Hello, I need your help with the Security Monitoring & SIEM Fundamentals module (Introduction To The Elastic Stack part)
I managed to connect to Kibana and send a request, but I can't get the results; it gives an error.
Search Error: Batch request failed with status 0
I am also unable to see the SOC-Alerts Dashboard; after a while it gives me an error:
Network error, try again later or contact your administrator.
The problem is precisely in the request to the logs, since Kibana itself works without problems, but it apparently cannot receive data from Elasticsearch.
P.S. I tried waiting 20-30 minutes, but the result was still the same.
Upd: Got it.
I connected from my host using Firefox; the connection was successful, but for some reason I could not make a single request to the logs, although the interface was fully working.
When opening Elastic inside the HTB Pwnbox, everything worked fine.
Re-read the question and follow along with what the module is doing
Hello @slow ruin, could you help me? I have created a model which has 89% accuracy, but when I submit it to the url:5000 I get 0% accuracy.
Has anyone completed the new AI Red Teamer role? I am at Page 25 Skills Assessment and I need a little help.
LFI module is WAFed or something. I'm getting reset on the very first assessment whenever an existing file is requested via the language param. Have tried all techniques, all receive connection reset.
I can also request nonexistent php files via the same param and it just re-renders the site in English.
I'm guessing this behavior is unintentional?
On the Advanced SQL Injection module, is it possible to get the jar file on my host computer? It is cumbersome to set up the lab every single time.
same status
you can connect over ssh no?
scp it to your machine 😉
Thanks. I will try again; my computer didn't connect to the target, not really sure why. Maybe because it is using 10. or maybe it's the wrong VPN I am using?
If you connect to the VPN you should be able to connect to the machine over ssh to download the file
feels so stupid. Thanks for the pointer!! have a great day
Hello, I'm on
Attacking common applications: Exploiting Web Vulnerabilities in Thick-Client Applications
I xfreerdp to the machine, but I can't find the fatty.jar file. I restarted the machine and searched for it but can't even find it.
You don't necessarily need to know C to hack
It's in the C:/ root
I forget which directory
Nah, I got no device, bad at hacking, forget shit that I learned, and more
The pentester path, for instance, barely uses any C, and the only C used is to create a shared object file and is given directly to you
Notes are important
You sure you edited your hosts file @dusk yarrow
Can you PM me? I wanna learn from you
DMs are only open for #modules messages (not free)
Bruh, I'm broke WHAHAHHAH
I've been slowly discord search optimizing the message
Dude, I'm 12
chill
uh oh
Y'all follow this boring stuff
why is that even important
Which directory is it in?
I checked dev, tmp and TOOLS; it's not in there
Legal compliance
Did you try Apps?
Bro, c'mon, I'm not falling into one of those predator shi
Yup, it was in there 🤦♂️.
Thanks so much.
As that one has a recent date
It's not about that lol
Literally HTB could get in trouble for knowingly allowing someone under the ToS to participate in the server, getting it shut down
Not to mention HTB has their own age requirements
Yes @spare dome you should get that parental consent form filled and submitted
Sup
Yeetus the fetus
I'm in this module.
Doing fuzzing of vhost and subdomain.
Could you check if your hosts file was set up correctly?
What's the content of /etc/hosts?
GNU nano 7.2 /etc/hosts
#
# /etc/hosts: static lookup table for host names
#
94.237.54.164 academy.htb
#<ip-address> <hostname.domain.org> <hostname>
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
127.0.1.1 blackarch.localdomain blackarch
# End of file
Q1 just wants the name, like: www, abc, 123; it's not asking for the full domain
Is that the IP you see too as your target?
Target(s): 94.237.54.164:37846
Life Left: 14 minute(s)
+ 1 Run a sub-domain/vhost fuzzing scan on '*.academy.htb' for the IP shown above. What are all the sub-domains you can identify? (Only write the sub-domain name)
What's your command?
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:37846/ -H 'HOST: FUZZ.academy.htb'
Looks good right?
I did everything correctly right?
Subdomain. Right?
Are you getting errors?
```
:: Method : GET
:: URL : http://academy.htb:37846/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.academy.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
:: Progress: [2560/4989] :: Job [1/1] :: 2 req/sec :: Duration: [0:20:13] :: Errors: 2520 ::
```
I've been doing this for hours. I had to change the IP address many times.
Did you change your hosts file accordingly?
Because that explains your problem: the IP of the target does not match your hosts file
Or the port changed
Okay wait I just changed it again.
I got a fresh ip again.
Target(s): 94.237.54.164:51789
Now change your hosts file
GNU nano 7.2 /etc/hosts
#
# /etc/hosts: static lookup table for host names
#
94.237.54.164 academy.htb
#<ip-address> <hostname.domain.org> <hostname>
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
127.0.1.1 blackarch.localdomain blackarch
# End of file
Now make sure your ffuf command is using the right port
```
:: Method : GET
:: URL : http://academy.htb:51789/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.academy.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 985
________________________________________________
:: Progress: [80/4989] :: Job [1/1] :: 2352 req/sec :: Duration: [0:00:33] :: Errors: 40 ::
```
Now I got stuck again when recompiling the .jar file after editing. I can see the binary; unfortunately, when I try to open it nothing happens, but when I open the regular file that wasn't compiled it has no issue running.
This section is honestly a pain in the ass
If you want, use this command but just modify it for your purpose
ffuf -u http://monitorsthree.htb -H "Host: FUZZ.monitorsthree.htb" -w /home/kali/Downloads/subdomains-top1million-110000.txt
Because you have to decompile, recompile,
That fs thing isn't really helpful in this instance
Is it because I did something wrong? Or is it just buggy, that I'm getting this error?
It just overall sucks
You need to make sure to remove the file hashes from the META-INF manifest
I did, but for some reason it got stuck only being able to be executed from Internet Explorer (the file's logo had Internet Explorer), and when I couldn't change it so it could be in its default way, I just said it probably won't make a difference anyway and recompiled it, but then I got that error. I'll just reset the target, try again and hope it works.
Yeah it's a terrible section in an otherwise great module
Imo it shouldn't even be in it (for several reasons)
OK, glad to know I wasn't incompetent and it's just the section having its issues.
Just know after every step you basically have to recompile
Ayooo, btw I'm not done yet. When my problem gets solved I always say thanks, so it's still fuzzing.
I don't forget who helps and does good.
Careful not to spoil content
I don't have the answer
It doesn't contain answer
Btw, still thanks @fathom pendant @storm elk
How did you solve it
Have you tried anything log-related?
I'm gonna kms, this is so confusing, and I think I just messed everything up and have to restart.
I'd make sure to have the compile command on copy/paste lmao
Hey,
I'm doing the module Attacking Common Services and I'm under Attacking FTP
The first question is
What port is the FTP service running on?
But this is my nmap scan
nmap -sV 10.129.203.6 -p- -T4
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
If I can get a hint on what I'm missing, that would be helpful
I would restart the instance. I had issues with ftp not showing up and after restart it then showed
Good afternoon guys, I'm here in this module but I cannot find the file for upload. The module is Applications of AI in Infosec
I've done that once
Isn't that weird?
Ok now I see that, thanks
I found this on the scan (AEN)
2 Dovecot pop3d
2 Dovecot imapd (Ubuntu)
2 Apache httpd 2.4.41 ((Ubuntu))
1 vsftpd 3.0.3
1 (unknown banner: 1337_HTB_DNS)
1 Postfix smtpd
1 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
1 2-4 (RPC #100000)
That's my Host & Discovery section in the Appendix of my report. Is it correct?
Going through the Attacking SMB section in the 'Attacking Common Services' module. crackmapexec fails to identify the correct password from the list when brute-forcing.
cme output:
jason:<the actual password> STATUS_LOGON_FAILURE
This is supposed to be the correct password though, and I confirmed I'm able to log into SMB with this. Is this something to look out for when using crackmapexec?
Use netexec, crackmapexec is unmaintained.
I'm in Using Web Proxies / ZAP Fuzz; I get the flag but HTB says it is wrong?
