#modules
I get that
so you read that whole section and your only take away was drupalgeddon 2 and 3?
I don't paste the input they have directly cus ik it's just their output and that doesn't reflect the same situation on my system
For what?
To achieve RCE u mean
I've tried the listed methods and those do not work for me
I don't remember having to think much outside the box on this one, but /shrug
The top one, and then encoding it to base64.. there's like no explanation as to why it actually is done
I genuinely do not get it
anyone did this module https://academy.hackthebox.com/module/108/section/1233
It is explained several times in the module why you use those strings in webshell parameters
actually to the point when I thought it was repetitive and needed editing
That hash is so that the payload cannot be easily used with a cmd or whatever. The assessors need to know the hash to use the webshell. I think it was explained in the section, but it's been awhile.
Alright
How do u get that hash or can u just use the one from the module
Cus thats the only thing I can do to retry drupalgeddon2
I still really don't get the rest
You just create your own and annotate the hash you are using.
I mean you can just not use a hash value, it's completely up to you.
Well thats what I did I just straight up didn't do that
And my cmd just did not give me anything back when I tried to do RCE towards the address
Im assuming i can share this at least
If nobody else is available to help I'll just carry on to the next part cus I cannot do this and I'm just getting unreasonably upset over it
you can DM if you'd like, but I'd really suggest re-reading the section when you feel a bit more calm. Carrying on in that state won't help, particularly in this module (fatty has a reputation...)
I'm fine honestly it's just tiring when I cannot find the reason as to why something isn't working and I end up wasting time and not getting anything done and learning nothing at all
I'm a student and like, I have to make daily writeups with an hour count to show I'm actually studying and if they see me only doing 1 part of a module with 3 hours spent they'll be confused why I suddenly took so long on one thing when it's like 80% troubleshooting
ok, then yeah, I'd say re-read calmly, from the top, maybe try on the box as you go. If you're still stuck, feel free to DM, I should be around
Alright
if they really care and know what they are doing, they'll know that doesn't mean you're not learning, quite the opposite
troubleshooting is underrated, and so is taking breaks
I do not have the luxury of time to be taking breaks atm
Just gotta understand the text and push through
+1 to breaks, tbh I needed one earlier and it's a good thing to do
only you can know that, but make sure you consider the time you'll waste by missing things for simply being tired
then they don't understand htb. you're not supposed to learn everything in 1 hour. sometimes it takes time to think through them and complete them.
Okay but like
I’m new here, trying to learn 
you should go through the modules at your own pace
It feels a little bad when it says like, for example, 4 days on the current module set I'm on and I'm at over 2 days (18 hours atm) and not even halfway
those estimates mean absolutely nothing
I get that, but it's a benchmark for people to look at, I don't think my teachers are gonna appreciate it if I go way over the estimate, and I'm concerned about that
I’ve used this before I just been super busy to get back into it. Also I figured I’m always going to be busy so might as well get back in it and stay in it.
we got your back when they unavoidably ask questions about the Password Attacks module :)
Haven't gotten there yet, may skip it cus I can't be doing repeat stuff from my education but thanks lol
I’m currently in a technical position now but all I do is install software on people’s devices.
yeah, if they do care about the estimate, maybe do skip that module
Why can't I talk in #general is there a minimum level to have access to that channel?
Hella boring doesn’t engage the mind
Yeah I'm sorry but the calm read isn't getting the job done for me
Who here has done or attempted bug hunting as a freelancer?
I generally think I'm either 1. lacking some other knowledge the path expects me to know or 2. vm issue
Cus it's like, collateral that if I do not get 1 part right I can't move on and that smells
read #welcome to join general chat. This is not general chat
Thanks
alright, you can DM what you've tried
OK
RE: https://academy.hackthebox.com/module/19/section/106
When we're trying to enum services on an IDS/IPS protected perimeter, we use the -sA (as explained in the walk thru) and i understand why, but i dont understand if we need (or should?) pair this with the ip random options ?
would randomizing or spoofing be best practice but ultimately not needed?
Also is the Firewall/IDS/IPS Evasion Hard lab supposed to take ~2hr for an nmap scan? https://academy.hackthebox.com/module/19/section/119
The section discussed speed/timing/performance but not exactly how that contrasts when trying to run scans against a Firewall/IDS/IPS target... seems like you couldnt really get performance and speed while trying to maintain stealth
im doing File transfer Module saying it take 3 hour . i've been on it for a few day lol
lol
Jeez ok
I guess that's the estimate for people who've been trained in it already or something
not that i cant complete it but i'm trying thing and while trying thing time pass
yeah some of those time estimates are wild, and i rarely meet them
i'm also taking note on the command . sometimes i'm just wrecking my head for nothing . Like one command need to have win.ini and I didn't understand that part so i tried it and tried it then i was like okay let try with win.ini like suggesting i thought it was just a random file to show the command. yep it wasn't the file need to be a win.ini to work
so i change the txt file to win.ini just to make sure it work like i finally thought and that was the case.
yeah thats half the "fun"
keep a hammer next to your mouse, it makes it a little easier.
is there any reason a FTP server wouldn't be showing in my nmap results? i've reset the box several times and i'm running the exact command shown in the solution, but there's no FTP server shown
attacking common services > attacking FTP > Q1
might be being filtered. have you done the section on nmap? try either running an ACK scan -sA or a source port spoof -g22 --disable-arp-ping...
Sometimes it just doesn't run
Resetting a few times gets it going
You're overcomplicating the problem
It's a known issue that sometimes not all services start up properly when it spawns
right on
i'm familiar with nmap. i could try other techniques but it seems unnecessary when the solution gives a command which works. i'll try a few more resets
Also to answer your question, randomized is really only good for public targets but at the same time wholly unnecessary
The scan shouldn't take 2 hours
got it. more resets needed. thanks!
Hi there. I am on the Pivoting, Tunnelling and port forwarding Skills Assessment section. I try to enumerate the /16 network with this script: for i in {0..255}; do for j in {1..254}; do (ping -c 1 172.16.$i.$j | grep "bytes from" &) done; done; wait. It doesn't work. I think it is because it runs too fast. How can I make it a little bit more slow?
All ips are not reachable. It is not possible
You're doing far too much work tbh and depending on the type of pivot in use, pinging can be dead air. Best to ping from the host you're on
Rather than your attack box
Also why /16
It is /16 because the mask is 255.255.0.0. I am not even pivoting. I am just enumerating the internal network. I am in the third question
Think smarter, not harder, enumerate the actual interfaces
It's not actually /16
No one here
#rules jackass
#idgaf
regarding your last bit, how to make it more slow, you can always add a sleep statement in your block. ... do (ping -c ...); sleep 1... if i remember the syntax correctly.
<@&861185840277487616> (asking to hack someone's snap)
good luck with that
Marcie says you dont need that, and his advice is gold standard, just thought i'd mention.
And this ain't the server dumbass
@nocturne nexus dude, here's a tip, she's def cheating you.
No shit
are these trolls? some of these have to be trolling for a laugh?
