#modules
It's an alright feature: I honestly only suggest using it if
- you feel like the process you're doing is taking forever
- you've already tried getting some tips from this channel
- you just wanna see if the Author did something different than you to get the same answer
the writeup doesn't necessarily explain the reasons for some tools (some of them are more obvious than others)
and if you ever want to give feedback or suggest a fix for a writeup that you're looking through #1234357888114364508 now exists and has the "writeup" tag for you to use to suggest
Thanks for the info. I thought the authors’ answers would be the most efficient and the right way to access the solutions so I wanted to see for that reason and although most of the times I can find tips and decent explanations to questions, sometimes it literally takes forever to find the right answer.
it just depends tbh
there's multiple tools that do the same or similar functions
and sometimes one works and the other doesn't
You’re right tho. Looks like I’m gonna stick with my monthly subscription hahah. Thanks partner
no problem
it's a better feature than what they were attempting previously, "1 on 1 discord help" Which relied on staff to message you... and you to see the message
so you can see how that works out
I thought so too
a fair bit of my criticism is mostly nit-picky regarding it; overall if you wanna be sure you're doing the right thing - it's the way to go
Hi everyone
I have made a deposit on a trading account
Now I can't withdraw without the admin authorisation
what module?
It's a website
no one here can help you with that, reach out to the website support
Please help me withdraw it
this discord is related to the hackthebox platform not trading software
I want to hack it
<@&861185840277487616>
smbclient -L //10.129.160.13
Password for [WORKGROUP\root]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.160.13 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
@obsidian adder (this isn't me offering to help you hack) but I sent you a DM, I am desperately trying to save you from yourself here
I'm sorry this has happened to you, and I hope that everything will move forward as smoothly as they can. I also have a sense of morbid curiosity about this as well
the other thing is i'm morbidly curious about the link, if not to at least report it
it's why i requested it in DM
since sharing it here would be unwise
I found WordPress setup page but Idk where to go next
I already fuzz every and it only had css
Hello guys. Hope all Ok here. I need some help regarding the last assignment of command injection. I have been trying for days now but can't seem to find a proper entry point. I have ideas and some behaviours but can get that malicious command error message to pop up. Any help will be welcome. thank you
Have you clicked on every link watching it through Burp Suite?
smbclient -L //10.129.160.13
Password for [WORKGROUP\root]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.160.13 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
anyone help i can't fix that
yes i have. I have the different functionalities that are being received for move copy or cancel e.t.c. I am trying to implement a &ls or ;ls at the end but can't seem to find any place that I see some change. I implement the injection at the end of the GET request link before sending for response.
Send me a DM
Can someone explain the problem to me? I am a beginner and this is my third lesson, and I have been trying to solve this problem since last Thursday
mr echo
looks like you're trying to access a SMB share
to access the SMB service you need to have the right permissions. sometimes guest or anonymous users can have permission to read or even more dangerously write files to the share
i see you're trying to access it as root, that might work sometimes, but other times you may need to use 'guest' or something
also keep in mind the -L flag you're using lists the shares, and it looks like you successfully listed the share folders. the ADMIN$, the C$, and the IPC$ are all default shares that generally can be ignored, I would focus your attention on the "WorkShares" share, and see if you can list the contents of that folder and maybe get some information
if you say what module and what section you're on you'd probably get better help
HI everyone! Is anyone willing to nudge on the csrf and xss advanced skills assessment? I'm not understanding why what I'm doing isn't working
Where are you stuck?
or just -U ""
can I msg you?
yeah
🙂
generally if you're trying to test a Null/Guest login you'd use smbclient -U "" -N //ip/share and if it succeeds then good :D
to just list you would add -L which lists then exits
it also helps if you provide the module and section you're working on so we can have more context
android app?
what academy module is this in reference to?
Yeah
HTB doesn't have an android app
Oh sorry, wrong subc
thank you so much
Hey guys,
i´m currently stuck with "RDP and SOCKS Tunneling with SocksOverRDP" in the "Pivoting, Tunneling, and Port Forwarding" module. I just can´t connect to the windows hosts. Anyone else with this problem lately? I tried tcp and udp vpn and pwnbox. Nothing works
you can connect to the pivot host though? make sure to give a good 3-5 mins for the windows environment to fully spawn
can't connect, or blackscreen?
Sometimes i can for a short time, then the connection dies. Yeah i´m waiting that time every time
Can´t connect :/
Neither with tcp or udp
xfreerdp /v:10.129.42.198 /u:htb-student /p:HTB_@cademy_stdnt! /cert-ignore /bpp:8 /network:modem /compression -themes -wallpaper /clipboard /audio-mode:1 /auto-reconnect -glyph-cache /dynamic-resolution
[04:58:11:339] [6399:6400] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[04:58:11:339] [6399:6400] [ERROR][com.freerdp.core] - failed to connect to 10.129.42.198
And even if i can connect, the connection dies within 15 seconds or so
lol you got a lot going on there
Support advised me to try this 😄
i'd add /timeout:100000
i can try that
error doesn't seem related to that though
are you trying to rdp into the victim host you spawn, or are you trying to proxychain into an internal network?
I would love to proxychain into the internal network, but i can´t even connect to the pivot host
well that's step 1
yeah i know :/
i'm not looking at it, but isn't the first pivot host a linux box?
No the first one is a windows host. And then you get to another windows host. I understood the concept of the module and it seems pretty straight forward (at least i think i do understand it), but i´m stuck here for a week now
so you can't even connect to the first box? even the pwnbox doesn't connect to it? if you have the pwnbox on make sure you're not on the vpn, and if you're using your own vpn don't have the pwnbox turned on
i also suggest wrapping the pw in single quotes
good catch
just as a habit
Oh, that i can give a try. I managed to get a stable connection now somehow, but i did nothing differently, i just respawned the pivot host over and over
Finally got it
windows privileges escalation, section dnsadmins, why does it first not work and then work in the explanation?
it's explained that you need to be a member of DnsAdmins to run it, in this instance
it looks like it's not entirely explained well
but it seems to me that in the first instance you are some other user that's not in the DnsAdmins group
Yes, but nothing has been changed in the description of the membership?
and i also have the same output as in the powershell output
but the command does not work
so i can't follow the description...
it's likely that they are running cmd as netadm
and not as a regular user
i'd definitely post this to #1234357888114364508 for a correction/better explanation, unless ofc there's more context surrounding this i.e. previous sections
wait what, it explains it all in the screen shot
it literally says you can't do it as a regular user, only members of the dnsadmins group are permitted, then goes on to show an example of a user (netadm) who is a member of the group
what's wrong with it?
