#modules

||SilkETW.exe -t user -pn Microsoft-Windows-Kernel-Process -ot file -p C:\windows\temp\etw.json||

And CTRL C to stop it

Yes that’s what I did but when I open the etw in notepad and search for the spool’s PID I get no results

Hello

I know this is not really the most appropiate place to ask but I can't do the xss detection question from XSS module because owasp zap keeps changing the request by force from http to https(at least that's what it looks like). Other browsers work just fine but if i use the built in browser or foxyproxy it keeps doing this

if anybody ever encountered this issue or knows what's wrong i am in deep need of help

reset the target

oh wait

you're trying to access via https

you need to access via http

also this is the appropriate place to ask module questions

Alternate suggestion: have you tried clearing Firefox's cache? Once in a while that sort of thing happens to me with fx and I'm pretty sure it's a cached 302 redirect. I usually just pop a private browser to get around, but IDK if you can do that with zap.

https://support.mozilla.org/en-US/kb/https-only-prefs#:~:text=Select Privacy %26 Security from the,enable it for private windows.

https://support.mozilla.org/en-US/questions/1019210

:)

quick googling

it's potentially just a configuration thing with firefox

which takes a quick google "Disable https upgrade firefox" or "disable https firefox"

source: i had to look it up previously

That could be too. In my case I know the http will load just not with my current session. It usually only happens to me if I'm deploying a site to a new server and don't yet have a cert up, so it keep trying to redirect me like the old server did.

In his case, I'm not sure how he could have possibly gotten a 302 redirect from the docker instance when the IP and port vary so wildly so who knows.

yea whenever i change it from url it forces it back to https

see the above linked articles

:)

<3

must have not seen it. i thought it was an owasp issue since accessing the site on normal firefox worked

cheers

honestly it's just overall better to just use your own firefox and route through proxy

than to use the proxy's browser

Does Chrome work too or is it trickier to set up?

chrome should work

¯_(ツ)_/¯

but idk how it'd be set up

Hi

Do i get Direct access to the bug bounty hunter path modules

with the Silver monthly subscription?

monthly subs will give you cubes that you can use to purchase modules, including those in the Bug Bounty Hunter path

no

if you want immediate access, you will need to purchase an annual sub or the student sub

Ok thanks

Hey guys I need some help

don't we all

I am unable to find the exploit for simple backup plugin 2.7.10

I am unable to find a exploit which would help me to get access and find the flag.txt

in the hint it said "search plugin exploit" but it was not helpful to me

which section is that?

public exploits

under which module?

cracking into HTB

so you scanned, did enumerations, visited the webpage?

search in exploit db

yeahh

or National Vulnerability Database

I am confused with which exploit to choose

If you send the link of the module I can help you

https://academy.hackthebox.com/module/77/section/843

it is called Getting Started

ohh I just solved it

let go @plucky hollow, thanks!

my bad

no worries

all of it is just practice

Im having issues connecting with my target on pwnbox and in my machine (rdp)

what issue

Quick question, will I get to keep all modules I purchased even if I don't finish them if I canceled my subscription?

If purchased them via cubes u will keep them forever

If it’s an access based sup (student sup , silver and gold annuals) u need to complete them to keep them

woww, shoot I screwed up then, I subscribed for two months patinium and purchased modules with the 2000 boxes I got from the subscription, so now I'm losing what I haven't finished

Heyo guys I'm having trouble staying connected to the box I'm supposed to RDP into I'm working on the "Windows Event Logs" and I'm on the first part of it. I can initially connect to the machine, but after about 5-10 seconds. I am disconnected from it, and I am unable to reconnect like the machine is offline. I'm on the VPN and the machine shows it has >100 minutes of life left. I've tried Terminating/Resetting the target machine but that did not work

No u don’t lose them😅

No matter the way u got the cubes from as long as u purchased them via cubes u have them forever

wheeew, I was having a meltdown for a sec, I saved up for a year and a half to afford cert voucher and 2 month subscription.

U lose what u haven’t finished if u have (student sup , silver and gold annuals) only

thank you so much for clarifying

Np happy to help at any time

im working on this module: https://academy.hackthebox.com/module/87/section/883
I created a parrotOS VM. The module says I should use the command: cat tools.list to see the list of tools. When i do that i get this: cat: tools.list: No such file or directory
Does anyone know why or what im doing wrong?

as has been stated a billion times about it, you need to create a tools.list file

the parrotOS vm (nor the pwnbox) has the tools.list file

the list shown is what you can put into a tools.list file

okay thank you

Im having a issue with the file uploads room, I try to upload the file and view it on http[://]ip:port/uploads/test.php and it is not there and instead i get the error page

well is that the right endpoint to find it?

also it's not room

room is thm speak

Not Found

The requested URL was not found on this server.

that wasn't my question :)

i believe that module has you bypass an image upload, yes?

no

what section are you on?

im on the first one

name?

the very first section named absent validation

thanks

also to uhm actually here; the very first section name is Intro to File Upload Attacks

was your upload named test.php?

yes ik the intro u mentioned doesn't matter right now what matters is i tried to do the absent validation with a simple <?php echo "hello world"; ?> and yes it was named test.php

did you press the upload button?

it has been giving me the same response for every single type of php shell i have tried of no url and yes i did i swear i did the site is kind of bad

just launched it and did the steps and it worked just fine for me ¯_(ツ)_/¯

no errors here

ok i got it to work

i came from portswigger and thm so i think i was just struggling to adapt

¯_(ツ)_/¯

Hi

💯

Does anyone have any tips on the test pts?

still not working

Lmao you mean the cert exams?

says it is bad request

¯_(ツ)_/¯

Tips are, do the path related to the cert and take notes

yes

That's the only tip that can be given about the exam

Other than that you're completely on your own for the exams

Okay, thank you. I know that I will be alone in this exam, but how long does the exam take?

Up to 10 calendar days

¯_(ツ)_/¯

ok

https://tenor.com/view/depends-it-depends-depend-depending-gif-9450980667299967764

If you look at the pinned messages in each of the cert channels they'll provide more info about the exams

Do you have any hints about Sea Lab Season 6?