"i can barely work an iphone" ... they're literally made for toddlers. anyways /blocked
Literally in rules stating don't ask for illegal things
I am needing a bit of a nudge on the final assessment, i am on foothold, and i am uploading my shell to website as a .war file, however, i cannot get the shell to run, i'm not sure if i am in the wrong directory or what, but i have uploaded three different shells, any help would be appreciated
Live Engagement*
Are you sure all the values are correct? LHOST, LPORT
ty marcie
oh, i'm not running the msfconsole, i was uploading the .aspx scripts you edit, i am doing the host1 tomcat apache server box
sorry i should have clarified
There's a handy cheatsheet command 😉
I'm aware what you're working on
Lol
oh sorry lol
oh yes i uploaded it as a .war with burp so it would see the file time, then execute the shell
Why not use the msfvenom command to create a revshell?
I need help with the file inclusion skills assessment
hmmm okay
Seems like you're doing a lot more than you need to
Don't spoil skill assessments
But when i set the user agent as a php web shell it screws it up
Utilize all the techniques taught to you in the course
I did
Make sure you use the right type of quotes
It's easier to manipulate with burp
Could you check my request in burp to see if i screwed up?
Ill just send it here then
Read the channel topic, file inclusions is above tier 0
Anyway, if you break the logging you'll need to reset the instance
Tier 0
you can send
I tried like 5 times and it keeps breaking hence why im asking for help 
Ok I found the ip assuming stuff. But the mask is 255.255.0.0. There has to be a more scientific way of finding the live host instead of assuming stuff about the ip
Still, providing screenshots of skill assessments is spoiling. I suggest taking it to dms with someone who's willing
Ignore the mask
Enumerate the interfaces
The interfaces are gonna be bigger clues
I.e. 172.16.5.4 and 172.16.6.4
^ not entirely sure of the context here but if you get route tables or traffic for the interfaces you should get a good baseline for whats moving around the network
in lieu of a scan for the entire subnet
Thats going a step far
Lol and overcomplicating again
in this case they're not trying to be stealthy
is the start button supposed to work to deploy once you get the file uploaded?
Should be able to just click or open it in another tab.
^ once deployed it creates its own directory/file
War stands for web archive as an fyi
hmmm i must be doing something wrong then
Jar also stands for java archive as an fyi
Do you have a listener waiting, and are you sure it's calling back to the right interface?
i actually didn't know that about the war file so it was helpful
yes i have my nc -lvnp running on 443 with the foot hold as the int
Remember: you're on a jump host and different internal ip
It won't be the 10.129 ip 😉
. cough
lmaooo
i don't think i would have been in the right frame of mind to run an ifconfig to look for the same ip that the webserver was on
Introduction to Red Teaming AI will be a part of the new job role path about red teaming AI?
At least you found the creds
thanks lol
Many people miss it, even though it's on the desktop
i have learned to check that lol
i think i'm going to have to reset the machine i think i broke it lol
Good Afternoon guys i need a bit help. Still i cannot find it the flag here
I am trying to do the new module about Red Teaming AI and... it says that I found the flag but when I'm trying to send it into answer input it's saying that it's wrong, normal?
Nvm... it added a space after the }character.
it says its starting on the webserver and is showing as deployed and i am creating the shell as a war and extension as a war, but i still cannot get a reverse shell to it
nevermind i think i see something
But am I going through the right track? I the process I am following?
Yes, I just learned basic assembly through that module.
yes, doing a loop through the stack, byte per byte is the right thing to do
i remember looking at the stack and pasting the result as the loop was doing its job
I am doing the Pivoting, Tunneling, and Port Forwarding Skills Assessment. I managed to RDP to the internal server. But when I use nmap to enumerate the target and don't see any service up
your loop doesnt properly iterate through the stack because you forgot to move rsp in a way that makes sense
RBX is the key
without also setting rcx you just let the cpu decide how many times it executes the loop
but he didnt show RCX so we dont know how he's looping
that's right!
yes, be wary of RCX, maybe use conditional branching
through the "jmp": "jle", etc... instructions
In other words, is it necessary to use any print function or the value of the stack as string everytime it iterates?
but you shouldn't really care about breaking everything up as long as you end up seeing the stack getting decoded
besides, fyi I used rcx, 14
thats what the debugger is for
i mean if you're feeling confident you can print it but it's overcomplicating things imo, just iterate over each loop through the debugger
so that you don't have to bother with printing everything
lmfao i'm glad i can recall things from this module i took it 2 months ago 😭
i see, i get it. Probably its the instructions that is not making sense, that I have set.
yes, move the stack pointer register at each iteration
so that rdx can get the value of the next byte
(or something like that ig)
each stack entry is 8 bytes
Yes, tbh too complicating, Basically i was looking at other community suggestions in google, that was also asked regarding it,
oh yeah be wary of how long your key actually is lol
Alright, guys. Thanks a lot for your suggestions. I just got back home, I will now sit for solving it again. @quartz lagoon @lusty thicket
awesome
good luck!
@fathom pendant got it, thanks i've spent over a day on it
guys i need bit help
@quartz lagoon @lusty thicket still not getting through. Feeling a bit hopeless here.
I changed my code to this
_start:
......
mov rdx, rsp
mov rcx, 14
decode:
xor [rdx], rbx
add rdx, 8
loop decode
remember you gotta move through the stack, 8 bytes by 8 bytes
Hi, I'm stuck at the Web Request module's first question in HTTP fundamentals, what am I supposed to write to the command line? I don't understand a single thing
like when I type in the terminal curl inlanefright.com it just places my mouse to the next line and doesnt output anything
You have typoed the url
and any text I enter is just a white line
hi
This is the link im visiting but its giving a 404
file upload attack
am I doing everything okay? idk why its giving 404
Windows Privilege Escalation - Further Credential Theft
I'm having trouble with the first assignment of retrieving the sa user password. I've found the encrypted password, and it should be decrypted when running one of the tools. However, I was only able to do it by researching an external script. Is anyone available to compare notes?
Can anyone please break down these commands in the Miscellaneous File Transfer Methods module?
xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer
rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'
i don't get where am I supposed to be getting the domain (-d) and username+password from given that in the paragraphs before the commands there's no mention of this requiring me to have obtained valid credentials to the Windows machine I'm attempting to connect to.
When you spawn the target it should show you the credentials needed
Does this mean that those flags I mentioned are the domain of the machine I'm attacking and that the credentials are compromised creds belonging to a user in that domain?
I'd just assume yes
Just spent ages struggling with the imap/pop3 section of footprinting, because I was trying to do it from my kali vm. Nothing was giving the expected results, tried it on pwnbox and it worked perfectly. Is there something wrong with my kali instance that I could fix?
Note that the VPN and PWNBOX can't run at the same time, in case that was causing the issue...
well, the VPN is still running on my VM even after I loaded up pwnbox, I only loaded it up after struggling for hours
This is all I was getting from nmap for example
which is?
my machine
🙄

It's not that the Pwnbox won't "run" when you use your own VM connected to the VPN, it's that they both share the same IP address which will cause connectivity issues due to two devices trying to use the same IP, so you can't use both at once, you need to choose one or the other.
