#modules
Please anyone help
I found the login admin page but it has Wordpress security plugin
And I got only 3 attempts left
Thanks
reset the target and try again
hi, I am struggling to find the answer of this and I don't know if I am not looking where it should be the answer, I tried over 10 attempts to answer and nothing... " According to the paypal.com website in October 1999, what could you use to "beam money to anyone"? Answer with the product name, eg My Device, remove the ™ from your answer. "
I used internet archive and looked to all topics and nothing...
that's a tricky one
yea... 20 attempts now, I looked all the way on the website, wtf
still didn't find the answer
nevermind.... fixed
awesome
Please anyone help how to bypass Wordpress security plugin
Im on admin login page
But I have 3 attempts left
reset the target and try again
Hey, i need some help with skill assessment on the pivoting & tunneling section
Can I DM someone?(I've this diagram and I dont want to spoil anything)
Bro Wdym
Hi, quick question for the Wordpress module
I'm the skill assessment and there is the "Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download." question.
I have done every question but this one.
Am I complicating things ? Or is there something I have missed ?
Thank you
Good Afternoon guys what do you think about this?
Hello, i'm stuck on the logrotate module of the linux privesc.
I found a writable log file, and tried to follow the step to obtain a shell however it seems that the only log file I have write permissions on it is never rotating.
Edit: I managed to solve the issue. For those who are stuck at the same step as me, you need to append something into the log file so logrotate will be triggered.
You might want to be a bit more aggressive while looking for plugins
Well yes and no
To be fair this doesn’t really help
What you’re gonna want to do instead is specify an api key for wpscan
This will be a lot more fruitful than just your normal scan as you’re querying wpscans api for possible vulnerability matches and other curiousa
I did, but the scan did not reveal any "unauthenticated file download" vulnerability
I'll look into it again
Thank you for your answers
Or more accurately look at the plugins and look them up on exploitdb or google search
You’ll be able to find em that way
Which module are you working in?
I just was trying to hack a website I got the admin login panel and I found the user is admin but I can’t use brute force bc they’re 5 attempts there Wordpress security plugin
Can u help me
How to find the password
I’ll appreciate it
@acoustic owl dude I think this guy might be doing some illegal shit
Wtf no
Or something unrelated to the platform
Do you have written permission to attack the website? If not, don't do it! It is illegal
yes thanks a lot, I found it !
Although I did not understand something: what is the difference between:
curl http[:]//IP/resources
and
curl 'http[:]//IP/resources'
It seems your message was cut off
Yea sorry I just edited it
cause I was trying without the ' and I thought it was just not the correct request
as it didn't work
One parses it as a string, you see bash is very specific and if you specify a /, bash thinks it’s a special character and cuts it off. But since you’ve specified that it’s a string. Curl says “Okay that’s a string and an url, time to read it like one”
Do you have written permission for this? If not, don't do it! It is illegal.
Please read the #rules
That's... logic
Thank you 🙂
Hey no problem
I feel dumb but thx ^^
You are in the wrong channel.
This channel is about Academy modules.
Read and follow #welcome to use better channels for your question
Aight
Hey
Finally someone available to talk 😂
Have you got the error destination host unreachable.
This is becoming a thorn in ass with time.
In which module?
Is your VPN connection to the HTB Academy network active? Or is your target a Docker container with a public IP?
No I just do I ping to my local device connected to the same network.
Not every device responds to a ping
But what if I tend my kali to respond to ping I tried each possible resolution by ChatGPT and I got same error
Im tearing my hair out trying to get chisel and proxy chains to work on the last question of Pass the Ticket (PtT) from Linux (pentest job path)
I had no issues with the rest of the questions, frustrating that I cant get this part to work, no matter what I do I can get the machine to connect back to my Kali VM
I think your question is better placed in #homelab-sysadm . It has nothing to do with the Academy modules.
If you have no access, read and follow #welcome
Hello everyone, I am facing an issue while debugging a .NET web app (advanced deserialization module) with dnspy. My breakpoint are not hit. Do you know what could be my issue ? thanks
Hey everyone.
I found the answer, all DLLs were not imported (for those facing the same issue).
Could anyone help on essid stripping on evil twin module?
Seems pretty straightforward yet after setting up the rogue ap just like the module says and sending deauth packets nothing seems to happen
Hi guys, I ask again, maybe someone have solved this lab.
Hi guys, can someone please help me with CWEE - Advanced Sql Injection - Read and write files?
I’ve created a payload working just to pg_sleep(15) but I cannot go for more that it
I’m really frustrated actually
Hey Guys,
anyone is having issues with MFA connecting to htb?
Need some help? Learn how to reach the support team on Academy.
Where can I get a tip/help with zephyr initial foothold?
if you can't access that channel you need to follow the instructions in #welcome
I have a question. If I get hired as a Security Analyst, or whatever what do they expect ? When I do the labs I tend to hit a roadblock and use the writeup. When I read the writeup it makes sense, but I am unable to figure out most of the box myself.
Better asked in #careers-and-certs, follow the instructions in #welcome to access that channel.
Hi i have some problem abour zephyr initial foothold
where i can ask some hint
#1263635449335910531 <--- as @cloud urchin pointed you to
Hi guys, i have some issue with the footprinting module, with Oracle TNS, i'm not able to install odat in my VM, i tried everything i found on the internet but nothing
"libaio1" has no installation candidate, and i get "externally-managed-environment" error using pip
Did you use the provided script to install everything? It calls to https://github.com/quentinhardy/odat, which seems to be working fine.
Yes, i just did a copy paste of the script given in the module
Also tried to do things manually with the github repo u just sent
it's just a python file you run
Dont i need the entire repo to run that file, like, doesnt it have required packages or something
yeah you need the whole thing but the script clones the repository
do you get errors running the script?
