim running since i think it simulates traffic to fool the malware into thinking it's successfully connecting to its c2 etc
the malware is on HTB's target machine, and i'm using my own VM to run inetsim
i'm not sure though maybe it runs on your kali box and responds
i can see how that can be confusing
been a while looks like inetsim does run on the kali
its you machine
it says in your screen shot
looks like i set it up correctly then
and now my target RDP connection is bugging out :(
service_bind_address should be tun0, along with dns_default_ip
ok we're all good. thanks for clarifying
i don't think RDP likes me having two simultaneous VPN connections
because it's losing connection every minute or so
Finally 🕺
I'm trying to connect to the smbclient and rpcclient however I'm either getting an error nt status timeout or nt status host unreachable error. nmap scripts seem to not be working either is this something on my end?
can you ping the IP?
ahhh no I can not
i want to find the cms of the vhost and i tried each tool in the section, no luck? help....
Use the provided tools and Google
Why does this not work for me
well youre looking at mysql instructions, are you sure youre connected to a mysql instance? looks like youve got windows there which tends to use mssql 😉
It is mssql, but the module only focuses on mysql commands and my google fu seems to be weak today
which module
I can't even get sqsh and sqlcmd to install properly so I have to use the mssqlclient.py
the module discusses mssql
Nvm, I found the command
Hello, i'm studying a specific course for cybersecurity, and i want to practice hands-on in hack the box on the section that i was studying, which is SSH, so i typed SSH in the academy search bar, but i'm lost and don't know how to practice for this specific thing.
there is no single module that covers just ssh
No i'm talking about the sections, because i don't see sections called SSH but i see it appears in the search bar.
the search bar searches module contents
some modules have sections that reference or utilize ssh
but theres not a dedicated ssh module
academy isnt a good option for just learning ssh
thanks, i found the answer but i don't know how to do it.
For each section of the course i want to practice hands-on, so for example: i saw a section about reflected attacks and wanted to practice it, so i typed "reflected attack" or "xss" in the search bar. How can i practice after that if there are too many modules having this section?
Trying to use netsharegetinfo <share> to get more info on the share to find out the customized version of the share but I'm unsure of what exactly it wants me to put or if i'm using the wrong command? figured everything else out
you pick a module you like and do that
if you wanna do the xss modules do the xss modules
I don't know which should i start with.
Just pick any one randomly?
Sry i'm new.
if youre new Id recommend following the CPTS pathway
it covers a little bit of everything
what is the full term of CPTS?
figured it out
Certified Penetration Tester Specialist. its htb's cert
even if you dont go for the actual cert itself id recommend doing the course
I wish i could just focus on hack the box because it's all hands-on experience, but i'm enrolled in programs that i bought and i have to complete them, but i prefer to practice hands-on for each section the course covers.
Yes, let's say you are in a course and you saw a section talking about session hijacking. How would you practice for it in hackthebox?
the module will have a section specifically for you to practice it
The names are different, how can i recognize and know that this section is covering what i need for the course?
the CPTS course?
or your personal course?
ignore the search bar its confusing you for some reason
No, i'm in a harvard course, there is a section mentioning SSH (secure shell) to connect to a remote server to execute commands on computers remotely, so i typed in the search bar of hack the box academy: SSH.
But i saw too many results under it with a green label: SSH. But after clicking, i don't see any section written as SSH.
I already told you
academy isnt a good resource for just ssh
some modules will have sections covering elements of ssh thats related to their topics but thats it
So if i clicked on any module / section mentioned in the search bar as ( SSH ) it means that there is a section for it in the module even if it's not written as SSH in the module or section?
more or less yeah
for instance the password attacks module will discuss ssh in the context of bruteforcing ssh
while the pivoting module will discuss using ssh in terms of pivoting
Thanks for explaining, i will paste this to you from harvard course : SSH is a secure protocol by which you can execute commands on a remote server.
If one wants to communicate with a remote computer and execute commands there, one may issue an ssh command. The following is an example of using the SSH command to connect to a server at Stanford University. You would still need appropriate credentials and permissions to successfully connect.
ssh stanford.edu
If one has the appropriate access rights, one can execute commands directly on a remote server.
So after this one, i can just hop into anything written as SSH in hackthebox, or i have to practice specifically for what mentioned in harvard course?