it doesn't show the switch to netadm
is the problem ig
i understood it to be the case that you're switching to a user with those privs ¯_(ツ)_/¯
it shows 'netadm' as the name
where? (aside from the middle screenshot, which is just getting info on the DnsAdmins group)
yeah there
i understand the logical move to netadm
it shows the user name and the group
^
is the mixup
while many people can make the logical conclusion that we switch to the netadm user, that we have previously attained creds for, it's not immediately obvious
i have creds for the netadm user?😂
Get-ADGroupMember just shows the members of a group
yes
literally at the start of the section you craft and use an msfvenom payload to create the netadm user
ok
literally found your skill issue
read further in the section
wait
hold up i read even further
it literally gives you the netadm user/pass in the question
haha oh shit
reading helps
always check the question for the section to see if there's creds you're missing
sorry my bad
¯_(ツ)_/¯
if they're expecting you to have creds for a specific user; and you haven't either previously pillaged that info, or what have you, then assume it's given somewhere
that it's either A: in plaintext as user:password or B: in the screenshot as username "user" and password "password"
Examine the second target and submit the contents of flag.txt in /root/ as the answer.
I found j***** creds and login it but can’t log to mysql
Any hints ?
Don't install from the requirements and just run pip install keystone-engine. There is an open issue on GH.
How did you achieve this?
I absolutely have no idea.
Maybe the support can tell you what exactly you did wrong
Even though I am blocked for 15 mins , I sure would like to know reason behind this.
Are you using a VPN?
No
Any browser plugins or proxying the site through burp?
What answer format is the dns exf part of detecting windows attacks with splunk looking for? I get hundreds of the *.letsgohunt.online results but it is taking none of those as an answer
At the end of "Introduction to Windows Command Line", the author recommends attempting the boxes in the Beginner track? Is this a good idea? Like could you pwn them with what was taught in the Infosec path up to that point and some google researching?
does anyone have a moment to assist me in finding the right way to go on the linux privilege escalation module. i can share my screen
Good morning chun chine!
NTLM Relay Attacks Skill Assessment - question 4.
Is there a way through sqladm? I been unsuccessful in elevating my computer account. any help for this question would be appreciated
why are my scan results different? is this my problem or HTB's ?
Please help or I will have to do unquestionable things to obtain this answer.
Did it happen while FUZZING or something?
filter your results you're definitely getting false positives
hello guys, can anyone help me with ADCS module skill assessment. i compromised DEV1 serv, and stuck on compromising DC1. i detect that i must attack via esc7, but i don't have a permissions to request and retrieve issue cert request
find the right template to use
I need a mod or something the bot wont let me send messages...
Module XSS. Section XSS Discovery How do I use the payload identified by xsstrike? Any suggested resources that I can visit to understand what a payload is in terms of XSS? Or is the payload identified by xsstrike only showing a PoC?
'><htmL/+/ONMoUSEOver%09=%09a=prompt,a()//
It ended up being right. Idk why they say answer format is "." if it doesn't start with a "."
Okay I got this
guys
i am confused
where are the machines that we are supposed to deploy or so?
like to nmap scan it and so on so i can answer the questions
Which Academy module are you referring to?
At the end of a section within the module ( if there's a task ) there should be a spawn target.
but those targets, i can see the machine
It spawns an IP which is your target.
like i can control it
Send me a screenshot.
sure
Here.
i will send it on private
sure
Hello, can I get an assist on the Intro to Assembly - Data Movement Question.
It says add “mov rax, rap and get the hex value. My steps:
- Edit the m.s file to add mov rax , [rsp] to the bottom of the file. ——2. Compiled the file in nasm and made the .o file. Used assembly.sh to open gdb and run the file. Found the instruction at the end but the hex isn’t working. Any ideas?
There's an intro to assembly module....🥹 
Yup
It is so satisfying completing a module section without using any of the examples because you've done boxes related to the subject already! Module: XSS, Section Session Hijacking
Anyone else finding it difficult to do timing attacks during a solar storm? The response times are all over the place lol
Re this actually um... I can't seem to send the cookie correctly. Does anyone remember the format? I captured the request with burpsuite if anyone is willing to review it in private DM, in respect for other students that do not wish to see the "answer".
I did that one before you can DM me to take a look
I probably used some add on of my browser to add the cookie if it helps
sent a dm @viral jacinth
I keep getting 'invalid json' as a response to this. I even tried copying and pasting the code from the academy module and putting in my own values to see if it would work and it still didn't. Am I doing something wrong? curl -X POST -d '{"search":"london"}' -b 'PHPSESSID=oscjl8mlat3h0fu52ni06q3jpn' -H 'Content-Type: application/json' http://94.237.54.170:50990/search.php
"Active Directory Trust Attacks" section "GPO On Site Attack" , I use this command to add a user : New-GPOImmediateTask -Verbose -Force -TaskName 'Backdoor' -GPODisplayName "Backdoor" -Command C:\Windows\System32\cmd.exe -CommandArguments "/c net user backdoor B@ckdoor123 /add"
However, Instead of adding a new user, I need reset password of the existing user 'gpo_admin' . How should I alter this command?
I tried -CommandArguments "/c Set-ADAccountPassword -Identity gpo_admin -Reset -NewPassword (ConvertTo-SecureString "NewPassword123" -AsPlainText -Force)" but it seems to have failed.
Well think about it this way. The task is executing a command. You can input any command you want. There's a command line to change someone's password, you can lookup the syntax or use chatgpt to get it if you're not sure.
You likely need to disable real-time protection which is preventing the dll from loading.
this was from chatgpt :DD , I will come back to this section later.
you just need to know what to ask chatgpt. try "give me the command line to change a user's password in windows"
Thanks SuperNuts!
In the INTRODUCTION TO WINDOWS EVASION TECHNIQUES Module, can anybody tell me what this question is asking? "What is the full value of the CmdLine which triggered a detection?"
i found the command but idk what form the answer should be in
For HTTPS/TLS attacks, has anyone been able to get TLSBreaker to work for the Bleichenbacher & DROWN and drown exercise? I tried cloning the same version from the course material, but it wouldn't work. When trying to connect to the target or using the pcap I get the following error message: WARN : CertificateUtils - Could not extract public key from Certificate!
