#modules
dnsenum --enum inlanefreight.htb -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt , when using this code on this website they tell me that it has nginx, how can i do a dns enumeration ???
Hey gang, I'm designing potentially my first modular home network that I can open up ports on. Someone else incredibly well versed in networking is helping me out but I just want to run the logic by you guys before I run it through him if that's all right and allowed
I have not made any notes regarding the RDP connection. In other words, I did not pay attention to anything in particular.
Try
xfreerdp ………. /cert-ignore /tls-seclevel:0 /timeout:80000
- i have to do whois on the website but it didn't work properly, it says
No whois server is known for this kind of object.
Thank you very very much
I have just learned the hard way that LLMs cannot be trusted with regex
Any network doods willing to DM me would be massively appreciated, thanks
htb is not an official top level domain. This means that you must specify the responsible DNS server.
are you also in regex module
in infosec pathway
No, I just ran in to the secret regex question hidden in the linux fundamentals module
the cURL one for inlanefreight
i've done it in the /etc/hosts i know that
yea, that one was crazy, wasted few days and then looked for solution
If it's about a module, just ask your question.
If it's not about a module, Channel #homelab-sysadm is probably more suitable.
I like that it forces some research, but it's unnecessarily obfuscated imo
If you want to bring up regex, just bring up regex
All it did was piss me off and put me off studying for the rest of the day
$$ can be interpreted by your shell, and enclosing with double-quotes doesn't prevent that. Try single-quotes
so you are randomly doing linux fundamentals, or as a prerequisite for cpts pathway
Prereqs for cpts
What? What exactly is in the /etc/hosts?
I mean, this file is more or less a replacement for the name server. In other words, you can simply look in this file and know which entries exist.
were you able to do it without llms or direct answer from google
That question? Fuck no
I didn't know regex existed before that question
Hello, i am currently in the "get started" module in the server scanning section. The exercise to be solved in this section is to list the available shared SMB resources, connect to the "users" shared resource with the "bob" user, move to the flag directory and send the contents of the flag file to solve the exercise. When listing the shared resources, some warnings arise:
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
I have just started my cybersecurity learning through the platform, so I would like to know if the impossibility of completing the exercise is related to these warnings and is due to a technical failure or an error that I have made while trying to solve the exercise.
Sorry for the inconvenience...
LLMs were no help though
I had to check forums
LLMs seem to be VERY VERY bad at Regex
I bounced my thinking off a few while I was trying to understand it and most of them got it wrong multiple times
you mean that i have to do dnsenum in a subdomain of it ??
Is it supposed to be searched in Powershell?
No, I mean you have to query the relevant DNS server.
I am also doing the same thing, we can study together on discord sometime if you want, maybe I will not get demotivated all the time because of difficulty
Sure, but my brain is cooked for today
can I send you request
Go for it, I already messaged you earlier to ask about it because I searched the chat and saw you asking about the same question
thats funny cause I tried to reply and it said I cant do that due to some error
Just saw this, thank you
Oh, it says "no access"
Read and follow #welcome
idk what that means dns zone transfer or what btw i am in "INFORMATION GATHERING - WEB EDITION - skill assessment"
i have replaced the inlanefreight.htb by the ip address target in the /etc/hosts
and start by whois but it didn't work
Done! My fault, thanks for your patience.
did you get to see the share? what did you try? mine has it too, don't worry about it
AXFR
thanks
No problem.
this worked for me btw ty i should've known this 😛
someone plz help me on module- Attacking Enterprise Networks > Exploitation & Privilege Escalation
172.16.8.20[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
CreateProcessAsUser() failed. Error: 216
getting same shit again and again
Password Reuse / Default Passwords i need to do password attack to mysql in this section?
Maybe eventually
If you're completely lost you can DM.
there's an internal sql service running
connect to target via creds mentioned -> test creds from default-cred-cheatsheet
Hello, i'm currently doing the Active Directory Enumeration and Attacks Skill Assessment Part II, when doing one of the tasks, i find it a bit WAY TOO GUESSY, so i checked online on WUs to get the information i needed, can someone tell me in private or here (if it's not a problem to spoil) how should i password spray 300+ users to find a password which is in the top 10k passwords of seclist ?
writeups for that module are prohibited and using them is tantamount to cheating
since it's above t0
didn't know about that
you do have to guess, a bit
but the module gives you a couple test ones to spray with
well that was the only time i needed to but like how
also when you use a password list you're no longer spraying, you're bruteforcing
spraying is 1 password against loads of accounts
Yes i was talking about the attack in general, i tested the top 10 individually before that
Oh wait
again the module gives you a few common passwords to use
the password list given in one of the learning modules ?
I was thinking that i should not use information like that
In a real assess i would not have a pregiven list of passwords
you won't need to use the >resources< button from other modules for any other module
no but you can compile a list of guesses
Password1! and <Season><YYYY>! are common enough
that's why i used the top 10 to 1000 password lists
as well as ChangeMe123!
but after finding the real one, it's a bit guessy since it's not in small common wordlists
but i'd go with a single password first
otherwise you might lock out accounts unintentionally
treat it as if there would be
it's not that guessy if you actually took good notes
lol
re-read the password spray section and look for the <password>
no but like
but like what?
Don't you think it's "out of the box" ?
to assume the password is the one used in a learning module
that's kind of the point? not everything is that straightforward
and not in the most used wordlists in the world
they do certain things on purpose
it's like not using rockyou's passwords
if they wanted to use a top x password, then they'd have used it
if you really feel that way leave a /feedback
¯_(ツ)_/¯
the real thing isn't that you're "using something from the section as a hint" it's "Let me try something I saw previously"
break away from the thought process of "the section specifically says to do this" and think "the section references this to try"
and to a degree the skill assessments use (a bit) the knowledge learned from the sections to push you forward
also: assume that the >resources< button with the lists is a colleague that gathered info for you
i have a drive with 2tb of just wordlists on it for this exact reason
this isn't good advice, to a point
Ok thanks, didn't know things could go "outside of the box" like this
you're sending them on a wild chase at that point
trying different lists isn't bad per-se but when you're trying to password spray, you shift from spraying to brute-forcing when you use a pw list
aah ok
Hi, I'm new to this. I'm interested in HTB certifications, but I've seen that many people say that Off-Sec certifications have more weight. I'm from Latin America and I don't know if those HTB certifications have a good weight when looking for a job.
look for job listings in your area
the only reason OSCP holds weight is because of its length in the industry
CPTS has >>>> knowledge value
many people do the cpts path for the knowledge then do OSCP
also #careers-and-certs ; read and follow #welcome to access it
biggest advice for most of the things: think dumber
don't try and "outsmart" the assessments
try simple things first; what was mentioned or referenced; then move onto the more complicated things
not sure if this is the right place to ask this question, but does anyone know with ISC2 credits when they are submitted to ISC2? my academy account shows i have 8 but on ISC2 it still shows 0
Yo
Learn about how CPEs are allocated on HTB Academy.
ah perfect thank you 🙂
Hello
are we able to find the start and end date anywhere for when we completed/started the course on HTB so we can add the ones that happened before I added my member number? can't seem to find that anywhere
no
@thin citrus don’t spoil modules over t0 please
Sorry
No worries. In other news, feel free to dm me what you got
I see you deleted my post👍 Ill dm you friday I went to my mom
any tips for Using EAPHammer? For the new module "Evil Twin Attacks"

im stuck on https://academy.hackthebox.com/module/176/section/1780 question 1
when i run the get-ggppassword script, i get no output
well ggppassword isn't a script
yes it is?
