#modules

not that i can think of, i know that burp has a encoder/decoder tab in the gui. i dont use zap

@shut vapor do you need zap to take a list of params and encode it then issue reqs? (or similar?) if so encode the list before your load it into zap

Typically they're explained with hands-on exercises

I'm fuzzing a value, but then encoding it several times the last of which is to hex so pre-encoding won't work in my case. I mean, I could do it all in python but I was trying to do the exercise in zap/burp since that's what the module's about.

or whatever, cobbled together bash probably would be quick& dirty

Have you done this module already?

I think there is a full command-line version of ZAP, but with community scripts, under pre-processors you should be able to encode everything like you want and fuzz. I did the module very recently so I remember it well enough

yea that's it. I found the to-hex.js

just had trouble figuring out how to use it

no kidding? didnt know that. maybe zap MIGHT be worth using afterall.

@shut vapor i would suggest not getting TOO attached to zap, nobody uses it in real world. i did all the zap modules with burp in the sections ive encountered it

Yes well, click on the add-on button, add the community scripts, then go to the scripts tab and enable the to-hex.js and you should be able to choose it in the encode window

Good part of the day guys! Right now i'm stuck in Module (Login Brute Forcing) UPDATED, NEW, Skills Assessment Part 1. What is the password for the basic auth login? -> the task is easy to do it, just brute force it using hydra with passwords and usernames lists. I've done several lists from SecLists but neither of them are not working. Can somebody help with it? Maybe because of being updated module everything is not working or i'm dumb))

The username and password lists are given in the intro, these are the ones you need to use.

I'm pretty new to web proxies, but since ZAP is non-proprietary I thought it was better than Burp

have you done this module?

yessir

ok, will try again

Just use the provided wordlists, it's very straightforward if you use them with hydra

This is not the place @sterile fiber

We are not hacker for hire.

need help for this

i found the function but its not being accepted idk if im making a mistake with the format

OH nvm got it, its from the table on the section

Big thanks, it worked, my command wasn't actually right

No, I'm just stating how htb modules are typically laid out

Can some one help me with the last question in skills assesment for information gathering web edition i cant seem to get the api key i used reconspider and pulled a dev website but in json file i dont get anything

Subdomains of subdomains

I got all that subdomains at last i try to get the api key from that webpage

But i get a json file when i cat it it has nothing its supposed to have some information

i think you're supposed to make the request to the json file using the approprite http method

link the section? i may have done this one

https://academy.hackthebox.com/module/144/section/1311

Its the skill assesment section

ok i was incorrect no special method, that i can see is needed to get the key, you want to DM me your request and output?

Of information gatheridng web eddition

Anyone able to help me out? I'm on the sliver C2 module - trying to maintain persistence, followed the same commands (At assumed breach portion) - when I try to download the string using powershell against 10.x.x.x:8088/staged.txt - I'm getting a 404 & therefore no other session is being generated, I've got a HTTP listener on 8088:

http -L 10.x.x.x -l 8088 --website delivery

Can someone help me with a sanity check on: https://academy.hackthebox.com/module/234/section/2515

SOC Path -> Yara -> Hunting ETW/Yara

The walk thru does several yara scans on running processes but when I do them im getting errors about the yara rule files not meeting syntax requirements

bro, can you give a hint where should i find username for ftp, there are a lot of .txt files in ssh tunnel?

Once connected via ssh to the target you'll find that you have a bunch of files and folders, one of them is username-anarchy. That coupled with another text file should help you find the username.

module is done, thank you a lot

Hello! In Lateral Movement section of 'Attacking Enterprise Networks' module, how would I RDP into ms01 on 172.16.8.50 with user ilfserveradm? Evil-winrm works with other user and xfreerdp but not for this one that I need.

can somone explain how this FFUF command would not pick up vhosts ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/

or subdomains

iots the one fdirectly from the module

You wrote "fuzz" instead of "FUZZ". Generally, case is important in the command line.

same thing happens with capitols

ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefrieght.com/

it rmeoves caps when i past it here wierdly

this time you mispelled the domain.

ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/

mistype when putting it here, am i missing a flag or am i missing something that you should do when fuzzing?

cause this is the exact same thing taught in the modules but it misses subdomains

The command looks good to me

yeh same here, it picks them up if they ar ein /etc/hosts already but how can you know what they are without putting fuzzing first lol

You don't need to add anything to /etc/hosts for this exercise. inlanefreight.com is a publicly registered domain.

i know this is for my own project

was hoping somone might know how this command could possibly miss a subdomain

I'm no expert but if the subdomain in question is not in the wordlist then it's going to miss it for sure.

its in th wordlist

I just tried with that command and indeed it didn't find the subdomain

ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb'

same goes even with that

is it just me or is ffuf with the pwnbox unbelievably slow

i cannot chat in general. why?

does ANYONE know how to stop this

im dying here

Ctrl+C doesnt work?

not the problem, i probably shouldve been a little more specific lmao

but its posting every result every tick

and i have no idea how to stop it from doing that

also, 2 requests a second for whatever reason

Make the terminal full screen

This is just a weird scaling issue with ffuf

odd how that fixes it lmao

but im still at 2 requests a second, i dont know why

Likely your isp or router limiting traffic

If you use nat networking in vm it should be marginally better

thats sounding a little alien to me

why would my isp or router limit the traffic? it wasnt giving me this problem before

still trying to get help on this

found the issue, HTB timed out my target IP and just turned it off and i didnt realize lmao

Lollll

Do it blind

Figure out if the user is for the host you're trying to connect to

But working through the problem better preps you for the exam

yeah I get it but I've been stuck here for 2 days and can't solve the issue by myself and would really love to move on

Make sure your routes are all set up properly

Can someone explain how this is supposed to be performed? Is the intention that I copy a Base64 econded string manually into a Windows host?

yes

it only works well for small files tho iirc

"This content" would imply something you've just done or what's being explained by the module section

🤬

https://discord.com/channels/473760315293696010/588029217376043023 = 🚫 ???

🤦‍♂️ !!

@midnight galleon

gain access -> verify your account -> #welcome

🤡 🤦‍♂️ 📵 🙄!?

🙅‍♂️ 🎆

please keep conversations in English

ok alright um acoustic oh ah yes yes, will do, pffft cant verify, owwwwww

😭

⁉️⁉️🔜➡️➡️➡️ #welcome 🤓🤓🤓🤓🤓 ➡️➡️ 🔜 #general 🗣️🗣️🗣️🔥

can someone help me with the login brute forcing web services module, when I try to login to ssh its asking for a fingerprint and giving me access denied

nevermind i was using the wrong port

hello im currently on the webrequest page two ive tried $ GET 83.136.255.36:35306

$ curl GET 83.136.255.36:35306 http//1.1

and $ curl 83.136.255.36:35306 http//1.1

im extreamly new so im not sure what im doing wrong

Hey im new on on hackthebox if someone can help me with what modules are the best as a beginner in cybersecurity

Start with the fundamentals if you're learning something from them. Linux, Window, basic shell stuff, etc.

i agree with quolt

I don't know what module you're on and I probably haven't completed it, but usually you put the http:// in front of the IP address:

curl get http://83.136.255.35:35306

oh that may be it then

one second

no it didnt work

curl: (6) Could not resolve host: get
<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Blank Page</title>
</head>

<body>
This page is intentionally left blank.
<br>
Using cURL should be enough.
</body>

thats what it sent back

what module & section are you on. I might be able to have more insight knowing what you're looking at.

thank you

the module is web requests

http requests and responses

did you copy-paste my example above because I made a typo.

