#modules

Host is up (0.31s latency).
Not shown: 92 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp filtered domain
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 2.77 seconds

it is port 53 I need to enumerate right? since it is asking me for DNS version

udp buddy now run it again

no

Host is up (1.8s latency).
All 100 scanned ports on 10.129.118.193 are in ignored states.
Not shown: 100 filtered udp ports (host-unreach)

Nmap done: 1 IP address (1 host up) scanned in 134.70 seconds

-p- buddy

any hint for Modern Web Exploitation technique SA Q3-What is the password for the admin user of the Vault web application?

does "sudo nmap -sU 10.129.118.193 -Pn" just do the top 1000?

yes

Ahh okay, that took me 1148 seconds so -p- will probably take ages

dont forget to save the output to a file

I actually remembered! hahah

my stress from modern web exploitation skill assessment last 2 questions are gone now. Thanks to that guy

are you sure this full udp scan is needed?

Stats: 0:54:06 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 4.94% done; ETC: 18:22 (17:20:23 remaining)

full udp is my last resort kind of thing. Scanning the snmp ports specifically can yield good results, but in the machines I've done there was rarely anything useful on udp (except for snmp)

its not

i could just tell you the port

but what fun would that be

why would it not be port 53 though?

I already have the answer but I just want to understand it

this is the solution ||nmap -Pn --disable-arp-ping -p53 -sU -sC STMIP||

it also uses port 53

services can have custom ports

yea but for this certain excersize its 53 right?

yes

do you reckon the lab could have a mistake?

since I am getting a version, just not the correct one

you haven't gotten the flag?

not the correct one

Host is up (0.22s latency).

PORT STATE SERVICE VERSION
53/udp open domain NLnet Labs NSD

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.45 seconds

thats the version im getting

NLnet Labs NSD

I know the correct flag from the solution but I haven't been able to replicate the result and get the flag myself

you know the correct flag, but havent gotten the flag yet?

can you say that out loud

I know it from looking in the solution

but I haven't been able to get it myself

the correct flag is in the solution so thats how I have it, but I haven't been able to get it myself from an nmap scan like im supposed to

its not about the flag or being able to continue, I just want to know what im doing wrong / misunderstanding

Hello! 😄

you're probably doing it right

reset the target and try again

reset the target but still didn't work, had to reset my openvpn connection for it to work

atleast I've learned to try that sooner next time hahahha

awesome

Hi, please, Can you help me please? I’m in HTB DACLs I module, I’m in Password Abuse section, I’m stuck on the last part, abusing Marcos’ account to get the gMSA of the htb-svc$ account to get the contents of the flag.txt file, I already have the hash of the htb account, I tried to connect with pth-winexe, with psexec, winrm, crackmapexec, and others, but it refuses the connection, then I try to do pth with mimikatz but to run it I need to access as administrator, but I don’t have those credentials. What should I do to get that flag, or what am I doing wrong? Thanks for your help.

Morning, I am at the skill assessment of the using web proxies module. I cannot get the flag for the first task. I can get the POST request that contains the getflag=true. I used ZAP for fuzzing the POST request 100 even 1000 times and can't get the flag. I insert a number in the body and choose numberzz from the payload and define the range. Every response has the same length. I looked at the posts of the forum and I am doing it the way like people describe it. Can anyone help me?

How to download python in my windows 7 laptop

You can do it with cme/netexec.. looks into the modules or how to access shares

https://www.python.org/downloads/windows/

Python 3.8 should work on Windows 7

Module: Cross-Site Scripting (XSS)
Section: Session Hijacking
Link to Section: https://academy.hackthebox.com/module/103/section/1008

I was just revisiting this module and had a question based on the example scenario discussed in the mentioned section. When it comes to blind XSS - session hijacking/cookie stealing attacks, in reality we'd have to wait for the admin to access the page in order for the payload to execute, right? Or have I misunderstood and there's actually no need for an admin to visit the page?

The "page" I'm referring to is, of course, the admin review page or whatever that we're targeting where our payload lies, to which we don't have access.

Hi,
I too was stuck , and ran this command and it works.
gobuster vhost -u http://94.237.63.109:32594 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --domain inlanefreight.htb -t 100 --append-domain

IDK, i specified the DNS in the hosts file but it didnt work for me but specifying the domain in the command does smh....

how to get roles sir

Read and follow #welcome to get your role

good day, do you have hosting that can suggest that supported to paymongo api? thank you

maybe ask in #general this channel is for the academy modules

no, I think both are custom groups. You can protect users in AD with preventing them from being delegated to

if there's delegations on the domain you would do that to protect certain users from being delegated to

not sure if that's what the module or section was about tho

interesting. I never knew there was a "protected Users" and "Protected groups" groups

Don't overthink it i believe the group's name is specifically "Protected Users" so by trying to dig deeper your looking at an apple and calling it an orange

And the "Built-In" groups require audit configuration to be tracked in that manner that you described

In Pivoting, Tunneling, and Port Forwarding Module, specifically in Web Server Pivoting with Rpivot.
as soon as I run proxychains firefox <ip> <port> the system starts to lag then freeze, then crash and tell me to logout and login again.
I'm using Debian 12, any help?

I tried ssh -D method and rpivot method.

hello, i am currently doing the passwords attack module, and now i have to use crackmapeexec but when i try to use it from command line it says that he doesen't find the module, i tried a lot of metod sto install it but none of them works, what can i do? ty guys

use netexec instead, since cme was deprecated.

Here's their docs on how to install it on linux
https://www.netexec.wiki/getting-started/installation/installation-on-unix

ty so much

.

Hey in the wifi pentesting basics modules there is a section connecting to wifi networks

I want to briwse to an http address and locate flag but i cant use chrom curl wget nothing is also working any help

I'm trying to pass the "How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)" question at "Linux Fundamentals / Filter Contents" and I found a lot of ways to solve it but I don't understand any of them since I've never been told that I need to know literally every Linux command before starting to learn Linux Fundamentals.

• What's netstat -tunleep4 command?
• What's ss -l -4 command?
• What's systemctl command?
• What's netstat -luntp command?
• What's service command?

And why is everything in this course based on that I'm supposed to already know everything before I start learning?

Thanks for the hint!

I wasted a long time scraping tom's ssh. You're a life saver

Can anyone help me regarding the skills assessment of the Wi-Fi Penetration Testing Basics module? Thank you in advance!

Hey @zenith wing can you help me

.

i wrote private message @limpid hemlock

Not today i guess

Hey guys, I got a question when it comes to running LaZagne on Linux. Do I just transfer these files to the target and run .laZagne.py all ? Or am I missing something ? Am I supposed to create a reverse proxy to the target and do pip3 install -r requirements to allow the target to reach the internet first and install the other requirements ?

Hey, I want in help of Reverse Engineering, or algorithm makers..
Anyone can help.me

I'm guessing there wasn't a "You should have module XX completed before this one" before starting this module? If you want to DM we can have a conversation on how you can approach something like this in the future.

