#modules
okay thanks
guys how do i use an ovpn file to connect to a vpn server?
this is xss prevention?
sudo openvpn "name of file"
oh so i need to install that package first right?
yea
It's installed by default on Kali and Parrot
How will the purple modules count in completion percentage?
Will there be a new percentage "blob" or will they count for both?
any idea why I'm encountering an error with an SSH connection after I connected to the VPN?
Hi guys
idk what to do with the vpn cause its causing some kind of connectivity issue when i'm using ssh
Can u pls screenshot? I may not be able to help but someone else may be
@pine dune
Guys can someone help me pls
connect to the HTB Academy network using openvpn
$ sudo openvpn /path/to/file.ovpn
then SSH to the target machine
$ ssh htb-student@10.129.x.x
whats the issue?
I got my acc gotten from a hacker
yes but for some reason it says "no route to host"
which website
Reblex
contact their support then
They said I don't have enough info but I have photos that the acc is mine
U need to use the ssh username shown in the following syntax `ssh@username` then enter the password they provide
well we can't do anything about it
Ok
It's ssh username@ip
its not even connecting, i did try to do that
What do you mean "not even connecting", screenshots help
Also
you're replacing 10.129.x.x with the target IP address?
Need to speak to a person? Learn how to reach our support via HTB Labs.
Also try changing vpn and pinging ip
yep
Yes this
A target isn't even spawned in the initial screenshot
doesn't mean they haven't spawned it
Sorry phone on 1 percent @fathom pendant will be more help than me anyways and calcuore
but.. have you spawned the target?
ofc 🥲
show us screenshots of your steps
I'm busy cleaning and prepping for a move so I'm in and out, and a game just dropped that I'm downloading
okay
Path of Exile 2 early access because copium
that's not the same IP address
Are you connected to the vpn?
yes
if you do ip a; do you have multiple tunX interfaces?
lemme check once
if so sudo killall openvpn then reconnect to the vpn
it's showing me some real mess
... it's beyond my comprehension
ip link for less information
we can only help with as much info as you give us
it should show your interfaces
"it's showing me a whole mess" doesn't help us figure out your issues ¯\_(ツ)_/¯
uh sorry but whats tunX ?
wait lemme retry
and another question
why is it necessary to connect to a vpn?
cant i just use ssh to connect to that ip directly?
because the machine isn't accessible from the internet
it allows only certain ips?
your machine is not in the same network as the machine you're trying to connect to
one way to communicate with the target is to use a VPN to connect to the same network that the target machine is in
so is it necessary to be on the same network to connect to that machine?
so not necessarily always?
if you're unsure, safest bet is to connect to the VPN
can you please explain what's it saying in here?
I'm a little unsure with what it means by "fingerprint"
and why did it not connect previously up until i used sudo killall openvpn
it's a host key for the server to verify its identity
most likely because you connected to the VPN multiple times and didn't close your other connections
the first time you connect ssh doesn't have this key on record
you're connected to the target here
you eventually have a whole bunch of diff host keys that will yell at you for various reasons
and this message basically means ssh has no clue the server is who it says it is
the message on logging in is just the "here's what happened since last time" message
not "ssh has no clue"
so basically it does not have any record of any host with that fingerprint?
yes
fingerprinting is how most devices ensure that there hasn't been any tampering on the other end
and the "host" in here is the target machine?
yeah, pro tip split known hosts for different environments
the message "the authenticity of host x can't be established"?
how is that supposed to cause an issue?
if you have multiple connections to the same endpoint that are all giving you the same IP you get Network Collisions
where no traffic can escape because it doesn't know how to properly route it out/in
so in layman terms there's basically 3 clones and 1 original but just because we can't identify the original one we can't kill the other three and let the original one go?
@fathom pendant
it's treating all connections as valid
and because of how the VPN connection works, it assigns you a static IP whenever you connect to it
Performance of the Citrix Breakout section of WinLPE is so bad I'm having to do this.
so basically the conflict is arising because i can only connect with one connection meanwhile i have a bunch of connections open, which are all valid according to the host
not the host
the VPN server
the VPN server that's assigning your IP
so it cant figure out which connection to use to connect to the host ?
since its assuming all the connections are valid
yes, as there's no conflict resolution system in place
oh
and how are all the connections different from each other? don't they all have the same ip?
it's not that there's no conflict resolution in place, it's that it's assigning the device the same IP
so tun0, tun1, ... tun10 would all have the same 10.10.x.x IP address
so the routing process doesn't know how to resolve which interface to resolve it to
so... basically there's no conflict resolution system in place
again, not about conflict resolution
LOL
you're not gonna have the same IP as another user
so there's no intelligent mechanism for handling multiple clients in place?
there would be no need for you to use multiple vpn connections from one device
and using the vpn connection on multiple devices also causes issues, as the VPN pack has an assigned IP to it
because there's no conflict resolution system in place
idk why you keep running back to conflict resolution LOL
it's like you just learned what that is in networking and are calling a spade a horse
so when I say I created another connection it basically means I opened up another instance where the vpn server assigned an ip to me, but creating multiple instances results in a network collision where it's treating all the connections as valid since they all have the same ip and hence it can't figure out which connection to use to connect to the host and permitting none at last
if you strip away the jargon what you're dealing with is resource contention, which is basically what conflict resolution is
yes
resource contention would be if it wasn't statically assigned and it was trying to get an IP from a DHCP server, not what's happening here
if you don't manage the resources yourself openvpn will merrily assign what it can and that's where the "conflict" happens
can be prevented with a conflict resolution system in place
that has nothing to do with how HTB handles the vpn system
uhh guys which one is the machine hardware name in it?
the only way to prevent it would be to hardcode a check to see if an instance of openvpn is running
uname --help
okk
are you talking about a conflict resolution system?
but there's no resolution that needs to happen on HTB end
as this issue only occurs locally if you're a dummy and run multiple instances of OpenVPN
but again, you're not contending for the IP being resourced
¯\_(ツ)_/¯
we can keep going in circles all day bro
there's a reason the vpn connection doesn't dynamically assign you an IP
i get what you mean
the conflict resolution system needs to be implemented locally
i'm tired of running in circles with you
use one of the commands listed in the module
there's nothing as such in the working dir, I went into "/" but even there there's nothing as mail; it's possible that mail is a subdir of one among the many that are in "/", but isn't there any more efficient way?
ok
Hi everyone! Has anyone had any success with the Exchange Portion of the MSSQL, Exchange, and SCCM Attacks module? When I try to log into OWA it just redirects me to a blank page. None of the tools(mailsniper) seem to work either.
Having issues with the first question on crackmapexec skills assessment. I've ||got a list of users with --rid-brute 10000|| Not getting anything when ||asreproasting||. Any help would be awesome.