"Traceback (most recent call last):
File "/home/kali/Desktop/odat/./odat.py", line 54, in <module>
from CVE_2012_3137 import CVE_2012_3137,runCVE20123137Module
File "/home/kali/Desktop/odat/CVE_2012_3137.py", line 9, in <module>
from Crypto.Cipher import AES
ModuleNotFoundError: No module named 'Crypto'
"
I get this while running odat, after cloning the git repo
pip3 install pycryptodome
If u do such things i get the error "externally-managed-environment", same with the htb module script
try running it in a virtual environment
you could also use --break-system-packages with the pip command, but it could break other stuff idk.
better to use a virtual environment
Trying with the venv, as u suggested, seems to be working, pycrypto installed
Ill try with this method to install the rest, thank you
Yeah, unfortunately it doesnt work
curses
Still same error tho, " File "/home/kali/Desktop/odat/./odat.py", line 54, in <module>
from CVE_2012_3137 import CVE_2012_3137,runCVE20123137Module
File "/home/kali/Desktop/odat/CVE_2012_3137.py", line 9, in <module>
from Crypto.Cipher import AES
ModuleNotFoundError: No module named 'Crypto'" even tho i installed the required packages in the venv
Just get the venv bro 😭
I just make an alias called venv to activate it and have all my tools there
I'm in venv now, i installed everything, but it says no module named crypto, i tried pip3 install pycryptodome and it says i already have it...
Am i stupid or this is fucked
Says i already have Crypto too, just find out that this command line "sudo pip3 install colorlog termcolor passlib python-libnmap" isnt working due to the external env error, even tho im in a venv
if all else fails, you may be able to use the pwnbox
Yeah, i think ill just use the pwnbox, btw thanks for the help u all
hi, do you know if we were meant to look at the hint here? Like to show us that we sometimes need to rely on our coworker's findings?
Hi guys, I got the module Information Gathering - Web Edition and I struggle with this, What is the API key in the hidden admin directory that you have discovered on the target system? I tried with SecList gobuster with top1million and did not get anything to help me get the api , can anyone help me ?
Hi
How in Windows Attack and defense Connect Kali? Any help
Use either the pwnbox or the vpn, not both at the same time. If the pwnbox is off and you're on the VPN you should be able to connect, especially if you can ping the target.
you should start with the basics
Which one?
Windows Machine Connected
then you should be able to RDP into the host
if you dont know how to rdp/ssh into a target you should learn basic networking and kali linux
i know these the issue is it explained them confusingly
"What is the API key in the hidden admin directory that you have discovered on the target system? "
what I might do wrong :/ I tried several ways and still nothing
If anyone can help me out that would be greatly appreciated. I have installed parrot and updated it. When I enter cat tool.list it says "no such file or directory" . I have the security version so I don't know what I'm doing wrong.
If anyone can help me out as well it’s a very simple thing I just am not experienced in the field
are you looking for help with a module?
your other post makes it seem like you want a hacker for hire or something
Did anyone have a problem with
Lab3?
I didn't what problem are you having?
Why nmap doesn't work well with tunnelling like sshuttle and Ligolo? It's a good practice to run nmap over tunnels?
nmap relies on raw sockets for many of its scans, things like proxychains route traffic through a user-space proxy which doesn't support raw sockets
A for loop with ping works great for host discovery over tunneling on the other hand
Try hack me or hack the box?
This is Hack The Box discord mate...
No I mean what's better
Need a nudge? 🛜 🐱
We're all biased... HTB is better 
💯
Is it free?
Honestly HTB better than all of them
Either I didn’t understand question right or I am dummy, I can’t get to port 53, tcp is filtered and Sonia closed
Some modules are some aren't
What's cheaper hack the box or try hack me
Go back and read about DNS in the module and then read the scan output... ||do the protocols match?||
iirc TryHackMe is mostly free
but simply doesn't compete with HTB content 💪
Btw are you the only person here?
No...
Rate your hacking skills in a scale of 1 to 10
I ll definitely do that. But, is suggesting that DNS would be on some other ports? That what was on my mind but didn’t have chance to tested…
This discussion is probably better for #hacker-lounge or #red-team, you can access them by reading and following the instructions in #welcome.
This channel is for discussion about the HTB Academy modules.
Oh I thought this was the general
-1000, I'm a script kiddie 
What language?
English...?
You're a bot?
Yes 
Seriously though go get verified, instructions here: #welcome, cos this isn't the channel for this
Bro when I click general it puts me here
@fathom pendant you still active? come help this fool get verified 
Fool?!?
what's the error you get?
Idk
as 0xW1LD said, follow the instructions to link your HTB account then you can access those channels.
sounds like you didn't even try
I don't know where to find account verifier
No
read the whole thing.. it links it
I can't find account identifier
https://app.hackthebox.com/profile/settings CTRL+F "Account Identifier"
it's on the right side, to the right of your avatar
there's even a nice little copy button for you
@cloud urchin was a syntax error, took a few hours to figure it out, won’t make that mistake again. Thx for the help!
I tripped over this same issue and fix. It seems to be a really common stumbling point. What I'm interested in is why is needed. Does anyone have an explanation of why "sudo" apparently doesn't run as root "enough" to make this work?
Hey guys. Is there any module that’s teaching how to bypass Protected management frame enabled access points?
no
follow the instructions in #welcome
Hello everyone, someone help me with the phase of obtaining /admin.php in the xss and csrf skill assessment. Im already a moderator, but I can't get /admin.php
There are a few sections that go over enumerating API's and web applications, have you read over them again?
can anyone point me in the direction of a channel to find prolab help?
hi I am on the last question of the hard assessment for Attacking Common Services module. I am able to RDP into the system and log in as the one female user out of the three users. That's the only user I can RDP in as. I have to get the flag from the Administrator's Desktop folder and I found an unattended file that looked like it had the admin file but it didn't. I need to escalate privileges. I'm trying to use PowerShell or CMD to escalate privileges but I don't think its working. Can someone help me out here?
I have been stuck on this last question for now its the third day in a row.
@heavy fable Try to ask your questions without revealing stuff that could be on the SA please
@heavy fable Think about what the module is about (xss and csrf) and what you can do with your new found mod powers
sry my bad
Escalation path can be found with the info provided in the module, no need to use privesc techniques from outside of it
ok thanks
Hey all. I'm in the GPP-Passwords Section of the Windows Attacks and Defense Module of the SOC Path. I ran the command to bypass the execution policy, imported the script to an admin PS terminal, but when I run the script, I get nothing printed to the terminal (no results or error). Suggestions?