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1 looks like a script to me
re-read Get-GPPPassword not Get-GGPPassword
In the Footprinting IMAP/POP3 chapter, do you have to prepend a random character before an IMAP command for it to be valid? Additionally, why is there no mention of how to read an email with the FETCH command?
im doing gpppassword thats not the issue
yes
also not sure why they don't use fetch; likely to encourage some research but an absolute oversight imo
More than happy to do the research but can be slightly jarring to spend so much time iterating through google when you have little time in the evening to learn
@young summit that module is >t0 also skill assessment so be mindful of spoilers
it's expecting the answer in the format of
a b c
no commas or delimiters
aha
thanks
@fathom pendant is it same for question 2 ? and other questions asking for multiple answers
for this one, yes
i found only 2 and they are incorrect are there more?
I tried .ext1 .ext2 and ext1 ext2
no in the second question
yes i did
for the subdomain the correct answer was the three from my screenshot btw
sry
there's more than 2
Response size is also something that will need to be fuzzed.
Attacking Common Applications - Attacking Tomcat
Can I get a nudge on the wordlist I'm supposed to use? I've tried the ones in the tutorial (msf default wordlists), msf tomcat usernames against rockyou-10k, but couldn't get anything. Nvm, my tool was bugging.
Edit: Actually, it's target that's bugging: https://discord.com/channels/473760315293696010/1344092761028169770
can someone give me on the skills assessment webfuzzing
I'm on the hard lab for attacking common services. We'll see how long it takes me to solve it. I'm gonna work on Python later today.
how has everyone been?
no issues yet doing an nmap on it
anyone run into a similar issue with the "Introduction to windows command line" module? its telling me to import this module but its being blocked on the VM
PS C:\Users\htb-student\Desktop\Powersploit\PowerSploit-master> Import-Module .\PowerSploit.psd1
Import-Module : The module manifest 'C:\Users\htb-student\Desktop\Powersploit\PowerSploit-master\PowerSploit.psd1'
could not be processed because it is not a valid Windows PowerShell restricted language file. Remove the elements
that are not permitted by the restricted language:
At C:\Users\htb-student\Desktop\Powersploit\PowerSploit-master\PowerSploit.psd1:1 char:1
+ @{
+ ~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:1
+ Import-Module .\PowerSploit.psd1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (C:\Users\htb-st...owerSploit.psd1:String) [Import-Module], Missi
ngMemberException
+ FullyQualifiedErrorId : Modules_InvalidManifest,Microsoft.PowerShell.Commands.ImportModuleCommand
PS C:\Users\htb-student\Desktop\Powersploit\PowerSploit-master> sc.exe query windefend
SERVICE_NAME: windefend
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PS C:\Users\htb-student\Desktop\Powersploit\PowerSploit-master> sc.exe stop windefend
[SC] OpenService FAILED 5:
Access is denied.
Error message is saying that PowerShell is in Restricted Language Mode if you look closely — which means you can only load perform basic things.
I'm on the "Information Gathering - Web Edition" module and I'm a little confused what it means by STMIP and STMPO. Google has not availed me of anything so it doesn't seem to be a common term but something specific to HTB (I'm guessing)?
I'm guessing its something like the target IP but some clarity would be helpful
@foggy monolith Tried setting the language mode to full on the HTB VM (ssh into the powershell session) and doesnt really work out for me, it stays in restricted mode:
PS C:\Users\htb-student\Desktop\Powersploit\PowerSploit-master> $ExecutionContext.SessionState.LanguageMode = "FullLanguage"
PS C:\Users\htb-student\Desktop\Powersploit\PowerSploit-master> $ExecutionContext.SessionState.LanguageMode
FullLanguage
PS C:\Users\htb-student\Desktop\Powersploit\PowerSploit-master> Import-Module .\PowerSploit.psd1
Import-Module : The module manifest 'C:\Users\htb-student\Desktop\Powersploit\PowerSploit-master\PowerSploit.psd1'
could not be processed because it is not a valid Windows PowerShell restricted language file. Remove the elements
that are not permitted by the restricted language:
At C:\Users\htb-student\Desktop\Powersploit\PowerSploit-master\PowerSploit.psd1:1 char:1
+ @{
+ ~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:1
+ Import-Module .\PowerSploit.psd1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (C:\Users\htb-st...owerSploit.psd1:String) [Import-Module], Missi
ngMemberException
+ FullyQualifiedErrorId : Modules_InvalidManifest,Microsoft.PowerShell.Commands.ImportModuleCommand
Set-ExecutionPolicy -Scope Process Bypass
hello i'm blocked on the third module of the SOC path can someone help please ? 🙂
hiya, so im on windows fundamentals, section ntfs vs share permissions... so i know if i disable the firewall all together i can smb client into the shared folder that works
but what if i wanted to make a rule so i can have the firewall on and still smbclient to the share how would i set the rule
Well, it gives you the attack path but not the same view
ive been looking stuff up and everything says ports and domain names but i have no idea what im supposed to do
it probably is find all path from domain user to HVT but they just moved the nodes
Once the proper inbound firewall rules are enabled we will successfully connect to the share
but i have no idea how to set it
create an inbound rule that allows 445 (picture is my screenshot during this module)
thats a port number though
i guess so, but bloodhound is just saying to me, no data (which makes no sense because they should be valid paths)
Good evening. I am running into an issue on the following module and could use some assistance. I can not tell if the issue that I am having is understanding of the function or if I am simply missing what is in front of me. If there are some resources that I could be pointed toward I would appreciate it.
Intro to Assembly Language > Functions > Procedures > What is the address at the top of the stack after entering "Exit"?
Please feel free to message me privately. Whatever y'all most comfortable with.
if i did that in a real life scenario then itd leave that port vulnerable cant i set a rule just for the one service or client model
i guess so but back then i didn't look in detail (i tried but i didn't succeed)
yeah im trying to figure out how i would set it as if in a realtime scenario
if i were going to want to do office work from home and needed to access the shared folder how would i set the rule
what i read said domain name inbound and techy techy techy... so it wasnt much help lol
To set an inbound firewall rule to access shared folders from home, open your Windows Firewall settings, navigate to "Inbound Rules," and create a new rule that specifically allows traffic on TCP port 445 (the standard SMB port used for file sharing), ensuring you specify the IP address range of your home network to restrict access only to those devices; this is typically done under the "Scope" section when creating the rule.
i guess you do have to open a port this docu i understand once you open the port you can set ip address rules... that would suck if you reached the lifespan of you ip from isp server and dhcp was down rolling you a new ip
be like yeah gettin that project done oh shit wait i cant connect my ip switched
Double Tapping because I am very stuck:
Good evening. I am running into an issue on the following module and could use some assistance. I can not tell if the issue that I am having is understanding of the function or if I am simply missing what is in front of me. If there are some resources that I could be pointed toward I would appreciate it.
Intro to Assembly Language > Functions > Procedures > What is the address at the top of the stack after entering "Exit"?
Please feel free to message me privately. Whatever y'all most comfortable with.
Intro to Windows -xfreerdp
Forgive me in advance for being new and clueless to all of this, including Discord. I'm hitting a wall with the literal first objective and can't figure out if this is a "ME" issue or a tech issue.
I open Terminal and run "xfreerdp /v:10.291.201.57 /u:htb-student /p:Academy_WinFun".
To which, I'm met with "[18:46:47:025] [6159:6160] [ERROR][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex ERRCONNECT_DNS_NAME_NOT_FOUND [0x00020005]"
Am I missing something in my execution or is this something outside my scope?
