#modules
keep you sharp, attention to detail
Do i just start from the top and go down?
you can do it in the order that you like, I did it top to down.
Hi, I'm working on Attacking Common Services - Easy. I'm trying to use hydra to bruteforce a user's password against SMTP and FTP. When I use it against SMTP, it hangs. When I use it against FTP, I get this message (attached). I can dm the command, as it contains spoilers for the lab. What is this error that I'm getting?
Related to my last post: #modules message
#modules message
#modules message
I see these users have had similar issues, but it doesn't seem like they were resolved.
i figured it out, finally... my ISP seems to be blocking path traversal. doing it on a VPN works.
Hello everyone,
Im on the command injection question of Web Enumeration & Exploitation https://academy.hackthebox.com/module/163/section/1544
Im not sure how to pass the socat variables into the url encoded path
How many threads you got on that thang?
Or how many simultaneous requests
Looking for a nudge on Abusing ACLs I found the user who should be able to get to adunn, I got their hash to crack --> impersonate, but nothing is cracking this hash. Any hints would be useful
I didn't specify, so it must be the default.
Hello, I am currently working on Module: Credential Hunting in Windows. I am on question 2 and I have copied over the lazagne.exe file to the Windows machine. No matter how I run it, it returns: "cannot start due to incompatibility with 64-bit Windows". I have noticed that there is not a 64-bit version of LaZagne.exe. I even walked through each command on the "Show Solution" and still returns the compatibility error.
havent done the module, but if you know you can establish a connection with this server i.e. you have manually tried it with credentials, then it is probably either an issue with the command, or an intentional configuration on that machine. I know you can configure how many simultaneous connections are allowed in ftp.
Thank you! I'll give that a shot
Don't thank me yet
If you go back through the older LaZagne releases, you'll see a release with a 64 bit version. I tried that and it worked.
Ok thank you!
Did you get what you needed?
That worked! Thank you 🙂
No joy. I tried using the -T4 option without much luck. I also tried resetting the target, resetting my tmux session, rebooting, etc. I'll try the pwnbox and see if that actually works.
I’m having trouble in enumerating the network shares module. I’ve used net exec and every time I get the brokenpipe error. When I use snaffler it gives me errors when I use the -x command when I try to direct what file extension I want to go through
Not what this server is about.
Talking about the Credential Hunting in Network Shares section of the Password Attacks module?
Yes
^
someone hint for password attacks skill assesment
i got where i need to crack some hashes
but doesn't seem to go for some reason
You can DM what you are experiencing
only managed to crack 1
Wrong channel buddy
oh
Yes, it's possible. Research what the ibak file is, and then research tooling that supports it. But is this related to HTB Academy modules?
What box is this?
the first one on pen testing
like the starting point one
Then might be better to ask in #starting-point
ok bet ty
Just name the box. We are not psychics, so please, try to be as clear as possible if you want help
ye i found the answer
Well done
Hello ! I am in pivoting module , in dynamic port forwarding section and I do the dynamic port forwarding as shown in the course but when I try to connect to the target using proxychains xfreerdp I get error about Kerberos and then proxychains timed out
my god how it makes sense, i brute force rdp with net-exec got valid hit then try to rdp and cant
Wish I could help further, but I've not done the module you are working on, sorry.
Guys I am stuck on pivoting module, can someone share some videos so I can understand it better?
just search ligolo
and learn that tool
I also want to learn the theory of it
I managed to create an nmap static binary. I have written a blog post about it. You can also ask AI to walk you through the process.
I need help. I don't see any option to close the target system I spawned to complete an exercise.
You do not need to terminate it. If you start another target, the old one will be terminated automatically. It will also terminate after the lifetime as stated below (80 minute(s))
It'll take care of itself 🙂
awesome. I just got used to seeing option to terminate other machines while not seeing one here and got concerned. Thank you.
guys pls help on password attack assesment
i kinda got almost everything i would guess but cant move further
Hi everyone, in the Advanced Deserialization module, is it normal for it to show this in the Example 1 instead of teetrave website?
I'm on the Operating System fundamentals and I'm having trouble finding a ".bak" file... i see the original file in /etc directory but in the /var/backups I'm not seeing any ".bak" files in general. I've tried "find" and "Locate" on the "/var/backups" directory still no file any hints?
You can DM what you've been able to identify.
Oh my goodness finally DACL II Skills Assessment done!
that was insane but super super fun!
If anyone gets this 'libcrypto' error which I was debugging for almost an hour! This is a really good site which I followed and I didn't get the error again!
https://github.com/dirkjanm/PKINITtools/issues/9
Ty htb for a very informative module!!
Hi everyone. Can a moderator please help me with verifying my account? I keep getting an error since yesterday when trying to do so and being told to get in contact with a mod/admin. Thanks!
PS: sorry for posting it in this channel, it is one of the very few in which I have access to send anything 😅
You can DM me
Hi everyone, i want to ask, i was doing the elastic module, i seem to understand it a bit looking at the solutions, but without it, I dont know how to get there. For example, im clueless on how to tackle the skills assessment, am I supposed to do extra reading in the tools or do an extra lab? Can someone help guide me in how to better understand the elastic module
Like for example, how are you supposed to know whether something is event code 11 or event id 1 or 3 or 5, etc... so that you can filter
Google important/critical event id's
You can find stuff like this https://gist.github.com/githubfoam/69eee155e4edafb2e679fb6ac5ea47d0
Also note down the ones you find in the modules
Attacking Common Applications Exploiting Web Vulnerabilities in Thick-Client Applications
I can't open start.sh after using FileBrowser->Config in Traverse.
Thank you
Any help for my question?
I don't know for sure because I don't know the perms, but in that section one user has perms over another, i think GenericWrite, so they can just change the password to anything they want for that user.
so the password is arbitrary and could be set to anything
Thanks. You are right. Before changing the samaccountname to DC03 it is the password for user felipe. 👍
Has anyone completed the Command Injection Module ??
I know right haha!
All the best with DACL I!
Yep
I am new here and going to start learning bug hunting and bounting which module should I choose
Junior cybersecurity analyst or some other
Hey guys, I have difficulty understanding a spl command for "Pass the Ticket" for the "Detecting Windows Attacks with Splunk" module.
index=main earliest=1690392405 latest=1690451745 source="WinEventLog:Security" user!=*$ EventCode IN (4768,4769,4770)
| rex field=user "(?<username>[^@]+)"
| rex field=src_ip "(::ffff:)?(?<src_ip_4>[0-9.]+)"
| transaction username, src_ip_4 maxspan=10h keepevicted=true startswith=(EventCode=4768)
| where closed_txn=0
| search NOT user="*$@*"
| table _time, ComputerName, username, src_ip_4, service_name, category
I do not understand how the transaction command works? please help
it is because there is no endswith, it is very confusing
Please guide me
so for closed_txn=1,
there must be at least more than one eventcode 4768 (same username and src_ip),
or after 10h it will automatically be closed_txn=1.
Am i correct?
Anyone can nudge me the Lab on Pass the Certificate on Password Attacks?
Check your DMs.
Hi, Why the reverse shell may not work. I upload the shell to the server, enter cmd=ls in the address bar, I get the answer, let's say shell.php, but as soon as I continue to write cmd=ls../../, problems begin, either the page does not show anything, or the shell itself disappears from the page.
- Shell isnt uploaded properly
- you're not doing it right with the cmd
Hi,
I was doing Introduction to Windows Evasion Techniques - Static Analysis
All checks are passed, but i didn't get flag!!
What did i miss?
And what matters is what OS is on the hacked machine and what shell we use (I mean what is written inside the shell besides the address and listening port.)
On web cache poisoning how does the 3rd request get a hit meaning its unkeyed? The 2nd request gets a hit because the 1st was send but the value of the 3rd request was not sent so how does it get a hit?
# First request is miss
/index.php?language=valuewedidnotusebefore&ref=test123
# Request again is hit
/index.php?language=valuewedidnotusebefore&ref=test123
# Change value third request is hit
/index.php?language=valuewedidnotusebefore&ref=Hello
Solved this module https://academy.hackthebox.com/module/113/section/1211 only by looking it up online. Bruteforcing does NOT give me the credentials, credentials found online are correct answers, but do NOT work to login.
Any hints on ADVANCED SQL INJECTIONS - Skills Assessment create function ?
Hey there!
I believe that the 3rd request is a hit because the cache ignores the ref parameter. Even though that you changed the value, the cache will treat it as identical to the second request since the only keyed part is the /index.php and language=..
The first request is a miss because it doesn't have an entry yet which will result in a miss but it will store the path and language and the ref value is left out because it's unkeyed.
