#modules
ahh thx!
Don't spoil answers
The simple thing is replace scanning for a specific port with scanning for all ports
?
:)
Thank you for doing nothing to help 🙂 I'll go ask elsewhere.
I'm saying your question revealed spoilers for a skill assessment
Sometimes nmap doesn't gather all the info, and you'll need to connect more directly
You can ask for help here at any time. But please do not post solutions/spoilers for modules
This is helpful. Thank you. I get your point, but this was a simple banner grab and I pinpointed the issue down to a timeout. But nmap for some reason is failing, so I wasn't sure where to look from there.
Using netcat can get you the banner
I know. But that's not the point of the Lab. It's about nmap.
Even the nmap module tells you nmap can't always get you everything
I suggest going over the reading, you'll see more in the evasion reading that netcat (or ncat) was used in the example
nmap can only go so far
Hello all!
Currently I'm facing a strange issue with nmap. Running an nmap scan (no spoilers) with the -sC flag to run all default scripts gives me the intended result in the in-browser VM. The same command does not run any NSE scripts on my own VMware VM.
You can likely play with nmap timings to get it to work
Already tried apt-get update and then upgrading nmap
No idea for your issue, likely something slightly different enough to matter
Could be a bug. I'm also revisiting this module. If you do everything right, the flag should be in the banner. I remember last time spending hours on a weird problem just to come back the next day to see it had disappeared.
what do you get with ls /usr/share/nmap/scripts/ |wc -l on each machine ?
Interesting, maybe it's just one of those things
I get 606 on both, so they should have the same scripts
Thanks marcielee, I've gone over it again. I get your point, but in the module it also says it's just checking the intended results by connecting with netcat. For banner grabbing, nmap should suffice. I'll investigate more. Thanks for the help.
Otherwise, it doesn't make sense if we had thousands of hosts to scan.
Timeout suggests you need to play with script timings
I believe it's like --script-args or something like that
I did have it in my script: --script banner --script-args "banner.timeout=30". It indeed waits for 30 seconds. Then the connection is refused for some reason.
try this:
$ grep "dns-nsid" /usr/share/nmap/scripts/script.db
Entry { filename = "dns-nsid.nse", categories = { "default", "discovery", "safe", } }
if it's in the default category also on your VM, no idea what's going on
Appreciate it! It's in the default category in both VMs, so yep, might just be a bug
sure thing 🙂 weird indeed
you could try --script-trace to see if it is at least executed but maybe not turning up anything
it looks like it's being executed, but still no result
dunno how far you want to debug this, but according to the script, "This script performs the same queries as the following
two dig commands:
- dig CH TXT bind.version @target
- dig +nsid CH TXT id.server @target
so I guess you could try them manually, I suppose they should turn up different results too
thanks a lot, I'll give that a try
Can you redact the target port? 😉
in the end, I reset my VPN connection and the script worked as it should!
maybe IPS, maybe a bug
odd! Glad it works now
hey guys, is anyone having problems with the Windows privilege escalation module? I do everything the module says and see my account in the local admin list but still get Access Denied. Does anyone know about that?
did you escalate your account?
as I said, I could see my account in the local admin list
did you log out and back in?
yup
shutdown -l
and it happened to me in almost every section, not sure what I'm doing wrong
then it sounds like the user you're running as doesn't have permissions
i log in with whichever account the lab gives me, i’ll have a look again
I'm having trouble looking for the unique domain record that's supposed to be in double quotes. I have tried everything I know and still can't figure it out
Hello, I'm stuck and I can't find the answer. The answer gives me 34071 but it is not correct, can someone help me please?
I can't take a screenshot; it's the bash scripting loops module
I'm on the command injection skill assessment. Does anyone have a useful tip? I've been attacking the URL and I'm just getting a big code base coming back to me
Comb the site with Burp to see what each button does. Command injection is about injecting a command into the operating system, so try to find some place where you see something like that going on.
I'm not really seeing anything interesting just a bunch of status code 302s redirections OR status code 200 OK
try to think about what each button actually does on the back end, something that may run a command
Guys, I'm in password mutations. I have made the mutated file from the .zip in resources. It's been an hour and a half and it still hasn't cracked the password for sam
It's not the first time I've done this module. I contacted HTB support and they told me to try to crack FTP, but it's not doing much
The first time I tried doing this module I tried ssh, same thing
I have extended the lifetime of the box to 300 minutes, should I let it run?
oh idk then. I used hydra.
@ocean night what should I do?
🤷♂️ I can't provide support right now, sorry. Ask and see if someone else can provide any more advice.
Alternatively reach out to support again tomorrow I suppose
Ok thx
...but I find it really unlikely something would take that long to brute force in a module
What do you mean by "Hydra doesn't like me"?
It says connection error
Netexec doesn't say that, and the machine responds to pings
Netexec doesn't necessarily rely on pings for connection testing
No no it was just to tell him the machine is alive
¯\_(ツ)_/¯
Do u know what I should do
Is your target still up? Is it within the VPN or not?
Yes target is up and life is up to 300 minutes, yes vpn
Please pm me
But I don't think it's abt the target bc it's not the first time I've tried doing this module
you may want to figure out your hydra issue. I don't know, but I would wager hydra is faster than netexec since it's specifically designed for authentication stuff
I had the same problem the last time
Ok
Lemme see
if your syntax is right it should work, you can also try it on the pwnbox
How am I supposed to paste in pwnbox
in the right hand corner there's a clipboard you can paste things into
it shares the clipboard with the pwnbox
Hydra keeps saying "error all children were disabled due too many connection errors"
Still kinda lost. I know what doesn't work though, which is attacking the tmp folder and files, nor the help parameter
And it's even written grammatically wrong
check your command syntax, sounds like it's probably wrong. check the ip/port
Proxy the site through Burp Suite, turn on the proxy, click on every single button/link you see on the whole site. Review what's happening with each button/link.
hydra -l sam -p mutated.list ftp://<ip>
It starts
But then after like 10 seconds it says that thing
wrong syntax, check your syntax.
yeah, I was at the same spot a bit ago. If hydra just does not work at all, just use medusa
but try not to use too many threads or it won't work
Bro netexec has been running for 2 hours now
yeah, netexec is not the answer, I'm pretty sure
Mmmmm
hydra -l sam -P mut_pass.list ftp://<$target_ip> -t 48 -v
use this command and if hydra still doesn't work then use medusa. The mistake u made is lowercase p, which specifies a single password, not a wordlist.
Ok I got netexec medusa and hydra running all the same thing
Ig I'll just let my computer lie there and power it on tomorrow morning
don't run multiple brute forcers on one target
they're gonna interfere with each other and it's gonna get messy and just not work, I'm speaking from experience
you can shorten the wordlist a lot using this command
sed -nE '/^[[:alnum:][:punct:]]{11,}$/p' mut_password.list > mut_pass.list
and the password is not too far down the wordlist, it will still take around 30 mins though.
I don't suggest changing the wordlist that they have you generate
Did that and somehow I'm still in the same place
I am stuck in the Web Attacks module, Chaining IDOR Vulnerabilities. The question is: "Try to change the admin's email to 'flag@idor.htb', and you should get the flag on the 'edit profile' page." Can anyone guide me on the steps I should follow to get the flag? Please reply
Hey guys, dropping this message again
I am stuck in the Active Directory Enumeration module, under Bleeding Edge Vulnerabilities. In PrintNightmare there is no cve.py available on the machine. I have reset the machine many times
On the attack machine there is no internet, so I cannot clone the repo
But yeah, I just looked it up, it can be performed using Metasploit
If I remember correctly, the required tools can be found on the machine under C:\Tools
Linux Attack Machine It Is.
