#modules

Invalid syntax near ''. Oddly enough I'm using the exact command shown in the solutions/walkthrough section of the module.

Invalid syntax near '\' Sorry, formatting

weird

it should work ¯_(ツ)_/¯

can you see if you can log in with administrator and the password

terminate the machine, and restart it

also restart your vpn

make sure you also have no other tunX interfaces

Yeah, it's very odd. Been stuck here for a few days. Evil-winrm fails with the creds I set

¯_(ツ)_/¯

try changing to EU vpn and repeating the steps to that point

not showing the full result @fading spoke since it would be spoiler; it didn't do require -Pn

Worked on EU vpn! Thanks, much appreciated

note: my test was with pwnbox + US-2

Hey guys little scripting here can someone help me?

That was my test but it doesn't work i receive the don't work output..

it's technically the last 19 characters

try with those

Yes okej but it doesn't matter rn because i got the Don't work output so it means that the conditions are not correct right?

correct

seems like something isn't working as you think it is

Is there any white hat guy

I need serious help 🙏🏽

with?

otherwise we're assuming that you're 1) trying to solicit work or 2) trying to get someone to do something illegal under the guise of pretending it's all legal

But based on the question can you help me and tell me wich part of the conditions is wrong?

i don't do bash scripting and you can likely just google this exercise and find someone that has

Don't ask about illegal hacking activities

Noted

But my situation is serious that's why I am here to take help

You can contact the police and Facebook Support. That's all you can do

^

@acoustic owl can you give me a hint maybe?

Hi! Doing skills assessment in Trust Attacks. Have a trouble: I can not launch Rubeus because of .NET3.5. Can not install this .NET, tried to install .exe from microsoft site. Maybe some ideas how to bypass it?

I truly appreciate that but for that if the page is viral this is not good for us 🥺

well then 🤷‍♂️

it looks like your size is wrong?

thug it out

wait nvm

but == will not match substrings

omgg i knew ittt

you will need to find out what operator will match a substring

i just didnt wanna seem dumb bc i dont do bash scripting 😂

i mean

it's practially similar in most cases

that == is a direct comparitor

dont u need tk remove the "" from value and var?

how you compare substrings depends on the language

no

Hello guys, could anybody help me with the OSINT Third Party Assesment. Where you need to provide the Cloud provider ? Kinda tryed everything

but there's a few other things that could be incorrect; but I just kinda clicked on the first medium article after googling about this module

true

try to output the last 20 characters with ||tail||

they aren't getting any output, they are getting their fail condition "Don't Work"

I personally used a counter (count variable), works well too then perform the comparison for if the counter is greater than the value required

oh, I see

yeah, confusing language barrier

"Don't work" isn't really a great fail string

I am currently solving the live engagement section from Shells and payloads module,
for this i have to use the Foothold PC through rdp
but the connection is so slow and laggy
my internet is good btw,

how to solve this
tcp connection also not fixing

the following feature could not be installed error. Could it be the trouble with specific version of Rubeus?

is ${#var} really a thing?

change vpn region

yes

Okej i will try all of you advice if i cant find it i come back lol

it gets the length of the variable

give it to chatgpt ans let it explain it to u

wild

a personal tip ||count=$(echo $var | wc -c)|| then compare the value of the count with the 113** and if it exceeds that no. of characters it executes the command in the if block.

bash is sorcery.

that's extra

also ${#var} basically does that

I didnt spend time on that one tbh just ran with that and solved it quick, only problem I had was the number of characters that the question asks for

thank you for this

https://tldp.org/LDP/Bash-Beginners-Guide/html/sect_10_03.html

still same

hey as long as you got the answer

did you try all vpn regions? also try with the pwnbox (don't forget to close the vpn on your machine when testing with pwnbox)

If issues still persist, contact support

academy down or is it me ?

seems to be academy

Seems to work okay here

I can't RDP to the machine, it's too slow..

...

Press enter

it does not work

Hi, about this question - Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer. (ACTIVE DIRECTORY ENUMERATION & ATTACKS > Kerberoasting - from Linux).
I can't get the TGS in any way, it's always says Principal: INLANEFREIGHT.LOCAL\SAPService - [Errno 104] Connection reset by peer tried switching servers, restart my machine and to spawn a new target.
Can somebody please check it out?

use the eu vpns

where can I report problems from the HTB academy?

Tried that already, says the same thing.

try with pwnbox

If it's a semantics or target error not related to technical issues, #1234357888114364508 otherwise, support

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

Just tried that, I got the same error.

Same for me too

eu5 works

just tried it

is that DeepL?

yes

it repeated itself like three times lol

^

Sounds like it's going insane

maybe if the boxes up specifically for the user, these problems would not occur.

sorry

They are

it's not your fault, it's just DeepL being DeepL

You can't attack someone else's lab

Is it already?

Module ----> DOCUMENTATION & REPORTING

Section ----> Documentation & Reporting Practice LabSounds like it's going insane

Can someone give me a hint about this section, I have listed users and passwords and I have valid ones, but none of them allow me to connect to the DC, I have access as Local Administrator to the machine 172.16.5.200, 172.16.5.130 but I don't see anything relevant.

Only in cases of the docker containers can you interact with the same target

In my old company, proxmox was used and target boxes were cloned specifically for the user via API.

Ok? That's not how htb academy labs are structured

It wouldn't be conducive to learning if someone else can mess with your academy lab

Worked, thank you so much!

If that's how Enterprise structured it, that's different

But Enterprise != standard and academy != main site

Yes other users can interact on the main site labs, if it's not Release Arena

I agree with you

Hi all, I'm trying the PasswordAttackLab-Easy may I ask if after the port enmureation it's just only spread&pray to BF the right user and password or am I missing anything?