No read and follow #welcome and ask in #boxes

what problem you having?

.

How do you know that Zap searches for https and not http?

it is literally in the url it forces it into https

I also used burp instead of zap for this tbh

¯_(ツ)_/¯

It's hard to know why this is happening to you, it works fine for me, have you checked the browser or Zap settings?

can you send in dm a picture of your extensions? I want to check maybe I installed a bad one

for all i know this could be

sorry too broke for premium

Did you also in Firefox go to about:config and change the setting there?

yup

foxyproxy and just 2 localhost 1 for burp (8080) and other for zap (8090)

I don't use premium either my guy

dont you need premium to scan websites?

No

You don't need premium to intercept requests

but yes i think with burp the crawling is slow

did you try reconspider?

does it check for xss?

ReconSpider won't do anything

nope, then try xxstrike

its weird until now zap worked no problem

i still think an extension is doing this

i just dont know which one

what specific section is this btw

XSS disovery

ty

I thought he were trying to crawl the truth I wouldn't use zap for anything other than that

no

XSS isn't about crawling

i know if i try i can do it by hand but yk zap has been until now very convenient

loads fine for me in ff

also you can try fuzz that with some usefull payload https://github.com/payloadbox/xss-payload-list

but also this section refers to using xsstrike tool

ik sorry my bad, I did not interpret the question well

there's a reason i asked for the specific section that's being worked on

nice, i'm learning from you.

by asking the specific section i can attempt to replicate the issue rather than just throwing darts at a wall and going "try this? or this?"

instead of going based off my memory

hm

the site worked fine for me routing through zaproxy and it upgrading to https

?

so it changed to https by force

but it worked

maybe i have to turn on the academy openvpn or smth?

nope

vpn not required

as this is a publicIP:port

zap browser worked fine for me as well

¯_(ツ)_/¯

hmmm i see

so i typed https isntead of http in the owasp bar

it's upgrading to https via the zap reroute

and it worked

yeah

however

sounds like it's potentially an issue with your zap install

as shown by the message

but you don't need to intercept requests for this section tbqh

still i need to get into the site

did you install the zap certificate in your browser?

im using the built in browser

but yeah i got one on foxyproxy

on foxy proxy it sends a bad request

idk what i did wrong

when doing the web proxy module it worked no problem, then i remember installing some extensions and then this

then it might be one of the extensions you added ¯_(ツ)_/¯

i've added no extensions

zap still comes with some installed. You mind sending me a picture to know what to remove

i'm not a zap expert my dude

as i said i added no extensions, not that none weren't already installed

worst case scenario; just reinstall zap

¯_(ツ)_/¯

on the Pivoting, Tunneling, and Port Forwarding skills assessment
specifically the question:

 For your next hop enumerate the networks and then utilize a common remote access solution to pivot. Submit the C:\Flag.txt located on the workstation.

i've done a ping sweep on the internal windows host, looked at arp and netstat but can't really find a third host. any tips

probably doing something simple wrong

did you check all interface networks?

Hi 👋

I have problems can help

Hi

Can you help for module attack password

What's the problem

Explain what is the problem you face, if I have any answer or hint, I will help you

You can privately, I can't send a picture here

Anyone know how to perform string analysis on this? Do I need to navigate to the directory first then perform string analysis?

CDSA Developing YARA Rules for reference https://academy.hackthebox.com/module/234/section/2514

Did you manage to enter the ssh?

yeah, I tunnel in and everything already

but in the example, it just shows this:

I do the same but doesn't work with DirectX.dll

well it directly tells you where it is

"that resides in the" means that's the file location that it is in

:)

So I navigate to the directory first then string analysis correct?

Well, you have a path

the "/home/htb-student/Samples/YARASigma"

you'll need to ssh to the provided host first

but yes

note that everything before [user]@htb[/htb]$ isn't part of a command

everything after is

ok - I'll try that and report back. Thanks guys! I was pulling my hair out earlier cause after ssh in, bash would lag/delay alot lol

so the command isn't [user]@htb[/htb]$ strings svchost.exe

just strings svchost.exe

then change vpn regions

¯_(ツ)_/¯

I hope I gave you a useful hint

i have problem
in password attack
Linux Local Password Attacks
Passwd, Shadow & Opasswd

what is the problem?

we can't really help without knowing the issue you're facing

will is not in the sudoers file. This incident will be reported

"i have problem" isn't descriptive as to what's wrong

transfer the files to your system then

note will might have done backups to a file location he can access

:)

(""Examine the target using the credentials from the user Will and find out the password of the "root" user. Then, submit the password as the answer. "")

i'm aware of the question

Is it a problem after breaking a password or is there a mistake?

i'm explaining that you won't be able to unshadow as will

you'll need to find files that will does have access to

that will be your first step

Good, it's not difficult, give you a username

And you have a password file, use it

I don't know how he got the password. sudo 🙄

again

look for files will DOES have access to

No, I entered ssh, but I want to get a sudo password

sigh

Stop focusing on sudo

Ok

Have some problem with Web Fuzzing module in the beginning. I fuzzed for directory, it founded w2k.. like in the description above and the file dblck also like in description above.. I used all wordlists( but nothing else was found😔

Did you fuzz the right hidden_directory?

The one explicitly given to you

:)

???

You won't get the same results as the example

I Fuzzed the webroot first

Those messages aren't related to your situation

reinstalled. the extensions stayed. i just want to compare lists to uninstall them myself cuz i forgor

Doesn't the question explicitly give you a place to start?

¯_(ツ)_/¯

https://academy.hackthebox.com/achievement/badge/7afa7b8b-6576-11ef-864f-bea50ffe6cb4 finally I move on to the privilege escalation module

I'm waiting 🙄🙄

can someone explain this behaviour?

this one

Dude idfk

For what?

I told you how to move forward

I swear, I didn't understand anything

Look for files will has access to

I didnt think that this is a name of the directory🫣 🫣 lmao. found everything

ls -la

The problem is that I won't be able to open the file

...

sigh don't look in /etc/

Look first in home

How many simultaneous threads do you recommend for ffuf?