You can pivot from your host
How can I? I have tried researching about this but to no avail
There is a module for pivoting in the academy i recommend reading.
Thanks for the tip, I'll do it after completing this module
I'm on the Burp Intruder section of the Using Web Proxies module. I want to know if I'm doing this right. I have common.txt as the payload and added a .html suffix. It's taking forever to get through it and I'm wondering if this exercise was meant to be this long
Same problem here also
Uh oh, nothing is meant to be too long in the academy. The goal is to learn and not wait for brute force or fuzzing
Weird. It went through the whole 90 minute time and didn’t even get through the lowercase a’s lol
but there is no other directory which contains tools
- I cannot download because there's no internet
What am I doing wrong?
that doesn't prevent you from having tools on the system
How can I do that? Because the tools are not preinstalled
Did anybody solve the JSON module in Advanced Deserialization Attacks? All my payloads don't work. Could anybody give me a hint?
Transfer the tools
last time I checked the tools were there
I am sorry, how can I do that?
I have tried resetting the machine at least 5 times but no luck
there is a module dedicated on file transfers
I suggest looking into the file transfers module, there's a plethora
Resetting the target won't move the files or change your current working directory
Also terminated and started new machines
I’m still super stuck on this
how do you know the tools are not on the machine? did you search for them?
Yeah, searched in every folder but they're not present
how did you search? please tell me 🙂
was it grep? was it find ?
checked in all these folders but no file here
that's not searching in linux... use find... it will be something like find / -name blablafile 2>/dev/null
okay lemme try
you should do Linux Fundamentals before going into any Windows/AD attacks
I am really dumb, so so sorry for wasting your guys' time
it's fine, that's what this server is for 🙂
Thanks
Someone please ;-;
i've not done that module but if you can give me a bit more context and please upload a screenshot not a phone picture then i may be able to help
neither of the steps from the screenshots you've shared indicate searching for html files
why are you skipping the names that start with a dot ?
Then I don't know how to search for html files based on the information in the section
ive tried without doing that
check the hint
no no no you are doing good about html files
you are using the payload processing right
But I can also just add the .html as a suffix right?
I'd say your problem is, or can be, that you skip the words starting with a dot and you grep for the wrong output. What's in that file?
I've gone through the payload without skipping also
it was taking foreeeever
set the grep match like this:
lets see if that works. running it now
what the
yeah... that's slow as hell haha
damn
hello guys! Can someone help me in a box?
are you able to give me the first letter of the file so I can just see if I'm doing this right? Or is that not allowed? Or would it be different for us anyway?
It won't be different. However, I think you are doing the right things. How are you looking for the results?
well there haven't been any. It's all just 404
and time runs out before I can get through the payload
its infuriating
expand the time, give me a screenshot of the results please also with the request sent
there isn't a button to expand the time for me
ah yeah there isn't one for me either on this one ah.. show me your results and the requests so i can see what's wrong
Yeah just had to start up another one so I'm restarting and I'm just gonna let it get through as much of the payload as possible
are you sure it's making the right request ?
look at the results, click on any of the 404 and aon the buttom you should see the request it made... please screenshot that
yep it will never work 🙂
what
mmk
you see the payloads? that's wrong. they should simply be wordfromwordlist.html
Like this?
found it now ?
when you done with this and go to zap you will love how fast zap is haha 😄
ok, has anyone done the Footprinting module? I've finished it all but the host-based enum DNS... I can't find the answer for this one: What is the FQDN of the host where the last octet ends with "x.x.x.203"? The hint doesn't help, I've literally run all of the wordlists
gonna take a nap while it runs is what imma do 
you should've got it by now..
jeeeeezzz that's slow as helll.. but you are close
@tulip bobcat take the smallest list. If you don't find anything, use the next bigger one
no no no don't stop it now you are close
Lists with 5000 entries or more are too large
yeah, I've tried the small ones already 😦
oh my god
And probably faster to do with ffuf than burp intruder on community edition
Have you found all the zones?
I found it
he needs to learn Burp, hence why I've not suggested another tool
Better to learn with other things
Don’t use intruder on community edition
It’s too slow
On burp pro it’s fine
i believe so 😄
welp. I'm very aware of that now haha
jump onto zap now, you will love how fast it is
it's gone through the common list in a couple of seconds for me
Ew zap
Yeah I like burp just not for intruder lol
Send me a DM with the zones you have found
hey everyone is free to like any tool haha 😄
Goodnight all thanks for the help I was going insane
anyone able to point me in the right direction for sliver skills assessment? I'm struggling to pivot effectively.
can I DM? dont want to spoil
Sure
thx man, i've finally managed to finish my footprinting module 😄
Hello, I'm working on the Attacking Wi-Fi Protected Setup module, inside the
Online PIN Brute Force using Reaver section
The question is: what is the WPA PSK for cor-vpn?
It has been running for the last 2 hours
The same question for another network took only 1 minute. I tried resetting the lab but still nothing
Any help will be appreciated
Is that the second flag?
If it's running too long, your approach is wrong
Try something else
HTB Staff wouldn't create something that required you to run a tool for 2 hours
Or would they 👀
Yeah, it is the second question and I've run out of all my possibilities to solve this
There are 3 "uses" of reaver detailed in that section and 3 flags
Since you got 1 already and the last one is by itself in the question, why not try the last technique?
Hello guys, hope your day is going well!
I am currently trying to solve the Login Brute Forcing - Web Services lab. It asks me to brute force SSH using Medusa. The issue is that I am using the 2023-200_most_used_passwords.txt wordlist and as the username I use sshuser (as shown in the lab). I use the HTB-generated IP and HTB-generated port. It takes medusa up to 10 minutes to finish but it doesn't show me the password. What am I doing wrong?
I would appreciate any help regarding this 🙂
what is the command you are using ?
sudo medusa -h 83.136.254.158 -n 42786 -u sshuser, admin -M ssh -t 5 -P 2023-200_most_used_passwords.txt
well, that sounds right. Might wanna check a different wordlist?
Also checked most 20 passwords used for ssh. I will continue my investigation and keep you posted. Thank you 🤝
actually, I've just run it and it found the password... it's in the same wordlist you got
medusa -h 83.136.254.158 -n 34260 -u sshuser -P /usr/share/seclists/Passwords/2023-200_most_used_passwords.txt -M ssh -t 10
maybe the machine is malfunctioning, I shall restart the instance
Also I've read that when you increase the -t it can drop some passwords, is it true?
yes it's true
but i think t 10 is fine in this instance
Anyone give us a nudge for the VNC password question on SA for Windows Lateral Movement module?
What session have you got?
I got the WSUS update to work and got admin on support but stuck on VNC password.
You will need admin privs in the VNC Server.
yeah I guess the server is on the DC?
Have you port scanned the Hosts? If you port scan DC you'll see that it's somewhere else
gotcha
VNC runs on port 5900
I am stuck in the Web Attacks module, Chaining IDOR Vulnerabilities. The question is: "Try to change the admin's email to 'flag@idor.htb', and you should get the flag on the 'edit profile' page." Can anyone guide me on the steps I should follow to get the flag?
Like you've done everything you think is necessary and yet you didn't get the flag?
Fellow friends, I was wondering how you organize your tools for Windows when there is no all-in-one toolset such as Kali for Windows targets. I'm currently keeping a folder of all the tools given to me in the modules by HTB and was wondering if there is a smarter way to tackle this.
