#modules
which region do you use for htb vpn..ill try that?
Try something like faketime "$(ntpdate -q $Target | awk '{print $1 " " $2}')" <cmd>
okay thank you ill try it
hey guys, I'm having a tough time trying to complete these tasks on PTH module
Using David's hash, perform a Pass the Hash attack to connect to the shared folder \\DC01\david and read the file david.txt.
Using Julio's hash, perform a Pass the Hash attack to connect to the shared folder \\DC01\julio and read the file julio.txt.
I managed to find both hashes and complete the other tasks but these 2 nothing works
help please
I used the mimikatz pth submodule to do both of these
Iirc its the sekurlsa::pth
it won't say completed int i need help when i connect to htb vpn
@ocean flower you redownloaded the file between tries?
sudo killall openvpn
Then download and try a new one after switching vpns
@pallid cove thats not what this server is about
I was already here :)
same brother i tried everything
Then reach out to support
Need some help? Learn how to reach the support team on Academy.
ok thx
Channel hacking
Though judging by how youre talking youre either a teen, or English isnt your primary language
yeah, I get the cmd but then i cant do nothing to access DC01 :/
idk what else to do
? I was able to do it just fine
I did dir \\dc01\user to confirm [user being David or Julio]
You're not gonna find that on this server as thats illegal
The files are under \\dc01\$user\$user.txt
duuuuuuuuuuuuuuude
now it worked
i dont know what I was missing but thanks a lot
Probably forgetting the sharename
yeah I think so too
Getting hashes from Responder in "analyze" mode?! Why?!
So I'm working on "Active Directory Enumeration & Attacks"
https://academy.hackthebox.com/module/143
and I've just run Responder for a while, from the provided 'ATTACK01' machine. As instructed I'm running it in "analyze" mode so it shouldn't be getting up to any nasty business pretending it's someone it ain't,
sudo responder -A -I ens224 | tee responder_passive.log
"[i] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned."
[SMB] NTLMv2-SSP Client : 172.16.5.130
[SMB] NTLMv2-SSP Username : INLANEFREIGHT\wley
[SMB] NTLMv2-SSP Hash : wley::INLANEFREIGHT:<Redacted NTLMv2 hash>
But still I'm getting NTLMv2 hashes from accounts trying to authenticate to SMB?!
Now I'm as happy as the next guy to get my hands on some hashes, for sure! But ain't it strange?
Someone here to shed some light on what I just observed? Why did those machines just try to authenticate to my supposedly passive Responder?
no nbt-ns, llmnr, mdns requests
Smb is none of those things
True. But why were there authentication attempts?
Likely just a background script running to ensure things work properly
I see, so lab phenomenon. Not necessarily something one would find in a real network?
It can happen in the real world, typos happen
Hey @fathom pendant I sent a dm regarding rules if that’s cool
Ill answer to the best of my ability
I see, makes sense! Thanks a lot!
it can be listening as well when a response is sent out via the dns, 'hey who is xyz' and every system gets the multicast request
I want to ask,
Active Directory Certificate Services (AD CS) attacks
Kerberos Constrained Delegation
Kerberos Unconstrained Delegation
Kerberos Resource-Based Constrained Delegation (RBCD)
Are the following concepts included in CPTS?
Do I cover them for CPTS, or only for CAPE when time comes?
ADCS is really only relevant for CAPE
only like 1 ESC is covered in the CPTS path; ESC8 in the password attacks module
but if it's not in the CPTS path, assume it's not necessary to be covered
Can you please use the full form of the abbreviation?😅
?
ESC and ESC8...
ESC is just short for Escalation
the numbers are just the order they were discovered
ESC 8 is the 8th escalation path that was discovered
There are numbers?? I didn't notice that...
and they are specific to ADCS
Hey guys, I'm stuck on bypassing UAC for the Attacking Windows Credential Manager section of Password Attacks and I'm not able to save the backup anywhere after privesc. Once key manager opens, I'm able to download the backup file but it disappears immediately. What could be causing this? I've searched around and haven't been able to find anything so I'm not really sure what else I could try.
@fathom pendant thank you so much for the link...things are much clearer now...It's truly impressive you are online most of the time and give back to the community! Thank you!
save somewhere like the temp directory or C:/users/public
could also be a cleanup script running to prevent you from saving it somewhere on the local machine
no luck saving it to temp, C:/users/public, or any of the other users folders...
where might I check for this?
idk, if it's a cleanup script then it's there on purpose and you shouldn't tamper with it. I don't really recall any issues however saving or doing what i needed to do
i don't recall though saving a backup anywhere for that section
the only thing that tripped me up was running the command from the impersonated user in cmd, and not from the search bar
aside from that i ran mimikatz (and even lazagne) and got the expected results
hmmm
Hi guys! anyone knows what a crack is going on with my rdp session?
yea I even tried connecting a drive via SMB server running on my attack host but ran into an issue where I couldn't access it from the target host... I'm stumped because I tried everything from the section without luck.
has anyone else here done this module recently that could give me some pointers?
press enter
Hello
@cloud urchin ok thanks
now I cant copy/paste commands. the terminal inside is working, I can type, but cant paste?
ctrl+v not working? for windows machines they use ctrl+c/v for copy/paste; linux use ctrl+shift+c/v
also i suggest adding +clipboard to the rdp command
ctrl+shift+v not working, right click drop down menu paste not working
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible PowerShell Empire Activity Outbound"; flow:established,to_server; content:"GET"; http_method; content:"/"; http_uri; depth:1; pcre:"/^(?:login/process|admin/get|news).php$/RU"; content:"session="; http_cookie; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/CRi"; content:"Mozilla|2f|5.0|20 28|Windows|20|NT|20|6.1"; http_user_agent; http_start; content:".php|20|HTTP|2f|1.1|0d 0a|Cookie|3a 20|session="; fast_pattern; http_header_names; content:!"Referer"; content:!"Cache"; content:!"Accept"; sid:2027512; rev:1;)
this is the command I m trying to paste
what module is this for?
can you not open a text editor?
nmap -sV -sC 94.237.60.55 -p- can someone tell me why does this command get blocked?
also try copy/pasting into a text editor (like pluma) in your vm then over to the rdp session
when i run it, the shell remaining on wait
why are you scanning a public IP?
if you're given a public ip:Port your ONLY scope is the port on that IP
i ran nmap -sV -sC 94.237.60.55 and gave me 2 services, ssh and rpcbind, but not the service under the port given by the exercise, can you tell me why? And also, why nmap -sV -sC 94.237.60.55 -p- doesnt work?
you don't have to nmap the ip
ok but why?
and it does work; you have to bear in mind it's a public container and can have many ports open
that's why you're explicitly given a port to attack
no luck mate
i suggest instead of doing nmap -p- use -p given_port
because just nmap without specifying the port only scans the top like 1000 popular/common ports
i haven't done the module so i can't really tell you what more to do; i also tend to use my own vm not the pwnbox
if you fullscreen the pwnbox you should have a clipboard icon in the bottom-right
also copy after the pwnbox launches, if you copy before... it clears the clipboard
i knew that -p- scan all the 65.535 TCP ports
i also prefer my own vm, but I keep getting disconnected, I will try again
yes and because it's a PUBLIC container, (public being completely open to the outside world) it can be running a LOT of services, and if there's a LOT of services it's gonna take up more time
but again
the SCOPE of whenever you're given a public_ip:port is ONLY the port given
so scanning for other ports is just useless
as it's literally going out of scope
this is explained in the Intro to Academy module
yes but why nmap -sV -sC 94.237.60.55 -p- doesnt work? It should scan all the 65.535 TCP ports running on that IP
it works, but it's going to take forever
because you're not only running a connect scan, you're also running a version scan, and then a script scan
so it takes much time right?
