#modules
if you do a full port scan it'll be more enlightening
another hint, it relates to the previous sections results as well
my pwnbox is linux but the questions are for windows file transfer
am i missing something
Windows File Transfer Methods 1st question
does the target have a webserver open?
yea
the target is windows but the only thing needed is just a wget for flag.txt
Can our instance pop out and follow like videos on opera
help idk how to make my ffuf look readable
also my keyboard is wonky
It always looks like this
Gonna need a little more info to help you out. What's the command you ran?
Network Enumeration with NMAP
Host and Port Scanning
https://academy.hackthebox.com/module/19/section/102
How would I find the hostname of an IP? I tried nmap -sC -sV and going to the IP in firefox, as well as trying whois. What else could I try?
nvm i got it to work
my terminal was too skinny so i had to fatten it up
and it stopped spouting nonsense
make the terminal window full-screen/maximized
yeah ffuf is silly like that
yea also is there any way to get rid of the creative commons notes
Like the random junk
-ic
[i]gnore [c]omments
it's literally in the help page
alr ty
im blind and english is my worst class
whois won't help you
Check your output. I did what you tried and found the answer.
some services report the hostname of the device that's running the service
oh okay! i'll probably just have to look more carefully
note the result may not say hostname
rather something close
@vagrant osprey type hostname in your own machine to give you an idea of what it means
ohh that helped! thank you
yes
hello stranger
hi
just wondering if you buy a module with your cubes do you have unlimited time on the pwnbox?
yes
a friend of mine bought the web request module and got this, just waiting for him to confirm he actually owns it
i believe the rule is they have to spend some kind of money on academy to get it
yeah he owns the module
did they actually put money in to buy the module or get it some other way
idk he has cubes on his acc and he used it to buy the web request module
https://academy.hackthebox.com/module/19/section/103
What does it mean "Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer"
The name of the service? I tried putting in all the service names and none of them were the flag
one of the services nmap queries shows the flag
am i doing this right? or do i need to reevaluate something
try some of the ways they showed in the module
i believe it notes you can add a parameter for more verbosity
i'll try nc
you start with like 70 cubes
im on Nessus Skills Assessment and found every one except the first one about What is the name of one of the accessible SMB shares from the authenticated Windows scan? (One word)
can i have some help
did you review the scan reports that are on the provided Nessus?
Yes
you can see in the pic it says you have to spend money on cubes
I got everything
i'm sure you looked then at SMB
no
if you check the windows_basic_authed scan you should be able to look at vulnerabilities then search "SMB shares"
it won't be a default sharename
so that narrows it down
OH MY
WOW OKAY I WAS JUST BLIND
Thank you i just used the default C$ something like that
time for a pair of glasses
thank you very much @fathom pendant
a lot of hacking is about looking for what's out of the ordinary
Hi everyone, I have a question I want to resolve and I hope you can help me.
I'm doing the Active Directory Penetration Tester > Active Directory LDAP > Credentialed LDAP Enumeration module, where I need to know which user account has ENCRYPTED_TEXT_PWD_ALLOWED
And the other exercise...
What is the userAccountControl bitmask for NORMAL_ACCOUNT and ENCRYPTED_TEXT_PWD_ALLOWED? (decimal value)
The exercise mentions two tools, ldapsearch-ad and windapsearch, but when I use windapsearch, with the user james.cross and the password Academy_Student!, it returns a credential error, while when I use ldapsearch, it works. I don't know why it works in one tool and not the other. If I only use ldapsearch, will I be able to finish the module? I've tried several commands and searches but nothing works, windapsearch still returns an error in the credentials. And they are right, the exercise itself recommends using it.
https://academy.hackthebox.com/module/19/section/108
i ran the vulnerability script, what on earth is this? how do i make sense of this output to find the flag
might help to put this into fullscreen
instead of using the limited window size
omg i can fullscreen
also it won't be a vulnerability per se
and it's funny bc this is the one you found earlier i believe 
also you'd only run the vulnerability scan against a port you might want to check, as it'll test everything
ohh
basic discovery scripts are fine
i ran it against all five at once lol
because this is just a lot of info that means ultimately nothing
as some of these CVEs would be out of scope even if you were testing
as they can cause DDOS on the server
:)

didnt get anything out of individual scans
would -A help any?
it did not help
i will try again tomorrow
Yea but I thought the point was windows file transfer to run windows commands in powershell
But the other exercise had that
So its ok
you can do that...from the available windows machine for the most part
aren't you on a windows machine in the first place?
like
nothing stopping you from connecting to the vpn with your host machine and doing it
Yea I didn't know you could do that until I read the next qn
But we good I finished the module just wanted to make sure if the way I did was correct
tbf it did ask to do it from the pwnbox
Yea that too
it is
ugh report writing suuuucks lmao i finally stopped putting off doing my AEN report
How do u do that
yeah AEN is kinda huge
ik the chain off rip but like double checking i got the right images sucks 
i at least documented for notes sake
so some of that is there
U doin the exam?
but some of the intermediary stuff that doesn't quite need a code block
nah Enterprise Networks module
doing the exam likely soonish
I think there's an icon by the terminal icon. It's blue.. or just search powershell. Idk I don't use parrot.
well pwnbox itself is also slightly different
so like
there's that
i'm taking time off work around the holidays to get my 10 days for the exam. maybe we'll get our badge at the same time, finally. feels like forever for me.
well i'm in a time constraint to start it
i'm sure you'll crush it
10 days + up to 20 bd for review and potential other 10 days if fail
chatting with rat has helped alleviate some of my worries and thoughts about my report before i've even finished it
about certain practices
have you done CPTS?
Yea its there
I found it
.
literally just said i hadn't lmao
if you take like 5 seconds to scroll up
One question for the file transfers module and specifically the python uploadserver. I have previously used it, but downloaded it from GitHub. Now I saw it could be installed with pip or pip3, great! Could someone explain why in one part it explains the download as 'pip3 install uploadserver' and in the linux part they run 'sudo python3 pip install --user uploadserver'. My question is specifically related to the use of sudo for a python install (since my understanding is it should normally be avoided). Or am I missing some angle?
you're missing a slight angle on it
the pip3 is just to install it for your user
the sudo is to install it for all users on the machine (including root)
though a lot of it should be attempted first with sudo apt install python3-[insert package name here] though not all packages are in the repo for distributions
so you have to fall back to pip3/pipx or sudo
sudo also allows you to skip some checks that it does sometimes
either way it doesn't necessarily matter
multiple ways to perform the same functions
Module: Linux Privilege Escalation
Section: Escaping Restricted Shells
Link to section: https://academy.hackthebox.com/module/51/section/1845
Tried running basic commands such as ls and cat, and obviously they didn't work since it's a restricted shell. I then tried each of the escape methods listed in the module, but none seemed to work.
