#modules
storage keeps building up idk how
make a template
Guys! I have a simple issue: I cannot connect using RDP. The connection is very bad here. I just moved location to the Middle East and it just doesn't connect, or connects with a black screen. Maybe there is another way to access it, using the command line without a UI. I'm on Mac.
The connection round trip is too high.
If it's a black screen, hit Enter, and choose the VPN server closest to you.
If Enter doesn't work, try clicking around the center-left third of the window; there's a button there.
Is the general consensus to do Attacking Enterprise Networks blind and just do it as if it's a real engagement?
Yes, and whilst doing that write a report if you haven't done one before.
Thank you
did you fix it? I want to ask some question about it
hi, did you fix it? I want to ask some question about it
Choose correct project template. (Console App .NET Framework)
They added a note about it 😄
The walkthrough for the Evasion module has been published by the way.
In case someone needs extra help
Yup that was fixed with the support
That was my mistake; all was right except the template I chose.
I see that we all don't know how to read correctly 🤣🤣
Good day. I have a question on the Intro to Assembly module; specifically, "Debugging with GDB." I am trying to find the solution but am having trouble. I've hit the breakpoint in the gdb file and tried using x/wx 0x4**** to review rax in hex. The one I'm getting is wrong. Any idea on what I may be doing wrong?
is that possible to pm you?
Make sure you've stopped at the right step, and there's no need to use examine; you can see the values of the registers at the top.
No problem
Thank you. I thought I did. I stopped at 0x****10 and don't see it. Then I tried the x/wg command and HTB is saying it's wrong.
I did x/5xb $rip
the question asked for rax no?
Yes. When I do $rax it says cannot access memory at address 0x2……
Is there an alternative to RDP for Windows? Because my connection is too bad, so it loads forever.
Or maybe I can run the target Windows on my own?
you can't run the target instances locally if that's what you mean
So I don't use the VPN connection?
you can
I guess I'm misunderstanding what this means.
Either way: you can use the VPN connection on your own VM.
It's generally not recommended to do hacking-related activities on your main OS, and even less on Windows.
Just one question about active directory trust attacks
I'll share what I have tried, if I can ask.
then you've likely stopped at the wrong step, you should stop at <_start+16>
Its about question2 on skills assessment
I think I miss something but I want to be sure
or <_start + 10> in hex
I did that. I may not have a correct grasp of it
Syntax: b *_start+16; run
I generally cannot connect to any target RDP. I assume it's a connectivity issue; is there a way to investigate?
Can you ping the target?
And is the target running RDP services?
2 important questions.
If on your own VM, are you running the VPN? If so, don't use the in-browser instance (Pwnbox) at the same time.
Then I did x/wx 0x4….. and got 0x00c0… HTB says wrong.
Hello, I am stuck on the PIVOTING, TUNNELING, AND PORT FORWARDING / Meterpreter Tunneling & Port Forwarding section. I don't know what to do.
Section name and part you're stuck on, as well as what you've tried.
why 0x4? try $rax
Or maybe just look at the top of gdb.
The target is not responding, but the VPN is ON and it has the correct file. Maybe it is somehow blocked by the provider?
Meterpreter Tunneling & Port Forwarding. I managed to answer the first question but I am having problems with Configuring MSF's SOCKS Proxy.
@fathom pendant Could I PM you? I don't want to spoil 🙂
I haven't done this module.
Ok 🙂
Ok, I’m a fool. Maybe I read the question wrong or misunderstood. That’s what I found when it said can’t access memory. That hex was the right answer - thanks a bunch
What exactly is the issue? I think the section shows you how to set up the proxy.
The issue is it doesn't work; there are no active jobs. I was going over the course step by step but I guess I am doing it wrong.
Same from Windows VM : Request time out
oof automod
msfconsole -q
[msf](Jobs:0 Agents:0) >> use auxiliary/server/socks_proxy
[msf](Jobs:0 Agents:0) auxiliary(server/socks_proxy) >> run
[*] Auxiliary module running as background job 0.
[msf](Jobs:1 Agents:0) auxiliary(server/socks_proxy) >>
[*] Starting the SOCKS proxy server
[*] Stopping the SOCKS proxy server
Probably because gdb thought the value in rax is a pointer and tried to access that pointer's value.
You can't start a proxy server without setting up the agent first.
You have to transfer a msfvenom binary to the target first and run it.
Module 81 / section 774, Tcpdump question "Were absolute or relative sequence numbers used during the capture?" I'm pretty sure the answer that the system accepts is incorrect. Without discussing the answer here, how should I go about it? Is this something to submit as an erratum?
That's the ./backupjob running in the background.
Yes. Did you set up a listener in msfconsole?
Your console output doesn't show that you did.
[msf](Jobs:0 Agents:0) auxiliary(server/socks_proxy) >> use exploit/multi/handler
...
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> run
[*] Started reverse TCP handler on 0.0.0.0:8080
[*] Sending stage (3045380 bytes) to 10.129.97.54
I got a shell from Ubuntu.
OK, now set up your SOCKS proxy again.
So I fire up a new msfconsole?
I am on it.
Then you can set up your SOCKS proxy.
[msf](Jobs:0 Agents:1) auxiliary(server/socks_proxy) >> run
[*] Auxiliary module running as background job 1.
[msf](Jobs:1 Agents:1) auxiliary(server/socks_proxy) >>
[*] Starting the SOCKS proxy server
[*] Stopping the SOCKS proxy server
set SRVPORT 9050
set SRVHOST 0.0.0.0
set version 4a
run
maybe set SRVHOST to 127.0.0.1
0.0.0.0 is correct, that's all adapters
I don't remember and I don't have notes 😰
Then I guess you don't need the agent to fire up the proxy.
I thought it required a session number.
I managed to answer the second question.
damn bro you really got us
Thank you for your help and time
thank SuperNuts too
Haha, I did nothing.
thank you also, and it was tun0
I'm having trouble with the final three questions of the skills assessment on intro to digital forensics. I've been using the Windows.Kape.Targets with the SANS and KAPE triage configuration to collect data, and I've manually parsed the downloaded files.