I believe so

Though they do give you a username to start with

I believe

yeas I'm using the provided user and pwd list

I'll wait so thx

hey guys
does HTB have any resource to learn smart contract hacking at academy or not ?

Anyone have anything for this? it seems this problem has been going unanswered for a while now, I have done everything in the following paragraph

Hi
When using hydra or crackmapexec to bruteforce the password for MSSQL server, how do we know which authentication mode is in use by default? And if we were to change the mode, how can we do so?

Does anyone know why this error occurs?

Contents of shadow.txt

set context persistent nowriters
add volume c: alias benib3astt
create
expose %benib3astt% z:

Module ----> DOCUMENTATION & REPORTING

Section ----> Documentation & Reporting Practice Lab

I'm trying to dump the ntds.dit but I'm getting that error xd

Well mssql is windows, so, local-auth is usually the case

you mean Windows authentication by default? How ca we change the mode?

-local-auth I believe it's been a minute

Connecting by RDP and doing it from a cmd if I get to let me and not give me error, does anyone know why this happens?

In crackmapexec, if we are targeting Windows server that is non-domain joined, we use --local-auth right? Let's say in the same non-domain joined target, MSSQL server is running, and there is a user ABC who can authenticate to the SQL server using just the SQL authentication. Then, will simply using the command crackmapexec mssql {server_ip} -u abc -p {password_list} --local-auth work? Does this command work for both the authentication modes?🤔

It generally will work --local-auth

Generally sql auth inherits windows auth

sorry if this is not the correct place to ask this but if I downgrade my HTB Academy subscription, will I be charged for it immediately or will I be charged when my current Academy subscription ends?

I am doing the hard lab of "Attacking common services", trying to escalate the privilege to admin. I have got access to the MSSQL server as user f*, after which I impersonate as user j*. When I try to check if the user has admin rights on the linked database or not using command EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [linked_db_name], I get the output as 1 1 1 1, which is not the same as it shows us in the previous learning section. How should I interpret this response? Does it mean that the user has admin rights? Or not?

Support best place to reach out

I know if you cancel, you keep it until the expiry, unsure in downgrade

Next billing cycle

Sorry for the late response, yeah that was the case.
I was curious because after I build few chisel tunnels and was trying to access network D from C. I wanted to go back and access hosts on previous networks (let's say B) and I couldn't

I just finished the skill assessment in the pivoting and tunneling module, was really fun

I don't know if this is the right place to ask, as I am new to HTB academy, but can someone help me with the shells module. Its not the content that confuses me, its accessing the machines.

Wdym accessing the machines, either use your own vm + vpn, or the in-browser pwnbox

Right, that I knew. But I need to spawn the attack box. which I do.

And spawn the target

By clicking the green text "click here to spawn target

But then when I try and nc, its not working. I am working in the shells module.

Wdym trying to "nc"

What section are you working on?

Dont remember any exercise in there was doing it via nc?

NC isn't the only connection tool you can use

And most of that module is webshell stuff

Page 4 " Bind Shells"

And the bind shell is meant to be run from the victim machine, not your own

Right this isn't new to me, just the environment

ssh to target, create bind shell, connect to that target from the attack machine

nc -nv ip port generally

As shown in the section

Yeah I got it. its just a little confusing with how it is worded.

?

What's confusing about the wording?

Like what the target vm (pwnbox) is, and client. I understand bind shells are unique. Because in this instance you have to "sign in" just to start the listener.

Target isn't the pwnbox

The target will always exclusively refer to the 10.129.x.x

Yes, because bind shells have to be run from the victim/target

As they create a temporary persistence (until process is stopped/machine restarted)

The difference between them and revshells is that you can connect/disconnect as often as you want

So when it references the pwnbox, is that the webgui/openvn connection? just want to make sure I understand the right terminology

Correct

right 🙂

Attacker will always be your "home base" machine

Perfect 🙂

Thank you for your help, it helps clear up the terminology.

If you see a reference to a secondary network to connect to, generally 172.16.x.x, that means you're meant to navigate to it via the victim in some manner (the pivoting module teaches pivoting/port-forwarding techniques)

Good heads up, thank you. I have done some of this before. And It was recommended looking at some of these courses.

Also don't be thrown off by the need to sign in on some of these, assume the position that you have entered the network, and need to set up some persistence to connect back to later without needing to use a logged service like ssh

Right, thats usually how I think. But its good at starting at very beginning.

Some modules place you "in the middle" of an engagement, as a "your colleague found x info, pick up from there"

they need to fire his sloppy ass i swear

😜

dude constantly half asses reports and doesn't ever finish his job

In the ad enum skill assessment I they drop you in with a webshell, and II there's a connected linux host to start from

Hey he got me ceil's login amd saved me 5 minutes of hydra

That one is on my radar too, so thats a good heads up. I like how they kind of walk us through it

If you're planning on CPTS I highly recommend doing it in order

Stuff you're used to, you'll likely breeze through and maybe pick up some new tech along the way

Yeah, maybe I should.

If you're new to a linux env, I tentively suggest the infosec fundamentals path

I say tentatively because the linux intro module needs a tiny tune up

Stuff feels out of order

Compared to most other modules, it's the weakest

That I am not used to. I did do that one, but might have missed some stuff

I also suggest looking up a bash cheatsheet

So you can quickly reference file stuff

Like redirects

Probably should. I use bash everyday, but I use it MY way, and am self taught. So I probably have learned some bad habbits.

But thank you for your help. Much appreciated. 🙂

Good skills are built on strong foundations

Hey guys i already know the awnser but i wan't you perspective, what is the difference between those two?