For anyone working on brute forcing WPS with reaver, if you aren't getting the answer in like less than 3 minutes, either revert and/or try something different from the section. If you're waiting longer than 5 minutes, something's wrong

I'm pretty sure I just used wget

Hi

got stuck in Windows Privilege Escalation - Other files section need help

and then you just ignore these errors ?

-] Module Env_variable is not used due to unresolved dependence:
No module named 'psutil'
[-] Module Rclone is not used due to unresolved dependence:
No module named 'Crypto'

mainly wondering what else it could find if it had these modules installed on the target

You're getting those errors running the tool?

affirmitive

on Linux machine, never had them on windows

I brought over the entire Linux folder and had no issues running it, lol.

what have you tried, what is not working?

yeah I did the same, scped the entire Linux folder and still got those errors
the tools runs and displays some passwords, I am mainly wondering what else it could discover if those modules were present on the target

tried command from cheatsheet and modules got some passwords but none of the bob_adm

Ah gotcha. I didn't have those errors when I ran it.

hmmm, thanks for confirming I will try to download it again from github and see how it does

All good brother.

Ey

eh, still no luck ,maybe in your case the target already had the crypto and psutil modules

That or I just didn't document it in my notes.

Hello to everyone

Anybody here have completed the Tier 4 Secure Coding 101: JavaScript module?
I'm interested to take it but not sure that if it is worth 1000 cubes or not??

It says it's a 8 hrs long module, and doesn't seems like a big module.

Spent 500 each on tow tier 3 modules thats more worth it

Bypassing mac filtering module to find essid of 5gz band i ran command with sudo airodump-ng wlan0 --band a but the name i get isnt the answer

hi guys

#modules message

trying to solve Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.

I used metasploit, smtp-user-name and got 37 result, and any of this result isnt valid. Surfing the internet, i find out that there should be button resource with wordlist, but i think it was deleted few days ago. So how to solve it?

Have you tried just using a nmap scan?

yes

Nmap -sV

Which module is this?

25/tcp open  smtp
| fingerprint-strings: 
|   Hello: 
|     220 InFreight ESMTP v2.11
|     Syntax: EHLO hostname
|   NULL: 
|_    220 InFreight ESMTP v2.11
|_smtp-commands: mail1, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING

Footprinting smtp

The answer is in here

Banner + version number

its for the question 1

Yes

i need second

first one i already solved

Then why do you show this lol

That’s the first question

you asked for nmap

Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.

this is secon

Look what picture you post

what?

Read from there

i said that there is not button resource

Use the footprinting wordlist provided

WHERIS IT?

Scroll up

Above the table of contents

thx

solved

can anyone verify the last Q of SA for modern web exploitation is working as intended?

Good morning guys, could someone give me a foothold in the skill assessment XSS and csrf of CWEE

@analog dock Can you give me a foothold in the skill assessment? 🥹

I haven’t done it

Maybe check the forums

File Inclusion > Basic Bypasses # Path Truncation https://academy.hackthebox.com/module/23/section/1491
Suggests that if an extension is being forced into the user-supplied string (e.g. "./lang_" + $user-input + ".php"), it can be bypassed by pushing it out of the 4096 character boundary, however, the path must start with a non-existent directory while the section prior says that for a relative path to work the directory must exist (i.e., there example was "/lang_/../../../" where if "lang_" doesn't exist then the relative path is invalid).

Does anyone have insight on this contradiction if both are accurate or one is inaccurate?

Lab testing - referencing a bogus directory (e.g. ./bogus/../../../../etc/passwd) fails, so the requirement to reference a non-existent directory doesn't make sense to me, but I can't test that in the lab.

hello guys how do yall take notes

Hello,
Attack and defense -> PKI - ESC1.
Connect to the Kali host first, then use RDP to access WS001 as bob:Slavi123, and practice the techniques shown in this section. What is the flag value located at \dc1\c$\scripts?

I found the flag in \dc1\c$\scripts\flag.txt, but it is not being accepted

I use a wiki, but plenty of people recommend obsidian or cherry tree. Probably anything where you can link sections to each other. Play around with a few options and settle on one that meets your expectations & needs.

ah nice but what's your take on physical note taking is it too slow or your preference is just towards this side , and also what is better for long term usage

I do both. Read, hand-write my interpretation onto paper, then transcribe to the wiki. Most people asking this question are asking about what software to use.

I rarely go back to reference my hand-written notes, but the act of hand-writing helps me absorb things. The labs are a great way to make sure I can rely on my notes to perform a certain task. It all ties together.

yeah i like hand written notes too , i think we can really absorb all the things when we write it down , but digital notes they do help in quick checks or when we tend to forget things i guess , you know if you get by what i mean .

Hi All,
i am stuck in Information Gathering - Web Edition module , Chapter - Web Archives

question is very simple - + 0 Going back to March 2002, what website did the facebook.com domain redirect too? Answer with the full domain, eg http://www.facebook.com/

However, on wayback machine, its giving the same domain, i cant find any redirection.
picture attached.

cant attach picture 😦

any help will be highly appreciated, thanks

Read and follow #welcome to post images

Totally. There's an HTB meta-module on learning "Learning Process" that I haven't completed but has good info onthe subject. A few other techniques out there that can help give you a framework like SQ3R.

gotcha

@shut vapor btw asking from a newbie perspective which linux do you use and do you recommend it ? and why ?

if you want to take a screenshot but the output in the terminal is much longer than what shows on screen, what do you do there?

depends on which os are you on due to settings differences i guess

@civic steeple https://askubuntu.com/questions/194427/what-is-the-terminal-command-to-take-a-screenshot

Play around with a few and settle on one. Stick to the big names to start so when you're googling to resolve problems it's easier to find info. I've switched a few times through the years. I wouldn't want to suggest what I use is a solution, experimenting is half the fun. :^)

Hey in the bypassing mac filtering section in wifi pentesting module i dont see the wifi to connect to the 5g one

i started with kali but now i seem to like parrot os more idk maybe due to its lightness i guess

I was also unable to get "expect://id" to work even though I see it enabled in php.ini. A little searching doesn't reveal I'm doing anything obviously wrong. I see expect can be tricky to work with but a simple call to "id" should work. If anyone got through this lab and figured out there is a trick (or validated that it doesn't work) i'd love some hints.

both statements are correct

if you're attempting the character overflow you dont care if the path exists because the malformed path exploits truncation and not resolution

if you're relying on the relative path transversal the path resolved must exist for the transversal to be valid

Greetings folks. New to this discord and getting my feet wet with cybersecurity in general.
I'm having some trouble getting through the Linux Fundamentals module, specifically the Working with Web Services section. I am using the online Parrot VM instance the module provides.

I follow along with the instructions to install Apache. Starting the service resulted in an error, which I was able to correct by editing the ports.conf file to listen on port 8080 instead of 80. Now I can start Apache and get the service running with no issues.

Next it says to navigate to the default page in a web browser by going to "http://localhost". This does not work (see attached image). What am I doing wrong?

Running "systemctl status" gives me the following:

You have written that your Apache is running on port 8080.
So you have to call http://localhost:8080

Of course. That was it. Thanks!