I've searched for strings related to registry key persistence in the relevant modules but haven't found anything. I also tried looking for mimikatz files and .DOCX files without any luck.
maybe the DOCX was accessed recently?
Does anyone know how to fix this error? Local Parrot VM connecting to RDP.
It says it timed out waiting to connect; try increasing your timeout.
I see. let me try
how much is default and how much should it be?
I have no idea what the default is. I set mine to like 100,000.
okay thanks I will try it
Dumb question, but can you give the syntax? I tried --timeout=100000 and it didn't work.
I don't even know what app you're using.
xfreerdp
/timeout:100000
yoo it worked thanks fren
I pretty much always add /drive, /timeout, and /cert-ignore to all my xfreerdp commands.
you can't forget /dynamic-resolution 😄
Guys, can someone help me? I'm trying to get the subdomains in the module "ATTACKING WEB APPLICATIONS WITH FFUF" but I get this error all the time.
First of all, your URL is wrong.
Is it?
Windows.Forensics.RecentApps.json is what I got out of your hint
did you try it?
Its a blank file
@soft cedar
You made it https instead of http.
I always try both https and http.
It is https.
This is subdomain, not vhost, I believe.
You sure? Never encountered any inlanexxx domain that is https in the modules.
Hi, is it possible to DM someone for a hint about Skills Assessment - File Upload Attacks? Can't find the upload dir despite a lot of tries.
That's what the module shows. It's also for subdomain brute forcing on the real-world URL, not a fake internal .htb site (that's vhosts in the next section)
it is https
~~oh I get you now but does it actually work? ~~
yeah, you have to find the subdomain
We would need more information though; your command is correct, so I would assume some kind of connectivity error to the server.
Well, from my notes, I got it with http.
I have another target spun up, I will check later.
but I just checked the step-by-step solutions, they ended up using http lol
can you provide the command you used?
It works with https as well
interesting.
I just tested it on the Pwnbox, no issues.
Wait, you receive no errors?
What error are you getting?
only error and the numbers
Hi, can anyone help me with Attacking Enterprise Networks? I'm in the lateral movement part. I want to connect via RDP to the machine 172.16.8.50, but how?
lol, it works for you?
Yeah, works no problem; copy/pasted the command right from the section.
Try restarting your Pwnbox.
Do you have DNS setup correctly? It looks like you are trying to resolve each name and unless you have dns configured it will fail.
The same: ffuf -w "/opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ" -u https://FUZZ.inlanefreight.com/
There will always be "a lot" of errors, but if you increase the size of the terminal window or decrease the font size, the output is much more readable 😉
Yes, I have.
sorry, I thought you were doing vhosts and not sub domains. Ignore me.
dont worry
Can you include the error text in a screenshot?
No, I can't lol, the connection has timed out.
Yeah, something's up with the connectivity somewhere then.
There is no name for the error; ffuf just can't search for domains.
In your last screenshot it cuts off at Er what is the text after that?
it says Errors: 1325
Here:
I can't access any site with my Pwnbox.
Yes, it says Errors:
oh
I will try from my Kali Linux machine.
keep looking, the doc may have been recently opened
I feel I’ve looked at every json for a .docx file extension but I’ll keep looking
lol, still Errors. Well, I will go to the next steps.
Hello I have a question about the optional exercise in the "How to Write Up a Finding" section of the "Documentation & Reporting" module.
I'm trying to gather additional evidence for the findings where evidence was not provided.
When I try to access any IP discovered in the pre-populated Obsidian notebook from the target I get a routing error like "No route to host" or "Destination Host Unreachable".
Am I missing something ?
@soft cedar @gray merlin @cloud urchin solved here finally lol
I only spent 1:30 hours on this haha
nice
Gotcha. I still have more to learn about assembly and reversing
Just did it a moment ago, it does work. Did you check the log?
Fine to both checks?
Looks like it's failing the other check.
[05/10/2024 14:21:24] C:\Alpha\Static\NotAMalware.exe - OK - Undetected by Microsoft Defender Antivirus
[05/10/2024 14:21:24] C:\Alpha\Static\NotAMalware.exe - OK - Passed all checks
Did you select the correct template ?
Did you test it on the dev machine first?
"Active Directory Trust Attacks" section "Unconstrained Delegation" .
I managed to get the TGT of DC01$ by abusing the printer bug. I imported it into my session using the .\Rubeus.exe /renew command, which said the TGT was successfully imported. The klist command confirmed that. I need to get the flag on DC01, but I cannot connect to it or list files on it. How am I supposed to get the flag on DC01 if I have the TGT of DC01?
Try opening a new PowerShell window and re-importing and then renewing the ticket.
You mean creating a sacrificial process with /createnetonly:C:\Windows\System32\cmd.exe with Rubeus?
yeah
ok
Hello guys, can someone explain to me in simple terms what the Get-NetLocalGroup command is in PowerShell?
If I understand, to use it I need to import it first, and when used it gives you the users that belong to a given group, am I right?
It queries information about local groups on a Windows system.
Like permissions, users that belong to it etc.? @cloud urchin
I restarted the VM and did it again now it passed.
Thanks!
group names, members, member attributes i think
Np 🙂
thanks
I guess it's part of PowerSploit and it needs to be imported before use?
yep
Last question: after a certain time I will try some pentesting on certain machines. For pentesting, is it always advised to install all the needed tools on a VM and try some pentests on your VM instead of your "real PC"?
The trouble with running tools you're not familiar with on your host PC is that you may inadvertently open yourself up to exploitation by having services running you weren't aware of. Granted, those services would be running on your VM but at least all of your personal files won't be on there. Working from a VM is smart because you're working with a lot of moving parts and unknowns. Take snapshots and keep your host PC clean of hacking tools I say.
So better to use a VM. Thanks for your answer 🙂
Hello, did anyone do the Game Reversing & Modding skills assessment? I have a question about the first step. I skipped it, but I think not the intended way, and I do not get the JWT token afterwards 😦
@shut quest dm sent:)
wut why?