Thats up to you lol
but I would not recommend just hopping into random modules for that lol
i'm surprised ssh wouldn't be covered under the linux fundamentals module
academy isnt a generic basic education platform
it might have a small segment about it, idk
The way i prefer to practice is to read and after that practice it, then read the next section of the course and practice it hands-on, but i don't want to practice something not related to what i read in the course 🙂
ill be blunt Krozza you may be attempting htb stuff a little too early in your learning journey
I understand, but all i need is to know how to practice for a specific thing that i'm studying, because you said that you don't recommend just choosing a random thing
Yeah I dont think thats an effective usage of htb academy
ssh is just one command, a very simple one at that, that securely connects you from one computer to another..
not to the minutia youre looking for
So if you were me and you saw a topic in the course that you are enrolled in, how would you practice for it in hack the box?
Okay i will clarify
htb might not be a good practice for some things in your course at all
i would imagine the course itself is the best resource for the course you're going through
Stored Attack
A website could be vulnerable to an attack where it is tricked into storing malicious code.
Imagine where one could email malicious code. If an email provider blindly accepts any code sent to it, any person receiving the malicious code may become a victim of an attack.
So after you read this, how would you practice for it in hack the box?
I wouldn't because that sentence is vague nonsense
it's just reading but never hands-on practical experience.
yeah that's a very broad statement and could be done in a myriad of different ways
let me use an analogy
you're not going to be able to study each way before moving on in the course without taking up a ton of time
You're basically doing the equivalent of a "Learning what food is" course and then asking how to use a hibachi training school to cook mexican food.
LOL
I'm just trying to practice man, i hated reading a lot without hands-on experience
Oh I get it
i feel like i'm doing literally nothing
I thought it was
I didn't vibe with college education for the same reason
Honestly what I would do in your shoes?
it may be Rei, i didn't do that one
Take your college course and focus on the course. and if you have extra time. do the htb penetration tester job role pathway course as well. But dont necessarily try too hard to match up the information in both to each other.
huh I guess not
I just went right into htb without any linux experience and it's been something for sure
Appreciate it, what i mean is that for SSH or XSS or anything else that i see in the harvard course, i want to enter hackthebox to practice it but i get lost and then continue reading without practicing 😦
your course sounds like it's in the baby conceptual explanation stage of security, htb is for the practical elements that come after
yeah so either dont. or make sure theyre kept split lol
Thanks for clarifying, i thought about that but wanted to be more accurate in my practicing experience.
krozza from my experience coming from almost nothing with htb, you gotta rely on google and your own study methods otherwise you'll suffer
you're putting the cart before the horse
yeah
I think you'd just confuse yourself more trying to do so. I mean you're confused already and haven't even started lol
it's okay to take baby steps
as much as it sucks you gotta just stick it out in the harvard course for now until you get the ideas down
write everything down/take notes
True, thanks for the support guys, never thought i would find amazing people like you, so open and willing to help.
❤️
<3
this chat can be extremely toxic you just got lucky 
htb is incredibly fun but difficult if you come from not knowing anything
so after your course you'll prob have a better time :)
Hahaha yeah i felt i was gonna get toxic replies but gladly it's my lucky day i guess
or even the middle if youre a fast learner!
that too
I'm coming from knowing nothing basically
I've been uhhh
skipping around modules to say the least
Yeah i'm feeling it now, it's like everything is hard during the first day lifting light weights in the gym, but then it gets easier after the muscle grows.
now that it's been a day or 2 I need to go back and redo all the ones I've done to reinforce what I know
yes :)
@cloud urchin Appreciate it ❤️
Yeah gotcha, keep memorizing stuff and reviewing your studies 👌
Fox of course knows better than me, and you are also giving good advice 👍
man i'm at a loss on this module, the attacking common applications one. i cannot get fatty-server.jar downloaded, it just keeps loading in the browser as the jar's text instead of downloading
Third question of credential hunting in windows. Uploaded LaZagne but it appears powershell doesn't have python on it and it won't work
I wish i could help man, solving problems is part of the computer science that i chose to begin with and i understand now that i just have to accept it 😂
it was a doozy
How long did it take
Any hints on why LaZagne isn't working on the victim for the third question of credential hunting? I migrated the .py but it's not running, as it says Python doesn't exist and the victim doesn't have an outside connection to the internet
3 days
minus personal VM setup because trying to work on the target is laggy
the commands in this module do not work if you follow them exactly, and it doesn't explain what the command does, this should be updated imo
Need help for below question:
ATTACKING COMMON SERVICES
Attacking DNS
Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
I added "inlanefreight.com" and the target IP into /etc/hosts. Then created resolvers.txt and added "ns1.inlanefreight.com" to it, then ran subbrute, but all of the subdomains it gives me end with "inlanefreight.com", not ".htb", not sure if that makes a difference. Lastly I run dig for each subdomain but it times out. Can someone please help?