The full length of the command starting with _

for the "RDP and SOCKS Tunneling with SocksOverRDP" section of pivoting and port forwarding, i tried connecting to the windows server through the provided host, using the techniques given in the section for the socks proxy, but the rdp connection keeps giving an error
Hello, can I get an assist on the Intro to Assembly - Data Movement Question.
It says add “mov rax, rap and get the hex value. My steps:
- Edit the m.s file to add mov rax , [rsp] to the bottom of the file. ——2. Compiled the file in nasm and made the .o file. Used assembly.sh to open gdb and run the file. Found the instruction at the end but the hex isn’t working. Any ideas?
Disable real-time protection
I've been trying to decode this reset token 41619c7fc10a11b73e4c243717d819a8 to find the algorithm behind it for Broken Authentication Module but couldn't make any progress. First I tried to decode it from base64 and then hex and some other combinations but results were useless. Any help is welcome
Either it's wrong or I don't know how to decode it :/ I've tried base64, hex, ASCII, md5 so far and all fruitless. Been working on this question for hours
¯_(ツ)_/¯
on the dc?
On whatever computer you're trying to run it on
i did that
what's the error message say
as long as real-time protection is off you should be able to register the dll
i already registered the dll, and set up socksoverrdp on the dc, as well as proxifier on the first host, the error message comes from rdp, where it says that either rdp isn’t enabled on the remote server, it doesn’t allow connections, or the ip doesn’t exist on the network
then you either have the wrong ip/port info, or there's a misconfiguration somewhere
double check everything, make sure you have the correct socks chosen for proxifier, all ip/ports correct, etc
the socks ip is 127.0.0.1, port 1080, right
in proxifier? yeah
also make sure all your rdp settings are configured correctly with lower settings like the module shows, and maybe set your timeout high on your rdp command
👀
use the value you see in rax as the answer, scroll up in your gdb screen
I'm on "Attacking Common Applications" -> "Splunk - Discovery & Enumeration". Could not connect to the splunk web ui on port 8000, keep getting connection reset on my browser. What did i do wrong here
tried https. works. Thanks!!
Good ol typo negotiation
it's moreso that the splunk application operates with SSL certs
and it's not set up to auto-upgrade insecure requests generally
Fair! Thanks, Marcie. Yeah, that sounds right from what I remember now. I appreciate the refresher!
it's similar with how Nessus works
unless you have it set up to do so; it won't go to https
detecting windows attacks with splunk switching to https in the second half
in fact i think that is the only time you access splunk over https in the entire soc analyst path
Hey guys, probably a newbie question but I am in the Web Requests module > https://academy.hackthebox.com/module/35/section/247 and I am replicating what the example does but I can't understand why 1/ I do not receive the same results between web browser and curl request and 2/ Why my curl request will go through with fewer Header options when the ones that seem to do the trick is the User-Agent ? Edit for question 2 : is it exactly because if the User-Agent is Mozilla FF one , it will display the "use cuRL" message because it displays the HTML ?
if this is the right channel to post this -_-
For your curl question, curls default user-agent is curl/version, ie User-Agent: curl/7.54 so the server may specifically be looking for that when it's not able to perform other checks.
im doing the documentation module, would accessing rpc as anonymous and querying the users be considered as a low finding or its something we just wont put on your report?
If it were me, I'd probably document it - it's informational
You could use that information elsewhere
@shrewd bolt Sorry for ping but I can reply to your message in here :-) #cpts message
I've already tried using the dns-nsid script but without any luck. Do you see what could be wrong?
```
PORT STATE SERVICE
53/tcp filtered domain
53/udp open domain
```
i'll DM you
Hi, if my subscription expires can i access modules tire II which I haven't finished?
No, you'd only retain access to modules that you have completed IIRC
If you complete a Module with an access-based subscription, you will still have the ability to go back and review that module, even after your plan ends. Additionally, you are still rewarded Cubes when you complete Modules with an access-based subscription.
You should generally be completing the modules you start. I.e. not having 3 modules open
Learn about the different Academy subscriptions.
Supplemental material to follow would be the writeup for the retired insane machine: fatty
thanks. Just got back on, But were my steps correct?
Given his response, that seems to be the case
Thanks. still trying to figure out this assembly.
Attacking Common Services - Easy i used smtp-user-enum and found a username 'fxxxx' ,but brute-force using fxxxx all failed i don't know what to do next . please give some hints
What service are you brute forcing?
hey marcie when i have burp up and write "run" in the terminal nothing is being intercepted same with zap
ftp rdp mysql smtp
Follow the instructions on the page
ftp works
ok i will try again
Try a popular password list
ok
Hey people on the module PIVOTING, TUNNELING, AND PORT FORWARDING , there is the question "Reference the Routing Table on Pwnbox output shown in the section reading. If a packet is destined for www.hackthebox.com what is the IP address of the gateway it will be sent to?" and the answer is "Students will find out when referring to the "Routing Table on Pwnbox" code block output that there is an entry in the routing table called default with its gateway being 172.62.64.1, thus, since there is no explicit/predetermined route for packets that are destined for www.hackthebox.com, the gateway of the default route (also known as the gateway of last resort) will be used:"
i type down the ip address 172.62.64.1 and it says wrong , am i a dumb or there is something wrong?
What section?
There's a bunch of sections in that module and I cba to check each one of those for your question
last question
"what is the IP address of the gateway it will be sent to?"
Bro its 172.62.64.1 what else would it be
Make sure no spaces or weirdness
Or refresh the page and try again
otherwise contact support ¯_(ツ)_/¯
awh men
there is no whitespace and the thing is typed right, i tried "172.62.64.1" yesterday and same thing
alright lets call support
My tip, put your cursor right behind the first number and press backspace a few times then at the end of the text box and hit backspace
Then retype the last number
There are no quotes
Okay
brah i just found the answer, i copy paste from the solution and someone did a typo on the solution
?
so if you copy paste from the solution it will say wrong
Yes if you copy the ip from the solution page it will say wrong
Yeah, submit that to #1234357888114364508
Also I suggest next time reading the page instead of relying on the writeup
You would have found the answer much quicker than reading the writeup
It sounds like, to me, up until this point you've just been using the writeup instead of reading and learning the content
if i can do the exercises
If i can do the exercises eazy,
I can do the cpts
So i dont need to read everything
Incorrect
You won't have a writeup for the exam
And lacking any bit of fundamentals for the exam will just result in extreme frustration
I can't stop you from continuing this path, but you'll get nowhere fast and will have to buy another voucher once you fail
That's closer to the truth
and on top of that ill do, by myself, all the recommended boxes on app.hackthebox.com
Eh
The boxes really won't help much
As they're individual things and not networked
So even if i can do the all the exercises all by myself i need to read the whole thing?