Which section are you stuck on?

for HTB boxes

It depends

Password attack
Linux local
Passwd,shadow & opasswd

..

Ok I guess don't take my hints

unshadow

He can't sudo as will, which is where he's stuck

And I've provided ways of getting unstuck

No

He doesn't

Privesc is not part of this

I would suggest not commenting regarding a module you haven't done, or at least stating that you haven't done it

find a hidden directory on the user directory Will Marcie tells you

¯_(ツ)_/¯

?

painful

then you can use file transfer techniques to transfer the files found on your attacking machine.

if you don't understand re-read the course that's what they used to tell me every time i got stuck and if you don't understand rest and come back to it afterwards sometimes it's useful

Dude idk how much simpler you want it given to you without shoving it in your face

unfortunately we can't give you the answer directly here, but the people who completed the module will do their best to guide you and let you think about it.

I feel like you're still stuck on the sudo

Made in this context means completed*

Not actually wrote it

It seems that you are a little distracted, take a rest and then solve again

thank you 😉

In the second command it matches the first 2 a‘s, then the next 2 a’s and then the last 2 a‘s

grep is not limited to one match per line

just curious if you have a nudge. ping sweep for the second nic on the pivot host doesn't seem to be giving me anything and some other methods of discovering devices on that second network doesnt seem to be returning much else

ping sweeps should find it ¯_(ツ)_/¯

for the entire 255.255.0.0 subnet mask or just x.x.6.1 ~ x.x.6.255

It's a /24 subnet

so the latter

Ye

strange

Don't think about it too much

Which module do you feel guys is a difficult one?

I mean it's heavily subjective per person

Ad enum was tough mostly bc it's a lot of info

I will start now attacking common services

Nice👍🏻

Need help on a module. I'm following instructions step by step and nothing is working

Security Monitoring & SIEM Fundamentals >
SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe)

Make sure your time frame goes by day, and not by week

Today is not my day. I literally just solved it myself

Doesn't help I've been doing classwork since 9AM

I have been trying to use zaproxy as a web application assessment tool but it doesn't seem to be stable most of the time. So is there something I am not doing right or am I just better off staying with burp suite.

I've heard Caido is a suitable substitute

Thanks I will check it out

Can someone DM me Sams credentials from/for Password Attacks - Password Mutations / Password Reuse / Default Passwords. I did the module yesterday and didnt write the password down, since I didn't think it would be used again...

Nope. Go regrab it

I dont really have time to sit around and wait for another 45 minute hydra

You shouldn't need to wait 45 minutes... unless you were attacking ssh

its still slow with FTP

-t 48

:]

i was already running max threads

That's the most stable threading for that module

Well at least from my experience

More than that tends to cause issues

Very silly module guess I'll just mutate the single word and spray those cba with wasting my time

But yeah save all credentials you find in that module

apparently

lazzy design to reuse boxes

Well the focus is on the password techniques

So having a million boxes wouldn't help

The skill exams on that module aren't related to the rest of the module

But the sections are meant to teach different techniques and from the perspective of you sniffing around and enumerating

Do you recommend any place to find wordlists?

The seclists wordlists tend to be pretty good

basically cheated and looked up a forum discussion for this portion of the assessment. ping sweep didnt work but directly pinging the machine i found on the forum discussion does work. very frustrating

maybe increase the amount of ping packets sent would be the key to not missing devices on the network?

fwiw this is my pingsweep from powershell

 1..254 | ForEach-Object { $ip = "172.xx.x.$_"; if (Test-Connection -ComputerName $ip -Count 1 -Quiet) { Write-Output "$ip is up" } }

maybe ¯_(ツ)_/¯

just trying to think about what i could have done better incase im doing an assessment without a forum board to give me bread crumbs

but by all means that should work

but also if you use a tool like ligolo-ng you can just use fping through the pivot host :)

Is there something wrong with this?
copy C:\Users\htb-student\appdata\local\temp\lsass.dmp \\10.10.14.33\share\ /user:test test

Gives me an error on powershell and cmd
Edit: works without creds, looks like theres a different way to use this with creds

I see that ffuf gives me quite a few false positives, is there any recommendation?

if ffuf is spitting out false positives utilize the filter feature

generally a safe bet is to filter by response size (-fs)

I'm using a filter but in one it tells me what this is and in another it tells me what others are, practically with each scan to be sure I'm having to run the same scan several times and see which one matches.

what module and section?

also you can use multiple filters :)

low reliable

user=

iirc

ah it's a box

#boxes is for help with those my guy

not modules

oh ok

#boxes = labs on the app.hackthebox.com site
#modules = learning modules on academy.hackthebox.com
#challenges = challenges on app.hackthebox.com

:)

but you are not there

i don't do boxes 🙏 so i cannot nudge you towards the right answer

https://tenor.com/view/this-is-my-house-i-pay-the-mortgage-my-house-my-rules-angry-gif-15097848

To get the flag, start the above exercise, then use cURL to download the file returned by '/download.php' in the server shown above.

how?!?!?

dude

what module and section

giving us the question doesn't help

but also

did you click the button that says "click here to spawn target"?

also whenever you're given a location such as /download.php when dealing with webservers it's meant as
http://ip:port/download.php (if the target provides an IP:port) OR http://ip/download.php (if the spawned target is 10.129.x.x)

Web Request first page / section

ok

thank you

also first page/section means virtually nothing as half the time people mean the first interactive section

yes i clicked the spawn target

ok

the section reading should also have described what to do

im confused because of demons lol

yep i can indeed see that the section does talk about cURL

yeah all the tools to do this are given to you if you just read the section :)

In this module, we will be sending web requests through two of the most important tools for any web penetration tester, a Web Browser, like Chrome or Firefox, and the cURL command line tool.

cURL (client URL) is a command-line tool and library that primarily supports HTTP along with many other protocols. This makes it a good candidate for scripts as well as automation, making it essential for sending various types of web requests from the command line, which is necessary for many types of web penetration tests.

