#modules
Google banner grabbing, but like I said follow the section and just include the assigned target port when working the external part of it.
it is ssh service, but I have no success on run medusa output
Make sure you are providing the assigned target port in your command.
Got it, had to change the password list, Thanks!
I find it disappointing you can bypass the whole point of the module section
You're meant to get sshuser, ssh in, then use Medusa internally
hello :). i am currently doing the sql injections fundamentals module and cant authenticate to the mysql server. i am getting the following error:
ERROR 2002 (HY000): Can't connect to server on '94.237.49.130' (115)
any help?
Did you specify port?
guys but I get an error when I try to use my token to log in, how do I solve it?
yes
ok
mysql -u root -h ip(redacted) -p 57726 -ppassword
-p [port] then -ppassword
Try with just -p port and see if it prompts a password input
it worked (it asked for ssl but chatgpt gave me an answer to bypass that error)
thanks for the help @fathom pendant 😄
does anyone know how i can change the keyboard layout of remote windows machines for academy?
Locale
thanks
for skill assessment 1 Brute Forcing - is the hydra command really run that slow?
Hi guys
It depends on your wordlist
I use suggested one
ACL Abuse Tactics:
Hey hey! So I've gotten adunn hash, but cant crack it (hashcat -m 13100 hash.txt /home/rockyou.txt). I've run the hash through hash-identifier and I think there's breaks in it, just need a quick refresher if I need to run (echo "<base64 blob>" | tr -d \n) or am I just being dumb and grabbing too much/not enough of the hash?
Can you explain what assessment is that . I will tell my best
Use all in one rule
https://github.com/NotSoSecure/password_cracking_rules/blob/master/OneRuleToRuleThemAll.rule
You can also try this rules
hashcat -m 13100 hash.txt wordlist.txt -r rules/best64.rule
try this
skill assessment 1. What is the password for the basic auth login?
it's telling me Seperator unmatched- no hashes loaded
Oh try to use john
👍
Have you done
yeah session completed but didnt give a password, I'm thinking its the hash, can I email it to you?
can someone give me a hint for finding the upload directory for the file upload attacks skill assessment i cant work out where the file is going https://academy.hackthebox.com/module/136/section/1310
Maybe try to use a technique for reading files.
I got it, stupid hash needed to be one line and hashcat worked in 2 secs lol. thanks!!
I'm a bit lost on the Linux Privilege escalation - Service based priv esc - Logrotate section.
There's supposed to be a logrotate.conf file but it doesn't look like it's present on the system. Am i getting tripped up by one small detail?
it exists in /snap/lxd/ dir but i don't think thats helpful for this exercise
I don't recall if the file was there, but the section covers an exploit. Worth seeing if there is anything in your /home dir and if that exploit can potentially be used with anything you identify there.
Right, if you're hinting at the b******** folder in /home and the .log files found within, i've gotten that far.
I am successfully triggering the exploit (Theoretically?) but no shell is being sent back to my listener.
Reason why i'm fixated on finding the .conf file is because the logrotten page and module exercise specifically asks you to determine if compress or create option is set in that file. https://github.com/whotwagner/logrotten
You can DM what you are trying.
I'm having an issue with VIM in pwnbox, trying to use ESC or ctrl + [ to leave insert mode but I keep getting these keyboard interrupts on top left instead. I'm used to nano so I'm sure its probably my fault. wonder if anyone can point out what I might be doing wrong.
Run it with sudo, they messed up the user configs
I dropped a feedback on it, hopefully fixed soon.tm
I accidentally hit the shortcut to Lock Screen when trying to figure out VIM. Any chance is there a default password for pwnbox? I tried the two htb IDs on screen
No default password, you can try and use the in-browser terminal and go to the desktop and get the credentials off that
But the password is random genned
Really appreciate your input! Although, think I may be still stuck on this one until that is fixed/ I think of another method. This is for Getting started/Nibbles - privilege escalation. I can only sudo without password on the file I need to edit for a root reverse shell.
Can try echo 'revshell_here' >> monitor.sh
i don't remember exactly what this is, but depending on what monitor.sh actually does you could also echo 'chmod 4777 $(which bash)' >> monitor.sh and bash -p
just shots in the dark that might help
Correct you can only sudo that sh file 😉 [full filepath is required]
This section walks right through the process
Sorry for the confusion but I'm not sure I quite understand what you're saying. '$sudo vim /home/personal/stuff/monitor.sh' still prompts me for a password.
Why is it not working?
http not https probably
Linux Fundamentals
Monitor.sh is an executable you can edit without sudo
Since you own it
I tried both
that should work, no?
because the pwnbox doesn't have access to the internet?
oh yeah
it says to use pwnbox
Only if you don't have a sub
doesn't work in my own box either
i think only subs
Or if you've spent any money
:)
no active sub rn and can still use pwnbox a la carte
I just started the pwnbox
imo you'll have a better experience with your own VM
I do like pwn box just because it has a lot of tools preinstalled, but yeah I need to get my own vm configured with everything I need
it won't work in my own vm either
well inlanefreight.com is a real site, you should be able to visit it from your PC
i was able to visit it now without any problems
You are right
but I am not able to view it in my own machine
if you haven't spent money then pwnbox won't reach out to the Internet so it won't be able to reach it
have you tried http://IPADDRESS/ ?
I will try that but it's saying session timed out
Okay, I was trying to edit it with vim but then I couldn't swap between interact and command mode. I must've mis read, I thought you meant to try with sudo and full path
The vim on the pwnbox is messed up
Can I get some assistance on File Upload Attacks Skill Assessment:
I've ||determined the naming scheme of files and the directory where uploaded files are stored. I found an extension that bypasses the filters. But when I enter the command shell it no longer accepts the file.||
Not on the target
If the vim on the pwnbox is messed up find other ways to modify the file that don't require you to use vim.
My suggestion earlier was to use echo 'something' >> monitor.sh to append text to the end of the .sh script
Thanks! thats def a good reminder to use that in this case
it is for me :/
are you changing the MIME type of the file by doing this?
I think something might be wrong with my browser
session is timing out on all the websites I type in
Not to my knowledge for example using PNG I leave the first byte as is and try to input the web shell string following that.
maybe try to find the ip associated with the url then navigate to http://IPADDRESS/
Could self improvement videos allow me to unlock general chat?
didn't work. I can't get any website to come up
so I think it's an issue with the browser
you can unlock general chat in #bot-commands with /verify and your HTB ID
id rec using another method to pass mime type test
theoretically you can doublecheck what mime type with file example.jpg
altho im not sure if file will give the exact same mime as php mime_content_type()
thanks I used that to get past it 
Read #welcome
Is it a new vm and have you checked your adapter settings to reach out to the web?
thanks for responding but it works now, don't ask me how, lol. It is a fairly new machine and the adapter is on NAT. I actually looked at my Kali machine and compared them and everything was the same. I went back to my parrot machine and started a new session and it worked just fine. The website came up.
