Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
#modules
Yeah I’m using the Pwnbox, when trying to connect VIA SSH it should be asking me for a password but I think it’s set up for only key authentication
have you tried to follow the course material the section you are on speaks about ftp etc
does anyone notice what I'm doing wrong? I'm trying to send a request to a local SQL server inside it, or maybe I'm not supposed to; to get the version, I can't remember how I did it tbh
It explicitly states to SSH into the target
Perhaps the ssh key has a password for it
oh. Idk then sorry, i thought you had a vpn issue
Thought so but even brute forcing it doesn’t work, and I followed every single step
If it's set up for a key though then you'll need to find that key
Here's a thought
And its a wild one
Are you specifying the port?
Yes 22
I am struggling with Information Gathering - Web Edition skills assessment. Specifically "what is the API key in the hidden admin directory that you have discovered on the target system?" I configured the inlanefreight.htb in /etc/hosts and tried crawlers, directory enum, vhost enum, and reconspider. Nothing is bringing back any information. Any hints would be more than appreciated
in ssh it's either you find and steal the id_rsa and point at it via the -i flag, or you can brute it via username if you have one and a password list, probably rockyou
If it's a public ip:port, then you need to specify the port
Because it's running a docker container where the only scope is the provided port for the question
And the lower ports are generally locked down
This module is about brute forcing for the password
then brute it man 😉
It says you have to use SSH
Brother
Can’t, don’t have a password
Ssh isn't always on port 22
In this case it's on the port provided on the public docker container
check the hydra syntax again. you can specify a specific name or a wordlist of names and the same for passwords, then you can specify what type of service, in this case ssh
I have a feeling I know what the issue is, and it's not that
If the question/target spawned is a PUBLIC_IP:PORT
I’ll try the port it gives and report back
Then the service they are asking you to brute is running on that port
I agree with you totally, but from what I read it seems he's not even sure of the bruting part (?)
It's like any of the web modules
It's because he's attacking port 22... not the target port
here i am tryna help while being stuck myself 😂 
It's different if it was a private ip (10.129.x.x)
Also dude idk what module you're working on, looks like one I haven't done
doing the web server side attacks
Well I haven't done that one
and there is no walkthrough either
im suppose to do a call to another internal service via ssrf exploitation
yeah they are right, the course shows -p 22 but just to show you that you can specify the port. Otherwise they would not likely specify the default port
Only reason I used 22 is because that’s what port they have in the example, its usually on that port for most of the modules I’ve gone through, but also just plain connecting via SSH trying to login tells me its key auth not pass auth
Examples aren't always 1::1 with what you'll do
ok , weird thing. the server runs on a docker. at ip:port
Just trying connecting via SSH and lmk what it says
Not that weird
wait im getting to that
Good afternoon. How are you? Could someone tell me if the HTB Academy videos would have subtitles available? Thank you.
There are no academy videos
I type in parts to get my message across. so either way the docker runs on a serverip:port, which has internal services running on sub-ports??? if you get me, because they can't all run on the same port; essentially the docker port acts like a gateway I guess
I just assumed since it was a beginner module
Thanks!
so what do u specify? the docker port or the service ports
I’ve only tried 22, not at my desk atm to try the docker port
i was like wtf , there are videos and i missed them 
Docker for your request internal stuff is 127.0.0.1
Or an interface otherwise specified
thats what i did via the ssrf btw , did a loopback to the service and tried to call it
via its specific port. doesnt seem to work
Because it's not external
mysql service isnt internal?
It's only exposed internally
It can be either
isnt it the same :D?
No
so its blocked for outside communications but accepts only inside calls, from the server
A service can be running internally but won't be able to be accessed externally
I.e. only running on localhost
but when i call it , nah fam im good
https://gyazo.com/52b839b6a4cdb42258314912ecb69004
And not on the external facing port
Well. You're trying to make an http call to the sql server... it's telling you the error lol
Received http when not allowed
didnt work when i tried gopher either
but I haven't done the module so I can't point you in the right direction ¯_(ツ)_/¯
Just double check the reading
can't find anything about it either
Hi, there! Would someone please help me with the Introduction to Deserialization - Skills Assessment II? I found the serialized cookie, but haven't been able to properly decode its secret key
Ssh should be accessible via the ip:port
went through the module again, there is only info about enumeration
and port scanning essentially
no i was wrong just do what the module says with the correct port
hello need help
I suggest not posting the cookie
We're not mind readers
What do you need help with
You said you needed help, so what's the issue
Hi guys, I am on the Windows Event Logs & Finding Evil skills assessment. I am trying to figure out the first question with the DLL hijacking. I have configured the sysmonconfig file to include event ID 7, and I have made multiple types of XML scripts to look for anything that might look abnormal, everything from looking for images not made in sys32 to anything that doesn't have a "valid" signed signature. I am starting to think that it is not inside of the Event Viewer; a pointer would be helpful.
did anyone do the identifying ssrf section of server side attacks?
@fathom pendant so the problem is the LDAP - Authentication Bypass test; the response I'm getting from Burp Suite is different from the screenshot used in htb-academy
please at me as i need to go
It typically will be different
hey, I had no luck with xml as well, i had to use another method.
it has major difference
¯_(ツ)_/¯
@fathom pendant i cannot see the location of user
Powershell?
My next Idea is using win-get
well if you reverse the two words and add another one, that is a good idea : D
??
Get-win...
I just don't know how related Winget is to this module. But Get-WinEvent is definitely in the course
My mistake, I meant Get-Winevent. Thank you!
haha yeah sorry for the riddle, it made sense but just in my head : )
No no it makes sense in hindsight 💀
^ I blocked you, you can ignore my messages.
kinda rude but ok ¯_(ツ)_/¯
I'm sorry. Would you mind giving a nudge about the deserialization SA ?
I haven't done the module
How would I filter to look for DLL file within the context that it is a image loaded but I do not know the path at all?
You blocked the one person who would help you lmao
I haven't done that module
SSH is on port 22 btw
It's why I wasn't responding to them earlier
Ssh should also be running on the port they give you
"Doesn't work"
It tells me it’s not
It should be
Tells me service not known
Reset target and try again
Nmap?
i just redid the section, use the port they gave you
You don't need to scan
same here.. all is ok it will work
It worked thank you! Just got confused
you didn't have to configure sysmon since all you're doing is looking at the event log. assuming you're checking the right EVTX file, your thought process is correct and should lead you to the answer
Whenever you're given an ip and port combination, that is a public container. Consider all other ports on that system out of scope
I was able to figure it out, Idk why it wasn't working through event viewer, but I managed to find it using get-winevent! Thank you for the help though!
yea, use powershell for looking at logs, it's 10x easier than using Event Viewer
I watched a video on DLL hijacking yesterday and they only used PS as well. So I might as well get comfy using it 💪
Okay I will keep that in mind, I really appreciate all the help you have given me
I believe they touch on this on the intro to academy module
I am struggling with Information Gathering - Web Edition skills assessment. Specifically "what is the API key in the hidden admin directory that you have discovered on the target system?" I configured the inlanefreight.htb in /etc/hosts and tried crawlers, directory enum, vhost enum, and reconspider. Nothing is bringing back any information. Any hints would be more than appreciated
🤖 .txt
Also what is your vhost command?