Make sure there are no additional spaces at the end of the flag
It was probably a space. Thanks
All good, many a time I copied the flag only to have an additional space find its way onto the end
I fixed it
Can I get a nudge on the Blind SQL SA Injection point? I tried the time-based and error-based options from the cheatsheet, URL-encoded in Cookies, User-Agent, POST params on POST/GET login.php and index.php, but I see no result. Sometimes I think I got it, but then it is just the lab taking long for no reason, and if I resend the same payload it is "fast" again
After I spent the whole day on
Attacking common applications: Exploiting Web Vulnerabilities in Thick-Client Applications
I got this far, but now I'm having issues with ||fatty.server.jar|| being corrupt or damaged when I'm trying to execute it.
Could anyone help me? I'm sick of this section.
This is HTB's "Fatty" box. Many people struggle with this section of Academy, and some have had luck watching Ippsec's walkthrough of the machine, so maybe this will help you too: https://www.youtube.com/watch?v=3bvKLj0akMM
Don't spoil info for content that you had to fuzz for; I believe that module is above T0
Sure, very sorry for that. I will try not to spoil anything again.
My issue was training the model on the incorrect labels. Make sure you train your model on the text and labels, and make sure the labels map to the same text. Once I created a vectorizer and classifier, I used the fit function with text and label as parameters
https://academy.hackthebox.com/module/113/section/2154
I'm 99% sure I have the correct answer for this module's question but it's not working
Nvm, the 1% came in clutch
reading comprehension demon
it has been a while since I did "Password Attacks". I am resuming my work today. But I cannot find the section with Kira's password, needed on "Protected Files". Can someone please tell me on which section is Kira's password provided?
Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer.
I'm stuck at the Type Filters section of File Upload Attacks. I've tried all the possible things and variations, but I still get the error "the image "..." cannot be displayed because it contains errors". Not sure how to explain where I'm at without spoiling anything
OK, nice. Guess I'll be doing this tomorrow as well.
You brute-forced her pw as part of one of the early sections; that's why you can't find it provided
this module reuses credentials a lot
Credential Hunting in Linux is where you would have cracked their login to pilfer other credentials
If you're still stuck you can DM me!
Thank you. Yeah, I know it's coming from another section. I just couldn't find it. Thanks
As a tip for future headaches, save passwords you crack/find
Yeah. Doing that now actually. Forgot to take proper notes when I worked on those. Thanks
That way, I will remember or know what password to use if I have to resume work in a week or so. I can barely remember my name after today, lol
Hi all! I've been stuck for 2 hours on the last question of Active Directory BloodHound - Skills Assessment
Q-Find the percentage of users with a path to GLOBAL ADMINISTRATOR. Submit the number as your answer (to two decimal points, i.e., 11.78).
I have the total azusers, divided by 2 (number of users with Global Admin reach) and x 100. It's not accepting the answer. Open my eyes 🙂
I found the answer with a right-click on the Global Admins group
Hey everyone, quick question: anyone ever run into an issue with sqlmap on Kali where the results just don't show up? Just wondering if anyone's had the same problem.
No output?
So I'm trying to use sqlmap on my own machine (Kali). I'm using the command `sqlmap -u <url> --data="id=1" --dump-all`, but it's not even showing the information_schema. It works fine on HTB machines, though. Any ideas what might be going on? I'm stumped!
I'm stuck, need help
Windows Privilege Escalation - Pillaging
Q:Find the configuration file for the application you identify and attempt to obtain the credentials for the user Grace. What is the password for the local account, Grace?
I can guarantee that I tried everything on the lesson, even the string used on the lesson is not being cracked using the steps. Anyone?
Resolved: I was silly and downloaded the git repo instead of the Python script :/
On your own machine?
Is the target vulnerable?
I did, same result
Yup, I'm doing the HTB - SQL Essentials module
I asked in pro labs section
Anybody can help with the last bit of HTTPs/TLS Attacks Skills assessment?
~~Intro to Academy ~~
~~Learning Process ~~
Setting Up
Linux Fundamentals
Windows Fundamentals
Introduction to Windows Command Line
Introduction to Bash Scripting
Introduction to Networking
Intro to Network Traffic Analysis
Introduction to Active Directory
Introduction to Web Applications
Web Requests
Hi, I'm a bit confused on whether I should skip the underlined modules and start with the rest, because I feel like I should focus more on diving into things that I really don't know. I have gone through almost to the end of Linux Fundamentals and I felt like I already knew most of the information there, although there is some new info. Any opinions?
I'd still skim through those modules as, despite knowing things, there are some good nuggets of information in them
Thanks
I've already written notes anyway
paste the command you're using and remove the password, otherwise dm me. Remember to use the --local-auth flag if you haven't.
Yeah, gonna do that instead.
I know you know, I'm just being, well.. you know
I gotta hit up the Academy paths one day
banging my head against the desk figuring out the answer
Hey everyone, I had a dumb question. I am doing the question in the module "Linux Fundamentals" under the Filter Contents section, and the question states... How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only). I did research because I had no idea and got the answer || ss -l -4 | grep -v 127 | grep "LISTEN" | wc -l || but how would one know which command to use and how to use it? (I apologize as I am still very new and trying to learn.) || netstat and ss || were not really touched on that much prior to this question
Exactly how you got it: through extensive research, although a lot of it is just muscle memory and reading the manuals
Like I know for a fact a command has a function but will forget the flag or syntax for it so I'll consult the man page
I'm stuck on that one. I ran a connect scan through ligolo and the host timed out. I tried to do ports 1-10000 and the top 10000 ports.
I'm stuck on that one too.
What's the exact error?
If you can reach the target and it's Windows, try -Pn
I will try that. I was able to reach the target but didn't think to try -Pn.
Hello everybody
I was looking for help with the Dirty Pipe section in the Linux Privilege Escalation module
How the heck am I supposed to do this? I tried a bunch of things and still nada
Any hints are appreciated
Did you complete the WinRM one with leonvqz trying to connect to the DC? I'm stuck on that one. Could use a nudge on which method to use if you wouldn't mind a DM
What module is it?
Didn’t make notes on many of them
Windows Lateral Movement in Active Directory Penetration Tester. WinRM section.
The question is pretty straight forward, simply follow the chain of exploitation and you will be dropped into a root shell
Haven’t
I did, it won't let me use the bash exploit, gives this error
And I became smart and used the Python one
Compile the exploit on the target
Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer. I am stuck on this
Doesn't work either, idk why
I just tried it and it worked
How to filter on Wireshark?
huhhh
I compiled it on my system then scp'd it onto the target
That won't work?
You must ensure that you have the same glibc library
Idk how to do that, still a newbie
Oh wait
rightttttt
Can you give me a command to curl the whole directory? Idk how to use curl
Try to do the research about that by yourself, you will benefit much more than someone giving you the command
Right, thank you sm
Can you help me out, ser
Which section and module
CPTS > Footprinting > SMTP
Thank you so much my man, I just did it!
Use the provided wordlist from the resources and perform enumeration, it can be done using multiple tools
Just make sure you use the wordlist
Yea, I did that: captured it with Ettercap, used Wireshark, but I can't find the command used by the tool, that is VRFY
Why Ettercap and Wireshark? Use other tools to perform the enumeration of valid usernames
To see if I got a different response
Search for SMTP enumeration tools
I used a username brute-forcer called smtp-user-enum
adding the --local-auth fixed it, thanks!
I tried VRFY, EXPN, RCPT and got no results
The question:
If I wish to start a capture without hostname resolution, verbose output, showing contents in ASCII and hex, and grab the first 100 packets; what are the switches used? please answer in the order the switches are asked for in the question.
The answer: sudo tcpdump -nvXc 100.
The answer is incorrect; what is the issue?
I don't think I have that module, but maybe you don't need sudo or even tcpdump, since the question emphasizes the switches
And you may want to at least add spoiler tags
On a serious note
Switches used
Not the full command
Using David's hash, perform a Pass the Hash attack to connect to the shared folder \\DC01\david and read the file david.txt.
Did the module show how to communicate with the shared folders?
Pass the Hash (PtH)
Password Attacks
The foothold is Linux, yeah? smbclient
Yes it did, and I'm absolutely trippin' bags
Yeah, my fault, my eyes just saw it now
I used the Metasploit tool; it found the user but the other tool couldn't find it
The device is domain joined, you just use //DC01/SHARENAME
Is anyone able to do this? Login Brute Forcing module: I cracked SSH and I got the password, but I cannot log in with the password, and I have tried to upload my public key but I can't upload it either because it requires a password and password authentication is disabled. How do I work around this?