Did you execute the function or try to run the ps1 script after importing?
Yes. I ran the three commands in the cheatsheet, and some variations I researched.
well, it worked for me, you may want to reset the target and try again.
OK. I did that too a few times 😛
Moving on for now, will return to it. Thanks for verifying.
@proud pine Sorry to hear about your job hunting troubles.
My ssh command never works
can someone help?
remember you're talking about a skill assessment you don't want to reveal any details about it
ok sorry
you do it like every day man
I was trying to be vague. Can someone DM me?
I know I do that its an autistic habit. I'm working on it I have trouble with stuff like that.
I say too much
I have a hard time with that kind of habit
its an impulse thing
wait ok someone is dming me over it
What is the command we need to run in order to display the 'ftp' client help menu?
I keep putting ftp -h but its saying im wrong
nvm tutorial was outdated
Hello ..in Binary Fuzzing section Sanitizers when I try to solve the last question and run asan_demo executable file, I get this error "./asan_demo: error while loading shared libraries: libasan.so.6: cannot open shared object file: No such file or directory
" .. but this shared library wasn´t in the zip folder that I downloaded from HTB Academy! There was only this executable file
hi I almost have the the flag but I am running into an error with one last step from one of the assessments. I do not think I can explain what's going wrong without giving away details. Can someone please DM?
I'm 99% of the way there
or 95% or whatever
like I have one last step and then I know what the next thing to do after that is and then I get the flag
this is for the hard assessment for Attacking Common Services
I don't know if this is an HTB problem but I think I almost have the right command
its absolutely not possible to tell you what's going wrong without giving away details
I literally am just getting a specific command wrong
review the module for the commands
I am
I am using the exact command from the module and its not working
I even ran it by another guy who told me I'm looking in the right section
and the right subsection
its literally like one command I am typing and based on output from another command
if you're on the last step like you say, then it should give you an error and you may be able to figure out what's wrong with that. i didn't have any issues and i used the command directly from the module.
ok thanks
ok I think I copied the command and got something right so I think I know what server to access by name I just its not showing anything meaningful in the results
so like I run the command and its valid but it won't do anything
unless I try a different server but then I get an error I also can't post here without revealing details
but same command from the module
I'm sure I'm very close now
wait I think I got it
hey guys for the Whitebox Attacks - User Enumeration via Response Timing section, is there a smaller wordlist? the web app keeps crashing when trying to bruteforce enumerate
I found the flag
I don’t remember having the issue of the app crashing on me
Running into a bunch of problems with Advanced Sql Injection SA2.
Create Function seems to be failing, with the failure being blind its very hard to debug what is going wrong. Ive tried different file paths and I compiled the code on one of the other test boxes with the correct version.
Any tips?
I remember having to reset the target a few times before I got it working.
Were you getting an instant failure of the create function call. Chaining that with a sleep exits instantly. Or do you get a hang with the payload trying to connect out?
if you are - 1000 im a - 133333333337
It’s been quite some time since I did that module. I remember that I respawned and the script I wrote instantly worked
I’m about to head out soon, but if you don’t mind waiting a few hours for a response, send me your script and I’ll have a look when I get a chance
Sounds good, I wonder if I have an issue with the compiled binary, It seems like everything is working up to the create function call. Testing locally it seems that that call likes to fail for all sorts of reasons from the file not existing invalid file type, version mismatch etc. Thanks for the help!
did you increase threads when checking? it seems like as long as its set to 2 or higher, it crashes eventually. as of now im just using the script from the module, but i feel like i'll be here forever lol
Congrats you did the great job there dude
I just completed that module and I can’t understand answers for the skill assessment questions that what particular are the answers and even in that practical scenario, 2nd question was nightmare
I can locate ip_scanner with volatility and timeline explorer but the correct exe is nowhere nearby to ip_scanner.exe
I tried every exe was ran and I don’t understand what that exe is the answer
There was so much time between correct exe and ip_scanner.exe and in between that time there were many more exe available so how we supposed to know which one is correct?
Can anyone help me understand this SOC path question?
It's me again it still won't let me in
What error are you facing when identifying?
no... go follow the instructions in #welcome
if you encounter an error contact a mod
#bot-commands can you do the verification again
#1342917580561580063 read and follow #welcome to access
also spoiling an active machine
/drive:sharename,/path/to/directory/ in xfreerdp
or one of the multitudes of methods mentioned in the file transfer module
I Found something lol
Literally same command except using nxc vs Netexec... Netexec fails to execute properly while nxc does execute
pipx --ensure-path iirc
Not sure if it is pipx, I tried and there was an error... netexec comes pre-installed in my parrot os
ah yeah forgot they did that
but at least now i know, the devil is in the details.. Notice how when the system notifies me of the error, it quotes "nxc", not "Netexec"
eh that's more likely how netexec is coded than anything else
you'd have to test on a system that installed via pipx versus install via apt
yea it's probably that, but hey! I got it working!! woots
if the issue is with netexec:
the issue would persist with pipx and apt install
if it's with apt, may have to raise the issue with parrot devs
Oh.. is there any parrot devs here?
not as far as i'm aware but they have their own discord server
but issues would be best raised on the gitlab
alright, thanks, I will raise it to them soon when I have the time
hi, I got this and I struggle by 2 days and I couldn't resolve, I tried go buster and I don't have vhost directory on SecLists, What is the API key in the hidden admin directory that you have discovered on the target system?