178 not 172
Apologies the text before is wrong it says 172
Writeup says 172
I will fix the walkthrough
I think I saw something similar in the pivoting skill assessment or something
I think it shows the final box as .25 when in fact it's .35
If a student is doing proper enumeration, that difference will likely not come up or matter
Okay back to my insane thinking, so even if i do all the exercises and the recommended boxes by myself, i still need to read the whole thing?
Okay i think i'm being just lazy ill read the whole thing i thought that if i just did the exercises by myself i would be ready to do the cpts, that is not the case, right?
I that if i read the whole thing i forget it immediately the only thing i remember is how to beat the exercises because this requires some practice
Take. Notes.
No one can remember anything
And the content of the course is incredibly dense with information
I first read the writeup i follow along, then i go a second time by myself with just my notes
I suggest only using the writeup if you're truly stuck
then a third time no notes no nothing just my brain
To be sure you're on the right path
By doing the writeup first you basically skip any actual learning and understanding
Read the content. Take notes. Attempt the questions.
If you make no progress after an hour or so with a question, first ask here
If it takes too long to get an answer or push in the right direction here, then go to the writeup
It's a marathon not a sprint brother
Pace yourself, the exam isn't going anywhere, and isn't going to change in price any time soon
Okay gotta grind. Thanks. Now i need to go back to 4 modules
because i have speedrun them
Make sure you understand the content before moving on
As the later modules build on the early ones
Okay thanks a lot
just a question is HTB paying you to stay here?
Or you just a kind hearted person that stays all days on discord helping noobs like me?
I wish
Just passing it forward
"Password Attacks - Protected Files", it says "*Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer. *"
but I don't understand what cracked password they are referring to ? am i supposed to know it ?
they ask me to log in to the host and crack the id_rsa, but if I'm logged in doesn't that mean that I already cracked the hash ?
You poor soul, you got kira's password earlier
This module emphasizes saving found creds
You got her password on the way to will
mmmmh... I'm not on my everyday computer, I just downloaded a fresh Kali VM and did a few modules, so her password is on my other computer... 400km from me lmao
F
Just pull up the hint from the credential hunting linux section or throw the mutated pw list at it
oooh yeah now i remember her, it was such a horrible time when i did it, thanks anyway ! it should unstuck me
48 threads is the most stable threadcount
With the hint list like a few minutes, with the full list like 20
NTLM Relay Attacks Skill Assessment - question 4.
Is there a way through sqladm? I been unsuccessful in elevating my computer account. any help for this question would be appreciated
Do they have seimpersonate?
not from what i can see
though i think with module, its forcing users to use NTLM relay of some kind, but not sure where
oh i remember why it was literally HELL to find her password, in the hint, Kira has an uppercase, same for Will, but for the ssh it has to be lowercase kira
Technically it's because it's a *nix system
Any *nix system usernames are 99.9999% of the time all lowercase
Kira is the name, kira is the username
Windows systems are case agnostic, meaning you can write "bob" "bOb" and "BoB" and it'll treat it as "bob"
Similar to commands in windows, you can upper/lowercase them to your heart's content
@ember isle 2 things 1) don't dm without asking, 2) your question has been answered countless times in multiple academy channels
Sorry brother 😐
i can see my HTB instance working on the webpage, but when i click the Full Screen button it says 'Something went wrong, connection is closed'. Is there a fix for this so i can view it in full screen?
Message support
who is that
It's on the website
Green bubble bottom right of academy
If you don't see it, disable adblock
@fathom pendant I can't find out can please guide me once
Utilize the search feature of discord
why does hackthebox academy no longer allow you to extend the time on the pwnbox machine whenever time runs out
it does
Well if time runs out then nothing you can do
You have to extend the time before time runs out
FILE TRANSFERS > Windows File Transfer Methods
can someone guide me on this.
i use simplehttpserver to upload the upload_win.zip. but once i rdp into the account mention. And i tried to access the folder page. i got an error page. ( Access forbidden. error code 403. )
Simplehttpserver is a python2.7 module
But also how are you trying to access it
Are you accessing http://{your tun0 ip}:port/
In python3 it's just http.server
i ran with sudo python3 -m http.server 80 on my kali machine
Guys, if I have bought path for academy cpts (500€ option annually) I don't have VIP granted to spawn machines on app.htb and I need to buy it separatly?
Under what directory
They are separate subscriptions, yes
i am able to see the following uploaded uploaded_win.zip in my kali environment after running the service for http service. i placed in desktop/folder/XX.zip
egh, ty 😐
That's not what i asked lol
I asked where you launched the http.server from
It's recommended to only launch it from the directory you plan on sharing
hi is workspace virtual machine having internet access on? like you can visit google
You mean the pwnbox?
yes
It depends
There's limited internet access for the pwnbox
Unless you spend money, then it's less limited
im new to hackthebox it worked for the first time but then later i get connection timeout...
However the broad recommendation is to just use your own vm
okay thanks
Working in the -Footprinting module, in ftp section under host based enumeration- they ask to configure vsftpd server and do anonymous login. I configured the settings correctly but everytime i make ftp connection with target ip im not connecting as anonymous user.
