#modules
Just to scan with ffuf the possible extensions in the website, is there something faster than writing -e .php,.phps,.html,.aspx etc?
never saw that tool yet
It is an alternative to CrackMapExec.
hello guys ,i need help
Module - Password Attack
Section - Linux Local Password Attack/ Credential Hunting in Linux
i'm starting a brute force for kia but the process takes a very long time, is this normal? 1 hour
I customized the file using the password list and special rule list in the resources section and I attack with the special file.
Did you try it without mut'ing the file?
yes
No, but it's a replacement for crackmapexec since CME is a pain to install these days
If it's the one I'm thinking of, mine sat for several hours until it found the password. I'm sure there's an easier way, I just went to work and came back and it had cracked it.
it is pretty much the same exact tool
my pass file is my_passwd.list, I think I'm using the right file
If it takes a long time, I can wait, but I don't want to wait in vain. 🙂
NXC is the same exact tool as CME but better (it's literally a fork of CME)
hmm gif not working
From what I can tell the commands are essentially identical as well, but I went through several hoops to install CME just to properly follow along with the modules
Because it's the same tool
there's no reason to use cme over nxc anymore
didn't you say in the cme module 1 or 2 things didn't work with nxc and you had to revert to cme?
..?
what happen over last 2 month while i was gone, htb revoke my gif access? 😔
It's not that your access was revoked, it's that the channel that was open for all to post embedded content was removed, and a limit employed on #general of the rank of Hacker (I think) to embed content
OoOOh
it's just edge cases, some uncommon commands
Did you ever get an answer for your question?
it's been an hour, i'm having trouble with the user j$$. i've tried to connect to mysql, nothing. i've looked for configuration files but i don't have much. anyone have a clue? https://academy.hackthebox.com/module/147/section/1335
You should be able to connect to mysql internally with j* creds
it's too weird i logged in with the user earlier it didn't work now it does...
hey, i really wanna get started with htb module, how should i begin?
I'd argue introduction to academy would be better
makes the CBBH path
what is CBBH?
not forgetting the fundamental modules intro linux intro AD ...
that's $216 i need to pay...
are there any options under 100$ or free?
That's just for the voucher
The course price is different
If you're a uni student, you can use your student email to get a hefty discount of $8/month
The live engagement in shells & payloads is insaneeeeely slow and people have been complaining about this for months as it seems
When can we expect that it will be fixed?
It's just on/off with latency issues
There's no permanent fix they can issue, just gotta suffer through it
You can sign up with a subscription and unlock modules, and I think it's fairly cheap if you're a student
thanks!
what is your question exactly
what should i be looking for in this question?
read example 2 about unmanaged code, the answer for question 2 is there. question 3 is a tad bit trickier, search for ways to identify that a process has been injected.
ive been using what was described in the section "Analyzing Evil With Sysmon & Event Logs" but ive had no luck
specifically the event ids and dlls
in the section about unmanaged code, they talk only about 1 event id, that's the one you have to look at, and use the find button to look for a process loading a dll that it usually doesn't need
idk what im missing here lol
"If we observe these DLLs loaded in processes that typically do not require them, it suggests a potential execute-assembly or unmanaged PowerShell injection attack." this is a 1 to 1 quote from the module, and there is only one event about module loading that we have seen repeatedly
well i just found it and the event id listed with the answer from what im looking at isnt referenced on that page
"Additionally, by referring to both the related "Modules" tab of Process Hacker and Sysmon Event ID 7, we can examine the DLL load information to validate the presence of the aforementioned DLLs." from the same section
did you use a different id? if yes plz tell me, i am very curious about it.
im interested to see how event id 7 would have gotten the answer but a different event id came up based on my filter
ill dm
so i see that its running an old version of sudo. i found CVE-2021-3156 as a vulnerability. can someone help walk me through what to do? i couldnt find this on GTFO-bins which im familiar with
generally the cve won't be on GTFO-Bins
gonna need to do some digging and figure out how to manipulate the cve to what you need
or just plug and play it
so my question is, i see these. and one that says shellcode. do i need to figure out how to use these while im shelled in? or is this something i need to do on my host vm
ahhh nvm i need to transfer it using scp
meterpreter/msfconsole has an upload/download command iirc
ahhhhh
as scp requires credentials to use
so if you don't have credentials for the user, or aren't running ssh on your machine: SOL
figured out the upload for meterpreter, but even after running the exploit.c and shellcode.c it doesnt work/grant me root. maybe im using the wrong vuln
so found it on msfconsole, but its saying session is wrong. it is my 3rd terminal that is open. thats what its asking right?
I did not, no, sorry my friend
All good. Thanks for responding.
No, it's referring to the meterpreter session number
sessions -l to list them
ahhh i got it
thank you! i should keep track of how many times you help me. i appreciate your help ;c
easy
Is it just me, or is the RDP socks proxy module for CPTS super slow and flaky? I've gotten all the infra set up and when I go to launch the final rdp session through the socks proxy it refuses to load. I've tried setting the experience to 56Kbps per the module suggestion, but it still fails
rdp was janky for me as well
Hi everyone... I am struggling to answer a question in the Linux Fundamentals course and I have been fighting it for over a week. That is what I get for trying to learn something new with a concussion I guess. 😛 If anyone would like to lend a hand to this old man I would really appreciate it.
If nobody comes to you, then as this is a Tier 0 module, what I'd recommend is looking for videos / writeups to help you to move past the point that you are stuck at. Ideally I'd say go back over the module content, take notes and try to get past it under your own steam, but if you need extra guidance then there is content out there (HTB allow writeups / walkthroughs to be published for Tier 0 modules)
..just, if you do go down that route, don't just watch, replicate and learn 🙂
Which specific question are you stuck on?
It is in the Filter Contents section using curl.... I know I know, feel free to laugh at me. I am old and I can take it... HAHA
So is that question 3?
correct
Ok.. DM me with what you're trying, the issue you're running in to or whatever, I've got a little more time before bed.. again.. 😅
Ok will do, thank you
Anyone here done this section: https://academy.hackthebox.com/module/239/section/2604. I'm kind of stuck and need a little help
Hello, I am in module 231, I am stuck on the exercise of websocket analysis in burp. Apparently the application is vulnerable to xss, but I have not been able to read the flag, could someone please guide me a little bit.
Need help in this section: https://academy.hackthebox.com/module/109/section/1037 I'm stuck for 3 days 🙁.
Are you stuck on the question? How much progress did you make?