Sorry, then ignore it.
Apologies if this is the wrong area to post this, but I'm doing the Network Enumeration with Nmap module and on the question for the Nmap scripting engine "Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.", I believe I found the flag, but the grader says it is incorrect. I initially did nmap -p- IP, and found all the open ports, including one that was 31337, so I did nmap -sV IP -p 31337 and the result gave me an unrecognized nmap fingerprint that included "HTB{flag}" in the GET request. I also then tried nc -nv IP port and received the same flag as a 220 GET request message. I entered that exactly, took off the HTB, took off the curly braces, and none of them worked. So I googled the question and found a reddit post where someone posted this exact flag and people said it worked, so has the flag changed, am I doing something wrong, or is this a bug/misconfiguration in the Academy? If any of my terminology is incorrect, apologies, as I am a newb still, so feel free to correct me.
It's the right flag. Also, don't post the flag/answer.
Make sure you don't include spaces
The full flag is the HTB{..}
Copy/pasting is also a better way to confirm than manually typing
They don't change the flags in academy content
Yes, I know, and I entered the flag and checked both sides for spaces. I copy-pasted multiple times, manually typed and tried other formats.
I did that multiple times, tried restarting the VM, and switched VPN profiles and even my computer.
Actually taking a look
So I should probably just message support?
The answer you got was for the service enumeration section
Not the scripting engine section
Big Oof lmao
Thanks I did that one yesterday and didn't realize that was the same flag
Appreciate the help
Follow the section and use the same tactics shown. You may need to use something else to find the flag still
Thanks yeah I just needed to know if I was looking for the wrong thing. I'll figure it out!
- 1 Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.
AD Enumeration & Attacks - Skills Assessment Part II
Can someone please tell me how? I tried winrm, psexec, RDP; I can't get into DC01. I'm on the administrator account :SAD:
I did it...
Finally... I completed them......
I'm 70% complete.
How long will it take to complete all?
Command Injections
onwards
command injection is fun
Footprint Module
DNS
What is the FQDN of the host whose last octet ends in "xxx203"?
I am stuck on this question. I have tried all the domains I have found on the right side and none of them give me an answer with the fierce-hostlist.txt list, only the main domain.
Can somebody help me 🙂
Your screenshot has a huge spoiler in it so you'll want to remove it.
Why are you so many subdomains deep? You might make more progress starting at the top.
@sinful drift Retract then redact your images.
I'm on week 24 and 99%. I believe 70% was something like week 15-18..
Can't wait for my 26 week badge
Hello guys, I am checking msfvenom, but I only find it in the METASPLOIT module. I have an exercise for university where I have to make malware which only gives a reverse shell, inside a legitimate program (for example zoom.exe). So I also want Zoom to open and the revshell to run. I got 11/70 on VirusTotal, something like this. Do you have any tip? Is there any way to get it to 0/70? Or 5/70? Is there another module that covers these tactics? Any YouTube video? Thanks a lot.
Not the right place. Check the course material from your school.
There is not really course material... I was sent here to the modules, because I was reading from the modules ;p
How is there no course material for a university?
Ahahahah, there is no course material for malware development + avoidance.
Then why'd they assign you that?
Ask the professor how they want it done based off the course material.
He said we should look for it; 15-20/70 is okay, but <10 will get extra.
I think the new module HTB launched is about this, ahhaha.
yeah and people can help with the module but not your homework
relax bro
what do you mean? i answered your question
cool,thanks
np
The new module is about teaching AV evasion fundamentals with a focus on MS Defender. What it doesn't go over is getting the lowest score on VirusTotal.
thanks 😄
If you use xfreerdp look into the /drive parameter to directly map a folder of your attackbox onto the windows machine
Then you can just copy paste
How do I decrypt it?
2john?
yes
Ugh, the Academy Password Attacks / Pass the Ticket module has expired tickets or something.
I keep getting a connection timed out error when trying to download packages. I know it's not my internet because I have no issues with my own Linux with my own VM.
Have you run --fix-missing?
NFS is probably already installed on the Parrot box.
It won't connect to the repository. It's just not working.
^ Try to locate that. I'm using my own Kali box so I don't remember if this is installed or not in the HTB Parrot distro.
@uneven oracle Can you ping to google for example?
Yes I can ping google.
It seems to be an issue connecting to the repository.
Yeah looks like it's not responding
You tried it on your pwnbox?
Is that NFS server already on your host?
I don’t believe so.
No, I'm just agreeing with you that it looks down. I'm using a Kali VM i moved from the parrot box a while ago. I prefer kali
Me too, but I was having issues with openvpn.
What was happening?
It just kept freezing when navigating through files.
I don’t really know how to change the config.
I just downloaded the provided HTB vpn file and connected.
in the module page where it says "VPN Servers" use a different VPN server and download that connection file
US-1 has not given me any issues
I believe that's the one I was using. Idk why I keep having problems.
Try US-2 perhaps? I'm unsure what the issue is for you
You say you're using the pwnbox, are you referring to the in-browser vm?
Because in the in-browser vm you don't need to download/run the vpn
My pwnbox/in-browser vm doesn’t seem to be able to connect to the repository.
When I use my own kali vm via openvpn, it keeps freezing.
Are you on the free plan? Works fine on mine.
There's a free Academy plan?
Also regarding using your own kali vm: go to network manager --> tun0 connection --> ipv4 settings "only use resources on this network"
It's the default when you don't spend money
Yes.
Well why is mine broken? 🤷🏽♂️
That's why
Free users have very limited network access with the pwnbox
It should work in your own kali vm since they're both Debian based
Geez, I can’t even get through the free fundamental module? 😒
really?
¯\_(ツ)_/¯
No need to be sassy lol. Installing NFS isn't required.
It should come with all the tools on it; I'm surprised NFS isn't already installed anyway.
Can anyone help me view the attlog.dat file?
I'm on a 'free' plan and I can ping google from the Pwnbox without issue.
Connecting to nfs is, via mount
Have you spent money on academy at all?
