#modules
no, i'm pretty old lol
Authenticate to (ip:port) with user "admin" and password "admin"
- 2 The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what is the request it is sending when we search, and use cURL to search for 'flag' and obtain the flag.
Is there something I can do to resolve the error?
Bug bounty path module 1 "http methods, GET"
What kind of error are you getting?
I'm reattempting and I think I may have misunderstood the question; though it does have a new part saying that the exercise is broken
Are you doing Web Requests?
I'm on bug bounty http fundamentals, doing http method get
My bad, one second
CWEE - Whitebox Attacks - Skills Assessment
Hi guys, did someone manage to find how to get the hash merged with the salt for the user Larry?
If anyone can give me a hint I'd really appreciate it.
Thanks everyone.
Reread the question. The lab isn't broken, there is a feature that is sending back incorrect information
I misunderstood it and didn't realize that was an intentional feature, almost got it
Thanks
Please dont forget me
don't reveal information about a skill assessment environment
What's the section link?
consider anything you find for a skill assessment as a potential spoiler, since you had to dig for the upload file location, it's a spoiler
also consider that the web server is basically in the UK, so adjust for timezones
Yeah, seems like they took that track out
I remember seeing it, but I can't find it now
Do you know how can I practice my tunneling skills??
just practice on the pivoting module sections with different tools
^
i practiced double hops with ligolo-ng on the socksoverrdp section
the environment/module doesn't really care what tool you use
Also, try to find some blogs about pivoting, double pivoting as keywords.
so long as you successfully do it
Hello guys sorry to cut you short I'm running through a problem and I can't seem to fix it, I'm new to this.
When I run
nc -lnvp 9001 and open browser nothing happens and I'm connected to the VPN, I don't know what I'm missing or need to do please help
Nice guys
what module
Alert
So you’re doing a box. Please carry this issue over to #boxes
It's saying I don't have access
you don't say
Okay on it
awesome!
I'm in much appreciated
Attacking enterprise networks
Lateral movement
apparently the domains are different, INLANEFREIGHT Administrator has access, however my domain is: ACADEMY-AEN-MS01
don't share screenshots of module content above tier0
I added the account to the administrators group, however I still can not navigate to the admin folders.
Nevermind
log out and back in
no as in log out and then log back in
I will read around forums, been stuck for about an hour already, tried interaction with UAC and ways to bypass it
Ahh okay will do
closing rdp != logging out
Well, I typed logoff in cmd and then logged back in.
No result whatsoever, will read around forums and will get back.
Trying with gpupdate
try
runas /user:<username> cmd
to open up a new terminal
and see if ur permissions work in the new session
DMs
Nmap. Why is it showing this error in every ip???
Probably because of connection issues, try swapping VPN to TCP
Hi all, I'm stuck for about 2 hours on this one - Windows Privilege Escalation on 'Other Files'. Sticky Notes it's not showing anything. Not able to find anything with 'bob_adm' string
OMG, just resolved.. was logged in as another user
this lab it's misleading haha
Does anyone have problems with proxying nmap through burp
Why…
Not seeing the requests in burp history
why would you do that tho
It's a part of the web proxy module
Did you set the proxy up correctly?
Yea, it works with curl and metasploit but not with nmap
reload burp
Still not working, I've been on this for about an hour, just gonna skip it
--proxies maybe?
burp doesn't proxy raw tcp packets
But it'd really only work if you used http scripts
nse scripts that support them
anyone managed to use ligolo for AD skills assessment 2?
my current network is as such
kali -> attack box -> foothold
attackbox runs ligolo client while kali runs ligolo server. I have trouble transferring huge files via http like sharphound to foothold.
I was looking into using smb server to do it but i can't seem to configure ligolo server to add a listener on attack box port 445 to my kali 445
If you use rdp to access the foothold, /drive:
If winrm is running evil-winrm has an upload/download function
Sometimes windows doesn't like smb that is unauthenticated, so you'd run the share with a dummy user:pass
With ligolo server/proxy you'd need to run with sudo to bind ports < 1024
That's what I was thinking layer 8 vs layer 4
layer 8 is user layer usually said in jest about user error
cleared with @jolly cradle
Looking to get help with understanding and moving forward with the Pentester path and need help with things here and there? I'm offering a paid program to assist with getting through the course, no guarantees of passing the cert exam.
As a brief note - this mentor/tutor program is about learning so:
- No direct answers
- More direct hints and help with solutions so that you can understand it better
- scheduling 1on1 sessions via vc
for info DM me
Can confirm
Hate to ask but ^
friends and family discount 2x cost 
yea i see now
awesome
hey guys if I am already on silver annual can I still get a monthly platinum sub ?
or do I have to let it run out first ?
because I do not see any option on the academy platform to subscribe to monthly platinum
You can only subscribe to one plan at a time
Good morning, I've been enjoying learning the fundamentals on the academy so far. Do I need to also learn programming for the more advanced modules?
If you follow a path it's got all you need
Okay, so it's not required? I have just been doing the basic modules so far.
The module authors always encourage you to go deeper and research on your own on topics,
good to know, but sad to hear it, thanks mate
programming can help you build your own basic tools
Good to know, thanks. If I decided to learn basics is it Python?
Yes I figured, Python is mentioned time to time on the basic modules. That's why I asked. Thank you!
Hello guys I have a very specific question if anyone knows his business please dm me
Crystal ball broken @fathom pendant ?
it's a bit fogged up
damn, mine is shattered to 1000000 pieces
my orb has been pondered too long, need to go put it in one of those bowling ball cleaners

considering my recent project getting things set up; the pondering has been too long
I'm sure you will be alright 🍀
now i just wait 
Hello, I'm reading "Windows Privilege Escalation Skills Assessment - Part I" "Find the password for the ldapadmin account somewhere on the system." need help with this question nothing seems to work i have tried "RoguePotato.exe, PrintSpoofer64.exe, LaZagne.exe, JuicyPotato.exe" all of them but no user with "SYSTEM" rights via "nc"
Try a Metasploit module (search for "Juicy").
