#modules
hi, is answering questions in short form a bug or intended
like answer was p2p i can use peer-2-peer
intended
why tho
i'm not staff though so idk
i was just doing new android module same thing happened
#1234357888114364508 if you wanna sanity check; otherwise chat support
it just feels like i didnt read the module correctly but then i realize i was right
Am I at the right place to ask for advice regarding penetration tester job role path module?
hide the answer
Thank you
I already tried using Hydra and metasploit did not receive any valid credentials not sure how to proceed.
each service has a unique user; perhaps c:/users can help narrow things down
passwords for them should be bruteforced as well?
yes
I'm probably brain dead, I found the user list earlier all of them are in the username list but I still can't bruteforce the rdp or smb services. Maybe you can give me one more hint?
Been stuck on the Detecting RDP Brute Force Attacks in the Detecting Windows Attacks with Splunk module for the last 24hrs because every time I go to access the splunk application I get an error stating the server reset the connection. Basically hard stuck since no matter how many times I reset the target IP it still doesn't work and I've been waiting since 10am to speak to HTB support agent...
As I thought I'm just braindead, understood my error, thank you for responding
guys where did the general chat go
in powershell, what's the difference between the following?
... | ? {$_SecurityIdentifier -eq $sid}
... | ? {$_.SecurityIdentifier -eq $sid}
one of the solutions to a question in the ad enumeration module relied on the first, which omits the dot
the second is accessing the SecurityIdentifier property of the object that's piped to it, but how is that first one interpreted?
to answer my question: i'm overthinking it, it's just a typo in the solution
Did you run Seatbelt and the Seatbelt module AMSIProviders?
check ls
Hi there, i'm doing the NoSQL injection module. I'm on the In-Band Data Extraction page, and struggling to find a valid payload for a GET request. Any help would be much appreciated.
Edit: Ignore - got it.
hi all I'm watching HTB yt channel on basic cybersecurity test would it be more beneficial to do the Linux fundamentals or to start the module itself
Hey , anyway did getting started module in the last section there is a box .. here the link of the box : https://academy.hackthebox.com/module/77/section/721
I root the box (using sudo -l ) but they say there is 2 ways to gain root .. any hints I try search for the method 2 but no luck..
that's what you link to btw
Yes
there's no lab for this section
I send the link of the box https://academy.hackthebox.com/module/77/section/721
that's not a box btw; that's an academy section
module: Getting Started
Section: Infosec Overview
where LOL this section doesn't have a machine or challenge
there's nothing to spawn here
read the blurb again; there's two ways to gain foothold not privesc
foothold means entry
one via metasploit and one manually
afaik only one way to actually get root from that
Guys I need help in Kerberos Attacks - Pass The Ticket:
When in use the .\Rubeus.exe triage I dont see any tickets available:
PS C:\tools> .\Rubeus.exe triage
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.2
Action: Triage Kerberos Tickets (Current User)
[*] Current LUID : 0x49898
---------------------------------------
| LUID | UserName | Service | EndTime |
---------------------------------------
---------------------------------------
ii yes the foothold i did it using metasploit (easy + no need to the authentication ) + manual already did it
then that's all there is, there's no hidden root vector
as it states:
Two ways to gain FOOTHOLD
so you've been chasing a rabbit hole
Sounds like you don't have any tickets then. You can confirm with the command "klist."
ah nvm it does mention two root vectors
but imo it's not really all that important @lime cosmos
"There are two ways to escalate privileges to root on the target after obtaining a foothold."
i suggest moving on with your life and moving forward and coming back to challenge a different way once you have more experience with other modules
ok i will back to it after studying priv esc module
if you're doing the cpts path; the linux privesc module is way down the line
yes am doing cpts path
imo getting the manual foothold is better than finding another root vector
@lavish ember no need to post content from the module. Remember it's against the rules for anything above tier 0.
shows that you don't need to rely on too many tools to get the way forward
oh mb
can you help me tho?
I feel like it's glitched
Are you running the Rubeus command in the spawned command prompt or in the powershell session?
I tried both
rebeus lol i see this tool on mr robot series
well the command prompt wouldn't have any. it's been a really long time since I did this module but there should be some in the powershell session. first thing i'd try is restarting the target i guess. it could also be you haven't waited enough time.
I tried resetting it yeah and didn't work also lol
So am I stuck there forever? haha
I'll try, give me a sec
okay tyt
Alright, works for me. Sometimes you need to execute commands under another context.
so the box is fine I just need to think of another approach with the command you mean?
yeah the command works fine
i was able to replicate pulling the tickets and also what you did pulling no tickets
I think I get it
It shows me only what the current user has
not all users right?
Think elevated context.
Stuck on Attacking Common Services - Easy Question " You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer." Found user but unable to bruteforce password using rockyou against smtp. Advice?
Have you tried with the wordlist provided in the resources section of the module?
yea didn't work as well
oh ok. i actually didn't take notes for the easy lab so i can't help much.
nvm, got it. stupid port 25 closed on me. had to revert box
Hello guys,
I'm stuck for two evenings on XSS module skill assessment, made everything but still the request is not reaching my myip:port/script.js. Any advice?
@runic rampart I was able to find the flag. I had to basically do a Mana attack that was shown in the WPA3 section (mac.conf), and then make sure your MAC address matches the target AP. That will jam the target AP, which will disconnect the client. Then, you can do the Wifiphisher plugin attack. That worked for me.
stuck on the final question in the Footprinting module, DNS Section (What is the FQDN of the host where the last octet ends with "x.x.x.203"? )
gotta dig deep y'know
so i gotta "dig" deep?
yep
mhmm, ig i tried, lemme give another shot
maybe you only tried the surface level, remember, dig deep
What do you mean? Reading and doing all that IS the module...
going through the info first and continue with modules
ig he meant if he could skip this and go ahead with other modules and come back to this module later
Do the modules in order, that's very important because the modules depend on information you gathered from previous modules
Nahh, it's a module, keep following it
There are no info boards on academy
fine, then go through it tmrw, if u wanna do smtg practical rn
but I highly recommend doing it in the order, a lesson I learnt in my early days
u dunno which command and/or information could help you during assessments
it's info about how the actual pentesting cycle works
hey i tried multiple ways but i didn't find any x.x.x.203
i've found a 201 and few other FQDN's but nothing for x.x.x.203
if you saw a web app page that can modify the user info, and upload image profile, what you gonna think of to try and play around with?
the hint under question says, "Remember that different wordlists do not always have the same entries." when I used dnsrecon to brute force, it took forever
I didn't understand about modify user info, using image upload ig, we could try to tamper the upload utility
Hello, good evening, do you help people with computer virus problems?
and if we can actually modify user info, it could lead to account takeover eventually
computer virus?
yep
I am sorry for confusing you, i mean we logged in and have a page to edit our information, and also a way to upload profile pic image, so i wonder if there any we can test to look for any kind of vulnerabilities?
I was infected
ig the server's not directed in what you're looking for, personally i'd suggest you to contact someone trustworthy in person, or fall back to trusted antivirus softwares.
if you want a suggestion you can DM me, about the specifics
Yes I can help you
A few hours ago I installed a file directly from discord and since then the cmd suddenly started appearing on my screen running users\public\microsoftedg and below some lines talking about RegAsm
Let me dm you okay?
ok
We can't help with that
Brute through the subdomains
what is the password here ? i believe there is no password in this right ? if yes then when its asking for password and i am just pressing enter its showing wrong password , so is there really password which i am missing ?
btw this is Skills Assessment section of Introduction to Windows Command Line
please do guide me on this asap :-))
Look at the instructions it mentions that the password to use for each consecutive user is the flag of the previous user
thanks buddy :-)) , i got it
Has anyone done the module Active Directory Trust Attacks: Attacking Cross Forest Trust
I cant seem to authenticate using rdp, has anyone experienced this issue before?