I couldn't find anything on scan, If I put the port it just finds /index.html :/
well if it's a public ip:port then you don't put both in the hosts file, just the ip and specify the port in the request; second you want to run a vhost scan not dns scan
I did ok on /etc/hosts, I don't find vhost file on SecLists
you'd still use the DNS subdomains list
it's just how it performs the request will be different
i'm sure the module went over vhost scanning
if only my reply told you the other thing you're doing wrong
reset the target, update your hosts file, try again
ok
Huh
also
--append-domain
you may find that more helpful first
i suggest researching how tools work before just copy/pasting what you may see; sometimes a tool may have updated since a module released and the time you get around to it
after the scan I added into the /etc/hosts, but couldn't connect to what I found...
spoilers, dude
robots are helpful
but now I need to get the api...
that's all i'll say on the matter
the other thing being: if you don't find info on one subdomain, keep digging further
It says that it couldn't connect
when I curl the admin
or that it is moved permanently
unable to connect

curl
curl: (7) Failed to connect to port 80 after 1 ms: Couldn't connect to server
finally done
:))
anyone up for a quick sanity check on a step on AEN ? It will be a yes or no question, I don't want to be spoiled by the walkthrough and I'm just afraid I'm blocked by something silly (instability)
looking for some assistance on User Enumeration via Response Timing
tried different thresholds, amount of threads to enumerate, seems nothing is coming back. when i use the valid account to test response timing, its always inconsistent, so its very hard to set a proper threshold without potentially missing it...
low threshold, high speed =every username comes back as valid,
high threshold, high speed = site unstable and lot of invalid usernames
low threshold, low speed = lab times out
high threshold, low speed = lab times out
pls help lol
I'm embarrassed to even ask this but I think I need a sanity check, I'm certain this flag should be accepted on the windows CLI skills assessment.
I've made sure I'm not copying any whitespace by accident so I figured either it's a red herring or an issue with the answer submission
```
[Get-Flag, Get-Flag]
PS C:\Users\user7> Get-Flag
The
Flag you are looking for is {Not_giving_out_spoilers!}
```
maybe submit without the brackets
legend, thank you
awesome
you could try different vpns in hopes of getting a more stable lab for you. Or you could try sending each request more than once and take the lowest response time out of x tries
hmm im not using a vpn to connect. can you use a vpn for a better connection if the lab doesn't require it? lol
oh its one of those setups, nevermind then
so yea I'd try going the "only print username if the response took longer than 100ms 10 times in a row" route I guess
If you want a hint to get through the list faster, the username starts with the letter ||f||
sad part is the text file is like 600,000 lol
!!!! thx lol
browsers don't allow direct access to file:// uris like that
even if it did work why would a remote servers flag file be accessible in your local browser?
I didn't try with curl, good reflexion I will see
here the flag is to validate the question, I'm just asking if anyone has already succeeded and could explain to me what's wrong with my payloads
hello guys in the phishing/ in XSS module is it normal that the website won't work? it says:
Not Found
The requested URL was not found on this server.
Apache/2.4.41 (Ubuntu) Server at 10.129.200.177 Port 80
yeah I was wrong the f i was lack of h in the spelling.
check if the port is a good one
Hello can someone please explain me in the Windows PrivEsc module. How is it possible to launch elevated powershell and cmd ? And what is the purpose of escalating privilege since we are admin if we can launch elevated powershell and cmd
Typing the command whoami /priv will give you a listing of all user rights assigned to your current user. Some rights are only available to administrative users and can only be listed/leveraged when running an elevated cmd or PowerShell session.
In all the examples we have to open elevated powershell or cmd . And when i do that i understand that the user is already administrator so i don't really understand what is happening
because of the different integrity levels
and certain actions require a high integrity level
So when we can open the elevated powershell on the host it's mean we are already administrator ?
yes
Did you get your sanity check?
but SYSTEM is still a step above you
so all the privesc we are doing are from admin users to system not from low users ?
lower privileged will need to escalate to admin before escalating to system
and which part of the windows privesc module talk about it ?
you're the one doing the module buddy
can anyone give me some tips ? I tried the admin and could not access to get this question , After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.
lol i finally got it. had to make a script that saved my progress through the wordlist -.-
crawling is helpful
i gave you a hint earlier regarding this assessment @nimble scroll ; dig deeper into subdomains if it's not on a.inlanefreight.htb maybe it's on b.a.inlanefreight.htb
ok, I will try
looks like it didn't find any emails or links
I don't know too
:/
what should we do?
still no luck even with chatgpt...
I also looked in the cheating sheet, still no clue
ok
also refuses the connection
I checked the hosts, I changed the target and same...
there were some guides on youtube but they were taken down by HTB :/
@nimble scroll Careful with spoilers, AGAIN
but now what spoilers I gave ?
because the module is above tier 0; posting writeups/guides/videos on content above tier 0 content is expressly forbidden
subdomain names that you had to dig for
if i get a non-empty results.json you owe me a beer
it doesn't give us that much details :/
so we can get results.json
we can get, but empty :/
that's our frustration
what clue we could use to finish at least ?
even burp suite shows blank info :/
I give up man :))) I don't know I am doing wrong...
skill issue tbh
welp, I want to improve my skills but without having a clue I can't correct what I am doing wrong :/
I wouldn't be here if I was with skills
reviewing the message I deleted: you forgot the port
I did the port but it shows refused, I checked also hosts and same
congrats but that doesn't help me to understand what I do
as a note you don't put the port in the hosts file
it's always in the request you send
I did not
nobody could help me with this : Using the skills acquired in this and previous sections, access the target host and search for the file named 'waldo.txt'. Submit the flag found within the file.
wait
I am on stuck on that since two weeks
python3 ReconSpider.py http://x.y.inlanefreight.htb:42203 worked for me
i find it
ok, I will retry
i just spawned a fresh target and it worked like a charm
@fathom pendant thanks for your help i find the email i'm amazing
if all else fails and YOU'RE SURE you did it right, reset the target
otherwise not sure what else to tell you aside from
and @zenith pike
the only other random thing i've seen people have issues with is if they're using a personal vpn, sometimes that messes with things (note not the academy vpn, but a vpn service like Nord, Mullvad, etc.)
Get-ChildItem can be a powerful tool if used correctly
Seems like you haven't installed Requirements or You are not using python3 version, Please install using: python3 setup.py install
python3 setup.py install
/usr/lib/python3/dist-packages/setuptools/_distutils/dist.py:265: UserWarning: Unknown distribution option: 'console'
warnings.warn(msg)
error: Multiple top-level packages discovered in a flat-layout: ['core', 'plugins'].
To avoid accidental inclusion of unwanted files or directories,
setuptools will not proceed with this build.
If you are trying to create a single distribution with multiple packages
on purpose, you should not rely on automatic discovery.