I’m not sure what you mean. Is this via the terminal?
If so, that sets a flag on your account
Via gui
Interesting, never knew.
Yep
I don’t see network manager.
I know. But I don’t know where these options are.
Yep. It basically lifts the restrictions, including spawn amount
On kali, it shows your ip yes?
In like the top right or bottom right
If I run ifconfig
No.
Hm I don't have much experience with kali tbh
Ah you have the zSec download of it instead of the official download
Which is why things look diff
Yes
But I should be able to find what you’re talking about. Idk.
Yes
This looks like what you were talking about, but it isn’t specifically referring to tun0.
That's setting a new profile
There is something wrong. Even with the pwnbox limitations, it won’t connect to the repository at all. I can’t download any packages.
Again, what module and section? If it's asking you to use NFS, it's probably already installed.
Could be a difference that HTB overlooked in a parrot update
It's not
Doesn't the Pwnbox come installed with everything you need?
The pwnbox is a static config across academy
Linux fundamentals.
Network Services.
It’s not installed.
It's not dependent on which module you're working on
Most things.
Right, but it should include all the tools.
It includes most tools
Not all
Creating an nfs share isn't required for the module
This is purely an example of how you would set one up
Common misconception
It contains a lot of the normal offensive tools, but not a lot of the other basic tools
The HTB platform isn’t quite as cohesive as I would hope. It’s not flowing smoothly…
Small hiccup for you; most other people get through it fine ¯\_(ツ)_/¯
I'm also assuming your Kali is updated.
It's pretty up to date.
¯\_(ツ)_/¯
Either way
The vpn connection shouldn't freeze your vm
I've heard it doing dumb stuff requiring you to set the option to only use network resources
Idk what that’s about.
I wish I were able to follow your instruction to fix it, but I don’t see this options.
tun0 is the interface given when you connect to the VPN.
Are you connected to the VPN? I just connect and have no issue connecting to the course resources.
You have an interface in that menu regarding your local/regular interface (generally eth0)
Yes, but this is to set the interface to only use resources on its network.
After connecting via terminal
So what do I do after connected?
Go back to that network menu,
identify the VPN interface,
select it,
set "only use resources on its network".
I’m still not seeing tun0.
Click on vpn?
Probably install the regular Kali.
Ugh…
But can you show your terminal that shows you have the tun0 interface?
Just use the terminal to connect to the VPN,
and use the terminal again to verify the connection.
Yeah, my steps apply post-connection; to see if there's a (known) issue with the VPN overtaking the regular connection.
On top of that, why would you choose a custom VM image from 2 years ago over the official one that is up to date?
They likely got it from the Udemy course.
Is that safe? 👀
tun0 --> tun1
Sounds like you have multiple VPN configs running,
and I'm seeing tun2 there.
sudo killall openvpn
Idk which one is my full public ip… 😳
Also: don't run around your system as root.
None of them are.
This is how he has us doing it on the Udemy course. Idk…
Well, don't.
It's extremely irresponsible to run around your system as root.
You can very easily and accidentally break your system doing that.
Now what?
Check ifconfig to see if it killed all the openvpn connections.
Also try installing the NFS tool on Kali.
Well, yea I imagine I’d do some things a little different if it were not a vm.
Never a good idea to be root user as a main account
Especially since most people don't change the default root password on their installs.
If its a box you revert then whatever, but generally speaking it's not recommended
root:toor
root:parrot
kali:kali
Well, that's for the standard user.
Yeah, I know haha.
I'm more specifically referring to --> root
I know, I just felt like typing it.
Which is more dangerous.
I don't know how to identify the VPN connections, but it looks like less stuff popped up.
VPN will be tun.
tunX
As it's a split-tunnel VPN.
Ok. Well looks like the connection was cut.
Yes.
Now reconnect and try pinging the target.
The reason it freezes is because by having multiple tun interfaces it has no idea which one to bind the request to, since they all can access the same resource.
Ping the target?
I think it’s working.
That's the bare minimum basics of testing a connection.
If you're getting a response from the IP, then it's working.
I’m going to try ssh again. It freezes when I ls the etc directory.
Weird.
¯\_(ツ)_/¯
But anyway: if there are no questions related to the section, the reading is purely informational.
Do you have enough resources to the VM?
I can’t figure out how to change that…
I would still recommend using the regular version of Kali. With your distro being so out of date, you're bound to run into issues moving forward.
Frozen
Looks like you're connected.
Purely informational…
I’m thinking I need to master all the given material.
What specific section are you working on?
You don't.
There are times where they give you examples and configurations to worry about,
and then showcase how they take advantage of it.
Well that’s an older section.
But whenever there is a section that requires ssh into host, it doesn’t work well and freezes at some point.
Then change VPN region; there should be a spot on the page to do so.
And frozen.
Steps to change after you get the new connection file: kill the current VPN --> download new file --> run it.
I’ve tried that. I’m on the one closest to me I believe.
Yeah, again, the freezing could be a myriad of things, and you really strongly need to consider installing a modern non-custom version of Kali.
Running ls locally looks to me like an issue with VM resources.
That's not locally,
ya goon.
Hang on.
That's a remote system.
If all else fails: message support.
¯\_(ツ)_/¯
This bubble in Academy; if you don't see it --> disable VPN.
I’m tired lol.
I’ll try later on my Ubuntu vm. See if it’s the same.
I was having an issue logging in on there tho…
They're gonna be better at actually working with you to resolve an issue.
I’ll check in with support.
Well, if you're using the same config file it could be the VPN region that's giving you the trouble.
You don't have to use the closest one to you.
You’re great tho… 🙂
The ping difference is often negligible.
Well yes, but on a technical level, if it's purely related to a box connection --> then support is the way to go.
To test if it's a connection issue:
ping the host --> let it go for around 2-3 minutes --> see if there's large variance in response times,
i.e. random 5k ping jumps.
I’ll try different ones.
Sometimes some servers just get messy for a bit and work fine later.
How long you been doing this?
You certified?
Well you seem to know quite a bit.