I am new to this stuff so I am taking copious notes, LOL
From my help desk days turning on and off fixes a lot of problems 😂
It
It's amazing that it works but you're right!!! LOL
It's a good thing I am a little older and wiser otherwise I would be buying a computer every week, lol
Anyone get this while working a lab? Specifically the Kerberos Attacks - Silver Ticket from Linux
When I have seen this previously it was a timing issue on the DC. My Kali box is set to the correct time, so I am guessing the DC might be off. I tried to RDP into the machine, but HTB Student cant RDP.
I am guessing I need to submit a support ticket unless anyone else knows an easy fix.
[-] SMB SessionError: code: 0xc0000016 - STATUS_MORE_PROCESSING_REQUIRED - {Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.
Will there be an Intro to Terraform module ?
Not sure if this is the right place, but I recently struggle a lot with various latency and lag errors in academy.
Sometimes starting an instance of pwnbox gives me "no instance available" errors, spawning the target systems takes minutes sometimes...is that just me?
When I try navigating, like scrolling up in the terminal, it takes several seconds to do anything...
I had “no instances available” also earlier today. I restarted the web page, chose a different server location and I was good. I haven’t had lag issues you’re mentioning, but I just got VIP so maybe those machines have less latency. Spawning a target does take 1-3 minutes for me usually
Switching the location seems to help here too. I feel like the targets used to be faster...
I got VIP too (I think, lol? Yeah, unlimited spawns, that's the one, right?)
According to your role you actually have VIP+! Lol
Haha, might as well, I think I treated myself last year with an annual, that's why I don't recall xD
Had these slow machines the last few days now, might just keep an eye on it
Sounds good I’ll pay attention to mine over the next couple days and report back if I’m also having issues 🤙🏻
I'd like to ask if the "Starting Point" tiers all count as 1 "achievement" that counts once towards the rank points
None of the retired boxes counts toward rank
ah got it
Although Im sure I finished an active one in tier 0 and didn't score a point
oh well will check out others in order
There’s a webpage on htb that breaks down how to earn points it might be /introduction sorry don’t know it off the top of my head
no you're good I appreciate it I should've browsed for it too
Hello everyone, I'm in the Skills Assessment of the pivoting module... I've sent the ligolo agent to the target machine and I've run all the right commands... but when I run xfreerdp I'm getting this error message, can anyone help me?
xfreerdp /v:172.16.5.35 /u:mlefay /p:'Plain Human work!' /cert:ignore
[22:32:55:667] [69739:69740] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[22:32:55:672] [69739:69739] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
can you verify your tunnel is active?
if you didn't forward port 3389 from target network through ligolo, then xfreerdp can't reach it
ligolo needs to specify the forwarding port?
Ligolo should still work, it’s only local host port ports you have to create a different route for targeting 240.0.0.1
Use nxc to see what you get back
if direct routing isn't working
anyone could help me with this question : What is the name of the utility that can be used to view logs made by a Windows system? (Format: 2 words, 1 space, not case sensitive)
is on the module Windows Fundamentals
You can DM your ligolo setup commands and I'll take a look.
hello folks
best hint i can give you is that if you google it, its the first result
Looking for help on the Command Injection Skill Assessment. I found the injection point and tested each operator specified in the module. Any hints
I am working on the Windows Priv Esc module - weak permissions. I managed to add myself to the administrator group, but || takeown || fails
I suspect this is due UAC. Can I DM someone to get a hint here?
best advice i can give you is being creative with how inject
redirections pipes that kind of thing
is anyone else unable to connect to any htb box right now? i cant even ping anything
just switched vpn servers too
So I attempted something along these line ||$(rev<<<'imaohw+;')|| but that produced the same error
that's really close to what i did, from my notes - try base 64 encoding and stuff like that too
mine works fine
throw ${IFS} and ignored characters into the mix
That was my next thought but how would I decode if I can't get an operator to separate the original command and the command I'm trying to execute
base64 -d <<< [base64enc string]
This part is taken from the Assessment Solution:
https://academy.hackthebox.com/module/239/section/2599
||With the id 651599407998f5c5ff061491 of the card attained, students need to exploit the unexpected input vulnerability and perform two purchases, one for 1000 cubes costing 100 and another for a subscription with a non-existent name also costing 100 (therefore, the total becomes 0)||
My query is:
How come 100 + 0 becomes 0
First one is 100$
second one due to type juggling becomes 0
So total should be 100$ right
In that case the user cannot purchase it as card balance is 5$. Still the lab is working. It require more explanation.
thanks, rebooting worked :/
if you still struggle feel free to dm
bump, anyone?
there must be a way... I do not think the module show explain the same and omit that part ....
if you're an admin you may be able to disable uac
I do not know how
if you suspect the issue is due to uac
DM?
I agree.
in the passthehash windows module earlier this reg key is mentioned
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
id start there and check if that is 0 or 1
im still going through linux privesc so i havent actually done your module yet
wouldnt hurt to google around or look at payloadallthethings for ways to enumerate UAC
may I assume, that will disable the "enter your password" thing?
the exact description i have for the regkey is:
When is set to 0; built-in admin account is the only local account allowed to perform remote admin tasks. 1 allows other local admins too.
so maybe im sending you down the wrong path
might not be related at all
chicken and the egg, lol
can't edit registry as my session is not open as admin
I managed to do it. But can't be this way, lol
Is there a LaZagne binary instead of python3 version?
In Linux privesc?
talking about Windows version
but this is probably because you did not move the whole directory
Yes I did
move it ALL. Then run it from it
then no idea... when I had that error was because I did not move the whole folder
actually tools like SharpChrome, Lazagne, SessionGopher, or most other tools are captured by windows. i wonder if the real environment will rewrite such tools on its own?
Can u please help it's urgent
is it with a module?
I'd like some help on SIEM visualization Example 4 (https://academy.hackthebox.com/module/211/section/2276) as the answer I am coming up with isn't matching what is being required. None of those dates work, both looking at it with and without the Mar 5th, 2023 'no earlier than' aspect.
read the question very carefully
I've reread it multiple times. I've used the visualization that I made and the one that is made for you. Both of them are coming up with || 2023-02-27 || when I add the @timestamp, event.created, etc. to it. I don't even see a date that would match the 20XX-0X-0X format because the date for what I see is all double digits.
Hello, I need a little nudge for the AD Enumeration & Attacks - Skills Assessment Part I of the Active Directory Enumeration & Attacks. I successfully compromised the domain but there still remains a question where I should find cleartext user password. I use his hash to comprise the domain but I'm not able to figure out cleartext password.
Can some one nudge me please?
Have you tried looking up the kind of hash before decoding it with an online tool ?
No success to crack the (ntlm) hash nor online neither offline
There was a ticket you could crack
If you did the exercises in order
The ticket for the Kerberoasting part, i cracked it, it the step after, the next user.
Question number?
#6 Submit this user's cleartext password.
It seems I did a Secretsdump with svc_sql
Did you answer question 5?