Hi am doing web proxies module ZAP fuzzer
I need to bruteforce the user cookie after encoding with md5 hash
But in the request there is no a user parameter or similar in order to mark as a location
i haven't, but what's the issue you're getting? black screen?
the request does not set a username, it sets a hash of a username
Still, i dont have a parameter to modify
where in the request does it send off something that looks like an md5 hash?
Mind if DM u?
yeah sure
anyone have idea where i could find footprinting-wordlist
Anyone up to discuss the Pivoting Skills Assessment? I just have a quick question about the network addresses and masks/CIDRs that I've noticed.
Top of the page you should see a resources button:
hey i was able to do the brute force, turns out i. didn't notice that my target expired lmao
when i try to brute force using the given wordlist under resources the username didn't turn up in the results? am i missin smtg
smtp-user-enum -M VRFY -U u.txt -t 10.129.42.195
this is the cmnd i'm using
try the other modes
EXPN,RCPT also gave the same o/p and this time the target is running, i'm currently running the same cmd with -w 60 to increase timeout gotta see if i'd get the result
yup -w 60 worked
I'll have some time shortly, if you want to DM.
sent a friend req cos my DMs are locked
Attacking SAM
I have the registry files, but when I run the secretsdump.py nothing's happening, not sure if I'm missing something or maybe something whacky is happening with my kali?
post the command you're running
have the system file?
Yes I have all 3
```
└─$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system - system.save
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: [Errno Connection error (system.save:445)] [Errno -2] Name or service not known
[*] Cleaning up...
```
python3 /usr/local/bin/secretsdump.py -sam sam -system system LOCAL
you need a target
local as in the domain
at first I did - LOCAL like it was in the module, same thing happened
```
└─$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system - system.save -LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
usage: secretsdump.py [-h] [-ts] [-debug] [-system SYSTEM] [-bootkey BOOTKEY] [-security SECURITY] [-sam SAM]
[-ntds NTDS] [-resumefile RESUMEFILE] [-skip-sam] [-skip-security]
[-outputfile OUTPUTFILE] [-use-vss] [-rodcNo RODCNO] [-rodcKey RODCKEY] [-use-keylist]
[-exec-method [{smbexec,wmiexec,mmcexec}]] [-use-remoteSSMethod]
[-remoteSS-remote-volume REMOTESS_REMOTE_VOLUME]
[-remoteSS-local-path REMOTESS_LOCAL_PATH] [-just-dc-user USERNAME]
[-ldapfilter LDAPFILTER] [-just-dc] [-just-dc-ntlm] [-skip-user SKIP_USER] [-pwd-last-set]
[-user-status] [-history] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
[-keytab KEYTAB] [-dc-ip ip address] [-target-ip ip address]
target
secretsdump.py: error: unrecognized arguments: -LOCAL
```
there's a dash between -system and system.save, remove that
the target is a positional parameter, not a flag
check the size of the sam and system files - do they match the target file's size
got rid of that dash "-" kept local, same thing happened
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
they're big files - sometimes they don't transfer over entirely and it's something to check
get rid of the dash here:
-system - system.save
^
yeah I did
and on the -LOCAL ? also try without the security save
gives this same error
can you post the command again that you're running
remove the .save on both - never seen that before
```
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save -LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
usage: secretsdump.py [-h] [-ts] [-debug] [-system SYSTEM] [-bootkey BOOTKEY] [-security SECURITY] [-sam SAM]
[-ntds NTDS] [-resumefile RESUMEFILE] [-skip-sam] [-skip-security]
[-outputfile OUTPUTFILE] [-use-vss] [-rodcNo RODCNO] [-rodcKey RODCKEY] [-use-keylist]
[-exec-method [{smbexec,wmiexec,mmcexec}]] [-use-remoteSSMethod]
[-remoteSS-remote-volume REMOTESS_REMOTE_VOLUME]
[-remoteSS-local-path REMOTESS_LOCAL_PATH] [-just-dc-user USERNAME]
[-ldapfilter LDAPFILTER] [-just-dc] [-just-dc-ntlm] [-skip-user SKIP_USER] [-pwd-last-set]
[-user-status] [-history] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
[-keytab KEYTAB] [-dc-ip ip address] [-target-ip ip address]
target
secretsdump.py: error: the following arguments are required: target
```
you've still got a - in front of local. like i said, it's not a flag
remove the - on -LOCAL it should just be: LOCAL
LOCAL is your target cos you got the registry files downloaded on your LOCAL machine
so you need specify the target somehow - could try the ip
still gives same error
show again please
that is what LOCAL does
sorry, not same error - different one:
```
└─$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] [Errno 2] No such file or directory: 'system.save'
[*] Cleaning up...
```
It can't find system.save is that the actual file name of the system hive?
yeah I just double checked on my desktop to make sure that's what it's named
remove the .save - make sure those system, sam, security are all in the directory you're running the script from
what directory are you running the command in?
desktop
can you ls -lash
that's a massive file mate 
... 65 kb?
In AD Enumeration & Attacks - Skills Assessment Part II - Question 6 - I could never get creds from winpeas, snaffler, or seatbelt - has anyone else recently done this?
the netdb user
that sounds about the right size, the hive files in the labs aren't very big
really? in my experience they massive
don't know which exact lab this is
i've got one from a lab i'm on that's 20MB
Stop the current active machine you should see it to the right of the search bar
dm me and i can help you figure out your command
it seems to have worked just re-downloading them
there should be a little icon glowing in the top bar of the website - which is your active machine
@prime magnet
not sure what happened before?
file transfers aren't always clean - especially the bigger they get
Thank you guys
you've been exposed that's all 
DW we were all noobs at some point, I still consider myself rather noobish
Enumerate a common location that the module hits on quite a bit. If you cannot figure that out, you can DM me.
can anyone help with assembly language module on this question on how to use jump instruction https://academy.hackthebox.com/module/85/section/892
I sure can
Dm privately??
you sure can help a lot dm me
I did email at that email but didn't get any reply yet does it usually take that long??
it can take a while, yes
Any estimated time I can expect??
no idea i'm not staff
Okay thanks for the reply
Perhaps this article will help:
https://www.hackthebox.com/blog/new-challenge-submission-process
Within 2 months we will either approve, reject, or ask for changes.
Hey guys. Been lurking for a while, figured I'll jump in now that I'm going to school for cybersecurity and doing modules as well
glhf; this channel is always here for nudges forward and the search function can be OP for helping
I enjoy a good Ole search button. It's been my friend while I lurk
hey, atm i am doing the "Getting Started" module page "service scanning"
i am required to enter bob's password which is given in the module but bash will not allow me to enter any text here
anyone has any idea why bash will not allow me to input bob's password
you will not see typing the characters (e.g., the *****), type the password and press enter
text is being entered
with bash it's a security feature to not show the password or even masking characters as you're typing
this is also to prevent shoulder surfing as someone may see how many characters a password is
hey can i dm really quick?
yes pls
Anyone did Ffuf module from CPTS as of late ?
guys can someone give me a hint in the skill assessment of advanced sqli
what am i doing wrong?
errors 372
is your hosts file correct?
Why do you define port on url?
cause the machine has a port
But you want to find subdomains, the port is to request for the specific service under this port
Can you try once without the port?
yea i tried that before still got errors
because he's attacking a publicIP:PORT
and the web service is specifically running on that port that he has to attack
so it's not on default 80
No, that doesn't work. If a target shows you a port, only that one port is available.
