#modules
or is it 13?
Wasn't there a recent update or windows blog post about mitigating one of the esc things?
Yeah ESC14 is out now as well, but I'm specifically referring to Bloodhound-CE integrating ADCS support without needing to use the fork
adcs support was there when i used bloodhound for the module?
the edges show the attack path
I'm referring to Bloodhound-CE, distinct from the forked version of bloodhound that was used in the current module
I doubt it will be added anytime soon, it's new and many changes are being made, they'd have to keep updating the module when something changes
just read the blog and set up a lab yourself 

They also generally don't update modules with new stuff unless absolutely required... I think they learned from the push back of "thick client" in attacking common applications
Ah, that's a shame. Thanks
ADCS is a tier 3 yeah?
yeah
It's also likely they're working on an advanced pentest cert with the current ADCS module, so hesitant to make changes ofc
hey, facing a problem in AD attacks module, cross-forest from windows section, i got the hash for TGS for mssqlsvc but i cant crack it why? it gives a no hashes are loaded in john and hashcat, any idea why?
do you need to crack the hash? also what's the error in hashcat
Hi folks, i'm on the windows privilege escalation module, section "Interacting with Users". "Using the techniques in this section obtain the cleartext credentials for the SCCM_SVC user." Anyone can point how to get the right shell to drop the scf file , I'm trying procmon but can't see any share
you should use a dictionary for mode 0, what's the hashcat command?
maaaaaan im dumb 

i had an error in the command, tho weird it didnt work in john, cuz i usually use john more
smbclient?
in john it was saying no hashes loaded for some reason
Use the malicious scf file method
I made the file, just don't know where to drop it
hashcat is better imo, much faster generally
I'm trying to login to the Antak shell on the Shells and Payloads module...
It's not taking the htb-student username htb-student password?
look at the source code
hey has anyone noticed that H I V E M I N D says... thing?
Yeah?
what is that
what is this poll
it's a survey on whether or not you'd like to have a video walkthrough for the module you're on in case you ever get stuck
i don't think they'll ever add video walkthroughs
Nope
they will if we keep asking lol
They've stated multiple times that they won't
or add something like the writeups we get for the retired labs
That's also not happening
why not
Because the academy content isn't retired lol
i'm not asking for answers to exams
It's considered active content under their content guidelines
That's basically what a guide would do
you basically have the answers to every section of the exam in the modules
And the point of the modules is to be able to get the answers without needing a guide
Or the modules themselves are essentially a guide
a video or walkthrough would help you see if you're understanding things correctly
or make sure that you are doing it correctly and there is something wrong with the lab
You can find video walk-throughs of the techniques
yes
Which isn't happening
not silver but gold
And I stg if you say "well I'm paying for it"
Everyone is paying for the content, I had purchased the cubes before winning my sub.
I find the content mostly sufficient, and things I don't understand are easily researchable
Or you're given additional reading within the module to help understand
If you're watching someone else do it, why bother? The point is a majority of people would just copy/paste the commands from the video without actually learning
And htb doesn't want that
you copy and paste from the module itself though
The content is a great guide on the basics you should know. Any more content and they'd have to charge way more
There's already enough people c/p the example without modifying anything
the only thing you modify at this level is the ip and port 
And in most cases you need to modify the command as directed by the question to get what you need
Not always
Sometimes you have to modify certain arguments within the command e.g. an ldap query
Moo you really gotta stop talking out your ass consistently
0-4 today
Not to mention: if HTB doesn't want to do it- then they really don't gotta justify themselves on it
They're a company, and it devalues the overall experience if they just cater to the people who can't read or can only rely on videos to learn
If you need a video for a technique, you can google it and it's likely ippsec has a video with that technique in it for some box
i can recall one time when i was doing everything right, watched a video, and the same commands that i was typing the person in the video typed, but the only difference was that my commands didn't work but his did
this was on academy content and i think that video got taken down
If the video got taken down then it broke content guidelines
the video was immensely helpful for me to continue forward and ensure that i'm understanding everything correctly
Htb has a restriction on content for modules of tier1 and higher
the thing is, htb isn't going to teach you every single thing about hacking, no one can. this role requires a lot of research on your own, reading command syntax for tools you've never seen before, etc, i think it gives a good balance of providing the info required and also making you think for yourself.
right but i'm talking about the things they're teaching... i can learn other things from other places
Applying critical thinking is essential to being a good hacker
then you're perfectly capable of watching a video of the same technique being taught
some modules simply due to the nature of them will be cut & paste, but you still need to understand the material. same with the higher level stuff, you probably can't copy/paste most of it, but you need to understand the fundamentals
The technique would be the same/similar just the target and output would not be
Which if you can apply critical thinking, you can translate a --> b
Pivoting
they also have the best training lol
me pivoting into a rabbit hole
over the wire is one and i have to look on my main pc for the other ones
The only complaint I have for htb is sometimes they're just info dense
i think vuln hub
Which can be good/bad
Omg yes, the cdsa content is much more dense than cpts
proving grounds, thm, sans, pnpt, nothing close to htb
But it's just parsing what the "what if" scenarios are from the "do this" parts
If only they could ban the stupid
that would mean anyone below 100 iq which would mean nobody here lol
don't worry they are making new certification HTB Certified Discord Member
no
i'd be happy if they just made new members go through #welcome before coming here lol
it needs to have a different name
People just click through and don't read
Hmm
nobody reads any of that it's like reading the eula or the terms before signing up lmao
Or they read it and say "I can't access #general "
Impossible with discord my dude
who completed the xss module?
i can only imagine what kind of cesspool that would breed
You'd need to have a layered bot for that that takes text and spits it back out
Ntm the inability to moderate
And for discord to operate as a public server they need to have moderation
Especially since children can access this server
i think my idea is best
you need to be certified in order to access the entire htb server
And that's how you get unofficial crud to start, no and this is off topic
i'm only kidding
in xsstrike how do you know which payload is going to work without having to manually check? (is there a way to make the program run and then sort by what worked and what didn't?) every payload i checked manually ends up not executing
i'll use burpsuite i guess... i was hoping to use xsstrike since that is what they were using in the module
i would have probably finished the module already if i was using burp lol
The xss discovery section?