In Getting Started Section > Knowledge Check, I obtained my initial foothold on the system, but I am unable to use wget to download LinEnum.sh from my machine after setting up the http server with python. My issue seems identical to this - https://forum.hackthebox.com/t/nibbles-privilege-escalation-python-http-server-wget-download-linenum-sh-stuck-at-0-downloading/285736 but it doesn't have any answers either.
wget log says:

Read error at byte 0/46631 (Connection timed out). Retrying.
I've confirmed I'm able to use curl and read a small text file i created in the same directory as well.
Can someone help?

I have a problem with submitting the flag... The flag is correct but not accepted?!!

in : HTB academy
Current Path : Bug Bounty Hunter
Q: For HTTP Headers

Make sure there are no spaces or anything or try refreshing the page sometimes I find it does that to me

I did all the ways

Anyone help me with the bypassing mac filter section i wifi pentesting basics module i cant seem to connect to the 5g network after doing all whats mentioned in this section

?

You can DM what you are trying.

Does anyone finds the introduction to windows command line module boring???

You can DM me what you are trying.

your error says it's a time out. make sure the server is running and you have the correct syntax and IP address. how are you setting up your http server? python3 -m http.server?

Yes, the server is running. I confirmed that I can read a small text file in the same directory via curl from the target machine.

try curling it instead of wget then, i believe the parameter is -o output.txt

I'm not following. I understand the extension we don't want gets truncated - that's easy - but why MUST the path we use BEGIN with a non-existent directory? It's still a relative path being processed, so my thinking is that it actually does need to exist. The section is so clear on that point though so I must be missing something. Apologies for the delay I had to run out.

You won't be able to get this one to work iirc, other techniques should work

Right, it's not setup in the lab so I can't experiment with it to validate one way or another.

It's likely just how it works tbh

Idk

Thanks. I've recorded the requirement in my notes to play with if I encounter it, but I'm open to clarification if anyone more familiar with PHP drops by.

When the path starts with an existing directory, the server resolves part of the path relative to it, breaking or limiting the traversal. A non-existent directory ensures the server doesn't prematurely resolve or restrict traversal logic, keeping the payload intact. Imagine the following path on the server:

/var/www/html

Now, a user submits this payload:

?language=existing_dir/../../../../etc/passwd

If existing_dir exists in /var/www/html, the server might resolve the path as:

/var/www/html/existing_dir/../../../../etc/passwd

This would then normalize to:

/var/www/etc/passwd

In this case, the traversal fails to escape the /var/www directory because the server resolves existing_dir as a valid starting point and truncates traversal relative to it.

Many web servers or file inclusion mechanisms resolve paths sequentially, checking the existence of each directory in the path. If a directory in the path exists, the server may switch to resolving the file system path relative to that directory.

Hello has anyone managed to download and use the tool xcat, it automates XPATH injections

its basically a subtle distinction the non existent dir only needs to exist at the string level not at the filesystem level

Oooh! Ok, I'm kind of picking up on what might be happening. It seems to identify that a path with an existing directory is the root directory and won't traverse down. That seems very bizarre, but I'll have to keep it in mind and try to setup a way of observing that. I haven't worked with PHP enough to have encountered something like this.

thats right

php has its quirks..

Use the docker version

You planning on getting that cwee ??

Yes, but I still have a lot to learn

goodluck mate, on the same path aswell

can you not have two academy labs running at once?

thanks, I tried your suggestion from the pwnbox instead and i could get the download to work. Not sure why it doesn't work on my VM

I don't think so. Doesn't make sense either

No

shit

password attacks is going to take forever

Fortunately, it doesn't take quite that long

ok it's taking a very long time for me

the lab for the password mutations section requires a wordlist of 187k passwords

and it's taking absolutely ages

even after i split the wordlist into 10 different files and set hydra to max speed it still takes like an hour and a half per wordlist

wtf am i doing wrong

If I remember correctly, there are two services. One of them can only be attacked very slowly

it's ssh

the password attacks module showed me that bruteforce of online services is the absolute last resort option for me

yeah this fucking sucks

but yes, you are not supposed to bruteforce ssh

well tell that to the htb academy team

idk i'll try something else then

brute forcing ssh is clearly not the right solution

if you read the question, it doesn't say to brute force ssh. it says to find the password for the user and then simply log into ssh with that. not saying it isn't ssh, i'd have to go back and look, but just saying that's not what the question is saying to brute force.

yeah i just noticed that

tbh password attacks is one of my least favorite modules for this reason (and that some of the bruteforces just take way too long, even if you do everything right)

just bite your teeth together and push through this module

that's what i'm doing, i just wish i could do something else in the meantime

as in something productive

Hello guys, I am on linux fundamentials, filtering exercises and i have a question:
"Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer. "
but i cannot connect to the website, entering the website url in the browser also does not work. Is the website down and i cant complete it because of that?

also, why is it required to use the pwnbox for that particular exercise?

alright, the website works, but the question about the pwnbox still stands

Good news on the site loading. It is not required to use the pwnbox.

I don't know why it says something about the target machine. Did a machine spawn for the lab? Maybe that's what it's referring to.

maybe they are referencing the machines which we usually run with vpn

and connect to them

What section is this? I'll load it up to verify curl on Kali works.

but it still makes no sense to use anything other than even your own machine if the target is an existing website

have you spent any money on the site? i believe the pwnbox has limited connection to the internet if you haven't spent anything

Linux Fundamentals, Filter Contents, 3rd question

I mean, I can't imagine why you'd need pwnbox for that, but I make mistakes answering questions on a semi-regular basis.

I have not, and yes it does have a limit, I'm just confused as to why would we need to use either pwnbox or a remote machine if the task can be done from our own machine. Maybe it's HTB's way of making us use the pwnbox and paying later on?

does anything actually say on the page you must use the pwnbox to complete it?

The question itself:
"Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer. "

yeah.. i can see where you're coming from, but it doesn't say you have to use the pwnbox. you can also have a vm of the pwnbox. either way you may want to post it in #1234357888114364508 and ask them to make it more clear

alright thanks

Hi all, i'm on CWEE path, whitebox, race conditions module. pretty stuck here on exploiting e-shop lab for getting 100$ balance, not because its hard, the vuln is pretty easy and obvious, I fully understand it. but getting the flag is not easy due to randomness, network latency etc. any suggestions to improve my odds with turbo intruder?

Can someone help me out here?

what am I doing wrong?

make sure not to spoil stuff

sorry

can someone DM me?

I need help from someone

hi can someone help with getting the flag from David's folder? I have his account hash but the hash won't work for getting flag from his folder. It still says access denied. The hash they gave me for julio works for getting Julio's folder and I got the flag in that folder. I have David's account hash but I think the issue is that's not the same as his password hash.

can someone help me get his password hash?

I'm assuming that's what's necessary for a pth attack

this is for Password Attacks Module's Pass the Hash section

if someone could DM be I would be very happy

how are you trying to use the hash

there are a lot of tools that can use the hash instead of the password, i'd look into trying different ones

I made 5 sessions and that worked

I'm currently working on a server-side attack module related to Blind SSRF and have encountered a challenge. While I can interact with the default HTTP port (80), I'm struggling to identify other open ports—particularly the one potentially serving non-HTTP (or sensitive) content.