Hope this makes sense and helps!
I am still stuck on this one. You get anywhere with this?
Hi need a slight nudge for the Advanced XSS and CSRF exploitation Skills Assessment, stuck on ||promoting to moderator||. Have a payload that works locally but seem to have no admin bot triggering the response
Hi! I'm currently taking the File Upload Attacks module and whenever I want to make a fuzzing attack using burpsuite, every response is a 200 OK but in reality any of them work. I have read the resolution and it still doesn't work at all
Maybe you can try different filters other than 200? Looking at the size of responses for example.
I think I got it, main thing to look for is the hit or miss on the 3rd request when changing the value on the 3rd request where keyed will show miss and unkeyed will give a hit.
In the response field it appears File successfully uploaded and in theory only a few are allowed
Are you working on the Skills Assessment?
Yes
I mean, in the Whitelist Filters exercise. Not the final one
Okay you have fuzzed the file extensions in Burp? Do you see the values of "Length"?
Yes. The length is different
But how do I know which one works if all of them says 'File successfully uploaded'
If I use the repeater it changes and says 'extension not allowed' but I have to try one by one
If there's different sizes of the response it should give you different messages.
The only part of the message that changes is 'Keep-Alive' but there is no useful information
Anyone?
am doing the password attack skill assessment and ive alr gotten the domain admin hash n rdp in
where am i suppose to find the Administrator hash?
administrator hash ?
try to use techniques learned in the module
the ones that allow you to dump stuff
If you have the domain admin hash, that should be the answer.
You can DM what you are using.
you can dm me
Hi i am doing Skills Assessment - Password Attacks
i got initial access via ssh but I am stuck here, any hint please?
how to get hacker role
huh
why my name is this
i cant talk in general
Follow the instructions and you will be able to
okay
You can DM what you've tried, as what is shown in the section should work.
hi guys i am confused why cant i chat in general chat? i just joined
is there a way for netexec to also dump the hklm/system?
password attack module says that it can only dump lsa and sam
It automatically dumps SYSTEM to be able to read the SECURITY and SAM files with the system bootkey
Not sure you can output SYSTEM from netexec though, best way to find out is to search in the nxc documentation
nvm
anyone can help?
learn ligolo-ng
Howdy 👋
I'm looking for help with **Intro to Whitebox Pentesting Skills Assessment Q2**
So far I believe I made the appropriate patches to the JavaScript code, but the check is not playing nice.
I followed each step one by one to the hint provided but I'm at a dead end and have revised this code multiple times based on info in the forum and on Discord.
If anyone can give a hand it would greatly be appreciated.
uhhh I need help with the Password Attack module section Credential Hunting in Network Shares. I really don't understand the whole section.
Tl;dr tools exist that allow you to search shares for sensitive info
I know I used both snaffler and PowerHuntShare but I had a problem understanding the output from it.
hey @fiery trench can you dm me the code that you have at the moment so I can help
@gray yacht You able to help out with Exploiting Web Vulnerabilities in Thick-Client Applications?
yo where can I ask about fortresses?
I completed it and all 11 flags, but I cant get points for 1 on the task, because it says I already own it
on #fortresses ?
its locked
I think you have to link your acc
Cool
you can dm me if you still need help
I can only use this to talk...
I cant talk on general
Anw
I wanna know who is the best hacker in the server
#welcome has instructions to link your htb account
Hi I have a problem in Ad enumeration and attacks skills assesment part II
When i generate the hashdump of administrator in sql01 it generates the administrator wrong
I compared with posts and it's not the same hash
Can I talk with someone in dm?
It's not wrong, it's just the local admin hash for that host.
It's not wrong, it's only the local admin hash for that specific host.
Attacking Common Applications Exploiting Web Vulnerabilities in Thick-Client Applications
I can't open start.sh after using FileBrowser->Config in Traverse.
Active Directory Enumeration & Attacks -> Bleeding Edge Vulnerabilities -> PetitPotam
i've been stuck for a whole day on this, tried to make it work out but nothing useful,
sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController
python3 PetitPotam.py 172.16.5.225 172.16.5.5
no route to host
nothing came to my mind for this issue
No route to host == the ip may be incorrect
Or theres no way for the tool to reach the requested host
cant someone just search and replace crackmapexec with netexec in academy 😄
🤷♂️ I mentioned it as you didn't
Nevermind I guess
The module does include information regarding how to use datasets however
Modules do not always have all the answers documented in the sections. It can take a bit of outside of the box thinking and research to achieve the end goal
Hit up the #boxes channel
This is for Academy Modules
oh sry miss
They are not, no.. but have a read back over. torch is so freakin useful
You may need to do a little research
Either that or I'm completely missing something
Hey, in the evasion module I'm stuck at the static analysis portion, i don't see how I can compile the code for the revshell
oof
Aaah interesting, more insights yeeh. View #modules message , in this the message I posted earlier you can see a difference in bloodhound queries that are used (CE vs legacy), that will explain the krbtgt user not showing up (maybe you already saw this)
#1234357888114364508 can be used to report errors, or I can pass that on to the team once I get home
Yo why does someone ppl’s username start with "0x"
Hi im stuck at the trust attack skills assessment qn3 like I tried the trust account attack but I am having a hard time getting to dc04.mssp.ad so anyone could be kind enuf to give me hints please?
Hi how can i report someone sharing active machine writeups ?
Hello everyone, Can someone explain in simple terms what these networking concepts mean: CIDR notation, NAT, subnet, and route? I’m having trouble understanding them.
FYI @young radish 😉 I've passed that feedback on to the team btw
Apologies for the inconvenience
hi
Wow nice, well done! Home stretch
Attacking Common Applications Exploiting Web Vulnerabilities in Thick-Client Applications
I am not able to view start.sh after selecting FileBrowser->Configs in traverse.jar.
You can use /spoiler or send a message to a Mod
Looking to talk to support - ACL Enumeration module. RDP session always crashes and port closes causing me to have to reset and try to rush through before it crashes again please @ with responses
Hi could anyone hint please?
Qn3?
Yeah the ad trust attacks skills assessment
The one where i need to compromise dc04.mssp.ad
Sure thanksss so much
Someone help me while I help him? 🥺
Introduction to Windows Evasion Techniques > Dynamic Analysis
Anyone knows why the execution of the file just keeps timing out? I got the reverse shell when running the executable from the -DEV box but on the -TARGET VM I just never get the shell back...
when i do pivoting with ligolo, how do i start a file server that is reachable by the internal systems for file transfer purposes?
Well the simplest answer is xfreerdp has built-in file transfer tools, so does evil-winrm
(/drive: for xfreerdp and upload/download for winrm)
ok thank you, was trying to think if making an impacket-smbserver with ligolo listeners would work but that seems way simpler
Listeners just need to point from x to y
hello, i currently have access to jump01 and dmz01, how am i able to find file01 password from jump01?
Password attack module skills assessment module.
I'm confused with the reverse port forwarding command. Google says you run the ssh -r command on the pivot machine, but on the example in htb ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN this command is clearly run from the attackers machine since "ubuntu" user is the pivot machine(?)
===
i did snaffler, but i already inspected everything. in HR and Private, and did not find anything useful...
What should I do if the exact file 'rockyou.txt' is being used as indicated by the module and gets disabled like this?
uncompress /usr/share/wordlists/rockyou.txt.gz
Yes you run the ssh command from your machine.
Why sometimes using the compressed version works? I tried with other tools I don't recall now but works sometimes
just did it, yet it failed
afaik that file should be uncompressed after install, though i'm unsure how gzip compression works
I'm gonna reset the target machine and the instance I'm in, let's see if it works
for the connection error, i'd check if you can interact with SMTP
try sudo gunzip
Try smaller rockyou list, based on the error in your screenshot?
I'm as root already
seclists has some smaller rockyou.txts you can try
the file got uncompressed, but the problem is the hydra getting disabled
but usually hydra works with rockyou
thanks
I'll try the seclists
I've restarted the instance and the target machine, now hydra got the password using the wordlists/rockyou.txt normally
Any luck? I'm also stuck at the 3rd CTF (insecure function)?
Any luck? I'm stuck for 3 days at this part...
hi everyone, are you able to spawning targets?
gzip -d to decompress
this wasn't the issue
yo
Contact Insta Support for help with Insta accounts.
i have done that before
bruh
Please read the #rules
Only Insta Support can help you with your problem.
Hello, my name is Mohammed. I am a beginner in cybersecurity and I am trying to learn more.
I want to learn security
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
How do I start?
- Sign up at https://academy.hackthebox.com
- Study and run through some fundamentals in Academy's "Getting Started" module https://academy.hackthebox.com/course/preview/getting-started
Thank you my friend, can I contact you?