I don't think the exchange module is working properly.....
nvm got it
why's that
After trying to log in to owa with the given credentials of htb-stdnt, the page doesn't load
I've tried waiting 1/2 hour but it still wasn't working
strange stuff
yeah :/
you need to make a post in #1234357888114364508
I was hoping someone could confirm that what I was doing was right/wrong
before reporting an error
used to take 8m or so for me to boot but it did end up running in the end
I'll try and spin it up again
did you login to owa with inlanefreight/htb-student?
thanks
the RDP was working for me, but none of the tools that used owa were working
like when trying to get the Global Address Table with mail sniper, it errored out saying invalid xml
and that was just me copy/pasting the exact command from the module
I'm booting up the target, but it'll take a few minutes
I really appreciate it
that awkward moment where you are not sure if the target is still spawning or if its broken and you are just waiting
it happens after trying to log into owa
the target spawns fine, and I can RDP into it
but anything owa-related fails
I mean its not spawning for me yet lol, still waiting for an ip
Sure
after trying to log in as inlanefreight\htb-student it just loads this page and never does anything
yikes maybe try refreshing the page
got an ip now
yea I can log in normally
I did it with INLANEFREIGHT.LOCAL\htb-student
It can take up to 10-15 minutes for exchange to fully load
yea
lol now it is saying the username or password is incorrect instead of redirecting me
Hello
Ad directory attack - skill assessment part 2 - question 4
I have been stuck on here basically for 12 hours of computer screen.
I decided to look it up and turns out I already did many many many times the crackmapexec commands and it never gave me the username.
I'm on mobile and I'll send a pic of the output but it's never gave me the answer.
Also I tried all commands and all variations of commands from password spraying - making a user list and not one of those commands gave me a user list. By all variations of commands I mean:
Enum4linux, with creds, without creds, copying it the same way as the module , downloading enum4linux-ng.py and trying with and without creds and with all flags that could help get a user.
Tried all commands of rpcclient but this one just says logon failure immediately so I figured its a creds problem.
Ldap also immediately gives me network error.
I found a user with kerbrute on DC but it's not the right user.
Now finally CRACKMAPEXEC, oh my beloved, turns out this is how you solve it, it always gave only one output, Ik I can't spoiler previous questions here but yes it basically tells me that the credentials for user A are right, I never got any different output ever from crackmapexec and I'm not kidding I changed ALL the flags multiple times. The only time it gave a different output is when I'm enumerating smb shares but I can't connect to those.
Also I tried the only script from internal password spraying from windows and I get the first line of output which lets me know I imported the .PS1 file correctly but I let it run for 40+ minutes and i also got no output from that.
This is the only question I had to ask for help for during this skills assessment
Literally the only question, I was thinking holy shit if I can finish all of this assessment without getting stuck I'm a fucking rockstar
Hi, anyone solved the skills assessment for Malicious Document Analysis module?
Is there a way to see when your cubes regen (monthly subscription)? I tried looking in all the settings on dashboard but you could change plan but it didn't give me a date
in the billing section if you select monthly plan it tells you when it renews
perfect thanks
You can send me a DM.
Thx
Dm what u did so far
Hello, for the Windows Attack and Defense > Object ACLs (https://academy.hackthebox.com/module/176/section/1789).
I managed to generate the sharphound ZIP file.
How do I get to visualize it in BloodHound? I tried downloading bloodhound from Github, but it wouldn't let me.
The remote name could not be resolved: 'github.com'
I guess it's locked on this machine.
Does it have bloodhound installed already? I can't find it anywhere.
I am trying to replicate the graph shown in the section.
You can install bh on your own machine, the pwnbox also has the legacy CE, which if i recall the user/pass is neo4j:neo4j
Did anyone else find the pivoting module super awkward, i'm following parts step by step but getting different results to the exact same things run from the lessons
then you aren't following step by step
followed this one step by step, meterpreter session doesn't get established with the exact same two commands
socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443
msf6 > use exploit/multi/handler...
@lusty thicket did you not find the same with that module?
i haven't done that module
so how do you know I'm not following step by step then
did you set the payload in msf console?
@fathom pendant this is the response i get in msfconsole
msf6 exploit(multi/handler) > run
[*] Started bind TCP handler against 10.129.202.64:8080
[*] Sending stage (203846 bytes) to 10.129.202.64
[-] Meterpreter session 3 is not valid and will be closed
[*] 10.129.202.64 - Meterpreter session 3 closed.
its session 3 because i tried it 3 times got the same issue each time
is your listening portion on your tun0?
OH
I KNOW THE ISSUE
you need to use the SPAWNED TARGET
not the example IP
but that is the same IP i got in my target
is it?
yeah 100%
Did you get the backupscript.exe to the .19 host?
i mean either way, (being totally honest) getting the bind shell isn't even necessary to answer the question
just reading comprehension
yeah true but that kind of makes it more frustrating because i feel like im jumping ahead and missing something
no ricky but thats also confusing because it doesn't mention how thats done
you can use any pivoting method you prefer
is that needed for it to work @gray yacht
you transfer the file over to the windows host; as it shows a forward to the windows host for RDP
You can use SSH or like marcie said other methods, but to trigger what is being shown in that section, you need to get the executable file to the windows host and execute it.
i think or just to the windows host
thats frustrating because its only shown in the image nothing is mentioned in the text from what i can see
And i don't know how im meant to do that
In a previous section you had creds for a victor I believe. You can use them to RDP with SSH
^
ty checking!
this section reuses creds a fair bit, mostly because it's a showcase of pivoting not so much exploiting
xfreerdp /v:localhost:3300 /u:victor /p:pass@123
yeah that makes sense, but i would rather get it to fully work, i feel like im not learning if im not doing the full thing from start to finish
well yeah, i'm just stating, it seems like this section is bouncing off the previous section
true
which can feel clunky for sure
100%, ahh man xfreerdp isn't on the pivot machine
(and maybe something for /feedback, or #1234357888114364508 )
SSH from your machine
you can't rdp from an ssh session anyway
but i can't get to the windows machine can i though that was the point of this
there's no display variable set in an SSH session
use a previous pivoting technique to set this up
ssh -L 13389:172.16.5.19:3389 ubuntu@IP
Try that from your VM
Then xfreerdp from your vm with a similar command to what you used earlier. Add a drive to make the file transfer super easy.
the way that it's poised is "hey what if you social engineered this dude to run this malicious backup script"
so in a realistic sense, you wouldn't need to go in and detonate the payload yourself
ty guys, that did it @gray yacht
Yeah that's how another one was setup and it can be confusing, as it isn't explained for those who don't really understand that stuff yet.
but there's also a valuable lesson to showcase "if it isn't working, this is what you'd expect"
yeah true, sometimes thats the best way of learning, when it doesn't work
it would be handy if they had some videos on this module though just to make it super clear
not sure why they don't put videos on academy 🤷
imho documenting what to expect if it's not working is valuable for learning
because it bypasses the actual learning, and someone can just skip to the end and submit the flag in the video instead of putting in the work
Would be a pain to fix videos, at least that's one aspect I can think of.
not to mention whenever a module gets updated, they'd also need to update the video to match the content
Ha, that's another. Folks putting them on 2x fast and still asking for hints, lol. There are some legitimate questions or assists, but then some are easily answered in the content.