Instead, consider the following options:
- set up custom discovery (`find` directive with `include` or `exclude`)
- use a `src-layout`
- explicitly set `py_modules` or `packages` with a list of names
To find more information, look for "package discovery" on setuptools docs.
?
what are you even trying now lol
the ReconSpider i'm referring to is the one from the creepy crawlies section, it's not the same as on github
:/
¯_(ツ)_/¯
there's no setup.py for this ReconSpider
https://academy.hackthebox.com/module/144/section/3079 <-- this section
help Get-ChildItem may provide you with more options to use
and adding -example gives you a few examples of what you may do
add the port at the end of your command
I did
i changed it because previously it was a single letter; making it hard to mention/@ you
to get your username the same as your htb account name read and follow #welcome
ok i'll try
in powershell run
help get-childitem -examples
but that message wasn't originally for you
it was for the person having issues with the windows CLI fundamentals module
:)
is not working
but did not get anything in results,json
you had the right subdomain and your command appeared correct
¯_(ツ)_/¯
at least almost correct
:/
specifying the port with reconspider as http://x.y.inlanefreight.htb:port
and you have the x.y.inlanefreight.htb in your hosts file?
yes
and if you visit http://x.y.inlanefreight.htb:port is it blank or do you see a page link?
wdym "is not working"
if you're in CMD, then yeah help get-childitem won't work
because that's a powershell command
I am in Introduction to Windows Command Line
Page 7
Finding Files and Directories
i'm aware of where you're at
lol
i'm trying to figure out what you're saying "isn't working"
I am using dir
solved the question after 1 more target
so you're in a CMD prompt; not powershell
ls and all of that buy anything is showing my the path to acess on waldo
do you see PS C:\current\directory> ?
xD
ok
My mistake
do help get-childitem -example to see examples of how you can use get-childitem
But, How can i get access on the cmd
if you're in a command prompt (not powershell) you just type powershell
and it'll drop you into a powershell prompt
if you're already in a powershell prompt; just type it in
if you don't even have a powershell prompt or command prompt open, wtf are we doing here
I was verifying and yes I was on the right place
Still have a problem with Lab 3 of "Enumeration with nmap" Did anyone have had issue with it?
yeah
I might not have understood the question right...
i'm not telling you the exact command to use to find waldo.txt; i'm helping you get to the conclusion on your own
source-port shenanigans is all i'll say; the reading may shed light on what i mean
for sure
is not working
the error it gives you may be more helpful than
is not working
let me ask this, are they talking about DNS in lab 3?
no; at least not directly
but again start with my initial hint and read the IDS/IPS evasion section and re-attack the host (replacing specific -p XXXX with -p- for nmap)
I have been trying since the very beginning
you can't share screenshots here because your account isn't linked
read and follow #welcome to see how to do that
Ok
if you've been trying to send screenshots alongside the comments of
is not working
that's what's leading to the extra confusion
and they were talking about DNS in a lab before (2)
running services, it doesn't specify DNS
:)
don't think of the labs as connected (completely)
consider each one a blank slate
this is helpful for many modules beyond nmap
I did it, and its completed
but each skill assessment is their own entity
Thanks a lot!! I start going crazy
O, yes is working now
lol
re-reading the section, the reading talks about recursion
I am here
though the reading uses CMD and not powershell; powershell can do similar enough
run
this
command
help get-childitem -examples
ffs
i was missing the s from the end on previous bits
Am not sure what am using if PS or CMD at this point being sincere
for christs sake
i'm walking you through how to do it in Powershell
the reading refers to using CMD
if you want to switch to cmd from powershell you just type in cmd
ah it doesn't pull the examples
ok
got it
now you should be able to run the cmd example (modified to fit your needs)
note: if it doesn't return anything go one directory back
C:\Users\htb-student --> C:\Users\
you should find the flag quickly from this point
Need nudge on SA evil twin
I didn't no, then went for a needed walk in nature :) If you're still up for it let me know when you see this and I'll dm. Thank you!
Hi I'm on the Windows Attacks & Defense module in the Print Spooler & NTLM Relaying section.
I have executed "impacket-ntlmrelayx -t dcsync://172.16.18.4 -smb2support" on Parrot
and "python3 ./dementor.py 172.16.18.20 172.16.18.3 -u bob -d eagle.local -p Slavi123" on Kali
with different combinations of sudo, and multiple restarts of each system.
Would someone confirm for me that this is the correct method and that it works for them?
I don't get it yet
take one of the commands given in recursion and change it to fit what you're looking for (and where you're looking)
am doing that, where is not working and gonna try with find
Yeah I have some time. DM when you want.
Is not showing me anything
find looks for text not filenames; and as i said you need to find where waldo is
it's not on C:\users\student, if that file location even exists
with HTB academy you often need to modify the commands they give you to work with the situation presented in the question
i can tell you with certainty that the string "waldo" doesn't appear in waldo.txt btw
what
find /?
Searches for a text string in a file or files.
FIND [/V] [/C] [/N] [/I] [/OFF[LINE]] "string" [[drive:][path]filename[ ...]]
/V Displays all lines NOT containing the specified string.
/C Displays only the count of lines containing the string.
/N Displays line numbers with the displayed lines.
/I Ignores the case of characters when searching for the string.
/OFF[LINE] Do not skip files with offline attribute set.
"string" Specifies the text string to find.
[drive:][path]filename Specifies a file or files to search.
If a path is not specified, FIND searches the text typed at the prompt or piped from another command.
don't worry about that
men challenges like this are so great for me I really enjoy this, but this is making me crazy
because you didn't pay attention to what i was trying to tell you lol
where is for locations
find is for text in files
There are some things that I dont understand yet
I am trying just with where
you don't need to change much about the where command given to find what you're looking for
ok ill try something
I think that I got it
I am on it
but, what is the flag?
if only there was a way to type out the contents of a file 😉
cat isn't a CMD command
nor is it aliased
it's also case sensitive
My bad.
I spent two weeks on this and finally, I really learned a lot.
Just giving myself a bump now 😊
Hi I'm on the Windows Attacks & Defense module in the Print Spooler & NTLM Relaying section.