How do I see the full CPTS path? I find myself manually selecting modules. Is there a way it automatically switches to the next module after one completes a module/path, without having to do that manually?
found my mistake. inside resolver.txt it should be IP address not domain/subdomain name.
need hints
i opened wireshark and started capturing, then ran the malware and after a few seconds stopped capturing, still scrutinizing. the answer format got me thinking, it should be only 3 values like 1.1.1?
it says provide the domain, not the ip
on the introduction to nmap module, could someone explain the sudden use of sudo in the example? from the first image to the 2nd
I know the first one is just reading commands
certain switches require sudo permissions
i didn't do this, but i believe theoretically you can capture the packets that detail the server it connects to
https://academy.hackthebox.com/module/85/section/877 I think that I found the answer , but need someone to validate the format ?
well, for starters, getting to know about a tool is not doing anything, so man or --help simply works. but when you do scan a network, it requires some permission to do so, so you sudo.
I see
In order to find a domain, using dns filter is helpful?
if what you're looking for is a DNS query, i would investigate why you're not capturing any DNS queries
because from the way you worded it, it sounds like you couldn't capture any network activity
I did capture the traffic, i was looking for the ip, knowing what domain means. my mind is just off sometimes. well, if you did not do the module, there is no more help i can get from you. Thanks for trying.
if the question is asking for a domain, i'd assume you would filter for a domain name and not an IP address
that being said, i did say theoretically, so if it doesn't work, then it doesn't work
there is a surefire way to get to the answer, and i would say scrutinize the disassembly in IDA if you want to figure this question out
also i just finished the module a couple hours ago so it's all fresh in my mind
Sorry, I misunderstood you with someone else.
i was actually confused which tool to use for getting the answer, did procmon and ida, then someone suggested wireshark to me (that's how he got the solution).
may i dm you what i found?
sure
I'm working on the sqlmap attack tuning module and I got the table with the flag, but it keeps outputting blank. I tried restarting the host a few times now with the same results.
which table are you working on and what's your command?
Is what I run and the table is flag5
Database: testdb
Table: flag5
[1 entry]
+----+-----------+
| id | h}ntent |
+----+-----------+
| 1 | <blank> |
+----+-----------+
I copied the get request with the param from burp to a file
try adding --no-cast switch. after -T flag5
I have
sqlmap -r req.txt --dump --batch --risk=3 --level=5 -T flag5 --no-cast
[23:39:27] [INFO] resumed: 1
Database: testdb
Table: flag5
[1 entry]
+----+-----------+
| id | h}ntent |
+----+-----------+
| 1 | |
+----+-----------+
Thats when I decided to restart the host again in case risk 3 mucked it up
so usually what I do is open the req file copied from burp with a text editor and add * at the id parameter to indicate the injection mark.
you are on track increasing the risk / level
I'll see what happens and thank you!
I went ahead and got the next question done and working on the last one. I'll circle back once I get case 7 finished up
np and try with curl too, that worked for me, just add *
iirc I also had to reset the target upon each flag ^
Adding the wildcard got it. Thanks a million.
Didnt have to restart
Ok I lied. I will because risk 3 butchered it lol
Haha
..
Command Injection module finally done, skill assessment was shockingly easy
Attacking SQL Databases
im having a hard time connecting to the target, should i rdp with the given credentials to perform the task?
Guys any input
Just enroll in the Penetration Tester job role path
So it’s CPTS path?
authenticate to the SQL service.