Why no cert yet?
Life circumstances forced me to change priorities.
I see…
Well I hope the best.
I would like to ask why the password for cracking SSH is the same as the password for cracking FTP. Is this a coincidence, or is it just a coincidence?
Hi, anyone have some hints about the first step in the Game Reversing and Modding Skills Assessment? I found a way to play the game, I jumped straight to the playable scene, but BepInEx says that the token (JWT) is null and no requests are made to the server. Either I have some misconfiguration regarding the scoring server's IP and port, or this is not the intended way and I jump to the playable scene too soon and thus skip the login process. I tried to insert the load scene method call in multiple spots to try to be after the login process, but the result was the same. Any help would be appreciated.
Thank you!
Password reuse.
Often on the same device people will reuse the same password for things.
Does the same on Ubuntu.
And that’s the standard image.
Please, I need help. I still can't start my Pwnbox.
'You have used your allowed pwnbox time'
It's been more than 6 days now.
Message support.
If it's Academy, that time should reset daily; if it's the main platform, you need to upgrade to VIP/VIP+ to continue using Pwnbox.
Suggested solution: just set up your own VM.
Need to speak to a person? Learn how to reach our support via HTB Labs.
Thanks
Hello team, can someone help me with the BROKEN AUTHENTICATION module, Brute Forcing Passwords
section?
Good morning guys, a question I have about all the machines: can brute force tests be done on them?
Whether a BruteForce attack will be successful depends on the module. In most cases you will not achieve anything with it.
What exactly is not working?
I can't find a password.
Can't brute force it.
Stuck here 3 days, tried all things.
If you did that section, can you help me?
Have you tried to find out the password rules?
Yeah, I sorted rockyou 50
with that policy,
however it showed only 3, 4 passwords and I tried all of them,
but no success
There should be more than 3-4 passwords left
sure, send me a DM with your found password rules and how you filtered the file
What does Pwnbox use to view docx?
Anyone doing the Windows Evasion module? I am on the static section; my binary has evaded Windows Defender, but the flag isn't created?!
I don't think there's any program that can do this job, for some reason. In the module where I needed to open a docx file, I googled around and found a web page that could open these files for me.
Rebooted, still the issue with flag generation persists.
You have to compile it to x64 and select Console .NET Framework when choosing a new project.
And also use Release mode when building.
You can install something like LibreOffice or OpenOffice to read them.
Because of the timeout.
Yeah I have taken care of those build instructions
Hello, I have problem at Password attacks module, Protected files section
When I run ssh2john.py I get this error:
Traceback (most recent call last):
File "/usr/share/john/ssh2john.py", line 193, in <module>
read_private_key(filename)
File "/usr/share/john/ssh2john.py", line 103, in read_private_key
data = base64.decodestring(data)
AttributeError: module 'base64' has no attribute 'decodestring'
Are you using the right Python version? Sometimes I get similar errors when running a script written for Python 2 using Python 3 and/or vice-versa...
A lot of the 2john files are written in Python 2.
Python 3.9.2
Ah, then try Python2, as pointed out by MarcieLee
IIRC 2.7 works.
A lot of submodules were changed in 3 and even 3.9+ (btw, the latest Python is like 3.12).
Hmmm so I need to install python 2?
Yes, seems likely
Yes.
What does the shebang in that script say?
the base64 subprocess no longer uses .decodestring
Password Attacks Lab - Hard
How do you mount the last step? I don't know how to do that at all.
Why won't it work??
You have to send it over to your Linux / Windows VM and mount it there.
Plenty of guides linked in the Discord on how to mount it in Linux.
You are using .NET 8
Yeah, I wouldn't follow GPT for this.
https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0 @pliant coyote this is what I followed that worked
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
Also, did you mkdir /mnt/vhdmount?
This is wrong @polar widget
If you didn't, then that's why it's not recognizing vhdmount as a mount point.
@kind turret (mostly because I'm too lazy to check) I'm curious, does the guide for the Password Attacks - Hard Lab include steps to mount in Linux / reference any article?
lol
I just looked and it mentions using losetup; interesting (for local loopback). It all works virtually the same after.
Neat!
Which section of the module is this in?
Thanks for pointing out! I was wondering that same thing
I'm referring specifically to the Write-Up for Password Attacks - Hard.
What?! I'd love to know the details on that.
It's similar to the dislocker/qemu-nbd method, but instead of the nbdN partitions it creates loopN partitions.
¯\_(ツ)_/¯
Pretty quick imo.
That's it? mnt the rest?
yep basically once you do the dislocker -u<password> you mount that to another mountpoint (so requires 2 mnts) and it's accessible
the guide makes mounts in /media/
Interesting, I'll have to give that a try as well since I used also another tool
ye
losetup is as simple as losetup -Pf <file>.<ext>
and it should create the partitioned setup on the first available loopN device
the rest is just using dislocker to open and put it on your system to read
here's the man page for losetup https://man7.org/linux/man-pages/man8/losetup.8.html
Ty
SAM and SYSTEM are good files :)
(also it's never recommended to mount anything to your home directory)
but since you're on pwnbox it's not as big of a deal
just don't go making bad habits
just to give you some hope: you're in the home stretch -- this is the last set of things you need to do
Why is the NTLM I cracked out this
Have you tried pth
Not sure why you’re trying to crack
I'm trying to run proxychains (nmap) on the final challenge of the pivoting module...and I get this error - dig: parse of /etc/resolv.conf failed
I'm used to cracking passwords because here's the chapter on cracking passwords
it can be cracked
using the right pw list of course
Please help me Marcie.
It’s the password attacks one?
you use the mutated list for this
yes
Ah I see
Does anyone have any idea why proxychains might not be working?
sounds like your conf file is messed up
I've got socks4 127.0.0.1 9050 in /etc/proxychains.conf
i also don't recall using dig for it
I didn't use dig, I just ran proxychains.
I'll reset the box.
It's really annoying because I have to shutdown my computer to make the error stop looping.