I think that there is supposed to be an '!' at the end of your password and you might try the following order:
xfreerdp /u: /p: /v: /dynamic-resolution
i found it
Your rule?
https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure or errem ip or domain i mean**
Thanks for pointing out my issue. Felt dumb but I can live with that if it means I'm moving forward. Back to work...
i hate it when they just say use this, with no explanation of what the hell it means
explain shell can only give me very small details can anyone enlighten me, or is there a man page
sudo mount -t cifs -o username=htb-student,password=Academy_WinFun! //ipaddoftarget/"Company Data" /home/user/Desktop/
chat GPT would be better than us at explaining this so...
i guess it would all be under mount
Looks like it's mounting it to the desktop though, so that's where you should look for it
i know what its doing but i want to understand the syntax better like how would i know to use that syntax and all, whats chat GPT?
It's a large language model that can help explain stuff
i know its using cifs as smb for file i know its mounting the filesystem i know username and password is to like rdp into it... i just dont know where to find the info like if i had to do this on my own where they came up with the syntax
That would be in the man page for mount, also anywhere on the internet just google: mount smb share to cifs
yeah sure do that on the internet and get all these super prof from stack overflow... end up still asking the same question lol
i did that before asking here let me try chat gpt
chat gpt is breaking it down thanks so much
Hello, how are you? Can you please help me with the DACL I Attacks module, the Granting Rights and Ownership section, the last point: " Use the Managers group privileges to abuse the company's CEO's account chap, and gain access to the shared folder \DC01\CEO, without changing the CEO's password. Submit the contents of flag.txt as the answer. " I have the Managers group privileges, but I don't understand how I can take advantage of it to overcome the challenge, I thank you for your help!
Yabadabadoo
omg i love this thing
why do i learn more from ai than anything else when i search things
Keep in mind it's not gonna be 100% accurate so still err on the side of caution
nba youngboy?
What
Yabadabadoo vs nba youngboy
no ill double check with explain shell and other resources i never just take one answer as definitive i still question and see what other information i can find..... MORE INPUT STEPHANIE
Can someone help me on Http attacks please , I cannot get the flag on TE.TE
.<
Not a module but still
yeah this isn't the channel for that
What channel would you recommend?
what platform is that on?
I joined the server just for this question and idk where to ask
is it part of #1342649485515558922 ?
Ctf try out
I think yea
try asking there, you may need to follow the instructions in #welcome to access the channel
Ahhhh ok
can someone help me with the hard assessment?
did you use the lists given to you?
yes
why if I try the full username and password list they gave me should that do it?
because it didn't for me
tried rockyou.txt too
trying on a different port number
for ftp
will try ssh next because that's another option nmap has given me
if I try to crack via hydra it gives me a "too many connections" error
regardless if I try ftp or ssh or what port I give it
I managed to get the ftp ports to show up by looking up and finding ports that ftp typically can run on
Sup! Been stuck on server side attacks skills assessment for almost 3 hours now.
dm the command
I will but I have to get home first. I'm at a hackerspace and I'm gonna leave in 10 minutes. I'll DM with you when I get home.
but right now I have to pack up before I go.
it'll take me 30 minutes or so to get home and I'm leaving in 10
I'll keep you posted
So ive been still working on the pivoting, tunneling, and port forwarding module, specifically the section on SocksOverRDP, for about 10 hours total now. Ive tried various methods of trying to get the plugin and server to run correctly and it has not worked. I have tried changing VPNs, pwnbox, resetting the box multiple times, nothing has worked. It seems like the plugin installs but does NOT RUN when the RDP session via mstsc.exe is established, therefore the server is unable to do anything on victor's machine. Has anyone gotten around this issue? I havent gotten any responses over the past couple days so I feel like not many people have this specific issue. I feel like either i am doing something wrong that is not specifically documented in the section or that something is bugged and not working in the Windows machine that is first remoted into.
did you disable real time protection?
yes it is off
the .dll isnt being deleted
and it is being successfully 'loaded' via regsvr32.exe
i don't think it deletes the dll it just blocks it
it will delete it
try executing it manually in the rdp session before expecting automation to work
i followed the instructions provided and was able to do it
how do you manually execute a plugin in mstsc.exe?
you don't need to load the .dll on victor's machine correct? just the server?
as in, you only need the server for victor's machine for this step
so you have the .dll loaded on the htb-student machine, and the server.exe on victor's machine
this is what im not getting
i never get this popup
ok i figured it out
was running the wrong bit version of the .dll.
wasnt running the x64, was running x86.
🤦
👆
would have caught the architecture mismatch
what do you mean executing it manually though? executing the .dll manually?
yes
ok. i will remember this
awesome
can anyone help me use xfreerdp to connect to the host using drive redirection to transfer files back and forth easily.
i'm doing Attacking Enterprise Networks > Lateral Movement and i'm stuck at this command:
xfreerdp /v:127.0.0.1:13389 /u:hporter /p:Gr8hambino! /drive:home,"/home/tester/tools"
getting error for this: /drive:home,"/home/tester/tools"
no need for quotes, /drive:linux,/home/tester/tools
but you need single-quotes around your password
whenever your password has anything that your shell might interpret, which may be the case with ! here. If in doubt, try echo Gr8hambino!
tried but still not working
what's the error now
plz check your DM
Anyone else appear to be having issues with HTB Academy Servers?
Module name - Pivoting, Tunneling, and Port Forwarding
sub mod name - RDP and SOCKS Tunneling with SocksOverRDP
getting the error below on pivot host (172.16.6.*) host
Edit: Solved on its own 😭
for the last question on skill assessment 2 for intro to deserialization, do i need to do obfuscation? i can't seem to get RCE even though i am able to ping myself
I’m working on eWPTX Certification has anyone done this before
ig u should ask it in #careers-and-certs
Oh okay thanks
were you able to get it? im also stuck here. i can ping myself but thats it. can't get rce
Hi! I have a question about the Linux Fundamentals module. I got the index number, but it is not correct, and I don't know why.
Make sure you're on the target and not just the pwnbox
Not yet. Can I DM you?
Hey all, I'm stuck on the SMTP module (answer 2). I can't figure this out.
If someone has any advice, would love to hear from ya
you know the process
@pure seal careful with revealing credentials (even if they're given) as the module is greater than tier 0 (free); also you're another victim of "it's on the desktop"
Oh. Sorry, didn't know about this rule
see channel description
Use msfconsole and the wordlist they provided 👀
bro can u help me little.
https://academy.hackthebox.com/module/147/section/1322
where is kira password ?
If I remember correctly, you received this password in one of the previous lessons
you discover it in the cred hunting linux section
i don't see kira before 😭 , can u tell in which section it was ?
always save uncovered credentials; some modules reuse quite a bit
yesh bro , but i don't see kira before as i remember , can u tell in which section it was ? so i can figure it out.
which section ?
[MODULE]: Advanced XSS and CSRF exploitation
[SECTION]: Skills Assessment
Hi all, I might need a help with first part of a skills assessment. I have the open redirect working and I have found the way to store the XSS on the page. When I try to trigger the whole flow myself, it looks like it is working fine because all the requests are being triggered.
Leaving the code here: https://pastebin.com/yd35QgXs
your payload is a txt file
Module: File Transfers
Section: Windows File Transfers Methods
In the Lab, we have to RDP using provided Creds, but my xfreerdp3 command is failing:
What could be the issue here. My command is correct I checked. I am connected to VPN as well.
One difference is, solution used xfreerdp and Kali has xfreerdp3.