I have executed "impacket-ntlmrelayx -t dcsync://172.16.18.4 -smb2support" on Parrot
and "python3 ./dementor.py 172.16.18.20 172.16.18.3 -u bob -d eagle.local -p Slavi123" on Kali
with different combinations of sudo, and multiple restarts of each system.
Would someone confirm for me that this is the correct method and that it works for them?
Hi I'm doing attacking common services SQL databases
The question is "what is the password for mssqlsvc user"
I logged in with the creds that were provided but I couldn't find mssqlsvc user in the database to impersonate to and get the pass
Any tips?
did you try being a thief?
😉
hi guys, no voice chat here?
i need help im a gold member and i need voicechat support can someone help me somehow? its a simple thing
lol, this is a very good hint that I was able to figure the solution even though I don't remember anything about that module.
there's no official help for academy modules; if you're on annual you should have access to the writeups for the modules
what is the writeup thing? and yes i am on an annual
there is a "step by step solution" feature for annual gold I believe.
though it doesn't teach anything
just goes through step by step; the teaching is done by reading the module
oh ye i have it but still i dont understand their solution. like how am i suppose to know to write this specific line of code
it's likely in the reading or known via some pre-requisite, it helps to know what module and section you're on
please create a vc channel here it would be great
there is an academy vc
where?
or there used to be
It's still there
but tbh you're not gonna find much help without actually saying what you're working on
it just a line of code i need to know why they wrote this specific one. i never guessed it.... ill say it in vc when i share screen so it be clear
from WHAT MODULE
just say the module name and someone may be more amicable to helping you
instead of just saying "i'll say in VC"
or they can explain in chat or via dm if it's a spoiler
also you wouldn't have access to screenshare in the vc i believe that's tied behind another thing
and yes even though you're a gold annual member on academy that doesn't magically unlock everything, they're working on getting things set up for academy verification so you don't have to jump through a million hoops
wait what? doesn't the academy gold also give me a subscription to the HTB app labs? why does it say I'm on a free subscription type there?
no it doesn't
gold annual is only for htb academy
it doesn't translate to htb labs
separate platforms, for all intents and purposes
I suppose i need to get the hash for the user and crack it but i cant find the user
I'm logged in as "htbduser", I already have his password since it was given to me.
Why do i need to get the current user's hash
How is it gonna help me?
not to mention it's not a listed perk of the silver or gold annual sub
who said you'd get the current user's hash?
:P
Hey guys anyone has solved Escapetwo HTB active machine?
the subs are separate, if you want to practice retired boxes then VIP is worth it
ok i now linked my discord to here. what now? how i gt access to vc?
i did
the instructions to link are in #welcome <--
linking via https://account.hackthebox.com or the discord button don't do anything atm
can someone come to #889971295637340231 voice chat ? i need help in the nmap module
Oh thanks
ask
Which section? If you're referring to the hard lab, the reading explains a bit more on what's going on. Basically a misconfiguration
ye the hard lab only
Hi to everyone
none can come to the vc? its better than typing
but it says:
Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
Yeah, it's firewall misconfigurations, you can run some of the same scans with -p- instead of -p xxxxxx
how the h am i suppose to know what type of scan should i perform out of all nmap features?
It's mentioned in the reading section IDS/IPS evasion
Due to misconfigurations and trusted ports
it was already spoon fed to you
I have a silly question.
I have a silly answer
how? im a beginner so idk those clues you saying sorry
i thought i just need to scan using -sV for version
then in the solution i see big mess for a beginner
The reading related to the command run explains it
And I don't do deep dives for free
everything was already covered in the module, you should spend more time reading through
damn
really?
all they said in the question is:
Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
how out of all the features i have learned in the module i need to guess what to choose. i thought only -sV needed
cuz they only say version check
Sometimes you're given "just get root text"
look at the cheatsheet
Also nmap doesn't always have the ability to get all the info
i did... still i didnt think i need what in solution but only -sV
Sometimes you need to be more manual, for instance nmap wouldn't tell you all the subdomains and directories on a target
im trying to understand the logic
You do because of how it's set up, nmap version scan isn't all too smart
you're not just running nmap for fun, you know
there're specific options
It just makes a guess, and can be wrong
ofc so i thought -sV is enough for version check...
You're also given the info that the sysadmin attempted to implement a firewall/ids/ips system
So there's other info given to you
The module is above t0 please don't share answers
And it's a skill assessment
where?
in the assessment
In the brief above the questions
@lusty thicket I'm going to ask nicely to not be so passive aggressive
any good way to reliably speed up brute forcing stuff in CPTS, the spawned machines are mindnumbingly slow to respond to ftp attacks for example, and/or end up dying on me for no reason.. and I've been trying to add threads, break up lists to 8 and then 64 files and launch 8 x 1 thread processes at once to keep things flowing, adding some monitoring and sending results back to a non-ephemeral netcat listener, but I keep getting stopped by machines stopping responding, dying on me killing my processes. I know I can hydra resume for example, but then if the pwnbox dies the restore file is gone.. this reliability issue is really starting to get to me trying to get thru low level stuff, I've been very VERY patient with it so far ..
Depending on the tool you can specify threads
48 is most reliable for the password attacks module, for instance
i.e: on a multi hour medusa brute force attack in 'Attacking FTP' where I am patiently adding time to my pwnbox and target, not running anywhere near the limit, eventually came to a failure deep into the attack just using the basic instructional material :
ACCOUNT CHECK: [ftp] Host: 10.129.20.33 (1 of 1, 0 complete) User: florence (25 of 79, 1 complete) Password: simple (268 of 333 completeERROR: [ftp.mod] failed: Server sent unknown or no response. Server may have dropped connection due to lack of encryption or due to anti-bruteforce measures. Enabling EXPLICIT mode may help with the former cause and increasing the socket check delay (e.g. -c 1000) may help with the later.
CRITICAL: Unknown ftp.mod module state -1
[..]
I know I can add threads but this doesn't increase the speed for these attacks. I've been going up to -t 100 or so , but instead concurrency seems to improve speeds more with these boxes, which is what I've been doing.