${#var} is the length,
$var is the raw value

thats why my i blocked on the awnser ^^ idk why its not specified in the module but i forgot to make more research

Nah, the coding modules encourage and require extra research

didn't knew it in the beginning thannks 🙂

@fathom pendant lol the tel it you in the next module -_-

(They may have expected you to do an (echo $var | wc -c)

i did a tail -c 20

Well yes to get the last 20

I meant to check the size

ow yeah posssoble

Hi guys, I have a couple of questions
Running kali-linux as the host OS or on a Virtual environment, which is better?

And
is using a laptop better than using a desktop or vice versa, if so, why?

Vm is better, common practice is to run your attack machine in a vm

It's probably better to run it as a VM, that way you can backup/restore or easily re-deploy etc.

vmware gang

Desktop may be more ideal as scalable specs, but most basic laptops can run most *nixOS vms just fine

As most vm require ~4GB of ram at minimum to run smooth and a lot of relatively cheap laptops run 8GB

So it really doesn't matter, no major benefits and differences?

Just preferences

The bonus to a laptop vm is portability

Well desktop are not automobile

👍

Okay, thanks

I'd say invest in an external drive to store vms on

That way if you ever upgrade/move on, you don't gotta re-set everything

Like a flashdrive right or can I utilize a hard-drive too for the vms??

Definitely not a flashdrive

Flash memory is too volatile

Hard drive is fine, external ssd would be better as it can withstand a bit more punishment

Okay and can I use any of these consecutively for 2weeks or more without having any issue?

Yes

Generally ssds are meant to have a long r/w lifespan

👍

hello everyone

after to solve an exercice in a module, is it possible to have an official solution?

Only if you have an annual sub, there's an official writeup/guide for each module

While I disagree with it, it is a thing

ok so it is exists with the annual sub. Thanks!

And is available without needing to complete the module

Hence why I have a partial bias against it

While I admit at some moments when I was deeply stuck i wish something like this would exist, but in hindsight I'm glad it wasn't

at least not for free

It's ok if you're truly stuck, and have tried every avenue to move forward. I.e. re-reading, asking here

My main gripe is that the answers aren't hidden/obfuscated in some way in the guide

Ish. Seems like an oversight. I've started writing write-ups myself that is mostly only meant to be read by myself and even I obfuscated the answers

Yeah, I've submitted feedback on it

Seems like some bug with the formatting

footprinting - dns - What is the FQDN of the host where the last octet ends with "x.x.x.203"?
Can anyone help me with this question please?

you have to find all the zones

You'll need to be fierce about it

Yeah, im using the right wordlist, and i've found some of the subdomains

cant seem to find the .203

I Absolutely love the red team experience from Parrot security on a VM…

remember that not every zone allows a zone transfer

The right initial subdomain might not be in the fierce list, start first with a basic transfer

sometimes using two ovpn at the same time work fine and sometime it conflicts like if 1 work other don't

what to do so that they don't conflict each other , i know they can work at the sametime but don't know how to do it manually

don't have two vpn connections simultaneously

because they don't work simultaneously

Yeah, you should only be running one ovpn connection to htb at a time

the traffic will be routed very weirdly

Otherwise you get collisions and dead drops

Where the vpn router doesn't know where to send the traffic back

So it just drops it

that what i use to think but sometime they work both at the same time thats why i thought their would be setting that i am not aware of

there is no such setting

ok

Hi its been more than 40 mins and I have retried a few times within that time span after almost every 10 mins I cannot spawn the citrix target from windows priv escalation

This one is spawning for more than 15 mins

any idea what should I do??

finally it spawned

it will happen in future also , next time use that 40 min on other place

i also wasted when it happened to me first time

yea I was making notes for the previous modules I missed

footprinting-dns-Identify if its possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{...))? anyone can help me

Yes the user has admin rights! I was not able to execute other commands due to conection issue.

Hello Bhaiya

Hi everyone! In the Footprinting SMTP module I used Metasploit to enumerate SMTP users and find the existing user on the system. This technique was not shown during the module, and I completely understand that not everything is spelt out and some digging is required on our end. How should I approach these situations moving forward? I wouldn't want to find an "easy" way out that would undo the techniques I've learned throughout the module. How should I tackle this?

What do you need help with?

I believe the module also talks about smtp-user-enum

i tried many time but i don't knwo what is the wrong with me

does your command to return subdomains work?

yes

let me send it

dig axfr <domain.tld> @<nameserver>

this one and i tried all typies zone

Did you try brute forcing?

one time let me do it again

look in the DNS discovery wordlists for seclists, start with the smallest list and work your way up.

Hey! At this point, we should be able to leverage our new group membership to take control over the adunn user. Now, let's say that our client permitted us to change the password of the damundsen user, but the adunn user is an admin account that cannot be interrupted. Since we have GenericAll rights over this account, we can have even more fun and perform a targeted Kerberoasting attack by modifying the account's servicePrincipalName attribute to create a fake SPN that we can then Kerberoast to obtain the TGS ticket and (hopefully) crack the hash offline using Hashcat.
The question is: Why do i need to assign SPN? Why can't I use the default one?

It does not. I just CTRL+F'd to see if I missed it.

An SPN is required to generate a ticket in Kerberos. If there is no SPN you cannot kerberoast the account.

But why can't i get user SPN? Isn't it assigned by default to every user?

No, SPN is a Service Principle Name and are specifically associated with service accounts not general user accounts.

Oh, okay, thx

You can learn more here https://learn.microsoft.com/en-us/windows/win32/ad/service-principal-names

i do it

it is give me three subdomains

what wordlist did you use

subdomains.list

where did you get that, is it in the resources section?