Did you specify the custom port?
Then it ain't the password
Wow, that works, thanks so very much, I appreciate that @fathom tide
When you have a public IP you must specify the port that was given when you spawned the target
Sounds great. Now how do I log in to FTP? Do I have to brute-force FTP the same as I did with SSH, or do I need to do it after I log in to SSH?
Enumerate the target
Will do, thanks so much guys. I swear you guys are awesome; I had been working on it all day yesterday and tried everything with ChatGPT too, but it never mentioned accessing it with the port, as I tried to do with FTP usually
Black screen after you connect?
Tried rdesktop or Remmina?
Trying to specify the keyboard layout with xfreerdp /v:ip /u:username /p:password /kbd:0x00000409
And try xfreerdp /v:ip /u:username /gdi
Good luck how
Hi...
Anyone help you how to hack a mobile phone
Please read the #rules
I'm stuck on https://academy.hackthebox.com/module/113/section/1097
I know for sure I'm using the right CVE but it's not working and I don't know what I could be doing wrong
I changed them according to the IP of my machine and the module host
ism.bat exists?
DM
Hey Guys,
I was trying to clarify the steps I took for the module: Tapping into ETW
Am I allowed to post the steps I took?
@mortal basin is the new networking module going to replace the existing networking module?
The Windows Event Log module is Tier 2, so posting direct steps would be a spoiler
OK, can I get a reference about finding a string in an etw.json
Also is this going to be put into a pathway? Like IS Fundamentals
Seems like it’d be pretty important
^ that was part of my question
Was adding onto it 🙈
Doesn't the module reference using 'strings'?
No. This one is more basic, and focuses more and goes deeper into the basics
So a bit more depth than the standard Net+/subnetting in the one in Infosec Fundamentals?
Interesting
I'll take a peek when I can
Yes, however when I was searching such a huge amount of data, the processes I ended up finding were not the ones I needed; it was for a different PID
findstr is a built-in command
I'm guessing that would be outside of Notepad, where I opened up the etw.json
OK, I was just thinking I missed a step or something as to why I couldn't find it
You likely missed a step or something
Yeah true thanks Marcielee!
Guys, can I get some help for the Password Attacks module? I don't get how to dump hashes from the NTDS.dit file locally. All of the solutions I found are remote.
This module doesn't demonstrate secretsdump?
It does, and it is remotely done with `python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -ntds NTDS.dit`
secretsdump.py: error: the following arguments are required: target
So this is remotely done and I did transfer the NTDS.dit file, so yeah
It has two modes
Yeah, the LOCAL one I think you're talking about; it says something about the SYSTEM hive, so I guess I'm transferring that to my local machine too now
Yeah, it stores the bootkey
Which is needed to decrypt the hashes from ntds.dit
Won't work without it
Hello everyone
So you’re the guy who made me spend hours on the bug bounty path
"just 18 days btw "
Before you get bored, just do the CWEE modules. 😉
Good afternoon guys, I need a bit of help. I don't know which file I have to upload in this module. In AI
Kevin Hart bunny I would
But I’m broke
Hello to all! I'm in the module Active Directory Enumeration & Attacks, specifically in https://academy.hackthebox.com/module/143/section/1455, and the question at the bottom is "Enumerate valid usernames using Kerbrute and the wordlist located at /opt/jsmith.txt on the ATTACK01 host", but the Target is the same attacker IP (and is a Linux host). Is it wrong?
Can anyone give me a useful tip? I'm on
Attacking common applications
Exploiting Web Vulnerabilities in Thick-Client Applications.
I have the ||fatty-server.jar||, but for some reason it's not opening, even though I can extract all the files and recompile it. I checked IppSec's walkthrough on the box Fatty, and although it helped me, I'm still unsure why server.jar isn't opening. I have been stuck on this section for 2 days now.
You have to SSH to the IP provided and run the Kerbrute attack from there to the ATTACK01. Or did I not understand your question correctly?
Yeah, I figured it out, cool stuff, thanks
Hello guys, I hope all are doing well. In the Server-side Attacks box, Blind SSRF, the following question (Exploit the SSRF to identify open ports on the system. Which port is open in addition to port 80?): I found all open ports, and now the question is how am I supposed to put them in the answer field?
Yes, but both IPs are the same, the one to SSH to and the target IP. It is the same host. I SSH to ea-attack01 with the user htb-student. I think the target should be a Windows host.
I mean, just go for it, I think it should work
I did, but the target (the same attacker host) is Linux, with only SSH and RDP ports open. So Kerbrute has nothing to do there
Who can help me with this please?
OK, let me do it again to check
What section is this?
Thank you!
I have JupyterLab open but I don't know where the file for upload is in this web
I'm in AI
Oops. Got me thinking that's something new in the CPTS path..
Sorry mate. Someone will help you soon 🔜
Don't worry friend, anyway I'm still a noob
Indeed, not all ports are open. I was looking for a way to filter it but I'm missing something
OK, so I remembered now,
You just copy the command it provided; you're supposed to enumerate the inlanefreight.local domain, and for an easy way to count the amount:
||kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt > all_users.txt|| <---- Enumerates all users and saves into a file.
||grep '@inlanefreight.local' all_users.txt | tee matched_users.txt | wc -l|| <--- Takes all matches of @inlanefreight.local, outputs them into another file, and counts the number of instances of @inlanefreight.local there are.
Oh, OK, so basically don't mind the target in the question and carry on with the examples used in the module. Thank you for your time!
You use the target IP to SSH into it, then attack whatever domain is shown in the examples unless specified otherwise,
Also, no problem bro.
Great. Have a nice day!
I am unfortunately in the same position. Can anyone provide some assistance? Or even just a hint so I could progress a bit
Hello everyone, I have a problem with one of the modules: Linux Fundamentals / Filter Contents. So far all the examples worked until I got to the 3 exercises at the end; none of them can I answer correctly, and I'm not sure what I am doing wrong. Did anyone have the same issue?
Ask
I'm fuzzing on a module. I found three vhosts: test, faculty, archive; then I fuzzed for extensions and found: php, php7, phps. Now I'm going after recursive fuzzing to find directories and files, with a 3x3 combination of sub-domains * extensions to find a forbidden page.
So far looking good?
Btw, one more thing: because it takes so much time to fuzz, I ran out of time for the server during this process, so I had to change it multiple times. So the IP and port are not consistent in the results.
OK, figured it out... I will not give the answer, but you will need to play with the timing a bit.
One more thing: recursive depth is 3.
I love the new Networking Foundations module, always good for beginners in particular to review some basics!
But for the life of me, I cannot answer some of the questions, even though I'm pretty sure I know the answer ^^'
Either I'm really on the wrong track here, or I just cannot get the spelling right xD
I even tried the British spelling, I just can't get my answer to be accepted
With and without dashes, with and without the word "cable"
Perhaps just a glitch in the module?
underwater sea cable
Try it
Lol, not sure if you were serious, but I did, and no, not accepted
I am
damn
@tiny frigate what section?
Components of a Network
I mean, the other day I couldn't get a password to be accepted for like 15 minutes until I realized that I misspelled the word "Administrator", so let me know if it's the module or me ^^
Found it yet?
Anyone:
"ss" and "lsof" won't show result, "ps" did but username provided was wrong answer...
so far
^
should I be adding this to the erratum section, or will this likely be reviewed here? not sure what the process is
If you believe there is an issue with the question, make a post in #1234357888114364508
OK, thank you!
Hi, I have a question about "Active Directory Enumeration & Attacks -> Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows".
It says to "Perform a cross-forest Kerberoast attack and obtain the TGS for the mssqlsvc user. Crack the ticket and submit the account's cleartext password as your answer." I connect to the RDP server and I use this command `.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap` and I get the hash for the "mssqlsvc" user, but then I cannot crack it using john (I cannot use Hashcat as it crashes).
Any help?