yes
this is the reason, got it
but again, you're missing the major point
only the scope, got it
thx
@twilit parcel dont dm people without permission
is that dm? ok, sorry
Yes, dm/pm however you want to abbreviate it. Don't message people without asking
got it. sorry
did someone ever run this exploit on Metasploit? It's taking so much time
What does this have to do with a module? That's not an IP on HTB. If it is, you're targeting the wrong port.
also that's definitely not the exploit to use
that's a denial of service exploit
you are doing something wrong here
im on the getting started module for pen testing, the exercise on public exploit section gave me the target 94.237.60.55:54566
Okay yeah that's fine then, but wrong exploit for sure
none of the modules call to DoS the target
this the result of the enumeration with nmap, i thought to use the httpd version or the wordpress version
plus isnt -p- scanning all 65k ports
the section said this
When a module gives you a public IP with a port, just focus on that port only. No need to nmap scan any other port.
yes got it
Did you try visiting the website?
facts dont over think i started that too probably still am
what?
curl n dirbuster go brrrr
From your nmap scan, you can see it's a website. Did you try to visit the website to see what's there?
hello, has anyone solved “Bypassing Basic Authentication”
I need help with how to use Burp Suite please
Always best to mention the module section and question you're on
Hello
Can I DM anyone for the ESC attacks in the ADCS module
My Certipy command wont work it says "RPC connection refused"
I mean "Failed to get DCE RPC Connection"
I think its spoiler right
I marked it
Hey awesome people, i'm having trouble with the "Public Exploits" question in the Getting Started Module. I don't understand what i'm supposed to do. I can find an exploit using searchsploit for the httpd server, but there's nothing in metasploit. Am i missing something? I also scanned the site with WPScan to look for plugins and found none, only WordPress CVEs that are also not in metasploit.
As I said before, did you simply visit the website to see what it's hosting?
yes, WordPress
notice anything on the page?
yes it's talking about a plugin, i'll see if i can find an exploit
oh wow, that's a bad one haha
thanks supernuts!
i deobfuscated but it shows empty page??
im going step by step
nvm
i was doing it wrong
backwards
idk why my flag wont work
im almost positive this is it theres no where else to go
ye just wont work
the flag wont submit as correct
im looking at it it just wont go in?
41 sec 442
deobfuscation
yes
the lesson before knowledge check
no
yes
the last lesson in it
yes i unpacked and i decrypted the bit64
Hello, I'm Brazilian and I'm new here... I would like to know a little about what this service is about.
To be successful in any technical information security role, we must have a broad understanding of specialized tools, tactics, and terminology. This path introduces core concepts necessary for anyone interested in a hands-on technical infosec role. The modules also provide the essential prerequisite knowledge for joining the main Hack The Box pl...
Hello can anyone help me? I am stuck on the Password Attacks Assessment. I was able to pivot to the internal host using ligolo and then ran nmap on the internal network but can't do anything beyond that 🙁
hey you can dm me if u want, i can try to help u
Hey i am new here. I am new to this channel as well as the subject. I am trying to type in general chat but it says check out modules.
read the instructions in #welcome more closely; as mentioned in one of the pins of this channel the "check out x channel" is discord pointing you to the most recently active channel you have access to. The instructions are a list of 3. :)
Which one from password attacks?
the assessment
the final one sorry im stuck where i need to pivot to the internal network
are you using -Pn to scan the internal network? you can also use nxc to sweep the internal network, iirc you're given like 3 other internal machines in the brief so you can test creds and such on them
im able to see open ports but when i use the creds we were given they won't let me rdp or scan for shares
are there creds i need to look for before pivoting?
yes; there's creds you can find if you do some basic searching
sometimes a look to the past can lead you to the future
how can I change my academy avatar?
Gravatar
oh thank you! hadn't noticed that

my "gravatar" entry on 1password is tied to my wordpress.com account and when I login it says my last activity was on november 2005 👴
thanks @storm elk
Might wanna change the password too 😅
You’re welcome 🙂
If what you ask for is gonna be illegal, you’ll be out as fast as you entered
^
I haven’t done that module, sorry 🙂
he said he has something on me, and I'm scared I might've clicked a link that he sent me, so is there any way that I could know that my device might be hacked or phished?
Maybe theres a reason, cause the connectivity is not working
most likely it was only an ip grabber, at most it'd be used to scare you
Unless his IP discloses his ISP
even then
Then he knows the location
Rarely shows any precise location really
Hey @eager barn u should rather just learn hacking and forget about ur issue
Mine shows the same country at least
you pinged the wrong person @shut wraith
Marcie if u ping me im gonna DM u
guess so , so it's not something serious right
Just knowing your ip isn’t that scary
thx a lot
You can always do a virus scanner depending on the device
tbh though; if you're afraid they have some blackmail on you: go to your local police/feds not a random discord server
i would've sent that link that he sent me but pretty sure that would lead me to a quick perma ban
ye its not that serious but I was jus little scared
it would be against the rules, yes
thx a lot , I will just block him
Do I need to complete the paths before scheduling an exam?
As I recall, yes
you need to finish the exam's requisite path, yes
thank you
Why
hi
Hi
Hey @cloud urchin can u help me with the ADCS module
no
I think its not working properly
it probably is
Hi!!
Module:Password Attacks
Pass the Certificate
Please help me understand the reason for the error.
Question:
"What are the contents of flag.txt on Administrator's desktop?"
I'm doing everything described in the assignment. This error is already on two different VMs, as well as on PwnBox.
Can someone check it? I'm afraid it's not just me who makes this mistake.
Change the VPN region
Restart the target
Try it in the PwnBox
Often modules that do not seem to work properly can be made to work again in this way
ok this is doing my head in... i've already put in the answer multiple times even after looking at the show solutions and its still saying its incorrect.. in "Linux Fundamentals" question 2 i've put "/home/htb-ac-2061563" and its saying its incorrect
did you ssh to the target system first?
nope, ill look into that, thanks
I need help with https://academy.hackthebox.com/module/147/section/1391. I tried with more than 1300 words but got no results. Please give me some advice
i've spawned the instance, i assume thats what i should be using? i've used the command "pwd" i get "/home/htb-ac-2061563/" and thats not the solution apparently
if you're talking about the attackbox (as in the parrot os system accessible through your web browser), then you still need to ssh to the target system, which is a separate thing that you also need to spawn, from within the attackbox. once you've done that, then getting the solution should be pretty easy
I think I turned my brain to mush
please I get some help I search around on the web but not much... already did some for find that users in the group for Q1 (useful as https://lazyadmin.nl/powershell/get-adgroupmember/)
https://academy.hackthebox.com/module/143/section/1275
What host can this user access via WinRM? (just the computer name)
computer/host name would be something like
Some-Computer-Name
I got that it be something like the host computer im current RDP into (academy-ea-ms01)
so by that logic it could be something such as academy-ea-ABCD1234
although Im interested how I can get the user ||Brian D|| to have access to computers on the network so I can finish the section of the module
I also tried doing https://academy.hackthebox.com/module/143/section/1485
but no luck, unless I am missing something, which would surprise me
I could legit start doing some ping sweep and brute force it although time consuming and would like to know another way
Module: HTTP Attacks
Section: Skills Assessment
Problems with the operation of TE.CL via a TE.TE technique. Can anyone help?
the canpsremote cypher query should net results
alright lets see where this goes... I swear if it was that simple going to have a fit
ugh bloodhound another thing I dont know great here we go again
if it doesn't you may need to re-run your ingestor (sometimes it doesn't catch everything)
you may also be able to run the Get-NetLocalGroupMember query, and instead of specifying the ACADEMY-EA-MS01 i'm sure you can either drop that ComputerName or use *
interesting I tried doing a wildcard aka * but I dont think I did it correct
luckily im not going crazy...