I know this can happen irl and we should plan for failure, but if there is no ratelimiting or no blue team stopping you etc you generally won't see this kind of failure rate irl. this is driving me literally insane and makes the content feel unusable.
If you use too many threads your connection will drop as well
Sometimes less is more
I don't recall if I needed to mess with the threads too much for common services -> ftp section though
I'd say make sure you're using the tcp vpn download
Good evening everyone, I am in the bug bounty section, Side server, in particular SSRF Blind, the question says:
Exploit The SSRF TO IDENTIFY OPEN PORTS ON THE SYSTEM. Which port is open in addition to port 80?
I tried ffuf, but each 65k door tells me '' State 200 '', can you tell me how to solve this module politely?
so i read the thing also
Yes and I haven't found the sweet spot i guess, I've tried default 16 32 64 and 100 commonly and speeds don't seem to increase much on ftp brute force IME.. where running multiple processes on a split list DOES seem to work much faster. If t48 is the one sweet spot that just works without machine failing I guess I will try but I feel like reliability is my biggest complaint here. Machines dying on me before their limit is up.. really kills my desire to proceed.
I have used pwnbox and UDP VPN so far, idk if ive tried TCP, maybe that will help.. appreciate it
But none of the modules require you to bruteforce more than 30 minutes at most
i don't understand, how should i know when to disable arp and when to disable icmp or stcmp etc?
and what are the effects? their difference
Disabling icmp means nmap doesn't send the "you up" icmp echo request [ping]
Marcielee, you who always give me excellent suggestions, would you give me help please?
Haven't done this module
really???? omg
you mean the "ACK"?
a myth falls
No
ICMP is its own thing. Whenever you ping something you send an echo request, when it comes back -- thats the echo reply
By chance you don't know how to do a port scanning with SSRF?
No
really? 😦
Use Burp to intercept traffic and pay attention to the responses and you should be able to use something there to filter.
so ICMP is for echoing pings?
@vital zephyr stop lol I removed the first time
You're disabling it and telling nmap that you know the host is up;
oh i see
Ids and ips can still detect
and how we know it is up though without pinging?
why? Just to understand, that the user was giving me some guides and I was showing them what I did to understand where wrong
Well in the academy modules: you should know the spawned target is up.
For other things, some OS (windows) don't respond to ICMP echo requests
Take to dms
and I don't know if I bother the Lord
ok. am i beginner or advanced right now?
that's why i'm writing here
lollzz
Could you be clearer please?
shame on me bb
You can DM
I suggest doing the information Security Foundations path
And the new Networking Foundations module
Well you're putting the cart before the horse if you don't know the basics of networking
yeye i know but it didnt show me the real beginner path
where is it?
Basic Toolset
is the first module in the path i have
This one
Like how you got to the basic toolset path
But instead scroll to find the information Security Foundations path
hi, i am trying to do the 'Nibbles - Initial Foothold' task from the Getting Started of Penetration Tester path but the IP is unreachable (I tried to reset the target and change the vpn server but still don't work) and the target resets itself after 10-15 minutes, do you have an idea ?
oh ok
It shouldn't be resetting after only 10 minutes,reach out to support
the info security is the most beginner path module?
Yes it contains the basics, at least for the Penetration Tester and bug bounty job role paths
I am busy with the Understanding Log Sources & Investigating with Splunk, Using Splunk Applications but the lab should have Sysmon App for Splunk installed but I only see this. Am I doing something wrong here?
But the question reads as follows:
Access the Sysmon App for Splunk and go to the "Reports" tab. Fix the search associated with the "Net - net view" report and provide the complete executed command as your answer. Answer format: net view /Domain:_.local
So it should be installed on the VM but it's not so I can't go through the lab/questions.
VMs on Hackthebox aren't connected to internet right so I won't be able to download new apps.
they are, but if you haven't spent money on the site they are limited
Anyone finished the Evil twin module?
I "bought" this module before with cubes, but I should be subscribed to a plan if I understand you correctly.
then your pwnbox should be able to get online i believe
Try other ways of stripping
You're misreading the ip there, might need new glasses
The targets aren't internet connected
Did you click on other things on this screen or get to this and throw your hands up in defeat
Nope checking the list with installed apps in the lab but can't find anything sysmon related
Hi guys. I'm working on Nmap module, Firewall and IDS/IPS Evasion - Medium Lab. During my first scan (sudo nmap <target_ip>), port 53's state was filtered but after some attempts like changing the source port nothing changed. so I did a new basic scan (sudo nmap <target_ip>) and port 53 was open. I don't know why
Sometimes it's just like that
Labs can sometimes spawn bugged out
I feel like, I was so wrong that htb helped me complete the lab hhh
Hello !
I'm doing the FootPrinting module, and I encountered the following question in the DNS part:
Identify if its possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{...})
Have you got any indication ? I tried the dig axfr command but it doesn't seem to do anything.
Thank you !
Have you tried any other methods the section showed you? 😉
Hi fam
Windows Event Attack and defense, in Kerberostring.
I've Connection with pwdlab in Windows Machine and after i cant smbclient dont Connect. Any help
Ok I had a spelling mistake, but thank you 
After completing the exam are there walkthroughs for the module sections that you completed? For a few of them I wonder if I did the intended solution.
no
Ah bummer. Thanks
Do you know why enterprise admins need to approve exam vouchers? I thought there were unlimited vouchers per academy seat.
I do not know, probably have to reach out to support on the site for that.
so that your company knows who is taking the exam and roughly when to expect results
well there ya go
Thx
since for EP plans, you don't get an email with your result (i'm assuming your EA gets the email)
reach out to support though to get the full info
i'm just going off broad assumptions and logic
Oh are you saying test takers do not get a results email and only the EA's do?
correct enterprise test takers do not receive the congrats/fail email
(but the turn around is much quicker for EP)
Ah cool Thank you for the info!
it makes sense since businesses pay the big bux for it all
Yeah its crazy expensive. But seems inline with similar programs from other offerings
being able to move around seats between users is really neat though
then #modules
Uhm... check where you're at marcie...
wait

DW I've done it before too 
tbf i just saw them asking for help in #general and have been tabbing back and forth (excuses)
You know just saying you're stuck doesn't do anything for us, gotta be more specific like: Which damn question?
my bet is on them not being ssh to the target (it's common)
How hard is it to ssh into a target? 