Good morning, everyone! How's it going? I'm starting my journey in hacking and have begun studying with HTB Academy and labs. I'm currently practicing with the Starting Point exercises, too. Honestly, I feel a bit lost about what to focus on first. Do you have any tips for a beginner on where to start? I'd like to work in Red Teaming, and right now I'm following the bug bounty path on the Academy and practicing with HTB labs' Starting Point. Thanks!
There actually is, give CommandoVM a try:
https://github.com/mandiant/commando-vm
I personally would use a VM platform like this instead of holding onto tools on my host machine.
Download them as needed 😂
Just get your notes for whatever you'll need and the commands and urls will be quick accessed
help me with this https://academy.hackthebox.com/module/19/section/103
what to put in answer ?
Guys, I'm in Password Attacks > Password Reuse / Default Passwords. I am inside SSH from the previous module but I don't understand how to log in to MySQL. I tried the default password but it's letting me in
read the section again, all the way through slowly, there's some good stuff in there
I don't have access to that module :/
bro fix this thing i can't get the flag https://academy.hackthebox.com/module/19/section/108
your cpts yooooooo
Nothing is broken
Nmap is only one part of the puzzle here
I am not a pro bro, I am a noob, tell me which port to look for
I'm not telling you exactly what port to look at.
Maybe it’s best to go over fundamentals
bro you don't make any sense
there are 7 ports
We won’t hand you the solution
Start with the obvious, fundamental, ports
idk obvious ports
Also in your basic/standard scan include -sV so you can get some understanding
bro it will show SERVICE VERSION
i know nmap i am not new in it
but i can't just find the flag
Well that section says using NSE, meaning use nmap scripts
but which script
The solution is in the section
thank you guys for helping, I appreciate that, hope God helps you guys too
We aren't giving you a direct answer because that would defeat the purpose of learning, but try the commands shown and you might have luck
it will help a lot, thank you
some amount of critical thinking is necessary. we can't do that for you
And even then nmap will only give you a place to look
thank you guys for telling me these things, I appreciate that a lot, thank you
can anyone tell how will the flag look ?
i don't want to miss flag
Like most other flags
idk how the flags look
HTB{yapyap}
I read it again
I don't get it
me too
It's saying most services come with pre configured passwords
R u in the same module?
no man
but try default passwords hope it works
There's a pw cheatsheet
Yes I already tried those credentials
The blue links within each section are worth checking out
Hey guys
There's specifically a default credentials cheatsheet
Yes I tried it but there's no mysql
https://academy.hackthebox.com/module/109/section/1037 stuck on the lab here. My payload is ip=127.0.0.1%0aecho%09${PATH}. I get invalid input, but as soon as I remove echo it goes fine, so echo is prolly blacklisted, but idk how I'm supposed to read the path without echo
bro do ls
There is, it's running internally
I don't understand are you talking about the cheat sheet or the machine?
Why are you trying to read the path?
I am trying to get into forensics. My colleague at work who is on our forensics team gave me a challenge: figure out how to get into an Excel sheet he provided. From what I have gathered Excel uses AES-256 encryption, but I gotta do more research on this specific file version.
I'm asking for some ideas on what tools I could look into or more reading material to further go down this path of learning. I don't want the answers, just direction so I can find them on my own.
The machine
i am just stuck so bad at https://academy.hackthebox.com/module/19/section/108
It's why the first instruction is to ssh
Use one of the script types shown in the example
you know that you're helpful
Yes, I logged into SSH and I tried different commands with mysql. I tried different default passwords to log in to MySQL but it's not working. I opened the cheat sheet in the module but I'm searching for mysql with Ctrl+F and there's nothing for mysql there
i think you just said
bro, there is a written cheat sheet
but my hint, cheat sheet, nothing works, just the submit button and spawn target
Are you in the same machine I'm doing?? Do you know what we are talking about?
bro it is simple
there is cheat sheet
Can you answer me
look
Are you in the same freaking module? If not, pls stop, you can't talk about something you don't know
idk, but when I try to do like ls then the ${PATH:0.1} for the slash and then home I get nothing. I'm clearly being an idiot but my brain just ain't switched on rn
Password Attacks skills assessment - easy lab - is the password cracking usually a long process on it? And other than increasing the thread count, what else can I do? It has been running for over an hour right now
shouldnt take that long
It's not 0.1 it's 0:1
bro every module have cheat sheet
there's your problem, review the list, think of things related to mysql
thats just a typo
wdym
not u
Mssql?
Please stop trying to give them advice tbh
Yes pls stop
@fathom pendant that was just a typo in my payload its a colon
i am trying every script on every port nothing works
Yeah ${PATH:0:1} will/should be /
no, but if you think of what mysql is, you'll get it!
I figured that. I used the mutated list from the resources and I am running Hydra with -t 48 but it doesn't seem to be doing much
You can run like --script <type> without specifying
wdym
It's told to you in the section
/usr/lib/nmap/nmap: option '--script' requires an argument
Uhhhhh it's a database?
I meant specify the type my guy
agggg ok
Replace <type> with the type of script
You don't need to specify a port
But one may seem interesting
Knowing what default ports map to is important
ok
oh i just looked at the list, yeah you should be able to find it as mysql >.<'
port or script ?
Tffff
Ill send a pic
just dm
man, you're elite level, I mean elite is kinda my favourite rank on everything
@fathom pendant
ip=127.0.0.1%0als${PATH0:1} this works and lists style.css and index.php but when i do
ip=127.0.0.1%0als${PATH0:1}home i get just the ping results
anyone pls help about https://academy.hackthebox.com/module/19/section/108 i need nothing just pls help me in this
I am doing Windows file transfers, and in upload operations we can upload a file from PowerShell with the wsgidav/cheroot Python module by running this server and copying the files to this server from PowerShell and cmd, but I can't list that share on the Windows machine
pls
Dmd
Bro u keep spamming the link just say what room ur in and describe the problem
i just can't find the flag
-sC -sV
FINALLYYY
anybody
I knew this would be on that shit port
but why didn't I check it before
i am so stupid
wait is htb trolling ?
it says my flag is wrong
HTB{******}
remove white space
ok
still
Try, perhaps, something like "h"o"m"e
.
anyone help
ill try and if that works thats dumb as hell 😭
i got the flag but it says it is wrong
ur clearly just copying it wrong
I believe that method is gone over
bro, how to copy it correctly
@fathom pendant
windows yuck
make sure u dont got any spaces before ur flag or after or it wont work
HTB{*}
it just don't work
@empty trout help
are flags the same for everyone?
It should be, if I'm not mistaken, be in a specific .txt file
yep i guess
Yes
Any hackers ?
@fervent siren dm me ill check its right
I am an Aspirant
That's not the right flag
its wrong
why ?
Because that's not the right flag
try one more time, there is another, maybe that is not the one because
There's a different service with the flag expected
it's not matching my flag if all the flags are the same
It's hinted at within the section which port to look at
i can't open hint my just don't work
hey resolve my issue tooo........
I'm not talking about the "hint" button
are u using Brave? the pop-up will not appear in Brave
sounds like ur htb connection just dead then just refresh ur page and stuff
I don't know how to fix ur issue dude
Likely adblock/popupblocker
what module is it i dont think i done it yet
Windows file transfers
nah tbh mine does that all the time and i always have to refresh
You don't have to use the described method, you can use another
yeah i did that but i aint got no notes cuz im an idiot what section is it again?
i am trying on a local vm i am not using rdp
From what I heard wsgidav is just a PITA
yeah, but everything is working fine, I just wanna try this one, it's very new to me
I mean in the File Transfers module, in the Windows file transfers section
alr im spinning up the machine see if i can get it to work
yeah
U are a hacker ... Nice to meet u
Well me too kinda ... But still learning ... Thats why aspirant
trying to perform windows.memory.Acquisition using Velociraptor
keep getting this error because the machine is isolated from the internet
Checking WinPmem64: While resolving github
release Velocidex/WinPmem: Get
"https://api.github.com/repos/Velocidex/WinPmem/releases/latest": dial tcp: lookup api.github.com: no such host
This channel is for help with the academy modules on http://academy.hackthebox.com
never stop learning in this industry trust me
Yeah
I love this Industry ...