😮‍💨 the terminal closed

It doesn't mention it, but I'm wondering how to best approach these situations moving forward? I'm assuming we're learning a lot of different techniques that are more difficult to utilize than just running a tool out there and I'm having trouble identifying how I was supposed to know that I should use msfconsole here

i will do it agein

I guess they expect you to manually do it or find a tool yourself

i think i used smtp-user-enum which is just a built-in tool for kali

So just Google "user enumeration smtp" and see what comes? It's just... it doesn't have much to do with anything we've learned din the module

You can do it with the module itself manually

What module?

it teaches you how to telnet in and check the user

the footprinting module

Well, it shows ue how to check the user using VRFY, which doesn't work unless you already have a user in hand

Also - after I obtained the username via Metasploit I checked it using VRFY and still got a 252 response code meaning that I got no indication whether it actually exists on teh system

It does provide you everything you need to complete it

So I couldn't enum the user using the techniques we learned in the module

using a tool is faster, otherwise just manually verify

check the "resources" section for the wordlist for the module

I don't think you're understanding what I'm saying. I tried verifying manually using VRFY after connecting via telnet but I had no username to verify.
Then I looked it up and used the wordlist in the resources section to find the username using Metaspolit, but even the username I got doesn't show up as verified after I use VRFY on it

So I'm not sure how I could have known that this was the username by manually checking it

Brute forcing with /home/htb-ac-1143937/subdomains.list: in this section

Try using something more fierce and hot from seclists

like what ?

like i said before, go into your seclists directory under dns discovery and look at the lists available. start from the smallest list and work your way up.

You should edit out the answer to the question here. Just for you I went and tested it myself and manual verficiation works.

Could you elaborate? I use VRFY on the username and get 252 (meaning Cannot VRFY user, but will accept message and attempt delivery)

that sounds correct. try VRFY on a user that doesn't exist, you'll see there's a difference

That's also how the VRFY section shows existing users with that 252 line

I used it on "antispam" (which doesn't exist) and it responds with a 252. DO you see the problem? I can't tell what actually exists.

252 means the recipient's email is valid but not verifiable

that's not what i get when i put a bad user in mine

Wasn't the whole point verifying? Shouldn't I get a response saying that the recepient's email si both valid AND verifyable?

i suppose you can figure it out with deductive logic. i used the smtp tool i mentioned earlier on the module myself, but if i did it manually i would have reasoned the one single response that was different from the rest is the valid account. plus that's what the link the module gives says.

you may be able to ask the creator of the module the thought process or the 'right' way to do it

if you're a subscriber you can also enable a walk through which shows you how the module creator did it (it doesn't really explain it but shows you the steps from what i understand)

Module: Password Attacks: Attacking Active Directory & NTDS.dit

I'm on the last question of the section and I've managed to obtain the ntds.dit file the target and now I have a copy on my attack host. How do I dump the hashes? It's not mentioned in the section. The only mention of dumping the hashes is when crackmapexec gets the ntds.dit file from the target and dumps it automatically.

You can use secretdump.py from the prev sections to dump the hashes

Thats the way where you need to manually get the hashes and crack it. Its easier with crackmap, but id suggest trying out with the secretsdump

Would I need LOCAL in the command?

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -ntds 
<path_to_ntds.dit> LOCAL

Yea but you missing SYSTEM

I thought that wasn't necessary, I don't really understand the syntax of the command in that case.

Why is it needed?

System has the key for us to decrypt the ntds file

I see. So I'd need to extract the system hive as well?

From the machine? Yep

Thanks

A quick google search will give you the location where its located

Or i think prevs sections have it aswell

But yea i remembered i googled that

Yeah, it's there in the previous section.

Hello, I am on skills assessment for attacks webapps with ffuf. whenever I try to go to http://academy.htb/ it becomes https on its own. where did I mess up?

Sounds like it's using https

how do I get it to load then? also afaik, all the academy stuff uses http mostly

in my experience they mostly use https

okay so what seems to be wrong then?

for this module it may use http though

am I supposed to include the port?

no, as far as I remember

not in /etc/hosts

which question are you stuck on, the first one?

yes, just adding the ip and the academy.htb to etchosts first

you're not supposed to visit the site, the question says to fuzz the subdomains/vhosts

but how will it fuzz if it cant redirect? will just get erros

Hi to all. Would it be possible to request some input? I am on the File upload module in the type filters section and have successfully bypass the image extension, content-type and MIME magic byte. When I try to reach the file I can only do that through curl otherwise I am getting the below error. Thorugh curl I can see the PHP webshell but this is not run as interted. Any thoughts?

Read the vhost fuzzing section again

I did it with a different bypass filter and different extension

okay thanks. I got it. getting a bunch of hits

make sure to filter out bad results

does anyone know how i can figure out which os it says

ive tried reading up and down the module but cant find anything showing me how to determine the os from that code

the module is rated easy too (im cooked)

Check the TTL from the response

And use that on Google for OS

ahhh okay thank you

👍

TTLs are different for all the OS’s

Anyone else having problem spawning machine in new module "INTRO TO C2 OPERATIONS WITH SLIVER" and section "Probing the Surface"? I have been trying to spawn that for over an hour and tried it many times. I think there might be some problem with that module

On which VPN server are you, I have tried to spawn the target on us-academy-2 and I got an IP

Anyone?

I tried EU1 and 4 I think. Ill try US then

stll no luck

after initial axfr when i brute force all subdomains usi8ng dnsenum and a fiercly long wordlist against all subs from the zone trans - i get nothing

query failed: refused

then you are doing something wrong. Which name server are you using?

@hexed lintel you solved this one?

pm'ed

yes

Cann you tell/show me how you have done this one

dm i will give some hints

Anyone else having targets not spawning? "Target is spawning.."

working fine for me

Changed VPNs, and now it's working 👍

still on the attacking webapps with ffuf skills assessment
question3

is there a problem with my command?