Ok thank you tell me step by step
What?
Hello, ı need help badly
I want to start learning but I don't know where to start.
@dense ferry Hello, I really need help right now. I changed the email address for my Hackthebox account, and I'm not receiving any verification emails. Is there any way to reset this because I can't access my account?
Unfortunately support is not provided over discord. You'll need to reach out on the website. You can also email customerops@hackthebox.com
Need to speak to a person? Learn how to reach our support via HTB Labs.
I connected with them through chat, but no one is responding on the site :/
Please be patient, a majority of the team are probably asleep. Someone will get back to you though
thank you sir have a great night
You too 🙂
@frank bloom we don't promote taking chats off of discord. if you read and follow instructions in #welcome there's a careers channel (#careers-and-certs)
Hi guys, has anyone encountered a situation where when a reverse connection occurs via shell, the cursor moves below the $ sign and no longer accepts commands.
anyone give me a nudge on Password Attacks Lab - Skillassessment?
I’ve moved forward with the module leaving this part. Will complete it with a fresh set of eyes later this week.
Helo
imo check the chat history in this discord
thank
Hi anyone can give hints on AD trust attacks skills assessment
Gain access to the DC04 (Mssp.ad) and submit the contents of the flag located in "C:\Users\Administrator\Desktop\flag.txt"
Are attachments prohibited from being sent?
yes, must be, only screenshots are allowed iirc
Well, yes, that's what I meant, screenshots.
this is gonna be funny
is it corp osint?
password attacks
i dont think you should share this as it could be marked as spoilers
this too
fair
i mean i dont think so because the module doesnt teach you how to write ur custom scripts
theyd showcase some tools instead
idk mods wil dlt anyway if it violate haha
well no problem then
can u share the link btw i cant find this one
AD Trust Attacks skills assessment
Gain access to the DC04 (Mssp.ad) and submit the contents of the flag located in "C:\Users\Administrator\Desktop\flag.txt"
anyone could be kind enuf to hint please?
DM me I might be able to help
delete pretty much half your answer and you should get it correct
I need some help. Not sure if anyone is available to assist. I’ve launched the machine in the Kerberos module under "Unconstrained Delegation - Computers". As required, I need to connect via RDP. I’ve tried using the built-in Remote Desktop Connection tool on Windows, as well as xfreerdp from HTB’s Pwnbox, but neither was able to establish a connection.
possibly try a different version????
https://github.com/jpillora/chisel/releases
I tried the latest one was giving errors so i was using v1.7
Its handshake is working it says connected and when i am trying to connect to the windows host it showing me its doing something
I've tried both sides of the half but nothing.
please help me

probably the port is the issue ?
need more details I guess to help you
Note: If the connection to the target machine fails, wait 2 or 3 minutes and try again.
thats what the section says, probably need to wait
Thank you. Please give me a moment, I'll provide more details shortly.
Yes, I also noticed that waiting is required. However, I've already tried waiting, but still cannot establish a connection.
which port are you using ?
sometimes using ovpn and the pwnbox might be the issue as well, you need to use either of it
Hello Guys, I'm new here
3389
Just git clone and build chisel with the commands provided in the reading material:
git clone https://github.com/jpillora/chisel.git
cd chisel
go build
I just tested it, the version works fine. I was able to get the flag.
welll ... 23389
the task says
use argument /port: for xfreerdp tool
Thankyou so much ill try this now
Can anyone guide how to learn white hat methods?
My idea is to log in to the machine as derek.walker and then perform the required tasks.
Connect via RDP to the target IP on port 23389 with Derek Walker's credentials
it literally says you to use the port 23389
Your rockyou.txt is in gzip format, just uncompress it as you cannot use it like that.
Yes, you're absolutely right. I had a misunderstanding. Thank you so much for your help!
its not working in the Pivot Host
how did you get pass this?
I didn't get this error. Are you using your own VM or the pwnbox?
Pwnbox
Should i try with vm
Did you read a specific note in the section of the module?
I am using my own VM. This might be the difference
I did i tried to do exactly the same as the content
Ill try that too then
There are two notes in the section that will help you go past that error
Are you talking about the —reverse
I did that too
Same thing
Read the notes and you will establish a successful tunnel
Thankyouu for your time ill read through it again and try
I tried v1.7 too it works but issue
.
👀
I found a version that works. If you are stuck you can DM me. I'll be available for the next 30 minutes or so
if i connect vpn udp ? NOT WORK WITH ME
i test all VPN connection file. US 1 ,2,3,4,5,6
you have 3 links that can help you there at the end. If you study the first one you find a graphic there that helps.
try to refer to the questions format again you have the answer!
hmm I used this version if you want to have a go
https://github.com/jpillora/chisel/releases/download/v1.7.6/chisel_1.7.6_linux_amd64.gz
can someone explain this further
"We can also use NFS for further escalation. For example, if we have access to the system via SSH and want to read files from another folder that a specific user can read, we would need to upload a shell to the NFS share that has the SUID of that user and then run the shell via the SSH user."
especially this part "we would need to upload a shell to the NFS share that has the SUID of that user and then run the shell via the SSH user."
He DMed me earlier. Turns out he figured it out already. 1.7.3 worked for him.
I haven't tested it out myself. I used 1.7.6 as well.
oh nice! thats good to hear!
I need some guidance on Windows privilege escalation - Citrix Breakout section.
Long and short of it; I can't seem to get the UNC path to work (trying to follow the example for practice) - Paint -> open and then all files + UNC path to the users folder (or the user in question folder). Still getting the disallowed dialogue.
Is this by design?
Have you been sharing your account with someone.....?
No. I haven't used the account in a while though (several months if not longer)
Also.. best not to post the answers here... you might spoil it for others
I agree 100% with you. Fortunately they're not the correct answers otherwise I would have obscured them in some way.
I dunno... seems likely someone accessed your account and completed the section? Otherwise it's a very weird bug
Oh, I didn't notice that. Then it's a very weird bug indeed. You might want to reach out to support
Thanks for your help, much appreciated 😄 and yeah, I'll do that
Just click on the HTB logo on the bottom right corner of your screen. It might take a while for them to respond though
Usually a couple of hours
That's great! Thank you
if you did the module previously, then the answers remain, HTB can't erase the progress (barring deleting your account) it's due to how the backend works
That section was updated and those are the answers prior to the update. Unfortunately you will not be able to input new answers for the new questions, but you can still go through the content, lab, and solve them.
same here
Figured this out, it was because I put the UNC path into the top address bar and not the actual file name box next to all files drop down... woops
Hope that helps
I'm working from my phone right now, but you both can DM what you are trying.
I was doing it in this bit but you need to do it into the red marked bit
Anyone know how to not have a full screen citrix while also xfreerdping into a linux environment?
xfreerdp into linux lab machine, running the citrix file fullscreened the connection.
I solved it with the use of Claude 🙂 tip: part of the answer can be found in the SQL injection section.
it's expecting it as "a-b" not "a b"
also deleting the image since it contained the answer to another question in it
sorry about that 😅
still no luck
and spaces worked fine until now
it's not expecting a-b cable, just a-b
Strange that, i've not seen it spelt with a hyphen
it's as it's written in the module
i legit copy pasted the spelling from prev. module, still wrong answer
Network Media And Software Components
^ this subsection in the section you linked
it's hyphenated in the reading of that first paragraph there
as a note:
Modules is the big name
Section is the chapter name
Module - Network Foundations
Section - Components of a network
dang... it worked... so from now should i take it as a rule of a thumb to look for how it was there in the section while writing the answer?
yes
Thanks a lot for helping out buddy 🩶
Still nothing
Hello friends, I want to ask you, can I learn only by phone or computer?
you need a Computer
Thank you
I am losing brain cells.... i am stuck on these 2 questions... can the answers be from sections before or the same section only?
they'll be in the same section
oke
also i helped you with that first question like 30 minutes ago, it's NOT expecting the word "cable"
its fiber isn't it
no
for lans it said twisted pair ethernet cables in prev. section, but there is no mention of them here
that too, nope
and rj45 isnt a cable if i understood it right... its a type of connection, no?
ok, that's outrageous.... how can it be ethernet????? yk what.... fair..... im just too dumb to get the answer 🥲
maybe i should take a break and get back into this
Can I find someone to send me cybersecurity lessons in the form of a PDF file
Cybersecurity lessons
Yes
I have no clue
Maybe use google translate in hackthebox
Or learn English first, since it will be used a lot
I use translation lessons via links I don't understand them I want a simplified explanation
ChatGPT is your biggest friend
Yes I use it all the time
hello for the skill assesment of the "Attacking Wi-Fi Protected Setup (WPS)", i found the second question really quick, but for the first one i would like to know if it is normal that it takes a lot of time? because the ap keep getting locked and idk if i should try another way?