T-T HAHAHAH THANKS
Yeah to take the CPTS you need to complete the Penetration Tester job role path. Every time you finish a module it'll give you an option to continue the penetration tester path and take you to the next module
Thanks that’s what I exactly wanted
@mrn0b0t I'm sure it's different for everyone but yeah command injection was far easier to figure out than file uploads. Barely took me 20 minutes. Best advice for it, take a few minutes to look at every request and then the actual command injection part is just everything taught in the module really simple
so anyone willing to help me with a lab i'm stuck on?
essentially i found a private SSH key via IMAP. as far as i know, I can only copy paste the key. I made an id_rsa file and did chmod 600. the only issue is when i use it to log into SSH it tells me "error in libcrypto" and permission denied (publickey).
if you copy pasted it, make sure it is properly formatted.
as far as the banners?
it has the -----BEGIN OPENSSH PRIVATE KEY----- and the ending banner
Make sure that the key is copied without any additional line breaks or whitespace characters.
one thing is, you can send it over to ChatGPT to check it for ya.
remember to say please xd.
I mean vim default shows $ at the end of a line
already got the hash and cracked it, now i have the password of mssqlsvc but for some reason i can't log in as mssqlsvc using sqsh
try a different auth method.
Try using mssqlclient, sometimes sqsh is dumb -- especially if you're using parrot
thanks guys
but you can use %s/ //g in vim to get rid of the extra spaces.
Ssh keys have a bunch of lines 
so i literally type in %s/ //g ?
I believe you can do that in vim
You can also use sed to do it
You mean command mode
at the command mode
yeah ^
still cant log in using mssqlsvc
idk what im doing wrong
im using the password that i got from cracking
what have you tried?
sqsh mssqlclient.py
like @fathom pendant said, you can use mssqlclient.py
its quite a handy tool
Spoilers as the pw is an answer to a question btw
did you try windows authentication?
yeah deleted it
What is the specific syntax used (omitting/obfuscating the pw)
I think mssqlclient needs the -windows-auth but I'm not 100% on that
correct
Unsure about sqsh since I couldn't get it installed at the time I did this module
for sqsh, you specify the server name\\acc name
so i tried extracting the key directly from evolution so there was no formatting error. i am still getting permission denied (publickey).
When you extracted again, did you change the permissions
what module are you working on?
My guess is footprinting: imap/pop3
We do not give a shit if you curse lol
yeah i did chmod and still the same thing
okay idk all the rules or not lol
im working on the hard lab the footprinting module
Ah
damn you remember all the modules lol
But yeah, either your key is wrong, or you're using the wrong username
Spelling and casing is important
Bob is different from bob
its actually a problem unique to that module 💀
Not really
well i got the tom username and the dude's password from braa
Sounds like there's something wrong with the syntax
i just checked it out
If you are so sure you have the correct perms and its the key itself
You can use curl to retrieve it. You dont need a GUI tool
I just asked chatGPT to format it for me 
Another thing you can try is pasting the key into another editor, I had a weird issue where it swapped characters around in one editor
You could easily download a mail with something like this
curl -k --url 'imaps://10.129.145.94/INBOX;UID=$MAIL_ID' --user $USERNAME:$PASSWORD > mail_file
You can also connect via other ways directly in the command line lol
yeah but openssl/nc never works for me 
A billion ways to crack an egg
true
Worked fine for me
^
Sounds like you had bad syntax and are trying to blame the module
¯_(ツ)_/¯
There are definitely occasions where the section provides not-so-optimal commands
I.e. 1 fetch 1 all for imap when body[] actually retrieves the message
not trying to blame module im trying to figure out what i'm doing wrong
ill try the body[] command
I wasn't talking to you
Hi Guyz, I was learning about SSH keys in the Getting Started module. I wanted to try it out for myself so,
- I opened up a VM Kali and created a Private SSH key on my host machine.
- I copied the key and pasted it in a text_file (id_rsa) in Kali then entered the following commands on my terminal:
- chmod 600 id_rsa
- ssh <target_system_username>@<target_ip> -i id_rsa
but after this it said "connection refused". why is that?
can someone please help me out with this.
also that curl command did not work for me it said log in denied
The ssh service needs to be running
On the target
Can you ss your keys or something?
It would be best to md5sum
ss my keys?
Screenshot
screenshot, but Marcielee wants you to md5sum the key, guessing he has a copy.