¯\_(ツ)_/¯
also having you say "Just ran proxychains" doesn't really help much
like you just did proxychains?
no other command following it?
finally
gg :)
proxychains nmap 172.16.5.35 -Pn -sT
Then it spits out the dig error and a bunch of [DNS-request]: IPv6 address blah blah blah.
Definitely not the proxychains conf file.
add -n
Where?
I have to shut down my computer every time this error occurs, so I'm not wanting to experiment a whole lot.
to the nmap command
but also; why are you scanning that IP?
it sounds like something in your setup has gone wrong somewhere
That IP turned up in the ping sweep.
So, just a question: what are the thoughts on the LockBit guy they offer 10 million to find?
not relevant to this channel
read and follow #welcome to access more of the server
Apologies I thought I was in general
i doubt it's an OS issue
might be a layer 8 Issue
I'm playing with the proxychains conf file.
¯\_(ツ)_/¯
LOL now the payload won't work...
Segmentation fault (core dumped)
Cute.
Well, figured that out.
with a simple dynamic chain i was able to get it to work just fine ¯\_(ツ)_/¯
Yeah well, now when I go to start a proxy server in Metasploit, it starts and then stops immediately.
Any ideas for that...?
- 0 Try adding any of the injection operators after the ip in IP field. What did the error message say (in English)?
Command Injections
Page 2
Detection
Detection
I'm on Firefox and I do the IP and then the ; and it doesn't give any error message, it just shows my cmd, why?
auxiliary(server/socks_proxy) >> run
[*] Auxiliary module running as background job 0.
[msf](Jobs:1 Agents:0) auxiliary(server/socks_proxy) >>
[*] Starting the SOCKS proxy server
[*] Stopping the SOCKS proxy server
i used ssh -D for it ¯\_(ツ)_/¯
Have you got any new jobs in metasploit?
LOL good point @fathom pendant
I'm not sure. How do I check/stop them?
Recently I faced a similar issue and restarting my Pwnbox helped.
But jobs (in pwnbox) are displayed near the enter field
Also you can use jobs -l
No active jobs.
Can anyone help with the skills assessment on sqlmap? i keep getting empty responses when dumping the database
You're using Pwnbox?
Write the question here
yo is the show step by step buying annual worth it?
meh
ic but does it give the steps to how to do it?
it requires a combination of techniques with sqlmap to get it to output
yes, but it doesn't hide anything - so you could very easily cheat by doing so
i c
¯\_(ツ)_/¯
imo i've had little issue with following the course content and getting answers
No one is going to guide you through the real world penetration test
the Write-up/solution is there for me if I want to double-check if i'm missing something
So. It may help, but not too necessary
i mean bruh ive wasted hours cause of some dumb system technical stuff
when i was doing right ting
if you're sure you're doing it right -- reset the lab -- wait a few minutes -- then attack it
Many people have completed many modules without it. If you don't like reaching out to others and are hard stuck and researching the problem isn't providing results then yes I can see it being worth it. I'd only use it to see how my solution compares to theirs which can be valuable as well.
^
i've used it to double check if i missed something if I feel a command is taking too long to complete
Command Injections
Page 2
Detection
Detection + 0 Try adding any of the injection operators after the ip in IP field. What did the error message say (in English)?
i put in the ip and the escape sequence
and no error pops up even though im doing right ting
VPN failing for anyone else?
then i add cmd after and my cmd pops up
it's just asking for you to input any injection operator
i did it works but theres no error
i did just the operator
i did all the operators after ip
no error msg im on firefox...
it's not gonna be a full popup
ik im on burpsuite
it's literally asking you to do it in the input field
im looking at the html code no error
you don't need burpsuite
think; it's like trying to type something invalid in some forms
the response is on the client side, you're not gonna see it in burp
so again; not a box issue -- a you issue :)
😦
you need to take a step back and read the question carefully at times
"in the IP field" meaning in the textbox where you'd put the IP
tru
you're doing something that's likely meant for a later portion
after you discover your input is being sanitized or detected in some way
proxychains nmap 172.16.5.35 -Pn -sT
|DNS-request| fe80::de8d:8aff:fe52:ed88%wlx788cb5a00b21
|DNS-response|: fe80::de8d:8aff:fe52:ed88%wlx788cb5a00b21 does not exist
dig: parse of /etc/resolv.conf failed
D-chain|-<>-127.0.0.1:9050-<><>-172.16.5.35:3389-<--denied
Nmap scan report for 172.16.5.35
Host is up (0.000031s latency).
All 1000 scanned ports on 172.16.5.35 are in ignored states.
Not shown: 1000 closed tcp ports (conn-refused)
So we're making a bit of progress, it stopped looping.
Got to 4chan.org/b/
it worked for me ¯\_(ツ)_/¯
i mean literally just dropped the nmap scan with proxychains and it worked
i literally just ran through this skill assessment and changed nothing in my conf files
and it worked
Well, guess I get to format.
¯\_(ツ)_/¯
It's just really weird.
spawned a fresh lab and was able to still do the same ¯\_(ツ)_/¯
idk why your proxychains is doing a DNS request
it looks like it's checking your /etc/resolv.conf for some reason
I’m at Password Attacks Lab - Easy
Any hints please? I tried Resources, mutant list and rockyou, used hydra to brute force ftp
what is your command
root is not going to be your entry point if you're trying to bruteforce that way
hydra -L username.list -P password.list ftp://10.15.65.20 -t 64 -f
drop to -t 48
Examine the first target and submit the root password as the answer.