Guys when you created a dump file on an attack machine why mimikatz on this machine is unable to see it
?
what could be the reason?
u may give wrong location
show the command
mimikatz # log
Using 'mimikatz.log' for logfile : OK
mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'
mimikatz # sekurlsa::logonpasswords
sekurlsa::tickets /export
dir *.kirbi
yeah, but does it really matter? When I access the xss endpoint the request is being executed anyway with my session
the /users.php?userid=3 is being executed
okay then, maybe it doesn't matter
your session vs their session
setup a canary
the same error
the situation is that it gives me errors on my kali and doesn't give me errors in pwnbox
what the hell I can't understand
damn
ah I overdid it. It worked when I removed half of the steps
thx m8
awesome
hello i need help about this module https://academy.hackthebox.com/module/77/section/843 i tried every thing to same but it didn't work
you're not gonna be able to replicate the example
you need to understand the flow that was used for the examples
- identify the service
- search for exploit
in this case you're given a public ip and port to test against
which is running a webserver
@dry falcon do not randomly tag people
We are not a helpdesk/paid to help you with your modules.
Try with a modified pw list maybe
- try with the mutated list
- don't just ping people randomly
Hey everyone, I'm currently working through some of the old Academy machines that I skipped initially, I'm on "Ignition".. Is it known that you can't seem to find the services on the machine? I've tried:
sudo nmap -sC -sV <IP_ADDRESS>
sudo nmap -sV -p 80 <IP_ADDRESS>
It just comes back with "Host seems down. If it is really up, but blocking our ping probes, try -Pn"
So, I add -Pn and it just takes much longer to go through and gives me "Host is up, all 1000 scanned ports are in ignore states"
I seem to remember this being an issue before, too... Any help greatly appreciated!
Ignition is a starting point machine read and follow #welcome to access #starting-point
Ignition isn't an academy machine
👍🏼
Im doing the crackmapexec module, I'm having issues on the 'Searching for Accounts in Group Policy Objects' session on the first question, I always get the '[11:18:16] ERROR NetBIOSTimeout on target 10.129.204.177: The NETBIOS connection with the remote host timed out. connection.py:172' message
Im using nxc btw
Oh ok, after trying a lot and sending a message here, it just magically worked
timeout
sounds like it's having issues connecting/maintaining connection i.e. high-ping
Hmmm, thanks marcie
use --smb-timeout 120
nxc automatically gives up after a while when the connection is slow
In the ffuf module, I mean, nowadays web applications sit behind WAFs. What I miss in the module is what needs to be considered in such cases—not just how to bypass them, but also regarding rate limits...
finished thick client app section and wtf was that 🤣
an abomination that shouldn't be there
does anyone know how can I use my student ID on the academy to share my progress to my github portfolio ?
there's no public API to share your htb academy student ID; been bugging for ages about one since there's only a vague mention of it
well "public" as in an api key and stuff to use
It would be really cool if there was one, it would be a nice add to my portfolio
I hope HTB creators note this down
/feedback
thnx
you may need to add the word "cable"
which channel again ?
any channel
i dont see it
/feedback is a command
ohhh
it worked ty
deleting your messages because they contain the answer
(spoiler text does nothing)
ok
modern web :8003
Hi so I'm on the shells and payloads live engagement, and I wanted to know why 172.16.15 is the LHOST you're supposed to put in the payload, how do I know what interface to use, as it gives quite a few interfaces when i use the command "ip addr"
you're attacking internal web apps
and you're doing so through a foothold machine
so the exploits need to call back to the foothold machine, where the ip matches the same subnet that you're attacking
Ahhhh
yeah I know its i'm attacking internal web apps, but how do I know what interface name that is, or am I just supposed to memorize what the names of every vpn interface is
Not all are relevant to your task
Loop back is you, eth(x) is your wired connections if you have any
tun(x) is tunneled vpn
inet is where i find my ip address on a local network
Maybe stands for internal network? I don’t know
But each type of interface has its own use — Google the ones you’re not sure of but they should all mostly be under the same type for your Htb vpn connections
Looks like that’s for ethernet based pcie
VMs NICs etc
Yeah I think for the future I'll just chatgpt, out of which of these interfaces is the one for a VPN
ens192 is a secondary network adapter
which means its dedicated to tunneled vpn connections
i mean it likely is
You're attacking a web app that can't see your 10.10 IP address, so you need to pivot.
i never used the 10.10 address, i actually used the host 1 IP lmfao and kept getting no reverse shell back
i used 172.16.1.11
Did you set up a pivot agent? I always use Ligolo-ng for that sort of scenario but I also understand that there's no module for it.
no i didn't, sadly
I just enumerated the interfaces and used the one designed for vpn connections
Hello, I'm working on footprinting for DNS in pentester path. In last question they ask to find a hostname with IP ending with .203. I tried multiple wordlists for subdomain bruteforcing. I don't get the intended results. Any help is appreciated
Hey, the last question of the section Anatomy of a shell of the module shells & payloads is not working
like, i get the ps version using the $PSversiontable command on the pwnbox
but it's not the right answer, i think the fact that the pwnbox is being updated makes it obsolete
or maybe there's something i don't understand
LHOST is the tunnel IP of your attack box which is reachable from the target.
it's whatever IP will be reachable by the end target
But in this case, it is
for instance the skill assessment has you go through a foothold/jump-host
Okay
just expanding on the general knowledge
I have a samsung galaxy book 360 pro 1T 5G and I'm thinking for MSI Katana 17 17.3in i7 16GB 1TB
RTX4050 Gaming Laptop
What do you recommend?
thanks everyone I will try again to setup again
you were literally just advised on this in #cpts
both are fine
thank you that work perfect
did you try ntpdate?
anyone else getting this issue?
what module is this?
DACL 1?
sudo timedatectl set-ntp false
sudo ntpdate -s IP
revert previous commands
sudo timedatectl set-ntp true
see if above cmds worked
like ik ntpdate didn't work but maybe with timedatectl
try clauding it
yeah
What was your faketime command?
Good afternoon. I am having problems with burpsuite and zap while doing the following module. Is this user error or just the vm?
Using Web Proxies > Intercepting Web Requests
Did you use the right subdomain in dnsenum, because the correct answer is a subdomain of a subdomain.
Try this faketime "$(ntpdate -q IP-ADDRESS | awk '{print $1 " " $2}')"
Windows Lateral Movement > Windows Server Update Services (WSUS)
Event Log To Get Filename
TimeCreated : 2/26/2025 11:27:50 AM
ProviderName : Windows Server Update Services
Id : 364
Message : Content file download failed.
Reason: HTTP status 404: The requested URL does not exist on the server.
Source File: /Content/wuagent.exe
Destination File: C:\WSUS\WsusContent\02\0098C79E1404B4399BF0E686D88DBF052269A302.exe
Copying PsExec
PS C:\Tools> cp .\sysinternals\PsExec.exe C:\WSUS\WsusContent\02\0098C79E1404B4399BF0E686D88DBF052269A302.exe
Dir
PS C:\Tools> dir C:\WSUS\WsusContent\02\0098C79E1404B4399BF0E686D88DBF052269A302.exe
Directory: C:\WSUS\WsusContent\02
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/11/2023 6:10 PM 716176 0098C79E1404B4399BF0E686D88DBF052269A302.exe
This one is a bit of a lengthy process @tulip copper . So first you have to enumerate all possible subdomains, and then use dnsenum to find out subdomains of those subdomains, one of those outputs will have an FQDN that ends in 203
You want that IP to be the DC
I'd say set up ligolo as a pivot instead and try to work the time again.