How to protect Wi-Fi from hacking
That wasnt the problem
Use WPA3 without WPA2 failover, and make use of a very long sturdy password ^
but as time will tell, WPA3 will possibly also become vulnerable for something
If you click on a small hole in the Wi-Fi device, it will restart from scratch and ask you to re-enter the password.
thats what is expected to happen when you click a reset button
Yes, and the problem is that the Wi-Fi password is usually admin.
Not really, that is not your wifi password
that is commonly the password for the router
router > broadcasts the wifi
from the router you can configure your wifi
When you enter the address to control the Wi-Fi via the phone, you are asked for the password. All devices are admin, and then you are asked for a new password.
for sure not all devices. Maybe some, but recent ones they mostly require you to enter a random passcode on the back of your router
But it is indeed quite common for organisations to leave default passwords set on interfaces, but not limited to routers. Also printers, phones, remote interfaces etc.
Yes, you are right.
guys plssss help me
The person on live support on the site still hasn't responded since last night.
so someone knows if it is supposed to be long?
Is there a way to know who is spying on your phone, whether through applications or Gmail?
hello I'm blocked in the Firewall and IDS/IPS Evasion - Hard Lab I tried everything that I know do you have a hint for me pls ?
I hope I recall correctly
My hint is:
||What firewall configuration do Sysadmins often use to allow certain traffic. It's an easy configuration for them to do, but it is not the safest||
It is mentioned somewhere in the module
okay
Hello,
Can someone DM me for Skills Assessment - File Upload Attacks ?
thanks you
the firewall ?
||If I remember correctly, the firewall has a misconfiguration that you can abuse. In the examples provided in the module itself the technique is also used||
sudo nmap 10.x.x.x -p 445 -sA -sV -f -Pn -n -T2 --disable-arp-ping --packet-trace I tried this I'm close ?
||The flag in question is missing in this command, but if you add it, it should work||
okay thanks you
No problem, just check all the commands again and look for something that isn't present here and that you didn't try
Good luck!
okay thank you bro
If you're stuck again, I can give you another small nudge
Maybe the other hint was too vague
yes please I need another one
@rose lagoon
||Thoroughly read through the DNS-Proxying section in https://academy.hackthebox.com/module/19/section/106
What technique / nmap flag do they use which you don't?||
Hope this helps, sorry I'm not great at giving advice without spoiling the challenge 🫂
But this narrows it down
on the hackthebox site it disconnects me every time after 5 hours approximately even more
It's normal ?
Hello pls help on the site I need. My support is not answering for 3-4 hours
I think I tried everything
it's .....
You should probably put your text in spoilers so you don't accidently spoil the challenge for others
||I do think so yes. Admins supposedly sometimes let traffic from source port 53 (and also 20 for ftp data) through the firewall because it could otherwise break things for users
Here is a reference discussion https://security.stackexchange.com/questions/131599/why-is-it-better-to-use-ports-20-and-53-as-source-ports-when-portscanning
||
just try it out xd
Peace be upon you. Hello, I want to learn protection. Can I find someone to help me?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@frank bloom ^
Can I contact you?
For what reason?
hello for the skill assessment of the "Attacking Wi-Fi Protected Setup (WPS)", i found the second question really quick, but for the first one i would like to know if it is supposed to take a lot of time? because the ap keeps getting locked and idk if i should try another way?
Okay I see but I already tried it and tried again but I have the same, it's filtered. This is my command: sudo nmap -sA -p 53 -Pn -n --source-port 53 10.x.x.x
how to put the text in spoiler ?
What's filtered? What are the results of the nmaps you've done so far?
Looking for some help on the Privileged Access module
On the last question. I can't get the damundsen password to reset. I went through the same ACL Abuse from the module prior, but nothing is working to reset this PW. Used a different account with DCSync privs, but hash wouldn't crack. Am I missing something? Please @ with responses
Edit: solved, forgot to start my ligolo tunnel
hey im stuck on a module (command injection Advanced Command Obfuscation) i manage to run the command but i just don't know what format the question is expecting the thing i get :
||
.
./style.css
./index.php
||
btw i get it from : ||ip=127.0.0.1%0a%09$(rev<<<"c-%09hsab")%09$($(rev<<<"d-%0946esab")<<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=)||
|| sudo nmap 10.129.100.235 -p53,445 -sA -Pn -n --disable-arp-ping --packet-trace --source-port 53|| @dry grove @snow badge ||what is wrong here ? I also test w SYN Scan ||
thanks you
This for the hard lab?
If so: the right port to enumerate is not gonna be low
Guys, a live support agent named Stefan hasn't responded for 13 hours since last night. Why?
No idea dude. Write in the support ticket. To make sure it didnt get lost
But support isnt generally given on the discord
thank u so much
yes it is
pls can someone help me for : https://academy.hackthebox.com/module/109/section/1039
The expected port to enumerate isn't low. Telling them to scan 53/445 will yield nothing of value
okay so I have to scan every
You got multiple lines, therefore something is wrong with your command
-p- is useful if a default scan finds nothing
Hi, I feel very stupid asking this question. I'm doing the chapter on nmap but there's this question that I don't understand.
there is no IP to scan
Look at the last example
no you have to Analyze the packet sent
That's what its asking about
Pro-tip: if theres no target, the information is in the reading
OK, thanks
I want you to teach me ways of protection and security please
sorry but I can't figure out what the operating system is I feel so stupid
hint: TTL
Check out the Academy. There you'll learn all the things
Thank you but I don't know where to start I want to start from scratch and I want you to help me
Start with the bible that was posted above! #modules message
thanks so much
I’m working on advanced deserialization attacks and focusing on Example 2: XML. I’m testing the payload against a locally hosted IIS web application. The payload successfully bypasses the initial root XML checks, but when it reaches the deserialization step, it does not spawn the expected process. Can anyone help me understand why it isn’t executing or how to troubleshoot this?
I'm not sure if I can share the PoC code here without "spoiling" the content
Hello admins, I am having a problem with identification
I already id'ed once but when I came back to discord I didn't have this discord channel and I had to Auth again to type into general
Dm me
Guys who is doing Linux Privilege escalation on academy? I need a hint. I am stuck at task 0 😱 (environment enumeration). I managed to change user from htb-student to lab_adm with sudo privs but where from here
I’ve done it what’s up?
Stuck there for good 3 days. Enumerated everything and the only iffy thing is that they use /bin/screen and there is an exploit on internet
Can u give me a hint plz
pwnbox down??
Works for me
can I get a nudge please on part 1 skills assessment of Windows Priv Escalation module
Just finished the AD attacks module, very fun & complete !
If you are trying to answer Q2, just finish out the other questions then circle back to Q2 last.
thats sort of the issue okay thank you - the nudge would still be needed on the priv esc as I must be doing something wrong... if possible
You can send me a DM
thank you 🙂 will do
hi im stuck on Attacking SMB question is "What is the password for the username "jason"?" cant find the password list
There is a tab/button called Resources located at the top right side of the page with Cheat Sheet and ? Go to Questions. Click on Resources and you should be able to download the provided wordlists for the module.
bruh iv spent like 40 minutes on this thanku
I’ll have to check the module rq give me a min
Doing way too much for that lab. Can send me a DM if you are still stuck.
The first task in the module right?
SSH into the target and enumerate using the find command
Yeah I just got the flag
nice let me know if you need more help
Debug the process through dnSpy just like they do in the exercise, set a breakpoint and read the error message
Hi, i need help with the hashcat rule at this question. The last part with the last character repeated three times : "Crack the password of Wi-Fi network named "HTB-Wireless", using a rule where the second character is capitalized, all occurrences of the letter 's' are replaced with '$', any letters 'b' are capitalized, and the last character is repeated three times" !!!
Sorry my friend, I'm not home right now and am not sure what the problem is just by looking at it.
I can check again tomorrow
Do you know how I see my ID?
No problem
I need to write a walkthrough
oh
In the nmap testing firewall IPS IDS it is normal that my scan is slow ??? it's written 1h+
-T5
hoo okay
The -T5 is for fast scanning but may give less information.
but it won't trigger the firewall ?
although you can search for specific information with -p
no
just send faster packages
or more
idk
ok thanks y
I find the port but now I don't find the flag
&someone?
you mean you need a pass to open the screen, if so the pass is wifi the one you connected with RDP
With -p you can search specifically
Create an account at https://www.hackthebox.com/ for general help.
no im talking about the skill assessments, i need to crack a WPS pin and i don't succeed at all, or it takes rly long time
Hello friends, does any of you have a YouTube channel that explains cybersecurity and protection?