Maybe check user descriptions, my notes aren’t very clear on this part
But I see a reference to DefaultPassword
Thx didn't tried that

So I'm on information gathering skills assessment and I'm currently on question 2
- 1 What is the API key in the hidden admin directory that you have discovered on the target system?
So I have found the subdomain of the vhost using gobuster, found the robots.txt file that has the hidden admin directory, however when i go to curl it, the results are quite peculiar
It says it has moved permanently.....
I've went through every single writeup I found online, and they all found the answer here 😭
Perhaps HTB has changed this exercise and I need to enumerate deeper
Which I'm doing, I'm running another Gobuster, but this time with this subdomain, however the subdomains of subdomains I have found, have no directories that I can see inside
Try adding a slash to the end
I believe the lab for Blind SQL injection > Oracle Design is broken. It appears that the target from the previous lab is spawning. As a result, the script does not work and the payload has to be injected somewhere else. I tried injecting it at the vulnerable location, but the fifth character from the database is incorrect for that question
Anyone that can confirm this?
Make sure you are using port 8080
Ahh
okay I didn't notice that. Thanks!
which module?
password attacks in skill assessment easy lab
did hydra -L username.list -P passl.list ip ftp -t 64
haven't done that module, sorry
Slash at the end of the hidden directory?
What lab is that
.this
What is the name of lab you mentioned
Did you have username?
no
Hi @viral lotus were you able to get this working, I am stuck at the same last step where in I do not get the shell instead msfconsole shows "command shell session closed"
yeah they gave username password list and custom rule to mutate the password and did that
What are the services running on the target
ssh ftp
For shells and payloads skills assessment - host 2 (blog) can I get a hint / nudge? I found the ||50064.rb script || but I don't know if I'm supposed to edit that script to use or something else. I couldn't find any reference to that in metasploit even though that's what it is using. Little confused and lost and nudges / help would be greatly appreciated! Please @ with response!
You have to move that payload to an internal Windows host.
Hello
I'm at skill assessment of command injection and I can't find the vulnerable request I already spent hours on this the only thing that I found is a post request but I doubt it's the intended request
can anyone help?
Thanks, found the mistake of selecting an incorrect payload option for the handler
Have you looked at the content in that exploit? Does appear to need configuration before you use it in metasploit?
hi did anyone faced the connection closed during request sequence when using burpsuite for the labs?
I am on the virtual hosts module of the DNS & Subdomains section for information gathering. Im not really stuck, but if someone could make the question more clear it would be helpful.
i understand that we are using gobuster vhost -u to specify the target url
fuzz for vhosts... find web...
the question is tripping me up though when they are asking for vhosts ON the target system
for example am i running
add inlanefreight.htb to your /etc/hosts file with the target ip, here's the syntax:
<target ip> <hostname>
'gobuster vhost -u http://inlanefreight.htb:81 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-11000.txt --append-domain'
so -u http://<target-ip> inlanefreight.htb:80
and use the port provided in the target at the end of the url as well
no... put the syntax in your /etc/hosts file
ohhh
so i have to edit the hosts file to reflect dns
did i miss something in that whole module?
and i can make that edit with the pwnbox
you can do that edit with the pwnbox you just need to use sudo
not sure if you missed anything in that module since I haven't done it 😅
nxc
well i wasn't sure because it just said to brute force the vhosts on the target, so i wasn't sure where to put the target system IP
you can answer the question without adding any columns
?
That's a handy tool that can likely help you nxc = netexec. You could also do something else. If you're unable to sort this out, you can DM.
so '94.237.59.180:54920 inlanefreight.htb:80' in the hosts file?
or '94.237.59.180 inlanefreight.htb:54920' ?
i got it, thank you
hey guys one question regarding extracting creds from memory on Linux with mimipenguin
./mimipenguin-static
[+] Searching: [SYSTEM - GNOME] (gnome-keyring-daemon)
that's all the output I get on all machines I have done so far, does anyone know the condition for it to actually work and extract the passwords like mimikatz does ? they don't go into much depth in the module about it, other than presenting it
Hi can someone help me with connecting to vpn on Kali Linux for a htb machine
I am trying to connect to it and it won’t work, every time I run the code with domain administrator.htb it says domain not found
Hello plz someone help me stuck at : Section : Phishing Module : Cross site scripting
CBBH
Hi all, wondering if anyone wanted to study together im from the UK 26 and just abit of a lazy bastard so hoping having someone to study with will motivate me more and be fun to bounce ideas off each other
happy happy
pm me
Hi all, i am currently enrolled in this module: https://academy.hackthebox.com/module/218/section/2389. But i cant access the Sysmon App for Splunk in the GUI, do i need to install this myself?
Hi am trying to transfer a file via smb using http, for the module file transfers but i am unable to do so using wsgidav. Here is the command I used for reference:
sudo -E /home/zack/.local/bin/wsgidav --host=10.10.15.232 --port=80 --root=/tmp --auth=anonymous
Here is the powershell error from my windows target:
PS C:\Users\htb-student> dir \10.10.15.232\tmp
dir : Cannot find path '\10.10.15.232\tmp' because it does not exist.
At line:1 char:1
- dir \10.10.15.232\tmp
-
+ CategoryInfo : ObjectNotFound: (\\10.10.15.232\:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
\\
try dir \\10.10.15.232\tmp
PS C:\Users\htb-student> dir \\10.10.15.232\tmp
dir : Cannot find path '\\10.10.15.232\tmp' because it does not exist.
At line:1 char:1
+ dir \\10.10.15.232\tmp
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (\\10.10.15.232\tmp:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
Still no luck
need help with this question Debug the attached binary to find the flag being pushed to the stack - #solved it :3
test through win explorer
It works on browser with just the url only i get an error if i go to tmp. Doing the same command on powershell/cmd without tmp also results in an error. Navigationg to the share on file explorer also gives me an error
map the drive
Are you actually mounting the smb share locally? Why not just wget [ip]/[file]
it's not a smb share
am trying to upload via smb from the windows victim to pwnbox
webdav uses http, so to access it from windows, you'll need to map a network drive using the http url
Oh I see,
2 things from my notes:
Try using special keyword DavWWWRoot
Try hosting with --host 0.0.0.0
happy happy lunar new year
Yeah
Probably got it already tho
Come at it with fresh eyes made me get the answer, but I have no clue why that is the answer. The question says 'when the events took place' but without manually changing the date to something other than the default, I can't tell when they happened. All I know is that they happened sometime within the last nearly two years. What am I missing?
This helped me though lol
it says no access?
Read and follow instructions in #welcome iirc
anyone know other method to dump dpapi remotely? nxc wont work for me
don't post answers to questions. i dont have my notes atm so copy and paste the question here and i'll give you the interpretation
I got stuck at Web Request>CRUD API, I upgrade the city, after I delete it and search, but I just get the country name (US) 
Removed it, my apologies.