Instead of using proxychains, set up your pivots with ligolo. I don't recall where you are in that module, so I can't really say.
You might need to create the patch again after replacing it with PsExec
okay I'll try it
nothing damn
All good. If you want you can DM so we don't clog this up.
it's because you have quotes around your $() and quotes inside the awk command
you don't need to put quotes around $()
step 1:
run the command without faketime, see what happens
step 2 figure it out from there
Your vm might be autosyncing with host
Probably
Also your date/time in your date command and the date/time from ntpdate don't line up
Anybody know why the host IP address is blocking my nmap command ?
I am on the VPN, and I get a response saying to try -Pn
it might not be blocking your nmap command, could just be set up to not reply to ICMP Echo Requests (which -Pn flag in nmap means nmap is trusting that you know the host is up)
NMAP uses ICMP Echo (ping) to check if a host is up, not all hosts (especially windows by default) allow replies to those
can i dm someone about HTTP Attacks - Skills Assessment? can't put ||the CRLF injection ||to work 😦
Is it odd that I get a response saying my actions are illegal when I am just using the command that is in the module ?
that's just a generic message ¯_(ツ)_/¯
it's saying it's illegal if you don't have permission to test those resources
Right that is what I figured. The module wants me to check for open ports but for some reason I cannot run nmap against the target IP
Are you trying against the example IP? or the spawned target IP?
Pwnbox != target
Spawn instance spawns the pwnbox
Spawn target spawns the target to scan/attack/connect to for exercises
Also don't run vpn and pwnbox at the same time
Hello, I am working on the "Information gathering - Web edition" module, and it asked me to download a tool to use for web scraping. I tried to download it, but I am getting an error.
it won't let me paste in the screenshot lol... it says "error: externally-managed-environment"
So I'm currently getting started with windows fundamentals and attempted to connect to the machine through what I presume was the required method, but got this error. I don't know if I'm missing something or was supposed to do something before this, but I'm a little stuck and could use some guidance whenever possible please.
You’re connected to the vpn?
Thank you for the answer, I will try it again
Yeah, I have the vpn thing running in another tab.
I did see something showing the creation of some sort of folder, but I assume thats if youre running it in windows, which my vm isn't windows.
Did that, and it looks like it isn't pinging the target.
--break-system-packages
I have a doubt with proxychains. When i connect to the target with ssh i set up a dynamic port forward on port 9050. ssh htb-student@10.129.114.195 -D 9050
I know that the host 172.16.5.130 is up and it has a webserver on port 80, running an nmap scan on the pivot host results in that port being open but running the same nmap scan on my machine with proxychains does not work and says that the port is filtered.
proxychains nmap -v -sT 172.16.5.130 -p80
PORT STATE SERVICE
80/tcp filtered http
Am i doing something wrong?
@cunning canopy careful spoiling modules above t0
-_- you've done it a couple times now directly spoiling a specific username
Module >t0
See channel topic
because i am busy between other stuff
Also a svc account is different from a direct user account
solved it by running it with sudo but why does that fix it?
Because proxychains is silly
i heard ligolo-ng is better. altho for simple stuff proxychains seem a bit faster to set up(when its not acting stupid)
ill def redo the pivoting module again with ligolo
@fresh stone I got you homie on ligolo
https://arth0s.medium.com/ligolo-ng-pivoting-reverse-shells-and-file-transfers-6bfb54593fa5
I'm working on Attacking Common Applications, and attempting to do the Splunk - Discovery & Enumeration and the Attacking Splunk chapters, but the Splunk service isn't coming up on the target system. I'm getting connection reset errors when trying to browse to Splunk.
My nmap shows the target is also running prtg and that one works fine.
Is it just me? Or is this module currently broken?
tyty
Https?
Also try resetting the target
The module spawns a handful of different apps at once
https brings me to the Atom feed and not the full Splunk app.
I've reset it at least a half dozen times in the past hour. 😦
In Understanding Log Sources and Investigating with Splunk - Using Splunk applications, I can’t seem to add the apps is this all preconfigured? It says to sign up for a Splunk base etc…
The module target is already configured
Even after trying https like marcielee mentioned?
Thanks
OOOH, thank you both! I thought 8000 was http so didn't even try it 😄
Signing up and downloading is for you to mess with on your own time
Afaik splunk only operates on https
i have a question
so if alias md = mkdir right and i can find that by typing get-alias mkdir
i got nothing, but if i type get-alias md i get mkdir
how can i search in the reverse format
get-alias ifconfig
CommandType Name Version Source
Alias ifconfig -> ipconfig.exe
like this for example what if i wanted to search by ipconfig.exe to find ifconfig what would be the proper syntax in powershell
i tried this but get no output...
Get-Alias | Where-Object { $_.Definition -eq "ipconfig.exe" }
Hi someone can help me ? I can't connect the VPN of htb
Sorry for the delay. Thank you! That worked!
It was the lab, needed to be reset
would you be surprised if i told you that's what the error message tells you to do
I wonder, do you guys use whitehat for report creation (or any other tool) or just simply word? Also, I checked the HTB's penetration testing report template and I wonder if it was also made with whitehat
need help with server side attacks skill assessment confirmed ssrf is possible but everything i try fails gopher:// file:// etc i found port 3306 but not really sure what to do with that since it will prolly have a username and pw
Do you guys know of any way to bypass a program with an access key? It’s a main.exe file
Bypass access key
I’m dealing with a very secure file that seems to be unbreakable
This discord is about the HackTheBox platform, this channel specifically for talk about the various modules on Academy.
@cloud urchin okay you have any directions to point me in?
If you would or could please
Sounds like you'd want to learn about reverse engineering. It also sounds like it might be legally sketchy, I don't really have any suggestions for that.
Okay thank you
Has anyone done the introduction to red team AI? I’m on the first one first question manipulating the module the first question I’m not sure is this supposed to be a flag or a specific answer. It’s hard to tell what it’s exactly wanting. I got the job done I just don’t know what it wants entered. Module/294/section/3342
When was the AI red teaming job role path started? Because I only see 3 modules on it at the moment.
Definitely something to consider after CAPE, provided it's more mature later this year.
I even put the word done in all capitals, but that doesn’t work either so this is really misleading
Hi guys stuck on the web proxies module using zap in the CBBH path,i just cant get to turn on the break point button in the HUD any idea how to or am i missing something
it's not a complete path yet
So there’s more coming?
OK, cool because a few of us are working on this right now and the first few questions are very vague as to what exactly it wants from the user to input as an answer (question 2)
People reading this message in the future visit the IP and click on your question question two you need to upload what you did. It’s a bit weird
Yeah, it's going to be fun to see what happens when it is complete.
Yeah, my fault. It could’ve been worded a little bit better as to what you’re supposed to do, but that’s how you do it.
I did see that at the end of the error. I was concerned with the "...You can override this, at the risk of breaking your Python installation or OS..." I was just being cautious 🙂
Word on the street is a purple team and an advanced blue cert
I can’t keep up with these certs lol I’m stuck on cape
I just want to get one done a year
🥳🥳🥳🥳🥳🥳
I’m doing the file upload attacks module and am up to whitelist filters. I have found the extension that bypasses the filter and can upload, but when accessing the file, the browser sends back an error saying the image cannot be displayed because it contains errors. What am I doing wrong here?
<@&861185840277487616> : bot
👀
guys, what's the worst thing someone can do to a site when it's vulnerable to XSS and HTML Injection?