Okay, well pwnbox was not running the whole time I was banging my head against a wall thinking I was doing something wrong!
well your example doesn't really provide enough info to provide a detailed answer as to why you may be having issues, it could be your box's end, something inbetween, or the target. impossible to tell.
I'm guessing it might be ssl related, I was able to connect to imap/pop3 ports but not secure ones, so could not authenticate
all openssl connections got to CONNECTED(00000003) then nothing until the connection timed out
Thanks, @safe star Helped me out 🙂 turns out I wasnt fuzzing properly and using the incorrect extension (where I needed to use double extensions)
I'm finally freee
awesome
I'm not an Alt just never verified
Great
Initial Enumeration of the Domain - Anyone know why is it getting error sending over UDP for kerbrute userenum. Same issue when compiling directly from the parrot OS inside the inlanefreight.local. Then tried using the pre compiled older version but it keeps throwing error saying.
"2025/02/08 00:46:11 > Done! Tested 1381 usernames (0 valid) in 0.270 seconds
2025/02/08 00:46:11 > bufio.Scanner: token too long"
Worked fine for me over Ligolo: https://youtu.be/qou7shRlX_s?si=IzLdNqaJw6bXrZvP
I am at "Initial Enumeration of the Domain" and Its the same issue even if I am not Pivoting and compiling directly on the Parrot OS present in the inside network
This is the AD module, correct? Which VPN server are you using? Because it's important to use the one geographically closest, otherwise you're never going to get the speeds you need.
Here in SoCal, I found that us-academy-5 and us-academy-6 are the best options.
Going to try respawning that from my end and see if this can be reproduced; hold on
considering academy pawnboxes have no internet connection, how do i get the encoded_flag.zip onto the pawnbox?
nvm, you can copy link and download in pawnbox
The PwnBox has an Internet connection all set and ready to use; it's the target machines that don't. Even if it didn't, you have SSH credentials, so a simple scp will allow you to copy files to and from the PwnBox from your real machine.
For "Information Gathering -Web Edition" When doing Web archives the way back machine for August 8th 2018 redirects into a GoDaddy site, I'm assuming I did something wrong. Just double checking here.
Never mind I figured it out. Had to use ".eu/en" rather than ".com"
Where can I check the details regarding the change log of a module? When I click on the change log button it just says "Added 11 new sections" but I can't actually check what are those 11 sections
You seem to be experiencing a connectivity issue. I don't know which section you're working on but have you confirmed you're targeting the right port and that it is indeed open?
yeah
after some tried it will fail so decreased to only 3 thread
then i will create another wordlist by excluding the tried password and try again 
Have you tried another tool?
yeah hydra is not working i mean after some tries it will also fail
netexec is slow and crackmapexec as well
Are the other tools also giving you connectivity issues?
i think it doesnt even interpret threads
yeah after some tries
i restarted the vm
Have you tried switching VPN servers?
Try it with the PwnBox
Hi! I'm working on a Windows module, and there's a task:
"Identify one of the non-standard update services running on the host. Submit the full name of the service executable (not the DisplayName) as your answer."
I found Foxit Reader Update Service (this is the Display Name), entered FoxitReaderUpdateService (this is the Name), but got an incorrect answer.
I can't find any other suitable process, and the hint says the service is related to PDF, and Foxit is specifically about PDFs. I tried entering both Name and Display Name.
What should I do?
Go based tooling will not work with proxychains. If you are having issues without pivoting too this may not be your issue but thought it was worth mentioning
Was curious about that "will not work".. no personal experience with it, just reading up on it now but this looks interesting.. https://github.com/hmgle/graftcp?tab=readme-ov-file#principles
are the buttons in the header on the sample web app in https://academy.hackthebox.com/module/145/section/1346 supposed to not be working?
It's been a while so I don't recall exactly but it's something to do with the way proxychains intercepts packets with LD_PRELOAD not working on go binaries. This is what I use to get around it https://github.com/xjasonlyu/tun2socks
They seem to be working for me - you mean Dashboard, Modules, Paths, and the others on the top right?
If you have JS disabled, they will not work
..a lot of the site will not work with it disabled
No, in the sample web app in the exercise: Menu, Reviews, and Contact
If you have it enabled, any adblockers, or errors in the console?
Oh right, sorry. I don't know
Let me try here..
It's an injection exercise and there's no input field, so I'm a bit confused
Not doing anything for me, so I assume they are not supposed to, or the target is broken.
Perhaps it indicates that you need to investigate what is happening behind the scenes
🤷♂️ again, I don't know, sorry. I've not worked with that module
No worries, thanks anyways 🙂
Sounds like you're on the right train of thought though if I were to assume
if you inspect the page source you can check whether they are supposed to be functional or not. Check the form html code, if it has action=# then it's not a functional button. A functional button would have action=somefunction.php, basically pressing a button triggers a php function (if there is the code for it).
That's great to know thank you!
you can typically check the same thing by just hovering the link, browsers will show you the target on the lower left corner
stuck on https://academy.hackthebox.com/module/113/section/1211
i've gained rce, and i am looking through the system, but cannot find the flag. anyone have a hint or trick to figure out where it is?
nevermind, got it now
guys i have some problems with zap hud
it is not working as expected and when i delete it and install it still not working
how i can solve this problem
this is in the spawned machine in htb
not on my own pc
Good Afternoon guys please someone can help me with this ?
assuming that the command that returned "Message left for the administrator" is identical to the second one, why did you remove the closing single quote ?

that's what's causing you to get a > prompt
I don't have that module to tell you if you're doing anything else wrong
ups
that is Stack-based buffer overflows on linux x86
I know, but I don't have it and it's been about 20 years since I smashed the stack for fun and profit 
holy crap now I feel old
looooooooooooooooooooool
- First try: You are likely not overwriting EIP
- Second try: Missing the single quote as @urban elk mentioned
- Third try: You can't just add some magic variable called shellcode (and still missing the quote)
okey okey
Im trying the session hijacking module xss and when trying to set up php server via 0.0.0.0:80 it wont let me due to it being already in use has anyone had this issue using htb pwnbox
use a different port?
The PwnBox uses port 80, you must use a different port
not sure if you found the solution for this, check the number of passwords you have in the mutated list, that makes a huge difference. I just re-run the module, it took 20 mins roughly. Note: I used -t 64 for number of threads
guys i cannot kill the process until 12000
y
Nothing happens with another port
What do you mean by nothing happens?
I send payload and my php server recieves nothing
Its ok now it worked when using my ip rather than 0.0.0.0
Using port 80
Port 80 is used by the PwnBox. You cannot use this port.
Use 1234 for example
Your payload must then be something like curl http://10.10.10.10:1234
Hi im just starting and have the student subscription where should i start, do i go straight to pen test job path or informational security or where.
I have no previous experience
information security foundations skill path
what
Thanks
If you use y instead of n you'll kill the process
i used y bro
your screenshot says otherwise
@ancient niche Please don‘t spoil any flags
sorry sorry
I have a general question. Why if CME is outdated and followed up by NetExec, is the usage of CME still all over the place in the HTB Academy modules?