Security Monitoring & SIEM Fundamentals - SIEM Visualization Example 4
Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Dashboard". Extend the visualization we created or the "User added or removed from a local group" visualization, if it is available, and enter the common date on which all returned events took place as your answer. Answer format: 20XX-0X-0X
Anyone can help me with Web Requests>CRUD API?
yea, so it's just asking you to look at the visualization you just made (or the premade one). nothing else
But the pre-made one, and the one I made, don't show when the events occurred, just their earliest since time. If they occurred two months later, they'd show up in both visualizations
it's not asking you for when the events occurred, it's asking for the date for which all the events are shown to you on the visualization. which is the date you set yourself
very weirdly worded but it's simple
Ahh. That explains it, and looking at the question with that in mind I can see what they mean. Thank you for taking time to explain it.
RDP and SOCKS Tunneling with SocksOverRDP
I'm trying to use ligolo-ng for double pivoting. First pivot goes fine, and I can reach the victor's machine. Then, I add a listener on the ligolo proxy on Pwnbox, try to execute the agent on the second pivot box, but I'm getting this error:
```
time="2025-01-28T12:13:20-08:00" level=info msg="Connection established" addr="172.16.5.150:11601"
time="2025-01-28T12:13:20-08:00" level=error msg="Connection error: read tcp 172.16.5.19:55694->172.16.5.150:11601: wsarecv: An existing connection was forcibly closed by the remote host."
time="2025-01-28T12:13:20-08:00" level=fatal msg="read tcp 172.16.5.19:55694->172.16.5.150:11601: wsarecv: An existing connection was forcibly closed by the remote host."
```
On the first pivot machine (172.16.5.150), I get the following message:
```
time="2025-01-28T11:31:05-08:00" level=info msg="Connection established" addr="10.10.14.230:443"
time="2025-01-28T12:00:48-08:00" level=error msg="accept tcp [::]:11601: use of closed network connection"
time="2025-01-28T12:11:47-08:00" level=error msg="accept tcp 172.16.5.150:11601: use of closed network connection"
time="2025-01-28T12:13:04-08:00" level=error msg="accept tcp 172.16.5.150:11601: use of closed network connection"
```
Finally, on the ligolo proxy (Pwnbox), I get the following error:
```
ERRO[2551] dial tcp 10.129.30.50:11601: connect: connection refused
```
It seems to me that the ligolo proxy doesn't actually listen for incoming connections. Because, if I do `nc -nvlp 11601` on the Pwnbox, I do get response back on the Netcat listener.
**Edit**: Fixed by explicitly specifying LHOST and RHOST when adding a listener:
```
listener_add --addr 172.16.5.150:11601 --to 10.10.14.230:11601 --tcp
```
I'm currently on vacation but can help a bit. Drop me a DM and I'll see what I can do.
si
HELLO GUYS ... Attacking Common Services - Easy. This machine drives me crazy always when i am connecting he show me this error and dont show me the files from the ftp server.
Connected to 10.129.203.7.
220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
Name (10.129.203.7:kali): fiona
331 password required for fiona
Password:
230-Logged on
230
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||24812|)
dir
ls
?
^C
receive aborted. Waiting for remote to finish abort.
ftp> bye
221-
221 Goodbye
somebody can help
Did you try listing all?
😉
what u mean ?
man ls
he get blocked and do nothing anymore after he shows me the passive mode
Maybe something ||hidden||
yes of course 😄
Also could be a connection related issue
I seem to recall you saying you have some weird setup vpn then the academy vpn
I'm guessing due to region issues
he shows me since days and sometimes also i can not even scan the ports
i think i need to contact the support
i lose already so much time is really annoying
i use a vpn from my laptop and the the VM ORACLE and the vpn from the HTB thats it
i think thats pretty normal
Most people don't use a vpn at all on their main host os
And just use the academy vpn
i like to be anonymously (BATMAAANNN)
Vpns don't really make you anonymous
They just mask your traffic, but if you're using an authenticated service, the auth service knows who you are
why u said that. When u dont buy it from your credit card and use crypto which u also buy anonymously then i think it do
And that info has to get back to you somehow
yes true
Crypto can still be tracked, in a way, they can know the wallet - maybe not the owner
No sense in being overly paranoid tbqh
Typical use cases for vpns is to get around region locks for websites and content
yes the wallet but of course is not attached to my name.... is not to be paranoid but i like privacy
True Anonymity is really a myth
dont say that
To be truly anonymous go be a farmer with no devices connected to the internet
There will always be someone somewhere that can trace something back to you
¯_(ツ)_/¯
i am a really paranoid person so ... i like my things not being controlled i also dont use social media
That's just the truth of it
a little bit control u have ... but u need to know how to move
I doubt you do
of course the internet at home is everything but not anonymously
Reach out to them though, maybe they can help you figure things out
But it just sounds like using a vpn in this case is shooting yourself in the foot
i will ask and see what's the issue
Hi there. I am working on Web Server Pivoting with Rpivot. I managed to get the flag using curl. But it doesn't work when I try to use firefox. I get a The connection has timed out error. What am I doing wrong?
Do I leave the terminal I used to connect to openvpn open?
I'm confused how this works cause I've always used the Pwnbox
Use sudo with proxychains?
Yes
So open a separate one for anything else then? And that will allow me to move around within the HTB Network?
Okay thank you! 🙂
I get this error: Running Firefox as root in a regular user's session is not supported.
Ah
I don't recall having many issues tbh
I just did proxychains firefox http://ip
I'm doing a linux fundamentals, and the question:
What is the Type of the service of the "dconf.service"?
came up.
So what I did was I ran systemctl | grep dconf.service
nothing came up.
So then i ran systemctl status dconf.service
and got the output:
Unit dconf.service could not be found
What am i doing wrong?
I believe this requires being ssh into a target machine
doing the **Print Spooler & NTLM Relaying** in Windows Attacks & Defense and I get this when running the suggested command of 'mpacket-ntlmrelayx -t dcsync://172.16.18.4 -smb2support'
Impacket v0.13.0.dev0+20240916.171021.65b774d - Copyright Fortra, LLC and its affiliated companies
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client RPC loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.11/threading.py", line 1038, in _bootstrap_inner
    self.run()
  File "/usr/local/lib/python3.11/dist-packages/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 572, in run
    self.server = self.HTTPServer((self.config.interfaceIp, self.config.listeningPort), self.HTTPHandler, self.config)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 47, in __init__
    socketserver.TCPServer.__init__(self,server_address, RequestHandlerClass)
  File "/usr/lib/python3.11/socketserver.py", line 456, in __init__
    self.server_bind()
  File "/usr/lib/python3.11/socketserver.py", line 472, in server_bind
    self.socket.bind(self.server_address)
OSError: [Errno 98] Address already in use
Anyone had this before?
Address in use means that the port it's trying to bind to isn't available to bind to
You'd have to specify a different port
http server on 80
You're using pwnbox, pwnbox is running port 80 to serve you it in browser
Ahh yeah... Doh
@fathom pendant can u possibly help me with this one?
Since you @ me. No
Running ligolo with sudo helps
started linux tutorial as you politely asked me lol
and my command prompt is wrong I guess... its not Robinjo@htb[/htb]$
this is ok, right?