yeah the phishing section one lol
man, the pivoting module keeps freezing my vm when i launch metasploit rev shells
the pivoting module sucked for me too
i think that's the one i was watching a video walkthrough on and where all of my commands were identical to the video
i don't exactly remember
Put all the query/params in the url and let it rip, it will give you the answer
in burp or xsstrike?
xsstrike
every payload i have copied from xsstrike ends up not executing
i'm thinking of just doing what i know and use burp and a random github list
You don't need to test the payload it generates
is the freezing with metasploit revshells in the pivoting module just my vm? it spikes my network usage and the vm goes to a crawl and no longer accepts inputs/freezes
i remember the module telling me that i do need to manually check
sometimes you need to restart the lab
to verify the above payload by testing it on one of the previous exercises.
one time i had so many sessions open that i needed to restart the vm
That was for the output they generated for that to be used on the previous section
oh i see
so basically grab any random payload i get from xsstrike and use it to create the phishing payload
brb gonna try that
Wut?
so like any one of these put the phishing stuff in there somewhere and put it in the text box and i should be good to go
Phishing section != Xss discovery section
that one lol
im running out of colors for my notes
Black
you have like 16 million colors to choose from
it's hard to remember what is what after you run out of all the primary colors
hes not wrong
That WHOLE section is a walkthrough, just read it and you'd be done with it already
the only problem i'm having is the payloads not executing lol
just execute it 
i haven't used burp but i'm gonna
Just follow the section, slap the url in and mash that enter button, ???, profit
I'm failing to understand your difficulty finding the payload when they give it to you
Xsstrike has payloads that aren't working for me for whatever reason
Everything was working in the previous sections so I'm not sure why they stopped working
If you read the whole page before taking any action you'll notice they don't mention xsstrike and they give you the payload
Thank you
bro fr skipped and rushed LMAO
A common user error that happens
Only took stating the payload is provided three times
does the skill assessment for the pivot module rely heavily on meterpreter listeners?
my vm just keeps freezing using it
You can use whatever method you like
same can be said for all the pivoting sections
well there are specific examples and a whole section on using meterpreter
You can even choose not to pivot, but I'd look into what's causing it to freeze up.
meterpreter is lol
Meterpreter/msfconsole is dumb
Yes I can read, what's causing it to freeze? Ram? Borked version? Root cause analysis yo.
.
Network usage goes brrr
yeah not really sure how to troubleshoot it beyond what's causing it. my linux troubleshooting skills aren't great, and the vm straight up freezes except for a few mouse skips. it no longer accepts inputs so i have to restart the whole box, can't really troubleshoot it when it doesn't respond.
if i get stuck i'll just try on bare metal or the pwnbox
It's a vm you can at least look at the host to see what's going on
Not specifically module related but it seems that I can't post in the community-help section because after I did the first time I get "the original message was deleted" and also the MEE6 bot msgs me "don't send the same message over and over again!" even though I posted once. I tried again after deleting post and same issue.
CBBH- Broken Auth: Predictable Reset Token
-I've got my script to run and it goes through all the tokens for htbadmin and it finishes without matching or giving flag.
-I'm assuming my time is off so: the webpage time is UTC time and my pwnbox is an hour ahead, pretty sure I'm supposed to do the time from the webpage and convert it to epoch *1000
- (ex. 11:26:54pm on webpage --> 24 hr time= 23:26:54--> epoch=1712806014 *1000= 1712806014000)
-Can I get some help on this, as my scripts are just running and then ending with no flag
This is a general FYI/Announcement for anyone using Parrot...
Basically if you update Parrot right now it will screw up your Burp install. This fixes it.
If you send a large block of text mee6 sees it as spam unless your htb labs account is linked
Can anybody help with broken authentication-predictable reset token
Oh ok, thanks, that's really helpful. I believe I was within msg length, but I guess it could be that I haven't linked account.
yeah mee6/automod sees linked and unlinked accounts differently
I just started using Linux
Cd
Cd /
Cd
Cd ..
Hmm it's not working
Pwd
Whoami
Ping MarcieLee.com
My commands aren't working. I just started using Linux.
I'm not a bot
Ping calculac0re.com
Discord isn't linux
Oh ok. Where's my terminal then?
In your linux vm
I just started using Linux
Or machine
I installed bare metal
Ctrl+Shift+T should be the keyboard shortcut to open terminal iirc
Oh ok nice.
Otherwise usually it's pinned to the taskbar/dock
Linux so much better than windows. It's a shame I just found out about the Linux world.
There's pros and cons depending on what you wanna do
I just want to use my little 4gb ram PC in peace. Windows was working the shit out of my PC for no reason.... And God the bloatware...
gaming on linux 
I believe when you go through the OOBE if you set the language to English universal or w/e then it doesn't install a lot of bloat but it's still a pain
I tested it a few different times and it seems that the issue is with code blocks, which aren't allowed per observation.

anyone else have this issue in active directory guided lab part 2? don't really know what's happening here, logged in with the provided creds (htb-student_adm: Academy_student_DA!) and verified that the computer is in the domain. also opening active directory with admin just doesnt work at all.
hi after some times
do most people here find the footprinting module to be confusing?
is it a slower module the first time you do it? Its taken me a little while to get through.
I'm in the last few sections. Actually, I'm currently taking notes on Windows Remote Desktop Protocol section of it.
I am trying to get the valid username on the webpage http://<ip>:<port>/question2/ but we don't have a clear text that says it's a wrong username, so we can just analyse requests but there is 2 another vars hidden "wronguser" & "count", how may I do?
https://academy.hackthebox.com/module/80/section/767
Well I found myself by testing one by one and searching something interesting... but I did not find a link.
Hello peeps, when you say to do AEN blind, does it mean not to read anything at all? Or just the questions?
Also what do you guys use to have a fresh Kali install for each test. If you even do.
you do not read the questions when you are doing it blind.
I think most people use their already built vm or build one if they don't have.
fresh install = build the tools.

Yeah maybe I'll use a VM then. I heard some people use some sort of cloud VM thing which sounded great.
sorry for the ping @autumn pilot but can you handle this real quick (user akrios47)? the shortener link lead to a steamcommuniqy
https://app.any.run/tasks/e6d04f2a-fbdd-4327-b8f9-6d031bd7ca2d/
Hii everyone. Is there anyone who has done the module "introduction to digital forensics"?