You don't have to create or configure an ftpd server
ftp ip [port if not 21]
Wait for it to ask for username then type in anonymous
Then press either enter or type anything for the pw
When following along with the lesson it says create vsftpd server and then walks you through the settings to change it to anonymous. When i run ftp ip they don’t ask for username it auto logs me in as my user name . Should i uninstall vsftpd? @fathom pendant
If you read carefully, the goal of installing it is to just look and understand the settings
ftp ip should work as the target isn't running ftp on an alt port
Also ip is the target ip
fiona
Gotcha thanks for that. Confused at the point of installing and practicing with it if having it installed would prevent you from making the connection
That wouldn't affect you being able to connect
Much like having ssh enabled doesn't stop you from connecting to other devices with ssh enabled
Yea that’s my question I’m doing everything you said with exact command line but it’s not asking me for “username” it’s just auto connecting me as my username. So that’s why my original question was why am i not connecting as anonymous when i have the settings changed to allow it @fathom pendant
Changing settings locally does not affect the remote settings
And yes it should ask for username after the connection completes
If you link your app.hackthebox.com account to the discord following instructions in welcome you can paste a screenshot here
If you're seeing name (ip:user): that's where you input the username
hey guys i need help to find where the answer would be for this question
I don't know where to look
TTL
The reply TTL can help determine the underlying basic OS as most OS have different default values
Brother I said "reply"
oh
Reading helps
oops lol
RCVD (0.0152s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ] this part then
Yes
Now utilize Google
Plenty of resources can help you find the answer
Note: the answer isn't looking for a specific OS version/flavor
I.e. kali linux or Windows Vista
ah ok
Just the underlying OS type
ok hopefully i can figure it out
ok 🤔
ah ok
Don't ask me what you think the answer is
There's no penalty for putting the wrong answer in the answer form on the page
It's working
Type "anonymous" there 
Also your screenshot contains a spoiler for the other question
what do i exactly look for? a ttl like "128" "255" "64" ?
"TTL and OS"
Then in whatever documentation you find, search for the relevant TTL and it'll be as simple as copy/paste or typing it out
so for example "64 – Linux/MAC OSX systems"
Yes, but that's not the ttl shown in the example
Again you're looking at the reply TTL
ah ha so "Linux/MAC OSX system"
No
wow yea deff thought that was showing the user i was logged in as never thought to type anonymous there thank you
i did windows system the first time, thats prob why i got it wrong
Part of learning is getting over the fear of looking for additional sources
and all the other times i was waaaay off
Well the answer knows it's a system, that's the S in OS
yh
smh
Thanks @fathom pendant & @wanton idol
i didnt even do anything lol that was all to MarcieLee
n
?
Labs are down for anyone ?
anyone facing issues with pwnbox??
I was
with my 100000 ping I guess its going to take some time
Guys, need help with Mac fundamentals ) Where are the Applications related to the system stored at?
Answer: /Applications
Isnt it ?
Found )
@vale island They're down for me at the minute, my bitdefender is saying the certs are outdated so idk 😮
switching to vm doesnt seem like a bad idea actually
It's more reliable overall
its what im gonna do for the time being 😛
pwnbox seem down
Raise the issue with support
switch vpn i was having the same issue
Whenever you say switch to the VM, that means just configure one in the area of the VPN servers and download VPN open source and do it that way right ?
The thick client lab was terrible
They really need to fix that module it’s poorly done
section*
Thank you sir
yeah i agree but u cant lie its hard to explain
did you find out how it works? I also have nothing on txt record.
hello guys
Attacking Common Service - Attacking DNS
this command not working- > dig AXFR @ns1.inlanefreight.htb inlanefreight.htb
my hosts
10.129.207.161 inlanefreigh.com
This section confused me a bit.
the command doesn't work how?
dig AXFR @ns1.inlanefreight.htb inlanefreight.htb
dig: couldn't get address for 'ns1.inlanefreight.htb': not found
i added my hosts but it's still not working
Yes because it's not in your hosts file
double check your hosts file and the target address
For the @ use the IP instead
```
┌──(z4c㉿theuzzay)-[~/Desktop/tools/subbrute]
└─$ dig AXFR @10.129.207.161 inlanefreight.htb
; <<>> DiG 9.19.21-1-Debian <<>> AXFR @10.129.207.161 inlanefreight.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
```
Also inlanefreigh.com has a typo
it has 2 typos
so the command worked, but the zone transfer failed.
Okay so looking back at the module, with your corrections you should be able to do the @ns1.... and follow along with the section
okey
did you correct the 2nd error?
yes I'm trying subbrute now
can you show me what tail /etc/hosts says?
161 target machine
there are still mistakes
look closely at your target address vs the addresses you have in /etc/hosts
ns1 address?
i'm not sure which question you're on so maybe this doesn't apply, but you're targeting a .htb tld but in your /etc/hosts you have a .com tld so it looked strange to me. is that how it's supposed to be?
when you were using dig axfr @ns1.inlanefreight.htb you didn't have .htb tld in your /etc/hosts, you have .com
my question - Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
that's why it's not resolving
oh understand
i changed it to htb
not .com
is this command correct?
hydra -l -P pws.list -f 10.129.203.12 smtp
No
SMTP doesn't use authentication, try other email protocols
Apparently you can bruteforce smtp huh
Been a minute
But also. You need to include the domain in your username
Delete this as it's spoiler
Think about how you draft an email to someone
yes understood
You don't just send it to their username, you send it to their email domain too
In future: you can substitute usernames with first letter then *
So m* in this case and people who have completed it will know
I'm looking for help with a module question, is this the best place to post it?
yes
I'm stuck on the ACTIVE DIRECTORY LDAP module. There is a question in the "Credentialed LDAP Enumeration".
The question: What is the password history size of the domain? (How many passwords remembered.)
I can't figure out how to find the answer. I've retrieved the password policy, but it doesn't list the password history.
have you tried all the tools?
The module covers two tools, I've tried them both.
I've answered every other question in the entire module, stuck on this last one.
one of the tools shows you the answer
are you able to give me anything more? I pulled the password policy using ldapsearch-ad.py which doesn't include the history setting.
that tool does show you the answer
the terms 'password history length' and 'password history size' in the context of AD refer to the same concept, they are both the number of previous passwords that are remembered and cannot be reused by a user when changing their password.
This is the entire output of the policy:
```
Default password policy:
[+] |___Minimum password length = 7
[+] |___Password complexity = Disabled
[*] |___Lockout threshold = Disabled
[+] No fine grained password policy found (high privileges are required).
```
i see, my results had more information, you can DM me your command if you want but your command is probably missing something
So you got a string decoded correctly there
but you're not following the instruction on the question correctly 🙂
Hi everyone! I'm on the last step of the XSS and CSRF module skills assessment and am really confused. Could anyone sanity check my work?
You're one step away - re read the description in the Questions section @deep lantern 🙂
a payload I tried to generate an error with is returning normal output hehe
This contains spoilers
I still like to avoid people just trying to ctrl+f the flag lol
Besides if they're following the content it doesn't take much
Eh it's mostly the frustration of being stuck
nevermind got it 😄
i understand but remember why you're on HTB Academy
Read the question carefully
on the socksoverrdp section in pivoting tunneling, and port forwarding, i tried connecting to the target host using the method mentioned in the module, however, i can't seem to connect through the host provided, over the socks proxy set up on the domain controller. i ran proxychecker, and it seems that the test passed, but i can't connect using mstsc, as it gives an error, stating that either rdp is not enabled on the server, its being blocked, or the ip isn't available. ive checked the ips multiple times, so im not sure why im not able to connect to the target host
Please avoid posting spoilers :)
I am so sorry 🙂
I mean.. you have the answer there
Just correct the format
Obviously missing something as there's a character missing
but yeah..