Are you including the found file extensions?

yes. and from some writeup I know that its .php7

Try changing your vm to bridged networking

Okay

NAT can sometimes cause issues that force your network to crawl

can someone explain to me how to do this

Try adding a new city through the browser devtools, by using one of the Fetch POST requests you used in the previous section.

AEN target Server is really unstable no? especially when already testing internally? unable to fully load the web-site for like an hour already. No hope in having a stable south east asia server. :<

I suggest not including screenshots of the AEN module, as many do it blind

aight deleted the pic my bad

Try changing vpn region

Yes even with pwnbox vpn region matters

Hi
I think there is something wrong in academy content. How to report.

If you believe it to be a technical error: support
If it's an error with content: #1234357888114364508

Cool, raised request
https://discord.com/channels/473760315293696010/1243959974942605332

If walkthrough the right tag for HTB academy content issue.
It is apt one out of the three

hello everyone
I'm currently working on 'file upload' module and i have a question which i can't figure it out.
on the white list section when i fuzzing the extensions with the wordlist in the module i have different results. some of the results writes 'Only images are allowed' and some writes 'Extension not allowed'
why do i observe different results?
i do understand that the backand code relate differently to each extension and some are a belong to a white list. but i don't understant if the other results belong to a blacklist

anyone here did the supply chain attacks module and can help me out with the last bit

Which section

white list section

figured it out!

Hi guys, I am hoping to get some help. I am doing "Attacking Common Applications" model and for each page, the target is an IP address (with no port). The problem is that I cannot connect to any of the targets, and on the rare occasion it connects its soo mega slow. I tried regenerating VPN keys to different locations, I tried pwnbox rather than my own vm, and still same error persisting :/ Any ideas?

It seems like the problem is only in this module

Does the ip adress happen to start with 10.129?

Yes exactly!

Then no port will be provided

Maybe if the reading specifies a port, then you'll need to use one

Well, if it does connect on the rare occasion it seems to be default port 80 so port is most likely not an issue

I think for all rooms its port 80

http://ip:port

Did you scan it?

*labs not rooms

Rooms is thm terminology

Yup, all filtered when I force it with -Pn

Then message support

If you've tried all basic troubleshooting and nothing is working

My only other assumption may be you somehow have multiple openvpn connections running

If you do ip a and see multiple tunX interfaces

Then you have multiple running

It wouldn't explain not working on pwnbox :/ I am nearly finish with whole CPTS path, just AD and this module missing and all others were ok

Then message support

Oki thank you! :/

Idk what more you were expecting tbh

Exhaust all troubleshooting and still fucked? Support

I was expecting to get info if anyone else is having this issue within the community. I know support is there, there is also a reason why Discord server was set up to have community to ask questions, no need to be pedantic

if multiple people are also experiencing the issue, bringing it up to support allows them to look into the backend and see if it's their providers being dumb again ¯_(ツ)_/¯

hi

Password Attacks Lab - Easy

sudo nmap -p- --min-rate 10000 10.129.202.219 -> ports 21 and 22 open
OS - Ubuntu
FTP - vsftpd 3.0.3
SSH - OpenSSH 8.2p1

with the provided resources on the lab (Password-Attacks.zip) I've:
1- used hydra (for ssh and ftp services) with the original users and pwd list -> no results
2- generated a mutated list using custom.rule and used hydra again -> no results

next step MSF console or am I missing something?

i ate too many donuts omg

can i get help with subnets

I literally just refreshed myself on subnets last night what's up?

I also gave some advice in this channel a while back regarding subnet calculations

im stuck on calculations in intro to networking modules

its for noobs but i dont get it

What exactly are you struggling with?

i keep rereading how to calculate but i need it explained like im kindergarten 💀

Ok, so first question: since we know that an IP is 32 bits in 4 octets
We can simply divide the CIDR notation (27) by 8 (octet) you'll get n and some remainder, the n would be the number of "full" octets. Adding up to 255

The remainder is how many "left-justified" bits are in the mask

Since we fill a subnet mask left to right you fill in the remainder bits then 0s

So with /27 its 11100000 --> 128+64+32

https://tenor.com/view/huh-rabbit-cute-gif-15676652

So the decimal notation would be 255.255.255.x

yeah im cooked

Ok let me break it down easier

An octet is 8 bits, correct?

yeah thats easy

Ok

An ip address is 4 octects

so 8x4?

Yes

and what does that number (32) represent?

So when we divide our cidr notation we do not resolve the decimal, we just leave it with the remainder

32 would be a full IP

Or full mask

Let's break each 8 individually

ohhh

ok but how do you convert each octet into 1s and 0s (binary)?

So. With the example, we do not care about the 10.200.20.0 portion

For the subnet mask we only care about cidr

/27

so the /27?

yeah yeah

Yes, cidr notation is how many bits from left to right there are

ok so you take 32 and divide by 27? or subract 27?

Divide by

You get 3 and 3/8

bro no?? 32/27 = 1.185

Sorry misread

We divide 27 by 8

Since we are in sets of 8

OH OH OK OK

3.375

Don't resolve 3/8

The remainder number is important

wdym resolve?

Divide

We don't want the decimal representation of 3/8

This is important

wait dude where did you get 3/8?

This means that the left 3 out of 8 bits of this final octet are flipped on

3 remaining

oh ok

Then it's just converting 11100000 to decimal

yeah but how

It helps to just create a chart

|128|64|32|16|8 |4|2|1|
|  1|1 | 1| 0|0|0|0|0|

so anything over 8 = 1 ?

?

so anything over 32 =1 ?