Got it
so all domains are linked to that port
for this specific thing: yes
could be some weird issue with your router killing the traffic, assuming on a vm try switching from bridged -> NAT or the other way around
Hello
Doing web proxies assessment question 3
I modified the cookie as was needed and i got the flag
But i dont understand why all cookies that were modified in the list give the flag?
not all will result in the flag btw
but a good handful; this is mostly by design of the lab to avoid spending a lot of time waiting on the attack to finish
Oh ok thanks
I have started Documentation & Reporting Practice Assessment. As I prefer working from my kali machine, I am trying to use Dynamic port forwarding through ssh so that I can enumerate from my machine. But It is not working. When using nmap from the parrot machine I get results from the target host (let's say 172.16.5.200) but I get timeout from my machine. I have also tried with chisel but again I don't get results. Any idea why?
using sudo?
i used ligolo for my proxy needs ¯\_(ツ)_/¯
so i never bothered with pf stuff
No without sudo. I have tried though with sudo as well but didn't work either
i assume with nmap you're using the -Pn flag?
yes
icmp traffic isn't a fan of some proxy/pf types
So it might not always work?
i don't have much notes on this module or using ssh port forwarding/chisel
Hello i have a problem with the linux module, i need to get the last modified file in the /var/backups directory. my input command is $ls -la -l -lt /etc/ which would give me the latest modified hidden file but it doesnt seem to work
i have connected to the ssh
Why so many -l in there?
-la is the same as -l -a
Same with -lt, -l -t
Look at the path again.
Also the path
i put the path behind it
Yes, but you want to look at a different path than the one you specify in the command.
i did not know that thanks, i was just smashing everything in there, got frustrated xD
Read the question, then the command you put
Do as Balu does:
Look for the bare necessities
The simple bare necessities
Note: not all tools allow for squished flags
My favorite udp scan though is nmap -sUV
switching to bridge isn't giving me any errors
If there's a d before the permissions, it's a directory
Though getting pedantic: everything is a file in linux
Hello @fathom pendant Im doing SCCM module. 'Connect to the shared folder \LAB-DC\SCCMShare\PUSH using the PUSH account and read the content of the flag.txt.' However the creds do not work. Can you help me with this?
hey guys do you also face with difficulties with Academy targets, most of the time the server wont respond. I was doing "Advanced SQL Injections" skill assessment but the generated target stalls every 1-2 minutes I tried to reset it but still works soo bad
@fathom pendant
in this questions this happened again *in new android fundamentals module
CoolName is correct answer but coolname is not
like its not programing question
or there should be hint saying 'case sensitive'
after 2hrs and about 70 cmds. I would like someone to please tell me which "CMD" line is to be used (not PS).
Introduction to WIN CMD LINE> Finding Files & Directories> 2nd Question. aka find Waldo.txt
Hi guys i'm at the Information Gathering-Web Edition module and Fingerprinting section and i can't access app.inlanefreight.local thus can't answer the 2nd question. Can anybody help?
Did you add it to your /etc/hosts file?
I've found the problem
I just finished this module, I used chisel and proxychains, if you need any help let me know.
cd to \ directory
and run this command
dir /s Waldo.txt
again i'm not staff: #1234357888114364508 for errors
i haven't done the module
What is the best place to ask for help on intro to bash comparison exercise?
I am stuck
in this channel
Ahoy y'all! I am working on the SIEM Visualization Example 2 module from the SOC analyst path, and I am totally stuck on the last question. It asks what should follow user.name in the KQL query in order to filter by admin users only. I feel like the obvious answer would be ||admin* or administrator||, but I have not been able to figure out an answer that the answer box will accept. Am I thinking about this right?
think of your first query you're only looking for things that start with admin [admin*]
think of all scenarios
Hello, Im stuck in the credential hunting in Windows i found everything except the WinSCP password.
To do so i mv Lazagne to the Windows but it says password not found is it normal ?
read and follow #welcome to access #1353066219653304450
@pale silo your post also is spoiling an active machine, for active boxes you need to ask for nudges for steps and not spoil directly what you've found
ok, thx. I'm now registered
oh, ok. sorry...
anyway, what should i do? maybe some advice?
Hello can someone give a bit of advice on the burp intruder module
The question is Use Burp Intruder to fuzz for '.html' files under the /admin directory, to find a file containing the flag.
Using the common.txt word list, with burp suite throttle this is probably going to take 12 hours, am I on the right track
Yeah sadly unless you have burp pro, intruder is super slow
Probably better to just use another fuzzer
Also missing a slash after admin
i don't recall issues with intruder on this taking too long
i just monitored the results
Im on 274/4734 on the wordlist with only 59 minutes left on the machine and no option to extend the machine
Im wondering if there is a smaller wordlist Im supposed to use
yeah the public IP won't get extended
Hi folks
I am on INTRODUCTION TO WINDOWS EVASION TECHNIQUES .
But I am a bit lost
Where do we suppose to compile the shellcode? on victim?
The shellcode itself.... should I use NotMalware ? the c# code? but insert the msfvenom line based on our IP address?
does the module not give you a dev machine to mess with?
FFuF found the directory for it in 20 seconds, ty @fathom pendant & @waxen totem for the pointers. So much for it being a learning module for burp suite
I would recommend using FFUF or Gobuster if you have the knowledge way faster
Hey guys, sorry for the irrelevant question, where can I ask for nudges regarding traditional machines?
@severe inlet thanks, I did and it worked a treat, I really think any fuzzing modules concerning Burp suite should have a word list supplied, I dont mind waiting an hour or so but the throttling just makes the learning process painful
You just need to understand how to use the intruder after that feel free to use ffuf or something else
Indeed, I have Caido installed but have yet to get my head around it, Once I break up from University I'll dedicate some time to learning it
Caido, burp, zap, all work pretty much the same with different interfaces
can someone explain why if i count installed packages with $ apt list installed | wc -l it counts 738 and if i use the | grep -c installed* it counts 737?
Headers exist
Hi! I'm on the Skills Assessment 2 page of the NoSQL Injection module. I have a good idea of what i'm supposed to do, but I'm struggling with a valid payload to trigger some kind of a different response. I have a valid username, and understand where the injection point should be, but can't seem to trigger it in any way, can someone please help me out?
oh right, so wc -l also counts headers then?
it worked on conf files before tho
not sure why it doesnt work on installed packages
It counts every line without filtering, apt list installed has headers
E.g
list of packages:
okay thanks!
Yep a couple of the binaries tell you they're not made for piping output
hey
https://academy.hackthebox.com/module/19/section/108
can't find the flag here .. i try default script -sC .. banner, vuln but no flag
You need to use an additional script not just default, banner, or vuln, think specific to the services on the open ports
i can't try them all (--script All ) it will take long time
So just try specific ones based on the services you've found
ok
Yes but I only have 1 IP.
Is the code in that Dev box ? How can I obtain that IP so I can RDP and do the required work ?
You'd have to jump back and forth from what others have said
Essentially you can have the introductory section open in one tab of your browser for spawning your DEV instance and in another tab work through the sections that contain your TARGET instances. I recommend building a few different payloads out, just in case, but follow along with the section, use what is provided and you should be good. Make sure you pay attention to detail when you are building things out. You'll have to terminate your DEV instance to start your TARGET instances. Hopefully that isn't too confusing.
How often can i re-ask the same question for help if I don't get any response?
It's preferable not to repost unless your question got buried
@rustic sage this isn't a hacker4hire server
So is 24 hours roughly ok?
If for some reason it hasn't been answered, sure
A little bit, lol, but I'm on my phone right now. Let me take a look in a few. Thanks
But I'd also advocate for working on the problem while waiting on someone to answer
Rubber duck debugging is a real thing, you ask your question and immediately see the solution
Without a reply from anyone
Rubber duck got words of wisdom fr fr
Yes, of course. I'm pretty hard-stuck at the moment. I'm searching through previous hints, and i've found information for everything except the thing i'm stuck on. It seems like people will only DM the step i'm looking for.