Directly from the reading

https://curl.se/docs/tutorial.html Also use this tutorial to learn how to use curl

ok pero i had used the web browsers it wont work , maybe this why im in the void

was there just now.

perhaps because the page is looking for the curl user-agent (don't concern yourself too much with user-agents at this time)

whats the point of Discord tho' like wtf

OK, use Firefox ill try again

don't use firefox

use curl

ffs

as the question states

Firefox will send a different user agent, dude.

the question wants you to use cURL so use it

ok, the firefox inside the terminal says "no internet connection"

the syntax is provided by the section you're reading

adm

Oh ok, where is CURL'/?

READ THE FUCKING PAGE

holy shit

stop being so dense

https://tenor.com/view/big-oof-size-small-medium-switch-gif-17355313

curl is installed on your attack system or pwnbox

the syntax is given to you, and shown how to utilize

it is a command line tool

meaning you run it in the terminal

not from a browser

Open a terminal and type curl

🤣 bro i read it like twice now

then you aren't understanding

like powersheld?

powershell works

Sure

but it pains me to read those words

the syntax will be slightly different in powershell though

as technically curl is just an alias for Invoke-WebRequest

and i don't know offhand the flags and such to get it to work like in bash

Why are you trying to use curl from within powershell? The module wants you to use curl, and curl should be in pwnbox or kali linux. Connect via VPN or use the pwnbox. What does this even have to do with powershell?

likely a windows host

bro im a beginner lol

So do the beginner modules first.

this is a beginner module

t0 fundamental

Learn how to setup and connect ot HTB using the setup module

tellme more

how to connect to VPN academy

it's why it gives the syntax for curl directly

do you have the in-browser vm running yes or no

i just want to get this out of the way first

the "Start Instance" button

is that on your page?

did the intro onboarding ... but now wanted to start a cheap module , like web request

that's fine

yes

The in-browser VM is the pwnbox. It has curl installed in a terminal.

ok click the Start Instance Button

and when it loads

click "Full-Screen

done!

now near the top you should see some icons one should have a $ sign on it

that's the bash terminal

this is where you'll run the curl command from

i did open Parrot smh

Did you get the terminal opened?

done!

$> icon

https://tenor.com/view/deep-breaths-deep-breath-deep-breathing-caryanne-gif-24937623

Great. now type curl

it should give you some output.

yes , help?</

curl -h (as shown in the section) will tell you all the different things you can do with curl

curl: try 'curl --help' or 'curl --manual' for more information

from here you should be able to do this question

Shorthand is curl -h

you can also man curl and also read the online web page help docs

HTB takes a lot for granted, such as the ability to arrive at conclusions based on given information

i mean, you used to have to "break" your way into getting an account

one sec pls

well in academy specifically, there's very much a focus on curiosity mindsets

you need to be able to be curious about using the tools you were just given in order to effectively do things in academy

anyone want to make a team?

also @tranquil crystal i was right; it does require the curl UA; just copied the chrome UA and it returns "please use cURL"

#1225791307256168448 if you can't see it; read and follow #welcome

Try asking in #1225791307256168448

thanks guys just found it

there are 2 types of people in this world:

1. Those who can arrive at conclusions with incomplete data

ooh that's like a Mr robot type saying

not really

ehh

it's just a play on the 2 types of people tropes

word

it's been a saying for decades prior to Mr Robot

I mean it wasn't an insult Mr robots a good show

fair enough

ngl i jumped on this disc to search the answer to all my questions, i was not disappointed in the history of this chat. I was also not expecting such a spectacle to unfold before me

lol

i cri every tim

oop 53,895 is the number obscured btw (53,897 now)

dont skip ahead do the intro to security fundmaentals in order, you wil thank yourself later

don't think he was following a path

just picked one that was interesting

it shows you not only how to do curl requests but also how to issue a get request using a tcp vfile and other things that may come in handy (not sure if that translates to powershell but i suppose there would be a way to do it if you had to, in a pinch. i think wget comes on powershell default, and curl does now too(? after a certain power shell version)

i got it , wow thanks... sure!

right on. but yeah he should still look into the security foundations or fundamentals path or w/e its called. i just finished a second run thru of it, its been vastly improved since i went thru it 2 years ago or so and i even learned that trick about the get request via tcp vfile in linux, was nice

ill dive a lil into it.

web requests is part of the intro to security path, i recommend it for you

if you're trying to break into web sec then do that first, then go to port swigger web academy and do labs there. but definitely get those foundations out the way, htb presents them very well.

@fathom pendant speaking of hopping around, whats your opinion on hopping around? im more of a "read the book cover to cover" kinda guy and i reckon you have familiarity with a lot of the modules/paths on here, what say you?

im considering doing some hopping at the moment.

i've done the modules in order and haven't skipped any even during frustration

there are modules you can sort of skip past and it not matter, but not really many in the course

as the paths are curated to lead you into the next topic naturally

as opposed to here's topic A, now topic C, now topic B which would have been useful for understanding C

yeah you pretty much read my mind. ill chive on.

like could you? sure, and then you'll read something from the "earlier" module in the path and go "ohhh that makes Y from later module make sense more"

awesome!

Anyone able to help a hint for the Footprinting Lab? I've been stuck for two days and feel like i'm missing something stupid

which one?

Hard?

--> UDP

While trying to run the reverse shell on https://academy.hackthebox.com/module/115/section/1106 I tried to follow the solution and what was written in the module but it seems that the written powershell command is wrong. Has anyone ran into that issue before:

run that command in cmd instead, as said in the module

:)

Sorry 😦 Footprinting - Medium . found a thing but don't have permissions

did you snoop around for an interesting file?

not even that far into it.

did you get a user:pass foothold yes or no?

if yes; you got that far into it to be snooping around

Brilliant it worked right away. Thank you very much for being so quick and knowledgeable!

check all open ports to see what else you might be able to access with the creds you found

No no creds yet. I found the techsupport part but thats what I cant get into

ah after mounting you may need to explore as root

It was indeed something stupid. thank you! I forgot about su

yeah

or sudo ls

:P but slightly more convenient to use su

bad practice i'm sure but oh well. I can't believe i spent two nights on that

eh it happens

this one is kinda outta the blue to have you need root to explore

but yk

is what it is

Yeah that definitely wasn't covered in the modules leading up. But I learned and hopefully won't repeat that, thanks again!

my general thing is "permission denied = need root"

short simple, to the point

thats why the sudo alias in parrot is what it is

please

mines a lil different >.>

well that's not my full alias list lmao

just the part that shows please is an alias for sudo

there's also the other funny alias

fucking

when you gotta sudo sudo well anyways gonna crank out this module... hopefully, if im not too dumb

i’m stealing this that’s brilliant

ok i got the second set of credentials but it's not working. does it take a long time for the thing i need to log into to start up after spawning the target?

perhaps think to see if the second set of credentials can be reused

one of the first things you should check when logging into a system is /home/ [linux] and C:/users/ for windows

gives you a condensed list to try

ohhhhh

:)

also generally shoot for the stars first

just a "fuck it, maybe it is" shot for admin/root

ok i couldn't figure out how to search to find the credentials but i did it manually and got the flag. thank you!