Hi and welcome. As stated before, this is not the appropriate channel for such questions. This channel is dedicated for discussion of the modules on HTB. You'll need to verify your HTB account by following the instructions in #welcome which will grant you access to most channels, where you can ask this question. Also as a side note, they're not videos, but the Academy platform on HTB is where you can learn about cybersecurity and protection.
I just have difficulty understanding the lessons via links.
Then you'll need to follow the instructions to ask in a better channel about videos
What would you advise me?
I'm in Password Attacks, Pass the Ticket (PtT) from Linux, Question 7. I'm trying to import julio's ccache file with kinit, but get errors when trying: Pre-authentication failed: "Unsupported key table format version number while getting initial credentials" or "Pre-authentication failed: Permission denied while getting initial credentials". Any idea what I'm doing wrong? I've tried changing the permissions of the files, same errors.
Attacking Common Services
Attacking DNS
How long should subbrute be taking to accomplish the first part of this?
Could someone help me on this question?
It is on the section "AD Enumeration & Attacks - Skills Assessment Part II"
So I get the hash with metasploit "load kiwi"
as you can see here
```
[+] Running as SYSTEM
[*] Dumping SAM
Domain : SQL01
SysKey : 2cdbbee2d1fb9cfb7cf7189fa66971a6
Local SID : S-1-5-21-3827174835-953655006-33323432
SAMKey : 1f3713f605ea<SNIP>dea5ce
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 136b3<SNIP>61248f364
```
But it fails!
I don't know what else to try, I have tried Inveigh, Responder
Dont post the account hashes and stuff its content spoiling
K, I'll mark it as spam
if you have the hash did you try pth with xfree?
Not on this Mod yet so if there are new ways mentioned idk them yet
Just remove the hashes. Marking as spoiler does nothing.
Yes, I have tried pth, the thing is, the Hash is not the right one.
crackmapexec also says that the hash is wrong
Correct, the hash is not the right one.
any guesstimate on this?
Could I get a little hint?
Try to understand the context of the hashes you're dumping
No one can really answer this, depends on computer & network speed as well as the wordlist you're using. If you have a wordlist with 1 word, it should probably take less than 1 second. If you have a huge wordlist over 9 billion, it's going to take a lot longer.
true, I didn't know if it was notoriously slow or not
So far I know that the hash I am dumping is for SQL01, and the Hash it asks is for the Admin on MS01 the thing is I thought that there would be password reuse across admin accounts.
I don't have SYSTEM/Admin on MS01 so I can't dump hashes there. on SQL01 I have SYSTEM so I can dump hashes there.
Your assessment is correct
I'm in Password Attacks, Pass the Ticket (PtT) from Linux, Question 7. I'm trying to import julio's ccache file with kinit, but get errors when trying: Pre-authentication failed: "Unsupported key table format version number while getting initial credentials" or "Pre-authentication failed: Permission denied while getting initial credentials". Any idea what I'm doing wrong? I've tried changing the permissions of the files, same errors.
Hello @terse sedge
hello everyone!
I'm currently doing the Whitebox Attacks - Type Juggling Authentication bypass. The question is:
"Try to use what you learned in this section to access the admin panel and obtain the flag."
At the moment I found the vulnerability for the password I believe but when I send the request I still get a failed message. I've been researching for potential username bypass but I cannot find anything can anyone help?
Thank you!
Nevermind figured it out!
\
May i dm you?
Is not the admin search all the lsa dumps
Yes! I found the flag like an hour and a half later
I finished that module, rn I am on attacking common apps
Hello
Can anyone help me? I have an issue with the Introduction to Windows Evasion Techniques module, specifically in the Static Analysis section. When I placed my .exe in C:\Alpha\Static, the logs showed this message:
[21:07:31] C:\Alpha\Static\Evasion_HTB.exe - OK - Undetected by Microsoft Defender Antivirus, but I couldn’t find the flag anywhere. Any idea what I might be missing?
did you 1) choose console app (.net framework) as the app, 2) compile a release build and 3) use c#?
yes, i did but no works
Can anyone help me with the Final question with the Bloodhound Module Skill assessment? I have been stumped all day long
I have figured out how many azure users have global admin path and have access and the total number of azure users of it but the percentage keeps on saying it is incorrect.
Hey mate, i had the exact same issue. I updated the msfvenom command line to use -o instead of > as the file that was being output was not executable, and then netcat was receiving info but never opening a shell. i then updated the shell type to meterpreter and used multi/handler to receive the shell. Even so it still died seconds after the session opened so had to type cat flag.txt quickly
No, I didn’t haha, my bad. I chose the Console C# project without .NET Framework. I changed the solution and now it works.
Thanks
Yes, please note it’s Saturday and I’m not watching my phone all the time, so might be a bit slow 🙂
not related to modules. but how do you guys setup the obsidian git sync. can someone dm me a video or link (tried following some but no clue why its not working for me)
whenever i rdp pth, i can only do it once, if i exit out and try again it tells me that the username\password is wrong
how do i rdp in again if thats the case
@broken star please refrain from spoiling Skill assessments and simply ask for help on the module and section, I'll dm you with your message so you can copy paste it to a person who'd like to help.
Sounds good, thank you
Looks like your DMs are closed, I've sent a friend request so I can DM you
hey guys, i just started and i'm having a hard time with the most basic command (ssh), can somebody please tell me what im doing wrong?
Hello, someone could help me on the "Attacking Wi-Fi Protected Setup (WPS)" module please?
Don't ask to ask, just ask.
Write the question in the required format (can be found in pinned messages), and if someone can help he will.
<@&861185840277487616> I'm not sure exactly but doesn't seem module related...
Advanced XSS and CSRF Exploitation -> Skills Assessment. We can get flag without promoting role to moderator. To fix the expected path, maybe filtering <> when uploaded file is needed.
Hello there!
I hope this is the correct section for this topic.
In my company, we will do an HTB-CTF event. I'm a programmer, but I never do anything like a CTF. I started with the HTB Academy.
Can you suggest a course or a learning path? I'm a little bit overwhelmed.
Hello
IMO try the Getting Started module in academy and the starting point machines on the lab platform
After that You can go for the pentester path
@cyan blade Hello
Okay. Thank you.
So pentester path is something like ctf?
(I know pen testing only from our company. There create a lot of requests against a system for testing the scalability.)
Is the lab this website? https://app.hackthebox.com/starting-point
Is there a version of certify.exe not detected by defender.
If I try to compile it myself i get compile errors ?
This one gets detected https://github.com/Flangvik/ObfuscatedSharpCollection/tree/main/NetFramework_4.7_Any
Good morning everyone
The pentester path would cover multiple topics on how to find vulnerabilities in different services, not necessarily sending multiple requests, but say for example some configs can be abused by attackers and give them additional access to internal stuff
The module I recommended goes over this stuff in a basic way, and for starting point machines they are helpful to try and experiment with different services
And yes that's the website you're looking for
<@&861185840277487616>
Spams as usual
I've managed to figure this out a couple of days ago but thanks anyway 🫡
@cyan blade Thank you 🙂
I will continue my journey.
Good luck 🔥
Can anyone please tell me what's recently changed in the academy (after the update)?
What modules were updated & should be revised?
I'm talking about CPTS.
Iirc the password attacks module has changed, also you can see the change logs for modules from the side bar
This information is not public.
You can see when each module was last updated.
Is there a compiled version of certify.exe not detected by defender.
I see some new sections in Passwords Attacks too marked as completed even though they're new. Some other sections which are new are marked incomplete. It would be beneficial to know what I should read more/was updated.
If you look at the change log, you will see that the entire module has been revised.
Another good place to start is #academy-announcements
Such things are made public there.
I could not send pictures here so I had to send a screenshot
Read and follow #welcome
Done
I am struggling with https://academy.hackthebox.com/module/18/section/79. I tried this, regex, asked chatgpt, asked other people, but the answer is incorrect. Need help.
probably best asked in #cpts where more specific help like that can be found.. unless the module requires it ?
#red-team or here - it could well be placed
dddd
Thanks it is cape related.
Hey all, just a generic question for module 'Session Identifiers' Cross-Site Request Forgery (POST-based). During the module they explained to authenticate on to the web yeah. However, in a case where I want to find the CSRF token using this technique, either 1. I have already obtained a user's credentials to authenticate in to a web app (which renders the CSRF token post req attack) 2. I am using a different user, of which I have to wait and hope for the best that a certain user would then click the link I have been crafting? is this the best way to use this vector? I am just confused on its main purpose tbh. lmk if I am over stepping any rules here chat cheers
Pls guys am to have a project in cybersecurity to build and present by the end of this month any suggestions?...
not the place for this Hunter.