I tried inlanefreight.htb/robots.txt
Yeah it's not there
There's a subdomain
I suggest using the bigger subdomain top1million list
but when I run something like the dnsenum i dont get anything
110000
Because dns isn't running
Gobuster and ffuf should both work
Ok ill try those. thank you
Also your hosts file shouldn't have the port
You specify the port in your command
It doesnt
As a general hint: if you don't find it on one level, go deeper. Subdomains of subdomains exist
greetings, on the module Intro to Web Proxies, Burp Intruder, which wordlist is used to see .html files? I tried SecLists/Discovery/Web-Content/common.txt but it doesn't work...
FUZZ.html
^
Afaik that's all I had to do
Most of that module was just following the directions
I dislike bruteforcing because it's luck; if they don't provide a wordlist it's pain. I am running it now so it's only a matter of time
Generally the wordlist from the example is sufficient
But it should look like /admin/§file§.html @clever lotus for that section
oh I see, my regex is bad, I thought that inside the wordlist there is a .html wordlist but now I see that I need to add .html in Burp
thanks
got flag 
👍
Having trouble with remote access into a windows machine (windows fundamentals)
v:10.129.158.151 /u:htb-student /p:Academy_WinFun!
[14:06:37:515] [35566:35567] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[14:06:37:515] [35566:35567] [ERROR][com.freerdp.core] - failed to connect to 10.129.158.151
@fathom pendant 
Pwnbox? Use rdesktop
im on my kali vm
@glacial wedge any questions you can ask here. I don't do dms
Try restarting your vm to fix it, sometimes it's odd
Or reconnecting to the vm
Hacking WordPress
Indexing Directories
Keep in mind the key WordPress directories discussed in the WordPress Structure section. Manually enumerate the target for any directories whose contents can be listed. Browse these directories and locate a flag with the file name flag.txt and submit its contents as the answer.
What should I do, there is a lot of plugins and directories out there
any hints?
damn
Start simple
Lol
yeah ahah
The key distinction here is the key WordPress directories, so regardless of plug-ins I'd assume
Delete that
yeah
But yeah just keep digging is the key there
Ah, I downloaded a udp vpn file
that's why I was receiving issues related to TCP connection when trying to RDP
ahem
After restarting my vm and downloading a new connection file (tcp) it still refuses to remotely connect
alright..
add single quotes around your password. /p:'Academy_WinFun!'
always the little things eh
what exactly does that change do that allows the connection to succeed?
bash will read the ! operator and treat it as such
Tells bash to interpret the password as literal, since ! is a special character
^
I see, interesting
I'm continuing to receive error messages
[14:30:37:051] [9267:9268] [ERROR][com.freerdp.core] - failed to connect to 10.129.158.151
ill try to use pwnbox but ill have to deal with its daily limit after an hour
You can extend the pwnbox time btw
Plus icon next to it
(I dont have a subscription)
Don't need a subscription
Just extend the timer before it expires
But I'd try another rdp application first
Like rdesktop or remmina
Are the arguments the same / do they come pre-installed
Getting nothing 
Wouldn't -server be the ip?
the man pages specify the port
¯_(ツ)_/¯
Oh
I see your error
It's not -server
It's just server:port
With server being the destination and port [optional]
rdesktop -u htb-student -p 'Academy_WinFun!' 10.129.158.151:3389
my command line is perpetually hanging
hah, this has been quite annoying
on to pwnbox
bruteforcing on pwnbox is fun haha
/twentyseventeen/404.php?cmd=cd ."
How can I change dir?
'cd .'?
it doesn't work
such a stupid question
but idk
A webshell cannot remember a state. You can only send one command at a time
But you can, for example, list a directory like this:
ls%20/home
why?
If it's a webshell I always find it easier to just use the browser, since Firefox URL-encodes everything automatically.
Fatal error: Uncaught Error: Call to undefined function get_header() in /usr/src/wordpress/wp-content/themes/twentyseventeen/404.php:15
Stack trace:
#0 {main}
thrown in /usr/src/wordpress/wp-content/themes/twentyseventeen/404.php on line 15
wait let me remove that func
nah doesnt work
404.php
README.txt
archive.php
assets
comments.php
footer.php
front-page.php
functions.php
header.php
...
okay, now try
404.php?cmd=ls%20/
Try cd%20../../;ls
But why do you want to do this with two commands (cd and ls) when you can do it with one?
The xfreerdp worked with the pwnbox instantly 
I genuinely wonder what’s wrong with my vm
I mistakenly forgot to extend pwnbox time and it ended, to be resumed tomorrow I suppose
Your VM must be connected to the Academy VPN. Then xfreerdp should also work without any problems
Hi. In the lateral movement module, the WinRM chapter, I'm stuck with the second question: "Use Leonvqz's hash to connect to SRV02". I connect to SRV01 with the password of the first user, request a TGT, pass the ticket, but always get an error about a logon session or something when I try to Invoke-Command to read the flag on SRV02. I tried several ways but none worked. I had a similar situation many times and never know how to deal with it. Could you please help? What's the intended way?
(I connect to SRV01 with evil-winrm)
Was stumped with the same problem; you can search for my messages here and you'll find a way to execute it and a good hint from @next bronze
If you are still stuck afterwards, you can DM
Thanks a lot. I will look for it.
greetings, I'm on the skills assessment section of information gathering, I have the entry in etc/hosts, but every tool I throw at it fails except banner grabbers
oh, and dig gives me...a little
Apply all techniques shown in the module to found subdomains as well
Restart the Lab and try again
after using hashcat to crack passwords from a SAM dump you get this
what is the uuid or hash that represents each user called? (e.g. a3ecf31e65208....)
I can grep those values out of the hash dump file to relate them to usernames, but is there a better way correlate usernames to passwords rather than this value?
Is this the appropriate place for feedback on Academy course content?
Close, see #1234357888114364508
I’ve done the former
It still isn’t working
Thanks man. That was helpful. For the bonus question though : Use PowerShell Web Access on SRV01 with Frewdy's credentials and connect to SRV02 using Helen's credentials. There is the double hop problem. Is there a simple solution to that ?
I guess declaring a credential object and explicitly calling it.
I'm kinda new and I'm under the impression that to really progress and fully use HTB you will have to end up purchasing something such as a membership or boxes. Is this true?
at some point you'll have to get a subscription or buy cubes for the academy. as for membership for boxes, only for retired boxes. active ones are free to use.
it can all add up if you go for everything, but its a lot of content. you can easily spend only on what you need.
Hello guys, can I learn about evilginx or phishing on Hack The Box?
Thanks. It worked. Do you ( or does anyone ) know why in that step explicit credentials work but pass the ticket doesn't ?
Hi, there! Would someone please help me with the Introduction to Deserialization - Skills Assessment II? I found the serialized cookie and its hmac key, but when I change the cookie value I got the error message "Error: authentication cookie was tampered with!"
For attacking AEN blind, is it recommended blind as in spawning the machine and having scope information and that's it? How many flags might I be looking for?
totally blind
Perf, thanks
I think it has to do with the logon information stored in the session.
I had even tried crafting a service ticket and passing it in SRV01, but could not get access.