Used scp to copy it over myself and having the same problem: it's exhausting on the mutated wordlist and exhausting on rockyou.txt, no matter what happens.

Is the -O flag a problem? Because without it, I'm getting a hang at "Initializing backend runtime for device #1" for what seems like an eternity.

it shouldn't matter too much

depending on your device CPU it may take a few minutes to initialize I also don't suggest using optimized kernels

Not a CPU I'm using but a row of 6 Sapphire Radeon RX480s on risers

And the CPU in the device is an unlocked Rocket Lake 11600K. So shouldn't have a problem initializing anything.

well if you're running it in the VM you're not using shit

js

but it shouldn't take long to initialize

Nope. I'm running it on this and it's still hanging at "Initializing" for whatever reason.

i'm not familiar with running hashcat on a rig like that ¯_(ツ)_/¯

that shit is way outta my price range to think about

for context i use an i5-7200U just fine

not even GPU

could be driver related

but this is beyond what I know

It took me 2 years to initially build — not sure if the fact that the GPUs are 6 years old has anything to do with this, but might try switching to pocl on the 11600K CPU and seeing if that makes a difference.

Rusticl worked perfectly fine in the Windows password cracking section; now, it's regressing. Might be an Arch update that's the problem.

it wouldn't

as a note this bad boy i'm on is 10 years old

ah you're not using hashcat? or rusticl is just what's being initialized

Rusticl is the OpenCL backend

ah

gotcha

try running it with -b for benchmark

there's also --debug-mode

Will once the thing finishes rebooting. Took me 2 years to build this thing, and password cracking and mining use the same kind of computing power, so it shouldn't be a problem at all for what was originally a mining rig to crack passwords.

they don't actually

mining rigs are tuned differently than cracking rigs

#general message source: one of the dudes that helps maintain hashcat

so i'd trust this man to be correct 99% of the time when it comes to talking about hashing

there's also an official hashcat discord you might have more luck asking in there

otherwise if we keep speaking about it the mysterious chick3man himself may appear like beetlejuice

🤣

nah but fr chick3nman is pretty chill

https://tenor.com/view/a-mimir-kratos-a-mimir-meme-god-of-war-ragnarok-kratos-god-of-war-kratos-gif-26091600

and more than willing to explain stuff if you ask

that was fun, i be back tomorrow

thanks for the help

https://tenor.com/view/mimir-kratos-tree-god-bless-god-of-war-ragnarok-gif-27208064

Does this imply that custom.rule is required in combination with the mutated wordlist?

no

the mutated wordlist utilizes the custom.rule when you make it

you don't add the rule ontop of the already made list

the total size should be ~93k if i recall

Yeah, well aware of that. Alright, time to copy this thing over to my M1 MacBook Pro and see if that thing can crack it.

¯_(ツ)_/¯

Alright, M1 MacBook cracked it. Yeah, definitely seems to be something wrong with the way Arch switched to Rusticl as a backend.

Honestly tempted to just install Garuda on the beast of an Ethereum rig that has seen new life as the password cracker that it typically is before adding the BlackArch repos since Garuda has a much better driver setup out of the box.

How does a Python virtual environment work internally? Like those made with Pipx, I mean I understand that they maintain the autonomy of the project and that the dependencies do not interfere with each other with other projects but I don't understand how it works internally.

¯_(ツ)_/¯

basically sets up an environment for them to run in

like a specific room in a house; it's for a specific person/thing and you keep things related to it there

Metasploit question.

after I have the

[] Scanned 1 of 1 hosts (100% complete)
[] Auxiliary module execution completed.

How do I cat the location of the flag or the flag itself

i don't find vhost starts with the prefix "web-" in Web fuzzing module - Virtual Host and Subdomain Fuzzing session. Help me please

try a larger list

task require using common.txt and i also tried

Can you drop the command?

gobuster vhost -u http://94.237.59.199:53691 -w /usr/share/seclists/Discovery/Web-Content/common.txt --append-domain

check your url

Even your gobuster output should tell you what's going on wrong

URL is not wrong. i checked

It's not wrong, but remember, gobuster feeds the Host header value with the hostname part of the URL

they successfully seem to have found subdomains though that wouldent happen if their format was wrong

just not that one with web

it should be in seclists/Discovery/DNS/subdomains-top-1million-110000.txt (filename may be out of order but just check the directory and it should be there)

thanks bro

https://academy.hackthebox.com/module/67/section/601 Why does poc not have a dll file?

sometimes you just need to scroll a little bit

?

Where are the word lists stored on pwnbox

which one are you looking for? /usr/share/wordlists/

And there's also /usr/share/seclists/

yea i found the seclists in wordlists itself

dns subcategory

Hey, am working on AD module atm - quick question, after I have enumerated domain users with SPN, how can I figure out the internal IPs of these accounts?

i'm not sure what you mean by internal IPs of the accounts

please don't reveal spoilers, especially if it's the walkthrough

I mean after getting the SPNs and cracking the hashes of 1 of them, i want to use the credentials to pivot into another internal computer right? But I cannot figure out which internal IP the MSSQLSvc is on

you're not going to get an IP from an SPN

and since these are AD users, any domain-joined host is going to accept their creds as valid if you have them

ohhh

Ohh ok mybad

But anyway I can know why they chose that subdomain

There were so many sub domains to choose from

Hi, everyone if im having technical problems doing an exercise in the academy can i ask here?