That's fine
then I entered first command ssh htb-student@[IP address], where the IP address is target IP
and its asking me for the password
Everything before the $ is just user@hostname[/filepath]
Correct
The password is just above the question
You might benefit from the intro to academy module which teaches you how academy works
can I get some help with this? seems I slipped through cracks 😛
please*
cancel i was just being a noob with -L, wasnt needed 🙂
Don't share screenshots of modules above t0
hey guys, I am on the last question on skill assessment for fuzzing. here is the problem though: this doesn't work for some reason. until now everything was so smooth, but for some reason I can't make this work. I found the flag from an online platform but I don't understand why it didn't work. I have checked it multiple times and it looks totally fine to me. can you help me? maybe I am missing something
You're revealing spoilers for the skill assessment
oh sorry
Considering you had to dig for the subdomain and file extension
yeah right
Also finding the flag like that would be cheating
My tips are: making sure your fuzzing is filtering the right size
And making sure that you don't overthink
With parameter fuzzing you will always generally get a 200, so you need to filter via other means
I think my machine had a network problem in the middle of the assessment because I literally couldn't get any responses
Also make sure you update your command with the right port
checked that as well I dunno I guess I'll go back to it again and see if I'm gonna be able to get the flag
maybe I had a temporary problem who knows
or I am missing something
Also remember it's a post request :p
in future how do we go about asking for support without providing the screenshots / despite the spoiler tag?
Redact information, supply relevant info while not spoiling information you may have had to dig for
cool, shall do so, ta
Also I'd say, use a different list like names.txt, much shorter
Just did it myself and got it
So I think the reason I might've been having issues navigating vim yesterday is because I'm using a 60% keyboard. I think some keyboard layouts are different by default.
Ah yeah
Just did it on pwnbox works fine for me
somehow i dont have any files/directories in my home dir... trying ls command, no luck
I also tried again now it works with no problems
soooo weird and stupid
i got bored and decided to do it in firefox (sending the request) lol it was interesting at least ¯_(ツ)_/¯
😄
it loaded the page and displayed the flag
yeah in the middle of the assessment my pwnbox's time was up and I got a new machine I think I configured everything with no problems but who knows maybe I messed up something xD
you probably did something slightly wrong
right?
(starting point - tier 0) "Fawn" -> task 7 does not accept my answer, i have controlled it on official walkthrough but i can not solve it, anyone help please.
ask in #starting-point
first i type in general chat they said type in modules now you said "ask in there" 😦
you are asking about starting_point, its logical to ask in #starting_point 🙂
just trying to be helpful for a change, dont take my noob status here LOL
yes i know it is not problem, thanks, i just wanna solve the task 😄
can someone help me with starting nessus in the vulnerability assessment section ?
htb note says “Note: The VM provided at the Nessus Skills Assessment section has Nessus pre-installed and the targets running. You can go to that section and start the VM and use Nessus throughout the module, which can be accessed at https:// < IP >:8834. The Nessus credentials are: htb-student:HTB_@cademy_student!. You may also use these credentials to SSH into the target VM to configure Nessus.”
i tried to start it using sudo systemctl start nessusd.service but the service is not found
for the Attacking SQL DB section of Attacking Common Services, I'm authenticated into the DB server and I managed to list available users. Unfortunately, I am trying to use the command to switch to one of those two users and I don't have permission. I also don't see the user the first question wants me to authenticate as.
I can authenticate as the user I'm currently logged in as of course but not the other user
can someone give me a hint?
perhaps being a thief may help
ok
it should already be started on the target machine
it takes a few minutes to fully spin up as nessus is a bit beefy of a web service
I took a minute to scan with nmap. All SQL related ports mentioned in the section are open but only one of them works for logging into MSSQL
or they are not all open but two are filtered which suggests they are also possibly open. I tried them and get a banner but cannot log in
maybe my previous hint about STEALING something wasn't clear
Hi all, In Attack Common Services - Attacking SMB, What is the name of the shared folder with READ permissions? - The method taught does not work: smbmap -H 10.129.70.227
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[*] Closed 1 connections
Looking at the forums people seem to have been able to solve this using the taught method. I have reset the machine 4 times. Does anyone know if im missing something?
Maybe netexec or smbclient
Awesome thanks, smbclient shows the shares but not the perms, ill try netexec
i think netexec has the --readonly flag? i could be wrong and it's -M readonly
There are several tools that I recommend you to use when one of them does not give you information when listing shared resources, smbclient, rpcclient, enum4linux, netexec, smbmap
It shows with the flag --shares the perms you have for the credentials you use
ok I stole the hash that was made clear. I'm trying to crack the hash and the password cracker is giving me issues. I think I have some syntax error. I tried using chatgpt to correct the file and my syntax. I'm 99% sure I'm on the right track and one little thing is off. I don't think I can explain my syntax problems in vague terms because its an issue that probably requires me to show specific syntax.
So I don't want to spoil it. Can someone DM me? This is just to fix an issue with hashcat.
I came close but even with ChatGPT I'm not entirely getting this to work.
are you using the right mode, did you copy the whole thing, what is the error, chatGPT will fail horrendously at trying to correct a hash
ChatGPT gives me a password result decrypted but it won't work on my machine? Here's the error:
┌─[us-academy-1]─[10.10.14.83]─[htb-ac-605555@htb-yqmvvms7mt]─[~]
└──╼ [★]$ hashcat -m 5600 -o cracked_pass.txt cracked.txt pws.list
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-AMD EPYC 7543 32-Core Processor, skipped
OpenCL API (OpenCL 2.1 LINUX) - Platform #2 [Intel(R) Corporation]
==================================================================
* Device #2: AMD EPYC 7543 32-Core Processor, 3919/7902 MB (987 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashfile 'cracked.txt' on line 1 (WIN-02...C1E5EC2FCC130655C06623227F44FD72): Separator unmatched
No hashes loaded.
Started: Tue Jan 28 18:02:31 2025
Stopped: Tue Jan 28 18:02:31 2025
I'm scared if I post further I will give a spoiler
ok
so right mode
nice
ok now I have the password and its not letting me log into sql database as that user which is really weird so I'm trying to log into that user
the python script to log in as the cracked password for that user won't let me log in
what should I do?
What can I do so I can control a website?
I am looking through lesson I don't see anything that may work except the other script besides the .py one
is that a sarcastic response to what I said or is this a hacking request? if its the latter, that's against our server's rules
Sarcastic response
ok
what I'm asking is why can't I log in now that I have username and password of the user?
What does it say?
┌─[us-academy-1]─[10.10.14.83]─[htb-ac-605555@htb-yqmvvms7mt]─[~]
└──╼ [★]$ mssqlclient.py -p 2433 mssqlsvc@10.129.203.12
Impacket v0.13.0.dev0+20240916.171021.65b774d - Copyright Fortra, LLC and its affiliated companies
Password:
Then when I enter the cracked password I get no response.
or I do it on port 1433 instead
and same thing
Try the 1433 port
I did
it does the same exact thing no matter what port I try it on
It js doesn’t say anything?
ya
Maybe the user has nothing
no sql prompt for me its really weird
😭😭
this sounds like a troll
No it’s not rlly
True
I'm not even getting that
Have u tried other username?