# Command Injection
echo `ls`
# Command Substitution
`ls`
# Command Chaining (Tried with multiple different meta characters, such as ; | && ||)
echo "Hello"; ls
# Environment Variables
# Couldn't print env variables and when I tried modifying the PATH variable, it said that it was read-only.
# Shell Functions
my_function() {
ls
}
my_function
I tried combining multiple methods as well, but wasn't able to escape the shell.
google around for 'escape restricted bash'
there's another way inside the restricted shell but I don't remember exactly
Using the ||-t|| parameter? I'd seen a message from someone above who did it that way.
yeah I think so
something like that
i found something literally in the first google search
so
¯\_(ツ)_/¯
But you're saying you did it by setting the env variable in your SSH command?
i did that a few hours ago and it seems like google is needed
bro just kinda throws us in there
Just did that and found some dude's handbook with a ton of commands. Thanks
yeah so you found the two ways
let's be mindful of spoilers even close to the answer, but there's enough info here for others to figure on their own past it
Only externally 
Btw @next bronze when you doing a pentest, are there times where you need to read your notes on an attack to remember why it works and how to do it?
Or are y'all's notes just like a cheat sheet like "Try this attack if you have this info and run these commands" without an explanation

Ahh, okay, good to know. Now that I'm near the end of the path, I sometimes see things about active directory, even though I completed the module a while back, and I'm like "Oh, I've forgotten how that works."
depends on the context, usually there are some explanations since things can and will change for different environments
And then gotta look at my notes and spend a couple mins.
yeah that's why notes are great, refresher for the stuff you've done before
Okay, I thought maybe it was just me who had to refresh his mind
I usually carry two laptops with me, one for notes the other for pentests
nah my memory sucks for things I haven't done in a while, having notes are a must
Like the other day, I saw something about Kerberos Double Hop and I was like "I swear I learnt that" but my mind was throwing blanks till I looked at the notes and spent 2 min reading it.
I gotta really improve my notes before I do the AEN blind. Some of my notes I just copy-pasted things cuz I was lazy at the time 
copy pasting is fine, if you find that it's not good enough, just edit them while you're at it
Yeah, will do. Gonna change it to my own explanations so I don't gotta spend that long figuring out what the text means when I refer to the notes. I'm moving all my notes from GitBook to Obsidian, will give me a chance to review, restructure, and write things in my own words.
Btw does the Documenting and Reporting module have you write a report? (I'm assuming yes?)
yeah obsidian is way better than gitbook
the recommendation is to write a report for AEN instead
Ahh, I see. Best I finalize my notes before AEN in that case.
I only started off with GitBook cuz of the accessibility for me 
you can send it to me, I'll take a look if i have the time
Oh, thanks.
or @proud pine is happy to help too
Noted.
@sweet jewel gonna say gitbook is better? 
That's hardcore
if you want to sync for free you can set your vault as a github repo, there's a plugin that can push the commits for you automatically
Oh, didn't know that, I'll search for that plugin. Do you know if you have to write commit messages or does it just behave as a sync type of thing?
it generates the message for you, by default it's just a timestamp but you can set it to be whatever you want
Got it.
push, pull and commits are auto once you have it configured, you don't have to do it manually
Actually, this isn't allowed anymore. =X
Well, reviews for it, that is.
Oh, fr? Sadge
huh what
my bad didn't know that
why tho
Is it called "Obsidian-git"?
yep
They temporarily blocked everyone except me from doing them a few weeks back, while they talked internally on what they wanted to do. As of right now, even I can't do them anymore.
No, the pin was taken down today - it was just changed. As of right now, even I can't.
They didn't actually know it was going on, even though we had been doing it for a year now. They decided to review internally, and feel like it's sidestepping the TOS.
Same 
Vulnerability Assessment
Page 16
OpenVAS Skills Assessment
"What type of FTP vulnerability is on the Linux host? (Case Sensitive, four words)" where can i filter for this?
I see
They're still reviewing what they'd like to do going forward, but as of right now, nobody can do AEN reviews.
well to be fair the documentation module did mention to reach out to academy stuff for reviews but I don't think that has ever happened
they also said the makers of that module have kinda moved on to other things within the company so they're not really available themselves to review
I have a small question here in Port Forwarding with Windows Netsh. The question is: Using the concepts covered in this section, take control of the DC (172.16.5.19) using xfreerdp by pivoting through the Windows 10 target host. Submit the approved contact's name found inside the "VendorContacts.txt" file located in the "Approved Vendors" folder on Victor's desktop (victor's credentials: victor:pass@123). (Format: 1 space, not case-sensitive) but how am i supposed to get Windows 10 or pivot host access??
The guy doing them moved to a different department in HTB, and is now doing infra security, rather than academy, so even that isn't available anymore. They're going to remove it.
fair enough
Is there a sample report that's a good reference for what standard the report should be up to?
Yeah, the documentation module comes with a sample report that is a perfect example of what your report should look like.
Most of my review process is just getting someone to have their report mimic it as much as possible.
Ah okay, that's reassuring.
Thanks a lot for clarification!!
It's still easy to miss some of the details/structure, or forget to redact creds or such, so having a real person to review was really beneficial. There's no way an automated system could ever really help with it.
We gotta redact credentials??
yeah, you don't want them plaintext in the report, what if it gets leaked
and I will usually clean up the output too
RDP access to pivot host is provided
How do you redact it? Like, I get how you can redact it in an image, but aren't reports supposed to have a section with all the users you compromised and their creds? How do you redact text?
<redacted>
No, there's no section for that in the template. Any place you would have it in a code block should be removed with <REDACTED>
Also you don't include passwords
flameshot has a blur tool as well for screenshots
Like remove things you feel are unnecessary from the output of tools?
Passwords, hashes, anything sensitive.
yep
Anything that could incidentally be used to gain unauthorized access to the environment
Oh, I see. So the only proof of compromise is redacted screenshots and steps to reproduce the exploit chain?
It's also very easy to forget about where all you might leak creds, so having a human review can help bring your attention to it. Like, you might redact a hash in a tool output, but then forget to redact in a PTH command.
@uncut ocean just had a look at the module again, the RDP machine that they provide has access to the subnet with the DC. You pivot through there
my bad! i did not look at things clearly, btw arigato
i also got stuck on the same thing but i can't remember right now, but yes look around other things also and enumerate a little
i got the operating system and ip of target
That's just the first page of results...