We can't read your mind on what you're stuck on
@fathom pendant they posted it just earlier
Ah right, buried
But yeah things like that get moved to dms because the module is above tier 0
So to avoid spoilers; it gets shifted to dm :)
Roger that. I'll delete my original, and post again tomorrow if no one has replied. Thanks.
You don't have to delete
I've seen cases where someone replies to a message a while later asking if still need help sometimes days, sometimes months
But either way deleting it really doesn't help your case
If anyone does what I do and use the "In: [hashtag]Modules" search function, they might just see my non-answered result several times, rather than something that can help them. It seems better to delete a question that hasn't been responded to.
I see now . Not the most elegant solution . Why not two buttons to start two different VMs: Dev and Target.
I don't know /feedback <--
hey
still nothing find
i try many nmap script to find the flag as they say + 1 Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.
-sC should show an interesting file on the server: it may not enumerate the page
If you're given ip:port, specify port
waiting the results of -sC . hope so get the flag
i try the top script manually and nothing
There will be a .txt file that's revealed
i dont understand u
where ?
The -sC should find it
ok
nothing found
working through the footprinting module now and there have been a few times ive gotten an answer but not so sure that was the intended way to get there. is there ever a resource that shows the other ways i could have skinned the cat? (or maybe a less barbaric analogy saying other ways to get the same solution)
Who won the partner up with me or be my mentor and teach me python
Try http specific scripts
#programming ; read and follow #welcome to access it
Yes I try --script 'http*'
If you got the answer 9/10 times, it's intended
That will take forever
Maybe try just the http scripts mentioned by the examples
I try them... All lol
¯\_(ツ)_/¯
I can't access the exam if I don't answer all the modules questions/labs ?
you need to complete the path 100%
hi MarcieLee, I could ask you a question via DM
where do i post about issues with a module? like i'm struggling and need answers
ask here
sure
I am stuck on question 1 in the WordPress skills assessment. I have run every thing I can think of and the site says it's not a WP site. It's run on Apache 2.4 but I cannot seem to get to see the version.
During web assessments it's always best to make sure to click on every single link you can find.
I will look again but the source code all looks the same
I mistakenly closed the cmd console when I rdp'ed into internal network in AEN. Is there any coming back from this without having to restart the target?
can you not simply re-open the terminal?
press the space bar
ahh ok. i don't know.
gonna have to reset the environment
Hey I am on Getting Started in Privilege Escalation, I've ssh'd into the machine but I can't figure out how to escalate privileges.
i forget is that the one where you have to get to user2 then root?
always check what your user can sudo;
always check for files that you shouldn't have read access to
those are separate bits of info btw
sudo can be thought of as the linux equivalent to runas
man sudo or sudo --help iirc should get you more info what sudo can do
I've check sudo I've tried looking for etc/shadow, and ssh keys but I can't find anything
gonna assume at this point you're user2?
if so: there is something hiding in the roots
m
Hi, who can help me with the command to know how many services are listening on the target system on all interfaces? (Not only on localhost and IPv4) I am stuck
What have you tried so far?
can i get help from a pro hacker pls... I found an issue and I think this may need to be reviewed...
this wasted a lot of time of mine... and I just want to make sure I understand the instruction correctly.
@west canopy are you able to assist me please?
after 2hrs and about 70 cmds. I would like someone to please tell me which "CMD" line is to be used (not PowerShell command, since the module is only about CMD host enumeration).
Module: Introduction to WIN CMD LINE> Section: Finding Files & Directories> 2nd Question. "Waldo.txt"
I can tell you - that yes, a PS cmd worked, but the questions explicitly states, only using commands that we have learned up until this point, which was all CMD CLI... So, was there a package that was needed to be installed again once I ssh'd back into the instance and opened up the terminal for the sudo PS / sudo CMD interface? because barely any commands worked
Might be more for #1234357888114364508
yah, tried all them bro..
Wdym all of them unless you give examples we cant really help all too much
exactly - that's the issue
Maybe try find waldo.txt C:/
I'll have a look when I get on my pc
Same, am on phone rn
thanks.. that's all i asked is someone to review... I already found the answer.. but it was using a powershell command, but that was not a taught command in the module... which is why i wasted so many hours...
and any command that was taught did not work
nope..
tried it

No need to ever ping staff
thanks - appreciate that tip.. I won't again..
@dense tree figured it out, if you can see PS in the prompt its a powershell prompt and where is aliased to where-object which has a different syntax
To fix: run cmd to enter cmd context then run the where command
This absolutely makes sense!
issue I had is that I overlooked; although I knew how to access cmd & PS through the xfreerdp >WIN VM.
I didn't know that I had to use the CMD prompt inside the PS CLI that I ssh'd into... But you taught me something new about this VM instance. Thank you very much.
Hi
Module: Windows Privilege Escalation
Section: Kernel Exploits
Section link: https://academy.hackthebox.com/module/67/section/627
To exploit CVE-2020-0668, the text says:
we can also look for any third-party software, which can be leveraged, such as the Mozilla Maintenance Service. This service runs in the context of SYSTEM and is startable by unprivileged users.
What if "Mozilla Maintenance Service" is not present in the system. How can we find the third-party services that runs in the context of SYSTEM and is startable by unprivileged users?
In this case you will have to enumerate the system and take stock of what is installed, and, subsequently, you will perform a research to find if any of the found services can be used to escalate your privileges. In the future, when you advance and hone your skills, you may find something that hasn't been uncovered yet.
Wordpress module skill assessment find the vulnerable plugin with unauthenticated file download but i have no idea how to use the poc
Course says: 'An attacker can employ various methods to force a null origin on a cross-origin request, which is subsequently trusted, resulting in a Same-Origin policy exception.' this can be done by using 'sandboxed iframe'. But it did not work either:
The module you are referencing is a Tier III module. Please do not post any content from the module.
Others did that too, but sorry
You can send me a DM and we'll see what's not working.
Man I was about to grind out shells and payloads then the internet went out 
Good morning, when i put in this command curl https://inlanefreight.com | grep -oE 'https?://inlanefreight.com[^"#]+ i stays stuck at >
i think i found an unintended solution in web service & api attacks on the section of "Information Disclosure (with a twist of SQLi)"
can anyone explain me why this happens? thanks in advance!
is the target machine also available for just 2 hours to free users? if im using openvpn n my own machine?
or thats just for pwnbox
You forgot the closing '
where can u report unintended solutions
Could anyone help me in module 77 section 843? Please DM me
I am inside of "Getting Started" and at "Public Exploits"
Okie dokie, another 'Print Spooler & NTLM Relaying section.' question.
I have successfully rdp'd from kali to DC1 and changed the registry value to 1 and restarted DC1.
Back on the kali machine I've run ./dementor.py 172.16.18.20 172.16.18.3 -u bob -d eagle.local -p Slavi123 and impacket-ntlmrelayx -t dcsync://172.16.18.4 -smb2support
I have received two error messages:
||[-] exception RPRN SessionError: code: 0x6ab - RPC_S_INVALID_NET_ADDR - The network address is invalid.||
||[-] exception RPRN SessionError: code: 0x6ab - RPC_S_INVALID_NET_ADDR - The network address is invalid.||
Both don't answer the question. Unfortunately, being in Aus RDP is snail slow and makes the whole process pretty frustrating. Would love a hint in the right direction, Thank you!
reported it thanks @acoustic owl
hello. I am at Pivoting, Tunneling & Port Forwarding Module where we have to use meterpreter for port forwarding, my question is: the module is not setting the active meterpreter session into the socks_proxy module of metasploit. so How will it route the traffic through the pivot?
I think there is a option to set session like we set other parameters, but HTB didn't use it, dont know why?