What section are you specifically on, the decoding section?
Really? because thats all i got back .. 😐 so i am missing a character ? Thank you!
Flag formats are usually HTB{<flag>}
It's likely missed as the output tends to bleed into your bash config
One of the quirks of it not outputting a newline
ahh yes
well this is a little odd
If it helps I tended to add ;echo to the end of my bash commands for this module
because thats the flag i got back.
So it gets clearer
As "echo" by itself should just print a new line
If not echo ""
Or if you wanna be cooler, | echo
So it appends a newline
hmm that still has not worked and i have passed the correct serial.
Making it much easier to parse
Or even outputting to a file
That looks right to me
mmhm
Right .. but its not accepting it 🙂
Make sure you don't include the whitespace characters
Tips: place your cursor to the right of the first character, press left arrow, spam backspace a few times. Do something similar on the right side
If you highlight the whole line and copy it, it also copies the new-line character
Which is a whitespace (invisible) character
Hi, Attacking common application Splunk > Enumerate the Splunk instance as an unauthenticated user. Submit the version number to move on (format 1.2.3) , this is really weird i cant get the version correct any help pls
Yup, Just checked that .. no white spaces 😐
well... that's the answer... I'm looking right at it ¯_(ツ)_/¯
Yeah I know.. its why I came here for help.. its a little odd this one.. i know that should work.. but it does not 😐
https://academy.hackthebox.com/module/147/section/1320 this section yeah?
...
no its this one the very BASICS
That's the problem 
On the deobfuscated min.js code, add a line console.log(flag) and run that
this is why I asked what section you're specifically on
omfg.. did i just over kill something basic?
Literally all the steps you did in between are answers for other sections between the one you're on, and the one I linked
You get the answer for the section I linked
This section is regarding the source code, and finding a secret flag within it
Which can be seen that there's a "flag" variable
Yes
You misunderstood the instructions lmao
^
Can I DM you please? Still having issues 😐
A --> B --> C
Sure dm me your decoded source code.
is there a way to check if a module instance is running correctly?
There's a middle host between the target, and the one from the question
i ran the socks listener on that
So you're on the .5.19 host?
yeah
If everything is set up and running properly, you should be able to get to host C from Host A
the hint says theres a firewall, does that mean i wouldnt be able to use socks
You can disable it
for the most part though it's as easy as A (disable RTP) --> B --> C ¯_(ツ)_/¯
is there a specific way that i need to run mstsc
Aside from doing the advanced options to set the username... I don't think so
It's mostly just following the steps
Initiate the dll --> rdp (get the success message) to B --> transfer socksoverrdp.exe and run as admin --> set up proxifier (on A)
Then from there it should just work™️
alright, ill try and see if it works, thanks
I basically just rewrote the steps from the section in simpler terms ❤️
As it's easy to miss with the 300 screenshots in that section lol
Module: https://academy.hackthebox.com/module/147/section/1638
Task: Optional: John is a member of Remote Management Users for MS01. Try to connect to MS01 using john's account hash with impacket. What's the result? What happen if you use evil-winrm?. Mark DONE when finish.
So i first tried with impacket-psexec which failed due to error ADMIN$ is not writable and C$ is not writable, and when i tried evilwinrm, i got the remote PS for john. What i didn't understand is, why didn't impacket work? is it maybe due to that, impacket maybe tries to exploit the SMB service to get the shell which it fails cuz you can only access the shares through MS 01 Admin while evilwinrm uses winrm service to exploit and get the shell ? or I am completely wrong lol.
welp u beat me to it LOL
And since he doesn't have write access, you can't look at it

anybody know how can I share image to show my error?
verify your account -> #welcome
I am getting error here
module: https://academy.hackthebox.com/module/74/section/1393
what's the problem? the error messages tell you exactly what's wrong
was there a specific question you had about them?
when I type
Get-ADComputer -Identity "ACADEMY-IAD-W10" -Properties * | select CN,CanonicalName,IPv4Address
why server is rejecting
the very first line you type after that shows the problem, did you read that?
I don't know how to solve this error
it says Get-ADComputer : The server rejected the client credentials.
you will need working credentials
yes
but I am using the given credential
there must be something else, but i'm not sure i don't have that module. the first error is because the computer is already created in the domain.
Yes if it is already created
then second command line should run
I don't know
which credentials is it talking about
also this error is happening
well it doesn't seem to like the session credentials you're using
yes
looks like you found the root cause
but this credential is for joining the host to domain
And I already have done it
Either log into the box as the domain user or run a new terminal as the domain user. The creds you were given for the box was a local account.
so, if/when cert time comes, am I going to have to classic exam stripping words out of the text to answer questions? Because I feel like I may not remember a fair bit precisely despite definitely understanding and being able to explain the functions of everything going on and their applications
oh, I meant generally speaking is that a practise but I guess that comes into the same thing
oh well big thanks
hello i have a question. Sometimes when I get hash, it is on many separate lines. I need to make it all to be just one line in a text file. Now until now I used to do this manually, going into text file and fixing the hash myself. There must be a better , more efficient way to do it. How do you deal with these rubbish hashes that you cant copy smoothly?
yes i think so too. I will try to output to file, thank you SuperNuts.
Wow you understand that where is this from though ?
I’m still new to this
? It's just permissions and such, generally the only people with write access to C$ are admins
hey, i have a problem on brute force login skills assessment - service login. i know that the method and the wordlists that i am using are the correct but i cannot find the proper username and password
Try cycling through usernames instead (-u)
Doing username cycling is loads faster if the list is way smaller
Interesting i might as well check this out
@past scaffold don't dm without asking
sure sorry
Try adding the Nickname (same as first name) with cupp and see if you get a hit off it
It won't take long
Also don't forget to reduce the pw list using the given rules
If you don't trim the list to the rules provided; then it's gonna be a long time
See the sed commands they provide
@open gulch ask before dm. I don't do dms unless I feel it completely necessary.