The attacker doesn't have to be authenticated, only the victim
As long as the application is vulnerable to CSRF then you can place the payload on any other website and it should execute because cookies should be sent with that request
IMO CSRF works better if it was not really targeted towards a specific user, say for example an application that was widely used by people, like 30% of the population
If 5% of the population were authenticated and some of those would visit my blog that has the CSRF payload then pretty much that's a lot of victims, and imagine if a banking app was vulnerable to CSRF then oh well
Ah im hearing what you are saying, as at the end of the day this is meant to obtain some form of authentication via sessionID, and in this case CSRF.. if its Vulnerable, and it happens to be a POST request I can set up a listener of some form or capture a traffic (as per the example) just based on that scenario alone. .. apologies for my silly questions im just trying to put this attack vector in perspective
Hey, I'm trying to move some tool to the internal network host, how do I achieve this. I have a meterpreter session working as a proxy
Plenty of file transfer methods available, http server... you just need to have a listener to point back to your device:port
I personally dont use meterpreter pivoting
It is on port 8000
Yeah the CSRF Token makes the attack harder because the request would require the token to be there and valid
Compare it with CSRF attacks that do not require a CSRF token where the victim could interact with a form in another website that does a malicious behavior on the user's behalf
You'd have to modify your payload to grab that token first and then perform the request
hey guys need help in this module : Windows Privilege Escalation(Server Operators)
I got the hash but while cracking it i am facing issues.
john --format=NT --wordlist=/usr/share/wordlists/fasttrack.txt admin_hash.txt
I am trying this
Yeah a bit of a tricky situation there, I would honestly need more time to digest these vectors. Thank you for clarifying this
Which method is the best
anyone done with Prompt Injection Attacks , skill assessment I got the first part ||I have the key of the administrator and I can read chats|| , still can't have progress after that
I use ligolo-ng
hello can I Dm you about that ?
Hello everyone, I wanted to ask what is the best tier 3 module to buy on htb academy
It depends on your interests.
I would like to delve more into red teaming
how does this work?
Back when I had a subscription i started the mini-module about graphql ( not completed it ). Now when I don't have any subscription, I still can access it although it is Tier 2
yo guys
im on web proxies
im using burpsuite as my proxy on port 8080
when using nmap and proxying to http://127.0.0.1:8080, the traffic doesn't get intercepted
my command is nmap --proxies http://127.0.0.1:8080 google.com -p80 -sC -Pn
also tried proxying with proxychains
also added http 127.0.0.1 8080 to the tail of my /etc/proxychains.conf, and ensured other routes are commented
and burp working and interception is on
it works fine when proxying with firefox
Can someone help me with bloodhound cypher tricks
This is from HTB academy I got but when I run it on Newer version of Bloodhound CE it says no result
`MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2`
Ummm i guess for of stuff pre builts are more than enough
Yes but for some specific queries I need to understand how will it work
Its just coding language
Check out youtube
Or some blogs for more detail, even in bloodhound section i guess they share a link if you wanna go deep
Make sure the data ingested properly, maybe rerun your collector
Yes that might be the issue as I’ve been working on this since last 2 hours
Maybe reuploading works
Thanks for the nudge
any help.?
hey ! dm if you need more help but you should look at other methods of using that hash to log in... maybe the hash isn't intended to be cracked?
You can login with psexec using that NT hash
ohh got it thanks let me try
thank you let me try
find / -type f -name '*.log' 2>/dev/null | wc -l
Try that, it's something to do with it being one quote rather than speech quotes, and not -iname but -name.
Then like make sure to actually see the results so remove the 2>/dev/null and count how many entries there are because some are not log files but other lines.
something subtle ig.
I reingested the data again yet I cannot view the specify search I want to
how did you get on with that ?
Still facing issues with bloodhound query anyone can help me understand what mistake I’m doing
i also faced
ummm you can do to change the sharphound.exe
sometimes precompiled binaries dont work
or try building yourself if option
i am not sure if it helps ...but it worked for me in mimikatz case
i was fetching wrong binaries , when i tried any other binaries from github it worked in the first go
I used The academy one binary itself and I’ll try to compile it by myself and use that .exe file
@mighty mulch Please do not reveal answers. The format is firstword-secondword, all lowercase
sorry and thank u, i'm new here
does anyone know how to reconfigure the opvn file to allow to split tunneling?
It allows split tunneling by default
hello for the skill assessment of the "Attacking Wi-Fi Protected Setup (WPS)", i found the second question really quick, but for the first one i would like to know if it is supposed to take a lot of time? because the ap keeps getting locked and idk if i should try another way?
for some reason when the vpn is enabled, I lose internet connection
Does your PC have a 10.x.x.x address? Because if so, you would have to change the IP of the PC. This IP range is used by HTB. Check the routing table
In the module https://academy.hackthebox.com/module/254/section/2930 Process Injection
we start a reverse shell.
But if I want to start let's say Rubeus.exe with a specific parameter how should I do that.
I dont use any 10.0.0.0/8 IPs at home
@gray yacht i already dm you
@acoustic owl sorry for the tag , can you help with this ?
Hey all,
For the "Attacking Drupal" module,
I am not able to find the "Install New Module" button for the drupal-dev.inlanefreight.local vhost.
Any nudges for this?
About what?
Ok, im tracking. Give me a sec
Send me a DM
@acoustic owl you dont have cape
Studying for cape?
You have all the certifications
Hey guys in the password attacks module, skill assessment https://academy.hackthebox.com/module/147/section/1356,
im falling in a bit of loopholes, so i need just to know where to head exactly, i enumerated the shares, and noticed one of the shares which I had read access contained creds.txt there, and then i enumerated the usernames through nxc, and found some usernames but they dont match the folder names at all which were named inside the share i managed to get the creds.txt from
So can anyone tell me if im on the right track or did i drift way too much
no, I have neither CAPE nor CJCA
I have to study the AD modules again and then finish working through the path. I haven't done anything with AD for a long time
I have a few more things to talk about, should i dm you, dont wanna disturb others here
Sure, send me a dm
hello for the skill assessment of the "Attacking Wi-Fi Protected Setup (WPS)", i found the second question really quick, but for the first one i would like to know if it is supposed to take a lot of time? because the ap keeps getting locked and idk if i should try another way?
I’m looking at the cap machine and no matter what I do it doesn’t seem to be up for me. I think my network is setup ok for this?
#boxes 🙂
Hi guys , which module should i take first introduction to networking or network foundations?
Network Foundations is a precursor to Introduction to Networking
Just look at the contents and see for yourself the difficulty difference.
hey guys I'm stuck in a binary exploitation challenge can someone help me ?? (not a HTB challenge)
this is the decompiled script :
```c
undefined8 main(void)
{
  setup();
  vuln();
  return 0;
}

void vuln(void)
{
  char local_28 [32];

  puts("Describe your plan to hack the future:");
  read(0,local_28,0x200);
  puts(local_28);
  puts("Processing your plan...");
  return;
}
```
and there's a win function :
```c
void win(void)
{
  puts("You hacked the future!");
  system("/bin/sh");
  /* WARNING: Subroutine does not return */
  exit(0);
}
```
If it's not a HTB challenge, then this isn't the place to find help with it, sorry
Is that from a CTF? Another learning platform? What?
yes a local ctf I played
Well again, this isn't the place.. this channel is for discussing HTB Academy Modules
ok 😢 . do you know where I can find help ?
Read #welcome to verify your Discord account, maybe check #binex-rev, but include a link to the event so anyone helping can be sure it's not to do with a live event
Another option, speak to others that have taken part in the CTF if that's what it is.
tried that but don't have much of a contact with them soo ..
can I post on community-help-zone ?
That's for HTB community driven support, I already gave my recommendation.
https://academy.hackthebox.com/module/35/section/247
Under the GET section in the Web-Requests Module, it says it's broken? Why is that so, under the network tab the requests seem to be fine, going to the search.php? I have solved it already by crafting a curl cmd, and why doesn't copying it in fetch and using it in the console work. I got this.
"The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what is the request it is sending when we search, and use cURL to search for 'flag' and obtain the flag."
The former part "seems to be broken" is a bit confusing. What is it referring to.
Broken is a bit misleading I think.. focus on what is different between the requests being sent from the browser (either from the page, or fetch) and what is being sent from cURL
I think it's trying to highlight difference in behaviour of requests from different sources
I don't see the curl command come up in the Network tab at all though..
Only the ones sent from the page are shown.