Because the modules have not yet been updated. But you can simply use NetExec instead of CME
I know and was happy to have someone point it out to me. Still a bit of a shame as the HTB content is so great. Thanks for replying.
It’s not that difficult to just use netexec instead of crackmapexec when you see it
they will be updated in time
I know. The syntax is practically the same.
Wow! I did not want to start a discussion. I am a huge HTB fan
Too late, fight started
I believe they did mention somewhere to use nxc and not cme.
But even if they didn't, simply visiting cme's github repo points out that it's outdated due to hostile fork.
Look at the forks, you'll see nxc.
So it's not actually that hard to figure on your own.
LOL
Hostile fork sounds dodgy if you mishear it...
Eh ... yeah. But also sounds kinky.
guys i'm stuck here since 3 weeks
Hi all, I am stuck on MODULE: Whitebox Attacks - SECTION: Skills Assessment. I can login as larry, but cannot go further. Somebody suggested to look for a race condition, but I can't find anything working. Any hint would be very appreciated. Thanks a lot!
hi, dont want to make you upset, but while you are still using kali, you will never become valuable ethical hacker,
isnt my message in english?
xD
Yes, but
a) in the wrong channel
b) what exactly does the OS used have to do with a person's ability?
can you understand something without having the source to explore ?
thank you so much all 🙂
Kali is just a debian distro with some preinstalled tools, there is nothing wrong with that!
Also the most widely used in the industry, so how would knowing the distro not be useful?
3 weeks stuck oh my good xD
Did you ever hear about opsec?
Of course, wtf does that have to do with the base distro you choose to use?
More “preinstalled” stuff you have, more vulnerable your os become, there is many old services and expired stuff running on that os, its just looks cool so its a reason why it is overrated
Any “Fater” os
Raw debian, rhel, Arch, fedora and etc,
If you want arch based os with preinstalled tools, select blackarch
Parrot is also a variant, but it also has many exp. Services there.
But kali is better than windows 11
If we judge from point of security*
So I understand correctly, pre-installed tools on Kali are bad, because expired stuff and old services, but on blackarch the same pre-installed tools are okay?
yes, because it's Arch and apparently configured for OPSEC by default 🤡
Its better than kali
Yeh its ok, still using kali,😂
Nothing is configured for OpSec... Not even Tails OS or QubesOS. If you are stupid and accept a cookie or hit a site that has a unique tracker, then all that goes out the Window. OpSec is a human thing. "loose lips sink ships" *Most * of the techno components can be mitigated in an automated Fashion, but the human factor still has a play.
Anyway, not the place for this discussion, let's stop before the mods get involved!
JAJAJAJAJAJJAJAJA
While I’m currently taking today off, how exactly do you guys take notes for academy modules? Do you just focus on the code aspects of the modules or do you also focus on other parts?
i do everything and i make drawings
🙂
It's important to remember the process of how you got there, the code itself may not be relevant or useful for long
I am doing Pivoting, Tunneling, and Port Forwarding Skills Assessment. I have already RDP into the first internal server. I scan the interfaces. In one interface there should be 3 live hosts. Instead there are only 2. I tried to RDP to the machine that it is supposed to be the next hop. But it is not alive. What's the problem?
idk
hi guys, this might seem dumb but its my first time using meterpreter and I need to find a file in htb-stndt's Documents folder. Currently im in C:\Windows\32 and I have no clue how to find that folder. Any ideas?
cd ..
I know the host should be alive but it is not. Is there a channel where I can get in contact with support a report the problem?
yeah and then?
cd to C:\ and the dir, and the cd folder
you should fin the user folder
find
finishing AD skill assessment prt 1, man i learned a lot from this gg
Who has been able to complete SAML signature wrapping lab i HAVE tried lord knows for over 5 days different formats it seems not to solve
please take a look.. i am trying to install selinux, but all I got are ignore msgs
have you spent any money on academy? pwnbox has limited internet access if you haven't spent money i think
I spent money, subscription is on, this is VM
oh ok, well you can see right there you can't resolve that host
so check dns stuff
looks all network related
i will try reboot 😉
If all hosts didn't spawn, I guess reset it.
it worked lol
Yeah i recommend to wait 3-4 minutes to get sure the lab start properly
Please read #welcome
I have followed step by step way of making this attack work for over 24 hours now and nothing. I am lost and have no idea what to do next
I have placed the unsigned modified assertion on top of the signed one ,below it etc its not working
I am using saml raider and pasted the modified payload in both beautified and minified versions still i cant solve the lab why
this is on the SAML module
Hey can i dm you please?
no
alright thanks
I have been literally stuck for 3 days on this SAML module : Signature Wrapping Attack can anyone please point me in the right direction i would be so grateful.
Do not beautify or minify. That’s the thing with this module.
please take a look i am stuck here
" Using the known subdomains for inlanefreight.com (www, ns1, ns2, ns3, blog, support, customer), find any missing subdomains by brute-forcing possible domain names. Provide your answer with the complete subdomain, e.g., www.inlanefreight.com."
Footprinting module SMTP: i cannot find the user name. i got the list like root,admin....but all showing wrong. what should i do to get correct answer.
I am on the easy lab for Attacking Common Services module and I found that the server is vulnerable to FTP and that FTP command work according to nmap. I am trying to brute force the password with medusa but it gets up to a certain number of passwords for the first username and then throws a 550 error.
can someone help me with this?
the question is:
You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer.
if someone can DM me, I think it's a syntax error because I used the username and password list from the resources section and tried a bunch of things to make it work. The -F flag I tried to force it. I tried -t 4 -vV instead of -F. Before that I tried the exact medusa command from the Attacking FTP section of the module except with the username and password list from the resources and the target IP specified in the easy lab.
if necessary someone can DM me if there's a high risk of spoiling it
no nmap didn't say that
I just tried that as a guess
but with 'password' as the password
in fact I just tried it didn't work
I am reasonably confident I need medusa
quick question. When Netexec gives me a (Pwn3d) for LDAP. What does that allow me to do ?
Isn’t that just a domain admin?
could just be user
exactly, its just a user, but this one user has (Pwn3d) on ldap and others do not
either this account has special privileges or something is misconfigured in a way that makes your life easier
Pretty sure it means you can access that user and use them for LDAP searching
hey if any1 wanna duo on bug bounty (beginner)
it depends on which nxc module is in use
it doesnt let me access it mate
oh aight excuse me
and by "beginner" do you mean
- you want to duo with a beginner or
- you want an experienced person to basically do all the work
there's also the bug bounty hunter path (link in the pinned messages of #cwes ) on htb academy which gets you sorted for the basic stuff
a duo with a beginner ofc
oh btw i cant find my account id
#welcome contains the link directly to your identifier
gotta go on my pc
aight thanks mate
You can try Landscape mode , that does the trick here 🙂
i just requested the desktop website since im on iphone
Ah that works too
ye they have a mobile OS detector thing, gotta request as desktop mode
hello guys, I'm a new member and beginner here. I'm having trouble in the "network enumeration with nmap" module, more precisely in the "service enumeration" section, can someone give me some hints or methods?