Also, you need to figure out a valid CLSID for this one:
A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.
In the module another way (method) of taking advantage of that privilege was shown, if the potatoes don't work, try the other one
Why are the exploits for this particular priv called potatoes anyway?
Can't recall, but I assume it is due to just finding it humorous, probably following the same naming approach with the DirtyCow exploits etc
hahah, I asked chatgpt the same thing the other day. I thought it had something to do with plugging glasses and mustaches on Mr Potatohead, given the "impersonation" angle. The bot thought I was cute for thinking that
Hey! I think something went wrong with my target? It's the "getting started" module and "nibbles" section. I was able to get the reverse shell from my target but when I tried again It's not happening. If I try to execute the php script by opening the URL on browser it will not open it's loading the page forever and nothing happens using curl?? Help
It worked before, not anymore.
Stop the loading and reload the url?
And make sure nc is listening
Already did that
With revshells it will be stuck loading
As it's connected to your system to execute the payload
Did you check your listener to see if it connected?
Do you have multiple vpns running?
Are you running the vpn and pwnbox?
Well, it's fine. I couldn't make it work so I just reset the target and pwnbox.
¯_(ツ)_/¯
This has to be the most stupid exercise in the path. What's the point of a brute-forcing exercise if you're gonna throttle me to death?
Likely your networking settings throttling you
for some reason bridged networking bottlenecks you, NAT doesn't
I did that part yesterday, only took like 2 mins to get the pin
i think this makes modules much easier coz at first time it was a nightmare for me to solve this module "information gathering"
I could do it through the htb pwnbox, I located the mssqlclient and made the connection and when I did the queries I got the answer.
But I don't understand why I couldn't get it from my VM, I downloaded the script "https://github.com/fortra/impacket/blob/master/examples/mssqlclient.py" and run it and I could enter but getting no results
I suggest not sharing flags
it don't matter these flags are expired
But yes information gathering module updated, so the flags don't match up in some sections
Also where are you getting the flags from? Since it's a tier 2 module
If it's the official writeup included with an annual sub, reach out to support
If it's some medium blog, then that's breaking ToS
coz i solved them 1 year ago
no one in the world use light mode for htb except me
something is not adding up on the module Security Monitoring & SIEM Fundamentals/SIEM Visualization Example 4 , like a mistake, who do i report it to ?
Ah ok. Same, I recently redid them and saved the new flags in my notes
You can't change/update answers to sections you've already completed even if the answers no longer line up
i wish i could reset them and do it again
Reach out to support
okay
so it only happens to information modules or with every module
Iirc someone made an extension a while ago for firefox i think and shared in #resources-tools or #community-content
When they update modules, the answer key matrix doesn't update, the page name stays and endpoint stays so it doesn't clear the answers
Cheers everyone 🙂 Very quick question: I just enrolled for the Pen-Tester path and got the welcome-mail. That mail says, the path and certification are meant to bring you from beginner to intermediate Pentester. Did I miss something or is there also a path + certification for BEGINNER pentester? 😄
even after 1.5 year or some u still active here
Nope
But as someone who knew nothing at the start, the path teaches plenty
ahh, okay, thanks 😄
If you have 0 infosec knowledge, the information Security Foundations path is the pre-requisite
i really see that, but the gap / path length from 0 to intermediate feels ... a bit demotivatingly long 😄
It goes through
- networking
- os basics (windows, linux)
- command line basics
oh, okay, thanks. That one I have already completed^^". but i see that this could be considered a beginner path, yes 🙂
(just no beginner cert then)
no shortcut
Pentesting isn't beginner Cybersecurity
While the info is dense: there are practical labs to help reinforce the reading
fair enough, but is there a beginner CS cert then? (i think I've had a similar discussion about this already, sorry^^)
how about web app sec path
You need to know web apps before securing them
i dont want to have a shortcut, I'm looking for a "auto-save" at beginner level 😉
CompTIA Security+
It's a multiple choice theory based exam
u mean dev part?
Just an understanding of the framework
hmm , i thought u meant u have to be a full dev first
Thanks! 🙂 I took a look at that one, but just theory / multiple choice did really feel a LOT less valuable. Hmm. Looks like the OffSec OSCC is the only practical beginner cert currently. Maybe due to a reason ^^"
Okay, I'll continue the pentester path then 🙂 I just thought I'm skipping something here. Thank you all!
I mean being a full dev wouldn't hurt
Trust me, the path teaches you from the bare minimum.
It's why methodologies like footprinting are early on in the path
people who study for full stack end up getting for frontend first
*typically
But I'm not saying you have to, a knowledge of the code framework in use, like php, can be just as useful
you still learning or working now
Well I'm not working, hoping to get clients at some point
Thanks again 🙂 The courses looked very "beginner-ish" thats why I was confused about the mail telling me the path is "for getting from beginner to intermediate". I'm not working in this field, but I still want to build some good understanding and (ideally) some proof. Regarding the understanding, I'm convinced, HTB has the best content to get there. As for the proof I'm not sure whether CPTS cert is the right for me or whether it's "taking things too far" for someone who wants to widen his horizon 😅
As someone who went through the CBBH path with no prior experience in web testing. I learned a lot
I really believe that^^"
because it does get you to an intermediate level; the advanced level stuff (like maldev, BYOVD (bring your own vulnerable driver), Evasion) isn't included
Hello i need help with attacking common applications module, section Discovering and enumerating WordPress, I'm trying to find the plugin (3 worded) but i've gathered 3 that did not work, i've enumerated using curl, all the different pages, done wpscan with aggressive mode but still nothing, tried logging in the admin panel to retrieve the plugins from there, still nothing, can someone help me please? this lab is not properly working
if even the admin panel is not showing the plugin in question then this lab might not be setup correctly or has stopped working as intended
losing my mind here... can't enable selinux. it's installed properly, changed the config file (enforcing, default/targeted), the grub file is also configured (quiet splash selinux=1 security=selinux) and more... tried in VM and pwnbox
question regarding .rhosts File:
The internet says it has to be like <hostname> <username> but the academy says its the other way around <username> <ip address> is this a mistake in the academy?
manpage of rhosts: https://man.cx/rhosts(5)
screen from academy
Can someone give me a clue on what the operating system is in the IDS/IPS evasion lab - easy, I believe I have found the answer, but no matter what format I put my answer in, it's giving an error message.