I captured the request in burp and tried these payloads:
ip=127.0.0.1${LS_COLORS:10:1}${IFS}id - Input invalid
ip=127.0.0.1${LS_COLORS:10:1}${IFS} - Got output of ping
ip=127.0.0.1${LS_COLORS:10:1}${IFS}${LS_COLORS:6:1}${LS_COLORS:5:1} - Got output of ping
I sent you a DM
Hello, I'm stuck on the user david. I was able to find and crack the things to find on his directory share, I have the password but I can not find the Admin cred to look at what is in the B****. It's been an hour I've been brute forcing his account (I think it's useless but I try anyway)
is anyone in module 231? modern web exploitation techniques
i am but i haven't completed it
Just ask your question. The chance of getting an answer is much greater
i need a push on the skill assessment actually. i'm stuck on the 2nd question, not sure what to focus on. i'm assuming i'll need to gain the ability to change the name server so i can bypass the pdf filter, but i can't log into the webmin portal and haven't been able to do anything with the vault as i don't have any creds. i think the next step is to get into the webmin portal or get creds somehow, i messed around a bit more with the library but couldn't find anything more there beyond the 3rd username which didn't seem to do anything on the other sites.
anybody who has completed the Privilege Escalation assessment Lab 1? Tried very hard for the last 3 weeks, no luck
JAVASCRIPT DEOBFUSCATION > Skills Assessment
Why is the flag not "correct"?
https://academy.hackthebox.com/module/41/section/519
I am stupid I removed ||n|| :(.
anyone ?
hey guys, i need help with AD Enumeration & Attacks - Skills Assessment Part I
I have been stuck on it for days
could someone help?
What did I just tell you…
“And specify what you’re stuck on. No one even knows what you need help with”

perhaps you need to send the disk over to your machine where you have administrative privileges
and mount it there.
oh so on the active directory module assessment 1. I am stuck on the last question, i was able to get the clear text password for the user t****y. but i dont know what to actually do after it.
You answered question 7?
yeah
So do that attack
thats the problem
i could not even connect to the user t****y, i tried psexec and Enter-PSSession
how do i do the attack as a normal user, it doesn't have the permission to do it
i even tried runas
Go back to the dcsync section
^
You literally answered question 7, saying that t**y can do that attack
So why would it not have permissions to do that..?
plus, you should utilize Bloodhound to find an attack pattern.
unless you guessed the answer
i did use bloodhound
In that case you just lack understanding 🤷🏼♂️
how do i do it as the user t**y?
Go back to the dcsync section like I said
i am on it
There’s a tool you can use
psexec?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Are vhd disks only mountable on windows? if i'm not mistaken
A friend of mine sends people's credit cards through a discord channel and my friend buys items using this credit card.
thx, which means you have to find a way to get Administrator's password on Windows to be able to mount the disk?
thx 😉
no, you just run as admin on any windows vm.
How do I steal my friend's passwords?
you need admin privilege to mount the disk which is something you didn't have on the target cuz' you dont have the admin's password.
with David i can't connect to rdp and winrm
thats why you send it over.
okok
David is not part of the remote desktop users
i understand
i know i am stupid, but i am still stuck, i tried mimikatz, secretsdump, Invoke-DCSync
Secretsdump works
the secretsdump.exe
yess thx a lot for you help, you light up my vision
you need to be able to access that host from your kali
its an internal network
cause i couldnt see the py one on windows
oh so port forwarding?
Who says you need to do it from windows
yes sir.
so i could use chisel
I prefer ligolo-ng
^
Thanks
Sorry, I didn't read the rules, I'll be more careful.

anyone done the wordpress skill assessment? i've solved all questions but this one which makes no sense
. i got rce on the system 🙂 the only flag.txt files in the system are not working for this one
Soc > windows attack > Print Spooler. It’s requiring I use impacket but I’m getting issues with ntlmrelayx.py, any one can help?
NTLM relay config object has no attribute set add computer smb
I’ve been stuck for two days any thing could help with this install
Never mind, I figured it out. if anyone is having trouble, use the entire path along with sudo
sudo (full path of .py) then command
Fuck man
I tell you this Academy really likes to ambush you and booby trap you with things that are not even mentioned.
Any hint at the Skills Assessment blind sql injection? I was able to run sqlmap and identify databases, tables and columns, but I don't understand why sqlmap cannot dump the information from the columns
i found it that way in every module ... there are really weird questions you have no idea how to answer even if you got root on the target lol
They leave so many things out like it’s cute. It’s not cute to sabotage people by skipping steps.
Normalize not ambushing students
I've done the whole pentester path and I haven't found that to be the case as long as you read and understand the materials, if by ambush it means to apply some thinking outside of just copy and pasting commands, then I guess they do that
I’m using the SOC path
same thing applies
sometimes you just have to run as admin. in linux ports below 1024 require root.. so when you're dealing with listening ports you need to keep that in mind. nothing really to do with the module but instead basic linux
can you help me understand this question ?
is the only one i could not answer in the skill assessment for wordpress module
Sounds like there's a plugin that's vulnerable running on the site that allows you to download files without logging in. Have you enumerated that plugin?
^ it's exactly what the question asked
did you get the flag and make sure that when you pasted it in no whitespace was copied with it?
i already solved all the other questions which even require you to get rce and i got it 🙂 my issue is i can't find what file ???
i don't know specifically what file, my first guess would be flag.txt
there are only 2 of them in the system and they don't work ...
if you have rce, you should be able to search for files too
looks to me like you found it
also grepped for content 'HTB' 🙂 still couldnt find that thing ..
it's right there in your screenshot??
can you read ? i said those flags don't work. i used them for the other questions in the module 🙂 already tried them
really badly worded question with no context and can't be answered ..
did you find the plugin?
yes, everything else is answered
you should delete that image
all i need is to know what to look for... what file ? what should it contain ?
grep -r 'HTB' / did not find anything useful either 🙂
did you use the correct plugin? shell won't help you here apparently from what i read
let me try to get any flag with that thing ...
worth a try to get it via the plugin. i haven't done that module but that's something i found searching for the question here
nope, not working
sounds like you didn't find the right plugin
and yes it's the correct plugin as the next question is what version number is that plugin which i answered correctly
unauthenticated file download != LFI
does the plugin start with an S?
yes
thanks ... that helped 🤦 i'm really dumb
"can you read" he tells me
it was not in the screenshots lol 🙂 so yes you should've read
i re-read the question for you at the very start lol. read it next time.
he instead read and gave good feedback which helped a lot
what impacket tool are you talking about? I'm able to run ntlmrelayx just fine
I think he figured it out, he wasn't running it as root

I’m having trouble with dementor not connecting to the relay can anyone help?
I have used sudo
i should forward port 445 right or 389?
even after port forwarding port 389 and 445 it doesnt work, the secretsdump.py authenticates and just says cleaning up
can I dm someone for some SMTP questions?
best to just post it here
i tried, but the bot is removing my message as I'm spamming according to it
alleluia 🤯
Nice! Saw you working on that module for a while. Glad you got through it.
It's a pleasure, thank you very much. Yes, I've had a lot of trouble.
hi, anyone completed "Server-Side JavaScript Injection" in nosql injection module?
https://academy.hackthebox.com/module/171/section/1687
idk, my script is broken when trying to get the flag. It only managed to get around 16 characters and then it gives me a weird flag format.
can someone help me
Hello can someone please help me use any dns enum command to find mail1.inlanefreight.com and a command for retrieving the TXT records from it? Thank you
can anyone help me with "Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Dashboard". Either create a new visualization or edit the "Failed logon attempts [Admin users only]" visualization, if it is available, so that it includes failed logon attempt data where the username field contains the keyword "admin" anywhere within it. What should you specify after user.name: in the KQL query?" please? Im struggling bad. I dont know what kind of answer is correct and i tried everything possible. Can anyone give me any hint?
what's the issue? what module and question
What exactly do you want to do?