If anyone has experience with advanced port discovery techniques or methodologies to identify such ports in the context of Blind SSRF, I would greatly appreciate your guidance.

so with only 5 session ids, theoretically if all of them succeeded, we will get 5 gift card codes right? but we need 10 to make $100 ?

Just keep doing it

ah got it, understood now

thanks @analog dock

I only got some succeeded when I was on pwnbox, when I use my VM over VPN connection, 0 succeeded... not sure if thats because of my internet somehow not fast enough?

Might be

yeah for modules that time-sensitive like race cond. and enumerating users, I also found using pwnbox got more accurate results than over VPN

am i doing something wrong?

just trying to ssh to a target

Remove the brackets

Hey

Can anyone help me using Chisel?

I m doing AD room (AD Enumeration & Attacks - Skills Assessment Part I)

But i dnt know how to use metasploit with autoroute. So i m using Chisel instead. But cant make it work

i m not able to work though and get the pivoting thing working
In the module (pivoting) we have both linux machines

But in AD i have the pivot host as windows machine.

I am able to get a reverse powershell on the windows machine and have the chiesel.exe on that machine as well

shit like that is what makes me go insane

while connecting the both i m not sure if it gets connected or not!! i try proxycahins nmap to the other network, but that does not help

the chisel syntax is the same for linux or windows. so just put chisel on windows and use the same commands

I did exatly the same

If you want to learn something better check out ligolo-ng. If you're adamant about chisel, I can reach out when I'm back at my computer.

will try this tool 🙂

And will keep you posted

If you want a video on it DM me and I'll share one.

I did find one on its repo

But if you have any which is better send me

One more thing I have aarch64 kali vm, i hope there is a binary for mu kali?

i'm having some issues with the 2nd question @ https://academy.hackthebox.com/module/116/section/1169

i can't connect with sqlcmd.
But i can with tsql and impacket-mssqlclient and i don't understand why...

this is the error msg:
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : Login failed for user <SNIP>

Hey, anyone else working windows evasion module? I feel like I'm going crazy, I don't have access to the DEV box right? Only the target box? so I need to go fire up my own Windows dev VM and connect to the VPN? I was hoping to just use their VM while I'm travelling

You have access to DEV, you just have to keep the intro section open in another tab so you can spin it up when you need it. I have no idea it wasn't setup so you can access both DEV and TARGET in each section. Pretty annoying.

thx

agreed

can you tell I always fail shit by not reading the question properly?

hey im trying to ssh to target with my own VM but i need the VPN provided right?

how do i get their VPN working with my VPN i dont really get that part

What do you have set up? a personal VPN and you have the OVPN file for labs?

well i was just gonna get nord onto my machine once i know how that works

so personal

Also the VMs fight each other so I have to re-spawn target after I'm done on DEV, wat

Yeah that should just act as a pipe to the internet, so you can just VPN through that into HTB with openvpn --config ./your_file.ovpn

personal VPN or no shouldn't matter

cool if i pm you if i dont figure it all out with that?

Yeah go for it, but I am sending good vibes

should just work all OK vi VPN mgic

i already ran into a wall cause nord is saying it doesnt detect an OS

I'm in client-side js pollution module. I played around with jquery's getScript() in js console. Can someone explain why jquery getScript() uses the code from "src" property instead of the url in its first argument? the module kind of glossed over this as one of gadgets that just works. ```js

$.getScript("data:,console.log(Date.now());//");
1732489222608

Object.prototype.src = ["data:,console.log('pwned');//"]
Array [ "data:,console.log('pwned');//" ]

$.getScript("data:,console.log(Date.now());//");
pwned

Heyy

Yeah every time.

what? you can't spawn more than 1 target in academy.. you can just pivot into the dev machine.

still find it much easier to just build the code on your host machine and copy it over

i thought i remembered pivoting over, can you actually spawn 2 machines at once?

i see, they expect you to spawn the dev machine and create the code then try it on the target? really way easier to just do it on your own machine or windows vm

Yeah that seems to be the way to go but hte VS build is broken I'm gonn sleep and just use my own machine when I'm back tomorrow

part of the appeal of academy was being able to do stuff on their boxes

Just finished SQL Injections modules skill assessment , it’s extremely frustrating that the input box capitalized all input but apparently it wasn’t actually capitalized? Wasted an out creating web shells because input made it seem that ‘REQUEST[0]’ was being passed as all caps

Anyone can help ? I followed the steps of the example and it still doesn't work ?

Module :

There's an additional protection running 😉

thx I will look into that !

Something running in real-time

yeah real-time protection

I just turned it off and tried , but it still doesn't work

You'll need to re-download the dll

is it normal when I run the server it only loads for a split second ?

[Not enough details] you mean it starts then stops? Are you running with sudo?

because when I now run the command : regsvr32.exe SocksOverRDP-Plugin.dll. I have this issue

Use Google to figure out the error code dude

it worked lol

I want to learn how to hack

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

check article above.

anyone else having a ton of trouble with academy labs today? every time i do like an nmap scan or something the lab just goes down and i have to reset the target

i'm home from college right now and i'm on my (windows) desktop (i'm usually on a debian laptop) which means the issue is either windows, my home network, or htb academy

so im trying with Enumerate the custom script that is running on the system and submit its output as the answer.. i used all scripts that was in module, but WHAT THE CUSTOM SCRIPT I NEED TO FINDD??????

is it smth from here?

hard to say unless you include the module and section you're on

footprinting snmp

Hello, i'm stuck at Sqlmap bypassing WAF (Case #10).
I think that I found the specific keywords that is behind detected and blocked, but I don't know how to change the sqlmap behavior here...

ok it's either htb academy or my home network

try to google "tamper sqlmap"

I tried various tamper but they didn't worked and I don't find any other interesting one that could works

simple questioni

hey

I am given a target IP address in my module and I just have to save the file i belive I have to use curl -s -o

I get no URL specified

What do I need to do to adjust?

what module

Web Requests

so?

The custom script is on the target you need to analyze the output you receive

Anyone available to help me out? I don't understand why I'm getting time out errors.

I deleted my proxychains, then reinstalled it, hoping that would fix the issue, but that didn't work.

I'm using socks5 127.0.0.1 9050 in my /etc/oroxychains4.conf

Im trying to use proxychains to ssh into a user, but I keep getting time out messages.

I'm all out of ideas.

It's a script that was run on the target that you're looking into

0-0

Do you have the port forward/proxy set up?

so it somewhere in the middle of snmpwalk output?

Yes

0-0

¯_(ツ)_/¯

can u say first ;etter?