I've tried a bunch of stuff and got all the ports and services, but I'm totally stuck on this: 'One of the services has the flag you need to submit as the answer.' Like, I'm a total newbie here and I'm lost. I've been at it for over 2 days trying other solutions.
The module shows you further options for requesting the ports found
I'm a bit confused. Is there a 'flag' we’re supposed to find on one of the open ports? I tried checking port 80, but didn’t find anything, so I think I'm doing it wrong. My English isn’t the best, so maybe I misunderstood the question.
The flag is a string such as HTB{this_is_your_flag}
You have to query the ports found as described in the module to see if they might give you some information. You will then find the flag on one of the open ports
Hi @gloomy spindle, did you ever figure this out? I'm also stuck there
Oh, I get it now. I just need to check out a different port. Before, I thought I was doing it wrong and that the flags were like 'ACK/SYN'.
Alright, thanks a lot for the tips
@compact seal yes, DM me and I'll give you some hints
Hello, Im doing Pivoting, tunneling and port forwarding module, in Remote/Reverse Port Forwarding with SSH, Im stuck in how Downloading the payload to the Windows target, can someone please help me? I'm in Starting Python3 Web Server on Pivot Host step
ACK/SYN messages are part of the TCP handshake
he thought the question asking for a flag was talking about SYN,ACK,FIN,... etc flags
Hello everyone, I'm looking for a little tip in the module Abusing HTTP Misconfigurations, section Password Reset Poisoning. Am I in the right place?
okay wanted to ask nicely. I can't get any further in the module in question. I have already tried the overwritable headers described in the module, but I can only get a reset token on my server.
In the search here in the chat the question came up several times with no visible answer.
Yeah, this channel would make more sense as a forum I think
heavily disagree
it was an idea that was heavily pushed back against when they tried to change the cert channels to forums, and the #1263635449335910531 is hit/miss for the related prolab content
Hello Everyone, I'm looking for a hint for the module Pivoting, Tunneling and Port Forwarding in the RDP and SOCKS tunneling with SocksOverRDP Section in which the question states "Use the concepts taught in this section to pivot to the Windows server at 172.16.6.155 (jason:WellConnected123!). Submit the contents of Flag.txt on Jason's Desktop." and I can't seem to find the answer. I have RDP'd onto the Windows machine using the creds given and I am trying to transfer files from Pwnbox to the Windows machine but files get removed instantly from the Windows machine. I have also scanned the machine and also tried transferring files through SMB shares but then too I can't seem to figure out how to transfer a file.
seems like some protection is running in real-time
Whats the point of SOCAT Redirection Reverse and Bind??? Why would someone even bother to do socat redirection if you need to establish first some sort of tunnel to the internal host and execute your payload in there to connect back to attacker machine?
I already established full bi directional tunnel to be able to execute the msfvenom payload on the internal host and then I need to do socat redirection on top of it? I dont see anyone would even do this kind of thing. What is it a redundant full tunnel but this time it doesnt use SSH? 😆
¯_(ツ)_/¯
i only bother with ligolo; my beloved
makes a lot of stuff so much easier
I love sshuttle though. And met tunneling.
also some of the labs place the victim in the position of having been phished and running the script
but since they can't automate the script in a way to know what your vpn ip is; you kinda gotta do some funny stuff
But still seriously I want to hear the opinion of someone regarding the module of SOCAT Redirection Reverse and Bind. 
it's just another way of performing the same trick in the event that some methods may be blocked from execution
¯_(ツ)_/¯
same thing different hat
and bind is just that it binds to an interface
Yeahhh right???? Like I will accept it if its some sort of auto execute payload in which you dont need to establish full tunnel first in order for the payload to be executed.
rather than it being a reverse shell it opens up the port on that interface
it's one of those "gotta do it myself" things since there's no feasible way for them to automate it 
You got the token? Then just use it, it is tied to the account it was issued for
Honestly, I had no clue before. I thought the flag would be like that, haha. But now it's all good—I found the flag!
Because in the module there’s an example output that says 'flags: [S]', I thought the form of the flag for the answer would be the same as that.
That's specially for network traffic. Network traffic like TCP sends flags with its packets to signify different actions, usually displayed in shorthand as a combination of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or '.' (ACK), or 'none' if no flags are set.
Hello, does anyone know the estimated time to become an Elite Hacker? I saw that I need to complete 70% of the content..
70% of active content
Not all content
Active content would be the machines and challenges
And do you know how long it takes to achieve it?
Do they change every month? ?
to be clear, not to be confused with Academy content
This has nothing to do with htb academy, trying to point you in the right direction
There's also the https://help.hackthebox.com site where you can search help articles related to your questions
Ok thanks,
can someone help me?
I'm stuck on Web Requests first flag
Isnt this is the command we are supposed to use?
You must specify the url and not only the endpoints
Or am I doing something wrong?
/download.php is the resource on the spawned target
?
So it would be http://[target:port]/download.php
There should be a button "click here to spawn target" on the academy page
Curl requires a url to work properly
yeah, but that just leads to an empty page which says 'this page is intentionally left empty, using curl should be enough'
use curl on that spawned target/download.php
It's very common for the web modules to give you the endpoint /download.php, it's assuming you know basic web knowledge
The endpoint is attached to the spawned target
I'm new, i have no idea
And I'm trying to explain how it works
I'm listening
You have a spawned target yes?
Yes
Instead of visiting it in the browser
You use curl
curl -O http://spawned_target/download.php
So the command would be 'curl spawned target ip'?
Replace spawned_target with the ip:port it gives you (if it gives it in the form ip:port)
Or just the ip
If the ssh port is open, what is the next step to get to their ssh
What academy module is this for?
Education...
thanks
Thats not an answer
Then it sounds unrelated to https://academy.hackthebox.com
I suggest reading and following #welcome to access more of the server
@fathom pendant just a quick question, with the command your provided why did you use http instead of https?
Because (most of the time) the web server targets aren't running https
:)
So you'll get an error
is there any effective way to bypass amsi? i have tried all the ways in the Windows Evasion module, but all of them are almost useless.
hi @fathom pendant ..
I haven't done that module, please don't tag me like that in the future
Especially if you just asked the question
My simple web server works well.