I tried to nslookup the FQDN of one of those SPN results but got back nothing 😦 I am just wondering if there is any other way of figuring out what IP is the MSSQL service in

yep

if you haven't done it yet, you can use adidnsdump to get all the IP addresses and hostnames in DNS

I’m currently working on the “Using the known subdomains for inlanefreight.com” exercise in Hack The Box Academy, and I’ve encountered a strange issue with DNS enumeration on my local VM.

When I run dnsenum on my local virtual machine to brute-force subdomains using a wordlist, the tool freezes and doesn’t make any progress. Additionally, my internet connection on the VM seems to drop, even though other devices on my local network still have internet access.

I’ve tried using other tools for DNS enumeration on my local VM, but I’m experiencing the same problem: the tools don’t seem to work properly, and my internet connection on the VM becomes unstable. However, when I run dnsenum from the Hack The Box Academy's external VM, it works perfectly, and I was able to complete the exercise without any issues.

Given these observations, I suspect there might be some network or firewall limitations on my local network or VM configuration that are causing this behavior. Here’s a summary of what I think might be happening:

Potential network restrictions or firewall rules on my local network that could be blocking or limiting DNS queries.

Resource limitations on my local VM that might cause it to freeze or lose internet connectivity under heavy load.

Possible DNS server rate limiting or blocking due to the high volume of requests from my local network.

Has anyone else experienced similar issues with DNS enumeration tools on a local VM? Do you have any suggestions on how I can troubleshoot or resolve these network and tool performance issues? Any advice or insights would be greatly appreciated!

Thank you!

same here

will try it out. thank you!

Hello I'm on Web Attack Module in Local file disclosure section, I follow the example in the section but couldn't get the injection success, The web respond with "Your browser sent a request that this server could not understand."

Double check your payload, make sure all your open and close tags are there.

I try typing and even copy paste directly from the section it still the same error

someone finished the ADCS module ?, I have a question about the SA (already pwned just want to check something)

Hi guys I'm currently struggling with https://academy.hackthebox.com/module/19/section/103 Service Enumeration with Nmap, I don't get this part where they use tcpdump, what are these IP addresses they use, why two of them?

Hey guys, just a quick notes for those of you doing the Web Attacks module , the curl request mentionned in the course just wont work as is, if you struggle to find how to do them you could always go in the element inspector and copy the requests as curl but basically you can't go curl http://SERVER_IP:PORT/documents?uid=1 as the curl request won't return anything, you have to change the request to a POST request (easier on burp) but the request would look like curl -X POST http://SERVER_IP:PORT/documents? -data-raw 'uid=1' and there you'll be able to follow the course

You don't even have to do that if you're speaking of the local file disclosure section

they are just showing you what's goind on behind the scenes , those IP addresses are yours and the target after completing the tree way handshake the SMTP server (ur target ) send you data

https://academy.hackthebox.com/module/67/section/601 The textbook doesn't say where the system came from.

Hm, ok, so this first command with tcpdump kind of connect these two IPs and the second command with nc is making a request tot he specified URL and because of the connection established by tcpdump command I receive a response?

But it still doesn't work for me

└──╼ [★]$ sudo tcpdump -i eth0 host 10.10.14.174 and 10.129.106.121
tcpdump: eth0: No such device exists
(No such device exists)

How can I get the name of the device?

tcpdump don't make any request is just listening

you might want to do some networking stuffs first , check intro to networking module

Yes it does, the cmd shell right above that

@shut quest It weird, the same payload on my own VM it not work but on pwnbox it work

Hi All, im having an issue on the Responder where im unable to capture the event can anyone help me with this.

¯_(ツ)_/¯

it's in the IDOR section not in the local file disclosure

am not there yet

you curling to get user data?

just to get the body of the page as stated in the course

which section

I believe it's Mass IDOR Enumeration

curl -s "http://SERVER_IP:PORT/documents.php?uid=1" | grep "<li class='pure-tree_link'>"

<li class='pure-tree_link'><a href='/documents/Invoice_3_06_2020.pdf' target='_blank'>Invoice</a></li>
<li class='pure-tree_link'><a href='/documents/Report_3_01_2020.pdf' target='_blank'>Report</a></li>

That didn't work for me

#!/bin/bash

for i in {1..20}; do
for hash in $(echo -n $i | base64 -w 0); do
curl -s0J http://IP:PORT/download.php?contract=$hash
done
done

This work fine for me

what worked was ```curl -s -X POST "http://SERVER_IP:PORT/documents.php?" -data-raw 'uid=1' | grep "<li class='pure-tree_link'>"

<li class='pure-tree_link'><a href='/documents/Invoice_3_06_2020.pdf' target='_blank'>Invoice</a></li>
<li class='pure-tree_link'><a href='/documents/Report_3_01_2020.pdf' target='_blank'>Report</a></li>```

That's SYSTEM.SAV.

it's not even in the Mass Idor Enumeration module

contract=$hash it's documents.php not contract

Repeat what you learned in this section to get a list of documents of the first 20 user uid's in /documents.php, one of which should have a '.txt' file with the flag.

It's the same thing

Why isn't it working?

Even in the potato screenshot, it seems that you have not imported DSInternals.psd1

Now that it's imported have you tried just .\system?

That's what I'm asking where the SYSTEM file came from.

I did it yst it fine with the normal curl, I just went back and try again... yea it take POST method now

oh that's great you took the time to test it

I had another problem with the next module tho

the bypass encode?

like when you intercept the request that download the contracts (download.php) the request parameter is supposed to show you a MD5 checksum I believe and it did not at all

yeah

I had something like MQ%3B%3B (not sure) and it roughly translate to MQ== which to me is b64

ya in the right track

double check the method parameter and endpoint

Am working on something else so am not currently doing the courses but I'll go back later to see if it's a blocking point or not

well I just manually clicked on the file to download it while intercepting it

It's been a while for me on that module, on phone and I don't have notes specifically for that.

I'm assuming you saved the reg with an elevated terminal?