Any nudge in the right direction would be nice
they are a scam bot

You can DM me if you're still stuck
Thanks ❤️
lol thought that was weird
Thanks
@rustic sage ig ya
does htb have module purchase history?
i don't think so. you can contact support on the site and ask for your old invoices, but it only shows buying cubes not using the cubes for the modules
i could be wrong but i haven't seen it myself
support could probably answer
i stopped my student sub and im like 90% sure i bought a module with cubes but now i have to buy it again🤔
gonna buy another sub anyway but still weird
maybe im trippin
i'm sure support could look it up
alr ill see
So I am doing Fundamentals of linux, came through a question that I couldnt understand properly; What is the path to the htb-student's mail? from https://academy.hackthebox.com/module/18/section/70
did you check the env?
an environment variable can be set even if the file location itself doesn't exist
No I didn't. Ok, So I will study 'env' and then try to solve this. Thank you @fathom pendant
I get the answer.
but I have to explore it more as this is the first time I came to know about this cmd. Once again thank you, much appreciated.
most commands have either a <command> --help or man <command> you can look up alongside google
a good portion of my google searches are
man <command> 
because i can't be bothered in terminal, and it is nice to have a browser tab to ctrl-f through
With a student sub, modules are unlocked free if covered by the sub (up to tier 2 I think?)
Hi can anyone give me a hand with advanced sql injection module error based section…
Once the sub ends, access also ends I believe.. not 100% sure on if it also ends if you complete it, but something within me feels like it does (for student subs)
Any luck?
👀
Thanks.
When to use what reverse shell method, like php, laudanum, msfconsole exploit, msfvenom. I am just totally lost, with the live engagement for shells, I remember with the first host I tried using burp to change the content type to text/HTML, so I can pull through a aspx file instead of looking at WAR and being like oh yeah war is a Java based file, let's use a Java exploit.
just gotta find what language its running on like you said
php shell when target supports php
laudanum when target supports asp, jsp, php or coldfusion (people still use this apparently)
There was a section yeah in the module that teaches you how to find what language a target supports, or am I imagining it
yeah ik, but i think this one module was bought with cubes but i might also just be crazy
not a big deal tho
Which module?
Ah yeah msfconsole isn't stealthy?? Is that why we use msfvenom to conduct a stageless payload?
i use wappalyzer and just manual checking
like index.php or aspx
intro to assembly
its in the student sub but i thought i bought that one separate
Ah yeah true or just common sense like Apache tomcat is a Java based Web server for Java based Web apps so obviously it uses java
every edr/av has a poster of msfvenom on its bedroom wall
Once I pass I want to buy the shirt, cut it into a crop top and wear it around indefinitely
have you seen this signature?
see something, say something
Shits an achievement while my boyfriend gloats about his 3 hour accounting exam he took 7 weeks off to study for
Hey there
I am currently working throug the password module: Credential Hunting in Linux
Since there is no initial access given, I assume that I need to figure out my own foothold even though the module is about finding passwords on an already logged on system. Correct?
correct you need to find the user/pass to log in with; don't be afraid to use the >hint< button
Sweet thank you very much. But I should also be able to solve it without the hint?
use what you learned earlier in the module, and don't forget to use the resources provided in the module.
Alright, so I try everything I learned to get my initial foothold, so that I then (when I am in) I am able to use what is in the current module.
Yeaaah, probably gonna need support on that one @safe star, not seeing an unlock which would suggest access from student sub, but am seeing completions for part of that module.
Support will be able to check I'm sure
Sorry to not be of any more help
It’s fine, im gonna get another sub anyway
this is how know I'm learning
one of the modules in attacking common services did not have any hydra involvement and i was thinking why not use my previous module knowledge to brute force the ssh instead of doing medusa so i cracked the ssh password , hackthebox truly a great learning platform thank you guys .
@lusty thicket hey for the attackingcommonservices module SMB attacking did smbmap work for you ?
smbmap -H <IP>
Can any body give me hint to find password for MySQL login in footprinting hard lab. I obtained credentials from snmpwalk query , but that's not working in MySQL .. it's showing access denied
is that common password attacks ? :))))
is the whitebox attacks - rce lab buggy? got rce but the lab crashed or something, restarted got rce again and crashed, third time and its throwing 404s lol
U mean seclist . No not that
im saying is the module name common password attacks ?
No it's cpts
machines are slow 
Did anybody here complete footprinting Labs in cpts
me
don't use mysql try the other services, then dance 🕺
Yeah pretty much that’s what I’ve done as well literally right after I started dancing the password revealed

Bro the flag is in the database .. I only want that password , if I get it I can access the database and the flag
Can u tell me from where did u got that password for MySQL
bro I already provided you the best hint..... Same as you I keep scratching my head because of this CPTS module....
its not like HINT A, go force yourself using HINT A, no go for other choicesssss
this is the pain for the CPTS more service more pain....
CBBH attack surface is smaller but you have to look for the right parameter....

Hey can I ask a question but it out from the Cybersec
What wrong with Instagram reels ? 🙂
why?
idk
Hey, is something wrong with academy's module exercises? Can't seem to connect to the vhost the section is using and I have completed all the steps for the pwnbox to find the target
Maybe it's weird question but im in AD Enumeration & Attacks - Skills Assessment Part I and i have to work with this weird antak webshell.
Besides being very coarse while using, it has some weird behaviours like im changing directory, then send dir to list all the contents and directory haven't changed at all
Another wonderful feature of this webshell is errors while sending exe files
like here
anything i can do when a target isnt spawning?
Wi-Fi Evil Twin Attacks:Evil Twin Attack on WPA2
Perform the evil twin attack as demonstrated in this section. What is the discovered value of the WPA PSK?
I am following all the steps from the module to perform the Evil Twin attack on WPA2, but I am unable to successfully complete the attack and retrieve the WPA PSK. What could be the issue?
Does anyone have an idea why this chisel and proxychains arent working
some protocol lower than layer application does not work
oh god, now it makes sense. Thank you
can someone tell me how can I paste my attachment (image) on this channel, pls?
I want to ask a question
idk
Trying to use burpsuite for a module, cuz it has a browser built in, for shells and payloads but for some reason every time i try to access google it gives me an unknown hosts error
i can access the internal hosts
just not anything internet facing
Use normal browser and use foxy
I dont know if i can use a normal browser, i can't find any
there's tor but it's refusing to download
Firefox has foxyproxy on it that can send traffic to burp
I dont actually need burp, i'm just using it for the browser
Are u using ur own machine or pwnbox
pwnbox
I'm trying to do the live engagement for shells and payloads, and one of the exploits is online but i can't access the internet
I don't think there is firefox on the foothold machine
Ok
If u ever need a file on a machine with no net you need to use the file transfer techniques
Most machines wont have internet access
someone did the titanic machine and got a hint? i am stuck getting a shell after finding user flag
You should be able to launch Firefox from the terminal with just firefox
He got foothold on an internal machine
With no internet access
I think this is his situation
wait I don't think i even need it I can just search for the exploit module on metasploit
That module skills assessment doesn't require the Internet.
Yuh I told him to use file transfer methods to bring any file
He needs
ERROR 1698 (28000): Access denied for user 'tom@10.129.3.96'@'localhost'
...guys this is the error message I am getting while trying to connect MySQL .. I searched on Google and this error occurs when the user does not have sufficient privileges ..does anybody know how to fix this
is this for footprinting
her actually
check your history
Anyone remembers at which module-section it ranks and compares wi-fi adapters that support monitor mode?