PS C:\Tools> Get-NetLocalGroupMember -ComputerName *
PS C:\Tools> Get-NetLocalGroupMember -ComputerName * -GroupName "remote management users"
PS C:\Tools> Get-NetLocalGroupMember -ComputerName * -GroupName "remote desktop users"
I'm having an issue with CrackMapExec. The module is "Using CrackMapExec" and the section is "Password Spraying". I've created the command for MSSQL password spray exactly as instructed but I'm getting weird errors "name 'logging' is not defined". Could someone help me?
Module: Using CrackMapExec
ahhh interesting it seemed similar to active directory module i am doing painful it seems
Yes, I've done it not long time ago - it was painful but very rewarding.
I guess once I understand it better but so far some sections been more enjoyable than others
looking into it, the Get-NetLocalGroupMember requires a computername if it's not the local computer
and I finally got what I was looking for through ping -a $IPv4
but im aware it wasnt the intended way but jank is how we exist hahahaha...
i can dm you a query that'd help narrow things down if you'd like
instead of a jank ping
how does 1 find a computer name let alone its IP if they dont know either?
I worked from IP to computer name through ping -a
and sure
Don’t worry, a lot of stuff really ”clicked” for me too later after I’ve finished it. I did some AD machines on the main platform that really got me thinking about the stuff I learned. And there are more AD modules on Academy if you want deeper practice after you’ve finished that.
With AD is that there’s just so much stuff to learn but after some time you’ll notice it wasn’t that complex after all even tho in the beginning it seems overwhelming
I put this in my notes jezza and might ping you later on if that comes true for me hahahaha
Haha for sure 👍
AD really is a game of finding out "wow, microsoft really allows this, huh"
well MS cough cough really let anyone ||~~ backdoors~~|| in
all in for something about national security but I cant put my fingerprint on for some reason
I'm Eternally Blue when it comes to AD
Yet, another problem with CME:
use netexec instead
crackmap exec has been deprecated for over a year at this point, and netexec is the same tool (quite literally, same tool, same devs)
Thanks, will do. I presume the options are exactly the same as they'd be for crackmapexec?
i believe so yes
also looks like the issue is that it requires sudo for you to perform that action as it stands up an smb share
Interesting, I ran the exact same command with netexec and it worked like a dream
¯_(ツ)_/¯
Hello can anyone help me in intro to malware analysis debugging section question, Reproduce all the debugging procedures mentioned in this section and provide the hidden shellcode-related hex values from the final screenshot as your answer. Remove all spaces.. I have bypass sandbox detection but cant find notepad.exe in attach process
not everyone has enterprise it's best to say the module and section name
I have question about "Understanding Log Sources & Investigating with Splunk", in 2nd page "Using Splunk Application", it instructs to access Sysmon App for Splunk however it is not there in the machine. And it does not seem to be present in Splunkbase either, what is the approach there?
i need help with this exercise on the getting started module, Public exploits. I have scanned the target and this is the result. Im new here.
Artificial
i dont know which is the next step
what?
did you visit the site?
the process of getting to the answer is in that section. how would you find a "public" exploit?
using searchsploit and then metasploit right?
not necessarily. google is your friend
trying to figure out my path rn
idk if i should do another skill path before going for either cpts or cjca path
you mean which cert to do?
have i to search apache 2.4.41 exploit on google?
yea, idk i should do cjc or go right to cpts if or when i do another skill path or not
read through the packet
scroll up and re read what you learned
just search it
Do you have to buy the Silver sub to get access to CJCA?
if you are done with "Information Security Foundations" skill path then you could pretty much go with CPTS, CDSA, CBBH. But with the addition of CJCA you could also go with that. I have realized along the path how important polishing basics is
so you recommend doing those foundations first
instead of jumping right in
to a job path
better foundation i suppose
I am certain a Student-sub would give you complete access to the path.
I highly recommend it. Focus on note-taking as well. Will come in handy on multiple occasions
Ah, so you have to be a student or get Silver? I don't see another way to access it.
yes
also yes. Or just buy the required amount of cubes
take full advantage of it
i have to remember to take my notes from getting started module into my own notepad
don't rush it, burnout gets really bad in Cyber
Use obsidian, notion, or any note-taking application. Make sure you back them up regularly too so you could access them on the fly
ive been using apple notes 😒
i have found some vulnerabilities about the server running on that port,and now? How can i use them with metasploit?
yuser1 i got stuck on that module for like 4 hours one night till 4am overthinking
Oh wait, I think I see. So you have to complete the path first, and then you have access to buy a voucher? Am I understanding that right?
In other words, you can't just buy the voucher, you have to complete the path first.
yuser1 take advantage of firefox i dont remember exactly the module how i got there but i know i did something without msf
you enumerated the host and found a wordpress site does indeed exists. Instead of focusing on the web server apache what stops you from visiting that exposed website? See if you find anything on the website
awoken said foundations r good start too
usually some modules, plugins, or even frameworks used by the website are vulnerable
yes. it used to be that way iirc
and probably still is.
Complete path
Get voucher
yes the webserver
Awesome, thank you!
avira, you need to find another sub i think this is the page for HTB modules
not illegally hacking instagram accounts lmao
wrong place, friend
im feeling lost ahahh, where and what have i to search?
enumerate everything dont just use terminal all the time have to actually use your eyes i suppose
read the nmap output
the http_title returns WordPress site
WordPress is a very famous CMS. Open your browser and navigate to http://ip:port
are there usually more than 1 way to collect flags
sometimes when there is an unintended path. but usually there's only 1 intended path
for that module for example
ahh ok
that one i dont recall if i did anything with that WP vuln
i dont wanna say too much
like nibbles
idk what if spending 4 hours on it till u figure it out or ultimately use walk through is good too lol
definitely engrained some things in my mind doing it that way
Please refrain from posting flags.
thx guys
Again refrain from posting flags!
sorry, i have not read
didnt know this rule
any way, using google is often the best solution
i like bing
just enrolled in info security foundations
i wanna learn about these fortresses and sherlocks but that should come after i do skill and job pths?
it's ok to use writeups ~ IppSec
Any help with this?
pleasure
If you've never read the #rules for the server, I highly recommend doing that and as for posting content do not post and spoil content on module content over Tier 0, along with credentials, hashes, flags, etc. If something cannot be asked or described as it would likely result in spoiling content it should be taken to DMs, as long as you have consent from someone willing to help via DMs.
fortresses unlock for hackers+ rank, sherlocks is blue team activity you could pretty much do anything without certs. Watch a bit of IppSec read 0xdf's writeups and understand how they do what they do
certs give you the required knowledge
in password attacks module
i am stuck at Credential Hunting in Network Shares
can i dm someone? I got answer for the 1st question but cant find the answer for the 2nd one
As this user, search through the additional shares they have access to and identify the password of a domain administrator. What is it?
This has been hit on numerous times and a search for previous related questions and hints might help you before going to DMs. Give that a shot if you haven't already.
the section on Common credential patterns helped me a lot there on the network shares topic.