@west canopy 🤔 <3
https://academy.hackthebox.com/achievement/667914/289
Good module @sick fulcrum and @west canopy, a few quirks here and there with some stuff being case-sensitive (or me being dumb); I'd say it's pretty decent Net+ level material without being overbearing
@tiny frigate with FTP anonymous: when it asks for a name, type in anonymous, then for the password type literally anything and it should log you in
Yep, that works! I was trying the netcat commands; maybe I misunderstood the assignment there or something. Will play around some more 🙂
There's an ftp command 😉
ftp <ip>
Yep! But that's too easy now! xD
I mean, it's the best way to connect to an FTP instance as it uses the correct protocol language
ikr?
Like how curl for HTTP/S;
smbclient for SMB;
openssl for IMAPS/POP3S
(last one is if you don't wanna use an email client)
What about me? 😢
If hashcat is crashing, that's sad; but it sounds like you got a hash, so not sure what else to tell you
Well, you are right, but I cannot complete the section's question...
I am also curious if I have the right hash, because for the next section's questions john works normally and I can crack the other hash
It's above T0, so it would be spoiling to post too much here; my DMs aren't open for general help
I would say run the command again and see if it gives something else
Yeah, I know about this, and thank you first for responding (you are the only one <3). I am just at a dead end, that's all
Try the Pwnbox
Why does Hashcat crash? I had to tweak some settings in my VM to give it more RAM, where John just breezed through the cracking without issues. Seems like Hashcat is more resource intensive, without having looked into it much myself yet
VMs are not real machines
Hashcat was made for bare metal
Even with proper passthrough, VMs just add layers of abstraction that slow things down
Working through Information Security Fundamentals -- there's a good bit of super specific tool configuration in here (like configuring containers through multiple different services). Would you guys recommend taking notes and going deep into each of these topics, or rather reading to understand the concept and exploring them when the need to use them arises?
No
When it's time to get into the configs of Kubernetes or Podman rootless mode
You Google it like everyone else
hm yea
(has someone already kicked the person that just "sent me a guideline"? was about to ask where I should report)
Realized I had spent way, way more time on Linux Fundamentals than I had realized
Thank you, I found the flag by getting the hash using the commands from my Linux terminal, which for some reason gave me a different hash value, and I cracked it using john.
I tried earlier today to crack it again from Pwnbox, but again I couldn't.
I do not know, to be honest. I am using hashcat from my machine, not a VM. It was working normally, but one day it decided to take a rest and "core dump". I tried to troubleshoot it but it didn't work.
Got it, might have to look into setting up a full device myself sometime, for more resources (:
Might pick y'alls' brain at some point about recommendations. Got an old laptop floating around, already cleared it from Windows and installed Mint at some point, might as well make this an HTB device ^^
you basically get limited by your CPU
for certain hash types
i meant in VM
most (if not all) is done via CPU on VMs; and if you have a shit CPU, you're gonna be limited. memory is mostly there to help manage the threading and processing, but the CPU (or GPU) does the heavy lifting of actually doing the hashing
vms are only cpu limited if you fail to set up gpu passthrough properly
and ram is also important, in the case of working with large hashlists
yo how are you guys? can someone plz help me with the SA for DACL Attacks II ? currently stuck on the first question, I got an attack path but it doesn't seem to work for some reason
Hey there guys! Just finished Footprinting-Medium, which was really nice, easing us out of the box just a tiny bit, but I have a question 👀
At one point in the box, a query is sent to the server, and you have to select...from a database. I accessed the GUI and saw the different databases on the server, one of them being "accounts". However, the query "select * from accounts" doesn't work, and we have to be a bit more precise.
- Why doesn't it work with the "general" database accounts?
- How are we supposed to find the "detailed" path of the database?
I'm starting out SQLy wise, so that might be why, but I'm kind of perplexed 🤔
Was “accounts” a database or a table?
I'm pretty sure that it was a database!
Like in the tree ? Because there was no "dbo" (...table ?) underneath "accounts" (...database ?)
Neither :/ at least I think so, I don't have it in front of me anymore
But I might have been wrong, I'll check again tomorrow! Thanks for the pointers!
cough spoilers cough
I had a question about using hashcat if y'all don't mind. I've found a hash that is similar to 'admin:3372646:3457388...' When I create the file to run HC against, do I include the full hash string or remove the username 'admin' from the beginning?
I didn't even know about --username 😆
Did you know you can output to a file? :)
If I include the full hash with 'admin' at the beginning I get an error as if the hash format is wrong. I tried without admin at the beginning; it begins to run but the estimated time of recovery is 3 days
i would assume you can but i just never used it ngl
just checked the potfile if ever needed
are you using the right mode?
the time estimate isn't the actual time it would take
btw
only if it fully exhausts a list
hmm I'm using -m 7300 which was listed in the module, also tried 7400, but good idea, I'll peep further into modes
actually on that one I think the password wasn't in the resources lol
i know rockyou worked tho
hmm yeah I don't think there's a provided wordlist for hashcat for this module/section. I checked resources and just the footprinting wordlist is there. Can probably use something in SecLists or rockyou though as mentioned.
I was using hashcat -m 7300 ipmi_hash.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u which is what was shown in this section
hey all, I am currently enrolled in the CDSA course. Should I take the modules in order from top to bottom or is there a specific order that someone would recommend? (I have 4 years of IT experience)
I haven't done CDSA but I think HTB teaches in a way that builds upon previous modules and sections, so I think it would be best to go in order from top down.
ty.. just was curious.
You may assume that I did not setup anything "properly" xD I'm happy I got it to work pretty smoothly (minus Hashcat, but so far John saved my hide in those handful of cases), had been using Pwnbox until recently, slowly working my way up (:
Maybe check with peeps over in #cdsa they might have a better answer
I posted the same question there too
ty for the quick response tho
the paths are constructed in a way that the knowledge builds on each other (in most cases); for instance in the cpts path, the Common Services module is after footprinting because in order to identify a common service you need to learn to footprint/identify it
(careful with the double posting though)
noted. I have been a member of HTB for a while but this is my first time posting in the DC
ty for the feedback
Oh no worries, I just recall that the moderators sometimes comment on that, I'm sure you're good 🙂
And welcome on the Discord 
the thing with double posting is it leads to cases where someone answers your question to your satisfaction in one channel, then someone in the other channel (not knowing it's been answered) answers you again
Hi
I have a question regarding this file upload stuff. So I remember when I was asking Tlattice for help in Dms he told me not to use the slashes
The slashes request, but it gives a response of file uploaded successfully, and I got this payload from PayloadsAllTheThings on GitHub, so if I did want to utilise these extensions in the real world (with the slashes) what would I need to do?
some functions interpret everything up to \x00
thanks
thanks
I see why evil-winrm didn't allow me to get the shared folder: it's because it can't fully make authentication tokens like we do via RDP, so it has limitations...
Yeah I think it's just HTTP requests
yup
Login Brute Forcing module, Brute Force Attacks page assessment issue: running the script, it just hangs
Anyone?
Script is taking too long
Which section?
Yeah, the script should work just fine, just change the parameters and let it run
Hi everyone! I have the following question - I'm currently on vacation in Indonesia and I planned to start my Penetration Tester job path while I'm here for the next 2 weeks.
I went to the billed annually option and it was 490$ (incl. VAT). But when I select my home country (located in Europe) in the billing address dropdown the price changes to 588$ (incl. VAT).
If I sign up with Indonesia as my current location and pay only 490$, will there be an issue with my access once I'm back in my home country? Obviously I want to take advantage and pay the lower price, but I don't want to mess things up because of the different locations 🥲
Thank you in advance!
Hello
I am doing the fuzzing module
in vhost fuzzing, filtering results even when I add the IP with academy.htb to /etc/hosts and use -H 'Host: FUZZ.academy.htb'
not sure if this is a question for this channel or the HTB: Off-topic channel. Apologies if I messed it up
it works, but then when I filter with -fs 986 I get no answers
idk, one time I asked in cbbh I got redirected to #modules
Is this group for learning hacking ??