no i don't mean walkthroughs where you see the flag, i mean like teaching the material
the only content that can have videos for it is the free content (Tier 0) content
it'd be hard to do that, but it is something i've considered reaching out to g0b and the team about for trying to do an explainer series for the module reading
but you get into grey areas where the module sections are the walkthrough for it
i.e. Attacking Enterprise Networks module
my guess is due to the annual sub they want to sell, as that does include walkthroughs.
the annual walkthroughs are shit for explaining what to do tbqh
they're good for sanity checks
i think videos would be really good to help those that don't learn with reading as well as seeing it done
it also runs into the case of people sharing the video of paid content so they don't have to buy/do it themselves
it could be done with different creds, etc and flags so as not to give it away
true, but people could just share text tho right
that's a lot of extra work tbh as the flags in academy are meant to be static
i guess it would have to be a different environment then
yeah, but are you more likely to read a wall of copy/pasta text -- or watch a video
your idea has been pitched by others before, it's just not something (at this time) that HTB has any intention of doing
mostly for the cited reasons I did, and the fact that they'd have to also update videos if/when content gets updated
yeah true
i.e. for the info gathering - web edition, module there was a massive overhaul of the module so they'd need to make a whole new video
what did they change in that
so its not like they could have a different environment so that the principles stay the same,but the users, passwords, flags, ips etc are different
and because of how backend shenanigans work, when they updated the old answers were still there for the new content questions
ahh
i.e. instead of grabbing flags from various subdomains (imo this was better), they just had you submit the various subdomain names you get from fuzzing
mind you, you still had to fuzz for the various subdomains to grab the flags from
but imo having to subdomain fuzz, and grab a flag, reinforces the idea of you doing it right
but you can find vids galore on the various t0 modules
i've considered recording content for t0 shit at one point but gave up bc it's boring to me
t0 modules?
I'm still stuck. I must have 12 hours now on these three last questions for Web Information Gathering Assessment.
did you check for subdomains? :)
i need to run back through a handful of modules and re-update my notes and compile a quick-sheet
what part you stuck on @flat patrol
the last questions from the skill assessment, i'm guessing
i haven't updated my notes to reflect the new Skill Assessment, should probably do that at some point
thanks for the help @fathom pendant really appreciated!
it's good to note here as well, even if you don't think it would be worthwhile to go back and do updated content -- do it anyway as you may have a different perspective than when you first went through it
https://academy.hackthebox.com/module/158/section/1431 --- plink and proxifier both tools used in the examples of what we could use on the windows machines don't exist on the windows machine when you connect
you can always transfer them
xfreerdp /u:user /p:pass /v:ip /drive:name,/path/to/folder
man sharing all the golden stuff here nice ty
not something that hasn't already been shared before
¯\_(ツ)_/¯
also read the man pages
i dont remember that in the modules so far but i might be wrong
it's not
the typical file transfer methods were shown in the file transfers module, like standing up an ftp server, smb share, web server
yeah i should probably go back and redo that one
i might be being stupid here, but i used that command, i see the drive in the file explorer but it says i don't have permissions
ah its working now nvm
thats so useful ty!
Anyone able to help me figure out why I can't get nmap scan to run through proxychains?
I ssh to my compromised ubuntu server using
ssh -D 9050 ubuntu@10.129.209.111
The connection is fine, but I am still unable to reach the windows host using
proxychains nmap -v -Pn -sT 172.16.5.19
i've been getting the same issues @distant swift you on the pivoting module? haha
Yes, page 3 question 2
are you sure you setup proxy conf correctly?
@lusty thicket My "tail /etc/proxychains.conf" matches that of the lesson.
that might be your problem, i believe the newest proxychains uses proxychains4.conf
if everything is setup correctly, it should work. reboot the target and let it fully spawn 3-5 mins. if it still doesn't work, it's very likely your setup
do you have the socks proxy set up on msfconsole too @distant swift
he needs to set it up with proxychains4.conf
that too though right? but the lesson also mentions having the socks proxy set up on msf console before using proxychains nmap, or am i misunderstanding?
he didn't mention that, he just said he's using dynamic port forwarding with proxychains
ah ok thats not the method in that lesson specifically but ok
yeah it is
it goes on to explain using metasploit with proxychains as well, but from what they posted it doesn't seem like they're that far in the section yet
ah yeah i must be on the page after
same page, it's just a small section at the end
@dim ridge No, I've only been trying to get nmap to work thus far.
Yes thats the one
ah yeah sorry i was looking at the one a little later about meterpreter
what result do you get when you nmap @distant swift
nmap -v -Pn -sT 172.16.5.19
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-06 20:09 EST
Initiating Parallel DNS resolution of 1 host. at 20:09
Completed Parallel DNS resolution of 1 host. at 20:09, 0.00s elapsed
Initiating Connect Scan at 20:09
Scanning 172.16.5.19 [1000 ports]
Connect Scan Timing: About 15.50% done; ETC: 20:12 (0:02:49 remaining)
Connect Scan Timing: About 30.50% done; ETC: 20:12 (0:02:19 remaining)
Connect Scan Timing: About 45.50% done; ETC: 20:12 (0:01:49 remaining)
Connect Scan Timing: About 60.50% done; ETC: 20:12 (0:01:19 remaining)
Connect Scan Timing: About 75.50% done; ETC: 20:12 (0:00:49 remaining)
Completed Connect Scan at 20:12, 201.29s elapsed (1000 total ports)
Nmap scan report for 172.16.5.19
Host is up.
All 1000 scanned ports on 172.16.5.19 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 201.33 seconds
what do you get back if you add tag -p3306,3389
still nothing
sorry try 3389
Try sudo
I tried it as sudo, nothing differs.
does anyone know how i can hack my kick account back
like the streaning website
streaming
you are doing 'proxychains nmap -v -Pn -sT -p3389 172.16.5.19' right?
No one here is going to break the law and risk prison for your kick account. Your only recourse is reaching out to kick support.
It's showing its reading from /etc/proxychains.conf here
oh well. keep trying or give up then. this isn't kick support discord, no one can help you here.
lol
I actually think I had this same issue. Does the module require you do this because I recall just ignoring this problem and connecting with RDP as if I could ping it anyway
is that illegal?
to hack your own account
i just need someone to tell me how not do it
its not 'your' account, it's kick's account that you use. yes it's illegal to attack their infrastructure without their permission.
^
oh
im cooked
i had 40k followers
i think youre right @acoustic thorn
then you should have no problem reaching out to kick and getting access back
they say theres no way of verifying its me but ill try harder
🤷
@distant swift What does ur proxychains.conf look like?
you have your answer. no one here can help you, i'm not going to keep repeating this. this channel is for discussion about the hackthebox modules and isn't the place to discuss this. reach out to kick support, again, they are your only recourse.
I couldn't make sense of the issue. I tried pinging a million different ways before telling myself it was bugged. I'd be curious to know if there is something I've overlooked though
also @distant swift what is the result of this on your machine where your proxychains config is ls /etc/ | grep proxy
@cloud urchin may i ask what is this sever for?
not a hacker for hire server
This is for students of htb academy
omg I'm so sorry I thought it was hacker for hire
does anyone know where i could find that tho
anyone telling you they can do it is lying and trying to scam you. you need kick support.
i don't know the laws, I thought because it's my account I can hack it
- you could be someone trying to hack someone elses account
It seems to work with specifying the port specifically.
yea you can never trust anyone i guess
you're missing the other party's consent
weird, but good stuff that it's working, try to rdp to it
It worked.