Write it out yourself

Don't worry about what is or isn't 1

I don't have a paper on me to write it out myself

  2^7 2^6 2^5 2^4 2^3 2^2 2^1 2^0
  128  64  32  16   8   4   2   1
  -------------------------------
    1   1   1   0   0   0   0   0
= 128 +64 +32                     = 224

| 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
| 1 | 1 | 1 | 0 | 0| 0 | 0 | 0|

Yep

yeah so anything over 32 = 1

Then you add together anything that's a 1

and the 224 represents what?

The last part of the mask

Basically it identifies the network

so my answer to question one would be...?

11100000/224?

Well the first 3 octets are full

It's asking for decimal not binary

And no

We combine the concept that we got a whole number (3) and that those represent the full octets and what you just calculated

so 3 full octets?

/24

Yes

Which is 255.255.255.0

And you add on what you just calculated for /27

Which is the .224 ending

HUH

how did all the 1s turn into 255 💀

Math

11111111 is 255 in binary

^

whats the conversion

128+64+32+16+8+4+2+1

OH FOR EVERY 1 ??

  2^7 2^6 2^5 2^4 2^3 2^2 2^1 2^0
  128  64  32  16   8   4   2   1
  -------------------------------
    1   1   1   1   1   1   1   1
= 128 +64 +32 +16  +8  +4  +2  +1 = 255

^

omfg you guys are goats

it clicked

The second question is a bit more of a work through (kind of)

so my final answer is 255.255.255.27?

No

shit

i was so confident too 😭

We just converted the last portion

11100000

aint no way

all this just for the /27?

it's why it's easy to remember shortcuts ¯_(ツ)_/¯

what modules got subnetting like this

Every 8 bits is 255 until you can't do 8 anymore

introduction to networking ---> subnetting

The broadcast is the last address in a specified subnet range.

yeah im not worried about that tho just calculating

The range is determined by 256 - the last number in the subnet mask

NO!

get outta here i got important shit to do no life

2 mutual servers??

you're in my HTB team discord????

wtf???

Skill issye

Ye

GTFO

whats that?

Say this to your mum

i wanna join a team ik nothing tho kekw

Something that is for smart people

U wan a team ??

I can get u in a team

no thanks youre an embarassment

Wut

Why is it

idk you give off cuck vibes

Fine

I had a team

emphasis on had i can see why they left

mb i dont wanna get banned i'll chill

<@&861185840277487616>

Ping here if you need more help after

Also https://www.youtube.com/watch?v=pITq64bSbMQ

yes yes i get it

the /27 converts to 224, right?

Yes

because 128+64+32

so my answer is...

255.255.255.224/27

Nope

WHAT

Don't need the /27

255.255.255.224

/27 is only used on the IP to indicate the type of network it's on

now broadcast address time 😎

That ones not as hard

The following questions require some logic

ik im scared

boutta shit out the donuts from the festival

https://tenor.com/view/brother-ew-ew-what-is-that-whats-that-brother-gif-14318384540422820315

ok so how is it found

It's the last address before the next range

It's why a device can't be assigned that ip

this is all it has not even how to calculate it

so our range would be 0-224?

No

the address is literally 224

Range is 256-224

That's the subnet mask

Subtract 224 from 256

And that will be your range per network

okkk

so each subnet will be 225.255.255.224-256

Wrong

kms

The subnet will describe each range

This method they show does work btw I just manually checked it

You just have to adjust for whatever your / is

For /27 you place it after the 27th bit

10.200.20.0 -->
0000 1010 . 1100 1000 . 00010100 . 00000000

So the spacer they use is after the 3rd 0 in the last octet

https://tenor.com/view/blue-cry-sad-bad-day-gif-10315802272088746122

000 | 00000

Flood that with the 1s on the right

00011111

Convert that to decimal

(For some networks you would need to figure out which segment it's on to find the broadcast)

Or my method, take the range and subtract one (for this case)

wait bruh

the broadcast address

is literally just 31 at the end of the CIDR

?

Wdym the 31 at the end of the cidr?

because the 4th octet is /32 and you just minus 1 for the range

It doesn't always work that way

oh well it worked 😂

There's very few conveniences

Take for instance if it was a /29, that wouldn't work

As the range is different

you would just add 1 if the 4th octet is below /32

Nope

/29 has a range of 8 (6 usable hosts per)

oh so it would be 36 at the end

Nope

Stop thinking in terms of the cidr notation

Anyone managed to make fatty server work with Module section: Exploiting Web Vulnerabilities in Thick-Client Applications?
I confirmed that I am connecting on the right IP: 172.16.17.114 (that's already the one set in hosts and un-modded java client tries to connect to). I modded the java client to reflect correct port 1337, getting some response but after app hangs and wireshark shows syn/synack/ack then tls1.2 client hello, ack from back from server, then 'tcp previous segment not captured' thats it.
I have watche ippsecs video on fatty, he's doing socat to redirect, but obviously there is no socat on win vm.

Side challenge. Find the network address, broadcast ip, and subnet of 10.10.14.33/28

mf i didnt even get the method right for the broadcast address 😭

Ik that's why it's a side challenge

You know the range yes?

i gotta split this network 4 times first 😭

What's 4 in terms of 2^x

Shift that many bits to the right for your mask and start from there

X being the number of bits

https://tenor.com/view/kill-me-drink-bleach-gif-22890796

So we know that /27 is 11100000; if we need to divide by four (fill in 2 bits as 2^2 = 4); the mask becomes 11111000 at the end

which would make it be (let me type)

1 = 256+64+32 =255

Where did you get 256 from?

Huh??

cuz of 255 then just add 1

https://tenor.com/view/wrong-drumpf-trump-stupid-gif-6220235

marcie is my new mom holy shit 😭 wrong wrong wrong

We know /27 is 224

yeah...