no i typed it in

cause get shoudlve beenGET

nvm

i justed typed it

These results show that you're making a connection to the server and pulling it's content so you're half way there. I'm assuming I know what question you're working on, but do you understand what it's asking for? What question are you trying to answer?

btw, if you wrap command line stuff in 3 backticks (e.g. ``` stuff ```) it blockcodes it so it looks nice.

not really i dont know much of whats going on

this is the question:Send a GET request to the above server, and read the response headers to find the version of Apache running on the server, then submit it as the answer. (answer format: X.Y.ZZ)

Ok, well, then ask a question.

i dont know what its tring to tell me though

Formulate a question to convey what it is you want to understand.

ive never been good at that

ill try

it's a thing you can learn to do

you can DM me if you'd prefer, less noise in the main channel that way

Plenty of links in my profile to different resources on question forming

I’ll keep that in mind

does anyone know the key bind for network tools on mac?

im trying what it tells me but its not working

or how to get to network tools

mac sux

ik ik

its all i have atm

I have to have the dev tools to get past this module

Command key == ctrl on macs afaik

anyone able too help get an email asap? it’s urgent any help appreciated 🙏

No

fuck some guys made an acc bout my dead mate and we tryna find who it is

It said crl shift I

That's illegal, see #rules

okay mb

Even if what they're doing is fucked, what you're requesting is still illegal

I understand what "this content" is referring to - it's a base64 encoded string. When they say "copy this content and paste it into a Windows PowerShell terminal" it seems like there's a way to do so WITHOUT manually typing all 64 characters into the Windows machine, and my question is how do I do that.

Yes, but how do I copy+paste from a Linux environment to a Windows environment?

Ctrl+shift+c in linux terminal, ctrl+v in windows powrrshell

Literally just highlight, copy, paste

Any help on how to solve this error?

mimikatz # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

do you have admin privs or seDebugPrivilege?

no

Then you're not gonna be able to privilege::debug

can someone help me with Intro to C2 Operations with Sliver -> Skills Assessment-> Q3 Escalate your privileges and submit the contents of the flag.txt file on the Administrator's desktop on the domain controller I caont find the way to DC I use the user f... and after that I can get any other access to DC

look around user directories

thanks

How do I switch cmd to run as admin locally and not on domain. I tried .\usrrname but it didnt work

wym? send a pic in dm

You can hold shift and right click on the powershell/cmd executable or shortcut then choose run as another user and enter the local creds. i never had to do this for any module though so not sure what you're actually trying to do.

Gotcha, thank you! I was doing last module and was stuck on Lateral movement cuz my pwn.bat didn’t work but Tlattice helped me out with different method.

lets say i am on a low privilege user and i manage to find the creds for root. however, i am not able to log into root user as the system has PermitRootLogin prohibit-password. How can i priv escalate?

generate an ssh key for root

if you can ssh to the box and root has ssh privs

if you're out of ideas thats a good first step

if you're on windows, you might try connecting to a dc and doing a runas, or something with winrm

or just a plain dc login as domain admin

oh i could have just ran su on the low priv user haha

thanks

cool cool

Linux Fundamentals / Filter Contents
I've just learnt how to work with files and filter their contents, how am I supposed to know all of this?! I don't even understand what second and third questions mean

good luck with that last question

Have there been any reports of DC01 not responding in the last question of the Pass The Hash module? I have been trying all day, finally reading and running the commands as listed in the solution - no connection to nc.

Do i need to go through a whole different cybersecurity course to answer these 3 questions or something?

second question can be answered with a command you've been introduced to already

I dont even know what ProFTPd means

not necessary to know what it means

oh ok makes sense

But i'm not gonna start PWNBox knowing only one question

you can use your vm if you have one

Do i just download VPN connection file to VM (Even though i dont even know how to exchange files between host and guest) and execute it?

you can always just google how to share files between host and guest

and yea you'd have to download the VPN file and run openvpn with it

Wait i can just drag and drop the files onto machine lol. Ok, good, i'll try it

Where can i find resources of footprinting module. I'm not able to find footprinting-wordlist for SMTP user enumeration

in the upper right part of the page, above the table of contents

You can always log in to HTB in your vm

Thanks @cloud urchin

Somehow when I press hint no hint appears i don't know why

anyone able to help me with this? #modules message

What is the one place for all equivalent to kali for windows tools ? ( Not the OS part rather than having all the tools at hand )

... currently copying all the tools provided at windows modules to my machine for future usage

how to do monitor the NodeJS Debug Console to view console log?

module : secure coding 101 , is the variable name in the module is the actual value of those encrypted strings or is it for only to tech about the modules , like testcase and _0x2b2171

Module: Windows Privilege Escalation
Section: Interacting with Users
Link to section: https://academy.hackthebox.com/module/67/section/630

The subsection on "SCF on a File Share" states the following:

A Shell Command File (SCF) is used by Windows Explorer to ... <SNIP> ... If we change the IconFile to an SMB server

I don't understand the explanation 😅

Especially this sentence:

An SCF file can be manipulated...

If I'm understanding this right, an scf file is just placed in a directory/file share frequently accessed, so when it is accessed, the scf file is automatically executed and makes a request to our smb server (responder) and captures the NTLM hash?

So an .ico file doesn't need to actually exist on our attack host since we're using responder?

Hi, Module: Active Directory Enumeration & Attacks
Section: AD Enumeration & Attacks - Skills Assessment Part II
Question: Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.
I've the ||CT059|| credentials and the Admin access on MS01, but once I use the command: ||Get-DomainGroupMember -Identity 'Domain Admins'|| on MS01 it gives me this error: ||Warning: [Get-DomainGroupMember] Error searching for group with identity 'Domain Admins': Exception calling "FindOne" with "0" argument(s): "The specified domain either does not exist or could not be contacted."||

What I'm missing?

yes, as soon as the victim reaches out to your host via SMB you'll capture the hash.

Where are you hanged and what walkthrough are you using?

im super hype after an hour and a half of reading about windows privesc from the module and miserably draining my life away trying to figure out how to use the windscribe attack, only to find out all you had to do was set the right payload for the meterpreter session, I finally got it to work and got system ^^

yesh!

made a note to myself in bold lettering with 24 sized font.

I think it's pretty cool that you can use pipes as an attack vector for privesc on windows.

Module: Windows Privilege Escalation
Section: Interacting with Users
Link to section: https://academy.hackthebox.com/module/67/section/630

Having trouble with the question at the end of the section. Not sure which share they're referring to in the hint. Would appreciate a nudge.

look thru the SFC on File Share portion of the notes, its almost identical

not too sure if they modified the chapter cus i did it quite sometime back, my own notes seemed to be simiar to that^

Prolly modified it then cuz a directory/share isn't mentioned. Thanks anyways tho.

let me try it again hehe ill update u

Thanks! I'll keep trying as well in the meanwhile.

okay i understand the hint now haha. look for a shared folder that you in a windows server have access to, that other users with similar roles has access to as well

lmk how that goes

What are you trying to do specifically?

Via WSUS? That SA will have you to think outside the box in order to obtain the flags

Got another nudge? I've got nothing 🫠

And it is pretty much structured as to pivot from one Host to another

ill dm u

Ok

Oh sorry
From the section’s steps it should be pretty much it

You are getting no results or are you getting some kind of error?

@dapper moth you are majestic Sir.