It's been a minute since I've done this, so no

Just pay attention to the output

but its huge

bruh i'm fucking dumb I was targetting the table of the previous question... I want to kill my self right now 🙂

HOWW DA FUCK THE FLAG IS CUSTOM SCRIPT

omggg, and its says nothing about this flag, even previously i tried it, it was wrong, maybe spacebar in the end(((((( stupid question

It's the result of a custom script

Mood

Can someone explain something about arp spoofing please

I'm in the new Active Directory Pentester Job Role Path, and I'm the Windows Lateral Movement - Secure Shell module,

It made no mention of having a port forward/proxy set up.

yes

It does actually say ssh can be used to tunnel if you read it. Also the Pivoting module is listed as a pre-req so you should be able to set it up.

you're right

So at the end of the mac adress section in introduction to networking it shows an arp cache posion i believe, i dont understand why the same reply is sent twice

Context \/

looks fine to me

Well i assume its correct but i dont understand how this shows a successful arp spoof

in the modules it suggests that it will take a certain number of days to complete. do you know how they are basing that? I know it is completely dependent on ones prior knowledge and how well one pics up the concepts but on average is it based on 8hrs a day or ??? just trying to get a rough estimate on how long to shoot for.

1 day is 8 hours. that said, those estimates really don't mean a whole lot at all.

thank you ! I just wanted a rough estimate.

whats most important is that you absorb the material and understand what everything is

agreed. normally it takes longer than one day to do it in 8 hours and normally it takes more than 8 hours worth of work (or at least it does if your taking your time and making sure you do it well instead of rushing it)

in my experience at least

did you solve it?

found it was adding --no-http-server for future referance
FAILED: [('SSL routines', '', 'no protocols available')]

Why is this a module? When was the last time anyone has seen a WEP protected network?

Tomorrow

LMAOOO GOOGLE DRIVE AND WINDOWS DEFENDER BOTH THINK MY NOTES ON SHELLS AND PAYLOADS ARE MALWARE AND WINDOWS DEFENDER KEEPS DELETING THE FILE

defender recognizes certain commands and treats them as malware

yeah i know it's just hilarious

it literally won't let me move the file to my documents folder without deleting it

You can configure defender so that it does not scan certain directories

https://support.microsoft.com/en-us/windows/add-an-exclusion-to-windows-security-811816c0-4dfd-af4a-47e4-c301afe13b26

Hi, I'm almost finished the moduelo Network Enumeration With Nmap.
It was hard but I would like to improve with this tools, any tip to practice?

need help in windows priv esc citrix breakout

not able to access SMB share from restricted environment

i'm using my own kali linux
do i need to use pwnbox?

I'm attacking the nibbles box rn and I keep getting an error in metasploit that says "exploit completed but no session was created"

type 'options' in your msfconsole session and make sure all the settings are correct

also could be the wrong exploit

hey can anyone help me out? when i run this command on my personal VM (have the VPN connected) it doesnt take the command an just keeps spacing until i cntrl C. Same command on pwnbox in htb academy actually goes through... im kinda confused at this point on what to do

do you have the pwnbox on too?

yeah

terminate it. it shares the same IP as your VPN and messes up the connection.

done and same thing

sudo killall -9 openvpn

restart the target, reconnect to the vpn, wait 3-5 mins and try again

will do thnx

Hello everyone, it's the local village idiot, hard stuck again and I've came back to this one like 20 times

tellin me

I'm stuck on Firewall and IDS/IPS Evasion - Hard Lab

This is as far as I've gotten in terms of my scan command

sudo nmap 10.129.253.124 -p- -sS -sV -sC -O -Pn -n --disable-arp-ping -S 10.129.253.200 -e eth0

And it has the audacity to just throw up an error

sudo nmap 10.129.253.124 -p- -sS -sV -sC -O -Pn -n --disable-arp-ping

This is the last scan that produced results

But for the life of me I can't figure out what services it's asking for

I even tried the ncat scan but it was strange and didn't help

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 71:c1:89:90:7f:fd:4f:60:e0:54:f3:85:e6:35:6c:2b (RSA)
|   256 e1:8e:53:18:42:af:2a:de:c0:12:1e:2e:54:06:4f:70 (ECDSA)
|_  256 1a:cc:ac:d4:94:5c:d6:1d:71:e7:39:de:14:27:3c:3c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.0
OS details: Linux 5.0
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

so same thing happened.. i waited a while tho and it gave me a disconnected message. Meaning im connected but i dont have any prompt for commands? idk what this means tbh im new

provide the name of the module and the section you are working on

me or @novel finch ?

you

Linux Fundamentals - worling with files and directories

How many tun interfaces do you see in the output of ifconfig or ip a

1

How many ports are open to you via an nmap scan

is the command nmap p?

You can do a simple sudo nmap -sV <IP>

do you solved this,I also have this question

ima see myself out

i had a personal vpn on parent OS LMFAO

Additionally, you can try to ping the target machine to verify that you can reach it

its working now

ty

https://academy.hackthebox.com/module/263/section/3092,For this module, why I followed the tutorial and failed even at the last step? I don't understand what is wrong here. Has anyone encountered this before? Can anyone help me?

which module

do you solved this

As shown in the figure, after I completed the first figure, I waited for about 5 minutes and executed it, and found that the error still occurred.

@autumn pilotcan you help me to solved this

Check if the update has been successfully downloaded on the target system, if not follow the steps outlined in the section related to such behavior

All of them failed, whether I did it myself or followed the relevant tutorials, the result was still the same.

Windows Privilege Escalation - Miscellaneous Techniques - Always Install Elevated
I am trying to replicate this section in a vm and i enabled both the registry entries. but when i try to execute msfvenom's payload i still get the policies denied error

I've just tested the exercise and it worked

Are you using the tutorial steps? Does this have anything to do with my network? I am a user from mainland China.Can I message you privately?

found it, DisableMSI should be configured and disabled

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
DisableMSI REG_DWORD 0x0

I don't know how many times I have tried it, and I don't know what the reason is. I hope someone official can help me troubleshoot it.

Yes solved, do you need help ?

yeah

can I dm you

Sure

Hey, I'm on transferring files with code
and i encountered this problem
tried to download a file with the provided command and it errors me
anyone knows why?

htb-student@nix04:~$ perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh");'
Can't locate LWP/Simple.pm in @INC (you may need to install the LWP::Simple module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.30.0 /usr/local/share/perl/5.30.0 /usr/lib/x86_64-linux-gnu/perl5/5.30 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.30 /usr/share/perl/5.30 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at -e line 1.
BEGIN failed--compilation aborted at -e line 1.

(you may need to install the LWP::Simple module)

note that target machines are not connected to the internet

Should I try and download it offline? is that what the exercise meant for us to do?

at the end of the Pivoting module in CPTS it mentions a track about pivoting but I cannot find it

any idea where it is? I could really use some pivoting practice

I dont think there are many free moduels offering pivoting

the prolabs/endgames usually do, but those cost money

not free, in HTB Labs they mentioned a track about pivoting.

I'm a HTB Labs Subscriber already I just can't find it

I clicked on it and it took me to the tracks page

I searched there but couldn't find it

hm yea It feels like they cleaned up the tracks at some point?

but why would they remove such a valuable track? this doesn't make sense

if I google it I find write ups of machine that apparently were part of this track like here https://0xdf.gitlab.io/2021/04/27/htb-toolbox.html

"Toolbox is a machine that released directly into retired as a part of the Containers and Pivoting Track on HackTheBox."