I'm still not sure why I can't see anything using "proxychains nmap -v -Pn -sT 172.16.5.19"
Thank you for your help
Proxychains sucks at relaying tcp scans
I'd be willing to bet if you repeated the same steps on another machine it would work fine
In general
that is true, but this is specifically the command given in the pivot module to use
Do you prefer ligolo?
It's a much better tool, yes
he's on dynamic port forwarding in the pivoting module
going to move to that after this module
i tried ligolo for the first time the other day, seems nice, but i need to figure out how to double pivot it wasn't working when i tried
It worked fine for me
I'll have to give it a go
so easy to just port forward crap
sshuttle worked nicely just now
You need to port forward a listener for a new agent
i think i need a htb module on it because i'm dumb i wish they included it in the pivot module
ahh
well that explains it
It was in like 0.4 when i went through the pivoting module
Has anyone noticed a large amount of bot traffic recently? I've been seeing a lot of GET requests from random IP addresses seemingly looking to exfiltrate from my python http.server during module exercises. I should clarify I usually use the attackbox
that's been going on for 30+ years
i remember connecting my pc to dialup and it would instantly be scanned
Lol well I'm seeing a lot now but fair
just run it on the vpn nic instead of publicly
can somebody help with the web module for beginners
how do you mean @cloud urchin
probably, ask your question
I hadn't thought of that actually, what would that look like exactly
The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what is the request it is sending when we search, and use cURL to search for 'flag' and obtain the flag.
idk how accurate this is but chatgpt says to use `python -m http.server 8080 --bind 192.168.1.100`
Most commands that allow you to open ports also allow you to specify which interface to open those ports on [all interfaces by default]
--bind is the right one
marcielee knows too much
it is
I got bored one day and spent a lot of time on google
So to be clear the --bind/-S restricts connections to the specified ip?
apparently, try it out
ah ok i get ya sorry i wasn't following, in context of a python http server
so you're hosting it on the private address to avoid it being reachable publicly no?
In this case it was being hosted publicly, just wondering about the parameters that were mentioned
i don't recall any module that requires a public http server being open
Maybe I'm misunderstanding lol
me neither hehe
it's late, I'm not sure I'm understanding much 😴
Where did you see the traffic though, and im assuming you just did something like python3 -m http.server?
I feel the same lol I'm not sure I'm making sense. Time for me to wrap it up haha
Yeah exactly
that should keep it on the private ip though, shouldn't go public
That's what I thought so I was surprised to see random ips interacting with it. A mystery for another day I suppose 😴
are they public ip's?
are you using a vm? it depends on your network setup. you'll need to be forwarding ports unless you have a device in the dmz or you have just a modem.. not aware of any modern router that allows traffic through and routes it to a specific device without explicitly setting it up
I ran an IP lookup on one, it geolocated to Finland so probably but I'll admit since I'm just on the attack box I didn't dig considerably
do you mean you're using the pwnbox?
Yeah
A mystery for another time haha
that makes more sense though as those pwnboxes are internet connected
Yeah I'd be very concerned if I was seeing that on my personal vm
Definitely going to try that --bind trick though thanks for the tip
Im kinda new to discord, why can't i react to messages with emojis on this server
probably need to follow the instructions in #welcome
I love this kind of details lol
anyone else able to get the web page loaded through the browser here, mine times out
i was able to yeah
hmm :S
weird, my rpivot connection is successful, then I run this but it times out in the browser: `proxychains firefox-esr 172.16.5.135:80`
was it the writing error?
you could also use foxyproxy and just set the port to whatever you're using
yeah good point, i'll try that ty!
I made a couple of videos on this I could share with you if you'd like.
same issue, doesn't seem to be the command, seems to not be reaching it not sure
sure
I didn't even bother with rpivot, just used ssh -L
Want me to DM or just post them here.
i think here is fine?
haha it seems like everyone skipped over this modules tools, surely they need to update it then
Demonstration of how to use ligolo-ng to perform a double pivot with Linux and Windows hosts.
Contents of this video
00:00 - Intro
03:06 - First Pivot
09:04 - Second Pivot
16:37 - Conclusion
Ligolo-ng:
https://github.com/Nicocha30/ligolo-ng
Demonstration of how to use ligolo-ng to perform file transfers and establish reverse shells originating from internal pivots on Linux and Windows hosts.
Contents of this video
00:00 - Intro
00:33 - Lab Environment
02:49 - Configuring Pivot One Agent Listeners
06:43 - File Transfer Pivot One
08:40 - Reverse Shell Pivot One
10:09 ...
thanks
Np.
the alpha releases have trouble with double pivots in my experience
0.6.2 has been my go to.
Yup
trying it with SSH -L still getting a timeout for port 172.16.5.135:80
How are you running it?
ssh -L 13389:172.16.5.19:80 ubuntu@10.129.202.64
Hey guys
Should be to the .135:80 right?
🤦‍♂️
haha oops, i used bash history and forgot to edit the ip
yeah this is my last flag for the night haha
All good
hmm still getting timeout tho
ssh -L 13389:172.16.5.135:80 ubuntu@10.129.202.64
firefox-esr 172.16.5.135:13389
Think about what the SSH command is doing. How did you connect via RDP earlier?
Using these
ssh -L 13389:172.16.5.19:3389 ubuntu@10.129.202.64
xfreerdp /v:172.16.5.19:13389 /u:victor /p:pass@123
localhost
Nope, lol. Add this stuff to your notes.
doing it now haha ty
hi everyone! was curious if anyone could nudge me about the password pattern for the exchange modules' spraying exercise
Ive tried Season2021-2024!
and Inlanefreight2021-2024!
Hi, seeking help for injection attacks skills assessment. I can read the /etc/passwd but i cannot find the internal page.
Can you read the / directory and find the filename you need?
Curious if anyone has ever gotten JuicyPotato to work without access to Visual Studio. The version from 2018 hosted on GitHub doesn't cut it for the modules and the CI is completely gone; where else is a prebuilt binary available besides an attempted pillage from the SRV01 box?
And what alternatives are there for exploiting SeImpersonate? @gray yacht any ideas?
Hi guys, so
Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
So i tried everything and its not working
the max response is 7
is it normal for the ADCS labs to take a while to deploy? mine has been deploying for ~10 mins
No. /flag.txt doesnt work
what module
what about PrintSpoofer or GodPotato?