Hi everyone. I'm stuck on the XSS via websockets exercise in the Modern Web Attacks module. Could anyone possibly help me out?
hello i have to write on an existing file i confess i don't really know how to do it i'm stuck on the skill assessment of attack common service easy
what's up
I checked f* on all the privileges in the database
can I msg you :)?
sure
looks like your command is working, its just not a valid path?
how did you find the path?
btw, every single person needs to see this because you guys keep blinding me: Burp -> Settings -> User Interface -> Display -> Theme: Dark
I need 2+ characters because I need one upper letter + 1 number, so this is normal I am getting "0" as output? https://academy.hackthebox.com/module/80/section/777
on phpinfo
alright, then you're gtg
let's go i find the flag 
but there are a lot rabbit holes with lots of useless services for easy skill
Btw I tried with lower as well but no upper letter :
the easy is the hardest btw.
Try adding -e to your grep commands
And using double quotes not single
just finished the pivoting module.. is ||172.16.10.*|| just a red herring?
Where do I place -e ?
the skills asses.?
ya
i was going to try and pivot till i found the final flag on the box i was already on, but there was a 4th network
if we found the creds for the DC then it would work.
grep -e
Some shells and configs are weird with grep and regexp
At least I think it's -e or I'm thinking something else
what does it mean "btw"? sorry I'm French I don't understand the shortcuts yet lol
by the way.
I cannot ssh into the target from either VPN and pwnbox, I already reset it, what can I do ?
What module and section, and is ssh running on the target/the intended method of authentication
linux fundamentals, working with files and directories, I would assume it is intended
in the morning it was working fine for other sections, took a break, returned and now nothing, does not respond to ping ssh nmap etc
You use the ovpn file right ? Try to regenerate it or if you have a vpn activated try disable it
yes did that, VPN is UP, but the issue not related to VPN, machine is not responding from Pwnbox either
which region your vpn is ? I will try in my side to check if it is only you who has an issue with it
If you're testing with pwnbox be sure to turn off the vpn on your machine
If not, then there's other reasons that your system isn't connecting to the target
Also what is your ssh command?
got it, so it does not allow both vpn and pwnbox to interact at the same time
Correct, because the pwnbox connects to the same vpn config
i have an issue too
So it receives the same ip
i tried UK vpn and it doesn't work
ssh htb-student@10.129.180.220
Hello, im new here. I would like to ask if the interactive pwnbox should be able to ping the target system? I am not using any vpn
pwnbox works after taking down vpn, so maybe there is something with UK
"UK vpn" there's no UK one
pwn box
There's EU, and US
Yes pwnbox is not the same as vpn
Or I mistaken i still need to use the ovpn file with pwnbox ?
I am currently on SG Pwnbox location.
Depends on the module, but generally yes
Pwnbox automatically connects to the vpn config you have selected
well, i can't ping the machine then
Us-academy-[1,2,3] or eu-academy-[1,2]
i will connect my vm with kali and try with the ovpn file
What can I do now?
ah I see vpn server is diff from pwnbox location
Yes
I am currently on the nibbles module. Working on the privilege escalation. I manage do the previous lab but once im doing the privilege escalation, i can no longer ping
It works fine for my spawned target
got it working, thanks guys, I think having both pwnbox and vpn connection on VM is what prevented the connection
That'll exactly do it
It causes network collisions
As the vpn config will assign both machines the same ip on the vpn network
interesting, I initially assumed that pwnbox is part of the internal subnet, good to know
Is it supposed to be hard to nmap the WPE assessment 1 box? Or is it goosed?
Tried as well with "\" but nothing :(.
You don't use escape characters for regexp AFAIK. But anyway -E is used for the special cases also [[:alnum:]] may be what you're looking for if you need upper/lower/numbers
Or [[:alpha:]] for just a-zA-Z
What exactly are you trying to look for?
Also alnum encompasses :upper:
grep -E "^\[\[:alnum:\]\]\{2,12\}$"
what is the exact parameters you actually need?
does it need to start with an upper/lowercase character?
because here's what your current grep looks for; any uppercase letters then any of those matches that have any alphanumeric characters (so basically a nonsense sort) then for any that start with any character that's between 2 and 12 characters long
I just spent a considerable amount of time trying to do command injection with Linux commands on a Windows machine. In the Windows Priv ESC module 
Learn from my mistakes people



I was like whoami, great. Now ls ...hmm l's' ... Whyyyyyy???
that's why I use PS lol
funnier thing would be in PS
most binary commands in linux are ported to PS
well "ported"
(they're just aliased)
like wget is just an iwr alias
Ah so that's why they sometimes work
sometimes ?
a few minor differences with PS is that it really wants you to specify an outfile
Hello,
I'm stuck at the beginning of the assignment from "WINDOWS PRIVILEGE ESCALATION : Print Operators"
I compiled UACme and used the appropriate "key" for the command but i can't get it to work.
Any hints pls so i can advance ?
Perhaps use EoPLoaddriver to automate the steps.
but i want to learn how to do it manually
hallo where can i find help
that is what i call a boss move
Not "start", just one upper letter & 1 number minimum.
And minimum 3* (I was doing something wrong, I was saying 2 but it's free) characters.
I started with : Qwertyuiop12345!@#$%, no need special character.
One or more numbers :
Q1 works:
Need a capital letter :
I'll try it.
Well I'll try them.
PasswordAttacks - Pass The Ticket Module
Not sure why this is happening but when rubeus uses the /ptt option without relying on the kirbi file generated by mimikatz it fails to perform listing on a target despite the tgt being cached, as well as being a tgt of a domain admin, kinda sus. However, doing a /ptt with a kirbi file gives no problems when trying to list a target. Can I get some help on this, please? Thanks
Found, thanks for your help :).
sometimes it's just dumb
yo anybody knows a machine that focuses of Azure AD?
Anyone else having trouble xfreerdp'ing to the host in "Windows Privilege Escalation Windows Server"? It won't let me spin up pwnbox on this either even though it says I have an instance. I can ping the host ok but xfreerdp gives me "ransport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]"
No available instances for labs. What's going on
I've been struggling with that all week. Sometimes works, sometimes not. 
Appreciate it, I didn't think I was doing anything differently but I am sleep deprived. LOL
I noticed that too in the module I'm on :/
are they finally fixing their garbage instances
I thought I tried CA but I'll give it another go.
Try that one just got on
It did! Thank you!
