#modules
hi I need some help with figuring out the Nessus Vulnerability Assessment section. I'm looking for an SMB share but scanning the server doesn't get me an SMB share. What am I doing wrong with the scan?
cURL command in the Web Attacks Bypassing Basic Authentication section is not showing "Allow: ..." section for the headers.
Feedback, please trim whitespace
This is what the module shows
this is for the vulnerability assessment module
This is what I get
That was the mistake thx
I think they use the same code for all the answers so it would fuck with expected spaces
Looks like the allow is the only portion not showing
This is my command:
curl -i -X OPTIONS http://SERVER_IP:PORT/
Use the preloaded scan
i think i ran into that same thing and just fuzzed the options with burp intruder
Yeah, a feature I'd really like along with case sensitivity. Sometimes it's just faster to type it.
I don't see any preloaded scan
The target [10.129.x.x] doesn't have smb running, it's simply hosting the nessus (or openVAS) service
It should be
By preloaded I just mean it's an already done
So you don't gotta wait the 40+ minutes for it to go
I don't see a scan that I didn't do myself
like they didn't put a scan on there that was already done
It's been a while, but the report is there. Is there maybe a filter?
As I said it's on the https://targetip:nessusport
I figured it out! Thank you and @cloud urchin. Much appreciated.
for the last question on the acl primer for ad enum and attacks, is there supposed to be multiple answers to the question?
should only be one
the answer that the section gives is different to the answer that i gave, but i still got it right
maybe HTB can look into it ¯\_(ツ)_/¯
Has anyone completed the Bloodhound AD module?
best to just ask your question
Hello
I was able to figure it out. Thanks!
actually...
This is the question.
How is DC01 not the right answer?
Try the FQDN of it
Run the collection again and analyze the results.
Tried it. Upper case, lower case, camelCase.
hey
Ran the analysis three different times.
But also it would be odd if it was just one computer that had one admin
in the drupal attack section in attacking common applications. not able to find option to add own module. tried `Once downloaded go to Administration > Reports > Available updates. Note: Location may differ based on the Drupal version and may be under the Extend menu.`
Analysis or collection? I had to run the collection again to get that to show a different system.
Thanks. Running collection again.
i would wager yes
DID U COMPLETE IT??
no
KK
how do i get the beard role
I KNOW
😂
BRO I GOT A QUESTION
Can you just stop with the all caps, but ok, what's the question?
kk
why i cant send messages in the general chat???
Idk what cathash is but I know what hashcat is
unable to find
Once downloaded go to `Administration > Reports > Available updates`.
oh i mixed them up 🙃
this available updates option in drupal
But also: https://dontasktoask.com
Got a bit of a general question regarding the reporting and documentation module. In a professional setting I can see the benefit of using a tool like WriteHat or GhostWriter and I've been playing around with some local instances of these tools. The biggest benefit seems to be the ability to have a database of findings that you can quickly import into your final report, but it seems that you have to populate that database manually. Is that really what people do, just manually populate hundreds of findings into these databases? Or is there some publicly available database of findings out there that can be used with all the relevant information (CVSS score, description, remediation etc.)
They generally write their findings as they find them
@fathom pendant
They don't just wait until the end to update it
Haven't done this module
me 2
Ah okay that makes sense, and I guess as you write out a finding if you have a database that you can save them to then you would have that finding available for future reports.
okey
Anyway @rustic sage what's your q about the hashcat module
is there anyone who has completed the cracking passwords using hashcat
this is it 
What is your actual question about the module then
Like are you having trouble with a specific section? Need clarity on something?
i didnt complete it bc it was complex so am asking who has completed the module
complete
lots and lots of people have.
As I said, read #welcome..
done
uh,
Follow the Verification instructions.
Hi
Why does it say everything I need is in the reflective injection folder😀
Thanks bro I appreciate you. Honestly that makes me happy because I know there was no way I was messing up filtering for ID 7😂
Ahhh the duality of man
everything you need is there in that folder
backdoor is getting uploaded but it is not able to get the session
that's it
I used certutil on it and it gave me a different hash than the answer
Wild lmaooo
I’m thankful for you. It would have bothered me for quite sometime
Are you talking about the Attacking Common Applications - Tomcat section?
yes
how to get verified?
You are
my message got deleted too
👋
Your message was likely deleted due to spoilers
Spoilers for a module over Tier 0
Come on man
i mean if he deletes it you probably shouldn't post it again
again
in the attacking common app module. in the tomcat section. using metasploit tomcat_mgr_upload is producing the below error: "failed to execute the payload and no session was created"
please dont this time
I only have one question left and I need help
I feel like I haven't been able to understand everything. I feel like I'm wasting time
I believe if you do type(variable) it tells you the type
re-read the section and use the msf module in the section, it's a step by step guide. you aren't using the correct msf module.
i got the answer already. it is written in module to try with tomcat_mgr_upload too
The multi/http/tomcat_mgr_upload Metasploit module can be used to automate the process shown above, but we'll leave this as an exercise for the reader.
Well, that's a bunch of messing around you'll have to do
To get the right settings and such
This is the type I think is unique or am I stupid I don't know
ohh it requires admin credentials. won't work with the manager one
Try without brackets
not work:
```
>>> x_coordinate = (42,)
>>> type(x_coordinate)
<class 'tuple'>
```
Again
Try either whats just in the quotes, or without the angled brackets
Try multiple different things instead of just one and immediately giving up
not work:
```
>>> foo = set()
>>> for i in range(42):
...     foo.add('Cake')
...
>>> foo.add('Hello')
>>> foo.add('World')
>>> type(foo)
<class 'set'>
```
if it's better, you can translate the page into your primary language
Why did you delete the answer?