Why do you want to find mail1.inlanefreight.com if you know it?
dig ANY inlanefreight.com
dig TXT inlanefreight.com
hmm, trying different approach rn. let's see what's happened
No, pivot with chisel / ligolo-ng.
wdym
In order to run secretsdump from your attack box on that host, you’ll need to have access to that network
Hence, pivot
okay, i'm stuck... again
idk bro i didn't have your issue
you might just have really bad luck
you shouldn't need to use sudo
Hello, I have a question about port forwarding, in this command :
ssh -R 192.168.5.19:8080:0.0.0.0:8000 ubuntu@[IP] -vN
Who owns port 8080 ? 192.168.5.19 or ubuntu ?
Take a look at the right side of the query with the word admin
Then take a read at this to help your understanding
What can we do to the left side of the word admin?
Wildcard characters represent text or numeric values and are useful for finding multiple records with similar information or if you don't remember exact search values.
no one "owns" it, it's listening on all ports and forwarding it to the other address it has access to on 8080
Yes, but this port is located on which of the two machines ?
well the 0.0.0.0:8080 is on the ubuntu machine
the 192.168.5.19:8080 is the destination
meaning whenever it receives a connection on 8080 it tries to push it to the x destination on 8080
Ah ok, I didn't understand the command at all, I thought that 0.0.0.0:8000 was our local machine and not ubuntu.
Thanks to you !
can anyone help me with this module? i dont see any forum
Idk where to go for this question but ive been looking for the correct student identifier so I can utilize this discord and I LITERALLY cant find this 60 character identifier and I SCOURED my settings page
I tried that but it keeps saying my password is wrong, AND I even created a global account to link to my HTB Academy acct
the identifier is not in academy
app.hackthebox.com and academy.hackthebox.com are separate logins (for now)
.....im a dingus....I think I know my issue (my dumb ass is using mobile since im at the laundromat and of course that wont work lol) sorry for the silly question
nvm, got it
bruh i thought only rookie and beginner do academy
pro hacker gaah daam
can somebody help me find where the "windows fundamentals" module mentions lusrmgr.msc (local users and groups)?
anyone can do academy, there's plenty of modules for novices and pros
well, academy is for everyone💀
now i dont feel that bad , my confidence ++
besides the ranks don't mean shit
why
it just means they've pwned a bunch of boxes on the main site
sounds like something an unranked person would say
well i tried retired machine , so i respect person with rank
jk lol
¯\_(ツ)_/¯
am i wrong or has this channel become more of a general for academy members, coz before they only talked about module content
it's only for discussion of module content and assistance with modules
this is the modules channel of the academy section of the htb discord
but the majority are now persons with rank, there's no rookie like me there 😔
if u say so, i believe u
i was on a streak for 50 days, still can't figure out what the special prize was
they haven't announced prizes for streaks yet
so far it's just been badges
don't they measure it in weeks
yes
Who can help with BLIND SQL INJECTION Skills Assessment, user agent, login, password finds nothing. If you remove the user agent, we see an error, but I can not confirm the injection?
There are three badges for this
https://academy.hackthebox.com/my-badges
For 1, 4 and 12 weeks
Hello
Oh ok, can u suggest someone to me
K sry
I think I found an unintended solution for Footprinting - Hard Lab. Anyone willing to talk about that in DM?
sure
Thanks a lot for helping bro, i just finished it
Hey I am doing the skills assessment for AD enum & attack Part 1. I am brain lagging on how I am supposed to do question 2, Kerberoast an account. I tried to use Inveigh over the webshell and a meterpreter shell but I don't get any response back from PS. could someone help me out?
Hello, what modules do you recommend to start hacking, I have knowledge of networks and Linux.
inveigh doesn't do kerberoast, check the kerberoasting sections on what tools you can use
you can check out the information security foundation path, after that, the penetration tester path
thanks
Thanks! I was thinking of needing to poison and then continued thinking that it was the kerberoast page.
Hey anyone wanna team up/ share knowledge on machines
can anyone help me on ad enum & attacks skills assessment part 2 on q7? I'm not sure if SQLEXPRESS is supposed to be the user I login as and if it is, I keep getting untrusted domain errors from mssqlclient, cme, and sqsh isn't working for me
that's a service account? check what privs the user has
INTRODUCTION TO DIGITAL FORENSICS : Rapid Triage Examination & Analysis Tools:
stuck on this question, I see the zone ID but not sure how to see the rename.
"During our examination of the USN Journal within Timeline Explorer, we observed "uninstall.exe". The attacker subsequently renamed this file. Use Zone.Identifier information to determine its new name and enter it as your answer."
wdym? I was stuck on how to login with mssqlclient using this account because I kept getting untrusted domain errors. Like I'm not too sure if mssqlclient can be used for q7

nvm i was trolling
Sure Dm
Perhaps you could just say what exactly you need help with. What have you tried? What is not working as you expect it to?
Yea sure of course. Tough to mention a lot without spoiling though. Well, basically I was able to get access to the admin's account which later revealed a new endpoint that is asking for a pin. I did notice that the value of the ||host|| header was reflected in the response. The ||Forwarded|| header can also be used. But yeah, the problem is, I was expecting this to be chained with a web cache vuln but it seems like that specific page is not being cached. I see the ||Cache-Control: no-cache|| header which indicates that. And yeah, stuck here 😄
@mystic loomi need help on something
Connect to DC1 as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the TargetSid of the bonni user? . with this question, I tried to login with bonni and the bad password in order to create a log, I can see the log with 4625. 4625 has no targetSid. The event sid 4771 does have those yet the failed auth doesn't show in 4771
been at it since yesterday. this is the credentials in object properties section in windows attack and defense
ok im lost, I cant seem to figure out how to get the number of .log files in the Linux Fundamentals module. Im on the 'File Descriptors and Redirections' section. Any help would be appreciated
I dont really remember anymore, but maybe the specific field is not called TargetSid, try to look for all the fields that contain SID's
also searched for bonni within the last hour and got no luck. did see 2 events tho
Send me a DM
I keep trying to check /sys/ for files with *.log but keep getting access denied on what seems like everything. Not sure what im doing wrong. Like am I checking the right place? I feel like the answer is in front of me and that if I route the positive hits to a text file maybe that will find my answer? this ones been frustrating me
just got it nvm
Is this the Credentials in Object Properties? If so, I used the wmic utility, here's a link to a helpful article https://www.lifewire.com/how-to-find-a-users-security-identifier-sid-in-windows-2625149
need a bit of help here
https://academy.hackthebox.com/module/143/section/1271
im guessing the ||jsmith.txt|| isnt the right file to use here?
use the userlist you have gathered previously
right.. is that not the ||jsmith|| file?
no, it's the specific domain userlist
you're right, i see that last paragraph in the previous section. It teaches you using crackmapexec.. i wish it taught you how to do it with kerbrute
kerbrute does not query the domain like cme does, it just brute forces it
if you want an accurate list of all the users, you'll need to use cme or other tools
gotcha
is there an output flag for CME? -h doesnt state one unless the obv is "-o"? ||sudo crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users|| doesnt write a file.