We are adding the next 2 bits in sequence

Again it might be handy to make a small table to fill on

1 = 128+64+32 = 255

So we add 16 and 8 to 224, since we are adding two bits to the left

.... thats... not how math works

How the fuck are you getting these numbers

i mean the binary 1 equals that combo

No... it doesn't

11111111 = 255

OH THE WHOLE THING IS 255

I THOUGHT IT WAS EVERY 1

...

Brother

You know what binary and bits are, yeah?

binary is 1s and 0s

bits are for IPs

.

Bits are a combination of ones and zeros, 8 Bits to a byte

A number in an ip is an 8 bit number

They are called octets because they are grouped in 8s

An ip is made up of bits, but not all bits are IPs

Binary is just the mode of counting, like how decimal is for normal counting systems

Bi meaning 2 states, 0 or 1

Off or on

hello everyone
I'm currently working on 'file upload' module and i have a question which i can't figure it out.
on the white list section when i fuzzing the extensions with the wordlist in the module i have different results. some of the results writes 'Only images are allowed' and some writes 'Extension not allowed'
why do i observe different results?
i do understand that the backand code relate differently to each extension and some are a belong to a white list. but i don't understant if the other results belong to a blacklist

Nope

White-list is more restrictive than blacklist

You either use a or b

White-list means exclusively allow these things

can you join vc?

No

Bits are the building blocks of computers that only speak and interpret binary

ik what bits are

Anyway

The other important thing for subnetting is starting at 0 for your hosts, then counting up

Hey, this is an English speaking discord

Ja aber darum geht es hier nicht

Es ist ein sehr langer prozess dies zu erklären

Read #rules . Its illegal so it shouldnt be discussed here

English #rules

sorry i am trilingual

Not the point lol

It's an English only server

es ist nicht legal

i can translate for you i just told him its a long process to explain that not exactly legal

I suggest pulling the convo into English

All you needed to do was tell him to type in English

geben sie auf English ein @craggy cove

Ich kann kein English@stable bone

@fathom pendant he doesn't know english tho :(

Too damn bad

Google translate or deepl exist?

💀

<@&861185840277487616>

Since it sounds like the convo is leaning illegal anyway

google translate sucks ngl

It gets the job done lol?

no no i was telling him its not legal 😭

K

You aint translating a diploma lol

And that's where the convo stops

Gpt is free along with self hosted llms trained on translation, those should work probably better than Google translate

alr fine im sorryyy i'll go back to my subnets

if they continue, and refuse to speak English, then they can be removed ¯_(ツ)_/¯

like ollama

dont bro :\

ollama is not a LLM, just software that you can use to interact with an LLM. Mistral, gpt, llama2/3 are llms. Anyhow this is off topic.

Not you, the other guy

holyyy bro i thought i was about to get banned 😭

https://tenor.com/view/lawrence-fishburne-get-back-to-work-boss-gif-15075204

https://tenor.com/view/sir-yes-sir-yes-sir-gif-21589754

how it feels learning from marcie

thanks, I have taken care of it

oh the menace bunny is a mod 😂

and can speak German 🤷‍♂️

ayooo bro is dope af too

i only learned it cuz ive been here a while but im from mericuhhh

What can't the Swiss do?

make good chocolate

I think we have the best chocolate

nahuh my grandma does

https://tenor.com/view/toblerone-silly-lift-rage-gif-7198145

Well we sold it away

Attack the PRTG target and gain remote code execution. Submit the contents of the flag.txt file on the administrator Desktop.PRTG Network Monitor

Page 23
Privileged Access

Privileged Access

no argue about it. it just that in this module i can observe two different responses and i want to understand why

This is why. Lol if it's not on the White-list it's denied

hey, i just send you a message on private convo so i won't annoy here everyone

I'm not accepting dms

yo

ok
so i actually can't understand your explaination.
i use burp intruder with a payload within the module.
i can observe 3 different results:

1. succeed
2. Only images are allowed
3. Extension not allowed

the 2nd and the 3rd actually means the same. but if we'll relate to the sentences themselves we can see a different. which cause by a code in the back-end that relate to different extensions differently. All i try is to understand if the difference between the negative results can point on a vulnerabilty in some of the paylods(e.g if a payload gets the 2nd result it might be blacklisted and the 3rd might be whitelisted)

not really

ig the difference between 2&3 is related to the mime type and content type

It's white-listing specific image types

just use the list created in the module to bypass the whitelist filter

So, you get "only images are allowed" then "extension not allowed" means that generally the image extension you're trying to use is not working

For instance it could be set up to only accept pngs but not jpegs or other image formats

White-list .png

yeah that possible too

¯_(ツ)_/¯

Command Injection - Other Injection Operators. Found the answer but it rejects since the format isn't correct. Can someone tell me the correct format?

is the academy module Password Mutations lab question supposed to take quite long to crack like 30 min or longer? Or am I on a somewhat wrong track?

It takes ~30 minutes yeah, as long as you're not attacking ssh, and you use like 48 threads

the question is ssh :
Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.

And ssh is painfully slow

ok, thx make sense

Step 0) enumerate

Step -1) the questions often give an end goal, not a start

ok i see

Also for this module the windows and Linux labs get reused

So enumerating users from C:/Users/ and /home/ (and root) will give you a more concise list for the sections up until the skill assessments

For the Linux Privilege Escalation Wildcard section, what is the purpose of the line --checkpoint=1

This doesn't make any sense

The first line is to add everyone to sudoers? After that I'm definitely lost.

the module explains it

Not very well. What is checkpoint=1 supposed to do?

I'm assuming the second line tells tar to execute the root.sh that was created.

The third line seem unnecessary

its required

All it says is that it displays a progress message

What does it actually do?

what does what do

the --checkpoint=1 command

well if you're unsure if it's necessary or not, run it with and without

There's no lab for this one

https://www.gnu.org/software/tar/manual/html_section/checkpoints.html

you're basically redirecting a bunch of file descriptors

"A checkpoint is a moment of time before writing nth record to the archive (a write checkpoint), or before reading nth record from the archive (a read checkpoint). Checkpoints allow to periodically execute arbitrary actions."