Date : 2024-04-11 03:17:00pm
1712805420000 ms
1712805420 s
No hash :
htbadmin1712805421000
htbadmin1712805419000
Hashes :
- c7bc56455c6c12227f20953f10efa218
- cbfb2d01d1c158d4d7420e54f4fae996
Is this normal if after trying my two hashes it's wrong ? https://academy.hackthebox.com/module/80/section/779
I have use this algo to find the hash for htbadmin, but it tells us that there is -+1 seconds between the generation of htbuser hash & htbadmin hash, so I added 1s or removed 1s to have 2 possibilities, but no one worked.
<?php
function generate_reset_token($username) {
    $time = intval(microtime(true) * 1000);
    $token = md5($username . $time);
    return $token;
}
Well so we need to use the python script given :(.
Hey, in the remote reverse port forwarding with ssh section on pivoting and portforwarding module
I need to rdp into windows internal server to download a payload I uploaded to the Ubuntu server. But I try to do xfreerdp and connect and it fails any idea what to do?
yoo does the ADCS attacks module cover all the ADCS attacks ?
no only till 11
left 13 and 14 right ?
eeem okay
ig still worth it tho
Password Attacks Medium Lab
i cant get any service by nmap scans, tried all ports in UDP and TCP, Full TCP, SYN
disabled Ping. I already reset the target to see if it is just bugging. can someone tell me what scan type u succeeded with?
yea, there are labs for you to practice with too, well worth the price
I just use - - open
Module - Attacking Common Service - Ftp attack
is this normal almost 1 hours
im not even getting filtered ones, despite open
like all ports i scan are closed, i wanna know what exact scan you guys used, to check if the Lab is buggying or its my fault
DM if you like
Add -T4 to speed it up
fragmentation takes way longer from the testing i just did to a htb box.. if its not necessary maybe drop -f as well
It's saying that the passwords "does not match", why??? https://academy.hackthebox.com/module/80/section/781
Tried with ZAP as well to be faster :
Because old isn't Some1234?
But it's about this you think?
Because just before I typed something wrong it did not give me this error.
I will try to set the valid one.
Mb bc I sent a request and valid it so the password changed before my fuzz, thanks :).
Does anybody else experience issues with machines performance now? I'm doing an assessment for the Modern Web Exploitation Techniques and the machine response is super slow. It's just impossible to do anything. I restarted the machine, it helped for a couple of minutes but now everything is freezing again. (No, I'm not running scanners)
Try changing vpn regions
Same (just tried both EU regions)
Did you try the US regions?
Trying it right now
A little bit better but still freezes occasionally
Thanks for the advice anyway
Password Attacks Medium Lab
||i used crackmapexec against the smbserver, found the user and his password
logged in via smbclient and downloaded the zip file
stuck at the part where i try to crack the hash of the zip file
is this a rabbit hole? should i focus more on the ssh service and brute it even more?||
You're on the right path also delete the password and user part as it's still a spoiler (spoiler text does nothing)
which path of the two i mentioned is the one i should focus on, brute ssh or offline cracking the zip hash
brute force is rarely an option, not when you have something to crack
plus bruteforcing ssh is painfully slow
yeah often 4 threads, thats why i ask, before i throw a big mutated list onto it
Also: it's likely the pw may not even be in the list
Trying to brute force a valid cookie but john+wfuzz is not starting?
https://academy.hackthebox.com/module/80/section/782 (question 2)
I'm on Windows Escalation Privileges in Academy the "Communication with Processes" part. How am I supposed to get accesschk.exe onto the target machine? I've tried starting up a python http server but doesn't seem to have python on it either.
It's /drive:
There's a copy of the binary on the target in C:\tools
If someone know :).
Btw my cookie is : ddb2m5ir23hjjfjfpqu18eih95
I tried decoder from burp suite = nothing, nothing with some tools like Decodify or online..
Thank you @soft cedar
Isnt that crackstation?? I didnt know you can "crack" cookies with it
I know but maybe because it's an hash idk lol.
There is cookie as base64 for ex.
Just testing.
^
hash and encryption not same
For me the best way is to go with browser and burpsuite, surf each page and click each button. And then look for parameters in burpsuite in history tab.
PW Attacks Medium
i need a hint for cracking this zip hash, do i need to make a mutated list?
Has anyone done the Whitebox Attacks module? I'm stuck on the Client-side Prototype Pollution question and would appreciate some help. I got a simple XSS payload to work (an alert to show up), and am now trying to construct a payload that will actually perform the attack (i.e. elevate my privileges so that I can access the Admin panel). This is what I have so far, am I on the right path?
||/profile.php?proto[src][]=data:,$.get('/admin.php?promote=2')||
yes, use the mut wordlist.
But it does not solve my prbl :(.
got it thx
Which channel is for pro labs?
#welcome and you'll see all the prolab chans
#welcome then you should see it
is there also a chan for help on the academy?
this is it fabu
in here?
Yes
RIGHT HERE
Well with 6 for lengths it works but it should be the size of the cookie no?
damn my super long message disappears in here for some reason, mee6 is warning me
If your message is getting deleted then it's because it's very long and automod sees it as spam
ok i ll type it again -_-
If you read and follow #welcome you'll be able to do long posts and add images
Its an anti-spam and troll measure
Thanks a lot!
If you on computer just ctrl +z
my bad i did not, will do right now
It's how the mods keep us from getting steam cards -.-'
If on mobile copy before you send it again
They stingy af
Automod yeeted the msg unless you mean for after
I meant next time before you send it just copy before clicking send
If you think its gonna be long
Also for large blocks of code/output put ``` on the line before and after to have it be better readable
I saw it for a brief second it was at least 30 lines

Which usually indicates a misunderstanding of the source material or an xy problem
Do higher ranks get bigger message count?