Perhaps have a look through the rest, or filter the results
You're on the results page there - is there another page that might give you a better and more descriptive list of results?
What does the first page of results look like on that page?
and what page are you on?
(bottom right, pagination)
Nice
IM JUST BLIND
AND NEED GLASSES thank you
Thank you very much
No worries, removed the screenshot, even though it is a tier 0 module. Think the advice above is enough
DETECTING WINDOWS ATTACKS WITH SPLUNK >Detecting Kerberoasting/AS-REProasting
can someone hint me for this.
Modify and employ the Splunk search provided at the "Detecting Kerberoasting - SPN Querying" part of this section on all ingested data (All time). Enter the name of the user who initiated the process that executed an LDAP query containing the "(&(samAccountType=805306368)(servicePrincipalName=)*" string at 2023-07-26 16:42:44 as your answer. Answer format: CORP_
Linux fundamentals
trying to ssh, user@IP just fine, but when it comes to enter the password, I'm unable to input anything?
I feel like im missing something very basic here.
HI, could anyone help me with LPE-logrotten section, I'm trying to backup access.log, but getting the file with payload in /etc/bash.. directory with htb-student permissions. Should I use another log file for the escalation?
your input is masked for security reasons
Look for a log file you can access first
great, that was the original assumption but I must have had some typos! gracious.
I can write to access.log, and can create mon.log in the home directory. I don't see any files in /var/log I'm able to write.
Check closer to home
Nvm reread what you said
The access.log is indeed the one I'm referring to
Logs don't always have to be in /var/log
Yes, but the problem is that I'm able to get the payload, but with htb-student permissions.
htb-student@ubuntu:~/logrotten$ ll /etc/bash_completion.d/access.log
-r-xr-xr-x 1 htb-student htb-student 43 Sep 18 07:02 /etc/bash_completion.d/access.log*
So, the reverse shell is also as htb-student.
So... find a way to get your payload to not be htb-student and be root. logrotten is the key.
Also you don't necessarily need it to be a reverse shell
Yes, it's clear that I can create any script, but the permissions should be for the root.
#modules kerberos abuse constrained delegation....
i am getting this error repeatedly
PS C:\tools> .\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:www/WS01.inlanefreight.local /altservice:HTTP /user:DMZ01$ /rc4:813XXXXXXXXd0f8764531bc8c52fa66 /ptt
v2.2.2
[*] Action: S4U
[*] Using rc4_hmac hash: 81322a06e7a6d0f8764531bc8c52fa66
[*] Building AS-REQ (w/ preauth) for: 'INLANEFREIGHT.LOCAL\DMZ01$'
[*] Using domain controller: 172.16.99.3:88
[X] KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED:
what is going wrong ?
You might need to think a little outside the box to arrive at the answer
You need to trigger the log rotten payload somehow
preauth failed means the creds you gave are wrong
but it is right. i checked multiple times
But focus on the log you can access at home @smoky vortex
It's a race condition thing
hey you are correct. but when i ran mimikatz previously to extract the hash it gave me a different hash for DMZ01. but this time i ran it again and it gave me another hash.
you probably copied the wrong hash earlier
maybe.
BTW thank you very much for your kind help
anytime mate
I tried but netcat connection timed out
hi, for the information gathering web edition, i'm stuck on question 4. recon spider ||on both inlanefreight.htb and the webxxxx.inlanefreight.htb|| does not come up with any sort of output whatsoever. i'm not really sure where i'm supposed to get the email address from. finalrecon does not seem to find anything other than the ||robots.txt entries in the subdomain||. i've manually enumerated those, to no avail. i don't know how to proceed, since there's not a ton of further surface area i can find to enumerate. i'm fairly certain that the answer lies within the ||webxxxxx subdomain||, but directory brute forcing the root and the admin directory hasn't found anything
Hi, I am currently doing the password attack hard lab
I need help for the initial foothold for the lab.
I have tried using crackmapexec, hydra and crowbar and can't crack the password for johanna and it also takes really long. I am using a mut_password.list that was made using the password.list and custom.rule provided in the module. The services I tried are ||rdp|| and ||winrm||.
directory brute force wasn't taught in the module as far as I remember. BUT there are more ways to enumerate the domain. Don't be fixated on a single tool
perhaps there is something you are overlooking
Hello everyone, I need some advice on which wordlist I should use from seclists to find the last host which ends in .203 in DNS in the Footprinting module. I have already used some wordlists but with no success.
it just takes time
have u tried smb?
Nope, I will try it right now
remember to use local auth
How long will it usually take?
Because reading the previous discussions about it, some say it takes fast
stuck here
Take the smallest list. If you can't find what you're looking for, use the next larger one
Lists with 5000 entries or more are too large.
you are user1
Thanks I will try
u have to be user2 to see the contents
yes that's why i can't read the file of user2 but what other way do i have?
have u checked what commands u can run with sudo?
yeah
as user1 env_reset, mailbypass and secure path
and as user2 /bin/bash without pass
do you know what /bin/bash does?
no
it spawns a new shell for the user running it
okay and if i can spawn the new shell as user2 it won't ask for a password and i will be able to cat the contents of flag.txt? is that right?
try it out
got it but now here's the next problem, how to escalate priv.
there might be private files somewhere
need help with the password attack easy lab. i couldn't find the root password, i tried bruteforcing the ftp service using the root name and both the password list given and the mut one but no result
also tried the rockyou.txt didn't find anything any idea what i'm missing ?
IIRC they give you password lists to use in the resource tab in that module right ?
thanks its fun doing these things i am happy and so much excited to be honest
yehyyyyyyyyyyyyyyyyyyyyy
yes i used that didn't work
think about what other file in the resource tab might be useful
if im not mistaken, u should use the other file too
yes i know what u mean, i used the rule file to mutate the password list, still nothing
another one
username file ?
maybe?
i honestly dont remember many details about this skill assessment, but try using what you have, you may be able to get a foothold on some service using that
@safe star Thank you! I got the password
hey guys who could give me a hand on this module :
https://academy.hackthebox.com/module/145/section/1295
how would i connect to the sql service after the ssrf vuln recognition
how to know what to write instead of 0.0.0.0
wdym?
here the server is running on 0.0.0.0 but how to wget?
use your IP
i used but it refuse
0.0.0.0 here means that it's reachable from all interfaces on the network, which means let's say ur IP is (10.10.16.5), anyone on that network can reach it on (10.10.16.5:8000)
did u add the port number? "8000"
yes
show me how you used wget please
ohk
you sure thats ur local IP when you do "ip a" ?
got it worked
thanks alot brother
XD
not everyone has done that module to help, so u better respect people here who try to help at least
Why do you want to connect to the SQL server?
and keep "advancing" ig
I've been on this site for 2 years, i know what im talking about
then stop asking for help if "you know what ur talking about", no one wants to help an arrogant person
"Exploit a SSRF vulnerability to identify an internal web application. Access the internal application to obtain the flag."
the internal application that was found is port 3306 (SQL)
The module shows you how to access the internal web application
where ?