@void badger I recommend you delete the video.
https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines
found the password for domain admin
had to rerun manspider multiple times smh
tysm @gray yacht @signal berry
hi guys . I am new in here . can i connect htb vpn with kali linux in VM ? parrot os is very heavy for my computer . dont work nice .
Yeah you can do
Download the vpn file
Then
'''sudo openvpn <vpn file>'''
yes , but dont see this " Initialization Sequence Completed "
Send me ss what you are seeing
Np
oh sorry , when i was power off the VM the vpn file delete. I must download again . 2 min
okay , now it is solved
i saw this " Initialization Sequence Completed "
so now where i must write "sudo killall openvpn" ??
Hello guys, I noticed earlier that people suggested to do AEN module blind as a preparation for the CPTS exam itself. I tried and got few flags. But after that, I could not see any other way out. I mean I intended to do the whole module without looking at any of the text or questions. But I got stuck. And I checked the text. And there is no way I could have figured things out on my own even though I have completed all the previous modules. Take for example, the wordpress site. It enumerates users and finds a username which is very specific to the environment. I did the enumeration but with a standard list from Seclist. So, I will never find the user. What can I do to improve?
Hello. I'm doing the skills assessment for Introduction to Deserialization Attacks and would appreciate if someone could tell if my payload is in the right direction or not 🙂
Reverse shell, not bind shell. First 2 commands for linux compromised host, 3rd command for windows compromised host
is it me or the 'hacking wordpress' skill assessment is down? at least it is what i get from wpscan. I tried by myself many times and even read the solution. It doesn't work
yes sorry
I'm trying to access mysql with the default credentials from an ssh machine but I tried the default credentials but it doesn't work can you help me understand what I should do if it can help this is the link of the module https://academy.hackthebox.com/module/147/section/1328
As mentioned in the Note at the top of the screenshot, you're opening a listening port on the target machine. 0.0.0.0 indicates that you are opening it to external connections (if you run netstat -tnlp on the target system, you will see the same thing for all the ports you scanned with nmap). So the python command is opening port 1234 on the target machine.
The nc command is the one you run on your attacker machine, meaning you're connecting to the port you just opened on the target machine. The syntax is nc <target-ip> <port>. For example, this is similar to when you're connecting via netcat to an ftp service by running nc <target-ip> 21.
you can DM me 🙂
Module Password Attacks> PtH lab> Final (not optional) question. I'm using reverse shell like the question is asking. I'm getting feedback that process has been made on DC01 but I never get the listener (NC) to flip over to a shell. I've gone through the show solution and how I am doing this appears correct.
To reply to this and just so HTB knows I had to essentially disable the DC01's firewall to allow for the reverse shell to work.
can anyone help with double pivot using ligolo on AEN?
I had posted this in the cpts chat but was asked to post here. I've been having trouble in the Pass the Certificate lab. On Kali, when trying to generate the DC01 certificate using the impacket-ntlmrelayx -t http://10.129.234.110/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication command. In Kali, it errors out and just drops. On PwnBox, instead of creating a pfx file, it just dumps the certificate to the console. I copied it to a text file but when I try to run the gettgtpkinit.py to generate a ticket, it gives me a non-serial error and never completes. Though now I look at it, maybe I need just try shadow credentials.
Hello does anyone want to hear of a theoretical science
Depends what is the games code on
Like free fire
Never heard of that game
Where are you from
@minor bluff ooh I am from India
Hola
Hola
Que tal ?
Which game you know how to hack
They said ni
Anyhow you want to hear of a theoretical science
Sorry there was a break
@minor bluff let's be friends
Why
To avoid risks and im anti social
Hi everyone! I have a quick question regarding the SSRF Module in the first section I was able to ffuf for the open internal ports, but I am stuck from here. Tried doing ip:port/admin.php but only keep getting an error. Any suggestions?
I have completed all the SSRF labs under portswigger but wanted to continue my CBBH cert path
Sorry I was staying quiet as what the guy said was not of my expertise and I don't think your telling the trueth
Truth
Hi, I'm stuck at Introduction to Windows Evasion Techniques > Static Analysis. The log file says undetected by Microsoft Defender Antivirus but I'm still not able to get the flag.txt. Can anyone guide me on this?
Sorry
I just realized this isn't general
have you analyzed the malicious file?
@marble ferry Also, no illegal discussion is allowed here
Try curling the location
Will try that options as I was only using Burp Suite, thanks for the advice
Ok sir
CBBH > File Upload Attacks > Whitelist Filters section.
I don't get why the "file_get_contents('/flag.txt');" function did not work here? Just showed a blank webpage and all the other functions worked.
You don't have a period between flag and txt, maybe that's it?
Going to delete that since it contains spoilers for content above tier 0
In your message you didn't have the period
My bad, but yeah I did have flag.txt
I checked phpinfo() and that function "file_get_contents" is not disabled, so should've worked am I right?
I don't know
apparently not
I just don't know php that well, nor what protections that box has in place
There is something wrong with that challenge
Careful with the screenshots in tier 2 modules and higher, its part of the rules. Try doing it by intercepting the original image file and modifying the request
That's what I did in OWASP ZAP
You can use Burp
Doesn't matter what you use once your payload is uploaded
The file is there but it is not showing the flag the way I would cat a file in PHP
I had to id by doing cmd= something but why not just be able to see the flag with the other functions?
Yeah
No need, I just clicked the image from the homepage and removed "view-source" and it is a blank page
Which section are you on?
File Upload Attacks > Bypassing Filters > Whitelist Filters
This section is supposed to be about the filters and not how I form my payload so why do I need to do all that extra hassle to get to the flag because my initial payload is not functioning.
And did you get the flag?
That's what my URL is and I got nothing
refresh and visit
How did you get it? Did you get it with file_get_contents?
use inspector to find the URL that the file was uploaded to
Thats what I thought as well since I saw something on the syntax too
Where did you even get "echo" from? It is not on the cheat sheet it says just <? php file_get_contents .....?>
And why they don't teach that I need to insert an "echo"? I should have to look it up on another website and not the HTB module?
In PHP, functions that return a value need to be explicitly output using echo, print, or some other output method.
file_get_contents() returns the content, but does not print it unless you tell PHP to.
that's what chatgpt says
working as intended
Hey everyone I know this might come off as a dumb question but I just started the practical modules In fundamentals of Linux. Im going through the questions on finding out the hardware name and stuff and I cant seem to ssh into the host server. I downloaded the VPN config file, loaded it into OPEN VPN, it shows connected, and when trying to ssh in, the terminal keeps spitting back invalid password. Im using the student password with htb-student@10.10.14.206 for the public server IP address and its accepting it as valid but the login credentials for the student account to access are showing invalid
It is in the cheat sheet look it up, there is no "echo" in that function
I shouldn't have to research an "echo" on some 3rd party website when I am paying HTB to teach me all about their modules.
You can post in #1234357888114364508 if you believe there's a mistake
There are things you will need to look up yourself. It's not possible to include every little thing.
it is technically true, the command gets the contents of the file. it just doesn't display them to you.
does not need to be in the cheat sheet since the server runs on linux it should take commands unless disabled
I get that but not for such a minute detail like missing an "echo" from a php function in the module cheat sheet.
Alright just post in #1234357888114364508 and they can adjust it
Anyone that completed the DACL attacks 1 module? I am stuck on the last question of the skills assessment.
I shall
Did you see the hint?