How do I find the path to the home directory and the mail directory….???
i thought it was /home/htb-student
env is a great command to list environment details
im stuck on https://academy.hackthebox.com/module/113/section/1094
you get a username and a password made on the other machine when u follow the guide.. but what do i do next to get into the actual system to receive the flag? im a little clueless
once you create the user/pass... you can use that to log in
i believe psexec or wmiexec should work as well
i dont know how to
i tried wmiexec but i cant run a succesful command with it
and the googling im doing isnt making things clearer
one step at a time: you verified that the user you're meant to create gets created yes?
you should be able to just log in with that user
you're not connecting to an other machine, so to speak
idk what u mean with just log in its not like i have the other machine in front of me
if you look carefully it's not having you create the account on a different machine
okay now i really dont get it
is it really not? its a powershell command being sent to the target
the powershell is being run on the target

We could also try to RDP to the box, access over WinRM, or use a tool such as evil-winrm or something from the impacket toolkit such as wmiexec.py or psexec.py
yeah?
did you try that against the spawned target?
yes
there is no other machine in this instance the powershell commands being run are run on the machine that prtg is running on
yea i know that
did you try using WinRM?
no because im pretty sure thats a windows application
🤦♂️ so is RDP, technically
i can take a look at evilwinrm
where
Need some help? Learn how to reach the support team on Academy.
yeah okay i dont have an annual subscription though
they dont let me lol
im here because this is the only place i can get support without overpaying
you don't need a sub to talk to support LOL
yes u do
no, you don't
💀
the reason i said contact support is because something isn't behaving as you think it should
thats not true
which is different from "Content Guidance"
i never said that i didnt think its not behaving as it should
user gets created
it's not letting you log in with said user
Things aren't working as expected
??
bud
i don't get paid enough ||at all|| to dig into what things you're trying to do or what needs to be explained to you
and since theres no information i cannot tell whether or not it is broken
from what it sounds like you've explained
- you followed along with the module
- the user gets created as expected
- you verified the user gets created with the credentials
- you attempt to log in via the various methods (RDP, evil-winrm, wmiexec, psexec) and it doesn't log you in
that last point is telling me that something isn't working as it should ^
are you specifying the domain\user?
for me its just cus im working with tools that have poor documentation
theres no domain
i checked with uhhmm whats it called
enum4linux or whatever it is
when you did the smb check it should have given a domain\user
i mean enum4linux works too
yeah
but nxc smb ip -u <username you created> -p <password you created>
(if you don't have netexec installed, i suggest installing it)
i tried smb as well with smbclient
every time I look at any chat at any time, marcie is here. a hero
think it just kicks me out though
redact the user and password and show your smbclient command
-L
smbclient --help | grep -C 3 "-L"
or man smbclient and search for the -L flag, and it'll tell you why it's doing what it's doing
oh damn
yeah okay i still dont know how to use smbclient to get in
imma keep it real with u i just chatgpted the command
na
ah, explains why you're a little lost with smbclient
ive used it succesfully before
i found a vulnerability in inlanefreight 
but i just dunno how to get in
is that On purpose for a future section ?
the Footprinting and Common Services modules go over how to use smb
what module is this related to?
active directory intro
ya thats great but i cant find what command i should use instead
take out the -L from smbclient
i ruined my future self 😭
-L Lists the shares then exits
no yeah i did that that doesnt work
in order to connect to a share you need to specify a share
ive tried a bunch of other listed wildcards or whatever theyre called
ic
btw this is the overview of the module you're on
surprised not to see Footprinting or Common Services on there but i can see why not
okay yeah i dont think smb is helping
i did get in but i dont think theres anything in there
what share did you attempt connecting to out of curiosity?
all of them, but only IPC$ actually let me connect
yeah IPC isn't gonna lead anywhere
the other ones were just permission denied
¯_(ツ)_/¯
awesome module
not sure what your issue is, could be a technical issue on the lab end
but the only way to verify is to chat support
and not select the Content Guidance
i also suggest resetting the lab, changing vpn regions
¯_(ツ)_/¯
Ok
hi! im about to start the Documentation & Reporting assignment at the end of the module. Can i do it blindly as a way to practice my skill instead of following the incomplete report? i mean doing my own report... or should i do it the right way?
you can do it with your own report, but the AEN module is the one people recommend to do blind
id go through that one the right way and take Attacking Enterprise Networks blindly
that's the one that will actually test you better
cool!
Sorry i can't get the token. As stated in the lesson, I expect a reset token from the mail that the admin receives. But I cannot understand why this does not arrive.
Hi all, I am stuck on MODULE: Whitebox Attacks - SECTION: Skills Assessment. I can login as larry, but cannot go further. Somebody suggested to look for a race condition, but I can't find anything working. Any hint would be very appreciated. Thanks a lot!
look at the cheatsheet and use the provided x-headers to overwrite the host, when the app uses one of those headers to construct the pw reset link it will send the admin a "wrong" url
That's exactly what I did. I cannot use the host header directly as this is used by the CDN to forward the request. I have also tried the other headers discussed in the module. But nothing lands on my server
you are using the interact.sh that is provided right?
Hey. Sup
yes. interactsh.local:PORT/log. There are logs if i use the interactsh address in the host header
I think you need to drop the port, the port is just for you, not the admin
Am I good now?
Yes 🙌 come join us in #general if you wanna chat
I have some serious stuff to ask. I've been trying to figure it out since yesterday.
I'll try it out
State the name of the module and section and be enlightened 😅
How to do the firewall IDs ips evasion medium lab.
Firewall and IDS/IPS Evasion - Medium Lab
This one.
It's so difficult, I had to join their discord just to get this 🥲😭.
let me know if thats not it and i start up the lab again
Man, some of these pages feel really long.
All of a sudden, it's so quiet here. Does someone know how to solve that. It's basic stuff. You guys must be super intelligent than that.
The question is: After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer.
Hello, Im doing Pivoting, tunneling and port forwarding module, in Remote/Reverse Port Forwarding with SSH, Im stuck in how to send the exploit to the windows target from the pivotHost, because I cant do it by RDP
Hello there
I am currently working on the "Using the Metasploit Framework " Module on the section: Session.
I already figured out the first two Flags. But now I should figure out how to become root. Is this a "privilege escalation" exercise, or should there be another way using Metasploit for that?
Doesn't msf have some privilege escalation modules?
Maybe a previous section shows you how you could do it via RDP?
for password attacks/network services question 3 ive logged with evil-winrm with ps i got user allowed to login with rdp but im not getting any hit password wise is my approach bad?
i'm in the Web Requests Module Section CRUD API.
A little side mission says "Exercise: Try adding a new city through the browser devtools, by using one of the Fetch POST requests you used in the previous section."
But there's no way to trigger a POST request since there is no search function in this target box. Should I just move on?
or is there some way to trigger a POST request
There are browser extensions that can do it or use something like burp or curl
Reducing the number of users to run the attack against is a wise approach.
im running it on a single user
i checked who had rdp access as i said but im not getting hit on that user
net localgroup "Remote Desktop Users"
Maybe try to run the attack against a different service and not the remote one you identified?
You can DM if you don't get anywhere with that nudge.
Probably an other one and not the "Using the Metasploit framework one". But I guess, since its a Metasploit Module, it will be sure some priv esc with Metasploit and not something like linpeas.... So it looks like I answered my question myself. Thx for the help anyways ❤️
argh im a dumbass should have tried same user on another service got the hit instantly
Well, anything msf can do, can be done manually anyway
Nah it's easy to get sucked in by what a question is asking. It happens.
If you still can't get through this, you can DM.
I'm working on the Server side attack module final assessment and there is an SSTI vulnerability. I did URL-encode my payload but it did not work. After several attempts I finally went to the solution and copied the URL-encoded payload from there, and it works!
No it's my issue or it's the lab issue?
I'd honestly have to see what you're talking about to give you my opinion. You can DM if you'd like.
If I look at the ls output, everything seems fine? Am I blind? Or is this a bug?
Ah nevermind.... it asks for the file name, not the full path 😆
@gigostack @gigostack @rain mountain
Please don't just ping any user without context
☝️
yup
If you are a complete beginner. Can you learn all you need to learn to be able to complete the CTFs without any additional outside learning sources? Honest question.