--log, I usually use it with --log $(pwd)/users.out
you bring up something i've been meaning to ask: pwd in my mind has always meant "password" up until now that im doing cpts. what does it stand for exactly? i know its the path however what does that acronym stand for in this context?
the command? print working directory
ahh okay makes so much more sense. i wish my brain didnt default that to password.
also, should use netexec now, it's cme but better
ill try it out now! thanks
anyone free to help with a Linux Fundamentals module??
oooooooooooooooooh thats how I should prrrooobably lead questions lol sorry im very new and new to this whole "asking for help" thing as well 😅 trying to get better at that last part especially hahaahha
alright thats the index, what specific question are you struggling with?
Idk if this is the right place to ask but if I get the $8/month student subscription, will that cover all of CBBH/CPTS's material?
yes
you'll need to purchase the exam voucher separately
yeah that I understand
so basically I keep doing the find function, specify the location which I believe would be /sys/ (i think) since the question asks how many files in the system have the .log ending, then i do -name *.log, and I get a bunch of access denieds. I know that the section talks about stdout and stdin, so im wondering if I have all that sorted into text docs that ill find my answer there
its a very confusing section, ive read it like 4 times already lol
are you using pwnbox or a personal vm?
oh yeah cause theres 2 ways to locate things, I forgot about that
ssh into the target
the one part I did remember to do 🤣
https://academy.hackthebox.com/achievement/386037/134 the web part of cpts path is really good
@crystal steeple how much time did it take you to complete this module
Could someone help me with ad enum & att part 1, I don't know how to elevate privs on ms01.
1 day ,nothing complicated about it, pretty straight forward as all web modules , studied for 10h i think since i had free time
last question?
No 4th
@crystal steeple did you practise it on tryhackme or any other platform? if yes, put it here
Try and test the creds on the whole network hosts
The sql creds?
I am working on module Password Attack on winrm service. When brute force attack with command: crackmapexec winrm TARGET-IP -u username.list -p password.list. I assume if I run it again with the same target, I should get the same result every time. However, I did not get the same result - sometimes it works other times it does not. Please advise, if you know. Thank you very much.
Yes
I only found 2 hosts one has the admin flag.txt and one is the DC.
have you tried it with ms01?
Yeah I am logged in on RDP
DC just rejects SQL creds, I am stuck on elevating my privileges so that I can read the flag
why do you need to login to DC? the question is for ms01
Use cme to test the creds on the whole subnet
I don't have a need yet to login to DC
ill try that
Has anyone don’t the password module in academy? I’m stuck on the last user smb flag. I have successfully logged into the smb share but have no privileges to list directory so I see no way to get the flag
Done not don’t
Anyone?
my only prior experience is PJPT from tcm security
and i dived into htb academy
no success
what was your command?
It hit on MS01 but I already knew that.
huh? your task is to get admin on ms01
That account doesn't have admin
svc_sql is an administrative acc.
Then I don't understand why I can't open the flag
T2 module 🤦♂️
Don't share info like that for modules above T0 in public, thank you.
Sorry my bad
have you tried running as admin?
I am kicked out now, I will try later after I cleared my mind a bit.
But you mean as in like right clicking and run as admin?
or you know, use a number of cli tools instead of rdp
Can someone give a help with the Module crackcapexec - Skill Assessment
I've got the first flag, using the --rid-brute 5000. I found actually only two users.
is there anything that I am missing here?
I can read the flag just fine
maybe increase the number
7000 | 10000?
Hey MakingItJazzy, I have the same problem, have you resolved? Have some solution?
ugh.... I hate when I dont understand the answer...
check what you can access with those
Just solved Linux Privilege Escalation - Skills Assessment... bit sad I took the easy route. 😓 Anyone else had this "problem"? Why don't they remove this way. (Don't get me wrong, I researched afterwards, where I took the "wrong" route... but yeah.)
?
@next bronze You were right, I just straight up opened the file.
Can you give some help? I have already broken down all the SPL queries provided in the module, I have analyzed all the fields but I still haven't found the service name
"Detecting Golden Tickets/Silver Tickets"
For which "service" did the user named Barbi generate a silver ticket?
This is how I did it, hope it helps: I ran the query from the reading, found the event with the Barbi user. Click the timestamp, and set the timeline for +/-5 secs from that event. Then you can run a query against all events within that timeframe. There will be a log where the Barbi account credentials were used, so check the entire log and you'll see the answer. Hint: It's one word
I got the same problem with the flag.. did you figure it out?
Password mutations… been working it for 2 hours… see I can hydra against FTP… set my password list with the instructions and I’m coming up dry
hello guys i need help
Module - Password Attack
Section - Credential Hunting in Linux
I created a list for kira user with the special rules and password list in the resources and did a brute force, but it could not be found. I cannot access the machine, what can I do?
Can anyone find the ssh
I solved it...if anyone need a hint at this exercise at the future, just DM me...
a
Maybe stupid question but how are predictions on how many days a path can take calculated? Is it like 20 days 8/h work day?
Valuable tip, thanks bro
don't attack ssh
yes sorry just seeing this, you need to download foxyproxy and set it up there. you dont need to click open browser anymore.
which module is this? i want to do it.
looks like one of the modules from the SOC analyst path
Man currently doing Exploiting Web Vulnerabilities in Thick-Client Applications and boy is this an information overload when you have no prior knowledge about decompiling JAR files and related tasks
I feel you @buoyant void. I only recently started playing with Linux. I am still on the linux fundamentals course and it's kicking my old ass. I spent 6-8 hours yesterday answering 1 question. I was able to find it but my method went from sorting too little to just a little too much. I am still unsure why my method was sorting more than intended
I guess I need to "get gud" or something... LOL
I'm another soldier into the pile of Reverse Engineering in Attacking Common Applications. Pro: Learning Reverse Engineering Vulnerability Research and Exploitation of Thick Clients among accepting the fact I am learning how to interpret java+syntax (and run analysis of exe/bat files in memory). Sickkk. Con: What. da fuk. ;-;
Anywho, I got jumped by a pair of .jars. Should I be worried if I'm still sane? Lmao
Anywho, just figuring out how to leverage the injection among the information. I think I got it if I'm not lazy and actually muster up the intelligence to read the source code and not cut corners, but even better was learning I could simplify the compiling process of the modified file and save time, but you need to first understand what you're doing and what you are using. I'm basically stuck on the final mile. If the VM didn't suck, I would have an extra 3 hours to my life. Also, beware of architecture. Cryptic, but if you know you know.
I'm at the point in my CPTS and CBBH I've taken on teaching a friend. This is tremendously useful. There is a forum and helpful comments around (for the module mentioned). Once you've read those, reread the section and take your time. I'm on day three. It's good. Get Gud.
TL;DR: Reading this is optional. However, I'm ~82% through CPTS. A huge helper module should be The Learning Process. If you haven't done this one, you should. Good Luck.
Congrats or I'm sorry - i'm not gonna read that
Lmao that's kind of the point~ Thanks Marcie 🙂
Stuck on Session Security - Skills Assessment
I found the cookie through the redirection and when I tried to paste the admin cookie in the http://minilab.htb.net/app/ I got no auth error
Can anyone point how to go through this?
Exploiting Web Vulnerabilities in Thick-Client Applications is driving me nuts, trying to do all the compiling and going through source code is a nightmare with the RDP latency smh
I just made a comment on it, worth a read perhaps?