Yes, I used threatcheck and it says no threat found
I used the step by step guide for the question too and on the little side bar that shows "SSH with user htb-student and password HTB_@cademy_stdnt!" And its still giving me permission denied, please try again
Can you say the exact section
@cloud urchin system information, linux fundamentals
Yes I saw it, I had the hash of jose and jeff but i got no access into dc01 only smb but only read permission then I was trying to play with bloodhound to find a way to get access into the DC01 machine but i don't find the path for dc01
You can DM me
There are no tricks on that one, you should be able to SSH in. Try manually typing the password if you were pasting it maybe.
@cunning canopy so I tried the ifconfig command and its only showing one grouping for that. I can list out any details that it shows. I didnt know i couldn't run the pwnbox and open VPN at the same time so ill try that now but I had tried that before and I believe I got the same result with incorrect login credentials specifically the password. If anything, I can send you or @cloud urchin pictures of what im doing so its a little more concise. Im sorry about this im just not sure what im doing wrong specifically or if its my doing or not in this instance but I cant imagine the login credentials provided are incorrect on the given module
That's a tier 0 module so you can post the info here too if you need, or hit up aw0ken since he's being kind enough to help
AD Enum & Attack Module
LLMNR Windows
I put the password correctly but it doesnt work to RDP to my attacker host
There are no tricks, maybe change regions or servers
@cunning canopy @cloud urchin I cant send screenshots or pictures I dont think I have access to post pictures in this group at the moment but ill dm you @cunning canopy if thats okay with you
Can u please check if u did this in ur notes do u specify the domain with the username
Because other modules specified that
mstsc inveigh.rdp
The notepad:
drivestoredirect:s:Z:
username:s:htb-student
I include my fake drive to share tools
Maybe i have to without this stuff?
yes
Sounds like you're already connected to the target
Sir even the normal command it doesnt work
it also looks like you may be trying to log in as a local user
how to specify the domain
Plz tell me whats the domain name even
I guess ill finger print this IP
i don't understand, are you using a Windows machine to RDP into the target, or are you already logged into the target trying to pivot to another host?
because your screen shots show you are using Windows to RDP, but you are RDPing into the spawned target
Im on a Windows VM trying to RDP
Because I need to share my windows tools
You can share the tools via Linux too.. but that's ok
Somehow I think the Domain needs to be specified
so likely the problem is you are not specifying the domain along with the user, so it's trying to log in as a local user.
How to do it
a lot of times the section provides that info to you
I know in other modules we include the domain in the username
But i didnt see the domain ill check now
Still didnt work
Specified domain in the rdp config file
There is some certificate problem maybe?
Thank you everyone for all the input already and the help is very much appreciated! Turns out im an idiot and was overthinking the question instead of looking at something as simple as actually clicking "spawn the target." Thank you again @cunning canopy and @cloud urchin for the input and suggestions and hopefully I wont make too many additional dumbass mistakes as I go along lol
You have the domain and username mixed up, swap them
Probably studying too long without a break lol
@cloud urchin I've been going cross eyed doing a bunch of the beginning modules and after going through reading like 7 of them, it suggested linux fundamentals as a path in the same section and i jumped right into that and went a little cross eyed 😂
ya don't be discouraged. despite being t0 it is still difficult.
Thank u very much kept it in my notes
Can u give me ur HTB profile to upvote u
Can u please remind me where the upvote button is
i'm not sure haha. i think you just click on the icon?
that's alright if you can't find it
i'll updoot you aw0ken
correct link https://app.hackthebox.com/users/644552
@cunning canopy stupid follow up question for you lol, why would I have to ssh into the spawned target ip address and not the displayed ip address which was the 10.10.14.206?
i'm not aw0ken but yeah that ^;
if you need a handy little shortcut for remembering --
10.129.0.0/16 is the academy lab spawns
10.10.0.0/16 is generally gonna be the vpn user ips
Examples will rarely ever match what is given when you spawn target.
You can take some other shortcuts;
If you're given an ip:port, that's a public ip and the scope is only the given port, you'll usually be able to assume what method you're using to connect by the content of the reading. (though typically they are web containers, but you shouldn't expect being able to get a reverse shell)
if you don't have enough clues from the reading; sudo nmap ip -p port -sV will generally start you in the right track
nah you kinda explained it as succinct as possible
if you wanna know more about the targets and such; the Introduction to Academy Module is great https://academy.hackthebox.com/module/details/15 it teaches you the basics of how you'll interact with the various academy targets and reading
another thing being:
Spawn Instance → Starts the in-browser pwnbox, which is NOT the target -- just an attack box
Click here to spawn target → Spawns the actual target, which will either be a 10.129.0.0/16 or public:port spawn.
Going through pentester role path was fairly easy going until password attack section what a slog
That's what everyone experienced
so in win fundamentals, I was going through ntfs vs share permissions. And I see a lot of data in terms of types of permissions, is this something which is very useful in cpts or something to learn by heart
or is it something u skim over and remember that it's there
the important thing to know about share permissions:
NTFS: Local File System
Share: Across the Network
@cunning canopy i'm deleting just in case the OTP is not dynamic
not sure i haven't done it, it could be that your script isn't doing something properly
Had anyone used ligolo for the double pivot on AEN?
hi people, im trying to install PEDA for section Attacking Applications Connecting to Services on module Attacking Common Applications and im having problems with regex and a module named 'six.moves' that i cant install. any help please?
I dont recall needing PEDA is it linked in the module?
If its a python module pip install --break-system-packages (package name) unless theres a "requirements.txt" included
no "requirements.txt" included.
will try that one
and what about regex problems?
still
same
yes and use it as example
i think im gonna try gef
Dead link in AD module https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html
Im doing the enumeration module in the pentest pathway, on SMTP. Used a tool not even talked about in the module to find the answer to the second question. I used smtp-enum-users I know that nmap has that as an NSE script. Was the intention to use that considering the footprinting portion of the section literally only talks about nmap? Also looking through the documentation on the NSE script smtp-enum-users, there doesn't appear to be an option to extend the time in which the query will wait for a response before cancelling which is required for the correct answer.
Quick Question Guys, I've been trying to use ffuf, I know that the response for wrong username is "invalid username or password." and for the right username its "invalid username or password" (without period), when I use ffuf -fr "invalid username or password." it does not show the one without "." but in burp it does, how to solve this? thanks
- Are u sure theres nothing else u can use as a signature
- Can u proxy through burp to see the full request whats happening?
Hey can anyone message me pls that has done the documentation and reporting practice lab
Its really really really annoying bc i alr dumped ntds and sam on the dc yet the user they want me to find pw for by dumping the ntds.dit isn't even there??? So its like i cant crack the hash if no hash
I guessed the local group the svc_reporting was part of but yet no user. Not in either database and i go to the C:\Users and nopeeee not there.
try multiple ways of dumping/finding creds
ah nvm it's the q asking specifically to dump ntds
i'm assuming you used the user b* to get ntds
you can use netexec to dump ntds as well
Hi I'm working on the cjca path, I'm in the Introduction to bash scripting module Conditional Execution. In the pwnbox I tried to enter the script to follow ./CIDR.sh inlanefreight.com but it says "permission denied". Is this just an example, or am I supposed to follow along?
did you do chmod +x ./CIDR.sh
you can follow along but also if you're on a free htb account, be aware that the pwnbox has very limited internet access
i used s*, i winrm'd into the dc and the s* user had a folder in home directory. Ill try netcatexec rq. Ill lyk too if it goes through at all.