Thank you, I'll try to utilize google to figure the machines that were part of the track.
finally I'll put my google fu skills to the test lol.

kind of weird, I don't see any mention of them removing tracks officialls, yet a lot of them are gone

Analyze the event with ID 4624, that took place on 8/3/2022 at 10:23:25. Conduct a similar investigation as outlined in this section and provide the name of the executable responsible for the modification of the auditing settings as your answer. Answer format: T_W_____.exe

Iam not finding any TW_.exe file

Please advice

the AD module has pivoting

This is good to know, thank you :)

Intro to C2 operations with sliver / initial acces/ ............. why do we need two listeners, and it's on different ports, why? and it works , why ? I am a bit confused this part

the first listener is holding the stager that will then execute the shellcode in memory to connect to the second listener

Thank You

hi, i have recently been having issues with metasploit on my own VM and the Pwnbox as i see, is there any one that can let me know whats wrong, i have followed every step in the module

check the port

have done that and now a new error has appeared XD

Note that docker containers cannot communicate back to you via the internet; in case of getting a reverse shell

true, i am using the pwnbox to see if it works

the target is HTB target

Look for other potential vulnerabilities

also realising that might work XD

I'm basically at the same point you were a couple month ago, did you find out what was wrong with process injection ?
The course is pretty straightforward (litterally a walkthrough, so easy to follow), but even redoing everything step by step, debugging and stuff, even copying the solution of the gold annual solution, using msfvenom+aes encrypt or micr0_shellcode, the calc.exe is triggered but not the shellcode :
https://academy.hackthebox.com/module/254/section/2930 "Introduction to Windows Evasion Techniques"

seems like it's this issue but it is closed : https://discord.com/channels/473760315293696010/1259770802237083679

https://academy.hackthebox.com/module/267/section/3124#questionsDiv for this section second question I found the name like "Rxx Mcxxxx",but I use this name,it is hint me this is error answer.what's wrong?

do you solved this?

can you help me

I was able to get this a couple of weeks ago. I should still have things on my VM and can compare it to what you are using and see if there are any differences. You can DM if you'd like.

can you help me

With that section of the module?

https://academy.hackthebox.com/module/267/section/3124#questionsDiv

this module

I haven't done that module.

ok thanks

HTB Academy Assessment IP: 10.129.x.x
This is not accessible. Should I use Pwnbox itself?

The VPN will re-route any traffic related to targets in the 10.129.0.0/24 subnet

If you're having connection issues, kill the vpn, change regions, download a new one

The application was on port 8000 😅 , nothing was on http/https ports.

8000 is an alt http port

Typically

So still http, just not default

Oh i see. first time using VPN one instead of Pwnbox. Since I saw the error, I thought something related to connection. Cheers

Well if the module tells you 8000 or your scan reveals 8000 then that's on you tbh

Yh correct, It did mentioned as well. My bad

helloo

i need help with the question im doing rn

For the record it still desn't work so I created an erratum here : https://discord.com/channels/473760315293696010/1310600690069934140 . If someone knows the answer to this issue, please let me know

which place should i go to to ask for assistance

If its a module, this is the right place @hexed matrix

i need help with this question

The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what is the request it is sending when we search, and use cURL to search for 'flag' and obtain the flag.
I have tried everything to find the flag but it wont even budge

I do not understand what went wrong

can you help me

can you help me

can you help me?

Dude stop @ people and asking, it's giving desperation

Like chill

ok

i need help with the skills assessment test for the web attacks module. I'm at the last step where i need to do an xxe to get the flag content. when i try to do the LFI bit, i stop getting any output in the field name so i get an empty response like this: Event '' has been created. what am i doing wrong?

Did you "search for 'flag'"?

does any one finished the wifi pentesting module ? iam stuck at last step

there are a few

which one to be precise and section

Connect to the WiFi network and submit the flag found at IP 192.168.1.1 or 192.168.2.1.

i have get the essid and the password but it gives me error when connecting

I don't know which module you mean exactly, but what does the error message say?

Wi-Fi Penetration Testing Basics

the skill assessment

Okay and what does the error message say?

Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
rfkill: Cannot get wiphy information
nl80211: Could not set interface 'p2p-dev-wlan0' UP
nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
p2p-dev-wlan0: Failed to initialize driver interface
p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
P2P: Failed to enable P2P Device interface```

Try it as root, not with sudo

no thing also

$ sudo su
# wpa_supplicant -c wpa.conf -i wlan0

Do you get the same error message?

yes

i don't know what is the problem i have tried all solutions and the machine is without interned so i can't install the required dependicies

Is there any admin that can help me getting price quotas for Cloud environment BlackSky for businesses?

You'll need to get in touch with a sales representative through the website

I'm stupid, I searched it up and it was in fact to search flag right away

All good, it happens

Hey everyone

How are you all doing?

Thanks, is there a quickchat function available? Dont want to use a "company" email for obvious reasons.

There is, but they are more general stuff related than sales

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

Thanks will try that!

Did you change the mac?

Anyone solved skill assesment forwifi pentesting basisvs

Im trying to solve 2nd question password for wifi network with bssid d8 d6 3d eb 29 g5

there is no users on the network so i can spoof there mac

Look again in the module. It will explain how you can obtain a password

what about the last

Unfortunately, I can't do anything with the error message. Have you tried connecting via gui?

yes but i got nothing also , i though that the error is in the password or the name of the network but i have searched for 3 passwords of the 3 networks but i got one only which i submitted in the question 2 , so idon't know i am going in wrong way

Can you check your dm

Hello, I'm new to this field. I'm in the process of solving the alert machine. I'm having a few problems. Could someone help me?

#1309940693002752140

windows fundamentals module -> introduction to windows.
the lab it spawns doesn't even ping, and it looks like any lab spawned in this exact module doesn't ping.
i tested other modules, the labs' pings normally, what may be the issue here?

Windows, by default, has it's firewall setup to block ICMP requests so it won't respond to ping. You can use nmap to validate the RDP port is available:

$ nmap -sT -pT:3389 10.129.83.21 -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 12:15 CST
Nmap scan report for 10.129.83.21
Host is up (0.0086s latency).

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

but i can ping other windows labs such as file transfer windows labs

Often times they turn off the firewall in the labs, but not in your case in Windows Fundamentals.

or at least modify the firewall to allow ICMP

ah fair enough, gonna test the port, thank you for clearig the confusion 😄

Sure, even better since you have access to the lab machine as Administrator, you could turn off the firewall and try pinging again. Playing around with things really clears up the concepts for me.

accepted the fact that ill probably never complete the wifi pentesting basics skills assessment 🔥

Im trying to somve the last question

Conect wifi network and submit flag at ip 192.168.1.1 or 2.1

haha i was just being dramatic i just finished it

I have completed the cpts and cbbh and done zephry, dante prolab. I used the prolabs to further learn the art of report writting. Also I have completed 61 machines from the tj nulls for OSCP and i find myself been able to complete easy-hard machines with little to no write-ups. I don't plan on taking the cpts or cbbh certs.