You have a cURL command though right?
Yeah.
Read up a little in that section, how could you investigate the differences between the cURL request and the fetch request?
HTTP requests include more than just the URL and query parameters
Again, I personally find "broken" a bit of a misleading term there
Checked headers and everything and they seem quite similar ig. Both have very close 'initiators' idk though.
Normal Search vs fetch (curl doesnt appear)
A cURL request would've been executed through the terminal
Have you compared that request with the ones from the browser?
I used the terminal, and nothing comes through, I've completed the section btw I just don't feel content.
What response do you get in the browser, also
Nothing comes through?
Something must have to get the flag though
When I use curl yes.
It gives me the flag but it doesn't show in the network tab.
I'll show you.
No it wouldn't show in the network tab
Re-read the section again, you're missing something critical in the output of the example curl command, and the available data from the browser requests
I don't want to flat out spoil it 🙁
Fair.
I think the end (again, a bit obscure and misleading) learning here I think should be the answer to the question.. why does cURL work
I can't think of anything else to say without directly spoiling tbh 😅
I have found the flag though? Are you sure we are on the same page haha.
Yes I know
It's a bit confusing, we're on the same page
Getting the flag, it says it is broken, but it doesn't ask you to find out why it is broken
..but you are obviously curious as to what it means
Maybe it has something to do with the fact curl is separate from your browser?
And so you don't see it there?
I'll try the options.
curl -I and curl -v
1-
nmap MS01.INLANEFREIGHT.LOCAL ==> 3389/tcp open ms-wbt-server
so there is a rdp service on MS01
but when i enum in bloodhound using cypher "workstation/servers where domain users can rdp" = no results . why is bloodhound give fast results??!
2-
when i login to the domain computer MS01 with psexec i get the system priv .
but when i enum using bloodhound cypher "computer where domains are local admins" = no results . why is bloodhound give fast results??!
```
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://94.237.57.211:34841/
DNT: 1
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Sec-GPC: 1
Priority: u=0

* Connected to 94.237.57.211 (94.237.57.211) port 34841 (#0)
> GET /search.php?search=flag HTTP/1.1
> Host: 94.237.57.211:34841
> User-Agent: curl/7.88.1
> Accept: */*
> Authorization: Basic YWRtaW46YWRtaW4=
```
So mainly what I see is the User-Agent difference, and if you also navigate to the resource via browser it says "Please use Curl" so Ig User-Agent is what differentiates and allows you to get the flag. Unless there is something else I'm missing. Thanks for your help tho.
No worries, you got it 🙂
Again.. misleading.. but it could be rules like that are covered further in the module
It's not broken, it's restricted
Yup.
You can provide feedback to us through /feedback, but I will probably mention this next week if I remember
It's probably a balance between getting too technical for a fundamentals module, and providing a suggestion to investigate the why
Feedback is a gift.
It's a complex field that takes a lot of effort, practice and research to become comfortable with.. and even if you become "comfortable", there is always more to learn 🙂
Every expert started one day at "what the hell, how does this work"
Keep at it if it's a field you are interested in, keep learning and building your knowledge
What is this channel
Read the pinned message.
Ok thx
I can't talk in the general chat
I did
Follow the verify steps
Ok thx
Hi, is there a separate thread for newbies to ask questions?)
There's likely a channel for your question. It really depends on what your question is about. If it's about modules, feel free to post it here. If it's not related to Academy, you'll need to verify your HTB account by following the instructions in #welcome to gain access to a better channel to post in.
The bot sent me away and advised me to contact the moderator or administrator)
DM me
This channel is dedicated for discussion of the various modules on HTB's Academy platform. For general questions you'll need to ask in another channel and verify your account by following the instructions in #welcome.
It's no problem
I need help on the last question of skills assessment on Active Directory BloodHound module, the question is "Find the percentage of users with a path to GLOBAL ADMINISTRATOR. Submit the number as your answer (to two decimal points, i.e., 11.78).".
I've tried querying all users with both these query to find all the users. (Returns 15 for User and 13 for AZUser)
```
MATCH (u:User) RETURN u
MATCH (u:AZUser) RETURN u
```
Then I use this query to find all shortest path to global administrator (Returns 3 users)
```
MATCH p = shortestPath((u:AZUser)-[*1..]->(target))
WHERE target.name CONTAINS "GLOBAL ADMINISTRATOR"
RETURN p
```
I've tried all combination of those numbers and all answer was incorrect. (3/13 x 100, 3/15 x 100, 3/28 x 100).
I've also tried querying in both neo4j database and bloodhound itself, both of them returns similar results
Hi everybody, are some of the commands in the academy modules misspelled on purpose?
No.. but if they are, we do appreciate the feedback at #1234357888114364508 or with the /feedback command ❤️
you can DM me
Can i get help too?
assuming it is the same module, sure 😅
Yeah dms rq
After the upcoming changes regarding the subscription plans will the student license remain?
Academy pricing is not affected
Sorry, next question: there is this "weekly streak" feature and its mentioned on the dashboard that one can earn rewards through it. there is also a blog entry about it. But I couldn't find an explanation on what kind of rewards we can earn. how does it work?
I believe there are badges you are awarded, at least that lines up with what the blog posts says
ah I can see it now in the help files. alright. thanks. I was hoping for some cubes 😋 . I'm saving for some Tier 3 modules since they cover a lot of interesting topics I'd like to do even though they are not part of the certification I'm currently working on
thanks!
Can anyone please teach me hacking
New to HTB? Need help getting started? Check out this article for a full introduction to the platform!
New to Academy? Looking for more information? Learn about HTB Academy, the Cubes system, and the platform structure here.
also if you'd like to dive directly into it without all the boring theoretical parts (which will be important later on) I recommend https://academy.hackthebox.com/module/77. It teaches you how to set up your hacking device, what tools are important and then goes straight into scanning systems and gives you a quick glance about exploiting targets and so on. I use it to teach my son and his friend in order to get them hooked 😊
hello for the skill assesment of the "Attacking Wi-Fi Protected Setup (WPS)", i found the second question really quick, but for the first one i would like to know if it is supposed to takes a lot of time? because the ap keep getting locked and idk if i should try another way?
Like I tried all the methods I learnt so far in the module but every time it is really long and not finding anything so idk if I should wait more or if I’m on the wrong way
So what did you actually change to get it.
Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer.
Need some help if possible
- 0 What is this user's cleartext password?
in dcsync attack how to get that
@echo flint Please do not share content from modules above tier 0
anyone can help me with dcsync attack secretdumps and mimikatz not working
still nobody?
Hello, has anyone tackle the LLM Output Attacks - Section XSS lately? Would like a small help on the XSS_2 🙂
Please don't cross-post, and please post this in an appropriate channel, not Academy channels.
okk thankyou i appreciate it
i will take proper care of this in my future posts , i appreciate all the help, thankyou.
Hey there, did you end up finding a way, I retrive a cookie, but the xss return my cookie only
You must take the admin key and from there i can take the flag, but i can not take the admin key already
Yeah me neither, im stuck trying to retrieve the admin cookie. All i get back is my own, I dont understand what Im doing wrong in the cookie stealing xss
hello for the skill assesment of the "Attacking Wi-Fi Protected Setup (WPS)", i found the second question really quick, but for the first one i would like to know if it is supposed to takes a lot of time? because the ap keep getting locked and idk if i should try another way?
Like I tried all the methods I learnt so far in the module but every time it is really long and not finding anything so idk if I should wait more or if I’m on the wrong way
@warm pumice You seem to have managed to finish the module, can I ask couple of questions?
it should be fairly quick
Anyone has finished the LLM Output Attacks by any chance?
@storm elk , @dull sparrow or @cosmic patrol if you guys have any insight from your previous conversation that would help 🙂 thank you
So im in the wrong way ? because with what i try it is locking
just dm bru
He is hacking?
Hi there, can't dm, not allowed apparently 😭
apparently yes, sounds like you're using the wrong attack
Are you hacker
Are you hacker
Are you bot? lmao
could i tell you what i tried and help me?
because im out of idea
ok, dm
oh sorry i found it on the help sites
Hey guys question, do i need some skills to start ? If So how much
Yo guys
On on web proxies module
Specifically the web scanner sections
Im supposed to use ZAP active scanner to scan for a high severity vulnerability and use it to read the /flag.txt on the system
But ZAP active scanner dosent find the vulnerability
Ive run it twice
It finds a bunch of other severity alerts tho
I also run burp suite professional on the same target and it found it
What is wrong
Hey Julian, can I ask you for some hints for this particular section?