I am in the LFI module, automated scanning section. when I try to scan for new LFI strings I do not get any hits even though I use the same command and wordlist as in the example
ffuf -w /opt/useful/wordlists/Security-Wordlist/LFI-WordList-Linux:FUZZ -u 'http://94.237.49.138:54324/index.php?language=../../../../FUZZ'
Btw no space between the brackets and body
That's why it didn't retrieve
The ^M is a special character not read by the program btw
Similar to $ as end of line
Looks like your program uses ^M instead of $
no actually VIM did that automatically when i copy pasted it from evolution. it doesn't normally do that lol, no idea why.
what do you mean no space?
you mean no added line from the brackets?
yes
it's literally just 1 fetch 1 body[]
not body []
when you do md5sum <keyfile> what's the sum
here's what i got
also it works just fine for me
so mine just worked after copy pasting it again from evolution lol
no idea why that worked this time
ill try that md5sum though because i've never done it
4496658cd8c13c64de541c4ce2b305ea id_rsa
youre using the imaps syntax for pop3 which is why it says "weird reply" lol
i tried the same command for both imap and pop3 because the imap was not working either, so i changed it to pop3 in case it worked on that
same value as Marcie's
it should work
ssh tom@ip -i key_file
if you don't add the key file as an argument it thinks you're connecting via passwd auth
which in this case: is disabled
well i got it to work lol
I tried using filters but none of them fall through. I then tried using the LFI jhaddix wordlist, still the same
history is important to avoid making mistakes twice
you have my approval for using vim and tmux
also as an aside; show columns is a good query if you wanna be able to quickly narrow a search
real heckers use nano
blocked and reported
lol nano makes me suicidal
that is @haughty stirrup behaviour
doesn't count in my books
it is a good lab for repetition, would have completed this waaaaay faster if i had updated my copy paste skills
I'm following along with the module here, but now I'm stuck. I can't get these commands to work to steal the hash and can't move on without it. Is there another term I'm supposed to replace "master" with that I'm missing?
Its just 2 dots, you got 3 there buddy
wrong syntax
oh wait
And that's what I was missing. I had the correct amount of dots for one of them and that's the one that I didn't need lol
lol
Thanks
np
Nope
Ligolo does portforwarding like a portbind, all you gotta do is bind a port to a local one and access from there.
Youre welcome!
172.17.6.20 is in a different subnet than 172.17.8.0/24
^
use -windows-auth, also blur out passwords please
Deleted. WIll remember that
Why didn't I need to use -windows-auth for the original login?
because it's telling the program that you're authenticating with a local user instead of a domain user (i think)
i could be wrong on that
it's at least triggering an auth for windows systems
i.e. a ntlm auth mechanism
I don't think the module explicitly mentions needing to use -windows-auth so I could've been stuck at that for awhile lol
It also seems to prefer sqlcmd and sqsh, neither of which I can get working
It's weird. I managed to get sqlcmd to work on a single terminal instance, but when I switched terminal instances it didn't recognize the 'sqlcmd' command anymore
I recall the module explaining mssql using 2 types of auth, windows auth and mixed mode or sumn like that. not sure that's the reason, but -windows-auth specifies to use windows authentication when the server is tied to an AD network.
likely because it was only temporarily added to your path
Can mssqlclient allow you use batch queries?
There’s sqlcmd for Linux too.
E.g a situation where you want to enable xp_cmdshell but without enable_xpcmdshell 💀
TIL
i mean you can try
worst case is "no"
I think I did
Which is why I prefer sqsh 😄 but tbh whatever stone that kills the bird lol
Yeah . I have tried, “I think it worked” for checking users you can impersonate / current priv but you don’t add go
any insights please as to what I am missing?
alrighty, I'll try again, thanks!
even after filtering?
did you try to find the "exposed param"
You have the wrong param buddy.
I try to solve the first exercise of the linux module and I copy then type the password
ssh htb_student@10.10.11.253
htb_student@10.10.11.253's password:
Permission denied, please try again.
htb_student@10.10.11.253's password:
Permission denied, please try again.
htb_student@10.10.11.253's password:
htb_student@10.10.11.253: Permission denied (publickey,password).
Don't copy-paste the module examples every time with the intent that it's the same environment in the assessment.
It's a pain in the ass doing DNS enumeration on the htb spawned servers lol. They seem to be very finicky
this was the page, no matter where I click it does not respond. I normally like to try the examples where the target is the same as in the section.