The only way I thought of, since I hadn't enumerated the SRV02 host due to the proxychains+chisel combo not working in the pwnbox, was to tunnel through ligolo-ng, enable the service (I did not know if it was enabled or not, but that didn't matter), access SRV02 via this service and then execute the rest of the Rubeus procedure.
@fathom pendant has stated before that the goal would be to achieve a high-level AD role/group membership (Domain Admin, Enterprise Admin)
Excellent, thank you! Wasn't hoping to ask a repeated question but just wanted to make sure
Thanks !
I may be doing the skills assessment in a while. If you need any help, feel free
Thanks a lot ! Good luck !
anyone here?
whenever I try to add an IP & domain name to "/etc/hosts", even with sudo perms, I get a permission denied error.
whats your command?
Screenshot is in https://discord.com/channels/473760315293696010/565584648974106634
use nano or echo "data" >> /etc/hosts (use >> not >, >> appends the data to the bottom as a new line)
Just do it via editing the file. Works 100% of the time sudo nano /etc/hosts
i do this. i dont like vim so i use nano
yea to exit vim or do the most basic thing its "(#!%)(%)KWTEFGLWQ(:"
not working
just do
vim is soo euwww.
sudo nano /etc/hosts, add it then CTRL+X then Y and ENTER
haha right! I need to actually get better at it since a lot of boxes don't have nano, they have vim... but in my own env I use nano
on this section:https://academy.hackthebox.com/module/204/section/2233
Injection attacks in CWEE path PDF SSRF
I have found the port 8000 and the API endpoint /users that gave me a lead that there is a /users/adminkey.txt, but whenever I try to print it using an iframe I get a "not found" error. Can someone give me a nudge here?
More like get a masters degree first
then just do the IP <space> vhost
Thats just to exit vim
masters i have, vim is difficult 😉
no problem. if you find subdomains, then add them too
yeppp added.
sometimes you can just add a space after the FQDN (like metapress.htb in my screenshot), and other times I've found it's better to just do a new line altogether
I use a tab, my /etc/hosts looks like:
⚡ root@kali ~/htb cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# HTB Machines
10.10.11.24 ghost.htb <snip>
If we run a recursive ffuf scan on admin.academy.htb, we should find http://admin.academy.htb:PORT/admin/admin.php.
I have been trying to find this for 3 hours but haven't found it.
What’s your command
ffuf -u http://admin.academy.htb/FUZZ -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -recursion -recursion-depth 3
you can use feroxbuster --url <url>; it's recursive by default unless you supply --depth 1 (this is if you're really struggling with ffuf)
sudo apt install feroxbuster -y
I only used feroxbuster yesterday, it's far easier to use.
Seems to be missing the port too
yea its my favorite, sadly no sub domains but I use wfuzz for subs
are ffuf and feroxbuster the same?
feroxbuster is faster in my opinion, only things I like more about ffuf is the "FUZZ" keyword you can supply
and feroxbuster does it automatically?
what do you mean
means we provide FUZZ keyword in FFUF
so is there any keyword for feroxbuster?
ok
feroxbuster -u http://10.129.190.61 -x php
Alright it can also do all work that ffuf can do right?
nothing wrong with ffuf though. like a lot of programs it can be picky with arguments.
Alright!
It cant search for sub domains and doesn't have the FUZZ keyword
well, i cant speak for that. it will do a good job.
Oh Thanks i got my point.
if its in the module follow through with ffuf but try out feroxbuster too if you're interested.
hmm with writing port i got it, Thanks mate
Glad to hear (it did mention it in the question)
HTB Community is awesome
we're all trying to learn too
honestly no port written in question.
I've spent hours on a question only to have it pointed out I had a typo/wrong port/wrong FUZZ by someone here. lol
I think HTB needs to have more clarity at some points 🙂 for new learners.
this is what you wrote:
If we run a recursive ffuf scan on admin.academy.htb, we should find http://admin.academy.htb:PORT/admin/admin.php.
:PORT
oh I agree. at times it kills me to read a question and wonder 'wtf is it even wanting from me'. if there is something particularly bad, try putting it in #1234357888114364508 for the staff to have a look at it.
i have made a forum on this kindly react if anyone agree.
any idea why from HTB perspective \n is URL encoded to %0a ? In burp suite I get %5c%6e when I use the decoder tab to URL encode it
hmmm apparently I needed to press Enter in burp for a new line, then it encoded it right, while when it sees \n it interprets it as a literal string and not the newline character
that's good to know. the problem is it is sometimes tedious to select the invisible Enter when encoding a payload
Hey guys what do u think about my master hacker roadmap?
How long is it going to take you to do that
your time is the most important resource you have, don't waste it
DIGGING DNS - CPTS
I did this many months ago and I'm working back through it and starting towards my CPTS, but I'm extremely confused with what's going on here. My answer points to cloud30 but when I run dig -x <ip> I do not get that at all and I'm thoroughly confused and would love a little explanation :)
looks like it should be inlanefreight.com but I just want to make sure i'm not understanding something
The decoder is encoding the \ and n characters separately, while %0a is the new line character
What module exactly is this?
Digging DNS is a section name, not a module name
And CPTS isn't a module, it's a path
They updated the module. So answers don't line up
You'll need to update your notes to reflect changes if you plan to refer to them
How come I am able to dump the lsass process manually through an RDP connection and then download it through meterpreter, but not dump it directly through my meterpreter session which was run on the same user account?
The account has administrator rights
yea thats what I finally figured out was just trying to double check
caused slight bit of confusion, thanks for the clarity
i never used that module so i can't really tell you why.
What happens if you try with mimikatz?
https://www.offsec.com/metasploit-unleashed/mimikatz/
Nmap vs ffuf
Do you need both or is it a preference?
they do different things
idk why you're proposing it as a vs really
nmap scans ports; ffuf scans websites
Ok, maybe I was confused or thinking of something else.
Hi all, I'm stuck on the Linux privilege escalation (environment enumeration). I know I need to sudo with lab_adm. HOWEVER I can't figure out how; I tried sudo -u lab_adm /bin/ncdu, but that gives me permission denied. I tried sudo -l -u <command>, nothing works, permission denied. What am I supposed to do to get into the lab_adm account? I tried sudo -i -u lab_adm <command>, and essentially any combination of sudo + switch + lab_adm you can think of. Nothing is working?
I also don't understand how the password can be there in plaintext when dumping it. I tried cracking the ntlm pw but that didn't work and then I saw it was there in plaintext...
it's insecure and usually that's disabled but we're not here for secure environments ¯_(ツ)_/¯
btw you can hex decode that password string iirc
i can't figure out what's going out in that screenshot, sorry. there is so much going on i can't follow what's actually happening
So it is really a feature of AD
The lower half is just error gibberish.
it's not error gibberish lol
dpapi is .NET data protection API
it was about the other screenshot
oh the other screenshot is just error goofiness
meterpreter isn't really all too smart
especially if you are running through a pivot system
it is the pivot skill assessment right? your user in your meterpreter session is ml**** ?