It doesn't in fact have any option to set the proxy session because it's creating a proxy server on your localhost with the specified port
because it doesnt have a session option
I know, but should it not route the traffic from the meterpreter session?
that's the autoroute's job
The socks proxy allows our attacker machine to interface with msf's network structure through proxychains, msf itself creates routes towards the target through an active session using autoroute
okay, so the scenario is this: first we created the socks proxy to route all traffic from msf network structure, then we used autoroute to add a route to that network structure binding the session to it. so we can use proxychains to route through msf network and use the routes created by autoroute!
is this correct?
kinda lost me there but essentially:
- route/autoroute: creates iptable route to route traffic towards the networks in the active meterpreter session
- socks_proxy: runs a server on the local machine to route any traffic given to it through metasploit's ip route table
- proxychains: runs a command through the socks proxy
View Metasploit Framework Documentation
Yeah. I got it, Also sorry that my question was confusing.
Ok
@analog kiln I will now delete your messages as it violates rules of the server to ask for such.
Ok
Hello, has anyone completed the Spookifier challenge? I already have the flag, but I'm trying a reverse shell, and it doesn't work. Am I the only one trying to do this?
#challenges is the correct channel
If you do not have access go identify your account, instructions ---> #welcome
hello guys
im doing a simple task in one of the sections in introduction to windows command line
to do the task i need where but it's just not there
is there any alternative commands you can suggest
Dejavu 

ty
i didn't realize im in power-shell not cmd
yeah it was in the previous sections that specify the prompt differences
where works here
yeah mb, didn't remember the exact commands cos I don't use CMD very often 
Where do I ask questions about a lab in a module?
I am stuck on Linux Priv Esc Environment Enumeration lab
you can ask in this channel
Guys I am on the second user on the machine but I don't know where to go from next.
I did the sudo with the binary as another user.
I don't see anything useful in the second user's home directory
module/51/section/1592
Uhhh never mind guys i just found it, was in a place I never expected it to be at
It is just confusing because it said this module is for linux environment but the lab got nothing to do with that at all. It is totally irrelevant.
Could anyone help me in module 77 section 843? Please DM me
I am inside of "Getting Started" and at "Public Exploits"
Can I DM someone on LOLBAS: Rundll32.exe section in Windows Evasion Techniques module?
Guys how do I link my hackthebox with discord? and also why i cannot chat in #general ?
Check #welcome
Thanks
Hi can someone help me, I do not understand what is wrong with my powerview. I cannot get the Get-DomainUser function to work
Get-netuser works fine
it clearly states that the first cmdlet is not recognised, its powerview i guess. make sure you use the correct version of it or re-check the syntax
also try re-loading the module
I know that, but I downloaded the exact version in the module, can you share a reliable version otherwise
https://academy.hackthebox.com/module/136/section/1291
i added line 19 in burp . but it still not working
why ?
I used this: https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 when I was doing AD
guys what should I do if all the ports closed ?
scanned for the UDP ports?
-sU and -sS yes
all? if its a Lab or module, that should not be the case. try -p- and also UDP
and -A
I tried the command: ss -tulnp | grep -E '0.0.0.0|::' | grep -v '127.0.0.1' | wc -l
Not reachable
is your vpn up? may need to restart vpn or Spawn the Instance again
still the same
Has anyone done Question 2 in skill assessment in advanced SQLi?
You can DM me
Hey guys, has anyone completed "Advanced SQL injection" if so then could you please help me with final RCE skill assessment?
You can also DM me 
Hi, as funny as this may sound, can someone give a hint where to go for solution 6 - the last question in Windows Lateral Movement SA? I have the VNC password
I'd try to get on the host where you got that password from.
lol - I ran "Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion -Recurse" on my local....
not recommended
i mean, not like it breaks anything
thank god
Citrix Breakout, Windows Privilege escalation, question 2, admin flag.
I could || spawn cmd || and read the first flag. Looked for easy paths to escalate. Found none. So. Now I want some tools. So I tried mounting a SMB share, failed. So checked connectivity. When I ping my Kali and the IP I could first RDP into, there is no connection. Pinged localhost just to verify that ping worked. It did. Is this expected? Should I find a route without needing anything uploaded? Not sure how to upload anything. Also tried alter the network settings in the VDI I'm in, but got denied. Any hint on how to move forward?
And btw, it is indeed extremely laggy the instance, but I guess you already know that. cheers
literally all it does is just Get information; Get-Help Get-ChildItem will explain it
You can use SMB sharing method as the module mentions it, in order to get files. Make sure you are running the SMB share from the right place
Ah ok. So ping not working is expected (silly me), but when launching the "right way" it surpasses it. Great, thanks!
Goodluck, and yeah it was hella laggy
@midnight vigil i don't do private dms unless either;
- I already know you
- it's for business
Question about a specific situation in the "Linux Fundamentals," course. I've completed it. I've run into a problem in the "Task Scheduling" unit. There is a single question in it. I made an honest mistake in my answer. I provided x-xxxxxxxxxx (obviously this is not the correct length answer, I don't want to give any hints). The answer was what I provided, but without the hyphen (again, I'm hiding even the answer length). I tried the answer without the hyphen, and it was accepted. It still shows as the answer. But I can not, for the life of me, do anything to get the green checkmark to complete the "Task Scheduling" unit in "linux Fundamentals." What am I doing wrong? And yes, I hit Mark Complete & Next at the bottom.
Figured it out, I had another tab open.
Naturally I had to ask before I could figure it out.
done, But it seems to me that I didn't do it the way I originally intended.
You can DM if you'd like.
help plz... I am at user3 of skill assessment section of windows command line module.
the flag from user2 is not the password for user3?
try putting the password in single quotes 'like-this'
nope
i haven't done that module in a hot minute ¯\_(ツ)_/¯
but i'll let you in on a secret; most stuff can be done with other users so if you're stuck try using a different user
i found the flag with "whoami" command... it worked as the answer for the previous task
but not as a password for the next one
like i said it's been a minute ¯\_(ツ)_/¯
argh... CAPITAL LETTERS
Hi folks, can I please get some help with "Intro To Windows Evasion - Static Analysis"
I connected to DEV box. Copy/paste the 1st C# code. Added the msfvenom shellcode, using Kali's IP and port 4444. Then build ... no problems.
The instructions say "add the executable to C:\Tools\Alpha\Static"
I did. But after almost 10 min I see no flag. As a matter of fact, I run the .exe and I get no shell.
All this was done on DEV. Can I someone please DM me or maybe give me a nudge? what am I missing?
Was this also done on DEV ?
add the executable to C:\Tools\Alpha\Static
By the way. My executable was created at || C:\Tools\exercise\ConsoleApp1\ConsoleApp1\bin\x64\Release\net8.0\ || which is kind of weird. I do not see any || net8.0 || in the screenshots.
Yes
Do I have to move to TARGET?
A few things here
- The question wants you to place it inside "C:\Alpha\Static", you placed it inside C:\Tools\Alpha\Static
- The file should be placed inside the machine associated with the question, which is the TARGET machine
- You didn't mention whether ThreatCheck found known bytes
- I would recommend targeting .NET framework 4.7 instead of 8
- You can get the flag as long as there is no detected bytes on your .exe but you mentioned that you didn't get a reverse shell, i would recommend spending more time on the DEV machine until you are able to get a shell from DEV
This is awesome! Thanks. I will do that.
One quick question. Do we have to add old Framework somehow to Visual Studio Code? I do not have 4.7 as an option.
From the course
Go back and make sure to select the indicated project template
Yeah, found it in VS
not a programmer.... VS is not something I am using regularly, lol ... I know that's about to change though
It's just a matter of time :) By the end of the module you will be more familiar with it
Thanks again and for the patience, lol …
The checker script (which gives you the flag) tries to check if it's a .NET framework binary which includes Cryptography (for the AES) and InteropServices. If you really follow the section step-by-step, it should give you the flag.