Imma check my notes in a bit

Going through the modules in the "Penetration Tester" job path and I'm at "File Transfers" which heavily deals with PowerShell. Except none of the previous modules have exaplined what PowerShell exactly is (I know what it is generally, I'm wondering if I missed something in previous modules or are people supposed to blindly fill in the gaps)

No, you didn't miss anything. I can't find a "PowerShell" fundamental HTB module like there is for bash unless it's under the Windows fundamentals. PS is, of course, a shell but consider it's somewhere between a shell and a programming language that can leverage .NET. It's object based. Someone linked the following YT video when I was griping about how much I dislike PS and it helped me "get" the concept that's very different from bash.:
https://www.youtube.com/watch?v=UVUd9_k9C6A

Crank the speed up to 2x and zip through things if you're reasonably well versed in bash / cmd.exe already.

Just checked here and pulled it with the same commands as the section. You gotta approve the update in the 'Update Services' console

There was some kind of error that SharpWSUS wasn't able to get if the update had been installed or not, always returning that it didn't but in the console said it did

Anyone can help me for node debug monitor?

Anyone has the Secure Coding 101 for JavaScript? There is one thing I don’t quite get. I wanna purchase it cause I think is a windows based Java script ( not javascript ) tutorial for obfuscation and deob, but windows based. Am I right?

javascript is platform agnostic and mostly used on the web, are you talking about the lab environment?

search the channel, i havent done this module but ive heard it brought up here in the past (somewhat recently even) there might be some clues left behind

oh so it’s a web based module?

I was looking forward for a java script module for payload development

@quiet trout I have search the chanel, did not find anything about this

Oh i see what you're saying im not sure about that. i dont think payload dev is involved i think its for secure coding technique, not javascript malware development

input sanitization, perhaps type safety, etc. etc.

oh i see, were you the one having the trouble with the console.log(...) stuff from yesterday?

that being said you're gonna wanna check with someone who has done the module for a better idea

Seems like it’s malware based huh

@quiet trout yes I am. I like to know how to view console.log in node debug monitor

Im a little bit confused by the xsstrike tool - there are alot of positive results but if im testing them they all fail

could it be that theyre all false positive?

i dont know the context here but the little dev work i've done with nodejs express would lead me to believe you start up the debugger, connect to your address in the browser, then open the developer console and issue your cmds there?

false positives

if you're sure you're using them correctly, false positives

none of them get executed -- just embedded within " "

maybe the tool is outdated?

are you able to break out of the html/scripting context and get a payload like <img src=x onerror=alert()> ?

manually?

and can you show us the requests you're trying them with?

just to make sure you dont have any syntax issues?

everything gets encapsulated within ""

yeah thats the "game" defeating the context

there's a sanitization occuring encapsulating them in the quotes, you need to "break out" of it

@quiet trout the context is this: #modules message

"> <img src=x onerror=alert("wtflol")><!--

tried alot but all not working - alot also from paylaod all the things

are you entering the console.log(..) in the browser dev tools console?

i was referring to the broader context of the lab, im attempting to offer some suggestions without being familiar with the lab, since no one else whos done it is curently active

I really appreciate your input and help

yeah np, just trying to get familiar with how you're approaching this... though im not entirely sure my approach is valid, but its often how i've done very limited js debugging... via the console in the browser dev tools

started an nmap scan with nmap -Pn -sV -sC -p- 10.129.196.213

I used the mouse scrolling wheel while nmap performed the scan which showed its progress percentage. After 15 min. of scanning it is only 3.75% complete and has 7 hours left to finish scanning all 65k+ ports...

Why is it taking so long?
https://academy.hackthebox.com/module/77/section/850

don't perform a full 65k port scan (-p-) unless you don't see the service using default top1000 ports

+1 ^ use the --top-ports 10000 option

the q is just looking for a web server, just let it run with default ports first. at least for labs, you typically won't be looking for nonstandard ports. even in real world i always start with default (top 1000) and then kick off larger scans while I'm reviewing the initial data.

sure, top 1000 no problem, top 10000 takes only marginally longer and is a good one to remember for baseline real world scans and box scans on app.htb

basically anything other than the 65k scan is going to return MUCH faster results, also note that you can press spacebar to get namp to return its progress rather than whatever mouse scroll wheel button you were using just to prevent an errant click but use what you prefer

(and if you do need full 65k port scans for whatever reason, try masscan instead of nmap... way way faster, generally speaking... only slightly less reliable)

Scanning 10k ports says will take 30 minutes as opposed to 7 hours... still kinda long tho

yeah do the base scan, 1000, im not sure that 10k port scan should take THAT long, sometimes the pwnbox vms are slow

but it's over now. The time remaining was a lie...

haha i mean really, you know what ports are typical for web servers yeah? just hit those ports for the lab 😉

yeah but in a real world scenario, if you need to be thorough... what if you need to scan all them ports? masscan will scan all 65k ports much faster but it's less reliable. What if you need reliability and be 100% thorough?

you can use nmap but on a large network like a /16 or multiple /24s, that scan may take a week (or more) to run... you can run masscan more than once to see if it maybe missed anything the first time, it probably won't keep missing a port unless there are network issues... and typically if you miss one or two services, it's not the end of the world

as always, time remaining is an estimate and not exact

if it's a ctf on a nonstandard port, cross your fingers 😉

you can also use -t and other switches to speed up nmap, but then you might run into the same sort of potential reliability issues anyway

then you sit on your hands, or try to do something productive while you wait. also in a realworld scenario you're adjusting timing options and such to bypass waf which adds even MORE time to the scan... your best bet is to do thorough enum on the application stack, target analysis get an idea of what you're dealing with an still proceed with an initial target of the well used ports and any you think MIGHT be being used outside of that, then run your 65k port scanner after so you can set it and forget it just for good housekeeping, if it even matters at that point

can someone help me with sliver with last question Access the other domain controller in the forest and submit the contents of the flag.txt file on the Administrator's desktop I have access to DC02 but I cant abuse to DC01 I use trust key and I dont get access to the DC01

Hey, i;m in the certificate transparency logs page
And I didnt really understand 2 things.

1. Why do we need CT logs, who is looking at them?
2. And I didnt really understand the The Merkle Tree Structure concept, is the root hash always changing? a bit confused...

Guys

Who a hacker here pls reply

@surreal chasm

Need help with anything?

Another question:
if an organization decided to signed one of their internal services with their root CA which is signed by a trusted world wide root ca, Would the certificate being signed be logged in the CT logs?

@surreal chasm regarding certificate transparency and who is looking at them, some relatively recent news: https://techreport.com/news/google-will-not-accept-entrust-certificates/

this article doesnt really say what Entrust did

shall I google it for you? 🙂

Yes pls dmz

I googled it, Found that they did not meet google's security expectations or something like that..

Bro pls dmz it 🙏

?

Pls dmz

Are u a hacker?

DM me if you want

I need a hacker

dont know what a hacker is..

I did

Bruhhh

Sry wrong person theb

You did something wrong then

what do you need help with

I wanna hack a scammer with his ip

no

Whyyy

that's illegal

He's a scammer;(((

doesn't make it any less illegal

Bruh

But ty for asking-_-

@velvet sparrow did you do it through psexec?

i cant open splunk page, but vpn connected

try https

i think you have to wait for it to launch if its anything like elastic, it takes a while

There is a part in the section with a PowerShell command to grab the path that WSUS is using for the file and transfer PsExec64.exe to that path and name

can i dm you

ye

doing brute force first module

and the script is trying all the pins and didnt find anything lmao

any help?