Yup
if so, that user has administrative rights but when you are in RDP session, you have to click on UAC prompt
I tried to bypass UAC via different methods in metasploit but i couldnt figure it out. What worked for me is to run the msf payload as admin
then getsystem worked, etc
Finished the Active Directory Enumeration & Attacks module!🥳
congrats! i really enjoyed that one, though it was also infuriating in parts haha
Can someone tell me what is (https://academy.hackthebox.com/module/51/section/1590) this breakthrough? Is it sudo or CVE? I tested them all. No results
It's related to sudo so try all methods shown
Read the policy bypass section. The sudo list explicitly states you can't run as root (!root)
hey does anybody know how to stop the target from spawning mine is stuck on loading
switch VPNs can sometimes help
the target will spawn based on what VPN youve been using.
Ok thank you
ok, it is a CVE-2019-14287 bug, I didn't understand it at first, I understand it now
still isn't stopping or loading properly will have to contact support I think
No
tried different region?
The VPN needs to be switched or the zone updated
Yes
ah ok. then it may just be down. it happens sometimes
This is the first time its happened to me I guess today is my lucky day
well it usually happens to a few ppl
what module are you trying to spawn a target for?
Web services and API
Question regarding to the IPMI Mdule (https://academy.hackthebox.com/module/112/section/1245):
I obtained an IPMI user's password hash. Shall I really hashcat that now? hashcat is mentioned in the module. I only use the remote pwnbox from HTB and it would take forever to crack it on this VM
Ya its called Web services and API attacks
oh, cool, looks like a good module.
im seeing if i can spawn a target now.
ok thanks
target spawned for me
Currently blindly going through AEN. Honestly a lot of fun to not try to rush for initial foothold, but rather just poke around and try literally everything to see what works 😄
Thanks I might just be my instance I tried remove cache and such
no problem. im on eu5 for what its worth
ive been doing ippsec walkthroughs for cpts prep before AEN. though im itching to do it.
always a lot of talk about it, almost as much as the exam. lol
I finished the reporting module yesterday, figured id jump into AEN blind. Such a wicked amount of enumeration to do! It's fun though, just important to not get frustrated
Im honestly trying to go super slow and practice good notes. Also testing note structure to see how I like it
i tried doing the reporting module but my connection was so slow that i could barely look at the notes to figure out their attack path
so i rage quit and did some retired boxes lol
I'm US I have tried both US and just tried EU didn't work 😦
gtfobins not needed for this one
Definitely have already found some of my weaknesses though, that's for sure haha
again read the policy bypass subsection. it shows directly what to do
im a bit weak on web attacks. at least with the boxes that ive tried. though boxes aren't cpts.
Yeah, that's where I am weak as well. Enumerating web, and all things web attacks. Just much slower for me
doing Forest was good though. i hadn't touched anything AD for a while. im going to review the AD module and then try AEN
ctrl+shift+r to reload the page and clear cache and try again
Web attacks are just so delicate. One character off on anything, or one tiny tiny thing missed and you won't see anything.
Easy to get discouraged
yea I made that mistake with checking SQLi. didn't seem vulnerable. then spent hours not getting anywhere, to finally look up some hints and find I had mistyped my SQLi probing lol
I found the module easy though. but applying it outside of the walkthrough has obviously proved difficult 😛
not remembering the space in the mysql comment can be pain --
i know right!
nagios@monitored:~$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
nagios@monitored:~$ ^Z
zsh: suspended nc -lvnp 4444
┌──(sam㉿kali)-[~]
└─$ stty raw -echo
┌──(sam㉿kali)-[~]
└─$ fg
[1] + continued nc -lvnp 4444
reset^M
(it's why the SQLi module shows the -- - portion btw)
hi guys how come reset wont work? i follow instruction to upgrade
but its stuck on rset^M and i have to exit terminal
yea, which helps a lot.
you need to do stty raw -echo and fg on the same line
stty raw -echo;fg it's a quirk of zsh
ohh I see, dankeschön (thank you)
and you can't always rely on sqlmap. any kind of WAF (even using the correct --tamper) will probably yield few results (or a lockout depending on how aggressive)
btw this question has been asked dozens of times in #1024429874246590575 and other places
can someone help on the injection attacks skill assessment? I found an SSRF and an internal application already and I think it's vulnerable to XPath injection but haven't proven it yet. Can someone advise me?
└─$ stty raw -echo;fg
[1] + continued nc -lvnp 4444
reset
reset: unknown terminal type unknown
Terminal type?
ok sorry
well generally that means it doesn't know what terminal language to use, bash/sh/zsh...
you'll want to set the TERM variable
export TERM=xterm-256color
how do you get that TERM var info? it's from YOUR Term var; so in a new tab do echo $TERM
that way you can set it
if i purchase the annual silver subscription, it unlocks all modules only for the duration of the subscription? or they remain unlocked forever?
Like if I buy them with cubes they are unlocked forever, right?
only the modules you finished will be remain unlocked
oh, that's cool
if you unlock with cubes I believe you still have them. or if you finish them
what are CPE credits?
some certs require ongoing education to remain certified, called CPE
depends on the org, but usually needs to be related to the certificate. i.e. my CompTIA Sec+ requires a certain amount every few years + an exam re-take of some kind.
I believe HTB allows for the syncing of CPE with ISC2
dude got graphs in his bio, must be legit
agreed. with stacks of money emoji, definitely legit.
CPE credits are for certifications that require continued evaluation
Learn about how CPEs are allocated on HTB Academy.
You might want to have a look at that video which explains what's happening when you upgrade a shell
https://www.youtube.com/watch?v=DqE6DxqJg8Q
thanks for your answers everyone
danke (thanks)
german spotted 
was my thought too 😂
we're not so much
haha
me? 😄
Does blind mean no hints and looking at course material or also personal notes?
blind means: no hints or reading the questions
No, only using my notes and course material. Not looking at questions or using hints
And lots of Google
you can reference your own notes, and previous modules
Ah that makes sense. Should've done that from the start
And a wee bit of ChatGPT for quick script writing 😛
Wha.. not reading the questions? :D xD
Because im lazy
as a note @mint peak only one of the things on AEN wasn't covered; but it isn't required for full domain compromise
yeah, as the questions are leading and pointing directly to things
you get full compromise then go back to answer questions
Damn thats nice
Finally got an initial foothold after about 6 hours 😄 found lots of vulnerabilities beforehand tho haha
that's what full blind means
always keep this mantra in mind: "Keep It Simple Stupid"
i guess you're not german 😛
nah, just a lone aussie trying to find his way in this crazy world.
From what many have said, the pitfalls they ran into have been overthinking the problem
Oh for sure, a couple times I was looking at things and reality checked myself like, im looking at something waaaay to deep
i think. and i hear this all the time. and i know i'll fail and think there's a trick to it .... i think i'm more worried about doing AEN blind than the exam hahah
As a personal preference, I always force myself to change vectors if I am unreasonably stuck on something for too long or can't make any progress. Seems to help me a lot. Go outside, reset, reattack with a different perspective
that's not too bad
probably healthier than me who will just keep trying and won't leave the computer until i get a breakthrough haha
Of course some things are definitely tricky and hidden in there, but at this level its usually not that
my workflow currently through modules and skill assessments specifically, is to track what i'm doing in canvas on obsidian
Just swapped over to Obsidian after taking entire course notes in VSCode. Certainly a nice change
oh, and ive been improving on that (though I dont use canvas yet). do you also use something like gitlab to sync notes with obsidian?
i.e. sniff the foothold → test A ❌ → test B ✅ → exploit B
nah i should set it up for my cpts notes though
i used sublime for 80% of the course and now also need to change completely to obsidian
You don't NEED to change. Use what you personally prefer
i need to look up all of obsidians actual benefits. im using it more for notes on boxes.
the canvas feature is nice because it allows a flow to be made
This is an example of my flow for the XSS skill assessment
oh, 100%. obsidian is nicer and easier than sublime. im liking the code blocks and tags, and the hierarchy.