Nvm, solved it, thanks
Pivoting, Tunneling, and Port Forwarding -> RDP and SOCKS Tunneling with SocksOverRDP
wtf is this issue? its stressing the hell out of me. It happens every time I try to run the command or even just extract the files. i've reset my machine twice and I'm still getting the same problem
Hi all, am struggling with the HTB academy module "Information gathering - web edition". The skills assessment part. Getting confused with the vHostd bit
What about it? I've done that module.
3rd question: what is the API key in the hidden admin directory....before that it gives the target IP and port....then says vhost needed for questions....am assuming need to add that to hosts file for enumeration to work but added it a few different ways without success...so just looking for start point really to be able to put into practice what learnt from module...did nmap scan and that port it specifies isn't listed
Show me how you put it on the /etc/hosts
utilize the techniques taught throughout the module to move forward
the /etc/hosts file should only contain the IP not the port or protocol so
ip hostname
Ah well that's one thing did wrong
to access the host with ffuf or any http type protocol; you do http://hostname:port
to fuzz a subdomain you'd add -H "HOST: FUZZ.hostname" in ffuf
Ok let me try that
all this stuff you should have encountered in the module
Did but may have to revisit parts
i also suggest taking notes as you go through things
Good call
that way if you take a break it's not jarring to come back and mess up a fundamental thing
Yeah hit nail on the head there that's exactly what's happened
Ngl I'm just on here to be friends with hackers close age I'm high school age Btw so please don't be weird
Oh thank you sorry
for the SMB module, am i to change the smb.config file to further gain access?
or to make the txt file show?
wdym smb module
did you mean: Footprinting module, SMB section
Attacking Common Services module, SMB section
also, no modification is needed to smb.config
yes
yes
motherfucker i asked a or b

this isn't a ternary question with a hidden third option
footprinting
no modification is needed
Just enumerate the service no modification to smb files is needed
Also before asking about any question you can provide the link to the module you are currently in or name it so we can help you since some modules might have similar content
Footprinting - SMB
is it alright to drop screen shots here?
you need to link your account to share screenshots; though i believe that module is above tier 0 so screenshots would be spoiling content
#welcome <-- instructions on linking here
The module is tier II so no
You can dm screenshots if its above 0
so long as the screenshot isn't revealing content and is just basically errors with stuff like passwords and such redacted
the section though gives you all the info you need to get the answers
i figured but i've been stuck on this for the past week....and i'm just now asking for help
You really shouldn't get stuck if you understand the material
Read it again and try harder
note you may not just be enumerating SMB, i believe the section also talks about enumerating via RPC
something that catches people off as well, at least with the filepath, is look closely at the filepath and think: does that look like <redacted> OS structure?
i.e. why would a windows machine have C:\Home
in honest im getting about 70% of it? i understand whats being kicked back to me but i'm just spinning my wheel and refusing to give up 
Which question are you stuck on?
connecting to the discovered shared to find the flag
First you need to find the Share that you can access
After that you should use something taught in the section to find the flag
im feeling like i'm using the correct cmd but not getting the confirmation of login with the anonymous login
For me i broke it down into
Which share can i access?
What tool can i use to access this share?
Find the flag
did you list the shares?
i did
to connect via smbclient you need to specify a share
smbclient -U <some username> //(ip or hostname)/sharename
if the sharename contains spaces you'll need to wrap it in quotes
then you can just dir and navigate through that
cd as well
run the -N -L [Target IP] is not enough then?
-L lists shares then exits
You need to understand the options and what they mean to use them correctly
man smbclient or smbclient --help
:) man is your best friend
(except when a tool doesn't have a manpage)
oof, learning this and linux at the same time should have been a better thought out plan 
now you know, and hope you put it in your notes for future use ¯\_(ツ)_/¯
I've been banging my head on the table for 20 mins... I can't figure out the format that your system demands for the answer, even though the webpage calls out what I am providing as the answer... How do I be more specific, I don't want to give anything away?
I'm doing the Android Fundamentals.
Here's the question: What is the name of the function that returns the string inside the cpp file? (Format: FunctionName()). The web page literally states the answer followed by a colon...
Having to post more nonsense because there's a damned ad in the way in Discord
The format they're looking to is just the functionname() as stated by the question
Also you can dismiss the ad
hey guys, i have a question to ask about iframe vulnerability, since i scanned the web with nessus i found iframe is vulnerable to clickjacking, but it's worked through burp request only. Is there any way to inject and affect to all users?
The question literally tells you the format: no : after means no : in your response
I'm not including a colon. I'm formatting it exactly as it's asked for words()
Hi
Casing may matter
We can't help you with that
Does anyone know how to do that
O
Not the server for that, if the chat was deleted its gone and you may need to contact Microsoft Support in order to restore it
Thanks
I've run into this quite a bit. It's semantics.
Some questions specify a "format" but many do not even though there is a very specific way to answer. The problem is there is no pool of correct answers based on people submitting in different ways.
Make sure to include hyphens. One time I had to use lower case as the exact same answer with a capitalized first letter was wrong.
cough #1234357888114364508 cough and /feedback
I was doing the PTT from Linux and on the last 2 questions whenever I try to Smb with the cp and export for the current key it just says no cache found. And then lists the key I exported
Hi, i did the assessment File Upload but I don't understand why my upload get interpreted and executed. I don't find anywhere a special config allowing those type of files to be executed.
So I figured it out but the flag.txt file is saying its a wrong answer
it's because the webserver is a server that allows it to be executed; as most do. if you're referring to how you leak the upload location i suggest re-reading the module to get a firm grasp of what exactly it is you interacted with
QQ: Is there a way to either have the academy VPN either allow internet to google; support split tunneling; or maybe just not use libraries that pull in outside resources? (http://fonts.googleapis.com/css?family=Open+Sans:400,300,300italic,400italic,700,700italic&subset=latin,cyrillic)
(It makes the page view on the nibbles task take quite awhile to load up in a browser)
the academy vpn is already split tunnel
the problem isn't the vpn, it's the lab itself
because of how things get processed
if it wasn't split tunnel you wouldn't be able to access the regular web while connected to it
So just do what I did (basically just blacklisted the googleapis domain for now so it's 'quick')?
typically adding in the domain nibbles.htb or whatever box it may be fixes some of the fonting issues, at least when the lab is based off a retired box
I can't access regular web while connected to it; that's why I assumed it wasn't split tunneled
well it works on my machine, i take it you're using kali?
is your openvpn up-to-date?
google is your friend
there's also network preferences tab <
my google query :)
next time though:
Need some help? Learn how to reach the support team on Academy.
regarding PS Scripting and Automation - I was trying to follow along and write my own script on my local. Will I be able to continue with the variables if I can't install AD?
run powershell elevated, first off
🤦 it's the little things.. I swore I had it by default...
but also your system wouldn't be registered to an ad set even with it installed
and setting up a general purpose AD lab for your local daily drives would suck
Indeed, I'm just playing with it at the moment with making a scripting module for this section for practice. I'll eventually have a server instance and a VM soon as I continue with the academy.
This system is pretty decent
Yeah, but most php server allow files ending with php, etc. to be executed which isn't the case here and in the course the only reason possible is a modification in mod-enabled. And this file wasn't modified.
I'm only referring to the RCE not the upload function.
guys I have a question in pentesting In a nutshell or it's more like a trouble shoot I already have the answer but it's not working can I dm someone
@sour roost I hear you.. This channel is for us who are in the academy and learning about all that info as you dive deep into it
so state the question here?
Don't ping / DM staff .. always ask permission from mods.. Read the rules closely... If you are going through a module in the academy, this is a good channel. Otherwise they may point toward a channel with the answer you're looking for... But Shoot it
ok I'll revisit the rules section thanks
this is also a good channel #1234357888114364508
I am working on 'XSS Filter Bypasses in the 'Advanced XSS and CSRF Exploitation' 'https://academy.hackthebox.com/module/235/section/2677'.