Questions

1. Do i need to go over the oscp course materials and pwk to pass
2. what could be the recommended next step

whats your plan? Pass oscp or just get more knowledge?

For oscp you are probably well prepared, if you want to gain more knowledge the next steps could be looking into the advanced cpts path, towards malware dev (evading av and edr solutions) like maldevacademy or towards red teaming with certs like crto

Anyone available for a quick hint for the SA for Advanced SQL injection? I'm stuck on Q2 and I don't know if I'm even trying to exploit the correct vulnerability.

did you ever find a solution?

The solution is in the reading, the module itself is a guide if you're really stuck

The issue might be your grep filter grep -v '127.0.0.1' may be two specific try a broader search with grep -v '127.0.0' instead

I just finished Attacking Common Services Hard lab. I still feel like there is a lot I need to know about MSSQL and the modules didn't touch on everything I needed to complete the lab. Anyone have some resources?

what didnt they go over?

brother the module is the resource

I mispoke out of exhaustion. They did go over everything in the module for the lab, what I am meaning to say is that I want a deeper understanding of why certain things work. For example when identifying users that we can impersonate it gives us the following command to use: 1> SELECT distinct b.name 2> FROM sys.server_permissions a 3> INNER JOIN sys.server_principals b 4> ON a.grantor_principal_id = b.principal_id 5> WHERE a.permission_name = 'IMPERSONATE' 6> GO
What is "distinct b.name" and how would I have known to use that without them telling me to, etc.?

Just a general ask. Is brute forcing the footprinting dns exercise on a laptop from 2009 on public wifi supposed to take like an hour lmao

I'm assuuming yes, but just want to make sure.

you can use chatgpt to break down commands you're unfamiliar with

they wont break down every command shown

use pwnbox if thats the case

No

Also why are you doing this on public wifi

Distinct gives you only unique values from the column. Distinct b.name means you get only unique values from column b.name. Pretty sure that's universal in all flavors of sql iirc but take that with a grain of salt.

That's about the dumbest thing you can do

It's an htb module lol I'm not doing anything illegal.

Assume any network you don't have control of is hostile

Yeah, but if (for instance) you're opening ports for file transfers, other hosts on the network can find it

If you're not specifying an interface to bind to

Gotcha, that's important to note. I have my ftp daemon disabled and stopped atm. Currently just doing the dns module

Learn how to bind your tools to an interface :)

Idk what that means I just use systemctl and netstat to show me what I have running on my machine. Thanks for the answers marcielee and TLattice, btw. Gotta go back to work.

By binding to an interface I mean only opening the port up on a specific interface (like tun0) different tools have different ways of specifying or cfg files to use

Instead of (usually) default of all interfaces [0.0.0.0]

ok this is absolutely not supposed to happen why is this happening

this is auxiliary/scanner/smb/smb_login metasploit module

null authentication is disabled btw

idk

thank you

try nxc

Are you sure null isn't available

it's just smbclient -N right

smbclient -U '' -N //ip/sharename

oh

oh dear

ok nope still doesn't work

¯_(ツ)_/¯

Isn't that what connecting to the given .ovpn file given by the academy is for? I'm probably misunderstanding that.

What I'm referring to, more specifically, is telling a program to only listen on that interface and no other ones

I just want to add for those struggling with Knowledge Check using metasploit, using the second exploit will work much easier to get a foothold. just add RHOSTS, make sure TARGETURI is "/", and change LHOST to VPN ip. Also I suggest checking for the first metasploit exploit, make sure you got your TARGETURI correctly set. It should lead to the upload page. I did not go through with that one but I watched some help videos and thats seems to be where my problem was. I imagine its very easy to make that mistake.

Which module/section are you working on?

password attacks, credential hunting in linux

the only thing i have not tried is brute forcing ssh which i really wanted to not have to do but i literally have no idea what else to do

i'm gonna save that for later so i can have it running while i'm away from my computer

Well if you get some time between running brute force attempts and want to know a bit more about the SMB output, you can DM me.

ok so interestingly it appears the username sam does not work with any other password but every other username works with every other password

which implies... something

interesting

Can anyone give me a hint on Active Directory Enumeration and Attacks Skills Assessment part 2, question 8? I have a system shell on SQL01, and I've dumped SAM, tried to PTH with both the admin an mssqlsvc account hashes. I also found the cleartext password for the mssqlsvc account, but can't use it anywhere...

Enumeration. You've likely missed something during host based enumeration.

anyone here know python ?

and ethical hacking

im lost with this python script i made and dont know where to ask

have you tried local auth

Hmmm ok I'll take a step back

As in trying to log into SQL01 with the creds I've found so far?

If you can't seem to find anything you can DM and I'll at least take a look at what you know.

Ok thanks!

Submit the contents of C:\Flag.txt located on the Domain Controller. can someone help me with this question in Pivot and tunneling assessment

im in using rdp ip 172.16.6.25

pls help

Look for shares if you're on the last machine, check the files

#programming

How do you not know what your own written script does?

how to send image here

can i dm u

You need to link your account following #welcome

And no

I'm assuming you're on the last hop, not the DC

Check network shares in file explorer

yea im on the last host not DC

i saw the file system there is not networkshares

no *

Click on "this pc" and wait a moment

aight

you don't have to hop anywhere else from what I recall ¯_(ツ)_/¯

Iirc that's the vf* user you get to last

Ya

But shit ain't loading

Maybe I restart rdp

Also theres another IP active 172.16.6.45

I can ping to it but not rdp

You don't need to RDP

I'm guessing that's the IP of the domain controller that gives the share

Oh ok

Instead of guessing identify which IP belongs to the DC.

great idea

I don't recall needing to remote into the DC for the pivoting Assessment

I'm sure there are a few ways to do it. I know my time was about out on that one so I quickly used what I had to access it and get the flag, but yeah with what I had, I could have finished it out a few ways.

I just recall it being laughably simple

i got the flag

how to know the ip that share belongs to and like other details

or iis that in ad enumeration module

Iirc it was just labeled //DC01/ or something simple

besides maybe AEN, is AD enum and attacks the hardest and/or most time consuming cpts module?

Password in single quotes

it shows you a valid error message

so i wouldn't think it's the box

did you ever figure this out? i am facing the same error

netexec is a great tool that can do tons for you.

I see. So, I close the ticket?

Not the infra

okay i'm completely lost on password attacks/credential hunting in linux
the hint gives an SSH user/pass pair which idk how we were supposed to know? because i've tried brute forcing all three services that are open on the remote host with the provided username and password lists and none of them work. am i doing something wrong or is it a technical issue? i've had a few times in academy where i got the right solution but for some reason it just wasn't working on my computer, including earlier in this module.

reset target after each attempt

i have tried many many target resets

If you have issues with your mutated list then you're going to have more issues. Make sure it's correct.

the mutated passwords list? you mean all 187k of them? that's gonna take like 10 hours

and that's assuming the provided username works too

i tried using the provided username and a list of mutations of the provided password and that didn't work

It should be about half that amount

Ok thanks buddy

That password list is the resources one right?

yeah

You likely missed a step, it should be 93k or somewhere around there, I don't remember the exact number

ok what the hell

either way that's going to take longer than the lab is able to stay open

Use the cheatsheet command

Nd see

Yes, and your thinking from earlier can help 😉

don't tell me if i'm right but there's no way this isn't a lead, i just can't figure out what the hell to do with it

Question with Web Requests/GET. I have read the page, I have more search results in curl. I do not see any flag. It feels like I am missing one small thing.... looking in the wrong place... missing one flag...