You can send me a DM and I can share some things that might work.
xfreerdp issue
```
[09:45:33:321] [3166:3166] [ERROR][com.freerdp.client.x11] - failed to open display:
[09:45:33:321] [3166:3166] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.
```
Its the ad enum and attacks module skill assessment part II if that matters
Do this export DISPLAY=0
👋
Doesnt work
No. everything you need to learn is covered in the academy. I would recommend trying this module if you start from scratch: https://academy.hackthebox.com/module/details/15 it will teach you everything about HackTheBox. How it's structured, how to use it, what goals you can achieve and finally show you where to get help. Afterwards a good starting point is: https://academy.hackthebox.com/module/details/77 there you learn how to set up everything in order to get started, basic tools you need, scanning targets, exploit some machines and at the end there are even some practical challenges.
I mean i Have some Linux skill So that could be helpfull
And thanks man
yes those skills will be very helpful 🙂 dont make the mistake to skip some lectures because you think you know alot about the topic. im doing network stuff on a daily basis, but still I learned some new things for example in the nmap path
OH thats cool, thanks a lot man, im considering finishing some OTW games before starting i Have Done whole Bandit but i dont think thats enough
Don't run xfreerdp as root
Not root im sshed in as htb-student
ssh
Ssh doesnt generally carry x11 / display perms.
oh
Iirc if you want to rdp through ssh you either need to pivot or pass the -X parameter
Can't you proxy X over SSH to a local X / display?
I'm sure I've done that before between a headless VM back to Windows with X
(yes, it was HORRENDOUS)
I hate proxies, it makes everything so much slower
alternatively -o ForwardX11
alright, thanks for the help
How do I get faster at this like easy ones are a little hard for me
reading, practicing, everything
Like I am buying books because I love it but it makes me mad at the same time because I want to be better
being better starts with the first step of doing
you can't suddenly be an expert if all you've done is read a book
How do I set the spn (UserPrincipalName) with bloodyAD ?
```
    ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/bloodyAD/msldap_patch.py", line 330, in encode_changes
    raise Exception('Unknown conversion type for key "%s"' % k)
Exception: Unknown conversion type for key "UserPrincipalName"
```
according to the manual it should be simple
bloodyAD --host $dc -d $domain -u $username -p $password set object $target userPrincipalName -v $new_upn
but what is the format for the $new_upn
could it be that your spn contains a special character? like $?
This tool does work
certipy account update -u 'BlWasp@lab.local' -p 'Password123!' -user user2 -upn user3@lab.local
Special characters are special
Going back, if anybody is available, and could test the section Cross-Site Scripting, especially the challenge 2 for https://academy.hackthebox.com/module/307/section/3586. I would appreciate some help, I wonder if the port forwarding is not making the whole operation buggy. I'm unable to retrieve the admin cookie, even though the LLM bot is opening the payload but it retrieves my own cookie. Thank you for the help 🙂
i mean:
- mods aren't staff
- when you ask for a mod you limit the potential people that can/will help you
Ah mb, let me rephrase
it's akin to "are there any experts" but your question isn't anything that you'd need an expert for
I try to contact some help earlier but no great success. It's a pretty new module so I assume it's normal. But all the rest seem to be working and im confused of where Im wrong
well typically speaking Website support doesn't help with "skill issue"
if it's something wrong with your setup, or how you're doing something: you're not really gonna get anything from support
support really only helps with technical issues with labs, i.e. "if the lab itself is broken"
But I think the issue might be from my way of doing it. By any chance where you able to do it ? 🙂
i don't have that module, and am not interested in LLM stuff
Fair enough
can someone give me a hand with AEN Lateral movement? I just cant not get a rdp session into dev01. nmap is saying that rdp is filtered
I quit, misspelled the password 😄
Tried to message you, but it doesn't let me. I managed to solve it even though the chat was saying CEO banned, it took a couple of retries, same process to get the flag to appear
facing a dumb problem in a lab, i have to use sudo to run a command, the sudo password for all machines has an "@" but the keyboard doesnt:
if any one wants to check, its the "Suricata Rule Development Part 1"
hi, im currently stuck on pass attacks credential hunting in network shares
hey can anyone help me im stuck at codetwo machine in htb
It says No Access
Thanks @cunning canopy
hey guys question, can F2P player earn cubes to the highest stages? and is the 2 Hour linux instanc for day or idk eternity?
Noob question : can someone explain me the kerberos double hop problem. I ve read the module content but still dont seem to grasp well. Can someone dumb it down for me a little bit more clearly? Thanks
When Kerberos gives you a ticket, it’s only valid for you to access one service/machine. If that service (Server A) then tries to connect to another service (Server B) on your behalf, it can’t reuse your ticket, because Kerberos doesn’t let tickets be forwarded by default. That’s the double hop problem.
I have to say, the Skills Assessment for the LLM Output Attack is absolutely insane. I haven’t had to bang my head against a challenge like that in a long time, and this one was particularly well done. Loved it—and I definitely recommend the Job Path from the AI Red Team. I’m less of a fan of the first and second modules since they’re quite theoretical, but the rest is phenomenal. Huge congrats to the HTB team and Vautia for this!
any hints on the skills assessment LLM output attacks ?
hey stuck in the same thing can I DM ?
Want to dm? I can help without giving the answer if you want
Hello I'm currently doing the Introduction to Malware Analysis - Debugging chapter. I managed to get past all three sandbox detections but now I'm only seeing the Connected to C2 prompt and not the one about the Inetsim program. Here's how I've set it up:
- set the dns resolution on the windows remote machine to my local kali VM's ip from `tun0`
- set the inetsim setup with my local kali VM's ip from `tun0` for both the `service_bind_address` and `dns_default_ip`, and the other two dns parameters like in the chapter (tried also setting `service_bind_address` to 0.0.0.0 like in the screenshot but didn't work either)
What am I doing wrong ?
@brazen niche this isn't a hacker for hire server
Ok
I am working on the LOL Section of Active Directory Enumeration and Attacks module. I am having trouble with second question. I have tried multiple commands to filter the PS output for what the question is telling me to find and it is not working.
I have tried multiple dsqueries and was gonna try doing net user to get output I need but output is always either too general or too specific but not right output.
anyone have a hint on how I can specifically find the info it tells me to get? I am trying to filter for that group but having trouble figuring out how to do that.
they got tons of theories , really hard to absorb all of it
@quasi wave net localgroup Administrators this command should be able to get you what you want it's on one of the tables with the commands specifically meant for net on the same page
I'll try it out just to make sure im right
I'm in Password Attacks, Pass the Ticket (PtT) from Linux, Question 7. I'm trying to import julio's ccache file with kinit, but get errors when trying: Pre-authentication failed: "Unsupported key table format version number while getting initial credentials" or "Pre-authentication failed: Permission denied while getting initial credentials". Any idea what I'm doing wrong? I've tried changing the permissions of the files, same errors.
@quasi wave wmic is slow because it queries the domain; just use the net commands
You'll see one user in the local admins group
wmic on the other hand will search the whole domain .... unless you tell it not to
Ok thanks
Hey how do I take a file out the pwnbox browser onto my computer?
What is the 2021 OWASP Top 10 classification for this vulnerability? “Can someone give me a hint on how to solve this question?”
Google 2021 OWASP Top 10
but also this sounds like it's related to a starting-point machine, not an academy module
you'll need to link your htb account to the discord by following the instructions in #welcome to access #starting-point
I'm in Password Attacks, Pass the Ticket (PtT) from Linux, Question 7. I'm trying to import julio's ccache file with kinit, but get errors when trying: Pre-authentication failed: "Unsupported key table format version number while getting initial credentials" or "Pre-authentication failed: Permission denied while getting initial credentials". Any idea what I'm doing wrong? I've tried changing the permissions of the files, same errors.
you don't need to do kinit for ccache files
just need to add the filepath to the KRB5CCNAME variable
kinit is more for using keytab files
update on this #1414364574202986687 message
the inetsim dns module is deprecated. I've managed to have a working dnslookup with dnsmasq but the malware doesn't respond to it, even though nslookup works:
```
PS C:\Windows\system32> nslookup iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Server:  UnKnown
Address:  10.10.14.110

Name:    iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Address:  10.10.14.110
```
um can some1 help with What type of network cable is used to transmit data over long distances with minimal signal loss? and i answered fiber optic but still got it incorrect
I don't have money
There are some Tier 0 modules that you can study for free.
Yes I do
o.o um
is there a specific way to answer it?
Which one @acoustic owl 4
Check this out: https://academy.hackthebox.com/modules
thank you it worked. what time do I lose my streak tomorrow?
if I don't get third question by that time?
I have no idea i never paid attention to that
I have one idea
thanks for helping me @viral mica
send me a dm
i did