I used the format: [A-Z]{1}[a-z]+
Not sure if it covered fuzzing, but you can likely identify it with the right wordlist.
Thanks
if you're using pwnbox the SELINUX stuff won't really start up because when you reset the pwnbox it clears it
Hello. I'm stuck on the 'Footprinting Lab - Medium' skills assessment. I've made it onto the target box with the RDP client and am attempting to open the mssql server management studio as administrator (based on the hint, right click run as admin) and its asking for admin credentials to do so. have i forgotten / missed something?
Take a look around the system. Maybe you'll find some data.
will do
there's an important file to look for
i have the SA creds (if thats what you are referring to)
you figured out the outside the box thinking huh
hahaha yeah. part of doing the modules is trying to foster a new mindset. will get there - one facepalm at a time
Well, users are lazy. They like to use the same passwords everywhere 😉
and then some
i've heard admins are lazier
#welcome explains what the server is for
Oh okay
I have a question can I ask in dms
ask it here
#rules that's illegal dumbass
It about discord account
No you don't have gett it
<@&861185840277487616>
About how I can protect my account from hackers
we cannot/will not hack a discord account/server for you
don't click on suspicious links and don't sign in to unverified 3rd party apps
basic rules of the internet
Don't download cracked/pirated software or media. Don't click on the game demos sent in DMs. Don't join sketchy discords and scan QR codes to verify your account, etc.
if a server has you go to a third-party website trust it with a grain of salt
I am lost brothers need help
habibi what is the problem
Help with what?
ooohhh shiney
do you need a map and a compass?
I don't know what to study or do 😭
that's not something we can really help with lmao
pick something that interests you, and study it
¯_(ツ)_/¯
it's how i stumbled onto HTB
i was interested in hacking, and found HTB
Choose a module in the Academy and learn
have a look at the 'paths' in the htb academy -
now i've completed the pentester path and am offering (paid) services to help others through the path
Oh oki 👍
Yeah i know that already but what if hacker have the access through your old email can he still change it?
Potentially yes assuming that email is still tied to your discord account.
not sure if this is the best place to ask, but I'm currently working through the Windows "Finding Evil" module, and learned about how to detect DLL hijacking using Sysmon with the calc.exe example.
What I don't get; how on earth would an Analyst (Blue Team) ever get the idea to look for Event ID 7, and specifically the calc.exe and one instance of an unusual because unsigned and oddly located (malicious) dll file?
In this scenario, would we assume that a user reported the odd behaviour of the calculator app at least?
Omg
How to stop that
I put passkey also
Please help
What I need to do
something triggers them to investigate
nobody's going through sysmon logs for fun
Don't let an attacker have access to your email. And if they have that, that's your first priority to get that out of. It's also not really on topic for this channel. You can send me a DM if you wish. ¯_(ツ)_/¯
lol, ok, thanks! Yeah I mean, I'm super slow anyway as a beginner, but it still seems oddly specific, not something I see anyone checking frequently.
So like "hey, whenever I open the calculator, I get this weird popup / my computer starts smoking", something like that?
@urban sage sir can I dm you please
```
.\SharpHound.exe -c All --zipfilename ILFREIGHT
2025-02-11T10:17:38.5109835-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2025-02-11T10:17:38.5266107-08:00|INFORMATION|Initializing SharpHound at 10:17 AM on 2/11/2025
2025-02-11T10:18:02.6047472-08:00|ERROR|Unable to connect to LDAP, verify your credentials
```
Module:Ad-Enum-Attacks , section:Privileged Access
yeah maybe it's part of a bigger investigation but it's usually detected by edrs/siem first
gotcha, thanks for the feedback!
In my previous job I've scrolled through log files a lot, though admittedly industrial machines produce less volume in a pre-compiled log, it does take some time to get a sense for logs and what to look for 🙂
i guess you would be looking for known indicators then rather than randomly scrolling in hopes of divine inspiration
@prisma flume reset password, enable 2FA, sign out others on the services. Check the service documentation.
did you check if your user has proper perms for ldap queries?
This is a channel for discussion of Hack The Box Academy Modules
Please move to a more appropriate channel @prisma flume
Oh okay thanks youu
Wait sign out others on the services what that ?
```
PS C:\tools> whoami
inlanefreight\htb-student
```
Ig this account has the necessary permissions
Speak with support, or move to a more appropriate channel
Oh okay
I also tried from the linux attack box
```
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
```
it seems there is an issue with ldap
get-aduser htb-student -properties * if this fails you don't have the perms
```
msf6 exploit(windows/local/ms16_075_reflection_juicy) > exploit
[*] Started reverse TCP handler on 10.10.xx.xxx:4444
[+] Target appears to be vulnerable (Windows Server 2016)
[*] Launching notepad to host the exploit...
[+] Process 2376 launched.
[*] Reflectively injecting the exploit DLL into 2376...
[*] Injecting exploit into 2376...
[*] Exploit injected. Injecting exploit configuration into 2376...
[*] Configuration injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/ms16_075_reflection_juicy) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: IIS APPPOOL\DefaultAppPool
```
I found the CLSID but it still failed pls help bro
```
389/tcp filtered ldap
636/tcp filtered ldapssl
```
ill have to reset ig
It didn't, but I also tried that when I was testing, and got me nowhere...
what seemingly was a dumb and easy section took me hours, without progress, I've given up this lab is broken.
I need someone to dm me the answer if he'd solved it. I practiced the content of that section going back and forth 3 times now? Lmao
You can DM. Won't give you the answer, but can likely give you some ideas.