VAT is calculated according to the country of origin. To determine the home country, things like your address, bank details, credit card, etc. can be used.
idk
Guys, I'm stuck on the skill assessment of Broken Authentication. The password seems to be uncrackable, cookies also seem random. What to do? Any hints?
hey! I've just done this module, are you on this question?
if so, show your /etc/hosts & the command you're using. See if it differs from mine (could be why you're not getting the same results)
hi, so I'm on the easy lab for the Attacking Common Services module. There's only one question: I gotta log into the server and get the flag. I'm trying to crack my way into the server. I nmapped it in order to see that ports ftp, pop3, imap4, and smtp are open. I found an smtp username with smtp-user-enum. I am trying all of these different syntaxes with hydra and they aren't working:
76 hydra -l 'fiona' -P pws.list -f 10.129.203.7 smtp -t 64
77 hydra -l 'fiona' -P pws.list -f 10.129.44.4 smtp -t 64
78 hydra -l 'fiona' -P pws.list -f 10.129.44.4 pop3 -t 64
79 hydra -l fiona@inlanefreight.htb -P pws.list -f 10.129.203.7 smtp -t 64
80 hydra -l fiona -P pws.list -f 10.129.203.7 smtp -t 64
81 hydra -l fiona -P pws.list -f ftp://10.129.203.7 -t 64
82 hydra -l fiona -P pws.list -f 10.129.203.7 smtp -t 64 -D inlanefreight.htb
83 hydra
84 hydra -l fiona -P pws.list -f 10.129.203.7 smtp -t 64 server inlanefreight.htb
85 hydra -l fiona -P pws.list -f 10.129.203.7 smtp -t 64 --server inlanefreight.htb
86 hydra -l fiona -P pws.list -f 10.129.203.7 smtp -t 64 -h inlanefreight.htb
I got all that from my history but every time I try attacking smtp from kali it says it completed attacking the one target but no password found. I also attacked ftp and it still wouldn't work.
so all that's left is try imap4. I actually tried more iterations than just that portion of my history.
but I think that history snippet will give you an idea of what I have tried.
I tried ftp several times tho not listed above and it didn't work
be careful discussing modules above t0 @quasi wave. I don't have the answers for you, sorry, not quite got here. But no spoilering anything above T0 (not saying you have, I've just made that mistake a few times)
skill issue
ok so what am I doing wrong? that doesn't help since I thought I am doing CPTS to gain skills
and just saying skill issue isn't specific
are you saying to focus on FTP?
I get it I'm trying not to spoil but my answers are the wrong answers and I'm clearly doing something wrong with it
if you have constructive criticism I would love to hear it
wait, hold on, I had the wrong IP for some reason, let me try IMAP again
I'm gonna keep trying I gotta get it
what mode is your smtp enum in?
smtp-enum found a user
gotcha, know where you are.
I'm not using that anymore because that's not the issue. the issue is getting the password for that user
I got the user yesterday
use a different list
I'm trying an FTP attack again but with right IP this time
yeah hydra can be a pain.. needs specific settings before it can work smoothly. What command are you using ?
but I used the only list in the resources
(strip out any references/variables obv)
┌──(kali㉿kali)-[~/Desktop]
└─$ hydra -l fiona -P pws.list -f 10.129.44.4 ftp -t 64
You know when you scan and fuzz a website, threads speeds up things - can sometimes cause issues... well Hydra is the same. Play around with that!
I did. well, -t 64 gives me maximum threads. are you saying that can cause an issue?
and if so does that mean I am doing the right thing focusing on ftp?
it's not in there
then do I get a list from kali's default list? would rockyou work better?
yeah
Hi guys, I just started the CPTS course, I'm actually stuck in the "Getting Started" module in Public Exploits, using Metasploit
I have to identify the services with nmap, done that; I don't know what kind of exploit found by Metasploit I should use. I found that smtp is running, thought it would be the vulnerability
can anyone help me in Constrained Delegation from Linux (Kerberoasting Attacks)?
i get error when i run:
psexec.py -k -no-pass INLANEFREIGHT.LOCAL/administrator@DC01 -debug
1 select "INBOX"
* OK [CLOSED] Previous mailbox closed.
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft *)] Flags permitted.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1636414280] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
1 OK [READ-WRITE] Select completed (0.001 + 0.000 secs).
1 fetch 1 all
1 BAD Error in IMAP command FETCH: Invalid messageset (0.001 + 0.000 secs).
what am i doing wrong?
What is the best module for 500 cubes?
they are all really good
Depends whatever sort of knowledge you wanna gain
did you do a script scan? it's not snmp
Did you get correctly, if I finish all exam related modules I will get 2 exam vouchers?
Or I have to pay 200 bucks anyway
You need to buy the voucher
Unless you have silver annual
single -? btw
I already got it. It's a multi-answer question that should accept both -h and -?.
nope
either way not related to htb academy
if you wanna suggest a change to it there's support chat
I did a search exploit on SMTP, but honestly I don't understand the choice of the exploit, 'cause I get at least 10/20 different exploits
Idk if I explained myself; I mean that in Metasploit I did "search exploit smtp", I got 27 different exploits, and here I don't understand which one I should pick
you're over thinking
i suggest visiting the given webpage
Good afternoon guys, I'm stuck here with this module in IA. I don't know where the file is to upload on this page of the browser.
Module AI sorry
enumeration modules
hmmm, alrighty I will look into it
naming scheme may give it away
really?
what ?
ok sorry
file
open
?
nope, this says that I have to give the path of the file and upload it, but I don't know where it is
I'm reading the manual but I'm still trying to find it
but I haven't downloaded any xD
I am stuck on the skill assessment of SQLMap Essentials. Found a working payload and found the final_flag table, but there are only two columns, id and content, and no flag. What to do? Any help?
@solemn fractal Please do not spoil answers to module questions
Which module is this from?
Oh I’m so sorry I didn’t mean to I will never do that again here is the question again, can someone please tell me what wordlist I should use for skills assessment part 2 in login brute forcing I tried 2023-200mostusedpassword but didn’t work out
you need to complete the first assessment to be successful
the webpage from assessment one logging in gives you the parameters for crafting a wordlist for assessment 2
I did complete the first one @fathom pendant
so you logged in to the webpage for assessment one where it gives you a whole bunch of info
Which payload did you use?
You can send it to me by DM.
Yes but what’s the wordlist for the password to brute force the ssh @fathom pendant
you craft one
:P the module teaches you how
Thanks, I was able to get into ssh now. What exactly do I need to create the username based off? A name like, do I have to use Jane Smith, or whose name for the ftp username? I have the password. I really appreciate you Mr. @fathom pendant, you helped me with the last one. Now what should I do with the ftp username, so I know how to generate the username? I used username-anarchy but don't know what the name of the person is, can you pinpoint it?
i believe all the info should be apparent
i'm not walking you through everything
this is why i have a paid tutoring service
Please for the last time just tell me what the name of the person should I use @fathom pendant
ey guys, I have to this file in Jupyter Lab but it gives an error. I don't know why
I got it on the report Mr. @fathom pendant no worries I still appreciate your help thanks now I got the information for the person I need
Enumerate
Have you adapted the URL in the script to the target URL?
in theory it is the VM machine of the VPN but I have an error
look at this
Read the error message
It cannot find the file you are trying to upload.
i know but i don't know why
Does the file exist?
When I look at your directory tree on the left, there is no such file
already that there is no file, but I don't know which one it is xD
they changed the SAs from the last time I did this, so i had to redo it for my own sanity check.
Used to give you a user <bill gates> and a list of password complexity requirements
I know it is that, but I don't know where it is 😦
I have not yet solved the module. You probably have to create this file first.
yes, but it is supposed to be in this module. I'm rereading but I cannot find it, oh my god
I really haven't solved the module, I can only make assumptions. Maybe you created this file in one of the previous lessons.
nope this is the first exercise anyway thanks
anyone plz help me in module Windows Privilege Escalation > Weak Permissions
on Replacing Service Binary
Any hint for the assessment of Attacking Authentication Mach? I know it is JWK but I tried everything I learned, nothing correct with me
Has anyone completed Windows Privilege Escalation and can help me with "Pillaging", 'cause I'm so lost with it? Please DM or respond
anyone plz
Hii, I'm having a problem in the reverse shell section in the Shells & Payloads module, I'm putting in the right payload and cmd returns some errors
ey guys someone can help me with this?
Hi, in the module Attacking Common Services; in the last lab, HARD, last question: find the flag on the admin desktop; it's all day I try to find the way… thx for a hint
I feel like I'm staring right at it, but I'm just not seeing it...