Shouldn't take long.... Have to check if it's installed in any of the Hosts

Hello guys, I'm having an issue with one of the sections in the Linux Fundamentals module. On the question about the Kernel Version and the name of the Network Interface with the MTU 1500 I cant seem to get the correct answer even though I have found bothof the kernel versions of the machine and the network interface with the correct MTU. Do you guys have any idea what could be wrong, Im following the format the questions suggests.

can any1 help?

add section name, question/exercise you need help with, details of what you've done, etc

makes it easier to help

brute force, on login brute force

you are supposed to copy paste the python script but it hasnt done anything so far

wait

Hey guys, some modules might be outdated. The Kernel version on my Machine was updated while the asnwer on the section was not, any idea where I need to report this. Just lost 2 hours of my life 🙂 trying to figure out the correct kernel version

which module and section

Module: Linux Fundamentals, Section: System Information

the kernel version and the answer to the question are the same

losing my sanity with advanced deser. XML

this should be somewhat right?
||

<?xml version="1.0"?>
<root type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
  <Tee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    ...
  </Tee>
</root>

||

What is the Kernel Verision you got?

the answer to the question

just send htb-student ig lol

i did it, but with no result

so 4.15.0? because my ParrotOS system has a different Kernel Version

yes

if it's different then you probably aren't SSHed into the target

Hey, just finished the Tunneling and Pivoting Module, that was a great one and a must have ! I just got a question if someone can explain to me it would be great. I understood how to do port forwarding pivot etc BUT if I am not wrong the module does not explain how to use a transfer method form the victim (not the pivot machine) to my own attacking machine. Example: I want to download the LSASS file from the Windows machine I got access in by using an ubuntu pivot. I want this file into my kali machine so I can crack it, how can I perform the transfer ?

forward a port on pivot box to your attack box, then start whatever server you want, e.g., Flask upload server, running on the port forwarded to. use curl to upload your file, specifying pivot box IP with forwarded port as the target

Thx I will try that 🙂

They don’t need to, It would be no different than a reverse shell with port forwards

I need help with wordpress skill assessment last question rce not working for me. Im in admin panel put the php shell into correct theme but not showing any feedback with curl

hello, is there any way we can use our own hosts as attacker hosts in internal network for AD specific modules ? HTB instances hosting Parrot OS is way too slow.

Is it legal to crawl the website? or should we use a machine from previous pages?

it's a website made by HTB dont worry

Can you help ? somehow my rce not working but I did everything correctly

are you sure?

yea don't worry you can crawl it

thanks

they ask you to do that

let me check

xD

I was in split window, i didnt see it
anyway, thanks!

dm me for no spam but can you explain what you tried ?

k

What is the one place for all equivalent to kali for windows tools ? ( Not the OS part rather than having all the tools at hand ) ... currently copying all the tools provided at windows modules to my machine for future usage

What am i missing ? Win Priv Esc - DnsAdmins

Got into the domain admins group. Why dont i have permissions to view the administrator page?

i'd have to look to see if you're even supposed to be able to do that, but right off the top of my head just because a user is part of a domain admin group doesn't automatically grant them permissions to everything, even the domain admin group can be denied access to things

also, if you escalated your privs, remember you need to log out and log back in to gain the privs sometimes. i think if you logged in and then escalated privs you're still in your non-escalated session

Thats where the flag is so maybe i should. How do you log out from a rdp session ? You mean pop an other ps ?

close the session/log out and rdp back in again

Nahh didnt work

check the permissions of the folder i guess

sounds like you didnt' actually close the session out properly tbh

Rdp isn't vnc users are logged out when season is terminated/sigint'd you can be super sure by just logging out of Windows first then killing rdp if it doesn't close itself

shutdown /l /t 1 in cmd (or ps I think it works too)

Closed everything and hit disconnect. Am i missing anything ?

Not sure wdym

try signing out instead

Not such option

Or is there?

sure let me google for you

try logoff in powershell, or ctrl alt del to see if log off is there

haha brother you were right. Ngl had some disbilief about this in the first place logoff worked

Didnt pass my mind of sign out if there is not option in the power button

Should have been mentioned somewhere in the module though

maybe.. but it is pretty basic windows functionality

i think it is mentioned somewhere

help

guys iam stuck with an queston in the

Linux Fundamentals

System Information

task /question = uestions
Answer the question(s) below to complete this Section and earn cubes!

Target(s): 10.129.156.62 (ACADEMY-NIXFUND)

Life Left: 75 minute(s)
SSH to 10.129.156.62 (ACADEMY-NIXFUND) with user "htb-student" and password "HTB_@cademy_stdnt!"

answer: ssh ACADEMY-NIXFUND@10.129.156.62
ACADEMY-NIXFUND@10.129.156.62's password:
Permission denied, please try again.
ACADEMY-NIXFUND@10.129.156.62's password:
Permission denied, please try again.
ACADEMY-NIXFUND@10.129.156.62's password:
i keep typing the password but it doesn't work

you're using the user "ACADEMY-NIXFUND" which probably doesn't exist. it's ssh user@ip, so ssh htb-student@ip

ACADEMY-NIXFUN is the hostname of the pc, not the username you log in with

owh thats why thanks

They use curl to make a POST request.

Hi, is there any chance to reset progress in htb and start's all from 0 ??

no but you can just go through the modules again

Wont they reset it for you if you ask really really nicely 😄

i've never heard of that so idk

i've seen staff comment and say it's not possible to reset the modules

Yea that is obviously BS. They might not have a button for it, but for sure they can do it.

Its all in the DB...

Sorry I don't think I can be of any more help without having done the module. Looks like an express app though I would research how to debug a node/express app and see how it applies to your section

Aren't you running it with node in terminal/vs codium? Check what app.js accepts then, enter what you want the JS code to do.
It should show in the terminal if the return is "console.log(input[0])"

I used visual code debug mode and test it with node run dev in root directory of the app. Monday I look further

Then I will see 😄 , thx bro

does anyone know how to open a quick HTTP server that accepts POST requests?

kinda like python3 -m http.server 80

that option doesn't handle POST requests and I was looking for an alternative

No, we cannot do that.

It's not something our stance will change on either I'm afraid, sorry.

I don't think there is one
since accepting POST means handling the POSTed data

which is a custom action in most cases ig?

you can type a simple python server however and make it handle ur POST data
you can let any LLM help you

Anyone else having issues when trying to solve tasks that involve SSH conections?

No matter if I connect via provided Instance or via VPN and SSH connection from my host machine.

After establishing the connection I am able to run a few commands. But at some point the terminal suddenly freezes on me and I cannot type anything anyone. At that point I have to open another tab an reconnect.

Did run into this issue on multiple occurences now. Which is really annoying, since I have to be fast and reconnect for each invidual task.

Check if you have multiple VPN instances running.

sudo killall -9 openvpn or reboot

I can check logs if you want

I am currently doing AD Enum module that uses ssh to connect to a linux host on AD set and it is working fine
so IG check ur VPN

If you want me to check logs, DM your Academy user ID or email

I will check, but in the past I also restarted my machine. And the issues was still there.

But like I said, it also happened for me from the provided HTB Instance. So that's strange to me.

Could maybe be a Pwnbox instance in the background still running perhaps?

Anyway, can check if you want.

So you are trying to insinuate that a company that creates all of this is not able to make a query to the DB and reset the progress? I mean that is nonsense obviously. HTB can do it for sure its just like every other place you have to be a big shot for someone to go out of their way to do what you are asking. 😉

There are other reasons for the inability to do this, which I am not at liberty to discuss.

It might seem like a straight forward task, and obviously we COULD perform a query to remove progress, but there are other systems and processes that would be affected. Sorry

..and it doesn't matter who you are, bigshot or whatever. We do not perform this task for anyone.