Windows Privesc § Assessment 1. Have SeImpersonate but all the prebuilt binaries I'm seeing on the Internet are 6 years old and thus incompatible.
oh yeah the juicypotato worked
already tried refreshing the page :/ also im tryna practice XSS and this is the only easy one there
Didn't for me. Getting timeouts because the only binary I can find is from 2018.
its all about the -c option
what about another machine
wanna try an easy machine first
Perfect, that was all I needed.
hey Guys
i am stuck with a question in the Attacking Enterprise Networks module
i already exploit the vulnerability but i can't find the flag anywhere
Happened to me too yesterday, after 10-20mins of waiting the loading state reverted back to « click to spawn target »
(And then it worked)
I'm pretty sure there was more to that vuln
You should be doing the module blind tbh, meaning not even looking at the questions
As the module itself is the walkthrough
For LOLBAS: RunDll32 on the Windows evasion techs, they use a local package source but I can't find anywhere to download it
They show this but I cant see a download for it anywhere, can someone point me in the right direction?
It shows the path right there, this is just because the box doesn't have access to the internet so nuget doesn't work on it unless they do it this way
you don't need to dl anything
The file isn't on the box either, i did check. The idea is to compile outside of the box
I just used the normal source but figured I would ask anyway
the module comes with 2 instances, theres a dev box and a target box, you need to spin up the dev box from one of the early sections and in there it should be
if you want to build it on your machine then just use the normal source yea
Ahhh okay, thank you, I didn't remember the dev box
Hi guys! I'm stuck on Information Gathering - Web Edition, I tried everything I learned during this module but I didn't manage to solve the last three questions. Could someone help me please!
I'm stuck in "Advanced XSS and CSRF Exploitation
XSS Filter Bypasses", can anyone help?
Sure
Lmk what u have tried so far
What exactly is not working?
Send me a dm so as not to spoil anything
Hello guys, I'd like to ask you some questions because I'm new and don't know much about it.
-
In Kali Linux when I scan my network with /24 I can see that my mobile and my laptop have open ports, like 53/TCP. Could you please tell me how I can hide my open ports and generally hide any vulnerabilities pls?
-
When I try msf or a toolkit to make a session, every time something is missing and it doesn't work. So can I have a specific command, download or something to make me strong?
Last one, on Hack The Box when I open the machine I can't work on it. Is that because I should start easy till I learn?
I would appreciate getting your answers.
Many thanks
Module fingerprinting: "What version of the SMB server is running on the target system? Submit the entire banner as the answer."
nmap -sV -sC RHOST -p445 says:
445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 4
But Samba smbd 4 and smbd 4 aren't accepted as correct answers.
Good afternoon, I am running a lab on Attacking Common Services and I cannot make these changes in the temp folder on the created machine, it gives an error that there are not enough rights. What is the problem, has anyone encountered this?
try to use nc to connect to it on that port. The answer expects a version like x.y.z
That just gives (microsoft-ds) open and nothing else
if you try to do "nc <ip> 445" ? without nmap I mean
Yeah it doesn't return anything
okay my nmap -sV -sC scan returns the full version number
outdated nmap or something?
Wow I've found another example of a module task only working in pwnbox. Pwnbox returns a different version number
what version is your local nmap?
Same exact command sudo nmap -sC -sV -p445 -vv RHOST
Nmap version 7.95
weird, my vm has 7.94SVN and gives the right results
pwnbox and personal machine getting different results also occurred to me in the firewall / IDS evasion medium lab.
Searching on google it seems this error isn't a one off either.
I only remember having issues with this once where nmap would return the wrong string instead of the flag
99% of the rest I could do on my own machine
That might have been the firewall / ids one.
same version in this case, so not a version issue normally... I've done this on a parrot VM and didn't have the issue, for what it's worth
Hi guys, currently doing ( Documentation & Reporting - Notetaking & Organization ) and the question is " Steve is learning about the tool that can make logging a session easier. He messages you for help mentioning that he would like to try to split the panes vertically. What do you tell him? (Answer format: [key] + [key] + [key], i.e., fill in the values for "key" and leave the brackets and + signs.) " I've tried everything so far, I'm not sure what I'm missing
did you solve this?
4 keys total
yeah i got it thanks
i had to install nasm
Cool. I solved the first task in the assessment, but I've been stuck on the second Task for days. So, if you can help me with that, it would be awesome. Thank you.
if it's memory allocated dynamically with mmap or malloc, it defaults to non-executable; make it executable
might be wrong tho without any context
Hi, can someone help with machine Certified
i'm not to the skills assessment yet- i disassembled disasm.zip but the flag is a mix of "leat" and coded values? d154553m811n9 81n42135...
It tells me that I don't have access
@lusty thicket - any clues on decoding the flag for disasm.zip? (no spoilers)
i haven't done that module
cool- it's fun
you done?
Use the hint and the technique you learned from that section that matches the hint.
Hey guys , how can hide my open ports
use rules
yeah- i did that but i get HBT{d154553m811n9...
revisit how you can disassemble the .data section of the binary from that module section, it was at the last part.
you already got the flag, what's the problem?
If the server sanitizes these characters
; & | < > ( ) ` $
And I can input command in
ls -l {command}
What command should it be so that it can print the flag ?
i'll try entering it again- it's says the flag isn't valid
make sure you entered all the string from the .data section(like shown in the module's section) of that binary
it worked- must have mistyped it; thx for the help!
Can anybody help?
mention the module and section to add more context
Thanks
#programming or #web read and follow #welcome to access
Hello guys, I'm having trouble answering the first question of the Introduction to Web Applications module
"Check the above login form for exposed passwords. Submit the password as the answer." Could someone help me
Did you check the page source?
:)
How do you say, ":)" without dc turning it into an emoji
By disabling it in settings
hack the box?
Of the spawned target login page
AD Enumeration & Attacks part 1:-
Enter-PSSession doesn't work in "rlwrap nc", it doesn't show any output, sometimes the terminal just hangs! any idea what to do?
I see
i am stuck in this session hijacking section in xss module don't know which input field is vulnerable can someone help me?
Doesn't the section show you different ways to find out?
yeah man i tried but i am not getting any response back in my server
Are you having it send the request to your tun0 ip and port?
hi guys
Login Brute Forcing Basic HTTP Authentication
After successfully brute-forcing, and then logging into the target, what is the full flag you find?
So i tried different wordlist and etc but nothing got:
hydra -L /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt 94.237.53.186 http-get / -s 53496
Can someone help?
Could someone help me on http attacks, http response splitting?
Hey guys I'm stuck on this challenge right here in Getting Started.
I ran nmap scans:
Found open ssh version 9.2, looked it up on searchsploit, msfconsole, didn't find any exploits for that.
Found rpcbind on port 111, didn't find any exploits either.
I ran go buster directory enumeration:
/wp-includes (I didn't find any important files there)
/wp-admin (Asks for user pass, which I didn't find)
/wp-content (Empty page)
Ssh is not the vulnerability
Any directions I'm missing here?
Looking at the screenshot, it seems like you scanned a public IP.
Public IPs are Docker containers. You ONLY have the specified port available.
You're given an ip and port, use those. Whenever given an IP:Port, that's your scope as those are docker targets
That's weird because I was learning about nmaps in this chapter.
Well the getting started module isn't just about nmap
Yeah it's about dir enumeration too..
My bad, Public Exploits Section
Yeah, nmap not required
I think I got the direction. Thank you
Just enumerate in other ways, like web
I'll look up for vulnerability in the wordpress version
It's more direct than wp version
The plugin
Look directly at the page and it'll hit you in the face
I'm not seeing it but I'm keeping on looking.