OK will do
ok so, i have just checked the questions and i found them to be solved...
was i on something
but i swear they were getting flagged as incorrect
Hi am new here
Hey, any fix for [('SSL routines', '', 'no protocols available')] when relaying SMB over MSSQL? --no-http-server does not work for me. UPD: Fixed, just run as root with sudo su -
Hello I'm in the footprinting module for pop3 and imap, when i connect using openssl i don't get any response from server to my VM but the pwn box is working fine, any help?
are you running pwnbox at the same time?
you also need to log in in order to issue commands
no not at the same time, when i saw it hang i used pwn box
how am i to login without connecting first?
login where exactly
in another terminal ip a and see if you have multiple tun devices, or look in your openvpn log that should be running and see if it created a tunN device greater than 0
if so then you have multiple vpns running causing a conflict
otherwise i'd reach out to support
Need some help? Learn how to reach the support team on Academy.
I need to Send my ip ?
i am running express vpn on my windows machine because openvpn is banned in my country
¯_(ツ)_/¯
?
What do you want
clarity on your statement?
no one said to send your ip for anything?
<@&861185840277487616>
Does it have to be on linux ?
this isn't a hacker4hire server
what are you talking about
Thank you for pointing it out
Aint sending information hun
i'm not asking you to, and don't call me 'hun'
i'm just trying to figure out what you're on about
because your message literally came from nowhere about sending ip
lol
Accept me then
?
I cant talk in the chats
I cant type in general
Say that then
be less vague next time
ffs
how was i supposed to glean that you need help accessing general from "bro i'm not sending my ip"
anyone having my problem switching to tcp server instead of udp vpn fixed it
Ah good to know, I had the same problem before. Also had an issue on the mysql section where it was complaining about a self signed certificate so thought it was an ssl issue causing both!
any idea why bloodhound ce is so much worse than bloodhound legacy? I'm trying to use ce but the same built in queries return different results for no reason
hi guys I'm doing the Metasploit framework module and I'm wondering in the module section if you found a way to get the flag. i've got it with type and powershell Get-Content.
like were you able to find other ways than those? I tried to upload it with raven but it didn't work well
You likely missed something but I suggest avoiding spoiling the module as it's above t0
if someone know what's wrong
basically im able to have a normal session (so i can act, open shell etc...)
btw im trying this on a VM
Weird that it's setting the listener to 0.0.0.0 but that's whatever
What module is this for?
elevate privileges on windows, local_exploit_suggester told me that it can be used with the current machine
Thats not a module name
What academy module, do you mean the windows privilege escalation module?
oh yes im sorry
Try other exploits
i used many like uabhelper
Deleted your message as WPE is above tier 0
but many don't seem to work even if local_exploit_suggester told me it can work
which is weird
¯_(ツ)_/¯
No session typically means that it couldn't connect to your listener
Try specifying lhost as your tun0 ip
I'm running on nat so i better just use public ip
instead of interface cause tun0 will specify local ip
NOOOO crackstation.net is down
thank you
whats that on the left? i just cant access it with firefox
thanks g0blin
really explained it all well yk lmao
For all pages that you do not want to open in your browser
Noice
Hi, I am in the section Oracle TNS of the footprinting module https://academy.hackthebox.com/module/112/section/2117 and I could get the answer of question, using the user and password given along the section, but is that the right way? because when I run the odat.py all -s ip I don't get any credentials
well played!
Yes, I did the same. It doesn't give you creds as it expects you to use the ones from the example.
Quite common in many of the modules.
Good to know, thanks!
How was the AEN experience?
Congratulations, good luck if you're going for the exam!!
I'm currently working through the last question on /module/112/section/1069 which is find the FQDN of the host with the last octet of x.x.x.203
I've ran DNSenum and found several domains hosted on other hosts but can't find the x.x.x.203 host. the hint was to use other word lists, I have tried several of the lists located in /opt/useful/seclists/Discovery/DNS folder, as well as rockyou.txt. I'm assuming I'm overcomplicating and passing over something simple, can anyone offer a hint if they've recently done the same module?
Worth mentioning I've also done zone transfers to reveal IPs but x.x.x.203 isn't one of them.
You probably want to share the name and section of the module instead of the URL. Eg web attacks section X
Okay this is in the footprinting module/DNS section
You should be able to find it with dnsenum assuming the command and wordlist is correct.
I appreciate it I did try with that list, returned some results but not the host im looking for. however I will triple check to be sure. thanks!
I'm looking at my notes and that is what I used. Maybe the rest of the command is wrong.
What domain name are you running it against?
running against inlanefreight.htb
Run it against the domains you found doing a dns zone transfer
Do a dns zone transfer with dig against the main domain then run dns enum against the results. There is one that is more interesting than the others.
Thanks a lot, knew there had to be something small I was overlooking. that helped a lot 
congrats ❤️
which is a better tool for cracking FTP: medusa or hydra?
I need a recommendation because I am doing the Easy Lab for the Attacking Common Services Module and tried playing around with medusa and it isn't working.
Medusa and Hydra are pretty much the same tool
I haven't been through that module yet, however I usually use hydra for brute forcing.
why did medusa not work for me? I set it to try every username and password in the username and password list provided in resources and it gets to like the 79th password of the first user and then it throws a 550 error and quits
will hydra work better potentially?
was it an issue with the server?
I need to log into the server and get the flag and have found via nmap that FTP port is open and it is vulnerable to FTP attacks
it's vulnerable to ftp attacks
Hydra is better, Medusa has a lot of problems in my opinion
I've personally only used (known) about Hydra
ok so I will try hydra then
the module introduce me to both
Until Login Brute Force module
I think there's also a nmap script ftp-brute you can also use.
There is, but Hydra is a lot more powerful
is the module from cbbh if completed are also credited to the percentage of cpts?
completing overlapping modules will count progress toward their associated paths
so completing Login Brute Forcing will count progress toward Penetration Tester, Bug Bounty Hunter, Basic Toolset, etc. paths
Super stuck on http attacks assessment. Could anyone help with a nudge? I have bypassed waf via the hint, however I can't get a payload to work.
How do I use cURL to obtain the source code of a website and then filter all unique paths of the domain?
Does this have to do with a module?