Ok yea then I have to renew it this week.
once you purchase any cubes on academy, the restriction is lifted
Thank you!
so permission denied is likely something else
it's helpful to look at the whole line to find the error
because permission denied is very vague
you can also try running it with sudo
No dice still lol Im restarting my VM
@fathom pendant You goated asf i was literally abt to suplex my laptop and shoot it w/ a c4 nerf dart i was going to crash out immediately ong no bap. Netexec is goated too
if the question doesn't ask for you to do so, you don't need to follow along 100%
Yea there is a question that requires me to use the if-else condition in the Exercise script to get a character number.
Here is the question for the Conditional Execution section " Create an "If-Else" condition in the "For"-Loop of the "Exercise Script" that prints you the number of characters of the 35th generated value of the variable "var". Submit the number as the answer."
can anyone help with the answer of this
AEN
External Information Gathering
Perform vhost discovery. What additional vhost exists? (one word)
Tried:
||answering as number and alphabet (for ex- one) nothing working||
you can dm me @wooden seal - dm me the answer 🙂 if you are still stuck (as for others, please do not dm me, ask permission first)
had to add you first nvm
I have question regarding solution of this question from AD Enumeration & Attacks - Skills Assessment Part II.
Submit the contents of the C:\flag.txt file on MS01.
The flag is certain sentence that suggest something.
Do we need to do that to get the flag. And how do we know x user has access to remotely access to ms01, as bloodhound output does not show this.
another thing I feel is confusing is that
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
cypher query to search canPSRemote edge finds nothing, but I can use evil-winrm to access the host. I used netexec ldap for collection with -c ALL.
anyone knows how to find/use prebuilt queries in bloodhound (v8.0.1) like the old one i cant seem to find it nor seen any articles on videos on it Nvm i was being blind for a second got it
https://academy.hackthebox.com/module/147/section/1328 Is the problem in this section related to the article? I don’t know how to start, please help me
it is, they provide you a way to look for default credentials
I'll try
Thank you, I made it
Busy with this module: https://academy.hackthebox.com/module/115/section/1139 The lab is really slow 🙁 Any way to get support on this?
This module exercises patience.
i Have a question is it allowed to publish write-ups on HTB academy modules..?
only for tier 0 i guess
not above than that
ok thanks
are you running an nmap scan or so?
hey guys iam new to the hack the box i want to learn go deep into it can anyone me pls
hello can u change javascript time by using the consoles
I might seem dumb asking abt this but is it possible to hack in mobile
There are several modules in the Academy about Android hacking.
OH THANKYOU
Hey guys, im relatively new in htb academy. Please, what is the best way of taking notes from academy? Thanks
they are many videos on youtube
they will help you out
Technically you can, some tools might not work if you are not using a rooted android. Lookup nethunter, there is also a rootless one.
hi guys i was doing pivoting skill assessment last one..i successfully gained rdp using ligolo..but now i want to transfer mimikatz to it..but i cant do with that my python server because i cant connect..how to do that
base64 thing?
if you are connected with RDP you can use /drive:<sharename>,/path/to/the/mimikatz
In Module Attacking Common Applications > Attacking Thick Client Applications , Q.
" Perform an analysis of C:\Apps\Restart-OracleService.exe and identify the credentials hidden within its source code. Submit the answer using the format username:password. "
When I run RestartOracle-Service.exe file as administrator in command prompt, it doesn't create the .bat file at C:\Users\cybervaca\AppData\Local\Temp\2\ after doing the permissions changes . Also, when I monitor it in ProcMon, I don't even see the RestartOracle-Service.exe process. What am i missing?
i am exactly doing this right now too, i tried to do it but it gave me permission access denied error so i tried to change the permissions of folder 2 inside /temp but when i run it, the .bat file spawned at /temp instead of 2,
I got the permissions access denied a couple of times. You just have to get a new vpn and repeat it until you dont get that error
can i dm you
yeah
thanks a lot man
i was banging my head with this from last 3 hours
i was like i am missing something..i was questioning my skills
even gemini havent told me this
ai failed
Threat Hunting With The Elastic Stack
Hunting For Stuxbot
Question: Stuxbot uploaded and executed mimikatz. Provide the process arguments (what is after .\mimikatz.exe, ...) as your answer.
Answer: "lsadump::dcsync /domain:eagle.local /all /csv" exit
why this answer is not correct????
hi guys . i can not connect vpn file / how can fix this ?
sudo openvpn C:\Users\acer\OneDrive\Desktop\academy-regular.ovpn
sudo: unable to resolve host parrot: Name or service not known
Options error: In [CMD-LINE]:1: Error opening configuration file: C:UsersacerOneDriveDesktopacademy-regular.ovpn
Use --help for more information.
you have openvpn installed on your windows?
you can dm me
Thanks, sent a request.
send some msg as well
yes i use wsl
i try this yesterday and do this /
but today cant
im doing the junior cybersecurity analyst modules and im on task scheduling. Do i have to use my own VM to run the commands? When i run the 2 initial commands on pwnbox what comes up is nothing like the demonstration.
i have no idea with wsl..i always used vm..
if your pc supports vm , then definately you should have your own vm..its good to have
terminal is same
i have one
i was just asking
yeah but i used kali openvpn which is preinstalled
oh okay , i understand you . thank you
I'm working on the password attacks skills assessment (https://academy.hackthebox.com/module/147/section/1356) and I've set up proxychains as it was described in the section but when I try to run an Nmap scan on one of the internal hosts it says it'll take 4 hours. Is there any way to speed this up or is there a workable alternative to proxychains available? Thanks!
try ligolo
it is faster than proxychains + you dont need to setup proxys and edit files everytime
it will handle everything
Read and follow #welcome
ohh thank you . how can i write command ?
i do , thanks man
Hey, someone know what's wrong with my temporary SMB server (freepbx to HTB machines) :
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
Hello, someone can help me with the module Broken Authentication?
I'm doing the password attack module in the password defaults section and when I connect to the ssh machine I have to try the default credentials to access mysql but the default credentials but I don't know if I should do bruteforce?
this is the link of the module https://academy.hackthebox.com/module/147/section/1328
yes I used the credentials he told me but they didn't work
sorry I deleted the photo
it doesn't work anyway
Hey guys I am in need of some help. So I’m on the nibbles walkthrough module, I’ve done everything up to establishing a Meterpreter connection to the nibbleblog site. I haven’t been able to figure out how to establish a user shell. The walkthrough hasn’t been able to push me through. I have figured out the login info and everything else but just cannot manage to get a user shell. I think I’m lacking context or perspective somewhere, someone please advise me
.
Which module
@opal shuttle Nibbles
are you telling me?
yes
its basically upgrading your shell
when we get rev shell...we dont have some features...if we want that features then we need to upgrade shell..its all about that how to upgrade
he is not even removing that
so you are getting 50 percent discount on swag show
what will you order
i think we have talked before
let me check dm
yes but i didnt understand what is the meaning of double enter
@devout lily removed your message because it contains content from a module above tier 0
sorry, how can i send content legally? Making a screenshot is better to show the contest
Any content from modules above tier 0 should not be shared in any way. Simply mention the name of the module and section. You can however copy paste code blocks and ask what they do... e.g.
Example Message:
I need help with Shells and Payloads - Spawning Interactive Shells
python -c 'import pty;pty.spawn("/bin/bash")'
I don't understand what this does.
ok thx. Right about that command, i have to put it on my local shell or in the netcat (remote) shell?
It's a command for your remote (unstable) shell. If you try to use backspace or other characters in your remote shell you'll notice something like ^H pop up, that's because the shell is not fully interactive. This command will make it interactive.