I am able to execute javascript that popups the standard XSS box and also able to connect to my python webserver.
But when I use the basic xhr payload to extract data from '/admin.php' I get no response. I tried to host the exploit file on my python webserver and updated the xss to point at my https://kali_vpn_ip:4443/exploit" I see:
10.129.233.62 - - [04/Apr/2025 12:14:16] "GET /exploit HTTP/1.1" 200 -
So he can access the file but it's never executed. Can someone help me with this?
As the name of the section suggests, it's about XSS filter bypasses. This means you have to find out what is being filtered and then adjust your payload accordingly.
The strange thing is that I am able to access my webserver got 'code 404, message File not found' but the xhr payload does not execute. Tried also with src instead of fetch(). And with fetch() I used also '.then(r => r.text()).then(code => eval(code));' to execute the payload. No luck either.
Hey, im busy with nmap service enumeration 'https://academy.hackthebox.com/module/19/section/103'
and need to give a flag, i scanned ports, then activated tcpdump, then used nc on all the ports, after this i got the same flag on every port. Can someone help me?
If things are not executed, it may be because certain keywords are blocked.
@acoustic owl Do you mean the payload in the 'Comment' page or on the 'https://exploitserver.htb/exploit'?
The payload you insert on the page.
@acoustic owl Got the flag
using nc you'll get the flag on one of the ports
220 HTB{FLAG}
the 220 isn't included
[status code] [text]
can anyone help with the last question for dacl1 SA. i have 2 users ntlm hash...
How poorly written is the material in the hack the box?
I have an empty box that says "Submit your answer here".
Above it are two statements, and no questions.
Install myapp.apk by dragging and dropping it into the emulator. Then, open the embedded terminal in Android Studio and run adb root && adb shell ls -l /installed/apps/. Replace /installed/apps/ with the correct path to find the app's home directory.
In English, sentences that are meant to be questions end with, "?," a question mark.
Your last sentence should say, "What path do you replace /installed/apps/with to find the apps home directory?" if that is what you want answered. I ASSUME that's what you want, but in 40 years of doing this I've learned InfoSec is NEVER about assumptions.
But what's great about this? The next box with a "Submit your answer here" has only statements above it too, with no question anywhere to be seen. I'm sure someone is just going to read these to me again... because that'll solve the problem. It'll make question marks suddenly appear.
Since you're charging for this product, could you at least achieve the minimum standard and have questions where you expect answers?
EDIT: Turns out "What path do you replace /installed/apps/with to find the apps home directory?" Isn't the question. So how do I find out what the question is in the Android Fundamentals module skills assessment? I found a flag.txt, but that value isn't accepted.
What is the actual question?
Hi there, I've been stuck on a question for 5 days (yes, I enjoy bashing my head against walls), but I finally gave up and started looking online for the answer. Turns out I was actually doing the right thing all along. It's part of the XSS module, specifically in the "Session Hijacking" section. Here's the question: "Try to repeat what you learned in this section to identify the vulnerable input field and find a working XSS payload, and then use the 'Session Hijacking' scripts to grab the Admin's cookie and use it in 'login.php' to get the flag." I set up my PHP server on ports 8000, 8080, and 4444 on the following environments: my host machine, Kali VM, and the HTB Pawnbox. When I manually visit the IP:PORT of my PHP server, I can see the requests hitting my console. I used the payloads from the module and the one I found online, but whenever I try to insert the payload into any field (except the email field), nothing seems to happen. Can you help me out? I'm kinda desperate at this point.
I could use some help with the box: Administrator I was able to get to michael and thought I changed the password for Benjamin but it only shows that it was changed for SMB and not WINRM. Even smbexec is not working so Im wondering if I messed something up. Thoughts?
find the app's home directory
Need some help? Learn how to reach the support team on Academy.
did you adjust your script.js?
also module is above tier 0; i suggest removing the payload used
yup sry for that
there shouldn't be a payload/guide online but people violate ToS a lot and it's hard for staff to keep up sometimes
yeah i keep finding some article that just does the entire exercices and doesn't give answer but give every step to get there
Yes i know you need the url or something ?
i gave you the url in mp if you need it
done thx for the help anyway
intro to windows command line... so im supposed to use the previous flag as the password to ssh into the current user for flag but ive tried everything i can think of and none of these are relevant even tried to forum related answers and still a no go
hi everyone I need help regarding HTTP Response Splitting
will anyone help please
@light siren please don't share the answers :)))
so the answer is NO, don't be a dumbass
@light siren make sure the output that gave you that answer doesn't have capital letters in it; since it's a password -- casing will matter
what... the output is exactly what im typing i havent changed casing...
ive been trying this for like a hour now, its redundant... it should be ac....11
for the windows fundamentals skills assessment does anyone actually know what the pw is to ssh into user 3 here, SSH to 10.129.204.9 (ACADEMY-ICL-SKILLS11) with user "user3" and password ""
- 1 How many hidden files exist on user3's Desktop?
ive tried all the passwords it should be, none of them are working, and ive used exact casing
the output i have is all caps
let me try mine is all lowercase when i used hostname and who am i
yeah that one is all caps, weird huh well anyways tyvm, i tried verifying with hostname, netip, and whoami
i even tried searching for missing flags maybe lol
Get-ChildItem -Path "C:\Users\user2" -Filter "flag.*" -Recurse -ErrorAction SilentlyContinue
if you want the heaviest of cheatcodes --> userN@HOSTNAME
it was right there
as a note: whoami will always lowercase
i also checked with systeminfo; and i got the answer as expected
Windows privilege escalation - interacting with users:
I found the right path, tried different flags for catching, but I never get anything back on Kali.
Why is this not working?
|| I tried .lnk .url .scf to no avail ||
hello folks
so I am still working on INTRO TO WIN EVASION TECHNIQUES - STATIC ANALYSIS
I manage to get a reverse shell after building the c# code. That's good
But my understanding is that I need to put that on TARGET. c:\alpha\static , which is other other VM.
The problem is ... I cannot have both VMs working at the same time.
Do we have to compile , develop, etc on DEV. Export to Kali. Start TARGET, upload to get the flag? seems a very convoluted process. Maybe I am missing something. I do not see Visual Studio Code in TARGET
Guys, I'm currently on Applications of AI in InfoSec, Model Evaluation (Malware Image Classification). I got this far, but never get a flag. Can anyone suggest where I'm going wrong?
anyone please help me with http response splitting
That's what you essentially have to do.
I have VS code in Kali
can I build the solution there?
Or it must be a Windows box?
I mean as long as you compile it how they want it compiled.
ok
Assuming this is about the "HTTP Attacks" module, you can DM me.
let me make more coffee.... this is gonna be a long module, lol
I give up for today. Regardless of my efforts, no hash is captured.
Btw, this module is quite deprecated. References are being made to ancient python2 scripts and the example syntax for responder corresponds to an outdated version.
You can DM if you are still running into issues with this one.
I guess I have to transfer that to TARGET... let's see how it goes ...
Thanks, will do tomorrow. Have to run now
There are still many scripts that run with Python2.
Yes, software is updated from time to time. But that does not mean that a module is deprecated.
time to break out the 2to3 and bash head against the wall
You will need those juicy .NET libraries, shitty to do in Linux sometimes but doable
Good point
I may have to spin a Windows VM. Do not really want to pass all that to my actual Windows host. I will have to create an exclusion, etc.
Still not getting a flag. I did transfer the malicious executable without any obfuscation. So my question now is ... the file we need to move to get the flag, is the one generated using the AES encryption?
1st version gets immediately deleted (obviously)
did anyone ever solve this? Im getting the same thing
i think something may have broken? The results im getting do not match the walkthroughs I checked it against
||the NTLM hash for the local admin account of SQL01 no longer matches the NTLM hash of the local admin account of MS01||
I don't see any way around that at the moment
not 100% sure if it was this one... but restarting the box, fixed the hash mismatch
thanks
did it work now?