I haven't done the cdsa path, I've only seen common questions regarding some modules
Hello please any hints on Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the port that one of the two C2 callback server IPs used to connect to one of the compromised machines. Enter it as your answer.
I found the the two IPs from the previous question and also the source ip but I am not sure what the answer format should be.?
Hello 👋🏻, I’m trying to get .vhd file, can’t get it from smb, any hints please.
Password Attacks Lab - Hard
why cant you get it?
Not sure, seems encrypted so that’s made it unable to get in regular ways, or maybe because the user I got is not admin ?
you are copying it your local disk, yes?
The user you have should be able to access it, can you elaborate on "seems encrypted" are you getting errors?
Yes I got errors when trying to to get the file
It helps if you share the errors
```
smb: > get Backup.vhd
parallel_read returned NT_STATUS_CONNECTION_RESET
smb: > getting file \Backup.vhd of size 136315392 as Backup.vhd SMBecho failed (NT_STATUS_CONNECTION_DISCONNECTED). The connection is disconnected now
```
I did that multiple times
Then use a different vpn region
I read HTB forum, they were talking about mounting Bit-locker encrypted vhd files to Linux
Can’t be just network problem, it’s few days now without any progress 🥲💔
maybe try transferring a different way
Thank you 🙏
I need a hand with the Broken Authentication module / Predictable reset tokens Question 1
Anyone I could chat with to discuss my script for solving this? I've been at this hours and reaching the end of my wits
How do you identify vulnerabilities without vulnerability assessments/scans? manually?
"does not necessarily require" doesn't mean you cannot do assessments/scans
Attacking Common Services - Hard Question : Once logged in, what other user can we compromise to gain admin privileges? i can't get in mssql using fxxx's creds but i can't find other creds either. please give some hint
I suppose you need to try a diff auth method
if you are using impacket, you need to add -windows-auth
then you can simply type SQLCMD.EXE in powershell.
is there other creds needed here?
no just that.
Nope
F* can access the sql service just fine
Impersonation will be one of the keys to victory
'sqlcmd -S SRVMSSQL -U fxxxx -P 'xxxxxxxxxx' -y 30 -Y 30' i use this didn't work
always login failed
sqsh impacket-mssqlclient sqlcmd . all said login failed
you need to enumerate further. do you have any other credentials you can try to log into the sql server with?
i tried this
it worked
You don't gotta do all that
yes. now i know
No they don't lol
so this mssql is using Windows authentication mode?
Yes
ahh ok, my notes are kinda part for this part
i have other creds down for some reason
hello guys,
I would like to tell you about a tool I wrote in Python that prints all the data on Mysql to the terminal.
hopefully it benefits your business 🙂
output
It's best to put things into a codeblock
```py
<code>
```
That formats it better
Using asterisks just makes it more annoying to parse
ok i will make the arrangements
Anyone have an answer for this one..? Please DM. Thanks
Hey, have a qustion. Is possible to unlock high tiers on free account? Or its only T0
Only t0 without spending money
And like 1 t1
two users i was able to impersonate don't have admin rights
One will
They specifically have admin rights on a specific place
Maybe re-read the sql section
ok
why nothing happened?
Module: ADCS Attacks
Section: ESC11
I have got the NTLM hash for DC. But I cant use it to login to WS01. I have tried both the PTH and Ticket.
Out of Ideas need help
Could anyone provide some insight re the Password Attacks module, specifically the Network Services section?
I am using the username and password list provided in the module and using hydra to brute force correctly. Is it expected that the crack takes several real life hours? I know in a real engagement it would realistically but given this is a training I feel like i've done something wrong. Is there an aspect to that module im missing? I don't want the answer given to me, i'd just like to know if I am doing something wrong and should pivot or if im just being impatient and need to wait a bit longer.
Exact question: Find the user for the RDP service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer.
Can someone help me?
I did exactly what the module asked, I downloaded the files, uploaded them to the Windows machine, but when I try to load the dll for socks to work, it blocks, even though I have disabled all protection mechanisms.
Module:
Pivoting, Tunneling, and Port Forwarding
Section:
RDP and SOCKS Tunneling with SocksOverRDP
disable real time protection?
struggling with the password mutations exercise. I think I knw how to do the final part of it but believe I have made a mistake creating my mut_password.list file as the file is only 1504 lines long. am I able to type exactly what I've done in here or is that against the rules? I understand the mut_password.list is supposed to be around 90,000 lines.
Around 64k.
Which question and section on password attack you on.
password mutations, there's only 1 question
You did download the resources, right?
*94 I think
Yh, mb.
so to create the mut_password.list file I downloaded the Password list from the resources, created custom rule from the academy:
```
:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@
```
and then created mut_password.list using:
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
This is giving me only 1504 lines, have I done something wrong? only thing I could think is the custom rule but seems everyone is using that
I did this, it didn't work
lemme see how it is when I do it
cheers mate
haha damn. I've looked through my results and something has definitely gone wrong on my end. the rule should replace every "a" with a "@" but there are still plenty of a's, I'm gonna delete and start fresh
Try it and see if it's fixed.
don't use --force
Why not
it's a command for devs and can mess up the output
removed --force and still getting 1504 :/
Did you in any way delete something from the custom rule.
hello any hint to find the answer to this question, Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the port that one of the two C2 callback server IPs used to connect to one of the compromised machines. Enter it as your answer.
I found the 2 ip address and source ip but none of them seem to be the correct answer.
you used what I sent into the chat yeah?
I'll double check but nah just copied it from the module and pasted it straight in
I used what I have shown here.
Just download, extract, and execute that hashcat command without using --force
Don't delete stuff from the provided files.
hang on, I've created the custom.rule using vim. is it part of the download in the resources?
...
You already have a custom rule.
Don't make a new one.
When you download the zip from resources, there are 3 files.
Custom rule, password list and username list.
Don't touch any of them
Just use the hashcat command.
lmao thanks bro, I didn't see that the custom rule came with the resources. thought we had to create it ourselves. that'll be why mine wasn't working
Yeah, all good.
I should be able to finish from here. thanks for your help bro
what do you mean by verify?:)
bump
ntlm hash for dc you mean the machine hash of dc?
machine accounts don't have any particular rights so it makes sense that you can't login directly using it, you'll need to dcsync or silver ticket
I have DCSYNCed and got the hash for DC and WS01$ but they dont work. Tried creating silver ticket as well. Not sure what Im doing wrong here.