I'm also on this exact section.
Yeah just saw your comment, you finding the latency holding you back at all? Personally I just need to understand the syntax better so I don't make any simple mistakes that derail everything I think
Maybe this is a stupid question but when you're editing something like Invoker.java what should I be editing it with? I was opening it up in notepad but something is telling me that's probably not ideal
Dude if the latency wasn't so painful, I'd save 3 hours, but you have to think about what you will professionally come across in your career--Systems 10+ years old, maybe OT or IoT systems that are very picky. So it makes sense, but I agree, I was frustrated.
Yeah I'm 2 hours in and I decided to just take a break for a while because I find I don't learn very well when I'm just raging out and frustrated
the general suggestion for the thick client application section has been to read the writeup for the retired Insane machine Fatty
that section has a long history of not being liked for a multitude of reasons
Yeah, there's nothing too complicated, just make sure you read the code and interpret its logic. It will pay dividends in the future.
I think 0xdf has a writeup on that machine I'll go check it out now
probably
0xdf, ippsec likely has one, plenty out there
but this section is basically ripped from that machine
Both 0xdf & ippsec's walkthrough are good. the forum was helpful too.
Oh cool Ippsec has a video on it gonna make a coffee and watch it hopefully come back to the section with some fresh eyes
Knowing Fatty was a retired insane machine is pretty neat, though... insane lol
How can i access more of the server? Just says done reading and directs me here, can't type in general or anything
the section seems oddly out of place in the module, although I understand why it's there it could've benefited from some introductory information about Java compilation at least I would've found it helpful lol
That's the spirit. also, it might be helpful to work in the desktop folder. Make sure you keep the client jar in its original place and don't forget absolute vs relative paths, Lol (This still trips me time to time.)
HTB ratings are based purely on the steps required
actually read and follow the instructions in #welcome
don't just click "done reading" - actually read and follow instructions
Yes this was my biggest issue I kept losing track of what folders I was working in and then the damn latency was making everything 10x worse
Nice! Fair, but honestly, I just think it's cool CPTS gets the reverse engineering exposure it requires.
Yup! Lmao, the next after the fourth or fifth time, you typically remember everything lmao
there's tons of challenges as well on the main site
focusing on all sorts of aspects
True^
I've just streamlined Acad for the time being. I'm overdue for a live ctf
box, similar things imo
Notepad should be okay. But if you're skeptical, I ran across recaf in the discord server chat history
did you just miss the CA CTF event?
or did you participate in that
I did miss it ;-;
the next one will be HackTheBoo (their halloween event)
Sweet, will want to participate in that one for sure.
Thank you, Marcie. Good to hear from you. I'm off for now though. l873s
gl, hh
Guys, sorry to just drop in like this. But I'm having issues with my Kali setup. When i run the firefox proxy through 8080 for zap, I'm getting errors at every page. - Your browser sent a request that this server could not understand.
or -The proxy server is refusing connections
An error occurred during a connection to www.google.com.
This one is new for me. It was working, until the other day. I have changed the cookies, any ideas what can cause this?
Or where is the best place to post for help? This is my first time on this Disc server!
is this related to an academy module?
Yes, sorry i should have stated this. I'm on an introductory module, learning about Fuzzing using ZAP
I'm wondering if i have done something, that has triggered this. The setup was working fine before, and i can still fuzz the site using ffuf
<@&861185840277487616> i think
<@&861185840277487616> a bullshitter
indeed it's a masked link
good thing discord tells you when you're clicking non-discord links
I wanted the 50$ 
damn -
On a srs note guys, any idea where I've fucked up here?
I'm using pwnbox so i don't have to stop, but want to get back to my own Kali setup
Suggested course of action? Reinstall Zap and redo the proxy settings or?
you don't have to use parrot
you can use whatever distro you're comfortable with
both Kali and Parrot are Debian based so most tools should be universal between the two
Ah, sorry. This is about my issues with ZAP. I am learning to use it for Fuzzing, i have set up the proxy in the learning module. But for some reason, today, i cannot use Firefox at all when the proxy is on now.
it was working before... I've cleared the cache of cookies, but no luck
ye just a bit of an info stuff
i haven't messed with zap/burp and setting proxies
oops, my bad. I meant to say I'm using pwnbox 😅
sorry, bad context from me there!
that's irrelevant tbh
also: if it's been a day/you've terminated and restarted the pwnbox you'll have to redo the settings
Yeah. Key point is that my virtual machine has issues. Ok, if no other suggestions I'll reinstall all related applications, and then redo the security certs etc on the proxy
so you need to re-set it up between sessions
.
well you're giving mixed signals here
are you using the in-browser pwnbox or not
if you're not: then don't be running it
if the in-browser pwnbox is running and you're doing a module that requires the vpn: it will mess things up
I'm using pwnbox, presently, because my setup has stopped running. I am wondering if anyone has any ideas.
(networking reasons)
.
.
you don't need to constantly bump your message
just be patient
someone that has more experience may come along and offer their help
ok. My apologies. I'll wait for someone. Cheers 🙂
if i complete a path on htb academy while being on monthly sub can i access the course again after my sub ends ?
any modules unlocked with cubes are yours forever; if you're referring to the student sub - yes
any module 100% completed is yours forever under the annual subs and student sub
Anyone can help regarding this?
can someone please give me an hint on this corporate osint module cloud storage section
check the website source code, grep for s3
Thanks 😊
Hlo
I finished this module with few searches from this discord channel. @fathom pendant I'm having difficulty finding definition of zone I thought it's the SOA record. why is the (number of) loopback = zone(s)? any reference? I haven't found anything on google (likely i'm searching wrong term here)
It's what it's directly tied to
can you elaborate / send me reference about this (maybe DM if it's giving too much spoiler). Why loopback and not SOA record though? I thought each zone should start with SOA record.
The loopback is part of the SOA record
The loop back is on the same host relative to the query
I.e. when you see the loop back, it's on the same server you asked the information from
On Windows Privilege Escalation - User Account Control do you have any idea why the shell is not coming?
Hello guys i have a question for the members that just finished this learning path, the job role path Penetration Tester
must i have some basic requirements or can i start with that ????????