Yes, I am stuck on the Linux Fundamentals Module. I wasn't sure which channel to post on for help.
I don't remember the module asking for that, can you share a screenshot here of the question?
Yes here it is.
Oh yah thats a tricky one
Using the filters mentioned:
curl https://www.inlanefreight.com > temp.txt && cat temp.txt | tr " " "\n" | cut -d"'" -f2 | cut -d'"' -f2 | grep www.inlanefreight.com | sort -u | wc -l
there's an easier way to do this but REGEX is the next module so...
said regex:
curl https://www.inlanefreight.com | grep -Eo "www.inlanefreight.com[^'\"]*" | sort -u | wc -l
i copied and pasted the forum answer that explains a lot of stuff a while back
but people don't like to use the search feature
Yeah I just looked for my prev message regarding it
Istg this question should be made easier somehow seeing as its in a fundamentals module
it should be placed after regex imho
Facts
they simplified/clarified the question, at least
Hekkin love regex golf though
I did try that. It was stuck on the curl command with the stopwatch going on.
just wait for it
I got this error:
curl: (28) Failed to connect to www.inlanefreight.com port 443 after 132769 ms: Couldn't connect to server
hello guys is there a way to encode the base64 into ascii hex code? its kinda hard to use zaproxy because the encoder is not complete
you can use the terminal for that
if they're on free pwnbox it's likely not connecting due to restrictions
Has anyone done the "Using CrackMapExec" module recently? I'm finding that most of the sections dealing with proxychains seem broken. I'm finding that certain applications (particularly python scripts) don't work over proxychains while other applications have no problem and I can pivot using them without issue.
Crackmapexec is outdated I'd recommend looking at the equivalent commands for netexec
Yea I had to use the latest nxc to fix one of my issues
Python script just fails to connect, I've tried several different scripts
Is the dc01 host in your hosts file under its internal ip add?
thank you, was stuck here too. this helped a lot
Try running proxychains with sudo
Yea, I have it there
😭 that worked.... Why did that work?
I've been banging my head for 4 hours on this
Cos networking things
Prolly some port open shenanigans
raw socket and port
also cme > t0 so spoiler
if you really wanna know; sudo strace <command> shows you the raw instructions
Tough☠️
Ty man
you were also reading the module, no?
Anyone can nudge me I'm having a little bit of hard time in skills assessment of web proxy I'm stuck in cookie bruteforcing
Sometimes when I was stuck, I did the ad part, lateral movement and PrivEsc on my own
i suggest reading up on the things you struggled with
Also a a part of the web exploitation
only one was something not taught
Infogathering did myself as well
Socks proxy on the post exploitation?
?
Can I pm you bro? I need some help in web proxy skill assessment
Yh, shoot a dm
everything past web was taught
one of the web related ones
Lemme see real quick
Send bro thank you so much
are you referring to the question about decoding?
anyone help me on - Linux Privilege Escalation > Miscellaneous Techniques
Error: ./shell: ./shell: cannot execute binary file
I switch to burpsuite I no longer use the zaproxy
Oh yeah, the weird html injection.
I put the 0 - Z on a payload together with the 31 characters then I select the cookie and then bruteforce after the result the flag still not showing
the process is the same, run the wordlist; re-encode in reverse order ¯_(ツ)_/¯
you also need to set the prefix to the decoded value
and you replace the WHOLE cookie
anyone ?
chill you just asked
i'm in lab
Is it okay to send a picture of payload here together with the processor option?
no, it's a module above tier 0
@upper ruin said they'll dm
my dms are currently only open to field clients that want to pay for tutoring/mentoring services for the pentester path
same
- writeup for each skills assessment in the path
i'm offering tutoring because why do for free what i can get paid for
Just gotta do AEN writeup.
Want my writeups?
no
Ok
Sounds good
my stuff is organized in a way that works for me
i just use obsidian to organize my stuff
.... anyone ??
1 sec
Oh man if I remember you didn't need a shell.
Just search a bit around the /var/nfs/general directory 👀
You can DM me if you're still stuck
Same
i got the flag but i'm trying to follow the module instruction
Oh.
shell isn't needed and you won't be able to do everything 100% of the time from examples
^
examples aren't always instructions
Especially in these few sections.
got it
Tbh I'd say they are a way of persistence.
same happened with logrotate section
it didn't work as planned
Any hint for the fuzzing module, recursive fuzzing flag.
just set a decent recursion depth of like 4-5
I set it to 10.
Logrotate is such a pain in...the head.
You have about 5 seconds to get the flag, so you gotta have script prepared.
it was too quick
i mean 10 would find it
just make sure you start from the right endpoint iirc it gives you an endpoint to start at
It just keeps on scanning, i scanned it for like 15 minutes.
make a cup of tea
Sure.
It's because it's searching depth first (instead of breadth-first)
can i ask why you sent a friend request?
sorry im not able to talk in gen idk why
not too much thought i wanted to know more about cyber sec
Read and follow #welcome
i have done like 3 box
ah well i'm only accepting dms for #modules message <-
they are the learning content on https://academy.hackthebox.com/
i tried to do my thing it did not work
- Path: a curated collection of modules that serve the overall goal of the path name
- Module: A set of labs and reading with the overall goal of understanding the module name
- Section: the individual pages/parts of a module with the goal of teaching a small part of the overall Module topic
i know it is not technically secure but if u want to hack my htb aacc go ahead
i mean link to discord
its okay
i know what i did
not smart to leak your account token dude
why
it's ok, he knows what he did
it's just general internet safety
they can if i cant im nice
and you can use it you're likely being dumb
did you run the /verify command in #bot-commands
yeah
i think what happened was i was muted 3 years ago
because i said something against the guidelines
/verify has the bot dm you
/identify <account identifier> runs it in the server
Question regarding hydra and virtual hosts. Is hydra "smart" enough to understand and attack a vhost when you point it to one, or do I need some extra syntax ?
for example
hydra -f -L users.txt -P passwords.txt support.example.com -s 80 http-post-form '/login.php:username=^USER^&password=^PASS^:F=Invalid'
if you point it to a subdomain/vhost it goes after that
include the correct headers and you're good
anyway; this channel is for module content not troubleshooting user error for not getting your account identifier working
what headers ?