DC ntlm hash should be able to get me anywhere
no? machine accounts don't have special rights for logging in
use the DA hash you got from dcsync
then either one or both of your IP addresses are incorrect
look at the data again and find solid evidence that points to two IP addresses being C2s
Can I send you Dm please ?
Hey guys, anyone else struggling to connect to VPN? Seems awfully slow today
Struggling to even connect to the VPN :/
yes, use openvpn
i can't help you any further than this
my notes aren't accessible at the moment
so first i have to connect to the vpn then try to connect to the target. Am I right?
yes
Thanks!
sounds good thank you.
Has anyone encountered problems while working on the "Using Splunk Applications" module?
I cant seem to get past step 3 where it is shown to download the file
still cant connect
no, there is no such feature
connected to the vpn file from the academy
is the target available
yeah, you should disconnect from pwnbox
the server won't know where to route the traffic if you have both pwnbox and openvpn on
i want to report one site which is showing htb modules ans whom should i dm
I am having issues with Academy VPN too
HTB Labs VPN works fine, but Academy one does not reach the modules machines
Has anyone encountered problems while working on the "Using Splunk Applications" module?
I can't seem to get past step 3 where it is shown to download the file
just loads endlessly when I try and download it
hi all , i have a question aboute the shells and payload module in the live engagement section. Is there supposed to be a web browser on the foothold machine?
ty
ask your question
I injected the page to make it look like a login and password page. I’m trying to use netcat and get a response but I’m not getting one
I was told to try port 443 or 4444 but I’m still not getting anything
When I put in test:test I don’t see a response in the terminal ,but I get the error response page from the website
I asked someone on the website for help but I’m being left on seen lol so I came here
Can you help?
dm me your payload
Hey guys I have a question Im in the “Information Gathering - web edition” doing the Active subdomain enumeration and keep getting this message when trying to use nslookup. I had the same message using pwnbox am I doing something wrong?
ok
you are given a domain
then, nslookup -type=NS <domain name> @<target ip>
what's the output
I’m overlooked the other questions that I already answered
Idk what’s going on now I started new instances of pwnbox and target
Drop the @ symbol man. Think dig uses that syntax but not nslookup
Okay thanks it looks to be working
Hi do you guys know why i dont have acces to the general channel?
you need to verify your account -> #welcome
thanks
For the using Sysmon and Event Logs to Find Evil question using the reflective DLL injection, I cannot for the life of me locate the wininet.dll. I am getting plenty of 7 event IDs in event viewer but I literally cannot find anything to do with a wininet.dll. I have also tried looking for the reflective_dll.x64 but to no avail. Also, found the answer online and even searching using a custom xml query to search for the hash answer I cannot find it lollll
Its driving me insane
How do you use given files outside of the pwnbox, inside the pwnbox ? I tried logging into htb on the vm but that ended badly…
filter for calc.exe
Are you not able to curl the download link?
uh oh, my newb badge is showing 😂. thanks man
doesnt show anything
Also, logically if you were to do it exactly as it says in the lesson you could just certutil the sha256 sum of the dll that you rename to WININET would you not
Idk im perplexed the other two were fairly simple
what is your filter
```xml
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">
      *[System[EventID=7] and EventData[Data[@Name='Signed']='false']]
    </Select>
  </Query>
</QueryList>
```
This is the one I used most recently
As a sanity check, I applied the simple filter where you have just the ID of 7 selected and then used find to search for the string that is the sha256 answer and nothing popped. I figured it must be myself improperly executing the inject.exe, perhaps that is the problem. When I followed the steps specifically (moving inject .exe and x64_dll.dll to desktop and renaming them to calc.exe and wininet.dll respectively) it was unable to run properly, I assume because the functions that perform the message box pop etc are contained in one of the other DLLs in the c:\tools\reflective injection directory
Can someone point me in the right direction ? I am doing a Prolab and I would like a hint. In which channel should I redirect my question ?
Read #welcome and you'll have access to the pro labs
Thanks i am having trouble identifying
When we call a function and explicitly set the value of a parameter, e.g. foo(bar=42), this parameter is called a _____ parameter. (Fill the blank)
Does anyone know the answer?
Generally when you ask a question its good to give context of the module and section
Instead of just repeating the question
It also helps to say what you tried
okay in python func
Scrolled up in that section, look for highlighted words
The section talks about 2 different kinds of parameters at least
I couldn't find the answer but I will try again
I think my answer is correct, but there is an error on the site
it's in the Function Call subsection ¯_(ツ)_/¯
im stuck on this one too. I input the payload to create the username and password fields, but when I try to add the script to remove the url input bar it doesnt work. In addition I have the same issue you do with setting up the listener.
In fact the answer to q3 is in that section as well
You can wrap the payload in <script></script>
i know positional
So what's the other parameter mentioned?
I did not find the answer to the second question
I'm literally looking at it on the page
bar
Can you tell me?
Look at highlighted words specifically
you're not supposed to run inject.exe
No. I don't believe in straight up giving people answers, I'm leading you to where you can find it
You have done more than lead
I mean, without explicitly telling -- this is the closest I'll get
I do a similar thing with, for instance, the NMAP module -- Hard lab
I think I should use GPT chat to create a script to brute force guess the answer : I spent three hours searching for the answer🌀
i suggest you don't do that
The answer is on the page
I can guarantee you that
Do you know the answer? The matter has become very complicated
How?
it's not complicated
It's literally just reading the page
And the hint tells you how long the word they are looking for is
What is the first letter of the word?
you understand me thx
Just ctrl-f for the word "parameter"
I understand you
I'm just telling you, I can't give you more hints than just... read
Like I said, reading the page will reveal the answer
oh shit you guys have been reading the modules?
No I don't understand you, I've already done the module. Read it. The only thing I can accept as an issue is if you have comprehension issues with the English language, but it seems like you're doing just fine here.
HTB tends to highlight important terms
i tried wrapping the whole thing in the script tags but I still get this. I appreciate the help. I will keep trying things.
You have to play around with the code a bit to make it look nice
No, don't tell anyone.
Look at where it's getting injected and work it out from there
thank you for the clues you two. I will work on it.
I have difficulty understanding some words because they are not my native language /: But I will try again, thank you
Take a step back and get some air. Come back and read the section calmly. Once you're done with that Ctrl+f for parameter, write down all the highlighted green text with parameter. You should have your answer, I promise.
||named|| I tried this word more than once and it didn't work. I don't know why Thank you, I knew the answer
Perhaps you had extra spaces
You are right, thank you