I use Obsidian to graph networks
oh. nice!
Just a personal preference for visualization of a network
oh interesting. ive only done that with draw.io
with canvas as well?
So like network diagram?
Learning Markdown syntax has been a game changer for organizing notes
well thats something else ill look into then!
nah more like my attack path
also you can export the canvas as an image
is that what this is?
https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2023_02.svg
ive wondered how they did their mindmap
mindmap is different
likely xmind
a mindmap is a general flowchart that you'd use
as opposed to the workflow is what you actually did
there is a cool plugin i tried for obsidian Enhancing Mindmap
i gave it a go just for nmap, it is quite nice
it doesn't work quite well if I throw it a whole file...
eh that looks like a mindflood to me
trimming some branches
I don't like things throwing too much info at me tbh
i like being able to quickly parse what i'm given
it's why i dislike LinPeas/LinEnum
yeah you are right, i was just trying the thing, i do not plan to use it anyway
installed 😉
yea i agree. i end up ignoring 95% of it.
Hello amigos. If we have SSL encryption, we know the CSRF token which is passed through the URL and not the body of the request with a GET request. - Would it be possible to have a CSRF vulnerability if the victim visits the attacker website even if we have SSL encryption? The answer is YES but i dont understand why? We have SSL encryption, normally everything should be encrypted, isn't it? So normally the CSRF token is also encrypted, thus we can not get it, which makes this attack obsolete?
SSL doesn't inherently block CSRF
Website with the collection of all the cheat sheets of the project.
both of these use examples that include https (SSL)
Describes the cross-site request forgery (CSRF) attack and how to implement anti-CSRF measures in ASP.NET Web MVC.
The problem with those kinds of attack maps is what you leave out, and also the maps quickly become too big for the screen, so it loses the whole point of having everything laid out in front of you. If I have to scroll and zoom here and there, it does not give me a better idea. But your use for the actual attack chain of what you tried is nice; linear notes can quickly become messy, even more when you look at them after 3 months and wonder wtf is going on there...
yea i agree.
It's why I detail and label the cards/images
Use groups to put things together
I.e. if everything is on host A, then detail what's on host A and have them as one group object
thanks for the advice. Sometimes when i'm trying stuff, I find it quite hard to take a step back and take detailed notes on the fly as I don't want to lose the thread. But at some point, I'll lose the thread of what I already tried lol There is some fine line I still need to figure out, I guess.
download it from the github repo 
that's just a clone tho, the actual repo by the guy who wrote it is https://github.com/gentilkiwi/mimikatz
you guys make some serious notes, you're scaring me 
notes are good
dont be too impressed. mine are scattered and i still use google or HTB search function more than my notes hahaha
we are just speaking about good notes
Wait until you see my obsidian graph 
yea, for me its more aspirational hahaha
- what do you do in life?
- taking good notes
no wonder why you are all alone : D
is there a way to 'gift' subscription or something like that?
like if the company i work for wants to buy a subscription for me, how would that work?
will the redeem a gift card work for subscriptions too?
ive wondered that too. as far as i can tell, they'd have to buy a giftcard and email it to you
i dont believe they can directly buy memberships/subscriptions. likely something in the enterprise accounts but nothing outside of that, as far as im aware
you can just buy it and claim the cost?
no, they have to buy it with company card
theres a prolabs room
Why cant i see it
module web attacks/Insecure direct object reference/ mass enumeration.... the following is not showing the same as on the course, hence the rest of the content doesn't seem to work, http://94.237.59.63:47517/documents.php?uid=1 , it does show documents, please help ?
Sup 🤙
i see it in the 'archive' section of the server, down the bottom. unless you need the Fullhouse prolab
Dont see it actually
It says No Access
oh, then you prob need to verify
Oh snap
Um….how long does it take to for the target to open port?
once the target is spawned the port should be open
I need some special access or what
Yup….um…target isnt allowing ping, arp, nmap, telnet 😤😭
i believe its moved to #1263635449335910531
make sure youve got the right vpn connected, and if not download a new connection file. switch vpns if you need. and/or its possible the target needs to be reset
Aight let me re-download…I already tried resetting
Is there preference on tcp or udp?
Lolz…didn’t work
whats the module/section?
Meow isn't an academy module
Read and follow #welcome and ask in #starting-point
Basic ts, are you using the starting-point vpn
Yup openvpn
but is it the vpn for Starting Point?
the vpns are different for endgames, prolabs, machines, starting point.
i can see youre verified now. go to the #starting-point channel and show some screenshots of your process
Aight
Module: Kerberos Attack
Section: Unconstrained Delegation - Users
User callum.dixon has Unconstrained Delegation set + carole.rose has GenericWrite over Callum
Goal: Compromise domain
I am having a problem with krbrelayx.py. I use it with the NTLM hash of Callum
sudo krbrelayx.py -hashes :3E7...
And then I call the printerdebug.py using the user carole.rose
The listener of krbrelayx.py fetches no TGT in that case.
What may I have done wrong here? Could someone help me
FINALLY got a reverse shell on a box I have been working on for hours. Such a wonderful feeling
you can list accessible shares
also you might be able to access \\DC01\david\
make sure you're using the right hash, and run it a few more times, also try using the other tool, demetor or something
generally you access a share via the \\<host>\share
With the NTLM Generator:
C@lluMDIXON:3E7C48255206470A13543B27B7AF18DE (NTLM)
Only to find out about 2 minutes later I literally didn't need the reverse shell at all 
mate, there is no way im clicking on a random whatsapp link...
Surely nothing bad could come from this? 
it finally let me through 🙂
Hacking WordPress
Skills Assessment - WordPress
I try to scan a site with wpscan, but I get "Scan Aborted: The remote website is up, but does not seem to be running WordPress."
and there is nothing in source code about wp
we don't do that here
@glass quail im not looking for a beginner
AHAHAah
we don't take illegimate jobs
@glass quail i think u need to spell the word illegitimate correctly first before u blame me
Dawg the #modules is not the place to try and hire someone to help break into a smartphone
Dare I say this whole discord
Dawg, i cant type into other channels so not my problem.
Lol
Just dont read it
It doesn't matter how I spell or look this is not a black hat recruitment center
too slow 
kicked the user
Hacking WordPress
Skills Assessment - WordPress
I try to scan a site with wpscan, but I get "Scan Aborted: The remote website is up, but does not seem to be running WordPress."
and there is nothing in source code about wp, could be a problem on server side?
Okay, will repeat, cuz too much spam from that guy
I don't remember 100% of this module but did you run a gobuster / ffuf? Maybe wp is in another dir
hm, no, I didn't
Let me try
you don't have to run the tools, just explore the site
ah
Hey you guys,
Module: Linux Fundamentals
Challenge question: What is the name of the last modified file in the "/var/backups" directory?