In the Metasploit module, section "Payloads", there is a target that you're supposed to exploit Apache Druid on. All fine and dandy getting the exploit going with MS, but what I'm not quite seeing is how I would know to even look for a vulnerable Apache Druid version. All nmap has given me so far is some mostly DoS-susceptible Jetty version
I'd like to understand how I would have had to enumerate this target to get there.
you'd likely run some additional enumeration beyond just nmap
nmap doesn't really do web enum stuff
yeah, this module didn't specify how the enumeration part would've happened, but this is something I still want to learn to do better, so I'm curious how I should have done that ^^
because this module is focusing on the using metasploit aspect
i wouldn't worry too much about it
ok thanks 🙂
likely visiting the ports using netcat and other ways to enumerate
might poke around a bit more on this target just for the fun of it (:
someone has completed the module AI?
hello ??
On the Replacing Service Binary part of the section or the skills assessment?
yes, Replacing Service Binary part
Does the section say to follow along in the lab env? I don't recall.
I don't mind looking over what you are doing. You can DM.
Any idea with Grace questions?
Hi,
currently I'm doing the shells & payload module and in the last part of it.
I've been stuck with the pivoting method (to access the internal networks through the compromised rdp from my device)
Send me dm !
Did you get the answer to the first question? If so, review the section and enumerate that where you can.
You don't really need to pivot
Yeah, I think so. But while connecting with the RDP, seems very slow 🙂 that's why. though solved host3 related problems.
Now just trying to solve the host1 & 2. but that compromised rdp has no browser.
Yes it does
firefox in terminal
Ah I see, thanks! why not brain isn't braining... (cricket noise)
Attacking Common Services - HARD: last questions... any hint please
send me dm !
hi, started windows fundamentals and I have a problem:
PS [10.10.14.2] /home/htb-ac-1698620 > Get-WmiObject -Class win32_OperatingSystem | select Version,BuildNumber
Get-WmiObject: The term 'Get-WmiObject' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
you're running powershell on the pwnbox, this is why
wmi isn't a linux thing
yes, where to run PowerShell? my Parrot OS doesn't have PS
Need help with: **Attacking Common Applications - Attacking Thick Client Applications**. Anyone who has completed the Penetration Tester path, help me with this please
Send me dm!
there should be a target to spawn and connect to to run the commands
windows fundamentals
that should be your clue that you should be on a windows machine
spawn instance != spawn target
instance == pwnbox
target == target machine to connect to
anyone know what the module completion times are based on?
I believe they are based on the time in which a person can complete the module.
😭 😭
well yea
but what defines that time? was it people who tested the module? maybe just read time?
But this is a statistic that will not always be the case depending on experience and how each person internalizes the concepts.
bros day 1
yea - was just wondering what it was based on
thanks haha
Now im day 1680
testers and averages assuming 0 complications
ok thank you
what do you guys do that gets you community contributor? do you make challenges?
It's what pushed me to go private; too much for free
ur talking about your course right
or the tutoring idk if u got a course
mentorship yes
and tutoring
it's not a course
just private help with the pentester path
You help a lot
Hey guys, I am doing the filter content section of linux module, and the question they have after the module completion is
How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
and they don't have any content related to port scanning in this section, we aren't even there yet, so why ask this question, since I have to google it, rather than giving me something related to filtering content, which would make much more sense.
Am I doing it wrong or is it just not making sense for everyone else as well? If the section is on filtering content then why ask port scanning at the end, that's just silly
Hello
Do SharpHound results differ from one user to another?
In other words
If I collected data using domain admin is it the same as any other domain joined user ??
When viewed in bloodhound ??
They give you a list of commands in one of the sections one that's useful for listing network statistics
but aren't they supposed to give us questions related to modules we just completed? It's like you tell me a story and ask me a question about another story which is written in a book in a public library
Well you still need to filter the results of netstat
that's just complete nonsense, at least tell me beforehand; at first I literally thought I am the biggest noob in the world
That happened to me in the cdsa 😭
and you were given a set of criteria to figure out
The module gives a list of relevant commands in one of the sections
Asked me a question about something they introduced next section
And a brief description of the command
Taking good notes you'd be able to refer and see what command may be useful
Yea I just saw it, it's in the cheat sheet. Still annoying since I didn't want to cheat
Part of learning in cybersecurity is getting comfortable reading and looking up the man pages
I am taking notes in obsidian
It isn't, but it's a shortcut
I have taken shortcuts before and didn't learn everything eventually so I have decided not to cheat or take shortcuts in this thing
This section gives a list of commands
has anyone done the introduction to digital forensics and can help me pls for a class, i've been stuck on a question for almost an hour
It's in how you use the info, not that you used it
Note down what each of the switches do
netstat --help or man netstat if you wanna read some documentation
THANKS ALOT
I asked in CPTS and a guy told me to message here since it's not a module of the CPTS pathway, but I'm like, it's still a part of the infosec pathway which is a prerequisite to CPTS.
Well, tbh I haven't used Discord, I am fairly new, so no point in arguing about something which I don't know about
it's just because module questions go here
general questions and discussion about cpts go in CPTS
(same for the other certs)
what if its a module in cpts, still here?
ohhhhh I seee
and there's the discord search feature as well
which makes potentially finding the answer 10x easier than reasking the same thing
I have no Idea, let me check
yes, I have a target, and user and pass, but when I try to connect with xfreerdp I get an error; nmap works, but ping doesn't
Are you running pwnbox and vpn at the same time?
If so: that's where your error is [user error]
no, pwnbox is terminated
Are you sure you're connected to the vpn, and only have one vpn connection running?
sudo killall openvpn then restart the vpn process
I've been stuck on the skills assement 2 for active directory enumeration for two days now, could anyone help me?
I can't figure out how to get past question #7, where I need to gain access to the admin desktop on MS01
i used mimikatz to get the hash of the admin user on sql01, but it just gives me the local admin user so I can't really do anything with that
Has anyone solved OnlyHacks?
Hi! Any hint for Log Injection from HTTP Attacks module? I can't find a way to bypass the character sanitization
Have you tried analyzing network traffic?
yes will send ss soon
Password reuse exist
yeah so this should work, right? maybe i should try with another username?
I don’t think that’s the hash
but it works for admin account on sql01?
Was it changed?
I don't think so, I got in with msfconsole and used getsystem to escalate privs
try running lsa again in sql01, if you have already done so, you should see what data you get
try sekurlsa::logonpasswords
i dont even get the administrator user when i do that
Is Same with sam?
wdym?
sorry idk what the sam command is in mimikatz but its the same hash when i do hashdump in meterpreter
ok restarting lab thanks
whats the sam command though?
oh im so dumb its lsadump::sam
got the exact same hash again
restarting lab didn't work
I am positive, even the vpn I want to be open is not LOL
Now start it up again and pray lol
@gaunt forge please stop posting images with hashes. Those are spoilers
the hash is wrong lol
Even still; spoilers with what you've done
I suggest taking to dms if someone wants to help
the prayers don't help lol
it gets stuck here
it says "Initialization Sequence Completed"
That's expected
alright, could you help?