What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?
I don't know how to do that
Not hard
Isn't there an example command that does almost exactly this?
No,
I tried this tasty command
find / -type f -name *.conf -user root -size +20k -newermt 2020-03-03 -exec ls -al {} ; 2>/dev/null
This dude gonna struggle on the next section fr
why are you specifying the user as root?
ah
also your size range is hitting too much
Ohh look at that... there is a command that does almost exactly what we need
almost
the big thing with academy is adapting a given command to fit your needs
also not all config files are .conf
sometimes they're .cfg
or .config
but i can't recall the answer exactly
and i believe they updated the fundamentals module, so some answers may differ from when i messed with it ages ago
find / -type f -name *.conf -user user -size 25k -size -28k newermt 2020-03-03 ls -al [] \; 2>/dev/null
*ehem* -exec
why are you specifying a user?
also that
dear lord, I'm brand new to this
dear lord think about each flag
-user <username> you don't know which user the conf file belongs to
so you shouldn't include it
find is very powerful if you know how to use it
honestly though never used any of those flags in any box 
only:
find / -perm 4000 2>/dev/null
find / -type f -name *.conf -size 25k -size -28k -newemrt 2020-03-03 -exec ls -al {} ; 2>/dev/null
are you asking or telling
you want -4000
not 4000
go type it in a terminal, we can't evaluate it 
would it be that, I did it in terminal, nothing came back.
did you do it in the ssh session?
can't really recall since I barely use it
Yes
it fuzzy matches permissions instead of exact matches
-4000 matches files with any permissions that include SUID
Yes, ssh is active
o i c
but did you run that command in the ssh session?
Yes
not in your own pwnbox/vm terminal
so if you look at the username of the user it says htb-student?
Yes @nixfund
👍
welp time to spawn the target and confirm
you missed something in one of your -size
+N is greater, -N is less than
ah
you're secretly a terminal emulator aren't you 👀
then type
/size and hit enter
then once it's open /size
within man / is a search operator and everything after is the pattern
ls a file isn't a bad thing
if you ls -la a file it'll give you the filepath iirc
dunno doesn't work with it
I did /size and it worked
that will tell you what you need to know about the -size argument
there you go, now you know how to search man pages for useful information
so, I would (from what i just read) -size +25k -size -28k
nvm I'm an idiot
yeah oughtta escape the ;
yeah that's important
can't understand why the semicolon is needed
so, no ;
\; at the end of the -exec command
because that tells ls that the -exec argument is finished
ohhh i c
So, it would be find / -type f -name *.conf -size +25k -size -28k -newermt 2020-03-03 -exec ls -al {} \; 2>/dev/null
I would've just yeeted in some quotes
otherwise it treats it as a regular ; that would end the command
but it doesn't know where to end the exec part
it's a bit tricky
yeah exec doesn't like quotes apparently
just triple checked
wait, the * in the -name *.conf means all files? right? but I don't use -user root
it means all files with the extension .conf
* is a wildcard, it means anything, since you have .conf it will find anything with .conf
* is a greedy bastard, it matches any and every character it can
but the command find / -type f -name *.conf -size +25k -size -28k -newermt 2020-03-03 -exec ls -al {} \; 2>/dev/null should be right
go type it in the damn terminal and find out
It worked but I'm still confused a bit
so ask a question, don't just say you're confused, tell us what you're confused about
With the command that I used, it says the -exec ls -al {} \;, what is that used for?
^
for some reason I don't get that stuff.
you can also try ls -la on its own to see what it does
But, then to find all files with the .bak extension, I would do the same exact command but without the -size filters
if you do
man find
then search for -exec you can find what it's doing
nop
what would I change?
more than just the -size filters
to find the .bak files you oughta just use the flags you NEED, you have already identified that you don't need the size filters, what else don't you need?
the -user, oh, the -newermt
so it would be `find / -type f -name *.bak -exec ls -al {} ; 2>/dev/null`
; 👀
you don't need to ls -al them
well, i used ls -al and it worked
well you don't need to but it's nice to have 🙂
i mean yeah
Now, one more, the xxd binary
this one is by far the easiest
Clearly not for me, you are experienced
don't overcomplicate it; there's a command at the top of the section
just keep it simple
Still using the find command
don't gotta do that
there's more than one command covered in the section you know
as i said a handy command is given at the very top of the section
which, but I would not see that to find the xxd binary.
I probably use this command much more than find lmao
which
man which if you're confused
ah
but it tells you xxd is a binary aka a command
which what? which python? which...?
dear hanna, that took way too long
Nice, please don't come back later with a question about curl 
...
don't reveal answers while the module isn't above t0; revealing answers is still against the rules
This is tier 0...
tbf the section with curl deals a lot more with other commands than it does curl
I know... I'm foreshadowing
got bored
So I did the find command to find stuff for .log. but now it's asking how many packages are installed on target system
well; find won't be useful here
dpkg (common on debian distributions) or apt (a common package manager) will be your friend here
well apt list might list all packages not just all installed packages
and i would be careful that the command doesn't print extra lines, those can be tricky
I can notice
but def don't wanna count by hand, you'd be here till next Tuesday
man apt ...
hehe
hmh
@digital steeple i challenge you to go 10 minutes without rushing in here for help
gotta figure out how to unstuck yourself
this isn't just to be a dick
ah, thanks.
employers, and coworkers, don't generally like people that have to ask for help every 5 minutes
we're trying to teach you the ways of searching yourself so you don't end up in the skiddy pool
I know, I have over 2500 lines of notes in obsidian with commands
but do you actually know what those commands do?
or did you just copy because you saw it once
I have a small desc and a example, no, I wrote them all down
for me i have a rough idea of what the commands i typically use do; as far as drilling into syntax i only really keep note of obscure syntax stuff
Ah
like for instance @waxen totem bringing up -perm -4000 i noted it down because it's interesting because it means that if i find an executable file with that permission, that i can run, i can look for ways to break out of that command with GTFObins or some other CVE related thing