Hey hello guys Actually I have a very light pc with i3 2nd gen 4gb ram so I am using live boot Linux in it and now I am facing a problem in Linux. Whenever I try to boot in live Linux and go on Firefox then every time it asks for captcha and it's persistent captcha it doesn't go away after filling it asks again and again. Anyone know the solution then please help 😞.
That question is out of topic for this channel please try #1024429874246590575
If you don't have access, read and follow instructions in #welcome channel
Can someone please clarify which VM this section is referring to? I went to the Nessus Skills Assessment section as instructed and started the instance, but Nessus is not pre-installed. The instance does not appear to have anything extra or different compared to the others.
I tried accessing it via https://<IP>:8834, but Nessus is not running. I also connected to the target VM via SSH using the provided credentials, and Nessus is not installed there either.
Am I missing something, or should I open a ticket to report this?
The target you spawn
This?
the IP below
no, that's the pwnbox
the pwnbox is the attacker machine
I tried, there is nothing in there
are you on the vpn?
I use the pwnbox
ok then you should be able to get to that target from within the pwnbox
https://10.129.202.116:8834
what do you see when you go to that
Okay, now it worked, either I am too tired or it got scared (the usual) 😂
Thank you both and sorry @ancient coyote @cloud urchin ❤️
The webserver also may take some time to fully stand up so give it a couple mins after you get the IP
Yeah all good, I think I am tired, will continue tomorrow
😂
after you get ip, wait for 5 min extra
Im not here yet so im no help
@opal shuttle Please take care not to spoil skill assessments
yeah i have that in mind
hi guys i am stuck at the very last part skill assessment of PIVOTING AND TUNNELING MODULE..when we have ..i cant say more
Hello, in the module 229, section 2456 (IP Source & Destination Spoofing Attacks) in the decoy_scanning_nmap.pcapng file, why do we observe the reset connection packets on closed ports to occur only for the attacking IP, while the decoy IP is performing syn connections as well?
https://academy.hackthebox.com/module/229/section/2456
Can I get quick sanity check on Pass the Hash (PtH) Skills assessment bonus Question? I dont need help just want to check my understanding
So I found the strangest bug?
oh?
The machine in attacking FTP at https://academy.hackthebox.com/module/116/section/1165
it spawns the wrong machine, it does not have 2121 open 😄
I enabled walkthrough mode to check my sanity, but the exact nmap scan does not show 2121 open.
Ive had something like that happen before with a box where port 80 wasnt open. I just had to restart it
already did
never had this before 😄
well a reboot again, and it is now open
problem fixed, strange issue
now prob should delete as this answers a question on the mod
people can ctrl f this issue now
Hey can any one tell me why there is only 2 option for doing payment on HTB and can i use my debit card to pay?
yes
But i am getting card declined even though i have international payment on and sufficient funds
call your bank
also General is prop better if you have further questions
or these
I dont think debit will work
it will thats how I paid
What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?
can someone help me this
its from linux fundamentals
i tried it in root directory but ain't worked
find is your friend
i tried with this in pwnbox
using find
i know what to use
but not where to use
there are config file in /var/backups and in root and in other directory also
Search the entire system
okay then what shall i type in name *.config or name *config
-name "*.conf"
The module explains how you can filter the output. ChatGPT is also a good resource for this kind of thing.
I like for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done
its not .conf
its config
then the above command is".conf .config .cnf"
now its three
so i tried with .config
i am not wrong at this point
I'm struggling with the Server-Side-Attacks module Identifying SSRF. I have found three ports can someone help me moving forward?
Hey Guys Whats up hope everybody doing good. I have a lot of problems using proxychains4 and crackmapexec, these two combined give me a lot of headache and lose a lot of time. I am stuck in the Skills Assessment of Crackmapexec. Does anyone have some tips on how to solve these connection problems? proxychains4 -q crackmapexec ldap dc01.inlanefreight.local -u skusers.txt -p '' --asreproast skasreproast.out
It doesn't do it and always gets stuck or gives errors. Tried also this one proxychains4 nxc ldap 172.16.15.3 -u skusers.txt -p '' --asreproast asrep.out
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.15.3:389 ... OK
LDAP 172.16.15.3 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:INLANEFREIGHT.LOCAL)
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.129.204.182:88 <--socket error or timeout!
[19:05:01] ERROR Exception while calling proto_flow() on target 172.16.15.3: [Errno Connection error (10.129.204.182:88)] [Errno 111] Connection
they wont work. Use Ligolo-ng. Im not sure the exact reason im sure someone does. @gray yacht Has a good video on how to use Ligolo-ng and it helped me a lot
you can just tell did you solved the question of linux fundamentals
Yes i also prefer to work with ligolo but since they install the chisel already and have no other opportunity to connect through chisel
is so annoying
done
Its because of the difference of tunneling. Neither Chisel nor SSH port forwarding will work. Unless anyone else knows a workaround I would use ligolo
why one of the staff has name Cry0l1t3
is academy down again?
Nope
it was in the home directory of linux fundamentals pwnbox
tell him to give the answer i almost spend 2 hours on that
find files and directories
1st question i had done others
Why not? What's wrong with that name?
i just saw that in the home directory of my pwnbox
no progress sir, are you referring to dateserver=http://127.0.0.1:PORTS_FOUND/index.php&date=2024-05-08 I have tried this in burp but no fruitful progress, where am i missing out
bro
find files and directories
1st question
i know find
i did bro or i just got too strangled
just tell the answer now bro it will be huge help as i also need to burp labs now also i am fried
its not some rule breaking or something
okay then i will type the cmd
tell where is the error
find / -type f -name *.config -user root -size +25k -size -28k -newermt 2020-03-03 -exec ls -al {} ; 2>/dev/null
and also @cunning canopy bro how can i use openVpn and use my machine
Hello, can someone help me with the module "Password Attacks"? Specifically, i need help with Pass The Certificate. Im not being able to do the DCSync part. I am REALLY stuck on this.
what is your machine ? @eternal saffron
no need to tell it worked
hello
Hi everyone. I've a problem with Linux Fundamentals. I'm using built in terminal and so far it's impossible to get a correct answer. I found a YT walkthrough that I am checking if my answers are not right and most of the time I'm doing exactly the same as in the walkthrough but I'm getting different results that are not accepted as correct answer...
I already did
@cunning canopy is openvpn safe or is it vulnerable to something do i need to keep check on something
hey all
Thanks. I tried to do the Shadow Credentials (msDS-KeyCredentialLink), but the klist command doesnt work in this particular lab.
answer?
Hello, I cannot crack the hash of keytab svc_workstation.kt with any tool after extracting the only AES-256 hash using keytabextract. Password Attacks --> pass the ticket from Linux. Am I cracking the wrong keytab file? Wordlist gets exhausted and crackstation doesn't recognize the hash
any other person who can assure me how openvpn is safe ?
It’s a file you’ll need to use before you can connect to the targets
The file itself is harmless
no i am talking about the connection that is it safe to connect through this public ip address
Well, as with anything in IT, nothing is 100% safe. Make sure to use a vm - HTB tries to keep it as safe as possible
How can i get help for this? I dont find anything related in Google about this particular Topic for HackTheBox.
okay i am doing it on a vm
I cannot use the forums because i get this message everytime i try to log in with my HTB account;
@awoken and @
@cunning canopy and @storm elk
the pawn machine are different for everyone?
i mean their ip
On academy, everyone has a private instance
on htb labs?
if someone is spoofing on the ip that is known he can be the man in the middle?
so that safe ?