Did that a while ago and the search function didnt yield promising results
Yes I got it 
Yeyeyeyeyeyeyeyeye
thank you 🙂
Hey, on IDOR mass enumeration, I found the flag file, first with burp and then with the bash script (after editing it a bit). But however I try downloading the file itself there is no flag in it. I have tried submitting the filename itself, or inside curly braces, but that does not work. So, now I'm clueless. Need some help to understand. Thank you
there should be a flag in the file you get
I reckon Burp would give you the contents of the file/ the flag iirc
If its the filename flag ... with very long name, its no flag inside 🙃
I got nothing from that bro
Yeah I got the password of that but this error is occurring due to something else bro
I remember getting the contents easily with Burp Intruder. Examine the responses well
Ok, did it already but I'll do it again. Thanks for suggestions
Ok, got it, messed up the url when I tried grabbing it, thanks!😅
Bro can u check dm .. message contains password that's y I dm u
wait i just thought are you trying directly to connect to mysql without checking other services
my dms aren't open for help for modules
you're skipping a step
check ALL services
I used SNMP , ssh with private key
there's more services running
i'm not walking you through the whole path
you have a rough idea what you need to do
Oke bro let me check again
just ran through it with a vague recollection of steps as I just woke up, it's working as expected
i was confused by your error, but it makes sense now, you were trying to connect to your own local mysql instance I thought you were already at the ssh step
hi there! i got stuck and can't complete task 8 of meow. I had a problem yesterday while doing the exercises and now i can neither reset nor insert the flag
Need to speak to a person? Learn how to reach our support via HTB Labs.
tx!
Why are credentials often given in hints for these modules, that makes me feel like I'm using hints to finish things 😦
then don't use hints, there's ways to get creds without hints, usually
is this about shells and payloads module ? I found no way to this day to complete it without the hints either, I do not see how it is possible to find the credentials without the hints for that module skills assessment
desktop
desktop ?
oh you mean the pwnbox vm they tell you RDP too, I got it
Is it possible that enumeration or privesc isn't the focus of the module?
thanks for letting me know, this mystery was really bugging me
Small bit of enumeration is all you need on that foothold to get creds, hostnames, IPs, etc.
yeah I only ever had issues with the creds which were in plain sight lmao. I personally never used the VMs HTB provides as "internal vms". I just use my main Kali VM and tunnel through them everything, so I never inspected one.
Hi, looking for a nudge on the Sliver skills assessment, trying to pivot off of Srv09 to DC02. I've got System on Srv09
Was it you that asked me for help in the Forum?
Couldn’t get my notes yesterday
Nope, not me. Should I ask these type of questions there instead? New to the platform
No, you can ask here.
Was just curious if you were the same person.
Iirc there’s a ps script somewhere
bruh. Found it. Thanks
How'd you get the admin:admin123@#$ without using hints
check the hint provided by marcilee
I have one question
ask
definitely not in the wallpaper
Wallpaper is grey
look in the 37th shade of grey
I hope you're trolling
the file is the grey
I have the tism its hard for me to get jokes
is that a thing
WOT
Yeah over text it's hard for me to synthesise what is a joke and what isn't
So sometimes people will be sarcastic and I won't understand
it's in your desktop folder
should be
Yeah I figured
good morning, I'm working in this module "Meterpreter Tunneling & Port Forwarding" in the second question but when I'm running msf6 auxiliary(server/socks_proxy) > run
the proxy automatic stop
Cba to checked, closed my laptop for the night
[*] Starting the SOCKS proxy server
[*] Stopping the SOCKS proxy server
msf6 auxiliary(server/socks_proxy) > clear
anyone know what is the reason ?
was srvport set correctly?
the module said msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
SRVPORT => 9050
msf6 auxiliary(server/socks_proxy) > set SRVHOST 0.0.0.0
SRVHOST => 0.0.0.0
msf6 auxiliary(server/socks_proxy) > set version 4a
version => 4a
msf6 auxiliary(server/socks_proxy) > run
Can you hack free fire Diamonds
version 4a? i think this should be version 5
oh let me try
msf6 auxiliary(server/socks_proxy) > set version 5
version => 5
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 7.
msf6 auxiliary(server/socks_proxy) >
[*] Starting the SOCKS proxy server
[*] Stopping the SOCKS proxy server
same
nop
im going back to bed
ok thank you
can i get a hand regarding advanced sql injection module/**/
Anyone?
I have a question. If I get hired as a Security Analyst, or whatever what do they expect ? When I do the labs I tend to hit a roadblock and use the writeup. When I read the writeup it makes sense, but I am unable to figure out most of the box myself.
when doing the exam is the setup more reliable than the module boxes? i'm frequently finding myself having to reset the module boxes to get the responses i'm meant to be getting and i'm worried about doing the exam and failing because the box wasn't responding correctly
Mines like this too😭😭 no idea
Hey everyone, wasnt sure where to ask this question. But if im looking into a Academy subscription, but also want to play around in regular boxes once I have learned certain skillsets, do I also then need a regular htb subscription?
Hello,
I'm stuck on SSRF skill assessment
I've found the request that may contain the vulnerability but nothing works
How to unlock general chat?
active boxes don't require a sub, but yes they are separate platforms
read and follow #welcome
Thanks!
Thank you for the reply, I added a secondary email to my main HTB account and under Academy billing the student is still greyed out, is there a way to fast-track the ticket I have open for this so I can subscribe and start my preferred path? If not is there an estimated time that this takes?
wow you guys are fast. Thanks again.
i didn't do anything but thanks 
Good afternoon, I am struggling on the following section and was hopeful someone could take a look at it. I have not been able to find support on the forums.
Web Attacks > XML External Entity (XXE) Injection > Local File Disclosure
The examples do not return appropriate results and the same issue persists when trying to find the flag.
(e.g. injecting the following will not return the needed value.
<!DOCTYPE email [
<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php">
]>
)
Feel free to DM me if that is easier.
it helps if you describe your exact issue (without potential spoilers)
Should I double tap the message or just leave it and pray?
i'm not sure what you mean by double tapping the message. usually someone will respond to your message though
Sweet, I'm just hopeful to finish up this module today and have had mixed results on receiving responses. (Double Tap::SLANG:: To send again or ensure that it was received.)
repeatedly sending the same message does nothing but make more people annoyed and provide a negative perception of you
How do I shutdown my pwnbox so I dont waste time?
Pwnbox Settings > Terminate
Hello guys, I need some help with the "Using the Metasploit Framework" > MSF Components Modules question. It says that I need to find the flag.txt file using the EternalRomance exploit, but I had no success. Used both of the scenarios and no luck. I've also tried a bunch of other exploits but again, no sessions created. Any pointers?
Hey,
i'm following the pivoting module and I made autoroute as the module says, but i'm getting this error
And when trying to scan with proxychains + nmap getting nothing really.. tried -sV to get the banner but it doesn't really work
Hello
Sir i need help
help with what?
Basic hacking app and command
Which module, which section and which question are you on?
I don't understand
Was it compatible in the module?
Also try sudo with proxychains
you ask for help in the channel for the Academy modules
Which module and which section are you currently working on?
If your question is not related to the Academy modules, you are in the wrong channel
sudo seems the way to go, thanks
Best to ask in #1263635449335910531
You right sorry
@candid spire spoiler tags don't do much of anything as anyone can click on them and view them redact usernames and such with first letter and \* (this is to avoid markdown nonsense) so m* and R*
again, use \* to do the redactions because otherwise discord treats things between *text* to be italicized
Is anyone available to discuss DACL Attacks II - Skill Assessment Q2? I have discovered the m* user has rights to modify GPOs affecting R*, and I also discovered the ||file the logon script|| is pointing to. I also have the a* user's password, but when I try to modify the ||target file of the logon script|| I get a permissions error, essentially saying I need permission from myself. I have also tried modifying it as the s* user, and adding t* to administrators and modifying with that user but no luck. Any help would be appreciated, thanks!