By creating files named --checkpoint=1 and --checkpoint-action=exec=sh root.sh, and then using a wildcard to include these files, these filenames are interpreted as additional command-line options by tar. The --checkpoint=1 option sets a checkpoint after the first record is processed, and --checkpoint-action=exec=sh root.sh specifies that the sh root.sh script should be executed at this checkpoint. If tar is run with elevated privileges, the script will also execute with those privileges.

if you don't include --checkpoint=1 then it won't hit the checkpoint therefore will not perform the action.

Makes sense now, I was starting to wonder what this had to do with wildcards! The * essentially just takes every file and archives it with tar?

Is that right?

Does it automatically run --checkpoint=1 first? How does tar know what order to go in?

ello there i'm doing the module hacking with wordpress and i'm in the skills assesment page and i'm stuck with injecting the vulnerbility, is there anyone who can help me sort that out?

the first line adds htb-student to sudoers; and says that you can execute all commands as root with no passwd for all files btw

well it makes the root.sh file do that

Yeah, I realized I messed that up, thanks!

So if I'm looking at this right now, the --checkpoint file names don't get read as filenames to be archived, they are just appended to the command as a modifier?

So that's why it doesn't matter what order they're in?

basically

I can't access general chat to talk to people

it's one of those sort of weird quirks of file descriptors

read and follow #welcome

@fathom pendant can you help me?

https://tenor.com/view/confused-no-nope-gif-5413974953753901704

* is just a wildcard for any character(s), so when you tar a whole directory like sudo tar -cf archive.tar *, the * wildcard will include all files in the current directory. The shell expands the * wildcard to match all files in the current directory, including special files like --checkpoint=1, effectively turning them into an argument for the tar command because the tar command interprets the files as part of the command itself.

^

Roger! Thanks!

as for the order, you'd have to test i don't know. i'd imagine it would work either way because they are arugments for the single command being ran but maybe not.

i need help with completing a module would be thankful if anyone can help?

ask your question and someone may help

https://tenor.com/view/do-you-have-any-idea-how-little-that-narrows-it-down-that-narrows-it-down-clear-now-its-clear-now-i-understand-now-gif-21256627

i'm stuck in the module "hacking with wordpress" where they ask for "Submit the contents of the flag file in the directory with directory listing enabled."

i haven't done wordpress module

what is your exact issue. what have you tried, etc.

so i'm of no help here but ^

section name

i took access of the wordpress admin panel

https://academy.hackthebox.com/module/17/section/64

this is the one

I haven't done that module, but it looks like you'd probably find the answer in the "Directory Indexing" section?

i'll try it out

On the Linux Privilege Escalation Escaping Restricted Shells section, the command here makes no sense

It doesn't work in the lab or on my machine

It says that it's supposed to execute the pwd command after the ls -l command but I don't see how that would even work

so when you run that command it doesn't list the contents of the directory? works fine in my kali box

it runs ls -l on the output of pwd

`<command>` is an archaic version of $(<command>)

yeah, ls -l works, but not pwd

only on my machine, not the lab

works fine to me ¯_(ツ)_/¯

it's not running them one after the other

what error do you get when typing ls -l `pwd` in your terminal

just do `pwd`

ah

rbash is treating it weird then

it works fine in normal bash

pwd is the one that it's not allowing

ls -l is supposed to run

rbash is restricted bash

try regular bash, not restricted

rbash will restrict commands to enhance security

rbash seems to be limiting what can be done

yup, don't use rbash

so either the goal is to escape rbash or you're missing the point

¯_(ツ)_/¯

maybe the point is to show that rbash enhances security

you can escape rbash

That's what the module is trying to show: How to escape the restricted shells

ls -l `pwd` == ls -l $(pwd)

The
ls -l pwd
command doesn't make any sense

it does make sense

what is $(pwd)

¯_(ツ)_/¯

it's an example

$(pwd) gives the output of pwd as stdin

pwd is print working directory, and it's piping the working directory path instead of using the letters pwd when using pwd in the command

$(<command>)

the question is asking you to use different approaches

^

so just do your research

I know what pwd does, I just don't see how that command works.

https://tenor.com/view/bart-simpson-the-simpsons-pipe-bubbles-gif-14556539

it takes the output of pwd and use that as the argument for ls

I would really love to hear how others solved the last question on:
Getting Started > Knowledge Check

I have an initial foothold but cannot escalate privileges.
I get an error when attempting to import LinEnum.sh

(I eventually found a solution on Google, but wth? How would I have known that?

look at the spawned webpage

"permission denied"

Couldn't I just use ls -l since I'm already on that directory?!

usually when you transfer a file over you need to chmod +x the file so it's executable

also; you're in another user's home directory

AS STATED EARLIER it was an example

they can't write to the file

ahh yeah misread that

because they're trying to write to a user's file that they don't have permission to

yea

That wasn’t the issue…

as a general tip /tmp is usually writable by all

instead of maybe a world writeable dir, like /tmp/

Right. That’s the first thing I had to do.
How would I have known?

Experience

it's general knowledge and experience

What do you mean?
What’s on the page?

leave it to marcie to rip the words out of my brain

¯_(ツ)_/¯

and tbh

Okay, I looked at the solution to the restricted shells, it basically says GOOGLE IT?! lol

you can get it w/o LinEnum as i believe up to this point you learned how to sudo -l

and other stuff

i just looked at the section and with the limited information that they give you, it's not really surprising

Had nothing to do with anything in the actual module

^ yup. sudo -l is the very first command i run when i connect to a linux box, always