Also taking a look the answer should accept <class 'type'>
I don't have the power to delete
I have tried a lot. Why does the Internet not contain everything? I have searched a lot and did not find the solution
This is fully correct.
I've tried every combination. Doing a bit of research, seems like this is a "problem" question.
yeah, that was the last of maybe a 100 educated guesses.
Just say thanks, no need to post a screenshot of answers. Well done.
I didn't know thank you
Am I the only one that feels some of the module questions are "gotchas"? It's also frustrating that you can't get through the module without 100% of the question completed.
Is there help anywhere else? I've tried the forum and most seem stumped by the same question. The ones that got it admit it was guessing.
overall not really. i like how they put a twist on the concepts to make sure you understand the content. one thing that you may think is a gotcha may be easy for someone else, and vice versa.
@cloud urchin you're saying "overall not really" to any other help?
i'm saying overall i don't really feel the modules have gotchas
got it.
the help part, i used discord and got help here
sometimes the forums had a good hint
I'll repost the question as it looks like my screenshot was removed.
Looking for help on the final question of the Active Directory Bloodhound module:
Find the percentage of users with a path to GLOBAL ADMINISTRATOR. Submit the number as your answer (to two decimal points, i.e., 11.78).
If it was removed it's likely because it contains some form of spoiler
BloodHound question: When wanting to see all values of a particular category (User, Group, Computer, etc) are the results limited to just 10?
some default queries return only 10 yeah, at least for the legacy version
use that to calculate for the last question in the module
how can I get more nodes from a query?
I'm using 4.3.1, the raw query isn't being populated.
I finally got through the phishing section of the XSS module!
pwnbox was messing with me so i used a different machine to listen from and it worked perfect
on the bright side I really really understand it now after spending all damn day working on it
that's what it's all about
@wintry skiff were you able to get through the phishing section of XSS? I just got the flag if you still need help
Hi im stuck
INFORMATION GATHERING - WEB EDITION
Submit the number of all "A" records from all zones as the answer.
what u tried?
@strange forge I tried all zone transfers but I counted 19 A records
@fathom pendant Yes, I found it inter***.Inlanefreight.htb
I counted the sum but I don't get the result
Add the 2 together
unable to get target ip. in the Attacking Common Applications - Skills Assessment I
Not my problem lol
I'm not staff
@fathom pendant What do you mean
If you're having issues, change vpn regions
ofc i meant to say, can u try, if you are on the system, whether it's something from my side or an htb issue
Results from 1 + Results from the other
No
okies
btw does the target ip also depend upon vpn? i am not able to get the target ip even.
Yes i was thank you
@fathom pendant ty bro
it keeps ongoing target is spawning
Yes
Does anyone know if we will continue to have access to the step-by-step solutions to modules we've already finished once our annual subscription ends?
alright. thanks!
Hi guys I have a problem with the module Hunting for Stuxbot
With the mimikatz question, when I enter the arguments after it, it says that it's false but I don't understand why, the arguments seem correct 😅
Okay nevermind my fault
Hiya.
Having an issue with the module in the title. I am tasked with examining a target and finding out the password of user "Will" and submitting it.
The password hint states Sometimes, we will not have any initial credentials available, and as the last step, we will need to bruteforce the credentials to available services to get access. From other hosts on the network, our colleagues were able to identify the user "Kira", who in most cases had SSH access to other systems with the password "LoveYou1". We have already provided a prepared list of passwords in the "Resources" section for simplicity's purpose.
Using the password list provided in the module with the username Kira in Hydra does not yield any valid username/password combinations.
Using the full username list provided in the module results in the crack taking 7 hours with Hydra, and the spawned target ends up timing out and despawning before it completes.
I'm not sure what I'm missing here. Am I on the right track or is there something I'm missing?
lowercase
Kira != kira if the system is linux
Im gonna feel really silly if that was my issue this entire time lmfao
it is
if you haven't already, i also suggest using -t 48 in hydra
are you live in discord?
Yeah been using that
no
you have been here for hours
Bros just helpful
literally just woke up
Do you live here? I guess when consciousness is digitalised and we don't have to take care of biology we could stay up on our favourite subjects for ever )
Hi all, I am in the module "Shells and Payloads," in the section "The Live Engagement" at target number 2. I found the exploit to use: php/webapps/50064.rb, but I can't find it in msfconsole using the search command. I then tried the use command with the path: use usr/share/exploitdb/exploits/php/webapps/50064.rb, but it doesn't work. any hint?
you need to import it
did you try use exploit/php/webapps/50064
it doesn't work 😦
ty i'm gonna try
they can just use 50064.rb as it's just in the base folder for msfconsole
I managed to finish target 2, tx to your help guys ty. and yes use 50064.rb works ty very much
can someone help me with zephyr, give some tips on initial foothold?
Wrong channel #prolabs-zephyr , read and follow #welcome to access it
okay sorry!
may not have been my issue after all. ran with kira as the username. No valid passwords found using the password list provided in the module
Mutate the list
👍
And it still was part of it
i'll give that a go
In general you'll use the mutated wordlist throughout this module
Aight, lets see how this goes
I also suggest saving any credentials you find
Hi everyone... i'm stuck in
"Signature Exclusion Attack"
Every time when I change the value of htb-stdnt to:
<saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
I'm getting this error:
<b>Warning</b>: DOMDocument::loadXML(): Start tag expected, '<' not found in Entity, line: 1 in <b>/var/www/sp/vendor/onelogin/php-saml/src/Saml2/Utils.php</b> on line <b>87</b><br />
Something went wrong.