What Recon Tools are ur fav ?
This isn't an idle chatter room
depends what sort of recon ur doing lmao
Has it ever happened to anyone that while having a reverse shell from Windows, attempting to run exe/PowerShell scripts won't return any output (when it most likely results in an error, probably permission-based errors)?
Any Recon ?
Like OSINT
And why the Hell was my Username changed to Ari McVerify 😭
#welcome <--
dont really do osint lol
for penetration tests its good but rn im just doing labs and working on bug bounty
bug bounty has some osint tho
Please just tell me the port or i am not using htb Academy anymore
I am not on a PC either
It's one of the ports you've found
Currently on phone
I'm not telling you directly
oof
It is common sense
Web will be the only hint
You mean port 80 and 455? Or the weird 33-something port called elite?
I found the flag at the weird port
455 isn't web
I see nothing in 80
Also 445* smb
I see nothing in 80
Well then manually investigate what the scripts, like vuln, may reveal
Ok, tomorrow, not today. Thank you for telling me that, which I already knew
But isn't it a troll to put a fake flag on the elite port?
im running the scan now ill help u out just give it a min
It's a flag for a different section
Ok
It's why I said earlier, stick with fundamentals
Bro thank you but just relax let me learn
yeah im not gna give u the answer lol
welcome to the club what bike?
Sister, see, I already saw another flag so I am so confused
@teal sparrow have u tried
You can dm
nah i installed ubuntu like 2 days ago and i have 0 tools 😭
Bye guys
done
Intro Sliver C2, Anyone knows if sliver still supports multiplayer mode ?
I can't get it to work
anyone has an idea?
It does
To make a new operator, do you use that new-operator command??? It doesn't seem to recognise it, nor does it recognise the multiplayer command... did you encounter that?
Are you making sure to run the commands in the Sliver Server bin!?
I'm just typing sliver in my terminal 😅
Are you doing the module!? Check again.... The Module's content, it looks like you are running stuff in the Client and not the Server
[*] Generating new client certificate, please wait ...
It should be preceded by [server]
Hello everyone, I've been having an issue on the following question in the Wifi pentesting module: Decrypt the file located at /opt/decrypt.cap using airdecap-ng. Look for sensitive data indicating a user is attempting to log in to a website with a POST request. What is the password entered during this login attempt? (The WPA key for ESSID named CyberNet-Secure is Password123!!!!!!)
So I already decrypted the capture file using airdecap-ng and opened it using Wireshark. I then used the display filter "http" in Wireshark to see the HTTP conversations. After following the TCP stream of the POST request in Wireshark, I was able to find the username, which allowed me to answer the first question. I was also able to find the password; the problem is that the question is marked as wrong in HTB even though I'm 1000% sure that it's the correct answer, because there is only ONE POST request and only ONE login attempt in the entire capture file. So I'm left wondering if this is a mistake on the platform's end, because like I said there is only one POST request.
I don't have the module yet🥲 I am doing it for a project... I'm running it from the server rn
You can DM me what you got. I can tell you what might be messed
Wi-Fi pentesting basic skills assessment, question 3: I can't connect to the Wi-Fi
Hey bro i just sent you a DM
There may be something stopping you from accessing
The problem that I've been having
but what? my config file for wpa_supplicant is correct
The device you are trying to connect to
You can do it easily with GUI in a non hidden wifi network
but this wifi is hidden
And there is one not hidden
That's how you start the server right ?
Thanks B5null
I should use the binary!!!!!!!!????
wget -q https://github.com/BishopFox/sliver/releases/download/v1.5.42/sliver-server_linux; chmod +x ./sliver-server_linux
Thanks for the client
let's get to work, send over the cfg 🤣
Thanks mate. I think it's gonna work now
You'll need to set the Server too
Alright
but I cannot connect to it
shouldn't dev user have SeDebugPrivilege?
There may be something stopping you from accessing
Well well well @dapper moth, I appreciate your help mate... days of frustration
Probably one thing you haven't since you aren't connecting
Read the last sections again
If I give you more than this it would be too much spoiler
Can I ask a question about a retired machine here, or is there a better place?
thanks
might be that I am too tired, but I am going through "Information Gathering - Web Edition" - The "Creepy Crawlies" section, where it tells me to reconspider the inlanefreight.com domain, but there is ip/dns info? I have app.inlanefreight.local and dev.inlanefreight.local from a previous task, but not inlanefreight.com - what am I missing?
I have no access to this... how do I fix that?
if you mean that there is no ip info, inlanefreight.com is reachable on the internet, try it out
I pinged the host, it's active
As mentioned by others, follow instructions in #welcome
Thanks a lot.. didn't think to check the internet 🙂
nodemon
Is there someone who is knowledgeable about AD penetration?
I've gone through the AD Section, but doing the skills assessment section, I feel like I don't think I understood it well
hint?
Have you restarted the target?
Yo guys, I am trying to complete this LFI/RFI Module, and when I spawn the target machine and start working on it, it just keeps crashing. Like it is working just fine, and then suddenly I just get connection timed out, and I can't ping the IP, I can't trace it, not even scan with nmap, nothing. So I have to spawn a new target machine, then it starts working for like five minutes, then it crashes again. How can I resolve this??
yes multiple times, also my vpn connection
Easier to ask your question
confirmed same for me
Were you able to connect to the Hidden one!? I got some errors with wpa_supplicant but I think something in my conf file is wrong
I guess it wasn't really a specific question but I'm on AD Enumeration & Attacks - Skills Assessment Part I at:
Submit the contents of the flag.txt file on the Administrator desktop on MS01
And I guess maybe I'm just too tired to really think about how to proceed from the previous section but when I looked at the hint, it said I needed to proxy over to the MS01 via the Web Application host and I don't really understand how I would have figured that out
Idk if it was just obvious, or what I would have needed to have done to figure that out
Api Attacks: Broken Object Level Authorization
Can I get a hint here?
If I remember correctly there was a 5G Wifi to which you can connect via GUI. But there is a catch, you can't connect directly.
This path I've done it already
I think I wasn't able to connect to the hidden one
I'm trying to get to the alternative path
You can "arp -a" or once you get a session to a host, check its ip configuration, see if there is any other ip address and subnet and then tunnel to scan for different targets
that makes sense.
I guess I'm just too overloaded with life rn to be focused on the HTB Course. Think I'll take a bit of a break and come back with a clearer head
Yeah, you can DM.
If you’re still stuck check which login credentials you’re using, they’re different for the question than in the example
Adapting Seatbelt.exe to not be detected by Windows Defender. What is threatchecker calling out here?
Has somebody finished OSINT: Corporate Recon? Stuck with Cloud Storage and tried a bunch of ways, but nothing worked for me... bit desperate
perfect, that was it. ty
Guys for credential password attacks> credential hunting in Linux I have to use the mutated password list from a few modules before this right?
Yes, that sounds right to me. This module has some tricky bits like you describe.
Uhh hydra is saying it's gonna take 7 hours
hang on I'll poke at my notes and see if you're off course.
Thx
You're on the right path, but my notes don't indicate what tool I used, only that I attacked the services I could access.
It obviously shouldn't take 7 hours. Either adjust your tool settings, try something different, or consider if your lab is bunk and give it a restart.