I don’t know who first target is so I used username.list too
also since the username list is much shorter it's faster to do -u
64 threads tends to break the ftp service and drop packets
yes; even if you're using the pwnbox
I tried this but didn’t get anything
Wait really ? Isn’t -u when you have a username ??
no
-u goes through the username list and iterates instead of the password list and iterates
I fucking hate password attacks
at the final hard one but it's getting on my nerves really
maybe it's a sign to take a breather then
what's getting on your nerves about it?
netbios keeps timing out and figuring out Johanna's password from mutated list would take a quadrillion years
i have a problem in the file upload module under whitelisted filters. here is the problem: when i upload a file using the reverse double extension method and try to access the reverse shell AFTER i fuzz it using the intruder in burp, i can only access the file extension without the first name and get a blank page with the reverse shell itself without being able to interact with it. i've got on burp that the two files were successfully uploaded and so far i've managed to access both but with the same issue. i've used the simple-backdoor.php payload in kali linux located in /usr/share/webshells/php/simple-backdoor.php
it really shouldn't
it's fairly high up in the list tbh
iirc i brute it with winrm
not with smb
I switched to my Kali box and now the VMs keep shutting down.
¯\_(ツ)_/¯
Yeah, just one of those days. Got it working now.
Totally different box...
Now giving me 3389/tcp closed ms-wbt-server
I used ssh -D
I was able to get NMap to run through proxy chains, but every port is showing as blocked.
What a joke.
Whenever you start a windows lab you should generally wait a few minutes for the services to start up
Still showing closed.
Two boxes, several restarts
Kali and Parrot both say the same thing.
I sure hope the actual test isn't like this. Because this is extremely frustrating.
change vpn region and try again ¯\_(ツ)_/¯
like i said, it worked for me idk why it's not working for you
I don't know either. I've used two different boxes, restarted a couple times, dozens of VMs...
And now the boxes won't even ping.
change vpn --> terminate lab --> respawn it
All the VPNs are giving me a ping time above 600ms.
Is that normal?
Maybe my Internet is screwed up.
depends; if you know your average and it's above that then no
is it a stable time above 600?
if so that's manageable
if it's unstable then definitely no
I restarted my modem, yeah the ping is now down to 120ms.
xfreerdp isn't working through proxychains either.
I'm going to try another lab for a sanity check...
And if that works I'm going to write a very nasty email.
It should
Make sure you type the ip correctly
Is the pw wrapped in single quotes?
Hmm
Anyone have issues with the metasploit socks proxy server with proxychains? It starts the SOCKS proxy server and right after that it's already stopping the SOCKS proxy server. I'm using both at the same time, ports 9050 and 1080. I use 1080 for metasploit and 9050 for SSH dynamic tunneling. I think the issue is that the proxychains command always tries to use the first port in the list in the .conf file. Is there any method to choose which port the proxychains command uses?
Got it.
I established the -D connection via SSH.
Let me try proxychains now.
Port 3389 is still showing as closed on NMap... Even though I'm using the -Pn flag.
Is that an NMap problem?
Maybe, if you can rdp it's open
Right. Well now I'm just letting the scan run fully to see if it lists the port.
If it lists the port... As least I can test it.
Now it's showing open, hmmm
Well, it's been an adventure, Marcie. I really appreciate your patience and the sanity checks.
Have a good rest of your weekend.
Little effort went into making the ffuf module; due to this I would appreciate some help from some peers
No context is provided for fuzzing of the parameters
In the examples they use the FQDN admin.academy.htb:port
I'm not sure where to fuzz at this point
I think they give plenty of info
They do not
The problem is that you're given an IP; any new student will not understand how DNS works
You can fuzz a subdomain unless there's a record for it
Look at the full command, they specify -H "fuzz=key" --> -H "<fuzzed_param>=FUZZ"
If you're given a subdomain then you put that in your /etc/hosts
In other examples they have sub.inlanefreight.com this works because it already exists on the internet
No sub is given
ip domain
Yes I've been recursively fuzzing looking for an extension with php for an hour
Without anything applicable
If you need to fuzz for a subdomain then you put the FUZZ at http://FUZZ.domain
Look at the example given
With no enumeratable subdomains for obvious reasons
So... add it to your /etc/hosts
Yes I've done that
When you fuzz with it you do http://url:port
You don't include the port in the hosts file
I'm sorry, I'm not trying to be rude, I'm just very frustrated with this, man. Like, I get it, you're community, but I really believe there is a lack of context for this challenge
I just did this the other day with no issues
It gives you the full uri of http://admin.academy.htb:port/academy/admin.php?FUZZ=key
I got it
Then you just need to determine the fs that would yield no useful info
Yeah specially after rolling through the module then hitting brick wall
Messes up the flow you got going
Thanks @fathom pendant
Good evening guys, someone who knows about vulnerabilities, could you tell me if this text shows any vulnerabilities?
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3f:d6:c3:c5:f9:20:4e:37:76:15:f8:31:f1:8f:55:9d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGX+sgrYOhdqxwGagOyGEOyYGRk8CCmuJkUYwUb6iLYM768wKrKHSpAexT54tw1YrQQBATfV66j+xz9oFt0isls=
| 256 5e:aa:a4:e6:5b:d7:40:c0:0c:ad:e5:ff:61:c7:91:0e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIbjDG+DkDWrXksvoE+kkgxN/owCQxHNSLCqHm4Zn4q5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
What are you talking about?
This channel is for help with academy modules
a ok sorry
And helping the occasional lost soul find the right channel (by reading and following #welcome )
Hey guys do you know why its not working?
PS C:\Users\administrator> Get-ADUser -Filter {Name -like 'Robert'}
Get-ADUser : The server has rejected the client credentials.
At line:1 char:1
+ Get-ADUser -Filter {Name -like 'Robert'}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Get-ADUser], AuthenticationException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.Security.Authentication.AuthenticationException,Microsoft.ActiveDirectory.Management.Commands.GetADUser
how do i install the cheat
The question is: Connect to the target host and search for a domain user with the given name of Robert. What is this user's Surname?