I am logged in as user htb-student on the HTB server computer (I used the username and password given at the beginning of the module, using ssh [username]@[vpn]) and I'm facing a challenge regarding the question above. The dir is: /var/backups
ls -la -i command is not displaying the file name whose last mod was on 3rd of AUG, 2021. inum is 262151.
Was the file deleted? Or am I missing something?
PS:
ls -lai /var/backups
returns nothing. Bc it returns the same thing I'm tryna crack:
What is the name of the file modified on 3 of AUG, 2021?
/var/backups ?
hey, if you take a look at man ls , you'll find clues on how to resolve the question
i think you also could filter date with some command
That's the path, yes...
Thank you, trying
you can also have a look at the man page for find command, there is also a possibility there
I tried that using:
find . -type f -newermt 2021-08-03 ! -newermt 2021-08-04
See, the funny thing is that to move to that directory (whose name is a blue dot, apparently) means using the command cd .
But cd . also refers to the current directory, so if you are already in /var/backups, cd . will not change your current directory but will confirm that you're already there. So what now?
The . Is just current dir
ion follow...
What section exactly are you working on?
Working with Files and Directories
Yeah the question itself doesn't refer to the inode
Unless you're referring to the second question
True, I just needed the index to try and find the file that corresponds bc issa unique identifier.
In which it's asking for the inode number of a specific file in that directory
No, already answered
How would you go about the first question
The first question has nothing to do with inode
the dot . refers to the current directory but not a directory in particular. So each time you change directory to another, the directory you are in is symbolised by the dot .
@fathom pendant
Oh oh yes ok
You don't need to index anything for the first question
Many ways to sort by modified time
ls has a way, so does tree
My brain
I told you 2 commands that have a way to give you the information
man ls, man tree, ls --help or tree --help can help you find what arguments to use
I'm sorry, should I have mentioned I'm just starting out? mb
And I'm telling you how to find information
I'm not going to spoonfeed you every step
Run any of those 4 commands to see what their respective tool can do
man <toolname> gives you the man page (if available) of the toolname you provide
And a lot of commands have a --help or -h option for a more brief list of things
resourceful. ty
The dots were confusing me. I overthought them to be some sort of hidden files. Correct answer was NOV 12, 2020: apt.extended_states.0
lol... now they are typing... and wondering what just happened...
No, the correct answer is the file name
well...
As that's what the question asked for
Thank you, again.
Broken Authentication
Brute-Forcing Password Reset Tokens
- Takeover another user's account on the target system to obtain the flag.
- I tried to fuzz for usernames first but I am not getting a different error for a correct username:
ffuf -w /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -u http://94.237.59.63:41162/index.php -X POST ...SNIP... -d "username=FUZZ&password=a" -fw 756
- I tried fuzzing the token with the password as password for whichever user it is resetting but I can't find a valid token or the token scheme:
ffuf -w tokens.txt -u http://94.237.59.63:41162/reset_password.php?token=FUZZ -X POST ...SNIP... -d "password=password" -fw 595
Any help would be appreciated
Question for anyone that can help. I got the Student plan now from the Platinum when I started the CPTS path for pentesting. I am at 30 cubes now and from what I understand with the Student account we have access without cubes. Please help 🙂 thanks.
yes that's correct, you can just access the modules
That is what i was thinking. I cant its asking for cubes still. 😦
is it a tier 3/4 module? you'll only get access to tier 2 and below
student sub only gives access the t2 and below modules
Hacking WordPress
Skills Assessment - WordPress
Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
I found an LFI, but what file should I download, how may I find it
"...pattern.php?ajax_path=/etc/passwd"
yeah i am getting this on Web attacks which is Tier2
then you still on non-student sub
i have the student account
then message to the support
it's not active yet, has your previous billing cycle ended?
or have you been charged the $8?
Try logging out and back in again
good question, ill have to check that out
i guess its for a month
it won't be active until you've been charged
so I will have to wait for the platinum month ended? I cant end that now and move to the student account to keep going
Hi I am having trouble with the Command Injections module. The 'Bypassing Space Filters' question does not have the right answer possibly. The question is what is the size of index.php, I ran an ls -la and it seems to be 882. I tried 7056 in case it was in bits. I don't know what's up, could someone who has done it before check if the answer has changed since then?
correct
Thanks. I'm wondering if i can end it early and move to the student so i dont have to wait
as the "downgrade" is less money it won't go through until the sub would roll over to the next month
you'll have to message support for that
Yeah ill try and connect support
as upgrades are a simple matter, pay the difference -- downgrades aren't as simple
could you have a look at this if you have done the cpts or command injections module on academy
I did this a week ago and my index.php was a different size. Are you sure you are in the right place?
well there isn't really any other place to be
I just tested and I got the expected size for the right answer
i ran pwd I am at: /var/www/html
yeah I attached the screenshot for the ls -la, it is 882 for me
Are there not multiple examples in this section of different versions of the same page? Maybe you are in the wrong one
did you spawn a target for that section or are you reusing the previous one
yeah that was the issue I had to respawn the target
I thought it would have stayed the same
Thank you 🙂
Each page has different filters which is why the index.php is a different size even though the tool is the same
Is there any bug system or official way to report bugs/issues with modules?
Module: SQL Injection Fundamentals
Note: The data types of the selected columns on all positions should be the same.
Link: https://academy.hackthebox.com/module/33/section/806
Can someone explain what they mean by this? Because when I performed a UNION Injection in the exercises in this module, and even when I performed a regular UNION query in the database server they provided, I can just use any integer in the dummy columns, regardless of the data types of the corresponding columns in the original query. For example:
cn' UNION SELECT 1, @@version, 3, 4 -- -
it means the amount of data from your union command should match the amount of data of the original query
The number of rows?
columns
I understand that the number of columns should be the same, but the note talks about "data types"?
data types; like integers, strings, tuples
it's saying "they can make any of the values of the remaining columns whatever they want"
because the example is basically col1, @@version, col3, col4 which matches the amount of columns the query pulls from
where it's inserting the @@version command in col2
I think their question is that why did the module say the data types must be the same
Yes
they didn't
?
there's a quote from the module
I was saying that I was able to perform the union statement regardless of data types of columns which contradicts what's written in the module.
Hence, my confusion.
either way iirc mysql will do conversion for union queries
OH
they're just talking about sql tables in general
as in all the data of a NORMAL TABLE in a column will be the same type
so ints will be casted to strings if they're different or something
Oh, that's prolly why it worked.
when you do union queries conversions will be done to present the data for you
Do most of the popular DBs convert? Or is it a MySQL thing only?
all sql like DBs do I think but it's been a while since I've worked with them
So if it converts... why the note in the module? Isn't it sort of redundant? (unless there are DBMS' that don't)
that I don't know, extra info I guess?
I see. Guess it's a good thing to know in case I ever come across some DBMS that doesn't have the conversion feature.
Thanks @next bronze @fathom pendant
I believe the note was mostly referring to if you're combining 2 different tables
Regarding this, iirc at the exercise at the end of the section, you interact with 2 tables: employees and departments. One of these tables had a date column and I was able to UNION strings into that column.