Yep, mostly... thing is hacking is a mindset, not just about knowledge
you're always going to need external sources since it's impossible to know everything about everything you encounter
srry what was it that you changed here?
I just mean to be able to complete the CTFs challenges?
Same sentiment...
Is it mostly or all I would need to learn? Who has an all in one option? The level I want to be is to complete the hardest CTFs. That’s it. Not looking for a job in cybersecurity
No one has an AIO option, CTFs vary wayy too much for that
you can't
What was wrong with your path? got the same error
what does aio mean?
Understand. Where else is good to learn? What about THM with HTB? Is that enough knowledge to gain?
HTB is considered more intensive than THM, and there's always new modules being released
True
hi guys question on the 2million machine, i just started but every time im going to register and use that creds, it wont work, i just registered 3 different account, it still prompt the "User not found"
@lusty thicket @quartz lagoon guys! Alhamdulillah, I solved it, finally! Thank a bunch for your help guys! Really really means alot, I was stuck in there for days!
Hunting Evil with Sigma (Splunk Edition)
Using sigmac translate the "C:\Rules\sigma\file_event_win_app_dropping_archive.yml" Sigma rule into the equivalent Splunk search. Then, navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and submit the Splunk search sigmac provided. Enter the TargetFilename value of the returned event as your answer.
hi dont know how please
regards
What part?
Please, I have been in this problem 2 days, Im doing Pivoting, tunneling and port forwarding module, in Remote/Reverse Port Forwarding with SSH, Im stuck in how to send the exploit to the windows target from the pivotHost, because I cant do it by RDP
the last
i make my sigmac target image
but in splunk research i have problem
that does not narrow it down
no response during the research on splunk searcher
i have this
Looks fine, but you should remove the message since its a tiny spoiler
Did you adjust the timeframe in your search?
yeah i make all time
you can dm me a screenshot of the search and I'll have a look
yeah
you can RDP onto the target, right ?
as described in the section before
I cant, when I use xfreerdp from the pivot ubuntu machine to the windows machine, it says that xfreerdp need to be installed
did you finish the section before ? How did you answer the last question ?
Yes! I used xfreerdp to get remote access to the windows machine, and the flag was in a "Flag.txt"
so why not do that again ?
Because, I cant get access from my machine, I need to use the pivot machine
why ?
the scenario is exactly the same, they are the same machines in these sections
Hi there,
I am on Beyond this Module of Pivoting, Tunneling, and Port Forwarding. There is a link that seems to be broken. When I click on "Containers and Pivoting" I am redirected to Tracks but there is no Containers and Pivoting Track. Does anyone have an idea if there is a track where I can practice my tunneling skills?
Because the Windows host doesn't have any direct connection to the network where I am
neither did it have it in the section before, but that didn't stop you
This is what appears, [04:23:04:850] [16130:16131] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[04:23:04:850] [16130:16131] [ERROR][com.freerdp.core] - failed to connect to 172.16.5.19
pause for a second
in the previous section, you had this setup, yeah ?
your machine, 10.x IP ------> 10.x IP pivot 172.x IP --------> 172.x IP windoze
10.x IP <------ 10.x IP pivot 172.x IP <-------- 172.x IP windows, Yes, thats the previous
not sure why you took the time to invert the arrows, but sure, doesn't matter. Ok
so you followed the section to be able to RDP from your 10.x IP machine to the 172.x IP windoze, right ?
Yes
ok, now in the new section, we have exactly the same setup, right ? (Notice that even the spawned machine is the same if you browse between the (at least) two sections)
10.x IP <------ 10.x IP pivot 172.x IP <-------- 172.x IP windows
Yes I have it
so why can't you RDP to the windows machine the same way ? Did you try ?
Yes, I tried and that what appears :c
you tried exactly the same technique as shown in the previous section ?
you can DM details if you'd like, but I just did it
Perfect I DM
congrats !
Hey, im having doubts in the 3rd exercise of this section, from the Splunk module. https://academy.hackthebox.com/module/218/section/2356
I believe I did everything right and user the right SPL query, but still cant do it.
Hi, I am having problems with the section MSSQL in the footprinting module https://academy.hackthebox.com/module/112/section/1246
The last question is "Connect to the MSSQL instance running on the target using the account (backdoor:Password1), then list the non-default database present on the server"
I can connect using the done credentials backdoor:Password1 but when I try to list the databases I get no results, I am using this query: "select * from sys.databases"
Anyone who can guide me if I am doing something wrong or there's a reason I am getting no answers?
Thanks in advance
HTB Credential Hunting - Can't Find the Correct Password File
Hi everyone,
I'm currently working on the Credential Hunting section of the HTB Windows Privilege Escalation module, where I need to search the file system for a file containing a password and submit it as my answer.
I searched for common password-related keywords inside files using:
"findstr /SIM /C:"password" C:*.txt C:*.ini C:*.cfg C:*.config C:*.xml"
This returned some results, but none of the passwords worked when submitted.
Someone have any clue or can help me with it?
Can someone help me for DACL Attacks I : Skill assessment question 3. Find the credentials to connect via RDP to WS01 and submit the flag in the Administrator's desktop as the answer. Use port 13389 to connect to WS01. I was able to get rdp to the PC and found some interesting files, but nothing seems to work. Any hints on what to do from here?
i'm on host2 of the Final Engagement https://academy.hackthebox.com/module/115/section/1139
do i need to import that .rb file? i can apply the 'use' function in msf and set my rhosts and ports in that exploit but am getting an error when running it
so i was wondering if that is the right ruby file i'm supposed to be using
@tranquil wren careful with the above, the server is rife with scammer bots. Please report if it's the case
thank you, i haven't gotten anything yet
have you tried adding a semi-colon at the end of your sql query?
select name from sys.databases; should do it (?)
Yes, I did
what command did you type to connect to the mssql server?
python3 mssqlclient.py backdoor:Password1@ip -windows-auth
hello, i am currently trying to familiarize myself with the windows os module. they ask me to rdp via bash to a windows os and then work from there in powershell
hello jeremy, what is actually your question?
sorry i have been invited for a pm session
i thought that meant i was in the wrong place to ask my question here
the problem is that it doesnt allow me to get to the windows vm via linux bash anymore
xfreerdp /v:10.129.201.57 /u:htb-student /p:Academy_WinFun!
this is the command i am using. i spawned the vm and then spawned the target
that's weird, maybe try python3 mssqlclient.py backdoor@ip -windows-auth and then enter the password manually?
place the password between ' '
like 'password'
alright ill give that a go
i am not able to do it
oke i am in now! but it feels like i didnt do anything different.. which is making me feel pretty confused atm
tried but still not working, I can connect, I can query, but I get no results.