No
Open a new terminal and you should be good to go
Try escalating priv manually in the sql and run mimikatz manually
yees! how I forgot that!!??
ok, connected through xfreerdp
ping still doesn't work
Get-WmiObject -Class win32_OperatingSystem | select Version,BuildNumber DOESN'T WORK ;/
ok, maybe it doesn't work with all those errors lol
those errors look like nothing
though it looks like an interrupt signal was sent somewhere
xfreerdp /v: /u: /p: /drive:./,IT /dynamic-resolution /cert-ignore +clipboard my boilerplate xfreerdp command
ok, dont do facepalm again lol
copy/paste xfreerdp /v: /u: /p: /drive:./,IT /dynamic-resolution /cert-ignore and add credentials?
boilerplate? this is the first time I see this word LOL
credentials and target
boilerplate/baseline
as a note with the /drive: option it mounts a share under \\tsclient\sharename
i got myself in the habit of using inconspicuous names as the sharename to at least pretend to be stealthy (before blasting mimikatz and sharphound)
iirc tsclient stands for terminal services client that's actually the underlying exe behind rdp, mstsc
i spy with my little eyes a windows rdp session in the back there
and in your tray 😉
hawkeyed 😉
also pinging a windows machine isn't 100% reliable as typically ICMP Echo Requests (ping) are set to be ignored by default on firewalls on them
is there something I need to do with that window? i just want to get this command to wooork
Get-WmiObject -Class win32_OperatingSystem | select Version,BuildNumber
OMFG I didn't see that little icon on the tray!!!
my brother in christ, You have a beer on me!
g2g now! thank you!
hello
Hi
windows fundamentals / windows security
in the pattern description in the code block, it says sa1, sa2, etc
will sa2 always be that 3 block string (674899381-4069889467-2080702030), followed by sa3 being the relative id?
i interpreted it as sa2, sa3, sa4, then sa5 being the relative id
since everything was already split up by -
yes
so there is no (etc), it's just sa3
well etc is anything beyond
if the code is split up by - then sa2 is getting chopped to multiple pieces
that means sa2 isn't a single entity
it's not getting "chopped up" necessarily
what could follow?
it's just part of a longer set of numbers
sa3 and sa4 are just natural results of that split
sa2 just identifies to which device something belongs
everything that follows is more direct information about what's being identified
then it's a single entity
yep
it relates to the device (or domain) that created the entity
that way any searches will say "hey this entity is part of x.local, let's search their SID db for info"
that's why the 3 block chunk remains constant for all SIDs created on the same system or domain
is there an actual name for sa2
yeah
domain identifier!
thanks 🫶
nt authority in stand alone systems
*System
that's vague
not really
System is the highest level of authority you can have on a (local) windows machine
nt authority\System
nt authority is just the delegator
that has absolutely nothing to do with sa2
Someone can help me with task?
battle of gods
yeah, i also just realized sa2 is not really a formally named field
what module and section?
if it's not related to htb academy read and follow #welcome to access more of the server
Penetration Tester / Footprinting
Oracle TNS
and what exactly is your issue
if it's an issue with installing; i suggest going through the install script line by line instead
Can i dm you?
would someone mind pointing me to the starting point in this diagram?
User Account Control flow chart
can't tell where it's starting from
ah perfect thank you
don't know how I missed that one there
Hi everyone! I'm new here, and new to this world of hacking. I am on HTB Academy module "Getting Started." I'm trying to do the walkthrough of the Nibbles box, but already at the nmap scan it appears the box may be down. I understand that it's retired. Am I not actually able to do the box? Any advice would be great. 😊
Are you connected to the vpn?
Using the pwnbox in the module
What about with -Pn?
So first, because it was a retired box, I didn't realize at first that I needed to spawn anything. Was using the IP in the screenshot. 🤦🏻 But now that I've scrolled to the bottom of the page and clicked "spawn target" it's just spinning and not spawning.
I'm a noob 🤦🏻
After exiting the page and going back it's still spinning though.
It takes a minute (not literally, maybe sometimes 💀 ) to boot up.
Fair enough. It's been a few though lol
There's a couple things you could try in that case. Try Ctrl + Shift + R. Try clearing your cache.
Well, it's just not doing it tonight. I've done everything else in this module. I'll move on to a different one and come back to this later. Thanks everyone.
Literally recently done that module and it does take forever to spawn
I didn't have to... cos I already do labs anyway but if I were you I'd read all through the nibbles part and just do it all at once after getting it to spawn
Also the gettingstarted box at the end of that module is pretty fun
nice and easy but was a little annoying to exploit cos I was tryna be fast and fucked up the shells a lot
@mild plover https://0xw1ld.github.io/htb/2025/02/14/Nibbles.html
yet another writeup, just in case you wanted to see my perspective on it
Sweet! Thanks. Always looking for more information and perspectives.
Look for other areas where you can.
can someone please explain explain to me how to set up this question from linux fundamentals, filter contents section: Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths (https://www.inlanefreight.com/directory" or "/another/directory") of that domain. Submit the number of these paths as the answer.
I googled it, got the correct answer, but I'm curious as to how they got the answer, if that makes sense what I'm asking. I wanna know how to not just keep going to PhD Google hahahah
Read the RegEx one, might shed some light onto it
also RegEx is the next section, go figure
will do! thank you. I feel like I have come across some questions like this where they ask you something that hasn't really been talked about yet hahahah
Hello guys, I got a problem with Attacking WPA/WPA2 Wi-Fi Networks
Module Reconnaissance and Bruteforce
Perform the WPS brute-force attack as demonstrated in this section. What is the discovered value of the WPA PSK?
So i followed the module and executed reaver but i get the following message
sudo reaver -i mon0 -c 1 -b D8:D6:3D:EB:29:D5
Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner cheffner@tacnetsol.com
[+] Waiting for beacon from D8:D6:3D:EB:29:D5
[+] Received beacon from D8:D6:3D:EB:29:D5
[!] Found packet with bad FCS, skipping...
[!] WARNING: Failed to associate with D8:D6:3D:EB:29:D5 (ESSID: HackTheWireless)
I did everything correct, We will use Reaver to brute-force the WPS PIN. However, due to a known bug, setting the interface to monitor mode using airmon-ng can cause Reaver to malfunction. To avoid this, we'll first stop the interface in monitor mode with airmon-ng. Then, we'll use the iw command to add a new interface named mon0 and set its type to monitor mode.
Anyone getting "username or email already exist" on onlyhacks?
worked
Pentest job path / service enum: I'm unable to get the password for SMB share bob
Don’t they give it to you in the section?
I managed to solve the problem using ChatGPT. For anybody who has this problem in the future, do these steps:
sudo nano /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf
change wifi.powersave to 2
[connection]
wifi.powersave = 2
sudo reaver -i mon0 -b D8:D6:3D:EB:29:D5 -vv -d 5
Worked for me.
Power management On can cause problems with Reaver so you just turn it off on all of the adapters.
Hey guys! I'm working on the Network Enumeration with Nmap module and Firewall and IDS/IPS Evasion section. There's an example on Scan by Using Different Source IP, and I don't understand how we received a response from the target when the Source IP was changed. Shouldn't the target send its response to the specified source IP instead? If that’s the case, why does the example show a scan result?
I might be missing something, so I’d really appreciate any help!
The scan is:
sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0
Nmap forges packets to make it look like they originate from the specified source IP (-S)
so the fake source IP is routed back to you
Also, if you and 10.129.2.28 are on the same network, there's a chance the network sees 10.129.2.200 as being tied to your MAC address. That would mean responses still get sent back to you, even though you're using a spoofed IP.
If I use a spoofed IP, the target can't send the response directly to me. So either I am sniffing traffic to the source IP and intercepting the response, or these two IPs are associated with my MAC address, right?
no
They gave the hint that bob has a weak password.
I tried brute forcing using default pass for services.txt
no use
You're not "intercepting" traffic in the sense of directly receiving it. Instead, you're capturing the traffic on the wire that is destined for the spoofed IP.
Got you, thanks
what module and section, "pentest job path" isn't a module name
Getting Started - Service Enumeration?
^ if it's that one then yes the reading provides you with bob's password in the format user:pass
Hmm, lemme share it with ya
List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file.
What’s everyone’s thought process for escaping a docker container when you have a shell inside one? Usually creds hunting or finding something you can pivot off of?
this is a basics module, they're not expecting you to bruteforce
Got that, thanks... I was banging my head
I'm new to Parrot, so I'm even clueless with the wordlists
nothing to do with being "new to parrot"
It's literally just there in the text; the text doesn't talk about bruteforcing, so you shouldn't have to.
Any idea how to scan this one: 94.237.55.157:40909?
for webapp enum
What exactly do you want to scan? You only have one port available. So a port scan is not necessary. But otherwise it's exactly the same
Finally the AD module for the CPTS path. The first skills assessment I could handle, but the second I have to review to understand things that I half-got in the past. I learned a lot though.