As mentioned, you can always run through the module content again 🙂 You just wouldn't be able to submit the answers, as they have already been answered.

O well thank you for clarifying. Its not like i want my progress reset, so it doesn't matter to me. I just thought the answer was silly 🙂

hi guys currently stuck at "ACL Enumeration" lab yet im stuch at this question " What flag can we use with PowerView to show us the ObjectAceType in a human-readable format during our enumeration? "

I’d suggest reading the section again but if you still don’t get what flag should be used, you can use the Get-Help [cmdlet] to display the options to that cmdlet

👍

Hi guys, I really need help on "The Live Engagement" module on shells and payloads. Im not sure if I understand vHosts correctly and im struggling

Ive found these on the target. but after copying them to my attackbox /etc/hosts file i still cannot access them. What am i doing wrong

those look like internal IP's and you wouldn't be able to reach them without pivoting

can somebody help with nginx

my bad i understand the task now

why I don't get the 36% discount for unlocking modules with subscription:
"+1000 each month to unlock modules à la carte
36% discount"

Yet, all senior web pentester modules still cost 500 cubes. I subscribed in the afternoon, hoping to get some discount on this, but it does not register. I paid for a module with 500 cubes to start on CWEE, but this whole cubes thing is either not well implemented or documented

Or you get discount for purchasing cubes? I'm confused tbh

this odat crap is fucking annoying

I can't get it to work for Oracle TNS foot printing module. Tried following the install guide from the github page and tried everything I could find in the text channels here with no luck

this module needs to be updated

can someone please spoonfeed me on the Pass the Ticket (PtT) from Linux bonus question? (From Windows (MS01), export Julio's ticket using Mimikatz or Rubeus. Convert the ticket to ccache and use it from Linux to connect to the C disk).

i've dumped all of julio's b64 .kirbi ticket with both mimikatz and rubeus on MS01 and converted them to ccache with impacket-ticketcoverter. when i try exporting the KRB5CCNAME and using it to connect to the C drive (smbclient //dc01/c$ -k -ls) using the LINUX01 machine, the ticket never works. i've been at this for hours, what am i missing here?

currently stuck on Windows Attacks & Defense: Credentials in Shares.
Invoke-ShareFinder is erroring out and I've got no idea why.
Server01 also isn't showing up in the Network section at all, but is responding to pings.

the error says it can't find the pdc

Target instances have to be modular, so try to reset your instance and the target also. They can bug out. It is normal even in the wild to find unexpected behavior, so dont be discouraged.

One of the modules has you convert RIDs in Hex format into decimal. I had a script take the enumdomusers output and do it for me. What does getting the RID in decimal format get me though?

Hello, it seems that the box for the Reverse Shell part of the module Shells & Payload is not working.
I can't ping the IP. I used the right vpn config file. Tried to reset both the box and my machine and nothing changed. Am I alone to have an issue with this part of the module ?

have u tried chaning ur vpns ?

Yes I did, I downloaded a new config but it didn't work...

do u see any erros when trying to connect ?

hi all. I'm new here. Am doing the HTTPS/TLS Skills Assessment. I managed to decrypt the user cookie with padbuster and then encrypt a custom admin cookie and I got access to the /admin portal, yay! Got the token and put it into redeem token. Now I'm stuck on the last step to get the flag. I feel rather stupid and stumped. Can anyone help please? I've been trying for hours and I know the answer is probably right in front of it. After redeeming the token it says: "Token successfully redeemed. Check you email for further information.", but it doesn't lead to anything. Looking at /token in Burp, I can't seem to induce an error when forwarding to Repeater either. I'm totally stuck. Very appreciate any help. Thank you.

No the vpn connection works well and I'm assigned an IP. But I do not know why I can't ping the machine. It worked with the previous module like 10min earlier...

do you still need help

man i still dont get what exactly its asking for "What flag can we use with PowerView to show us the ObjectAceType in a human-readable format during our enumeration? "

the flag has a whole header talking about it btw

man i really feel dumb right now ..

ive tried Get-DomainObjectACL -ResolveGUIDs etc still no luck so far

its asking for the flag not the command too

the flag is right in the header title too

yeah i did submit the answer as ObjectAceType yet still

idk what im doing wrong

just look through the section

i found it just by searching human.

you should also have notes for this

"Documentation and Reporting", section "Effective Remediation Recommendations". I feel like every expensive penetration test I've been on the receiving end of is a copy paste of that "Bad" example. Specifically "Example 2"

no

apperantly i kneed to read, funny how that works 😆

Can anyone give me a sanity check of the "Error-Based SQL Injection" section in the "ADVANCED SQL INJECTIONS" module? I believe I've found the required information to generate the reset link but seems wrong answer

In Passwd, shadow & Opasswd module;
Using hashcat to crack passwords from unshadowed hashes and is throwing me “Status:Exhausted” what am I doing wrong?

cmd I’m using is;

hashcat -m 1800 -a 0 unshadowed.txt rockyou.txt -o unshadowed.cracked

exhausted means it ran through the password list and did not find any matches

try using the mutated password list

Thanks so much

So, i think i connected to VPN (I wish anyone ever told me it's done through terminal before, i spent 30 minutes searching for openvpn in apps) and now terminal doesn't display that input like above, like, i cant type any commands now. What do i do?

You’ve connected to the vpn, great, now you can connect to the boxes or modules

But i cant input anything, do i just need to open another terminal tab?

Yes

The vpn tab must remain open

ok

https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn

Oh god my own VM is lagging more than the PWNBox

How do i complete this question if target's passwd file looks like this? What did i do wrong?

I dont even know what passwd file is for, why are these questions are so hard like if i skipped entire path

do /etc/passwd, not etc/passwd

also if you don't know what passwd file is for then maybe you should take some steps back and do the linux fundamentals path or something

This IS Linux Fundamentals / Filter Contents

I've been told how to work with files not what all these default files mean

I'm not even talking about 2 other questions that dont make any sense

oh right, my bad. I don't have the path myself so not too sure what exactly it covers

but did you try cat /etc/passwd? your screenshots don't have that first slash

Ok i passed the question by randomly trying each one of these words

I guess the username is the word after second "/"

nah that's the program name. Username is the very first word

ok thanks

also im not sure if it's covered at that point but if you add -i to grep it'll search case-insensitively, so you should still get a match with grep -i 'ProFTPd' for example

It was covered that i might want to read manuals for every filtering tool but most of them have, like, 1000 lines

reading man pages is a good skill to have to help yourself often. Most of the man pages you could also search for online in a browser and there you can search in a more familiar way like using Ctrl+F

As for first question, I know about ifconfig from a completely different course but it shows 4 services and that's wrong answer

ifconfig just lists network interfaces rather than services associated with them

that's more for something like netstat or ss

Right when i thought i began to understand this

netstat is a tool that shows network related info, not services

hi, if you still need this, the File Transfers module is great for this. tl;dr, you can use this snippet:

$ pip3 install uploadserver
$ python3 -m uploadserver

File upload available at /upload
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

AD Enum & attacks - Kerberoasting from linux
what is the intended way to solve this?
What powerful local group on the Domain Controller is the SAPService user a member of?

Hey guys am new here.. And I want help

I solved it with PowerView but surely this isn't intended as it wasn't talked about in the section

with?

My discord acc is hack I made this new acc

@midnight galleon

so.. what do you need help with?

So can u hack my old account someone is using it... Ik gmail and username

that's illegal

so no

?

Wht illegal?