I am trying to insert a picture to show you, but I can't figure out how to do it
on windows do WINDOWS+SHIFT+S to make screenshot that you can then paste here
but try to rerun the machine maybe it'll fix it cause your command should work i mean i'm pretty sure i did the same thing as you
it's weird maybe @fathom pendant can help
I have the image but I can't paste it here
thanks
try this : SELECT name FROM master.sys.databases;
same as before
other queries work?
if I do enum_db; or for exemple select * from master.sys.databases; I get no results as well
try to add GO at the end of your query, like : SELECT name FROM master.sys.databases; GO
i really hope this works lol i gotta go
if nothing works maybe just restart the target machine and if that still doesn't work i hope more qualified people here can help!
<@&861185840277487616>
don't click the above
instead of python3 /path/to/mssqlclient.py , you may have impacket-mssqlclient, give it a try
syntax is otherwise the same: impacket-mssqlclient backdoor@10.129.201.136 -windows-auth
@ocean night someone acted already, another scam bot
sure thing
whats the module
Nmap
Firewall and IDs IPS evasion hard lab.
I found this helpful query in the community help zone : Also the answer isn't on port 53 for the hard lab. Specifically read the proxy subsection under ids/ips evasion section it gives you the flags. You do not need to do anything too fancy. (Note the example gives you a port, just do it with -p-)
have you found the port needed?
I don't know. I got a few ports.
Don't really know whether it's the right one or not.
I'm on Windows Privilege Escalation Skills Assessment - Part II, Question 3. I've got a SYSTEM shell but I can't seem to dump any hashes with Mimikatz, getting an error when I try "privilege::debug". Is this the right approach? Thanks.
You know what, when I finally got the opportunity who could help me. Now I'm in a position where I can't help myself
😭 I'm so f up.
what error
you can dump hashes in others ways too
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061. It's strange, since I have SYSTEM. Thank you, I have found a solution.
Hey you know what. It even got worse. Now I can't even find even one port.
is privilege::debug needed for lsadump::sam with mimikatz? cant remember
I think it's the same bug again with my VM.
did you run a scan just like the module showed?
Yeah I guess. I'm doing the scan as I was doing it previously and I found many ports open before.
Ah, it appears not. Perhaps my notes are old lol. Thanks
is pwnbox only useable for 2hrs per use or in general
on the main platform it's only two hours for the lifetime of your account
for academy you get one spawn per day on a free account/if you haven't spent money
yep
https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn
https://help.hackthebox.com/en/articles/5185687-introduction-to-lab-access
@lunar egret what does that have to do with htb academy?
Sorry, posted in wrong channel
did the nmap command for hostname discovery work for you?
I got the hostname by running nmap against the ldap service, but the ms-sql checks are all saying script execution failed
debug mode shows the same error as here: https://www.reddit.com/r/hackthebox/comments/147z3ek/mssql_footprinting_module_not_working_with_nmap/
needed to patch my mssql.lua file like stated here: https://github.com/nmap/nmap/issues/2622
Describe the bug The ms-sql-info NSE script fails to run: Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 10:50 CET Nmap scan report for localhost (127.0.0.1) Host is up (0.000078s latency). ...
I use pwnbox with nmap 7.94SVN
i didn't run ms-sql*
i just ran the listed commands from the section iirc
since there's a bunch of other ms-sql scripts on nmap
me too, got this issue on every ms-sql script i tried
hmm.. i wonder why the auxiliary module of metasploit didnt work either... @fathom pendant did it work for you?
lol, now its working
Needing a little nudge here, in the final assessment, host2, can just use the .rb file in msfconsole i found using ||'locate 50064.rb||' and then '||use 50064.rb||' or do I need to do something to alter the file. Besides of course, setting the rhosts, lport etc? https://academy.hackthebox.com/module/115/section/1139
If you are on the provided foothold, it should already be on there.
You can DM.
yes i can select it for you use in msfconsole
you can just use it
Thank you, I must be doing something wrong then
Not shown: 997 closed udp ports (port-unreach), 993 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
50000/tcp filtered ibm-db2
68/udp open|filtered dhcpc
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
hello
im new, im still learning hacking
oh sry
That’s illegal
he's my friend
Hey guys, does anybody have experience in configuring sysmon rules?
Either way, read #rules and the channel description. This channel is for help with academy modules only
Mb, thanks
why do u sound like a 40yr old guy whos the admin, chill out man
have fun with life
I’m doing Kerberos attacks and a couple of the modules call for tools that are not on pwnbox I.e. kerbrute. Is there any fix for this?
I know someone will comment that I should just use my own vm. I’m at work and must use the pwnbox.
Does your pwnbox not have the ability to reach websites?
Ah thank you! I felt a lot more constrained than what I was. I appreciate it
Hi all, for the windows priv esc module, on the Server Operators section, I followed the instructions as is, I can see that I am added to the local administrators group, but I cannot open the flag file. I've tried logging in and out and using the file explorer as suggested here in discord. I've also tried cracking the hashes returned from running impacket-secretsdump with no luck. Can some one give me a nudge?
in directory and file fuzzing modules i use this command to find the hidden directory (ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://94.237.54.208:41739/webfuzzing_hidden_path/FUZZ ) after i use (ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://94.237.54.208:41739/webfuzzing_hidden_path/FUZZ.html -e .php,.html,.txt,.bak,.js -v ) then curl the link curl http://94.237.54.208:41739/webfuzzing_hidden_path/FUZZ.html but it does not show me flag, can anyone help me to find the error here
https://academy.hackthebox.com/module/280/section/3129 that is the module link
when you say you've tried logging out and back in, what exactly did you try ?
Just browse to www.darkweb.com and you’re in
Hello
Damn
the secret knock is the usual, "toc toc-toc toc-toc... toc toc"
Someone plz help
You already got help in the channel you forwarded your message from
Also a good place to start is google.com
lol them kids nowadays just want to hop on the dark with no OPSEC skills, Jesus lmao
That was just the nudge I needed, I was just closing the rdp connection and reconnecting but after restarting the server through the start menu I was able to access the flag after the machine came back up. I appreciate it 🙂
glad it helped :) Yep, learned it the hard way just today
Hi I'm new are you good at hacking? I have read the rules and I know that requests cannot be made
please also read #welcome. Follow the verification process so you can unlock more channels
Can anyone tell me the profits of clearing CBBH exam ?
A certificate
What will i get in real world after achieving this certificate?
whatever the universe has in store for you
you can order a physical cert and t-shirt
Ok
other than that, it depends
And anything else
some jobs may have it on their reqs ¯_(ツ)_/¯
Ok
but no cert necessarily "gives you" anything in the "real world"
Okay
depends on the job market in your area
So it will just improve my skills and my reputation
for instance in the ME, CEH is king
whereas in most of the rest of the world CEH is laughed at for being way below par of its peers
Does this certificate help me in getting private programs that do bug hunting
¯_(ツ)_/¯
I have been scammed can anyone help me
no
Any reply plz ?
most of the time getting into a private program involves actually displaying skills such as having a decent profile on hackerone
Contact law enforcement
dude you just asked, have a little bit of patience
Sorry 🙏
if you can't wait a few minutes for a reply, hacking isn't for you
🥲 i will try my best
just realised you restarted the server - you could also use logoff on the cli to do a proper log-off and back on
Law enforcement is your only option
Anyone here claiming otherwise is trying to scam you too
there's also using the start menu and logging off
Back to the future?