Now I see the simple-backup thing, page has an empty directory.
tried /wp-includes/simple-backup and /wp-content/simple-backup - not a thing.
Ok I think I found it. It's the plugin
Utilize msfconsole for the plugin name
Exactly what I'm doing right now, thank you
"Not a thing" well if you're accessing the directory it's a thing
Only on those dirs it's empty, but /simple-backup is a dir I mean
Well you're thinking linearly
It's not on msfconsole nor searchsploit so I found it on google
The exploit might be, for instance, lfi
The exploit is on msfconsole
Ik bc i used msfconsole for this
Yes
what, but this one is called simple backup file
can we "evil-winrm" if we can "Enter-PSSession" to it i.e MS01.inlanefreight.local?? (talking about active directory)
ahhh
well either way I found it on exploit db too if I wouldn't have understood that on msf
Yoo that's so cool
I appreciate the help @fathom pendant
Did you ping me in the forum?
Yeah lol
You can ask here.
Some other person might have the same doubt and can search in the channel history later
https://medium.com/@mrclimp/web-archives-a-journey-through-digital-history-f18c152cbb6a cant get this question right
i found the answer but for some reason doesn't accept it
Htb used to be eu, not .com
i just opened solutions
since archives been hacked
so there isn't all data there
o nvm
it was 0 instead of O
Right but i was gonna send my payload and screenshot of what im doing, dont know if thats allowed
Probably not that detailed.
I'm afk but can give you a few pointers later
prob gonna spoil it lol
Don't think they will be any different than the ones in that forum post though
gotcha, so do u want me to dm u what i did then?
Ok
I'm able to upload a file with character injection
Except that idk how the php server would interpret them
In other words, how do i access the uploaded image
go to the upload directory and navigate to your payload
Idk what the character is
Like %00 would eradicate anything after it
If it's a slash, it probably won't work
Try something else
No different
You can check the source page and see what the file name looks like after
Hello everyone who have already solved LinkVortex?
this channel is for academy talk try #boxes
Idk
Oh thank you got it
think about uploading a file.. with a / in your payload. if you add a / in your payload it's going to try to put the file into a subdirectory that probably doesn't exist
There's other extensions that work here
I used burp intruder with a long wordlist to inject multiple files
What you suggest would work but will consume lot of time.
I mean i'll have to use repeater for each successful submission
Yeah kinda
Than manually visit the page
you can just see if it was successful within intruder itself
But it's not base64 decoding. Like php server interprets them differently
Intruder shows successful submissions, but in order to retrieve it i need to know how to access it, for that i need to know how php server interprets the injected chars
If you know what i mean
TLattice told you how...
you can view the source code of the page.. if you're uploading something like a profile picture and you can see the picture after you upload it, you can also right click and go to open image in new tab and see where it's stored
Yep but that's time consuming like I explained
Thanks
That would require individual requests via repeater, then visiting the web page and seeing the source code
Not every request would work
I got 20 submissions, in the end i would have no choice but to try the manual way
Thank you for your time gentlemen
are you able to upload a profile picture?
I gotta check my notes cause it's been a couple of months since I did the module
I can check it out when I hop in the pc
Anyone able to help on this one, https://academy.hackthebox.com/module/158/section/1435
Have to rdp to an ubuntu machine and use netsh and then connect to a DC through rdp on the port set up, but it's not connecting
Connecting to ubuntu machine -
xfreerdp /size:1500x800 /u:htb-student /v:10.129.42.198 /p:'HTB_@cademy_stdnt!'
Set up portproxy -
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.42.198 connectport=3389 connectaddress=172.16.5.25
Then attempt to connect to DC via rdp
freerdp /v:10.129.42.198:8080 /u:victor /p:pass@123
[20:27:16:536] [49938:49939] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[20:27:16:536] [49938:49939] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[20:27:37:583] [49938:49939] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[20:27:37:583] [49938:49939] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[20:27:37:583] [49938:49939] [ERROR][com.freerdp.core] - freerdp_post_connect failed
Hey guys im doing the web proxy module, any one knows the problem here? it was working perfectly yesterday
Try reinstalling the certificate
Just like you did before
can you help me with that, i'm quite new to this
i did nothing before i use the browser from burp suite
the default one
i don't remember trying it, you know what, i will do some research tonight and let you know if i find out
@tender nimbus download foxyproxy as an extension on your browser, set it to go to 127.0.0.1 port 8080
or just use the proxy settings in the browser, but its much easier to use foxyproxy.
To install the burp cert i think it's something like https://burpsuite
Then try navigating to the web page
Excellent
Hello can I get a hint for web blue print
is it a challenge?
#challenges <--
And please don't post your question in every available channel.
Okayyy I'm sorry
Can you tell me at least where should I ask
i think he's trying, he's asking if its a challenge
Yes it is a challenge from HTB, I've got the file but I can't send it here
hi guys
Login Brute Forcing Basic HTTP Authentication
After successfully brute-forcing, and then logging into the target, what is the full flag you find?
So i tried different wordlist and etc but nothing got:
hydra -L /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt 94.237.53.186 http-get / -s 53496
Can someone help?
Okkkk I will Thanks everyone
anyone? 🥹
you tried rockyou?
looks like the connection was reset
I have a shell with SSH connection. How to run this msf console exploit to Privilege Escalate?
I don't understand the part with the sessions.
looks like you have the wrong options
@cyan lark you would run that on a session where you have a meterpreter shell
from what im seeing looks like you're not providing a session number, am i right @cloud urchin
idk, no idea what he's trying to do, but the nic seems off, probably need an open session for that since i dont see a rhost option
get the shell with msfconsole, use bg to put it in background and then use this and use the session number that the meterpreter session is on
I ran a linpeas on the shell that I have access to through ssh
It is the right exploit, I just don't understand how to pass over the shell to it
The command is just "get"?
get ssh user@ip -p etc etc?
Working on Module Footprinting Assessment Hard - I've discovered a user ||Tom and got their credentials|| currently logged into the IMAPS server but having a very difficult time with the IMAP commands, and their output. Can I be given a hint if I'm in the right direction or not? The phrase "HasNoChildren" indicates to me that the inboxes are empty but I'm very unfamiliar with IMAP
1 LIST "" *
- LIST (\HasNoChildren) "." Notes
- LIST (\HasNoChildren) "." Meetings
- LIST (\HasNoChildren \UnMarked) "." Important
- LIST (\HasNoChildren) "." INBOX
1 OK List completed (0.001 + 0.000 secs).
this has helped me a lot on imap sessions https://donsutherland.org/crib/imap
Hey man, is it the msf module you're doing? it sounds like you need to read the part about starting shells and sending them to the background before starting the exploit
Getting Started module, Privilege Escalation section.