In the Confirming SSRF chapter
how would i get to this chapter if i do it step by step?
im on Identifying SSRF
i did , i ffuf the ports
and found 3306
the module left it hang like this :
The results show that the web server runs a service on port 3306, typically used for a SQL database. If the web server ran other internal services, such as internal web applications, we could also identify and access them through the SSRF vulnerability.
u were right thanks bro
good job
i found the password also for root but not sure if it's the right way hahaha
u moved forward at least
yup thanks for your time
You have to do exactly the same as when confirming the vulnerability. Just now with the address and port of the internal app.
dateserver=http://127.0.0.1:3306&date=2024-01-01
HTTP/1.1 200 OK
Date: Wed, 18 Sep 2024 10:48:54 GMT
Server: Apache/2.4.59 (Debian)
Content-Length: 45
Connection: close
Content-Type: text/html; charset=UTF-8
Error (1): Received HTTP/0.9 when not allowed
Perhaps your port is incorrect
u mean dateserver=* http *://127.0.0.1:3306&date=2024-01-01
i will tell u
that who wrote this module just did a mistake ...
No, I mean the port
As you have already said, port 3306 is normally a MySQL instance and not an internal app.
they are not 100% right with the engagement with users... to be in the place i am i did try hack me too and it took me 2 years
stop sharing answers pls
The modules are structured in such a way that you cannot simply copy commands and apply them. It is important that you understand what you are doing.
stop messing with my brain with easy things just to make me take a subscription for 2 years
no one forced u to learn nor study
they just make a mess, make the user understand on an extreme level... sometimes i feel they don't do this right
If you don't like how the modules are taught, you can always provide feedback via /feedback
listen buddy, basically i have a community in my country and im among the first ones who started to study cyber like that
Have you followed the Intro to Academy module? https://academy.hackthebox.com/module/15
i see some errors i have an opinion
Let's be nice
Nobody is forcing you to study this "extreme" level
If you have feedback and want to be heard /feedback is what you should do
so what do u suggest ?
sure, idc tbh, but be nice next time and give constructive feedback, also comply with the rules by not sharing answers twice
pay 10K usd for good course ?
u have the full control and the work to keep it clean ...
maybe be humble, learn, give good feedback, and stop bragging every two messages
if the person is bragging and arrogant, ofc they are
anyway i think we should stop and keep this chat on topic
The modules show you everything you need. If you don't like this way of learning, you may need to look for other options
then provide the feedback using the correct method, /feedback
As mentioned before @rustic sage, if you don't like it, provide /feedback and if you think there are errors in it, post in #1234357888114364508. Let's try to keep the rest of the chat clean for other users of Academy who might need help
thanks, at least there is some activity here and u educate me with new things
Am I the only one having connection issues with the Skill Assessment LAB on "Using CrackMapExec"?
Chisel connects to the server but the subnet 172.16.15.0/24 still can't be reached.. Obviously using proxychains
Hello guys! I am trying to install and enable SELinux on my Parrot Virtual Machine. When I set "permissive mode" in the config file and reboot, SELinux status is always "disabled". The config file is correct. Anyone have suggestions?
Need help, the broken authentication seems to have changed. I have done everything this chapter said to do this module for assessment, and I've done everything the people in the forum said to do, but I'm still stuck on it.
You can send me a dm
100%, thanks a lot. Really appreciate it
nmap not working for me, i dont know what i've done wrong
Im connected to the config and so on
try with -Pn
you can ignore logs
yeah ik, it'll do its thing
i wish i had GalaxyArts without an extra S, my old account had it but i just created a new htb account since i forgot about it
i deleted it but i cant seem to have it changed with the singular "S"
Hey guys im stuck here
with?
Module
I tried ReconSpider, gobuster and all but nothing
idk where to begin im stuck :p
both gobuster and reconspider will be helpful. You'll also need to add any domains you enumerate to /etc/hosts
what have you got so far?
yes already edited /etc/hosts
but idk, the gobuster to find the admin dir doesn't work and when i use ReconSpider my result file is empty
so what subdomains have you been able to enumerate so far?
just this one web1337.inlanefreight.htb:50558
okay nice, and what have you done since finding that one
just tried ReconSpider rn but 0 results
what other tools do you have at your disposal?
gobuster
yessir
yeah np, by adding the web1337 subdomain to vhosts you've essentially just uncovered another layer, just gotta keep going from there
okej so i find the robots.txt file
just need to try to go in the admin dir
yeah have a look and see what you can find
yes, you can go through the pivoting module with ligolo. I just did it a few days back. Connection refused suggests the system/port to which you're connecting is closed. What are you doing there; it looks like you're trying to run the agent on your attack system? I think you want to start with a proxy on your system and the agent on the pivot.
The ligolo quickstart had everything I needed to step through.
can i dm you?
Sure, I'm not at my primary deck but I can do what I can to answer questions.
okej found the api, just a little problem with the /'s ^^
but im pretty sure for the last 2 questions i need to use ReconSpider but idk i always receive an empty result.json
right, have you uncovered any other subdomains other than the web1337 one?
yeah I suggest trying that
then go ahead and spider anything else you find, I believe that should put you on the right track
omg thanks okej that was a trickkyyy one but love it
thanks for your help
But with that domain normally it already should have found the dev subdomain no? bcs with the appended domain it tries everything again when it finds another subdomain
Hi guys I meant to scan this website but it does not let me, is there something I'm doing wrong?
You need to specify the port in the port argument of nmap not include it alongside the IP address
Anyone available to help me with a practice exercise? (windows powershell)
ask your question, maybe i can
I will post the question and i will post what i did 1 sec
Question: What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? The flag is the name of the user account.
What I did so far:
$event = Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4625 }
run command, prints the list of entries and i can see visually a bunch of failed attempts, then i pick one from the list of the entries that fits the description in the question (in this case for example the 7th entry)
$event[7] | Format-List * | findstr "Name"
I can see the info, but when i put ACADEMY-ICL11$ the answer is wrong
on the broken authentication module brute forcing passwords i have unzipped the rockyou.txt file and used the cat command to show it's there, but when i use this command wc -l /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt it says no file or directory. What am i doing wrong? Please can anyone help?