My notes do suggest this one was "frustrating" particularly because, AFAIK, you must look at the hint to have any clue as to where to start.
Yesterday I was doing another room and hydra took like 3 hours. Idk why, I got the -t 48 flag
My cpu is at 5% on Kali VM and I have 4 terminals open all cracking different services. Hydra always gave me problems idk why it's not showing high CPU usage
Did you open it with ghidra or a similar tool to check out that offset? FYI, I haven't done the module you're working on, it's just something I would do when running stuff through threat check.
Someone here solved the Linux Special permission section? Do I have to go to every directory and do ls -l and see what is missing in the output of the command they gave me?
i just got here
You can DM if you'd like.
Yes please
can someone give me a hint for password attacks lab medium im already in the machine as a user
Someone?
hey um
what do i do
it looked cool but I think it's more than just talk about nerd stuff
from looking at the rest of this
What do you need help with @last spruce
Nerd stuff? Nerds make the world go round 😆
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Can someone help me check my gpu? Idk why but cracking stuff always takes hours even when people here say it takes 20 minutes max for a module
Are you using hashcat on your host or in a VM?
Were you able to get it figured out? I ran into the same problem. I could use help, please.
Yeah. Don't compile it on the host/pwnbox. Transfer the .c file to the target and then compile with gcc. The gcc versions on pwnbox and the target don't match.
Select functions and files through search. This technique is much faster and quicker, though it is not as comprehensive and may lead to many missed opportunities. We can search for certain sensitive functions through the code base (e.g. with find/grep or text-based search). For example, if we were dealing with a PHP web application, we may consider searching for functions that execute system code, like exec, system, passthru, and others, as we will see later in the module.
Hey guys. Why is it difficult to find key functions in a whitebox test? Don't developers have some way to like organize all functions into one place to manage their development of the app? It seems very disorganized
Why is it difficult? There are different frameworks and structures developers use. How are you struggling exactly?
If it's a whitebox test, you have access to the source and are able to navigate the codebase and are aware of sensitive methods etc, it should not be too difficult
I don't want to spend time enumerating for key functions in a whitebox test. Things like VSCode should have a method of organizing all functions for me -- developers should be using such a method to develop better
And how would you have it organise functions?
At the end of the day, developers will code appliances as they see fit, following a framework, or not
It takes all functions and puts them in a table with all their relations and what they call and everything
That's called static analysis
As part of a whitebox test, it's your opportunity to understand the underlying logic of the appliance, and then to understand what mechanisms may be abused, what unsafe functions may be called and how you could potentially reach them in order to abuse them
The style of the project, while sure you could scrutinise a developer for, is not part of the job 🙂 There are modules out there which provide static analysis features for various languages in VSCode, I'm sure
(like GitHub provides when selecting classes, function calls, etc)
Boom! Thank you! Phew, that was scary! 😆 I appreciate your help 🙏🏽
But as static analysis goes, that's basic stuff
Thanks I will try to develop my own method to automate as much as possible
Glad I could be of help.
Sure.. just, don't spend more time developing your methods than is required to complete the white box task 😉 Easy to get caught in that rabbit hole of "surely I could just.."
Going down the road of static analysis, variable taint paths, that kinda thing.. it really is a rabbit hole
Fun though 🙂
On vm it will always be slower
Any of the Pentest modules focus on code review? I need to get much better at doing them. Specifically Java code review
Yeah there is
The intro to whitebox (I'm doing it now) and the whitebox attacks, and the javascript obfuscation modules
And if u want to get better at code review, replicate the web apps u attack and then review their code and match the vulnerabilities with the code
Thank you much!
There is also one project u can do
Make a website -- add many functions to it, like input fields and logins, then slowly remediate vulnerabilities
Bro I'm not kidding u it's been like 2 hours now and it's still trying to crack one hash and one hydra
running hashcat on host will be quicker. Depending on the protocol there isnt really anything you can do for hydra
no module takes more than ~30 mins to crack anything, and 30 mins is on the high side
I’m having trouble looking for the unique domain record that’s supposed to be in double quotes. I have tried everything I know and still can’t figure it out
Nah bro I'm telling u
Theres something wrong with my pc
Did you do a zone transfer or anything? It helps to say the module and section you're working on
What module teaches zone transfer?
Axfr is a part of one of the early cpts modules iirc, it's been a minute
where can i check when my current sub expires?
I'd imagine you can find that information here https://academy.hackthebox.com/billing
I don't have an active subscription so cannot confirm I'm afraid
yeah mine has reactivate, but doesnt give me the date that it ends
yeah, trying to work out how long I have to finish this module tho, since I will have to wait a fortnight from today minimum to renew again
Yeah, can see in source if it's in the cancelled state it doesn't show the end date
One sec..
appreciate it
Sent a DM
Module: Documentation and Reporting
Section: Notetaking & Organization
Link to section: https://academy.hackthebox.com/module/162/section/1534
Under the sub-section "Artifacts Left Behind", it states it's recommended to provide the client with file hashes of web shells, payloads, or tools that we upload to their hosts.
If I'm moving all my tools at once in a ZIP file, do I provide a file hash of the ZIP file or the file hashes of the individual tools once unzipped? I'm guessing the individual tools?
I just need the path to the directory where all the tools will be stored and the zip hash before unzipping.
ok dumb question; I'm doing the SOC Analyst path and got to the windows event viewer portion > when launching the target it says 'RDP to Target' .... Am I using my own RDP program or one within the pwnbox?
Doesn't matter. If your host is connected to the VPN you can use your Windows RDP, otherwise use whatever VM you're using to connect to the VPN. Alternatively you can use the pwnbox.
oh i see. i got it now! thanks!
general question any commands to check what hosts are alive in a subnet? most of the time icmp ping are disabled so ? using proxychains
Most everything in academy can be pinged so from your jump host you can do a sweep. Also from your jump host you can try to view arp, but that won't always paint a full picture. Alternatively you can do nmap scan on common ports 135/139/22/445/3389/5985.
yeah was a general question mainly regarding if i encounter a situation where its disabled
all i can think of is this proxychains nmap -sT -vvv -Pn --top-ports=10 172.16.113.0/24
when i did this i got Nmap done: 256 IP addresses (256 hosts up) scanned in 252.77 seconds
If you can, ligolo would allow icmp and faster scans with nmap
fuck im stupid
i forgot ssh -N -D 0.0.0.0:9999 database_admin@10.4.50.215 doesn't support icmp
socks doesn't allow icmp
the thing with ligolo is I have timeout issues with double pivot, meaning my other agent can't connect to me
Should be able to. Just need to stop the first session and start the second session
shouldnt it connect first then stop the first tunnel one
yeah u do listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
then connect ur other agent
listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601
Then have the second agent connect to the ip of the first agent
yeah i just get timeout issues was unable to verify agent
etc
Running that proxychains method as root PrinceAli1?
no i use -sT i believe if u use root it does -sS and that can lead to issues am i correct?
Just asking as IIRC proxychains like that tor2socks or whatever the command was hooks methods used for initiating connections, which could be the reason for the false positive all open ports
torsocks, that's the one I was thinking of
no idea what torsocks is
If sticking with proxychains and nmap, try using the --unprivileged flag with nmap?
Proxychains (kinda) but for hooking connection methods for applications, routing through Tor (again, via SOCKS)
What module or lab is this regarding btw?