You need to provide an active shell session for that exploit, and that has to be established before you are using the exploit
For sure not the right exploit then, totally agree
Way more complicated than what it needs to be
I have an active shell already
its just through ssh, I don't know how to run the exploit on it
did you try sudo -l
Yeah
does it show anything?
there you go
I ran the entire linpeas script. I got the exploits
Does this syntax look right im getting errors ||1 FETCH 1:* \Answered||
you can run /bin/bash as user2 it seems
I am inside user1, user2 is my target
im not sure IMAP is the place to go, wrong path
Re-read the section. Look at what access you have with sudo. Use https://gtfobins.github.io as the page says. You'll want to bookmark this page and lolbins they are used a lot.
from checking my notes
Alright I kinda felt that way too, mailboxes have no subsidiaries/children
Thanks for the advice
I have read it multiple times man, I'm just asking for more directions lol
I got these two alerts with the linpeas just like the section says to do
i just handed it to you on a silver platter, exploit your sudo privs, use gtfobins to see how
But blue doesn't mean much.
no problem, let us know if you need any more help, try another path for now, any other mail ports?
What do you mean, these commands cannot be run as sudo which is what I need, no?
@cloud urchin @fathom pendant you see any issues here? i can't seem to get past this one, tried resetting the target and everything
re-read the section on sudo again, sudo lets you run a binary as another user
My friend, I read it.
I only have access to user1. I can't su as user2 because I need a pass.
sudo is not su
the syntax for this is sudo -u
re-read the section again, use sudo
Check your IP addresses
I am looking at it. I don't see the answer.
sudo allows you to run a command as another user. you're trying to run a command as user 2. use sudo -l to see what commands you can run as other users. use gtfobins to see how you can abuse various binaries and escalate privileges.
My friend
I am on user1, not user2, on sudo -l I can see that user2 has an app that it can use with sudo.
Raz
I don't understand
the sudo command lets you run commands as other users without needing their credentials
you just need your credentials
the output even tells you that user1 can run this command as user2 with NOPASSWD
if it's NOPASSWD then you don't even need to input your password
ohhh
I thought it means that user2 can run this with nopasswd,
Why does sudo -l ask me for user2's password now?
I think I got it. I can su to any user I want but not perform anything other than what they're allowed to run with no passwd, right?
su is not sudo. with su you are switching your current user, which requires you to input the target user's password. with sudo you are running commands as another user, and depending on how the sudoers file is configured, it may require you to input your current user's password
NOPASSWD in sudo -l simply means you can run the command without supplying your password to sudo
I appreciate it guys I understand it now
Where have I gone wrong here though, do you know?
you're trying to run multiple commands
just execute the command you're allowed to execute
thanks @gray yacht, aren't those the right ip addresses though? it doesn't really explain very well in the module, i wish it would use names rather than just putting the ip addresses relevant to them...
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=<GivenTargetIP> connectport=3389 connectaddress=<DCipadd>
I got it thanks so much @dark hedge !!
So there is no need in even using the sudo -u command, right?
if you're allowed to run different commands as multiple different users, you'd probably need to specify -u
I now realize I need to move on to root.
Do you have one of those cheat sheets for POP3
So I would RDP in with the provided htb-student credentials and verify the internal IP address of that host. Then, the question provides you with the internal IP address it wants you to target, so I would use that one in the command.
which isn't in sudo -l
checking
This one is the only one i have i think. You have to scroll down a bit.
Search for Retrieving Emails and Modifying the Inbox
https://www.atmail.com/blog/pop-101-manual-pop-sessions/
You're the man @dim ridge, I'll check it out
Do you mean how it switches to using 10.129.42.198 suddenly, i didn't quite get why. I thought it was an error, not sure how they get that in the result for netsh.exe interface portproxy show v4tov4 when the listen address they put in the previous command was 10.129.15.150
What I'm saying is you can't copy/paste the stuff in that section completely, i.e., the IP addresses and expect it to work, when they are different from what you are given when you spawn the target and actually remotely access the target.
They are different. Like I said, access the host, perform some host based enumeration and then work the task with that information.
true, which is why i wish they labelled it rather than just putting the IP address that was the right one in their session
makes it hard to follow
you mean like that @gray yacht
looks like it nearly worked, but different error this time
xfreerdp /v:10.129.14.47:8080 /u:victor /p:pass@123 .... Do you trust the above certificate? (Y/T/N) Y
[22:10:33:271] [58217:58218] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[22:10:33:271] [58217:58218] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[22:10:33:271] [58217:58218] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[22:10:33:271] [58217:58218] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
The question gave you a different IP to connect to right? In your screenshot, you are already connected to the .150 right?
yes 172.16.5.19 but i've tried that on portproxy too as the connectaddress but still get errors
Well you're trying to connect via RDP to the same host by setting it as .150
I have it set up now like this
netsh.exe interface portproxy show v4tov4
Listen on ipv4: Connect to ipv4:
Address Port Address Port
10.129.42.198 8080 172.16.5.19 3389
10.129.42.198 8081 172.16.5.150 3389
and get this error
xfreerdp /v:10.129.42.198:8080 /u:victor /p:pass@123
[22:21:38:926] [59553:59554] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[22:21:38:926] [59553:59554] [ERROR][com.freerdp.core] - failed to connect to 10.129.42.198
i switched the listener port for the other - 5.150 to avoid it messing it up
Ok, so I am confused. In your screenshot above, the IP of that host is 10.129.14.47, but you are using 10.129.42.198 as the listener IP. What is the actual target IP that you received when you spawned the target?
ah sorry i reset the target, the target ip is now 10.129.42.198
Idk man, you may just need to reset the target. You've got all the information, just need to put it together.
i feel like its just borked
i've reset a few times now, tried it every which way but still nothing 😮‍💨
@gray yacht the thing that confuses me though is that they set it up like this
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25
And then get this result when running the next command
netsh.exe interface portproxy show v4tov4
Listen on ipv4: Connect to ipv4:
Address Port Address Port
***10.129.42.198 *** 8080 172.16.5.25 3389
Have they just switched IPs in the documentation by error?
I have no clue.
The example won't match what you do
The listen address they use a faux 10.129 address, to let you know to use the target IP
ah ok understood
it should be working then
target ip - 10.129.42.198
targets 2nd Nic address - 172.16.5.150
DC IP (need to connect to DC) - 172.16.5.19
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.42.198 connectport=3389 connectaddress=172.16.5.19
xfreerdp /v:10.129.42.198:8080 /u:victor /p:pass@123
[22:57:05:165] [62304:62305] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[22:57:05:166] [62304:62305] [ERROR][com.freerdp.core] - failed to connect to 10.129.42.198
yes
hi guys
Login Brute Forcing Basic HTTP Authentication
After successfully brute-forcing, and then logging into the target, what is the full flag you find?
So i tried different wordlist and etc but nothing got:
hydra -L /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt 94.237.53.186 http-get / -s 53496
Can someone help?
its finally worked, just needed another another another target reset 🤷‍♂️
Anyone tried cloudfall enterprise machine? If so could someone please help me with something?
can someone help with it?