Even by just changing one single attribute value. How could a '<' vanish in the process? Any ideas?
how can i view only 200 ok responses when brute forcing a login using burp intruder
I used the mutated wordlist and the lab times out before I can get the password
Is there a way I can force the lab to stay there for longer?
hydra -l user (-L list) -P mutated_password.list protocol://ip -t 48
at most should be ~30 min
estimated time != actual time
just be patient
nobody? 😕
Took more than 30 minutes and timed out again
Im using the mutated password list using the provided custom file
Is that the wrong password list?
Module: Windows Privilege Escalation, Question: Leverage membership in the DnsAdmins group to escalate privileges. Submit the contents of the flag located at c:\Users\Administrator\Desktop\DnsAdmins\flag.txt. Problem faced: I have injected the adduser.dll, however netadm wasn't added to "Domain Users", and some have suggested to log out and log in again, but the changes were not reflected.
did you stop/start dns service?
do i have to do that before i log out and log in again? :0
after you inject it. Do it after you use the dnscmd.exe
you shouldn't have to log out for this to take effect, but if others say so
¯\_(ツ)_/¯
I did whatever was mentioned in the module, but netadm user wasnt added to "Domain Admins"
@mellow holly any idea why it didnt work
sc query dns after each command
check to see if it actually started or stop
also may want to post your payload
this was the payload
```
msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
```
@mellow holly I ran sc query dns, but nothing was printed on the terminal as well
Yep it works on cmd, however though my user netadm was added to Domain Groups, I was denied access to C:\Users\Administrator, might need a nudge
Domain Groups?
sorry "Domain Admins"
not sure how you got that
ok, then you should be able to get the flag
you have what you need
hmm thats weird then, why am i still denied access
dont try to access it from the same command window
Are you attacking a DC or a regular domain-joined machine? Certificate templates are different.
I tried running a separate cmd or powershell terminal "running as administrator", and trying to cd into C:\Users\Administrator\Desktop\DnsAdmins but access is denied
try adding that user to the administrator group
and log in as that user
you need to start a new session, it doesnt extend to your existing session
the user netadm has already been added to Domain Admins
does it mean disconnecting from my current rdp session, and connecting to it again?
you can do that, or do runas
or do it from your attack box
you have multiple options here
even evilwin-rm
the point is, dont get stuck into thinking you have to stay in your existing session to leverage your new privilege.
@wanton idol @mellow holly thanks for the hint, i have learnt some lessons from this
Anyone else having trouble with the VPN?
It says I'm connected but I can't ping boxes.
Hi can anyone help me in the SSI injection lab
Hi don't know why but actually without vpn's boxes are at +300 ms
Am I the only one ?
Anyone on the last question of the ADCS attacks skills assessment? I can't seem to approve a failed certificate request. I'll share briefly what I have tried so far.
I can't connect to academy boxes at all. HTB Labs are working fine though.
Alright perhaps a problem we'll wait 🙂
Was able to spawn academy box and pwnbox just now, FYI
hey hope everyone is having a good day!! Could use some help with the footprinting module for dns. The last question asks "What is the FQDN of the host where the last octet ends with "x.x.x.203"?" After running dig axfr inlanefreight.htb (ip) i found the different domains and checked the domains from the output using dig axfr. Whenever I then try to use dnsenum I get the following error, I even checked and made sure my seclist was updated and did that. Is this an error because the domains can't be brute forced or because an error is preventing it from even attempting to brute force?
the list does not seem to exist
@acoustic owl
But you are using /opt/... in your command, not /usr/...
when doing netstat -ano on a dual homed machine (has more than one nic)
TCP 10.129.43.8:139 0.0.0.0:0 LISTENING 4 means port 139 is available for one nic where
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4 means port 47001 is available for both nics
am i right?
@acoustic owl thank you for that, I changed the source from opt to "usr" but I'm still receiving the same error
The path to the file must be correct
Submit to #1234357888114364508
thank you for the help i made correction to my exact path and dnsenum worked !
Module: File inclusion
Section: Basic Bypass
Can someone help me with what filter I need to bypass in /index.php?language=languages/en.php? I found out that I can put anything after languages but nothing before it. I have tried multiple encodings and putting other things beside the ./
Hello guys,
Active Directory module - Kerberos section
I use the creds for htb-student but it's not working, how to fix it
im using the forend account, the sqldev account is not working
anybody else having problems with connection? i will start a target instance and after interacting with it (icmp request, ssh) after maybe a min it will stop.
i did killall openvpn, changed server, reset and it never worked
switching to eu made it a bit better, but still very wonky and not working at least remotely smooth (laggy ssh session, but stable)
could it be this? I am est so idk
all good here
hmm i will reset my machine, 1 day uptime which isn't usual for it
thanks
find through an SPL search against all data the other process that dumped lsass. Enter its name as your answer. Answer format: _.exe
anybody able to give any hints or tips, currently trying to solve this problem, any help is appreciated
there's an event ID for this: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events
thank you!
guys i reset my machine, checked proccesses for openvpn and theres just 1. was just in a ssh instance for a target and now i have no connection, cant ping, nothing
i was running openvpn in tmux but i've reset now running in a normal terminal window
nvm , am good
Hi guys! I'm having some issues running dementor.py
are you connected to that subnet?