the correct headers
if it's in their hosts file there's nothing to worry about
i'm not repeating what i stated earlier, i suggest reaching out to a moderator (shield icon) in dms
my bad u must be busy
im asking u as a human
bud
i explained what academy modules are
and how https://academy.hackthebox.com/ is laid out
if you were; then that's not my problem
nor is it anyone in the server's problem
sorry that happened to you, but being serious it's not anyone's business
@pseudo kiln if you replied you may have gotten caught up in the cleanup; sorry
aha yea seems to be, this was the reply anyway
login bruteforcing module. I am doing ||AEN blind||, there are many vhosts and I was wondering if hydra can understand a vhost when you point it to one, and as you said it seems to be handling it fine, thank you 🙏
ah, yeah
hydra sends the request with the header as specified (also if it's on default port 80, you don't even need to specify the port)
the http-post-form and stuff implies http
Hello! I've got a problem with the Windows Fundamentals module. I'm testing the connectivity from the Pwnbox terminal using smbclient, as instructed. I will get the following error message: "do_connect: Connection to 10.129.130.130 failed (Error NT_STATUS_IO_TIMEOUT)" Does someone know how to get it to work?
i believe there's a --timeout flag you can set to like 9000
I copied this command from the module: "smbclient -L SERVER_IP -U htb-student"
and assuming the 10.129.130.130 is the spawned target IP
Correct
did u add the thing to ur dns list
try:
- respawning target
- changing vpn region
- changing pwnbox region
reset and try again
any 1 or combination of those
make sure you're also not running the vpn on your own system
idc about general anymore
you never cared about general 😭🙏
Could you teach me the timeout flag? I will try that, thanks.
bro acting like she didnt click to view the message
-t flag
you can also access smb shares with your file manager in linux
it's what I use for smb stuff instead of smbclient unless I need to use smbclient
they'd need to know the sharenames to connect to 
you can list them in your file manager I believe
I tried this and got "uknown tar option" 😄
smb://ip
i also suggest this order instead:
smbclient -L -U 'USER' //ip
on some shells u need to escape the /
that's mb i trusted GPT on that one because i was being lazy
smbclient works with / you're thinking \\\\ (\\)
Guys, I'm getting even more confused. 😄
after all these years still mess up \/
I guess it's just broken.
@spiral sapphire
also make sure you're not running the vpn on your own system while using pwnbox
I'll try to respawn the target. Not running the vpn on my own system currently.
just wanted to make sure because that is a common issue people have with connectivity
Got it, I only have the vpn file on my VM if I'm running that. Since I'm running Pwnbox I don't have my VM launched.
👍
Again, with a new target!! "do_connect: Connection to 10.129.96.27 failed (Error NT_STATUS_IO_TIMEOUT)"
Hello I'm doing the section: Attacking Common Applications > PRTG Network Monitor.
I've managed to create the notification which created a user prtgadm1 with password Password123 and when I run the command:
nxc smb 10.129.201.50 -u 'prtgadm1' -p 'Password123'
It returns:
SMB 10.129.201.50 445 APP03 [+] APP03\prtgadm1:Password123
Which is a sign that the user has indeed been created. Now the section says to use psexec, wmiexec or evil-winrm, and I've tried each of them and they all seem to authenticate successfully, but don't yield a shell:
psexec.py prtgadm1@10.129.201.50
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Requesting shares on 10.129.201.50.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
Am I not running the wmiexec, psexec or evil-winrm commands correctly?
Try a different tool
help me on - Linux Privilege Escalation > Shared Libraries
issue is i'm getting this file - /usr/bin/openssl and payload not working with it
your user is not admin, as it should be
Sure, what tool?
Smbclient.py from impacket, there's also your file manager which should work for SMB
missing something there
try it fr
Ah yes you're right
Please leave if you're here to be annoying
Last warning!
Stop harassing other users. If you need help verifying your account, contact a mod of your choice via DM
anyone
starting to think we can get notifications of scammer bots by the use of capitalised "Mate"
do not open that "guide", @sinful narwhal
I tried again with the correct command and yet I still can't connect.
I get the same behavior, where the command succeeds in authenticating but doesn't give me a shell.
does netexec now show "(Pwnd!)" next to your user account ?
In my output no it doesn't, it just says:
[+] APP03\prtgadm2:Password123
ok, that means it still isn't a local admin. Something must still be off with your payload
the content is not crystal clear on this. Make sure you have the payload as described, and nothing more
can somebody tell the version of gitlab: https://academy.hackthebox.com/module/113/section/1216
In the question, I have found the version, but hackthebox is not accepting it
Go to /help
it is right channel to talk about modules right..?
It's the right channel yep
I literally mean to go <URL>/help
, its the first thing it tells you in the footprinting section
Error: ERROR: ld.so: object '/tmp/sell.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
help me
that where I am, from there I have sent the screen shot
Some libraries can't be manipulated depending on permissions
That is not the full version, are you logged in ?
no
It's looking for the full x.y.z version
I restarted lab 4 time everytime im getting same file - (root) NOPASSWD: /usr/bin/openssl
Also sell.so
You need to be logged in, Read the start of the footprinting section again.