Hi! Can someone help me with the Advanced XSS and CSRF Exploitation/ CORS Misconfiguration module? 🙂
Hello guys i actually had a problem, i am new to hack the box so i don't know much but i am not able to use a virtual machine with hack the box using the openvpn which they provide
any suggestions and help pls
u gotta give some more info to get help
yes sure see so i downloaded the vpns which hackthebox provides i connected to them using sudo openvpn /path/to/vpn_name.ovpn and then i successfully connected to it but whenever i spawn a machine and try to ping it i am not able to ping it cuz i am in a different network than the target machine so how to fix this like what to do
like for example if i spawned a starting point machine i won't be able to pwn it through a local vm
yeah i did this the issue is that the target machine and the local machine are on different networks
because they have different ips
if u running it like this u good to go
oh so why am i not able to ping the machine then
send terminal ss
if u copying htb's ip and using ping idk why it aint working
just send ss for the ping <IP> awnser
yeah fine
make sure you're connected to the vpn, don't kill the connection (ctrl c) after you run the command
yeah i am not doing that that was previously told and instructed in the walkthrough
btw how to send ss
i am not able to send
bottom left + icon
yeah it is showing use apps
it should show documents pictures and all those things right
this
yeah just a sec
yeah done
this is what it shows
the ip highlighted in yellow is the target id
ip
look the page up on ur browser
and keep with the exercise if u can reach it
i didnt get u what do u want me to do
yeah
yeah i did that
but its not showing anything it shows an error but the target machine is up
terminate connection reset vm and spawn another one
If it is a machine from Starting-point please use #starting-point
`# Module name: PIVOTING, TUNNELING, AND PORT FORWARDING
Section name: RDP and SOCKS Tunneling with SocksOverRDP
Type of correction needed: Error fix
Description: whenever I run the command in the screenshot, it gives me these errors, I have run it in cmd and powershell, with normal user and as an admin, the binaries are 32 bit binaries but I have tried it with 64 bit as well`
yeah sure but it happens with every machine
is your tun0 ip 10.10.x.x
yeah
it is
in the walkthrough itself it told me to configure some setting and only tun0 should be visible
so i think thats fine
are there other tunnel interfaces? also reboot your vm and download a new vpn file
contact support if it doesn't work
just tested this, definitely works
could it because I am unzipping the zip file in Linux first then transferring
I dont see how it would affect it tbh
idk i tried downloading the zip file without extracting it
windows refuses to open
might restart the machine this is annoying
should i configure the network of my vm to internal network or it should work pls tell
you just need to connect to the vpn
what
@dry halo hi
hi
Hi can anyone help me
I really want to start In cybersecurity but I don’t know how
If anyone knows something it’ll be appreciated
start with the basics, learn networking, linux and etc you can find the fundamentals on academy https://referral.hackthebox.com/mz7pVWd
I’m sorry can you be a bit more specific I really dunno how htb website works, where can I find the fundamentals even YouTube will do fr
you sign up for Academy
and then you will see modules, I advise you start with Linux fundamentals
Can I talk to u in private?
@rustic sage
sure
Actually, that's what I did, but I can't find it.
Hey guys, I've a question regarding the Introduction to Splunk & SPL, I am really struggling with the last question (it's about finding the account with the most login attempts within a span of 10 minutes), I have tried to use timechart, bucket _time span=10m and nothing works, I have seen the hint but i found no resources about the range() function and how to use it.
If you take a real hard look at the screenshot you were given by dpgg vs your screenshot you will notice something very explicit. Go character by character if you still don't see it.
I solved the question but i don't know if it is the intended way. can i send the query to somebody to check it if it is good?
i use this command -> hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
What is going on if ms6 does not create session but does for other people doing the module?
Could also be they didn't disable all the protection
You're likely setting one of the options incorrectly
which one can it be
i tried everything already
Your lhost looks wrong
I am stuck on the assessment of the Using CME module, in the 3rd question (trying capturing DEV01's flag). I got ||james|| credentials via ||ntlm relay|| but does not appear to unlock any further access. Any nudge would be highly appreciated!
it is the tun0 one
I've not seen an academy ip that was 10.0.x.x
Take a closer look at your screenshots, no its not
Your screenshot shows your lhost variable as the eth0 interface, not the tun0 one
@rustic sage I have sent you a DM
ok i was checking the vpn and it turned off wtf
it had never happened to me
Maybe you accidentally hit ctrl-c?
i always go to new tab
idk this was strange
ty tho
Well generally, unless there's major connection issues, the vpn doesn't just shut itself off
idk it was not ctrl c as it was still on load
¯\_(ツ)_/¯
Idk if you're still stuck, but mind if I DM you? I'm also on hard lab and have been stuck for a bit.
DM me for hard lab tips if need be
yes DM me
Most likely, but ps gets pissy if you don't explicitly say where a file is.
Hi all,
I'm trying to complete RDP and SOCKS Tunneling with SocksOverRDP of the Pivoting, Tunneling, and Port Forwarding module but I don't seem to get it working and I'm starting to wonder if the machine might be broken.
What I have tried so far:
- Follow the SocksOverRDP approach
- Port forwarding like a few sections before
- Using RDP from within the RDP host. (So rdp into the 'target' and inside rdp to 172.16.6.155 using the UI program)
- Resetting the target numerous times (including waiting +15 min)
Am I correct assuming that all these approaches should work or is this a special network setup that will only work using the SocksOverRDP approach? aka, do I search for a mistake in my SocksOverRDP experiment or should I indeed assume a broken environment.
And of course after asking the question everything works...
I have no idea what went wrong but it works now. Sorry for the noise 🙂
In ad enum & attacks skills assessment part 2, I'm not sure why but every type of import or install of PowerView/ActiveDirectory or RSAT-AD-PowerShell doesn't work? commands like Set-DomainUserPassword or Get-DomainUser are not being recognized as cmdlets, etc. after. Not too sure why this occurs as the PowerView I import from C:\Tools in the other sections of the module lets the cmdlets work fine.
execution policy bypass maybe?
yeah i tried that with powershell -nop -exec bypass but commands like Set-DomainUserPassword still don't exist for some reason
maybe i'll just try to use mimikatz setntlm
what is the command you used to import the module
I tried Import-Module .\PowerView.ps1 or .\PowerView.ps1 or Import-Module ActiveDirectory
ok, it should be the first command. try that again and see if one of the cmdlets work, if not show a screenshot of the import command
and make sure powerview is in the same directory you're executing the import-module command with
ACTIVE DIRECTORY ENUMERATION & ATTACKS
LLMNR/NBT-NS Poisoning - from Windows
I cannot get this command to work:
(Get-Command Invoke-Inveigh).Parameters
I am trying to use Inveigh. I have already imported:
Import-Module .\Inveigh.ps1
Can anyone please help?
try Inveigh.exe
Iirc inveigh.exe is 1000x better than the inveigh.ps1 script
yah, the powershell version is no longer maintained.
Pretty sure I gave up on getting the .ps1 to work so I just used the .exe
I mean the ps1 worked fine for me
And using both- the exe is far more functional and nicer
And it allows you to do far more while it's running
Out of curiosity, what does (Get-Command Invoke-Inveigh).Parameters.Keys return?
Hello, on the Practical Digital Forensics Scenario section I am getting an error while trying to convert it to csv as they do in the example:
C:\Users\johndoe>python C:\Users\johndoe\Desktop\files\USN-Journal-Parser-master\usnparser\usn.py -f C:\Users\johndoe\Desktop\kapefiles\ntfs\%5C%5C.%5CC%3A\$Extend\$UsnJrnl%3A$J -o C:\Users\johndoe\Desktop\usn_output.csv -c
Traceback (most recent call last):
  File "C:\Users\johndoe\Desktop\files\USN-Journal-Parser-master\usnparser\usn.py", line 263, in <module>
    main()
  File "C:\Users\johndoe\Desktop\files\USN-Journal-Parser-master\usnparser\usn.py", line 180, in main
    journalSize = os.path.getsize(args.file)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen genericpath>", line 50, in getsize
FileNotFoundError: [WinError 2] The system cannot find the file specified: 'C:\\Users\\johndoe\\Desktop\\kapefiles\\ntfs\\%5C%5C.%5CC%3A\\\\%3A'
Any ideas?