Can someone please give a hand with this one, I just don't understand. Should I install anything?
i'm connected, but it said that it cannot find dementor.py
yeah it can't connect, address not valid. you're not preceding your command with proxychains, how are you piping that to the ip's?
if it's in your folder just type python3 dementor.py ...
don't include the ./
also make sure you're connected to that network
that the thing I can't find dementor.py
i'm pretty sure they give the link in the module
I got it, but shows this now
yep, again looks like you're not connected to that subnet
you'll need to pivot/tunnel
yeah it just expired a min ago ill connect again and try
ok, i'm confused. I got three ip in the example:
-172.16.18.4 this one is for the impacket-ntlmrelayx
then I got other 2:
-172.16.18.20 and 172.16.18.3 these ones are used with dementor.py
My question is, should I change one of these ip for the one that im connected to, in this case 10.129.15.151?
I feel so dumb.... Sorry. I was making the connection from my own kali and never rdp'd on the provided one xD. that's why I wasn't connected. thanks for the help
im working on the documenting and reporting module and the sample report zip file is password protected. did i miss something? i tried cracking it with johntheripper but no luck.
if u read on the first page of the section itll tell u the pass
We've included a sample Obsidian notebook and a sample Internal Penetration Test report (in both MS Word and PDF formats - zip password hackthebox) that can be downloaded from the Resources tab in the top right of this or any other module section. These are great supplementary resources to keep for yourselves but also helpful to have on hand while working through the content.
Anyone available for help on the exercise section of HTTPS/TLS Downgrade attacks? I'm fairly certain I have the right answer, but I don't know what format it wants it in.
awe man. im an idiot. thanks
hey guys
why I am getting this error
timed out
likely unstable connection
add --smb-timeout 5
I don't know where to ask this but
Just creating an account in (ISC)² = Being a member of (ISC)² ???
Also is there any fee for being a member if I don't take any of their certifications?
I visited their website and still not getting answers to the above questions
try reaching out to their support
isc2 is for their certs and stuff, CISSP most notably, you'll need a certain amount of points per year to keep the certs, that's why academy has that option, the membership is $50 a year. if you don't have/want their certs there's not really a reason to be a member
also #careers-and-certs
it worked
thanx
does anyone know
how long it will take to brute force the password for sam
Interesting little trick at the end of Attacking Enterprise Modules with Double Pivot. I have genuinely appreciated (and currently) the entire CPTS path.
Depends on the wordlist and depends on the password. For the sake of concept, you shouldn't overcomplicate it until you have to. Occam's Razor.
Also, depends on which tool you decide to use.
hydra -l sam -P mut_password.list ssh://10.129.xxx.xxx
is it correct
DM me 🤝
don't attack ssh
it will take far longer to attack ssh than other services
ftp?
if it's open, sure
also you can use more threads with hydra
-t n
48 is the most stable
so it means
account credentials are same for ssh and ftp?
tip: whenever you achieve credentials for a service, always check for reuse
ooh
default is to use the account's existing password for other services unless otherwise specified
do you know the estimated time to brute force
bcoz its taking longer
and rewarding 0 cube
what the h..
yeah
Sure
Any help on this skill assessment of windows event log By examining the logs located in the "C:\Logs\Dump" directory, determine the process that performed an LSASS dump.
I’m currently in the log. I have searched event id 1 but couldn’t find it, and neither in event id 10, which has tons of information; im stuck with the right word to use to find & filter through. I have used lsass but it doesn’t exist, same with dump. kind of confused with the right keyword to use & filter through 🙏🏻
Hi, I currently have a problem on the CDSA module called "using splunk applications"
The splunk base website keeps loading without end, has someone found a way to do it differently?
https?
hi guys, i need help. i am stuck at command injection skill assessment.
still need help on this...
Hello
I am stuck on this part
https://academy.hackthebox.com/module/54/section/502
Attacking Web Applications with Ffuf
Filtering Results
I can't get the site to load after adding admin.academy.htb to /etc/hosts
can anyone see what am I doing wrong
add the port in the url
I have
http
meanwhile it works if I just copy past <IP>:<PORT>
http vs https
ah it worked.
I tried this yesterday and it worked till here, but there were too many errors on ffuf. Ima run ffuf again. I will see if there are any more issues. Thanks for your help
these targets are running http
yeah so you'll need to filter like the module
Hi guys, no intention of interrupting you but, do you have any info regarding Attack Passwords Skill Assessment easy? Running bruteforce over FTP using the given usernames and password lists (haven’t done mutations as that would be insanely large) but no success yet. Am I skipping something? (im hating the bruteforcing along this module🤮, should’ve been wordlists with 10 or 20 passwords, not 200)
also ffuf is weird, it's best to run the terminal in full screen
you're not interrupting
it takes a while. its slow. use hydra. even I was stuck on this. that module was a nightmare.
the userlist and password list should be fine
using 48 threads should get you the next part
I see. wait I am sending the output once done
don't bother
the issue is likely you're getting a bunch of "does not exist" errors
aka not a 400/404
oh that's a whole separate issue
all errors?
that sounds like something is going on on your end
will run it again, maybe I’ve modified something inside one of the files, thx
also 38 req/sec are you running your vm with nat networking?
yep
yeah that'll severely limit
should I use bridged adapter?
switch to bridged
it's likely that since nat is using host adapter and AP, it's getting hit with your host's firewall rules
uh its at 4 req/s
weird
you were 100% right
switching to bridged worked for me --> ~400 req/s
Ill try with a diff adapter
what's likely happening is there's some weird thing going on with your adapter or router that's causing this to happen
what's your ffuf command?
tried different adapters, not working. NAT was the best
brother
is academy.htb in your /etc/hosts?
yep
i see admin.academy.htb in your earlier output... but is just the base academy.htb there?
@fathom pendant
oh. wait
YOOO ITS WORKING LFGG
Thanks @fathom pendant
i just happened to think about your /etc/hosts screenshot 
Why can't I ask in general?