@tawdry osprey also, unsure if you did so in your og post. But be sure to include Module Name and Section names
No
Ah so it can happen to everyone
It's literally just getting verified/linked has it gated

but hacker rank can post gifs in gen
Linux Fundamentals > Filter Contents > cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
I tried the following : "curl https://www.inlanefreight.com > htb.txt && cat htb.txt | tr " " "\n" | cut -d"'" -s -f2 | sort | awk '/inlanefreight.com/ {print $0}' | wc -l"
which gives a result of 20 , and the "right" way as found in the internet says : "curl https://www.inlanefreight.com > htb.txt && cat htb.txt | tr " " "\n" | cut -d"'" -f2 | cut -d'"' -f2 | grep "www.inlanefreight.com" | sort -u | wc -l"
Your initial command is missing the -u
Otherwise sort just lists alphabetically
-u removes dupes
i have the same result : 20
curl $url > htb.txt && cat htb.txt | tr " " "\n" | cut -d"'" -s -f2 | sort -u | awk '/inlanefreight.com/ {print $0}' | wc -l
How may I get the persistent cookie? https://academy.hackthebox.com/module/80/section/782#questionsDiv
it skips the /index.php/* and /* for some reason
The answer is higher
wen moon ?
https://forum.hackthebox.com/t/linux-fundamentals-filter-content-filter-all-unique-paths-of-domain/270162 there's a handful of different suggestions on the forum
The third question in the HTB academy module Linux Fundamentals, in the Filter Content section, " Use cURL from your Pwnbox (not the target machine) to obtain the source code of “https://www.inlanefreight.com” website and filters all unique paths of that domain. Submit the number of these paths as the answer." I am stuck, I tried filtering out ...
thank you sir
.
This one also includes a breakdown of a command used
oh okey, so when i get to the final question, what do you suggest to dont look with periferical view the answer? xD
No there's no way to hide or remove progress from a completed question/module
Nvm I am just stupid lol.
I just did not notice the button "remember me".
That would cause many issues in the long-run
Like an idiot.
is the citrix breakout module supposed to be so painfully slow?
But did we learn from this experience?
?
Hi folks, i'm on the windows privesc module, on the citrix section
i'm not able to copy files to citrix, i got the cmd.exe and userflag, but can't seem to use smb or anything to my kali
Take a ss and type it manually
I typed the flag manually, but for the privesc part, not sure how i'm supposed to do without being able to copy a script or something
if I can avoid typing powerup I'd be fine
Guys can I ask about CLSID with JuicyPotato? I'm just wondering if they have different permissions. Like if you find one that lets the program run, are you reet? Or do they have different privs? Trying to suss out if my command is wrong or could I just need to keep trying CLSIDs
just keep trying different CLSIDs until one of them works
Nevermind, I just changed the command and it popped right out. Pure luck I was on the right CLSID though
congrats
I think I'll go eat a potato in celebration
im doing the same module atm - you should be able to reach the pivot host instead of trying to directly talk back to your attacking machine
I ended up downloading powershell scripts to the Linux machine, and doing copy/paste from here. This is painful but works
The scripts are already on the Linux host.
this has to be the most painful module ever
anyway, I kept this one for the end
im about to buy the gold annual package; looks like I get access to t0-3. it also seems like some courses reward you cubes..? does that mean if i want to do a t4 i need to either buy cubes or save up reward cubes?
you can get tier 4 module using the saving cubes from the modules you have done
is 1000 reachable?
it's not easy but if you finish 5 module tier 3 you can gather it
imo tier 3 modules are more interesting except the OSINT module
seems like gold + vip labs should be more than enough
If you do all the modules in the gold annual, at this time you should be able to unlock all the t4 modules. that's a lot of learn'n to do in a year
I'm on windows file transfer methods and connected to target through rdp. When trying to use powershell it won't work for file downloads because the network on target says there is no internet
are you trying to transfer from your vm connected to the vpn?
I'm not on the vpn and I'm not having trouble with those kind of transfers, it's IEX transfers
And anything related to downloading files off internet
On target machine not host
where are you trying to transfer the file from
Following the screen from this long list of examples raw.githubuser….
why not try the methods to/from the windows box to yours?
so you're trying to download a file directly from the Internet? if your victim box doesn't have network connectivity you'll need to download it to your machine which does have internet and transfer it over
you aren't going to be able to download from powershell if the computer has no internet access
you can download using powershell on a webserver you host on your attacker box, for example python -m http.server
then use the PS command to download from your kali box
Ok
write that one down, you'll use it a lot, you can specify the port by adding the port number to the end python3 -m http.server 8000
Pretty sure none of those machines have access to internet. It's intentional
All the techniques mentioned in the module doesn't mean they all work on that specific target
But it's more "one of the ways"
There are as well more ways not covered by the module
Was about to say it says “fileless” transfer, kind of defeats the purpose to download a file transfer a file to be fileless but ok
Iwr and stuff can still get a file and execute from memory and not download to disk
Once my life stops being flipped turned upside down
I also need to finish the course

So I have connected to the SQL server using mssqlclient.py for SeImpersonate module in Microsoft Privilege Escalation. I am getting no output with any xp_cmdshell commands. I did enable it. Have restarted the target a couple of times.
SQL (WINLPE-SRV01\sql_dev dbo@master)> xp_cmdshell whoami
SQL (WINLPE-SRV01\sql_dev dbo@master)>
try and get a rev shell.
looks like xml vs the raw request
so in sqlmap, it must be the xml vs the raw request?
Also request vs output
ohhhhhhhh
It looks like you're only highlighting the request portion in your right side
Which is gonna be different from the output 
so i was legit copying the post request itself in text file for sqlmap, but should have actually gotten the output
Yes.
i thought i just had to copy the post request itself vs the output for sqlmap
You were copying the literal request used
aghhh no wonder. i was bugging like i had the right command but kept throwing errors at start
yup lol so terminology wise, the output for this post request is the response
If you navigate to the output side in burp it should be the same
Yes
You send a request and receive a response
2xx is generally success, 4xx is generally error
whats up ya'll currently stuck on a module skill assessment Introduction to windows command line. "User4 has a lot of files and folders in their Documents folder. The flag can be found within one of them."
I have tried Get-ChildItem | get-member | Select-Object name, .txt to retrieve flag info but yet have had no luck. any advice would be highly appreciated
it may be me not knowing how to properly use PS and filtering
You'll need to either loop through and read all the flag.txt files (only one has a flag) or find a way to find the one that does have data in it and only read that
Password Attacks Medium Lab
||when logged in as user d....., why does HIS id_rsa also work for r... ? is this a random trial and error, or did you find any evidence that r... has the same private key||
Why would he have it pw protected
Also: spoilers still again spoiler text does nothing
When asking for help, when it comes with usernames always go with first letter then *. Those that have done the module will know what you're referring to
not sure if you still stuck here. Just use Wireshark and look for DNS.
You can DM me if you want
just got it. It's always right after i ask for help i swear lol
Looks like SQL Injection Fundamentals labs are down.