That section provide us with a script to automate the process, modify the script double check the endpoint, parameter encode method then you good to go

I'll try later indeed, ty

yes

Linux Privilege Escalation, Escaping Restricted shells, Command Substitution

They mentioned Command Subsitution as a technique for escaping restricted shells, but do not show an example. Does anyone have an example for it ? I could not find any online either.

Command Substitution
Another method for escaping from a restricted shell is to use command substitution. This involves using the shell's command substitution syntax to execute a command. For example, imagine the shell allows users to execute commands by enclosing them in backticks (`). In that case, it may be possible to escape from the shell by executing a command in a backtick substitution that is not restricted by the shell.

what's up when I do this module:https://academy.hackthebox.com/module/280/section/3134, I use ffuf and gobuster,I found a hidden dir but not have gzip file then I ffuf backup dir also not have

can you provide more information ? what request did you do ?

For humor reasons, you mind opening a new command terminal that is elevated, cd to c:\tools and save the system reg again?

I use like this command ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -u http://94.237.59.63:55428/FUZZ -e .gzip -recursion -recursion-depth 3 -rate 5000 ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -u http://94.237.59.63:55428/ur-hiddenmember/FUZZ -e .gzip -recursion -recursion-depth 3 -rate 500 gobuster dir -u http://94.237.59.63:55428 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -q gobuster dir -u http://94.237.59.63:55428/backup -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -q

this module wasted too much my time

do you finshed this module?

what's the name of the module ? cuz the link you provided only goes to web fuzzing

yes

Web Fuzzing-Validating Findings

how do you solved this

well actually I thought it was the module I solved but it's not this one it's really similar tho, in CBBH we use ffuf a lot, try to reproduce the request in burp tho

sometimes it helps to correctly visualize the request

Someone else is having the same problem I'm having.

@shut quest

and see if they are correct, you can also use the -proxy-replay parameter to pass your ffuf request through burp

yeah this module I remember I do it but maybe this module is a new module

I remember have module name ffuf to test web application

yes

The other thing you can try is if you did the diskshadow steps and pull the system file from there

you're fixated on a hidden dir tho but is it the only hidden dir or are there other folder that could lead you to said .gzip file ? @quick crane

boys, need your help with this one:

Intro to Assembly Language, conditional branching: "The attached assembly code loops forever. Try to modify (mov rax, 5) to make it not loop. What hex value prevents the loop?"

I've prevented loop running by changing rax value to 2, so it has to be 0 after cmp subtracts 10. However, I just can't find the flag (hex value) and wonder if I did it right?

same

fuck I found this lol,but I not see it

thanks your reply

you're welcome

Could anyone help on this

Did you do the poc?

yes

If you run whoami /priv what is the status of SeBackupPrivilege?

able

I did everything the article said.

Not sure then without spinning up the lab which isn't happening right now for me

Hi guys, I'm doing the Internal Password Spraying Module in AD Attacks and Enumeration and the machines (both Windows and Linux) does not spawn. anyone else have this problem ?

tried to revert couple times and gave it some time (10 mins) to respawn

just to note that before it happened, in the lab I got only 2 ICMP responses - 1 from the DC and the other from .255 machine.

pretty sure that I've got the answer straight under my nose but dunno, doesn't work

I have complete this, got question can ask me haha

thanks bro lol when I have questions I'll ask for help with you

sure can DM me incase in case I not respond here

Hi, can i get some help on the Stack-based BufferOverflows on Windows module?
The target machine in the questions is extremely slow and loses the connection a lot (can't even get more than 3 minutes on the machine.)
Any help would be appreciated and if any of you got the same prob pls tell me. (Ive done all the troubleshooting necessary and still nothing)

@next bronze can I dm you about that when you are free ?

go ahead

Does somebody has ssh connection problems too? (Working with IDS/IPS => Modules)

ok,dear bro

Hey everyone, I am working on the HTB basic toolset and currently on the 'Attacking Web Applications with Ffuf' module. I'm working on the parameter fuzzing - GET/POST portion.

The module suggests fuzzing the parameters for a php webpage in relation to passing a key through the URL (GET request).

I get the concept and what is happening but what I don't understand is why they suggest to use the term 'key' - http://<url>/admin/admin.php?para=key - How do you know to use the term 'key'? Is this standard protocol or could something other than key be used? How would you be able to identify something like this when you are in the dark about the target?

@shut quest The SeBackupPrivilege permission, after I set it, unexpectedly changes back to disabled.

Broken Authentication Brute-Forcing Password Reset Tokens
i try ffuf -w ./tokens.txt -u http://83.136.255.40:41881/reset_password.php?token=FUZZ 1 -fr “The provided token is invalid” i get the pass reset but i dont know the next step Did you specify a username when resetting the password?

#modules

Take a look at the exact request that resets the password

more details plz

What do you need to reset the password? Take a close look at the request.

Do you mean I have to specify a username? I don't know what you mean exactly.

That is possible. That's why I say look at the exact password reset request.
The application must somehow know which password to reset.

dear bro do you finished this module

bro do you solved this

I have already specified a username, but when I try to log in, it does not respond.

dear bro do you solved this

bro do you solevd this

I have already specified a username, but when I try to log in, it does not respond.

I don't know by memory what the exact request must look like. But the application needs to know which password to reset, a verification (PIN) and certainly also a new password

The server should always send you an response. Even if the request is incorrect

INFORMATION GATHERING - WEB EDITION
Skills Assessment
What is the API key in the hidden admin directory that you have discovered on the target system? Have found the hidden directory but not the api key any ideas? Seen other people sturgle too with this task but none seemed to comeback to give any hints

Just visit the hidden directory

Currently stuck on Linux Fundamentals, page 6, see Qs below
1. What is the path to the htb-student's mail?
I ran a search for all files from root containing the string "mail"
find / -name *mail*
Here's the last 3 lines of output:
...
find: ‘/snap/core18/1885/var/lib/snapd/void’: Permission denied
/snap/core18/1885/var/mail
/snap/core18/1885/var/spool/mail

It came up with many results, but none of them are correct (afterall none of them are in htb-student's directory)

2. **Which shell is specified for the htb-student user?**

it should just be bash right? Afterall i'm seeing all this bash config and log files so surely?
ls -a
. .. .bash_history .bash_logout .bashrc .cache .gnupg .profile

Idk if this module is broken, or if i've missed something, pls let me know what you think
||(Also how do i post images, it be great if i could show a screenshot of terminal output)||

:)

duh

wait forgot to give Qs

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.26.1</center>
</body>
</html>

Are you connected to the target? :)

-L to follow redirects

Yeah i think so! i remember doing the ssh, is there an ssh option to view connection status?