Your error is at the bottom' file not found error', it can't find the file you specified.
yeah, but the file does exist
apparently not
wrap the filename in single quotes
sorry not the filename the filepath
Thanks, I did try with double quotes, single quotes actually work
Can we have it with the quotes in the text of the module? 👀
Works for me
what's the difference between the system owns and user owns?
in the Attacking common services module- Easy assessment. I found the user, when I am trying brute forcing with mysql. I am getting hit with "Host '10.10.15.30' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'
". tried resetting target too.
hm
i use the custom.rule file for passwd file
yes
other service but I read the HTB forums
he says use the custom.rule and brute force kira ssh service
What I don't understand is that this is not in the module anyway, we know this technique, but why couldn't I find the password?
can i dm you pls
yeah they kinda hint at uppercase, i had to figure this out for a while. the wording tbh is very very bad
you never BF ssh unless it's the only service
nmap the network and try the other services. remember that this is after the 'password reuse" section i believe
Can anyone give me a hint in the first question introduction to Linux privilege escalation? I tried everything to find credentials for lab_adm but there is nothing
PTH module is fun
Working through the ESC1 module and I can't figure out which step I'm missing here. Error output is pretty generic and I can't figure out from the -debug what's going wrong either. Tried different versions of WMIexec as well with no luck
did you update your /etc/hosts?
Yeah, I have LAB-DC.lab.local in /etc/hosts and I can ping lab-dc.lab.local as well so I believe it's properly configured on that front
just LAB-DC.lab.local? you need to add the domain and hostname too
yes, add those in
Huh, interesting. I've never run into having to format my /etc/hosts like that before
@next bronze Thanks for the assist!
np, when you're dealing with kerberos, always add 3 things to /etc/hosts for dc's ip: hostname, domain name and fqdn
Will do, thanks! I've never had to use more than just the FQDN so that's illuminating.
you always wanna add ip and hostname to hosts in case there are internal targets that only auth from the target IP
if you add the /etc/hosts, i believe it routes traffic through no?
Kerberos checks a handful of things in its query back and forth for auth
After performing the ESC1 attack, connect to PKI (172.16.18.15) as 'htb-student:HTB_@cademy_stdnt!' and look at the logs. On what date was the very first certificate requested and issued?
on that one ive got the runas and powershell up and then ran the Get-WINEvent -FilterHashtable @{Logname='Security'; ID='4886'} and 4887 and the earliest one should be 12/19/2022 but its not it. am i missing anything
someone asked this a while ago as well
there's so few videos explaining the process in a nice manner on youtube about it, I'm almost convinced that almost nobody except for microsoft knows how it actually works in its totality
It's just hard to condense down tbh
Kerberos just asks for a few things and it's a pain if you don't have them all
the kerberos module explains it pretty well
hello do you know how i can import an external library in vscodium
its for the question in introduction to c# Libraries
Hi, why when I paste a 100% correct flag it says it is incorrect?
Make sure no extra whitespace characters before and after
in the Attacking common services module- Easy assessment. I found the user, when I am trying brute forcing with mysql. I am getting hit with "Host '10.10.15.30' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'
". tried resetting target too.
I am not logged in
You don't need to be logged in to run that
It's not a server side command
Alternatively restart your vm and try again
annnnd tcp D/C on rdp again jfc
Try changing vpn regions
If it's a consistent issue no matter which vpn you use: message support
Try EU
you can measure the ping yourself
I dont think they've publicly stated where the servers are hosted
But it can generally be understood as West/Central/East
For the US regions
But changing region doesn't just mean from within the same geographic area
I've had times where switching to EU worked when US was being dumb for me
And then vice versa
could this play a hand in the issue?
No
have you considered upgrading from dialup
Those timings are solely for pwnbox spawn locations and have 0 bearing on the vpn stability
im running on google fiber
just teasing
I've also seen, firsthand, where I've changed machines and the pwnbox delay is different
Like my own physical machines
wtf
90% of the time when I'm doing sanity checks I'm doing it from pwnbox because I don't feel like spinning up my own vm
And the concept is the same anyway
So it could be some weird connection thing
does anyone know curl ?
But again, the best way to actually get an issue resolved/looked at is to message support
Support doesn't regularly check the discord
hello
Please help me with the lab work.
Web Attacks - Skill Assessment
https://academy.hackthebox.com/module/134/section/1219
Who can I contact?
Have you tried doing the thing
But in all seriousness: it helps if you provide info on what you've tried and what errors you may be facing
Yea
Just saying "I need help" with no additional info doesn't help anyone help you
We can't read your mind
I found the administrator's id, tried to change his password, but I can't log in with his name and new password
changing the administrator's password doesn't help, I can't log in with his password
It looks like you need to re-encode the data into a token
¯\_(ツ)_/¯
Also careful posting images as they may contain spoilers, if it's not something given to you by the question: then it's a spoiler
At least 2 isn't showing jitters
Hello, im doing Server-Side Attacks
Replicate the steps shown in this section to connect to the above server's "hidden" Tomcat page through the AJP proxy, then write the Tomcat version as your answer. Remember that the port you will see next to "Target:" will be the AJP proxy port. Answer format: X.X.XX
Why do i receive that error? I should have configured the ajp module properly
i forgot to comment a }
Heya, I arrive with a bizarre question.
Could someone tell me, how is it possible that I can access the Administrator folder from ps, but can't from cmd shell? For both shells I used the same account.
Could it be that ps has some higher privileges? Or might it be a bug, since I still couldn't view the contents of the folder even after accessing it
anyone run into this problem w/ hydra cracking SMB?
i wonder if msf could help ^
not a hydra problem, it doesn't have a path to that host
cd'ing into a dir has nothing to do with permissions
cmd just isn't letting you because it doesn't see the point
wdym it doesn't see a point? It says that the access is denied so I thought it could be connected to the integrity levels
it isnt
just a quirk of the developers
cmd knows you don't have any perms to the folder so it doesn't let you cd into it at all. PS basically goes hey maybe you have some weirdo permission on a sub folder and lets you.
CD just changes the process current working directory
the cwd is just a setting, it has literally nothing to do with permissions
you can have a cwd to folders that don't even exist. just typically shell applications don't let you do this cause it'd confuse users and have little benefit
If I can't find a specific plugin id on my nessus scan do I have to do it over again? I was able to answer every question except that one
finally 🙂
Use one of the predone scans
the performance of rdp is below zero
Is there a certain way you are supposed to search for plugin ids? Noticed it won't show even known plugin ids I put in
just because you can cd to it doesn't mean you can ls or read files
so it's the same
The module tells you all you need to know to find info
got it thank you
The whole module is a tutorial for it
Thanks for the answer, but i am stuck in some activities despite having tried a lot of options.