Bit late to ask.. lol
still lots of false positives
Running nmap as root (-sS) should provide a faster scan so would -T4
its just me playing around lol
#red-team might be better to discuss then, as this is a channel for module discussions 🙂
You using the internal IP of the first agent?
the Thick-Client Applications section is really making me pull my hair out. I'm at this step: "Rebuild the JAR file by following the same steps and log in again to the application". The instruction here isn't clear: should I recreate all the previous steps (compile, create new folder, extract etc..)? Really confusing
Sorry it was slow here.
yes yes
anyways break my head is getting clustered with this running around
i do have a way of making nmap work
but it would be netcat script
proxychains bash -c 'for i in $(seq 1 254); do nc -zv -w 1 172.16.113.$i 445; done'
like this
If you step away from it and come back and do it again I feel that helps.
my ego refusing
no clue but its working now
Hello everyone .. I'd like to ask yesterday I completed my misc chall and I submitted on htb wanna ask when may they respond to me ?
[Agent : confluence@confluence01] » ERRO[0637] could not register agent, error: connection write timeout
this is what i get lol
database_admin@pgdatabase01:/tmp$ ./agent -connect 10.4.113.63:11601 -ignore-cert
WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established addr="10.4.113.63:11601"
2024/11/05 06:37:54 [ERR] yamux: keepalive failed: connection write timeout
2024/11/05 06:37:54 [ERR] yamux: Failed to write header: read tcp 10.4.113.215:59648->10.4.113.63:11601: use of closed network connection
ERRO[0040] Connection error: keepalive timeout
FATA[0040] keepalive timeout
Does sliver only work with its own stagers, implants or beacons.... I can't have a reverse shell through a vulnerability back to the Sliver server?
sup i am back
welcome back @fervent siren
how are you doing man ?
can anyone help with https://academy.hackthebox.com/module/19/section/108
If you're asking for help, please post the full module name and section. So that people on their mobile don't have to click it (for me, opening this link on my phone will open discord browser and then when I move to my default browser, I just end up on the homepage). You'll get more responses this way
ok
module 19 section 108 idk how to get the flag
Module : Network Enumeration with Nmap Section :Page 7 Nmap Scripting Engine
just a quick question mate @dapper moth 
isn't anyone here good at hacking enough to help me ?
Feel free to dm me and I will have a look in a bit when I have time. Send me everything you've tried.
But as I mentioned yesterday, the answer to get there is within the section really
You can use other triggers, but eventually have to use its shellcode
The Academy Module has a section on this
I saw, I still don't have enough cubes for it, my sub does not cover that, painfully
I see, thanks
Yo dudes, I am stuck on the Skill Assessment last question of the DACL II module. Anyone free to discuss what I am trying to do that is not working?
@ocean night
Why are you pinging him for this?
We were talking about finding functions during whitebox
Do you need help with a module or something?
When I need help with a module, I will tell you that I do. So don't annoy me any further
Dude you’re in the #modules channel, that’s where people ask for help with modules
If it’s not related to a module and only for goblin, just dm him
Shut up
tf is wrong with you lol
Now, be nice please

If it’s meant for g0blin only, I agree, best to dm them.
Should I be running Inveigh/Responder on every host I compromise on a network?
can some one help me with Exploiting Web Vulnerabilities in Thick-Client Applications(in Attacking Common Applications) ...............??? i am hard stuck in this part of the module
Whats problem? Give summary of what you tried
i have already updated the invoker.java file but when I try to compile it... it gives me errors
lets say i have a nc shell open, and there is a file i want to take from inside there into my machine. whats a good way to do so?
Message me ur commands to compile it and I'll show u errors
but i am blind
Any ideas of interesting forums to learn and see what is going on secretly
Hello I need assistance with exploiting Sysax FTP Automation 6.9.0 in Attacking enterprise module for privilege escalation. I'm trying to add the ilfserveradm user to the local administrators group using this exploit, but I'm stuck. The solutions provided by Exploit DB and Hack The Box material have not worked for me. If anyone has experience or guidance on this, your help would be greatly appreciated.
are the servers ever bad? when I ping my target its responding well but when I nmap it, it wont give me anything back
@everyone just help me in module Network Enumeration with Nmap section Nmap Scripting Engine
What exactly is not working?
i can't find the flag. I found a flag on a port and when I submitted it, it says wrong, so then I heard that is another section's flag, so I know I should scan 80 but how? I am trying everything but can't find anything
Did you use the scripting engine?
@unique sun @fervent siren don’t try to ping everyone
You would’ve annoyed 265k people if it worked for you
bro some people did so btw sorry
That ping doesn't work for you
Thankfully
yes
can some one help mee with java compilation error ......
fatty-client-new.jar.src\htb\fatty\client\methods\Invoker.java:144: error: unreachable statement String response = "";
prob gonna need to see a code snip. looks like line 144 prob missing a terminating ' or semi
you're using a code editor with line numbering right?
no. it is just a notepad
ok, are you using pwnbox?
ok, uh, install sublime or vscode or something
yeah go ahead and send it im happy help
then we need to get you squared away with a more effective editor
i have send u
Hi!
Can someone teach me hacking?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@cedar lynx #modules message
and please do not repeat your post if nobody responds immediately
what are you doing brother ?
can anyone help with this medium difficulty thing ? : https://academy.hackthebox.com/module/19/section/118
Anyone done the SOC Path: Rapid Triage Tools:
https://academy.hackthebox.com/module/237/section/2612
I'm wondering how they came up with --de 0x16169, the location of the $MFT dump details, without having shown a way to parse them prior to identify it
i tried just running mftcmd or whatever its called on the kape output and browsing some json atm but unsure where to begin looking (other than grepping for the already known string itself)
ok grepping for the friggin whatever the hell that is, 0x16169 returned nothing...
so who knows where it came from...
nvm found it vis grep "16169" instead of 0x16169
oh nvm, i see its pictured in hex data from a screenshot but still... this is odd
can you help me with this one
Hack The Box Walkthrough: Academy
please help me. I downloaded Academy image and I used reverse shell php from but I have still: nc -nvlp 1234 is till listening nothing changed
I am stuck there
That doesn't tell us what module you're working on
hey, I'm having problems with the Windows Privilege Escalation : Interacting with Users module. I managed to find the share that was mentioned in the hint and created a scf file there. When I run responder "sudo responder -wrf -v -I tun0" I got errors. When I run "sudo responder -w -v -I tun0" it works but I got no response. Anyone know where I went wrong?
Guys hashcat is still trying to crack the ntlm hash after like 15 hours
It's one hash
I'm thinking there's something wrong with my laptop tbh
@fathom pendant do u know what it could be?
Hydra also takes basically half a day to run
Don't ping me randomly
Yeah and don’t ping people for that, just wait till someone responds 
Good evening, alll
I have referred 3 friends in HTB, the site shows that I have referred 3 friends but I don't see any cubes earned for the referrals
Yeah and I wasn't engaged in your conversation
I'm not an on-demand helper
Ok
They need to complete the on boarding, also t2+ modules
Someone woke up with the wrong foot ig didn't know asking for help was so offensive
Legend also has it that if you’re not willing to help or advise, refrain from replying with robotic answers
My question mentions “ffuf” in plain text. It’s a tool , my good sir. 🙂
on the contrary, I'm very willing to help if I can. Surely I need to know the question first, though. Still waiting 🙂
(tone doesn't come across well. Sorry if I sound like a ***. It's encouraged to just go ahead and ask here. I just have too much time on my hands at the moment so I'm being verbose 🙂 go ahead and ask on your own time.)
GM
You don’t sound like a 3 asterisks. 🙂
Going ahead and asking is a fine arrangement but I personally believe in setting the stage first to make the conversation most fruitful. And I appreciate the fact that you are willing to help
Morning 🙂
For sqlmap essentials case 6, how do we even find the prefix without looking at the hint? I noticed that a certain character gives an error, but I can't think of a way to actually find the prefix without the hint.