Np if u can't do it tell me I'll ask someone else

hacking your discord account is illegal

Thee hell bro actually that's my account and someone is misusing my acc

so? contact discord support

Nope they said according to our term nd service we can't help

still not an issue for us to solve

I thought you'll can help..

Shall I share my
Gmail. Nd username to u

?

even with the fact that it is illegal, hacking inactive discord account is not possible unless you have some weird 0day/extremely complicated bug in which case i would be more interested in reporting it and cashing it out than hacking someone's account

So ig you should just enjoy ur new account and don't click free nitro links again

The last couple of days I been trying to get the Attacking Common Services - Medium skill assessment lab to work but its been giving me closed ports on some of the services.

Had to restart it a bunch but I got it working again.

Need help in
Wi-Fi Penetration Testing Basics
Wi-Fi Interfaces. How many interface modes are available ? As show in the module iw list shows that but the correct asnwer prove to be way less than shown ? What am i missing?

Also, not said in the module but in order to scan for networks you will need sudo rights

hi ik this is from a few days ago but im running into a similar issue my terminal shows "all ports in an ignored states" i tried disabling the firewall, but it didn’t help do yk how can i fix it?

<@&861185840277487616>

Oh sorry mods it apparently got already deleted

No problem 😉

Hello
I'm in Windows Event Logs & Finding Evil -Skills Assessment
Q1 : I found the answer using power shell By examining the logs located in the "C:\Logs\DLLHijack" directory, determine the process responsible for executing a DLL hijacking attack. Enter the process name as your answer. Answer format: _.exe
I answered the question But in Q2 I cant answer it I'm thinking about ProccesID related on the Q1 but how can I thinking about it ?

Don't reveal spoilers

OK

Better to state the questions themselves too, gives more context to your question

Q2 By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe

Is there a related between ProccesID and what I will search about it ?

You can look for the specific event by filtering on the processID related to the type of event the question mentions. But you have to answer with an executable ending in .exe

So try to research which ID's correlate to the type of event in the question and narrow down from there

You don’t need nmap for this, just open the ip in your browser

is "Intro to nosql injection" skill assessment 2 solvable without doing blind/error-based injection and enumeration? Got a solution by doing error-based, but still wondering why it's needed

i alr got the ip but i need to scan all my ports using Nmap specifically it's my homework

Hi,

Module: Attacking Common Applications
Section: Other Notable Applications
Section link: https://academy.hackthebox.com/module/113/section/1102

I am stuck at this point. I don't get any connections back to my netcat listener. What am I doing wrong?

You’re trynna scan your own network or the target machine?

my own network

try doing the nmap module or google how to bypass firewall with nmap

It seems to be stuck on this while loop. When I print res, it is being printed as empty new line.

Hello all, anyone who did the AD Skill 2 know why my Socat don't want to connect ? (few details for avoid spoil)

└──╼ $sudo socat tcp-listen:135,reuseaddr,fork tcp:172.16.7.50:9090
2024/10/27 09:01:47 socat[5451] E connect(5, AF=2 172.16.7.50:9090, 16): Connection refused

Really blowing my mind

that gave me problems too, you're better off using msf

dm what you're trying to do

did you use GetUserSPNs?

im pretty sure you just check groups after getting access to the user

guys i cant find the profile id on the website, i have a student sub

but when i try to identify it says id must be at least 60 character

oh its on app

sry

I have a question in the SSH pivoting with Sshuttle part. I run everything from my Kali and use the VPN, and my 'attack' IP is the one connected to the tun0 interface. When running the sshuttle pivoting, and checking the output from the tool, it was my eth0 IP address that got connected to the windows host on the internal network. How can that be?? (Since the VPN is creating the tun0 interface, I mean.)
This is the output:
fw: iptables -w -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL
c : Accept TCP: 10.0.2.15:51538 -> 172.16.5.19:3389.
c : Accept TCP: 10.0.2.15:50042 -> 172.16.5.19:3389.
I'm just very curious about how the networking part works in this case (in the output, my 10.0.2.15 address is connecting to the 172 over RDP)
Thank you in advance

Where is the incident response module?

I cant Find it. I can see incident handling but not the incident response one

Did you ever get the answer to this? I can’t get the service flag to be viewed as well

i did bypass firewall and it didnt help too i should've listened to what u said first about the ip i changed it and it worked, thank u sm

Academy.hackthebox.com/module/263/section/3085

can anyone help me pull the service file ? I obtained a shell with sharp no psexec but the shell is worthless and I can’t more type cat etc files. Tried various servers without luck someone had the same question but it was a dead end in the chat

“Use any tool to get a shell on SRV02 using the service application layer gateway”

the Incident Handling Process module covers incident response

if it doesn't, Security Incident Reporting covers it

I think I used Impacket's services.py, but had some errors by trying to point the file to my attack box.
I could only pull it off by pointing it to a local file

Yeah, I mean I got the shell, but it is hell on earth to read this file and I don’t have the annual subscription because I pay monthly so getting an answer for anything is literally impossible because I’m not paying the extra money I guess apparently

Can I DM you later? I’m not near my computer now. I took a break. Could use a walk-through on how to get this file to be read.

I also got monthly subs 👀

Sure

Yeah, they burn you big time if you don’t want to drop $1000 on a one year subscription

Better than offsec though

Added

Can I use wsl for taking the exams ? anyone tried it or only vm.

can anyone explain me how we can find virtual host or subdomains which are not public with virtual host fuzzing

use ffuf

Doesn’t the module demonstrate?

actually yes

i dont understant

Can I send you dm ?

What module is that

information gathering web edition

yeah we can but how this works i didnt understand that

ask questions after you're finished reading

ok

it shows you how right after

yeah i get it . it is talking about those subd which are public but does not reside on dns server . i was thinking that if the subd is not on public we can only acces it on the internal network . yeah i got it we are querying the server for subd this time there is no interaction of dns in here just changing the host header of a HTTP req

Heyy

Hi

How Are U Bruh!!

Good. If you wanna chat, come to #general but first - identify your account via the instructions in #welcome

Ohky

Does anyone know if you could share a prolab among your friends

Hi 🙂 has anyone had to do any keyboard remapping on VMWare, mac host to linux guest ? I've been getting along working through the modules with copy paste but I really don't want to be relying on that come exam time...

The "language specific key mappings" get me the closest, but some keys are still wrong. However I can't modify/disable/delete those (the checkboxes are disabled). I then thought I'd reproduce them as custom mappings, but the UI for that is silly... it only takes "basic" keys as input, plus modifiers, so I can't for example create a mapping for '§'. Even attempting to copy-paste it into the box unhelpfully turns up a 'v'...

Any clues ? I can't be the only one struggling with this, yet somehow google and even chatgpt didn't help.

(it's probably a bit cheeky of me to use the "Setting Up" module as an excuse to ask this question here, but I'm not sure where else to ask and #general was... well, not helpful... so lets say I'm asking in the context of Setting Up 😋 )

I've tried turning the VM off to see if those settings are enabled, I looked for other places that could enable them... no luck so far

just realised it's probably easier with a screenshot. This is what I mean

Is there anyone for a sanity check on Advanced Deserialization Attack?