Anyone else having issues?
or
This doesn't make any sense, why would we even need to add a comment?
we add a comment so the rest after the comment will not be executed
Wouldn't this work just the same
SELECT * FROM logins WHERE username='admin'
??
no because based on the sql code its using AND operator
thats why you would use a comment so after the comment nothing will be executed
the AND operator checks to see if both are true
Why add it in the first place then if you're not sure if it's true?
so if username is admin AND password is something is correct then its correct, if username or pass is incorrect then it wont work
can you explain more?
So is the password actually "something" in this case?
Why you need the AND and the command after AND
also why "admin'--" is passed as "admin"
wouldn't this be passed as "admin'"
ok they are showing the sql code just to help you visualize but in reality we wont even know what the code of the sql database would be
the AND command is there to see if username and password match in the database
if they match then you can log in if not then you cant
Well how does that command bypass authentication then?
I guess that's the ultimate question here.
yeah which is where the -- comment comes into play
you will put the username in this case admin then put the comment after username. so like admin'--
the comment makes everything after it not be executed
but what is the ' for and how am I authenticated with just admin and no password?
Wouldn't that be a NOT AND?
there is one account that is created which is admin so if you basically choosing an acc that does not require password bc you used a comment to not execute to see if the password matches to admin
So the database is seeing the AND as true in this case even though it's false since it's commented out?
comment just makes it seem like there was never an AND password = 'something';
it makes it seem the whole code is just `SELECT * FROM logins WHERE username='admin'-- '`
thats it
So this is just an example and SELECT * FROM logins WHERE username='admin' would work then. So what is the point?
but you are missing AND password = 'wtv';
thats the point
if the code was written SELECT * FROM logins WHERE username='admin' AND password = 'wtv';
the comment would bypass it
and we are able to log in as admin in the web
do you get it now?
I'm going to hit the "I believe" button, and just put it in my notes. I appreciate your explanation.
LMAO fs prolly someone else can explaiin it better than me
No you did great, better than the module, I kind of see what's going on now.
So the comment makes the rest of the string not matter, but it still gets passed as being true?
yeah basically
So why wouldn't
SELECT * FROM logins WHERE username='admin'-- AND password = 'something';
not work without the extra ' ?
what's the point of that '
after the --<space>
There are two important parts, one is the single quote in closing the username and the other part is the SQL comment
Then to me it would look like ''admin' -- '
If they used double quotes you would need to match, admin"--
So which quote is tied to which? Those first two in my example I just wrote are two single quotes.
This example is weird too, there's an odd number of parenthesis.
And the --<space> is not part of the original command since it's escaped from the parenthesis
In that example you're closing the variable username, then closing the where clause, and finally commenting out the rest of the string
The single quote that is after the comment you injected is part of the original code
So I made it down to the question at the end of the module and it's asking to login as a certain "id", but id is not a parameter that I have access to with SQL injection, as I can only modify the code adjacent to username.
Also tried this
the -- wont work bc its taking as a username as you can see
even then you still need to specify a username
With something like that you can try ' or id=5 --
You would need to close the username, inject the id, but you can't have it be an and
Yeah, that was one I tried, came up with
it's somehow not escaping the password
you forgot to )
somewhere around there
you got this
just look where to put the )
Yeah, it won't escape the password
show me what u did?
Oops I did
shhh let him figure it out
this isnt so much relevant to a specific module - but ive been studying HTB academy/followed up with hacktricks.xyz and ive noticed theres a ton of overlap. did one copy the other?
its almost word for word in the footprinting modules
if u fr stuck stuck then we can show u the answer but u got to show us what u have done first
I figured it out, I had to add the ' first so that it would complete username field and then comment out --<space> at the end to escape the '
If I'm not mistaken, the person that does PEASS also does hacktricks and is an avid supporter of HTB. They may have consulted with him for some of the modules.
I guess I'll build a local SQL server so I can run trial and error injections on labs and the exam.
oh that makes sense
nonetheless its been pretty helpful to summarize the massive sections like ftp with hacktricks
anytime!
You're so close!
I got it!
Somehow
LOL but im so glad i was able to help!
Me too! The rest of the module has been easy thus far, just took a second to wrap my head around this. I guess it's one of those harder to explain, easier to trial and error to see input vs output for what is really happening.
Especially because I imagine each case is different.
Most SQL injections can simply be avoided if the dev takes the 3 seconds to rewrite their queries properly.
can we remove this is kinda annoying
Inspect page source and delete it
clever
someone help, i'm doing the pivoting skills assessment and i've gained initial access as a user on the first server.
I couldn't find creds so I decided to start enumerating the other hosts through this ssh session, I tried -D 9050 on ssh and when I went to use proxychains with it configured correctly socks4 127.0.0.1 9050 I ran nmap with -sV, -sT, -Pn. I was seeing a whole load of messages, i cant remember what it said but it had DNS and a 5:1 in it (or something like that). The thing is it spammed that msg and ends up causing a memory leak or just a lot of memory usage. It's been working fine before but all of a sudden it's just fucking me over. The only other way I think I can get around this getting a meterpreter shell, putting a nmap binary on the server to get ports then forward what I want to attack.
If it's the socks message you can suppress that in the config
would logging in to ssh with a ssh key change anything?
I think this might have something to do with it
netstat -antp | grep 9050
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN -
tcp6 0 0 ::1:9050 :::* LISTEN -
I recall seeing a port and then the ssh service on that site where it says LISTEN, I can't see it here
dns request 2001:558:feed:1 < this is what's being outputted
i just need to enumerate more so I can get creds
-n will prevent nmap from trying to resolve DNS
thank you
i got it, i put chmod 600 on id_rsa without trying it with default perms so i was opening ssh as root, that's why I saw the port open but not listening
I wish someone would shorten the brown notification at the top of the labs now, it's so big it's an eyesore
Is there someone who has done the advanced sql injection ? I need to ask a quick yes or no question please.
Holy fucking Christ
I can see the ssh process listening on 9050. And when I do proxychains I still get this shit, it literally crashes my computer every single time
check your /etc/proxychains
make sure that the 9050 is uncommented and the 1080 is commented
Only entry is
socks4 127.0.0.1 9050
And I was doing ssh -I id_rsa -D 9050
ssh -i not -I
I am doing that, I'm just on mobile right now
anyone having problems with the footprinting module section SMTP when attempting to spawn the exercise machine
I got this one with RDP but the wording says to upload the file before rdp. Im wondering if we missed something. I've tried using SMB and ftp with no luck. If rdp is the way they should have mentioned this on the course material right?