You must activate your account 🙂
how
read and follow #welcome
there's instructions on how to link your htb labs account to the discord
Thank you do I have to create an account on the site?
Hahah yes
okay
you work here ?
lol no
staff have a lime green colored name
staff that aren't also mods have Green cube next to their name
No, but, I think you thought I had a lot of skills
okay I thought he worked here
look like it
just informing you how to spot staff :)
mods and admins have a neat shield next to their name
Okay and you work here ???
no
see the above rules :P i neither work for HTB nor am an admin
I just live here
Okay ✅ wait
it's under https://app.hackthebox.com/profile/settings
as stated in the #welcome message
doesn't exist
because you need to be signed into your lab account to access it :P
that link works for me on my account
¯\_(ツ)_/¯
okay
Invalid account identifier ???
DM ??
i mean are you copying your account identifier from your profile?
I did
Sorry. Busy now I can help Later
try regenerating and copying a new one
I sent you my email and password
wat
that's highly irresponsible to do
please don't send randos on the internet your email and pass
you should never share your username and password with anyone, ever
even staff won't ask you to do that
Okay
☠️
I think she likes me😂😂
this is why cybersecurity is an important field
and security awareness is important
@rustic sage i highly suggest you delete that login info from your DMs with them
I am not a thief 😒
not the point
She knows I'm good
sharing login info is still highly irresponsible
sure bud
I hope this is a joke 
thanks for helping
Thanks
glad you got it to work
while they may not have malicious intent, it's still not good security practice to share login details
ever
Thank you, I am a quick errand guy 🚇
it's why the policy in businesses is to do a password reset, not ask for login info
@rustic sage since it's resolved I also suggest changing your password
as a "just in case" policy
:P
I wrote all this to her
And She changed the password
Yeah 👍
omfl
i would have guided without logging in
as that would have been the more responsible thing to do
I'm kidding, I didn't log into her accounts
I took a screenshot and explained to her how
Thanks for the tips
and he said you should learn Python at first.
Is that true??
it depends
python is a fairly easy to learn programming language but it isn't required depending on what you wanna do ¯\_(ツ)_/¯
https://automatetheboringstuff.com/ is a good intro to python from the ground up
you're funny 😆
Well, thank you
but if you're interested in penetration testing stuff as found on HTB academy; then python isn't really as necessary
if you're looking into doing bug bounties tools can be made quickly in python to automate simple tasks
Is There a Good Channel on YouTube
i don't really watch coding content or anything like that on YT ¯\_(ツ)_/¯
These look good to me.
Pro Code 🧑💻
we're getting off-topic for the channel you can look in #programming for any sort of tips or stuff that other people have found and shared
You're so kind.
And I helped you
Thank you, too. hahh
if you wanna sign up for HTB academy to look into some of their learning options, that's also helpful (be aware it's a bunch of reading). They also have a beginner bug bounty cert
Hey guys, newbie here..
It costs $1260 too expensive. Is there a subscription per month like $50 or $60?
if u have a university email you can get access to up to tier 2 modules for 8$ a month
hello shark
hii
this channel is for discussion and help with academy modules, not a gen chat
ok, got it
Yes, I have a university email. Can I get a discount for subscribing to the 1260?
no
okay sorry
the discount is a monthly sub of $8 and includes all modules up to and including tier 2
bruh start with 8$ a month to see if you like it. even tier 2 modules are tough as is
so you'd have to still purchase an exam voucher separately
only if you don't have much pre-requisite knowledge
some of them are fairly easy, comparatively, if you know some of the underlying concepts ¯\_(ツ)_/¯
yes. thats my pov as a noob
do skill paths then
build up skills, the job role paths also build up basic skills
and it's recommended to do those paths in order ¯\_(ツ)_/¯
as they build off each other mostly
i.e footprinting before attacking common services teaches you how to 1 sniff them out and test for basic misconfigurations
like anonymous logins for ftp or NULL/Guest sessions for SMB
you're right. I'll do the free trial and then pay for a year.
there's no "free trial" so to speak
Thank you, too.
I also suggest setting up a VM to work off of
it's just overall best practice to work off a VM
Hello, I have been kinda stuck on this question for quite a while: "Investigate the USN Journal located at "C:\Users\johndoe\Desktop\kapefiles\ntfs%5C%5C.%5CC%3A$Extend$UsnJrnl%3A$J" to determine how "advanced_ip_scanner.exe" was introduced to the compromised system. Enter the name of the associated process as your answer. Answer format: _.exe". if anyone could provide some hints that'll be great
OMG.. getting pretty annoyed with the instability of the pivot and target systems in RDP and SOCKS Tunneling with SocksOverRDP. I get all the way to logging in as jason on the target system and before the desktop loads it times out. I tried to kill and re-initiate the RDP session to the pivot host and now I can't even connect to it. This is my 3rd attempt after resetting the targets.
nice, ok
Although.. the issue is from the foothold host to the other hosts, so I'm not sure how my vpn connection factors in?
Maybe in the remote desktop settings switch to modem as shown in the section
anyone able to give me a hand/insight? I'm trying to get PHP wrappers to work, but / and = are caught as malicious, and double URL encoding gets it through, but it never renders anything on the page
What academy module?