The nibbles machine on the academy path, you have to pay to play it ?
ensure the .txt is on the path mentioned
I have done this and I am still getting the same thing
The path to SecLists is probably different in your distro
try crawling to the right path, maybe it's different
Sorry you have lost me KamalCh
when you cat the full path /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt
does it work ?
i have not tried that yet but I will see what happens
I get the same thing no file or directory
then chances are, like said above, your SecLists has a different path, so you can crawl into it slowly directory by directory to make sure you have the right one
Please can you give me a clue on how to do that ?
are you using the HTB virtual machine or are you doing it through VPN ?
I am using the HTB virtual machine
Maybe you should do this module first
https://academy.hackthebox.com/module/details/18
Ok thanks for the help
Here you will learn the fundamentals of Linux
yes, definitely you'll need to get used to Linux and its basics; for now you can google the 'find' command on Linux to find the SecLists directory on your machine
on the other hand, I'm giving a shot to the CPTS training, and in the Getting Started module they talk about the Nibbles machine and a walkthrough. Is there a voucher or something to get it? Or do I have to subscribe to the labs monthly too?
(I only have a sub to the academy for now)
Thank you both for the help
I figured it out, question got me confused, I had to SSH on the DC and do it from there
no worries man, I'm a noob too. I just happen to know a bit about Linux because I come from software engineering. Gotta help each other out
Would it be possible to give me a little hint on where to look so I know i am going in the right direction ?
The machine is in the path. If you have unlocked the corresponding module, you can play this machine in the module itself
You can use find https://man7.org/linux/man-pages/man1/find.1.html
if you're trying to use your SecLists wordlist, I'd say google these commands for now (ls, cd, find) in Linux, that's all you need to find your wordlist
that's what I have been using
Oh great!
I have also tried to see if i could make a new directory with the rockyou.txt
i have used the cat command to show the rockyou.txt is there
But honestly, these are things you really need to learn first before you get into hacking
@exotic copper when you run this what does it show ? find / -type d -name "SecLists" 2>/dev/null
it shows /usr/share/wordlists
good so that confirms two things 1- you have SecLists and 2- The path to it is /usr/share/wordlists
guys, I'm doing the Password Attacks hard lab. I got access using johanna's creds, found the kdbx file and cracked it, and got david's creds, but I can't do anything with them. Tried RDP with them and it didn't work, and I found an SMB server running so I tried to use them there, but no luck. Anyone got an idea?
yes I know this, I have looked into my files and they are all there
but when I try the path it tells me no such file or directory exists
do you see the difference between the path you were trying and the one showed by the find command ?
you will really have to do the linux fundamentals, I think it will unlock a lot for you
found a fix?
Hello, look more around smb
certbros showed brute force login and I can't find it in the actual website, does it have a different name or something?
my bad it worked i was copying the password wrong thanks
suppp
Hi, who knows how to do a real hack?
That's illegal
I know that too, but this person stole my money and won't give it back. I also have his ID.
I even went to the police and nothing was done.
That's why I'm so angry at that person.
Are you just teaching cybersecurity here or what?
We can't help you. As EverydaySparkling has already said, contact the police and your bank. There is nothing more you can do.
Can someone please give me a nudge on this: What is the API key in the hidden admin directory that you have discovered on the target system?
From: Info Gathering - Web Edition - Skills Assessment
So far I've tried:
||- ffuf
- gobuster
- finalrecon
- wfuzz
- scrapy with ReconSpider
- Read comments in the forum
All with trying to get subdomains and vhosts||
I'd appreciate some help 
I don't have bad intentions, I just want to prove to this idiot that what was done to me was wrong, like withdrawing money from a card.
You need to get knotted mate
We can not help you.
Okey bro
I want to learn something, what is the reason for this server It has 250 thousand members.
you need to use gobuster and fuzz inlanefreight.htb
Cheers, let me give it a go
let me know how you go
did none of the tools provided you with any information?
Not so much as to allow me to find any subdomain. But I'm now trying with gobuster fuzz as advised. Erroring out on this as well though tbh
can you show me the command that you are executing?
I am on the Broken Authentication module, brute forcing passwords. I have the rockyou.txt file and I have checked to see that it's there, but when I try to compile some passwords into a file it won't let me. What am I doing wrong? Also for the rockyou.txt it says file or directory does not exist. What am I doing wrong? I am getting really frustrated
my guess would be that you didn't make any edits in the /etc/hosts/ file
I am confused, what do I need to edit in the hosts file if I only want to make a new file?
not you, sorry. The guy above you.
If the error message says that the file does not exist, then the path is incorrect
But as I mentioned before, I recommend that you first familiarize yourself with the basics of Linux before studying other modules. Most modules require knowledge of Linux or Windows.
Ok, thank you
Mind if I DM you?
go ahead
Please can I DM you for some help ?
Hi, has anyone done the Blind SQL Injection module yet?
Currently 256 users have completed this module
Just thought I'd tell you I solved my problem, but thank you for your help and advice
Anyone able to give me some direction here? I'm on the Intro to Assembly module, nearly done on shellcoding tools and the lesson has us writing a short simple assembly code and converting it to shellcode with no null bytes. However, upon running my python script it errors out with "elf_assert(magic == b'\x7fELF', 'Magic number does not match'". I've googled around and can't seem to nail it down.
have you assembled the code into an elf executable?
You know what, I overlooked that, good call. I think it's time for a coffee break.
thanks @next bronze
Credentialed Enumeration - from Windows
what am i doing wrong? I'm using the neo4j: and provided password and it's not letting me in
:
I am trying to complete the "Windows Event Logs & Finding Evil" academy lab. When starting the RDP connection I am able to connect initially, but then it disconnects and I am not able to connect again. I have tried both the VPN and the pwnbox. Initially I was having an issue with the "allow connection from other PCs on the local network" prompt, but I realized I just needed to click "yes". I am still having connection issues, however. I am able to connect for around 30 seconds and then I lose connection and am not able to connect back to the machine.
It's given as user:pass
yes
that's why I didn't say anything
Text wrapping pushed the password part to the next line
did the whole answer work?
still doesn't work, i downloaded the zipfile to my pwnbox, do i need to be using bloodhound from the windows machine?
Dude
So you used neo4j as the user yeah?
yes
Ohhhh you're on the pwnbox
yes
It's likely able to be figured out through context
Do ... do we need to get you an eye doctor appointment (joking)
Read and follow #welcome
I can't find my acc identifier
It's on the app.hackthebox.com website not academy
screen shot?