That might be true. Although there are many things we do during the modules that wasn't in the learning material. It's bothersome yes.
no , any transfer files method should work since there's no firewall no AV
The course only showed how to upload or download from windows and there are no credentials working for smb and ftp
did you read the file transfer methods ?
I am sure all of this is covered on it
Hmm impacket?
I know, Im in this module.. but this exercise ask something that its not explained on windows transfer files part
Maybe later on the linux methods this will be explained
hi i am stuck on shell and payloads module
having more errors with ps code
i disable AV
but still no luck
Hi, can i DM you for the same issue?
Sure
in the CPTS "getting started - knowledge check" anyone else had issues with not being able to connect to the target? I ended up finishing the module questions in pwnbox because my vm would work for a couple minutes and then no longer be able to communicate with the target.
it would start working again when I terminated/respawned or just refreshed target but only for a minute or two till it stopped working again.
Make sure you're not connected to two VPN's at the same time. Choose either pwnbox or your VM, not both. They conflict. You have one vpn key. Using it on multiple simultaneous connections will tear down your connection.
I am sorry I am posting this in "modules" But I can't see pro labs channel. No administrator/moderator I messaged is responding. When trying to do identify this is what I see "I get this message upon identify - Identification error: please contact an online Moderator or Administrator for help."
In #welcome I cannot see the pro lab as an option
enterprise account or just regular htb? I don't think the enterprise accounts can register
if you want to get access to the prolabs channel, you should link ur discord with HTB account
that's their problem they are trying to resolve
Is that done using "identify"?
yes
ok. thanks
if you haven't try regenerating your identifier and give it another go
Thanks @shut quest . I did that but no luck. I get the same error when I try to identify - Identification error: please contact an online Moderator or Administrator for help
So if you are already in PowerShell you do not need to add powershell -nop -c... Essentially you are trying to launch PowerShell while in PowerShell
Np
can anyone help with this question from Broken Authentication-skill Assessment- Assess the web application and use various techniques to escalate to a privileged user and find a flag in the admin panel. Submit the contents of the flag as your answer.
Exploit the target using what you've learned in this section, then submit the name of the file located in htb-student's Documents folder. (Format: filename.extension)
can anyone remember where is the file
i am on this target but no any documents and files
Hello guys, I'm on the Windows Privesc module doing the Citrix escaping. I'm giving the machine 5 minutes to load, however when I rdp into the IP, the thinclient doesnt come up
Im just stuck in the linux host
yep i found it
the other day it worked nice, today its not working anymore
Hello (totally new here, so forgive me if i am in the wrong place)
I am doing the skill assessment of the FFUF module, and on the first question i am sure i have the right answer. however I get message that its wrong. maybe i am needing to put the info in a different format or something. I dont want to put the found answer here for spoilers.
question: Run a sub-domain/vhost fuzzing scan on '*.academy.htb' for the IP shown above. What are all the sub-domains you can identify? (Only write the sub-domain name)
can someone help me out?
dm me your answer
What are you guys discussing about
Hi guys
I need help in finding flag of WordPress directory listing challenge
I can see wp includes shows n number of files
But unable to find flag.txt
Help me in finding
some help?
please contact customer service
a
I am creating a Windows attack VM as per HTB academy guide. Issue is vmware player has no snapshot function, but I found 2 work arounds. One would be to manually copy all the files where the VM is stored to another location. The other one would be to create an .ova file of the current VM. Is one of these 2 the better option ?
use virtualbox
vmware workstation is great but player is not worth using because it's missing some important functions like snapshots
I agree, I just got accustomed to using vmware ESXI from work
it's what offsec recommends too
yeah esxi is great, but player is not esxi
does your work not give you a workstation license?
never actually asked them, good point
English
Hi everyone!
I am in "Windows attack defense" modules skill assessment.
Can anyone help me there is no log with above ID. I did what module showed. I guarantee, I 100% followed module without problem but I can't find events
most normal xfreerdp experience
im doing LLMNR/NBT-NS Poisoning - from Linux and some users are getting cracked and some are not. What other wordlist to use other than rockyou?
can somebody help?
Active Directory
rockyou works just fine
why am i getting exhausted then?
maybe check if you have copied each hash on a new line
and run hashcat with sudo.
or you can use JtR.
You cannot crack all the hash
Sometimes the password are strong so they cannot be cracked
/cert-ignore sometimes helps
ooo alright
Now i saw that the same user has different hash from responder
linux or windows
Linux
it's NTLMv2, every captured hash will be different
its really strange that some crack and other not
it's not strange at all, some hashes can be cracked, others can't
so i just need to try different hashes until one cracks
wdym try different hashes, if you can't crack a hash from a user, then you can't get access to that user
I can't answer the question ''Crack the hash for the previous account and submit the cleartext password as your answer.'' I have cracked only two users
did you get the answer for the first question
/timeout: 50000
what does that do
Ngl I don't know but it should allow the session to be made, it worked for me when I got a timeout error. I believe it increases the timeout length
God damn the latency on these lab servers is buck wild.
It increases the timeout so when the latency spikes you don't get disconnected
It's in ms
So 5000 = 5 seconds
Thank you!
ahhh alright will try it
hi, what modules can I do on HTB without paying? also is there a subscription fee instead of a per-module basis?
All Tier 0 Modules are free of charge
All the tier 0 modules
ty!
after doing cpts and cdsa, will i be able to land a job in SOC entry level
HTB's certificates are not yet very well known. But you will definitely have the knowledge afterwards
not with cert, i am asking about the knowledge gained from those paths
I have been at it for a few days,
Is anyone able to help me?
I just need to answer this one question to finish the whole module
Enter the keyword that should be specified right before the content keyword of the rule with sid 10000098 within the local.rules file so that an alert is triggered as your answer. Answer format: [keyword];
I did this lab. The question is actually asking to find the field before the keyword "content" and before the sid.
take a look at the example 3 in that section.
the answer includes "; "
Anyone able to offer a nudge to get "iamtheadministrator" creds on Windows Priv Esc Assessment 2?
I have a root shell
SYSTEM

Thank you, I was going crazy, the ";" was the problem.