Should be able to just use the same user and password list from the section.
tried nothing
f.e. it says:
hydra -l basic-auth-user -P 2023-200_most_used_passwords.txt 127.0.0.1 http-get / -s 81
i use and get nothing
hydra -l basic-auth-user -P 2023-200_most_used_passwords.txt 94.237.61.84 http-get / -s 48047
Login Brute Forcing Basic HTTP Authentication
Out of curiosity, does setting up your own local WriteHat instance on 127.0.0.1 and logging into it count as completion of the optional exercise in the "How to Write Up a Finding" section of the Documentation and Reporting module?
Is that password list in the directory you are running the hydra command?
i downloaded it from the site so idk, and there is no solution on the internet
0-0
Find out where it is located.
└─$ locate 2023-200_most_used_passwords.txt
/opt/SecLists/Passwords/2023-200_most_used_passwords.txt
If it is something like that, use the full path after the -P
Hey send me a DM
it's bare minimum but yeah
how tf do you guys remember the stuff in these modules? its so dense.
cherrytree
Was asking because running my own WH instance is going to make it much easier to make sure that notes on the MSI Aegis R2 desktop that I happen to have completely overwritten Windows with Parrot 6.2 HTB Edition on (AKA the attack machine) are safely synced with the M1 MacBook Pro that I use for actually writing things up. For both AEN and the exam, it helps to make sure that everything is in every location.
obsidian got ur back
okay, ill ask there, thanks
If you want it to be verbose btw -v[vv]
Hello, I'm doing ad attacks assessment, part 2 , question 6.
I found the hash of user k but I can't crack it
Tried hashcat and john
ok ill try that
Starts with $krb5tgs$18$
So it should be harder to crack but both hashcat and john don't even recognize the hash
Hey guys I have a question, I'm not sure if I'm getting the correct output for ffuf on the Filtering Results question, can you let me know what I may be doing wrong here. thanks in advance
was placing "FUZZ" in the wrong place. I think I managed to fix it (the module didn't cover this if I'm not mistaken, or I may have skimmed over it) but it had to replace the "support" sub directory
I thought that the -fs 900 was supposed to filter out anything above 900, but when I run the scan with the ip:port the box is spawned with I get a full list of 200s with sizes over 986, but when I use academy.htb nothing
-fs filters out responses of a specific size, not anything above that size
okay but how come I don't get any results using academy.htb when I've added it as well as the IP and port to my hosts file, but I get a bunch of results when I use just the IP and port
you don't add the port to your hosts file
only IP addresses and hostnames go in /etc/hosts
okay I was able to get the correct results thanks
Hello I wanted to install Kali Linux on my pc (Windows 10) but the virtual machine executor (VMware, VirtualBox) refuses to open the files
Please help me
Question Regarding password module's hard lab. I discovered a vhd file. I can't get it to mount on my intel machine ? Help would be appreciated. I'm using the command below. I have the password to but it's still not working.
guestmount --add backup.vhd --inspector --ro vhd -v
Hello, i'm new to tryhackme
I'm a beginner Android developer in the Kotlin language
Either a backend issue or a you issue
I have a problem, can anyone help, how do I add the price to increase the value?
Hello
Is someone trying to DDoS HTB or something? ALL the regions just slowed to a crawl.
Beat me to it
It's a good thing I managed to scp the partial report in the Documentation skills assessment to my local machine before this slowdown started. Going to make it much easier to work when performance returns to normal.
Still, absolutely sucks that it has to come to this.
The only region unaffected by whatever is happening to HTB's internal network to slow down all the machines is Canada. Any insiders have any ideas?
This is Hack The Box, not THM server
The RDP PAR01 machine for the Documentation assessment won't even start.
Add price to what?
Never mind, now it's started but it took 2 minutes to. Why has HTB's network suddenly regressed to Internet speeds as they were 16 years ago when I first started using Linux on bare metal?
Maybe there's some issues going on, best to contact support
For context: ^
Well I sent a message to Support and haven't heard back, so just wait I guess…
Interestingly though the VPNs don't seem to have nearly as much trouble as the PwnBoxes.
messaging staff on the discord isn't generally the best way to know if issues are arising lol
unless you mean that's who messaged you in support
¯\_(ツ)_/¯
This.
it's much simpler to just say "I messaged support and haven't heard back yet" instead of a specific person to avoid confusion
also weekend support hours are limited
Dropping Ligolo onto PAR01 seems to be an OK workaround for now, but definitely need to get that D&R skills assessment done before finals week and these kinds of slowdowns hinder that.
SSH to the target, create a bind shell, then use netcat to connect to the target using the bind shell you set up. When you have completed the exercise, submit the contents of the flag.txt file located at /customscripts.
I'm stuck on this
after SSHing to the target, when I execute this command: rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l <ip> <port> > /tmp/f
It stops & nothing pops up
Any help on Intro to **Assembly Language / Skills Assessment Task 2**? I made a shellcode by optimizing the given assembly code file and there are no null bytes, also **the code comes in under 50 bytes** (45 bytes precisely). I also tested it on my machine by creating a text file with some strings in the / directory with the same filename (flg.txt), and it worked as expected. But I am getting no response (flag) if I send the shellcode to the vulnerable server as mentioned via netcat (I did echo 'shellcode' | sudo netcat -l server -p port). I am out of ideas since the code is working well and I don't see any flaws, but I don't know why it is not working. So if you can give me some insights or hints, I can complete this module. Thank you.
I think you are supposed to send the hex representation, so you can connect via nc and then copy-paste it in, did you do it that way?
So instead of sending the 0x01 byte you'd send the ASCII string '01' is what I'm trying to say
yeah, I removed the hex representation 0x and only send the actual hex data
like I did it on the previous task(Task 1)
I can send you my assembly code if you want, I think I have it still somewhere
https://academy.hackthebox.com/module/51/section/470
Linux Privilege Escalation
Special Permissions
What is up with this question? I'm 100% sure it's correct.
sure please, it will help. Thank you.
it is in fact not correct
I am having some trouble solving the XSW lab. XSW1, 2 and 4-8 say that the SAML response is invalid, but XSW3 makes the server hang for some reason. I am not sure what I am doing wrong here. Using Burp Community with the SAML Raider extension to solve the lab.
It's a private ip so it can do RFI and call back to your machine.
Because the module explains the technology. However, your target is not the same server and you therefore have to apply the knowledge you have acquired in order to obtain a result
So it's not the target ip?
No, the target and the techniques shown in the module are usually not the same
The aim is for you to learn the techniques and then apply them yourself
I don't understand, what ip do I set if not the spawned target?
You cannot apply the techniques shown in the module 1:1, except in very few cases
The walkthrough mentions nothing about having to change the IP address you used for the previous question
It says run smtp-user-enum -M VRFY -U ./footprinting-wordlist.txt -t STMIP -m 60 -w 20, where STMIP is supposed to be the spawned target's IP, yes?
-W increases the wait time
Is your screenshot from the walkthrough or from the module text?
-w increases the worker processes
One is the walkthrough and one is my own terminal output
-w 20-25
Then use the exact command as shown in the walkthrough.
Don't share walkthrough screenshots, as those are paid/gated content
^
I am running the same command
If it's from the module itself, at least spoiler it for modules above t0
As again, paid content
So how do I talk about this kind of thing?
Asking for help and sharing solutions are two different things