¯\_(ツ)_/¯
So I don't think the note applies to MySQL if Xre0uS is right.
it's been a minute
Hahaha alrighty. Thanks
if anything throw it in #1234357888114364508
does the password attack final assessment - hard have a stupid long password spraying portion? just taking forever, and want to make sure i'm not wasting time because I'm stuck
I don't recall spraying being part of the password attack hard assessment
I remember bruteforcing at the start
Does anyone know if netexec/crackmapexec works with IPv6?
well password spraying for a specific user. Maybe i'm not misusing the terminology. have 1 user and a long pre-made list of passwords, trying every password against that one specific user.
password spraying is 1 password against many users
my notes say I used the mutated list
aye thats what i'm using. Just taking a long long time.
i don't recall if i cracked it against smb or rdp
but it shouldn't take more than 20 minutes
as the password isn't that far in the list
doh, im trying against smb
i mean smb should work i believe
im around the 40 minute mark and still going. made my mutated list based off the rules given in the module resources.
the rules and password list from the given resources should be enough
i got the first user that way. I was trying for a 2nd user on the box. first one i got pretty quick just came to a dead end so i started bruteforcing another user on the box
@late moth if I'm not wrong brute force shouldn't take more then 5 mins in modules
thanks for the heads up. i'll take a look again
all used password should be in rockyou list
yeah you're not gonna brute a second user
the second user has a password that isn't in either mutated list or rockyou
you have to find it another way 😉
got it, think i know the avenue just gotta figure out how to do it lol
2john is valuable
this assessment is a lot of back and forth
What am I doing wrong?
File Upload Attacks - Type Filters
||I found that I can upload .phar.png, .phtml.png, .phtm.png, .pht.png (or .jpg/.jpeg) and I have uploaded with different mime types (png/gif) || I'm able to upload the files no problem, but I haven't been able to successfully execute php on any of them.
you don't necessarily need to execute your command from the url, if that's what your are trying.
Okay, I'll give it a shot. Thanks
there is no need to give the solution
It was a suggestion, not a solution
Hello, every time I reboot my vm (VirtualBox) I get asked to re-install ParrotOS and it does not save any files from when I had it on, anyone know why? I'm using the HTB Live .iso
i will not even argue on this
hey, you have to actually install the system. A live iso is usually meant for removable media.
Bumping on the same problem here.
I used both ligolo-ng and proxychains with chisel but nmap says there isn't any port open for the ipv6 address. Tried passing the address directly, adding it to the hosts file and calling it but both just didn't return anything
I'm sorry anyway, I'll pay more attention to that.
The frustrating thing is, I did all of that multiple times to no avail. For some reason it worked this time and not the others.
I can also verify that I get ipv4 connection with nmap but not ipv6.
Tried a github bash script to enumerate ipv6, it returned a 'xerox' device but none in the internal address
You install it and then you have to unmount the installation media.
You can get a couple of videos on how to do it in youtube.
I found that it was quite specific about the files it would accept.
I have run through the same extensions, file types, mime types, and php, I have no clue what's different this time than all the rest
other than me resetting the box 85 million times lol
it is fine by me, I just think it deprives others from learning stuff.
I get this is tempting to just push people to a working solution and also it can be tricky to help without saying too much.
Anyone who have recently done Pivoting Skills Assessment?
systeminfo
domain-joined or not, which machine to move laterally to depends on what you've enumerated, any credentials you've gathered, ...
Sir, in Windows Fundamentals NTFS vs Share Permissions I am unable to use smbclient. In the module it is written to follow along, but I am able to use xfreerdp but unable to use smbclient. smbclient -L 10.129.47.105 -U htb-student
do_connect: Connection to 10.129.47.105 failed (Error NT_STATUS_IO_TIMEOUT)
ping sweep, nmap to find open ports on machines, enumerate accordingly
you'll learn more in the AD attacks module
In SQLMap, it apparently makes a difference what value I pass as parameter. I did 5 tests to verify it (module SQLmap essentials ( What's the contents of table flag6? (Case #6))).
Ex:
...?col=1 -> no result
...?col=id -> dumps database
Is there any value that i can use that 'always' works? Otherwise you would have to test all kinds of types?
Is this not because 1 is not a valid column name for the table?
oh yes... ugh! thanks 🙂
Module: SQLMap Essentials
Section: Attack Tuning
Section link: https://academy.hackthebox.com/module/58/section/526
I'm currently attempting the following question:
What's the contents of table flag6? (Case #6)
I've tried the following flags with my command: ||--level=5 --risk=3||
It took a LONG time but it gave a result but it's still ongoing (see screenshot). I had a look at the hint and there's a prefix it suggests. I'm still waiting for this command to finish running to see if I can get it without specifying the prefix but it's insanely slow since it seems to be a time-based blind injection.
That aside, the hint specifies the following: ||Use the prefix '`)'.|| Does it mean ||`)||? And if so, I'm guessing SQLMap doesn't have this prefix as part of its testing by default so we have to specify it? If I didn't have this hint though, how would I go about solving this? Would I have to use the flags I mentioned above and just hope for the best?
for me, i did it without the hint. but i remember #6 and took me 1,30-2hrs to get the flag
if you fuzz it, you find an error on the backtick `
A wordlist you'd recommend?
just try special characters
There a wordlist for that? Or I gotta manually input special characters? 😂
Thanks!
Btw do you happen to know if SQLMap extends the prefix you specify? Like if I just specified the prefix as --prefix="`" would it find that you actually need to use ) to escape the user input limits?
Or will it strictly adhere to just ` ?
What are we supposed to learn from this? I concluded that evil-winrm is more reliable than impacket-psexec
Do I need to escape the "`" character somehow?
If your output is this.... There should be something left open. A double quote or single quote somewhere
I tried removing the ` character from the prefix and the command ran so I'm pretty sure I need to escape it somehow.
You do not need 95% of the stuff that you have in this command.
Try using a single quote instead of double with the parameter...
I actually just did Copy as cURL from the browser. I didn't type all that out.
You can try to save the request to a file and send it to sqlmap with the '-r' flag
Doesnt matter, keep it simple
Hello can anyone help me in DMs for Brute-Forcing Password Reset Tokens
If you still cant get it the command in my notes ||has 3 flags and the scan took 2 minutes to complete. You can probably reduce this by being a bit more specific with them.||
Hello I am stuck on question 2 of information gathering - web edition skill assessment. And I try to brute force vhosts by using gobuster but a 403 error occurred. And when I try to open the website it shows forbidden.
What is question 2 and what have you tried?
Skill assessment
What did you try to do to find the answer?
Hey @acoustic owl can u help me with my question please
Yeah, via brute force vhosts. So that I can get a new subdomain, where I can find some software.
i actually have a similar problem, all of the subdomains are 403, i even tried to grep only with status 200 which didnt give me anything
I don't know why Hack The Box has got a problem. When I try to open the website via the IP address that has been given by HTB academy, it shows forbidden 403.
That module works fine for me
I'll be offline for about 1 1/2 hours.
but after that I'll have more or less the whole night to help.
write me a dm
Did you add the required domain to your hosts file?
I just got back to my laptop and gave it a go. I had left it running previously with a \ to escape the character and it worked. I tested with single quotes and it works without having to escape the character. @dapper moth thx for the single quote tip.
I get the reasoning for extracting the request from Burp to keep it simple but since I wasn't documenting this and didn't want to start Burp, I just copy-pasted 😅
ip domain
yes
And you didn't include the port in your hosts file? :)
You should be able to call it with http://domain:port/
Some of the other binaries present some weird behavior with single and doubles as well.... Whenever you find something like this, try both.