Okay guys I have been stuck on a question for an entire day and now I am actually asking for help

You didn’t ask anything

First question in Find files and directories want the name of the config file created after 2020-03-03 and is smaller than 28k and larger than 25k

find / -type f -name.conf -user root -size +25k -size -28k-newermt 2020-03-03 -exec ls -al {} ; 2>/dev/null

i’m stuck in the intro to assembly skill assessment p1 😭

I looped xor for me to grab the hex of every $rdx value after each loop [ 14 ]. Have a large code with in theory, is the shellcode. But when running the loader.py, nothing happens

Looks like you didn’t add a space between -newermnt and -name

Okay I will try that. so a Syntax error

Hello guys I got stucked in a problem and want to know something from you guys I thought maybe you guys can help me

And what problem would that be

Working on a few modules with xfreerdp and have the same issue. I’ll connect to tgt box, it’ll work for a minute or so, and then the connection will drop. Happens on both my VM parrot and pawnbox. Any suggestions?

Hmm so buddy actually someone from a fake account of an Instagram is doing some illegal activities like blackmailing

No, can’t help you there. Contact police and instagram support

This isn’t hacker for hire

find / -type f -name *.conf -newermt 2020-03-03 ! -newermt 2020-03-04 -size +25k -size -28k 2>/dev/null

@safe star Typed it exactly like this and nothing happened it just looks like the command line resets and I have to start over again

I DID IT 😭

want me to doc my process on it?

try taking out the !- newermnt

My hero. thank you so much

Do you experience some issues while working on target machines? After I ssh to them (either from pwnbox or my own vm connected to vpn) the shell is stuck after a few seconds for a few minutes. Then it repeats (a few seconds everything works fine and then stuck for a few minutes). They targets are literally unusable.

Is it possible to connect on 2 different machines like a vm and main pc to a lab with vpn at the same time ?

No

ty info

kinda but the vpn will switch between devices randomly

I wanna use wsl but idk maybe stick to vm

yeah vm is the best option

Yea, I’m having the same issue. I notice it on ssh and freerdp

Yes, it's possible. I believe you'd have to connect to the VPN on your host PC and then bridge the adapter with your VM.

I see ty info I wanted to try with wsl

bec. wsl I can't open website only if I use rdp

yeah it's not really setup for that and there really is no need for it either

you'd have to do some networking voodoo on your end to achieve it

yet more struggles with Windows Attacks & Defense: Credentials in shares. can't rdp to the target from the pwnbox.

had this issue yesterday as well

this module as a whole is the most inconsistent i've encountered so far by a huge margin

probably something wrong with your command, error says logon failure

my guess is credentials based on your error message

xfreerdp /v:10.129.204.151 /u:bob /p:Slavi123 /dynamic-resolution

does it need to be bob@eagle or something like that
edit: nope. @eagle and @eagle.local don't work either.

even pwnbox is kinda laggy

try adding /d:<domain>

dont think that would make much of a difference tho

yea same error

hmm it works if i RDP directly from my actual PC

so it could be a config thing with xfreerdp and the certificate not looking legit

you can add /cert-ignore

try rdesktop -u user -p pass ip

this worked ty

also Invoke-ShareFinder is working when it wasn't yesterday 😄

Attacking ColdFusion
the exploit for the RCE timesout?

i didn't have that issue

both metasploit and the python one didnt work for me

sounds like something's up with the network connection then

working from pwnbox so idk

probably your config or the target timed out then

Academy.hackthebox.com/module/263/section/3085 question two. Use any tool to get a shell on SRV02 using the service application layer gateway service and read the flag. Can anyone give me a walk-through. I have tried no sharp however the shell was completely worthless and does not provide any output.

it's a tier 3 module no one's going to provide a walk through

if you have the annual subscription there's a built in walkthrough

Yeah, I don’t have the annual

I don’t want to pay all that money

maybe check the hint and go over the section again

Check the hint? No way

i have a serious serious problem.I am doing module attacking common applications,assesment 2 ,and while i have found the WORDPRESS URL ,i doesnt accept my answer!!!

either with http:// or https:// or non

any tip,cus i am losing time for no reason

the protocol and url worked for me

got it, bound to the port in the exploit(nc -lnvp port) and the exploit was trying to bind to its on port

i am sure i tried it before,but now it worked...nvm....thanks ❤️

hello everyone. quick question, can I follow a learning path to one of the 4 certs by using the student membership?

also can someone explain me what do I need for the vpn file and how can I use it? I feel a bit overwhelmed with the instances and vpn thing

[17:00:23:772] [8544:8545] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[17:00:23:772] [8544:8545] [ERROR][com.freerdp.core] - failed to connect to 10.129.181.88
why this happens ;/

Did you start the vpn service?

https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn

The openvpn.

Direct access to all modules up to (including) Tier II

• This includes the Bug Bounty Hunter, Penetration Tester, and SOC Analyst paths.

Attacking Common Applications - Exploiting Web Vulnerabilities in Thick-Client Applications
I got an issue, anyone know what could be wrong?

Thank you guys for the support!

Yes so not the study resources for the certification itself right? for example CDSA

yes, it started before
and then disconnected

[18:04:28:283] [31917:31918] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[18:04:28:283] [31917:31918] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[18:04:28:307] [31917:31918] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[18:04:28:307] [31917:31918] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[18:04:56:563] [31917:31918] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 110: Connection timed out
[18:04:56:563] [31917:31918] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[18:04:56:563] [31917:31918] [INFO][com.freerdp.client.common] - Network disconnect!

└─# xfreerdp /v:10.129.19.148 /u:htb-student /p:Academy_WinFun!
[18:05:24:308] [32303:32304] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[18:05:24:308] [32303:32304] [ERROR][com.freerdp.core] - failed to connect to 10.129.19.148
and now cant connect

Try to use "rdesktop".

nvm started again

Oh I love xfreerdp, funky tool.

there are a lot of reasons why that can happen. most likely in this case your target died or it's because you didn't wrap the password in single quotes.

Yes it is. The path is the course, the cert you get by doing the exam. Exam vouchers are bought separate. With the student sub you will have access to all the modules in each of those paths.

• SOC Analyst Path (CDSA)
• Penetration Tester Path (CPTS)
• Bug Bounty Hunter Path (CBBH)

Hey guys, how are you? Can someone guide me in the xpath part of the skills assessment, injection attacks, I've already managed to get to the part where it lists but I can't get out of it, any tips on how to get all the ids?

it keeps disconnecting me after some minutes do u know any fix?

restart your target, wait 5 minutes for it to load the entire box.

Restart your VPN, check if it connects.

Thanks!

.

nvm, i think I can fix it, forgot to add an ip in the hosts file

its alsways down and failed to connect it just keeps disconnecting me after a minute, is it my network issue or from htb? can support help with this ?

nvm x2

Try rdesktop.