Any hints, suggestions?

i really need to start making a list of things i've tried that have failed when i'm really struggling with a lab because approximately 95% of the time the correct answer has been a variation or combination of things that i've tried and that have failed

yea, it is just maddining.... like you can not find your glasses... spend 4 hours looking for them..... they where on your head the entire time...... Or something like, it is -U and not -u....

yep

I am not sure if the wording is messing up my tired brain...

The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what is the request it is sending when we search, and use cURL to search for 'flag' and obtain the flag.

genuinely could not have thought of a better analogy

if you're tired, just get off for the night

i can't count how many times i've been up late trying to figure something out only for me to log on the next morning and figure it out immediately and think "how the fuck did i not figure this out last night"

Yea, I am going to have to tap out then, tis that time where I go lay in bed, waiting for the insomnia to let off...

U solved?

not at my computer rn, i’m eating ice cream while metasploit does its thing

if this doesn’t work i’m off for the night

gl buddy u got this

What's the deal lol. I had to disable Windows Defender Firewall and disable Microsoft Defender Firewall to connect remotely? Are these the same thing with different names? It's just a little confusing I had to disable the same thing twice it felt like

Implies a null login

sam is an account that exists, thus requires a valid password

fiona is nice

hopefully im thinking of the right lab

HOLY FUCK HOLY FUCK HOLY FUCK

holy shit i literally used the same credentials for SSH earlier in this module and i wrote "PASSWORD REUSE" on my notes and i still missed it lmao

well either way i got a foothold

*guest you mean, right ? https://blog.whiteflag.io/blog/guest-vs-null-session-on-windows/

doing AEN blindly is really brutal too many rabbit holes at least i think they are

hi, trying to solve Footprinting Lab Easy
Enumerate the server carefully and find the flag.txt file. Submit the contents of this file as the answer.

I connected via ftp 2121 port, find the .ssh directory, but when im trying to cd .ssh, i just get permission denied, had someone else same problem?

I did this before and now I am a paranoid who spam spraying any creds the moment I get them

anyone know how to hack into friends snapchat account for fun?

ofc this is just for entertainment purposes

tell that when your friend files charges

nah we've known each other for 4 yrs

This is illegal

im not gonna do anything just text myself

tell that when snapchat files charges

Still, you’re not authorised. This isn’t the server to ask for illegal things

so does someone know why its so?

https://www.instagram.com/reel/DCuLM0LgpWQ/?igsh=MWd6YzFra2V2dnNhYQ==

I'm not able to reproduce. Maybe it's something with your ftp client?

Basically we just need to make the same request (GET request to /search.php?search=flag), but using curl

it's actually the ||User-Agent header|| that determines whether or not it shows the flag 😉

Have an improvement idea for requiring creds to auth inside modules.
At the end of a section where the target is spawned, you can click on the target IP and it copies to clipboard.
When it also specifies credentials, might it be useful to make the username and password fields clickable as well?
E.g.: Authenticate to "IP:PORT" with user "user@site.com" and password "password123"

what is wrong here

someone actually help

Did you confuse the curl command by using -h instead of -H

Also - check your json and your quotes encoding

Yeah this too

-H is not there in curl

Uhh yes it is. curl -H "<header>" URL

@karmic plover

Oh

You have to use -H instead of -h

Oh yeah my bad, -h is more like for —help

Istg half my problems is always using -h when I mean -H

oh ok

thanks it worked

however tho its saying the cookie is invalid

while i literally just copied the cookie from here

I think you should set the header cookie instead of using -b

how

okay let me try

Can anyone give some advice on the footprinting Medium Lab. I scanned TCP/UDP ports and have tried to enumerate different services. I found a fileshare related to support but can't seem to mount it I get a permissions error. I don't see another route to take, am I missing something?

-H ‘Cookie: <ur cookie>’

could you write the whole thing

cause i dont know where to place the cookie in the header

Just replace your -b ‘PHPSESSID=….’ with -H ‘Cookie: PHPSESSID=…’

ok i found it

I tried what you told me

it did work, but i still figured out how to make the -b work

now it returned this

do i need to do Content-Type too

Yup

🙂

Delete that

@hexed matrix

I don’t want you to get in trouble

mb

so basically yes i found the flag

thanks for the help

Ay no problem mate dm me if you need anymore help

Oh btw what module are you on?

Web Requests

Oh that one

the one about GET reqs

what does the hint say

well now im onto api

GET request but somehow what you’re doing is sending POST request 🙂

oh shoot

i meant post

Hehe

which one are you on

web requests are fun, I can never understand them, but they're fun

so that means even if i do not understand this chapter i could still do the others without being affected right

I just completed ffuf

Funny how I learnt to use those stuff before I actually learn the module

I learnt sql injection before I knew how to use burp suite

Something like that

Kinda weird

not right

The best way to understand is to practice

the web requests module is enough to understand web requests

i do understand how it works

but i could not memorize the things to type in

do i need to llike memorize the commands and stuff

no

Saw you post this here, so I moved my comment. I'd look into that NFS a bit more.

Thank you, I'll keep trying at NFS!

i need help with this exercise https://academy.hackthebox.com/module/35/section/219

Some please help me with the exercise I copy pasted above

Cause I suck at hacking

And can’t figure it out

What exactly is not working?

Hey so I was missing running NFS as root, I have a user and a password which I could use with RDP. I'm on the system but can't seem to connect to ssms with those creds, right click run as admin doesn't take the same found password, and RDP as admin with password re-use doesn't seem to connect. I know I'm on the right path just missing something around the account to use, any hints?

If you find creds, I would always pass them around to see any access they might provide and not focus on any one thing.

OOOOOOHHHHHHH I knew it was something I was not clicking in my brain, thank you.

Instead of memorizing try to understanding what the command does

Because we always have —help or man in every tools

And every tool follows a basic usage pattern

1-2 months ago in my case

so I have passed them around open services and within the RDP from the account I found. I have tried guessing accounts like admin and administrator but not getting much.

Be patient bro

You can DM the creds you identified, so I know exactly where you are.

Attacking Common Applications
Exploiting web vulnerabilities in thick client applications

So...I modified the Invoker and the ClientGUI thingy, compiled it and made the traverse jar, instead of doing it 1 by 1 and taking time.

For some reason, the .jar displays the content of the file instead of downloading it. I have used the 1:1 script provided in the module, anyone got an idea what could be the issue?
I am stuck for about 3+ weeks on that.

3 weeks is crazy

It is.

have you found the solution?

can anyone give me some tips on command injections module? i cant find the injection point, and there are over 1000 lines in the http response. ive tried a few things but im not getting any useful outputs so far.

what section is that

I was literally stuck on this module like yesterday lmao

skills assessment