If it's not related to academy then maybe #web would be better
ah ok thanks, ill take it there
Hello, can anybody give me a hint? I am on Attacking Common Services > Attacking FTP. I managed to find the right FTP port and have already got the username r..., but I was not able to get the passwords.list file from the FTP. I have tried with my normal Kali user and the root user, but the file just doesn't download (stuck like in the screenshot). From the comments I found I need this file to brute force the login with medusa. What am I doing wrong? ^^
You don't need to be root to connect, as you're just logging in as anonymous anyway
It seems like a connection issue
Try changing vpn region and respawning target
Strange I was able to nmap and connect without issues, could also download the users.list, just not the passwords.list
Ig the passive mode is the problem
¯\_(ツ)_/¯
I will try to reset the target and change my VPN region if this is not working, thank you!
I'm looking for some guidance on how to get past SSL_ERROR_RX_RECORD_TOO_LONG when trying to get the sites in the tests at the end of modules. All the docs I'm finding say it's a server-side issue.
have you tried using http?
It worked, after changing my VPN region and resetting the target I was able to get the file straight away 😉 Thanks again!
I have, but then I get connection timed out.
is there a port you need to use?
Yeah, I did account for that.
what module and section?
I need some direction for Windows Privilege Escalation Skills Assessment 1. I'm attempting to run JuicyPotato.exe on the target using the nc.exe binary. I've been through almost all of the CLSID.list (system only) after running GetCLSID.ps1. Yet, I don't receive any output or error when running the JuicyPotato.exe command. I've seen in some examples that they get a "Testing {Enter CLSID here}" but I don't receive that. I've also run Set-ExecutionPolicy bypass -Scope process. I can provide screenshots if need be.
XPath - Authentication Bypass
i think you import GetCLSID then run a command like Get-CLSID
but i could be mistaken in how it works
Import-Module GetCLSID.ps1 ?
I was just running it. I'll try and import
a lot of .ps1 scripts are just import-modules
if JuicyPotato doesn't work maybe PrintSpoofer might
¯\_(ツ)_/¯
When you mean kill and re-initiate, you mean CTRL^C?
I have more success with PrintSpoofer tbh. However, I need to get more comfortable with JuicyPotato. I'll reset target and try again! Thanks!
Can anyone help me with a phishing email I keep getting it's so confusing
at least you know it works
what academy module is this related to?
Ah apologies it isn't
we don't help with any phishing emails or such
No problem
you can keep it to yourself for posterity if it's horrendously bad grammar
those are always fun
It's just the series of events seem very strange but I won't divulge if it's against the rules 🙂
this wouldn't be the place to really discuss it anyway
as this channel is for academy modules
No problem
Okay thanks
just be mindful of not sharing personal details such as email
I believe your issue might be surrounding CLSIDs and the system itself. If you look at the PowerShell script, you can sort of glean what the logic is attempting to do. My theory is that if it isn't a valid CLSID, or the script isn't working, then you could try to adjust the script in the Parrot OS on the target box, or try a different CLSID. Hopefully this helps with JuicyPotato. ;D Also, PrintSpoofer is also nice for LPE if available, as Marcie pointed out.
Also, dont forget syntax
That's good information! Thanks! I'm trying PrintSpoofer for this exercise now and I think I found the problem. I'm not getting any output for any of my commands. i.e. PrintSpoofer.exe -h So, correct me if I'm wrong, that means I need to get a better shell?
exactly. Back to square one! Thanks everyone. I'll grind it out
DM me how/when you figured it out! Would love to know how you got it!
For sure!
I don't have the module unlocked but I doubt it's an issue with the module. doesn't sound right that there's an SSL error on https and times out on http, so is there a response or not?
make sure the url parameters are correct
Ah, I bet that's it.
I'm in the Broken Auth module, CBBH path, so I'm stuck in the default credentials section, looking for SCADA default passwords, but none work. What should I do?
one set should work; just gotta dig around a bit for default passwords
that what i think
Just to confirm, I'm in scada-pass.csv, am I good?
ohh
I was on seclists
ah
idk if the seclist one is the same
but keywords on the page may help
such as company name
iirc it might also be in the Title of the webpage
precisely because of that I was looking for
maybe
try looking for just the company name
Guys, I don't see an explanation on pwnbox usage/access by premium plan or other subscription ...
I'm platinum at the moment
unlimited
Got it
I know but where is it to access it
wdym?
on the web page ...
when you open a module there's usually either at the side/towards the bottom the "spawn instance" button
the spawn is only accessible within a module
the other annoying thing is it resizing whenever you go to the next page
which there is no way around that
as it draws its size from the most recently loaded window/portal
Hello, I hope you are well. Please I need help to do pivoting with ssh combined with proxychains. I'm currently following HTB's “Pivoting, Tunneling, and Port Forwarding” module. I just installed proxychains and not proxychains4. When I do dynamic port forwarding (ssh -D 9050 username@external_ip) and use proxychains to scan an internal network address (proxychains nmap internal-ip) I always get this error until the end: |S-chain|-<>-127.0.0.1:9050-<--timeout
|S-chain|-<>-127.0.0.1:9050-<--timeout
if you 'just installed' proxychains then it may be using the proxychains4.conf. on my kali box it uses proxychains4.conf i believe. if that isn't it, double check to ensure you're selecting the correct type of proxy
hey, having problems with the Attacking Active Directory and NTDS.dit section in the Password Attacks module. I'm having problems running crackmapexec; I've done this a few times now in other modules with no problems. When I run the command I am not getting any output. I did once get it and it was coming back, but I can't remember what it said. Is there a way for crackmapexec to display logs of what it is doing so I can troubleshoot and see where it is failing? image for reference:
as I'm using proxychains instead of proxychains4 my configuration file is /etc/proxychains.conf and at the end there is socks4 127.0.0.1 9050
usually it will output something, looks like it can't reach the target at all. are you connected?
yeah I am connected to the vpn, can ping the machine
sounds right to me. do you have a proxychains4.conf inside /etc?
solved
you don't need to su to root for crackmap
it's bad opsec to be running around your system as root; very easy to accidentally break something
ok wasn't aware of that. same issue running as regular user
Anyone having issues with academy ?
gonna try a fresh machine and reboot vm, see if that changes anything
make sure you're still connected to the vpn
i'm using the EU VPN and i keep getting booted out of my RDP session and i can't run commands because it's so slow
So, I'm getting a sparc/bsd shell using revshells and msfconsole multi/handler. I've never had this issue before getting a reverse shell. Probably going to need some more assistance troubleshooting.