Can't share screenshots, he's not linked
Account identifier can be found here: https://app.hackthebox.com/profile/settings
Come on, I don't want to download an app
It's not downloading an app
Lol
That's just the subdomain
https://app.hackthebox.com is the main labs site
Linking in settings does nothing
You gotta actually do /verify or /identify in #bot-commands
For eventual implementation
/verify will have the bot dm you to handle the process in private to prevent leaking your identifier
Now the bot isn't even working well in the DMs
reinstall discord
I just iden. like a minute ago.
If I uninstall this garbage platform I will not install it again. And I don't think this is the fault of Discord, because the /identify cmd works in #bot-commands but not in the DMs
Then do the command in #bot-commands or dm a mod like @storm elk to help sort it out
Change vpn regions
I guess I should just download linux on wsl2 and learn the basics myself instead of playing these petty games with a broken bot
it will take time
don't do anything
try refresh the page
it will eventually be there.
I can do this by just changing the pwnbox location, right? I've done that but it's still spinning
Like 20 minutes
did you refresh the page?
Not pwnbox location
Pwnbox location and vpn region are completely separate
You will need to respawn your pwnbox to connect to the changed vpn
Even still sometimes it's still stuck
I've changed it to different regions, but it's stuck still. Am I doing it wrong?
yes, that's a problem
Also protip is you can change regions then switch back once it gets back to the spawn target button
That's pwnbox, not vpn
Vpn regions are generally [us|eu]-academy-[1-6]
Not sure about enterprise differences though
I'm on HTB enterprise.
Any way to force restart a target? My target has been spawning for about 20 mins
did you refresh the page?
multiple times
Reach out to support or do the above troubleshooting of changing vpn regions until it triggers it to say "Click here to spawn target!"
or tried to start the module again
prob gonna reach out to supp then, ive tried changing regions and exited module etc
Maybe HTB servers are messed up rn if multiple people are having the issue.
this may be it
Exiting the module doesn't do much tbh
rip guess ill read next module aha
As the request is being sent to the backend
Like you can start it on one device open the page on another and you'll see the same thing :p
https://status.hackthebox.com/ Doesn't show any issues here yet @astral steppe
odd then, not been able to pass thru 2 diff modules bc stuck on spawning unfortunately
The status page isn't always accurate
I demand free cubes
If enough people go to support with the same issue then they can raise it
You can demand a free lambo, doesn't mean you'll get it
Hello to everyone,
for the last 2 weeks I have been having problems connecting to some Windows machines in the labs through RDP.
This happens only with some modules; once I change module or submodule I have no problems connecting.
In particular I have huge problems connecting in the "Trust Attacks" module. So for 2 weeks now I cannot finish not only the assessment but the submodules included.
Once i change module or something i have no problems
Any clues?
[14:17:19:708] [158024:158025] [WARN][com.freerdp.crypto] - CN = SQL01.inlanefreight.ad
[14:17:23:724] [158024:158025] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[14:17:23:724] [158024:158025] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[14:17:23:724] [158024:158025] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[14:17:23:724] [158024:158025] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
Logon failure is the main thing meaning something about the credentials is incorrect
Can you log in with other tools?
credentials are correct, this happens to me only to some trust attacks labs
no
it works for like 20 seconds every time I reset, and then stops working
Can you log in with other accounts from the module?
¯\_(ツ)_/¯
I'd raise the issue to support then
using TCP or UDP?
tried both, multiple VPNs also
kk, thank you
It would be valuable to add on the page some info about "/etc/bash_completion.d" and how the payload is actually executed, or at least a link to blog posts where it's described in more detail. I think one step of explanation is missing.
I don't recall anything about /etc/bash_completion.d
You probably did something slightly different to me
@sturdy ingot @astral steppe what vpn regions are you on/tried
Infra team are looking in to a potential issue. Please stand by.
fine now; was on uk at first then us east then back to uk
Web Attacks - Skills Assessment
Try to escalate your privileges and exploit different vulnerabilities to read the flag at '/flag.php'.
I can't find any parameter in the website, but I found user id and uid, then I listed users, but still I can't find anything
Was it just the one issue with academy @fathom pendant ?
Looks like it
(re starting instances)
But that infinite spawn thing has been a thorn for a while tbh it comes and goes when it pleases
Usually though only one or two people not a bunch
?
..
We're talking about something unrelated to your question
ah sorry
You'll need to combine all the techniques perhaps something about the reset password
You will definitely use all techniques taught to an extent from the module
Also grep -i can be helpful for finding things where you may not be sure of how it's capitalized
Hint: The thing you need is in front of you, but you have to pay attention to the details of the website
thanks I will try
Glad to join this great group
Module: AD Enumeration & Attacks - Skills Assessment Part I
Section: Skills Assessment Part I
Question: Submit the contents of the flag.txt file on the Administrator desktop on MS01
My Approach so far-
I initially tried to use chisel but I was unable to transfer the file, so I am using netsh.exe right now to pivot. But I am making some mistake and cannot figure it out.
I have attached some screenshots, please help me understand what is wrong here
Hello everyone, I'm new to this. Trying to sign up for a student account; has anyone gone through the Domainless Student process? If so, how did it go and how long did the process take? Thank you. Feel free to DM me.
That's not how the socks proxy works
I've only tried this one I believe:
I finally got a new "Spawn Target" button, so keeping my fingers crossed that it works this time
I'm stuck on module 18 section 81 trying to use the find command to answer the question "What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?" but I have been typing find -type f -name "*.config" -user root -size -25k -newermt 2020-03-03 -exec ls -al {} \; 2>/dev/null in the terminal and nothing shows up
Am I formatting the command wrong?
Are you connected to the target via ssh?
yes
And you're running that command from the ssh session
And doing whoami should say "htb-student"
can you tell me what is wrong?
yes
I suggest revisiting the pivoting module. I personally used the ligolo-ng tool instead of chisel
whoami says "htb-student"
Does anyone know if HTB Enterprise allows you to change the VPN at all? I only see this 1 server:
-size -25k << is size less than 25k
Reach out to support for your case
oh ok
- is for less than, + is for greater than
Yeah I've already reached out to support, but my question still stands.
If you want a range you need -size +[min] -size -[max]
Just curious if there is another VPN or if my company gets allocated a single dedicated server.