Module is “attacking web apps with ffuf”. There’s vhost/subdomain fuzzing part.
To fuzz for vhosts that are not in public DNS records, we are manipulating the headers (FUZZ.web.com). The thing I don’t understand is why we are still getting 200 OK.
As I understand it, the server first opens the header, looks for subdomains, and fetches the response from the subdomain mentioned in the header. I mean, why are we getting 200 OK?
Does it mean that if subdomain doesn’t exist, domain is responding, ignoring the headers?
Hello guys. I'm not sure the best spot to put this, so I hope here is ok: On the Parrot OS website, there is an ISO file for the pwnbox version of Parrot. I went ahead and downloaded it so that I can use it through my VM. For some reason, I'm not getting persistent storage like I do with other OSes I use on VirtualBox, and even after going through the Advanced options and selecting persistence, on each reboot it's needing to reinstall, and I'm not getting the persistent storage.
I'm giving it: 8 gb of RAM (I have 16), 8 Cores (I have 20 if i recall), and 150 gb of one of my hard drives.
Any ideas why I might be having issues with persistent storage?
For this you need to understand how exactly the Host header works. In that case you can think of it as "multiple servers in one server", it's not entirely accurate but gets the point across. So you could have "web.com", and "test.com", which let's say is the testing environment for it, so the same app but without the production data. Depending on how the server is configured, it may or may not take the host header into account, and there may or may not be more "servers in one server" (this is actually called a "virtual host")
This entirely depends on the configuration of the server, you can't make any general statements about how a server will behave with a valid/invalid request host header
what is your issue with the 200 OK response, exactly? What do you understand by it, and what would you expect instead?
How can I verify my profile?
Not sure what exactly you downloaded, there's no "pwnbox" version of parrot on their website. Your persistent storage issue seems like you're opening the ISO instead of the installed VM. Also your setup is insane man, 20 cores is a lot lol
I think the answer to your question may lie there. When you fuzz vhosts, you are asking an HTTP server if it's serving a vhost under that name. It's the HTTP server that replies "200 OK" or otherwise. When you fuzz subdomains, you are making DNS queries. If one comes back positive, then you may query an HTTP server, who will then reply "200 OK" or otherwise
@solar granite https://parrotsec.org/download/ Heres the link... there's an htb version of Parrot that I downloaded to try to use. xP.
So even after arranging the boot config and removing the optical drive entirely, it for some reason isn't installing properly on the hard drive and quite frankly I have no clue as to why. I haven't had this issue with the standard Parrot Security version, or any other linux distro, which is the perplexing thing here.
I understand that 200 OK means existence of requested resources and it was delivered.
I expected the response only if subdomain exists.
Hello! About the wifi penetration Test Basics, how do I connect via RDP? I need help with this part
Header was set to FUZZ.web.com and request was made to web.com
My question might be silly because I'm new
Seems like you've downloaded the wrong thing. Did you download the "Live" -> "HTB" version? If so that's supposed to be like you're describing. I'm not very well versed with VM so can't help with persistent storage, but your use case of it is wrong tbf, that's not what it's intended to be used for. Try downloading the security edition under virtual and see if you have more success with that.
As I said it completely depends on how the server is configured. If you see it responds with 200 OK for everything, find another difference between the responses, if any
It was under the live... I was having issues with the .ova file from the virtual... might need to be what I do though. I kinda just got lazy and didn't feel like diagnosing it so I went for the iso... but I haven't had issues with an iso and persistence at all until now. I'll just use the regular security version and call it a day. Thanks 🙂
or run the installation procedure with the live version
The first option is "Try/Install" and then each time I boot it, I go through that option... I also tried the advanced option with persistence, but for some reason it doesn't seem to actually be installing, but yet I'm able to use the OS perfectly fine otherwise.
I don't remember what it looked like, but you need to install while trying, if it makes any sense. So you boot "try/install", then explicitly install (I think there's an installer on the desktop?), otherwise indeed you'll just be booting the live version
@sand rose if all else fails you can always go back to kali, or even install the tools on a Debian/Ubuntu VM, or whatever OS you choose. Honestly it doesn't really matter what you use, as long as you're comfortable with it
Is there a subnet that I can whitelist in a firewall to alleviate any connectivity issues with the HTB content?
Hello,
Someone could help me on the Login Brute Forcing module ?
I'm stuck on Login Forms with Hydra.
I think typing the right command and no passwords
I think my fault is on the params of http-post-form.
I'll poke around, thanks!
It's simply just something that feels a bit more intuitive for me to navigate outside of the terminal is the only reason why I'm trying to get it to work :).
to be clear, are you getting a 200 OK response for ALL attempts, or only for valid vhosts?
Alterations in response I understand.
It’s the response code. Does it mean that response codes are relative to the server and not universal? I.e. I can configure a server to respond with 404 in case of bad gateway
All of them. However valid ones are different ones than the rest.
well yes, but most likely in this scenario what is happening* is there is a rule on the webserver saying *.example.com -> example.com, which then gives 200 OK.
*(I missed the possibility that you're getting 200 OK for every fuzzed word, which is what I'm assuming now here)
right, yeah. I didn't understand that at first, thanks for clarifying
if you have a chance to look at a webserver config with vhosts (in some box or some module), have a look. It might help
Makes sense. Thanks 🙂
Confused the crap outta me
happy it helped 🙂
They completed the onboarding process, and from the referral page, I saw 30 cubes for the referrer when the referee completes the onboarding process
Reach out to support then
Alright, thanks...
Where can I get the mail address??
There's the green bubble on academy, bottom right
Also
Need to speak to a person? Learn how to reach our support via HTB Labs.
how to tell responder not to skip a previously captured hash
[*] Skipping previously captured hash for INLANEFREIGHT\lab_adm
Thank you, sir
If it's a previous hash, then it'll be in the logs
I'm in password attacks > pass the hash.
Question 5
Using David's hash perform a pass the hash attack to connect to the shared folder \dc01\david and read the file david.txt
I found David's hash through crackmapexec --lsa command but as you can see in the pictures it's not letting me access the folder.
Also another question, I solved this room a while ago and now the hash for David changed, is it normal or did I search for the hash in the wrong place?
Have you found the answer? Because I'm in the same situation and doing the same thing (mistake?)
The hash seems to be different. Try dumping the hash again with mimikatz.
Targets aren't spawning : (
switch vpn maybe
Same thing
machines not spawning or same hash?
Not spawning with new vpn
I guess only support can help on that
in the shells and payloads bind shells section and just keep getting cannot assign requested address. any thoughts?
shell*
Add a -v for verbosity and it should display previously captured hashes.
Look into what -l does :)
Hey, interested in anyone who modified Seatbelt and how they got around the import system management callout from defender. I ended up using a tool to obfuscate so I'm interested in how others did it
will do ended up going with a different shell code and got in to get my answer
Does anyone know if Kerbrute can be forced to continue scanning even after finding a username/password (password spray) match? Similar to crackmapexec's '--continue-on-success'
hmmm... maybe it's something to do with kerbrute, just moved one of the accounts kerbrute wasn't finding to the top of the username list, and then kerbrute found it... not really an answer but it works I guess...
looking at github that seems to be default behavior no?
```
(kerbrute ASCII logo)
Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop
2019/03/06 21:37:29 > Using KDC(s):
2019/03/06 21:37:29 > pdc01.lab.ropnop.com:88
2019/03/06 21:37:35 > [+] VALID LOGIN: callen@lab.ropnop.com:Password123
2019/03/06 21:37:37 > [+] VALID LOGIN: eshort@lab.ropnop.com:Password123
2019/03/06 21:37:37 > Done! Tested 2755 logins (2 successes) in 7.674 seconds
```
Is it???