¯\_(ツ)_/¯
i don't generally use msfconsole multi
i'd say make sure the payload is set right
I dont either but I tried it as another option. The reverse shell is coming from a command injection. Even after loading a payload. I still can't execute it. So, I'm a little confused there
guys pls help here
You cut off all the parts that say what the error is. From what I can see it's timing out, try adding /timeout:100000
on top of /timeout:100000 add /dynamic-resolution and /cert-ignore
rebooted VM, rebooted machine, running as regular user, can ping machine, ifconfig showing tun0 for VPN connection. is there not a way to do verbose to see where it is reaching in the process? might just have to try on the pwnbox instead of VM
thanx
no, i deleted it before installing proxy
Well I don't know about your setup but that could be the issue. I have the latest version of proxychains on my kali box and it uses proxychains4.conf. maybe restore that and try it with that, your ssh command looked right for dynamic port forwarding so as long as proxychains is setup correctly it will work. you didn't show your /etc/proxychains.conf but from your description 'it is setup properly'. maybe reboot the victim box.
weird, running fine on pwnbox. must be an issue on my end
isn't there a powershell equivalent?
Your command looks off to me. Technically by default you can use 9050 as the port to dynamically proxy into/out of; so your ssh syntax looks fine as long as you a) know the password b) the next best thing to a password. What I see that looks off is the command for the nmap scan. Try using the IP address specifically. No Port Number.
(You may dm me a screenshot of your command output.)
the command works in powershell, but specifically for getting the sid i don't think it works. the module says specifically to use cmd.
i'm not really sure, but that's my guess based on his screenshot plus the info from the module saying to run it in cmd
yeah
why can't i access the admin desktop ?
check privs
i've retrieved the sid before a bunch with powerview
i'd be more curious to know why the module says to use cmd and why it doesn't work in powershell but works in cmd
it's likely because wmic in powershell is aliased to get-wmiobject
so syntax is likely slightly different
it's likely a case if needing to do -Identity
that makes sense, the error he showed did say invalid query
or because it's useraccount instead of win32_useraccount
and that slight change might make it work
¯\_(ツ)_/¯
if anyone is interested and hasn't heard, Broadcom has made VMware Pro free for personal use, so you can get the pro version right now totally free. i believe you can take snapshots with it and create a virtual network for a separate VLAN for your VMs, and some other little stuff.
pls look at this
is that what they're called?
not SAM.save or SECURITY.save?
etc.
yes
even with capitalization?
Transfer those files again, one of them is corrupted
okay
thx for this info
guys I need help with the shells and payloads module, last question, I tried using the metasploit modules for eternal blue (PSEXEC and others)
and still no luck
and @fathom pendant wdym closing and reopening it
and making sure you set LHOST to the proper interface
and regenerated a new target
it's the IP of the "target" (aka the foothold) machine no ?
no
considering the targets are on an internal network; the callback IP should match the similar interface
gotcha
as the internal machines don't have access to the vpn network
shit
everytime when I try to move system.save
it shows error
if you're connected via xfreerdp; there's a /drive: option
no need
your attack host has an interface on that network
172.x.x.x
do I need to add /drive in the command
yes
kk thanks
/drive:name,/path/to/directory/
got it thanks
can't understand pls explain
that's just the format that would be added to the xfreerdp command
name would be whatever you wanna name it
/path/to/directory/ would be the path to w/e directory you wanna share
i believe you can do ./ for current one
okay
Module: Attacking Enterprise Networks
I'm having a similar problem, I have the ||pivot with ssh dynamic port forwarding||, I can reach the ||172.16.8.20 web application from my host machine|| but when I try to login ||with the administrator password found on smb the page begins loading infinitely until it gives me a "the connection was reset error|| can someone help me?
try flipping the path and name
means?
means do the path before the name
also try putting the password in single quotes and see if that fixes it
sometimes it's a bit touchy
well you didn't specify the name
try wrapping the password in quotes
just the path
.
i believe you must have the /drive flag syntax correct like MarcieLee said
after /PassAttack add ,name
isn't it /drive:name_of_drive,/path/to/folder ?
i think it should work /path/,name as well
it works either way afaik
xfreerdp goated??
if it's not the syntax then restart the victim box, make sure you're on the vpn etc
Either way works
sometimes it's just silly
i didn't know that
I always do path,name
idk if you need to close off the folder with / or not
yeah let me try
You can also just try remmina
Take ownership
Hey, I am doing the same but neither any potatoes nor PrintSpoofer works so far
I was able to get JuicyPotato to work, however I'm still stuck on question 2 and 4. 😄
Did you reboot the victim machine between tries? I recall the potato attack only working once, and then it would not work again until I rebooted it all, then it worked once again.
ah no, I didn't thanks
yeah see if that helps
every time the SAM and SECURITY files move nicely, but only the SYSTEM file gets a network error
which version? the NG or any older/newer?
k4sth4's Juicy-Potato
Guys, I'm doing an nmap scan on an IP address and it's taking ages; it's gonna take forever. How do I speed it up?
what module
how long is 'taking ages'? depending on your scan settings you may need to change your expectations
-n
Do port scan and service scan separate, add --min-rate=xxx
yeah, I'm just doing an nmap -p- scan on an IP address
or just do -T 4
not doing a service scan
what academy module is this for?