Gtfobins can help with that
it's my exploit created by me
yes
Ah ok, not shell
i mean i compiled it and
I don't remember compiling a so file
no it was a C file
Well yes, you compile it into .so, it's been a hot minute
I just utilized gtfobins method instead of preload
Gtfobins explains how to use a shared object file
doing the same
Welp guys Idk what am I doing in CTF 😭
this channel is for help with https://academy.hackthebox.com modules not ctf
#1336347627452629033 <- for the CA CTF
Ok 👍
Introduction To Splunk & SPL
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes. Enter it as your answer.
i think have a correct request spl but i have no results
hey guys, am stuck at the intro to digital forensics skills assessment, question 1, I've used the Windows.System.VAD and tried to search in the results file for the process but it didn't seem to work. any hints please
Hi, i wonder how can i continue if i can't download Software Requirements since on the website i see there is technical issue with download
https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
{ HTTP ATTACKS -> HTTP RESPONSE SPLITTING }
Heyy friends, I figured out xss part and i try to send to /?admin but everytime i send it, it returns me the request for /?admin with empty log, really could use some help here T_T
mysql -h <host> -u <user> -p'<pass>' --skip-ssl-verify-server-cert
ERROR 2013 (HY000): Lost connection to server at 'handshake: reading initial communication packet', system error: 11
any idea what to do about this error ? It's through ligolo, typically the --skip flag solves it but not this time.... And the target does not have mysql binary installed so I can only check through the pivot
I've never received that error before. Are you able to remotely access that host and troubleshoot? Which module/section are you working on?
Read the file | parse the file, get the “name”:”value” | sort and remove duplicate, this will reduce a lot of noise
Is it in the same file with the “svchost.exe”?
||AEN, but looking again the subnet is not in scope, maybe that's why it's failing||
No idea, but it’s in the results folder
Appreciate it
Having the same problems this morning. The target machines are slow/inaccessible. Doesn't matter if I try to use nxc vs crackmapexec. Or if I use another way to proxy (ligolo instead of chisel/proxychains). I've tried 3 different VPNs too. 😦
I get that crackmapexec is outdated, but the module is required to do the CAPE exam so would be nice to be able to actually complete it. :/
Hello!
I'm currently finishing this module, however on the Skills Assessment I get stuck. I know where to try my injection, however I can't get any injection to work. I tried multiples but none worked.
If someone can help me?
Thanks a lot!
im stuck on https://academy.hackthebox.com/module/113/section/2164
ive followed the steps up until making the 'new' client, but im still getting a connection error and i dont know what is expected of me atm
does anyone know of a module that can be used to map a network?
Ok, how about VM, what seems to be the problem there? In config file it's set to enforcing and default, but when I command sestatus, I get disabled 🫠
I haven't messed with SElinux
This is for conversations about htb academy modules
Ok, thnx anyway. Maybe someone else can help me ✌️
Yeah, you dont get cubes, its an exercise… i dont know how much is selinux used “IRL”
It can be used quite a bit, it's just not necessary to set up
Then I want to practice. To begin with practice, I have to enable it first, right? Lol
Hey
Hello , are there any french guy to speak or explain me something
Regarding what?
<@&861185840277487616>
lol
Bypassing SElinux isn't covered like at all
Hello!
I'm currently finishing the Whitebox Pentesting 101: Command Injection, however on the Skills Assessment I get stuck. I know where to try my injection, however I can't get any injection to work. I tried multiples but none worked.
If someone can help me?
Thanks a lot!
Might wanna mention the module 😅
mb mb
Glyph cache, refresh the page
what do you need help with?
advice for progressing outside of hackthebox I have already done quite a few modules plz
Lots of research and practicing
has anyone ever had issues with getting a reverse shell through docker container ? like bind shells work, but not reverse shells
Docker containers may not have access to other networks. This means that a reverse shell is not possible either.
damn got to know, this docker thing makes it 100x harder
I could not escape docker or root it
you don't have to be root to get a revshell
you haven't set up networking properly
I did, I did this a million times, but this time when I do it through docker it does not work
use netcat or curl instead
yeah curl works, is how I downloaded ligolo agent
But then a reverse shell should also be possible.
from the container yes, not from the target near the container
however bind shell was possible on the target near the container
on ligolo I did listner -add 0.0.0.0:9002 --to 0.0.0.0:9002 --tcp which typically always works for me
i guess that means not all connections are blocked just some protocols/ports
Thank you, indeed I hadn't copied the payload correctly, I wasn't adding the user to the admin group. After that I did see the (Pwn3d!) next to the username.
Could someone help me please. I'm stuck on the Wi-Fi penetration testing basics: Airdecap-ng
What was your command?
token length exception would seem to indicate that you've selected the wrong mode or the hash is formatted wrong
sure, but what's your hashcat command
sudo hashcat -m 170 found-hash.txt /usr/share/wordlists/metasploit/ipmi_passwords.txt
I tried different password files
@burnt hill don't paste hashes; spoilers
170 isn't ipmi
sorry
170 is sha1 with utf16 little endian encoding
so, ipmi has its own type of hash?
correct the module i believe mentions the correct mode to use as well
yep did a quick search of the reading, and it is mentioned
in the module when using metasploit gets the user and the password in plain text, but when I run the ipmi_dumphashes I get the user in plain text and a hashed password
I tried to crack it with hashcat and John, but no success
Thats because the password isn't in the wordlist that hashcat uses
Flow should be
Given wordlist->rockyou
I used this one as well, but as you told me before, my mistake should be that I used 170 for sha1 instead of the ipmi one, but I don't know how to guess the number for ipmi
1; the module reading gave you the correct mode
2; example hashes on the hashcat wiki is your friend
Question about the module "Password Attacks", Section "Credential Hunting in Linux", at the Question, do they expect me to somehow "hack my way in" again? I mean they do not give creds.
Thanks a lot, as you said the code for hashcat was on the lecture, I was trying to grep the hashcat help but my mistake was writing in lowercase, so I was getting no results for the code, but with your help and re-reading the module I realized that, also the given wordlist was the clue
little nice-to-know: if you want grep to work non case-sensitive, use the -i parameter.
Hi, i have no clue how to continue on Ad module skill assessment 2 Q4, use a common method to obtain a weak credential...
I try everything i know but not working
did you spray?
I need to have a list of users right? to do that
kerbrute is your friend
Shameless bump: Question about the module "Password Attacks", Section "Credential Hunting in Linux", at the Question, do they expect me to somehow "hack my way in" again? I mean they do not give creds. The htb-student creds also don't work.
you need to hack your way in; this section needs a touch up since they don't hint at a user to start with
ftp is better to brute
thought so. sigh
Thank you for the feedback/hint.
though if you wanna speed up; the hint can help a lot
I meant the first feedback LOL. Back to "work". Thanks again.