Try running some of the web enumeration techniques you learned in this section on the server above, and use the info you get to get the flag.
the section is Getting started/Web Enumeration
What about you try the techniques from that section?
for example:
instead of curl http://10.10.10.10 you now just do curl http://yourip:yourport
Yea, I was using "htpps" instead of http, no wonder I'm getting the connection errors
Hey guys, anyone to help on the Windows Lateral Movement skills assessment? I am having trouble with question 2. I got the creds and successfully RDP'd to the target, but there is no flag on the desktop. I also tried to use those creds to get access to WSUS on different services, tried a bunch of non-default ports as well.
look on the bright side. This kind of mistake will never happen to you again, or you will realize it very quickly.
yeap thanks!!
Good afternoon guys, has someone completed the AI module?
Why is ls not working?
Ironically, even after restarting the lab target systems twice, I'm in a situation where http://172.16.5.135:80 is inaccessible.
With NMap scans, via Proxychains, it shows up as "filtered" and even from the lab systems themselves (with curl from the pivot box, or with iwr from the RDP system), the target does not respond as expected.
I'm about to terminate and restart the targets a third time, and then I'll give them at least five minutes before trying anything.
The error message is pretty clear: the user in question does not have read access to the share you accessed.
Your smbmap command confirms this.
So how to get the flag? They say there is a flag in SMB 😭
that's not John's flag
each service on that section has a different user
Hey guys, I'm stuck here
Yup, there seems to be something really wrong with the RPivot lab right now. On my third lab restart, the target remains inaccessible.
The pivot box itself should be capable of targeting the 172.16.5.135 box, but:
ubuntu@WEB01:~$ curl http://172.16.5.135
curl: (7) Failed to connect to 172.16.5.135 port 80: No route to host
I hate that I had to open the spoilers to grab the flag from there. But no, the target simply refuses to become available.
And that's not your fault
What are you stuck on? The syntax you're showing here is incorrect Python. You can't just plonk down a URL in the middle of a script.
(Footprinting - IPMI question 2) Found this hash and I'm trying to crack it with hashcat, but it's not working. I tried with rockyou and still nothing found. Anyone has an idea?
why?
What do you mean, "why?"
Any programming language, including Python, has rules for how to write. Our own spoken languages have rules too: grammar, spelling, syntax.
What you did on line 5 in that script is similar to me looking at you and saying "Hamburger amazon"... it means nothing, the context is wrong.
If you want to define a variable with that URI as its value, you need to use the right Python syntax for it.
If you want to do something else with the URI, again, use the right syntax for what you want to do.
I couldn't tell if you were sarcastic or friendly. So I'll take it as the latter and say "thanks" 🙂
And how do I use it if I have no knowledge of Python xDDD

That's the whole point of these trainings, no? Learn and research. Many training companies who teach pentesting also want you to (self)-learn how to read and adjust existing scripts, in many languages.
Which module in which path are you working on?
As a spoiler, I think you want this:
||url = "http://10.10.15.11:8000/api/upload" ||
If hashcat doesn't work, use another tool
Maybe study this module first
https://academy.hackthebox.com/module/details/88
There we go 😄 I knew it...
AI xd
thanks
Now that a mod is here, my post above about RPivot might be a bug report worthy
don't worry 😛
Which module is this?
When I have worked through the module, I can look in my notes to see how I solved it.
Did you ensure you are on the right VPN?
I ran into a similar error, and surprisingly it was just a VPN issue on their end
Try alternative VPN
It's this one -> https://academy.hackthebox.com/module/158/section/1434
The whole lab works as expected, but that one IP remains uncooperative.
Huh... that'd be interesting. I've been using the same VPN connection (EU Aca 6) for at least two weeks now. Why would that differ? ... let me go see.
EDIT:
I downloaded the VPN definition and md5'd the new one vs the one I was using... it's the exact same file. So, you're suggesting using something else than EU 6?
I will, once I've finished this next lab... I'm assuming that there are unique target labs for every VPN connection? Or do they use the same pool of VMs, regardless of VPN ingress?
I had a target spawned, changed VPNs and connected to the same lab, so I think it might be the same pool
Also try switching between UDP and TCP. Proxychains uses TCP. Try it with a TCP VPN
Upvote, try TCP
I wasn't using proxychains, and the problem is not my proxy or the port forward. The problem is that the actual target itself isn't up and responding. You would expect that you can curl port 80 on the target from the pivot host (as a way of testing if the host is up) and I cannot.
The pivot host itself is perfectly reachable, and proxychains, sshuttle and a port forward all work fine. It's that the actual "deep" webserver that has the flag in the title bar is not available. The pivot host itself cannot reach it (which of course is required, if you want to pivot on the... you know... pivot host 😉 ).
Once you have established a connection with rpivot, you will need proxychains to reach the website.
I realize that. And so far, to make sure the lab is up and working, I also login to the pivot host itself, to see if that can reach the final destination.
Up until now it could not. Now on my fourth restart of the lab, the final target does respond.
The problem was not my proxychains or the forward, it's that the pivot itself could not reach the final destination. It was like asking my son to ask his mom to pass the salt, but mom wasn't there.
I have been able to successfully pivot and ping the target internal network.
Not sure if its a target issue
That worked fine for me too. The problem is that I cannot reach 172.16.5.135:80 from the pivot host, as per the lab instructions. It's unresponsive.
Hi, I just got the flag. Its working as expected for me
And for me, now, it is too... after the fourth restart... before that, the actual target was unresponsive... 🤷♀️ Moving in 🙂
Thanks for verifying / helping me test.
All good! Glad it worked
Just to be sure, module Shells & Payloads -> Skills assessment. The "attacking host" has no browser I can use? I pwned the first machine with ligolo tunnelling, not sure if this is intended, as pivoting and tunnelling were not covered before.
I'm mega stuck with AI xD
Looking for someone who managed to pass the Module: API Attacks / Section: Broken Authentication, I'm stuck on it... I managed to get the password changed and logged in using the new credentials, then I tried to retrieve the information that is needed to get the flag and I got "Unauthorized" as the response... thanks in advance for any enlightenment.
Hi any hacker here ?
Nope
Why
What do you mean by ‘any hacker here’?
Because
xD
sometimes changing vpn region pushes it along
ligolo allows you to add routes from within the app btw
(granted you start it with sudo)
Hey, I was going through the Pentesting Basics > Service Scanning section of the Getting Started module and tried to do the exercises from memory. When running the commands from a VM through VPN I was lacking the crucial output to answer the questions, while running the same command from the built-in instance provided it easily.
Is there anything I'm possibly overlooking that reduces given output when running from a VM+VPN setup compared to the built-in instance?
try doing a banner grab
Question for HTB staff: Is there a certification planned for the AI Red Teamer role path?
if it's a job role path then yes there will be a cert
they partnered with Google
so it would be weird to have it be a job role path and not just a regular path
Was asking because even though it is a job role path there's only 3 modules in it.
the path itself, however, isn't completed yet
i'm sure some agreements they made with Google forced their hand to have the path drop without actually completing it
Consistently returns "No route to host", not an expert in networking or the usage of VPNs in Linux. Does the following line in OVPN influence this?
net_route_v4_add: 10.129.0.0/16 via 10.10.14.1 dev [NULL] table 0 metric -1
yes
it adds a route to the lab network [10.129.0.0/16] via the router [10.10.14.1] which is the vpn router
however dev [NULL] is interesting
i suggest restarting your vpn connection
yeah someone else suggested that too... it's a very odd thing though... why would my VPN ingress make a change to a backend system in a lab?
It keeps returning that same line, so I'll try to redownload the config file. Otherwise I think it's on my end.
labs are dumb sometimes; and the labs are spawned on the region you select
ip route
Please, anyone, help me on module: Windows Privilege Escalation > Kernel Exploits
getting error on Meterpreter : [-] Send timed out. Timeout currently 15 seconds, you can configure this with sessions --interact <id> --timeout <value>
It does define the tun0 device there.
10.10.10.0/23 via 10.10.14.1 dev tun0
10.10.14.0/23 dev tun0 proto kernel scope link src 10.10.15.34
10.129.0.0/16 via 10.10.14.1 dev tun0
AFAIK there is nothing wrong with this no?
nothing wrong
is your vpn the same region as the target? head academy-regular.ovpn
Guys, if someone has completed the AI module, tell me please
How to check the region of the target? (Sorry if this is a not thought-through question)
that's the region in the box that you'd select to download your vpn from
also: when you change regions make sure to
terminate --> spawn
to ensure it spawns in the correct region