:)
ah
Hey guys. Does anyone have an idea why would my webshell not run when it apparently starts with a letter "b"? I was naming my shells "backdoor" and couldn't make them work but when re-named them "webshell" they ran just fine
-T 4 Doesn't set a min-rate.
yes...it does
nope.
ah
i was mistaking it for max-retries and the timeout
even still it's faster than default (-T3)
doesn't let me paste screenshots here
my point was that -T4 sets a slightly more aggressive scan time
because your account isn't linked
how do I link
read and follow #welcome
but anyway
setting -T4 will speed up your scans usually
Which one of those skips DNS resolution...?
and sometimes specifying -sT
-n
-n
it's separate from timing
what exactly does -T4 do
look at the chart/link ChopperBZ#! linked above
nmap sent probe packets to a host and it hit its limit
nmap will retransmit a number of times before it hits its cap. You can increase it with `--max-retries`
you sure about that?
you sure about that 😁
google is your friend
Good time to learn the lesson that Nmap service names are not a "source of truth", it is guessing.
got it = 3d-nfsd
Also to save you some time: the creds for the "bob" user is on the page somewhere
(File Transfer Module) So I'm trying to upload a file from a Windows machine to my Parrot box and I cannot really access the GitHub page https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1 in order to download the script that allows uploading from PowerShell. I tried the commands they've shown in the module and other commands like curl and nothing works. Eventually I resorted to uploading the file by encoding it in base64, copy-pasting, then decoding it, but I seem to get an error when running the script and I couldn't find ways to resolve it online
i don't think that host is connected to the internet, so you can't download it from github. download it to your machine and transfer it over to the windows host.
Well, I have done that but the script returns and error
due to "unclosed comment" although it is closed
I also tried downloading and running a different script and I got pretty much the same error
my guess is you didn't download the raw file
You can check the link, its a raw file
I ran wget
And I also tried to download it again from the GitHub GUI by clicking the download button ¯\_(ツ)_/¯
You'll need to download it to your machine, then transfer it over
Yeah the problem is that it does not run
¯\_(ツ)_/¯
welp, the error says where the script is failing you can just edit it
That's the problem
If I delete the comment it says that I am not closing the function
Even tho I am
Maybe I'm not supposed to use IEX like that?
throw it into chatgpt and ask why it doesn't work
😂 I think our jobs are safe
OMG! You used InFile and not InFile.... lol
I managed to "solve" this by just editing the script to send a specific file to a specific host and make it without any functions (I guess technically it has a main function)
how do i use the ftp command line utility
'ftp'
Regarding webshells. What can I do when my shell downloads, rather than displays on a browser when I access it via url?
I tried to curl to it, but then it only displays the script inside of it, not executes it
wget
Install FTP command on any operating system and in Docker.
Sudo apt install ftp
just in case you were interested. revshells was giving me a bad shell somehow and so I had to download Powercat.ps1, import, and execute to call back as a one-liner reverse shell to be able to get an interactive shell. 🙃
There's more than one revshell you can get from revshells
weird ftp isn't on the parrotbox already
try locate -i ftp see if it's just a path issue
Hi! I'm working on the password skills assessment (hard). I have already accessed the file d* has access to, and got the password with our friend j*. Anyway, when I try to interact with that file, it asks for the Administrator password, which I clearly don't have. But I do have the password of the "file" itself. Am I doing something wrong?
na, doesn't exist at all, but
that's cuz I haven't installed it, cuz it just doesn't work
I've installed it like 3 times and when I restart the system
it's back to this; it never actually installs
~
i use kali so idk
Preference
I use parrot
Just do sudo apt install ftp
Not ftp.app
Also looks like your dpkg is messed up
Baremetal or vm
like, I install it, I go through the whole process, it says it's done and now I need to restart it, I restart it and then it's just back to the normal screen
vm
You need to unmount the iso
so do i unmount after or before installation
It depends on the software
sorry, mentioning it in case you haven't seen it 🙂 (in case you have and can't answer, no problem!)
So again. Google. The steps for virtualbox are different than vmware
i use virtualbox
This skill assessment goes back and forth quite a bit
If it's the .vhd file: mounting it on a device you own will help
makes sense
I was mounting it on the machine itself
Go to settings and you should be able to do it from there
Yeah, that's gonna get nowhere fast
sure
Plenty of online articles, and articles linked in this chat on how to mount on linux
I know how to do so, yes, I was so focused on the machine didn't notice the obvious
A handful are as simple as do as you read
thank you very much
erase disk?
It's in the vm settings itself but yes
If you want to just install fresh again
If you've already gotten to the restart machine portion, it's as simple as going into the settings for the vm and unmounting iso/changing boot order
Right click the iso
which one
It may not let you if the vm is running
HTB.vdi
whats the HTB.vdi part
That's the virtual disk image
cold
Aka the place that your storage goes in the vm
unmount and reboot. i believe the calamares installer also tells you the same
Sorry, I'm bumping it, but I'm curious if anybody encountered this - google doesn't give me great answers
then you can unmount after turning it off
yeah, launch and it should give you the GRUB boot menu
it depends on how the server is configured, it may be configured in a way that prevents the interpretation of certain file types or scripts
Okay I see, thanks. I will keep that in mind when curling future webshells to not waste much time thinking I was doing something wrong