Looks like you need credentials 👀
yes, the default one it gives me to start that I had to log into the server as initially
But I'm using the module provided me
You need to provide them in sharphound
Very weird tbh
ok so should I just get 1on1 help? ok it IS very weird
I seriously don't get what my issue is
what do you recommend I do?
-windows-auth
thanks
ok I'm logged in as mssqlsvc. I am trying to enumerate contents of the database file. I selected the right database. I am googling how to list the contents of that database but not getting very good results.
enumerating mssqldb sucks
ok
ok hold on
😉 just gotta use some critical thinking to figure out which to switch out
(note you can do something similar for column_names)
note how the result is returned; it's given as a byte string
always bear in mind how things are returned to you
I am doing the SQLMap essentials module, and I am up to the bypassing web application protection part, and it all makes sense, but how do you determine what to use in a real scenario? Tamper scripts for eg. what information would a web application give away in order for you to determine the right tamper scripts to use? Or would you just try everything until something works? Same with prefix and suffix?
imo you'll get more clarity in the sql injections module; the prefix/suffix thing is how it injects the payload based on how the payload is processed on the backend
the sql injection module displays the query back to you so you can see where it's being thrown in
since sqlmap is mostly based on blind stuff; you're on a journey of fafo
I’ve done the sql injections fundamentals if that’s what you mean. I just understood that it only shows the process and payload because it is a learning environment, not like any website out there would be showing you the back end. So in that case it is mostly a guessing game for what parameters you use in your injections?
Interesting. Do the guesses get easier to make over time?
Yeah fair enough. Thanks for the help!
Hey HTB team: I encountered 500 server errors while accessing the PDFs linked in Module for Indian Evidence Act of 1872/Indian Penal Code of 1860:
https://academy.hackthebox.com/module/90/section/1980
https://legislative.gov.in/sites/default/files/A1872-01.pdf
https://legislative.gov.in/sites/default/files/A1860-45.pdf
Might want to check this out. Cheers!
not much HTB can do about some indian government site having errors
you may be able to google it if you'd like to find more
why logon fail??
I'd hope India's laws for cybercrime were open to the world somewhere.
that wasn't too hard
If you wanna suggest a change, #1234357888114364508
Thank you for helping a newbie 🙂
thanks @fathom pendant : #1334013002709467136 message
Please don't tell me there will be another cert!
Looks like it
Can't wait to see what it's about
I actually finished the path already.
Academy won't even let me close the path since I finished the modules prior to launch.
🔥 🔥 🔥 🔥 🔥
The lab is nice! The fundamentals is way too heavy on theory!
yeah but why does the slash matter, it did work though, so thank you, just want to know why
That’s just how the server was setup 🤷♂️
I know I'm late but when you run your gobuster command make sure you word your domain as <domain>:port number, otherwise it wouldn't work the way you want it to
how was I supposed to know that 😭
It said permanently moved so closing it usually works with those
Well now you know
I thought it meant the contents were moved to a different page, so started enumerating for more subdomains
I ran into it at one point too
how did you think of it
Just closed it🤷♂️
I also think the error says where it got moved but can’t remember what it looks like tbh
it never said it
the directory without the slash was probably a file, that says something got moved permanently
the slash told the web server i was accessing a directory
read the last line
Thats the only explanation I could find why the slash worked in finding the api key while the same url without the slash didn't
on Attacking common services - easy
Is the SMTP user exists on the provided user list? I already tried -w 5 up to 85 with increments of 5 but the results is always 0 exists.
I also did VRFY and RCPT for smtp-user-enum but does not yield any results. Again -w 85 already.
Which smtp-user command are you using?
smtp-user-enum -M RCPT -U users.list -D inlanefreight.htb -t 10.129.203.7 -v -w 85
I used the list provided on the Resources tab of the lab. Already used both module of VRFY and RCPT.
I have tried this command and it works, smtp-user-enum -M RCPT -U users.list -D inlanefreight.htb -t 10.129.203.75 -w 10
Check the user list to see if it is correct
I may have need to restart the lab then.
its correct
yes, restart
Please take talk of the skill assessment to DMs as to not spoil
@chrome furnace - you were told to take this discussion to DM. Please do so.
copy that
@storm elk okay I have no money 😥
That doesn't make it right to steal someone's WiFi.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
👆
???
Same here
surely there will be more modules guys
You finished the modules prior to the path launch, @median gale?
Likely more to come alongside an announcement
Hoping that it wont be as heavy on theory and text as the "Fundamentals of AI"
Don't be afraid of hitting walls in learning
@fathom pendant you available for question.
don't ask to ask
buddy
@lusty thicket not sure what you're getting at.
True true
Has anyone completed the ADCS attacks modules? If yes, just reply to this msg and I will PM you!
Is it normal that Firefox takes a while until the Proxychains is working?
It looks like it first waits for all these requests to timeout and then finally sends the request to the IP I want to access.
[proxychains] Strict chain ... 127.0.0.1:9050 ... academy.hackthebox.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... firefox.settings.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... push.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... darkreader.org:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... push.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... ublockorigin.pages.dev:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... push.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... ublockorigin.github.io:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... cdn.jsdelivr.net:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... cdn.statically.io:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... ublockorigin.github.io:443 <--socket error or timeout!
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:9050 ... push.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... ublockorigin.github.io:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.5.135:80 ... OK
Even after accessing the page one time when I refresh the page it first waits until one or two other requests timed out again and then it refreshes the page.
Is this related to using Proxychains? Can that only handle one request at a time?
Have you tried not using powershell?
it's in strict chain mode
have you connected to HTB vpn using openvpn?
i tried, but its not work
its logon fail
same result
firefox pre resolves domains and connects to mozilla services in the background and these requests are forced through proxychains so when it sends these requests at the same time each one must wait for the previous one to complete or timeout before proceeding
I spy with my little eyes the reason why
@small basin
You have pwnbox running dude
yes
You can't use pwnbox and vpn on your own machine at the same time
Well you can't have both running otherwise you get ~problems~
ok
i mean run 2 separate odd ones and they are not at the same time
i tried with vpn first, it didn't work
and i try with pwnbox
Well in your screenshot they both were running
Make sure you're disconnected from the vpn before trying on pwnbox again
okay, i will try again
If it works you owe me $20 and some melatonin
..
Thanks! Should switching to dynamic_chain solve this? Because I tried and it still waits. Or is there another config I can change?
or random chain
you can also isolate proxychains to specific cmds like curl
and if that doesn't work you can turn off proxy dns
doesn't the module cover the config file?