94.237.48.205:49425
here is the ip, you can try visiting it. I tried to look at the source, it didn't make much sense
2 things:
1: that doesn't look like a target IP, that looks like an example
2: the username is htb-student
the target IPs follow 2 formats: either private IP 10.129.x.x or public IP:port
Youre not listening 😄 If this is the module youre doing https://academy.hackthebox.com/module/23/section/1494, thats not the right parameter.
oh alright I will look elsewhere then thanks
this ip address is for one the HTB machines
it's not for an academy module
linux fundamentals?
yes
yes
what section?
I guess I get whats wrong now
system information
perfect, now get your flag 😉
and you clicked on the button "click here to spawn target system?"
spawn instance =/= spawning target
spawning instance spawns the in-browser pwnbox
but i tried that vpn and I'm confused what ip address to enter
??
no I want to connect with openvpn
if you're using your own vm/vpn the tun0 ip is YOUR ip that the labs will communicate with
you still need to spawn target system to connect to it
and perform the tasks
again not "Spawn instance"
ok i get it
thanks
also as stated previously it's htb-student not htb_student
the ip you were attempting to ssh to is either yours or another user that's been assigned that ip
even if the user doesn't exist: ssh will still prompt for a password
Password module
Credential hunting
Third question
Tells me to use LaZagne but the victim doesn't have an outside connection, had to smb server it over. LaZagne.py can't run in the environment. LaZagne has a folder for windows but apparently needs Python to work. Tried to run it all sorts of ways but no luck
Maybe I need to import the entire git
Maybe I should have used cmd
Idk I'm stuck if you're bored but I spent about 2 hours on it.
Im not sure if i can paste links in here, but go to the LaZagne github, click on releases and there is a .exe version. You need to wget that to your attacker machine and transfer it over 😛 good luck!
Its all trial and error my friend, it happens to me all the time, don't worry about it
Ok I was thinking I was a dunce. Did you pass anything yet?
I did that module I'm on the attacking common services one now
Thanks, you too
Attacking Thick Client Applications
thanks for your reply, can you tell me where the problem is from? feeling stupid here.
In the Blind SSRF Exploitation Example module, does anyone know if it is possible to perform a portscan via the html we can upload? I have tried it but I cant seem to get it to work
Hi all, in the AD Administration: Guided Lab Part II i have been trying to connect to the Windows machine so I can do the 2nd part of the assessment for the last two weeks and I can't seem to get the Windows VM to function for longer than a minute. Any ideas?
It's driving me crazy
i just want to finish the module
not yet
ill give that a go
thank you
why is freerdp super slow and laggy? any solution for that?
why not
HTB{FLAG} : FLAG like this ?
guys, i am doing sherlock (Nubilum-2), the question is (What was the originating IP address the Threat Actor (TA) used to infiltrate the Forela's AWS account?). with the provided input it appeared that the domain of the IP is resource-explorer-2.amazonaws.com. how to find the IP address of that domain? I did (nslookup resource-explorer-2.amazonaws.com). The output was (Server: 192.168.100.1
Address: 192.168.100.1#53
** server can't find resource-explorer-2.amazonaws.com: NXDOMAIN
)
has anyone faced this issue?
keeping in mind that the output IPs were wrong when i submitted the answers
wtf is the bread enthusiast role?
exactly as it sounds
did you try submitting the answer?
.\SharpHound.exe?
why are there three sharphounds
oof
i wonder what the issue is..
maybe try running it with -v 0 and see what it outputs
off topic question where can i find my account identifier so i can be verified
try with an older version of sharphound, download it from github
Yeah, I did
did it work?
guys, i keep getting a network error when i log in to my HTB account. My internet is fine. Any idea?
so it looks like you need the hex value in rax at the instruction at <_start+16> right
oh you're not blackwolf
Same
the format is whatever you see in gdb for rax
weird
you can dm, but I think you got the wrong thing
lemme redo it again
I am very sorry guys but i can only join from tomorrow, but till then gl 🫡
Hello
In The password attacks protected archives lab
How did you get into the target to get the zip file to crack?
Refresh the page
Switch your vpn server and respawn the target.
You’ll need to download a new vpn (if you’re on a Vm)
A_A, it just spawned, after the 4th page refresh
i need help
i get Network error and cannot use labs
sorry im using this channel i just cant verify
@sterile hawk
@haughty stirrup
Does your freeRDP also lag and run slow during this module?