And fuzzing is simple from there
Understood, thanks.
do you have to add the port to the hosts file too? i read something that you shouldnt add a port to it
No
in that case, i have not added the port
But when you visit the web server in a browser, for instance
You need the port
Or when using a fuzzing tool
Nice one, For future reference you can just use the url directly. Instead of using curl or burp.
Like gobuster or ffuf
hello everyone, I am in the active directory section, in the Living Off the Land module, I am not able to answer the third question (Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer.
) because I am not able to understand what type of filter to use (dsquery + ldap), I tried these:
i have done that, i add the port to the domain when doing commands
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -attr distinguishedName userAccountControl
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -attr distinguishedName userAccountControl sAMAccountName
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512))" -attr distinguishedName userAccountControl
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.804:=2))" -attr distinguishedName userAccountControl
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.804:=2))" -attr distinguishedName userAccountControl sAMAccountName
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.804:=512))" -attr distinguishedName userAccountControl sAMAccountName
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.804:=2))" -attr distinguishedName userAccountControl sAMAccountName
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.804:=2048))" -attr distinguishedName userAccountControl
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.804:=2050))" -attr distinguishedName userAccountControl
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.804:=2048))" -attr distinguishedName userAccountControl sAMAccountName
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.804:=2050))" -attr distinguishedName userAccountControl sAMAccountName
dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.804:=2))" -attr distinguishedName userAccountControl sAMAccountName
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.1941:=2))" -attr distinguishedName userAccountControl
What's your command
can someone give me a hint?^
Isn't it better to use curl or to use get the request from Burp cuz y'never know if maybe a header could be vulnerable? On a blind assessment I mean
Can you not flood the chat like that, or at the very least wrap in triple backticks so it's easy to parse
so for example the question:
What http server software is powering the inlanefreight.htb site on the target system? Respond with the name of the software, not the version, e.g., Apache.
I do
You mean ad enum module, living off the land?
Is the Skills Assessment for "Information Gathering - Web Edition" working ok? The target that spawns seems not to be running the software expected. No vhosts found from topmillion-11000. The web server is not the one that matches the correct answer (I guessed since there are only a few web servers). I've tried a re-spawn, but no luck.
yes
sorry, I just wanted to be thorough in saying what commands I used
for the subdomain enum, i do
gobuster vhost -u http://inlanefreight.htb:51445 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain | grep "Status: 200"
in all cases they return a 403 code
I also did, but the status shows 403 for all requests
Try using the IP address instead of the domain
alright, will try
Think I might be dealing with some problems routing traffic out to an IPv6 enabled interface. Does anyone know what would happen if I set two different routes to the same subnet over two different interfaces?
That won't help for gobuster
Collisions
Might be a waste of time, though, since I didn't get any results myself. It did go through the list without any false positives.
I am unable to send photo on discord chat.
Hey @fathom pendant, can you please help me with this question I posted earlier?
https://discordapp.com/channels/473760315293696010/774040263278592041/1268200645773496422
Haven't done this module
verify your account -> #welcome
It will not work with the IP if you do the same command. It will work if you add --domain <domain-name>.
In order for you to find the admin, your adminCount must be 1.
You're on the right track of looking for a disabled account
Reread the section again. There is no need for you to fuzz for usernames.
They would collide if they were sent to both interfaces. In this case the machine would send to both interfaces? Wouldn't there be a parameter to choose which interface to send to?
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=1))" -attr distinguishedName userAccountControl
This, right?
Not always
No
I understand. But even afterwards I fuzzed for the token parameter using numbers from 1 to 999999 and there was no hit...
Look at the attribute cheat sheet, :=1 is login script
Do you have to do the subdomain enum? I have done directory bruteforcing and found the admin dir, which also returned the 403.
I don't think that is in scope for the module and you would do that by saving a burp request which comes up later in the module (if not already covered)
The command you were using isn't going to be looking for sql injection in the headers you are supplying.
You have the right attribute in your LDAP part, you just need to have adminCount=1.
I googled a bit to find the answer
Thanks I'll give it a go
why would you fuzz six digit tokens?
So, if there are double route entries they would be sent to both then?
I had removed the entry for one interface, but only got it working by chaining dual tunneling tools to achieve a connection.
Oh, I see. Thanks for letting me know. I assumed it would work because in an earlier exercise the curl method worked for the cookie header.
Using one route
You're given an example email. Read it, then try again.
could you be a little clearer?
If in doubt, take a look at the gobuster help; you'll see the option and some explanation.
Your OID match.
1 is logon script, 2 is disabled user
Sorry but where am I given an example email?
You need to specify a custom injection point if you want to do something like that. It's covered in Running SQLMap on a HTTP request -> Custom SQLMap Requests.
It will only target the HTTP parameters by default.
Regarding the Command Injection module, Evasion Tools section: has anyone figured out how to use bashfuscator to base64-encode payloads?
encoder is the only mutator that I cannot get to work:
```
bashfuscator -c 'cat /etc/passwd' --choose-mutators encoder/base64
[ERROR] encoder isn't a valid mutator type
```
Other mutators like the one below work:
bashfuscator -c 'cat /etc/passwd' -s 1 -t 1 --layers 1 --no-mangling --choose-mutators token/forcode
Hey. According to this, I simplified my ffuf command to this.
But still no hit. Can you put me on the right track, please?
Why not just pipe your command into base64?
Filter using a regexp and not the response size.
Yeah, that works, but I was trying to figure out this tool; there's not much info on it.
And make sure you prepended your tokens with 0s -> seq -w 0 9999 > tokens.txt
Thanks @dim wolf I got it
I'd completely forgotten that I had specified the custom injection point. Thanks!
I still get no results with gobuster vhost -u http://94.237.49.33:52439 --domain inlanefreight.htb -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 60 --append-domain | grep "Status: 200"
I ran that script but it doesn't show me the flag.
Module: INFORMATION GATHERING - WEB EDITION
Section: Skills Assessment
Section link: https://academy.hackthebox.com/module/144/section/1311
I have added the given IP and the domain to the /etc/hosts file. I have done subdomain enum and directory bruteforcing, but everything returns the same 403 error.
What's going wrong?
Don't grep for anything
Then I just get 11,000 403s
Did you grab the description attribute?
can vouch
I'm sure its just that I haven't used gobuster for vhost enumeration, but scouring the gobuster help hasn't given me any clues so far.
If all else fails, reset the target
I've done that a few times too.
`&` here is to say that all conditions must be satisfied,
right?
That's not what I'm referring to
I'm referring to the -attr part
Same here. I've reset that and the pwnbox. Different IP, but looks the same otherwise.
It works with encode/base64:
https://bashfuscator.readthedocs.io/en/latest/Usage.html#advanced-cli-usage
Awesome, that worked, much appreciated.
I have honestly tried everything at this point, resetting the box, trying out different commands, but that 403 haunts me :DDDDD
Make sure you're not spelling anything wrong or typing anything wrong ¯\_(ツ)_/¯
I appreciate the attempt anyway.
And which attribute should I use? After -attr, should I add this: (adminCount=1)?
Honestly, I don't understand.