Hello Guys, I need some help regarding pentesting, first machine. There is a share on SMB, and I need to get into it to get the flag.
But the SMB needs a password for the user "Bob"
I tried searching everywhere for this password and I can't find anything related to it. I even tried to check in the ftp port if there is a file that can help me figure out the password
The hint says, bob likes to use weak passwords
onesixtyone dict.txt file even is not opening
check the reading carefully
you're given bob:<password here>
bob:welcome1
i saw it and tried it
it also failed to log in
bob <- username
welcome1 <- password
Nt status not found
looks like the world gave its back to me, the machine lifetime ended
I spend 2 hrs looking for a password
NT_STATUS_NOT_FOUND is a different error than NT_STATUS_LOGON_ERROR
did you check the available shares; the way that SMB works is you need to specify the sharename you want to connect to
the available shares are users, printers$ and another one called ICP or something like that, my machine lifetime ended so I cant fig the exact name
I wrote the following command and run
smbclient -U bob \\\10.129.42.254\users
and it keeps on saying that error
¯_(ツ)_/¯
the logon is valid though
otherwise you'd get "NT_STATUS_LOGON_FAILURE"
i tried taking a step back
checking the shares again
But what I notice is
when i keep on running smbclient -L -N <IP>
there is always an error regarding the -N flag
is there something to do with suppressing the password
-L --> List shares and Exit
-N --> Don't ask for Password/"No Password"
smbclient --help
I guess I need to refresh my mind and then hit it back on tmrw
but can i ask u one last question, general question it is
Looks like you're not specifying a share
Is it okay that those commands don't run on my personal VM but run on the pwnbox ??
Is it an internet connection problem ?
if it's not running in your vm are you connected to the vpn?
yeah yeah I am
if you're connected to the vpn: don't use the pwnbox
I even tried to ping the address and it returns normally
(or if you're using the pwnbox, turn off the vpn while using pwnbox)
Oki thank you so much really appreciate that help and happy to be within the community
also
with smbclient you can use //{IP or Hostname}/sharename instead of \\\\{IP or Hostname}\\sharename
I'm trying to complete the last question found in the windows lateral movement skills assessment, but the part to connect to VNC does not work. Even when you follow the solution. https://academy.hackthebox.com/module/263/section/3095
I keep getting this. Any idea? Unfortunately, the commands mentioned in the module for vncviewer aren't valid
so LOGON_FAILURE is for incorrect pass right ?
Logon Failure could be
Incorrect Username (If guest logon is disabled)
Incorrect Password
Both
https://academy.hackthebox.com/module/87/section/885
Why do the steps on the Linux Subsystem for windows break the windows install on a vm?
because you're trying to run virtualization within virtualization
you're not really required to run a vm within a vm
at that point just set up a linux vm
oh so the guide is assuming you are running baremetal already?
yes lol
I was wondering what was the need lmao
Oh ok good night
did you ever figure it out? Im stuck here too
You can DM what you are trying if you are stuck.
https://academy.hackthebox.com/module/87/section/904
In the section: "After that, we should add a new user for the VPS to not run our services with root or administrator privileges. For this, we can then generate another SSH key and insert it for this user."
- Do the examples below not completely constrict this statement, showing the user how to add a user to the sudo group?
you do not need to follow the Setting up Module to a T
it's more of a rough recommendation than it is purely a guide to follow
someone told me to treat the foothold machine as a foreign target machine that we have to enumerate
maybe that'll help you, i got stuck on the same thing because i took the foothold for granted and basically treated it as a pwnbox 2
I hope whoever wrote Footprinting -> DNS stubs their toe daily for the rest of time
We're always open to /feedback, or in #1234357888114364508
it's really not that bad tbh
¯_(ツ)_/¯
is it a tad annoying? yeah
could it be worse? infinitely so
Going through Vulnerability Assessment/Nessus module and I think the machine that's hosting Nessus is having difficulties. Works good when it initially boots then very intermittent after a few minutes. Already made a ticket but figured I'd make a post in case anyone runs into the same issue before fixed.
it's reexplained in another module iirc (information gathering web edition)
Dude istg took forever to look for the damn answer for the second question cos the target slow af
Y
the service can take a good 5-10 minutes to boot up when it spawns
There is no structure to it.
I managed to get the questions done pretty quickly I just have no idea about.. well none of it makes sense I don’t know how to put it
I can’t describe the architecture at all
there is a structure to it
lmao
if it wasn't then you wouldn't be able to perform the tasks
dig <type> name @nameserver
you're asking for the type of query about a host from a given nameserver i.e.
You call a travel agency, and ask about xyz activities and where they'd be located
they tell you
X activity is at X location
Y activity is at Y location
Z activity is also hosted at X location
Unfortunately that's not what's happening in my case. The machine worked when first booted as mentioned. Now been waiting for it to reconnect for 15 mins
translated to DNS records
X is IN A at IP
Yes but I mean the physical server itself I mean
as i said, if it wasn't structured you wouldn't be able to effectively query it
tl;dr it's segregated internal networks that you don't have access to aside from the external DNS server
So a DNS server is a single server that resolves a FQDN->IP or IP->FQDN, in short?
resolves FQDN -> IP; translates a name to an IP
don't need DNS if you're querying an IP directly now do ya
it's why if your DNS is having issues you can still ping 1.1.1.1 or 8.8.8.8
Yeah and what we're doing through zone transfers is tryna get the domain and subdomain information, otherwise brute force til it responds properly
Fair enough but I thought you could use it for reverse lookup..?
ptr record is for reverse lookup I think
but you can't ping Google.com
if a PTR record exists, sure a reverse lookup is possible
which is what the dnsenum script does btw
figured it out by messing around a bit using dig and nslookup to "replicate" the bruteforce attack
Yes but custom wordlist support for nmap non existent have to use msf or smth
as i said i used dig and nslookup
huh?
basic tools
it was related to my "if DNS is broken" comment
ah
And the zone files contain records for a specific domain? Which can contain.. god im googling this as I go
Maybe im just extra slow today
sorry missing context
Some records can be other zones but not all records are zones
literally a couple sentences up #modules message

re: DNS isn't needed if you're directly accessing an IP
At least that section isnt as bad as the smtp one 
The what
Spent 2 hours before clicking the hint, god damn wordlist problem
I think its directly after dns
This gonna save you frustration: use the wordlist they gave when you bruteforce, it's in resources at the top of the module
Hey i wanna be member
good news, you can sign up on the website
What we doing in here
This discord is about the various HackTheBox platforms, this channel specifically is for discussion of the various modules on Academy. Follow the instructions in #welcome to gain access to more channels.
😡
@safe star sorry for that my colleague made a mistake
Hello,
I'm on the Vulnerable Services section of the Linux Privileges Escalation module.
I managed to become root by following the course however I tried to enumerate for all services installed on the machine and I never saw the Screen service, so how can you find it please ?
Can someone help me on http attacks TE.TE , my smuggled attack results in a 200 ok but I get a unauthorized only and admin is allowed to do that 🥲
arent you already cpts certified ?
oh i apologies i thought
hey guys can someone please give me a hint on this ??
https://academy.hackthebox.com/module/116/section/1167
i still do get any solid results
did you use the provided wordlist in the resources section?
yeah the pws and users.list
for sure
i used crackmapexec to brute force it
i mean impacket comes after u get some type of username and password