Unfortunately not. It just says to add socks4 127.0.0.1 9050 to the config which is already there.
curl works fine
need help with a module, information gather Vhost, brute forcing vhost. i have ran gobuster everyway, used dig, created my own wordlist to narrow my search to the prefix of the answer. i have used the other tools in the sections, im not getting anywhere. any hint or tip would be grateful
random_chain has the same problem.
even if I disable proxy_dns.
The only thing that makes it less annoying is to reduce the timeout:
tcp_read_time_out 150
tcp_connect_time_out 80
But thanks for the explanation! 🙂

i just completed the windows fundamentals skill asessment but even after completing the steps like i should, it always says that the SID is wrong
@opaque walrus don't post images that contain flags, should be common sense
shuffles back to sleep
sings a lullaby
Dude's the dad to the entire server
I even devoted a lullaby to Marcie #general message
papa sparkling fr fr
Kind request for help.
.
I am on Nmap module, with Firewall evasion Lab - Medium.
Please check pic, my command is correct, Not sure why I am not getting the version for DNS
Nmap alone isn't going to give you the whole picture all the time
I also tried the dig command as per Nmap docs: "dig CH TXT bind.version @<IP>". But still didn't get the content.
Can you please tell, what else can I try
Ref: https://nmap.org/nsedoc/scripts/dns-nsid.html
I'm still confused by this... I can't find this to use in 'sploit itself... I did see that you could specify some credentials in the script that was pointed too but that's it
You can DM
Hi, did anyone already resolve this question
What question?
Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
Is from Footprint SMTP
marcie, do you have any hints you can give about the question I was asking about the shells and payloads engagement?
you don't need to do anything to the script beyond use it
then of course setting the options
using the vhost and such where applicable
how? I can't get 'sploit to recognize it / import it unless I'm missing something
?
So how do you suggest we can talk here?
should be able to just use <exploit>
i have a ticket in with support but did anyone have any issues running the command sudo apt-get install gvm && openvas on the getting started with OpenVAS module?
actually asking a question instead of copy/pasting the module question and going "what's wrong"
I already use exploit but continue not accept the user that I have found
exploit isn't in metasploit...? I don't know what I'm missing lol
wasn't talking to you
it is
just trust
this is gonna piss me off soooo bad, that makes me think I'm staring at it lol
literally don't do anything beyond use exploitname.rb you don't need to import it or anything
...
Is not work
that was for me
the user that i found continue to receive wrong answer
hold your fuckin horses
you're not the only one asking for help
Here, I'll bounce with that info, I should be able to figure that out, thanks as always marcie o7
lol
don't use -D, and use the provided wordlist
if we can share screen there is no fun
I try get some help
If i can show you... always we dont have how to get understand
told you how to find the answer with the tool you're using
you're going to continue getting the "wrong answer"
just did it myself, told you how to adjust your usage
it seems the way it's set up is to always verify that whatever@inlanefreight.htb is correct regardless of if whatever exists or not
so you need to verify whatever
is it normal in the module of pivot in the chisel part when executing chisel on the victim target I get this error ? :
ubuntu@WEB01:~$ ./chisel client -v 10.10.16.37:1234 R:socks
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./chisel)
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel
nvm found this command online when building the binary sudo go build --ldflags '-linkmode external -extldflags "-static"' and it worked
Can anyone give a hint on DACL II SA first question? I've got a PC account that has access to another PC account, but can't see the path to the target with the flag?
Try to use an older release version
Oh, you already solved it, my bad
nw thanks for the tips tho
Dunno why tho since this morning every time I connect try to connect to rdp i get these error
[09:35:19:616] [22255:22256] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[09:35:19:617] [22255:22256] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[09:35:22:733] [22255:22256] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[09:35:22:733] [22255:22256] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[09:35:22:733] [22255:22256] [ERROR][com.freerdp.core] - freerdp_post_connect failed
Check the vpn, ip.
Also restart the lab
I am doing Information Security Foundations pathway , r there any htb machine to do , or the machines only start from penetration tester pathway
Hey, I'm on the Hacking WordPress module at the Skills Assessment.
I was asked to use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
I have 3 vulnerable plugins, one allowing me LFI - I don't know where the flag file is.
One plugin allowing me to read private posts. (I'm not finding a private post)
And another plugin allowing me other kinds of things (not files related)
Does anyone know if Q1 for DACL part 2 skills assessment require abusing constrained delegation? Not sure if it's a rabbit hole as that is covered in part 1?
bro
Obtain a shell on the system and submit the contents of the flag in the /home/erika directory
got it will retry in an h or so
That's the last question, I'm not there.
I have 3 vulnerable plugins, one allowing me LFI - I don't know where the flag file is.....
i completed this module but long time ago
dont remember sorry
You're good
i think so i a
Well I got shell, I guess I'll just get it with the shell.
that was the main objective right
I am unable to start an attack box instance on my account. Anyone else having issues?
I mean yeah, but still don't understand where that flag is
what fucking flag?
the flag location is in the fucking question or am i missing something
i swear man blind fucking people
Calm the fuck down
what flag u talking about?
I am talking about this question for the 100th time
sorry my bad
I don't want your help @zenith acorn , I'll wait for someone else
which is better use for enumeration gobuster or ffuf
Just don't be a dick to people, it's not hard
but yeah if i want to help i needed to start up the machine i guess
any reason why?
but bro if u want some advice
u know the vuln right? then research it maybe look up a PoC and try it
should get u the flag
just look wpscan output and check some links
time to get some weed for me. sorry for many messages
This drives me nuts. Working on Abusing HTTP Misconfigurations Password Reset Poisoning.
But I cannot access interactsh.local:Port/log. any insights?
Do you have it on your /etc/hosts?
what a shitty attitude
you know what? What a dummy i am. damn port
That ain't supposed to be there haha
Hi HTB Community, I am new to the HTB world and am currently working through the Intro to Network Analysis Module, I am stuck at the Familiarity WIth Wireshark portion, I am using Pwnbox VM but do not see eth0 or wifi filters available in Wireshark, am I missing something obvious
thanks thanks!!
HTB Community is there any way to know whether the discord user still uses their account without being in their friendlist?
Let me know for real
I want to msg my old friend but I don't know whether they still use their account
I am getting the following error when trying to capture on ANY of the devices listed:
The error message tells you what you can do
Check different vulnerabilities identified with a tool covered in the module.
For some reason I can't upload shell with the account I hacked into..
Whether it's manually with the theme editor or using exploits on msfconsole.
You don't need a shell to exploit that vulnerability.
Are you still working on the question you posted?
If you're gonna help, please take to dms to avoid spoiling
Did you run an automated WP tool covered in the module?
I did.
yeah sorry....
With an API key?
bro is ignoring me
@zenith acorn move on
It happens
letting go is not my strong suit
Btw (slightly off topic) hope you're doing better
You can create a new account and email 
Then start researching the identified vulns. I wouldn't really read up the cve.mitre stuff, but rather blogs and other references. Look for something that correlates with what the question is asking. I'd also start at the top and work my way down.
I don't see the unauthorized file download with the mail vulnerabilities in the WP scan
are we really living in a world where nobody can lose his or her temper anymore?