You’re overthinking this 🙂
well i try to go in deep to every vulnerable opportunity
that would a red teamer will require ?
so might have more knowledge than me currently
Also , if we are not talking about academy modules, best to move to #boxes or if you’re gonna do starting points, #starting-point
if want to share i can listen
there will be too much noise leave it i would find myself
Solved, it was a small rabbit hole. won't spoil the solution
last qustion @cunning canopy and @storm elk how many users are currently in discord group?
good its low
Question on Active Directory Enumeration & Attacks | External Recon and Enumeration Principles
Am I supposed to be enumerating inlanefreight.com or .local? The beginning of the module said .local was what you have to use, but that doesn't appear to be a legitimate website? please @ with replies
Ah thanks, read it as no recon whatsoever - had to re-read it
XSS skill assessment got destroyed by me in no time! lol
I solved it. I forgot to resolve the DC01 hostname to its IP Address:
echo "<DC01_IP> DC01.<CORP>.LOCAL" | sudo tee -a /etc/hosts
anyone had any issues with windows agent using ligolo not connecting on double pivot on AEN?
i am about to start HTB CBBH program, i am looking for partners and study group to travel along on this journey
My second agent wont connect at all, ive tried various ways
i have encountered something like that,..any luck?
Would u mind sharing how you got it to connect, also have u tried the --retry flag when connecting windows agent ?
Hello. I have an issue with editor machine. I obtained ssh creds for oliver but he can't run sudo. I tried many things but i can't escalate my privs to root or read root.txt . Can you give some piece of advice where to look for?
Need help on the Linux Privilege Escalation Linux Services & Internals Enumeration https://academy.hackthebox.com/module/51/section/1777 The answer isnt working. I know how to know what version of python is installed. Python2 isnt installed, python3 is; however that is not accepted. Any one have ideas?
It's looking for a specific subversion
yea I the sub version. but its not accepting the answer
*I know the subversion
python --version doesnt return anything, but python3 --version does
wrong channel mate
@fathom pendant promotion
I dont have access
Theres instructions in #welcome to link your htb account and access more channels
Anyone working with introduction to Active directory module?
ok, found it, had to list installed versions
The reason python --version returned nothing is bc its not linked to any of the python versions
yuser1@htb[/htb]$ sudo -l
(user : user) NOPASSWD: /bin/echo
Hi everyone, can someone explain this to me? I have understood that user:user says that yuser1 can execute sudo command as user, and bin/echo without password
Correct?
Almost correct
You can specifically only run /bin/echo as user with no password as user1
Think of sudo as runas,
sudo switch user and do
With no user argument, it defaults to root
if i can run sudo -l, i have already sudo privileges right?
Not entirely
You have sudo privileges to run a command as x with y conditions
for my example?
running echo as user with NOPASSWD condition?
Yep.
NOPASSWD is a specific thing, it means well... no password
It means you dont need user's password
but once i have exploited a machine, can i always run sudo -l to see what privileges i have?
Sometimes the user you land on has no sudo perms, but thats one of the basic steps of enumeration from a foothold
.
Im assuming by "exploited" you only landed as a user, not as root.
"As it says user, we can run sudo as that user and not as root" this is what the section about my example says
it talks about sudo, not about echo

Link to the reading bc you may be misinterpreting it
But yes because it says user, youre allowed to run sudo with -u user to run the specified command/path
im sorry but i am new on this world
Do you guys think I can skip the “SETTING UP” Module?
Does it affect my security career?
Setting up is more of a reference guide, not a straight up "follow everything exactly"
Okay so no problem if I gonna skip this?
so (user : user) NOPASSWD <command> says that i can run sudo -u user <command>?
without password
Yeah, if you already have a vm set up, youre good
Correct
I mean I’m new in this scene. I got some basic infos about networking from my school but nothing about hacking or sth else
Most schools won't really teach about hacking
Got Kali as main OS on an extra laptop
same problem
- Kali VM on my main Laptop
Generally speaking, Kali as the main OS is not recommended. This is because Kali frequently breaks
Great, but while i have run sudo -l, does it mean that i have sudo privileges? This is my point
You have whatever privileges it tells you. If you dont have privileges it'll tell you
Itll straight up tell you {username} doesnt have sudo privileges
I noticed this haha. After hours of following any steps they won’t work exactly like described
Then I realized this is just a “help” module for someone who has no idea how to setup a VM
Yep, and if all else fails, documentation always exists somewhere
I was just worried about skipping this module. But if u say, I can skip this when I already got an VM. I’ll trust you 😁
@fathom pendant Do you think I can go for a Job Path after complete the skill path “Information Security Foundations” ? Or should I do any skill path before? Maybe go a little roadmap for me 🫣
Information Security Foundations is generally the bare minimum, CJCA would be a small step up.
However it really all depends on what you wanna do
I.e. there's the Soc analyst pre-requisite path before the CDSA path
I dont have a road map for anyone bc I didn't follow a road map, I was interested and just went through the path with some basic knowledge on networking, linux, and windows
hello i have problem with Wi-Fi Penetration Testing Basics im stuck in Bypassing Mac Filtering, question 2: Execute the MAC Filtering bypass as demonstrated in the section to establish a connection to the 5 GHz band. Once connected, locate the flag at IP address 192.168.2.1.
Anyone has same problem with this command nmcli device wifi connect 'CyberNet-Secure-5G' password 'Password123!!!!!!' ??
Hello, I'm trying to figure out a part in the Oracle TNS part inside the Footprinting module. I'm stuck at the part where I am supposed to get the password hashes from sys.user$ ... The instructions say to write "select name, password from sys.user$;" but using the pwnbox it won't give the information like in the example. It just shows a new line with a 2. Any ideas?
Are you connected to the tns server? (As SA)
Typically within a db server, a new line means it's waiting for you to close out a command
not sure what you mean, I follow all the instructions on the module
In my case, it is this network, but as you can see in one of the screenshots, it is not detected. When I enter the password manually, I still cannot connect.
Or its waiting for a command like "Go"
if I hit enter it goes back to SQL>
Did you run the connect command?
Iirc you need to add "as SA" at the end
It's been a minute but thats what I recall doing
what does SA mean?
SQL> select name, password from sys.user$;
Deleting bc spoiler
Add as sa to the sqlplus command
That logs you in (if user has sufficient perms) as the SA account
ohhh I see, I'm stupid sorry. Thanks
@fathom pendant any guide for me?
Haven't done the module
And also dont dm people without asking
so what now if the lab is bugged?
Reach out to website support
Need some help? Learn how to reach the support team on Academy.
no option for open ticket
There's a support message at the top
this ai bot is so frustrating but thx
"We can check which tools we can execute with sudo privileges by running the sudo -l command, which will return output in the following format:
User <user1> may run the following commands on <host>:
(<user2 under which <user1> executes <command> : <group>) <command>
When we compromise a host, depending on the exploit type, we gain access as <user1> (one of the existing system users), whose permissions are defined in the /etc/sudoers file. Each line in this file tells us which <command> <user1> can execute using sudo and under which <user2> it will run. The sudo -l command checks this file to find the rules associated with user1 and displays them in the output." Sorry, is this description correct?
Yes
hi
Did you run that through chatGPT or something?
anything hahah, deepseek and gpt
but now i think i have understood
Yeah, that may not be helpful too much tbh, its best to write notes in your own words
It helps strengthen understanding if you rewrite the concept in terms you understand and can relate to