The windows event logging basics. Trying to find another way to gain access to the event viewer logs without Windows 10 Pro. Anyone have a work around?
you can use powershell for this
or just rip those logs out of the filesystem
Please read the channel subject before sharing anything pertaining to modules.
I didn't even mention the module name 😢
that came off like more of a general ques
resolved!

Not seeing where I can view my favorite modules list...I must be going blind? 🙂
You should see it at the bottom of your dashboard, if you have a path enrolment active it'll be below that
got it. thanks!
Which module is this?
Why didn’t you just say that to begin with
But the thing is if you ping academy.htb it works. But if you ping admin.academy.Htb
No packet send or receive.
Did you add it under the same ip?
I was bypassing administration (SQL injection) 🙂
did you read the module before attempting the assessment?
I didn't add it anywhere. I just found this subdomain with fuzzing.
Then how tf do I know all this stuff. 😑
Did you add it to your hosts file?
The module gives you everything for the assessments or most of everything
It’s not a dns record
It says nowhere to add to host file or something
If it would've then I would've been struggling though. Make sense?
😳.
Is there not a vhost section?
Yes there's a vhost section
That's how I found the sub domain.
Ok then did you add the new subdomain to the hosts file?
But that doesn't make sense. 😑
did you read the second line of that section?
If I were to fuzz academy.htb and admin.academy.htb, it would be the same thing
Isn't it?
😑
Which second line
im actually confused tho, how did you do the vhost section?
Hiiii
I'm confused too. But I was able to find the flag though.
the second sentence
Web fuzzing is a critical technique that every penetration tester should master. Unlike traditional methods that rely on predictable inputs, fuzzing systematically explores the vast input space to uncover hidden vulnerabilities, often revealing weaknesses that would otherwise remain unnoticed.
second line from above?
I am stuck at the alert machine of htb and don't know what to do further can anyone help me
It would be a great help
Virtual hosting enables multiple websites or domains to be served from a single server or IP address.
I don't have access
Huh 😑
you're not there yet
But but but 🥲
Still no access buddy
No, I didn't skip.
Even I was discussing about even on a voice room with some one here.
I was confused about vhost
That person explained.
Explained well.
But I forgot or something.
.
Follow the instructions in #welcome to gain access
whatever will i do
careful, might need vhost knowledge for that 😭🙏
💀Btw command still not working for some reason.
did you add it to your hosts file?
Yeah.
show hosts file
Wait let me check.
" GNU nano 7.2 /etc/hosts
/etc/hosts: static lookup table for host names
#<ip-address> <hostname.domain.org> <hostname>
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
127.0.1.1 blackarch.localdomain blackarch
83.136.253.28 academy.htb
83.136.253.28 admin.academy.htb
End of file"
here it is
you can add em on the same line separated by a space
83.136.253.28 academy.htb admin.academy.htb
god damn it
Okay
Hey my thing still not working 😭
GNU nano 7.2 /etc/hosts
#
# /etc/hosts: static lookup table for host names
#
#<ip-address> <hostname.domain.org> <hostname>
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
127.0.1.1 blackarch.localdomain blackarch
83.136.253.28 academy.htb admin.academy.htb
# End of file
It's Workin
It looks good 🙂.
its ugly
>>> ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:58405/admin/admin.php?FUZZ=key
zsh: no matches found: http://admin.academy.htb:58405/admin/admin.php?FUZZ=key
Look at this.
ffuf -w /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key
actual command in module 😄
it should be in one line
It is in one line.
doesn't look like it, zsh is trying to interpret the target as a command
from this
put le url and le wordlist directory in le single quotes: '
Your terminal is attempting to parse what it thinks is bash or zsh language or something
the modules are often structured in such a way that you cannot replay them 1:1, but the modules show you the way and you then have to adapt the commands to the lab
yeah zsh has aggressive globbing
Try using single or double quotes around your parameters
So what's the solution?
switch to bash
Around wordlists location.
apart from not using arch you can
Try using single or double quotes around your parameters
zsh4life
ffuf -w "/opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ" -u "http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key"
Hey yoooo This is not my file location btw.
then adjust it
please change the file location for him
you have errors
you need to replace PORT with the actual port
Ayooo 😅😅😅 bruh. Nice one though.
Okay it's scanning.
Thanks y'all so much.
I Appreciate it.
❤️
yeah, you're welcome buddy
Awesome
awesome stuff
Don't threaten people @dusk yarrow
Fuzz harder 
Deeper also
have fun
Personality development?
Nice 🙂👍
Good morning guys, can anyone give me a hand with CWEE - Advanced deserialization XML and Binary?
What do you need?
I was gonna say
open your eyes 
I should really wear my glasses
😎
I crafted the payloads actually, same as it's in there but not working, obviously I modify as its needed
Feel free to dm me
But not working
Okay, thanks!
And open your eyes @waxen totem hahhahah
joking!

I believe I am successfully connecting to the VPN using openvpn. I am using a linux desktop. but I can't ping anything. I'm not closing the terminal window running the VPN connection, I am opening a new one.
I don't have any other VPN or process running but after "initialization sequence completed" I have 3 more lines. they are:
1)" Data Channel: cipher 'AES-256-CBC', auth 'SHA256', peer-id: 1, compression: 'lzo'"
2) Timers: ping 10, ping-restart 120
and 3) Timers: ping 10, ping-restart 120
I need a help with the flag on bugbounty course, web requests topic. The question is "The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what is the request it is sending when we search and use curl to search for flag and obtain the flag". Anyone who has worked on this please help
I had to manually enable ipv6
is there a reason the xfreerdp machines are so slow? when i try to xfreerdp they crash
Have you tried swapping to TCP vpn?
Its not RDP only, the target machines simply crash after some time, and I used pwnbox
Is there a general problem with HTB machines?
Not that I've experienced, aside from slow-ish spawn times they run pretty well. Also target machines have timers, they terminate after 90m iirc, there's an option to extend that time once the target is spawned.
nono, the crash happens after something like 5 minutes..