Like it has been said already Research
Yo chill
You have everything you need. Good luck
You don't have to help me if you don't want, you don't need to do it with an attitude
Thanks
wow youre the one with an attitude
Wpscan is only one of the tools, look at the id'd plugins. And as ricky said research.
.. this chat sometimes lol
is this with or without api token
Cut it out
With
hmm
Why was it deleted
spoiler
That's not even a spoiler.. damnit
Hacking WordPress is a t2 module, anything you reveal about it is a spoiler whether or not you think so
See the channel topic
So how am I gonna ask questions
I'm looking at the results of the scan, I'm showing you what I got and what I'm trying to find
let me fire it up
Nevermind I found it, it was labeled as "multiple issues"
You can be slightly vague or reveal just enough info so that people who have done it would know.
But copy/pasting the output is spoiling
Since it gives exactly the environment in the assessment
It's also why I say spoiler tags don't do anything because anyone can still click it
I think it hides it from discord search, but if you have enough surrounding info for it, it doesn't take a rocket scientist to figure it out
Yeah.
nice bro
But now I'm still stuck at the shell part. I got access to an admin account but I can't upload shell php neither manually and neither with the msfconsole
for RDP and SOCKS Tunneling with SocksOverRDP -> when I load the SocksOverRDP-Plugin.dll i get an error stating that there is an error is there a solution for it ? cause without this when connected with rdp I cannot run the .exe
on the 172.16.5.19 host
FYI I had to reach out to HTB Support who had the same issue and found a workaround
Something something realtime protection
Ok thanks I'll try to find it
Well your lhost is wrong I can tell ya that
new Tier IV module. insane
Defensive 😭
Don't believe you need to specify http protocol
Well it succeeded with the user login
I’ve tried both with and without
What did I spoil????
I redacted everything, it's not even related to the module at this point
😭🙏
not me
Hiya
Not me
The payload in msfconsole
Is my name offensive?
you're good bro
So you are active
Well guys, maybe its a bit of off topic but i gotta share i got the KLCP. It was harder than you would think. 🙂
Aaa you got me. 😄 You guys are on point. 😉
Congrats on your KLCP 🔥🥳
Thanks man. Believe it or not it was harder than one would think
I believe it was 😁.
Learning linux administration is not an easy task.
I’ve seen multiple osce3 and osee’s fail it
Did anyone get a foothold from the tomcat server on the linux privesc skill assessment? Wondering if just bruteforcing the /manager login is the correct way or if its expecting me to find some CVE (doesnt look like it.)
anyone online who have finished Injection Attacks module Skills Assessment?
I need help with that
I have done the first part of it || SSRF || but couldn't complete the second || XPath || Injection| part
Yes, but you shouldn't have to brute force it.
🤔
Heyo! Im just doing the Active Directory enumeration & attacks module, in the LLMNR/NBT-NS poisoning section.
Just curious, can responder capturing hashes be done through ligolo-ng or another tunnelling tool? As i tried it and cant seem to get it to work!
Only payload was the website address, I redacted the username and password
I’m still stuck on it
The payload name
Alright well it’s wrong though… I’m stuck on it
Do you have any clue why I get that error where I can’t upload a shell?
ligolo only tunnels tcp traffic
llmnr/nbt-ns poisoning relies on udp broadcasts
Are you sure about this? The ligolo-ng page shows it supports TCP/UDP/ICMP
my bad, it can handle udp traffic
but it doesn’t handle broadcast/multicast traffic properly
the packets will never reach your responder instance
It can but you'd need to do a lot of port forwarding shenanigans
probably needs to be unicast queries then?
¯_(ツ)_/¯
It's a pain in the ass to set up anyway. Best to just run it from the machine
What’s better, your own virtual machine or starting point machine?
Oh thanks!
Control, storage, flexibility
Yeah
You're not relying on someone else's infrastructure not being FUBAR
Thanks
Thank you all, Really appreciate it!
For the skill assessment for the Pivot module: "For your next hop enumerate the networks and then utilize a common remote access solution to pivot. Submit the C:\Flag.txt located on the workstation." I tried to look up the network but both NICs are in the same subnet, and I found the user/password for this question: "In previous pentests against Inlanefreight, we have seen that they have a bad habit of utilizing accounts with services in a way that exposes the users credentials and the network as a whole. What user is vulnerable?" But now I'm a bit stuck, idk in what direction I should go
I'm at the ACL part of the AD module. In the past I used BloodHound, but now I have a better idea of what is happening. Very interesting so far
Both nic are def not in the same subnet
Would defeat the point of 2 nics on the same net
That's not really the case though
It's a bit of an oddity but they are separate
They are logically separated
Sorry forgot to hide the ip
ok I see, so one is in network 172.16.x.x and the other one in 172.16.x.x?
the last one has no default gateway
Anything you have to discover is considered a spoiler
but spoilers are fun
Except when it's against rules and ToS my guy
And you can have fun getting banned if you continuously post spoilers and/or post writeups to content above tier 0 (not saying that you do that, just stating consequences)
yes I understand ma'am
I do hope that you've gotten a lot of what was bugging you off your shoulder from a while back. Genuinely. But I'd suggest not being antagonistic towards others when they're trying to help.
not my intent
I couldn't care what your intent is. Impact over intent. The way that people receive what you say is independent of how you intended to say it.
yeah
Not about being strong or weak
bruh stop thinking life is a shonen
okay haha
Not about cultures
its common sense lol
Not here to debate you on this
because you lose lady
Just stating that the way you say things can counteract how you intend things
Case in point dude
okay okay
if a computer is joined to a domain, will the domain controller always be the DNS server?
you have a point, I double check my responses from now
I'm genuinely trying to give the benefit of the doubt. Especially knowing your history
or would it be possible that it's another computer?
it depends
ok so not always the domain controller
Typically the DC(S) handle name resolution
But there could also be a dedicated name server that's separate in some instances
han i see
It all just depends on the environment and what the business needs and whatnot
but let's say the domain name is like hackthebox.local, if I did an nslookup on that domain name, given I'm joined in the domain, it will give me the IP of the domain controller, right?
Anyone know where I can get usernames and passwords to try on hydra !!!
resources tab in the module
For sure Ty
It should iirc
tnx

Omg I feel so stupid for the last flag in Pivot Skill assessment ..... 😂 after 1 hour of trying to pivot it was so simple
that was literally me lool
I confirmed with support at one point btw that it is intentional
well goodnight i am going to sleep
From now on I'll remember to always check the easy things first lol
Ligolo-ng worth learning? Seems easier than the method shown in the course
You need to reverse port forward on the domain controller to get a bind shell to compromise the network ❌
domain admin creds were on an open share ☑️
Eyo Tonym, did you do an nmap or something to get the port you need to connect to for the last two questions of the pivot skill assessment? Because I think I found the IP with a cmd ping sweep on one server but I cannot seem to connect to it. The IP I found is alive though, since I can ping it ofc
like 😭
once I had the ip I just rdp to it



..