Your command is full of errors related to authentication, and specifically says "the server has rejected the client credentials"
But how can I do it? The hint was to use Get-ADUser with a -Filter?
try a username/password combo that will authenticate
mb was connected on wrong host ^^
thanks 🙂
Heyy wsupp
I have searched every .json for the text .DOCX and nothing. Do I have to contact j0seph myself and ask for the name of the .DOCX
wish i could help you more but i don't have access to my notes
thanks anyways
└─# ffuf -w ./subs.txt:FUZZ1 -w /usr/share/wordlists/seclists/SecLists-master/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://FUZZ1.academy.htb:31985/FUZZ -recursion -recursion-depth 1 -fs 0
:: Method : GET
:: URL : http://FUZZ1.academy.htb:31985/FUZZ
:: Wordlist : FUZZ1: /root/subs.txt
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/SecLists-master/Discovery/Web-Content/directory-list-2.3-small.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 0
________________________________________________
[Status: 301, Size: 337, Words: 20, Lines: 10, Duration: 85ms]
* FUZZ: courses
* FUZZ1: archive
[INFO] Adding a new job to the queue: http://archive.academy.htb:31985/courses/FUZZ
[Status: 301, Size: 337, Words: 20, Lines: 10, Duration: 85ms]
* FUZZ: courses
* FUZZ1: faculty
I'm struggling to finish the module ffuf, skill assessment section. Is anyone able to identify something that could possibly be setting me up for failure here that is familiar with the module?
Or share a hint that I'm possibly missing
I shouldn't have to specify the file extension, right? I would assume that's irrelevant
Potentially, could a directory with file size 0 that contains additional pages be missed by my -fs 0 setting?
yes you'll need to specify the file extensions
you found ||3|| file extensions yeah?
yeah currently looking for the page then so on
i believe it's -x .ext1,.ext2,.ext3 to specify extensions
or it's -e
i genuinely forget for a sec
I think its -e
It's just that this scan/fuzz has been going on for a while now
and the expected requests is 1Mil+ plus 3 jobs
I don't know, I was thinking that usually an HTB bruteforce is pretty quick
usually is :) what question exactly are you on?
i'll give you another hint: you only need the subdomain that returned all found file extensions
Having some difficulty with the format for the answer of the last question in "Web Server Pivoting with Rpivot" within the Pivoting,Tunneling, & Port Forwarding module. I'm running "proxychains curl -v 172.16.5.135" and there is basically a variation of "I Love Proxy Chains" in the title header(?)....and copy/paste from there directly into the answer field is giving me an "incorrect answer". I've ensured no extra spaces at the beginning/end of the string. Any thoughts on what I should do here?
did you use dir-list-2.3-small?
i believe so yeah
any tips for skill assessment command injection?
i don't think there are any broad tips, the module goes over the material really well so make sure you take good notes
change vpn regions
I also have difficulty getting a target VM to spawn for this module. RIP
Try what Marcie suggested^^
Would there be C module in the future?
i am doing ATTACKING COMMON SERVICES - Attacking DNS. i am using subbrute and i added the ip address to resolvers.txt, but it's been two hours and nothing came out. can someone tell me what went wrong?
Hi everyone! I was wondering if someone could nudge me on the Advanced XSS and CSRF skills assessment. I can make the CSRF callback to me, but can't do much else with it. Not quite sure why this is... if anyone could clear this up for me it would be greatly appreciated 🙂
it would help if you share your full command
python ./subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt
it should work as long as you didn't edit the names.txt file
show cat resolvers.txt
if resolvers.txt was incorrect it wouldn't run at all
also if it's been 2 hours it's likely the target is dead at this point and needs to be respawned
cat resolvers.txt
10.129.203.6
in which case you'll need to update the resolvers.txt to reflect the new 10.129.x.x ip
the target is alive i think i extended it
i got inlanefreight.htb and hr.inlanefreight.htb
and did you try doing a zone transfer to any of them?
:P imo if you're waiting for it to finish it's gonna be a bit (wc -l names.txt to see how big that list is)
the names.txt file is 101 entries long
Just as a reference in case anyone searches the channel for the same problem with this module...I ended up terminating and starting up the target again which resolved my issue.
how is everyone doing !! Is hacking going well or anyone over thinking it like me lol !
again you have some domain names and subdomains that's already been discovered
i don't recommend waiting the whole time
you can check those as you wait
Honestly you are great, always helping. i take you as my mentor, please accept me as your student, master!
not taking any on atm, got a lot goin on
i will wait on the line when you can take me, while waiting i will keep learning to improve myself
get in line boyo
i tried host and nslookup. nothing came out
Maybe dig a little deeper into some other tools?
What command did you run in the end? Redact the domain.
dig AXFR @10.126.xxx.xxx
you mean dig axfr @ip domain
i need help
it helps if you provide context what you need help with
we aren't mind readers
yes
I want to find my friend. He's been missing and all I have is his email address. I do not know his name, I need to find out his name
anyway you got the answer via a zone transfer to the subdomain
this isn't the place for that
read #rules
it falls under illegal
dont have time to read that my man i just wanna find my bro
not to mention we err on the side of caution here what with "my friend" or "my girlfriend" type shit
missing for weeks and months like holy shit
well i'm telling you
this isn't the server for that
if you have any mutual friends reach out to them, or know someone that knows them irl
but this server isn't for finding people
no, i don't have mutual friends. We've just been online friends for years
sucks cuz we never gave each others real names
as much as it sucks, you're requesting an illegal activity
i know a good portion of my good online friends real names
don't get scammed if your 'friend' comes back and needs money
go pay a PI to find him ¯\_(ツ)_/¯
As Marcie stated that was a zone transfer, you can read up more on that as I don't think HTB really explains that.
it's gone over in the footprinting module
iirc the dns section of that module goes over finding basic info with zone transfers and such
It is but from what I recall not enough if you're not familiar with all the ins and outs of dns
it gives a decent enough overview considering DNS isn't that big from what i've seen
I just wanna find my bro, im not gonna pay a reverse search just to find his name.
this is the last time we're telling you, stop asking
no, and not the right place
you can go to the authorities that's it
I get that you found this server by just searching "hackers" but at best you're gonna get scammed
and no one is gonna take pity on you for free
"just pay for a reverse search" then do it yourself
you're all concerned and shit - do it yourself ¯\_(ツ)_/¯
Be advised that this server is not for unethical activities
Hi folks, has anyone tried the Solutions feature in Academy? It looks like annual subscribers can access this feature, which provides step-by-step solutions for all questions.