?
don't ping random people, if you have a technical problem, contact support
i cant
thats the problem
While doing pass the ticket (windows) section I got a couple of questions
Q. What is the difference between pass the key/OverPass the Hash and Pass the ticket?
Q. What exactly do we get with pass the ticket and Pass The Ticket with PowerShell Remoting?
yeah contact support
if you already have a ticket, you can PTT. if you have credentials or an NTLM hash and want to get a ticket for future authentication, you can OPTH. PTT uses kerberos to authenticate
And while doing the pass the hash section, performing the invoke-thehash method, we need to make a rev shell, but without a foothold on that other windows machine how can we get its IP address? so my question is
Q. Which IP to give in reverse shell? and how to find it?
enumerate the network, maybe nslookup or something
so it depends on what we have. but both give the same result right?
yeah, it's just now you auth with the AD network, kerberos or NTLM
ah okay cool. I thought we had to do something else but never mind, clear 👍
just one last thing, my freeRDP runs very slow and laggy with this, is this some kind of problem on my end or is it just like that?
try using a vpn server closest to you
and what about second question Xre0us ?
did everything, tried every VPN but still same with both udp and tcp and every server
wdym? you get powershell remoting, a shell
contact support
solved, in fact I was stupid lol
okay so with powershell remoting we get that user's shell, then what do we get from PTT? access to only the share made by the AD admin for that user?
not sure what you mean. it will be the rights/access of whatever user you ptt with
what I want to ask is, what is the difference between those two?
with PTT & OPTH i was able to get till dir \DC01.inlanefreight.htb\john
but with powershell remoting I was able to get C:\john\john.txt
this might be silly but I couldn't get it and I'm trying to clear up my concept of PTT
what are you using to ptt? through smb?
mimikatz
kerberos::ptt "C:\Users\plaintext\Desktop\Mimikatz[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi"
and wdym "able to get till dir \DC01.inlanefreight.htb\john ", what happens next
i meant with PTT i couldn't access C:/john and my rights were limited to \DC01.inlanefreight.htb\john
so why is this?
the machine you ran mimikatz on probably isn't the DC, so obviously C:\john doesn't exist. when you psremote you're opening a shell on the DC if that's the ip you set
ah okay, got it. that's what I wasn't getting. with PTT we can get that particular allocated share
thanks man
😄
I'm on the attacking common services lab - easy. I found that I'm able to write files to the mysql server, but I don't know what to do with this information. I'm kind of stuck.
Does anyone have any issues with whatweb?
I was running the commands fine and now it won't work
Using the example given it gives this
which question
There's only one question
DM ME
do you have fio... credentials?
Yes. I think I'm trying to get a webshell but I don't know how/can't get it to work
try to connect via ftp
Already have and downloaded all the files
I have the file path I need to put stuff at, I just don't understand how to do a webshell
we are top 33
check secure_file_priv
Empty value
So I can place stuff in the file path, and I can load_file it, I just can't get the webshell
so you can upload a shell via mysql
That's what I'm trying to do, I just don't know how. I followed the module and put "SELECT "<?php echo shell_exec($_GET['c']);?>"" into a file. I can load it and see it, I can curl it, but it tells me it can't "execute a blank command"
did you put the file in the right place?
oh wait
did you put a command in the parameter?
That's what I'm trying to figure out
i.e. ?c=<insert command here>
The module doesn't detail that syntax
So is it SELECT "<?php echo shell_exec($_GET['c=id']);?>"
OH, at the end of the url
well if you're following the cpts path it comes before attacking common services
Wait, never mind, I learned about laudanum
your webshell needs to work like shell.php?c=id
I just looked back over the webshell section and it never details curl/url-based webshells. They're all browser-based
Probably the same concept, but going from uploading onto a website GUI to putting it into a mysql database isn't intuitive for me
Yeah, something I'll need to work on
it's how the $_GET['variable'] function works in php
I guess I just need to learn php
Thanks. Hopefully this'll get me through the basics, like how to deal with spaces in a webshell, cause I feel like an idiot
I tried c=cd%20..
but you can list
Oh, so my options are exclusively in the folder the shell is spawned in?
and use where
sometimes you can just hit enter