Why are you erasing it ?

Did you specify the port?

Because spoiler

Yes but its not the one it is looking for

It contained info that you have to fuzz

True

Did you also and it with /

nope... none was given, do i just assume port 22?
Also ssh did say i successfully connected, and my bash prompt change, so idk if port will make a difference

Thas was it...

http://x.inlanefreight.htb/hidden/

Thank you, much obliged

The port message wasn't for you

dearest apologies

If your prompt that's running the command says htb-student@[servername] then that's the right prompt

What is trivia night? Is it some kind of quiz event?

Also whenever you run find, also add 2> /dev/null to the end

Yep, it says htb-student@nixfund
so yea, any other ideas?

That will throw all errors into a void

And only show you results

What's the exact section name, can't be bothered counting page numbers

idk where to find 'section name', so here's the link: https://academy.hackthebox.com/module/18/section/70

It's near the top of the page

Ah you misunderstood the question related to mail

You don't need to run find, check the environment first

oh dam it was a directory

The shell question can be answered there too I believe

yep, got it now, probably should re-word that Q because the answer was a path, not the name of the shell.
Thanks for the help tho!

Well actually...

Whenever a program is defined for a user it generally either resides in a local or /bin/ or /usr/bin location that's usable by everyone

It's why if you do which python it doesn't return a version, rather the path to where it's running the command from

interesting

hi guys sorry for disorder, does anyone did "documentation & reporting" module? i can't crack the password of lab_adm, i have tried with rockyou, but nothing

i have red also some comments on the forum, but they say to use rockyou to crack the hash, but nothing

uuh' the monotony ... love it

Also technically it's a binary not a directory. If you type the shell in the terminal it'll start a nested session

the mail i mean, it never crossed my mind to cd into the path i found 😅

what's up with this? vpn is on btw
from XSS module - phishing section

Well the user's mail dir doesn't exist

That's an issue with zap

Those Java errors are zap related

oh dang, yeah, it is a directory, but its empty

I'm 3 modules away from completing CBBH track. Any tips before taking the actual exam. I honestly did not take any notes since I believe everything is already organize and I can just go back if I forgot something.

Honestly not taking notes is a bad idea

Notes can give you a quick glimpse into something that you can then use to look at the direct module if you didn't write something down

I see

Anything to add aside from making my own cheat sheets?

Ntm notes can help you outside of HTB context

Context for commands

And a quick breakdown of it

I see

So that you understand it better

Instead of just copy/paste and pray

Thank you.

just had to upgrade smth and do an autoremove

one last thing. where do you recommend me to take the exam? kali or parrot?

Whichever you prefer

OS literally does not matter in the slightest

okies

thanks man

just completed intro to the academy but can't unlock linux fundamentals

You get this sorted out?

ehm, what do you mean fort sorted? i have copied and pasted the hash on my machine, and tried to crack with hashcat

So you were unable to crack it?

nope

You can DM.

ok

hello chat

gm internet hacking conglomerate

anyone able to help with what i'm doing wrong here? it looks like this should work
└──╼ [★]$ snmpwalk -v3 -c public 10.129.202.20
snmpwalk: No securityName specified

try -v2c

that works but doesn't hit any results. I can see the version is 3 and 161 is open udp

which module is this for

footprinting - hard lab

i'm not there yet so i'll avoid trying to give more pointers
aside from maybe making sure your community string is right

np! i'll keep banging on it. thanks for offering

You need the right word to walk with

Did you try one of the tools to enumerate what the word may be

i thought so but that isn't working either.

Wdym?

It should out put something like [community_string]

Where the string is what's in the brackets

my notes on snmp suggest using onesixtyone+braa to find community strings

👍

Well. I was moreso hinting at it to get him there on his own

:)

I misread the output from 161. it was there this whole time

https://tenor.com/view/asdf-asdfmovie-i-can't-read-i-cant-read-punished-lion-gif-3532527054645921660

🤦‍♂️

many such cases

Happens to everyone

The funnier bit is you likely could guess it too

whats the error you get

/etc/hosts add the following
SPAWNIP WS001 (I think it shoudl be WS01)

@fathom pendant turns out I'm dumb yay

Took way way longer than I care to admin to find out about nested subdomains

You can't log in

WS001 cannot be resolved. Specify the IP address

Of course, here is a step that can try it again and put an ip

You have an ip and you have credentials, log in

use the IP instead of WS001

user bob and paswword Slavi123

nwm ill go and figure it out on my own, ty to everyone for your time.

Find out this is good, you have hints in this unit and you have a cheat sheet that you can distinguish your mistakes and overcome them

Hey guys,

Intro to Whitebox Pentesting > Skills Assessment Part 2
I have managed to fully patch the code and it executes just as expected: logs a unique simple password of specified length. Running it locally everything seems good but when I submit my code for review I get the following message: "

Result: Original Purpose Failed.

should log a unique simple password of specified length
"
Anybody completed this module and can give me some help?

Sup yall, anyone here recently completed Information Gathering - Web Edition (Updated version) module? Im stuck on one specific question

just ask your question

Which module?

Skill Assesment, Question "What is the API key in the hidden admin directory that you have discovered on the target system?". I have found a subdomain and checked it's robots.txt, which contains a certain "admin related" path. Upon curling this webpath, i get back a html body containing "Moved permanently". Intuition tells me, that the api key that im looking for should be somehwere here in a directory and yet a gobuster search with big directory list doesnt return any results. Am i on the wrong path?

Apply all the techniques shown in the module to the subdomain found. Then you should find what you are looking for.