I've moved on to the next steps, I'll have to go back and confirm it
@hollow knoll can i DM you for a question ?
jesus christ ...
can somebody help me with the "android fundamentals"
i test already all functions from the provided code, is this a content error ?
Having fun with the Footprint Hard Lab at the moment. I used some alternative flag with nmap already, but when i try to connect my finding, which is said to be open, i don't receive anything. I always end up with a timeout and i am not sure if I am on the wrong path :/ I restarted the target already, as I thought i broke something.
Got it. God damn, i hate it sometimes. Still not coming much further, but at least i know the services is answering, something.
Hii
I've done this one a few different ways honestly and never by the admin password being used by both SQL01 and MS01.
If I had my own VM Parrot OS, and I vpn'd and ssh'd per academy instructions. Would my sessions still time out?
Thank you!!
@fathom pendant okay - this is the 5th time, I have tried this... I need help pls... may I DM you on this only...
This is a lengthy code..
regarding user10 intro CLI: skill assessment
been at this now for about 20hrs..
No
Im busy with other stuff
that's ok, can you recommend another support pls?
Make sure you're connected to the DC. A separate machine in the targets internal subnet
On what do password recovery functionalities provided by web applications typically rely to allow users to recover their accounts?
@fathom pendant I can't thank you enough... I was banging my head for over 8 hours...
Hi guys...
Hi there guys , have a little issue with the "Using Splunk Applications" , the first question on "net view" stuff. I did remove the extra space but got no results. Please am i missing something?
Hej! Regarding https://academy.hackthebox.com/module/144/section/1256 - I tried hackthebox.com for Archive.org and wondered why GoDaddy pages appeared. Had to zoom quite a lot to see in a screenshot above that HTB had another top-level domain in the past.
Hey this might be the wrong place to ask, but anyone know how to actually have request and response side by side on burp suite
hackthebox didn't always use .com
got it by myself
this format makes more sense
Not sure if version difference the reason for \\\\ is because unc path and connecting to a windows based service,
Because in bash (and most things) \ is an escape character
Nvm im blind , right below the smbclient example talks about firewall blocking
Go ahead type 4 \ in discord and see how it's interpreted when you hit enter :)
The organization is doomed
What is the difference between the amount of estimated hours and the % complete of the path. What are they measuring because they are definitely not measuring the same thing. I am doing the "Information Security Foundations" which has an estimated time of 10 days (each module's estimate added up to 39.5 hours so that adds up). However I'm halfway through the second module. The first module had a 30 minute estimate and the second one has an estimate of 3 hours. However the % completed says I've completed over 10% of the module..... but by time estimate it is less than 5%. So that leads me to ask why are these figures so different?
Hi @ocean night 🫶🏽
The estimated time and % completion are wholly unrelated
❤️
% completion is based on the sections completed and questions answered
For a path as a whole it's as a total number of sections/questions completed
Ah gotcha. So in my case, it seems that the sections I have complete are less time-consuming sections thus requiring less time but each one still bumps the completion %. Soon I'll get to more time-consuming sections. Makes sense.
Also i generally suggest ignoring the time aspect overall
Focus on understanding the content over getting through it quickly
ive found that unlike a lot of services, htb's acad time for completion is pretty accurate
It's a ymmv type of thing
For sure. But it is helpful to plan. Ie "if I put in 4 hours a day, I can expect to approx be close to completion in 4w". Or "I'm coming up on a bunch of short sections I can fit them around other obligations" Or "I've got a big section coming, I need to carve a bigger chunk of focus time for this one"
Some people find certain things easier than others, so long as you understand the module you're good either way
Until you run into a series of "short" things that stump you for the approx 4w
Lol, fair enough. I'll prepare myself mentally for that
I saw I was 10% of the way through and thought "Sweet, I'll finish this in half the time I thought it was going to take me".... but then I looked at the time estimates and realized that might not be true.
Just don't put too much stock into it
It's ok for a guideline
It's more there as an "if you have 0 issues and don't take notes" thing
Sounds good. Probably better to not plan or look ahead much then. Just set a timebox and study. I'll get done when I get done.
yeah sure
wouldnt this be the total packages installed on the target system??
dpkg -l | grep '^ii' | wc -l 
can anyone help me with: Skills Assessment - File Upload Attacks
Is it normal for the modules to have multiple different flags?
(e.g. have 1 valid and 1 invalid flag)
Its possible to find flags for subsequent sections because a lot of sections share the same target image
You might've found a flag from a later section
What were you doing when this occured?
Submitted a module's flag. AD enumeration and attacks - DCSync section
The error still remains, but I can connect to the VPN. In fact, the VM I was attacking is still up
That's how it appeared, no more information
Tried reloading a few times with CTRL SHIFT R but nothing
Yeah that's how the ray id appears. Had the same on April fools with the ctf platform. Doesn't show a ray id
If you need anything else or if there's something I can try just let me know
yo the LFI module pisses me off rn
im inject the payload in with the language parameter but my page just shows no connection error
i did this task before
never seen this befo
@main ridge could you try again please?
hey g0blin
how are you
Fine, trying to get to the bottom of the error from gr4f3n at the moment.
I can't comment on module content I'm afraid.
hey
?
i tried using the pwnbox
and it works ,,, something wrong with my kali proxy settings in the browser
Please reach out to support on the site.
Sorry, but I'm not support, and am trying to figure out another issue, as I said.
Need some help? Learn how to reach the support team on Academy.
Still the same
Damn, ok.. sorry for the inconvenience. I'll continue digging.
Don't worry. Now I'm not getting any response at all
Update: It just took a lot to answer, but same error
If you need more info (location, screenshot) feel free to DM
Thank you
Okkk, one more go please @main ridge? Last one I'll ask from you, mitigated an ongoing attack.
That may well have been impacting the service you were hitting
Wow. Still the same and took around 2 mins to answer
Arrrrrrgh
Ok bringing in someone else. Sec involved, and we mitigated an ongoing attack, but apparently this has had an impact elsewhere.
I'll update you once it is resolved. Again, apologies
No problem! Good luck with that
Could you email the IP you were requesting from to g0blin@hackthebox.com please?
Don't like handling PII over Discord if I can help it
same
Sent
Thank you!
Weird, managing to submit solutions, and I'm seeing others submit them also.
Could you provide the exact module/section/question URL / name you are having issues submitting to please? You too if possible please @bronze lodge
Not even seeing your submission requests hitting CloudFlare to be honest @main ridge
What on earth is going on
I see some regions being re-routed in CloudFlare
..but no major incidents that'd impact us
I'm experiencing this issue intermittently. There are times when I can access the module without any problems, but other times it becomes inaccessible.
Thank you
Everything seems fine now. I'll let you know if it happens again.
My original problem was with https://academy.hackthebox.com/module/143/section/1489 this is AD Enumeration & Attacks - DCSync section
I guess we're in the same boat?
But most of them aren't working for me. Here is another: https://academy.hackthebox.com/module/143/section/1420
All I can suggest is to keep retrying now and again. We're looking into it, but as a sporadic issue it's a pretty hard problem to pin down. We're on it
Yes.. 143
Modules do not handle flags differently on submission
So just a big coincidence there hahah
Here are some requests that are being made after the error. It looks as if we are being blocked by the WAF
@bronze lodge I don't suppose you could email your IP to me as well please? Wanna see if it's a regional thing
We have blocked a few IPs that were hammering services pretty hard..
Lemme check CF logs for your IP again
@frail tinsel please read the subject to the channel, and the terms of service
Sharing information like that of modules above tier 0 is not permitted.
Please ask for assistance without pasting such information.
No problem, I'm looking for assistance on the Skills Assessment - Using Web Proxies question number 3.