It's not even scanning half of the accounts on there, the scan showing "2 successes" was after I moved one of the valid usernames it wasn't finding to the top of the list
Well the last screenshot has 21 instead of 19 usernames
Are you sure you’re using the right list?
yeah, I pulled the names using kerbrute, stripped all the fluff, and then ran it... and that number changes with virtually every scan, examples attached, also cat all the usernames in the file I'm running the command with, along with the total number of lines within that file (56)
So you understand "Alterations in response" but not "alterations in response status codes"? Status codes are part of the response 😉
Edit: what I mean by this is that they may or may not differ, just like the rest of the response.
In Password Attacks > PtH, what is DC01? Another computer on the network? An SMB share?
DC01 is the DC on the internal separated network on the machine
If you check the hosts file you'll see how it maps
Maybe it runs on several threads and, as soon as one thread finishes with a valid login, it also stops all the others; depending on how fast the threads work, you get different numbers of results.
Please does HTB have an interface to practice ATO? Most web logins or apps
I'm stuck on Credential Hunting in Linux in the Password Attacks module. I've got into kira's machine via SSH and I've found the shadow.bak file. I've tried installing ||Firefox Decrypt, since it was found in the bash history||, on kira's machine, but it is stating it is not able to resolve github. Also tried to scp shadow.bak onto my host machine, but I'm getting permission denied. Not sure what else to try.
I'm getting this person's issue, minus pulling my hair out and the existential crisis. I would appreciate any help. It's SQL Injection Fundamentals, in the writing files section. I'm able to write files and read them by navigating to them. The webshell returns a blank page or, sometimes, just the number 1. I've tried the variables 0, O, and cmd. 0 is always a blank page. When navigating, I go to http://ip:port/shell.php?0=[command like id or ls].
you'll need to transfer the tool over
the targets don't have internet access
Is the tryhack me server?
does it look like the THM server?
#welcome would really reveal a lot, and the name
@fathom pendant You just saved me grey hairs.
I'm in password attacks > pass the hash in Linux
For the last question about Linux01, I found all flags but I don't understand why the last ticket is the one located in /etc.
I ran linikatz.sh, but the ticket in /etc wasn't my first choice. Even when I ran ls -la in that directory, nothing gave a clue about that file having anything to do with Linux01. Anyone care to enlighten me?
Because it needs to be a more static ticket, as the Linux01 ticket is the machine ticket.
What do you mean by more static? Like, if you are looking for a file that helps you solve the last question, what makes you think the one in /etc is the right one?
as in it needs to be stored in a different place
which is why it's not /tmp/
since /tmp/ gets reset, basically, on a restart
Oh okay, so the one in /etc is the only viable one for this question because all other ticket files are in /tmp?
I don't have the terminal open rn I'm just trying to remember
it's because it's the one that links to the Linux01$ ticket
Anyone for a few nudges on the Advanced CSRF and XSS Skills Assessment?
Are we supposed to send our payload via file upload or exploitserver.htb/deliver?
Guys, I really need help. Someone hacked my account and I really need it back. Can someone help me?
yes
reach out to support on the website
Yes to which option? File upload in the vulnerablesite or exploitserver/deliver?
They couldn't help, that's why I'm here.
no one here can help you, only support on the site can
depends on where you're at
Ow euhm okay …
Beginning
then use the exploit server
Wasn't able to download/install CME on Pwnbox. Is there an issue with it?
However, when I try to type crackmap<tab> it autocompletes. Probably I'm missing something dumb?
Tq
It comes preinstalled on Kali; I'd be surprised if it didn't on the Pwnbox. If not, you can always just use NetExec instead... if the Pwnbox has it.
I am solving the WEB REQUESTS - CRUD API question and I don't understand it when I look at the solution.
The steps as I understand them are as follows (I am writing in Python).
- save all city_names via requests.get
- change all city_name to flag via requests.put
- delete all saved city_names from (1) via requests.delete
- access target.ip:target.port/api.php/city/flag via requests.get to resolve the issue
When I wrote and executed Python for the above 4 steps, the result is {"city_name":"flag","country_name":""}.
If this is a community violation, I will delete the question.
====================
I solved the problem.
The question was misinterpreted in translation and I went in the wrong direction.
It said cme command not found. NetExec did the trick, thanks.
Hi, is the module Introduction to NoSQL Injection, section Server-Side JavaScript, bugged?
Trying to do what the course teaches me, but every potentially working payload just causes the server to hang. Even the script given by the course causes the server to hang. Am I making a mistake trying to use the payloads to follow along with the course?
Not sure if I'm missing something, but for the Windows evasion module, are we supposed to have both the DEV and TARGET machines up at the same time? Bit of a pain to keep spinning each one up and down (it's not letting me have both on).
Unless you have one Win VM on your own machine, you'll be switching between each for developing the exploit and getting the flag.
Fair enough, I'll spin one up.
Module: Documentation and Reporting
Section: Components of a Report
Link to section: https://academy.hackthebox.com/module/162/section/1535
In this section, there's this command:
.\Rubeus.exe dump /luid:0x1a8b19 /service:krbtgt
Isn't that a mistake? Shouldn't the luid be 0x1a8ade?
Refer to the code snippet before this command (the one that does triage).
Please let me know if I'm wrong and why. Thanks!
It seems none of my posts at #1234357888114364508 are checked. I haven't got any comments. It's been three or four posts consecutively with no comments
Hey. I'm in the module about hash cracking with Hashcat. The module tells me to use hashid to identify the hash type, but I think hashid is not good: it gives me a lot of possible hashes and makes it hard to get the real one. So is there a tool (not online like https://hashes.com) I can use instead?
hello everyone!
I have a question about the student plan. I am a student, but I am about to graduate soon, like next month.
Supposing I buy the student plan now, then for each month, do I need to have access to my student email (maybe for some verification, I don't know)?
I am trying to understand if there will be problems in the following months when I won't have access to my student mail.
I mean, do I need access to my student email only during purchase or throughout the whole period I pay for?
thanks in advance
Module: AD Enumeration & Attacks - Skills Assessment Part II, Tasks 3-4. While I'm connected to the Parrot OS machine via SSH and trying to RDP from it to the internal network machine 172.16.7.50 (MS01), I get this error:
[07:20:06:351] [2621:2621] [ERROR][com.freerdp.client.x11] - failed to open display:
[07:20:06:351] [2621:2621] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.
ChatGPT said that I need to connect to the Parrot OS machine via SSH using the "-X" option to enable X11 forwarding. I did this and everything works, but performance is terrible. The next tasks involve working on this host, but it barely opens the desktop with this RDP connection and it's impossible to work with this host via RDP further because of the performance. What should I do? Nothing was said about it in the "Show solution" section.
Need help on password attacks
- 0 Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt.
I have David's hash, but what does it mean to connect to the shared folder?
Is anyone else having trouble extracting the sample report from the Documentation and Reporting module? Once I download it, it fails to extract.
Can anyone help me figure out how to solve it?
lowercase json
I tried it, no change.
additionally json uses : instead of =
So what do I need to do?
He literally told you: replace = with :
Why can't I see what the Active Scan is finding in Burp while it's scanning?
Ask in the Burp Discord.
Advanced SQL Injections Skills Assessment: is the remote host not the same environment and code as the workstation VM? I can run my exploit locally, but remotely the results are completely different... Very annoying lab setup, not being able to run the local and remote instances at the same time.
Different permissions
Makes no sense for the unauthenticated part.
Check the forum
There are a couple of good hints