I thought the Answer format: [keyword]; with ";" was just a formatting issue.
thats the beauty of HTB ha
guys this is a insane problem for me
see this carefully i cannot see bottom bar how i work with this issue
can anyone help me?
can not scrol down and see bottom bar.
refresh the page and maximise the window
make the window smaller
so terrible
final step on this module
try hard to finish this within a day
but no luck
I mean if you're looking at leaks it should be easy right?
sure buddy
i don't follow.
on Escaping restricted shells, is it expected that I use the methods outlined in the article or research my own?
there are 2 ways to do it, one of the ways is in the module
im doing the lfi skills assessment and i cant seem to find a method that would gain me rce any help for a nudge would be appreciated
hello i'm stuck on the last question for skill assessment hard for attack common services, i managed to connect with fiona, i know with which user i can make a privesc but i made a password attack on all services, i don't understand why it doesn't work. https://academy.hackthebox.com/module/116/section/1468
Hello man
can you help me plz ? with this module : https://academy.hackthebox.com/module/158/section/1439
I have my payload :
My listener :
But it is not okay ?
Can you help me please?
tried each way multiple times 
try something with echo
thanks mate
ended up getting in via another method but im gonna try to find that one as well lol
understand it now, was really close before but makes sense now. thanks again ❤️
help me plz ^^" I'm going crazy
Because ssh isn't open on the device
Also: Jason isn't on the target ip, he's on the given final ip in the q
(Your msfvenom payload is also wrong)
hes using 172.x subnet as well
But this section doesn't require it
It's the wrong ip
i know lol, htb is always a 10.x isnt it
Read his ssh command carefully
Internal networks are 172.x
That's not fully incorrect
The first host has a 10.129 ip for you to connect with and a 172 subnet to move through the network
He's also not on the right system to access 172.16.6 subnet
The section very much walks you through it
(And if you wanna do it with another method you'd have to adapt to work with it)
Okay now I'm fine but I must to do ? I have to do something because it's not explained how to get on the machine 172.x.x.x
Read. The section. Carefully
There's another user and internal machine they give you
172.16.5.x
Todays not the day to make OJ Simpson jokes, but I may take a stab at it tomorrow
Usually when OJ expires, you just get a new one
She's too young for you bro
yes I read but I don't have informations how to explaine machine
And I am reading 4x ^^"
Look for Victor in the text, you linked the socks over rdp section
And I've been staring at the second machine ip and creds
You're also meant to rdp
Yes I see I tried the same method, it is not thought out. Do you have documentation recalling the method?
I literally followed the section step by step and it worked
Rdp to htb-student -> disable the real-time-protection -> start the socksdll
The section is a walk through
With pictures of what to expect at different points
Hey all- having an issue on the ESC1 module of the ADCS attacks course. I've gotten Certify to output a cert for the correct user to the PS window, but when I try to copy it over to a pem file and encode it using the windows OpenSSL app installed on the windows VM provided, it throws a "no supported data to encode" error
Is the preferred method of getting the pem file running certify > copying the RSA key and Cert content from the PS window > pasting it into a txt file and converting that text file to a pem file?
You have to Convert with: openssl pkcs12
need to convert the PEM certificate to the PFX
That's what I'm trying to do, openssl on the windows machine is referenced by "C:\program files\openssl-Win64\bin\openssl.exe, but it throws an "no supported data to encode" error
Anyone ?
You have to avoid bad formatting ||sed -i 's/\s\s\+/\n/g' cert.pem|| as the module mentioned
Sql
you're probably thinking of the wrong module, they're asking about the ADCS module, not win attack & defense
hmm could be
is the file has the extension .perm? and did you copy both the key and certificate?
I copied both the RSA key and the certificate, and pasted both into a file called "cert.pem"
try converting with linux then
I can't, the module provides a windows host, not a linux one. I'm connected to it via xrdp on my kali vm
do it in kali
It's one of those ones that makes you login to a specific host
when i execute this command sudo kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt -o valid.txt the valid usernames are not in the txt file?
The output flag is dumb
-dumb?
No... it just doesn't work
is it possible to give me the correct way?
Try --output or something
Maybe add -v too?
with -v it just shows also the not valid users
The outputfile?
no in the command line
I'm saying use v with the output option
im putting -v in the end
I'm stuck on: Use the Metasploit-Framework to exploit the target with EternalRomance. Find the flag.txt file on Administrator's desktop and submit the contents as the answer.
The output I'm getting says that the target is running on MS Server 2016 --> And the payload is failing.
"I'm stuck on the Nmap module that has the challenge of discovering the version of the DNS server, however, every command I use doesn't show the version. Can someone help me?"
Show the nmap command you're using please.
nmap -p 53 -sV IP --version-light
└─# nmap 10.129.53.244 -Pn -sV -p 53
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-12 15:52 EDT
Nmap scan report for IP
Host is up.
PORT STATE SERVICE VERSION
53/tcp filtered domain
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.23 seconds
Nevermind on my question
--version-all @drowsy phoenix
└─# nmap 10.129.53.244 -Pn -sV -p 53 --version-all
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-12 15:54 EDT
Nmap scan report for IP
Host is up.
PORT STATE SERVICE VERSION
53/tcp filtered domain
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.22 seconds
-sSu --script dns-nsid
└─# nmap 10.129.53.244 -Pn -p 53 -sV --script dns-nsid -sSU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-12 15:57 EDT
Nmap scan report for IP
Host is up.
PORT STATE SERVICE VERSION
53/tcp filtered domain
53/udp open|filtered domain
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.15 seconds
do it in pwnbox
Try with the pwnbox
This one is kinda dumb
Also I see you're running around your system as root
yes rs
I keep a root window open myself, gotta have the power ready
Sudo works just fine
sudo su
sudo <command>
Running around as root and starting services as root is deeply irresponsible and can lead to things breaking unintentionally
You can make a new user. You can't make a new root
in academy, any idea how to remove the banner about the Exams VPN? its taking up page space
Defender keeps erasing this:
Nope
inspect element
Add your notes folder to defender's scans
It deletes it from my Bash Bunny.
Because it's rightfully detecting this is a reverse shell
"Bash Bunny?"
I know, but I wanted to pop a shell from my lab to the cloud.
?
doas even better, historically more secure
technically that works, but it should be an X box to kill it, its a waste of space
ik lol
I'll keep trying.