That's a question generally only support knows since a majority of people here aren't EP users
So troubleshooting and help is gonna just overall be different
You can maybe ask in #1024429874246590575
See if other EP users know, and your Q doesn't get drowned out
I logged in as Administrator in this web app but nothing changed
The administrator has a new button/feature the regular user doesn't
there is no new button
I tried typing the command using -size +25k -size -28k and there is still nothing showing up
that is what the question is telling me
what is a typical linux config file extension
Most times people shorten the word "configuration" to "config"
sorry for the trouble
Yeah
I'm guessing he searched in the current dir instead of root
find <directory to recurse from> [rest of options]
I'm sure there is no change, I checked a lot
Perhaps events
There's something on the admin home page that isn't available on the users
I opened 2 windows
1 user
2 administrator
but there are the same
They shouldn't be
Look for a schedule
I'm trying to push you to it
But I can only push so far until you're off the cliff into the ravine
Hello everyone,
Quick question regarding the Pivot and Tunnelling module.
In the skills assessment, after the second pivot, both flags (in C:/ and on the DC disk) are accessible from the same account once you RDP into the host. Is that normal, or is that something that should have been cleaned up at reset? I was expecting one more step to get DC access. But all it took was a click on that volume...
Do I need to change the admin password?
I mean yeah to log in as admin
I thought you did that already
This is intentional
Oh?
I checked a walkthrough after I was done, and the guy was importing data into bloodhound etc... going full AD pentest and I was like "right click was enough..."
That's where I got confused haha
That walkthrough is against tos btw
Since pivoting isn't a tier 0 module iirc
Oh, didn't even know that wasn't allowed to write walkthrough for non-tier 0 modules
Well, all it did was confuse me that time
Because he overcomplicated it
You can report stuff like that btw with /spoiler command
Alright thanks a lot for the swift answer!
Hey, I changed my file transfer method and it worked, so I still used chisel for pivoting. Thanks for the help
But I still want to know what was wrong with my netsh proxy setup
I couldn't double pivot with ligolo, somehow the agent was getting connection refused...
Ended up using netsh for the second pivot
understood, i was just stubborn to get chisel to work
You gotta set it up properly
listener_add --addr [victim]:port --to [you]:11601
Yeah I assumed I did a mistake somewhere, first I was using port < 1000 which was taking admin permissions I didn't have.
Then re-did the whole thing and still got stuck -.-
To get the second one on
And you need to make sure to start the session and tunnel
I closed everything after using netsh and solving the problem, so I can't show you the conf
I need to get used to discord still haha. I'm used to doing things by myself.
New ligolo even lets you make new interfaces on the fly
Yeah that's pretty neat, same for the routes
Super user friendly
With ligolo the tunnel interface means you don't have to forward to specific ports and can directly interact with the network tunneled to
Still need help? @last sorrel
Discord sneezed
I'm in the Using CrackMapExec module trying to answer the question in the MSSQL enumeration and attacks section. I found the flag in the DB but it's not accepting my answer
It did haha
Oof
I think it has brainrot
Don't spam tag me
Killed it and all good
Sorry, my Discord froze…
It was discord resending messages
Looks like they got linked though
But I'll take that as a no
@storm elk
Is PlsqlExclusionList a config file for Oracle TNS? It's unclear to me whether it also falls under that category or if its a different thing. My searches indicate that it's used for Oracle SQL Developer as opposed to Oracle TNS, but I'm not sure if they're the same thing.
I've been working through the Footprinting Medium Lab, and when I enumerate the NFS share (TechSupport) I get 'TechSupport': Permission denied. Any idea?
Enumerate using sudo
It's one of the weird things about it
I'm assuming as well you used -o nolock when mounting as well
when you have LFI in windows machine - which file will you likely target the most
You mean like a world readable file?
yes
it works, I thought the Permission denied was because I don't have creds
On your own machine?
Careful with spoilers
i can access C:\xampp\mysql\bin\my.ini but can't find any useful thing like creds
@shut raft Your post contained a flag, be mindful of that when asking for help
What module?
If it's not an academy module you'll need to ask in a diff channel
ohhh that was for me huh
And you
I tried to enter that flag without the b and quotation marks but it's not working
Someone else also posted a question with a flag
What module are you doing?
Using crackmapexec
im in the section for MSSQL enumeration and attacks
I haven't done this module but always be careful with sharing the commands/output for modules above tier 0 especially
Especially if it contains a flag
noted! I thought since I hid the screenshot it was okay but I know now, thank you
Using the spoiler tag for screenshots and images does nothing
As anyone can still click it
Hi friends, I'm in the last step in the using web proxies module, I can't answer the third riddle, what is the flag, 88 characters, I'd appreciate your help
Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
Help please, I think something is wrong with my target. Reset the target twice and still, every time I nmap the new IP, nothing:
After decoding you need to use intruder with the alphanum list and the Decoded 31 character hash as the prefix. Then re-encode in the reverse order you decode
Also make sure to untick the "encode special characters" button at the bottom
What module?
And section?
Did you try resetting the pwnbox
Getting started - Nibbles - Initial Foothold
Did you change vpn regions while the pwnbox was running?
yes, did a reset on both. I don't have my setup to use VPN so I'm using the pwnbox for this one
nope, still always the same region. I thought there was maybe a trick to it, but if it's really just setup, I'll try it out later when I get home with a VPN connection instead of the pwnbox
Us academy 3 spawned fine for me
¯\_(ツ)_/¯
how can i use that black something to censor my text
I was using US academy 2, humm maybe just a one off
use /spoiler
Spoiler text does nothing you'd still need to redact
There's a custom command in the server for spoiler
yup pretty cool!
That you give a link to a website/video that's spoiling content
It's not for redacting text
Either way
||pretty neat to have it in the server tbh||
The best way to redact/spoiler your message is to shorten things as much as possible like user *x
||gdrghndkrghkgz||
That command is baseline
The manual way btw is ||text||
But again the spoiler text doesn't do shit
As anyone can click on it
Redacting is generally better
Like user t* or flag HTB{ab..90}
alright
what's the redact command ?
It allows those that have done the module to know what step/place you're on without fully spoiling
There is none
Redacting is a manual thing
ahh misunderstanding then x)
Redact means to remove potentially sensitive info
Consider anything that you need to discover in a module as a spoiler if you ask for help
Such as usernames, passwords, techniques, payloads
btw @fathom pendant have you had a stab at the cpts cert ?
was gonna ask you how long did it take to finish the pen testing path
Overall time spent ~4 months
Actual time closer to a year due to unfortunate life circumstances
One of those circumstances left me without internet for a bit
hope nothing too bad
that's unfortunate, glad you got back on your feet and also got back that internet, mainly thanks to it you're able to help us out too :p
I was still helping without internet, just mobile data
And I was not about to do academy via tethering
While possible, it would be painful
oh wow you're awesome
I kept good notes ¯\_(ツ)_/¯
speaking of which does the path fully prepare you for the cert test ?