As it's a tier 3 module, there won't be any official or even sanctioned writeups for it
just ask here what you're struggling with
ok, I will think how i can ask it properly and then come back
Guides and walk-throughs for modules above tier 0 are expressly disallowed by HTB
ok i didn't know. thanks anyway
didn't know that either
So are youtube videos on the module eventually taken down or is it like if they see your username they will ban you or something like that?
yeah i think they dmca them etc
They'll eventually take them down
They issue takedown notices and issue bans on accounts if necessary
well damn
i went complete stupid on pth lol
I mean it's part of the website ToS and content creation guidelines
Got it, thanks for the explanation @thorn urchin and @next bronze
Which is also against ToS and if you buy them you're also really only cheating yourself
Also exam flags (afaik) are dynamic
**INTRODUCTION TO DIGITAL FORENSICS : Skills Assessment**
what hunt options should i pick in Velociraptor to get back the data needed? Seems like all the ones that i think makes the most sense are not pulling back what's needed.
oh i know. id never buy them. i was just saying they need to take down that site
which channel?
i'd love to tell you but that's the entire point of the skills assessment
based on the information you want to find you're gonna have to choose certain options. the search option will help a lot
You can use /spoiler in any channel, it doesn't pop up, it just sends it to the team that handles it
Update, I solved it, Too. Nice MRN0b0t!
Turned out that was WAY simpler after iterations of getting setup. Thank you for the support!
trying to find shares to connect to, maybe this isn't the right user:pass ?
You need to add -windows-auth
try adding this: --smb-timeout 5
It's also likely the user/pass is incorrect
Oh I can't read
yup i'd add that to pretty much every command with cme when dealing with htb windows smb
https://academy.hackthebox.com/module/143/section/1269
my brain hurts with this one, is there an easy way to convert RID to decimal?
can i not rdp into this?
The number they give you is already decimal
or do i need to set the reg key
how does 0x457 = 1111
Hex
yeah im trying to understand that so i can find the user with a certain decimal value
wrong sys my b
Convert the decimal number they give you to hex and search that RID
i found a converter online.. rapidtables. do pros really do this or just use an online converter?
it says login error in your screen shot
Calc.exe can convert too
i know but im using the given IP username and Password
try wrapping the password in single quotes
the screen shot you showed has the error right there, it says login failed, so that's likely bad username/pass
sigh
Single quotes will solve your issue as @cloud urchin said
yeah it did thanks. thats annoying
Single quotes tells bash to interpret the text as literal
As a general tip, whenever you have a password that has special characters-- always use Single quotes
Just a quirk of linux
Wait until you get to the "just hit enter" blackscreen that's been the bane of many 
dang this is not working out. if anyone is also having issues with this module let me know so i dont feel bad about myself . haha
just out of curiosity is there ever going to be a module or section that dives into bloodhound?
i keep seeing mentions of it but no questions built around it
there's a whole bloodhound module
is it in the CPTS path?
A good portion of stuff I've done in the AD enum module didn't require BH
Nope
But it's also not really a core requirement, just a nice extra tool
dang i wanted to learn it, looks fun. maybe ill spend some cubes to unlock it just don't wanna take too much time away from the CPTS path
I mean if you want to, that's up to you - latest bh CE is docker only afaik
bloodhound is a cheat code for AD attacks
I just like doing it the hard/manual way
If anything BH for me would just be used for me to mark network/user pwns
idk, in real engagements you're going to encounter giant companies
bh makes it manageable
there are things bh won't show you though
the main reason i wanted to learn is because my NGAV has something similar that maps out attacks and communication between end points. im pretty sure its inspired by BH or built off it.
maybe
Bloodhound is only mentioned in the AD Enumeration and Attacks module for the CPTS path, at least in my notes.
definitely one of the more fun modules
BH i don't think would be a cheat tbh. idk about you, but i don't wanna write down every bit of info about every account on the domain
and then search for attack vectors
nah i don't see BH as a cheat; just unnecessary unless you've run out of things to look at tbh
and it's like "really? i missed that user I have as a domain admin?"
i think it's good to map out the AD and such and see where possible vectors lie. but it's NOT good to consistently rely on
like any tool -- it's as useful as you make it
as it can give wrong/old information
ntm i think BH lights up most AV/EDR? though i could be wrong about that one
No, BH never touches anything. It's just a tool that displays data.
that's just sharphound, plenty of collector can do it remotely
it's just LDAP queries
thanks
yeah sharphound will light it up, but what would you recommend as a replacement
i knew i was braining something and missing it as I just mash the collector and the viewer into one
bloodhound python or rusthound
i mean you could export the entire domain into csv
or use a PE loader or write the queries yourself
there's nothing inherently malicious with sharphound
no theres not but it is very monitored and watched for
if i load sharphound into my windows laptop rn sentinelone will go off like xmas carols
yes because it's well known and sigged, but again it's just LDAP queries
¯\_(ツ)_/¯
everything done is being done via ldap queries and just exporting that data to a csv/json file
is the AD enum & attacks the longest?! i finish one section only for more to appear.. or at least it feels that way lol
it's pretty girthy
no need to get surprised over another section appearing, just check the right hand side of the page
im just being a brat lol
some of them are shorter than others
AD enum is super long, and then there are extra AD modules you can do
it is long though, are other modules just as long or does this one take the cake?
can't think of anything longer
Hello, anybody available in DM to talk about: "WINDOWS EVENT LOGS & FINDING EVIL Mini-Module skill assessment > By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that injected into the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe" please?
why the need to DM? just ask in here
^
i don't think anyone will flat out give you answers but we can do our best to guide you.
there's a Sysmon Event ID that you can filter for
well, i found the ||Calculator.exe|| by searching for ||clr.dll|| with eventid ||7||
i read about the parent-child relationship so looked for the parent pid, even if I don't really know how the parent could inject the clr.dll without raising an event ID 10. The parent-child relationship reveals that ||svchost.exe|| is the parent of ||Calculator.exe||, which indeed looks like abnormal behaviour.
I don't see Inter Process access to ||Calculator.exe|| (ID 10). I don't see any uncommon dll apart from clr.dll (ID 7)
I found powershell.exe running in memory and perhaps the right answer but I don't understand how I can get a link with ||Calculator.exe||
have a look at Sysmon Event IDs
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
there is an Event ID you can filter for that will get you the answer
yep sorry I found the answer at least I guess I am on the right track
||id 8|| looks promising
(but I don't understand why multiple answers were talking about parent child relationship in chat history)
in a strange parent-child relationship
Is the academy subscription different than the subscription for the boxes?
yes
the two are separate from each other
So a subscription to academy doesn't get access to machines?
no access. the two are separate from each other
Well, I don't know what to do anymore, the module boxes are still unusable, I can't move forward in my modules. I've contacted support and no viable answer has been given (I'm still waiting to hear back from the person I spoke to). I really need help, I've still got 1 module left (not counting the one about reporting and attacking network enterprise). It's completely ruining my hack the box academy experience ...
and I must point out that it's not coming from my house. I have no problems with classic HTB. I have the same internet speed as when I started the modules.
I take it you've changed vpn regions and everything?
speed doesn't equal stability
yes several times
I've always had the same ISP and no problems with stability at home, for anything other than htb academy
yeah i don't doubt it's htb's side, but just because your internet has been stable for 100 years doesn't mean it'll be stable tomorrow, things change etc
I understand what you're saying, but I only have a problem with HTB.
and while searching i noticed on reddit and htb forum (recently) that i was not the only one to have this problem
there was some downtime earlier in the year but it has been resolved, no one else is having this problem, or this channel would be flooded
it's precisely since the maintenance about 1 month ago that I've been having problems.
and it has been since resolved