And send screenshots.

hey anyone able to help me with this htb academy XSS scripting lab?

sure, which section of the xss module

the instructions tell me to listen on port 80 but it is saying that port 80 is in use... the section is "phishing"

lemme look at it a sec

ty

dm me

it does not disconnect from there but gets freeze screen

there are problems with VPN in EU and US today

are there? https://status.hackthebox.com/

yes there are and have been for several hours

multiple people have confirmed the same issues

i haven't had any issues on US

Attacking Thick Client Applications
when i execute restart-oracle i can't find it in procmon

thats fine but that doesn't mean there isn't a problem

yeah but you're claiming there IS a problem with US and EU, when i haven't had any that indicates there aren't actually problems with at least US

just because you're having a problem doesn't mean it's the VPN

just because you personally haven't had issues doesn't mean there isn't a problem

Wtfbro is the only person who's commented about issues

and me

so that makes it more than one person i.e. multiple people

yep, 2 of hundreds

probably your end, vpn isn't having issues

I can assure you it's not my end

my internet works just fine, but oddly it's only HTB VPN where I have problems

and I've tried multiple VPN's multiple times with the same issues

so you telling me you personally don't have issues doesn't solve it for me or wtfbro

been stable for me and many others, don't know what to tell you, seems like it is an issue on your end

it's not, but thanks for your input

it is

i've been on all day zero issues, every time someone comments on an issue and i provide some advice it seems to resolve their issue and actually wasn't vpn related. i'm not saying you're wrong, but you've provided nothing beyond "me and one other guy are having problems"

RESOLVE: Cannot resolve host address: edge-us-vip-9.hackthebox.eu:1337 (Temporary failure in name resolution)

I'll brb

yeah that's 100% your end

but it's not

you can't include : or the port when trying to resolve a host

I downloaded straight from the site without editing

no problem here, your end. don't include the port.

check your dns service etc

Im using google

and Im pretty sure they're fine

so use another provider then, again no issue resolving hosts here. plus your issue is resolving a hostname, not the vpn like you claim

so looks like you were wrong afterall.

yeah same here, I am from eastern europe and internet connection is not great here but it's stable, usually have 60-70 ping in europe game servers for example, but struggling on htb servers

Maybe try to see if connecting over udp or https makes a difference

udp/tcp isn't going to matter if he can't resolve the hostname

he needs to fix his DNS

again it's not my dns

it is, and you even showed a paste of the problem

adding a :<port> after the hostname is going to fail every time, the port isn't part of the hostname

okay if you can explain how my correctly working dns which allows me to talk to you right now is the problem I'll listen

and if you still fail to resolve the host, try another upstream dns server

there are too many reasons to list, bottom line is now you're moving the goalpost, at first you said VPN issue now you're realizing it's DNS. one of them could be because you already have discord's address cached, another could be because the resolver simlpy can't resolve that particular address for whatever reason, which is why i said try another upstream server

plus you haven't shown trying to resolve a real hostname

https://tenor.com/view/dns-haiku-dns-haiku-tech-pod-it-was-dns-gif-27399037

I have not moved the goalposts, I have been very consistent. hey @languid fjord can you get in here because this is very poor response from HTB

your query was invalid due to the port thing like i said

instead of investigating just blame the users

lmao pinging staff because you don't like that i'm right

this is unprofessional at this point

and in fact I will @jolly cradle

don't ask for help then i guess if you don't want it

what happens if you try to resolve a hostname without the port attached to your command? does it resolve? (this isn't even related to HTB at this point, not the VPN like you originally stated)

maybe reach out to Google if you're using their DNS servers

I'm not going to continue responding because this is extremely rude. you haven't provided help, you've just blamed me and @tired dagger for having problems without providing any assistance other than for your own ego by claming I've moved goalposts, and some weird insult by me pinging staff when you have personally taken this convo out of control

I literally gave you all the answers as to why your stuff wasn't working, which you refuse to even attempt to try because you just assume you are correct when you can't even perform a standard DNS query

why are you even asking for help since you know everything and refuse to try advice given to you when someone points out what you were doing wrong in the first place

then you bother staff over it. just reach out to support on the website if you don't like the answers here.

chill guys

Hello. can anyone pls give me a hint in Linux Privelege Esc / Environment Enumeration.

search for HTB

Nah it does not work vpn and even machines itself on htb has some issues I can't do any task without errors it is so frustrating

Can someone at least give me a light on this injection attack skill assessment?

Reread the advanced data exfiltration section

❤️thanks

Those who are having issues with the VPN, please raise a support ticket via https://help.hackthebox.com. Someone will come back to you when normal office hours resume. I've checked over the infra, and do not see any issues ongoing at the moment. Anyone that is having issues, feel free to DM me with your current ovpn file and username. I'll be online for another hour or so.

Switching to TCP may help, as some ISPs do block the port used by the HTB VPN servers over UDP.

@tired dagger @hushed raven

We also have an article dedicated to troubleshooting VPN issues here https://help.hackthebox.com/en/articles/5185536-connection-troubleshooting

Attacking Authentication Mechanisms, I do the skill assessment, I can forge anything, tried lots of things, but in the end I don't know what to forge. Any tips in terms of methodology on how to enumerate possible solutions? I feel like it's just brute-force at this point, but that looks wack

Thank u so much. but i have a question.
is there any other way ??
i mean i found the flag by searching HTB{ but it is interesting for me does the HTB really wanted me to find the flag like that?

yeah, im pretty sure thats the only way.

they had multiple "HTB" appear and it was in the most random file

alright. thank u so much

This assessment is literally broken. I'm 100% sure that I did the payload before which succeeded at the end

@old oasis can i DM you? Just to check something

sure

It’s not
You have to remember to append a new line at the end

Can someone make an AD path group?

It got me stuck for a day… but that’s what it is 🤷‍♂️

If anyone get stuck with any of the modules, feel free to ping
Finished a while ago

as in a group of people to do the AD path?

It would be nice to have the active Directory path be a subgroup somewhere

I know it’s not a test yet but it would be super cool of HTB to do that

Yet 👀

Can someone help me? I'm stuck 🥲 I'm doing something wrong and I wish someone could show me where the error is, I'm doing the injection attacks skill assessment, I'm already 80% done but I'm stuck now

||I'm trying to use the order to find the depth but I'm doing something wrong 🥲||

man how come all the servers are showing 700+ ping

im in australia and the australian server is going from 700 to 1000

im trying to do the last shells and payloads lab but its torture

Hi everyone,
Information Gathering Web Edition - WebArchives:
While pages for Google, IANA, paypal, facebook, are working fine
I 'm having trouble finfding the HTB pages. While there are snapshots marked on the calendar, the landing page is in another date, e,g, question 1, takes you from Aug2018 to Feb2020 if I correctly recall.
https://academy.hackthebox.com/module/144/section/1256

Someone?

Anyone else having issues with VPN? I redownloaded VPN pack, rebooted VM, killed all services, etc.

^^ ah nm. I see that wonderful convo from earlier

i'm in indonesia and have the same problem, but the ping looks really random, sometimes it's 100ms, sometimes 10000

need some help here

Please don't post full payloads like that

i thought something wrong with it thats why i did that

Am I allowed to ask questions about current boxes or should I avoid that

Right.. but spoilers

its in the text

reverse shell module

For active boxes or content, you can ask for guidance, but keep it to DM's if someone offers to help

I've been researching all night and i got school tomorrow 😦 still stuck

Sure, but you could've said something like "I'm having issues with this section, could someone give me a nude or advice please?"

this is the question

Read the message I forwarded above please 🙂

i am doing shells and payload module of pentesting path and in reverse shell section of this module the guide was to paste the payload in the powershell and then trigger reverse shell but that payload giving error

I'm having problems with chemistry I've been trying reverse shells for the cif and I've brute forced the web directories and found nothing useful and I also looked for cves on the open ssh

This channel is for Academy Modules - go to #1297256768526618674

If you need to validate your account, follow the instructions in #welcome

and sir me?

I can't help you, as I'm not familiar with that module. Someone may offer to help though

Just be patient 🙂

ohk sure

..buuut, it looks like a syntax error.. one or two of them..

What is the first error you see?

sir i copy pasted it

from the hackthe box academy

i dont knw what code do

Ok sod it, DM me a screenshot of you running the command and the first error after attempting

looks like something that happens when you don't use the raw code off github

I'll see if I can help

where did you copy it from

Oh man..

It's ok SuperNuts, I got it

Have you tried base64?

but there are so much errors and also it has character limits in powershell i gues

and if i baseencode it it will exceed the limit i think so also its easy module and reward no cubes too