From what the dozens of people have said, yes
The exam doesn't stray from the course
that's very good news
so good note taking and prepping will def help
guess you'll have a good time at the exam
hello guys, I am stuck in the Password Attacks module, exactly in the PTH section: "Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt." I did get all hashes including david's, and did the PTH attack, but when I try to list the share folder \dc01\david I get permission denied. Any hints?
Broken Authentication Skills Assessment
I realised that brute forcing the OTP is a rabbit hole. What do I actually look for here? Could anyone please give me a hint?
The module shows you many possibilities, except bruteforce. Try it with one of those
I've been sitting on looking for other ways since long time could you give an hint please?
hey guys, I'm doing the vulnerability assessment rn. Do you guys use Nessus a lot or not? I never heard about it
If you can't bruteforce OTP, maybe you can bypass it
It's mostly an Enterprise oriented tool; but automated tools only go so far you'd still need to manually verify
from what i've heard others say those tools are best used if you've run out of ideas
yeah, that's what I thought, so doing pentesting it's always better to use your own knowledge and tools?
I'd suggest you spin up OpenVAS if you want to do a vuln scan for free, since it's open source and free, instead of Nessus. Also it's just a scan, so you still need to take a stab at it manually, but just to practice using it OpenVAS is plenty good
generally you'll have a better idea of what to test by evaluating a target manually
vuln scan tools generally get better in places where there may be > 10 hosts internally to scan
Footprinting Lab - Medium
any hint for what database or anything that can help someone who hasn't used an SQL interface in their whole life?
sometimes a service may be running internally and not exposed externally
also he could have used it via the GUI not via Commandline
so clear
did you discover the important file?
i mean the SQL section did discuss the MSSQL Studio
yup i login in
so now just click and look around for a non-standard database
once you find the table, you can right-click and find what you're looking for
did not work isn't an error
as i said though a service can be running but not be exposed to the outside
hey guys who already did this?
I solved the lab But I'm still confused about what is happening
according to badge stats 14,072
it's literally utilizing the existing scan to run queries against
just gotta connect to https://[target_ip]:8834
lol NSFW content immediately taken down from content hosted in HTB
no
potential spoiler was taken down
:P
also there was nothing nsfw about it it's just about ms exchange
which is microsoft's mail server stuff
wow, I really thought that was something else entirely
you should delete that as it spoils the skill assessment
I mean, put it in the hidden quotes
has anyone done the Injection Attacks assessment? I'm some way through it and think I know the path, but it's going to take some effort. Just wanting to confirm I'm on the right path before investing the time
Hi, why isn't this working? I'm in SQLMap Essentials, Bypassing Web Application Protections: sqlmap -u http://ip:port/case8.php --data="id=meme&t0ken=sl49lFNxPH2KtsrJ2ZdKr38NbNManBaNOnsDhpQbw" --csrf-token="t0ken" --batch --level 2 --risk 2
module/58/section/530
I was able to do it via the Burp browser. Didn't try a regular browser, I just sent the request to the browser it opened, np.
sorry, I already solved it, I forgot --dump
hey guys, https://academy.hackthebox.com/module/158/section/1441
In previous pentests against Inlanefreight, we have seen that they have a bad habit of utilizing accounts with services in a way that exposes the users credentials and the network as a whole. What user is vulnerable?
After being stuck on this for some time, I took the hint and proceeded. How do I transfer the file from the target host to my machine? I tried the file transfer methods via the proxychains wrapper, but from the target it's unable to reach my machine's IP.
In previous sections I used copy & paste from the GUI to the pwn machine (Parrot from HTB) and it worked, but now from my personal machine it's not copying. Strangely, I can copy from my machine to RDP but not vice versa.
any hint/suggestion on how to transfer a file from RDP to my machine?
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[6]+ Stopped sqlmap http://ip:port/case9.php?id=hp
bash: Y: command not found
wtf, literally I can't answer Y or n because of command not found
I literally did it yesterday.
I downloaded the file through meterpreter
I also struggled with that part, I couldn't copy paste, and the SMB share way was very convoluted and confusing to me (as I was using a ligolo/netsh mix).
So the meterpreter way ended up working well
Another day
okay, let me try meterpreter way, thanks
No prob, let me know if you succeed
no portfwd command on msf6?
Hmmm I don't know, I already had all my tunnels in place, so I only used the multi handler and spawned a reverse shell on the pivot
But there should be a portfwd
Yup doc is saying it exists
[-] Unknown command: portfwd. Run the help command for more details.
msf6 > help portfwd
[-] No such command
meterpreter > portfwd add -l 3389 -p 3389 -r [target host]
Aaaaah that's after you get your meterpreter session then...
Not super familiar with this tbh
upgrading ... msfconsole
didn't see the target machine time out. Okay, I am out, will give it a try later today. Thanks buddy
Hahahaha the same happened to me
Next time I tried, I just extended the machine by 4h when I spawned it
Good luck!
yep
ask
cheers, sent ya a dm
Working on the Whitebox Attacks - type juggling authentication bypass and could use a nudge. DM would be appreciated
I'm looking to buy the HTB CPTS and was wondering if I could get an annual student plan instead of a monthly plan?
there is no annual plan for students @plain folio
Is that something that could be set up if I contact support maybe? It's because my company is going to fund it and it's easier to claim back for annual subscriptions
but with the monthly plan you can access all tier 2 modules
The only way to find out is if you ask support directly. https://help.hackthebox.com/en/articles/7973133-getting-the-student-subscription
I'll give them a try. Thanks
Hi folks. Can anyone help with Introduction to Windows Evasion Techniques > Static Analysis? I've followed the steps to create the exe and tested that it works on the DEV box. But after transferring it to the target and putting it in the target folder, the log.txt said it passed the check, but I've waited and waited and the flag.txt file is not created.
Pivoting, Tunneling, and Port Forwarding
ICMP Tunneling with SOCKS
$ sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22 &
Segmentation fault (core dumped)
Why would ptunnel-ng ever be throwing SIGSEGV here? Remote server works fine; it's the client on my local machine (again, running Arch-based Garuda Linux with all the BlackArch tooling installed on top of it) that's doing this.
by testing that it works did you actually receive a shell?
Yes. That's what i meant
do you have a port forward setup or something?
No. I did it on the pwnbox
right but the dev box can't reach the pwnbox can it?
